Signature-less Malware Detection
Detect. Analyze. Respond.
Gain Endpoint Visibility
Detect Advanced Threats
Obtain Actionable Intelligence
Increase SOC Agility
Attackers continuously use new, hard-to-detect methods to compromise hosts, establish a hidden presence on target systems, and exfiltrate sensitive data out of organizations. As traditional security systems are easily bypassed with these methods, organizations need a solution to quickly detect and investigate advanced threats.
RSA ECAT (Enterprise Compromise Assessment Tool) is an enterprise malware-detection and response solution that enables organizations to easily scan and monitor Windows endpoints for even the most elusive malware – including deeply hidden rootkits and other advanced threats used in targeted attacks.
By automating the detection of anomalies within applications and memory, RSA ECAT employs a fundamentally different approach than traditional anti-malware solutions. The cornerstone of this approach – per-process live memory analysis – provides a granular view of what’s happening in memory to quickly find traces of compromise and malicious activity.
As a result, analysts and incident-response teams don’t waste time filtering through background noise and false positives. With the industry’s broadest whitelisting and software-reputation services built in, known good files are quickly identified and added to the baseline, highlighting truly malicious activity for immediate attention.
In one integrated package, RSA ECAT provides:
- Remediation Option
- Forensic Data Gathering
RSA ECAT agents are deployed on servers and endpoints to identify all running processes and drivers using a set of low-level functions. The agent conducts numerous checks to identify behavior related to malware. Information gathered during the scan is sent to a centralized server for analysis.
The RSA ECAT console presents a complete view of the scanned computers along with a machine suspect level (MSL) to identify which should be investigated first.
RSA ECAT correlates a suspicious behavior with its author – a driver, a process, a DLL, or a memory block (floating code) – then displays contextual intelligence about the author (metadata like file size, file attributes, MD5 file hash). Suspicious modules can be whitelisted or blacklisted by the operator. Once modules are categorized, organizations can quickly identify the same suspicious behavior across the entire environment.
If the analysis determines that an endpoint is infected with malware, an optional remediation agent can be pushed out by the operator to clean the endpoint.
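The workflow described above (agent reports modules with flagged behaviours, the console scores each host, the operator whitelists or blacklists a module by hash, and the same hash is then found across the estate) can be sketched in a few dozen lines. The following is an added illustration written for this page, not RSA ECAT's code or its actual scoring; the behaviour names, weights, the suspect-level formula and all sample records are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


def md5_of(data: bytes) -> str:
    """MD5 of a byte string; used here only to build constructed sample hashes."""
    return hashlib.md5(data).hexdigest()


@dataclass
class Module:
    host: str
    kind: str             # "process", "driver", "dll" or "floating" (memory block with no file)
    path: str             # "" for floating code
    md5: str
    behaviors: List[str]  # anomaly checks the agent flagged for this module


# Hypothetical weights for anomaly checks (assumption: a real product tunes its own).
BEHAVIOR_WEIGHTS: Dict[str, int] = {
    "hidden_from_process_list": 40,
    "hooks_system_call_table": 35,
    "injects_into_other_process": 30,
    "no_backing_file": 25,
    "loaded_from_user_writable_dir": 10,
}


def module_score(m: Module, whitelist: Set[str], blacklist: Set[str]) -> int:
    """Baseline handling: a whitelisted hash is noise (0), a blacklisted one is certain (100)."""
    if m.md5 in whitelist:
        return 0
    if m.md5 in blacklist:
        return 100
    return min(100, sum(BEHAVIOR_WEIGHTS.get(b, 0) for b in m.behaviors))


def machine_suspect_level(host_modules: List[Module], whitelist: Set[str], blacklist: Set[str]) -> int:
    """Constructed MSL: the worst module on the host, plus 5 per additional non-baseline module, capped at 100."""
    flagged = sorted((module_score(m, whitelist, blacklist) for m in host_modules), reverse=True)
    flagged = [s for s in flagged if s > 0]
    if not flagged:
        return 0
    return min(100, flagged[0] + 5 * (len(flagged) - 1))


def triage(modules: List[Module], whitelist: Set[str], blacklist: Set[str]) -> List[Tuple[str, int]]:
    """Rank hosts by suspect level so the analyst knows which to investigate first."""
    by_host: Dict[str, List[Module]] = {}
    for m in modules:
        by_host.setdefault(m.host, []).append(m)
    ranked = [(h, machine_suspect_level(ms, whitelist, blacklist)) for h, ms in by_host.items()]
    return sorted(ranked, key=lambda hs: (-hs[1], hs[0]))


def hosts_with_hash(modules: List[Module], md5: str) -> List[str]:
    """Once a module is categorised, find every host where the same hash was seen."""
    return sorted({m.host for m in modules if m.md5 == md5})


# Constructed sample scan results (hashes are MD5 of toy strings, not of real files).
GOOD_MD5 = md5_of(b"constructed-known-good-service")
EVIL_MD5 = md5_of(b"constructed-suspicious-driver")
FLOAT_MD5 = md5_of(b"constructed-floating-code-block")
SVCHOST = r"C:\Windows\System32\svchost.exe"
DRIVER = r"C:\Windows\System32\drivers\example.sys"

SAMPLE: List[Module] = [
    Module("ws-01", "process", SVCHOST, GOOD_MD5, ["injects_into_other_process"]),
    Module("ws-01", "driver", DRIVER, EVIL_MD5, ["hooks_system_call_table", "hidden_from_process_list"]),
    Module("ws-01", "floating", "", FLOAT_MD5, ["no_backing_file", "injects_into_other_process"]),
    Module("ws-02", "process", SVCHOST, GOOD_MD5, []),
    Module("ws-02", "dll", r"C:\Users\Public\helper.dll", md5_of(b"constructed-unknown-dll"),
           ["loaded_from_user_writable_dir"]),
    Module("ws-03", "driver", DRIVER, EVIL_MD5, ["hooks_system_call_table"]),
]

# Known-good baseline: the whitelisted process scores 0 even though it injects.
WHITELIST: Set[str] = {GOOD_MD5}


if __name__ == "__main__":
    print("before categorisation:", triage(SAMPLE, WHITELIST, set()))
    # Operator blacklists the driver hash; every host carrying it jumps to the top.
    print("after blacklisting:  ", triage(SAMPLE, WHITELIST, {EVIL_MD5}))
    print("hosts with that hash:", hosts_with_hash(SAMPLE, EVIL_MD5))
```

The point of the baseline step is visible in the first host: the whitelisted process shows an injection behaviour but contributes nothing, so the driver and the floating code block are what raise the host to the top of the queue. Blacklisting one hash then reprioritises every host where that hash appears, which is the "identify the same suspicious behavior across the entire environment" step.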
Gather Forensic Data
RSA ECAT includes a set of tools to gather information for a complete forensic analysis and cybercrime investigation, including:
- Full memory downloads: Pull a complete live memory dump from a suspect machine for further analysis
- Master File Table (MFT) Viewer: Locate and remotely download hacked and deleted files in a forensically sound manner
RSA Security Analytics
Provide enterprise-wide visibility into network traffic and log event data to reduce attacker free time from weeks to hours
RSA Critical Incident Response Solution
Detect security threats, prioritize actions based on business impact, and expand your analysts’ expertise.
Data and Spec Sheets
- Live Memory Analysis for Advanced Threat Detection
- Building End-to-End Advanced SOC Operations with RSA Solutions
- RSA ECAT in Action: Endpoint Malware Investigation
News & Blogs
Sep 19, 2012: RSA Launches Incident Response and Breach Readiness Services to Help Customers Turn the Tide on Advanced Threats