Vendor Profile - NetWitness® Corporation provides patented next generation network monitoring software products that enable organizations to achieve Total Network Knowledge™. Users of NetWitness NextGen™ can concurrently solve a wide variety of network and security problems, including insider threat management, data leakage protection, malware activity detection, network performance management, compliance verification and e-discovery. Originally developed for the US Intelligence Community, NetWitness has evolved to provide enterprises with breakthrough methods of network content analysis and risk determination. Customers include Defense, National Law Enforcement and Intelligence Agencies and Fortune 1000 organizations.
Brian Girardi is the Director of Product Management for Netwitness.
INSTANTLY INTEGRATE AND IMPROVE THE POWER OF ANY SIEM, I/T SEARCH ENGINE OR LOG-BASED EVENT CORRELATION SYSTEM
Security operations centers today are commonly overwhelmed with network and host-based security events. Often the response is to buy a Security Information and Event Manager (SIEM) or other event aggregation solution in order to create more manageable working sets for the incident response team.
Yet, though there are fewer events and incidents to investigate, rapid and complete answers are still rare. Resolution is incomplete and risk is difficult to quantify. Who is to blame? Is it the technology? Is it the staff? How sure are you of anything?
This uncertainty is part of the nature of running an enterprise network in a world where threat vectors are both unpredictable and rapidly evolving. Attack profiles today are unconventional. Victims are vulnerable from the inside and outside. Adversaries are using the openness of applications to obfuscate and covertly extract information from your enterprise.
Security depends on knowing when and where a threat exists and knowing its scope and magnitude so that you can take appropriate action in a timely manner – before critical damage is done. That means extending your existing infrastructure with the deep knowledge and analytics needed to react to incidents more effectively.
This white paper provides an overview of integrating Security Information and Event Management with NetWitness NextGen, in particular through the NetWitness™ SIEMLink solution. For the first time, seamless integration, ubiquitous network-wide event interrogation, and session analysis are available from within any existing security information and event management system.
Today’s cyber threat environment is more complex than ever. It is dominated by well-funded adversaries with strong economic and political motivations and powerful technical capabilities. These state-sponsored and organized crime groups understand that you have deployed perimeter countermeasures and network monitoring sensors, but they are skilled enough to work around them. Consider STORM: a daily-polymorphic, self-mutating, encrypted, P2P worm/Trojan with compartmentalized botnet functionality.
Network monitoring in today’s threat environment requires much more robust and diverse visibility than ever to cope with these multi-dimensional threats that may be invisible to your current defenses.
For example, enterprise technologies are overwhelmingly log/event-based, which by nature creates a narrow view of suspect events. To compensate, enterprises have adopted the use of Security Information and Event Managers (SIEMs) to provide centralized views of enterprise events across heterogeneous infrastructures.
However, by design, SIEMs do not have transaction content. Therefore, they lack the ability to definitively determine the scope and magnitude of complex threats or unforeseen events. Enterprises cannot continue to rely solely on the limited network visibility provided by signature-based approaches.
Even with all of the log file and event correlation provided by today’s security products, an organization cannot respond effectively to alerts if it does not have enough information regarding the actual cause of an event.
Evolving to the necessary level of network visibility, and ultimately an improved incident response and threat management, requires the knowledge and insight gained from the detailed and complete data contained in full network recordings.
However, it is not just about capturing and storing packets. By definition, network traffic is multi-layered and complex. Using raw network traffic to resolve security problems requires deep analysis and complete visibility from the lower-level network communications to the top-level application layer information.
NetWitness™ SIEMLink is becoming a critical component of today’s security ecosystem because it enables instant integration of NetWitness NextGen session analysis and full content capture into any SIEM-like environment.
NetWitness SIEMLink is simple in concept, but delivers extremely potent operational and financial value. Instead of relying on costly, custom integration with existing systems and vendors, SIEMLink instantly integrates directly into the web-browser of the analyst. The powerful investigative and root cause analysis capabilities of NetWitness NextGen capitalize on the single, common, vendor-agnostic component of most network management and security event correlation consoles. Using this approach, NetWitness users can immediately apply full session analysis to any network or security event or problem, and seamlessly pivot into the raw network and application data comprising the issue at hand.
SIEMLink is compatible with any SIEM, log consolidator, I/T Search Engine, IDS/IPS, Firewall, NSM, CMF/DLP, sniffer, NBAD, etc. For flexibility, it is a Microsoft Windows system tray application that acts as a real-time translator between an external Web-based application (e.g., a SIEM) and NetWitness NextGen. The tray application takes a screen scrape of an event string from any application and parses it to formulate a valid NetWitness query. Specifically, the application identifies Time and IP address data values in the string and constructs a request that automatically retrieves data for analysis through the NetWitness Investigator application.
SIEMLink Use Case
Before NetWitness SIEMLink:
A large enterprise, equipped with the best-of-breed technology, is plagued by alerts with no context. On a daily basis, their seasoned computer incident response team encounters incidents such as:
- Obscure IDS signatures,
- Network behavior/anomaly triggers,
- Suspicious host-based activity,
- Potential data leakage.
A recently deployed SIEM aggregates and organizes the events by priority. However, definitive results are rare. The team has survived with tactical, post-incident network capture to supplement incident and threat analysis. The staff is overwhelmed by the unrelenting and unpredictable nature of the threats. Reliable intelligence is difficult to obtain using their existing tools.
A typical response scenario involves manually deploying a sensor, retrieving data, and loading it into a packet analyzer for analysis. Depending on the size and location of the data, this might require several hours or days to complete. As a result, these measures are often reserved for the most serious of incidents.
After NetWitness SIEMLink:
To support the CERT staff with the raw network data needed to solve serious problems, the staff had proactively installed NetWitness NextGen several weeks earlier. The SIEMLink application was installed on analyst workstations in conjunction with NetWitness Investigator. In this configuration, analysts used NetWitness™ SIEMLink to rapidly pivot into events and alerts of interest directly from their SIEM console.
During an incident, an analyst using Cisco MARS identified a suspicious event in need of deeper analysis:
An IIS Backslash Evasion was observed on Feb 15, 2008 at 7:20 PM EST, between the IP addresses 22.214.171.124 and 126.96.36.199.
With a single highlight of the event text and a right-click, the analyst pivoted instantly to the network data for that alert. With the data instantly provided via SIEMLink, the staff determined from the content of the HTTP transaction that no actual backslash evasion had occurred. This almost immediate resolution of the alert prompted a rapid modification to the IDS rule that triggered it. The rule change, which reduced false positives, cleared the incident out of the work queue in less than one minute.
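The translation step that SIEMLink performs on highlighted console text (pick out the time and IP address values, then build a bounded session query) is shown below as an added illustration; this is not NetWitness code, and the query dictionary it produces is a hypothetical structure, not the real NetWitness query syntax. The sample event is the Cisco MARS text from the use case above; the timezone table and the five-minute window are assumptions. Because the input is screen-scraped from another application, only validated values (parsed addresses and a parsed timestamp) reach the query, never the raw text.

```python
import re
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address, AddressValueError

# Constructed sample: the event text quoted in the use case above.
SAMPLE_EVENT = ("An IIS Backslash Evasion was observed on Feb 15, 2008 at 7:20 PM EST, "
                "between the IP addresses 22.214.171.124 and 126.96.36.199.")

# Assumed timezone abbreviations (a deployment would take the console's
# configured zone rather than trusting an abbreviation in scraped text).
TZ_OFFSETS = {"UTC": 0, "GMT": 0, "EST": -5, "EDT": -4, "CST": -6, "CDT": -5,
              "MST": -7, "MDT": -6, "PST": -8, "PDT": -7}

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Matches stamps of the form "Feb 15, 2008 at 7:20 PM EST".
TIME_RE = re.compile(r"\b([A-Z][a-z]{2} \d{1,2}, \d{4}) at (\d{1,2}:\d{2} [AP]M) ([A-Z]{3,4})\b")

MAX_EVENT_LEN = 4096  # assumed cap on a single scraped alert string


def extract_ips(text):
    """Return unique, syntactically valid IPv4 addresses in order of appearance."""
    found = []
    for cand in IPV4_RE.findall(text):
        try:
            ip = str(IPv4Address(cand))
        except AddressValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
        if ip not in found:
            found.append(ip)
    return found


def extract_time(text):
    """Parse the first recognised timestamp into an aware UTC datetime, or None."""
    m = TIME_RE.search(text)
    if not m:
        return None
    date_part, clock_part, tz_abbr = m.groups()
    if tz_abbr not in TZ_OFFSETS:
        return None  # unknown zone: refuse rather than guess a window
    naive = datetime.strptime(f"{date_part} {clock_part}", "%b %d, %Y %I:%M %p")
    tz = timezone(timedelta(hours=TZ_OFFSETS[tz_abbr]))
    return naive.replace(tzinfo=tz).astimezone(timezone.utc)


def build_query(event_text, window_minutes=5):
    """Turn scraped event text into a bounded session query (hypothetical format).

    Returns None when either the time or the addresses cannot be recovered,
    so the caller never issues an unbounded query from a partial parse.
    """
    if len(event_text) > MAX_EVENT_LEN:
        raise ValueError("event text too long for a scraped alert")
    ips = extract_ips(event_text)
    when = extract_time(event_text)
    if not ips or when is None:
        return None
    window = timedelta(minutes=window_minutes)
    return {
        "start": int((when - window).timestamp()),  # epoch seconds, UTC
        "end": int((when + window).timestamp()),
        "ip": ips,
    }


if __name__ == "__main__":
    print(build_query(SAMPLE_EVENT))
```

For the sample event the query covers 00:15 to 00:25 UTC on 16 Feb 2008 (the EST stamp converted to UTC, plus and minus five minutes) and the two addresses. Returning None on a partial parse matters: a query with addresses but no time bound would pull every session those hosts ever had, which is both slow and, on a shared analysis console, far more data than the alert justifies.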