Security Analytics Key Features

Symantec Security Analytics is a powerful solution that arms today’s incident response teams against modern-day threats. Packed with award-winning technology and features, Security Analytics provides the details that expose the full source and scope of any threat or attack targeting your information assets and significantly shortens the time needed to conduct complete network forensics investigations.

Security Analytics Cloud Deployment

Security Analytics enables full visibility and forensics for your cloud workloads. Security Analytics can be deployed in Amazon Web Services, Microsoft Azure, and Oracle Cloud for full visibility, network traffic analysis and incident response for cloud workloads.

All the powerful data enrichment that Security Analytics provides for your on-prem network is also available in the cloud (file reputation, deep packet inspection, full indexing, anomaly detection, artifact reconstruction, and more). License the Security Analytics VM for deployment in the cloud and manage it centrally alongside any of your on-prem Security Analytics deployments. Conduct thorough investigations and proactive threat hunting from a single console to uncover the source and scope of a threat or attack and deliver clear evidence, whether the threat is targeting your on-prem network or a cloud workload.

Summary View

With Security Analytics you have the flexibility and freedom to create multiple, customized views for each use case to suit your incident-response workflow. Add and rearrange report widgets to your selected view to display summarized data in table, pie, bar, or column charts. Create new views for specialized use cases. No matter your preference, the summary view provides instant situational awareness of your network on a single page.

Session View

With Session View, Incident Responders can quickly get all details of network flows and narrow their investigation focus before retrieving artifacts, greatly improving the efficiency of an investigation. Users can customize views to exactly what they need and how they prefer to work. This feature will significantly reduce the time to answers and speed incident resolution.

Intelligent Capture

All captured traffic is sent through the full analysis pipeline, with metadata generation, artifact extraction, and anomaly detection, but only packets deemed necessary for long-term storage are retained, optimizing available storage and easing adoption of Security Analytics.

You get all the powerful enrichment that makes Security Analytics so valuable, but with more flexibility to keep only those packets you consider truly valuable. You can create rules to determine what stays and what goes. The metadata remains available for long-term analysis, and it becomes more cost effective to get started with Security Analytics. Like other Network Traffic Analysis solutions, Security Analytics analyzes all traffic, but you also have the option to retain the packets themselves – a capability other solutions don’t usually offer.

Dynamic Storage Expansion

Dynamically scale storage and expand as needed. You can start with a smaller deployment and grow when required. The “Expand Storage utility” (available through Symantec Support) makes it easy to add storage: you simply introduce new storage to the head unit, with no need to reinstall the software and no loss of capture or index data. When first deploying Security Analytics in a SOC, you may use Intelligent Capture to capture what you want, focusing on metadata retention first and then adding packet retention and more storage as needed.

ICDx Integration

ICDx support provides instant integration with thousands of apps. Anything that integrates with ICDx can benefit from the massive data that Security Analytics can provide. Security Analytics provides extremely rich forensics data and will add great value to correlated data from other sources. Security Analytics supports two types of integration:

  • Event Notifications: When the traffic that is captured and analyzed in Security Analytics matches a rule, Security Analytics will then send the alert metadata to ICDx servers.
  • Metadata Forwarding: You can choose to share Security Analytics metadata to the ICDx platform to be consumed by multiple other tools for further analysis.

Active Reports

Identify evasive exploits and malware with Symantec Security Analytics reports, which provide a detailed, vivid picture of network traffic while giving users the power to respond to incidents as they unfold. Reports are a key navigation point, helping even novice users pinpoint their target data faster and with more accuracy. Reports fall into these categories:

  • applications
  • DNS
  • email activity
  • encryption
  • files
  • geolocation
  • network packets
  • social personas
  • threat intelligence
  • web activity

Risk and Visibility Report

Simply deploy a Security Analytics appliance or virtual appliance on your network and capture traffic. Let it run for a few days or a week, then push a button to generate a comprehensive PDF report that covers critical areas including:

  • Predicted file count hidden in encrypted traffic
  • The amount of encrypted traffic crossing your network
  • Risky applications on the network
  • Anomalous network behavior based on a benchmark of your actual traffic
  • An executive summary to share with security team or management so you can prioritize activities

Extractions of Artifacts

The most powerful contributor to Situational Awareness is Security Analytics’s ability to reconstruct network traffic exactly as it passed over the wire. Produce evidence that makes sense. With every packet that is captured and classified, quick discovery, reconstruction and delivery of files in their original format is easy and intuitive. See the web page as the user saw it. View IM and email conversations. Reconstruct PDFs, Word docs, PPTs, Excel spreadsheets and more in their original format. Perform surveillance on a host or an individual and deliver real, recognizable evidence – not just a collection of packets. An artifacts timeline provides a histogram of network artifacts over time. It helps incident response specialists quickly visualize a sequence of events and significantly improves artifact search performance.

Artifact Preview

With the ability to reconstruct network traffic into its Artifacts, Security Analytics also offers a Preview capability. This allows content to be viewed in a number of methods; webpages can be previewed as the user saw them, VoIP recordings can be replayed as Audio, and numerous other formats depending on the content that is reconstructed.

Application Classification

Identify network activity by peering deep inside packet data to find the telltale signs of malicious intent. Symantec Security Analytics classifies more applications crossing your network than any other network forensics solution. More than 3,100 applications and thousands of attributes are recognized and indexed for easy search and recovery. Not only can you identify specific applications in network traffic, you can search metadata attributes such as To, From, Subject Line, Protocol, Tunnel Initiator, Presented MIME Type, Detected (magic number) File Type, and more within network flows.

User-Selectable Metadata

Simply check a box to enable or disable hundreds of metadata types and their associated reports. This allows systems to be tuned for the environment they are deployed in. When specific use cases call for very fast raw packet capture – without the need for extensive metadata enrichment – Security Analytics delivers. Selectively turn off data enrichment and significantly boost capture performance on a single appliance.

Symantec Intelligence Services

All traffic that is captured on a Symantec Security Analytics appliance is analyzed for any known malicious web, mail and file-based threats. Security Analytics uses Intelligence Services for Security Analytics to harness the Symantec Global Intelligence Network, threat intelligence from 175 million endpoints reporting on billions of web and URL threats.

Reputation Services/Data Enrichment

Unknown content can be sent to Content Analysis for further inspection and sandboxing. Additionally, Security Analytics delivers on-demand reputation checks from multiple trusted threat intelligence providers, including:

  • VirusTotal
  • Google Safe Browsing
  • Domain Age
  • RobTex
  • Team Cymru
  • LastLine
  • SORBS
  • YARA
  • WHOIS

Indicators/Rules

Indicators use structured language to observe and identify specific activity. Use built-in metadata attributes, automatically-updated 3rd party indicator data or use custom updates from virtually any source.

Rules enable automation of alerts and common actions for additional analysis based on any indicator. For example, automatically export data to a PCAP, enrich retained metadata or send to file shares, analyze with 3rd-party tools like DLP or endpoint solutions. Tune notification frequency to what your incident response team and processes require.

Alerts Dashboard

To provide a comprehensive view of your network activity and highest priority alerts at first glance, the Security Analytics web interface defaults to the Alerts Management Dashboard. This new view presents a histogram of alert activity plus new “alert cards” that pivot to filtered lists of alerts and their threat scores. From this page you can filter your alerts by IP, by indicator, or by threat level.

Packet Analyzer

For those who love a good packet (and what incident response team doesn’t), but hate multiple steps for analysis, Security Analytics includes a full-featured packet analyzer right on the appliance. No need to transfer huge files over the network just to determine that the packets you were looking for aren’t in there. Use Wireshark filter syntax and conduct your deep analysis without having to leave the comfort of the Security Analytics interface. Filtered results are always one click away. Very powerful!

Anomaly Detection

An exciting new feature, anomaly detection performs statistical analysis on your captured data and alerts you on anomalous behavior. When you pivot from the alert to the new Anomaly Investigation view, you can see when the anomaly occurred, how often, and which other endpoints were involved.

PCAP Import

The rich analysis of Security Analytics can be applied to PCAPs from other sources that you may already have. You can also optimize available Security Analytics storage by exporting captured network traffic as PCAPs to external storage for later import and analysis as needed. PCAP Import also allows forensics analysts and incident response teams to obtain detailed information and analysis from PCAPs delivered by external sources.

Seamless Integrations

Symantec Security Analytics integrates with best-of-breed network security technologies, giving them the ability to pivot directly from an alert or log to complete packet-level detail and artifacts of the event before, during and after the alert. The open, web services REST API lets you leverage technologies like HP ArcSight, Splunk, IBM QRadar, Guidance, CounterTack, Symantec ATP and more. Streamline your incident response workflow and establish the complete source and scope of an attack.

Central Manager

Central Manager provides a single point of management for Security Analytics Appliance, VMs and high-density storage deployments. It delivers central access to all Security Analytics sensors for directed, aggregate searches and management, without the need for heavy data replication. Supporting over 200 sensors, Central Manager makes it easy for incident response teams to conduct efficient and comprehensive global investigations across the entire organization.

Media Panel

Nothing tells a story like a picture. When trying to enforce acceptable Internet use policy, quickly see what images are crossing your network and who’s viewing them. Media panel lets you quickly view and analyze all image and audio files to see exactly what the user experienced. Filter by file, extension or size and associated metadata such as: URL, source/destination IP, size or MIME type. A picture is worth a thousand words and can lead to details of unsanctioned or malicious activity.

Geolocation

With Security Analytics Geolocation you see the origin and destination of all network traffic. Identify patterns and concentrations of traffic traveling to and from non-traditional locations. See hot spots of activity, zoom in on specific paths and flag IP addresses, locations or even countries as suspicious. Abnormal traffic patterns may be the starting point of an investigation and reduce your time to resolution. Export any network traffic as a .kml file and import it into Google Earth. “Traffic to a restricted country – that’s not right!”

Root Cause Explorer

Quickly get to the root cause of an attack with automatic tracing of HTTP referrer chains. Root Cause Explorer correlates relevant email, IM, and HTTP information for quick analysis and discovery of how the threat entered the network and the subsequent activities. As one user stated – “You’ve made one of the most time-consuming, rote functions of my job as simple as pushing a button …That was easy!”

SCADA

Industrial Control Systems (ICS) are attractive targets for cyber attack and like the rest of the network, require complete visibility. Security Analytics supports SCADA protocol analysis and delivers the power of Symantec Security Analytics to industrial control environments. Security Analytics monitors Modbus and DNP3 protocols that are common in networks that control operations at nuclear facilities, water treatment plants, power plants, oil refineries, manufacturing facilities…and numerous other industries. Use of Indicators, Rules (notifications) and Anomaly Detection is possible on indexed SCADA attributes.

Dynamic Filtering

Not all traffic is created equal…or equally malicious. Incident response teams may choose to eliminate traffic they don’t see as a threat and prioritize available capture storage to optimize their investment. With Security Analytics, you can selectively filter and “not” capture packets based on rule settings. Eliminate streaming video or music, video conferencing, and much more. This increases your capture window so you can focus on what you consider most critical.

Filter & Replay Traffic

Filter inbound and outbound traffic by protocol, IP, MAC address, payload type, or unique bit pattern. Filter at the header or payload level. Apply multiple filters with the ability to start and stop filters at any time, while continuing to capture traffic. You can also import filters in standard Berkeley Packet Filter (BPF) format. Replay captured traffic to other tools to validate their effectiveness after they have been updated with new signatures or threat intelligence. By playing historical traffic back to updated tools you can determine whether you were infected before that new threat was classified. This level of control is unique to Symantec Security Analytics and provides the flexibility to capture and direct the traffic you feel is most important to your investigations.

Comparative Reporting

Compare captured network traffic to previous periods to identify abnormal patterns and establish a baseline and then highlight and notify when deviations occur. With comparative reporting, you understand trends over time and determine if further investigation is needed.

Performance/Scale

Symantec Security Analytics appliances capture everything that crosses your network (packet header and payload), giving you a complete and forensically sound record of network activity. Only Security Analytics appliances meet the grueling demands of the largest government and enterprise networks, yet swiftly reconstruct and deliver real files from within terabytes of raw packet data.

Deployment options range from small or branch-office appliances to dedicated 10Gb High Density appliances with expandable storage for today’s fastest networks. Only Symantec Security Analytics gives you the option to also deploy as a Virtual Appliance. Large customers with expansive networks have selected Symantec as the only solution capable of meeting their needs for incident response and advanced network forensics, now and in the future.

Passively receiving traffic from a tap or SPAN, Security Analytics is invisible to the rest of your network, capturing traffic at line speeds without adding latency.

Extended Metadata Retention

Optimize the storage available on your Symantec Security Analytics appliance and extend the window of your forensics data. Create independent allocations of storage for metadata and full packets. This enables retention and analysis of longer periods of metadata and packets—weeks, months, or more—providing a long-term window for trend analysis while making the best use of limited storage.