Visualize and Content Enhancements

Uncategorized

There are some exciting new enhancements to NetWitness coming with the release of 9.5 in early August.  One of the most compelling areas we have been working on is in content extraction.  If there is a single use-case that I see at almost all of our best client sites, it would be the extraction and analysis of malware.  Another very common use case is the collection and analysis of certain types of content, such as executables, PDF files, and other documents.  In many cases, the second is to facilitate the first.

Well, we listen.  We decided getting at any piece of content should be easy.  And we did it the way we always do it – at enterprise scale and speed.  In the end, exporting anything from NetWitness is as much as 10 or 20 times faster in 9.5 than in 9.0, all while EASING the burden on capture.

Once we had such immediate access to content, we began exploiting that access.  What follows is a quick demo of two of the many enhancements in 9.5: content exporting through NetWitness Investigator, and the new NetWitness Visualize.  For those customers interested in content extraction, and even our freeware community, exporting any type of file – or indeed ALL files – from network captures could not be easier.

The Export Files dialog in Investigator

For our enterprise customers, NetWitness Visualize is something we have wanted to create since the very early days of NetWitness.  People who have seen Visualize frequently bring up references to that Tom Cruise movie Minority Report.  The product does not ship with a pool full of hairless psychics, but the perspective that Visualize can provide is something I think is unique to our industry. 

Visualize Screenshot

What follows is a very quick demo:

NetWitness Visualize and Content Extraction Demo

We really recommend that you watch the video first, before checking out our demonstration site:

http://visualize.netwitness.com

If you would like to see Visualize in action before the release – find us at Blackhat 2010 in Las Vegas next week!

Using the Ponemon Advanced Threat Study

Advanced Threats

Knowledge of what’s really happening on your network is critical if you are responsible for the protection of your organization’s information assets.  Depending upon where you work and what you believe about both the capabilities of your security team and those of the adversary, you live somewhere on the spectrum from “really concerned about advanced threats” to feeling that “things are just about A-OK.”

NetWitness recently sponsored a study by the Ponemon Institute regarding the prevalence and awareness of advanced threats by security practitioners.  There have been many studies and reports over the last two years claiming that most successful data breaches result from “advanced threats” or “sophisticated attacks,” so we wanted to understand exactly what security people believed was happening in their organizations today and how they were coping with it.

A security blogger tweeted that people should stay away from the study because it did not “hit the mark.”  The reason?  In a moment or two of weakness, the study used the revered term “advanced persistent threat (APT)” rather than “advanced threat.”  Unfortunately, many security practitioners today cannot precisely define the difference.  The choice of terminology within the study should not reduce the utility of the paper, however, especially when either advanced threat vector carries tangible risk to the corporation or government agency, risk that might be mitigated through a better understanding of the network traffic.  Security people and vendors will get the terminology right at some point.

The other issue raised regarding the study concerned the number of respondents who would include terms such as “SQL Injection” in their definition of an advanced threat (“What other terms are used to describe an advanced threat?”).  Actually, the blogger missed the point of this question: the point was not to claim that each response actually was an advanced threat, but to illustrate the relationship between common problems that security practitioners believe to be advanced in nature and those that are simply evading their detection or mitigation capabilities.  Other questions in the study probe this same lack of awareness.

Compared to other risk-based industries, the security industry is bereft of adequate pan-industry historical data, meaningful metrics, and comparative information.  Although imperfect as a first survey instrument, a professional survey such as the Ponemon Institute study should not be ignored; security practitioners should instead use it in an appropriate context:

1.  Prepare a non-FUD-based discussion for senior management regarding the characteristics of the current state of the threat environment.

2.  Bring forward studies from reputable national/international-level firms that illustrate the costs of data breaches, the sources and methods of these threat vectors, and now with Ponemon data, the opinions of 600 fellow security practitioners regarding the technical and administrative readiness of peer organizations to cope with the threats they are facing.

3.  Develop real evidence of what’s really happening in your world using your own corporate data.  For example, conduct a proof of concept of NetWitness and get definitive answers to some of the nagging questions you may have about advanced threat prevalence or insider threat concerns within your own IT environment.

4.  Present a people, process and technology plan for reducing the uncertainty around advanced threats (and even APTs depending upon where you work).