Challenge: Incident Response & Malware Detection

In times of crisis you need to respond immediately with powerful analytics and situational awareness. Something’s wrong -- but where do you focus your response and investigatory efforts? Your current security countermeasures and technologies, such as Intrusion Detection Systems (IDS), Security Information Management (SIM) or log aggregation systems, provide varying degrees of information, ranging from highly useful alerts about unusual activity on your network to notifications with so little information that your team may construe them as false positives or big question marks.

Although signature-based methodologies play an important role in incident response, they have limitations in exploit detection because they rely upon the discovery of a known pattern. Network-based attacks are evident in the network traffic, but much of that traffic may evade the pattern and signature matching technology found in IDS and the statistical anomaly detection of Network Behavior Anomaly Detection (NBAD) systems. Once inside your network, malicious code is free to blend in by mimicking the traffic of applications your organization uses normally, such as DNS, SNMP, HTTP, or proprietary protocols used by Microsoft, Yahoo, and others. The end result is that your incident response team may be blind to a significant amount of malicious activity and information exfiltration.

Next Generation Monitoring
NetWitness NextGen plays a critical role in the incident response process:
  • NextGen definitively answers the uncertainty around what’s really happening on your network. When an incident response team member receives an alert about a problem on your network, he or she can quickly and easily use NetWitness Investigator Enterprise to go straight to the actual network traffic associated with the event and investigate the content and context of the network- and application-level activity, shortening time to resolution and providing certainty. What traffic triggered a signature? How did the target system respond, and was it compromised? What other systems were implicated? What techniques were attempted before the signature was triggered, and what other systems were probed?
  • Beyond what your current security investments provide, NetWitness Informer is an automated reporting and alerting application specifically tuned to analyze network traffic for the kinds of hacker- and malware-related problems to which IDS and other current network-based countermeasures are blind, such as low-and-slow attacks, beacon traffic, buffer overflow attacks, and many application-layer exploits based upon protocols such as IRC, DNS, P2P tunneling traffic and more.
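The "beacon traffic" mentioned above is a useful illustration of why signature matching alone falls short: a compromised host checking in with its controller over HTTPS every few minutes produces no malicious byte pattern, only a timing pattern. The following is an added example of the kind of periodicity check a defender can run over connection records to surface that pattern. It is not NetWitness code; the flow records, hosts, interval thresholds and the function names `detect_beacons` and `_intervals` are constructed for the example.

```python
"""Beacon (periodic call-home) detection over constructed connection records.

Added example, not part of the NetWitness product. Each record is
(epoch_seconds, src_ip, dst_ip, dst_port, bytes_out). A (src, dst, port) tuple
is flagged when it has enough connections, nearly constant inter-connection
intervals, and consistently small payloads, which is the shape beacon traffic
tends to have regardless of the protocol it hides behind.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (not captured traffic). Host 10.0.0.5 contacts
# 203.0.113.10:443 roughly every 300 s with a few seconds of jitter; host
# 10.0.0.7 browses 198.51.100.20:80 at irregular, human-looking intervals.
BASE = 1_700_000_000
SAMPLE_FLOWS = [
    *[(BASE + i * 300 + jitter, "10.0.0.5", "203.0.113.10", 443, 412)
      for i, jitter in enumerate([0, 3, -2, 4, -1, 2, -3, 1, 0, 2, -2, 3])],
    *[(BASE + t, "10.0.0.7", "198.51.100.20", 80, size)
      for t, size in [(5, 15_000), (9, 2_300), (400, 51_000), (415, 800),
                      (2_900, 6_200), (2_905, 900), (3_600, 44_000), (3_640, 1_100)]],
]


def _intervals(timestamps):
    """Return gaps between consecutive sorted timestamps."""
    ordered = sorted(timestamps)
    return [b - a for a, b in zip(ordered, ordered[1:])]


def detect_beacons(flows, min_connections=8, max_cv=0.10, max_bytes=2048):
    """Flag (src, dst, port) tuples whose connections recur at a regular period.

    max_cv is the maximum coefficient of variation (stddev / mean) of the
    inter-connection intervals; the closer to 0, the more clock-like the traffic.
    Returns a list of dicts sorted by cv, most regular first.
    """
    groups = defaultdict(list)
    for ts, src, dst, port, nbytes in flows:
        groups[(src, dst, port)].append((ts, nbytes))

    hits = []
    for (src, dst, port), conns in groups.items():
        if len(conns) < min_connections:
            continue
        gaps = _intervals(ts for ts, _ in conns)
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        largest = max(nbytes for _, nbytes in conns)
        if cv <= max_cv and largest <= max_bytes:
            hits.append({"src": src, "dst": dst, "port": port,
                         "count": len(conns), "period": round(avg, 1),
                         "cv": round(cv, 4), "max_bytes": largest})
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in detect_beacons(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} "
              f"period={hit['period']}s cv={hit['cv']} n={hit['count']}")
```

The thresholds are deliberately conservative: `max_cv` tolerates the small jitter most implants add, while `max_bytes` separates tiny check-ins from legitimate periodic jobs that move real data (package mirrors, backups). Those legitimate jobs are the main false-positive source, so the output is a lead for the investigator to pivot on, not a verdict.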

With 10 years of patented, core technology developed for the most challenging security missions of the U.S. intelligence, defense, and law enforcement communities, NetWitness NextGen provides comprehensive network situational awareness for your incident response team.

NetWitness Decoder and Concentrator form the underpinnings of an enterprise infrastructure that provides comprehensive visibility into the content and context of all network activity. When combined with the power of automated reporting and alerting in NetWitness Informer and the interactive network forensics and analytics in NetWitness Investigator Enterprise, your organization can acquire the Total Network Knowledge to advance the capabilities of your incident response team to the next level, shorten the time to problem discovery and resolution, and limit damage to your organization’s valuable information assets.
