NetWitness Overview
The Current Scenario
APT Network Security Today
- Network-layer / perimeter-based
- Dependent on signatures, statistical methods and foreknowledge of adversary attacks
- High failure rate
- Ongoing cycle of purchases of preventative and detective measures, where the rate of failure = economic or material losses for the organization
Threats Today
- Constantly evolving, faster than preventative measures
- Various actors: insiders, criminals, nation-states
- Numerous vectors: application-layer, APT, 0day and targeted malware, fraud, espionage, data leakage
Commercial and Government Organizations Want Something Better
- To close these risk gaps
- And to obtain the agility to deal with future changes to their IT needs and the threat landscape
NetWitness Is
- A revolutionary approach to enterprise network monitoring
- A platform for pervasive visibility into content and behavior
- Providing precise and actionable intelligence
Know Everything. Answer Anything.
Know Everything... Answer Anything
Invest in Certainty. Invest in Agility.
- What critical threats are my Anti-Virus and IDS missing?
- Why are packed or obfuscated executables being used on our systems?
- I am worried about targeted malware and APTs -- how can I fingerprint and analyze these activities in my environment?
- We need to better understand and manage the risks associated with insider threats.
- I want visibility into end-user activity and to be alerted on certain types of behavior.
- On our high value assets, how can we have certainty that our security controls are functioning exactly as implemented?
- How can I detect new variants of Zeus or other 0day malware on my network?
- We need to examine critical incidents as if we had an HD video camera recording it all.
Introducing the NetWitness Network Security Analysis Platform
- Automated Malware Analysis and Prioritization
- Automated Threat Reporting, Alerting and Integration
- Freeform Analytics for Investigations and Real-time Answers
- Revolutionary Visualization of Content for Rapid Review
RSA Security Management Process
[Diagram: infrastructure sources (event logs, network activity, state, configuration, identities, sensitive data, vulnerabilities) feed Collection and Correlation (RSA products, third-party tools), then Prioritization (business objectives, policies, regulations), Visualization, Investigation and Remediation]
NetWitness is a critical element of the RSA Security Management Process:
- Collect all network activity
- Prioritize threats via real-time fusion with advanced intelligence feeds
- Investigate threats quickly via automated and freeform session analysis
- Visualize all network traffic in a rapid-review, multi-touch visual experience
Security Leaders Leverage NetWitness
Security teams in high threat environments:
- 6 of the Fortune 10
- 70% of US Federal agencies
- Over 50,000 security experts around the world
"NetWitness is a cutting edge vendor for Network Analysis and Visibility." -- John Kindervag, Forrester Research
"NetWitness is the last security appliance you will ever need to buy." -- Josh Corman, 451 Group
Recognized for outstanding performance:
- #21 in the 2010 Inc. 500, including #1 in the U.S. among enterprise software companies
- Winner of the SC People's Choice Award and numerous other industry achievements
"Traditional security measures like firewalls, intrusion detection, patch management, anti-virus, single tier DMZs are not enough to stop the new threats." -- CISO, Major U.S. Federal Agency
"I rely upon NetWitness to detect and analyze malware that no other product can find." -- Director of Incident Response, NY Health Care Provider
NetWitness Applications
Signature-Free, Automated Malware Analysis, Prioritization, and Workflow: Spectrum
- Mimics the techniques of leading malware analysts by asking thousands of questions about an object, without requiring a signature or a known-bad action
- Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services to assess, score, and prioritize risks
- Utilizes NetWitness's pervasive network monitoring capability for full network visibility and extraction of all content across all protocols and applications
- Provides transparency and efficiency to malware analytic processes by delivering complete answers to security professionals
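What "asking questions about an object without a signature" looks like in practice, as an added illustration (this is example code written for this page, not Spectrum's or any NetWitness code): a scorer that asks three content-only questions of a byte blob (per-chunk Shannon entropy, the share of chunks that look packed or encrypted, and whether the blob carries a native executable header) and turns the answers into a verdict. The chunk size, entropy threshold and score weights are assumed values chosen for the illustration, and the samples are constructed in-line rather than taken from real malware.

```python
import math
import random
from collections import Counter

CHUNK = 1024          # bytes per window; assumed size for this illustration
HIGH_ENTROPY = 7.2    # bits/byte; assumed threshold (uniformly random data is ~8.0)
PACKED_RATIO = 0.5    # assumed: more than half the windows high-entropy looks packed


def shannon_entropy(data):
    """Shannon entropy, in bits per byte, of an arbitrary byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data, chunk=CHUNK):
    """Entropy per fixed-size window, so a packed section stands out even when
    the file as a whole is diluted by a low-entropy stub or resource data."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def has_exec_header(data):
    """Does the object start like a native executable? (PE 'MZ' or ELF magic.)"""
    return data[:2] == b"MZ" or data[:4] == b"\x7fELF"


def score_object(data):
    """Ask a few signature-free questions and combine the answers into a score."""
    ents = chunk_entropies(data)
    high = sum(1 for e in ents if e >= HIGH_ENTROPY)
    ratio = high / len(ents) if ents else 0.0
    answers = {
        "exec_header": has_exec_header(data),
        "packed_ratio": round(ratio, 2),
        "max_chunk_entropy": round(max(ents, default=0.0), 2),
    }
    # Weights are assumed for illustration; a real tool weighs many more answers.
    score = 0
    if answers["exec_header"]:
        score += 10
    if ratio > PACKED_RATIO:
        score += 40
    if answers["exec_header"] and ratio > PACKED_RATIO:
        score += 30   # executable whose bulk is high-entropy: packer/crypter smell
    answers["score"] = score
    answers["verdict"] = "likely packed" if score >= 50 else "unremarkable"
    return answers


# Constructed samples (no real malware): a 1 KiB "MZ" stub followed by either
# pseudo-random bytes (stand-in for a packed payload) or repetitive plain text.
_rng = random.Random(1234)
_STUB = b"MZ" + b"\x00" * (CHUNK - 2)
PACKED_SAMPLE = _STUB + bytes(_rng.getrandbits(8) for _ in range(4 * CHUNK))
BENIGN_SAMPLE = _STUB + (b"This program cannot be run in DOS mode.\r\n" * 200)[:4 * CHUNK]
TEXT_SAMPLE = b"hello world " * 400

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("benign", BENIGN_SAMPLE), ("text", TEXT_SAMPLE)):
        print(label, score_object(blob))
```

The point of windowing rather than scoring the whole file is the failure mode packers exploit: a large low-entropy overlay or resource section drags the file-wide entropy below any threshold while the code section is still fully encrypted. Windowed entropy is one of the cheapest questions to ask, which is why it is usually the first of the "thousands".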
Automated Analysis, Reporting and Alerting: Informer
- Flexible dashboard, chart and summary displays for a unified view of threat vectors
- Get automatic answers to any question for: Network Security; Security / HR; Legal / R&D / Compliance; I/T Operations
- HTML, CSV and PDF report formats included
- Supports CEF, SNMP, syslog and SMTP data push for full integration with SIEM and other network event management systems
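The CEF-over-syslog push listed above is where SIEM integrations most often break, because CEF has two different escaping rules (header fields escape `|` and `\`, extension values escape `=` and `\`) and a receiver that gets an unescaped pipe splits the record in the wrong place. The following is an added example, not Informer's or any NetWitness code: it builds one alert as a CEF line and wraps it in a BSD-syslog (RFC 3164 style) message. The vendor, product, version, signature id and alert fields are assumed values for the illustration.

```python
import datetime

LOCAL4 = 20   # syslog facility number used here (assumed choice)
NOTICE = 5    # syslog severity number


def cef_escape_header(value):
    """Header fields may not contain a raw '|' or '\\'."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_extension(value):
    """Extension values may not contain a raw '=' or '\\'; line breaks become \\r \\n."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, signature_id, name, severity, extension):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|key=value key=value ..."""
    severity = int(severity)
    if not 0 <= severity <= 10:
        raise ValueError("CEF severity must be 0..10")
    header = "|".join(cef_escape_header(v) for v in
                      (vendor, product, version, signature_id, name, severity))
    ext = " ".join(f"{k}={cef_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:0|{header}|{ext}"


def to_syslog(message, hostname, when, facility=LOCAL4, severity=NOTICE):
    """Wrap a message as '<PRI>Mmm dd hh:mm:ss host message' (BSD syslog)."""
    pri = facility * 8 + severity
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"   # day is space-padded
    return f"<{pri}>{stamp} {hostname} {message}"


def example_alert_line():
    """One complete alert the way a syslog push would carry it (values assumed)."""
    cef = to_cef("NetWitness", "Informer", "1.0", "100", "Packed|executable seen", 7,
                 {"src": "10.0.0.5", "dst": "203.0.113.9", "dpt": 443,
                  "msg": "entropy=7.8 on 4/5 chunks"})
    return to_syslog(cef, "nw-informer", datetime.datetime(2011, 3, 9, 23, 32, 0))


if __name__ == "__main__":
    print(example_alert_line())
```

The alert name deliberately contains a `|` and the message an `=` so the escaped output can be checked by eye; sending the resulting line with `socket.sendto` over UDP/514 or over a TCP/TLS syslog channel is the only step missing from a real push.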
Getting Answers to the Toughest Questions: Investigator
- Interactive, data-driven session analysis of layer 2-7 content
- Award-winning, patented, port-agnostic session analysis
- Infinite freeform analysis paths and content/context investigation points
- Data presented as the user experienced it (Web, Voice, Files, Emails, Chats, etc.)
- Supports massive data sets: instantly navigate terabytes of data
- Fast analytics: analysis that once took days now takes minutes
- Freeware version used by over 45,000 security experts worldwide
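"Port-agnostic session analysis" means the application protocol is decided from what the two sides actually sent, not from the destination port, so SSH tunnelled over 443 or HTTP command-and-control on 22 is still labelled as what it is. The following is an added example written for this page, not Investigator's or any NetWitness code: a minimal content-based classifier for SSH, TLS, HTTP and SMTP sessions, plus a check that flags sessions whose observed protocol disagrees with what the port would suggest. The sessions are constructed in-line (not captured traffic) and the port-to-protocol expectations are an assumed table.

```python
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"CONNECT ")

# Assumed port-to-protocol expectations; used only to flag surprises, never to classify.
PORT_HINT = {22: "ssh", 25: "smtp", 80: "http", 443: "tls", 8080: "http"}


def identify_protocol(client_first, server_first=b""):
    """Label a session from the first bytes each side sent, never from the port."""
    if client_first.startswith(b"SSH-") or server_first.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # two-byte record length, then handshake type 0x01 (ClientHello).
    if (len(client_first) >= 6 and client_first[0] == 0x16
            and client_first[1] == 0x03 and client_first[5] == 0x01):
        return "tls"
    request_line = client_first.split(b"\r\n", 1)[0]
    if client_first.startswith(HTTP_METHODS) and b" HTTP/1." in request_line:
        return "http"
    if server_first.startswith(b"220 ") and b"SMTP" in server_first:
        return "smtp"   # also matches "ESMTP" greetings
    return "unknown"


def analyze_session(dst_port, client_first, server_first=b""):
    """Classify one session and say whether it contradicts the port's usual protocol."""
    observed = identify_protocol(client_first, server_first)
    expected = PORT_HINT.get(dst_port)
    mismatch = expected is not None and observed not in ("unknown", expected)
    return {"dst_port": dst_port, "observed": observed,
            "expected": expected, "mismatch": mismatch}


# Constructed session openers (not captured traffic).
CLIENT_HELLO = bytes.fromhex("160301002a0100002603035b") + b"\x00" * 32
SSH_BANNER = b"SSH-2.0-OpenSSH_8.9\r\n"
HTTP_GET = b"GET /update.bin HTTP/1.1\r\nHost: cdn.example.com\r\n\r\n"
SMTP_EHLO = b"EHLO workstation.example.com\r\n"
SMTP_GREETING = b"220 mail.example.com ESMTP Postfix\r\n"

SESSIONS = [
    (443, CLIENT_HELLO, b""),        # TLS where TLS is expected
    (443, SSH_BANNER, SSH_BANNER),   # SSH hidden on the HTTPS port
    (22, HTTP_GET, b""),             # plain HTTP on the SSH port
    (25, SMTP_EHLO, SMTP_GREETING),  # SMTP where SMTP is expected
    (80, CLIENT_HELLO, b""),         # TLS on the clear-text web port
]


def find_mismatches(sessions=SESSIONS):
    """Sessions whose content contradicts the port: the starting point for an investigation."""
    return [r for r in (analyze_session(*s) for s in sessions) if r["mismatch"]]


if __name__ == "__main__":
    for result in find_mismatches():
        print(f"tcp/{result['dst_port']}: expected {result['expected']}, saw {result['observed']}")
```

A production classifier needs far more fingerprints and must look past the first packet, but the design point is the same: the port is metadata supplied by the endpoints, and an adversary chooses both; the payload is the evidence.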
A New Way to Look at Everything: Visualize
- Revolutionary visual interface to content on the network
- Extracts and interactively presents images, files, objects, audio, and voice for analysis
- Supports multi-touch, drilling, timeline and automatic-play browsing
- Rapid review and triage of content
NetWitness Integration
Leveraging the Power of NetWitness within Your Existing Infrastructure
NetWitness SIEMLink
- Lightweight Windows utility that generically enables network event interrogation by NetWitness from ANY existing system
- Compatible with any existing SIEM, IDS/IPS or log console, or enterprise network management system
- Highlight-right-click functionality from any browser-based console
- Augments and empowers interactive contextual analysis around every event your enterprise creates
[Diagram: an entry in an event console (Event: Buffer Overflow, IP: 212.2.3.2 @ 11:32PM) is handed via the tray utility to NetWitness Investigator and the NextGen infrastructure for instant context]
NetWitness Is Designed to Integrate With Your Existing Investments
NetWitness Infrastructure
NetWitness Collection Architecture
- Decoder: real-time, distributed, highly configurable network recording appliance (full packet capture)
- Concentrator: aggregates and analyzes data across multiple capture locations
- Broker: request brokering across the entire infrastructure
Sample Deployment Options