NetWitness Visualize

by Rocky DeStefano


NetWitness Content Extraction and Visualize

Content Extraction: NetWitness has always collected everything on the network and provides top-of-the-line analytical capabilities to slice and dice that information. Now the team has taken things one giant step forward by offering the ability to extract key artifacts, or “content”, for further analysis.

The automated extraction of artifacts that cross the network, and facilitation of the analysis of that extracted information, has been a need of security teams for a number of years. Malware analysis is the most tangible example today, but many other possibilities exist. Looking forward, building that capability into an operational model, refining the collection along the way so that the data is targeted more specifically and known-good information sets are not extracted and re-analyzed, makes this even more efficient and helps to level the playing field for the Good Guys!

Now that the content has been extracted from the data, you need a tool to analyze that information, and NetWitness thought through that problem from several perspectives. Investigator and Informer certainly offer their own views of the information, but now, with Visualize, NetWitness offers a truly unique way of going through information and identifying interesting anomalous traffic.

NetWitness provides examples for “Data Leakage”, “Personnel Investigations” and “A Day at NetWitness” as extracted content packages for you to peruse and analyze. These seem to accurately fit the initial enterprise use-cases for this technology, supporting various analytical teams. The only experiences you don’t get from the demo are integration with Investigator and looking at your own environment’s data set. You’ll have to schedule with sales to gain that additional experience.

Overall I think that the term “Visualize” may more accurately apply to your thought process than the limits of the product itself (for example it can replay audio). 

Summary:

NetWitness Visualize and the associated content extraction platform allow for a significantly enhanced analytical experience by providing new and meaningful reconstructions and related investigative tools, and in reality that is just the beginning!

Next NetWitness Related Post: Spectrum. Visualize is a great add-on tool to extend analytical techniques; Spectrum is a platform that extends analytical reach, improving effectiveness and efficiency and really allowing security programs to take the next logical step forward.

References:

Original Blog Post:  http://www.networkforensics.com/2010/07/19/visualize/

Demo Location: http://visualize.netwitness.com

Overview Video: http://www.youtube.com/watch?v=p4nIqIWKiMo

Other Blog Posts: http://www.dragoslungu.com/2010/07/20/new-netwitness-visualize-welcome-to-the-future/ (a great review)