Monday, July 27, 2009

Collection: Complete network awareness is finally an emerging market.

Recent vendor press releases by NitroSecurity and NetWitness highlight the evolving requirement for full network packet collection, indexing and reconstruction for analysis. These products and others (including Solera Networks) illustrate an emerging market in total network awareness. Working in conjunction with Log Management (LogLogic, Splunk, ArcSight Logger, etc.) and SIEM tools (RSA, EiQNetworks and of course ArcSight ESM), these tools provide invaluable insight into your network's behavior (not to mention the behavior of individual users and applications over the network). NitroSecurity updated its capabilities to include what it terms "content aware SIEM", and NetWitness announced a milestone of 15,000 active users. Both press releases featured quotes from Decurity, which we appreciate, but more important to us is that the emergence and rapid growth of this market segment lend further credibility to the idea that security professionals should have all of the right tools and information available. Recent news about the DHS Einstein and NSA Tutelage technologies also points towards a trend of better, more capable Collection tools.

Security Operations and Incident Response capabilities can't continue to function in the dark and be expected to adequately protect the enterprise. We need to make all of the applicable information available and apply intelligent analytical techniques to the data set so that we can more rapidly and accurately identify risks to the enterprise. When used properly, these tools can reduce the analytical time required to identify an incident to seconds and can help you understand the scope of the incident much more rapidly. You can review the artifacts (documents, files, audio, video, web, email, chat, as well as interactive sessions such as ftp, telnet and ssh) instantly and determine the legitimacy of the session. You can extract information, search log management/SIEM for related events, and set up alerts and workflow along the way, all in a matter of clicks. Of course, you can also work in reverse: search your Network Awareness tool for anomalies identified in SIEM/Log Management or IDS/IPS and quickly understand what occurred. With this level of information available to you, the limitations of the analysis have more to do with the level of expertise of the user/analyst than with the information.
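The two-way pivot described above, as an added example that is not code from the post or from any of the vendors named: a constructed session index (as a full-packet-capture tool might produce) and constructed log events (as a log manager or SIEM might store), with lookups in each direction constrained to the same host pair and a time window.

```python
from datetime import datetime, timedelta

# Constructed sample data (not taken from the post): sessions as a full-packet-
# capture tool might index them, and events as a log manager or SIEM stores them.
SESSIONS = [
    {"id": "s1", "start": "2009-07-27T10:00:05", "src": "10.1.1.5",
     "dst": "203.0.113.9", "proto": "ftp", "artifacts": ["payroll.xls"]},
    {"id": "s2", "start": "2009-07-27T10:02:30", "src": "10.1.1.5",
     "dst": "198.51.100.7", "proto": "http", "artifacts": []},
    {"id": "s3", "start": "2009-07-27T11:30:00", "src": "10.1.1.8",
     "dst": "203.0.113.9", "proto": "ftp", "artifacts": ["readme.txt"]},
]
EVENTS = [
    {"ts": "2009-07-27T10:00:01", "source": "ids", "src": "10.1.1.5",
     "dst": "203.0.113.9", "msg": "outbound FTP to external host"},
    {"ts": "2009-07-27T10:00:20", "source": "proxy", "src": "10.1.1.5",
     "dst": "198.51.100.7", "msg": "CONNECT denied"},
    {"ts": "2009-07-27T09:10:00", "source": "auth", "src": "10.1.1.5",
     "dst": "10.1.1.1", "msg": "login ok"},
]

def _near(a, b, window_s):
    """True when ISO-8601 timestamps a and b lie within window_s seconds of each other."""
    return abs(datetime.fromisoformat(a) - datetime.fromisoformat(b)) <= timedelta(seconds=window_s)

def events_for_session(session, events=EVENTS, window_s=60):
    """Pivot from a reconstructed session to the log/SIEM events recorded for
    the same src/dst pair within the time window around the session start."""
    return [e for e in events
            if e["src"] == session["src"] and e["dst"] == session["dst"]
            and _near(e["ts"], session["start"], window_s)]

def sessions_for_event(event, sessions=SESSIONS, window_s=60):
    """Reverse pivot: from an IDS/SIEM/log event back to the captured sessions
    for that host pair and time, which can then be reconstructed and reviewed."""
    return [s for s in sessions
            if s["src"] == event["src"] and s["dst"] == event["dst"]
            and _near(s["start"], event["ts"], window_s)]

def sessions_with_artifacts(sessions=SESSIONS):
    """Sessions that carried a reviewable artifact (a transferred file), a
    natural starting point when scoping an incident from the capture side."""
    return [s["id"] for s in sessions if s["artifacts"]]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s["id"], [e["msg"] for e in events_for_session(s)])
```

The window matters: the proxy denial and session s2 are 130 seconds apart, so they only correlate once the window is widened, which is exactly the kind of judgement the analyst supplies.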

The use of these tools in the right hands allows for much more than just security "alerts" and incident identification. They lend themselves to true security convergence concepts and to overall enterprise intelligence and security operations. More on those concepts over the next few months.


References:
NetWitness, "Security Experts Worldwide Rely Upon NetWitness® Investigator", July 27, 2009: http://www.netwitness.com/resources/pressreleases/Jul272009.aspx

NitroSecurity, "NitroSecurity Heightens Enterprise Security Information Management with Real-Time Application Content and Protocol Analysis": http://www.nitrosecurity.com/information/news/pr/2009/20090722.psp

Decurity Blog, December 2008: http://blog.decurity.com/index.php/dec_template/more/netwitness_investigator_summary_1/
