This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- NetWitness Community
- Blog
- Introducing NetWitness Platform XDR v12.0
RobinCohan
Moderator
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
2022-06-03
01:22 PM
A New Name and a Major Release!
NetWitness will soon release NetWitness Platform XDR v12.0 for customer download. This post will cover some of the highlights of this forthcoming release and explain the name change. For more information on features or functionality, follow the links at the bottom.
New Branding - NetWitness XDR
NetWitness has long been synonymous with world class visibility, enabling customers to hunt for, and respond to, threats observed in network traffic, log data, and on endpoint machines. This has been called many things, from Security Analytics to Evolved SIEM, but now it is commonly known as XDR, eXtended Detection and Response.
Our statement to the world: NetWitness is XDR. We’ve been doing it for years.
Fundamentally, XDR describes an architecture and an approach to threat detection and response that leverages data from multiple sources to provide analysts comprehensive visibility to protect their organizations. While we didn’t coin the phrase, we did invent the concept. NetWitness began merging data between network, logs and endpoints over a decade ago and have had a fully integrated solution since 2017! We did XDR first, we do XDR best, and we will continue to deliver on the concept of XDR for years to come.
As such, NetWitness Platform is now NetWitness Platform XDR. You will see this updated branding across the NetWitness user interface. For further details on this identity shift, see the blog here.
Version 12 - The Detection Release
At the same time as we are adopting the XDR messaging, we are also releasing the first version of the 12.x line of NetWitness. This major release is not a massive architectural change, but a rededication to helping customers with detection. We do that in 3 ways:
- Making it easier for customers to find appropriate and effective threat detection content for their specific organization
- Simplifying the deployment and management of that content
- Providing visibility into the signals raised by that content
Some of the significant new and improved detection capabilities are summarized below.
Finding Content
To start, the content an organization needs to deploy, in order to extract and analyze meta data from their data sources, is now easier to find. This includes:
- Default / Out-of-the-box detection content
- Content bundles focused on techniques and tactics of interest
- Content bundles for specific industries
Making it easier to find the desired content is only part of the story. That content must then deliver actionable insights. New threat intelligence content – both 3rd party and home grown – is available and will be updated continuously.
Threat Intelligence Content Bundles
To better help our customers identify, download and deploy our threat intelligence content, our threat research team, FirstWatch, is creating new Threat Intelligence Content Bundles. While customers can still select our threat intelligence content on an individual, atomic basis, they can now also select bundles of pre-identified and curated content that work together to address specific needs. Bundles will be available in many categories, including:
- Sector (Public | Private)
- Industry Vertical
- Geographic Theater
- Threat Actor / Adversary
- Infrastructure
- Malicious Code & Content
- Tooling
- Tactics, Techniques, and Procedures
- Patterns of Behavior
New bundles will be released starting in Q3 2022 and continuously thereafter, independent of any major or minor platform releases.
Deploying Content
Once the right content has been identified, customers must deploy the pieces to the different components within their NetWitness ecosystem. This was previously a tedious and complex process. Beginning in the 12.0 release, with further enhancements planned for subsequent releases, we are introducing Centralized Content Management. This functionality will allow customers to manage the deployment of content across their infrastructure through a single, simple user interface. Groups and policies will be leveraged to easily deploy content to the right services, to keep that content up to date through subscriptions, and to manage the complete lifecycle of that content including content retirement.
Driving Detection
Improving how content is identified and managed is of little value if that content does not lead to better outcomes for the security operations center (SOC) team. Content is meant to drive threat detection and response, an active process engaging SOC personal personnel in making decisions and taking action. To that end, we’ve put significant effort into improving how detections are presented to help analysts focus on what’s most important. Several improvements within the “Springboard” analyst console highlight this:
- Rich out of the box Springboard Panels (visual improvements)
- Ability to convert a query into a Springboard Panel (reuse frequent queries - make it easier to use again and bring the info to the forefront)
- Analyst can build custom Springboards tailoring dashboards to their organization and job responsibilities for improved productivity
Detect AI – New Advanced Analytics in the Cloud
Launching later this year, we are pleased to announce Detect AI Insight, an exciting new analysis capability delivered from the cloud. Detect AI Insight classifies discovered assets and assesses risk. This helps the analyst understand the purpose of an asset during an investigation, as well as the relative importance of that asset within the organization. This information allows an analyst to quickly triage a large numbers of events, allowing them to prioritize their investigations and focus on those signals that would be the most impactful to their organization.
Detect AI is also adding User and Entitle Behavioral Analysis (UEBA) models focused on network data. Combined with models for log and endpoint data which have already been released, Detect AI now offers full coverage for UEBA from the cloud. This allows customers to deploy advanced analytic capabilities without the need for additional hardware. New models will be released within Detect AI as they become available, further enhancing the value of this offering.
Gaining an Edge - Endpoint Improvements
Drilling down a little, one class of detections that have been improved significantly in this release are Endpoint detection capabilities. Endpoint detection improvements include:
- Ability to capture endpoint detections using Imported File Hashes (import a file of known bad file hashes to help flag such issues)
- Use of Yara Rules on the Endpoint Agent, rather than on the backend, to detect threats
- Ability to filter IP traffic (to weed out insignificant traffic and focus on priority traffic) in the Endpoint Agent using CIDR Notation
- Bulk MFT Download (removing size limits to allow large MFT files to be downloaded)
- Reimagined Response to Endpoint Alerts (includes process tree inside alert page)
- Additional platform for detections to help ensure all your endpoints can be monitored: agent support for ARM Processor devices (e.g., Microsoft Surface tablets) and for Windows Server 2022, in addition to support for Windows 11 and Mac OS 12 which were in the 11.7.1 release
Managing the Process
Metrics are an all-important part of effective SOC management so we have added new measures of an incident’s progress:
- We now support Automatic Journaling and history capture around Incident changes
- This information drives Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) metrics - so you can monitor analyst productivity and responsiveness to users incidents.
In addition to these major new capabilities, there are numerous additional incremental improvements around user experience, performance, management. Be sure to check out the product advisory and release notes when v12 is made generally available in Q3 2022.
For further details and information, refer to the following reference sites and stay tuned for more details in the v12 Release Notes when available.
REFERENCE INFORMATION:
Product Advisory (release announcement): will be posted to the Community page linked here.
Product Documentation, including Release Notes: (watch this space!)
https://community.netwitness.com/t5/-/ct-p/netwitness-documentation
Be sure to watch this area of NetWitness.com for other technical blogs and product news.
Labels:
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Latest Articles
- Using NetWitness to Detect Phishing reCAPTCHA Campaign
- Netwitness Platform Integration with Amazon Elastic Kubernetes Service
- Netwitness Platform Integration with MS Azure Sentinel Incidents
- Netwitness Platform Integration with AWS Application Load Balancer Access logs
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- The Sky Is Crying: The Wake of the 19 JUL 2024 CrowdStrike Content Update for Microsoft Windows and ...
- New HotFix: Addresses Kernel Panic After Upgrading to 12.4.1
- Automation with NetWitness: Core and NetWitness APIs
- HYDRA Brute Force
- DDoS using BotNet Use Case
Labels
-
Announcements
64 -
Events
12 -
Features
12 -
Integrations
15 -
Resources
68 -
Tutorials
32 -
Use Cases
31 -
Videos
119
