
September 10th, 2014 07:00

Ask the Expert: What's New: RSA Security Analytics 10.4 & RSA ECAT 4.0



This Ask the Expert session will cover the just-announced release of RSA Security Analytics 10.4 and RSA ECAT 4.0. These releases mark significant milestones for both products and include many powerful new features that will go a long way toward helping SOCs go from the hunted to the hunter. Some highlights of the releases include:

  • Complete visibility and rapid investigations, enabling you to focus on the most important security incidents. Teams can now rapidly investigate incidents with network packet, endpoint, log and NetFlow data to understand the true nature and scope of an incident.

  • All the capabilities of a log-centric SIEM … and beyond. By using both endpoint data and network data, RSA Security Analytics & RSA ECAT can spot incidents that logs can't, while meeting all the requirements of a traditional SIEM tool.

  • Discover hidden endpoint malware in real time. RSA ECAT can detect malware and other endpoint threats that go undiscovered by traditional AV, and can quickly investigate and analyze suspicious endpoint activity. Once malware is discovered, easily determine how far it has spread through the enterprise.

The highlights mentioned above are just the tip of the iceberg. There are too many new features to list them all! Fortunately, Brian Dunphy, the head of RSA's Advanced SOC product management group, is here to answer any questions you might have about RSA Security Analytics 10.4 and RSA ECAT 4.0.

Your Host:

Brian Dunphy is the Senior Director of Product Management for Security Analytics at RSA, where he leverages his experience with security monitoring and analytics, incident response, crisis management and security operations. Prior to his current role, Brian spent a decade at Symantec in their MSS group, focusing on delivering security services to global Fortune 500 companies, and eventually becoming the Senior Director of MSS Product Management.

Brian graduated from Carnegie Mellon University with a Bachelor's degree in Computer Engineering, followed by a four-year stint as an Incident Response Lead at DISA while serving in the United States Air Force.

This discussion takes place September 15 - 26. Get ready by following this page to receive updates in your activity stream or through email.


September 15th, 2014 04:00

This discussion is now open for questions. We very much look forward to an interactive and informative discussion.


September 19th, 2014 12:00

Has the ability to create dashboards from ESA Alerts been added into 10.4?


September 22nd, 2014 11:00

Unfortunately we were unable to add that to 10.4, hopefully we will have it in a future release


September 23rd, 2014 14:00

What are the new features in RSA Security Analytics 10.4?

September 24th, 2014 06:00

There are quite a few new features and we're really proud of this release. Some of the major categories of new features are:

· Complete Visibility. SA 10.4 expands our visibility story by expanding from logs and packets to endpoint and NetFlow visibility. For endpoint visibility, RSA ECAT extends our insight into high-risk processes and file visibility, while NetFlow provides visibility into internal traffic and lateral movement.

· Rapid Investigations. We have added a series of enhancements for analysts, including improved performance and advanced abilities to query and search. The SA 10.4 capabilities provide security analysts the ability to hone in on issues with precision and speed.

· SIEM & Beyond Analytics. Unlike other SIEMs, Security Analytics can detect events not only using logs, but with meta from packets and ECAT alerts. In SA 10.4 we also enable the RSA Analytics Warehouse to deliver packaged data-science-based analytics to detect "under the radar" attacks.

· Prioritized Incident Management. We now have the capability to prioritize alerts, enabling analysts to natively perform incident management in RSA Security Analytics and combine alerts across logs, endpoints, packets and malware data into incidents. Security teams can drive actions such as assigning incidents, triggering investigations, and commenting in an analyst journal. This new capability also integrates with SecOps for Archer for enhanced workflow, pre-defined incident response procedures, breach management and additional investigative context.

· Scalable and Modular Platform. We offer SIEM, Network Forensics, and Endpoint Detection in modules to provide customers a platform that they can build on as their security program matures. Deploy the entire solution, or just the modules you need right now.

September 25th, 2014 12:00

Does 10.4 have the ability to show in the UI the parser XML file, so that we can determine what messages SA knows about without having to look at the file through an SSH or WinSCP session? Along with this, is there a place in the GUI where we can map the eventid that we find in the parser XML file to the event category name that is used within the UI for meta, without having to use SSH or WinSCP to manually pull the ecat file and find it?

September 25th, 2014 12:00

Does 10.4 have the ability to do device grouping? When writing an alert in ESA, if we want to only know if core switches have high alerts, we currently have to put all 20+ IPs manually into the ESA logic (and do this for each alert). Being able to group devices easily by function/location would be a huge time-saver.

September 25th, 2014 12:00

Device grouping is targeted for our next release of Security Analytics. In the meantime, with SA 10.4 you can create Incident Management rules that would group by IP fairly simply.

September 25th, 2014 12:00

We've seen a lot of issues around reports not running when using a time frame of more than 30 minutes to an hour. They give us 500 internal server errors; will this be resolved in 10.4?

September 25th, 2014 12:00

How does 10.4 handle being able to report on its own health? I.e. alerting when a service is down, alerting when traffic is congesting the system, alerting/monitoring of systems within a single pane of glass.

September 25th, 2014 12:00

Does SA 10.4 tag a device's hostname as meta to logs as they come in? This would be useful to create dynamic device groups based on REGEX values of the hostnames.

September 25th, 2014 12:00

Does 10.4 have the ability to show in the UI the parser XML file, so that we can determine what messages SA knows about without having to look at the file through an SSH or WinSCP session?

>>No, it does not

Along with this, is there a place in the GUI where we can map the eventid that we find in the parser XML file to the event category name that is used within the UI for meta, without having to use SSH or WinSCP to manually pull the ecat file and find it?

>>No, it does not

September 25th, 2014 12:00

How does SA 10.4 better handle using Active Directory-based authentication, and can this be configured and managed from the UI? Along with this, how does 10.4 better handle reporting on failed logins to the console?

September 25th, 2014 12:00

Does SA 10.4 have a device or asset table? Somewhere that is a central repository for all devices that have reported into SA, where descriptions and notes could be added (i.e. location, refresh date, etc.).

September 25th, 2014 12:00

I heard that in 10.4 we will be able to do static device typing (i.e. lock an IP address to a specific device type like Cisco Router). Where and how will this be accomplished?

