Network Forensics ca. 1999

Competitor Hype, Leadership, Network Forensics, Situational Awareness

It’s a little known fact that NetWitness has been innovating in the security field for over 11 years, which was further validated by the announcement of our recently granted US Patent # 7,634,557. Clearly, when it comes to network analysis we do it better than anyone else, and it’s really the only way to get the results you need.

Reaching back over a decade (ca. 1999), when our first patent was filed (US Patent # 7,016,951) and murmurs of network forensics were swirling from a few experts in the security community, our innovation in this field was in full swing. The technology was chartered as an analytical application to make sense of network traffic for users with no networking experience. This in itself was no small task, as I cannot emphasize enough how difficult it was explaining what an IP address was to an English major. See the snapshot of NetWitness v3.5 ca. 2002; ironically, it looks like some of our 2010 competition.

In retrospect, NetWitness was conceived in a reverse direction from how most security products end up being developed.  Our strategy was to understand the data FIRST, then figure out how to capture it and scale it reliably into an enterprise.  Honestly, we spent several years trying to determine the best way to present complex network data to our users, which at that time was simple HTTP and SMTP sessions.  We had no idea how the network application profile of an Enterprise would evolve to what it is today.   With that said, we made sure that the advanced methods we developed were flexible enough to evolve with the Internet and the needs of our users.  These methods found their way into these two patents.

The first and most important patent is a method for traffic capture, session reassembly, metadata extraction and recursive port-agnostic service identification. Did you get all that? Back when firewalls and IDS were tinkering with port numbers for rule logic, NetWitness was beyond that approach over 10 years ago. Classifying network traffic by port alone is an error-prone basis for reliable security analysis, because the port tells you where a service is expected, not what is actually being spoken on the wire. It was not until recently that there was a prominent increase in products that are port agnostic, or at least market port-agnostic support, like application firewalls and some DLP products.

The second patent, the topic of this announcement, extends the core technology by defining a system and method for organizing and describing the traffic we collect. Yet again, an example of how we designed the technology to evolve as the Internet evolved. The patent specifically focuses on the session data model and structures that fuel the Investigator interface and the user experience. The result is the most visible difference between NetWitness and our competitors, as well as what provides the analytical value when responding to <INSERT NETWORK PROBLEM HERE>. Another example of the product evolution can be seen in the screenshot below of NetWitness v5 ca. 2004.

It's always been my assertion that to do true network forensics, or really any good network analysis, you need a few key ingredients:

1) Reliable, scalable, and forensically sound network capture.  Unfortunately the vast majority of “network forensic” vendors stop HERE!

2) As you would expect from any forensic science, the technical ability to piece the clues or segments of an event back together is the next logical step. For network forensics it's assembling the packets back into full sessions, because without this step you have disparate puzzle pieces without a complete picture.

3) Then finally the right tools to analyze, correlate, mine and report the findings to humans. Thankfully there is a NetWitness App for that, and a free API/SDK too.
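To make ingredients 2 and 3 concrete, together with the port-agnostic service identification described under the first patent, here is an added example (not NetWitness code, and not the patented method itself) that reassembles a handful of constructed packet records into sessions and then labels each session by what its payload actually looks like rather than by its port. The packet records, signatures and port table are all constructed for this illustration.

```python
# Added example (not NetWitness code): reassemble constructed packets into
# sessions, then classify each session by payload content instead of by port.
from collections import defaultdict

# Constructed packet records: (src, sport, dst, dport, seq, payload).
# HTTP on 8080, SMTP on 2525, and a TLS ClientHello on port 80 (all constructed).
PACKETS = [
    ("10.0.0.5", 40001, "10.0.0.9", 8080, 2, b"Host: example.test\r\n\r\n"),
    ("10.0.0.5", 40001, "10.0.0.9", 8080, 1, b"GET /index.html HTTP/1.1\r\n"),
    ("10.0.0.9", 2525, "10.0.0.5", 40002, 1, b"220 mail.test ESMTP ready\r\n"),
    ("10.0.0.5", 40002, "10.0.0.9", 2525, 1, b"EHLO client.test\r\n"),
    ("10.0.0.5", 40003, "10.0.0.9", 80, 1, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]

# Classic port-based lookup, kept only to show how it disagrees with content.
PORT_TABLE = {80: "http", 25: "smtp", 443: "tls"}

def looks_like_http(b):
    return b.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT") or b.startswith(b"HTTP/")

def looks_like_smtp(b):
    return b.startswith((b"220 ", b"EHLO ", b"HELO "))

def looks_like_tls(b):
    # TLS record type 0x16 (handshake), version 0x03xx, handshake type 0x01 (ClientHello).
    return len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[5] == 0x01

SIGNATURES = [("http", looks_like_http), ("smtp", looks_like_smtp), ("tls", looks_like_tls)]

def session_key(src, sport, dst, dport):
    """Order the two endpoints so both directions of a flow share one key."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)

def reassemble(packets):
    """Group packets into sessions; each direction becomes one byte stream ordered by seq."""
    sessions = defaultdict(lambda: defaultdict(list))
    for src, sport, dst, dport, seq, payload in packets:
        sessions[session_key(src, sport, dst, dport)][(src, sport)].append((seq, payload))
    return {k: {d: b"".join(p for _, p in sorted(v)) for d, v in dirs.items()}
            for k, dirs in sessions.items()}

def identify_service(session):
    """Port-agnostic identification: first signature matching either direction's stream."""
    for name, match in SIGNATURES:
        if any(match(stream) for stream in session.values()):
            return name
    return "unknown"

def classify(packets):
    """Map each session key to (port-based label, content-based label) for comparison."""
    results = {}
    for key, session in reassemble(packets).items():
        low_port = min(key[0][1], key[1][1])  # the smaller port is the likely service port
        results[key] = (PORT_TABLE.get(low_port, "unknown"), identify_service(session))
    return results
```

Running `classify(PACKETS)` labels the 8080 and 2525 sessions as http and smtp, which the port table misses, and the port-80 session as tls, which the port table mislabels as http.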

These elements combined are the foundation of what NetWitness NextGen is, and the basis of our technology that is truly becoming a game-changer in security.  NetWitness Corporation was founded in late 2006, but unknown to many, the innovation and pioneering environment that fuels the technology today started 10 years earlier.  Enjoy our innovation by using Investigator Freeware, and know that before the security challenges of today really materialized we were hard at work creating solutions for today. Network security products that simply work.

Cheers,

Brian Girardi
Director, Product Management
NetWitness Corporation

NetWitness v9, ca. 2010.

Investigator 8.6 Release to the World

Network Visibility

On Monday of this week, we released Investigator 8.6, and we released it free. I thought I would take to this poor, neglected blog and write some thoughts about it. So far the reaction has been very positive. It seems people like what they see, and we are very happy with the many blog posts and positive feedback we are getting. I thought I would answer some questions here directly.

The number one question from the press, blogs, and friends – was “Why?”

It would be easy to say that this is simply a good thing for the security community - and we wanted to contribute.  To be sure – there was a lot of that in our discussions.  But the truth is – we really don’t sell Investigator.  What we sell – are enterprise-class, distributed network appliances that perform very high speed network capture, and all the analysis you see in Investigator — in real time — providing weeks and months of historic visibility.

Investigator – is simply the front end for that solution.  If you want to know what we do as a company, and what we sell — it is simple.  If you like what Investigator does on a gigabyte of packet captures – just imagine it working over 100 Terabytes or more.  Imagine having that power over every bit and byte that has entered or left your network over the last month.  To be sure – there are reporting engines and alerting engines we sell that automate common analysis – but with Investigator you should get the idea of what we offer enterprise customers.

The number two question that we get – always seems to involve Wireshark, in some sort of competition skew.

Again – the simple truth is that the products are not competitive at all.  In fact, they work together to make both products better.  In the demonstration videos – I even show how easy it is to open sessions in Wireshark.  We use Wireshark every day.  And those of you who used to – will still use it.  What we hopefully let you do – is find those sessions that need to be looked at – 100 times faster than before.  Perhaps a thousand…  In the end - I bet Wireshark developers will use Investigator as well.  The products complement – not compete.

The next question is about registration.  It seems everyone thinks it is a bit cumbersome.

There are several reasons for this.  First – we are a small – private – commercial company.  We are not a charity, a think tank, or a group of cyber crime fighters.  So if we require people to register – it can help us see which industries we should be focusing on, and other marketing needs.  We are not going to be overzealous in this regard, but the information will help us be a better company.

Next – there are quite a few ways we have built extensibility into the product.  From custom alert rules – to custom threat and intelligence feeds – to full-on custom session protocol parsing – users of Investigator can contribute by creating extensions.  I wanted – personally above all else as CTO - to get a community of users that are pushing the product forward.  That is why your registration also registers you for the community.  The video tutorial did not focus on this aspect yet – but I will extend it soon.  For now – if you are interested in those aspects – you will have to make do with the manuals and the community forums.

The last question - seems to be “Windows – Really?”

Well – remember – this is our front end client software to enterprise solutions.  We actually are working in the background to make the client more cross platform.  All of our enterprise solutions work on dedicated – very high speed, open Linux architectures.  As a small company – we can move faster by picking our battles with technology.  All of the database technology that we have written, all of the core components for processing and extracting data, essentially all of our core components – are all already cross platform.  When we have time – we will work on getting the UI components there as well.

In the end – we really hope you enjoy Investigator.  We hope it makes your jobs easier.  Please provide us feedback.  We will listen – and we will update often with new capabilities.