RSA NetWitness® Platform is a powerful threat detection suite that enables Security Operation Centers (SOCs) to quickly locate, prioritize, and triage threats. NetWitness Platform helps you to isolate and remediate known threats as well as those that were previously unknown. It provides deep insight into packets, logs, and endpoints that provide you with an unparalleled view into your enterprise or business.
NetWitness Platform is powerful, but it is easier for Tier 1 Analysts to use because it automates the process of identifying and prioritizing suspicious threats. Tier 2 and Tier 3 analysts can hunt for and locate threats by searching and filtering events and then examining events using reconstruction and analysis tools.
RSA NetWitness Platform is a distributed and modular system that enables highly flexible deployment architectures that scale with the needs of the organization. NetWitness Platform allows administrators to collect three types of data from the network infrastructure, packet data, log data, and endpoint data. If NetWitness Endpoint 4.4, 18.104.22.168, or later is installed and configured, endpoint event data is also collected. The key aspects of the architecture are:
Distributed Data Collection. The Decoder ingests packet data while the Log Decoder ingests log data. Decoders parse and reconstruct all collected network traffic from Layers 2 - 7, or log and event data from hundreds of devices and event sources, including NetWitness Endpoint data (if installed and configured). The Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics while also facilitating reporting and alerting. The Broker aggregates data captured by other devices and event sources. Brokers aggregate data from configured Concentrators; Concentrators aggregate data from Decoders. Therefore, a Broker bridges the multiple real-time data stores held in the various Decoder/Concentrator pairs throughout the infrastructure.
Real-time Alerting. The NetWitness Platform Event Stream Analysis (ESA) service provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency. It can process large volumes of disparate event data from Concentrators. ESA uses an advanced Event Processing Language (EPL) that allows analysts to express filtering, aggregation, joins, pattern recognition, and correlation across multiple disparate event streams. Event Stream Analysis helps to perform powerful incident detection and alerting.
Real-time Analytics (Automatic analysis of events) The RSA Automated Threat Detection functionality includes preconfigured ESA analytics modules for detecting Command and Control traffic.
NetWitness Server. The NetWitness Server provides reporting, investigation, administration, and other aspects of the user interface.
Capacity. NetWitness Platform has a modular-capacity architecture enabled with direct-attached capacity (DACs) or storage area networks (SANs), that adapts to the organization's short-term investigation and longer-term analytic and data-retention needs.
NetWitness Platform provides large deployment flexibility. You can design its architecture using as many as multiple dozens of physical hosts or a single physical host, based on the particulars of the customer's performance and security-related requirements. In addition, the entire NetWitness Platform system has been optimized to run on virtualized infrastructure.
The System Architecture comprises these major components: Decoders, Brokers, Concentrators, Archivers, ESA, and Warehouse Connectors. NetWitness Platform components can be used together as a system or can be used individually.
- In a security information and event management (SIEM) implementation, the base configuration requires these components: Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), and the NetWitness Server.
- In a forensics implementation, the base configuration requires these components: Decoder, Concentrator, Broker, ESA, Malware Analysis, and Endpoint Hybrid or Endpoint Log Hybrid. The Response-Server service is also required and is used to prioritize alerts.
The table provides a synopsis of each major component:
Core Versus Downstream Components
In NetWitness Platform, the Core services ingest and parse data, generate metadata, and aggregate generated metadata with the raw data. The Core services are Decoder, Log Decoder, Concentrator, and Broker. Downstream systems use data stored on Core services for analytics; therefore, the operations of downstream services are dependent on Core services. The downstream systems are Archiver, ESA, Malware Analysis, Investigate, and Reporting.
Although the Core services can operate and provide a good analytics solution without the downstream systems, the downstream components provide additional analytics. ESA provides real-time correlation across sessions and events as well as between different types of events, such as log, packet, and endpoint data. Investigate provides the ability to drill into data, examine events and files, and reconstruct events in a safe environment. The Malware Analysis service provides real-time, automated inspection for malicious activity in network sessions and associated files.
Table of Contents > Getting Started with NetWitness Platform