
Context Hub

The RSA NetWitness Platform concentrates and synthesizes relevant information for easy access by analysts. Toggling between a myriad of tools is frustrating and confusing, and makes it easy for an analyst to miss something. The Context Hub provides an enrichment data lookup capability in both the Respond and the Investigation views, exposing context data on demand. Sources for enrichment data include asset criticality directly from RSA Archer, Microsoft Active Directory, threat intelligence sources, Respond (incident management), custom lists, Endpoints, and several options for customers to incorporate their own external enrichment data.

Multiple enrichment data sources

Business context for investigation

Single pane window

Detailed analysis

The Problem

A security analyst investigating a threat incident needs more insightful data to take appropriate action. Often that data lives in different tools, and switching between them and correlating their output with the investigation data is challenging and frustrating for the analyst. For example, suppose an incident is created when a laptop sends an unusual volume of packets to an external web site. The investigating analyst wants to know which user is logged in, who owns the system, the details of the unexpected activity, and so on, and would have to spend significant time retrieving these values from different sources and bringing them together in the investigation context.

The Solution

The Context Hub is a feature of the RSA NetWitness Platform that brings contextual data to the metadata presented in the Investigation and Incident screens. Metadata that has extra contextual data is highlighted on screen, letting the analyst focus the investigation on the critical metadata. Hovering over a metadata value and clicking the context lookup loads a window pane with all the contextual information the system could gather. The contextual data is fetched from RSA Archer, Microsoft Active Directory, RSA's crowd-sourced threat intelligence platform, custom whitelists or blacklists, Endpoints, and custom external enrichment data.
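The lookup pattern described above, as an added example that is not RSA NetWitness code: a metadata value (host, user, IP) is sent to every enrichment source that understands that type, the results are merged into one pane, and only metadata that came back with context is highlighted. The source names, the in-memory stand-ins for Archer, Active Directory, threat intelligence and a blacklist, the metadata keys and all sample records are constructed for illustration. The endpoint source is deliberately unreachable to show that one failing source must not empty the pane.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed in-memory stand-ins for the enrichment sources named on the page.
# A real deployment would call out to Archer, Active Directory, a threat-intel
# feed, the endpoint agent, or a customer-supplied list instead.
ASSET_CRITICALITY = {"LAPTOP-0423": {"owner": "j.doe", "criticality": "high"}}
DIRECTORY = {"j.doe": {"department": "Finance", "title": "Controller"}}
THREAT_INTEL = {"198.51.100.77": {"verdict": "malicious", "tags": ["c2"]}}
BLACKLIST = {"198.51.100.77"}


def _endpoint_lookup(value: str) -> Optional[dict]:
    # Stands in for an endpoint source that is down during the investigation.
    raise TimeoutError("endpoint source unreachable")


# (source name, metadata types the source knows about, lookup function)
Source = Tuple[str, Set[str], Callable[[str], Optional[dict]]]
SOURCES: List[Source] = [
    ("asset_criticality", {"host"}, ASSET_CRITICALITY.get),
    ("directory", {"user"}, DIRECTORY.get),
    ("threat_intel", {"ip"}, THREAT_INTEL.get),
    ("blacklist", {"ip", "host"}, lambda v: {"listed": True} if v in BLACKLIST else None),
    ("endpoint", {"host"}, _endpoint_lookup),
]


@dataclass
class ContextResult:
    """Everything gathered for one metadata value, keyed by source name."""
    value: str
    context: Dict[str, dict] = field(default_factory=dict)  # source -> data
    errors: List[str] = field(default_factory=list)         # sources that failed

    @property
    def has_context(self) -> bool:
        return bool(self.context)


def enrich(meta_type: str, value: str, sources: List[Source]) -> ContextResult:
    """Query every source that understands this metadata type and merge results."""
    result = ContextResult(value=value)
    for name, types, lookup in sources:
        if meta_type not in types:
            continue
        try:
            data = lookup(value)
        except Exception as exc:  # an unreachable source is recorded, not fatal
            result.errors.append(f"{name}: {exc}")
            continue
        if data:
            result.context[name] = data
    return result


def enrich_event(event: Dict[str, Tuple[str, str]],
                 sources: List[Source] = SOURCES) -> Dict[str, ContextResult]:
    """Enrich every metadata key of an event: key -> (meta type, value)."""
    return {key: enrich(meta_type, value, sources)
            for key, (meta_type, value) in event.items()}


def highlighted_keys(results: Dict[str, ContextResult]) -> List[str]:
    """Metadata keys the UI would highlight: those with context from any source."""
    return sorted(key for key, r in results.items() if r.has_context)


# Constructed metadata for the laptop-to-external-site incident described above.
SAMPLE_EVENT = {
    "host":   ("host", "LAPTOP-0423"),
    "user":   ("user", "j.doe"),
    "src_ip": ("ip", "10.0.5.12"),
    "dst_ip": ("ip", "198.51.100.77"),
}

if __name__ == "__main__":
    results = enrich_event(SAMPLE_EVENT)
    for key in highlighted_keys(results):
        r = results[key]
        print(f"{key}={r.value}: {r.context} errors={r.errors}")
```

Running it highlights dst_ip (threat intel verdict plus blacklist hit), host (owner and criticality from the asset source) and user (directory record), while src_ip stays unhighlighted because no source knows it. The host lookup also carries the endpoint source's timeout in its error list, so the analyst can see which source was missing instead of silently getting a thinner pane.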

The Results

This feature set the premise for RSA's business-driven security strategy, which helped various product lines present a unified view of a threat.