The NetWitness Spectrum appliance examines all inbound and outbound traffic to determine whether the network traffic is malicious, performs damage assessment and prioritizes potential threats.
NetWitness announced on Jan. 24 a malware analysis appliance
that works with the company's network monitoring platform.
The appliance automates malware analysis so that IT managers
get real-time monitoring, immediate feedback on threats in the network and
prioritization on which issues to address, Eddie Schwartz, NetWitness chief
security officer, told eWEEK. Malware can be difficult to find and require
"elite skills" the organization might not have, he said. Spectrum provides
security managers with a prioritized list of "invisible" threats
security managers having to look for them, according to Schwartz.
Spectrum tells the managers which threats they should
address first or what the potential risks are if a specific vulnerability is
not quickly resolved, he said. The information also provide links to full
details about the appliance's performance including logs and scanning session
information, he said.
"With a detailed record of everything that has happened
on the network, the analytic possibilities are vast," said Joshua Corman,
Research Director of Enterprise Security at The 451 Group.
The appliance is installed right at the Internet gateway so
that it can examine all traffic as it enters and exits the network, said
Schwartz. It examines each inbound and outbound byte in real-time, as well as
looks for signs of emerging "zero day" malware, hidden executables, or unknown
processes, said Schwartz. It also analyzes outbound traffic to determine
whether there may be any botnet activity
from zombies within the network,
according to NetWitness.
The appliance promises "100 percent protocol coverage,"
including Samba/CIFS, said Schwartz. The network analysis includes looking at
the country where the network session originated, time of day, referrer sites,
scanning to determine if a file contains malicious code or has been obfuscated,
Spectrum doesn't block suspicious malware on its way into
the network, said Schwartz. The malware has to "pass by" the appliance for it
to examine it, before the appliance can determine that it's bad, he said, so
there is no blocking mechanism in place. Instead, the appliance immediately
issues a warning to the security manager about the suspicious traffic and
"leaves it to the discretion of the security team" to do damage assessment,
In fact, not all prevention is putting a block on the
traffic, but rather, stopping user behavior, said Schwartz.
"This type of analysis also helps assess the attacker's
intent and the potential damage that may have occurred," according to Rob
McMillan of Gartner. It also allows managers to predict similar attacks and
indentify other potential targets so they can use the predictions to make
business decisions, he said.
The appliance does not depend on signatures or known "bad" actions
to identify malware, said Schwartz. Spectrum knows what is "good" behavior, and
looks for any deviations across all ports and protocols to flag suspicious
activity. Over half of the data breaches are the result of customized malware
that had unknown signatures at the time of the exploit, the company said.
Relying on signatures can't be effective because it ignores the rapid changes
in malware, according to NetWitness.
NetWitness Spectrum will be unveiled at the RSA Security
Conference Feb. 14-18, the company said. The appliance will compete with Damballa's similar malware analytics box
Spectrum works with the other components in the network
monitoring platform from NetWitness, which includes Informer, which automates
threat reporting and alerts, Investigator, which performs freeform analytics
and finds real-time answers, and Visualize, a data visualization module.
The appliance are priced at $50,000 and orders are being
accepted, but general availability will start at the time the RSA conference
opens and the appliances will ship thereafter, Schwartz said. Netwitness
doesn't segment the appliance or pricing on the number of users or bandwidth. "We
don't pull those tricks," said Schwartz.