Slide 1 © Copyright 2011 EMC Corporation. All rights reserved.
NetWitness Overview
Helmut Wahrmann, RSA
firstname.lastname@example.org
Slide 2: The Current Scenario
Network Security Today
– Network-layer / perimeter-based
– Dependent on signatures, statistical methods, and foreknowledge of adversary attacks
– High failure rate
– Ongoing cycle of purchases of preventative and detective measures, where the rate of failure equals economic or material losses for the organization
Threats Today
– Constantly evolving, faster than preventative measures
– Various actors: insiders, criminals, nation-states
– Numerous vectors: application-layer, APT, 0day and targeted malware, fraud, espionage, data leakage
Commercial and Government Organizations Want Something Better
– To close these risk gaps
– And to obtain the agility to deal with future changes to their IT needs and the threat landscape
Slide 3: NetWitness Is …
– A revolutionary approach to enterprise network monitoring
– A platform for pervasive visibility into content and behavior
– Providing precise and actionable intelligence
Slide 4: Know Everything... Answer Anything
Questions NetWitness is positioned to answer:
– Why are packed or obfuscated executables being used on our systems?
– What critical threats are my Anti-Virus and IDS missing?
– I am worried about targeted malware and APTs: how can I fingerprint and analyze these activities in my environment?
– We need to better understand and manage the risks associated with insider threats. I want visibility into end-user activity and to be alerted on certain types of behavior.
– On our high-value assets, how can we be certain that our security controls are functioning exactly as implemented?
– How can I detect new variants of Zeus or other 0day malware on my network?
– We need to examine critical incidents as if we had an HD video camera recording it all…
Invest in Certainty. Invest in Agility. Know Everything... Answer Anything.
Slide 5: How Does NetWitness Work? - NextGen
Slide 6: NextGen Design Concepts
» Decoder (SENSOR):
‣ Full packet capture, session processing, packet storage, with 10G/Any-G support
» Concentrator (DATABASE):
‣ Aggregates and indexes metadata in real time
» Broker (QUERY BROKER):
‣ Provides a single logical view into Concentrators distributed throughout an enterprise
APPLICATIONS
– Informer: visualization, reporting, alerting and live charting server
– Investigator Enterprise: interactive analysis with NetWitness appliances
– Live: real-time integration of the collective intelligence of the world with your data
– Spectrum: automated malware prioritization and analysis
– SIEMLink: provides immediate access to NetWitness analytics from within your IDS or SIEM console
– SDK/API: free, for rapid development of any conceivable network analysis application
Slide 7: Understanding the NetWitness NextGen Appliances
Portable Tactical
– Appliance: NWA55 "Eagle"
– Usage: Incident Response, Tactical Operations
– Features: Briefcase form-factor, Encrypted/Removable Drives, 2TB Retention
Branch Fixed Capacity
– Appliance: NWA200 Hybrid
– Usage: Remote Office, Managed Services, Small Security teams
– Features: 1U form-factor, Fixed capacity, Distributed visibility, 8TB Retention
Data Center High Performance
– Appliances: NWA1200/2400 Decoder, NWA1200/2400 Concentrator, NWA200 Broker
– Usage: Enterprise Monitoring, SOC Operations
– Features: 1U & 2U form-factors, Bandwidth Scalable, Distributed visibility, 12 or 24TB Retention, DAS & SAN Storage Available, Throughput Saturated Storage
Service Provider Unlimited Scalability
– Appliances: NWA1200/2400 Decoder, NWA1200/2400 Concentrator, NWA200 Broker
– Usage: National Monitoring, Large SOC Operations, Indefinite retention
– Features: 1U & 2U form-factors, Bandwidth Scalable, Distributed visibility, 12 or 24TB Retention, DAS & SAN Storage Available
Throughput and daily capture volumes shown on the slide (scaling across the tiers): 100Mbps / 1TB/day; 250Mbps / 2.5TB/day; 1Gbps / 10TB/day; 10Gbps / 100TB/day; 40Gbps / 400TB/day
Slide 8: NetWitness Platform
Data flow: Network span, tap, or load balancer → Decoder (capture, process & store) → Concentrator (index & direct query) → Broker (distributed query) → Analytics (Investigator, Informer, API)
– Metadata aggregated from Decoder to Concentrator: 2-5% of raw
– Session ranges aggregated from Concentrator to Broker: <1MByte/hr
Slide 9: Automated Analysis, Reporting and Alerting (Informer)
– Flexible dashboard, chart and summary displays for a unified view of threat vectors
– Get automatic answers to any question for: Network Security; Security / HR; Legal / R&D / Compliance; I/T Operations
– HTML, CSV and PDF report formats included
– Supports CEF, SNMP, syslog and SMTP data push for full integration with SIEM and other network event management
Slide 10: Getting Answers to the Toughest Questions (Investigator)
– Interactive data-driven session analysis of layer 2-7 content
– Award-winning, patented, port-agnostic session analysis
– Infinite freeform analysis paths and content/context investigation points
– Data presented as the user experienced it (Web, Voice, Files, Emails, Chats, etc.)
– Supports massive data sets; instantly navigate terabytes of data
– Fast analytics: analysis that once took days now takes minutes
– Freeware version used by over 45,000 security experts worldwide
Slide 11: Signature-Free, Automated Malware Analysis, Prioritization, and Workflow (Spectrum)
– Mimics the techniques of leading malware analysts by asking thousands of questions about an object without requiring a signature or a known "bad" action
– Leverages NetWitness Live by fusing information from leading threat intelligence and reputation services to assess, score, and prioritize risks
– Utilizes NetWitness' pervasive network monitoring capability for full network visibility and extraction of all content across all protocols and applications
– Provides transparency and efficiency to malware analytic processes by delivering complete answers to security professionals
Slide 12: A New Way to Look at Everything (Visualize)
– Revolutionary visual interface to content on the network
– Extracts and interactively presents images, files, objects, audio, and voice for analysis
– Supports multi-touch, drilling, timeline and automatic "play" browsing
– Rapid review and triage of content
Slide 13: Sample Deployment Options
Slide 14: THANK YOU
Slide 15: Crafted Spear Phish was the Carrier
– Malicious link is to report.zip at dnicenter.com
Slide 16: Zero-Day: Your A/V security has failed
– Only 1 of 42 AV vendors identified the file as malicious on 03.05.2010 (virustotal.com)
– AV disabled by overwriting the hosts file; vendor update hostnames routed to 127.0.0.1
– Result: if AV didn't pick up the malware initially, it never will
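Slide 16 describes AV being neutered by pointing vendor update hostnames at 127.0.0.1 in the hosts file. As an added example (not NetWitness code or anything from the presentation), here is a small Python checker a responder could run over a collected hosts file: it flags any non-local hostname mapped to a loopback or 0.0.0.0 address, and raises severity when the name is on a watch list. The vendor domains on the watch list and the sample hosts content are constructed placeholders.

```python
import ipaddress

# Constructed placeholders standing in for real AV update hostnames.
WATCHLIST = {"update.av-vendor.example", "liveupdate.av-vendor.example"}
# Names that legitimately map to loopback and must not be flagged.
LEGIT_LOCAL = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}

def is_sinkhole(addr: str) -> bool:
    """True for loopback (127/8, ::1) or blackhole (0.0.0.0) addresses."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified

def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for every mapping in hosts-file text."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield fields[0], name.lower(), n

def find_sinkholed(text: str):
    """Return hostnames sent to loopback/blackhole that are not legitimate
    local names; watch-listed (AV update) names get severity 'high'."""
    findings = []
    for ip, name, n in parse_hosts(text):
        if name in LEGIT_LOCAL or not is_sinkhole(ip):
            continue
        sev = "high" if name in WATCHLIST else "medium"
        findings.append({"line": n, "ip": ip, "host": name, "severity": sev})
    return findings

# Constructed sample hosts file mimicking the tampering described on slide 16.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# --- appended by malware ---
127.0.0.1   update.av-vendor.example liveupdate.av-vendor.example
0.0.0.0     some-other-site.example
"""

if __name__ == "__main__":
    for f in find_sinkholed(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} [{f['severity']}]")
```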
Slide 17: BTW - Spectrum saw this from the beginning…
– Report.zip and its contents were prioritized by NetWitness
– Revisiting Spectrum's ability to prioritize file objects: report.zip was flagged as a critical object for analysis, accelerating incident resolution for this zero-day.
Slide 18: Demonstration Recap
Sequence of Events
– User receives a well-crafted spear-phish.
– User downloads and executes a zip file from a site in China.
– Once executed, the victim's machine becomes a member of a ZeuS botnet.
– The ZeuS bot begins beaconing to establish command and control with the botnet operator.
– Botnet operator commands the new zombie to download and execute second-stage malware.
– This second-stage malware successfully FTPs documents from the victim computer to a server in Belarus.
Only NetWitness can:
– Provide deep visibility into all content
– Pervasively expose network context and behavior
– Provide an understanding that cuts across every dimension of your network