On Monday, NetWitness plans to release a free version of its NetWitness Investigator (NWI) software to provide IT security personnel with better insight into network traffic.
Originally developed in the late '90s for the intelligence community, NWI is a Windows application that allows users to analyze network traffic.
The company's clients include more than a dozen federal agencies involved in defense, intelligence, and law enforcement; several top banks; major companies; universities; and state and local agencies, none of which apparently want to be named.
NWI is similar in some respects to the free Wireshark, though it's not open source or available on platforms other than Windows.
It's designed to detect inappropriate network activity, simplify threat analysis, verify standards and policy compliance, monitor applications and content, and identify insider threats.
Amit Yoran, the company's CEO and former director of the Department of Homeland Security's National Cyber Security Division, acknowledged that NWI is similar enough to Wireshark to merit comparison.
"The primary difference is that we're focused on a session-level or an application-level view," he said. "It has a friendlier interface for analyzing network traffic and certainly is far more capable if you're more interested in application-level context and content than in packet sequencing. It's kind of like a lens that gives you a vantage point that wasn't previously available."
For example, NWI allows a user to click on an e-mail address and find instances of that e-mail address in different IM sessions, e-mail records, and attachments.
Yoran said enterprises have used NWI to provide visibility into gaps between IDS (intrusion-detection systems), SIMS (security information management systems), and antivirus products that rely on signatures, "things that take a network layer-centric approach to security."
Why release NWI for free? "It's a good thing to do, it's a good contribution," said Yoran.
The free version of NWI has all the features of the enterprise-level version that starts at about $20,000, except that it doesn't connect to the company's infrastructure products for reporting and alerting. It's also limited to 25 simultaneous 1-GB captures, to prevent people from using it to build their own appliances.