
Visibility into the Unknown

Jul 30, 2020 | by Brian Robertson

In my role, I am fortunate enough to work with some of the brightest people working in security. 

I recently penned a blog post about organizations embracing the idea of a dynamic workforce where employees can access resources and perform their job from anywhere. However, there are considerations that must be made to protect the organization from new threats and vulnerabilities introduced by the model of remote work.

This blog post is inspired by the conversations I’ve had with Halim Abouzeid, an RSA System Engineer. He shared with me some perspective based on conversations with RSA customers.

Below is a summary of our recent discussion:

Brian Robertson: Halim, we know with the current state of the world, a dynamic workforce is critical for keeping businesses running and productive. What is the one thing you would say is most important to have to make this successful?

Halim Abouzeid: In order to support a dynamic workforce, and keep malicious actors at bay, visibility becomes your best asset. Visibility cannot only be within the physical confines of your organization, it needs to be extended to the end users everywhere.

Robertson: Can you outline some things organizations should consider when trying to gain that visibility?

Abouzeid: There are six ways organizations can gain and improve their threat visibility:

  1. Organizations should consider monitoring packets that traverse the network from user device, across the network infrastructure and to the cloud, including VPN links and any other entry point into the corporate network.
  2. Organizations should monitor activity across all endpoints, on and off the network, for deep visibility into their security state, and properly prioritize alerts when there is an issue.
  3. Organizations should enhance rule-based or signature-based threat detection with the addition of advanced machine learning through user and entity behavior analytics (UEBA) and endpoint behavior analytics to recognize anomalies that could indicate malicious intent and threats.
  4. When an incident is recognized, time is of the essence. Streamlining the activities and processes across the security team is critical for getting to the heart of the problem quickly and efficiently.
  5. Context and threat intelligence are key, not only to increase detection capabilities based on known indicators, but also by providing confidence levels towards identified indicators and bringing in context around the identified attack and its threat actor.
  6. Organizations can even go as far as having machines automatically act on the security analysts’ behalf to mitigate incidents before they impact your organization.

Robertson: How would you describe RSA NetWitness Platform’s ability to help organizations focus on those areas?

Abouzeid: RSA NetWitness Platform provides real-time visibility into network traffic across all internal (east-west), internet-bound (north-south), virtual infrastructure and cloud computing environments paired with deep process-level endpoint visibility. This enables the platform to detect intrusions as they are happening inside and outside the organization. Multiple types of behavior analytics detect anomalies across the network (whether on encrypted channels or not), suspicious activities of machines and users, as well as abnormal activities across applications (whether on or off the corporate network) -- no matter where they reside. Once detected, a prioritized and automated response to the full scope of the attack helps defend against current and future threats.

Robertson: Can you provide a couple examples?

Abouzeid: A common one is phishing attacks. Phishing attacks take advantage of varying security awareness, lack of security controls or even bridging the home network to gain access to the corporate environment. RSA NetWitness Platform provides immediate visibility into the entire enterprise, at every step of the attack, with a synergistic view of log, network and endpoint data presented in a single pane-of-glass for security analysts. Through respond functionality, it groups suspicious activities together into an incident for analysts to easily visualize. The nodal view provides a powerful tool for security teams to instantly dig into suspicious activities, in this case a phishing attack.

RSA NetWitness Endpoint allows an analyst to identify the email client application triggering a succession of processes and commands that it does not usually perform on a given workstation. The security analyst can see the processes and execution details for a file, enabling a fast decision on what actions to take next. Having the full payload of all network communications, the security analyst can reconstruct the email and other network sessions to instantly determine the nature of the suspicious email and file, confirming the initial suspicion: it’s clearly a phishing attack!

If the phishing attack was successful and the user machine was infected, an anomaly can be triggered due to an abnormal encrypted communication between two entities, the malware/infected workstation and the Command & Control server.

Automating the investigation and remediation process can be an enormous security multiplier for analysts, especially with the dynamic workforce opening new attack vectors. RSA NetWitness Orchestrator is the orchestration and automation layer of the RSA NetWitness Platform that powers this capability.

Once a phishing attack is understood, an automated workflow can be created within RSA NetWitness Orchestrator to enable efficiency and automate response for the activity that a security team would typically have to handle manually.

In the use case we just examined, a security analyst could trigger an automated phishing playbook once they were confident that the suspected activity was validated as a threat and they wanted to act. For example, RSA NetWitness Orchestrator can monitor a central mailbox for user or analyst submitted phishing emails. It can then abstract information like email headers, attachments and indicators that can be used as artifacts during the investigation process today and for future incidents, as well as automatically linking them to available threat intelligence and contextual information. You can then automate actions such as informing the originator, generating an investigation ticket and escalating the issue.

Another example is the risk created by employees working from home or outside the corporate facilities.

With IT not being able to harden end-user devices like smartphones, tablets or personal computers, malicious actors can use this to find new measures to infiltrate your environment by compromising user credentials.  

With an expanded remote workforce and shared device model, it is critical to have visibility into these endpoints as users and identities can more commonly be compromised. RSA NetWitness Platform and RSA NetWitness User and Entity Behavior Analysis (UEBA) provide tremendous out-of-the-box value for security teams to quickly highlight anomalies within network, endpoint and log data. Additional visibility allows security analysts to identify users with risky behaviors. RSA NetWitness UEBA looks at behavioral trends, such as failed authentications, time and location of authentications, file access, creation and deletion, user account changes, Active Directory change time, abnormal hosts and many other attributes to increase the risk score of a potential incident.

Similarly, RSA NetWitness UEBA also looks at behavioral trends on a workstation, allowing analysts to identify deviations from the norm based on how processes usually behave and interact with each other, or which commands and tools are being executed, increasing the risk level of that workstation as deviations are seen. Such deviations can play an important role in identifying compromised users, as they allow detection of unusual behaviors triggered by that user account.

From here a security analyst can pivot into machine-level details of a concerning host with compromised user credentials that are seen within RSA NetWitness UEBA. Although hosts aren’t the only part of a compromised user credential, they can certainly play an important role in gaining access to resources. They can also tell a story of a security incident and help facilitate remediation. RSA NetWitness Endpoint can quickly see the security status of this machine, run a scan, isolate the host from the network, and even download forensic data for further investigation.

Let's recap:

  • The need for visibility with the dynamic workforce is becoming more critical to security operations in the ongoing battle to keep threats at bay.
  • As employee access evolves to connect to the organization’s resources from anywhere, the attack surface will continue to grow exponentially.
  • Bad actors will try to take advantage of new avenues as ways to infiltrate your environment to gain access to those resources for financial gains or malicious reasons that impact operations and your organization’s reputation.
  • The key to minimizing the impact of these bad actors is visibility that spans from the end-user device through the network and even to cloud assets. 

Our new infographic illustrates the security risks created by the dynamic workforce and how RSA NetWitness Platform can help your SOC team manage them.