Let's talk briefly about what NetWitness does. Is it really just about placing forensics tools around an intrusion defense system?

There's a lot of discussion around this space. Gartner dubbed this space network forensics. I'm not a big fan of the word prevention because I think the world is too complex today. I think there are a number of simple tasks that do fall into the category of what could be prevented or where there could be an action. That's the world of signatures or definition files, where somebody's already been hit with something or there is some existing foreknowledge of an attack. The problem, as you correctly describe in your article on the KHOBE issue, is that in a lot of cases, if you look at some of these malware instances, you'll find that one out of 35 vendors will actually recognize these things, and there's only an eight-hour window where you're dealing with the notion of a stimulus and response. Prevention is not really a good strategy. When something is known and understood, you could feed it into some preventative platform. So when we say response, it's more an issue of proactive detection and then taking whatever steps are necessary as a response action. In some cases the response may be a combination of things, where you're changing a firewall rule and writing a Snort signature, and where you're simply monitoring something more closely or engaging some additional threat feeds in your environment to look at some new threat vector that you hadn't considered before.

You mentioned full packet capture. Are the appliances out there powerful enough to collect packets without dropping?

There are a number of ways to approach it, but just as an example, one of our customers is arguably one of the largest private IP networks in the world. They're doing 60 GB/s of aggregate throughput and have 1.5 PB of inline real-time storage in what you would call a real-time situational awareness grid. It's definitely doable in a very large environment. The issue is just building scalability into the environment. There are ways to do it with commodity-type appliance-based storage, and there are ways to do it with traditional approaches to storage, such as storage area networks or other types of approaches. It just depends what your goals are with respect to data retention and use cases. Some organizations have use cases that are strictly incident response for security operations, so the useful life of that information is shorter than for an organization that may have more of a classic forensics or investigatory type of use case, where they want to go back and look at the history of network traffic for a longer period that might be 60 days, 90 days or even longer in some cases.

One term we've been hearing is "advanced persistent threat (APT)." I spoke to one expert who said it's being watered down by security vendor marketing departments. What is your definition of an APT?

For me to classify something as an APT, there are a few different criteria that have to be met. First of all, there has to be evidence that there is a specific adversary and that the adversary has some sort of organization, motivation and funding associated with them. The second is that there are specific targets in mind. The third is that they have the ability to operate across a broad spectrum of different types of activities, from social engineering to malware creation to network-based attacks or things of that sort. For example, we've seen with certain government clients where there have been a series of spear phishing attacks. These spear phishing attacks have ranged from being very clear social engineering attacks that have hand-crafted malware in them that has never been seen anywhere before, to where, once the malware is installed, it's very clear that the malware had some prior information relative to the specific assets in the organization – some network mapping had been done at a prior time. That would fall under my definition of an APT.