
NetWitness Overview



Presentation Transcript


  1. NetWitness Overview
     Helmut Wahrmann, RSA, helmut.wahrmann@rsa.com

  2. The Current Scenario
     • Network Security Today
       • Network-layer / perimeter-based
       • Dependent on signatures, statistical methods, foreknowledge of adversary attacks
       • High failure rate
       • Ongoing cycle of purchases of preventative and detective measures, where rate of failure = economic or material losses for the organization
     • Threats Today
       • Constantly Evolving – Faster than preventative measures
       • Various actors: Insiders, criminals, nation-state
       • Numerous vectors: application-layer, APT, 0day and targeted malware, fraud, espionage, data leakage
     • Commercial and Government Organizations Want Something Better
       • To close these risk gaps
       • And obtain the agility to deal with future changes to their IT needs and the threat landscape

  3. NetWitness Is …
     • A revolutionary approach to enterprise network monitoring
     • A platform for pervasive visibility into content and behavior
     • Providing precise and actionable intelligence
     Know Everything. Answer Anything.

  4. Know Everything ... Answer Anything
     Invest in Certainty. Invest in Agility.
     • What critical threats are my Anti-Virus and IDS missing?
     • I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?
     • Why are packed or obfuscated executables being used on our systems?
     • On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
     • How can I detect new variants of Zeus or other 0day malware on my network?
     • We need to better understand and manage the risks associated with insider threats – I want visibility into end-user activity and to be alerted on certain types of behavior.
     • We need to examine critical incidents as if we had an HD video camera recording it all…

  5. How Does NetWitness Work? - NextGen

  6. NextGen Design Concepts
     APPLICATIONS
     • Informer – Visualization, reporting, alerting and live charting server
     • Investigator Enterprise – Interactive analysis with NetWitness appliances
     • Live – Real-time integration of the collective intelligence of the world with your data
     • Spectrum – Automated malware prioritization and analysis
     • SIEMLink – Provides immediate access to NetWitness analytics from within your IDS or SIEM console
     • SDK/API – Free, for rapid development of any conceivable network analysis application
     APPLIANCE ROLES
     • Decoder (SENSOR): Full packet capture, session processing, packet storage, with 10G/Any-G support
     • Concentrator (DATABASE): Aggregates and indexes metadata in real-time
     • Broker (QUERY BROKER): Provides a single logical view into Concentrators distributed throughout an enterprise

  7. Understanding the NetWitness NextGen Appliances

     Portable (Tactical)
       Usage: Incident Response, Tactical Operations
       Appliance: NWA55 “Eagle”
       Features: Briefcase form-factor; Encrypted/Removable Drives; 2TB Retention
     Branch (Fixed Capacity)
       Usage: Remote Office, Managed Services, Small Security teams
       Appliance: NWA200 Hybrid
       Features: 1U form-factor; Fixed capacity; Distributed visibility; 8TB Retention
     Data Center (High Performance)
       Usage: Enterprise Monitoring, SOC Operations
       Appliances: NWA1200/2400 Decoder, NWA1200/2400 Concentrator, NWA200 Broker
       Features: 1U & 2U form-factors; Bandwidth Scalable; Distributed visibility; 12 or 24TB Retention; DAS & SAN Storage Available
     Service Provider (Unlimited Scalability)
       Usage: National Monitoring, Large SOC Operations, Indefinite retention
       Appliances: NWA1200/2400 Decoder, NWA1200/2400 Concentrator, NWA200 Broker
       Features: 1U & 2U form-factors; Bandwidth Scalable; Distributed visibility; 12 or 24TB Retention; DAS & SAN Storage Available

     Throughput vs. saturated storage:
       100 Mbps    1 TB/day
       250 Mbps    2.5 TB/day
       1 Gbps      10 TB/day
       10 Gbps     100 TB/day
       40 Gbps     400 TB/day

  8. NetWitness Platform
     Network span, tap, or load balancer
       → Capture, process & store (Decoder)
       → Metadata aggregated, 2-5% of raw: Index & direct query (Concentrator)
       → Session ranges aggregated, <1 MByte/hr: Distributed query (Broker)
       → Analytics (Investigator, Informer, API)
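A worked sizing calculation, added here as an illustration and not part of the original deck or of any NetWitness tooling: it takes the throughput/storage figures from the slide 7 appliance table and the slide 8 ratios (metadata 2-5% of raw, session ranges under 1 MByte/hr) and estimates daily volume and retention days per tier. The 24-hour saturated-link assumption, decimal terabytes, and all function names are my own.

```python
"""Capacity estimate for the Decoder / Concentrator / Broker tiers on the slides.
Assumptions (mine, not the vendor's): the link is busy all day unless a utilisation
factor is given, 1 TB = 10**12 bytes, metadata is 2-5% of raw packet volume
(slide 8) and each Concentrator sends <1 MByte/hr of session ranges to its Broker
(slide 8)."""

SECONDS_PER_DAY = 86_400
TB = 10**12
META_RATIO_LOW, META_RATIO_HIGH = 0.02, 0.05   # slide 8: "2-5% of raw"
BROKER_MB_PER_HOUR = 1.0                       # slide 8: "<1MByte/hr" per Concentrator


def raw_bytes_per_day(link_mbps: float, utilisation: float = 1.0) -> float:
    """Packet bytes a Decoder must write per day at the given link rate."""
    if link_mbps <= 0 or not 0.0 < utilisation <= 1.0:
        raise ValueError("link_mbps must be > 0 and utilisation in (0, 1]")
    return link_mbps * 1e6 / 8 * SECONDS_PER_DAY * utilisation


def retention_days(bytes_per_day: float, storage_tb: float) -> float:
    """Days of history kept before the oldest data is overwritten."""
    if storage_tb <= 0:
        raise ValueError("storage_tb must be > 0")
    return storage_tb * TB / bytes_per_day


def size_tier(link_mbps: float, decoder_tb: float, concentrator_tb: float,
              concentrators: int = 1, utilisation: float = 1.0) -> dict:
    """Estimate per-day volumes and retention for one capture tier."""
    raw = raw_bytes_per_day(link_mbps, utilisation)
    meta_low = raw * META_RATIO_LOW
    meta_high = raw * META_RATIO_HIGH            # worst case for Concentrator sizing
    return {
        "raw_tb_per_day": raw / TB,
        "decoder_days": retention_days(raw, decoder_tb),
        "meta_tb_per_day": (meta_low / TB, meta_high / TB),
        # Concentrator retention is quoted at the 5% worst case
        "concentrator_days": retention_days(meta_high, concentrator_tb),
        # The Broker only receives session ranges, so its daily intake is tiny
        "broker_mb_per_day": concentrators * BROKER_MB_PER_HOUR * 24,
    }


if __name__ == "__main__":
    # Slide 7 "Data Center" tier: 1 Gbps link, 24 TB Decoder, 24 TB Concentrator
    for name, value in size_tier(1000, 24, 24, concentrators=4).items():
        print(f"{name:20} {value}")
```

At 100 Mbps the function gives 1.08 TB/day and at 1 Gbps 10.8 TB/day, which is where the slide's rounded "1TB/day" and "10TB/day" figures come from; a 24 TB Decoder on a saturated gigabit link therefore holds only about two days of packets, while the Concentrator's metadata lasts for weeks.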

  9. Automated Analysis, Reporting and Alerting (Informer)
     • Flexible dashboard, chart and summary displays for a unified view of threat vectors
     • Get automatic answers to any question for…
       • Network Security
       • Security / HR
       • Legal / R&D / Compliance
       • I/T Operations
     • HTML, CSV and PDF report formats included
     • Supports CEF, SNMP, syslog, SMTP data push for full integration in SIEM and other network event management

  10. Getting Answers to the Toughest Questions (Investigator)
     • Interactive data-driven session analysis of layer 2-7 content
     • Award-winning, patented, port agnostic session analysis
     • Infinite freeform analysis paths and content/context investigation points
     • Data presented as the user experienced it (Web, Voice, Files, Emails, Chats, etc.)
     • Supports massive data-sets
     • Instantly navigate terabytes of data
     • Fast analytics - analysis that once took days, now takes minutes
     • Freeware Version used by over 45,000 security experts worldwide

  11. Signature-Free, Automated Malware Analysis, Prioritization, and Workflow (Spectrum)
     • Mimics the techniques of leading malware analysts by asking thousands of questions about an object without requiring a signature or a known “bad” action
     • Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services to assess, score, and prioritize risks
     • Utilizes NetWitness’ pervasive network monitoring capability for full network visibility and extraction of all content across all protocols and applications
     • Provides transparency and efficiency to malware analytic processes by delivering complete answers to security professionals

  12. A New Way to Look at Everything (Visualize)
     • Revolutionary visual interface to content on the network
     • Extracts and interactively presents images, files, objects, audio, and voice for analysis
     • Supports multi-touch, drilling, timeline and automatic “play” browsing
     • Rapid review and triage of content

  13. Sample Deployment Options
