2014-09-23 05:08 PM
On the list of new features there is an item that says ECAT will alert in real-time when a threat is detected. What kind of threats are covered? Are these based on signatures like AV?
During the product launch video, ECAT was able to show a system count of other computers with the same binary. How fresh is that data? Is that data based on the last scan?
The new features list also stated that ECAT can scale to 50k endpoints. Can I scan all 50k at one time or would I have to stagger the scanning to keep from exhausting my network connection?
New interface looks great! Much needed.
Regards,
Needa
2014-09-24 08:52 AM
Sorry Needa, you caught us in-between business hours. I'm checking with an ECAT expert and will get you your answers ASAP.
2014-09-24 09:12 AM
Hi Needa,
RSA ECAT doesn't rely on signatures to detect threats (malware, rootkits, RATs, etc.). Instead, ECAT looks more for suspicious activity. For example, if an unknown executable file loads in memory, starts hooking into different processes, creating new processes, etc. ECAT can alert you of this type of suspicious activity, give you a deep view of what's happening on the endpoint, and flag the suspicious activity for faster investigations.
RSA ECAT maintains a repository of all files found across your environment, and you can easily see how many other machines a file has been found on (which is especially helpful when you have a malicious file). With ECAT's Behavior Tracking system, the endpoint data is updated within seconds, not just after a scan.
RSA ECAT scales beyond 50k: each ECAT server supports up to 50k endpoints, and then we have a multi-server architecture where you can deploy as many servers as needed. You have a lot of flexibility with scanning in ECAT, so you can set up scan schedules for different groups and the system can also automatically stagger scans.
Hope this helps! Thanks for the feedback.
2014-09-24 01:35 PM
Thank you for the informative reply.
If I need to run three ECAT servers, can they be managed from a single console?
What is the platform for the user interface (web-based)?
I would like to read more about behavior tracking; is there a white paper available to get more details? What type of endpoint behavior will generate a report back to the server (e.g. spike/sustained hardware utilization, file changes/additions, rights escalation, etc.)?
Regards,
Needa
2014-09-24 03:17 PM
Yes, all ECAT servers are managed centrally from a single console.
The UI is a fat client today, mainly for speed/usability reasons.
I don't have a specific white paper focused on the behavior tracking right now, but here are some examples of the type of activity that is tracked & reported back on an ongoing basis:
- an executable loads
- a process creates a process (see the source and target process name)
- a process creates a remote thread
- a process opens a process (or browser process) or reads a document
- modifications to the firewall policy
- modifications to the Task Manager settings or Windows system policies
- etc.
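The behavior list above, together with the earlier points about signature-free alerting and the "found on N machines" file count, as an added Python example that is not part of this thread or of RSA ECAT: a toy correlator over constructed endpoint events that counts the hosts each binary has been seen on and scores processes by the tracked behaviors. The event names, weights, allow-list and sample events are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample endpoint events, not ECAT output: (host, event, process, detail)
EVENTS = [
    ("ws01", "exec_load", "svchost.exe", "sha256:AAA"),
    ("ws02", "exec_load", "svchost.exe", "sha256:AAA"),
    ("ws03", "exec_load", "svchost.exe", "sha256:AAA"),
    ("ws01", "exec_load", "updater.exe", "sha256:BBB"),
    ("ws01", "create_remote_thread", "updater.exe", "explorer.exe"),
    ("ws01", "create_process", "updater.exe", "cmd.exe"),
    ("ws01", "firewall_policy_change", "updater.exe", "rule added"),
    ("ws02", "create_process", "explorer.exe", "chrome.exe"),
    ("ws02", "open_process", "chrome.exe", "chrome.exe"),
]

# Weight per tracked behavior (assumed values chosen for illustration)
WEIGHTS = {
    "create_remote_thread": 3,
    "firewall_policy_change": 3,
    "system_policy_change": 2,
    "create_process": 1,
    "open_process": 1,
}
KNOWN_GOOD = {"sha256:AAA"}  # assumed allow-list of vetted binary hashes


def file_prevalence(events):
    """Distinct-host count per file hash (the 'found on N machines' view)."""
    hosts = defaultdict(set)
    for host, ev, _proc, detail in events:
        if ev == "exec_load":
            hosts[detail].add(host)
    return {h: len(s) for h, s in hosts.items()}


def score_processes(events, known_good=KNOWN_GOOD):
    """Suspicion score per (host, process): sum of behavior weights, doubled
    when the loaded binary is not allow-listed and was seen on only one host."""
    prevalence = file_prevalence(events)
    loaded = {(h, p): d for h, ev, p, d in events if ev == "exec_load"}
    scores = defaultdict(int)
    for host, ev, proc, _detail in events:
        if ev in WEIGHTS:
            scores[(host, proc)] += WEIGHTS[ev]
    for key, digest in loaded.items():
        if key in scores and digest not in known_good and prevalence.get(digest, 0) <= 1:
            scores[key] *= 2
    return dict(scores)


def alerts(events, threshold=6):
    """(host, process) pairs whose score reaches the threshold, highest first."""
    hits = [(k, s) for k, s in score_processes(events).items() if s >= threshold]
    return sorted(hits, key=lambda item: -item[1])
```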