NetWitness Spectrum Appliance Automates Malware Detection and Analysis

The NetWitness Spectrum appliance examines all inbound and outbound traffic to determine whether the network traffic is malicious, performs damage assessment and prioritizes potential threats.

NetWitness announced on Jan. 24 a malware analysis appliance that works with the company's network monitoring platform.

The appliance automates malware analysis so that IT managers get real-time monitoring, immediate feedback on threats in the network and prioritization of which issues to address, Eddie Schwartz, NetWitness chief security officer, told eWEEK. Malware can be difficult to find and can require "elite skills" the organization might not have, he said. Spectrum provides security managers with a prioritized list of "invisible" threats without the security managers having to look for them, according to Schwartz.

Spectrum tells the managers which threats they should address first and what the potential risks are if a specific vulnerability is not quickly resolved, he said. The information also provides links to full details about the appliance's performance, including logs and scanning session information, he said.

"With a detailed record of everything that has happened on the network, the analytic possibilities are vast," said Joshua Corman, Research Director of Enterprise Security at The 451 Group.

The appliance is installed right at the Internet gateway so that it can examine all traffic as it enters and exits the network, said Schwartz. It examines each inbound and outbound byte in real time and looks for signs of emerging "zero day" malware, hidden executables or unknown processes, said Schwartz. It also analyzes outbound traffic to determine whether there may be any botnet activity from zombies within the network, according to NetWitness.

The appliance promises "100 percent protocol coverage," including Samba/CIFS, said Schwartz. The network analysis includes looking at the country where the network session originated, time of day, referrer sites, JavaScript, PDF executables, and the size of the content, as well as static scanning to determine if a file contains malicious code or has been obfuscated, he said.

Spectrum doesn't block suspicious malware on its way into the network, said Schwartz. The malware has to "pass by" the appliance so that it can be examined before the appliance can determine that it's bad, he said, so there is no blocking mechanism in place. Instead, the appliance immediately issues a warning to the security manager about the suspicious traffic and "leaves it to the discretion of the security team" to do damage assessment, said Schwartz.

In fact, prevention is not always a matter of putting a block on the traffic; it can also mean stopping user behavior, said Schwartz.

"This type of analysis also helps assess the attacker's intent and the potential damage that may have occurred," according to Rob McMillan of Gartner. It also allows managers to predict similar attacks and identify other potential targets so they can use the predictions to make business decisions, he said.

The appliance does not depend on signatures or known "bad" actions to identify malware, said Schwartz. Spectrum knows what is "good" behavior and looks for any deviations across all ports and protocols to flag suspicious activity. Over half of data breaches are the result of customized malware that had unknown signatures at the time of the exploit, the company said. Relying on signatures cannot be effective because it ignores the rapid changes in malware, according to NetWitness.
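To make the "knows good behavior, flags deviations" idea concrete, here is a small illustration written for this article; it is not NetWitness code and says nothing about how Spectrum is actually implemented. It assumes that some capture layer has already reduced traffic to per-session records (the field names and the scoring weights are this example's own choices), learns a baseline of protocol/port pairs, destination countries and hours of day from a "known good" window, scores new sessions by how many baseline features they violate, and returns a prioritized worklist. A Shannon-entropy heuristic stands in for the static "has this file been obfuscated?" check mentioned earlier. All session records and payloads below are constructed sample data.

```python
"""Baseline-deviation alerting with prioritization (illustrative, not Spectrum code)."""
from collections import Counter
from math import log2

# Constructed "known good" sessions used to learn the baseline.
# Fields: (src_host, direction, protocol, dst_port, dst_country, hour_of_day)
BASELINE_SESSIONS = [
    ("ws-01", "out", "tcp", 443, "US", 9),
    ("ws-01", "out", "tcp", 80, "US", 10),
    ("ws-02", "out", "tcp", 443, "US", 14),
    ("ws-02", "out", "tcp", 445, "LAN", 11),   # Samba/CIFS to an internal file server
    ("ws-03", "out", "udp", 53, "LAN", 8),
    ("ws-03", "out", "tcp", 443, "DE", 15),
]

# Constructed sessions to evaluate against the learned baseline.
NEW_SESSIONS = [
    ("ws-01", "out", "tcp", 443, "US", 10),    # matches the baseline
    ("ws-02", "out", "tcp", 6667, "RU", 3),    # unseen port, country and hour
    ("ws-03", "out", "udp", 53, "LAN", 2),     # only the hour is unusual
    ("ws-01", "out", "tcp", 443, "BR", 9),     # only the country is unusual
]

# Per-feature weights are this example's own choice; a real system would tune them.
WEIGHTS = {"proto_port": 3, "country": 2, "hour": 1}


def build_baseline(sessions):
    """Learn what 'good' looks like: the set of values seen per feature in the training window."""
    baseline = {"proto_port": set(), "country": set(), "hour": set()}
    for _host, _direction, proto, port, country, hour in sessions:
        baseline["proto_port"].add((proto, port))
        baseline["country"].add(country)
        baseline["hour"].add(hour)
    return baseline


def score_session(session, baseline):
    """Return (score, reasons) for one session; a score of 0 means it matches the baseline."""
    _host, _direction, proto, port, country, hour = session
    observed = {"proto_port": (proto, port), "country": country, "hour": hour}
    score, reasons = 0, []
    for feature, value in observed.items():
        if value not in baseline[feature]:
            score += WEIGHTS[feature]
            reasons.append(f"unseen {feature}={value}")
    return score, reasons


def prioritize(sessions, baseline):
    """Return only deviating sessions, highest score first, as an analyst worklist."""
    alerts = []
    for session in sessions:
        score, reasons = score_session(session, baseline)
        if score > 0:
            alerts.append({"host": session[0], "score": score, "reasons": reasons})
    alerts.sort(key=lambda a: a["score"], reverse=True)
    return alerts


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted content approaches 8.0, plain text sits far lower."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum(c / total * log2(c / total) for c in counts.values())


def looks_obfuscated(data: bytes, threshold: float = 7.0) -> bool:
    """Static-scan heuristic: flag high-entropy payloads for analyst review (threshold is illustrative)."""
    return shannon_entropy(data) >= threshold


if __name__ == "__main__":
    learned = build_baseline(BASELINE_SESSIONS)
    for alert in prioritize(NEW_SESSIONS, learned):
        print(alert)
    print("obfuscated?", looks_obfuscated(bytes(range(256)) * 4))
```

Running it lists ws-02's IRC-port session to an unseen country at an unseen hour first, then the two single-feature deviations. Note what the heuristic does not do: it never blocks, and a session that matches the baseline on every feature scores zero even if it is malicious, which is exactly why the article's point about analyst discretion and damage assessment matters.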

NetWitness Spectrum will be unveiled at the RSA Security Conference Feb. 14-18, the company said. The appliance will compete with Damballa's similar malware analytics box.

Spectrum works with the other components in the network monitoring platform from NetWitness: Informer, which automates threat reporting and alerts; Investigator, which performs freeform analytics and finds real-time answers; and Visualize, a data visualization module.

The appliance is priced at $50,000 and orders are being accepted, but general availability will start when the RSA conference opens and the appliances will ship thereafter, Schwartz said. NetWitness doesn't segment the appliance or its pricing by the number of users or bandwidth. "We don't pull those tricks," said Schwartz.