RSA today rolled out an orchestration and automation tool for its security information and event management (SIEM) product, along with new endpoint capabilities and other updates built into the platform.
The company also today said it will acquire Fortscale, a behavioral analytics startup based in San Francisco. Terms of the deal were not disclosed. Fortscale’s technology will provide new user and entity behavioral analytics (UEBA) capabilities embedded in the NetWitness Platform.
RSA hosts its annual conference next month in San Francisco. The company will showcase the new capabilities at the security event, said Mike Adler, VP of RSA NetWitness Platform.
The security vendor, which is 100 percent owned by Dell Technologies, competes against SIEM products from companies including IBM, Splunk, LogRhythm, and McAfee with its NetWitness Platform.
RSA’s product uses network full-packet capture, security event and log data, NetFlow, and telemetry from endpoints to detect and analyze threats and to support incident response and forensics.
The latest version, available today, adds three new capabilities: an endpoint agent, UEBA, and greater log visibility.
The free endpoint agent means customers don’t need to buy a separate security tool to manage endpoints and collect Microsoft Windows logs, Adler said. “If you are a customer, this is now built-in for you,” he said.
The agent can be deployed on servers, laptops, and other machines to perform endpoint inventory scans. It also forwards Microsoft Windows logs to the platform.
“I describe this as completing the last mile of the investigation,” Adler said. “When an analyst in a SOC sees an alert coming in from logs they have parsed and stored, or they ID suspicious behavior they want to investigate, now they don’t need a separate tool or separate screen. It’s right in the platform, and it’s built for the endpoint.”
The second new feature provides instant log visibility using what RSA calls “dynamic parsing” technology. This allows companies to parse log data sources and immediately access security data.
“A lot of folks struggle with extracting the right amount of data to be useful in a security context,” Adler said. “This can take any log and extract from it the major components of that log line.” This includes user names, user resource identifiers (URIs), IP addresses, and time stamps. The SIEM tool now sees all of this data and gives it context.
“This makes it easier to manage, and for folks operating and collecting that data to be successful early and often,” he said.
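To make the schema-less extraction described above concrete, the following is an added example written for this article, not RSA’s dynamic parsing code: it pulls timestamps, IPv4 addresses, user names and request URIs out of constructed log lines in three unrelated formats (sshd syslog, an Apache-style access log, and a PAM/su message) without a per-source parser. The sample lines and the regular expressions are assumptions chosen for illustration.

```python
import re

# Constructed sample lines in three unrelated formats: sshd syslog, Apache
# CLF-style access log, and a PAM/su session message (not taken from any real system).
SAMPLE_LOGS = [
    "2024-03-01T10:15:32Z sshd[4242]: Failed password for alice from 203.0.113.7 port 52213 ssh2",
    '198.51.100.23 - bob [01/Mar/2024:10:16:01 +0000] "GET /admin/login?next=/ HTTP/1.1" 401 512',
    "Mar  1 10:17:45 host1 su: pam_unix(su:session): session opened for user root by carol(uid=1000)",
]

# Timestamp shapes: ISO 8601, Apache CLF, and classic BSD syslog (no year).
TIMESTAMP_RE = re.compile(
    r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z"
    r"|\d{2}/[A-Z][a-z]{2}/\d{4}:\d{2}:\d{2}:\d{2} [+-]\d{4}"
    r"|[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}"
)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# HTTP request line: method, then the URI we want, then the protocol token.
URI_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) (\S+) HTTP/')
# Common ways a user name is introduced; each pattern has exactly one capture group.
USER_RES = [
    re.compile(r"\bfor (?:invalid user )?([A-Za-z_][\w.-]*) from\b"),  # sshd auth messages
    re.compile(r"\bfor user ([A-Za-z_][\w.-]*)\b"),                    # PAM target user
    re.compile(r"\bby ([A-Za-z_][\w.-]*)\("),                          # PAM calling user
    re.compile(r"^\S+ \S+ ([A-Za-z_][\w.-]*) \["),                    # CLF authuser field
]

def extract_fields(line):
    """Pull timestamp, IPv4 addresses, user names and request URI out of one
    line without knowing its source format in advance."""
    ts = TIMESTAMP_RE.search(line)
    uri = URI_RE.search(line)
    users = []
    for pat in USER_RES:
        for name in pat.findall(line):
            if name not in users:  # keep first-seen order, drop duplicates
                users.append(name)
    return {
        "timestamp": ts.group(0) if ts else None,
        "ips": IPV4_RE.findall(line),
        "users": users,
        "uri": uri.group(1) if uri else None,
    }

def parse_logs(lines):
    """Apply the extractor to every line and return one record per line."""
    return [extract_fields(line) for line in lines]

if __name__ == "__main__":
    for record in parse_logs(SAMPLE_LOGS):
        print(record)
```

Timestamps are returned as they appear in the line; normalizing them to one time zone and format is the next step before the fields are useful for correlation.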
Finally, the UEBA capabilities from the Fortscale acquisition leverage user, network, and endpoint behavioral profiling. Machine learning and analytics identify what’s normal user behavior and what looks suspicious. “It identifies behaviors customers are potentially missing from a security point of view because they don’t have the ability to analyze what users are doing,” Adler said.
RSA today also announced NetWitness Orchestrator, an add-on to the platform that will be available later this month.
“It combines orchestration and management with the ability to automate investigations and then respond to incidents within the platform itself,” Adler said.
The orchestration tool uses machine learning to draw on past analyst interactions and investigations, building playbooks and identifying the best course of action for an investigation. It can also automate responses, which helps security teams facing a shortage of security professionals and massive threat volumes reduce time to remediation, Adler said.
“If we can help customers automate the regular occurrences, the events they deal with on a day-to-day basis, we can free up security analysts to deal with the most critical threats, the one-offs that do look really suspicious,” he added.