
Black Hat NOC 2017: Can Your SIEM Do This?

Jul 25, 2017 | by Percy Tucker

Setup of the Black Hat NOC is an exciting time. The entire network infrastructure is dropped in place at Mandalay Bay. Multiple Black Hat NOC teams work long hours to get the network in place, configured and tested. Attention then turns to the NOC itself, where the infrastructure is tied together. RSA, one of the technology providers to the Black Hat NOC, provides threat intelligence and identity and access management.

During the NOC setup phase, the Black Hat NOC teams build out the NOC while their teams and four technology providers set up their solutions to work together harmoniously, ensuring network availability and protecting the conference attendees.

As you can imagine, this does not happen in a day.

Before the solutions were fully integrated, a log indicated that a host infected with malware was communicating with a command and control site. Time, effort and energy were spent tracking this host down to better understand the risk and let the individual know. It turned out to be a false positive. So when I ask "Can your SIEM do this?", what do I mean? Had this occurred just one day later, the logs and packets would have been collected by RSA NetWitness®. Instead of relying on a single log entry backed only by threat intelligence, we would have been able to pivot into the packet data and see right away that this was a false positive, saving time, effort and energy. That is the power of pervasive visibility in an evolved SIEM.