Novetta Cyber Analytics

Know your network. Arm your analysts.

An advanced network-traffic analytics solution. Dramatically increase the efficiency and effectiveness of IT security staff and threat responders by providing them with the right information when they need it.


Novetta Cyber Analytics • 7921 Jones Branch Drive • McLean VA 22102 • [email protected] 1

Introduction

The harsh reality of modern network security is that determined attackers will eventually breach enterprise networks: attackers have an asymmetric advantage and only need to find a single vulnerability to gain an initial foothold. Current security tools, including SIEMs, IPS/IDSs, and Security Analytics tools, try to detect and block these attacks, but even today's best commercially available, mostly automated solutions cannot guarantee immunity from targeted attacks, zero-day exploits, and sophisticated malware. To combat these threats, security teams must be able to rapidly detect, assess, and contain breaches with a network visibility and analysis solution that is both deep and fast.

Novetta Cyber Analytics is an advanced network-traffic analytics solution that gives analysts comprehensive, near real-time cyber security visibility and awareness, filling a critical gap in today's enterprise cyber security toolset. With queries that take only seconds, even at petabyte network traffic scale, the solution lets analysts receive comprehensive answers to complex questions "at the speed of thought," then instantly access the ground truth network traffic needed for alert triage, incident response and hunting. The solution dramatically increases the efficiency and effectiveness of IT security staff and threat response teams by providing them with the right information when they need it.

The Problem: A PCAP Visibility Gap

During network security investigations, analysts frequently encounter situations where a review of raw packet capture is required to determine whether an alert was accurate. This happens often with SIEM systems and firewall consoles, because they either do not provide immediate access to raw PCAP (depending on the solution) or do not allow a broader search of raw PCAP beyond the specific capture attached to the alert.

Leading Security Analytics platforms, on the other hand, were originally designed for PCAP analysis, but for forensics; they have since grown their feature set to handle real-time threat detection, mainly through signature-based deep packet inspection and sandbox detonation of unknown files. Because these solutions unravel all content and extract a large volume of data about observed network traffic, even their metadata databases are enormous and distributed. As a result, especially at very large scale, the ad hoc queries needed to confirm or deny the criticality of an alert, or to rapidly investigate an escalated incident, often take minutes to hours to return comprehensive answers, or never return them at all. This lack of response is debilitating to a security analyst, often forcing them into the tedious and time-consuming task of wrangling data from multiple systems in an attempt to piece together what is happening on their network.

With both SIEMs and Security Analytics platforms, analysts often quickly reach a point of frustration due to the lack of rapid and comprehensive answers to queries run against ground truth PCAP data, the lack of access to the right PCAP itself, or both.

Novetta Cyber Analytics substantially increases the efficiency and effectiveness of security teams.


Key Capabilities

Comprehensive contextual view

• Captures and processes packet capture data at wire speed from multiple strategically distributed sensors across an entire network.

• Facilitates rapid, comprehensive queries and immediate access to the original PCAP.

• Creates synthetic sessions to make individual host-to-host 'conversations' understandable to an analyst.

• Generates context-aware security intelligence that fuses network traffic data with threat intelligence and enrichment sources.

Security team 'super charger'

• Provides a feature-rich web interface for alert triage, incident response, and hunting at interactive speeds.

• Identifies behaviors that are undetectable using signature-based and forensics-focused solutions.

• Includes 100+ pre-built queries, built from years of experience working with network security experts at the Department of Defense.

• Enables an analyst's thoughts and suspicions to be shared within the database itself.

Key Features

Speed & scale

• Collects network traffic at wire speed (up to 40 Gbps).

• Queries metadata representing petabytes of network traffic in seconds, using Massively Parallel Processing (MPP) and a columnar metadata structure in a centralized analytics hub.

• Supports collection from Novetta sensors, legacy devices, and packet capture archives.

• Scales to enterprise levels using a cluster-based distributed design.

Enriched session views

• De-duplicates, fuses, sessionizes and centralizes metadata to create a complete, near real-time, human-understandable network view across dispersed network sensors.

• Augments network data with threat intelligence, registrar and passive DNS, IP netblock owners, IP geolocation data, and custom sources.

Built for analysts

• Provides an analytics-focused, intuitive web interface for rapid discovery and analysis.

• Enables one-click, immediate reachback access to original PCAP files.

• Provides the ability to 'tag' sessions and IP addresses to share knowledge, and to label subnets (e.g. 'Web Servers').

• Integrates with third-party tools such as SIEMs, firewalls, and Security Analytics solutions, and into existing workflows.

Key Benefits

Analysts see the truth, fast!

• See a complete enterprise-wide view of the behavior associated with advanced threats.

• Rapidly contextualize and distinguish between acceptable network traffic behavior and suspicious or malicious events.

• Understand the ground truth of activity by rapidly going to the source: the right network traffic.

• Drastically accelerate alert triage, incident response, and breach discovery.

• Increase the efficiency of cyber security workers by an estimated 5X to 10X.

Improved security posture

• Be highly confident in the thoroughness of alert and incident response efforts.

• Empower cyber security workers to think creatively about exactly how to find intruders.

• Assist analysts in finding never-before-seen, or even never-before-suspected, attacks.

• Maximize the value of existing infrastructure by discovering vulnerabilities.

The Solution

But there is a solution. With strategically placed sensors providing a comprehensive, broad, ground truth network view, and with a single contextually enriched columnar 'table' of observed network activity at its core, Novetta Cyber Analytics answers complex queries rapidly and completely. An analyst can, for example, quickly find all sessions and hosts related to a particular threat or alert (whether it comes from a SIEM, firewall or Security Analytics console), immediately drill into the directly related PCAP, pivot and search through more remotely related PCAP, and then repeat. The rapidity of this iterative process lets an analyst quickly and comprehensively reach conclusions for alert triage, incident response, and pure network hunting.


System Architecture

Deployment Options

100% Novetta Sensors

The most effective way to deploy Novetta Cyber Analytics is to instrument Novetta sensor technology at all strategic vantage points on the enterprise network. Novetta sensors consist of proprietary software running on standard commercial off-the-shelf hardware. The sensor compresses and retains PCAP data at the sensor site and makes it available on demand to end users. Because only extracted metadata is shipped to the hub and the PCAP stays where it was captured, this design mitigates network congestion and reduces ingest latency, achieving near real-time network data processing in the Cyber Analytics Hub.

100% Legacy Sensors

Customers are never locked into Novetta sensor technology. The Novetta Cyber Analytics Batch Ingest Module integrates existing sensor hardware and PCAP data repositories on enterprise networks. Customers can schedule the batch ingest of the data they collect into the Hub at any interval.

Hybrid

Novetta Cyber Analytics adapts to the needs of heterogeneous enterprise networks. Customers often find that they want more visibility in particular sections of their network once they understand the capabilities and effectiveness of the solution. Any number of existing sensors and Novetta sensors can operate concurrently on a network, and customers can swap either kind in or out to meet their requirements.

Key architectural notes: Strategically placed sensors, distributed raw PCAP storage, centralized metadata-based hub

Systems Integration

Novetta Cyber Analytics integrates with existing security solutions through a RESTful web API, a Python API, and a syslog message generation capability. The APIs give external systems direct and secure programmatic access to the analytics back-end engine with minimal integration effort: an administrator adds a new menu item that launches an analytical search, and analysts then reach Novetta Cyber Analytics directly from their primary workstation interface. The syslog capability generates messages after an analytical search has executed, giving SIEM tools and other monitoring solutions greater context around network events.

Novetta Cyber Analytics is architected from front to back to enhance the speed and efficiency of security team members when doing any sort of investigation. Even deployment is fast, with most installations up and running within two weeks — no tuning required.


Analytics

Pre-processing

Novetta Cyber Analytics eliminates common barriers to network traffic analysis by pre-processing data at ingest. The solution performs the following tasks to enable a seamless analytical workflow that increases the operational tempo of incident responders and network security analysts:

• Reassembles sessions partitioned by asymmetric routing paths.

• Disambiguates sessions from multiple private IP address spaces across the enterprise.

• Classifies sessions and nodes to identify threat actors and traffic patterns.

• Dissects application-layer services and indexes parameters for major services.

• Batch-loads sources of existing PCAP or other traffic data.
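As an added illustration of the first two pre-processing tasks above, and not code from Novetta or its product, the following Python sketch stitches both halves of an asymmetrically routed TCP conversation seen by different sensors into one session, keeps same-numbered RFC 1918 hosts at different sites apart by qualifying private addresses with a site label, and drops duplicate observations of one packet by sensors placed in series. The sensor names, the site labels, the Packet fields and the sample packets are all constructed for the example; how the product actually keys its sessions is not described on the page.

```python
"""Cross-sensor sessionization of packet metadata (added example, not Novetta code).

Each record is the metadata one sensor extracted from one packet. Two of the
pre-processing tasks the page lists are handled: (1) asymmetric routing, where
the two halves of a TCP conversation are seen by different sensors and must be
stitched into one session, and (2) overlapping RFC 1918 address space at
different sites, where the same 10.x address denotes different hosts. Duplicate
observations of one packet by sensors in series are discarded first.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Explicit RFC 1918 test: ipaddress.is_private also flags the documentation
# ranges (192.0.2.0/24 etc.) used as public stand-ins in the sample below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    sensor: str   # sensor that observed the packet (hypothetical names)
    site: str     # routing domain the sensor sits in (hypothetical site label)
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ip_id: int    # IP identification field, part of the duplicate fingerprint
    length: int


@dataclass
class Session:
    client: str
    server: str
    sport: int
    dport: int
    proto: str
    sensors: set[str] = field(default_factory=set)
    packets: int = 0
    bytes_to_server: int = 0
    bytes_to_client: int = 0
    start: float = float("inf")
    end: float = 0.0

    @property
    def bidirectional(self) -> bool:
        return self.bytes_to_server > 0 and self.bytes_to_client > 0


def endpoint(ip: str, site: str) -> str:
    """Qualify RFC 1918 addresses with their site so 10.1.2.3@hq != 10.1.2.3@branch.
    Assumes the observing sensor's site applies to the private end(s) it sees;
    inter-site private-to-private traffic would need a routing map (not modelled)."""
    addr = ipaddress.ip_address(ip)
    return f"{ip}@{site}" if any(addr in net for net in RFC1918) else ip


def dedup(packets):
    """Keep the first observation of each packet; later copies from downstream sensors are dropped."""
    seen = set()
    for p in packets:
        fp = (p.ts, p.src, p.sport, p.dst, p.dport, p.proto, p.ip_id, p.length)
        if fp not in seen:
            seen.add(fp)
            yield p


def sessionize(packets):
    sessions = {}
    for p in sorted(dedup(packets), key=lambda x: x.ts):
        a = (endpoint(p.src, p.site), p.sport)
        b = (endpoint(p.dst, p.site), p.dport)
        key = (p.proto,) + tuple(sorted([a, b]))   # direction-agnostic key
        s = sessions.get(key)
        if s is None:
            # the earliest packet across all sensors defines the client side
            s = Session(client=a[0], server=b[0], sport=a[1], dport=b[1], proto=p.proto)
            sessions[key] = s
        s.sensors.add(p.sensor)
        s.packets += 1
        s.start, s.end = min(s.start, p.ts), max(s.end, p.ts)
        if a == (s.client, s.sport):
            s.bytes_to_server += p.length
        else:
            s.bytes_to_client += p.length
    return list(sessions.values())


def summarize(packets):
    """Sessions indexed by (client, server) so callers can look results up by name."""
    return {(s.client, s.server): s for s in sessionize(packets)}


SAMPLE = [  # constructed packet metadata
    # conversation 1: outbound half at one edge sensor, return half at another (asymmetric path)
    Packet("hq-edge-out", "hq", 100.0, "10.1.2.3", 51000, "203.0.113.10", 443, "tcp", 1, 74),
    Packet("hq-core",     "hq", 100.0, "10.1.2.3", 51000, "203.0.113.10", 443, "tcp", 1, 74),  # same packet, seen again downstream
    Packet("hq-edge-in",  "hq", 100.1, "203.0.113.10", 443, "10.1.2.3", 51000, "tcp", 7, 74),
    Packet("hq-edge-out", "hq", 100.2, "10.1.2.3", 51000, "203.0.113.10", 443, "tcp", 2, 66),
    Packet("hq-edge-out", "hq", 100.3, "10.1.2.3", 51000, "203.0.113.10", 443, "tcp", 3, 583),
    Packet("hq-edge-in",  "hq", 100.5, "203.0.113.10", 443, "10.1.2.3", 51000, "tcp", 8, 1400),
    # conversation 2: a different host with the same private address and port at another site
    Packet("branch-edge", "branch", 101.0, "10.1.2.3", 51000, "198.51.100.7", 80, "tcp", 1, 74),
    Packet("branch-edge", "branch", 101.1, "198.51.100.7", 80, "10.1.2.3", 51000, "tcp", 9, 74),
    # conversation 3: inbound SYNs with no reply ever observed
    Packet("hq-edge-in", "hq", 102.0, "192.0.2.5", 40000, "10.1.2.9", 22, "tcp", 11, 60),
    Packet("hq-edge-in", "hq", 103.0, "192.0.2.5", 40000, "10.1.2.9", 22, "tcp", 12, 60),
]

if __name__ == "__main__":
    for s in sessionize(SAMPLE):
        flag = "" if s.bidirectional else "  <- one-sided: scan, or no sensor on the return path?"
        print(f"{s.client}:{s.sport} -> {s.server}:{s.dport} {s.proto} pkts={s.packets} "
              f"up={s.bytes_to_server} down={s.bytes_to_client} sensors={sorted(s.sensors)}{flag}")
```

Running the block prints one line per session. The one-sided 192.0.2.5 session is the case worth flagging: bytes in a single direction mean either a scan or a return path with no sensor on it, which is exactly the visibility gap the page is about. Port reuse and idle timeouts are not modelled; a production sessionizer would start a new session on a TCP SYN or after an idle gap.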

Performance

Novetta Cyber Analytics is designed to process petabytes of network traffic at carrier-grade speed and scale. It represents the state of the art in applied network traffic analysis and has proven itself on the premises of the largest network in the world, the U.S. Department of Defense.

• Sensors capture packets at up to 40 Gbps throughput.

• Only essential metadata is extracted from PCAP and loaded into the columnar-based centralized analytics hub to ensure rapid query response times.

• Queries on metadata representing petabytes of network traffic run in just seconds.

• PCAP is archived at the sensor and retrieved on demand to mitigate network congestion and latency.

Analyst Empowerment

Novetta Cyber Analytics enables incident responders and network security analysts to ask questions at the speed of thought, unencumbered by the chores of remembering syntax, data formats, or where their network traffic is stored. The solution exposes an advanced query construction form and provides interactive results exploration features to create a productive analytical experience. For example, the solution:

• Enables analysts to have total control over their data via the advanced query construction form.

• Includes 100+ pre-built, customizable analytical queries.

• Enables analysts to easily drill down and pivot within their data sets via the web UI.

• Retrieves original packet capture from sensor archives for forensic analysis.

• Distills PCAP data to extract and decode embedded content.

A simple, clean, and efficient interface, ideal for analysts, incident responders and network hunters.


Contextualization

Novetta Cyber Analytics gives context to events by associating the communicating parties of a session with enrichment data sources. Incident responders and network security analysts receive immediate insight into the agents communicating on their networks. Novetta Cyber Analytics integrates the following sources out of the box:

• City- and country-level geolocation for IP addresses.

• Historic domain names for publicly routable IP addresses.

• Domain name resolutions as observed passively on the wire.

• Whois IP address block assignments.

• Threat intelligence and blacklists.

• Custom subscriptions, spreadsheets, or lists.

Collaboration

Novetta Cyber Analytics enables teams to create and share knowledge. Incident responders and network security analysts can humanize the traffic data to characterize threats, assets, or activities on their systems, which lets teams effectively discover and prioritize the threats they face. To that end, users can:

• Create and share knowledge by tagging IP addresses and sessions.

• Save, reuse, and share queries.

• Schedule queries and specify the conditions for sending notifications.

• Enforce custom authentication and role-based access control policies.

An example of queryable session information made available to an analyst

Tags can be applied manually, in bulk, or automatically.
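To make the enrichment and tagging above concrete, and to show the syslog hand-off described under Systems Integration, here is an added Python example that is not Novetta's code: it joins constructed session records against stand-in geolocation, passive DNS, whois netblock, threat list and custom subnet tag tables (longest prefix wins for the CIDR tables), runs one saved query, and formats each hit as an RFC 5424 syslog line with the context carried in a structured-data element so a SIEM can parse it as key/value pairs. All table contents, the saved query, the hostname, application name and structured-data element name are assumptions; 32473 is the enterprise number RFC 5612 reserves for documentation, not a vendor ID.

```python
"""Session enrichment, tagging and syslog hand-off (added example, not Novetta code).

The tables below are constructed stand-ins for the sources the page lists:
geolocation, passive DNS, whois netblocks, a threat list and a custom subnet
tag list. Output follows RFC 5424 with the context in a structured-data element.
"""
from __future__ import annotations

import ipaddress

GEO = {"203.0.113.10": ("Amsterdam", "NL"), "198.51.100.7": ("Ashburn", "US")}
PASSIVE_DNS = {"203.0.113.10": ["update.example.net"], "198.51.100.7": ["cdn.example.org"]}
NETBLOCKS = [("203.0.113.0/24", "DOC-NET-3"), ("198.51.100.0/24", "DOC-NET-2")]
THREAT_LIST = {"203.0.113.10": "c2-feed-constructed"}
SUBNET_TAGS = [("10.1.0.0/16", "Corporate"), ("10.1.2.0/24", "Web Servers")]  # analyst-applied labels


def longest_match(ip, table):
    """Value of the most specific containing network in a [(cidr, value)] table, or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, value in table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else None


def enrich(session):
    """Attach context for both ends of a session; unknown lookups stay None/empty."""
    out = dict(session)
    for side in ("client", "server"):
        ip = session[side]
        out[f"{side}_tag"] = longest_match(ip, SUBNET_TAGS)
        out[f"{side}_geo"] = GEO.get(ip)
        out[f"{side}_pdns"] = PASSIVE_DNS.get(ip, [])
        out[f"{side}_owner"] = longest_match(ip, NETBLOCKS)
        out[f"{side}_threat"] = THREAT_LIST.get(ip)
    return out


def web_servers_to_listed_ips(sessions):
    """A saved query (hypothetical): tagged web servers initiating sessions to threat-listed hosts."""
    return [e for e in map(enrich, sessions)
            if e["client_tag"] == "Web Servers" and e["server_threat"]]


def _sd_escape(value):
    """RFC 5424 6.3.3: '"', '\\' and ']' must be escaped inside a PARAM-VALUE."""
    return str(value).replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def syslog_message(enriched, ts, host="nca-hub", app="cyber-analytics", msgid="QUERY"):
    """One RFC 5424 line. PRI 132 = facility local0 (16) * 8 + severity warning (4)."""
    params = {
        "client": enriched["client"], "server": enriched["server"],
        "dport": enriched["dport"], "bytes": enriched["bytes"],
        "clientTag": enriched["client_tag"] or "-",
        "serverOwner": enriched["server_owner"] or "-",
        "serverThreat": enriched["server_threat"] or "-",
        "serverPdns": ",".join(enriched["server_pdns"]) or "-",
    }
    sd = " ".join(f'{k}="{_sd_escape(v)}"' for k, v in params.items())
    return f"<132>1 {ts} {host} {app} - {msgid} [nca@32473 {sd}] session matched saved query"


SESSIONS = [  # constructed session metadata
    {"client": "10.1.2.3", "server": "203.0.113.10", "dport": 443, "proto": "tcp", "bytes": 2197},
    {"client": "10.1.7.4", "server": "198.51.100.7", "dport": 80, "proto": "tcp", "bytes": 148},
    {"client": "10.1.2.9", "server": "198.51.100.7", "dport": 443, "proto": "tcp", "bytes": 900},
]

if __name__ == "__main__":
    for hit in web_servers_to_listed_ips(SESSIONS):
        print(syslog_message(hit, "2024-01-01T00:00:00Z"))
```

The escape helper is not decoration: a passive DNS name or tag containing a quote or ']' would otherwise terminate the structured-data element early on the receiving side and shift every following field. Facility and severity are fixed here; a real integration would map them from the saved query's priority.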


Let us prove to you just how effective this solution can be. For more information:

844-NOVETTA (Toll Free) • [email protected]

novetta.com/cyber-analytics

Product Specifications

Sensor

Hardware
Device Type: Commodity servers
Packet Capture Storage: On-board drives, direct attached storage, and/or SAN/NAS
Packet Capture Location: SPAN port or network tap
Network Traffic Interface: Commodity network interface cards

Software
Operating System: RHEL-based Linux
PCAP Compression Ratio: 1.3:1 average
Metadata to Content Ratio: 100:1 average

Analytics Engine

Hardware
Device Type: Commodity servers
Data Storage: On-board drives

Software
Operating System: RHEL-based Linux
User Interface: Thin-client web application
Database: Massively Parallel Processing EDW (enterprise data warehouse)
Query APIs: Web-based and Python

Example Installations

                      Medium        Large                       Extra Large
Sensors               4x 1 Gbps     8x 1 Gbps + 2x 10 Gbps      12x 10 Gbps
Metadata Retention    30 days       30 days                     120 days
Metadata Storage      13.7 TB       93.8 TB                     1.6 PB
PCAP Retention        7 days        7 days                      7 days
PCAP Storage          320 TB        2.1 PB                      9.1 PB
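Rather than take the sizing rows on trust, a practitioner can reproduce them from the two ratios on the spec sheet. The following Python calculator is an added example and not Novetta's sizing tool; it assumes every link runs saturated around the clock, uses decimal units (1 TB = 10^12 bytes), and by default does not credit the 1.3:1 compression ratio. With those assumptions it lands within a few percent of the Large and Extra Large rows (2.12 PB and 9.07 PB of PCAP, 91 TB and 1.56 PB of metadata), which suggests the sheet sizes raw PCAP before compression; passing credit_compression=True shows how much the 1.3:1 ratio would save.

```python
"""Storage sizing from the spec sheet's ratios (added example, not Novetta's sizing tool).

Inputs: sensor line rates, retention periods, and the two ratios the sheet gives
(1.3:1 PCAP compression, 100:1 metadata-to-content). Assumed here: links are
saturated 24x7, units are decimal, and compression is credited only on request.
"""

SECONDS_PER_DAY = 86_400


def bytes_per_day(link_rates_gbps):
    """Total captured bytes per day for a list of fully utilised link rates in Gbps."""
    return sum(rate * 1e9 / 8 * SECONDS_PER_DAY for rate in link_rates_gbps)


def size(link_rates_gbps, pcap_days, metadata_days,
         compression=1.3, metadata_ratio=100.0, credit_compression=False):
    """Return (pcap_tb, metadata_tb) for one installation."""
    per_day = bytes_per_day(link_rates_gbps)
    pcap = per_day * pcap_days / (compression if credit_compression else 1.0)
    metadata = per_day / metadata_ratio * metadata_days
    return pcap / 1e12, metadata / 1e12


# The three example installations on the spec sheet: (link rates, PCAP days, metadata days)
INSTALLATIONS = {
    "Medium":      ([1] * 4,            7, 30),
    "Large":       ([1] * 8 + [10] * 2, 7, 30),
    "Extra Large": ([10] * 12,          7, 120),
}


def table(credit_compression=False):
    """Sizing for every installation, keyed by name; values are (pcap_tb, metadata_tb)."""
    return {name: size(rates, p, m, credit_compression=credit_compression)
            for name, (rates, p, m) in INSTALLATIONS.items()}


if __name__ == "__main__":
    for credit in (False, True):
        print(f"compression credited: {credit}")
        for name, (pcap_tb, meta_tb) in table(credit).items():
            print(f"  {name:12s} PCAP {pcap_tb:8.1f} TB   metadata {meta_tb:8.1f} TB")
```

The Medium row is the one the model explains least well (302 TB versus 320 TB, 13.0 TB versus 13.7 TB), so for a real deployment the number to measure first is the actual average utilisation of each monitored link, which drives both figures linearly.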

Novetta Cyber Analytics runs proprietary software on commodity hardware. It is designed to be configurable to the requirements of existing network systems. Please speak with a Novetta sales consultant today to learn how it can be integrated with your systems.

From Complexity to Clarity