Wednesday, July 21, 2010

SIEMLink with MARS

Although this is not exactly news, you may not know that one long-standing complaint from the security community about MARS, and to be honest about most SIEMs, is the lack of real session data, or raw packets, for incident response.
Now, one of the hottest products in this arena is NetWitness.

"NetWitness Investigator is the award-winning interactive threat analysis application of the NetWitness NextGen product suite. Investigator provides security operations staff, auditors, and fraud and forensics investigators the power to perform unprecedented free-form contextual analysis of raw network data."

NetWitness has a product called SIEMLink, that can be used with your NetWitness setup to interface with MARS.

Simply install the SIEMLink product and browse the MARS interface. Anywhere you see IP address information, for example in an incident, you can highlight the IP, send it to the NetWitness product, and reconstruct the traffic.


I actually did a demonstration of this a few months ago in London, as part of an ASA Botnet demo; you can see the process here.
I should also mention that you can do this not only with MARS. I have personally done this with Palo Alto, QRadar, and Lancope.


NetWitness also provides a free edition to the community; I would seriously recommend checking this out if it's of interest to you.

You can see some YouTube videos here on NetWitness in action, well worth 5 minutes of your time.

Further news on the upcoming NetWitness v9.5 has just been released, if you are interested.

One of the most compelling areas they have been working on is content extraction: the extraction and analysis of malware, and the collection of certain types of content such as executables, PDF files, etc.

And for enterprise customers, NetWitness Visualize is a great new feature of Informer 2.0.

A YouTube video of the new version is here, and a demonstration site of the cool new Visualize features can be accessed here.
3 comments:

Mars Phanboy said...

Intriguing. So all the equipment syslogs to Mars, and I assume Mars would then have to syslog to the Netwitness box? And once Netwitness has the raw data on box, then SIEMLink can query against it on its own local box?

Anonymous said...

Hi, no, MARS does not syslog to NetWitness.

MARS is simply sending a query to NetWitness with the src and dst IP and the time, and displaying the results.

Remember, MARS is logs, and NetWitness is packets.
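
The log-to-packet pivot described in the reply above (a SIEM incident's src IP, dst IP and time used to query the packet store), as an added example that is not code from NetWitness, Cisco or the commenters; the session record layout, the 30-second clock-skew default and the both-direction matching rule are assumptions made here:

```python
"""Log-to-packet pivot of the kind the reply above describes (added example,
not NetWitness or Cisco code). The SIEM side holds only src/dst IP and a
timestamp; the packet side is queried for sessions matching both endpoints
inside a time window around that timestamp."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Session:            # constructed stand-in for packet-store session metadata
    start: datetime
    end: datetime
    src: str
    dst: str
    service: str


@dataclass
class Incident:           # constructed stand-in for a MARS-style incident
    time: datetime
    src: str
    dst: str


def pivot_window(inc, skew=timedelta(seconds=30)):
    """Time bounds for the packet query. A log timestamp is when the device
    reported the event, not when the flow began, and sensor clocks drift, so
    the window is widened by `skew` on both sides (assumed default)."""
    return inc.time - skew, inc.time + skew


def pivot_sessions(inc, sessions, skew=timedelta(seconds=30)):
    """Sessions involving both incident endpoints, in either direction, that
    overlap the window. Either direction is matched because the SIEM's src/dst
    reflects the first log line's view, which may be the reply half."""
    lo, hi = pivot_window(inc, skew)
    pair = {inc.src, inc.dst}
    return [s for s in sessions
            if {s.src, s.dst} == pair and s.start <= hi and s.end >= lo]


# Constructed sample data: one matching flow, one reversed flow,
# one outside the window, one with a different peer.
T = datetime(2010, 7, 21, 10, 0, 0)
SESSIONS = [
    Session(T - timedelta(seconds=5), T + timedelta(seconds=20), "10.1.1.5", "203.0.113.9", "HTTP"),
    Session(T + timedelta(seconds=10), T + timedelta(seconds=12), "203.0.113.9", "10.1.1.5", "DNS"),
    Session(T - timedelta(minutes=10), T - timedelta(minutes=9), "10.1.1.5", "203.0.113.9", "HTTP"),
    Session(T, T + timedelta(seconds=3), "10.1.1.5", "198.51.100.2", "HTTP"),
]
INCIDENT = Incident(T, "10.1.1.5", "203.0.113.9")

if __name__ == "__main__":
    for s in pivot_sessions(INCIDENT, SESSIONS):
        print(s.service, s.src, "->", s.dst, s.start.time(), s.end.time())
```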

Mars Phanboy said...

The problem I am encountering is that NetWitness has no data, and SIEMLink doesn't do anything but put a query in its window, doesn't pull anything. There is clearly something I am missing. From reading the documentation on NetWitness, perhaps I need to set up a new Remote Collection, which would require purchasing a license? Please forgive my ignorance - can't find a lot of documentation on how to actually get SIEMLink to integrate with my Mars and Palo Alto boxes.