Security Analytics Key Features

Symantec Security Analytics arms today’s incident response teams against modern threats. Packed with award-winning technology and features, Security Analytics exposes the full source and scope of any threat or attack targeting your information assets and significantly shortens the time needed to conduct complete network forensics investigations.

Summary View

With Security Analytics you have the flexibility and freedom to create multiple, customized views for each use case to suit your incident-response workflow. Add and rearrange report widgets to your selected view to display summarized data in table, pie, bar, or column charts. Create new views for specialized use cases. No matter your preference, the summary view provides instant situational awareness of your network on a single page.

Active Reports

Identify evasive exploits and malware with Symantec Security Analytics reports, which provide a detailed, vivid picture of network traffic while giving users the power to respond to incidents as they unfold. Reports are a key navigation point, helping even novice users pinpoint their target data faster and with more accuracy. Reports fall into these categories:

  • applications
  • DNS
  • email activity
  • encryption
  • files
  • geolocation
  • network packets
  • social personas
  • threat intelligence
  • web activity

Extractions of Artifacts

The most powerful contributor to situational awareness is the ability of Security Analytics to reconstruct network traffic exactly as it passed over the wire, producing evidence that makes sense. With every packet captured and classified, discovering, reconstructing and delivering files in their original format is quick and intuitive. See the web page as the user saw it. View IM and email conversations. Reconstruct PDFs, Word documents, PowerPoint presentations, Excel spreadsheets and more in their original format. Perform surveillance on a host or an individual and deliver real, recognizable evidence, not just a collection of packets. An artifacts timeline provides a histogram of network artifacts over time; it helps incident response specialists quickly visualize a sequence of events and significantly improves artifact search performance.

Artifact Preview

Because Security Analytics reconstructs network traffic into its artifacts, it also offers a Preview capability. Content can be viewed in a number of ways depending on what was reconstructed: web pages can be previewed as the user saw them, VoIP recordings can be replayed as audio, and numerous other formats are supported.

Application Classification

Identify network activity by peering deep inside packet data to find the telltale signs of malicious intent. Symantec Security Analytics classifies more applications crossing your network than any other network forensics solution. More than 3,100 applications and thousands of attributes are recognized and indexed for easy search and recovery. Not only can you identify specific applications in network traffic, you can search metadata attributes such as To, From, Subject Line, Protocol, Tunnel Initiator, Presented MIME Type, Detected (magic number) File Type, and more within network flows.

User-Selectable Metadata

Simply check a box to enable or disable hundreds of metadata types and their associated reports. This allows systems to be tuned for the environment they are deployed in. When specific use cases call for very fast raw packet capture – without the need for extensive metadata enrichment – Security Analytics delivers. Selectively turn off data enrichment and significantly boost capture performance on a single appliance.

Symantec Intelligence Services

All traffic that is captured on a Symantec Security Analytics appliance is analyzed for any known malicious web, mail and file-based threats. Security Analytics uses Intelligence Services for Security Analytics to harness the Symantec Global Intelligence Network, threat intelligence from 175 million endpoints reporting on billions of web and URL threats.

Reputation Services/Data Enrichment

Unknown content can be sent to Content Analysis for further inspection and sandboxing. Additionally, Security Analytics delivers on-demand reputation checks from multiple trusted threat intelligence providers, including:

  • VirusTotal
  • Google Safe Browsing
  • Domain Age
  • RobTex
  • Team Cymru
  • Lastline
  • SORBS
  • YARA
  • WHOIS

Indicators/Rules

Indicators use a structured language to observe and identify specific activity. Use built-in metadata attributes, automatically updated third-party indicator data, or custom updates from virtually any source.

Rules automate alerts and common follow-on actions based on any indicator. For example, automatically export matching traffic to a PCAP, enrich the retained metadata, send artifacts to file shares, or hand them to third-party tools such as DLP or endpoint solutions for analysis. Tune the notification frequency to what your incident response team and processes require.
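To make concrete how indicators and rules fit together, here is an added example that is not Symantec's code and not the product's own rule syntax: a minimal engine that evaluates structured indicators against flow metadata records, raises an alert carrying the indicator's threat score, dispatches the rule's actions (export to PCAP, notify) and throttles notifications per indicator. The indicator operators, the field names such as mime and magic, the action names and the sample flows are assumptions made for this illustration.

```python
"""Added example (not Symantec's code): a small indicator/rule engine over
flow metadata, in the spirit of the Indicators/Rules feature. The indicator
syntax, field names, actions and the sample flows are assumptions."""
from dataclasses import dataclass

# Operators an indicator clause may apply to one metadata field.
OPS = {
    "eq": lambda v, t: v == t,
    "ne": lambda v, t: v != t,
    "in": lambda v, t: v in t,
    "contains": lambda v, t: t in v,
    "gt": lambda v, t: v > t,
}

@dataclass
class Indicator:
    name: str
    clauses: list               # [(field, op, target), ...]; every clause must hold
    score: int = 50             # threat score attached to the alert

@dataclass
class Rule:
    indicator: str
    actions: list               # e.g. ["export_pcap", "notify"]
    notify_every_s: float = 0.0 # throttle: at most one notify per window

def indicator_matches(ind, flow):
    """True when every clause holds; a field missing from the flow never matches."""
    for fld, op, target in ind.clauses:
        value = flow.get(fld)
        if value is None or not OPS[op](value, target):
            return False
    return True

class RuleEngine:
    def __init__(self, indicators, rules):
        self.indicators = {i.name: i for i in indicators}
        self.rules = rules
        self.alerts = []            # every indicator hit: (indicator, score, flow id)
        self.actions = []           # dispatched actions: (action, indicator, flow id)
        self._last_notify = {}      # indicator -> time of the last notification sent

    def process(self, flow, now):
        for rule in self.rules:
            ind = self.indicators[rule.indicator]
            if not indicator_matches(ind, flow):
                continue
            self.alerts.append((ind.name, ind.score, flow["id"]))
            for action in rule.actions:
                if action == "notify":
                    last = self._last_notify.get(ind.name)
                    if last is not None and now - last < rule.notify_every_s:
                        continue    # suppressed: still inside this indicator's notify window
                    self._last_notify[ind.name] = now
                self.actions.append((action, ind.name, flow["id"]))

# Constructed flow metadata records (seconds, record); not real traffic.
SAMPLE_FLOWS = [
    (0, {"id": 1, "app": "http", "dst_ip": "203.0.113.7", "host": "cdn.example.net",
         "mime": "image/png", "magic": "PE32", "bytes": 812000}),
    (10, {"id": 2, "app": "smtp", "dst_ip": "198.51.100.20", "subject": "Invoice",
          "magic": "ZIP", "bytes": 5400}),
    (20, {"id": 3, "app": "http", "dst_ip": "203.0.113.7", "host": "cdn.example.net",
          "mime": "text/html", "magic": "HTML", "bytes": 2200}),
    (30, {"id": 4, "app": "dns", "dst_ip": "192.0.2.53",
          "query": "x7k2q.badexample.test", "bytes": 90}),
]

INDICATORS = [
    # Presented MIME type disagrees with the detected (magic-number) file type.
    Indicator("exe-disguised", [("app", "eq", "http"), ("magic", "eq", "PE32"),
                                ("mime", "ne", "application/x-msdownload")], 80),
    Indicator("known-bad-ip", [("dst_ip", "in", {"203.0.113.7"})], 60),
    Indicator("dns-bad-domain", [("query", "contains", "badexample.test")], 40),
]
RULES = [
    Rule("exe-disguised", ["export_pcap", "notify"]),
    Rule("known-bad-ip", ["notify"], notify_every_s=60),   # one notification per minute
    Rule("dns-bad-domain", ["export_pcap"]),
]

def run_rules_sample():
    """Feed the constructed flows through the rules and return the engine."""
    engine = RuleEngine(INDICATORS, RULES)
    for now, flow in SAMPLE_FLOWS:
        engine.process(flow, now)
    return engine
```

With the sample data, flow 3 hits the known-bad-ip indicator again 20 seconds after flow 1, so it is recorded as an alert for the dashboard but produces no second notification; the exe-disguised indicator is the mismatch between presented MIME type and detected file type that the Application Classification section describes.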

Alerts Dashboard

To provide a comprehensive view of your network activity and highest priority alerts at first glance, the Security Analytics web interface defaults to the Alerts Management Dashboard. This new view presents a histogram of alert activity plus new “alert cards” that pivot to filtered lists of alerts and their threat scores. From this page you can filter your alerts by IP, by indicator, or by threat level.

Packet Analyzer

For those who love a good packet (and what incident response team doesn’t), but hate multiple steps for analysis, Security Analytics includes a full-featured packet analyzer right on the appliance. No need to transfer huge files over the network just to determine that the packets you were looking for aren’t in there. Use Wireshark filter syntax and conduct your deep analysis without having to leave the comfort of the Security Analytics interface. Filtered results are always one click away. Very powerful!

Anomaly Detection

An exciting new feature, anomaly detection performs statistical analysis on your captured data and alerts you on anomalous behavior. When you pivot from the alert to the new Anomaly Investigation view, you can see when the anomaly occurred, how often, and which other endpoints were involved.

PCAP Import

The rich analysis of Security Analytics can be applied to PCAPs from other sources or that you may already have. You can also optimize available Security Analytics storage by exporting captured network traffic as PCAPs to external storage for later import and analysis as needed. PCAP Import also allows forensics analysts and incident response teams to obtain detailed information and analysis from PCAPs delivered by external sources.

Seamless Integrations

Symantec Security Analytics integrates with best-of-breed network security technologies to give them the ability to pivot directly from an alert or log and obtain complete packet-level detail and artifacts of the event before, during and after the alert. The open, web services REST API lets you leverage technologies like HP ArcSight, Splunk, IBM QRadar, Guidance, CounterTack, Symantec ATP and more. Streamline your incident response workflow and establish the complete source and scope of an attack.

Central Manager

Central Manager provides a single point of management for Security Analytics appliances, virtual machines and high-density storage deployments. It delivers central access to all Security Analytics sensors for directed, aggregate searches and management, without the need for heavy data replication. Supporting over 200 sensors, Central Manager makes it easy for incident response teams to conduct efficient and comprehensive global investigations across the entire organization.

Media Panel

Nothing tells a story like a picture. When trying to enforce acceptable Internet use policy, quickly see what images are crossing your network and who’s viewing them. Media panel lets you quickly view and analyze all image and audio files to see exactly what the user experienced. Filter by file, extension or size and associated metadata such as: URL, source/destination IP, size or MIME type. A picture is worth a thousand words and can lead to details of unsanctioned or malicious activity.

Geolocation

With Security Analytics Geolocation you see the origin and destination of all network traffic. Identify patterns and concentrations of traffic traveling to and from non-traditional locations. See hot spots of activity, zoom in on specific paths and flag IP addresses, locations or even countries as suspicious. Abnormal traffic patterns may be the starting point of an investigation and reduce your time to resolution. Export any network traffic as a .kml file and import it into Google Earth. “Traffic to a restricted country – that’s not right!”

Root Cause Explorer

Quickly get to the root cause of an attack with automatic tracing of HTTP referrer chains. Root Cause Explorer correlates relevant email, IM, and HTTP information for quick analysis and discovery of how the threat entered the network and the subsequent activities. As one user stated – “You’ve made one of the most time-consuming, rote functions of my job as simple as pushing a button …That was easy!”

SCADA

Industrial Control Systems (ICS) are attractive targets for cyber attack and like the rest of the network, require complete visibility. Security Analytics supports SCADA protocol analysis and delivers the power of Symantec Security Analytics to industrial control environments. Security Analytics monitors Modbus and DNP3 protocols that are common in networks that control operations at nuclear facilities, water treatment plants, power plants, oil refineries, manufacturing facilities…and numerous other industries. Use of Indicators, Rules (notifications) and Anomaly Detection is possible on indexed SCADA attributes.

Dynamic Filtering

Not all traffic is created equal…or equally malicious. Incident response teams may choose to eliminate traffic they don’t see as a threat and prioritize available capture storage to optimize their investment. With Security Analytics, you can selectively filter, and not capture, packets based on rule settings. Eliminate streaming video or music, video conferencing and a whole lot more. This increases your capture window so you can focus on what you feel is most critical.

Filter & Replay Traffic

Filter inbound and outbound traffic by protocol, IP, MAC address, payload type, or unique bit pattern. Filter at the header or payload level. Apply multiple filters with the ability to start and stop filters at any time, while continuing to capture traffic. You can also import filters in standard Berkeley Packet Filter (BPF) format. Replay captured traffic to other tools to validate their effectiveness after they have been updated with new signatures or threat intelligence. By replaying historical traffic to updated tools you can determine whether you were infected before that new threat was classified. This level of control is unique to Symantec Security Analytics and provides the flexibility to capture and direct the traffic you consider most important to your investigations.
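The PCAP Import and Filter & Replay features above both rest on the same two mechanics: reading and writing the libpcap file format, and evaluating a BPF expression against each frame. The following is an added example, not Symantec's code, that parses a libpcap file, compiles a small BPF subset (tcp, udp, host, port, src/dst qualifiers, not/and/or, parentheses) into a predicate, and writes the frames that pass to a new PCAP that can be imported or replayed to another tool. The sample capture is constructed inline from synthetic frames; the decoder, the BPF subset and the filter expressions are assumptions for this illustration and cover only Ethernet/IPv4 with TCP or UDP.

```python
"""Added example (not Symantec's code): parse a libpcap file, apply a BPF-style
filter and write the surviving frames to a new PCAP for replay or import.
The BPF subset, the IPv4 decoder and the sample capture are assumptions."""
import socket, struct

PCAP_MAGIC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps

def read_pcap(data):
    """Return [(timestamp, frame_bytes)]; detects the writer's byte order."""
    end = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(end + "I", data[:4])[0] != PCAP_MAGIC: raise ValueError("not a libpcap file")
    off, pkts = 24, []                                  # skip the 24-byte global header
    while off + 16 <= len(data):                        # 16-byte per-record header
        sec, usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        pkts.append((sec + usec / 1e6, data[off + 16:off + 16 + incl]))
        off += 16 + incl
    return pkts

def write_pcap(pkts, linktype=1):
    """Serialise [(timestamp, frame_bytes)] as little-endian libpcap (Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)]
    for ts, raw in pkts:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(raw), len(raw)) + raw)
    return b"".join(out)

def decode(raw):
    """Ethernet/IPv4 5-tuple, or None for non-IPv4 frames; ports only for TCP/UDP."""
    if len(raw) < 34 or raw[12:14] != b"\x08\x00": return None
    l4 = 14 + (raw[14] & 0x0F) * 4
    pkt = {"proto": raw[23], "src": socket.inet_ntoa(raw[26:30]),
           "dst": socket.inet_ntoa(raw[30:34]), "sport": None, "dport": None}
    if pkt["proto"] in (6, 17) and len(raw) >= l4 + 4:
        pkt["sport"], pkt["dport"] = struct.unpack("!HH", raw[l4:l4 + 4])
    return pkt

def compile_bpf(expr):
    """BPF subset -> predicate over decode() output. Primitives: tcp, udp, [tcp|udp]
    [src|dst] host A, [tcp|udp] [src|dst] port N; not/and/or (BPF precedence), parentheses."""
    toks, pos = expr.replace("(", " ( ").replace(")", " ) ").split(), 0
    def peek(): return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos; pos += 1
        if pos > len(toks): raise ValueError("unexpected end of filter")
        return toks[pos - 1]
    def parse_or():
        terms = [parse_and()]
        while peek() == "or": take(); terms.append(parse_and())
        return lambda p: any(t(p) for t in terms)
    def parse_and():
        terms = [parse_not()]
        while peek() == "and": take(); terms.append(parse_not())
        return lambda p: all(t(p) for t in terms)
    def parse_not():
        if peek() != "not": return parse_atom()
        take(); inner = parse_not()
        return lambda p: not inner(p)
    def parse_atom():
        t = take()
        if t == "(":
            inner = parse_or()
            if take() != ")": raise ValueError("missing ')'")
            return inner
        proto = {"tcp": 6, "udp": 17}.get(t)
        if proto is not None:                           # bare "tcp"/"udp", or a protocol qualifier
            if peek() not in ("src", "dst", "host", "port"): return lambda p: p["proto"] == proto
            t = take()
        dirs = (t,) if t in ("src", "dst") else ("src", "dst")
        kind = take() if t in ("src", "dst") else t
        val = take()
        if kind == "host": prim = lambda p: any(p[d] == val for d in dirs)
        elif kind == "port": prim = lambda p, n=int(val): any(p[d[0] + "port"] == n for d in dirs)
        else: raise ValueError("unsupported primitive: " + kind)
        return lambda p: prim(p) and (proto is None or p["proto"] == proto)
    pred = parse_or()
    if peek() is not None: raise ValueError("trailing tokens: " + " ".join(toks[pos:]))
    return pred

def filter_pcap(data, expr):
    """New PCAP holding only the frames the filter accepts; non-IPv4 frames never match."""
    pred = compile_bpf(expr)
    return write_pcap([(ts, raw) for ts, raw in read_pcap(data)
                       if (d := decode(raw)) is not None and pred(d)])

def build_frame(src, dst, proto, sport, dport, payload=b""):   # Ethernet/IPv4/TCP|UDP, zero checksums
    l4 = (struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", sport, dport, 8 + len(payload), 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(payload), 1, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + l4 + payload
SAMPLE_PCAP = write_pcap([   # constructed capture, not real traffic
    (1000.0, build_frame("10.0.0.5", "203.0.113.7", 6, 51000, 80, b"GET / HTTP/1.1\r\n")),
    (1000.5, build_frame("10.0.0.5", "192.0.2.53", 17, 53000, 53, b"\x00" * 12)),
    (1001.0, build_frame("10.0.0.8", "198.51.100.9", 17, 40000, 5004, b"\x80" * 160)),
    (1001.2, build_frame("203.0.113.7", "10.0.0.5", 6, 80, 51000, b"HTTP/1.1 200 OK\r\n")),
])
def surviving_tuples(data, expr):   # (src, sport, dst, dport) of each frame left after filtering
    return [(d["src"], d["sport"], d["dst"], d["dport"])
            for _, raw in read_pcap(filter_pcap(data, expr)) for d in [decode(raw)]]
```

With the sample capture, "not udp port 5004" drops the RTP-style media stream and keeps the HTTP and DNS frames, which is the kind of dynamic filter used to extend the capture window; "host 203.0.113.7 and tcp port 80" isolates one web session for replay to an updated IDS. A real deployment hands the same expressions to libpcap, which implements the full BPF language rather than this subset, and the decoder above is deliberately minimal (no IPv6, VLAN tags or checksum verification).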

Comparative Reporting

Compare captured network traffic to previous periods to identify abnormal patterns: establish a baseline, then highlight and notify when deviations occur. With comparative reporting, you understand trends over time and can determine whether further investigation is needed.
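As an added example, not Symantec's code, the following shows one way the comparative reporting described here and the statistical anomaly detection described earlier can be computed from retained metadata: each host's traffic volume for the current period is compared with the mean and standard deviation of a baseline of earlier periods, and a deviation beyond a z-score threshold, or a destination never seen in the baseline, becomes a finding. The row layout, the z-score rule, the threshold and the sample data are assumptions.

```python
"""Added example (not Symantec's code): compare one period of per-host traffic
metadata against a baseline of earlier periods, as a comparative-reporting /
anomaly-detection pass. The z-score rule, row layout and sample data are
assumptions made for this illustration."""
import statistics
from collections import defaultdict

def daily_totals(rows):
    """{host: {period: bytes_out}} from (period, host, dst_ip, bytes_out) rows."""
    totals = defaultdict(lambda: defaultdict(int))
    for period, host, _dst, nbytes in rows:
        totals[host][period] += nbytes
    return totals

def compare_periods(baseline_rows, current_rows, z_threshold=3.0):
    """Findings for the current period relative to the baseline:
    'volume' when a host's bytes_out lies >= z_threshold standard deviations from
    its baseline mean, 'new-destination' for peers never seen in the baseline,
    'no-baseline' when fewer than two baseline periods exist for the host."""
    base, cur = daily_totals(baseline_rows), daily_totals(current_rows)
    seen = defaultdict(set)
    for _period, host, dst, _n in baseline_rows:
        seen[host].add(dst)
    findings = []
    for host, periods in cur.items():
        history = list(base[host].values())
        for period, total in periods.items():
            if len(history) < 2:
                findings.append({"host": host, "period": period, "kind": "no-baseline", "bytes": total})
                continue
            mean, sd = statistics.mean(history), statistics.pstdev(history)
            # A flat baseline (sd == 0) makes any change infinitely significant.
            z = (total - mean) / sd if sd else (0.0 if total == mean else float("inf"))
            if abs(z) >= z_threshold:
                findings.append({"host": host, "period": period, "kind": "volume", "bytes": total,
                                 "baseline_mean": round(mean), "z": round(z, 1)})
        new_dsts = {dst for _p, h, dst, _n in current_rows if h == host} - seen[host]
        findings.extend({"host": host, "kind": "new-destination", "dst": d} for d in sorted(new_dsts))
    return findings

# Constructed per-host daily metadata (period, host, dst_ip, bytes_out); not real traffic.
BASELINE_ROWS = [(f"day{i}", "10.0.0.5", "203.0.113.50", b) for i, b in
                 enumerate([1000000, 1100000, 900000, 1050000, 950000, 1000000, 1020000], 1)]
BASELINE_ROWS += [(f"day{i}", "10.0.0.8", "198.51.100.9", b) for i, b in
                  enumerate([200000, 210000, 190000, 205000, 195000, 200000, 202000], 1)]
CURRENT_ROWS = [
    ("day8", "10.0.0.5", "203.0.113.50", 980000),    # usual volume to the usual peer
    ("day8", "10.0.0.5", "203.0.113.7", 8000000),    # large upload to a never-seen peer
    ("day8", "10.0.0.8", "198.51.100.9", 210000),    # within normal variation
    ("day8", "10.0.0.12", "198.51.100.9", 50000),    # host with no baseline history
]

def run_comparison_sample():
    """Comparative report for day 8 against the seven baseline days."""
    return compare_periods(BASELINE_ROWS, CURRENT_ROWS)
```

On the sample data only 10.0.0.5 produces a volume finding (roughly nine times its baseline mean, well over a hundred standard deviations) together with a new-destination finding for 203.0.113.7; 10.0.0.8's 5% rise stays under the threshold, and 10.0.0.12 is reported as lacking a baseline rather than being silently scored against one.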

Performance/Scale

Symantec Security Analytics appliances capture everything that crosses your network (packet header and payload), giving you a complete and forensically sound record of network activity. Only Security Analytics appliances meet the grueling demands of the largest government and enterprise networks, yet swiftly reconstruct and deliver real files from within terabytes of raw packet data.

Deployment options range from small or branch-office appliances to dedicated 10Gb High Density appliances with expandable storage for today’s fastest networks. Only Symantec Security Analytics gives you the option to also deploy as a Virtual Appliance. Large customers with expansive networks have selected Symantec as the only solution capable of meeting their needs for incident response and advanced network forensics, now and in the future.

Passively receiving traffic from a tap or SPAN, Security Analytics is invisible to the rest of your network, capturing traffic at line speeds without adding latency.

Extended Metadata Retention

Optimize the storage available on your Symantec Security Analytics appliance and extend the window of your forensics data. Create independent allocations of storage for metadata and for full packets. This enables retention and analysis of longer periods of metadata and packets: weeks, months, or more. It provides a long-term window for trend analysis while making the best use of limited storage.