What will you Learn:
1. How to gain endpoint visibility and detection capabilities to expose malware and respond with precision to stop attackers.
2. How to use actionable intelligence for rapid breach detection across all endpoints, including those that may already have been infected but not yet identified as active participants in an intrusion.
3. How to increase Security Operations Center (SOC) efficiency by providing a method to gauge the magnitude of an intrusion and reduce incident response time.
Note: the following quote is from the lead Malware Analyst in EMC’s CIRC (part of EMC’s case study):
RSA ECAT collects a ton of information about the endpoint, and provides analysts with an effective way to analyze it.
RSA ECAT provides several built-in tools to help security analysts determine if a file is malicious, including the ability to check the legitimacy of file certificates and hashes, check for known-threats, identify any code modifications typically made by malware, and more.
Tools:
File Hashes - check files against databases of known file hashes. ECAT provides two hash databases: Bit9 (licensed through RSA) and NIST (provided at no added charge). If a file hash is known to be good, there is a good chance that the file is legitimate and can be trusted. Any modification to the file (e.g. malware making changes to it) changes the file hash. Hash types checked: SHA-256, MD5, SHA-1.
Cert Validation - ECAT validates the “digital stamp” (code signature) applied to files when software vendors release them. Code signing certificates are issued to companies and individuals by trusted authorities such as VeriSign, which follow a strict authentication process. Certificate validation is performed on the ECAT server to avoid potential tampering by malware on the agent/client side. If the cert is valid, that is evidence that the file is likely legitimate.
Flag known threats - ECAT can check for known threats so analysts don’t waste time investigating them and can focus their effort on validating unknown threats. There are two sources of known threats that can be integrated with ECAT:
YARA rules: YARA is an open source tool used by many organizations to identify and classify malware. Customers can incorporate their own YARA rules as another source to check files against and identify known threats.
OPSWAT Metascan: Metascan is a multi-engine AV scanner that combines unique technologies and engines from four or more AV vendors to scan for known threats. Metascan is installed on the ECAT server, and all incoming files are checked against the AV engines to automatically find known threats. Endpoints on which a known threat is found are automatically flagged as infected in the ECAT console.
Web searches - Analysts can use VirusTotal, Google, etc. to search for information in the security community about a file (e.g. has this file hash been seen before, and is it associated with a known threat?). This is another way to help analysts validate during an investigation whether a file is legitimate.
File analyzer - If a copy of the file has been downloaded to the ECAT server, a built-in file analyzer can be used to inspect the strings contained in the file.
Environment correlation - Security teams have context about how many machines a particular file has been found on, whether the file is active or dormant on a machine, and which machines are connecting to a particular IP address.
Whitelist: With RSA ECAT, security analysts have the flexibility to whitelist known-good (trusted) files and filter them from view during an investigation.
Blacklist: You can also blacklist known-bad files and IPs so that they are automatically flagged if found on any endpoint. This helps reduce time during an investigation.
The ability to whitelist and blacklist significantly reduces the amount of data analysts have to investigate (see customer quote on slide), and the suspect levels that ECAT automatically applies help analysts focus their investigations even further.
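As an added illustration of the hash lookup and whitelist/blacklist triage described under File Hashes and Whitelist/Blacklist above (example code written for this page, not RSA ECAT’s own code), the following Python script computes the three digests for a file, matches them against known-good and known-bad hash sets, and shows that a one-byte change to a trusted file drops it out of the known-good set. The file contents and both hash sets are constructed placeholders, not real databases.

```python
import hashlib

ALGOS = ("md5", "sha1", "sha256")  # the hash types compared against the databases


def file_hashes(data: bytes) -> dict:
    """Compute all three digests of a file's bytes, keyed by algorithm name."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ALGOS}


# Constructed stand-ins for files collected from endpoints (not real binaries).
GOOD_FILE = b"MZ\x90\x00 constructed benign binary contents"
BAD_FILE = b"MZ\x90\x00 constructed malicious binary contents"

# Constructed lookup sets. A known-good source may only publish MD5/SHA-1 while a
# blacklist may be SHA-256 only, so each set is keyed by algorithm and a match
# on any one algorithm counts.
KNOWN_GOOD = {"md5": {file_hashes(GOOD_FILE)["md5"]}, "sha1": set(), "sha256": set()}
KNOWN_BAD = {"md5": set(), "sha1": set(), "sha256": {file_hashes(BAD_FILE)["sha256"]}}


def matches(hashes: dict, db: dict) -> bool:
    """True if any of the file's digests appears in the corresponding set."""
    return any(hashes[algo] in db[algo] for algo in ALGOS)


def triage(data: bytes, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD) -> str:
    """Blacklist takes precedence over whitelist; anything else stays 'unknown'
    and is left for the analyst rather than filtered from view."""
    hashes = file_hashes(data)
    if matches(hashes, known_bad):
        return "known-bad"
    if matches(hashes, known_good):
        return "known-good"
    return "unknown"


def patch_one_byte(data: bytes, offset: int = 8) -> bytes:
    """Flip one bit at the given offset to model an in-place modification of a
    trusted file; every digest changes, so the known-good match is lost."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]


if __name__ == "__main__":
    samples = (("good", GOOD_FILE), ("bad", BAD_FILE),
               ("patched good", patch_one_byte(GOOD_FILE)))
    for label, blob in samples:
        print(f"{label:13} -> {triage(blob)}")
```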
Easily move between endpoints, network packets & logs during investigations:
Direct integration between RSA ECAT and RSA Security Analytics provides comprehensive visibility into endpoint activity, network packets, and logs, and enables your analysts to seamlessly transition between endpoint and network views during investigations.