I was introduced to a company a couple weeks ago that I think everyone should learn a little bit more about. Why? Well, for starters, their technology is really, really cool. But, being cool isn't enough (or, shouldn't be), and so I think it would be useful to go into a little more detail. The company in question is NetWitness.
NetWitness is essentially a combination between a packet recorder, a sniffer, and a layer 2-7 analyzer. They have their own metalanguage that is used to describe data, making it much easier to sort through what you've collected. Their appliances have 12 TB of storage (yes, that is indeed a 'T' there), which is a lot of disk. More importantly, they've built reasonably good tools for digging into that data, thanks in part to their metalanguage.
What It Is
The overall NetWitness NextGen solution is comprised of four (4) key components: Informer (reporting/alerts), Investigator (contextualized analytics interface), Decoder (the main collector), and Concentrator (used to aggregate multiple Decoders). For good measure, they also have an API and SDK to support external queries.
What makes NetWitness truly interesting is their ability to do content inspection and analysis all the way up through the application layer (layer 7). This feature is a significant departure from most sniffers/protocol analyzers on the market, and provides a very distinct advantage.
Beyond this, because they literally record all the packets in a stream, they can also do a playback as part of an investigation. Did your server get hacked and then wiped? Want to know what the attacker did? Find the stream, play it back through the Investigator, and viola! you can back-trace into what was done.
What It Isn't
NetWitness NextGen is not an Intrusion Detection/Prevention System. It's not a firewall, nor is it a SIM or an Anomaly Detection System. While it can be configured to do some alerting and reporting, the reporting capability is really more geared to support a compliance, audit, or assessment purpose. They cannot agregate data from other sources, just their own. They can, however, suport external queries of their data via their API and SDK.
So, What Is It Exactly and How Would I Use It?
This is perhaps the best question to ask. You know what it does, you know what it doesn't do, but how in the world would you use it? Clearly the technology is very interesting, and if you were to see a demo, you'd probably agree with me when I say that it has a lot of good potential. But what exactly is that potential?
The first case is the one that they probably built the company on (per their web site literature): federal sector, with particular focus on intel and DoD. Beyond this, they probably have appeal to large organizations that are at a level of IT maturity where they can afford to shell out mega-bucks to do monitoring at this level.
The best case I would make today is to look at the Field Edition of their Investigator tool. If you're doing compliance assessments or audits, this is an interesting standalone tool that you could load on a laptop, drop onto a span or tap port, and run a data collection over a key network segment. Using the metalanguage you can then do a quick, thorough analysis of traffic and compare it to what is believed to be there.
Beyond this, larger orgs and security team might also find Investigator Field Edition useful for troubleshooting and incident response. For large org handling sensitive data you would likely want to move up to the Decoder deployment, possibly with a Concentrator to help aggregate C&C. In either case, you can use structured reports and alerts for certain well-defined area, and then supplement investigations with the in-depth data captured.
Conclusions
NetWitness has a very interesting product line that provides advanced features unique within the industry. However, their position is somewhat confusing in that they don't fit any existing mainstream tool models. For industries that are concerned about performing a thorough incident response investigation, then these units would be an excellent addition to the network. For auditors and assessors, the Investigator Field Edition could also be quite handy. Beyond that, though, the value proposition isn't altogether clear.
This is a definite case where the tool is in search of a problem to solve, and we should all hope that they find that niche area. It would be a shame for this technology to die off due to lack of use or integration. Maybe you have ideas on where these tools could be used?
Please note: this is neither an endorsement nor a paid review of the above product, nor is it a reflection of any official stance by my employer.