There's a lot of discussion around this space. Gartner dubbed this space network forensics, so that's the moniker that it's getting these days. But a lot of it really does have to do with advanced threat intelligence. For organizations that are really thinking about ways to deal with these advanced threats – these security problems that are getting past the antivirus, evading intrusion detection systems and falling into this category of sophisticated threats – there's this category of solutions that are based on full packet capture and then real-time situational awareness, and that's where we fall into. There are a few products in this category, and of those there are only a few that deal with real-time incident response or real-time intrusion detection and management, and NetWitness falls into that category.

You mention the word response. Is there in fact a response, or is it more of an alert? Once you start talking about response, doesn't that turn it into an intrusion prevention system?
There are a number of ways to approach it, but just as an example, one of our customers is arguably one of the largest private IP networks in the world. They're doing 60 GB/s of aggregate throughput and have got 1.5 PB of inline real-time storage in what you would call a real-time situational awareness grid. It's definitely doable in a very large environment. The issue is just building scalability into the environment. There are ways to do it with commodity-type appliance-based storage, and there are ways to do it with traditional approaches to storage, such as storage area networks or other types of approaches. It just depends what your goals are with respect to data retention and use cases. Some organizations have use cases that are strictly incident response for security operations, so the useful life of that information is shorter than for an organization that may have more of a classic forensics or investigatory type of use case, where they want to go back and look at the history of network traffic for a longer period that might be 60 days, 90 days or even longer in some cases.

One term we've been hearing is "advanced persistent threat (APT)." I spoke to one expert who said it's being watered down by security vendor marketing departments. What is your definition of an APT?
For me to classify something as an APT, there are a few different criteria that have to be met. First of all, there has to be evidence that there is a specific adversary and that the adversary has some sort of organization, motivation and funding associated with them. The second is that there are specific targets in mind. The third is that they have the ability to operate across a broad spectrum of different types of activities, from social engineering to malware creation to network-based attacks or things of that sort. For example, we've seen with certain government clients where there have been a series of spear phishing attacks. These spear phishing attacks have ranged from being very clear social engineering attacks that have hand-crafted malware in them, that has never been seen anywhere before, to where once the malware is installed, it's very clear that the malware had some prior information relative to the specific assets in the organization – some network mapping had been done at a prior time. That would fall under my definition of an APT.