NetWitness Adds Automated Malware Analysis To Network Monitoring Platform


January 26, 2011


NetWitness has introduced an automated malware analysis module, Spectrum, to its NextGen network security monitoring and analysis platform. Spectrum combines the platform's network capture and recording capabilities, which supply detailed information on suspect file activity, with the techniques malware researchers commonly use in a "sandbox" environment. These capabilities include static analysis to reveal details such as packing, obfuscation and embedded JavaScript, in order to examine the nature of the malware and its impact on the enterprise.

Spectrum also leverages public global information from the security community, including sources such as the Malware Domain List, ZeuSTracker and Shadowserver, as well as its own Live threat intelligence service. NetWitness uses additional analysis from several partners to be announced, and will enable enterprises to include their own data sources and third-party products and services that offer sandboxing, file integrity checking, security intelligence and malware detection capabilities to augment malware and threat analysis.
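As an added illustration of the two stages the paragraphs above describe, static triage of carved files (packing, obfuscation, embedded JavaScript) followed by enrichment against public threat lists and prioritisation for the analyst, the following script is example code written for this page; it is not NetWitness's code and is not part of the original article. Everything in it is assumed: the blocklist entries stand in for feeds such as Malware Domain List or ZeuS Tracker, the scoring weights are arbitrary, and the three "captured" files are constructed byte strings.

```python
import hashlib
import math
import re
from dataclasses import dataclass, field

# Constructed stand-in for public feeds such as Malware Domain List,
# ZeuS Tracker or Shadowserver. These entries are invented for the example;
# a real deployment would load the published feeds instead.
BLOCKLIST = {
    "update-check.example": "Malware Domain List (constructed entry)",
    "cfg.zeus-panel.example": "ZeuS Tracker (constructed entry)",
}

PACKER_SECTION_NAMES = (b"UPX0", b"UPX1", b".aspack", b".petite", b"MPRESS1")
JS_OBFUSCATION_HINTS = (b"eval(", b"unescape(", b"String.fromCharCode")
PDF_JS_RE = re.compile(rb"/(?:JavaScript|JS)\b")
DOMAIN_RE = re.compile(rb"(?:https?://)?([a-z0-9][a-z0-9.-]*\.[a-z]{2,})", re.IGNORECASE)
PACKED_ENTROPY = 7.2  # bits per byte; plain code and text sit well below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; packed or encrypted payloads approach 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class Verdict:
    name: str
    score: int = 0
    findings: list = field(default_factory=list)

    def add(self, weight: int, text: str) -> None:
        self.score += weight
        self.findings.append(text)


def triage(name: str, data: bytes) -> Verdict:
    """Static checks on one file, then enrichment against the blocklist."""
    v = Verdict(name)
    ent = shannon_entropy(data)
    if ent > PACKED_ENTROPY:
        v.add(3, f"entropy {ent:.2f}: packed or encrypted payload")
    for sec in PACKER_SECTION_NAMES:
        if sec in data:
            v.add(2, f"packer section name {sec.decode()}")
    if data.startswith(b"%PDF") and PDF_JS_RE.search(data):
        v.add(3, "PDF carries embedded JavaScript")
    for hint in JS_OBFUSCATION_HINTS:
        if hint in data:
            v.add(1, f"script obfuscation hint {hint.decode()}")
    # Enrichment: any domain-like string in the file is checked against the feeds.
    for m in DOMAIN_RE.finditer(data):
        dom = m.group(1).decode().lower()
        if dom in BLOCKLIST:
            v.add(4, f"references {dom}, listed by {BLOCKLIST[dom]}")
    return v


def prioritize(samples: dict) -> list:
    """Triage every captured file and order the verdicts for the analyst."""
    return sorted((triage(n, d) for n, d in samples.items()),
                  key=lambda v: v.score, reverse=True)


# Constructed samples standing in for files carved out of network capture.
SAMPLES = {
    "invoice.pdf": (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >>\n"
                    b"2 0 obj << /S /JavaScript /JS (eval(unescape('%75%72%6c'));"
                    b" app.launchURL('http://update-check.example/p.php')) >>\n%%EOF"),
    "setup.exe": (b"MZ\x90\x00" + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00"
                  + b"".join(hashlib.sha256(b"packed-%d" % i).digest() for i in range(256))
                  + b"\x00http://cfg.zeus-panel.example/gate.php\x00"),
    "notepad.exe": (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n"
                    + b"\x00" * 512 + b".text\x00\x00\x00Hello from a benign build"),
}

if __name__ == "__main__":
    for v in prioritize(SAMPLES):
        print(f"{v.score:3d}  {v.name}")
        for f in v.findings:
            print(f"       - {f}")
```

The entropy check is the cheapest packing indicator but also the noisiest (compressed archives and images score high too), which is why the weights here give a blocklist hit more than any single static finding; in practice the feed match is what turns a suspicious file into an incident with a known campaign behind it.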

NetWitness says that the synthesis of network capture and analysis, threat intelligence and malware analysis gives organizations the information they need to understand the full extent of an attack and respond.

"All the results are served up and prioritized to security teams," says Eddie Schwartz, NetWitness CSO. "They also have all the context and content to do things like follow-up, damage assessment and understand potential second-, third- and fourth-stage infections they are facing based on the type of malware."

NetWitness is among several vendors, such as PacketMotion and Solera Networks, in what Forrester Research calls the network analysis and visibility (NAV) market. Forrester asserts that comprehensive knowledge of everything happening on enterprise networks is essential to good security practice because the "trust but verify" model rests on a flawed assumption. The better approach is to assume that no one is to be trusted and proceed accordingly.

"Once you have zero trust you suddenly have paranoia," says John Kindervag, senior analyst at Forrester. "Then you have to inspect and log all traffic to see what internal users are doing, as well as activity on the external part of the network. In order to meet those criteria and scalability, you need to deploy an automated tool that we define as NAV."

The need is acute, particularly in the face of malicious insider activity, epitomized by WikiLeaks, and targeted, long-term attacks--advanced persistent threats (APT)--neither of which can be effectively detected by traditional security tools. For example, WikiLeaks suspect Bradley Manning was a trusted insider with authorized access to highly sensitive material, so strong access controls would not have prevented or detected the leaks.

Kindervag says WikiLeaks has caught the attention of enterprises that are concerned that the same type of insider activity could result in the loss of sensitive corporate data, such as intellectual property. "We're getting comments such as, 'My CEO just asked if that could happen to my organization,'" he says. "I have to say, 'Yes, there's no way of knowing if an insider is doing anything wrong.' If you change your trust model, you need situational awareness. You better know what's going on in your network."

NetWitness platform appliances include Informer automated threat reporting and alerting; Investigator analytics for forensics; and Visualizer for rapid content review. Pricing starts at $50,000.
