RSA recently released NetWitness Platform v11.7.1 for customer download.
What new threat detection, response and management capabilities have been added?
Here are some highlights of both this new release and of v11.7, released in November.
To learn about even more new capabilities, see the links at bottom.
Meta-only Event Reconstruction Views - As analysts review events, the new compact and expanded metadata views provide an alternative workflow for viewing only the high-level details of an event, and for use cases where no raw data is present. This helps analysts sift through large amounts of data more quickly and rapidly identify the source and flow of threat actions. Learn more from this video:
Improved Broker Query Experience – Analyst queries at the top-level Broker now, by default, return partial results when one of the sub-services loses connectivity or times out. This gives a more complete view of detection data even under imperfect hunting conditions. In addition, a hierarchical view of what is attached to the Broker is available, so analysts can exclude particular sub-brokers before running a query when they are not relevant to the search.
Improved Endpoint Detection - Find more threats and mitigate their spread and impact. Detection of Windows Registry-based compromises, including privilege escalation and ransomware threats, has been improved, and additional detections are available via the OPSWAT integration. Offline scans have been added so that air-gapped hosts can be scanned, and the ability to scan all storage attached to a host provides a more comprehensive scan.
Introduction of Centralized Configuration Management – The management of general NetWitness core service configurations can be administered centrally from a single policy-based interface and distributed to multiple services.
Granular RBAC (Role-Based Access Control) for Endpoint Server - Administrators can restrict access to analyst workflows for viewing hosts and files based on the permissions assigned to each role. This facilitates better implementation and enforcement of "least privilege" access for users.
Expanded Endpoint Agent support - Support for macOS Monterey and Windows 11 ensures all your endpoints can be monitored.
Extensive Core Services API Documentation – A comprehensive standalone document outlining all the supported application programming interfaces (APIs) is now available. This will help customers understand available integration points and automation options for NetWitness Platform.
And many more.
For further details and information, refer to the following pages and stay tuned for additional blogs on new capabilities.
Updates to NetWitness Orchestrator were also released, based on the ThreatConnect platform v6.3 (September) and v6.5 (April). Several great new capabilities are included. For further details, refer to the information here:
In other recent news, our Threat Intelligence research team is, as always, hard at work to scout out new malicious activity “in the wild”. Please see their most recent Threat Research Intelligence and Content Blog here: