Security Analytics Key Features

Symantec Security Analytics is a powerful solution that arms today's incident response teams against modern-day threats. Packed with award-winning technology and features, Security Analytics provides the details that expose the full source and scope of any threat or attack targeting your information assets and significantly reduces the time needed to conduct complete network forensics investigations.

Alerts Dashboard

To provide a comprehensive view of your network activity and highest priority alerts at first glance, the Security Analytics web interface defaults to the Alerts Management Dashboard. This new view presents a histogram of alert activity plus new “alert cards” that pivot to filtered lists of alerts and their threat scores. From this page you can filter your alerts by IP, by indicator, or by threat level.


Anomaly Detection

An exciting new feature, anomaly detection performs statistical analysis on your captured data and alerts you on anomalous behavior. When you pivot from the alert to the new Anomaly Investigation view, you can see when the anomaly occurred, how often, and which other endpoints were involved.


SCADA

Industrial Control Systems (ICS) are attractive targets for cyber attack and, like the rest of the network, require complete visibility. Security Analytics supports SCADA protocol analysis and delivers the power of Blue Coat Security Analytics to industrial control environments. Security Analytics monitors the Modbus and DNP3 protocols that are common in networks controlling operations at nuclear facilities, water treatment plants, power plants, oil refineries, manufacturing facilities and numerous other industries. Indicators, Rules (notifications) and Anomaly Detection can all be applied to the indexed SCADA attributes.


Dynamic Filtering

Not all traffic is created equal, or equally malicious. Incident response teams may choose to eliminate traffic they do not see as a threat and prioritize available capture storage to optimize their investment. With Security Analytics, you can selectively exclude packets from capture based on rule settings: drop streaming video or music, video conferencing and much more. This extends your capture window so that it is spent on the traffic you consider most critical.


Capture Only Mode

When specific use cases call for very fast raw packet capture, without the need for extensive metadata enrichment, Security Analytics delivers. Selectively turn off data enrichment and significantly boost capture performance on a single appliance.


Summary View

With Security Analytics you have the flexibility and freedom to create multiple, customized views for each use case to suit your incident-response workflow. Add and rearrange report widgets to your selected view to display summarized data in table, pie, bar, or column charts. Create new views for specialized use cases. No matter your preference, the summary view provides instant situational awareness of your network on a single page.


Active Reports

Identify evasive exploits and malware with Symantec Security Analytics reports, which provide a detailed, vivid picture of network traffic while giving users the power to respond to incidents as they unfold. Reports are a key navigation point, helping even novice users pinpoint their target data faster and with more accuracy. Reports fall into these categories:

  • applications
  • DNS
  • email activity
  • encryption
  • files
  • geolocation
  • network packets
  • social personas
  • threat intelligence
  • web activity

Application Classification

Identify network activity by peering deep inside packet data to find the telltale signs of malicious intent. Symantec Security Analytics classifies more applications crossing your network than any other network forensics solution. More than 2,500 applications and thousands of attributes are recognized and indexed for easy search and recovery. Not only can you identify specific applications in network traffic, you can also search metadata attributes within network flows, such as To, From, Subject Line, Protocol, Tunnel Initiator, Presented MIME Type, Detected (magic number) File Type, and more.


Reputation Services/Data Enrichment

Security Analytics delivers on-demand reputation checks from multiple trusted threat intelligence providers, including:

  • Symantec ThreatExplorer
  • Domain Age
  • Robtex
  • Team Cymru
  • YARA
  • WHOIS

Symantec Intelligence Services

All traffic captured on a Symantec Security Analytics appliance is analyzed for known malicious web, mail and file-based threats. Security Analytics uses Intelligence Services for Security Analytics to harness the Symantec Global Intelligence Network: threat intelligence from 15,000 customers reporting on billions of web and URL threats.


Extractions of Artifacts

The most powerful contributor to situational awareness is Security Analytics' ability to reconstruct network traffic exactly as it passed over the wire, producing evidence that makes sense. Because every packet is captured and classified, discovering, reconstructing and delivering files in their original format is quick and intuitive. See the web page as the user saw it. View IM and email conversations. Reconstruct PDFs, Word documents, PowerPoint presentations, Excel spreadsheets and more in their original format. Investigate a host or an individual and deliver real, recognizable evidence, not just a collection of packets.


Seamless Integrations

Symantec Security Analytics integrates with best-of-breed network security technologies, giving them the ability to pivot directly from an alert or log to complete packet-level detail and artifacts of the event before, during and after the alert. The open, web services REST API lets you leverage technologies like HP ArcSight, Splunk, IBM QRadar, Guidance, CounterTack and more. Streamline your incident response workflow and determine the complete source and scope of an attack.


Sandbox Brokering

