ANALYTICS NOVETTA CYBER. NOVETTA Cyber Analytics Product Brochure. Optimal for Analysis. Not Enough. Too Much

Transcription

1 NOVETTA Product Brochure The harsh reality of modern network security is that determined attackers will eventually breach enterprise networks attackers have an asymmetrical advantage and only need to find a single vulnerability to gain an initial foothold. Current security tools, including SIEMs, IPSs, forensics/analysis tools, etc., try to detect and block these attacks, but even today s best commercially available solutions cannot guarantee immunity from targeted attacks, zero-day exploits, and sophisticated malware. To combat these threats security teams must be able to rapidly detect, assess, and contain breaches, with a deep but fast network visibility and analysis solution. Key Capabilities Complete contextual network view Captures and processes packet capture data at wire speed from multiple distributed sensors. Extracts the most meaningful metadata and intelligently stores data to facilitate rapid analysis. Sessionizes and fuses network traffic into synthetic sessions to resolve asymmetric routing paths. Generates context-aware security intelligence that fuses network traffic data with threat intelligence and enrichment sources. Novetta is a network security situational awareness solution that substantially increases the effectiveness of security analysts and current security infrastructure. Advanced analytical capabilities enable security analysts to see a complete, truthful, near real-time picture of their entire network, then ask and get answers to subtle and complex questions at the speed of thought. The solution supercharges the effectiveness of incident responders, network security analysts, and current security infrastructure, using a state of the art data processing platform that has proven its speed and scalability on one of the largest and most attacked enterprise networks in the world the U.S. Department of Defense. Security team Super Charger Identifies behaviors that are undetectable using any other solution including SIEMs and competing network analytics solutions. Provides a feature-rich web interface for network analysis and hunting at interactive speeds. Retains compressed packet capture at the sensors for retrieval and analysis. Includes 50 pre-built queries, built from years of experience working with the Department of Defense, that can be used to detect, triage, and remediate breaches. Provides an ability to tag data with an analyst s thoughts and suspicions, such as whether an IP address is suspected of being a bad actor. Packets Don t Lie Sophisticated attackers change events and logs as a very first step upon breach to cover their tracks. So, SIEMs are correlating and analyzing on inherently untrustworthy data. The theoretically correct approach to network security is to monitor the network itself by definition hackers must travel across a network to do anything. Novetta accomplishes this by capturing ground truth raw network traffic, extracting the most meaningful metadata, elegantly enriching and storing this metadata, and rapidly making this collected intelligence available for automated and human analysis. The solution provides a highly scalable and efficient system for the detection of both short-term and long-term anomalous behavior. Optimal for Analysis NOVETTA CYBER ANALYTICS Leading Security Analytics Solution (Good for Forensics) Common Netflow Solutions Not Enough Sampled Net Flow -based client-view De-duplicates, fuses, sessionizes, extracts, and centralizes Advanced Queries Social Workflow Team & Infrastructure Effectiveness Novetta substantially increases the effectiveness of security teams and their current infrastructure. Key Features Speed Collects network traffic at wire speed (40Gbps+). Queries on petabytes of data run in just seconds using MPP and columnar data structures. Supports collection from Novetta sensors, legacy devices, and batch packet capture archives. Too Much Intelligent & Selective Extraction Content Unraveling

2 metadata to create a complete, near real-time view across globally dispersed network sensors. Augments network data via enrichment data: threat intelligence data, registrar and passive DNS, IP netblock owners, IP geolocation data, as well as custom sources. Scales to enterprise levels using a cluster-based distributed design built for analysts. See a complete enterprise-wide view of the unpredictable and suspicious behavior associated with advanced threats. Drastically accelerate discovery, triage, and response. Distinguish between acceptable network traffic, suspicious behavior, and malicious activity. Rapidly contextualize suspicious or malicious events. Queries on petabytes of data run in just seconds using MPP and columnar data structures. Built for analysts Provides an analytics-focused interface for rapid discovery and analysis via intuitive web interface. Enables one-click immediate drilldown access to original files for detailed investigations. Improve overall security posture Substantially increases security team effectiveness with knoweldge sharing. Increase the value of existing firewall, SWG, DLP, IDS, IPS, and/or SIEM systems by discovering network vulnerabilities. Integration Integrates with third party tools and fits into existing workflows via REST and Python APIs. 100% Legacy s: Customers are never locked into Novetta sensor hardware. The Novetta Batch Ingest Module integrates existing sensor hardware and data repositories on enterprise networks. Customers can schedule at any interval the batch ingest of the data they collect into the Novetta Cyber Analytics Hub. Key Benefits See the truth fast! Understand the ground truth of activity by going back to the source the network traffic. System Architecture: Deployment 100% Legacy s: Customers are never locked into Novetta sensor hardware. The Novetta Batch Ingest Module integrates existing sensor hardware and data repositories on enterprise networks. Customers can schedule at any interval the batch ingest of the data they collect into the Novetta Hub. 100% Novetta s: The most effective way to deploy Novetta is by instrumenting Novetta sensors at all strategic vantage points on the enterprise network. Novetta sensor technology compresses and retains data at the sensor site and makes it available on demand to end users. This design mitigates network congestion and reduces ingest latency to achieve near real-time network data processing in the Hub. Internet CYBER ANALYTICS HUB Archive Legacy Router Firewall Novetta collects all important network traffic of any size via strategic placement of sensors. Hybrid: Novetta adapts to needs of large, heterogeneous enterprise networks. Customers often find they would prefer more visibility in different sections of their network after understanding the capabilities and effectiveness of the Novetta solution. Any number of existing sensors and Novetta sensors can operate concurrently on a network. Customers can easily swap out existing sensors or Novetta sensors to fulfill their unique requirements. Packet Capture Batch Ingest Module SIEM IDS/IPS DLP ATP Analytics Engine Web Interface Network APIs Stored at sensor, but available for immediate use if needed. The solution runs proprietary software on commodity hardware and can be deployed in three primary methods:

3 Analytics A simple, clean, and efficient interface, ideal for analysts and hunters. Analyst Empowerment Novetta empowers incident responders and network security analysts to ask questions at the speed of thought, unencumbered by the chores of remembering syntax, data formats, or where they stored their network traffic. Novetta exposes an advanced query construction form and hyperlinks virtually all fields of the results to create a productive analytical experience. Analysts have total control over the data with the advanced query construction form. Novetta comes with 50+ pre-built, customizable analytical queries. Web UI enables analysts to drill down and pivot the data sets. Retrieves packet capture from sensor archives for forensic analysis. Distills data to extract and decode embedded content. Automation Novetta eliminates common barriers to network traffic analysis by pre-processing data at ingest. The solution performs the following tasks to facilitate a seamless analytical workflow that increases the operational tempo of incident responders and network security analysts: Reassembling sessions fragmented by asymmetric routing paths. Disambiguating sessions from multiple private IP address spaces across the enterprise. Classifying sessions and nodes to identify threat actors and traffic patterns. Dissecting application-layer services and indexes parameters for major services. Batch-loading sources of existing or other traffic data. Performance Novetta is designed to process petabytes of network traffic analysis at carrier-grade speed and scalability. Novetta represents the state of the art in the application of massively parallel processing to network traffic analysis and has proven itself on the premises of the largest network in the world the U.S. Department of Defense. s capture packets at ~40/ Gbps throughput an order of magnitude faster than competitors. Only the essential metadata is extracted from and loaded into the data warehouse. is archived at the sensor and retrieved on demand to mitigate congestion and latency. Queries on petabytes of data run in just seconds using MPP and columnar data structures.

4 Contextualization Session Details Related Sessions and IPs Bytes to/from server, TCP flags, packet counts Overlapping sessions Common IPs Associated IPs (hop finder) Domain Names Role Port Port Role ftp-prod2.largeco.com Client Server Geo MN, USA Protocol Service Duration TCP FTP 47 sec Custom Tags IP Block Owner Threat Lists IT, website FTP Big Company Emerging Threats Novetta gives context to events by associating the communicating parties of a session with their corporate and geographic entities. Incident responders and network security analysts receive immediate insight into the agents communicating on their networks. Novetta immediately integrates the following sources: Domain Names RuVPS123.com private.ruvps123.com Geo Moscow, RU IP Block Owner Distance ru VPS nmi City and country level geolocation for IP addresses. Historic domain name resolutions for publicly routable IP address. Domain name resolutions as observed passively on the wire. Who is IP address block assignments. Threat intelligence and blacklists. Custom subscriptions, spreadsheets, or lists client ip Collaboration & Integration Novetta enables teams to create and share knowledge and integrate enterprise security applications. Incident responders and network security analysts can humanize the traffic data to characterize threats, assets, or activities on their system. This enables teams to effectively discover and prioritize the triage of threats or targets on their systems. To that, end users can: Create and share knowledge by tagging IP addresses and sessions. Save, reuse, and share queries. Schedule queries and specify the conditions for raising alerts. Enforce custom authentication and role-based access control policies. Integrate enterprise network analysis applications via REST and Python APIs. client port Finance PCI_Subnet PCI_Subnet Suspicious Suspicious 4815 The colored text boxes are handwritten tags.

5 Product Specifications Novetta runs proprietary software on commodity hardware. It is designed to be configurable to the requirements of existing network systems. Please speak with a Novetta Solutions sales consultant today to learn how it can be integrated with your systems. Operating System Storage Compression Databases Capture Interface to Content Ratio Retention Storage Estimates No other solution can improve the effectiveness of a network security team and their current infrastructure as much as Novetta. Proven at the heart of our nation s defense, this linchpin solution is now available for commercial enterprise. RHEL-based Linux Direct Attached Storage, RAID6 LZ4 SQLite SPAN port or network tap 10:1 200:1 (100:1 1Gbps throughput 7 days 80 TB 14 days 160 TB 30 days Gbps throughput 7 days 775TB 14 days 1.5 PB 30 days 3.3 PB Analytics Engine Direct Attached Storage, RAID6 Massively Parallel Processing EDW (Teradata & ParAccel supported) Django Web application user interface Web-based export Web-based query results export REST API Python CLI API Operating System Storage Databases Interfaces Let us prove to you, just how effective this solution can be. For more information: Typical Installations Medium Large (844) NOVETTA (Toll Free) Extra Large s 4x 1Gbps 8x 1 Gbps + 2x 10 Gbps 12x 10Gbps Retention 30 Days 30 Days 120 Days Storage* 13.7 TB 93.8 TB 1.6 PB Retention Storage 320 TB 2.1 PB 9.1 PB (844) cyber-info@novetta.com novetta.com/cyber-analytics 1:100 Ratio metadata-to-content