This training course provides an introduction to RSA ECAT, its capabilities, and how it addresses customer challenges. Learn how to identify and qualify ECAT opportunities, handle competitive situations, and position ECAT in the customer environment.
RSA SecurWorld ECAT: Product Introduction
Instructions For Completing This Training
• A self-paced learning format
• User-interface
• Player controls
• Course continuation
• Attachments
Note: These reference documents are RSA Confidential; made available to you because you have been authorized to take this training. These documents are not for general distribution.
Learning Objectives
Upon completion of this course, you should be able to:
• Describe RSA ECAT, its capabilities and differentiators
• Describe how RSA ECAT addresses customer challenges
• Identify an RSA ECAT opportunity
• Qualify the RSA ECAT opportunity and handle competitive situations
• Position RSA ECAT in the customer environment
Module One: Current State
• Explain what ECAT is and what it does
• Describe the market opportunity
• Describe the customer challenges (Before Scenarios)
• Define the capabilities needed to address the challenges (Required Capabilities)
• Understand the specific customer pains (Negative Consequences)
Course roadmap: Current State | Future State | The RSA Solution | Discovery | Proof Points
Enterprise Security Today
[Diagram: Internet -> perimeter security -> workstations]
• Workstations (antivirus): AV and other signature-based solutions have been rendered ineffective by targeted attacks.
• Perimeter security (firewall, anti-spam, gateway A/V, IDS, SIEM, network security monitoring): Bluetooth and WiFi can bypass inline devices.
• Inline devices can’t identify what happened on the host in a compromise.
Market Opportunity
• ECAT falls into the forensics and incident investigation segment, including both endpoint and network
• IDC estimates the size to be $356M in 2013, growing at 20%
Segment size by year (IDC): 2013: $356M; 2014: $422M; 2015: $489M
What We’ve Heard from Customers
Before Scenario:
• “Signature-based defenses are easily bypassed, leaving endpoints vulnerable.”
• “Unable to easily detect infected hosts and determine how severe the threat is.”
• “Can detect malicious activity on the network, but lack visibility into what’s happening on the host.”
Required Capabilities:
• Quickly identify malware without relying on signatures.
• Gain actionable intelligence that enables fast validation of a compromised machine and correlation to other infected hosts.
• Determine if a host is actually compromised and effectively remediate.
Solution: Detect, investigate and remediate active advanced threats with signature-less malware detection.
Negative Consequences
Internally:
• Loss of Intellectual Property (IP)
• Unplanned expenses of breach remediation
• IT security resource drain trying to identify affected machines
Externally:
• Loss of revenue & market share
• Loss of reputation/brand damage and customer trust
Module Two: Future State
• Describe an After Scenario that results from solving the customer’s problem
• Articulate the Positive Business Outcomes a customer can expect
• Define how success will be measured
After Using RSA ECAT
After Scenario:
• Easily detect the presence of unknown malware
• Quickly identify compromised machines
• Gain an understanding of the level of compromise in the midst of an advanced attack
• Allow ongoing monitoring for suspicious host activity
Positive Business Outcomes:
• Reduced attacker dwell time
• Reduced time to identify compromised machines
• Reduced time to investigate endpoints
• Reduced remediation costs
• Increased IP protection
Metrics
• Reduce endpoint scan time
• Reduce time to analyze and determine a machine is compromised
• Reduce attacker dwell time
• Reduce remediation costs
What have prior customers achieved?
• Get results very quickly
• Begin analyzing the data faster
What can our prospects expect to gain?
• Gain actionable intelligence
• Confirm if a machine is compromised & remediate
• Reduce unnecessary reimaging
Module Three: The RSA Solution
• Understand how RSA ECAT solves the customer problem
• Articulate how RSA ECAT fits the customers’ environment
• Identify the key differentiators and how we solve the problem better than the competition
What Does ECAT Do?
• Enterprise Compromise Assessment Tool
• Signature-less malware detection
• Detect, analyze & respond to advanced malware
• Deep analysis of the endpoint by combining multiple technologies and approaches
• ECAT’s host-based analysis complements the network visibility of RSA Security Analytics
• Security Operations Centers (SOCs) and Incident Response (IR) Teams will have a holistic view of their environments
RSA ECAT - Deployment Scenarios
• Incident Response
• Assessment
• Monitoring
Scenarios range from reactive (Incident Response) to proactive (Monitoring): automate detection of malware across hosts.
How RSA ECAT Works
[Diagram: ECAT agents on endpoints reporting to the ECAT server]
• Scans are scheduled to run automatically at set intervals
  • Quick scans throughout the day
  • Deep scans during evenings or weekends
• Deployed in an ongoing monitoring mode, where it’s actually tracking the host’s network traffic
• Data is sent back to the server and stored in the SQL database
  • Analysis
  • Suspect levels
• ECAT agent is very lightweight
  • Runs a scan of the system to create a full inventory of that machine
  • Typically takes between 4-12 minutes to complete
  • Can be done in parallel across all machines with agents
  • Identifies the code currently running in memory and all programs that are configured to run automatically at startup
  • Identifies and reports executables, DLLs and drivers to the server for processing and analysis
• If machine is compromised, security team can begin remediating
• Team can also quickly identify other machines exhibiting the same:
  • Malicious behavior
  • Suspicious network traffic
  • Malicious files
Server Software Requirements
[Diagram: ECAT agents on endpoints reporting to the ECAT server]
• Minimum & recommended configurations
  • Proof of Concept (POC) scenario
  • Small deployments (i.e. less than 100 agents)
• Recommended Microsoft SQL database is required
  • Free version or buy separately
• Hardware should be:
  • Microsoft Server 2008 R2
  • 32 GB of RAM
  • Quad core processor
  • Solid state disk (SSD)
  • 2 TB mass storage
• Database-driven client/server architecture
  • Support up to 5K endpoints
• Data is sent back to the server and stored in the SQL database
  • Standard scan report will take up about .5 MB
  • Minimal impact
• Unknown files will be sent to the repository
  • Scanned and analyzed
Agent System Requirements
[Diagram: ECAT agents on endpoints reporting to the ECAT server]
• Low kernel-level driver
• Supports 32 & 64-bit systems on all Windows versions
• Lightweight footprint
  • 2 MB on disk
  • 10-20 MB in live memory
• Scan can be set up as a low priority task
  • No impact to end user
• Perform a scan of system’s memory
  • All EXEs, DLLs and drivers are identified and reported
AHA! RSA ECAT Scan Techniques
• Most anti-malware solutions work at the computer’s internal and external interfaces
  • Network
  • Disk
  • USB drive
  • Email
• When malware bypasses those defenses, a payload gets loaded in memory
• That’s exactly where the ECAT agent is
  • Looking for malware footprints
  • Monitoring for dangerous behavior
1) Live Memory Analysis
• Full system inventory of everything in running memory
  • Executables, DLLs and drivers
• Per-process memory analysis vs. full memory dump
2) Direct Physical Disk Inspection
• Looks for all files on disk
• Validates Windows kernel internal structures
• Low-level system access
• Legitimate applications may do code injections and hooking, but malware most certainly will
  • Code injections and hooking
  • Hide in legitimate processes
• Validates system integrity with a sophisticated comparison of live memory & files found on disk, bypassing the Windows disk driver subsystem
  • Takes the file on disk, loads the image and checks whether it matches what’s running in memory
  • If there’s a difference, it shows that something has happened in memory that modified the loaded image
  • It doesn’t necessarily prove that it is malware
Critical technique used by ECAT: compares the file on disk with what is running in memory to make sure there has been no modification or tampering.
3) Host-Based Network Traffic Analysis
• Continuously monitors network traffic
• Provides statistical information
• Provides visibility even off corporate network
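The disk-versus-memory comparison described above, as an added example that is not RSA ECAT's code: it takes the bytes of a code section as loaded from the file on disk and the same section as read from the live process, reports each modified region, and states the verdict the slide gives (a mismatch is evidence of in-memory modification, not proof of malware). The two 64-byte sections are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Finding:
    offset: int    # byte offset into the code section
    disk: bytes    # bytes of the image loaded from the file on disk
    memory: bytes  # bytes read from the live process at the same offset

def diff_ranges(disk_image: bytes, memory_image: bytes, merge_gap: int = 4) -> List[Finding]:
    """Return contiguous regions where the live-memory image differs from the disk image.
    Differences closer together than merge_gap bytes are merged, so one patched
    instruction is reported as a single finding rather than byte by byte."""
    if len(disk_image) != len(memory_image):
        raise ValueError("both images must cover the same section size")
    findings: List[Finding] = []
    start: Optional[int] = None
    last = -1
    for i, (d, m) in enumerate(zip(disk_image, memory_image)):
        if d == m:
            continue
        if start is not None and i - last > merge_gap:
            findings.append(Finding(start, disk_image[start:last + 1], memory_image[start:last + 1]))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        findings.append(Finding(start, disk_image[start:last + 1], memory_image[start:last + 1]))
    return findings

def describe(findings: List[Finding]) -> str:
    """Analyst-readable verdict. A mismatch is evidence that the image was modified in
    memory, not proof of malware: legitimate software also patches and hooks, which is
    why the result is triaged against whitelists rather than acted on directly."""
    if not findings:
        return "memory image matches disk image"
    parts = [f"{len(f.memory)} byte(s) modified at offset 0x{f.offset:x}" for f in findings]
    return "memory differs from disk: " + "; ".join(parts)

# Constructed sample: a 64-byte stand-in for a code section as loaded from disk, and
# the same section as read from a running process with two patched regions.
DISK_SECTION = bytes(range(64))
_mem = bytearray(DISK_SECTION)
_mem[16:21] = b"\xff" * 5  # constructed: 5 contiguous bytes overwritten in memory
_mem[40] ^= 0x01           # constructed: a single flipped byte
MEM_SECTION = bytes(_mem)
```

Running `describe(diff_ranges(DISK_SECTION, MEM_SECTION))` reports the two regions; a real agent would feed each finding into the whitelisting step before raising the machine's suspect level.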
RSA ECAT Scan Results & Endpoint Scoring
• Security Operation Center (SOC) will have an early warning system on any scan results coming in from machines.
• Behavior analysis: which endpoints are likely compromised and to what degree, based on what was found during the scan.
RSA ECAT - Baselines and Whitelists
Baseline
• Compares scan results to a baseline from a clean machine to quickly eliminate clutter
• Analysts can:
  • Further investigate the files that weren’t whitelisted using different techniques
  • Make a determination about whether the machine is in fact compromised
Whitelisting
• Feature used by analysts during their investigations to differentiate known good files from unknown files
• If an analyst determines that a file is okay, it can be whitelisted
• If the same file is found on another machine, then it will automatically be whitelisted
• Drastically reduces the amount of work analysts have to do over time
• Server-side certificate validation
  • Issued by trusted authorities
  • Split between ECAT client & server to avoid tampering
  • If the certificate is valid, then the file is okay
• Compares each file against three whitelists to eliminate noise from legitimate files & applications
• Opswat Metascan scans against 8 or more AV engines (Opswat is a leading provider of software management & security technologies)
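The triage flow this slide describes, as an added example that is not RSA ECAT's code: each scanned file is checked against a clean-machine baseline, an analyst-maintained whitelist and a trusted-signer check, the survivors are grouped per host, and clearing a file once removes it from every host where it recurs. The whitelists, hashes, paths, signer name and the point values in `suspect_level` are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

@dataclass(frozen=True)
class ScanItem:
    host: str
    path: str
    sha256: str                # constructed short tokens stand in for real SHA-256 hashes
    signer: Optional[str]      # code-signing certificate subject, None if unsigned
    cert_valid: bool           # outcome of the server-side certificate validation
    memory_matches_disk: bool  # outcome of the disk vs. live-memory comparison

# Constructed whitelists standing in for the three the slide describes: a clean-machine
# baseline, the analyst-maintained list, and signers whose valid certificates clear a file.
BASELINE_HASHES: Set[str] = {"h-notepad"}
ANALYST_OK: Set[str] = set()
TRUSTED_SIGNERS: Set[str] = {"Example Software Vendor"}

def is_known_good(item: ScanItem) -> bool:
    if item.sha256 in BASELINE_HASHES or item.sha256 in ANALYST_OK:
        return True
    return item.cert_valid and item.signer in TRUSTED_SIGNERS

def mark_known_good(sha256: str) -> None:
    """An analyst clears a file once; every host where the same hash recurs inherits it."""
    ANALYST_OK.add(sha256)

def triage(items: Iterable[ScanItem]) -> Dict[str, List[ScanItem]]:
    """Files that survive all three whitelists, grouped by host, for analyst review."""
    unknown: Dict[str, List[ScanItem]] = {}
    for item in items:
        if not is_known_good(item):
            unknown.setdefault(item.host, []).append(item)
    return unknown

def suspect_level(unknown_files: List[ScanItem]) -> int:
    """Constructed scoring, not ECAT's: an unknown file counts 1; an unknown file whose
    live-memory image no longer matches its on-disk image counts 5."""
    return sum(1 if f.memory_matches_disk else 5 for f in unknown_files)

# Constructed scan results from two hosts (paths, hashes and signer are sample values).
SCAN = [
    ScanItem("host-a", r"C:\Windows\notepad.exe", "h-notepad", None, False, True),
    ScanItem("host-a", r"C:\Temp\svc.exe", "h-svc", None, False, True),
    ScanItem("host-a", r"C:\Temp\inject.dll", "h-inject", None, False, False),
    ScanItem("host-b", r"C:\Temp\svc.exe", "h-svc", None, False, True),
    ScanItem("host-b", r"C:\Program Files\Vendor\app.exe", "h-app", "Example Software Vendor", True, True),
]
```

`triage(SCAN)` leaves host-a with svc.exe and inject.dll and host-b with svc.exe; after `mark_known_good("h-svc")` only inject.dll on host-a remains, which is the noise reduction the slide claims.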
Remediation & Forensic Capabilities
ECAT is not a remediation tool – it is a detection tool
Malware event without ECAT:
• Scan the system with different antivirus packages
• If nothing is discovered, reimage the whole system
Malware event with ECAT, the team knows:
• Exactly where the malware is installed
• What files are running in memory
• How they launch at startup
• How they interact with trusted applications
Customers:
• Have a higher degree of certainty of whether there is a compromise and the nature of it
• Have actionable information and options to respond
Remediation Options
• Deploy HitmanPro (SurfRight)
  • Purchase optional 3rd party license to remove malware
  • Deploy from ECAT console
• Reimage machines
  • Use 3rd party tool to reimage machines
Forensic Data Gathering
• Gather data
• Do full memory dump
• Provide Master File Table (MFT) View
• Locate modified & deleted files in a forensically sound manner
Phases covered: Remediation, Incident Response, Forensics
Ongoing ECAT Scanning & Monitoring
• 2nd phase of deployment
• More proactive scanning and monitoring of hosts enterprise-wide
• Schedule deep or quick scans
• Deployed on machines
  • Monitor network connections
  • Conduct statistical analysis
  • Monitor different system operations
  • Receive tracking information & network traffic data
Top RSA ECAT Differentiators
Gain fast actionable intelligence to quickly identify compromises
Physical Disk & Live Memory Comparison
• Compares files in memory to files on disk
• Quickly identifies deviations
• Highlights suspicious activity
Centralized Whitelisting
• Uses three powerful whitelists to eliminate noise
• Provides faster analysis
• Reduces time to identify threats
ECAT Tracking System
• Traces a compromise back to point of exploitation
• Gains deeper understanding of attack methods
Complete Network & Endpoint Visibility
• Provides direct integration between ECAT and RSA Security Analytics
• Provides faster investigations
• Shortens dwell time
ECAT Tracking System
Where most solutions can tell customers only that there’s a problem, ECAT traces how it happened:
Malware.exe: user clicks on malicious email attachment or link -> code executes, vulnerability exploited -> malware hooks applications, then unloads -> injected code: browser or other “good” application now runs injected malicious code -> data exfiltrated out of organization
RSA ECAT:
• Trace the compromise back to the point of exploitation
• Gain a deep understanding of attack methods used
RSA ECAT & RSA Security Analytics: Detect and Respond to Advanced Threats
• RSA Security Analytics: capture & analyze logs, network packets, threat intel & business context
• RSA ECAT: detect suspicious endpoint activity
Integration:
• Directly query SA from ECAT
• Syslog alert of high Machine Suspect Levels (MSLs)
Benefits:
• Speed up investigations to shorten attacker dwell time
• Gauge compromise magnitude
• Complete network and host visibility
• Advanced threat detection on hosts
• Enable seamless investigations across the network and endpoints
• Pivot from endpoint to network views
• Have access to richer intelligence
Top Competitors
• Mandiant Intelligent Response (MIR)
  • Scans end-points based on Mandiant’s latest attacker intelligence
  • Relies on Indicators of Compromise (IOCs)
• HBGary (ManTech) Active Defense
  • Uses Digital DNA technology to detect and score OS threats running in physical memory
  • Relies on full memory dumps, which are time consuming and difficult to analyze
• Competitive Resources
  • RSA Fight Site
  • Competitive video
What About FireEye?
• NOT a direct competitor of ECAT
• May compete for money
• ECAT provides deep visibility into the host to detect malware
• FireEye is network-based
Module Four: Discovery
• Understand the target markets and key industries to focus on
• Articulate key discovery questions for determining the extent of the customer problem
• Develop questions that truly expose the ‘pain’ to the customer
• Identify trap setting questions to help guide the customer towards the RSA ECAT solution
2013 Go-To-Market
• Security Analytics Sales & SE Teams:
  • Quoting
  • Demoing
  • Proof of Concepts
• Directed Availability:
  • Only SA Team can quote & sell RSA ECAT
  • Deals limited to 5K licenses
  • Professional Services & Customer Education Services must be included
• Call to Action:
  • Involve SA Sales Team in any opportunities
  • Contact ECATAnswers@emc.com with any questions
Target Markets & Industries
• Organizations that:
  • Are concerned about advanced, targeted attacks
  • Have intellectual property that is the target of advanced attacks
  • Have a Security Operations Center (SOC) or Critical Incident Response Team (CIRT)
  • Are existing NetWitness/Security Analytics customers
• Examples:
  • Government & intelligence community
  • Manufacturing
  • Technology
  • Services
Stakeholders
• Key Roles to Target:
  • SOC/CIRT Manager
  • SOC/CIRT Analyst
  • Malware Analyst
  • IT Security Manager/Director
• Typical Economic Buyer:
  • Chief Information Security Officer (CISO)
  • Chief Information Officer (CIO)
Trap-Setting Questions
• How long does it take to scan your environment for threats?
• How quickly can you identify compromised machines?
• How do you detect an unknown threat?
Competitive notes:
• Mandiant relies on Indicators of Compromise (IOCs), which is signature-based detection, so it can only detect known threats
• Mandiant sweeps can take weeks to complete
• There’s no way to filter out known good files, causing information overload for analysts
Module Five: Proof Points
• Describe how other RSA customers have solved similar problems using RSA ECAT
Success Stories
• Use ECAT in CIRC along with all other RSA products
• When NetWitness identifies suspicious network activity, it deploys ECAT to that endpoint
• Saves a lot of time and effort when using ECAT compared to other solutions
• Currently deploying across EMC environment for monitoring
• Moving towards becoming more proactive instead of reactive
• Long-standing relationship
• Uses ECAT in Incident Response engagements and proactive assessments with Fortune 500 companies
• Led customers to purchase perpetual ECAT licenses after their engagements
Pains before ECAT: very time consuming to scan the environment; tedious to identify infected machines based on the results
Course Summary
During this course, you have learned to:
• Describe RSA ECAT, its capabilities and differentiators
• Describe how RSA ECAT addresses customer challenges
• Identify an RSA ECAT opportunity
• Qualify the RSA ECAT opportunity and handle competitive situations
• Position RSA ECAT in the customer environment