Managing RiskVision traffic capture and analysis

Technical Library | Support

Go to the table of contents

Go to the previous page

Go to the next page

TRITON RiskVision System Management : Managing RiskVision traffic capture and analysis

Managing RiskVision traffic capture and analysis

System Management | TRITON RiskVision | 02-June-2016

Use the System > Analytics tab in the Local Manager to start and stop traffic capture, configure and test the connection to a file analysis platform, and monitor database status for Local Analysis.

Traffic capture

In order for RiskVision to monitor and analyze live traffic in your network, all of the following are required:

1.

An appliance interface must be connected to a span port that has visibility into the network that you want to monitor.

2.

RiskVision must be configured to use the interface connected to the span port to capture traffic (see Configuring network settings for the RiskVision appliance).

3.

The Capture service must be running.

4.

Traffic capture must be enabled.

Enable and disable traffic capture via the Traffic Capture toggle at the top of the Analytics tab. By default, traffic capture is ON.

When the Traffic Capture switch is off:

An alert icon is displayed on the System tile in the RiskVision toolbar.

Pcap files can still be submitted manually for analysis.

When the Capture service is stopped, the Traffic Capture switch is disabled. In this case, to enable traffic capture:

1.

Start the Capture service from the System > Services tab.

2.

When the Capture service is running, check the Analytics tab to make sure traffic capture has started. If it does not start automatically, switch the toggle to ON.

Advanced file analysis

In addition to Local Analysis, RiskVision can be configured to use either of 2 remote (off-box) file analysis platforms:

The File Sandboxing cloud service, enabled by default, uses ThreatScope™ technology to analyze potentially malicious files in a sandbox environment, then provides detailed forensic reporting about file behavior.

Threat Protection Appliance offers advanced files analysis and behavioral sandboxing.

Customers who purchase Threat Protection Appliance can optionally configure RiskVision to communicate with the Threat Protection Controller instead of the File Sandboxing cloud service.

Configure file analysis

If you are using the File Sandboxing cloud service, no configuration is needed on the Analytics tab. File Sandboxing is enabled by default.

If requests from the Local Manager must go through a proxy to reach the Internet, the File Sandboxing connection will fail until the proxy is configured. See Configure RiskVision proxy settings.

To test communication with the cloud service manually, click Test Connection.

The connection to the File Sandboxing service is tested automatically every 5 minutes.

To instead connect to Threat Protection Appliance:

1.

Click Configure analysis platform.

2.

In the Configure Platform dialog box, select Threat Protection Appliance.

3.

Enter the IP address for the prod1 interface of the Threat Protection Controller.

4.

If you have configured RiskVision to use a proxy to connect to the Internet, but do not want communication with the Threat Protection appliance to go through the proxy, mark Ignore proxy settings.

5.

RiskVision attempts to connect to the Threat Protection Controller, then reports whether the connection succeeded or failed.

To test communication with the Threat Protection Controller manually, click Test Connection.

If you select Threat Protection Appliance as your file analysis platform, and later want to return to using the File Sandboxing cloud service:

1.

Click Configure analysis platform.

2.

In the Configure Platform dialog box, select the File Sandboxing radio button.

3.

RiskVision attempts to connect to the File Sandboxing cloud service, then reports whether the connection succeeded or failed.

How does advanced file analysis work?

When you use the File Sandboxing cloud service, Local Analysis uses the following criteria to determine whether to send a file for further analysis:

If Local Analysis determines that a file is malicious, further analysis is not required.

If Local Analysis determines that a file has suspicious characteristics, it recommends additional file analysis.

If Local Analysis does find malicious or suspicious characteristics, but the transaction contains an executable file, it recommends additional file analysis.

When RiskVision is configured to communicate with Threat Protection Appliance, Local Analysis uses the following criteria to determine whether to send a file for further analysis:

The file type (executable, PDF, doc, ria, and archive files are sent by default)

The file size (under 20 MB, by default)

The file types and maximum file size for files sent to Threat Protection Appliance can be configured in the /opt/websense/config/ccaplugin.config file on the RiskVision appliance.

When a file is flagged for additional analysis, RiskVision first sends a file hash to determine whether the file analysis platform has already analyzed the file.

If the file has already been analyzed, the incident record is updated with a link to the file analysis report.

If the file has not been analyzed previously, the file is sent to the file analysis platform. When analysis is complete, the incident record is updated with a link to the file analysis report.

Local analytic status

The analytics that make up RiskVision Local Analysis use databases to help them identify suspicious and malicious traffic.

Use the Local Analytics section of the page to enable or disable automatic database updates for Local Analysis. Automatic database updates are enabled by default, and should remain enabled as a best practice.

The table under the toggle switch shows:

Whether or not the analytic is available for use (live)

The analytic engine name

The analytic engine version

The current database version

The date and time of the last database update

After installation, Local Analysis may not occur until the analytics have downloaded a database. Use the table to make sure that all of the analytic engines have succeeded in performing a database download.

If the analytics are not running because they have not been able to download a database:

1.

Make sure the appliance interface selected for Local Manager communication has Internet access (see Configuring network settings for the RiskVision appliance).

2.

If Internet communication from the appliance must pass through a proxy, verify that RiskVision has the correct proxy settings (see Configure RiskVision proxy settings).

Go to the table of contents

Go to the previous page

Go to the next page

TRITON RiskVision System Management : Managing RiskVision traffic capture and analysis

Copyright 2016 Forcepoint LLC. All rights reserved.