
NetWitness Overview. Helmut Wahrmann, RSA. © Copyright 2011 EMC Corporation. All rights reserved.


Slide 1: NetWitness Overview
Helmut Wahrmann, RSA, helmut.wahrmann@rsa.com

Slide 2: The Current Scenario

Network Security Today
- Network-layer / perimeter-based
- Dependent on signatures, statistical methods, foreknowledge of adversary attacks
- High failure rate
- Ongoing cycle of purchases of preventative and detective measures, where the rate of failure equals economic or material losses for the organization

Threats Today
- Constantly evolving, faster than preventative measures
- Various actors: insiders, criminals, nation-states
- Numerous vectors: application-layer, APT, 0-day and targeted malware, fraud, espionage, data leakage

Commercial and Government Organizations Want Something Better
- To close these risk gaps
- And to obtain the agility to deal with future changes to their IT needs and the threat landscape

Slide 3: NetWitness Is ...
- A revolutionary approach to enterprise network monitoring
- A platform for pervasive visibility into content and behavior
- Providing precise and actionable intelligence

Slide 4: Invest in Certainty. Invest in Agility. Know Everything... Answer Anything

Questions customers ask:
- Why are packed or obfuscated executables being used on our systems?
- What critical threats are my anti-virus and IDS missing?
- I am worried about targeted malware and APTs. How can I fingerprint and analyze these activities in my environment?
- We need to better understand and manage the risks associated with insider threats. I want visibility into end-user activity and to be alerted on certain types of behavior.
- On our high-value assets, how can we have certainty that our security controls are functioning exactly as implemented?
- How can I detect new variants of Zeus or other 0-day malware on my network?
- We need to examine critical incidents as if we had an HD video camera recording it all.

Slide 5: How Does NetWitness Work? NextGen

Slide 6: NextGen Design Concepts

Core components
- Decoder (SENSOR): full packet capture, session processing, packet storage, with 10G/Any-G support
- Concentrator (DATABASE): aggregates and indexes metadata in real time
- Broker (QUERY BROKER): provides a single logical view into Concentrators distributed throughout an enterprise

Applications
- Informer: visualization, reporting, alerting and live charting server
- Investigator Enterprise: interactive analysis with NetWitness appliances
- Live: real-time integration of the collective intelligence of the world with your data
- Spectrum: automated malware prioritization and analysis
- SIEMLink: provides immediate access to NetWitness analytics from within your IDS or SIEM console
- SDK/API: free, for rapid development of any conceivable network analysis application

Slide 7: Understanding the NetWitness NextGen Appliances

Portable / Tactical: NWA55 "Eagle"
- Usage: incident response, tactical operations
- Features: briefcase form factor, encrypted/removable drives, 2TB retention

Branch / Fixed Capacity: NWA200 Hybrid
- Usage: remote office, managed services, small security teams
- Features: 1U form factor, fixed capacity, distributed visibility, 8TB retention

Data Center / High Performance: NWA1200/2400 Decoder, NWA1200/2400 Concentrator, NWA200 Broker
- Usage: enterprise monitoring, SOC operations
- Features: 1U and 2U form factors, bandwidth scalable, distributed visibility, 12 or 24TB retention, DAS and SAN storage available

Service Provider / Unlimited Scalability
- Usage: national monitoring, large SOC operations, indefinite retention
- Features: 1U and 2U form factors, bandwidth scalable, distributed visibility, 12 or 24TB retention, DAS and SAN storage available, throughput-saturated storage

Throughput and daily capture volumes listed on the slide, scaling from portable to service provider: 100Mbps (1TB/day), 250Mbps (2.5TB/day), 1Gbps (10TB/day), 10Gbps (100TB/day), 40Gbps (400TB/day).

Slide 8: NetWitness Platform

Data flow, as shown on the slide:
- Network span, tap, or load balancer feeds the Decoder
- Decoder: capture, process and store
- Concentrator: index and direct query; metadata aggregated (2-5% of raw)
- Broker: distributed query; session ranges aggregated (<1MByte/hr)
- Analytics: Investigator, Informer, API

Slide 9: Automated Analysis, Reporting and Alerting (Informer)
- Flexible dashboard, chart and summary displays for a unified view of threat vectors
- Get automatic answers to any question for network security, security/HR, legal/R&D/compliance, and IT operations
- HTML, CSV and PDF report formats included
- Supports CEF, SNMP, syslog and SMTP data push for full integration with SIEM and other network event management

Slide 10: Getting Answers to the Toughest Questions (Investigator)
- Interactive data-driven session analysis of layer 2-7 content
- Award-winning, patented, port-agnostic session analysis
- Infinite freeform analysis paths and content/context investigation points
- Data presented as the user experienced it (web, voice, files, emails, chats, etc.)
- Supports massive data sets: instantly navigate terabytes of data
- Fast analytics: analysis that once took days now takes minutes
- Freeware version used by over 45,000 security experts worldwide

Slide 11: Signature-Free, Automated Malware Analysis, Prioritization, and Workflow (Spectrum)
- Mimics the techniques of leading malware analysts by asking thousands of questions about an object, without requiring a signature or a known "bad" action
- Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services to assess, score, and prioritize risks
- Utilizes NetWitness' pervasive network monitoring capability for full network visibility and extraction of all content across all protocols and applications
- Provides transparency and efficiency to malware analytic processes by delivering complete answers to security professionals

Slide 12: A New Way to Look at Everything (Visualize)
- Revolutionary visual interface to content on the network
- Extracts and interactively presents images, files, objects, audio, and voice for analysis
- Supports multi-touch, drilling, timeline and automatic "play" browsing
- Rapid review and triage of content

Slide 13: Sample Deployment Options

Slide 14: Thank You

Slide 15: Crafted Spear Phish Was the Carrier
- Malicious link is to report.zip at dnicenter.com

Slide 16: Zero-Day: Your A/V Security Has Failed
- Only 1 of 42 AV vendors identified the file as malicious on 03.05.2010 (virustotal.com)
- AV disabled by overwriting the hosts file: vendor update domains routed to 127.0.0.1
- Result: if AV did not pick up the malware initially, it never will
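A defender-side check for the hosts-file tampering described on the slide, added here as an example (not NetWitness or RSA code): it parses hosts-file text and reports any hostname that has been pointed at a loopback or blackhole address. The sample hosts content and the av-vendor.example domain are constructed for the demonstration.

```python
import ipaddress

# Addresses that make a named host unreachable when placed in the hosts file.
SINKHOLE_NETS = [ipaddress.ip_network("127.0.0.0/8"),
                 ipaddress.ip_network("::1/128"),
                 ipaddress.ip_network("0.0.0.0/32")]
# Names that legitimately map to loopback and must not be flagged.
BENIGN_LOOPBACK_NAMES = {"localhost", "localhost.localdomain",
                         "ip6-localhost", "ip6-loopback"}

# Constructed sample hosts file (not a real capture).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.10      intranet.example.test   # legitimate static entry
127.0.0.1       update.av-vendor.example   # update server sinkholed
0.0.0.0         liveupdate.av-vendor.example
"""

def parse_hosts(text):
    """Yield (address, [hostnames]) for each effective entry, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not a valid hosts entry; ignore
        yield addr, [h.lower() for h in parts[1:]]

def find_sinkholed_hosts(text, watch_suffixes=()):
    """Return (hostname, address) pairs routed to loopback/blackhole addresses.
    watch_suffixes optionally restricts results to names under given domains,
    e.g. an organisation's list of its AV and patch vendors' update domains."""
    hits = []
    for addr, names in parse_hosts(text):
        if not any(addr in net for net in SINKHOLE_NETS):
            continue
        for name in names:
            if name in BENIGN_LOOPBACK_NAMES:
                continue
            if watch_suffixes and not any(
                    name == s or name.endswith("." + s) for s in watch_suffixes):
                continue
            hits.append((name, str(addr)))
    return hits

if __name__ == "__main__":
    for host, addr in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"sinkholed: {host} -> {addr}")
```

On a live system the same function can be fed the contents of /etc/hosts or the Windows drivers\etc\hosts file; a non-empty result for vendor domains is a strong indicator that update traffic has been deliberately blocked.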

Slide 17: BTW, Spectrum Saw This From the Beginning...
- report.zip and its contents prioritized by NetWitness
- Revisiting Spectrum's ability to prioritize file objects: report.zip was flagged as a critical object for analysis, accelerating incident resolution for this zero-day

Slide 18: Demonstration Recap

Sequence of events
- User receives a well-crafted spear-phish
- User downloads and executes a zip file from a site in China
- Once executed, the victim's machine becomes a member of a ZeuS botnet
- The ZeuS bot begins beaconing to establish command and control with the botnet operator
- Botnet operator commands the new zombie to download and execute second-stage malware
- This second-stage malware successfully FTPs documents from the victim computer to a server in Belarus

Only NetWitness can:
- Provide deep visibility into all content
- Pervasively expose network context and behavior
- Provide an understanding that cuts across every dimension of your network

