Investigator 8.6 Release to the World
November 19, 2008

On Monday of this week, we released Investigator 8.6, and we released it free. I thought I would take to this poor, neglected blog and write some thoughts about it. So far the reaction has been very positive. It seems people like what they see, and we are very happy with the many blog posts and positive feedback we are getting. I thought I would answer some questions here directly.
The number one question from the press, blogs, and friends - was “Why?”
It would be easy to say that this is simply a good thing for the security community - and we wanted to contribute. To be sure - there was a lot of that in our discussions. But the truth is - we really don’t sell Investigator. What we sell - are enterprise class, distributed network appliances that perform very high speed network capture, and all the analysis you see in Investigator — in real time — providing weeks and months of historic visibility.
Investigator - is simply the front end for that solution. If you want to know what we do as a company, and what we sell — it is simple. If you like what Investigator does on a gigabyte of packet captures - just imagine it working over 100 Terabytes or more. Imagine having that power over every bit and byte that has entered or left your network over the last month. To be sure - there are reporting engines and alerting engines we sell that automate common analysis - but with Investigator you should get the idea of what we offer enterprise customers.
The number two question that we get - always seems to involve Wireshark, in some sort of competition skew.
Again - the simple truth is that the products are not competitive at all. In fact, they work together to make both products better. In the demonstration videos - I even show how easy it is to open sessions in Wireshark. We use Wireshark every day. And those of you who used to - will still use it. What we hopefully let you do - is find those sessions that need to be looked at - 100 times faster than before. Perhaps a thousand… In the end - I bet Wireshark developers will use Investigator as well. The products complement - not compete.
The next question is about registration. It seems everyone thinks it is a bit cumbersome.
There are several reasons for this. First - we are a small - private - commercial company. We are not a charity, a think tank, or a group of cyber crime fighters. So if we require people to register - it can help us see which industries we should be focusing on, and other marketing needs. We are not going to be overzealous in this regard, but the information will help us be a better company.
Next - there are quite a few ways we have built in extensibility in the product. From custom alert rules - to custom threat and intelligence feeds - to full-on custom session protocol parsing - users of Investigator can contribute by creating extensions. I wanted - personally above all else as CTO - to get a community of users that are pushing the product forward. That is why your registration also registers you for the community. The video tutorial did not focus on this aspect yet - but I will extend it soon. For now - if you are interested in those aspects - you will have to make do with the manuals and the community forums.
The last question - seems to be “Windows - Really?”
Well - remember - this is our front end client software to enterprise solutions. We actually are working in the background to make the client more cross platform. All of our enterprise solutions work on dedicated - very high speed, open Linux architectures. As a small company - we can move faster by picking our battles with technology. All of the database technology that we have written, all of the core components for processing and extracting data, essentially all of our core components - are all already cross platform. When we have time - we will work on getting the UI components there as well.
In the end - we really hope you enjoy Investigator. We hope it makes your jobs easier. Please provide us feedback. We will listen - and we will update often with new capabilities.
