CAWS is an interesting product. It is designed specifically to answer some powerful questions: (1) Am I at risk of being breached? (2) How can I compare my defensive measures to decide if I have the competitive intelligence that I need? and, (3) How do I gain complete visibility of exploits across all assets within my environment from a single interface?
CAWS is a unique application that mimics a human operator so you have an active honeypot rather than a passive honeypot. It can also mimic vendor product stacks and compare efficiencies. The vendor refers to the CAWS source capture/crawling as the "bait net." The tool focuses on exploits, mostly malware, and follows the kill chain. However, since everything CAWS sees is recorded, you can go back and analyze an attack from start to finish.
CAWS uses data gathered by NSS Labs rather than monitoring your enterprise directly. However, it collects a huge amount of data. You enter a sort of profile of your network. This profile contains the applications, profiles and security products that you select from over 350 options. These represent what you have in your enterprise. As you monitor this profile you learn immediately what NSS Labs has learned about attacks against each item in your profile, the threats that have bypassed your defenses and what you should do about them.
In addition to your profile, CAWS monitors a large number of known malicious URLs. But you can add your own URLs for analysis. We dropped into the dashboard as our starting point. This gave us a summary of applications exploited, total active exploits, URLs hosting exploits, exploits bypassing security products, exploits blocked by security products, total application families targeted and top platforms targeted.
Among other things, the dashboard told us that over the past 30 days it had checked more than three million URLs and found 281 hosting exploits. Drilling down, we see the 281 URLs and we can add them to our block lists. Once we've done that, we can check on a daily basis (seven malicious URLs added today, for example).
Because CAWS is testing tools constantly to ensure that they catch all of the weaknesses present in the tools and applications in their test harness, the tool is an effective means of comparing devices for their security abilities. We looked at a couple of next-generation firewalls and compared them for their effectiveness. This is a good way to help make buying decisions.
CAWS is available at no cost for single users. The enterprise version is reasonably priced and gives several additional capabilities above the free version. This is not a tool to be considered a replacement for defensive devices. Rather, it is a pure-play intelligence tool. The intelligence information that CAWS gathers applies to threats, applications and devices. By creating a profile of your environment, you can proactively determine where you are at risk. Additionally, you can track malicious URLs and update your block lists from a downloadable CSV file.
We liked this tool largely because it lets us track many of the risks associated with threats and vulnerabilities in our enterprise. That is not to say that we should stop vulnerability assessments or pen tests. It simply gives us a tool to be proactive. For example, knowing in advance that our firewall has some discovered weaknesses to specific attacks is useful. Because CAWS lets us see the compromise path for a discovered weakness we can look at the path within our enterprise and take all reasonable measures along the whole path - including on the device itself.
Product: Cyber Advanced Warning System (CAWS)
Company: NSS Labs
Price: CAWS is free. CAWS Enterprise is $5,000 annually or $500 per month per seat (user).
What it does: Threat intelligence centered on device and application susceptibility to threats as well as malicious URLs.
What we liked: Ease of use, comprehensive view of the devices and applications in our environment.