Increase visibility, improve response efficiency
The NetWitness Platform gives your security team access to all of the data the platform holds about threats in your IT environment, so they can determine the most appropriate response quickly and precisely.
See how an analyst uses the network portion of the NetWitness Platform to work a phishing attack from triage through confirmation.
The NetWitness Platform empowers analysts to determine the most appropriate response to threatening activity, while safeguarding the organization, limiting harm to users, and protecting critical information owned by the company.
Prioritize
When an analyst first logs into the NetWitness Platform, they land on the springboard page, a roll-up summary of many data points held in the platform.
Step 1
Dashboards draw the analyst's attention to the highest-priority, and highest-risk, alerts and anomalies in their environment.
Step 2
The customizable roll-up shows data points that can be clicked to pivot the analyst into an investigation.
Step 3
From the top alerts and top incidents, analysts open the Respond module, an incident-management queue that contains all of the alerts. A single incident can contain one alert or hundreds.
Step 4
The roll-up lets analysts pivot directly to a data point and begin their investigation. In this case, the analyst is looking at an incident flagged as a phishing email carrying an obfuscated link.
Respond
All of the information in the Respond module is presented in bite-size pieces so that it is easier, more precise and more efficient to consume. An analyst's ability to determine the correct response depends on having the right information at their fingertips and understanding it properly.
Step 1
Within this single incident there is a potential phishing attempt that encompasses seven events.
Step 2
The analyst sees that the phishing attempt came from a single source IP address and targeted multiple addresses within the organization.
Step 3
The nodal view visualizes directionality, so analysts can easily tell the source of the activity, on the left, from its destinations or targets, on the right. Now that the analyst knows the threat's source and destinations, they can determine who or what the response should focus on.
Step 4
The analyst focuses on specific data points by clicking the events within the alert, or selects everything by clicking the alert itself. With the data point selected, the analyst can choose their response.
Reconstruct
Reconstructing the original event helps determine whether the incident needs further investigation. The analyst starts by selecting any of the individual sessions within the event.
Step 1
Clicking the session's hyperlink reconstructs that session in its original raw form, as it passed across the network.
Step 2
An event can be reconstructed in a number of ways, including the hex bytes that made up the raw packets and payloads, as well as any malicious files or attachments. Since the analyst is looking at a phishing incident, the email reconstruction shows what the individual users received.
The initial goal is to determine whether this was a genuine phishing email and, if so, what its intent was. The email reconstruction reveals spelling errors and a dubious sender address, which indicates this was not a very sophisticated email.
Step 3
Because this is the original email, clicking the link could trigger the malicious payload. The NetWitness Platform, however, has safeguards built in that show the analyst what would have happened and where that user would have browsed to.
After identifying the specific threat, the analyst can now see which individuals clicked the potentially malicious link.
Survey
Once more, the nodal view in the Respond module visualizes the threat's source and destinations.
Step 1
By clicking on the source, the analyst chooses from a number of options, including pivoting the investigation and running a query against the NetWitness Platform for that source IP address.
Clicking the pivot link brings the analyst to the investigation screen, where all of the data the NetWitness Platform collects is available.
Investigate
The NetWitness Platform takes all of the raw data it collects and converts it into metadata that analysts can easily view and use.
Step 1
In this investigation the analyst wants to know who browsed to the potentially harmful IP address. The NetWitness Platform makes it easy to determine the target, or destination, that the malicious link would have taken users to.
Step 2
Searching for the IP address did not just return hits; it returned the sessions within the environment in which that address was contacted. From the resulting IP addresses, the analyst immediately identifies the hosts that clicked the link: three hosts. Now the analyst wants to know what happened when those hosts browsed to the potentially malicious link.
Confirm
The analyst narrows the investigation further, reconstructing the three sessions from those same three IP addresses in the same way as during the initial response.
Step 1
In the text view, the analyst sees exactly what happened when the host clicked the link: the response served a file named sair.exe for download.
Step 2
In the file view, the analyst sees that same sair.exe file. The analyst may want to break the file down, upload it to a malware analysis sandbox or investigate further. Since it is the original malicious file, the NetWitness Platform shields the analyst and the organization from further harm by delivering it as a password-protected zip file.
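The Survey, Investigate and Confirm steps above amount to one pivot: from the mail source, to the sessions that touched it, to what each browsing host was actually served. The following is an added example written for this page, not NetWitness code and not its query syntax. It runs the same pivot over a constructed set of session records: seven SMTP sessions from one external address (RFC 5737 documentation ranges throughout), three HTTP sessions from internal hosts to that address, and one unrelated session. It assumes, as the walkthrough implies when querying the source IP surfaces the click sessions, that the phishing link points back at the sending IP; it goes slightly beyond the page by also handling a host that browsed to the address but was served no file.

```python
"""Pivot from a phishing incident to the hosts that followed its link and the
file they were served. Added example over constructed records; not NetWitness
code and not its query language."""
import hashlib
import re
from dataclasses import dataclass

@dataclass
class Session:
    sid: int
    src: str
    dst: str
    service: str   # "smtp" or "http"
    payload: bytes  # raw bytes as reconstructed from the packets

# Constructed data: the external address both sent the mail and hosts the
# link (assumption), which is what makes the pivot on the source IP work.
PHISH_SENDER = "203.0.113.45"
MAIL_SERVER = "192.0.2.25"
RECIPIENTS = [f"user{i}@example.com" for i in range(1, 8)]   # seven events

def phishing_email(rcpt: str) -> bytes:
    """Raw SMTP payload; the misspellings mirror the low-effort lure."""
    return ("From: IT Helpdesk <helpdesk@example.com>\r\n"
            f"To: {rcpt}\r\n"
            "Subject: Urgent: pasword reset required\r\n\r\n"
            f"Your acount will be suspended. Verify here: http://{PHISH_SENDER}/verify\r\n"
            ).encode()

# What the link served: a four-byte stand-in for a PE file, named sair.exe.
DROP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 b'Content-Disposition: attachment; filename="sair.exe"\r\n'
                 b"Content-Length: 4\r\n\r\nMZ\x90\x00")
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\n<p>hi"

SESSIONS = (
    [Session(i, PHISH_SENDER, MAIL_SERVER, "smtp", phishing_email(r))
     for i, r in enumerate(RECIPIENTS, start=1)]
    + [Session(10 + i, f"192.0.2.{10 + i}", PHISH_SENDER, "http", DROP_RESPONSE)
       for i in range(3)]
    + [Session(20, "192.0.2.13", "198.51.100.7", "http", BENIGN_RESPONSE)]  # unrelated
)

URL_RE = re.compile(r"https?://[^\s<>\"']+")
FILENAME_RE = re.compile(rb'filename="?([^";\r\n]+)"?', re.IGNORECASE)

def extract_links(email: bytes):
    """Links present in a reconstructed email (what the Open Email view shows)."""
    return URL_RE.findall(email.decode(errors="replace"))

def email_targets(sessions, sender: str):
    """Recipients of mail from `sender`: the right-hand side of the nodal view."""
    targets = []
    for s in sessions:
        if s.service == "smtp" and s.src == sender:
            m = re.search(r"^To: (.+?)\r\n", s.payload.decode(errors="replace"), re.M)
            if m:
                targets.append(m.group(1))
    return targets

def pivot_on_ip(sessions, ip: str, service=None):
    """Every session that touches `ip`, optionally narrowed to one protocol."""
    return [s for s in sessions
            if ip in (s.src, s.dst) and (service is None or s.service == service)]

def served_file(http_response: bytes):
    """(filename, body) if a raw HTTP response delivered an attachment, else None."""
    head, sep, body = http_response.partition(b"\r\n\r\n")
    if not sep:
        return None                      # truncated, or not HTTP at all
    m = FILENAME_RE.search(head)
    if m is None:
        return None                      # a page was served, not a download
    length = re.search(rb"Content-Length: (\d+)", head, re.IGNORECASE)
    if length:
        body = body[: int(length.group(1))]
    return m.group(1).decode(), body

def sha256_hex(data: bytes) -> str:
    """Digest to hand to a sandbox instead of the file itself."""
    return hashlib.sha256(data).hexdigest()

def triage(sessions, sender: str) -> dict:
    """Survey the incident, pivot on the sender IP, confirm what each host got."""
    mail = pivot_on_ip(sessions, sender, "smtp")
    links = sorted({u for s in mail for u in extract_links(s.payload)})
    clicked = {}
    for s in pivot_on_ip(sessions, sender, "http"):
        if s.dst != sender:              # only internal hosts browsing to the sender
            continue
        got = served_file(s.payload)
        clicked[s.src] = ({"file": got[0], "sha256": sha256_hex(got[1])}
                          if got else {"file": None, "sha256": None})
    return {"events": len(mail), "targets": email_targets(sessions, sender),
            "links": links, "clicked": clicked}

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SESSIONS, PHISH_SENDER), indent=2))
```

Running the script prints the incident summary: seven events against seven recipients, one link, and three internal hosts that followed it and were each served sair.exe. The digest is what to submit to a sandbox; packaging the sample itself as a password-protected zip, as the platform does, is not shown because Python's standard zipfile module can read encrypted archives but cannot write them.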