Given today's commercial threat landscape, network defenses are almost inevitably breached. To support incident investigation, evidence gathering, impact assessment and clean-up, Network Forensics Appliances deliver full-packet recording, in-depth analysis, event reconstruction, visualization and reporting.
In this EnterpriseNetworkingPlanet Network Forensics Appliance buying guide, we look at how RSA's acquisition of NetWitness marries two best-of-breed products to create a more comprehensive monitoring solution that leverages threat analytics to revamp security operations center (SOC) workflows.
Forging a partnership against cybercrime
When EMC's security division RSA purchased NetWitness in April, it acquired a network forensics line that raked in $40 million last year. NetWitness was founded in 2006 by Amit Yoran and has since been deployed by six Fortune 10 companies, three of the world's largest banks and 75 percent of U.S. federal agencies.
Senior director of product management Brian Girardi says he sees opportunity for NetWitness to leverage EMC's portfolio. "As [network forensics] becomes more pervasive within the enterprise, EMC products come into play because storage is a significant part of what we do," he said. "There's value in scalability when you're storing petabytes of data, to help customers move from [saving] three weeks to 60 days of data."
Furthermore, working within EMC/RSA enables NetWitness to forge an even tighter bond with RSA's SIEM. "Our number one buyer is the SOC - those people in the trenches, responsible for daily security. As an extension to their existing workflow, NetWitness can go hand in hand with a SIEM like enVision. We see customers leveraging NetWitness to summarize events that roll up to senior management. The types of threats we tend to expose require that visibility," he said.
Creating a network forensics infrastucture
NetWitness divvies its network forensics technology into applications and appliances. "We've spent a lot of time designing our architecture to scale and grow as customer's network evolves. We separated capture and storage and processing onto appliances that can scale," explained Girardi. "As [Decoders] capture data, [Concentrators] build a metadata model that describes entities and how they behave on the network, while fusing in threat intelligence from third parties. [Brokers] then roll this data up to applications that need it."
NetWitness offers a range of appliances to perform one or more of these functions, sized to meet different customer environments and throughput / retention needs:
- For on-site investigators, the NWA50 Eagle is a portable briefcase appliance, capable of storing 2TB of data, captured at 100 Mbps, on removable encrypted disks.
- For remote/branch offices that need 24/7 local recording, the NWA200 Hybrid (decoder+concentrator) can store 8TB (max 2.5 TB/day), captured at 250 Mbps.
- For larger data centers and service providers, NWA1200 or 2400 Decoder and Concentrator appliances can record and store 12 or 24TB (10 TB/day), extensible with DAS/SAN storage. Capture rates and GB Ethernet interfaces vary, but these appliances can be clustered to handle up to 400 TB/day at 40 Gbps.
- Optional NWA100 Broker appliances can make physically-distributed Concentrator data accessible by servicing queries performed on a logically-unified view.
"In a starter deployment, a customer might put one Decoder and Concentrator at an egress point, expanding to other egress points over time," said Girardi. "We're also seeing focus now on internal networks, because during attacks, there's a lot of lateral data movement between internal systems. It isn't until [intruders] find what they want that data starts leaving the network [through egress points]."
Feeding forensics applications
NetWitness appliances revolve around data capture. "Getting all of it, as fast as you can, and storing it - that's common," said Girardi. "Where we really differentiate is in what we do with that data."
"We reassemble and index data to give security teams visibility to do their jobs effectively - not just for post mortems but in real time to deal with emerging threats. Our focus is actionable information - when you're talking about the volumes of traffic we're looking at, if you don't have the ability to find data over large spans of time, there's not much point in having it. We help teams respond to questions as they come up," he said.
Currently, NetWitness offers four separately-licensed forensics applications:
- Spectrum applies information sourced from threat intelligence and reputation services to identify and prioritize malware. "There's a lot of concern now about zero day threats," said Girardi. "Spectrum is optional but critical in environments where [customers] want to scrape through [forensic] data to pull off malware."
- Informer delivers threat reporting and alerting, presented in dashboards and charts. Informer's primary audience tends to be upper management, explained Girardi. "We roll up data into a single display for use by human resources, legal and regulatory compliance. It's here that our integration with SIEMs really comes into play."
- Investigator is a free-form analytic application, available as both commercial product and freeware. "Investigator is a very good for anyone sitting in a SOC, [trying] to determine the root cause of security event," said Girardi. "Both versions offer the same experience, just on a different scale. When used with our appliances, Investigator can [pivot through] much larger volumes of data, much faster."
- Finally, Visualize enables rapid review and triage of content leaving a network by extracting and presenting entire artifacts carried by recorded traffic. "We pull together documents, images and conversations, rendering them for easy [browsing]," explained Girardi.
Although these applications are sold separately, most NetWitness customers license all four. Girardi acknowledged that Investigator, with more than 50,000 freeware users, is by far the most commonly used. Depending upon customer workflow, Informer is becoming increasingly popular as a way to get more value from security infrastructure investments through operations integration and automation.
NetWitness in action
To illustrate, Girardi described a Zeus attack that started with a fraudulent email inviting high-profile targets to click on a phishing link. During this zero-day attack, just one in 42 anti-virus vendors identified the linked zip file as malware.
However, when users in networks monitored by NetWitness clicked the link, Spectrum checked several intelligence sources to learn that one vendor had identified the file as malware. By bringing this file to the SOC's attention, associated flows could be examined using Investigator, tapping metadata like IP, services, actions and usernames.
In this attack, high volume beacon traffic to a command and control server in China, along with FTP traffic to Belarus, offered visual cues that something was seriously amiss. NetWitness customers not only learned that Zeus was active but could quickly spot which hosts had been infected and visualize documents exfiltrated via FTP.
Investigating this kind of threat in near-real-time requires integrated intelligence. NetWitness Live subscriptions pull together malware and reputation data from many sources, ranging from free feeds like the SANS ISC to Enhanced and Premium subscriptions which cull data from ZeusTracker, Verisign and elsewhere.
Through growing third-party integration, NetWitness seems to be moving well beyond traditional network forensics territory, placing more emphasis on supporting real-time investigation. Collaborating closely with a large security firm like RSA and a SIEM like enVision should be helpful in this respect. However, note that customers with other SIEMs can still use NetWitness' SIEMLink to meet their own integration needs.
Under the hood, NetWitness takes an unusually decoupled approach to promote flexibility and scalability. But this also requires assembling a complete solution from available appliances and applications to realize the full benefits of any NetWitness deployment - or understand its true cost.
To learn more about RSA NetWitness network forensics products, visit this link.