Security Testing and Evaluation Labs
Security Evaluation Laboratory (SEL)
NetWitness: NetWitness NextGen Suite
| Field | Value |
|---|---|
| Sponsor: | NetWitness Corporation |
| Point of Contact: | Brian Girardi, Phone: (703) 889-8948 |
| Assurance Level: | EAL2 |
| Status: | In-Evaluation |
NETWITNESS provides a suite of products that captures network traffic and uses the data to solve a broad range of business and security problems. The NextGen suite simultaneously captures, re-sessionizes, and models network layer and application layer traffic in real-time. It retains full packet payload for complete analysis by synchronizing network metadata across a secure and flexible framework. Users of NetWitness NextGen can concurrently solve a wide variety of information security problems including: advanced persistent threat management, data leakage protection, malware activity detection, insider threat detection, GRC controls verification and network-based e-discovery.
NextGen’s components are:
- **Administrator** - A Graphical User Interface (GUI) that allows you to manage a NetWitness Server product. Management capabilities include configuration, stopping and starting servers, monitoring server health and performance, monitoring application performance, and viewing server logs.
- **Decoder** - An appliance-based network capture device that fully reassembles and normalizes traffic at every layer for full session analysis. This enables users to collect, filter, and analyze full network traffic across any number of dimensions.
- **Concentrator** - A network appliance that consolidates multiple Decoders to create single logical views for analysis. This enables users to instantly analyze network and application layer detail across multiple capture locations, including full content.
- **Investigator** - A NetWitness application that can process pre-existing data or capture live data from a network interface, and perform analysis on data collected by either capture method. Investigator can connect live to a Decoder or Concentrator for interactive browsing and searching.
- **Informer** - A NetWitness application that enables users to create customized reports on real-time incidents, threats, anomalies, misconfigurations, compliance violations, and other malicious or benign activities on the network. Report results can be verified by following links to NetWitness Investigator.
- **Broker** - A Linux-based network appliance that brokers and distributes queries across multiple concentration points. NetWitness Broker provides a single, unified view across an entire network.