NW: Getting Started with NetWitness Suite

Document created by RSA Information Design and Development on Sep 18, 2017. Last modified by RSA Information Design and Development on Sep 28, 2017.
Version 4

Overview

RSA NetWitness Suite is a powerful threat detection suite that enables Security Operation Centers (SOCs) to quickly locate, prioritize, and triage threats. NetWitness Suite helps you to isolate and remediate known threats as well as those that were previously unknown. It provides deep insight into packets and logs that provide you with an unparalleled view into your enterprise or business.

NetWitness Suite is more powerful than ever, but it is easier for Tier 1 Analysts to use because it automates the process of identifying and prioritizing suspicious threats. NetWitness Suite 10.6 users can still hunt for and locate threats in the same way they have done in the past using the Investigation view, which is still available.

Architecture

RSA NetWitness Suite is a distributed and modular system that enables highly flexible deployment architectures that scale with the needs of the organization. NetWitness Suite allows administrators to collect two types of data from the network infrastructure, packet data and log data. If NetWitness Endpoint 4.4 is installed and configured, endpoint event data is also collected. The key aspects of the architecture are:

  • Distributed Data Collection. The Decoder ingests packet data while the Log Decoder ingests log data. Decoders parse and reconstruct all collected network traffic from Layers 2 through 7, or log and event data from hundreds of devices and event sources, including NetWitness Endpoint data (if installed and configured). The Concentrator indexes metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics, while also facilitating reporting and alerting. The Broker aggregates data captured by other devices and event sources: Brokers aggregate data from configured Concentrators, and Concentrators aggregate data from Decoders. A Broker therefore bridges the multiple real-time data stores held in the various Decoder/Concentrator pairs throughout the infrastructure.

  • Real-time Alerting. The NetWitness Suite Event Stream Analysis (ESA) service provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency. It is capable of processing large volumes of disparate event data from Concentrators. ESA uses an advanced Event Processing Language (EPL) that allows analysts to express filtering, aggregation, joins, pattern recognition and correlation across multiple disparate event streams. Event Stream Analysis helps to perform powerful incident detection and alerting.

  • Real-time Analytics (automatic analysis of events). The RSA Automated Threat Detection functionality includes preconfigured ESA analytics modules for detecting Command and Control traffic.

  • NetWitness Server. The NetWitness Server provides Reporting, Investigation, Administration, and other aspects of the user interface.

  • Capacity. NetWitness Suite has a modular-capacity architecture enabled with direct-attached capacity (DACs) or storage area networks (SANs), that adapts to the organization's short-term investigation and longer-term analytic and data-retention needs.

The NetWitness Suite provides large deployment flexibility. You can design its architecture using as many as multiple dozens of physical hosts or a single physical host, based on the particulars of the customer's performance and security-related requirements. In addition, the entire NetWitness Suite system has been optimized to run on virtualized infrastructure.

The System Architecture comprises these major components: Decoders, Brokers, Concentrators, Archivers, ESA, and Warehouse Connectors. NetWitness Suite components can be used together as a system or can be used individually.

  • In a security information and event management (SIEM) implementation, the base configuration requires these components: Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), and the NetWitness Server.
  • In a forensics implementation, the base configuration requires these components: Decoder, Concentrator, Broker, ESA, and Malware Analysis. The Response-Server service is also required and is used to prioritize alerts.

The table provides a synopsis of each major component:

                                              
System ComponentDescription
Decoder / Log Decoder
  • NetWitness Suite collects two types of data: packet data and log data. 
  • Packet data, that is, network packets, is collected by the Decoder from a network tap or SPAN port, which is typically placed at an egress point of the organization's network.
  • A Log Decoder can collect four different log types: Syslog, ODBC, Windows eventing, and flat files.
  • Windows eventing refers to the Windows 2008 collection methodology and flat files can be obtained via SFTP. 
  • Both types of Decoders ingest raw transactional data that is enriched, closed out, and aggregated to other NetWitness Suite components.
  • The process for ingesting and parsing transactional data is a dynamic and open framework.
Concentrator
  • Provides index and query capability to NetWitness Collections. 
  • Can optionally forward data to ESA.

Broker
  • Distributes NetWitness Collection access across many Concentrators or Archivers, making the entire NetWitness Suite enterprise appear as a single collection.
Archiver
  • The Archiver service enables long-term log archiving by indexing and compressing log data and sending it to archiving storage.
  • The archiving storage is optimized for long-term data retention and compliance reporting.
  • Archiver stores raw logs and log metadata from Log Decoders for long-term retention, and it uses Direct-Attached Capacity (DAC) for storage.

    Note: Raw packets and packet metadata are not stored in the Archiver.

Event Stream Analysis (ESA)
  • The Event Stream Analysis service provides event stream analytics such as correlation and complex event processing at high throughputs and low latency. It is capable of processing large volumes of disparate event data from Concentrators.
  • ESA uses an advanced Event Processing Language (EPL) that allows users to express filtering, aggregation, joins, pattern recognition, and correlation across multiple disparate event streams.
  • ESA helps to perform powerful incident detection and alerting.
  • The RSA Automated Threat Detection functionality includes preconfigured ESA analytics modules for detecting Command and Control traffic.

Core Versus Downstream Components

In NetWitness Suite, the Core services ingest and parse data, generate metadata, and aggregate generated metadata with the raw data. The Core services are Decoder, Log Decoder, Concentrator, and Broker. Downstream systems use data stored on Core services for analytics; therefore, the operations of downstream services are dependent on Core services. The downstream systems are Archiver, ESA, Malware Analysis, Investigate, and Reporting. 

Although the Core services can operate and provide a good analytics solution without the downstream systems, the downstream components provide additional analytics. ESA provides real-time correlation across sessions and events as well as between different types of events, such as log and packet data. Investigate provides the ability to drill into data, examine events and files, and reconstruct events in a safe environment. The Malware Analysis service provides real-time, automated inspection for malicious activity in network sessions and associated files.
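As an added illustration (not from the RSA document) of the cross-stream correlation described for ESA above, here is an advanced rule written in Esper EPL, the language ESA rules use. It assumes ESA exposes sessions as the `Event` stream, that `@RSAAlert` marks the alerting statement, that `medium = 32` denotes log sessions and `medium = 1` packet sessions, and that the meta keys `ec_activity`, `ec_outcome`, `user_dst`, `ip_src`, `ip_dst` and `direction` are available under those names; the thresholds and time windows are constructed for the example.

```sql
/* Added example, not RSA's own rule. Assumed stream name: Event; assumed meta keys:
   medium, ec_activity, ec_outcome, user_dst, ip_src, ip_dst, direction.
   Stage 1: from log data (medium = 32), emit a FailedLogonBurst row whenever one
   account sees five or more failed logons from one source within ten minutes. */
INSERT INTO FailedLogonBurst
SELECT user_dst, ip_src, ip_dst, count(*) AS failures
FROM Event(medium = 32 AND ec_activity = 'Logon' AND ec_outcome = 'Failure').win:time(10 minutes)
GROUP BY user_dst, ip_src
HAVING count(*) >= 5;

/* Stage 2 (the alerting statement): the same account then logs on successfully from
   the same source, and the host it authenticated to opens an outbound session that
   is observed in packet data (medium = 1), all within thirty minutes of the burst.
   This is the log-to-packet correlation the text attributes to ESA. */
@RSAAlert(oneInSeconds = 0)
SELECT burst.user_dst AS account,
       burst.ip_src   AS logon_source,
       ok.ip_dst      AS authenticated_host,
       net.ip_dst     AS outbound_destination,
       burst.failures AS failed_attempts
FROM pattern [
    every burst = FailedLogonBurst
    -> ok = Event(medium = 32
                  AND ec_activity = 'Logon'
                  AND ec_outcome = 'Success'
                  AND user_dst = burst.user_dst
                  AND ip_src = burst.ip_src)
    -> net = Event(medium = 1
                   AND ip_src = ok.ip_dst
                   AND direction = 'outbound')
    where timer:within(30 minutes)
];
```

The first statement produces no alerts on its own; only the `@RSAAlert` statement does, so tuning the burst threshold or window changes sensitivity without changing the alert shape.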
