RSA NetWitness is a solution that captures, stores and analyzes network traffic so that you can see exactly what enters and leaves the network, in real time as it happens.
In simple terms, RSA offers the network equivalent of closed-circuit TV (CCTV). Beyond that, NetWitness lets you see the traffic in action: it reconstructs the data that flowed through the network into its original format according to its type or application. With this visibility you can strengthen security measures by taking appropriate action.
Since all traffic is captured and stored, you will be able to go back to a particular period of time and conduct historical data analysis. Nothing escapes undetected.
RSA NetWitness delivers an innovative fusion of hundreds of log data sources with external threat intelligence to enterprises, enabling extraordinarily broad and high-speed visibility into the critical information needed to detect targeted, dynamic and stealthy attack techniques.
Why is it important?
NetWitness is an investigative tool that can also be used to avoid attacks or thwart those in progress.
NetWitness records all network activity. The benefits of this forensic analysis cannot be matched by any other product, and since NetWitness sees and records everything on the network, it is very easy for the product to detect threats as they are occurring, giving administrators an opportunity to stop attacks before they cause damage on the network.

Recording all network activity with forensic accuracy and analyzing current threats in real time provides situational awareness and insight for threats on existing infrastructure devices. Typically, when systems are discovered to be compromised, the systems are imaged, and software is reinstalled. However, many people don’t actually figure out the root cause of the problem. Elements to consider include:
- How did the system originally get compromised and how does one prevent it from happening again?
- If one machine is compromised, chances are high that others will be, as well, even if you have not found them.
- Why are these attacks difficult to detect?
The answer is that these threats originate from the inside, or trusted areas of the network. The most common threats to a network involve a failure in internal security. This includes APTs, Botnets, Phishing attacks, social network information leakage, and product patches.
Security fails and systems get breached because many people do not take the threat seriously, or do not take the time and effort to learn about it. It takes a proactive approach to be secure and protected against threats.
Furthermore, many organizations have processes in place that actually do more harm than good. These procedures that are supposed to help an organization’s security posture degrade it instead. This is partly due to people and their attitudes, but also somewhat because of outdated ways of thinking about security and having inadequate technologies in place to deal with the threat.
Anatomy of an Attack
For example, Zeus was a popular attack last year that stole banking information and spread through internal networks. Zeus is a Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes.
Zeus was successful because it was a well-crafted phishing attack. Victims received an email that looked of interest to them. They were then instructed to download a report from what appeared to be a legitimate website. In reality, the report was a Trojan horse that allowed attackers to control the victim’s system. The website it was hosted on was located in China.

A capture (report) from NetWitness showed that the server from which Zeus originated connected to a command and control server in China. The program that the user downloaded gave attackers on the Chinese server complete control of the user’s system. From that point on, it was trivial for them to exploit other systems on the user’s network.
Most anti-virus agents did not detect Zeus. Later, Zeus disabled anti-virus agents using a variety of schemes, mostly by redirecting anti-virus updates to the 127.0.0.1 IP address.

Since NetWitness recorded all network traffic, it recorded which systems were compromised, which of them were communicating with systems in China, and what they were transferring. When internal systems initiate a connection and transfer files, NetWitness captures that traffic.
NetWitness is the only security tool that provides complete visibility on a network. It shows when attacks are occurring in real time and gives an organization the tools and the means to detect and stop those attacks.
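As an added example (not NetWitness code or output; it assumes a constructed key=value record layout and a hypothetical list of anti-virus update hostnames), the two indicators from the Zeus account above, anti-virus update lookups answered with the loopback address and large outbound transfers initiated by those same internal hosts, can be checked over DNS and connection records like this:

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical anti-virus update hostnames (assumption; real vendor hosts differ).
AV_UPDATE_HOSTS = {"update.av-vendor.example", "liveupdate.av-vendor.example"}
# Internal (RFC 1918) ranges; any other destination is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records in a key=value layout (assumption, not NetWitness meta).
DNS_LOG = """\
ts=1 src=10.0.0.15 query=update.av-vendor.example answer=127.0.0.1
ts=2 src=10.0.0.16 query=update.av-vendor.example answer=198.51.100.7
ts=3 src=10.0.0.15 query=liveupdate.av-vendor.example answer=127.0.0.1
ts=4 src=10.0.0.15 query=www.example.org answer=203.0.113.80
"""
CONN_LOG = """\
ts=5 src=10.0.0.15 dst=203.0.113.9 dport=443 bytes_out=2048000
ts=6 src=10.0.0.16 dst=198.51.100.7 dport=80 bytes_out=1200
ts=7 src=10.0.0.15 dst=10.0.0.20 dport=445 bytes_out=900000
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Turn each non-empty line into a dict of its key=value fields."""
    return [dict(KV.findall(line)) for line in log.splitlines() if line.strip()]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def hijacked_update_hosts(dns_log):
    """Map internal host -> AV update names that resolved to a loopback address."""
    hits = defaultdict(list)
    for rec in parse(dns_log):
        if rec["query"] in AV_UPDATE_HOSTS and ipaddress.ip_address(rec["answer"]).is_loopback:
            hits[rec["src"]].append(rec["query"])
    return dict(hits)

def outbound_transfers(conn_log, hosts, min_bytes=100_000):
    """Large transfers that the suspected hosts initiated to external addresses."""
    return [(r["src"], r["dst"], int(r["bytes_out"]))
            for r in parse(conn_log)
            if r["src"] in hosts and not is_internal(r["dst"]) and int(r["bytes_out"]) >= min_bytes]

if __name__ == "__main__":
    suspects = hijacked_update_hosts(DNS_LOG)
    for host, dst, size in outbound_transfers(CONN_LOG, suspects):
        print(f"{host} (AV updates hijacked) sent {size} bytes to {dst}")
```

The first function gives the pivot point (hosts whose anti-virus updates now resolve to themselves); the second narrows the traffic record to what those hosts pushed out of the network, which is the question an investigator asks first.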
