RSA NetWitness Suite is a threat detection suite that enables Security Operations Centers (SOCs) to quickly locate, prioritize, and triage threats. NetWitness Suite helps you to isolate and remediate known threats as well as those that were previously unknown. Its deep inspection of packets and logs gives you a comprehensive view of activity across your enterprise or business.
NetWitness Suite is more powerful than ever, but it is easier for Tier 1 Analysts to use because it automates the process of identifying and prioritizing suspicious activity. NetWitness Suite 10.6 users can still hunt for and locate threats as they have in the past using the Investigation view, which remains available.
RSA NetWitness Suite is a distributed and modular system that enables highly flexible deployment architectures that scale with the needs of the organization. NetWitness Suite allows administrators to collect two types of data from the network infrastructure: packet data and log data. If NetWitness Endpoint 4.4 is installed and configured, endpoint event data is also collected. The key aspects of the architecture are:
Distributed Data Collection. The Decoder ingests packet data while the Log Decoder ingests log data. Decoders parse and reconstruct all collected network traffic from Layers 2 through 7, or log and event data from hundreds of devices and event sources, including NetWitness Endpoint data (if installed and configured). The Concentrator indexes the metadata extracted from network or log data and makes it available for enterprise-wide querying and real-time analytics, while also facilitating reporting and alerting. The Broker aggregates data captured by other devices and event sources: Brokers aggregate from configured Concentrators, and Concentrators aggregate from Decoders. A Broker therefore bridges the multiple real-time data stores held in the various Decoder/Concentrator pairs throughout the infrastructure.
Real-time Alerting. The NetWitness Suite Event Stream Analysis (ESA) service provides advanced stream analytics such as correlation and complex event processing at high throughputs and low latency. It is capable of processing large volumes of disparate event data from Concentrators. ESA uses an advanced Event Processing Language (EPL) that allows analysts to express filtering, aggregation, joins, pattern recognition and correlation across multiple disparate event streams. Event Stream Analysis helps to perform powerful incident detection and alerting.
Real-time Analytics (automatic analysis of events). The RSA Automated Threat Detection functionality includes preconfigured ESA analytics modules for detecting Command and Control (C2) traffic.
NetWitness Server. The NetWitness Server provides Reporting, Investigation, Administration, and other aspects of the user interface.
Capacity. NetWitness Suite has a modular-capacity architecture enabled with direct-attached capacity (DACs) or storage area networks (SANs), that adapts to the organization's short-term investigation and longer-term analytic and data-retention needs.
The NetWitness Suite provides large deployment flexibility. You can design its architecture on anything from a single physical host to many dozens of physical hosts, based on the customer's performance and security-related requirements. In addition, the entire NetWitness Suite system has been optimized to run on virtualized infrastructure.
The System Architecture comprises these major components: Decoders, Brokers, Concentrators, Archivers, ESA, and Warehouse Connectors. NetWitness Suite components can be used together as a system or can be used individually.
- In a security information and event management (SIEM) implementation, the base configuration requires these components: Log Decoder, Concentrator, Broker, Event Stream Analysis (ESA), and the NetWitness Server.
- In a forensics implementation, the base configuration requires these components: Decoder, Concentrator, Broker, ESA, and Malware Analysis. The Response-Server service is also required and is used to prioritize alerts.
The table provides a synopsis of each major component:
Core Versus Downstream Components
In NetWitness Suite, the Core services ingest and parse data, generate metadata, and aggregate generated metadata with the raw data. The Core services are Decoder, Log Decoder, Concentrator, and Broker. Downstream systems use data stored on Core services for analytics; therefore, the operations of downstream services are dependent on Core services. The downstream systems are Archiver, ESA, Malware Analysis, Investigate, and Reporting.
Although the Core services can operate and provide a good analytics solution without the downstream systems, the downstream components provide additional analytics. ESA provides real-time correlation across sessions and events as well as between different types of events, such as log and packet data. Investigate provides the ability to drill into data, examine events and files, and reconstruct events in a safe environment. The Malware Analysis service provides real-time, automated inspection for malicious activity in network sessions and associated files.
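The kind of cross-stream correlation that Real-time Alerting and this section attribute to ESA (a pattern spanning a time window, joined across log and packet events), as an added illustration. This is not an ESA rule: ESA rules are written in EPL, and the Python below is a stand-in that implements one such pattern directly. The event shape, the meta key names, the failure threshold and the window length are assumptions, and the event list is constructed.

```python
# Stand-in for the cross-stream correlation ESA performs. Added illustration, not an
# ESA rule (ESA rules are written in EPL); event shape, meta keys, threshold and
# window are assumptions.
from collections import defaultdict, deque

WINDOW_SECONDS = 120     # stand-in for a sliding time window such as EPL's .win:time(2 min)
FAILURE_THRESHOLD = 3    # failures from one ip.src before a following success is suspicious

# Constructed events already normalized to NetWitness-style meta keys.
# "log" events come from a Log Decoder, "packet" events from a packet Decoder.
EVENTS = [
    {"time": 0,    "medium": "log",    "ip.src": "10.1.1.5", "user": "alice", "action": "failure"},
    {"time": 15,   "medium": "log",    "ip.src": "10.1.1.5", "user": "alice", "action": "failure"},
    {"time": 30,   "medium": "log",    "ip.src": "10.1.1.5", "user": "alice", "action": "failure"},
    {"time": 45,   "medium": "log",    "ip.src": "10.1.1.5", "user": "alice", "action": "success"},
    {"time": 60,   "medium": "packet", "ip.src": "10.1.1.5", "ip.dst": "203.0.113.9", "port.dst": 443},
    # bob: a single failure then success, then egress -> below threshold, no alert
    {"time": 300,  "medium": "log",    "ip.src": "10.1.1.7", "user": "bob",   "action": "failure"},
    {"time": 310,  "medium": "log",    "ip.src": "10.1.1.7", "user": "bob",   "action": "success"},
    {"time": 320,  "medium": "packet", "ip.src": "10.1.1.7", "ip.dst": "203.0.113.9", "port.dst": 443},
    # carol: threshold met, but the egress arrives after the window expires -> no alert
    {"time": 900,  "medium": "log",    "ip.src": "10.1.1.9", "user": "carol", "action": "failure"},
    {"time": 910,  "medium": "log",    "ip.src": "10.1.1.9", "user": "carol", "action": "failure"},
    {"time": 920,  "medium": "log",    "ip.src": "10.1.1.9", "user": "carol", "action": "failure"},
    {"time": 930,  "medium": "log",    "ip.src": "10.1.1.9", "user": "carol", "action": "success"},
    {"time": 1500, "medium": "packet", "ip.src": "10.1.1.9", "ip.dst": "203.0.113.9", "port.dst": 443},
]


class BruteForceThenEgress:
    """Pattern: at least FAILURE_THRESHOLD login failures from one ip.src inside the
    window, then a success from that ip.src, then an outbound packet session from the
    same host inside the window. The join from the log stream to the packet stream on
    ip.src is the part a single-source rule cannot express."""

    def __init__(self, threshold=FAILURE_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # ip.src -> timestamps of failures in the window
        self.pending = {}                   # ip.src -> (user, success time) awaiting egress

    def _expire(self, ip, now):
        recent = self.failures[ip]
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if ip in self.pending and now - self.pending[ip][1] > self.window:
            del self.pending[ip]

    def process(self, ev):
        """Consume one event; return an alert dict when the pattern completes, else None."""
        ip, now = ev["ip.src"], ev["time"]
        self._expire(ip, now)
        if ev["medium"] == "log":
            if ev["action"] == "failure":
                self.failures[ip].append(now)
            elif ev["action"] == "success" and len(self.failures[ip]) >= self.threshold:
                self.pending[ip] = (ev["user"], now)
                self.failures[ip].clear()
        elif ev["medium"] == "packet" and ip in self.pending:
            user, _ = self.pending.pop(ip)
            return {"rule": "brute_force_then_egress", "ip.src": ip, "user": user,
                    "ip.dst": ev["ip.dst"], "port.dst": ev["port.dst"], "time": now}
        return None


def correlate(events):
    """Feed time-ordered events through the rule and collect the alerts it raised."""
    rule = BruteForceThenEgress()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        alert = rule.process(ev)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only alice's sequence produces an alert: bob never reaches the failure threshold, and carol's outbound session arrives after the window has expired, so the pending state for her host is dropped before the packet event is seen. Expiring state on every event, not just on matches, is what keeps a rule like this from growing without bound on a busy Concentrator feed.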