The first time I saw this product I almost was literally knocked off my pins. Never, in 52 years in this field, have I seen a collection of dashboards that even comes close to the collection you'll see in ProtectWise.
In my view, one of the most difficult things we do is visualization. We have figured out how to capture a lot of data and we have begun to develop very sophisticated analytics. But being able to make sense of all of that data at a glance – and then be able to dig down to any level of detail that we need – is an immense challenge. The folks at ProtectWise have the whole package and the best visualization I ever have seen. But, let's step back and put this all in context.
The ProtectWise platform is in the cloud. Its purpose is to provide the most comprehensive view of activity on your network available. This goes beyond just capturing data. It extends to deep analytics and sense-making. It all starts with placement of lightweight sensors throughout your network. When I say “lightweight,” that is exactly what I mean. The install package is a mere 12 MB and installs in any Linux environment, real or virtualized. Sensors have a tiny footprint and don't overtax the device on which they reside. The data they collect is compressed up to 80 percent for encrypted transfer to the cloud. The sensors talk to the cloud system and everything they see is collected and stored in the Cloud Network DVR. That means that the data are there for future forensic analysis and retrospective view.
ProtectWise Cloud Network DVR
Price Starts at $40,000 per year.
What it does Full network security monitoring from the cloud.
What we liked If visualizations are the speed bumps in event analysis, this tool has smoothed them all out with its creative Visualizer. With a vast array of analytics and “forever” storage of event data for future analysis, when it comes to figuring out what bad things are happening on your network this tool is the undisputed monarch.
The bottom line This tool belongs in every SOC of organizations that are targets for attack. Coupled with the usual array of security tools, the addition of this one makes the overall package perfect.
Analytics are done in the Wisdom Engine. ProtectWise does a thing it calls “Network Shattering.” What this means is that the tool decomposes everything that comes into the engine and does deep packet inspection that addresses more than 4,000 protocols and applications. Once all of this capture and analysis is processed, it is available for visualization. And that, from the user perspective, is where the dazzle in this product becomes very obvious. If it looks to you as if the Heads-Up Display – the HUD – and the rest of the visualization came from a Hollywood sci-fi designer, you'd be right on target. It did.
The visualization is set up in four main groupings: The HUD, The Killbox, The Explorer and The Sitrep. Each of these, from the HUD on down, has a remarkable level of drill-down and analysis capability. The whole system is built around the kill chain, providing the security analyst with all of the detail they need to detect and defend against – or clean up after, if necessary – attacks.
There are a lot of places where you can begin an analysis. However, the most common start point is the RADAR display in the center of the screen. This is broken down into four quadrants representing traffic to the sensor from North America, Latin America, Europe and Asia, and Australia and the Pacific Rim. Clicking on an event stream in the RADAR display brings up details. Further drill-downs on other screens lets the analyst track all available information about the event/flow.
Forensically, I couldn't ask for a more complete analysis tool. By drilling down and selecting appropriate visualization options, users can recreate the progression of an attack and relate it to the steps in the kill chain. If you need to preserve your evidence or you want to analyze offline, you can save the entire attack – all of the flows – to a pcap file. By drilling down on a particular sensor as shown in the HUD, you can see all of the statistics relating to that sensor. These include protocols, applications, encryption, mail messages and a bubble map that shows the capture estimate. This is a collection of interlinked bubbles that describe and locate – in shared relationships – the protocols seen by the sensor. The bubbles are larger or smaller depending on the intensity of the selected protocol's traffic.
Hovering over any icon or graph gives information about that item and, in many cases, a mouse click will get you more details. Overall, the ProtectWise platform delivers a total Cyber Common Operating Picture (C-COP) and this tool makes an excellent centerpiece for any SOC. However, analysts and researchers will want access to the tool as well. In my lab, I have been working with ProtectWise for a while and I continue to be impressed. It is likely that we will be using this tool to instrument a honeypot in the near future. I look forward to seeing what we can see.