
NetWitness Bridges Security Gaps with NextGen

Abstract

On September 10, 2007, NetWitness, an industry leader in network forensics solutions, announced the launch of its new flagship product, NextGen. NextGen is a network level, full packet capture, forensic solution that can be used to bridge the gaps in a defense-in-depth layered security model. The threat environment has adopted multiple evasive techniques to exploit the gaps in current monitoring solutions. To address this issue as well as issues surrounding breach notification laws, data leakage, and internal threats, organizations are looking to solutions such as NetWitness NextGen for the level of network visibility needed to accurately identify risks, threats and compromises, and to take necessary corrective actions. EMA believes that, without such solutions, businesses increasingly lack the level of awareness essential to responding effectively to ever more complex and demanding risk and compliance priorities.

Context and Background

Despite innovations in security technologies, breaches are still occurring regularly. These breaches often exploit the gaps between the monitoring technologies currently adopted in most layered security models, complicating the investigative and incident response processes, causing losses to organizations in terms of substantial risk exposure, as well as downtime and inefficiency. Even more serious, without proper network visibility, these incidents may go totally unnoticed for an extended period of time. Massive amounts of data can be compromised during these periods of effective blindness, resulting in substantial negative impact on the organization.

The continued proliferation of these incidents has driven the creation of breach notification laws to protect consumers by forcing disclosure of breaches that affect personally identifiable information (PII) and individual privacy. Naturally, this type of disclosure has driven the need to be as accurate as possible when reporting the scope of such a breach. Not only should notification be as specific as possible for those affected, the negative exposure that results from a security breach can have significant consequences. Knowing the actual extent of an incident is therefore paramount.

Compliance with notification laws will force organizations to investigate far more security incidents than in the past. Minor incidents such as spyware or adware infiltration have the potential to trigger a major investigation to determine if any information subject to regulation was lost. This can have a dramatic impact on investigative processes—a major speed bump for organizations that may not have previously factored the importance—or the impact—of investigations into their regular activities.

Consider, for example, that a complete and properly documented forensic investigation of a computer system could easily take upwards of 15 hours. This amount of time will likely be expanded if any given system’s storage capacity is larger than 40 gigabytes, or if multiple disks or multiple partitions exist—just to name only a few of a wide range of other possible system particulars that add to the cumulative impact of a complete analysis.

This raises many questions as to just how great an impact a midsized-to-large organization is truly prepared to absorb. Certain types of threats, such as worms and viruses, could easily infect 5,000 computers fairly quickly. If the level of investigation required to satisfy a regulatory or other requirement takes 15 hours per computer, the scale of the impact of a full forensic investigation becomes apparent. Although this is a simple thumbnail illustration, the impact of such events is reflected in the total cost of incidents such as last year’s TJX breach. What this illustration suggests is that one need not consider an event of that scale to see what the impact of mandatory incident analysis could be.

Event

In response to these new demands, NetWitness has released its new flagship product, NextGen. The purpose of NextGen is to increase the capabilities of network monitoring teams through full packet captures. This functionality allows security teams to create efficient processes for a broad range of business needs, including data leakage detection, assessment of compliance issues, and more efficient incident investigation.

This increase in network visibility provides a technology platform for higher levels of assurance in content filtering, network control, and network management. This maps directly to governance, risk, and compliance efforts by offering deep visibility into typical network activities at the application layer. This gives organizations the ability to manage risk through more accurate determination of activity indicative of a potential or actual breach, and network visibility essential to more effective security and risk management.

October 2007

© 2007 Enterprise Management Associates, Inc. All Rights Reserved. IMPACT BRIEF
Key Ramifications

Attackers recognize that security countermeasures exist in victim organizations. This recognition has spurred innovation in malicious activity that now includes evasion and stealth techniques that often hide the attack or the presence of an attacker within an infrastructure. As a result, organizations need higher levels of network visibility to ensure security as well as to provide the insight necessary to incident investigation.

This is the need that NetWitness NextGen fulfills. NextGen is not a content monitoring and filtering (CMF), security information and event management (SIEM), intrusion detection, or other standalone security technology. NextGen is a full packet capture solution that manages captured data in a way that helps solve multiple data-centric information security challenges, which include data leakage, insider threats, malware detection, compliance, and e-discovery, as well as deep analysis of network performance issues based on comprehensive network content awareness.

Organizations that previously spent large amounts of time investigating events with system level forensics or through log analysis of multiple systems can dive deeper into analysis of network traffic. Thus, the time spent investigating events not captured by IDS or firewall logs or incomplete information captured by anomaly detection systems (ADS) can be saved through deeper analysis of network traffic with NextGen. While NextGen is by no means a replacement for these technologies, it does make them more efficient. NextGen delivers this efficiency by reducing the number of people required to review data through a central network visibility solution, while reducing the amount of time and number of technologies used to correlate data in an incident. In terms of an investigation, NextGen can be used as a network-level solution to reduce the number of systems that must be investigated separately. Visibility into network content makes this possible, by capturing the information communicated between target systems and those exploiting them.

EMA’s Perspective

EMA believes that a full packet capture utility with forensic capabilities is a necessity in today’s medium-to-large enterprise. Innovations in attack and anti-forensic capabilities have allowed attackers to circumvent several current security countermeasures. New vectors for malware, insider threats, data leakage and traditional external hacker threats are being discovered every day. It is therefore a necessity for network security to increase its visibility into the risks and threats borne by the network.

The current threat environment as well as regulatory mandates—particularly those requiring consumer notification in the event of a security breach—are forcing security teams to be better prepared to answer the demands of an incident investigation. There are distinct gaps between what security teams can determine based on basic firewall, IPS, and anomaly detection. NetWitness helps to bridge these gaps by giving security teams tools that provide high network visibility through capturing and logically managing network data directly relevant to an incident investigation.

The enterprise must stop and consider just what breach notification laws require. Most IT and security shops simply do not have the bandwidth—or the budget—to allocate time and resources to the level of incident investigation required by a wide range of regulatory mandates. The scale is potentially daunting, considering how much time and effort it takes to evaluate only a few exploited systems or resources in detail. Tools that make this response more efficient can do more than make such investigations more cost-effective. Without today’s emerging generation of network forensic tools, businesses must face the reality that they will have to divert precious resources and budget away from strategic priorities to meet these requirements. As reports of new breaches continue virtually unabated, the actual scope and scale of such efforts is likely to be an eye-opener for many businesses that have not heretofore considered the real impact of incident analysis. Such events will help drive the market for network forensic solutions such as those of NetWitness, and will have an impact on the nature of security solutions brought to market in the future.

Enterprise Management Associates


Phone: 303.543.9500, Fax: 303.543.7687
www.enterprisemanagement.com 1463.103007

The NetWitness Difference

INTELLIGENT ANALYSIS

Richard Stiennon, Chief Research Analyst

White Paper © IT-Harvest 2010

Sponsored by NetWitness
KEY TAKEAWAYS

• Advanced threats are being successful in spite of investments in layered security defenses.
• IT innovation supporting business growth is outpacing security technologies’ effectiveness.
• Through continuous monitoring, alerting and recording of network traffic, a defense can be mounted that is agile and responsive.
• NetWitness’ tool set is flexible, and it is easy for customers to create custom parsers to solve their unique problems.
• By deploying NetWitness, organizations can reduce IT risks associated with malware infection and data exfiltration, and realize cost savings quickly.
• Well documented incidents highlight the need for advanced monitoring and analysis capabilities to counter sophisticated attacks.

INTRODUCTION

Despite years of investment in preventive security measures such as firewalls, IDS/IPS, and Anti-virus, most enterprises are succumbing to sophisticated targeted attacks. These advanced threats are carefully orchestrated to side step those preventive measures and find the cracks in an organization’s defenses to compromise email, take over control of end points and exfiltrate data. The revelation by Google that they suspected China of hacking into their systems using social networks to induce employees to click on malicious links should come as no surprise in light of similar revelations over the past six years. The most important incidents include:

• Titan Rain[1], a successful infiltration of US research labs and government contractors
• The Haephrati Trojan[2], a custom malware used to steal competitive intelligence from Israeli companies
• Email server compromises at the German Chancellery[3], UK Whitehall[4], and US Pentagon[5], all attributed to Chinese hackers
• GhostNet[6], a 1,200 strong botnet infecting diplomatic and foreign office machines all connected to interests in Southeast Asia including the Office of the Dalai Lama
• Targeted attacks that successfully stole data from Marathon Oil, ExxonMobil, and ConocoPhillips[7]
• Kneber botnet[8], a new form of malware that has infected more than 74,000 computer systems across the world and is focused on stealing login credentials for e-mail systems, social networks, and banking sites

As long as organizations rely on purely preventive technologies, instead of real-time monitoring techniques, they will continue to succumb to advanced threats that target their data, networks, and people.

Security Fails to Keep Up

Ironically, keeping up with IT security threats evokes the military dictum “Generals are doomed to always fight the last war”. The history of IT security has been one of reaction. As the advantages of a networked world are gained through social networking, outsourcing, connecting, moving to the cloud, and deploying computers to knowledge workers, profiteers that prey on network resources develop increasingly sophisticated methods of disrupting these benefits. Spam, viruses, worms, phishing attacks, DDoS and now advanced threats are each met with preventative technologies. Each new technology requires ever increasing investment in people, products, and processes to ensure the continued benefits of that networked world. Unfortunately, preventative measures pre-suppose the attack methodology. Even when technology is developed to counter future threats, it is not deployed until after those threats materialize. Wi-Fi security, IM security, and Secure Web Gateways are all examples of such technology.

What Needs to Change?

Most successful attacks that lead to data loss have a common trait: they come from the inside. The attacker may well be a state sponsored spy, a cyber criminal, or a motivated malicious insider. Each of these is either granted access to critical information or has obtained it by abusing weaknesses in the preventative security measures. The key to addressing these inside threats is effective network monitoring, but that is a daunting task as thousands of individuals, tens of thousands of programs, and millions of customers access a network every day. Through continuous monitoring, alerting, and recording, a defense can be mounted that is agile and responsive.

NetWitness has broken new ground using a unique set of tools to enable real-time situational awareness, monitoring, alerting, and the ability to respond to advanced threats based on the rigor of network forensics. Our investigation of NetWitness has provided insight into how two large organizations discovered the extent of their problem and deployed NetWitness technology to control that problem. The difference in how they use the tools is testament to the agility of the solution.

Illuminating the Invisible: Financial Services

A large US Bank employed dozens of people in its AV infrastructure. They had AV technology deployed on desktops, servers, and in front of mail servers. Yet, thanks to employees accessing malicious websites, opening email attachments, and using social networks, incidents still occurred at an alarming rate. Like most organizations, the AV teams were fighting a constant battle to track down and quell malware outbreaks that would start from a single infection and spread throughout its global locations.

The bank deployed NetWitness in four data centers and immediately began to realize dividends. In the words of the primary analyst: “NetWitness provided a quantum leap in visibility into network security incidents and flexibility in response.”

Immediately after deployment the bank began to see:

• Employees using proxies to break out of the confines of the corporate network. Most organizations use URL Content Filtering to block access to inappropriate sites and protect them from malware containing web pages. An employee can work around those filters by browsing through proxy servers that have not yet been classified by these filter products. NetWitness can recognize attempts to make these connections and can alert on such activity.
• Uploading files to remote storage. The motivation for employees to store data offsite may be as benign as a desire to protect copies of files or as malicious as a preparatory action to leaving the bank and wanting to steal customer lists, trading algorithms, or other corporate data. This activity was a common practice inside the bank and was caught by the security team using NetWitness.
Even before a signature is available for a new web-borne threat, a threat feed that incorporates names of suspicious files (PDFs, ZIP files, etc.) is fed into NetWitness. When these suspect files cross the network, they are immediately flagged by NetWitness and the machines that accessed them are identified. When the bank first deployed NetWitness, a report was run in eight seconds that identified all such machines and recovery action could be scheduled. The bank saved $6 million in six months just from cost savings associated with quickly finding and isolating these machines.

Another powerful technique developed at the bank was to take a feed of key words from current events and write NetWitness “flex parser” rules. These words, such as “Sarah Palin”, “H1N1”, or “World Cup”, may often be associated with social engineering efforts. Analysts at the bank quickly determined the source of emails containing these key words as well as the links to potentially malicious sites, long before the particular malware or scam associated with them was categorized by legacy software tools.
One effective use of NetWitness solved another problem the bank faced. The bank had a policy of not allowing .zip files to be attached to emails. The email protection products they employed would strip off the attachment before forwarding on the email. Unfortunately, the bank’s security team had no way to examine those files for malicious content because they were not stored; they were flying blind. Since NetWitness was deployed in front of the email server, the entire .zip file was captured and made available to the analysts.

Incident handling also is expedited by connections to existing tools such as IDS and SIEM. All of the NetWitness intelligence can be interactively linked to traditional IDS solutions so that an analyst can see an IDS alert, click through to the associated NetWitness data and determine what is in fact going on.

NetWitness Live provides several threat alert streams that can be fed into the analysis framework as part of its standard subscription. One such feed from MyNetWatchman provides a list of suspect URLs/IP addresses from electronic crime groups. Standard IDS cannot look into encrypted traffic, so attackers will use SSL to bypass IDS. An email or web site will contain a link to the SSL protected site while the user is usually unaware of the SSL connection initiated by their browser. What does remain visible on the wire is the handshake (the server name the client asks for and the certificate the server returns) and the endpoint addresses, which is enough to match against a suspect-site list. The bank wrote a flex parser to identify SSL connections established to those suspect sites.

Another large bank had a revealing experience. Within 30 seconds of first installing NetWitness and examining traffic they discovered a machine that was communicating with a remote server and uploading key stroke logs. The attacker’s machine was located in China’s southern Guangdong province.

Deployment of NetWitness ultimately served to dramatically improve the bank’s defensive posture, reduce data loss and business risk, and save millions in operation costs.
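The three detections the bank built (a feed of suspicious file names, current-events keywords in mail, and SSL connections to suspect sites) all reduce to the same operation: join the indicators from a feed against the metadata a capture engine extracts per session, then group the hits by internal host so that the machines that touched them can be scheduled for recovery. The Python below is an added illustration of that join and is not NetWitness code or the bank's flex parsers; the feed, the session records and every address in them are constructed for the example, and the field names (filename, subject, sni) are an assumption about what a capture engine would expose.

```python
"""Join threat-feed indicators against per-session metadata and report
which internal hosts touched them.

Added illustration, not NetWitness code. The feed, the sessions and the
addresses below are constructed for the example.
"""
import re
from collections import defaultdict

# Constructed threat feed, the kind of list the bank fed into NetWitness.
FEED = {
    "filenames": {"invoice_2010.pdf", "photos.zip"},
    "keywords": {"sarah palin", "h1n1", "world cup"},
    "hosts": {"update-check.example.net", "cdn.badsite.example"},
    "ips": {"203.0.113.45"},
}

# Constructed session metadata, one dict per session, with the fields a
# capture engine would extract for that protocol (assumed field names).
SESSIONS = [
    {"id": 1, "src": "10.1.4.22", "dst": "198.51.100.9", "proto": "http",
     "filename": "invoice_2010.pdf"},
    {"id": 2, "src": "10.1.4.22", "dst": "198.51.100.9", "proto": "smtp",
     "subject": "Re: Sarah Palin interview - must see!", "filename": "clip.mov"},
    {"id": 3, "src": "10.2.7.5", "dst": "203.0.113.45", "proto": "ssl",
     "sni": "update-check.example.net"},
    {"id": 4, "src": "10.2.7.5", "dst": "192.0.2.10", "proto": "ssl",
     "sni": "www.example.com"},
    {"id": 5, "src": "10.3.1.9", "dst": "203.0.113.45", "proto": "ssl"},  # no SNI
    {"id": 6, "src": "10.1.4.30", "dst": "198.51.100.9", "proto": "http",
     "filename": "Photos.ZIP"},
]


def match_session(session, feed):
    """Return the list of (indicator_type, value) hits for one session."""
    hits = []
    fname = session.get("filename", "").lower()
    if fname in feed["filenames"]:
        hits.append(("filename", fname))
    subject = session.get("subject", "").lower()
    for kw in feed["keywords"]:
        # Word-boundary match so "h1n1" does not fire inside an unrelated token.
        if re.search(r"\b" + re.escape(kw) + r"\b", subject):
            hits.append(("keyword", kw))
    # For SSL the payload is opaque, but the server name from the client
    # hello and the server IP are still in the clear; match on those.
    sni = session.get("sni", "").lower()
    if sni in feed["hosts"]:
        hits.append(("host", sni))
    if session.get("dst") in feed["ips"]:
        hits.append(("ip", session["dst"]))
    return hits


def hosts_to_review(sessions, feed):
    """Map each internal source host to the sorted list of its indicator hits."""
    report = defaultdict(set)
    for s in sessions:
        for hit in match_session(s, feed):
            report[s["src"]].add(hit)
    return {src: sorted(hits) for src, hits in report.items()}


if __name__ == "__main__":
    for src, hits in sorted(hosts_to_review(SESSIONS, FEED).items()):
        print(src, hits)
```

Session 5 shows the fallback the SSL parser needs: when the client sends no server name, the only indicator left is the destination address, so the feed should carry both host names and IPs.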

Illuminating the Invisible: Government

A large agency within a Western government had over 40 field offices. Those offices were responsible for intelligence gathering, regulatory compliance, security forces, and law enforcement. The team responsible for securing the disparate departments was shackled with rudimentary tools such as TCPdump and some internally written scripts for analyzing network traffic.

Thanks to published reports of investigations from researchers in Cambridge and Toronto, the use of custom Trojans is now understood to be one of the primary tools of cyber spies (Ghostnet and Sleeping Dragon[9]). In attacks very similar to the Haephrati Trojan fiasco reported in Israel in 2004, adversaries create custom malware that cannot be detected by commercial AV products. The malware either is sent as an attachment to a craftily written email or downloaded from what appears to be a legitimate web site. Once installed, the malware “phones home” to beaconing servers for further instructions or to transmit key strokes and files. These targeted attacks were widely spread within the offices of the government agency.

Using various open and closed source threat feeds, the agency wrote a flex parser to catch “potentially spoofed emails” by comparing the SMTP sender field to the actual source. This technique reduced the number of emails that had to be investigated from over 600,000 to 100 or so a day, allowing the security team to focus their efforts and provide comprehensive investigations. They also used key words from threat feeds to identify emails with suspicious messages such as “Karzai” or “swine flu”.
With NetWitness, the security team could identify PDF attachments with potentially malicious “actions” associated with them as well as embedded JavaScript. They also wrote a “self-signed certificate parser” to find instances of suspicious website access. By leveraging different techniques in NetWitness, the security team stopped many sophisticated infiltration attempts.
Like many organizations, the network of the 40+ offices was subdivided by address range and those addresses were recorded in a spreadsheet. It was a simple matter to output a CSV file from the spreadsheet and feed it into NetWitness. From that point on, network traffic was identified by the department from which it originated or to which it was destined. This was a quantum leap in the agency’s ability to understand what was happening on its networks.
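The address-range-to-department enrichment in Python, as an added example of the lookup and not NetWitness code: the CSV export is parsed with the standard library, the ranges are sorted most specific first so that a /24 carved out of a /16 wins, and each session gets source and destination department fields. The CSV, the departments and the sessions are constructed.

```python
"""Tag sessions with the department that owns each address range, from a
CSV export of the address-range spreadsheet.

Added illustration, not NetWitness code. The CSV and the sessions are
constructed for the example.
"""
import csv
import io
import ipaddress

# Constructed export of the address-range spreadsheet.
RANGES_CSV = """range,department,site
10.10.0.0/16,Field Operations,Denver
10.10.5.0/24,Forensics Lab,Denver
10.20.0.0/16,Regulatory Compliance,Chicago
192.0.2.0/24,DMZ Services,HQ
not-a-range,Typo Row,Nowhere
"""


def load_ranges(text):
    """Parse the CSV into (network, label) pairs ordered most specific first,
    so the first containing network during lookup is the longest-prefix match."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            net = ipaddress.ip_network(row["range"].strip(), strict=False)
        except ValueError:
            continue  # skip malformed spreadsheet rows rather than fail the load
        rows.append((net, f'{row["department"].strip()} ({row["site"].strip()})'))
    rows.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return rows


def label_for(ip, ranges):
    """Return the label of the most specific range containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net, label in ranges:
        if addr.version == net.version and addr in net:
            return label
    return None


def tag_sessions(sessions, ranges):
    """Return copies of the sessions with src_dept and dst_dept fields added."""
    out = []
    for s in sessions:
        t = dict(s)
        t["src_dept"] = label_for(s["src"], ranges) or "unknown"
        t["dst_dept"] = label_for(s["dst"], ranges) or "unknown"
        out.append(t)
    return out


# Constructed sessions.
SESSIONS = [
    {"src": "10.10.5.44", "dst": "203.0.113.9"},   # Forensics Lab host to the Internet
    {"src": "10.10.77.3", "dst": "10.20.1.8"},     # Field Ops to Regulatory Compliance
    {"src": "172.16.0.2", "dst": "192.0.2.25"},    # unmapped source to the DMZ
]

if __name__ == "__main__":
    for t in tag_sessions(SESSIONS, load_ranges(RANGES_CSV)):
        print(t["src"], t["src_dept"], "->", t["dst"], t["dst_dept"])
```

The linear scan is fine for a spreadsheet-sized table; for thousands of ranges a radix tree (or sorting the networks and bisecting on the first address) gives the same longest-prefix answer faster.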

CONCLUSION

With an understanding of the extent an attacker will go to achieve their objectives comes the realization that preventive security measures are not enough. Well documented incidents at Google, credit card processors, oil and gas companies, and the Pentagon highlight the need for advanced monitoring and analysis tools to counter advanced attacks. Whether from outsiders who have infiltrated a network or insiders with malicious intent, advanced threats have created an urgent need for NetWitness’ tools. By deploying real-time network security monitoring and analysis tools to achieve accurate situational awareness, organizations can stop attacks on their digital assets before it is too late.

THE POWER ELEMENTS OF NETWITNESS

The NetWitness Decoder is the cornerstone and the frontline component of an enterprise-wide network data recording and analysis infrastructure. Decoder is a highly configurable network appliance that enables the real-time collection, filtering, and analysis of all network data. Decoders can be positioned anywhere on the network: egress, core, or segment.

Decoders are architected to work in conjunction with NetWitness Concentrators that aggregate information for analysis from Decoders in real-time. Concentrator is designed to aggregate metadata hierarchically to enable scalability and deployment flexibility across an enterprise. As a result, Concentrators can be deployed in tiers to provide visibility and high availability into multiple Decoder capture locations.

NetWitness Broker operates at the highest level of the hierarchical NextGen infrastructure. Its function is to facilitate queries across an entire enterprise-wide deployment where multiple Concentrators are employed. Broker provides a single point of access to all the NetWitness metadata and is designed to operate and scale in any network environment.

NetWitness Informer provides an interactive and intuitive web-based dashboard for generating reports and alerts, trending events and visualizing all recorded network activity. From Informer’s interactive reports, you can drill into the data using NetWitness Investigator.

Investigator provides unprecedented free-form contextual analysis on massive volumes of information exposed by the NetWitness NextGen infrastructure. Users of Investigator can easily perform interactive analyses of complex security problems and gather valuable network forensics to answer tough security questions. An intelligence feed, NetWitness Live, provides up to the minute information on malicious traffic, source IP addresses, and known file names that can be used to highlight associated network traffic and quickly determine infected hosts, communication to attack “beacons”, and exfiltration of critical data.

References

1. Thornburgh, Nathan. The Invasion of the Chinese Cyberspies. Time Magazine, August 29, 2005. http://www.time.com/time/magazine/article/0,9171,1098961,00.html
2. Worthen, Ben. Lessons Learned. The Wall Street Journal, December 11, 2007. http://online.wsj.com/article/SB119717607386118466.html
3. Merkel’s China Visit Marred by Hacking Allegations. Der Spiegel, August 27, 2007. http://www.spiegel.de/international/world/0,1518,502169,00.html
4. Chinese Army ‘is hacking into Whitehall Computers’. UK Daily Mail, September 5, 2007. http://www.spiegel.de/international/world/0,1518,502169,00.html
5. Jowitt, Tom. Chinese Army Blamed for Pentagon Attack. Techworld, September 4, 2007. http://news.techworld.com/security/9978/chinese-army-blamed-for-pentagon-hack/
6. Markoff, John. Vast Spy System Loots Computers in 103 Countries. New York Times, March 28, 2009. http://www.nytimes.com/2009/03/29/technology/29spy.html
7. Clayton, Mark. US Oil Industry Hit by Cyber Attacks. Christian Science Monitor, January 25, 2010. http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved
8. NetWitness Discovers Massive ZeuS Compromise. February 18, 2010. http://netwitness.com//resources/pressreleases/feb182010.aspx
9. Shadows in the Cloud. SecDev, April 5, 2010. http://www.scribd.com/doc/29435784/SHADOWS-IN-THE-CLOUD-Investigating-Cyber-Espionage-2-0

Enabling Full Network Capture and Real-Time Analysis at 10Gbps

Summary

Growing concern regarding the peril of advanced threats faced by organizations today, coupled with the introduction of new governance requirements, regulatory mandates, and an increased focus on risk management, is driving network monitoring requirements to include full data retention for extended periods of time. When combined with the increasing adoption by organizations of 10Gbps network infrastructures, a situation exists in which network monitoring software vendors must adapt, if not re-architect, their capture and processing methods.

While a number of vendors have released 10Gbps support, and most are focused on the issue, many of the promises held by their marketing claims do not measure up to real-world environments. For the most part, vendors are focused on the development of simple network capture appliances that can support a 10Gbps Ethernet interface. The logic is that by consolidating into a single-box environment, they will be able to address 10Gbps throughput and maintain their footprint – which should, in theory, translate into hardware cost control. Not a bad idea…if 10Gbps solutions were actually priced in line with their consolidation techniques. This approach completely overlooks the massive storage requirements that 10Gig network monitoring creates, and the scalability and real-time analytics these solutions demand.

The problem is that these vendors are approaching the issue with the logic that simply supporting a 10Gbps Ethernet interface, monitoring simple network-layer characteristics, and streaming the data to disk is the solution required by network, security, audit and investigations staffs in organizations today. The error in this logic is that while this approach supports 10Gbps capture and short-term data retention requirements, it does little to address the issue of actually analyzing this large quantity of data in a live capacity, providing actionable intelligence with the data that is captured and analyzed, and overlooks the new long-term data retention requirements that organizations face.

Capturing the information is only one part of the 10Gbps challenge; making use of it once captured is more difficult. NetWitness, through its NextGen product offering, has a great deal of experience monitoring 10Gbps networks for large commercial enterprises, governments, and telecommunication providers around the world. Many of our current customer deployments support multi-gig throughputs – some at 10Gbps, and some much larger in aggregate. This paper outlines our distributed architecture approach to the 10Gbps challenge, discusses technical challenges associated with the consolidated model, and provides examples of how the NetWitness NextGen solution supports 10Gbps without sacrificing any of the analytic and threat intelligence functionality for which it has become so well known.

The Problem

The challenge of 10Gbps network monitoring is not capturing the data from the network. The real challenge is organizing and making sense of the data, at all network layers, and creating value for security, network management, audit, investigation, and risk management professionals.

Solutions coming from most network and security vendors marketing “deep packet inspection” and “stream to disk” technology fail to address the challenge and resource requirements to make sense of a single 10Gbps link, let alone multiple, distributed enterprise links of various throughputs. Advanced security threat profiles of the last few years demonstrate that it is not enough to simply inspect packets and trend on high level metrics, nor stream all data directly to disk to save for a rainy day. Advanced and persistent threats are evolving rapidly, and they are driving requirements for analytical solutions that deliver an in-depth understanding of network activity across multiple points and time frames, and, with the advancement of 10Gbps, now at very high speeds.

DECODER AND CONCENTRATOR

The NetWitness Decoder appliance is the cornerstone of the NetWitness NextGen™ infrastructure and the key component of an enterprise-wide network data recording solution. Decoder is a real-time, distributed, highly configurable network recording appliance that enables users to collect, filter, and analyze full network traffic in an infinite number of dimensions.

The NetWitness Concentrator appliance facilitates current and historical reporting and alerting, and extends the reach of NextGen across multiple capture locations. Concentrator is designed to aggregate data hierarchically for ultimate scalability and deployment flexibility across various organization-specific network topologies and infrastructures.

The most important component of the analytics issue is having the right software in place – but this paper is not meant to debate NetWitness’ monitoring and modeling approach against that of the competition. Leaving that aspect of the discussion aside, the second most important component of the analytics issue related to 10Gbps is the ability to process huge quantities of information in an up-to-the-minute capacity. It is our contention that a consolidated architecture solution sacrifices a significant amount of processing power – resulting in slower returns against the data captured. Our distributed architecture model relies on multiple devices to perform real-time analytics, without sacrificing a consolidated output of the information. In addition to the need for real-time analytics, the problem with the consolidated architecture approach is further compounded by the fact that a saturated 10Gbps link will produce over 100TB per day. The storage requirements are massive. Consider the following for a saturated 10Gbps link:

10Gbps link = 108TB/day = 756TB/week = 3.2PB/month

Clearly there are massive additional storage requirements that must be addressed – yet these requirements are not mentioned in marketing discussions related to a consolidated architecture approach. Either these solutions are overlooking this need, they have no practicable technical solution, or they are purposely excluding the storage discussion in an effort to retain the low-cost, low-footprint value proposition.

The consolidated architecture approach also overlooks requirements related to scalability, reliability and flexibility. This model makes it difficult to implement additional devices without incurring significant cost. It also forces single points of failure into your environment. To address these problems, NetWitness is taking a unique approach to the issue of 10Gbps – one that is different from the marketing messages from other vendors, but a solution that will better deliver against actual needs and provide true value against the problems organizations are facing.

The NextGen Solution

With massive storage requirements, as well as high-performance processing and memory needs, a true 10Gbps full capture and analysis system must be architected in a distributed fashion to scale appropriately for processing and storage load. To assume a single high-throughput device could support this requirement ignores scalability, reliability, flexibility, and usability requirements.

From its inception, NetWitness NextGen was architected to be dynamic and robust enough to grow with our clients’ infrastructure. A byproduct of this scalability-by-design within NextGen is that our technology can be deployed to support any single or aggregated network link. Simply put, NetWitness NextGen modularly scales via reliable and distributed devices, and logically organizes data to optimize analytical value across an entire enterprise without using expensive, specialized hardware.

How does it work?

Every product within the NetWitness NextGen suite uses a single framework to communicate, and to facilitate data and configuration transfer. The NextGen framework leverages P2P concepts to provide a highly scalable monitoring solution, enabling on-demand access to distributed network capture points, while providing a single logical view of the captured data no matter the total throughput.
The NextGen infrastructure is comprised of three devices that are deployed in n-tiers for true scalability:

Decoder
Responsible for network capture, processing, and packet storage. Decoder is the front-line device and serves content and metadata to the framework.

Concentrator
Responsible for aggregating and indexing metadata in real-time from Decoders, Concentrator acts as the metadata aggregator and serves metadata to the framework.

Broker
Provides a single logical view into Concentrators distributed throughout an enterprise. Broker queries and aggregates results for user consumption.

With network capture points distributed across multiple Decoders, the data is logically aggregated to Concentrators and then unified by Broker. From a central location users can experience consistent and deep analytical capabilities regardless of the dynamics of the underlying infrastructure.

(Figure 1) NetWitness Tiered Architecture Across an Enterprise: Unified Enterprise view giving real-time access to network traffic in excess of 10Gbps. The diagram shows regional tiers of Decoders (D), Concentrators (C) and Brokers (B) labelled Europe, Headquarters and Asia, with link rates of 6.6Gbps, 1.2Gbps, 3.8Gbps and 45Mbps. (Actual hardware configuration may vary with traffic profile and requirements)
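The following calculator is an added example, not NetWitness code. It reproduces the saturated-link arithmetic quoted above (108TB/day for a 10Gbps link) and sizes a Decoder tier for the link rates shown in Figure 1; the per-Decoder capture rate and storage capacity, the 7-day retention window and the mapping of rates to regions are assumptions for illustration.

```python
"""Constructed capture-sizing calculator (not NetWitness code).

Reproduces the paper's saturated-link figures (10Gbps -> 108TB/day,
756TB/week, ~3.2PB per 30-day month) and extends them to a tiered
deployment: for each monitored link, how much packet data a retention
window produces and how many Decoders are needed when each Decoder is
limited to a hypothetical capture rate and disk capacity.
"""
from dataclasses import dataclass
from math import ceil

SECONDS_PER_DAY = 86_400
TB = 10 ** 12  # decimal terabytes, the unit behind the paper's 108TB/day figure


@dataclass(frozen=True)
class Link:
    name: str
    rate_gbps: float          # line rate in gigabits per second
    utilisation: float = 1.0  # 1.0 = saturated, which is what the paper assumes


@dataclass(frozen=True)
class DecoderSpec:
    """Hypothetical per-Decoder limits; real figures depend on the appliance."""
    max_gbps: float    # sustained capture rate one Decoder can keep up with
    storage_tb: float  # packet storage attached to one Decoder


def bytes_per_day(rate_gbps: float, utilisation: float = 1.0) -> float:
    """Bytes written by full packet capture of one link in 24 hours."""
    return rate_gbps * 1e9 / 8 * utilisation * SECONDS_PER_DAY


def capture_volume_tb(rate_gbps: float, days: float, utilisation: float = 1.0) -> float:
    """Decimal terabytes of packet data produced over `days` days."""
    return bytes_per_day(rate_gbps, utilisation) * days / TB


def saturated_link_profile(rate_gbps: float) -> dict:
    """Day / week / 30-day month volumes for a saturated link, as in the paper."""
    return {
        "tb_per_day": capture_volume_tb(rate_gbps, 1),
        "tb_per_week": capture_volume_tb(rate_gbps, 7),
        "tb_per_month": capture_volume_tb(rate_gbps, 30),
    }


def decoders_for_link(link: Link, retention_days: float, spec: DecoderSpec) -> dict:
    """Decoders for one link: the larger of the rate-bound and storage-bound counts."""
    retained_tb = capture_volume_tb(link.rate_gbps, retention_days, link.utilisation)
    by_rate = ceil(link.rate_gbps * link.utilisation / spec.max_gbps)
    by_storage = ceil(retained_tb / spec.storage_tb)
    return {
        "retained_tb": retained_tb,
        "decoders": max(1, by_rate, by_storage),
        "bound": "storage" if by_storage > by_rate else "rate",
    }


def size_deployment(links, retention_days: float, spec: DecoderSpec):
    """Per-link Decoder plan plus the enterprise totals a Broker would unify."""
    plan = {link.name: decoders_for_link(link, retention_days, spec) for link in links}
    totals = {
        "retained_tb": sum(p["retained_tb"] for p in plan.values()),
        "decoders": sum(p["decoders"] for p in plan.values()),
    }
    return plan, totals


# Link rates taken from the Figure 1 labels; the region mapping is an assumption.
FIGURE1_LINKS = [
    Link("Europe", 6.6),
    Link("Headquarters", 1.2),
    Link("Asia", 3.8),
    Link("Branch", 0.045),
]
# Hypothetical Decoder limits used for the illustration.
SPEC = DecoderSpec(max_gbps=2.0, storage_tb=100.0)

if __name__ == "__main__":
    print("saturated 10Gbps:", saturated_link_profile(10))
    plan, totals = size_deployment(FIGURE1_LINKS, retention_days=7, spec=SPEC)
    for name, entry in plan.items():
        print(f"{name:13s} {entry['retained_tb']:8.2f} TB  {entry['decoders']} Decoder(s), {entry['bound']}-bound")
    print("enterprise total:", totals)
```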

This design enables growth by simply expanding Decoder and Concentrator aggregation coverage, distributing capture, index and query load across multiple devices to respond to requests. This distributed deployment of NextGen devices provides an unprecedented view into every monitored link, whether a single downstream 10Gbps link or 25 1Gbps links across a global network.

The result is an infrastructure that can evolve and grow as throughput, analysis, and threat intelligence needs grow. Intentionally, by design, the NextGen architecture inherently supports 10Gbps networks and beyond for full packet capture and analysis.

Conclusion

NetWitness realized from inception that to truly achieve high throughput performance, the technology needed to distribute resources and leverage multi-source analysis methods. This architectural foresight has enabled NetWitness to address the needs of some of the largest private and public organizations across the world. It also positions the technology to address specific 10Gbps requirements without having to completely re-engineer our solutions or change the fundamental infrastructure footprint. At the current time, more than 95% of all NetWitness NextGen deployments are providing analysis into multi-gig networks. Many of our client engagements are explicitly 10Gbps links. This ability is driven by the scalable architecture upon which NextGen is based.

As a result, NetWitness NextGen does not have a 10Gbps model number or “SKU” – it simply does not require it. The architecture is designed to inherently support enterprise analysis regardless of the throughput or amount of data retained, and leverages existing load-balancing technologies to address high speed streams. This approach enables our customers to deploy and leverage NextGen in their dynamic environments, evolve logically and scale economically.

About NetWitness

NetWitness® Corporation is the world leader in real-time network forensics and automated threat intelligence solutions, helping government and commercial
organizations detect, prioritize and remediate complex IT risks. NetWitness solutions concurrently solve a wide variety of information security problems
including: advanced persistent threat management; sensitive data discovery and advanced data leakage detection; malware activity discovery; insider threat
management; policy and controls verification and e-discovery. Originally developed for the US Intelligence Community, NetWitness has evolved to provide
enterprises around the world with breakthrough methods of network content analysis and host-based risk discovery and prioritization. NetWitness customers
include Defense, National Law Enforcement and Intelligence Agencies, Top US and European Banks, Critical Infrastructure, and Global 1000 organizations.
NetWitness has offices in the U.S. and the U.K. and partners throughout North and South America, Europe, the Middle East, and Asia.

NetWitness Corporation | 500 Grove Street, Suite 300 | Herndon, VA 20170


T: 703.889.8950 | F: 703.651.3126 | info@netwitness.com www.netwitness.com
NetWitness® NextGen™
A Case Study in Advanced Information Security

Executive Summary

One of the largest financial services companies in the world — involved in all aspects of the industry from wealth management and investment services, to retail and commercial banking, to credit cards and investment banking — represents a high profile target for cyber criminals and nation-state sponsored threats. With a global footprint, the company’s IT infrastructure is responsible for processing billions in financial transactions on a daily basis and is among the most complex and aggressively-targeted in existence.

The company’s executives and IT staff understand this reality and have built one of the world’s most advanced information security programs. To protect the assets of its millions of customers, the company operates in a state of elevated vigilance. To minimize potential intrusion points, it maintains a centralized Internet gateway strategy, and invests heavily in security solutions such as firewall, anti-virus, Intrusion Detection Systems (IDS) and Data Loss Prevention (DLP) technologies. The company constantly evaluates its security policies and validates their effectiveness. It also employs a global security staff comprised of some of the brightest individuals in the industry. The organization goes far beyond simply meeting its compliance requirements — it recognizes that the security of sensitive information is as important to clients as the services it provides.

Against an ever-evolving threat landscape, in which the enemies are countless and their methods growing more sophisticated by the day, the company’s security staff keeps a watchful eye for new threats: monitoring an endless stream of alerts; rapidly determining their validity; discarding the mundane and mounting an immediate response to the severe. It is a daunting array of tasks.

The company’s IT security staff recognized that despite all of their investments, what they had in place was simply not enough to support their complex and critical mission. In particular, they were aware that the information they were getting from their existing devices was just a snapshot, lacking necessary contextual information that could help them understand and protect their assets and their customers. IDS and DLP solutions provided alerts, but without full session data they had no way to easily judge which were legitimate threats and which were false positives. Staff was required to spend countless hours weeding through system data trying to determine what was actually happening on the network — hours that were critical when an attack was in progress. The company came to NetWitness because they understood that they needed a solution that could help the staff pinpoint advanced threats and data exfiltration attempts in a real-time fashion.

Evaluating NetWitness

When the company began the project to improve the function of its security infrastructure, the staff was primarily focused on anomaly detection. They thought they were looking for a solution that could help analysts better monitor traffic peaks — significant upswings in traffic that can indicate connections with command and control networks, or botnets.

While they depended on the information from products they had already deployed, they had become disappointed with the results of flow-based anomaly detection solutions. The problem was due to both the nature of the anomaly detectors and the complex structure of the company’s network. It wasn’t that the products didn’t do what they claimed — it was that what they were designed to do wasn’t sufficient for the needs of a large international financial institution. The IT staff began discussions with their peers in the industry, and through those conversations were pointed to NetWitness as a possible solution.

Initially, the company was looking at NetWitness simply as a forensics tool. As they dug deeper into the system’s capabilities, they found that it actually solved a number of other problems plaguing their operations — but from a different angle than what they were considering. As the analysis of NetWitness continued, it became obvious to the staff that the total capabilities of the system gave them a host of additional benefits that they hadn’t expected.

After gaining a better understanding of NetWitness through a series of executive-level discussions, the company decided to conduct a proof of concept deployment. According to an IT executive at the company, “The results were quite extraordinary. There was definitely an ‘oh wow’ moment. Our current log files contain 70 million lines per day — of that 70 million, identifying those that might be Trojan communications was previously a very difficult undertaking. Using NetWitness we were able to immediately zero in on malicious traffic, cutting days of work out of our process.”

Based on this successful test run of the NetWitness NextGen solution, the company decided to move forward with initial deployments on its centralized Internet gateway, and for some of its international offices.

Instant Success

It took only days for the initial deployment to produce significant benefits. The most important difference between the prior environment and the environment with NetWitness in place is that the company’s IT staff now has a complete view into all traffic — whether Internet-based or within the company’s VPN infrastructure. The new level of contextual knowledge enables the staff to make rapid decisions and to implement countermeasures that limit the impact of threats.

The NetWitness infrastructure now sits at the company’s centralized Internet gateway, and in select international offices in geographies where the potential for insider threats is most pronounced. Because of the centralized architecture the company has put in place for Internet connectivity, the positive impact has spread across their global network operations. They have been able to automate the process of identifying issues — taking the problem from a tedious and time-consuming human inspection task to an automated analyst provided by the NextGen solution that is both faster and much more reliable than the alerting that had been coming from previously deployed technologies.

Within specific countries of concern, they are now able to monitor traffic for any potential wrongdoing — giving the IT staff near 100% certainty that their assets, and the identities of their customers, are protected. The staff is able to create reports based on advanced threat characteristics and automate and examine them on a daily basis. This enables them to streamline operational processes that once took hours and days down to a matter of minutes.

An Evolutionary Engagement

One of the aspects of the deployment that has been most satisfactory to the company’s IT staff is that even though the company has only recently deployed NetWitness, they are discovering new potential uses on a daily basis. They have taken advantage of the broad NetWitness community for help and suggestions with new ideas based on real-world applications of the NextGen technology. In addition, the staff’s hands-on experience with the system has enabled them to develop a number of innovative uses internally.

The company’s experience with NetWitness has been sufficiently positive that they are now planning to expand the relationship in two directions. First, they will be using NextGen as a rapid security deployment solution when an in-country incident requires deep forensic analysis. Secondly, they will be adding several additional international locations to the permanent enterprise monitoring architecture. The company’s near-term goal for NetWitness deployment is now 90% coverage across the entire international network — an amazingly short transition from proof of concept to broad international deployment.

Get in the Know. Become a NetWitness User.

The threats facing NetWitness customers are advanced and our customers’ environments are very demanding. NetWitness customers are security experts with years of experience and a refined sense for the challenges facing their organizations. NetWitness excels at working with this savvy base of users, whose workload and requirements push the limits of any platform. Our discerning customers are provided unprecedented access to technical support, our product and development staff, and our executive leadership. Our fanatical focus on this advanced user base, coupled with our extensive knowledge of advanced threats, resulted in the customer taking full advantage of the power of the NextGen solution from day one.

NetWitness helps clients combat advanced cyber-security threats by giving them an unprecedented level of knowledge into what is happening across their networks, and providing them the insight needed to take definitive action. The NetWitness NextGen security monitoring solution has received numerous awards for its innovation and has become a critically important part of our clients’ day-to-day operations. It is this intersection of rich application data and context that differentiates the patented NetWitness products from any other solution available in the market. Try it out for yourself and see what you’ve been missing on your network.

About NetWitness
NetWitness® is the world leader in real-time network forensics and automated threat intelligence solutions, helping government and commercial organizations detect, prioritize and remediate complex IT risks. NetWitness’ patented and award-winning solutions solve a wide variety of information security problems, including advanced persistent threats, data leakage, malware activity, and more.
NetWitness® NextGen™
A Financial Services Customer Success Story

Executive Summary

Like many larger financial institutions, a top 10 bank set a mature information security program in place. The program implemented an effective defense-in-depth strategy. In addition to a broad range of security technologies such as firewalls, intrusion prevention systems, data leakage prevention technologies and a Security Information and Event Management system, they also implemented advanced security processes and controls for incident detection and response. Their security staff was recognized within the industry as one of the brightest in the field.

The bank’s security team continuously evaluates how new technologies can be used to improve their security posture by identifying breaches and improving the efficiency of incident response activities when breaches are discovered. The bank’s security team evaluated NetWitness NextGen in their operating environment and immediately identified a complex and ongoing criminal breach that had previously gone undetected. Some of their most sensitive servers had been compromised and were establishing a remote command and control channel to IP addresses in Russia. The periodic beaconing of this remote control signal was occurring using non-standard traffic over DNS ports.

Instant Success

The severity of the incident was of such material significance that it required briefing the CEO of the bank. Based on evaluating its performance in the live environment, the security team decided to move forward with a NetWitness NextGen purchase to monitor the bank’s Internet gateways and critical systems. NextGen’s level of visibility into session and application layer content and context and its forensic rigor quickly became a critical component of the bank’s strategy to protect its data.

Following the initial deployment, the bank continues to leverage its NextGen platform for numerous critical benefits, including identifying and addressing costly wire fraud transfer issues, detection and analysis of zero-day and custom malware and detecting numerous instances of advanced data leakage and exfiltration. NextGen has become invaluable to the security team by enabling them to accelerate incident response and investigation processes. As part of the organization’s daily process and workflow, NextGen performs on-demand event research, enriching and validating telemetry from SIEM and other security indicators. It also reduces losses from insider abuse and fraud, validating that only authorized access has occurred to the bank’s extensive client account databases.
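As an added illustration that is not part of the case study or NetWitness code, the following constructed example shows one way a finding like the bank’s could be surfaced from session metadata: sessions on the DNS port whose payload-identified protocol is not DNS, then grouped per source/destination pair and tested for regular inter-arrival timing (beaconing). All hosts, timestamps and the session schema are constructed assumptions.

```python
"""Constructed detection example (not NetWitness code).

Session records are the kind of metadata a full-capture Decoder produces:
the application protocol is identified from payload, not inferred from the
port. Two checks run over them: (1) sessions on the DNS port that are not
DNS, and (2) among those, source/destination pairs that recur at a regular
interval, the beaconing pattern the bank observed.
"""
from collections import defaultdict
from statistics import mean, pstdev

DNS_PORT = 53

# Constructed sample sessions. "ts" is seconds since capture start; addresses
# are documentation ranges, not real hosts.
SESSIONS = [
    # Legitimate lookups to the internal resolver, at irregular times.
    {"ts": 12, "src": "10.1.5.20", "dst": "10.1.0.53", "dport": 53, "service": "dns"},
    {"ts": 47, "src": "10.1.5.20", "dst": "10.1.0.53", "dport": 53, "service": "dns"},
    {"ts": 900, "src": "10.1.5.20", "dst": "10.1.0.53", "dport": 53, "service": "dns"},
    # Non-DNS payload on the DNS port, about every 10 minutes with jitter.
    {"ts": 0, "src": "10.1.5.20", "dst": "203.0.113.9", "dport": 53, "service": "unknown"},
    {"ts": 598, "src": "10.1.5.20", "dst": "203.0.113.9", "dport": 53, "service": "unknown"},
    {"ts": 1203, "src": "10.1.5.20", "dst": "203.0.113.9", "dport": 53, "service": "unknown"},
    {"ts": 1799, "src": "10.1.5.20", "dst": "203.0.113.9", "dport": 53, "service": "unknown"},
    {"ts": 2402, "src": "10.1.5.20", "dst": "203.0.113.9", "dport": 53, "service": "unknown"},
    {"ts": 3001, "src": "10.1.5.20", "dst": "203.0.113.9", "dport": 53, "service": "unknown"},
    # Non-DNS on port 53 but bursty, not periodic: caught by check 1 only.
    {"ts": 0, "src": "10.1.7.4", "dst": "198.51.100.21", "dport": 53, "service": "http"},
    {"ts": 50, "src": "10.1.7.4", "dst": "198.51.100.21", "dport": 53, "service": "http"},
    {"ts": 900, "src": "10.1.7.4", "dst": "198.51.100.21", "dport": 53, "service": "http"},
    {"ts": 950, "src": "10.1.7.4", "dst": "198.51.100.21", "dport": 53, "service": "http"},
    # Ordinary TLS session, ignored by both checks.
    {"ts": 300, "src": "10.1.7.4", "dst": "198.51.100.80", "dport": 443, "service": "ssl"},
]


def port_service_mismatch(session: dict) -> bool:
    """Check 1: the DNS port is in use but the payload was not identified as DNS."""
    return session["dport"] == DNS_PORT and session["service"] != "dns"


def interval_regularity(timestamps):
    """Mean inter-arrival gap and its coefficient of variation (CV).

    A CV near 0 means the sessions recur on a fixed schedule; None when
    there are too few gaps to judge.
    """
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    avg = mean(gaps)
    if avg <= 0:
        return None
    return {"mean_gap": avg, "cv": pstdev(gaps) / avg}


def find_beacons(sessions, min_sessions: int = 4, max_cv: float = 0.1) -> list:
    """Check 2: mismatched sessions grouped per (src, dst) whose timing is regular."""
    by_pair = defaultdict(list)
    for s in sessions:
        if port_service_mismatch(s):
            by_pair[(s["src"], s["dst"])].append(s["ts"])
    hits = []
    for (src, dst), ts in by_pair.items():
        if len(ts) < min_sessions:
            continue
        reg = interval_regularity(ts)
        if reg is not None and reg["cv"] <= max_cv:
            hits.append({
                "src": src,
                "dst": dst,
                "sessions": len(ts),
                "mean_gap_s": round(reg["mean_gap"], 1),
                "cv": round(reg["cv"], 4),
            })
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    print(sum(port_service_mismatch(s) for s in SESSIONS), "sessions misuse the DNS port")
    for hit in find_beacons(SESSIONS):
        print("periodic non-DNS traffic on port 53:", hit)
```

Port-based tooling would have counted every one of these sessions as DNS; the mismatch check needs the payload-identified service, which is what full session capture supplies.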

Growing Risk of Advanced Threats

Sponsored by NetWitness
Independently conducted by Ponemon Institute LLC
Publication Date: 30 June 2010

Ponemon Institute© Research Report


Growing Risk of Advanced Threats
Study of IT Practitioners in the United States
Ponemon Institute, 30 June 2010

I. Executive Summary

Ponemon Institute and NetWitness are pleased to present the results of a comprehensive study on
advanced threats. While the definition of what constitutes an advanced threat still varies within the
industry, for purposes of this research we have defined an advanced threat as a methodology employed
to evade an organization’s present technical and process countermeasures which relies on a variety of
attack techniques as opposed to one specific type.

The predominant majority of these threats are represented by unknown, zero-day attacks, but there are
increasingly many instances where known attacks are being re-engineered and repackaged to extend
their usefulness. According to the IT and IT security practitioners in our study, the issue of advanced
threats is of growing concern – with 83 percent stating that they believe their organization has been the
target of such threats in the recent past.

According to our study, the top two problems organizations face in managing advanced threats are insufficient intelligence about threats and insufficient security technologies. The majority of respondents also believe that advanced exploits and malware have successfully evaded the anti-virus (AV) and intrusion detection system (IDS) technologies they primarily rely upon to prevent attacks against their information systems.

In addition to the difficulty in preventing advanced threats, the study reveals how slow organizations are to detect them. It takes one month or longer before an advanced threat is detected, according to 46 percent of respondents, which leaves a very large window of opportunity for any type of nefarious activity. As documented in Ponemon Institute’s Cost of a Data Breach studies, the theft of sensitive and confidential information about customers, employees and business partners can result in devastating economic consequences.[1]

We surveyed 591 IT and IT security practitioners (hereafter referred to as IT practitioners) located in the
United States. We queried these individuals about the following topics:

• Are advanced threats a major, growing problem for organizations?
• Are organizations ready to deal with advanced threats against their organization?
• What is most at risk to an organization when it does not detect an advanced threat?
• What are key problems in managing advanced threats that target their organization and what should organizations do?

Following is a summary of the most salient findings from our study. We expand upon each one of these
findings in the following section of this paper.

• Advanced threats seem to be pervasive and growing. 83 percent of respondents believe their organization has been the target of an advanced threat. 71 percent believe they have seen an increase in advanced threats over the past 12 months and 70 percent say that advanced threats suggest a new, more dangerous threat landscape.

• Uncertainty about the frequency of attacks indicates the difficulty in detecting them. 44 percent of respondents believe they were frequent targets of such threats. However, 41 percent say they were unable to determine how frequently they were targeted, indicating a lack of the proper intelligence required to pinpoint these threats.

[1] See the 2009 Cost of Data Breach: US Study, Ponemon Institute, January 2010.

Sponsored by NetWitness
Ponemon Institute©: Private & Confidential Document Page 1
• Sensitive data is targeted. 50 percent believe the targets of advanced threat attacks were sensitive proprietary data such as source code, non-financial business confidential information and financial information. 48 percent believe the targets were PII including customer or consumer information and employee records.

• Organizational commitment and understanding of the changing threat environment is lacking. Only 24 percent of respondents strongly agree or agree that prevention or quick detection of advanced threats is a top security priority in their organization. Further, only 19 percent believe their IT leaders are fully aware of advanced threats and how they can negatively impact the enterprise.

• Policies and procedures exist but support from personnel and technology seems to be inadequate to address the problem. More than half (58 percent) of respondents believe they have the procedures and policies in place to defend against advanced threats. However, only about one-third (32 percent) report that their security-enabling technologies are adequate and only 26 percent report security personnel are adequate to deal with advanced threats.

• Prevention and detection of advanced threats is difficult. Organizations risk a costly data breach because detection of an advanced threat takes too long. 80 percent of respondents say it takes a day or longer to detect an advanced threat and 46 percent say it takes 30 days or longer. This leaves a huge window of opportunity to steal confidential or sensitive information. In addition, 79 percent believe that advanced threats are very difficult to prevent, detect and resolve.

• The most effective technologies have yet to be deployed. 92 percent of respondents believe network and traffic intelligence solutions are essential, very important or important. Yet, only 8 percent say these technologies are their first choice to detect or prevent an advanced threat. 69 percent of respondents say that AV and 61 percent of respondents say that IDS are typically used to detect or discover advanced threats. Yet, 90 percent report that exploits or malware have either evaded their IDS systems or they are unsure. 91 percent say that exploits and malware have evaded their AV systems or they are unsure. The same percentage (91 percent) believes exploits bypassing their IDS and AV systems to be advanced threats.

II. Key Findings

This section provides details about our most important findings. We organized the paper according to four
major themes that emerged from the findings. These are: attributions about advanced threats; why
organizations face a growing security problem; the lack of preparedness to deal with advanced threats;
and the difficulty in detecting advanced threats. Whenever feasible, we provide a simple graph to
illustrate the result. A tabular presentation may be provided as an alternative illustration when the result is
too complex to graph.

Attributions about advanced threats

Table 1 reports IT practitioners’ agreement with six attributions about their organizations’ approach to
dealing with advanced threats. These findings indicate that respondents are aware of the risk of
advanced threats, but are not prepared to deal with them because of insufficient resources and
personnel.

Table 1: Attributions about Advanced Threats

                                                                        Strongly agree   Agree
My organization has enabling security technologies that effectively
prevent or quickly detect advanced threats.                                   13%        19%
My organization has sufficient resources to prevent or quickly detect
advanced threats.                                                             15%        20%
My organization has security personnel who are well trained and able
to identify and resolve advanced threats.                                     11%        16%
In my organization, IT leaders are fully aware of advanced threats and
how they can negatively impact the enterprise.                                 8%        11%
In my organization, the prevention or quick detection of advanced
threats is a top security priority.                                           10%        14%
My organization is more likely than most other companies to be the
target of advanced threats.                                                   24%        24%

As shown above, 48 percent strongly agree or agree that their organization is more likely than most other
organizations to be the target of advanced threats. However, less than one-third strongly agree or agree
that their organization has enabling security technologies that effectively prevent or quickly detect
advanced threats (32 percent) or resources to prevent or quickly detect advanced threats (35 percent).

Advanced threats are an increasing problem

As shown in Bar Chart 1, 19 percent of respondents say that absolutely their organization has been the
target of an advanced threat. Twenty-eight percent say it is very likely and 36 percent say it is likely. Only
12 percent say it is possible they had an attack and 5 percent say they never had an attack.

Bar Chart 1: Likelihood the organization has been a target

Bar Chart 2 reports 44 percent of respondents believe their organization has been the target of an
advanced threat all the time (12 percent), most of the time (17 percent) or some of the time (15 percent).
However, almost the same percentage (41 percent) can’t determine if they have been the target.

Bar Chart 2: Frequency of advanced threats

The realization that this is a growing threat among IT practitioners is shown in Bar Chart 3, where the
majority of respondents believe attacks are rapidly increasing (35 percent) or increasing (36 percent).

Bar Chart 3: Perceived change over the past 12 months

As shown in Bar Chart 4, the primary consequences of an advanced threat are IT downtime (51 percent),
theft of intellectual property (45 percent) and theft of confidential or sensitive information (44 percent).
Thirty percent report that nothing happened.

Bar Chart 4: What happened as a result of advanced threats

Bar Chart 5 reports the respondent’s views on the most frequent attack techniques that have been
employed against their organizations, which are viruses (91 percent), malware (80 percent) and worms
(67 percent). It is important to note that for the purposes of this research, we have defined an advanced
threat as a methodology employed to evade an organization’s present technical and process
countermeasures which relies on a variety of attack techniques as opposed to one specific type.

Bar Chart 5: Attack techniques employed

Bar Chart 6 shows 79 percent strongly agree or agree that advanced threats are very difficult to prevent,
detect and resolve. In addition, 70 percent believe advanced threats suggest a new, more dangerous
threat landscape.

Bar Chart 6: Perceptions about advanced threats

Organizations do not seem prepared to deal with advanced threats.

There does not appear to be one consistent approach used by IT practitioners to prevent and detect
advanced threats. Specifically, respondents describe their approach for preventing and detecting
advanced threats in Bar Chart 7 as ad hoc (31 percent), a combination of manual procedures and
security technologies (27 percent), mostly a process that relies on perimeter controls such as IDS and AV
solutions (17 percent) and mostly a process that relies on manual controls such as log management
procedures. It is notable that only 8 percent select as their one best choice a process that relies on
network intelligence technologies when considering the findings detailed later in Bar Chart 9.

Bar Chart 7: Process for preventing and detecting advanced threats

Policies and procedures exist but their implementation may be lagging. More than half (58 percent) state
they have the procedures and policies in place to defend against advanced threats (see Bar Chart 8).
However, 50 percent report that their security-enabling technologies are not adequate and 64 percent
report their security personnel are not adequate to deal with the threat.

Bar Chart 8: Defensive capabilities against advanced threats

As shown in Pie Chart 1 below, 51 percent have no dedicated staff to respond to advanced threats and
34 percent have less than two staff members. As revealed throughout these findings, the lack of
personnel who are knowledgeable about advanced threats is making it difficult for IT practitioners to
protect their information systems.

According to Table 2, the key problems organizations in our study face when managing advanced threats
are insufficient intelligence and insufficient technologies. Keeping pace with the rash of sophisticated
attacks is also of concern to more than a quarter of all respondents.

Pie Chart 1: Staff dedicated to advanced threats

Table 2: Problems managing advanced threats
What are the key problems you face in managing advanced threats that target your organization?   Pct%
Insufficient intelligence about threats               45%
Insufficient security technologies                    39%
Insufficient resources                                37%
Lack of well trained or experienced personnel         36%
Keeping pace with the rash of sophisticated attacks   27%
Lack of consistently applied control procedures       12%
Other                                                  2%

Bar Chart 9 shows 92 percent of respondents believe network or traffic intelligence technologies are
important (24 percent), very important (45 percent), or essential (23 percent) to discovering advanced
threats. Only 8 percent say this technology is not important.

Bar Chart 9: Importance of network and traffic intelligence

Discovery of advanced threats is difficult

As shown in Bar Chart 10, only 25 percent are very confident (8 percent) or confident (17 percent) that
their organizations have the ability to detect advanced threats, 37 percent are not confident and 7 percent
are unsure. This finding is consistent with the fact that only 8 percent of organizations in our study select
as their first choice a process that relies upon network intelligence technologies. However, 92 percent
believe those technologies to be important or essential in discovering advanced threats. The more
common approach is ad hoc and a combination of manual procedures and security technologies.

Bar Chart 10: Confidence in detection capability

Bar Chart 11 shows the different ways organizations detect advanced threats. Anti-virus/anti-malware
software (69 percent) and IDS (61 percent) are the two technologies most frequently cited for preventing
or detecting advanced threats. 2

2
Cross-tab analysis revealed that respondents who expressed a very confident or confident response in Bar Chart 10
were almost twice as likely to deploy event correlation management software (SIEM) or network intelligence tools
as respondents who are not confident.

Bar Chart 11: How organizations detect advanced threats

Despite the importance of AV and IDS solutions, as noted in Bar Chart 12, more than 79 percent report
that they have experienced situations when exploits and malware have evaded AV solutions and 71
percent report that exploits and malware have evaded IDS solutions.

According to a recent white paper by NetWitness related to the discovery of a large ZeuS botnet labeled
“Kneber”, the botnet “had less than a 10 percent detection rate among all anti-virus products and the
botnet communication was not identified by existing intrusion systems. This compromise, the scope of
global penetration and the sheer magnitude of the collected data illustrates the inadequacy of signature-based
network monitoring methods used by most commercial and public sector organizations today.” 3

Bar Chart 12: Exploits and malware evade IDS or AV systems (percentage Yes response)

As noted in Bar Chart 13, less than 9 percent of respondents say their organizations are able to detect
the attack immediately. About 26 percent are able to detect an attack within a few hours (11 percent) or
one day (15 percent). Thirty-nine percent report that it is within 30 days (23 percent) or 60 days (16
percent). Only 7 percent of respondents say it takes longer than 60 days, on average, to detect an
advanced threat.

3
See: The “Kneber” Botnet: A ZeuS Discovery and Analysis White Paper, NetWitness 2010 p.2.

The inability of organizations to respond to advanced threats, such as zero days, can immediately result
in significant business impact, such as data loss, disruption of service and malicious attacks upon critical
infrastructure. The “typical” slower than necessary response is unlikely to change for many respondents
given that only 24 percent believe that prevention or quick detection of advanced threats is a top security
priority within their organizations today (see Table 1). As described above, respondents believe that
advanced threats put customer information at risk and this creates a perfect storm for a costly data
breach. 4

Bar Chart 13: Length of time before an advanced threat is detected

Bar Chart 14 reports the average rank for four threat areas, where four is the highest possible rank and
one is the lowest possible rank in terms of significance if detection does not occur. Clearly, the most
significant risk to organizations is the loss of confidential information followed by the theft of trade secrets.

Unfortunately, it is well known that criminals are profiting from the sale of these types of sensitive and
proprietary business information. The ultimate consequence of these data thefts can be devastating for
any organization.
Bar Chart 14: Risks of an undetected advanced threat
Average rank from 4 = most significant to 1 = least significant risk

4
In a study conducted by the Verizon Business RISK team, it was shown that data breaches still go undiscovered and
uncontained for weeks or months in 75 percent of the cases they examined. See 2009 Data Breach Investigations
Report, A Study Conducted by the Verizon Business RISK team.
Bar Chart 15 shows the data most at risk are customer or consumer information, followed by intellectual
property such as source code. Employee records and financial information appear to be at a lower risk
level.

Bar Chart 15: Data most at risk due to advanced threats

III. Final Thoughts & Recommendations

The findings of our research suggest a growing awareness among IT practitioners of the problem of
advanced threats. However, there appears to be a series of problems in confronting the issue:

• In the view of our respondents, senior management does not appear to understand the seriousness
of the threat nor do they appear to be making the issue a top priority.

• Those surveyed believed that they had the proper processes in place but lacked the appropriate
resources, skill sets and technologies needed to combat the problem.

• Detection is a major concern amongst IT practitioners. While most of those surveyed felt confident
that their organizations were the target of advanced threats, nearly half were unable to determine
accurately how frequently they were targeted.

• The two most heavily relied upon technologies for combating advanced threats are Anti-Virus and
IDS but the vast majority of respondents believe that these technologies are inadequate in detecting
these types of threats. Further, they say their A/V and IDS solutions are being bypassed.

• There is overwhelming majority consensus that network and traffic intelligence solutions are needed
to detect and combat advanced threats but only a very slim minority currently have these solutions in
place.

We believe there are four important recommendations for organizations:

1. Senior management must be educated on the seriousness of the advanced threats issue in order to
garner support for the investments in people and technology required to combat the problem.

2. There is a need to train existing security teams and hire new team members in advanced threat
detection techniques.

3. Over-reliance on A/V and IDS solutions has weakened the collective security posture, as these
solutions cannot stand up in the face of the advanced threats we now see.

4. New solutions focused on network and traffic intelligence are seen as the best way to combat
advanced threats and much broader adoption is required.

IV. Methods and Demographics

A sampling frame of nearly 12,000 adult-aged individuals who reside within the United States was used to
recruit and select participants to this survey. Our randomly selected sampling frame was built from
several proprietary lists of experienced IT and IT security practitioners. In total, 702 respondents
completed the survey. Of the returned instruments, 111 surveys failed reliability checks. A total of 591
surveys were used as our final sample, which represents a 5 percent response rate.

Table 3: Sample response       Freq.    Pct%
Total sampling frame           11,930   100%
Invitations sent               10,991    92%
Bounce-back                     1,816    15%
Total response                    702     6%
Rejections for reliability        111     1%
Final sample                      591     5%

Pie Chart 3 reports the primary industry sector of respondents’ organizations. As shown, the largest
segments include financial services (19 percent), government (16 percent), and healthcare (11 percent).

Pie Chart 3: Industry distribution of respondents’ organizations

Table 4 reports the respondent organization’s global headcount. As shown, a majority of respondents
work within companies with more than 1,000 employees. Over 51 percent of respondents are located in
larger-sized companies with more than 5,000 employees.

Table 4: The worldwide headcount of your organization?   Pct%
Less than 500 people        11%
500 to 1,000 people         14%
1,001 to 5,000 people       25%
5,001 to 25,000 people      28%
25,001 to 75,000 people     19%
More than 75,000 people      4%
Total                      100%

Table 5 reports the respondent’s primary reporting channel. As can be seen, 52 percent of respondents
are located in the organization’s IT department (led by the company’s CIO). Seventeen percent report to
the company’s security officer or CISO.

Table 5: Respondent’s primary reporting channel   Pct%
Chief Financial Officer (CFO)                  3%
Chief Technology Officer (CTO)                 7%
Chief Information Officer (CIO)               52%
Chief Information Security Officer (CISO)     17%
Compliance Officer                             7%
Chief Security Officer (CSO)                   4%
Chief Risk Officer                             7%
Other                                          2%
Total                                        100%

Table 6 reports the respondent organization’s global footprint. As can be seen, a large number of
participating organizations are multinational companies that operate outside the United States, Canada
and Europe.

Table 6: Geographic footprint of respondents’ organizations   Pct%
United States     100%
Canada             63%
Europe             65%
Middle East        16%
Asia-Pacific       29%
Latin America      31%

Table 7 reports the approximate position level or title of respondents. As shown, a majority of
respondents state they are at or above the supervisory level (56 percent). The mean experience of
respondents in this study is 11.12 years and the median is 10.5 years.

Table 7: Respondent’s self-reported position level   Pct%
Senior Executive     1%
Vice President       2%
Director            17%
Manager             21%
Supervisor          15%
Technician          32%
Staff                5%
Contractor           5%
Other                3%
Total              100%

V. Caveats

There are inherent limitations to survey research that need to be carefully considered before drawing
inferences from findings. The following items are specific limitations that are germane to most Web-based
surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent surveys
to a representative sample of individuals, resulting in a large number of usable returned responses.
Despite non-response tests, it is always possible that individuals who did not participate are
substantially different in terms of underlying beliefs from those who completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which the list is
representative of individuals who are IT or IT security practitioners. We also acknowledge that the
results may be biased by external events such as media coverage. We also acknowledge bias
caused by compensating subjects to complete this research within a holdout period. Finally, because
we used a Web-based collection method, it is possible that non-Web responses by mailed survey or
telephone call would result in a different pattern of findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated into the
survey process, there is always the possibility that a subject did not provide a truthful response.

Appendix I: Survey Details
The survey was conducted in April and May 2010. Our sampling frame includes qualified IT and IT security
practitioners located in business and government organizations in the United States.

Sample response                Freq.    Pct%
Total sampling frame           11,930   100%
Invitations sent               10,991    92%
Bounce-back                     1,816    15%
Total response                    702     6%
Rejections for reliability        111     1%
Final sample                      591   5.0%

I. Background
Q1a. Have you experienced situations when exploits and malware have evaded your IDS?   Pct%
Yes       71%
No        10%
Unsure    19%
Total    100%

Q1b. Have you experienced situations when exploits and malware have evaded your AV solutions?   Pct%
Yes       79%
No         9%
Unsure    12%
Total    100%

Q1c. Do you consider any of these exploits as an advanced threat?   Pct%
Yes       91%
No         9%
Total    100%

Q1d. What other terms are used to describe an advanced threat? Please select all that apply.   Pct%
Advanced persistent threat    50%
Emerging threat               41%
Spear-phishing                38%
SQL Injection                 33%
Cyber warfare                 25%
Continuous attack             21%
Cyber terrorism               21%
Denial of service attack      19%
Other                          9%
Total                        257%

II. Attributions
Please rate your opinions for Q2a to Q2f using the scale provided below each statement.   Strongly agree   Agree
Q2a. My organization has enabling security technologies that effectively prevent or quickly detect advanced threats.   13%   19%
Q2b. My organization has sufficient resources to prevent or quickly detect advanced threats.   15%   20%
Q2c. My organization has security personnel who are well trained and able to identify and resolve advanced threats.   11%   16%
Q2d. In my organization, IT leaders are fully aware of advanced threats and how they can negatively impact the enterprise.   8%   11%
Q2e. In my organization, the prevention or quick detection of advanced threats is a top security priority.   10%   14%
Q2f. My organization is more likely than most other companies to be the target of advanced threats.   24%   24%
Average   14%   17%

III. Experience
Q3a. Has your organization been the target of an advanced threat? Pct%
Absolutely 19%
Very likely 28%
Likely 36%
Possible [Go to 4a] 12%
Never [Go to 4a] 5%
Total 100%

Q3b. To the best of your knowledge, how often has your organization
been the target of an advanced threat over the past 12 months? Pct%
All the time 12%
Most of the time 17%
Some of the time 15%
Rarely 9%
Never 6%
Can’t determine 41%
Total 100%

Q3c. How has the frequency or rate of advanced threats changed over the past 12 months?   Pct%
Rapid increase     35%
Increase           36%
No change          15%
Decrease           10%
Rapid decrease      4%
Total             100%

Q3d. What happened to your organization as a result of an advanced
threat? Please select all that apply. Pct%
Nothing happened 30%
IT downtime 51%
Business interruption 26%
Theft of confidential or sensitive information 44%
Theft of intellectual property 45%
Damage to IT infrastructure 6%
Damage to software (source code) 7%
Destruction of information asset 2%
Other 0%
Total 211%

Q3e. What advanced threat attack methods or technologies were unleashed against your organization?
Please select up to four most frequently experienced attack methods.   Pct%
Viruses                            91%
Worms                              67%
Trojans                            32%
Botnets                            35%
Malware                            80%
Phishing scam                      26%
Malicious code (SQL injection)     29%
Social engineering                 25%
Other                               3%
Total                             388%

Q3f. Typically, how does your organization detect or discover advanced threats?
Please select up to four most likely discovery methods.   Pct%
Warning from law enforcement or intelligence agencies    16%
Warning from InfoSec community                           21%
Notice from a bona fide CERT                             36%
Network or traffic intelligence software                 29%
Event correlation management software                    28%
Managed or outsourced security provider                  25%
Anti-virus & anti-malware software (AV)                  69%
Intrusion detection systems (IDS)                        61%
Intrusion prevention systems (IPS)                       49%
Discovered AT by accident                                45%
Other (please specify)                                    3%

Q3g. Typically, how long does it take you and your organization to detect an advanced threat?   Pct%   Extrapolated days
Immediately (zero days)     9%    0.00
Within a few hours         11%    0.02
Within one day             15%    0.15
Within one week            19%    1.33
Within 30 days             23%    6.90
Within 60 days             16%    9.60
More than 60 days           7%    5.04
Total                     100%   23.04

Q4a. How familiar are you with ZeuS? Pct%
Very familiar 20%
Familiar 43%
Not familiar 29%
No knowledge 8%
Total 100%

Q4b. Has your organization been the victim of a ZeuS botnet?   Overall   Familiar & Very familiar
Yes       35%    57%
No        26%    34%
Unsure    39%     9%
Total    100%   100%

Q5a. How familiar are you with Spear-Phishing?   Pct%
Very familiar     23%
Familiar          49%
Not familiar      22%
No knowledge       6%
Total            100%

Q5b. Has your organization been the victim of Spear-Phishing?   Overall   Familiar & Very familiar
Yes       23%    39%
No        41%    51%
Unsure    36%    10%
Total    100%   100%

Q6. With respect to technologies, personnel, policies and resources, how would you describe your
organization’s defensive capabilities against advanced threats?   Adequate   Inadequate
Security enabling technologies    32%   50%
Security personnel                26%   64%
Policies & procedures             58%   23%
Budget resources                  28%   61%

Q7. Please rate the following statements using the scale provided below.   Strongly agree   Agree
Q7a. Nation-state sponsored advanced threats occur frequently.                        8%   13%
Q7b. Criminal group sponsored advanced threats occur frequently.                     16%   28%
Q7c. Advanced threats suggest a new, more dangerous threat landscape.                26%   44%
Q7d. Advanced threats are simply another form of computer crime (i.e., nothing new).  18%   16%
Q7e. Advanced threats are very difficult to prevent, detect and resolve.             29%   50%

Q8. In what countries do advanced threats come from? Please
select the top five countries from the following list. Pct%
China (PRC) 25%
Russian Federation 14%
Romania 10%
Brazil 9%
Czech Republic 6%
UAE (Dubai) 6%
All other countries 28%
Total 100%

Q9. What industries do you see as the most susceptible to an advanced threat attack?   Pct%
Financial services        23%
Technology & software     20%
Communications            13%
Government                11%
Energy                     8%
All others                25%
Total                    100%

Q10. Has your organization been the target of an advanced threat? Pct%
Absolutely 20%
Very likely 28%
Likely 35%
Possible 17%
Never 0%
Total 100%

Q11a. What is most at risk within your organization as a result of an advanced threat that goes
undetected? Please rank from 1 = most at risk to 4 = least at risk.   Forced rank   Rank order
Business disruption and continuity     2.55   3
Damage to critical infrastructure      3.64   4
Loss of confidential information       1.83   1
Theft of trade secrets                 1.98   2
Average                                2.50

Q11b. What data is most at risk within your organization as a result of advanced threats that go undetected?   Pct%
Intellectual property such as source code             23%
Customer or consumer information                      33%
Employee records                                      15%
Non-financial business confidential information       19%
Financial business confidential information            8%
Others                                                 2%
Total                                                100%

Q12. Omitted during instrument pretest

Q13. What level of staffing do you have to respond to advanced threats throughout the enterprise?   Pct%   Extrapolated dedicated staff
No dedicated staff       51%   0
Less than 2              34%   0.51
Between 2 and 5           9%   0.32
Between 6 and 10          6%   0.48
Between 11 and 15         0%   0
Greater than 15           0%   0
Total                   100%   1.31

Q14. What best describes the process for preventing and detecting advanced threats in your organization
today? Please select one best choice.   Pct%
An “ad hoc” process                                                                       31%
Mostly a process that relies on manual controls such as log management procedures         16%
Mostly a process that relies on perimeter controls such as IDS and AV solutions           17%
Mostly a process that relies on network intelligence technologies                          8%
A combination of manual procedures and security technologies                              27%
None of the above                                                                          0%
Total                                                                                    100%

Q15. Who is most responsible for preventing and detecting advanced threats against your organization?   Pct%
Information technology department     57%
Information security department       23%
Compliance department                 12%
Legal department                       0%
Business unit managers                 5%
Human resource department              0%
Other                                  3%
Total                                100%

Q16. How confident are you that your organization has the ability to detect advanced threats that attack
your organization?   Pct%
Very confident 8%
Confident 17%
Somewhat confident 30%
Not confident 37%
Unsure 7%
Total 100%

Q17. In your opinion, what are the key problems you face in
managing advanced threats that target your organization? Please
select only your top two choices. Pct%
Insufficient intelligence about threats 45%
Insufficient security technologies 39%
Keeping pace with the rash of sophisticated attacks 27%
Lack of consistently applied control procedures 12%
Insufficient resources 37%
Lack of well trained or experienced personnel 36%
Other (please specify) 2%
Total 199%

Q18. How important are network or traffic intelligence technologies for your organization’s ability to
defend itself against advanced threats?   Pct%
Essential          23%
Very important     45%
Important          24%
Not important       8%
Irrelevant          0%
Total             100%

Q19. In your opinion (best guess), what dollar range best describes the total cost incurred by your
organization in the past 12 months to defend it against advanced threats?   Pct%   Extrapolated value in $millions
Less than $1 million 7% 0.05
Between $1 to 5 million 9% 0.26
Between $6 to $10 million 15% 1.20
Between $11 to $15 million 23% 3.00
Between $16 to $20 million 20% 3.56
Between $21 to $30 million 15% 3.85
Between $31 to $40 million 5% 1.92
Between $41 to $50 million 2% 0.90
Between $51 to $60 million 0% 0.00
Between $61 to $70 million 1% 0.65
Between $71 to $80 million 0% 0.00
Between $81 to $90 million 1% 0.93
Between $91 to $100 million 0% 0.00
Over $100 million 2% 2.64
Total 100% 18.97

IV. Your role
D1. What organizational level best describes your current position? Pct%
Senior Executive 1%
Vice President 2%
Director 17%
Manager 21%
Supervisor 15%
Technician 32%
Staff 5%
Contractor 5%
Other 3%
Total 100%

D2. Check the Primary Person you or your IT security leader reports
to within the organization. Pct%
CEO/Executive Committee 0%
Chief Financial Officer (CFO) 3%
Chief Technology Officer (CTO) 7%
Chief Information Officer (CIO) 52%
Chief Information Security Officer (CISO) 17%
Compliance Officer 7%
Human Resources VP 0%
Chief Security Officer (CSO) 4%
Chief Risk Officer 7%
Other 2%
Total 100%

Mean Median
D3. Total years of relevant work experience 11.12 10.5

D4. What industry best describes your organization’s industry focus? Pct%
Communications 7%
Consumer products 6%
Defense 3%
Education 3%
Energy 2%
Financial services 19%
Government 16%
Health & pharma 11%
Hospitality 3%
Industrial 4%
Media 2%
Retail 6%
Services 4%
Technology 5%
Transportation 4%
Other 3%

D5. Where are your employees located? (check all that apply):   Pct%
United States                        100%
Canada                                63%
Europe                                65%
Middle East                           16%
Asia-Pacific                          29%
Latin America (including Mexico)      31%
Total                                304%

D6. What is the worldwide headcount of your organization?   Pct%
Less than 500 people        11%
500 to 1,000 people         14%
1,001 to 5,000 people       25%
5,001 to 25,000 people      28%
25,001 to 75,000 people     19%
More than 75,000 people      4%
Total                      100%

Please contact research@ponemon.org or call us at 800.877.3118 if you have any questions.

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible information and
privacy management practices within business and government. Our mission is to conduct high quality, empirical
studies on critical issues affecting the management and security of sensitive information about people and
organizations.

As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict data
confidentiality, privacy and ethical research standards. We do not collect any personally identifiable information from
individuals (or company identifiable information in our business research). Furthermore, we have strict quality
standards to ensure that subjects are not asked extraneous, irrelevant or improper questions.

NextGen™ Informer

NetWitness Informer sets a new standard for network security analytics. As part of the
NextGen AppSuite, Informer is the application for enterprise-wide visualization, alerting,
reporting and real-time situational awareness. Informer outperforms traditional network
security products on the market because it highlights critical areas of concern which are
blind spots to traditional security products. Informer does not simply rely on log files,
netflow or other limited data sets to generate alerts – it harnesses the network forensics
accuracy of the NextGen full packet capture infrastructure.

By having every session, communication, service, application and user’s activity recorded, reconstructed
and exposed for analysis, the possibilities are endless as to what can be done in Informer. Zero day
malware, botnets, policy evasion tactics, intentional data exfiltration, anomalous communications,
compliance gaps, and other trends occurring on your network can become quickly apparent through
Informer’s rules-based approach and dashboard. Informer uses a fully interactive and intuitive web-based
graphical user interface (UI) for viewing alerts, charting and tiled views, and employing the hundreds of
standard reports and alerts.

The UI also enables users of any skill level to quickly build their own custom alerts, queries, reports and
rules. Informer is designed to immediately integrate into your existing security operations processes and
deliver a level of real-time situational awareness that was previously unachievable.

Visualize

Visualize presents application and user content in a revolutionary way. Visualize is an extremely powerful
analytical capability that enables a user (e.g. an analyst, incident responder, investigator) to zoom in and
out of collected traffic using their mouse or fingers, if equipped with a multi-touch monitor, and to drill
down and see exactly what transpired over the course of time.

Users can quickly and efficiently scan through large volumes of objects such as audio, documents, images
and video captured by NextGen, render a visual timeline of an event, deeply interrogate all the activity
(e.g. communications, data sent and received, audio transmissions, etc.), and understand all the rich
context associated with each object. Visualize enables users to leverage all the rules, keyword searches,
and other filters created in Informer to further refine and process the presented information. This
capability drives efficiency and accuracy into many security use cases.

Visualize Use cases

Exfiltration of Proprietary Information
The ability to monitor and examine all images such as diagrams, schematics, whiteboard drawings, and
other images captured by a mobile phone and sent outside the corporate network.

Employee Investigation
What documents has an employee downloaded, sent or received during the last 6 months? Was there
corporate confidential information in any of the documents, such as financial information, released before
a quarterly announcement? Has an employee’s productivity improved after being placed on performance
review probation?

Data Leakage Monitoring
The ability to create a daily report to inspect every document sent and received over the network during
the past 24 hours regardless of port or protocol. Analysts can interrogate for corporate policy violations,
Internet usage monitoring or offensive activities.

Features
»» Flexible dashboard, chart and summary displays for unified view of real-time captured data
»» Fully customizable, XML-based rules and report library for infinite report and alert combinations
»» Supports CEF, SNMP, syslog, and SMTP data push for integration in SIEM and network security
monitoring technologies
»» Flexible, WYSIWYG drag-and-drop report builder and scheduling engine
»» Full role-based access controls
»» HTML and PDF report output formats
»» Easily navigate sessions in both grid or chronological views
»» Intuitive zoom in/zoom out UI with on-demand session information for each image
»» Interactive through the use of a multi-touch monitor
»» Integrates bidirectionally with NextGen Investigator
»» Offered as Windows® software – integrated appliance for deployment flexibility

Appliance Models
Sku               NWA100-4i              NWA200-N-8i
Model             100 series             200 series
Processor         Dual-Core              Quad-Core
RAM               4GB                    8GB
Interfaces        (2) 100/1000 Copper    (2) 100/1000 Copper
Storage           2TB Redundant          8TB Redundant
Power             Single 260W            Redundant 400W
Form Factor       1U, Half-Depth         1U, Full-Depth
Maximum Weight    25 lbs                 34 lbs

About NetWitness
NetWitness® is the next-generation network monitoring platform that delivers clarity and definitive answers to improve security and optimize risk management. By recording a
content-based and contextual understanding of an organization’s network activity, we provide forensic accuracy into past activities, real-time analysis for situational awareness, and
the agility to adapt and confront tomorrow’s challenges.

NetWitness Corporation | 500 Grove Street, Suite 300 | Herndon, VA 20170
T: 703.889.8950 | F: 703.651.3126 | sales@netwitness.com
Learn more at netwitness.com
NextGen™ Investigator

1. Interactive user interface to drill into multiple dimensions of recorded traffic across all network layers.

2. View any network sessions and visualize your network traffic via Google Earth.

Investigator is based upon more than 10 years of development and deployment experience in some of the
most demanding and complex customer environments. NetWitness® Investigator is the primary interactive
analysis application of the NetWitness NextGen AppSuite. Investigator provides unprecedented free-form
contextual analysis on massive volumes of information exposed by the NetWitness NextGen infrastructure.
Over 35,000 security professionals in 5,000 organizations across 179 countries rely upon NetWitness
Investigator for answers.

When you need clarity and definitive answers to the most challenging questions, you need a level of fine-grained detail and the agility to quickly and efficiently examine application layer sessions in a way that is easy to comprehend. Unlike other products which display network traffic in the context of confusing network nomenclature and force an IP-centric view of the world, Investigator uses the NextGen Metadata Framework, a lexicon of nouns, verbs and adjectives — characteristics of the actual application layer content and context parsed by NextGen during session reconstruction at the time of capture. With its customizable user interface and unprecedented analytics, Investigator lets users analyze their network traffic in unlimited dimensions for complete situational awareness.

Analysis that previously took days, now only takes minutes to perform. Users of Investigator can easily perform automated and interactive analyses of complex security problems. In addition, Investigator can be launched with one-click to provide forensic confirmation or refute any event triggered in an existing IDS or SIEM (security information and event management) console by using NetWitness’ SIEM Link, a utility application that transparently provides direct access to NetWitness analytics. With the fusion of NetWitness Live, the extent and magnitude of a situation can be further illuminated to achieve the definitive accuracy required in today’s business environment.

Deployment
NetWitness Investigator has the flexibility to locally capture live traffic and process packet files from virtually any existing network collection device for quick and easy analysis. Investigator is fully integrated with all NetWitness NextGen products and is licensed on a per computer host basis. In addition, Investigator can be used to locally process packet files and record in real-time from a network tap or span port with immediate insight into network traffic.

Features
»» Real-time, Patented OSI Layer 2–7 analytics
»» Enhanced content views
++ Effectively analyze data starting from application layer entities like users, email, address, files, and actions.
++ Unlimited, free-form analysis dimensions
++ Content starting points
»» Captures in real-time from any wired or wireless interface
»» Full content search, with Regex support
»» Patented method for decapsulating protocols and applications
»» Interactive time charts and summary view
»» Interactive packet view and decode
»» Patented port agnostic service identification
»» Extensive network and application layer filtering (e.g. MAC, IP, User, Keywords, Etc.)
»» IPv6 support
»» SSL Decryption (with server certificate)
»» Exports data in .pcap format for malware analysis and content inspection
»» Hash Pcap on export
»» Imports packets from any packet capture system (e.g. open-source, custom built and commercial) in .pcap file format
»» Bookmarking & History Tracking
»» Traffic visualized geographically via Google Earth
»» Supports SNORT rules
»» Identification of encrypted traffic

Minimum system requirements:

NetWitness recommends the following minimum hardware requirements for NetWitness Investigator:

»» Windows® 2003 Server or Vista 32-bit
»» Single 2Ghz Intel-based processor (Dual-core recommended)
»» 1GB RAM (2GB Recommended)
»» Internet Explorer v7+ (IE v6 may limit some functionality)
»» 1 Ethernet Port
»» Ample data storage to process and collect

NextGen™ Live

As the threat landscape evolves, what’s the best way to directly leverage the collective
intelligence and analytical skills of the worldwide security community to ensure that you
have the most current visibility into attack vectors?

Attack methodologies and exploit frameworks are evolving at staggering rates. The enterprise security intelligence (ESI) available to information security professionals increases by the day, but can be overwhelming and often lacks prioritization or a means of direct operational implementation. Proactive threat management also requires the creation of queries that consider zero-day attack vectors, improved analytics and accuracy, and optimal decision making, but many security teams do not have the time, the training, or technology to create this custom content.

NetWitness Live gathers the best intelligence, analytics and content in the security community: the ideas, research, ongoing tracking and analysis – and brings it directly into your security operations center to definitively classify computers associated with botnets, malware and other malicious exploits. NetWitness changes the paradigm by aggregating, correlating and illuminating only the most pertinent information relevant to an organization; as a result, providing the clarity and definitive answers you need to inform and enable optimal risk management decisions.

NetWitness Live provides a uniquely configurable dashboard for managing a wide variety of content within the NetWitness NextGen solution.

»» Transparent Integration: Live enables automated fusion of open source, commercial, and confidential threat and fraud intelligence with your organization’s live and recorded network traffic. This powerful combination provides unmatched visibility into the intent, scope and magnitude of advancing threats and enhances a user’s ability to identify and prioritize changes to internal and external risk profiles. It answers definitively, “Were we hit by this newly discovered threat?”

»» Multi-source Intelligence: Information is sourced from some of the most trusted names in the industry including SANS Internet Storm Center, SRI Malware Threat Center, ShadowServer, U.S. Department of Treasury, and others. Additional content will be incorporated on a regular and ongoing basis.

»» NetWitness Profilers: In addition to the ESI feeds, NetWitness Live also provides a single platform and location for NetWitness-verified and published Profilers: indicators, parsers, reports, rules and software modules to help identify and verify the latest threats to your information.

»» Identity: It is increasingly important to associate data and activity with the behavior of a specific user. NetWitness Live supports integration with Microsoft Active Directory through the Live Manager.

Unlike other services which focus on single source intelligence, NetWitness Live enables users to tailor their sources received, the Profilers used and the ability to employ their own intelligence according to their unique environment and threat profile. NetWitness has partnered with some of the most trusted, reliable providers in the open-source, commercial, private and research communities to provide the most dynamic, comprehensive threat intelligence service available.

Service Packages
Live is available at two levels: Basic and Enhanced. Premium sources can be added to an Enhanced subscription for additional customization and industry-specific content.

Basic [Free]: Open Source Threat Intelligence, Advanced Threat Content
» Informer Threat/Security Reports
» BOT/C2 Reports
» Exploit Kit Identification
» Zero-Day Indicators
» Compromise Indicators
» Suspicious and Information Warnings
INTELLIGENCE SOURCES: SANS Top 10,000 Senderbase, Zeustracker, MalwareDomains, SRI, MalwareURL, Shadow Server and more...

Enhanced [subscription]: Corroborated Intelligence, User Identity, Compliance/Policy Content
» Trend Intelligence
» Anonymous Proxies
» Website Classification
» Active Directory - Base User Identity Feed
» Compliance and Policy-based Reporting

Premium [subscription]: Fraud Intelligence, Financial Services Intelligence, SPAM/PHISH/EXPLOIT Intelligence
» A La Carte Service
» Must be Enhanced Customer

Features
»» Proactively optimize and automate insight into advanced threats specific to your environment
»» Reduce time to identify, assess and respond to incidents, improve staff efficiency and time to incident closure
»» Real-time, reliable and credible multi-source threat intelligence
»» Ability to integrate your own threat intelligence sources via Live Manager
»» Definitively classify computers associated with botnets, malware and other malicious exploits
»» Identify network traffic associated with computers of the Specially Designated Nationals List (SDN)
»» Standard report rules, categories and templates are available:
++ Security – profile and alert on zero-day, botnets, malware and other intrusion activity with complete content
++ IT Operations – report and trend metrics across the OSI layers
++ Business Intelligence – profile data movement in real-time with full access to all events and content surrounding anomalous activity
++ Insider Threat – monitor and profile computer, user, and resource activity across every application and device
++ Legal – support e-Discovery, criminal and HR investigations, or liability audits through network entity profiling and full content analysis
»» Synchronize with verified NetWitness content derived from best of breed data feeds

Minimum system requirements:

»» Windows® XP, 2003 Server, Vista, Windows 7
»» Internet Explorer 6+ or Firefox
»» 1 Ethernet Port
»» NetWitness Investigator & NextGen capture infrastructure

NextGen™ Infrastructure

In today’s rapidly evolving threat environment, how do you know what is really happening
on your network? With the ability to record and analyze everything (every session,
communication, service, application and user), you can always know with clarity and
definitive answers what did or did not occur on your network and obtain an unprecedented
level of situational awareness and continuous monitoring.

The NetWitness NextGen™ is the single core security platform that makes this capability a reality through three core components: Decoder, Concentrator and Broker. Decoder is the cornerstone and the frontline component of an enterprise-wide network data recording and analysis infrastructure. Decoder is a highly configurable network appliance that enables the real-time collection, filtering, and analysis of all network data. Position Decoder(s) wherever you want on the network: egress, core, or segment.

Unlike any other packet capturing or network monitoring product on the market, Decoder fully reassembles and globally normalizes network traffic at every layer of the OSI model for real-time, full session analysis. The appliances can be operated in continuous capture mode or tactically to consume network traffic from any source. Decoder’s patented technology represents a breakthrough in network monitoring that dynamically creates a complete ontology of searchable metadata across all network layers and user applications.

Decoders are architected to work in conjunction with Concentrators that aggregate metadata for analysis from all Decoders in real-time, and Broker which provides a real-time, single enterprise view across your entire network.

Concentrator is designed to aggregate metadata hierarchically to enable scalability and deployment flexibility across various organization-specific network topologies and geo-locations. As a result, Concentrators can be deployed in tiers to provide visibility and high availability into multiple Decoder capture locations.

Broker operates at the highest level of the hierarchical NextGen infrastructure. Its function is to facilitate queries across an entire enterprise-wide deployment where multiple Concentrators are employed. Broker provides a single point of access to all the NextGen metadata and is designed to operate and scale in any network environment, independent of network latency, throughput, or data volume.

Depending on your network topology and operational performance requirements, all or a subset of the NextGen components could be required to create a flexible, scalable infrastructure that grows with your business.

[Figure: NextGen architecture. Decoders (D), Concentrators (C) and Brokers (B) deployed across Europe, Headquarters and Asia feed the NextGen™ Metadata Framework (nouns, verbs and adjectives such as users, computers, applications, content, time, process and resource), which is consumed by Informer (automated reporting and alerting), Investigator™ (interactive network forensics), SIEMLink™ (seamless integration), Visualize (content monitoring and visualization) and Live.]

The NextGen infrastructure is designed to interoperate directly with NextGen AppSuite products: Investigator, Informer, Visualize, Live and SIEMLink. In addition to standard content, users can create their own custom applications that meet their operational and business needs by utilizing our open API/SDK to seamlessly integrate with the NextGen platform and to extend the value of their investment. By having all this information immediately accessible, customers have the agility to respond to emerging threats and forensic investigations, identify broken business processes, mitigate intentional data exfiltration and confront tomorrow’s challenges. NextGen represents the intersection of network telemetry and rich application layer content and context that differentiates NetWitness® from any other solution on the market.

Features
»» 64-bit Linux-based, highly configurable network appliances
»» Up to 10Gbps throughput performance
»» Applies metadata for efficient indexing, storage and searchability
»» Scalable architecture to create a distributed recording framework
»» File object exporting (.exe, .pdf, .doc, .gif, .jpeg, .wav, .mps and many others)
»» Integrates with expandable DAS storage and SAN solutions, including EMC and NetApp
»» Integrates with NetWitness Live to add list-based content and context, including NetWitness Profilers (indicators, parsers, reports and rules), to recorded network information
»» Available open API/SDK to empower custom application development
»» FlexParse™ enabled for rapid, user defined parsing and modeling
»» Supports RSA SecurID and LDAP authentication
»» Supports SNORT signatures
»» Protocol and application exploitation: HTTP, FTP, TFTP, TELNET, SMTP, POP3, NNTP, DNS, SOCKS, HTTPS, SSL, SSH, Vcard, PGP, SMIME, DHCP, NETBIOS, SMB/CIFS, SNMP, NFS, RIP, MSRPC, Lotus Notes®, TDS(MSSQL), TNS(Oracle®), IRC, Lotus Sametime®, MSN IM, RTP, Gnutella, Yahoo Messenger, AIM, SIP, H.323, Net2Phone®, Yahoo Chat, SCCP (Cisco® Skinny), Bittorrent, GTALK, Hotmail, Yahoo Mail, GMail, TOR, Social Networking, Fast Flux, VLAN tagging and many others.

Appliance Models

Model                    | Processor      | RAM         | Interfaces              | Storage              | Power               | Form Factor    | Weight
Broker 100 series        | Dual-Core      | 8GB         | 100/1000 Copper (2)     | 2TB Redundant        | Single 260W         | 1U, Half-Depth | 25 lbs
Broker 200 series        | Quad-Core      | 8GB         | 100/1000 Copper (2)     | 4TB Redundant        | Redundant Max 450W  | 1U, Full-Depth | 34 lbs
Concentrator 1200 series | Quad-Core      | 32GB        | 100/1000 Copper (2)*    | up to 12TB Redundant | Redundant Max 850W  | 2U, Full Depth | 66 lbs
Concentrator 2400 series | Dual Hex-Core  | up to 128GB | 100/1000 Copper (2)*    | 14.5TB Redundant     | Redundant Max 800W  | 2U, Full Depth | 65 lbs
Decoder 100 series       | Dual-Core      | 8GB         | 100/1000 Copper (2)     | 2TB Not Redundant    | Single 260W         | 1U, Half-Depth | 25 lbs
Decoder 1200 series      | Quad-Core      | 16GB        | 100/1000 Copper (6)**   | 12TB Redundant       | Redundant Max 850W  | 2U, Full Depth | 66 lbs
Decoder 2400 series      | Hex-Core       | 32GB        | 100/1000 Copper (6)**   | 24TB Redundant       | Redundant Max 800W  | 2U, Full Depth | 65 lbs
Eagle 50 series          | Quad-Core      | up to 16GB  | (2) 100/1000 Copper     | up to 4TB Redundant  | Single up to 520W   | Briefcase      | up to 20 lbs
Hybrid 200 series        | Dual Quad-Core | 32GB        | 100/1000 Copper (2)     | 8TB Redundant        | Redundant Max 700W  | 1U, Full-Depth | 34 lbs

* Optional (2) 1Gbps Fiber
** Optional (2) 1Gbps Fiber or (1) 10Gbps Adapter


Platform Options

To meet your growth needs and operational use cases, NetWitness has developed a series of high performance NextGen platform options:

Portable – NetWitness Eagle is a portable and compact version of the NetWitness Decoder. Eagle enables powerful and rapid field deployment of the NetWitness network monitoring platform with a briefcase-size footprint. Unlike other portable solutions, Eagle also supports Wi-Fi monitoring with the same level of forensic analytics the NetWitness community has come to expect.

Branch – For optimizing branch performance on a single platform and lowering total cost of ownership, the NetWitness NextGen Hybrid is a combined Decoder/Concentrator platform. Hybrid enables the branch office or small security team to scale to next-generation requirements and still meet important operational security initiatives for responsive incident management and threat mitigation capabilities.

Data Center – For high availability, enterprise-wide environments, NetWitness NextGen Decoder, Concentrator and Broker appliances offer the deployment flexibility to meet bandwidth and storage performance requirements. NextGen’s hierarchical architecture allows geographically dispersed locations to be sized appropriately while maintaining operational standards for real-time situational awareness.

Service Provider – For the most demanding environments that require unlimited scalability and global network monitoring, the NetWitness NextGen platform brings industry-leading technology and experience to support any security operations team. From a global organization operating their own backbone to national service providers, NextGen offers an extensible platform to maximize investment value and deliver the operational performance needed to inform and enable better risk management and business decisions.

Each NextGen component has a critical role in enabling scalability and achieving an organization’s operational performance metrics. In order to enable application layer traffic analysis in real-time at Data Center and Service Provider levels, a next-generation computing architecture must scale out as well as scale up. The distributed and hierarchical nature of NetWitness’ NextGen infrastructure allows an organization to incrementally add traffic processing, database and storage capacity as-needed. The “one box does it all” at the point of capture simply cannot maintain system integrity and performance while processing network traffic and running analytical queries at the same time. Moreover, recording traffic without being able to use or analyze it does not satisfy customer expectations.

NextGen Platform Options

Portable (Tactical)
Usage: Incident Response, Tactical Operations
Model: NWA50 “Eagle”
Features: Briefcase form-factor; Encrypted/Removable Drives; 2TB Retention

Branch (Fixed Capacity)
Usage: Remote Office, Managed Services, Small Security teams
Model: NWA200 Hybrid
Features: 1U form-factor; Fixed capacity; Distributed visibility; 8TB Retention

Data Center (High Performance)
Usage: Enterprise Monitoring, SOC Operations
Models: NWA1200/2400 Decoder, NWA1200/2400 Concentrator, NWA100 Broker
Features: 1U & 2U form-factors; Bandwidth Scalable; Distributed visibility; 12 or 24TB Retention; DAS & SAN Storage Available

Service Provider (Unlimited Scalability)
Usage: National Monitoring, Large SOC Operations, Indefinite retention
Models: NWA1200/2400 Decoder, NWA1200/2400 Concentrator, NWA100 Broker
Features: 1U & 2U form-factors; Bandwidth Scalable; Distributed visibility; 12 or 24TB Retention; DAS & SAN Storage Available

Throughput scale (Portable to Service Provider): 100Mbps | 250Mbps | 1Gbps | 10Gbps | 40Gbps
Saturated Storage:                               1TB/day | 2.5TB/day | 10TB/day | 100TB/day | 400TB/day
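The Saturated Storage row is the arithmetic every full-packet-capture deployment has to do before it can promise a retention window. The following planner is an added example, not NetWitness code: it derives the sheet's TB/day figures from link rate, then estimates how many days of traffic each Decoder model's onboard storage (the 2TB, 12TB and 24TB figures from the appliance table above) holds before the oldest sessions roll off. Average utilization is an assumed input, since the sheet only gives the saturated case.

```python
"""Full-packet-capture storage planner (added example, not NetWitness code).

Reproduces the Saturated Storage scale of the Platform Options table
(100 Mbps to 40 Gbps) from first principles, then answers the question the
table leaves implicit: how many days of traffic a Decoder's store holds
before capture wraps, and which model meets a retention target.
"""

SECONDS_PER_DAY = 86_400
BITS_PER_BYTE = 8
BYTES_PER_TB = 10**12  # decimal TB, matching the storage figures on the sheet

# Constructed lookup taken from the Decoder rows of the Appliance Models table.
DECODER_STORAGE_TB = {
    "100 series": 2.0,
    "1200 series": 12.0,
    "2400 series": 24.0,
}


def tb_per_day(rate_mbps: float, utilization: float = 1.0) -> float:
    """Terabytes written per day when recording a link of `rate_mbps` at the
    given average utilization (1.0 = saturated, which is the sheet's case)."""
    if rate_mbps < 0:
        raise ValueError("rate_mbps must be non-negative")
    if not 0.0 <= utilization <= 1.0:
        raise ValueError("utilization must be between 0 and 1")
    bytes_per_second = rate_mbps * 1_000_000 / BITS_PER_BYTE * utilization
    return bytes_per_second * SECONDS_PER_DAY / BYTES_PER_TB


def saturated_storage_scale() -> dict[int, float]:
    """The sheet's throughput axis with the exact daily volume (TB/day, 1 dp).

    The printed figures (1, 2.5, 10, 100, 400 TB/day) are rounded down; the
    exact values are about 8% higher, which matters once you size retention.
    """
    return {rate: round(tb_per_day(rate), 1) for rate in (100, 250, 1_000, 10_000, 40_000)}


def retention_days(storage_tb: float, rate_mbps: float, utilization: float = 1.0) -> float:
    """Days of traffic that fit in `storage_tb` before the oldest data is overwritten."""
    daily = tb_per_day(rate_mbps, utilization)
    return float("inf") if daily == 0 else storage_tb / daily


def smallest_decoder(rate_mbps: float, utilization: float, required_days: float):
    """Smallest Decoder model whose onboard store meets `required_days` of
    retention, or None when expansion storage (DAS/SAN) would be needed."""
    needed_tb = tb_per_day(rate_mbps, utilization) * required_days
    for model, capacity in sorted(DECODER_STORAGE_TB.items(), key=lambda kv: kv[1]):
        if capacity >= needed_tb:
            return model
    return None


if __name__ == "__main__":
    for rate, tb in saturated_storage_scale().items():
        print(f"{rate:>6} Mbps saturated -> {tb:6.1f} TB/day")
    # Constructed scenario: a 1 Gbps egress link averaging 30% utilization.
    for model, cap in DECODER_STORAGE_TB.items():
        print(f"{model}: {retention_days(cap, 1_000, 0.3):.1f} days of retention")
    print("5 days at 1 Gbps, 25% utilized:", smallest_decoder(1_000, 0.25, 5))
```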

The NextGen infrastructure is designed to interoperate directly with NextGen AppSuite products: Investigator, Informer, Visualize, Live and SIEMLink. Users can create their own custom applications that meet their operational and business needs by utilizing our open API/SDK to seamlessly integrate with the NextGen platform and to extend the value of their existing security investment. By having all this information immediately accessible, customers have the agility to respond to emerging threats and forensic investigations, identify broken business processes, mitigate intentional data exfiltration and confront tomorrow’s challenges. NextGen represents the intersection of network telemetry and rich application layer content and context that differentiates NetWitness from any other solution on the market.

Features
»» 64-bit Linux-based, highly configurable »» Integrates with NetWitness Live to »» Protocol and application exploitation:
network appliances add list-based content and context,
including NetWitness Profilers HTTP, FTP, TFTP, TELNET, SMTP,
»» Up to 10Gbps throughput performance (indicators, parsers, reports and rules), POP3, NNTP, DNS, SOCKS, HTTPS,
to recorded network information SSL, SSH, Vcard, PGP, SMIME,
»» Applies metadata for efficient DHCP, NETBIOS, SMB/CIFS, SNMP,
indexing, storage and searchability »» Available open API/SDK to empower NFS, RIP, MSRPC, Lotus Notes®,
custom application development TDS(MSSQL), TNS(Oracle®), IRC,
»» Scalable architecture to create a Lotus Sametime®, MSN IM, RTP,
distributed recording framework »» FlexParse™ enabled for rapid, user Gnutella, Yahoo Messenger, AIM, SIP,
defined parsing and modeling H.323, Net2Phone®,Yahoo Chat, SCCP
»» File object exporting (.exe, .pdf, .doc, (Cisco® Skinny), Bittorrent, GTALK,
.gif, .jpeg, .wav, .mps and many others) »» Supports RSA SecurID and LDAP Hotmail, Yahoo Mail, GMail, TOR, Social
authentication Networking, Fast Flux, VLAN tagging
»» Integrates with expandable DAS and many others.
storage and SAN solutions, including »» Supports SNORT signatures
EMC and NetApp

Appliance Models * Optional (2) 1Gbps Fiber ** Optional (2) 1Gbps Fiber or (1) 10Gbps Adapter

Model Processor RAM Interfaces Storage Power Form Factor Weight

Broker 100 series Dual-Core 8GB 100/1000 2TB Single 260W 1U, Half-Depth 25 lbs
Copper (2) Redundant

200 series Quad-Core 8GB 100/1000 4TB Redundant 1U, Full-Depth 34 lbs
Copper (2) Redundant Max 450W

Concentrator 1200 series Quad-Core 32GB 100/1000 up to 12TB Redundant 2U, Full Depth 66 lbs
Copper (2)* Redundant Max 850W

2400 series Dual up to 100/1000 14.5TB Redundant 2U, Full Depth 65 lbs
Hex-Core 128GB Copper (2)* Redundant Max 800W

Decoder 100 series Dual-Core 8GB 100/1000 2TB Not Single 260W 1U, Half-Depth 25 lbs
Copper (2) Redundant

1200 series Quad-Core 16GB 100/1000 12TB Redundant 2U, Full Depth 66 lbs
Copper (6)** Redundant Max 850W

2400 series Hex-Core 32GB 100/1000 24TB Redundant 2U, Full Depth 65 lbs
Copper (6)** Redundant Max 800W

Eagle 50 series Quad-Core up to (2) 100/1000 up to 4TB Single up Briefcase up to 20 lbs


16GB Copper Redundant to 520W

Hybrid 200 series Dual 32GB 100/1000 8TB Redundant 1U, Full-Depth 34 lbs
Quad-Core Copper (2) Redundant Max 700W
About NetWitness
NetWitness® is the next-generation network monitoring platform that delivers clarity and definitive answers to improve security and optimize risk management. By recording a
content-based and contextual understanding of an organization’s network activity, we provide forensic accuracy into past activities, real-time analysis for situational awareness, and
the agility to adapt and confront tomorrow’s challenges.

NetWitness Corporation | 500 Grove Street, Suite 300 | Herndon, VA 20170


T: 703.889.8950 | F: 703.651.3126 | sales@netwitness.com Learn more at netwitness.com
NextGen™ Platform Options

In today’s rapidly evolving threat environment, how do you know what is really happening
on your network? With the ability to record everything (every session, communication,
service, application and user), you can always know with clarity and definitive answers
what did or did not occur on your network and obtain an unprecedented level of situational
awareness and continuous monitoring.

The NetWitness NextGen™ is the single core Concentrators can be deployed in tiers to a subset of the NextGen components could
security platform that makes this capability provide visibility and high availability into be required to create a flexible, scalable
a reality through three core components: multiple Decoder capture locations. infrastructure that grows with your business.
Decoder, Concentrator and Broker. To meet your growth needs and operational
Broker operates at the highest level of uses cases, NetWitness has developed
Decoder is a highly configurable network the hierarchical NextGen infrastructure. Its a series of high performance NextGen
appliance that enables the real-time function is to facilitate queries across an platform options:
collection, filtering, and analysis of entire enterprise-wide deployment where
all network data. Position Decoder(s) multiple Concentrators are employed. Portable – NetWitness Eagle is a portable
anywhere on the network: egress, core, Broker provides a single point of access to and compact version of the NetWitness®
or segment. all the NextGen metadata and is designed Decoder. Eagle enables powerful and rapid
to operate and scale in any network field deployment of the NetWitness network
Concentrator is designed to aggregate environment, independent of network monitoring platform with a briefcase-size
metadata hierarchically from Decoder(s) to latency, throughput, or data volume. footprint. Unlike other portable solutions,
enable scalability and deployment flexibility Eagle also supports Wi-Fi monitoring with
across various organization-specific network Depending on your network topology and the same level of forensic analytics the
topologies and geo-locations. As a result, operational performance requirements, all or NetWitness community has come to expect.

NetWitness NextGen Platform options

Portable (Tactical)
  Usage: Incident Response; Tactical Operations
  Model: NWA50 “Eagle”
  Features: Briefcase form-factor; Encrypted/Removable Drives; 2TB Retention

Branch (Fixed Capacity)
  Usage: Remote Office; Managed Services; Small Security teams
  Models: NWA200 Hybrid; NWA100 Broker
  Features: 1U form-factor; Fixed capacity; Distributed visibility; 8TB Retention

Data Center (High Performance)
  Usage: Enterprise Monitoring; SOC Operations
  Models: NWA1200/2400 Decoder; NWA1200/2400 Concentrator; NWA100 Broker
  Features: 1U & 2U form-factors; Bandwidth Scalable; Distributed visibility; 12 or 24TB Retention; DAS & SAN Storage Available

Service Provider (Unlimited Scalability)
  Usage: National Monitoring; Large SOC Operations; Indefinite retention
  Models: NWA1200/2400 Decoder; NWA1200/2400 Concentrator; NWA100 Broker (as for Data Center)
  Features: 1U & 2U form-factors; Bandwidth Scalable; Distributed visibility; 12 or 24TB Retention; DAS & SAN Storage Available

Scale across the options, from Portable to Service Provider:
  Throughput: 100Mbps, 250Mbps, 1Gbps, 10Gbps, 40Gbps
  Saturated Storage: 1TB/day, 2.5TB/day, 10TB/day, 100TB/day, 400TB/day

Branch – For optimizing branch performance on a single platform and lowering total cost of ownership, the NetWitness NextGen Hybrid is a combined Decoder/Concentrator platform. Hybrid enables the branch office or small security team to scale to next-generation requirements and still meet important operational security initiatives for responsive incident management and threat mitigation capabilities.

Data Center – For high availability, enterprise-wide environments, NetWitness NextGen Decoder, Concentrator and Broker appliances offer the deployment flexibility to meet bandwidth and storage performance requirements. NextGen’s hierarchical architecture allows geographically dispersed locations to be sized appropriately while maintaining operational standards for real-time situational awareness.

Service Provider – For the most demanding environments that require unlimited scalability and global network monitoring, the NetWitness NextGen platform brings industry-leading technology and experience to support any security operations team. From a global organization operating their own backbone to national service providers, NextGen offers an extensible platform to maximize investment value and deliver the operational performance needed to inform and enable better risk management and business decisions.

Each NextGen component has a critical role in enabling scalability and achieving an organization’s operational performance metrics. In order to enable application layer traffic analysis in real-time at Data Center and Service Provider levels, a next-generation computing architecture must scale out as well as scale up. The distributed and hierarchical nature of NetWitness’ NextGen infrastructure allows an organization to incrementally add traffic processing, database and storage capacity as-needed. The “one box does it all” at the point of capture simply cannot maintain system integrity and performance while processing network traffic and running analytical queries at the same time. Moreover, recording traffic without being able to use or analyze it does not satisfy customer expectations.

The NextGen infrastructure is designed to interoperate directly with NextGen AppSuite products: Investigator, Informer, Visualize, Live and SIEMLink. Users can create their own custom applications that meet their operational and business needs by utilizing our open API/SDK to seamlessly integrate with the NextGen platform and to extend the value of their existing security investment. By having all this information immediately accessible, customers have the agility to respond to emerging threats and forensic investigations, identify broken business processes, mitigate intentional data exfiltration and confront tomorrow’s challenges. NextGen represents the intersection of network telemetry and rich application layer content and context that differentiates NetWitness® from any other solution on the market.

Appliance Models
(* Optional (2) 1Gbps Fiber; ** Optional (2) 1Gbps Fiber or (1) 10Gbps Adapter)

Broker 100 series
  Processor: Dual-Core; RAM: 8GB; Interfaces: 100/1000 Copper (2); Storage: 2TB Redundant; Power: Single 260W; Form Factor: 1U, Half-Depth; Weight: 25 lbs

Broker 200 series
  Processor: Quad-Core; RAM: 8GB; Interfaces: 100/1000 Copper (2); Storage: 4TB Redundant; Power: Redundant, Max 450W; Form Factor: 1U, Full-Depth; Weight: 34 lbs

Concentrator 1200 series
  Processor: Quad-Core; RAM: 32GB; Interfaces: 100/1000 Copper (2)*; Storage: up to 12TB Redundant; Power: Redundant, Max 850W; Form Factor: 2U, Full Depth; Weight: 66 lbs

Concentrator 2400 series
  Processor: Dual Hex-Core; RAM: up to 128GB; Interfaces: 100/1000 Copper (2)*; Storage: 14.5TB Redundant; Power: Redundant, Max 800W; Form Factor: 2U, Full Depth; Weight: 65 lbs

Decoder 100 series
  Processor: Dual-Core; RAM: 8GB; Interfaces: 100/1000 Copper (2); Storage: 2TB Not Redundant; Power: Single 260W; Form Factor: 1U, Half-Depth; Weight: 25 lbs

Decoder 1200 series
  Processor: Quad-Core; RAM: 16GB; Interfaces: 100/1000 Copper (6)**; Storage: 12TB Redundant; Power: Redundant, Max 850W; Form Factor: 2U, Full Depth; Weight: 66 lbs

Decoder 2400 series
  Processor: Hex-Core; RAM: 32GB; Interfaces: 100/1000 Copper (6)**; Storage: 24TB Redundant; Power: Redundant, Max 800W; Form Factor: 2U, Full Depth; Weight: 65 lbs

Eagle 50 series
  Processor: Quad-Core; RAM: up to 16GB; Interfaces: (2) 100/1000 Copper; Storage: up to 4TB Redundant; Power: Single, up to 520W; Form Factor: Briefcase; Weight: up to 20 lbs

Hybrid 200 series
  Processor: Dual Quad-Core; RAM: 32GB; Interfaces: 100/1000 Copper (2); Storage: 8TB Redundant; Power: Redundant, Max 700W; Form Factor: 1U, Full-Depth; Weight: 34 lbs

About NetWitness
NetWitness® is the next-generation network monitoring platform that delivers clarity and definitive answers to improve security and optimize risk management. By recording a
content-based and contextual understanding of an organization’s network activity, we provide forensic accuracy into past activities, real-time analysis for situational awareness, and
the agility to adapt and confront tomorrow’s challenges.

NetWitness Corporation | 500 Grove Street, Suite 300 | Herndon, VA 20170


T: 703.889.8950 | F: 703.651.3126 | sales@netwitness.com Learn more at netwitness.com
NetWitness® NextGen™
A United States Government Case Study

Mission

In 2007 the United States embarked on a Comprehensive National Cyber Initiative (CNCI). One major component of this program is the Trusted Internet Connection (TIC), dictated in OMB memorandum M-08-05 of November of 2007, specifically designed to improve the security of federal agency networks.

TIC reduces the risk to government data by consolidating the number of Internet connection points, establishing common security controls across the agency and departmental levels, and providing adequate monitoring capabilities into traffic — thus improving incident response capabilities.

An aggressive implementation timeline for TIC put pressure on executive branch agencies to move quickly. Our client, a large department, was given only three months to complete the tasks of documenting existing network connections across all offices, assessing technical architecture plans and security policies and creating a plan of action with milestones for TIC implementation by the June 2008 deadline. The department also used the TIC consolidation project to develop a centralized Security Operations Center (SOC) to deliver a consistent level and quality of security monitoring across the components.

“We had to look seriously at our security strategy and find the best combination of next generation monitoring technologies that would enable us to implement an efficient TIC architecture. But longer term, also address advanced threats and implement better processes to make our operations staff more efficient,” said the agency-level deputy CISO.

Evaluating NetWitness

Due to its critical role in the national security infrastructure, the department was under constant attack from a wide variety of threats ranging from script kiddies to state-sponsored entities, criminal organizations and political activists. Thanks to years of hardening by the dedicated staff and a wide variety of technologies, the agency was effectively fending off most intrusion attempts. However, the detection and mitigation of advanced persistent threats remained a serious challenge.

The department had to address this gap through increased network visibility and improved threat intelligence simultaneously with the consolidation into a TIC architecture. Integrating a network security monitoring and analysis solution to complement existing IDS and security information and event management (SIEM) technologies was considered critical to provide a much deeper level of analysis and incident response capabilities. The security and architecture teams collaborated with peers across other government agencies. The CISO of an intelligence agency recommended NetWitness NextGen, a technology used successfully for similar problems for a number of years.

“My peer was raving about NextGen and the breadth and depth of full visibility into network, application and user context and content,” said the department’s CISO. “Given the complexity of our environment, we were somewhat skeptical going into the evaluation process, but a brief evaluation of the solution quickly made it compelling.”

NetWitness NextGen is a network security monitoring solution explicitly designed to help combat advanced cyber security threats. The solution is based on full packet capture and session analysis. It utilizes the most comprehensive and advanced network session modeling techniques to provide very specific and granular security analytics into terabytes of data. Using SIEMLink, the department leveraged NextGen’s application layer insights and intelligence to augment existing security countermeasures and accelerate operational security processes. The resulting workflow acted as a force multiplier to improve the security team’s efficiency and effectiveness.

Instant Success

The initial NetWitness deployment began with a two week proof of concept. The department deployed NetWitness NextGen appliances on their production network, emulating where these appliances would reside in their TIC configuration, with full access to production data. Both government and contractor support teams worked closely with NetWitness engineers, comprised of cleared professionals that have spent decades working at the forefront of IT security.

Within two weeks of active testing, the agency was able to uncover both a potentially serious external data breach and an employee created data leakage incident. Both of these incidents were overlooked by the agency’s existing security technologies and were deemed critical incidents by the department’s leadership.

An Evolutionary Engagement

The initial purchase and first phase deployment went very well. A close working relationship between NetWitness staff and the TIC project team resulted in a virtually error free implementation, and significant operational improvements within the department’s security operations and threat analysis teams. Based on the early success of the project, the client has officially launched its centralized SOC strategy — delivering centralized event analysis, incident coordination, response and reporting for its components. According to one of the government senior engineers, “On a consistent basis, over 60% of our confirmed kills are now attributed to data we obtain from our NetWitness infrastructure versus the combination of other technologies we have deployed and use.”

Get in the Know.

The threats facing our customers are advanced and our customers are very demanding. They are security experts with years of experience and a refined sense for the challenges facing their organization. NetWitness excels at working with this savvy base of users, whose workload and requirements push the limits of any platform. Our discerning customers are provided unprecedented access to technical support, our product and development staff and our executive leadership. Our fanatical focus on this advanced user base, coupled with our extensive knowledge of advanced threats, resulted in the department taking full advantage of the power of our solution from day one. Since our initial success together, their appetite for visibility has only expanded, with additional deployments into the corporate environment.

NetWitness helps clients combat advanced cyber-security threats by giving them an unprecedented level of knowledge into what is happening across their networks, and providing them the insight needed to take definitive action. The NetWitness NextGen security monitoring solution has received numerous awards for its innovation and has become a critically important part of our clients’ day-to-day operations. It is this intersection of rich application data and context that differentiates the patented NetWitness products from any other solution available in the market.

About NetWitness
NetWitness® is the world leader in real-time network forensics and automated threat intelligence solutions, helping government and commercial organizations detect, prioritize and
remediate complex IT risks. NetWitness’ patented and award-winning solutions solve a wide variety of information security problems, including advanced persistent threats, data
leakage, malware activity, and more.

The “Kneber” BotNet
A ZeuS Discovery and Analysis
This white paper was written by Alex Cox and Gary Golomb

If you would like to know more about how we discovered Kneber using NetWitness technology; or how your organization can detect
advanced threats and problems such as Kneber, and avoid costly and damaging problems, please contact NetWitness for a proof-of-
concept. sales@netwitness.com.

Download the freeware version of NetWitness Investigator today: http://download.netwitness.com and see what’s really happening
on your network.

Table of Contents
Abstract (p. 2)
What Is ZeuS? (p. 2)
Botnet “Kneber” (p. 3)
  Botnet Make-up (p. 3)
  Approximate Size (p. 3)
  Geographic Scope Of Compromise (p. 3)
  Operating System Breakdown (p. 3)
  Compromised Data (p. 3)
    Number of Compromised Credentials (p. 3)
    Significant Organizational Involvement (p. 3)
    Certificate Theft (p. 3)
    Banking Focus (p. 3)
    Connection To Waledac Botnet (p. 4)
  Attribution (p. 4)
    Web of Maliciousness (p. 5)
    Global Dispersion (p. 5)
    Multiple Aliases (p. 5)
    Indications of Monetization Activity (p. 5)
    Abuse of Chinese Registration Services (p. 6)
    A Long-Running Criminal Enterprise (p. 6)
  Targeting The Government Sector (p. 6)
  Implications (p. 6)
Detection Using NetWitness Technology (p. 7)
  Download of Executable Content (p. 8)
  Leveraging Third-Party Intelligence Feeds (p. 8)
Summary (p. 8)


Abstract

On Tuesday, January 26th, 2010, as part of routine analytic tasks related to an evaluation of an enterprise network, NetWitness discovered a 75+ gigabyte cache of stolen data - the result of the activities of an unknown miscreant using a large botnet to control and monitor more than 74,000 compromised PCs. This compromise was discovered by using NetWitness NextGen™ to identify and observe a known member of an existing botnet downloading a new executable. NetWitness provides a series of security analytic applications based on a patented network forensic engine. The use of network forensic methods enables analytic paths and detective capabilities which are specifically required to deal with advanced threats.

One such capability, enabled through real-time automated forensics, provides alerts to security analysts within an organization when obfuscated executables are being downloaded. This particular malicious executable had less than a 10 percent detection rate among all antivirus products, and the botnet communication was not identified by existing intrusion detection systems. This compromise, the scope of global penetration and the sheer magnitude of the collected data illustrate the inadequacy of signature based network monitoring methods used by most commercial and public sector organizations today. Full packet capture systems coupled with analytic methods that provide content and context from the network to the application layers are a fundamental requirement today to address advanced threats.

In this case, multi-level analysis of network traffic and active malware analysis using NetWitness led to some very insightful information about this botnet.

What Is ZeuS?

The format and structure of the logged data indicate a ZeuS Trojan botnet.

At its core, ZeuS is a botnet system designed to steal information from an infected host. Unlike a traditional keylogger system, which records every keystroke, ZeuS can specifically target information desired by the criminal miscreant. It does this through a number of means, but is used primarily to do the following:

»» Capture data typed into web forms that are often used for authentication to sensitive systems. By capturing traffic prior to encryption on the endpoint, encrypted authentication mechanisms are subverted.
»» Inject additional form elements into target webpages to prompt for additional information from the victim.
»» Parse out relevant portions of system URLs that may contain login credentials or session IDs.
»» Capture cookie information, which is often used to store credentials and session information for websites.
»» Access and copy credential information stored in a web browser’s “protected store.” An example of this is the system used by Microsoft Internet Explorer to save usernames and passwords.

Additionally ZeuS can:

»» Search for and capture any file that is resident on the victim host.
»» Allow full remote control capability on the victim host using VNC.
»» Download and execute arbitrary executables.
»» Remotely destroy the host by deleting required elements of the host operating system.

ZeuS Sequence of Infection

ZeuS receives command and control information from the controlling server via the HTTP protocol. The sequence of infection is typically as follows:

1. A ZeuS executable is run on a target system, either through a social engineering ruse or technical exploit – both are quite common.
2. Once installed, the ZeuS bot downloads a configuration file from the command and control server, which directs the bot to capture desired data.
3. Periodically the bot uploads captured information to a “drop zone.”
4. The bot checks in on a schedule for updates, including updated binaries or configuration files. This allows the criminal miscreant to change the configuration of the botnet at will.
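Two of the behaviours in this sequence are observable on the wire without a signature for the binary: an executable arriving under a non-executable Content-Type (the kind of download the Abstract says NetWitness alerted on) and the scheduled HTTP check-in of step 4. The following is an added illustration, not NetWitness code; the session records, hostnames (`.example`) and timestamps are constructed.

```python
# Added example (not NetWitness code): two checks modelled on the ZeuS
# behaviour described above, run over constructed HTTP session records.
#   1) PE content served under a non-executable Content-Type
#   2) POST check-ins to one URI at a near-constant interval (step 4)
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Session:
    ts: int             # epoch seconds (constructed values)
    src: str            # client address
    method: str
    host: str
    path: str
    content_type: str   # Content-Type declared by the server
    body_head: bytes    # first bytes of the response body


PE_MAGIC = b"MZ"  # DOS/PE header that every Windows executable starts with
EXE_TYPES = ("application/x-msdownload", "application/octet-stream",
             "application/x-dosexec")


def is_hidden_executable(s: Session) -> bool:
    """True when the body is a PE file but the server declared another type."""
    declared_exe = any(t in s.content_type.lower() for t in EXE_TYPES)
    return s.body_head.startswith(PE_MAGIC) and not declared_exe


def hidden_executables(sessions):
    """(src, host, path) for every download that fails the check above."""
    return [(s.src, s.host, s.path) for s in sessions if is_hidden_executable(s)]


def periodic_checkins(sessions, min_count=4, max_jitter=0.2):
    """Map (src, host, path) -> mean interval in seconds for POST streams whose
    inter-arrival times vary by no more than max_jitter (coefficient of
    variation). Irregular, human-driven POSTs fall outside that bound."""
    groups = defaultdict(list)
    for s in sessions:
        if s.method == "POST":
            groups[(s.src, s.host, s.path)].append(s.ts)
    hits = {}
    for key, times in groups.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits


# Constructed sample: 10.0.0.5 fetches a PE file labelled as a GIF and then
# checks in every ~10 minutes; 10.0.0.7 posts to webmail at irregular times.
SAMPLE = [
    Session(900, "10.0.0.5", "GET", "cdn-placeholder.example", "/img/logo.gif",
            "image/gif", b"MZ\x90\x00\x03\x00"),
    Session(905, "10.0.0.5", "GET", "cdn-placeholder.example", "/cfg/config.bin",
            "application/octet-stream", b"\x12\x34\x56\x78"),
    Session(950, "10.0.0.7", "GET", "cdn-placeholder.example", "/setup.exe",
            "application/x-msdownload", b"MZ\x90\x00\x03\x00"),
    *[Session(t, "10.0.0.5", "POST", "c2-placeholder.example", "/gate.php",
              "text/html", b"<html>") for t in (1000, 1600, 2210, 2800, 3400)],
    *[Session(t, "10.0.0.7", "POST", "webmail.example", "/send",
              "text/html", b"<html>") for t in (100, 3500, 3600, 9000)],
]

if __name__ == "__main__":
    print("hidden executables:", hidden_executables(SAMPLE))
    print("periodic check-ins:", periodic_checkins(SAMPLE))
```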


ZeuS uses common malware techniques in order to maximize the amount of time it is resident on a system. These include:

»» Using registry entries to survive system reboots.
»» Using rootkit technology to hide the malware files and logged data.
»» Injecting into running processes to mask traffic and bypass host firewalls.

Botnet “Kneber”

Botnet Make-up
Based on analysis of the information cache discovered, this botnet uses the internal name “BTN1”. The data appears to be a one-month dump of data from the controlling server’s database. BTN1 is typically the default name given to a newly created ZeuS botnet.

Approximate Size
By counting unique IDs assigned by the ZeuS system, we estimated that BTN1 is composed of 74,126 hosts. Because these logs represent a snapshot in time, the current actual size of the botnet is difficult to measure.

Geographic Scope Of Compromise
The ZeuS Trojan records the location of the host when the bot checks into the command and control server. The logs indicate that the following countries are the top five sources for compromised machines:

»» Egypt
»» Mexico
»» Saudi Arabia
»» Turkey
»» United States

[Chart: Top 10 victim countries (pie chart). Labels: Egypt, Mexico, Saudi Arabia, Turkey, United States, PK, PL, AR, DE, PE.]

In total, the geographic scope of this botnet is 196 unique countries.

Operating System Breakdown
The ZeuS Trojan is purpose-built to infect the Microsoft Windows operating system. The findings reflect the targeting of Windows systems. The top five Windows versions that are infected are as follows:

[Chart: Top O/S breakdown, Kneber botnet. Labels: Windows XP Professional SP2, Windows XP Professional SP3, Windows XP Home Edition SP3, Windows XP Home Edition SP2, Windows Vista Home Edition SP2, Others. Values shown: 45,472; 18,565; 4,951; 3,531; 1,177; 431.]

Additionally, but on a much smaller scale, Windows Server and Embedded systems are also represented. The implications of compromises on embedded systems require additional analysis.

Compromised Data

Number of Compromised Credentials
NetWitness analysis clearly shows that this botnet was focused for a period on theft of credentials. The data we analyzed contain over 68,000 stolen credentials during a 4-week period. Although credentials exist for many systems, the following graph shows the five most prolific systems represented in this data set. The top credentials stolen illustrate a focus on social networks and email systems.

[Chart: Top 5 stolen credentials. Labels: Facebook, Yahoo, Hi5, Metroflog, Sonico, Netlog. Values shown: 3,644; 2,575; 2,472; 1,281; 602; 586.]

Significant Organizational Involvement
When comparing US-based botnet members to IP address-to-organization mapping systems, the following markets and organizations are represented, which include Fortune 500 enterprises:

»» Local, State and Federal Government Agencies
»» Financial Institutions
»» Energy Companies
»» Internet Service Providers
»» Educational Institutions
»» Technology Companies

In total, the scope of organizational compromises by this botnet is 374 unique US-based entities, and 2411 unique global entities.

Certificate Theft
The ZeuS Trojan allows for the theft of any file that is resident on an infected system, and a common target for this capability is the encryption certificates used for access to banking, corporate VPN and other sensitive systems. There were 1972 unique certificate files in the data set.

Banking Focus
By conducting malware analysis on the source malware for this drop, it appears that this data set is from an earlier campaign designed to target social networking and email sites. The most recent configuration file that was downloaded by the malware prior to the site’s takedown was almost exclusively designed to target credentials for banking and/or digital currency sites.


Please remember, the sites in question may be well managed and adequately secured. The infected machines were simply scraping information when users communicated with the sites below. A partial list follows:

https://internetbanking.gad.de
https://www.citibank.de
http://ebay.com/
https://www.us.hsbc.com
https://www.e-gold.com
https://online.wellsfargo.com
https://www.paypal.com
https://www.usbank.com
https://www.tdcanadatrust.com
https://onlinebanking.nationalcity.com
https://www.citizensbankonline.com
https://onlinebanking.nationalcity.com
https://www.suntrust.com
https://www.53.com
https://web.da-us.citibank.com
https://onlineeast.bankofamerica.com
https://online.wamu.com
https://onlinebanking.wachovia.com
https://resources.chase.com
https://bancaonline.openbank.es
https://extranet.banesto.es
https://empresas.gruposantander.es
https://www.bbvanetoffice.com
https://www.bancajaproximaempresas.com
https://probanking.procreditbank.bg
https://ibank.internationalbanking.barclays.com
https://online-offshore.lloydstsb.com
http://www.hsbc.co.uk
https://www.nwolb.com
https://home.ybonline.co.uk
https://home.cbonline.co.uk

This targeted attack against banking infrastructures on a worldwide scale includes e-banking and other entities. In many cases, form elements are injected into these login pages to provide answers to common “security questions” such as:

»» “What is your mother’s maiden name?”
»» “What street did you grow up on?”
»» “What was your first pet’s name?”

Because these questions are often used to allow remote reset of passwords and credentials, it shows a desire and potential for the miscreant to be able to leverage the compromise onto other systems for additional access.

Connection To Waledac Botnet

One very interesting observation is that more than half of the ZeuS bots are logging traffic from additional infections on the same host that are indicative of Waledac command and control traffic. Waledac is a peer-to-peer spamming botnet that is often used as a delivery mechanism for additional malware. Additional analysis needs to be conducted, but this raises the possibility of direct enterprise-to-enterprise communication of Waledac bot peers in addition to the existing C2 traffic from the ZeuS botnet.

While it is not uncommon for compromised hosts to have multiple strains of malware, the sheer amount of Waledac traffic in this data set suggests a possible link between this ZeuS infrastructure and the Waledac botnet and their respective controlling entities. At the very least, two separate botnet families with different C2 structures can provide fault tolerance and recoverability in the event that one C2 mechanism is taken down by security efforts.

Attribution

Attributing this activity to a single individual or group of individuals is exceptionally difficult to do well without global cooperation across disparate technology and organizational systems. However, some key information can be revealed about the miscreants involved with this operation by tying IP, domain and registry information together.

Web of Maliciousness

The initial domain that was the source of this cache revealed a single registrant as follows:

hilarykneber@yahoo.com

Cross referencing this email address with the Malware Domain List [1] results in a network of malicious activity including a focus on ZeuS and the use of exploit kits.

Credit Card Numbers
While not the primary purpose of ZeuS, occasionally credit card numbers are recorded as part of the Trojan’s logging activity. In this data set across thousands of systems, only several hundred unique credit card numbers were present.

Social Security Numbers
The ZeuS Trojan can also record social security numbers during logging activity. Only a few hundred unique SSNs were present.


Global Dispersion

When these domain names are resolved to their associated IP addresses, a global distribution of servers is evident, with a focus on Chinese IPs.

Multiple Aliases

And 41 malicious registrants by email address:

Indications of Monetization Activity

A Google search for the original email address (hilarykneber@yahoo.com) also reveals website registration activity pertaining to money-mule recruitment. This is a common way for criminal miscreants to monetize online fraud in which they use unsuspecting “employees” to do deposits, withdrawals, and wires to offshore accounts. Once the money has been transferred to these locations, the miscreant quickly withdraws the currency to stymie victim organization fraud recovery efforts.

http://www.bobbear.com/24-hour-express-service.html

Notes
[1] Malware Domain List - http://www.malwaredomainlist.com – an open forum and database of malware-related activity with contributions from the security research community.
[2] http://blog.novirusthanks.org/2008/12/website-spreading-virus-through-exploits-elfiesta-exploit-kit/
[3] http://evilfingers.blogspot.com/2009/05/yes-exploit-system-manipulating-safety.html
[4] http://blog.webroot.com/2009/09/18/one-click-and-the-exploit-kits-got-you/

Abuse of Chinese Registration Services

.CN domains make up a subset of the observed criminal domains and the following registrars appear to bear the brunt of the abuse. All are Chinese.

A Long-Running Criminal Enterprise

Taken as a whole, the associated IP, domain and network tie-ins show that this exploit campaign has been running for nearly a year and is still active.

Initial reports of maliciousness with this data set date back to March 25, 2009.

The most recent report of maliciousness with this data set is February 5, 2010.

Targeting The Government Sector

Recent events also show this miscreant group targeting the government sector, specifically via phishing emails as detailed here:

http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/

Conducting malware analysis on the involved samples reveals command and control systems that reside in the same network location as other involved servers:

updatekernel.com. 3144 IN A 15.100.250.119

WHOIS information for this domain indicates a connection to previously used registration information:

Domain Name: UPDATEKERNEL.COM
Registrar: TODAYNIC.COM, INC.
Email: abuseemaildhcp@gmail.com
Creation Date: 31-jan-2010

TODAYNIC.COM is one of the previously listed abused Chinese registrars, and “abuseemaildhcp@gmail.com” was used in a previous exploit campaign initially reported on August 18, 2009:

Domain Name: popupserf.cn
Registrar: Guangdong Time Internet Technology Co., Ltd.
Administrative Email: abuseemaildhcp@gmail.com
Registration Date: 2009-07-24 23:04

This activity shows that this miscreant group is not only using exploit kits to steal banking login credentials and propagate their malware (as previously detailed), but is now also targeting government agencies with convincing phishing emails (that correctly identify existing projects) with a high degree of success. In this case, the National Intelligence Council’s “2020 Project” was used as a social engineering hook.

Implications

There are a number of key threat intelligence findings and implications derived from our analysis of the activities of the controlling miscreant:

1. ZeuS, typically considered a “Banking Trojan,” also is being employed specifically to target social networking and email sites.

This bot shows that the developers of the ZeuS system have a deep understanding of the nature of the Web and the manner in which people use their computers. While targeting financial sites ultimately may result in financial gain for the miscreant, targeting logon credentials to social networks and email gives them the “keys to the castle.” This personal information is pivotal for stealing identities and crafting very well targeted and convincing criminal and espionage campaigns.

Social networks are among the most popular and often visited websites on the Internet. Compromising these accounts provides the miscreant a network of “friends” who will inherently trust the compromised account and would be more likely to click on phishing and other exploit messages from that account. Additionally, social networks offer a centralized repository of data on an individual that can be used for highly sensitive activities, such as password resets, credit account creation, or other types of identity-oriented fraud.

Email accounts are often the critical part of the credentialing process of many sites on the Internet because they form the “username” component of the login process. Email accounts are used for contact points, authentication mechanisms, alerting, information distribution, password resets and much more. Controlling an email account gives the criminal miscreant an enormous leverage point for the compromise of additional systems associated with the end-user. These systems could include banking systems as previously discussed, but also could include corporate or government systems because many people utilize the same password constructs for both personal and professional environments.

5
http://www.dni.gov/nic/NIC_2020_project.html

2. Miscreants are not limiting themselves to a single geographic target area.

The analysis of this incident data shows a worldwide dispersion of command and control structures, exploit systems, infected hosts and compromised credentials. This indicates an interest in all types of data regardless of language and geo-political boundaries.

Miscreants are specifically targeting Government Agencies as well as Private Firms.

The previously detailed phishing attack on US Government agencies shows miscreants using relevant process names and inside knowledge of government organization to craft convincing email messages designed to gain access to information and further propagate their botnets. This event illustrates a desire to penetrate sensitive organizations for data gathering. Observing this criminal element’s activities over time led to the highly likely scenario that such insider knowledge came from previously successful infection campaigns. This discovery supports previous stories that foreign intelligence services are purchasing government data from criminal hackers.

3. Criminal “gangs” may be working together to provide sustainability to their botnets.

The link between ZeuS and Waledac in this finding provides valuable threat intelligence because it shows hosts being infected with two different families of botnet malware at the same time. It is highly improbable that such cross-pollination of botnets went unnoticed. If the owners of these two botnets are working together, there is the strong potential for additional resilience for both systems.

In the event that one of the two botnet command and control structures is disrupted by security efforts, the surviving C2 could be used to “recover” the disrupted activity. This could range from something as simple as providing a new configuration file to a ZeuS bot in order to reassign a new C2 server, to pushing a new malware system and control method altogether.

4. Cyber-criminals operate with impunity for extended periods of time.

Connecting the dots of this incident shows a worldwide dispersal of exploitation and botnet command and control activity that uses multiple families of malware and exploitation technology to accomplish specific goals, and the worldwide abuse of registration services regardless of language barrier.

5. The ultimate end-user of these data is unknown.

It is well known that an underground criminal data mart exists where these vast harvests of account numbers, email and social network accounts, and other PII can be bought and sold. Although the operator of this botnet may have had certain specific theft objectives during a period, the ultimate consumer of these data could range from criminal enterprises for certain pieces, to terrorist groups and state-sponsored entities for other credentials and information that would be useful to their specific enterprises and end goals. The ultimate implications of these undetected data losses and infestations of public and commercial organizations are far-reaching and complex, and transcend simple labels attached to them.

Detection Using NetWitness Technology

From a detection standpoint, modern antivirus and intrusion detection systems are struggling to provide protection against modern and sophisticated malware threats such as ZeuS. This is due to the criminal hacker element being aware of the limitations of these technologies and engineering their exploits and malware around them.

NetWitness uses a patented analysis engine that involves analytics from the packet level all the way up to the application level in order to alert on suspect behavior. In this case, our system detected the following behaviorally significant indications of botnet activity:

ZeuS

Download of a .bin ZeuS bot configuration file from a newly seen network location:
Waledac

Identification of behaviorally identifiable peer-to-peer botnet communication involving HTTP “POST” traffic using randomized filenames:

(Screen capture from NetWitness Investigator)

Download of Executable Content

In other cases, the only indication of compromise is through identification of executable content being downloaded to an infected host. This identification has historically been a “post-incident” host forensic analysis task, but NetWitness technology is able to detect this behavior “on the wire” as it occurs:

(Screen capture from NetWitness Investigator)

Leveraging Third-Party Intelligence Feeds

Lastly, the ability to leverage third-party intelligence feeds using NetWitness technology allows an analyst to quickly identify traffic that has been reported malicious by other parties:

Summary

While this is a large-scale botnet with large volumes of collected information, it is ultimately a very small portion of the amount of data being stolen from individuals, corporations, and government agencies on an ongoing basis. This is illustrated by both the limited time frame of stolen information in this cache (only one month’s capture), as well as the evidence supporting the existence of a large and dispersed criminal enterprise.

The analysis of this activity plainly depicts the scale and sophistication of one botnet. It reiterates what security professionals with even a modest understanding of the current threat environment already know:

Advanced threats have festered their way into thousands of enterprises. The widely deployed security technologies modern enterprises use to protect themselves, such as firewalls, antivirus and intrusion detection technologies, even when well managed, are ineffective in countering the current and ongoing threat to our information systems posed by a focused criminal adversary or nation-state.

Social Networking, Online Banking, Corporate Security, National Security, Intellectual Property Theft, and nearly every other information security concern are inextricably linked by the data being siphoned off to criminal and state-sponsored adversaries. In an environment where compromised systems are key to broad data theft, security professionals can no longer afford to turn a blind eye to problems by categorizing them broadly as affecting other markets. Nearly all security vendors who cover these specific examples of malicious code have lumped them into a category of “banking Trojan.” Analysis of the Kneber data reveals the keys to thousands of corporate networks around the world, and activities specifically targeting the United States Department of Defense. Neither nation-state nor criminal adversaries are concerned with how we categorize their exploits. They are diligently focused on stealing sensitive information using increasingly sophisticated methods and evading the rudimentary security capabilities so many organizations continue to rely on with a false sense of security.
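The four wire-level indicators the Detection section above describes (a .bin configuration fetch from a newly seen host, an HTTP POST to a randomized filename, executable content recognised by its bytes rather than its extension, and a third-party feed match) written out as detection logic over HTTP session metadata. This is an added example, not NetWitness code; the session records, hostnames, baseline and feed are constructed, and the length and entropy thresholds are assumed tuning values.

```python
"""Wire-level botnet indicators over constructed HTTP session metadata.

Added example; not NetWitness code. The session records, hostnames,
baseline and threat feed below are constructed for illustration.
"""
import math
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class HttpSession:
    """Minimal metadata a full-packet-capture sensor would extract per request."""
    client: str              # internal host that made the request (constructed)
    method: str              # GET or POST
    url: str                 # full request URL
    resp_first_bytes: bytes  # first bytes of the response body, or b""


def shannon_entropy(s: str) -> float:
    """Bits per character of s; strings of distinct characters score highest."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_randomized(filename: str, min_len: int = 8, min_entropy: float = 3.0) -> bool:
    """Heuristic for Waledac-style random filenames: a long stem with letters
    and digits mixed and high character entropy. Thresholds are assumed values."""
    stem = filename.rsplit(".", 1)[0]
    has_alpha = any(ch.isalpha() for ch in stem)
    has_digit = any(ch.isdigit() for ch in stem)
    return (len(stem) >= min_len and has_alpha and has_digit
            and shannon_entropy(stem) >= min_entropy)


def detect(sessions, known_hosts, intel_feed):
    """Return (client, indicator, host) tuples for the four behaviours.

    known_hosts: hosts the sensor has seen before (its baseline).
    intel_feed:  hosts reported malicious by third parties.
    """
    alerts = []
    seen = set(known_hosts)
    for s in sessions:
        parts = urlsplit(s.url)
        host = parts.hostname or ""
        filename = parts.path.rsplit("/", 1)[-1]
        # ZeuS: .bin configuration file fetched from a never-before-seen host
        if s.method == "GET" and filename.lower().endswith(".bin") and host not in seen:
            alerts.append((s.client, "zeus_config_from_new_host", host))
        # Waledac: HTTP POST whose filename looks randomly generated
        if s.method == "POST" and looks_randomized(filename):
            alerts.append((s.client, "waledac_post_random_filename", host))
        # Executable content on the wire: judge by the PE "MZ" magic, not the extension
        if s.resp_first_bytes.startswith(b"MZ"):
            alerts.append((s.client, "executable_download", host))
        # Third-party intelligence feed match on the destination host
        if host in intel_feed:
            alerts.append((s.client, "intel_feed_match", host))
        seen.add(host)
    return alerts


# Constructed baseline and feed (RFC 2606 .invalid names, RFC 5737 test addresses)
KNOWN_HOSTS = {"intranet.example.invalid", "cdn.example.invalid"}
INTEL_FEED = {"reported-bad.example.invalid"}

# Constructed sessions: one benign and one suspicious case per indicator
SAMPLE_SESSIONS = [
    HttpSession("10.0.0.5", "GET", "http://cdn.example.invalid/static/app.bin", b"\x00\x01"),
    HttpSession("10.0.0.5", "GET", "http://192.0.2.10/cfg/config.bin", b"\x00\x01"),
    HttpSession("10.0.0.7", "POST", "http://198.51.100.23/x7k2q9ab4z.htm", b""),
    HttpSession("10.0.0.7", "POST", "http://intranet.example.invalid/upload.php", b""),
    HttpSession("10.0.0.9", "GET", "http://192.0.2.44/images/photo.jpg", b"MZ\x90\x00"),
    HttpSession("10.0.0.9", "GET", "http://reported-bad.example.invalid/index.html", b"<html>"),
]


def run_sample():
    """Run the detector over the constructed sessions; returns four alerts."""
    return detect(SAMPLE_SESSIONS, KNOWN_HOSTS, INTEL_FEED)


if __name__ == "__main__":
    for client, indicator, host in run_sample():
        print(f"{client}\t{indicator}\t{host}")
```

The entropy heuristic will also flag long descriptive names such as annualreport2010.pdf, so in practice the thresholds and the newly-seen baseline are tuned against the organization's own traffic before alerts are acted on.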

About NetWitness

NetWitness® Corporation is the world leader in real-time network forensics and automated threat intelligence solutions, helping government and commercial
organizations detect, prioritize and remediate complex IT risks. NetWitness solutions concurrently solve a wide variety of information security problems
including: advanced persistent threat management; sensitive data discovery and advanced data leakage detection; malware activity discovery; insider threat
management; policy and controls verification and e-discovery. Originally developed for the US Intelligence Community, NetWitness has evolved to provide
enterprises around the world with breakthrough methods of network content analysis and host-based risk discovery and prioritization. NetWitness customers
include Defense, National Law Enforcement and Intelligence Agencies, Top US and European Banks, Critical Infrastructure, and Global 1000 organizations.
NetWitness has offices in the U.S. and the U.K. and partners throughout North and South America, Europe, the Middle East, and Asia.

NetWitness Corporation | 500 Grove Street, Suite 300 | Herndon, VA 20170


T: 703.889.8950 | F: 703.651.3126 | sales@netwitness.com www.netwitness.com
Guidance on the
Responsible Use of Surveillance
A Study of Security and Compliance Professionals

Sponsored by NetWitness
Independently conducted by Ponemon Institute LLC
Publication Date: January 2011

Ponemon Institute© Research Report


Guidance on the Responsible Use of Surveillance
A Study of IT Security and Compliance Professionals
Presented by Ponemon Institute, January 2011

Organizations face costly security risks from both internal and external sources. Among the 47 organizations participating in Ponemon Institute’s study on the Cost of Cyber Crime, it was determined that one cyber attack can range from a low of $237,000 to $52 million.[1] Further, the organizations participating in the study experienced 205 separate and discernible cyber attacks over a four-week period.

In addition to external cyber attacks, organizations can face threats from malicious insiders. A recent well-publicized case involved an employee of T-Mobile in the UK who pleaded guilty to stealing confidential information and selling it to rival companies.[2] DuPont suffered from two separate insider attacks. In one case, DuPont lost $400 million from an insider data breach. Two years later DuPont fired and filed a lawsuit against a Chinese-born employee accusing him of misappropriation of trade secrets. The company discovered the employee’s incriminating action when reviewing his hard drive.[3]

While employee surveillance and related technologies can be used to reduce the risk of malicious insiders, they are controversial. Some privacy advocates believe that employees have an inalienable right to privacy in the workplace. They become especially concerned when incidents occur that reveal how surveillance technologies can exceed their mission and violate privacy. For example, security cameras may be placed in private locations such as bathrooms or locker rooms, or cameras may capture employees smoking outside the building and the company then increases the cost of their healthcare policies because they are deemed to have a higher risk of disease.

Leading network surveillance technologies are complex and valuable in helping security find the “needle in the haystack” that could pose a serious threat to the company, but they are not perfect. There have been incidents where employees have been wrongly accused of a security violation due to an error in the surveillance system. This can especially be the case when there are no clear guidelines and policies for the use of these technologies.

For these reasons, organizations have an obligation to evaluate and monitor their surveillance
technologies for accuracy to ensure the civil liberties of employees are not at risk. In turn,
organizations have a legitimate right to use security to prevent attacks from both internal and
external threats.

Ponemon Institute and NetWitness conducted a study of 780 IT security and compliance professionals in a variety of industries to better understand their perceptions about the use of surveillance in their organizations. These respondents have an average of approximately 11 years of relevant experience.[4] The purpose of this study is to address the concerns of both groups and to provide guidance on the responsible approach to the use of surveillance technologies, process and policies.

[1] 2010 Cost of Cyber Crime Study, Ponemon Institute, July 31, 2010
[2] “Former T-Mobile Employee Pleads Guilty to Stealing Customer Information,” Cellular-news, November 23, 2010
[3] “DuPont Sues Chinese Scientist for Trade-Secret Theft,” Jaikumar Vijayan, Computerworld, September 9, 2009
[4] The security sample contains individuals responsible for IT security operations including network defense and data protection. Most of these respondents are located in the IT organization. Compliance practitioners are those individuals responsible for data protection, privacy and information security policy. Most of these respondents are located in the legal, corporate compliance, internal audit or human resource departments.

We decided to study these two groups because very often they are not in alignment about what policies and procedures should be employed. This disagreement can make it difficult to achieve the necessary security posture, leaving the organization vulnerable to security risks and non-compliance. In fact, in Ponemon Institute’s Cyber Security Readiness study,[5] 93 percent of IT security leaders in the study believe the organizations most vulnerable to cyber attacks do not have a clearly defined leadership structure for information security, data protection and privacy issues. In these organizations information security operates within silos located in IT or compliance, without a clear mandate for the enterprise.

Following is a summary of five key findings that illustrate why organizations are at risk:

• Compliance and security practitioners are not in alignment about the issue of surveillance in the workplace. This is especially the case when it comes to the right to conduct surveillance versus the right to privacy in the workplace.
• Compliance and security practitioners disagree about what is most critical in creating effective surveillance systems to prevent or detect wrongful or illegal activities. Security professionals believe enabling technologies, adequate budget and knowledgeable security professionals are key. Compliance professionals put their faith in such governance procedures as policies and training.
• There is a significant gap between compliance and security practitioners about the personal data collected about employees, temporary employees and contractors. Security professionals are much more likely to say their organizations collect personally identifiable information.
• Compliance and security practitioners have very different perceptions about what is the worst outcome from a surveillance snafu. Compliance worries about the classification of a legal act as illegal, and security’s priority is that a wrongful act would not be detected.
• One of the chief concerns expressed by compliance practitioners is that workplace surveillance creates a “big brother” culture that might result in a decline in morale and have other adverse consequences. This might be attributed to the perceived but inaccurate concerns about the privacy risks associated with these technologies.

We conclude that compliance and IT security are often at odds on the issue of surveillance and as a result organizations face a major obstacle when attempting to address their security risks. It is our objective to shed light on the gaps in perceptions in the hope that a dialog will occur to close those gaps and create a more collaborative relationship. The result will be a more secure enterprise.

In the final section of this paper, we offer what we believe are responsible approaches to the use of surveillance technologies and procedures based on collaboration between security and compliance.

[5] Cybersecurity Readiness Study, Benchmark Research of IT Security Leaders in the U.S. and Europe, September 30, 2010.


Part 2. Survey Findings

In this section, we provide the summarized findings of IT security and compliance practitioners in
private and public organizations located throughout the United States. The security sample is
composed of 399 respondents who reside in the organization’s IT or IT security function. The
compliance sample consists of 381 respondents who are located in the compliance, legal, internal
audit or human resource departments.

Bar Chart 1 summarizes the “agree” and “strongly agree” responses to six statements about the state of surveillance and privacy in the workplace. A high combined percentage indicates a net favorable response and a low combined percentage indicates the opposite.

This chart clearly shows differences in the perceptions of security and compliance practitioners. Security professionals tend to believe organizations have a legitimate right to conduct surveillance, that it is necessary to operate in stealth and secrecy in order to be effective, and that as a result privacy rights are diminished. The closest these two groups come to agreeing is that surveillance is necessary to ensure compliance with policies and procedures.

Bar Chart 1: Six attributions about the state of surveillance in the workplace
Strongly agree and agree responses combined (Compliance, Security).

Organizations have a legitimate right to conduct surveillance even though it diminishes employee’s privacy rights in the workplace: Compliance 60%, Security 80%
Employees have a legitimate right to privacy in the workplace: Compliance 73%, Security 49%
Securing the workplace from illegal or unauthorized activities is more important than ensuring employees’ privacy rights: Compliance 35%, Security 56%
The surveillance of employees can be effectively accomplished without diminishing employees’ privacy rights: Compliance 58%, Security 31%
The surveillance of employees needs to operate in stealth and secrecy in order to be effective: Compliance 40%, Security 75%
The surveillance of employees is necessary to ensure compliance with policies and procedures: Compliance 69%, Security 78%

Some of the most significant gaps in perception shown above are as follows:

• Eighty percent of security practitioners versus 60 percent of compliance practitioners believe their organization has a legitimate right to conduct surveillance even if it diminishes employee’s privacy rights.
• Forty-nine percent of security practitioners versus 73 percent of compliance practitioners believe employees have a legitimate right to privacy in the workplace.
• Thirty-one percent of security practitioners versus 58 percent of compliance practitioners believe the surveillance of employees can be effectively accomplished without diminishing privacy rights.
• Seventy-five percent of security practitioners, versus only 40 percent of compliance practitioners, believe surveillance needs to operate in stealth and secrecy in order to be effective.

Taken together, differences in perceptions among security and compliance practitioners suggest
possible vulnerabilities or gaps in the ways organizations manage their surveillance operations
and obligations to protecting employee privacy rights.

Most surveillance activities focus on employees’ use of the Internet and their email usage.

Bar Chart 2 lists in descending order the different types of surveillance activities deployed by
organizations according to security and compliance practitioners. This bar chart shows that
Internet and email-related surveillance methods are utilized most frequently by respondents’
organizations. In contrast, the tracking of employees’ off-premise locations (geo tracking) is least
likely to be deployed by respondents’ organizations.

Bar Chart 2: What employee surveillance activities are conducted by your organization?
(Compliance, Security)

Internet use: Compliance 70%, Security 77%
Internet behavior (websites visited): Compliance 69%, Security 71%
Email (including attachments): Compliance 66%, Security 69%
Content of desktop or laptop computer: Compliance 51%, Security 50%
Closed circuit TV in secure workspaces: Compliance 43%, Security 45%
Network access and use: Compliance 45%, Security 45%
Data access (including downloads): Compliance 39%, Security 42%
Physical location on premises: Compliance 32%, Security 29%
Physical location off premises (geo tracking): Compliance 16%, Security 18%


Bar Chart 3 shows how respondents view the effectiveness of their organization’s surveillance
methods or systems to thwart illegal activities. In general, all respondents view surveillance as
effective, but compliance practitioners are more likely than security practitioners to see
surveillance as effective in preventing or detecting wrongful activities.

Bar Chart 3: How effective are your organization’s surveillance systems?
(Bar chart; categories: Very effective, Effective, Moderately effective, Not effective, Unsure; series: Security, Compliance.)

Compliance and security disagree about what is most critical in creating effective
surveillance systems to prevent or detect wrongful or illegal activities.

Bar Chart 4 shows marked differences between security and compliance practitioners. Security
practitioners are much more likely to see enabling technologies, budget resources and staffing
(with knowledgeable security practitioners) as key to ensuring effectiveness than compliance
practitioners. Compliance practitioners tend to put their faith in policies and procedures. These
differences make it difficult to reach a consensus on how best to protect the organization from
internal and external attacks, which can result in nothing being done to address the threats.

Bar Chart 4: What can be done to increase the effectiveness of workplace surveillance?
For respondents who rated surveillance as moderately effective, not effective or unsure (Compliance, Security).

Enabling technologies: Compliance 24%, Security 56%
Budget resources: Compliance 21%, Security 54%
Governance and oversight procedures: Compliance 45%, Security 49%
Knowledgeable security practitioners: Compliance 10%, Security 36%
Training and awareness activities for end-users: Compliance 35%, Security 29%
Leadership across the enterprise (one view): Compliance 8%, Security 23%
Policies and procedures for end-users: Compliance 28%, Security 9%


Compliance respondents are far more confident about their organization’s ability to
prevent or detect employee privacy violations in the workplace.

Bar Chart 5 shows how respondents view the effectiveness of their organization’s compliance efforts in terms of protecting employees’ privacy rights. The gap in this finding is huge, with 60 percent of compliance practitioners saying they are effective in protecting privacy rights versus 30 percent of security practitioners. This finding may be attributed to security professionals’ belief that, in order to enforce compliance and safeguard the organization from internal and external attacks, privacy rights cannot always be protected.

Bar Chart 5: How effective are your organization’s compliance initiatives at preventing or detecting employee privacy violations in the workplace?
(Bar chart; categories: Very effective, Effective, Moderately effective, Not effective, Unsure; series: Security, Compliance. Very effective and effective combined, from the text above: Security 30%, Compliance 60%.)

The following bar chart provides a side-by-side comparison of surveillance and privacy rights
protection in the workplace. Bar Chart 6 shows that compliance practitioners are much more
positive about their organization’s ability to achieve both a high state of surveillance and a high
level of privacy protections than security practitioners.

Bar Chart 6: Combined very effective and effective ratings for surveillance and privacy rights protection.

Surveillance: Security 44%, Compliance 57%
Privacy rights: Security 30%, Compliance 60%


Both groups agree that surveillance makes it possible to identify malicious acts.

Bar Chart 7 summarizes what respondents believe are the most important issues or problems
solved by surveillance activities. As can be seen, both security and compliance practitioners are
generally consistent in their perceptions. For both groups, the most important issues concern the
identification of malicious acts and the deterrent factor. It is not a surprise that compliance is more
positive about the ability of surveillance to show compliance with laws and policies.

Bar Chart 7: What problems does employee surveillance solve?
(Compliance, Security)

Helps to identify wrongful or malicious acts: Compliance 70%, Security 68%
Serves as a deterrent to undesirable behavior: Compliance 65%, Security 56%
Demonstrates compliance with laws and policies: Compliance 59%, Security 42%
Improves operational efficiencies: Compliance 24%, Security 23%
Provides substantive evidence for e-discovery: Compliance 29%, Security 18%

Compliance is more likely to believe surveillance creates a “big brother” culture.

One of the first concerns expressed when the topic of workplace surveillance is raised is that the organization risks creating a “big brother” culture that might result in a decline in morale and have other adverse consequences. Compliance practitioners are more concerned about the diminishment of privacy rights and creation of a “big brother” culture, whereas security practitioners are more concerned about operational problems that can result when a surveillance program is not managed properly. These can include an over-dependence on technologies to solve problems and the cost and complexity of instituting surveillance programs.

Bar Chart 8 summarizes what respondents believe are the most serious problems caused by
surveillance activities. While security and compliance practitioners are not consistent in their
perceptions, both groups rate their most serious issue as the diminishment of employee privacy
rights in the workplace.



Bar Chart 8: What problems does employee surveillance create?
(Compliance, Security)

Diminishes employee privacy rights: Compliance 53%, Security 49%
Causes over-dependence on technologies: Compliance 25%, Security 45%
Increases operational complexity and costs: Compliance 16%, Security 43%
Creates a “Big Brother” culture: Compliance 43%, Security 33%

There is a significant gap between compliance and security in the perception of what
employee data is collected.

When asked what types of data are collected about employees for purposes of security, a
majority of respondents acknowledged they collect personally identifiable information. Bar Chart
9 shows that security practitioners are much more likely to say their organizations collect a
substantial amount of personally identifiable information than compliance practitioners. Because
security practitioners implement surveillance procedures, these results indicate that compliance
practitioners may be out of touch with their own organization’s practices.

Bar Chart 9: What types of employee data are collected?
(Bar chart; categories: Only device level information, Minimal amounts of personally identifiable information, Substantial amounts of personally identifiable information; series: Security, Compliance.)

Compliance is more likely to believe that employees are made aware of surveillance
activities.

Bar Chart 10 shows respondents’ responses to the transparency issue – in other words, how
does the organization communicate that it uses various surveillance methods in the workplace.
Bar Chart 10 shows nearly half of security practitioners say their organization does not provide
notice to employees. In sharp contrast, only 17 percent of compliance practitioners say their
organizations do not provide notice.

Bar Chart 10: Are employees made aware of your organization’s surveillance activities?
(Bar chart; categories: Yes, communicated during pre-employment; Yes, communicated during or soon after employee orientation; Yes, communicated informally (no specific timeline); No. Series: Security, Compliance. The “No” responses, from the text above: Security 46%, Compliance 17%.)

Security and compliance have different perceptions about what is the worst outcome of a
surveillance snafu.

Bar Chart 11 summarizes the results of one question that asks respondents to choose what they
perceive as the more serious or worst problem resulting from a surveillance snafu. The two
problems are: (1) failure to detect a wrongful act (a.k.a. Type I detection risk) and (2) the
classification of a legal act as illegal (a.k.a. Type II detection risk).

The biggest gap exists when asked if an employee legitimately downloads a document but it is
recorded as a violation and the employee is wrongfully accused. A significant number (38
percent) of the compliance respondents believe this would be the worst outcome from a
surveillance snafu versus only 12 percent of the security respondents.

As a result of this perceived risk to employees’ rights, compliance may put the brakes on investing in technologies that could be a reasonable approach to protecting against internal attacks, thus exposing the organization to unnecessary risks. On the other hand, security professionals need to be aware of the employee issues created by using surveillance technologies and make every effort to address the fears held by compliance. They should take steps to protect employees from wrongful accusations.

A much larger number of security practitioners (70 percent) and 50 percent of compliance practitioners hold the opinion that the failure to detect a wrongful act is more serious than misclassification. This still represents a significant difference in perception.



Bar Chart 11: In your opinion, which one of the following situations is worse?
(Compliance, Security)

Both are equally bad situations: Compliance 12%, Security 18%
Employee legitimately downloads confidential data onto a USB memory stick, but this act is incorrectly recorded as a security violation by the company’s surveillance system: Compliance 38%, Security 12%
Employee steals confidential data by downloading it onto a USB memory stick, but this act is not detected by the company’s surveillance system: Compliance 50%, Security 70%

There is uncertainty as to who is ultimately responsible for ensuring adequate surveillance policies and procedures are in place.

The next bar chart lists the various functional areas cited by both security and compliance
practitioners as most responsible for ensuring that surveillance activities are managed well. The
pattern of responses shown in Bar Chart 12 suggests marked differences between these two
groups. In short, security practitioners see compliance, no one individual, or legal as the most
responsible functions for achieving surveillance objectives in their organizations.

We believe this perception exists because security respondents probably regard compliance and
legal as responsible for creating the policies and procedures, with security responsible for
their execution. Compliance practitioners, however, see IT and information security as the most
responsible parties.



Bar Chart 12: Who in your organization is most responsible?
(values shown as Compliance / Security)

Compliance                        9% / 23%
No one individual                27% / 22%
Legal                             8% / 16%
Information security (CISO)      20% / 15%
IT (CIO, CTO or equivalent)      23% / 11%
Security (CSO)                   11% /  9%
Human resources                   2% /  4%

Security practitioners look to other technologies as alternative solutions. Compliance
prefers audits, training and easy-to-understand policies for end-users.

Bar Chart 13 summarizes what respondents see as viable alternatives to workplace surveillance.
As shown, security practitioners are much more likely to believe there is no viable alternative to
surveillance than compliance practitioners.

Bar Chart 13: What are the viable alternatives to workplace surveillance?
(values shown as Compliance / Security)

No viable alternative exists                     25% / 55%
Hardened perimeter and network controls          32% / 40%
Strict access governance procedures              44% / 40%
Audits of end-user activities                    45% / 32%
Close supervision and monitoring of end-users    41% / 32%
Strict enforcement for non-compliance            30% / 30%
Training activities for end-users                39% / 23%
Endpoint security procedures                     15% / 19%
Clear policies for end-users                     23% / 10%



Part 3: Methods

Two independent sampling frames of adult-aged individuals who reside within the United States
were used to recruit and select participants for this survey. Our randomly selected sampling
frames were built from several proprietary lists of experienced IT security and compliance
practitioners. In total, 399 IT security practitioners and 381 compliance practitioners served as
our final samples.

Table 1: Sample response        Security    Compliance
Total sample frames             11,090      8,199
Total returns                   415         412
Usable returns                  403         405
Final samples                   399         381
Response rate                   3.6%        4.6%

Pie Chart 1 reports the primary industry sector of all respondents’ organizations (security and
compliance samples combined). As shown, the largest segments include financial services (17
percent), public sector (15 percent), and health and pharmaceutical (11 percent).

Pie Chart 1: Industry distribution of respondents’ organizations (security and compliance
samples combined). Labelled segments: financial services 17%, public sector 15%, health &
pharma 11%. The remaining segments (services, industrial, retail, manufacturing, transportation,
technology, hospitality, energy, media, communications, education & research) account for 9%,
8%, 7%, 6%, 5%, 5%, 5%, 4%, 4%, 3% and 1% respectively; the per-sample breakdown is given in
Appendix I, D4.

Table 2 reports the respondent organization’s global headcount. As shown, a majority of
respondents work within companies with more than 1,000 employees. Over 29 percent of
security practitioners and 30 percent of compliance practitioners are located in larger-sized
companies with more than 5,000 employees.

Table 2: The worldwide headcount of respondents’ organizations    Security    Compliance
Less than 500 people                                                6%          8%
500 to 1,000 people                                                 10%         9%
1,001 to 5,000 people                                               24%         23%
5,001 to 25,000 people                                              31%         30%
25,001 to 75,000 people                                             24%         23%
More than 75,000 people                                             5%          7%
Total                                                               100%        100%



Table 3 reports the respondent’s primary reporting channel. As can be seen, 54 percent of
security practitioners are located in the organization’s IT department. Forty-seven percent of
compliance practitioners are located in the corporate compliance department.

Table 3: Reporting channel of respondents        Security    Compliance
CEO/Executive Committee                          0%          0%
Chief Financial Officer (CFO)                    2%          5%
General Counsel                                  0%          19%
Chief Information Officer (CIO)                  54%         6%
Chief Information Security Officer (CISO)        24%         0%
Compliance Officer                               0%          47%
Human Resources VP                               2%          8%
Chief Security Officer (CSO)                     9%          0%
Chief Risk Officer                               6%          9%
Other                                            3%          6%
Total                                            100%        100%

Table 4 reports the respondent organization’s global footprint. As can be seen, a large number of
participating organizations are multinational companies that operate outside the United States,
Canada and Europe.

Table 4: Global footprint of respondents’ organizations    Security    Compliance
United States                                              100%        100%
Canada                                                     63%         59%
Europe                                                     65%         63%
Middle East                                                20%         18%
Asia-Pacific                                               49%         51%
Latin America (including Mexico)                           38%         35%
Total (multiple responses allowed)                         335%        326%

Table 5 reports the approximate position level or title of respondents. As shown, a majority of
respondents state they are at or above the supervisory level. The mean experience of security
practitioners is 11.32 years and for compliance practitioners is 10.89 years.

Table 5: Respondents’ current position level    Security    Compliance
Senior Executive                                2%          1%
Vice President                                  2%          2%
Director                                        15%         16%
Manager                                         23%         28%
Supervisor                                      18%         16%
Technician                                      25%         5%
Staff                                           9%          28%
Contractor                                      3%          2%
Other                                           3%          2%
Total                                           100%        100%



Part 4. Caveats

There are inherent limitations to survey research that need to be carefully considered before
drawing inferences from findings. The following items are specific limitations that are germane to
most Web-based surveys.

• Non-response bias: The current findings are based on a sample of survey returns. We sent
surveys to a representative sample of individuals, resulting in a large number of usable
returned responses. Despite non-response tests, it is always possible that individuals who did
not participate are substantially different in terms of underlying beliefs from those who
completed the instrument.

• Sampling-frame bias: The accuracy is based on contact information and the degree to which
the list is representative of individuals who are security and compliance practitioners. We also
acknowledge that the results may be biased by external events such as media coverage. We
also acknowledge bias caused by compensating subjects to complete this research within a
holdout period. Finally, because we used a Web-based collection method, it is possible that
non-Web responses by mailed survey or telephone call would result in a different pattern of
findings.

• Self-reported results: The quality of survey research is based on the integrity of confidential
responses received from subjects. While certain checks and balances can be incorporated
into the survey process, there is always the possibility that a subject did not provide a truthful
response.



Part 5. A responsible approach to surveillance technology

IT security and compliance professionals rarely see eye-to-eye on how surveillance should be
used to prevent or detect internal and external attacks. As revealed in this study, compliance
professionals are more likely to believe that surveillance of employees can be effectively
accomplished without diminishing employees’ privacy rights and that securing the workplace from
illegal or unauthorized activities is not as important as ensuring employees’ privacy rights. In
contrast, security professionals tend to believe in the necessity and legitimacy of surveillance to
protect their organizations.

These different perceptions can lead to what has been referred to as “analysis paralysis.” Rather
than address the threats as a problem to be managed holistically and collaboratively,
organizations tend to manage issues within silos. Thus, it is difficult to have a dialog that is based
on what is best for the entire enterprise and weighs the benefits of security vs. the privacy rights
of individuals.

As we learned in this study, compliance professionals’ perceptions about employees’ rights may
result in putting the brakes on investing in technologies that could be a reasonable approach to
protecting against internal attacks, thus exposing organizations to unnecessary risks. On the
other hand, security professionals need to be aware of the employee issues created by using
surveillance technologies and make every effort to address the fears held by compliance.

To advance collaboration between these two groups we recommend organizations take the
following steps.

• Establish commonly used terms and clearly defined policies with respect to the use of
surveillance methods and enabling technologies. This ensures that both security and
compliance understand and agree to the scope and mission of the technologies to be used.
This also is essential when creating procedural guidelines that govern the appropriate use of
the technology.

• Break down the silo mentality. Establish a committee to achieve an all-inclusive, cross-
functional approach to oversee the organization’s surveillance practices and enabling
technologies.

• Build data protection and privacy into the organization’s DNA by educating all employees as
to why both privacy and security are important to the organization. Further, empower and
reward employees to do the right thing.

• Create a culture that fosters collaboration in supporting the organization’s goal to protect the
organization from privacy and security risks. While employees may expect privacy in the
workplace, they also should reciprocate by respecting their employer’s rights to have
sensitive and confidential information protected.

• Establish and use objective metrics that define the organization’s performance in securing the
enterprise. Monitor and measure the technology’s ability to achieve its stated objectives
without overextending its reach. Thoroughly vet the technology for accuracy and conduct
ongoing monitoring to ensure it is maintained.

• Assess the threats to the organization before determining the degree of surveillance required.
Specifically, decide in advance the limits of how much information about employees will be
collected.

• Without diminishing the effectiveness of the technology, consider providing employees with
adequate warning that their activities may be under surveillance.



Final Thoughts

The findings of our research suggest gaps in the way surveillance methods and employee privacy
compliance efforts are maintained. The challenge for organizations concerned with addressing
the risks of both internal and external threats is to ensure that the delicate balance between
privacy and security is properly and consistently applied across the enterprise. As noted above,
achieving harmony requires information security practitioners and compliance professionals to
collaborate closely to close gaps and avoid silos, especially where employees’ privacy rights are
concerned.



Appendix I: Survey Details
The survey was conducted in October and November 2010. Our sampling frame includes
qualified IT security and compliance practitioners located in business and government
organizations in the United States.

Attributions (strongly agree & agree combined)                                              Security  Compliance  Difference
Q1a. The surveillance of employees is necessary to ensure compliance with policies and procedures.   78%   69%   9%
Q1b. The surveillance of employees needs to operate in stealth and secrecy in order to be effective.   75%   40%   35%
Q1c. The surveillance of employees can be effectively accomplished without diminishing employees’ privacy rights.   31%   58%   -27%
Q1d. Securing the workplace from illegal or unauthorized activities is more important than ensuring employees’ privacy rights.   56%   35%   21%
Q1e. Employees have a legitimate right to privacy in the workplace.   39%   73%   -34%
Q1f. Organizations have a legitimate right to conduct surveillance even though it diminishes employees’ privacy rights in the workplace.   80%   60%   20%

Q2. What employee surveillance activities are conducted by your organization?   Security  Compliance  Difference
Internet use                                        77%   70%   7%
Internet behavior (websites visited)                71%   69%   2%
Email (including attachments)                       69%   66%   3%
Content of desktop or laptop computer               50%   51%   -1%
Physical location on premises                       29%   32%   -3%
Physical location off premises (geo tracking)       18%   16%   2%
Network access and use                              45%   45%   0%
Data access (including downloads)                   42%   39%   3%
Closed circuit TV in secure workspaces              45%   43%   2%
Total                                               446%  431%  15%

Q3a. How effective are your organization’s surveillance systems at preventing or detecting wrongful or illegal activities in the workplace?   Security  Compliance  Difference
Very effective          19%   25%   -6%
Effective               25%   32%   -7%
Moderately effective    23%   26%   -3%
Not effective           28%   14%   14%
Unsure                  5%    3%    2%
Total                   100%  100%  0%

Q3b. [If moderately effective, not effective or unsure] What can be done to
increase the effectiveness of your organization’s workplace surveillance
systems? Security Compliance Difference
Leadership across the enterprise (one view) 23% 8% 15%
Governance and oversight procedures 49% 45% 4%
Staffing with knowledgeable security practitioners 36% 10% 26%
Policies and procedures for end-users 9% 28% -19%
Training and awareness activities for end-users 29% 35% -6%
Enabling technologies 56% 24% 32%
Budget resources 54% 21% 33%
Total 256% 171% 85%



Q4. How effective are your organization’s compliance initiatives at
preventing or detecting employee privacy violations in the workplace? Security Compliance Difference
Very effective 11% 26% -15%
Effective 19% 34% -15%
Moderately effective 34% 24% 10%
Not effective 30% 12% 18%
Unsure 6% 4% 2%
Total 100% 100% 0%

Q5. What problems does employee surveillance solve? Security Compliance Difference
Serves as a deterrent to undesirable behavior 56% 65% -9%
Helps to identify wrongful or malicious acts 68% 70% -2%
Demonstrates compliance with laws and policies 42% 59% -17%
Provides substantive evidence for e-discovery 18% 29% -11%
Improves operational efficiencies 23% 24% -1%
Total 207% 247% -40%

Q6. What problems does employee surveillance create? Security Compliance Difference
Creates a “Big Brother” culture 33% 43% -10%
Diminishes employee privacy rights 49% 53% -4%
Causes over-dependence on technologies 45% 25% 20%
Increases operational complexity and costs 43% 16% 27%
Total 170% 137% 33%

Q7. What types of employee data are collected? Security Compliance Difference
Only device level information 23% 34% -11%
Minimal amounts of personally identifiable information 34% 54% -20%
Substantial amounts of personally identifiable information 43% 12% 31%
Total 100% 100% 0%

Q8a. Are employees made aware of your organization’s surveillance activities?   Security  Compliance  Difference
Yes, communicated during pre-employment                          11%   19%   -8%
Yes, communicated during or soon after employee orientation      24%   36%   -12%
Yes, communicated informally (no specific timeline)              19%   28%   -9%
No                                                               46%   17%   29%
Total                                                            100%  100%  0%

Q8b. If yes, is there any recourse available to employees if they have questions or concerns about your organization’s surveillance activities?   Security  Compliance  Difference
Yes       23%   29%   -6%
No        63%   31%   32%
Unsure    14%   40%   -26%
Total     100%  100%  0%

Q9. What constraints are imposed over the security staff who are involved
in surveillance activities? Security Compliance Difference
Background checks of the security staff 42% 41% 1%
Privacy and other specialized training for security staff 54% 53% 1%
Stringent oversight over the security staff 38% 65% -27%
Limited access to surveillance data 41% 51% -10%
Short retention of surveillance data 12% 35% -23%
Total 187% 245% -58%



Q10. In your opinion, which one of the following situations is worse?   Security  Compliance  Difference
Employee steals confidential data by downloading it onto a USB memory stick, but this act is not detected by the company’s surveillance system.   70%   50%   20%
Employee legitimately downloads confidential data onto a USB memory stick, but this act is incorrectly recorded as a security violation by the company’s surveillance system.   12%   38%   -26%
Both are equally bad situations   18%   12%   6%
Total   100%   100%   0%

Q11. Who in your organization is most responsible for ensuring adequate policies and procedures over surveillance activities in the workplace? Security Compliance Difference
IT (CIO, CTO or equivalent) 11% 23% -12%
Information security (CISO) 15% 20% -5%
Security (CSO) 9% 11% -2%
Privacy (CPO) 0% 0% 0%
Human resources 4% 2% 2%
Compliance 23% 9% 14%
Legal 16% 8% 8%
No one individual 22% 27% -5%
Total 100% 100% 0%

Q12. What are the viable alternatives to workplace surveillance? Security Compliance Difference
Clear policies for end-users 10% 23% -13%
Training activities for end-users 23% 39% -16%
Close supervision and monitoring of end-users 32% 41% -9%
Strict enforcement for non-compliance 30% 30% 0%
Strict access governance procedures 40% 44% -4%
Hardened perimeter and network controls 40% 32% 8%
Audits of end-user activities 32% 45% -13%
Endpoint security procedures 19% 15% 4%
No viable alternative exists 55% 25% 30%
Total 281% 294% -13%



Organizational characteristics and demographics

D1. What organizational level best describes your current position? Security Compliance Difference
Senior Executive 2% 1% 1%
Vice President 2% 2% 0%
Director 15% 16% -1%
Manager 23% 28% -5%
Supervisor 18% 16% 2%
Technician 25% 5% 20%
Staff 9% 28% -19%
Contractor 3% 2% 1%
Other 3% 2% 1%
Total 100% 100% 0%

D2. Check the primary person you or your IT security leader reports to
within the organization. Security Compliance Difference
CEO/Executive Committee 0% 0% 0%
Chief Financial Officer (CFO) 2% 5% -3%
General Counsel 0% 19% -19%
Chief Information Officer (CIO) 54% 6% 48%
Chief Information Security Officer (CISO) 24% 0% 24%
Compliance Officer 0% 47% -47%
Human Resources VP 2% 8% -6%
Chief Security Officer (CSO) 9% 0% 9%
Chief Risk Officer 6% 9% -3%
Other 3% 6% -3%
Total 100% 100% 0%

D3. Total years of relevant work experience (mean) 11.32 10.89

D4. What industry best describes your organization’s industry focus? Security Compliance Difference
Communications 4% 3% 1%
Education & research 2% 0% 2%
Energy 4% 4% 0%
Financial services 18% 17% 1%
Health & pharmaceuticals 11% 10% 1%
Hospitality 4% 5% -1%
Industrial 7% 9% -2%
Manufacturing 5% 6% -1%
Media 3% 4% -1%
Public sector 15% 14% 1%
Retail 8% 6% 2%
Services 9% 10% -1%
Technology 5% 4% 1%
Transportation 5% 6% -1%
Total 100% 100% 0%

D5. Where are your employees located? (check all that apply): Security Compliance Difference
United States 100% 100% 0%
Canada 63% 59% 4%
Europe 65% 63% 2%
Middle east 20% 18% 2%
Asia-Pacific 49% 51% -2%
Latin America (including Mexico) 38% 35% 3%
Total 335% 326% 9%



D6. What is the worldwide headcount of your organization? Security Compliance Difference
Less than 500 people 6% 8% -2%
500 to 1,000 people 10% 9% 1%
1,001 to 5,000 people 24% 23% 1%
5,001 to 25,000 people 31% 30% 1%
25,001 to 75,000 people 24% 23% 1%
More than 75,000 people 5% 7% -2%
Total 100% 100% 0%

Ponemon Institute
Advancing Responsible Information Management

Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.

As a member of the Council of American Survey Research Organizations (CASRO),we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we
have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.



A United States Government Case Study

Mission:

In 2007 the United States embarked on a Comprehensive National
Cyber Initiative (CNCI). One major component of this program is the
Trusted Internet Connection (TIC), dictated in OMB memorandum
M-08-05 of November of 2007, specifically designed to improve the
security of Federal agency networks.

TIC reduces the risk to government data by consolidating the number
of internet connection points, establishing common security controls
across the agency and departmental levels, and providing adequate
monitoring capabilities into traffic – thus improving incident response
capabilities.

An aggressive implementation timeline for TIC put pressure on
executive branch agencies to move quickly. Our client, a large
department, was given only three months to complete the tasks of
documenting existing network connections across all offices,
assessing technical architecture plans and security policies and
creating a plan of action with milestones for TIC implementation by
the June 2008 deadline. The department also used the TIC
consolidation project to develop a centralized Security Operations
Center (SOC) to deliver a consistent level and quality of security
monitoring across the components.

“We had to look seriously at our security strategy and find the best
combination of next generation monitoring technologies that would
enable us to implement an efficient TIC architecture, but longer
term also address advanced threats and implement better processes
to make our operations staff more efficient,” said the agency-level
deputy CISO.

Evaluating NetWitness

Due to its critical role in the national security infrastructure, the department was under constant attack from a wide
variety of threats ranging from script kiddies to state-sponsored entities, criminal organizations and political
activists. Thanks to years of hardening by the dedicated staff and a wide variety of technologies, the agency was
effectively fending off most intrusion attempts, but the detection and mitigation of advanced persistent threats
remained a serious challenge. The department had to address this gap through increased network visibility and improved
threat intelligence at the same time as it consolidated into a TIC architecture. Integrating a network security
monitoring and analysis solution to complement existing IDS and security information and event management (SIEM)
technologies was considered critical to providing a much deeper level of analysis and incident response capability. The
security and architecture teams collaborated with peers across other government agencies; the CISO of an intelligence
agency recommended NetWitness NextGen, a technology that had been used successfully for similar problems for a number of
years.

“My peer was raving about NextGen and of the breadth and depth of full visibility into network, application and user
context and content,” said the department’s CISO. “Given the complexity of our environment, we were somewhat
skeptical going into the evaluation process, but a brief evaluation of the solution quickly made it compelling.”

NetWitness NextGen is a network security monitoring solution that was explicitly designed to help combat advanced
cyber security threats. The solution is based on full packet capture and session analysis. It utilizes the most
comprehensive and advanced network session modeling techniques to provide very specific and granular security
analytics into terabytes of data. Using SIEMLink, the department leveraged NextGen’s application layer insights and
intelligence to augment existing security countermeasures and accelerate operational security processes. The resulting
workflow acted as a force multiplier to improve the security team’s efficiency and effectiveness.

Instant Success

The initial NetWitness deployment began with a two-week proof of concept. The department deployed NetWitness
NextGen appliances on its production network, emulating where these appliances would reside in the TIC
configuration, with full access to production data. Both government and contractor support teams worked closely with
NetWitness engineers, a team of cleared professionals who have spent decades working at the forefront of IT security.
Within just two weeks of active testing, the agency was able to uncover both a potentially serious external data breach
and an employee-created data leakage incident. Both of these incidents had been overlooked by the agency’s existing
security technologies and were deemed critical incidents by the department’s leadership.

An Evolutionary Engagement

The initial purchase and phase I deployment went very well. A close working relationship between NetWitness staff and
the TIC project team resulted in a virtually error-free implementation and significant operational improvements within
the department’s security operations and threat analysis teams. Based on the early success of the project, the client has
officially launched its centralized SOC strategy – delivering centralized event analysis, incident coordination, response and
reporting for its components. According to one of the government senior engineers, “On a consistent basis over 60% of
our confirmed kills are now attributed to data we obtain from our NextGen infrastructure versus the combination of other
technologies we have deployed and use.”

Get in the Know.

NetWitness NextGen is not for everyone. The threats facing our customers are advanced and our customers are very
demanding. They are security experts with years of experience and a refined sense for the challenges facing their
organization. NetWitness excels at working with this savvy base of users, whose workload and requirements push the
limits of any platform. Our discerning customers are provided unprecedented access to technical support, our product
and development staff and our executive leadership. Our fanatical focus on this advanced user base, coupled with our
extensive knowledge of advanced threats, resulted in the department taking full advantage of the power of our solution
from day one. Since our initial success together, their appetite for visibility has only expanded, with additional
deployments into the corporate environment.

NetWitness helps clients combat advanced cyber-security threats by giving them an unprecedented level of
knowledge of what is happening across their networks, and providing them the insight needed to take definitive action.
The NetWitness NextGen security monitoring solution has received numerous awards for its innovation and has become
a critically important part of our clients’ day-to-day operations. It is this intersection of rich application data and context
that differentiates the patented NetWitness® products from any other solution available in the market.

To learn more, please visit www.netwitness.com


Email: info@netwitness.com | Phone: 703.889.8950
