NetWitness will soon release NetWitness Platform XDR v12.0 for customer download! This post covers highlights of this upcoming release including the updated product name. For more information on features and functionality, follow the links at the bottom.
New Branding – NetWitness XDR
NetWitness has long been synonymous with world class visibility, enabling customers to hunt for, and respond to, threats observed in network traffic, log data, and on endpoint machines. This has been called many things, from Security Analytics to Evolved SIEM, but now it is commonly known as XDR, eXtended Detection and Response.
Our statement to the world: NetWitness is XDR. We’ve been doing it for years.
Fundamentally, XDR describes an architecture and an approach to threat detection and response that leverages data from multiple sources to provide analysts comprehensive visibility to protect their organizations. While we didn’t coin the phrase, we did invent the concept. NetWitness began merging network, log and endpoint data into a unified data model over a decade ago and have had a fully integrated solution since 2017.
We did XDR first, we do XDR best, and we will continue to deliver on the concept of XDR for years to come.
NetWitness Platform is now NetWitness Platform XDR. You will see this updated branding across the NetWitness user interface. For further details on this identity shift, see the blog here.
Version 12 – The Detection Release
As we adopt new XDR messaging, we are also releasing the first version of the 12.x line of NetWitness. This major release is a rededication to advanced threat detection in 3 ways:
- It is easier for customers to find appropriate and effective threat detection content for their specific organization
- Deployment and management of that content is simplified
- There is greater visibility and understanding of the alerts generated by threat detection
Some of the significant new and improved detection capabilities are summarized below.
To start, the content an organization needs to deploy, in order to extract and analyze meta data from their data sources, is now easier to find. This includes:
- Default / Out-of-the-box detection content
- Content bundles focused on techniques and tactics of interest
- Content bundles for specific industries
Making appropriate, targeted content easier to find is only part of the story. That content must also deliver actionable insights. New threat intelligence content – both 3rd party and home grown – is available and will be updated continuously.
Threat Intelligence Content Bundles
To better help customers identify, download, and deploy pertinent threat intelligence content, our threat research team, FirstWatch, is creating new Threat Intelligence content bundles. While customers can still select threat intelligence content on an individual, atomic basis, they can now also select bundles of pre-identified and curated content that work together to address specific needs. Bundles will be available in many categories, including:
- Sector (Public | Private)
- Industry Vertical
- Geographic Theater
- Threat Actor / Adversary
- Malicious Code & Content
- Tactics, Techniques, and Procedures
- Patterns of Behavior
New bundles will be released starting in Q3 2022 and continuously thereafter, independent of any major or minor platform releases.
Once relevant content has been identified, customers must deploy the pieces to the different components within their NetWitness ecosystem. This was previously a tedious and complex process. Beginning in the 12.0 release, with further enhancements planned for subsequent releases, we are introducing Centralized Content Management.
This functionality will allow customers to manage the deployment of content across their infrastructure through a single, simple user interface. Groups and policies ensure content is automatically deployed to the right services, kept up to date through subscriptions, and managed through its complete lifecycle, including retirement.
Improving how content is identified and managed should naturally lead to better outcomes for the security operations center (SOC) team. Content must drive threat detection and response, an active process engaging SOC personal personnel in making decisions and taking action. To that end, we’ve significantly improved how detections are presented to help analysts focus on what’s most important. Improvements within the “Springboard” analyst console highlight this:
- Rich out of the box Springboard Panels (visual improvements)
- Ability to convert a query into a Springboard Panel (reuse frequent queries – make it easier to use again and bring the info to the forefront)
- Analyst can build custom Springboards, tailoring them to their organization and job responsibilities for improved productivity
Detect AI – New Advanced Analytics in the Cloud
Launching later this year, we are pleased to announce Detect AI Insight, an exciting new analysis capability delivered from the cloud. Detect AI Insight classifies discovered assets and assesses risk. This helps the analyst understand the purpose of an asset during an investigation, as well as the relative importance of that asset within the organization. This information allows an analyst to quickly triage many events, helping them prioritize their investigations and focus on the most impactful signals.
Detect AI is also adding new User and Entitle Behavioral Analysis (UEBA) models focused on network data. Combined with existing models for log and endpoint data, Detect AI now offers full coverage for UEBA from the cloud. This allows customers to deploy advanced analytic capabilities without the need for additional hardware. New models will be released within Detect AI as they become available, further enhancing the value of this offering.
Gaining an Edge – Endpoint Improvements
Endpoint detection capabilities are significantly improved in this release. These improvements include:
- Ability to capture endpoint detections using Imported File Hashes (import a file of known bad file hashes to help flag such issues)
- Use of Yara Rules on the Endpoint Agent, rather than on the backend, to detect threats
- Ability to filter IP traffic (to weed out insignificant traffic and focus on priority traffic) in the Endpoint Agent using CIDR Notation
- Bulk MFT Download (removing size limits to allow large MFT files to be downloaded)
- Reimagined Response to Endpoint Alerts (includes process tree inside alert page)
- Additional platform for detections to help ensure all your endpoints can be monitored: agent support for ARM Processor devices (e.g., Microsoft Surface tablets) and for Windows Server 2022, in addition to support for Windows 11 and Mac OS 12 which were in the 11.7.1 release
Managing the Process
Metrics are an all-important part of effective SOC management, so we have added new measures of an incident’s progress:
- We now support Automatic Journaling and history capture of Incident changes
- This information drives Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) metrics – so you can monitor analyst productivity and responsiveness to incidents
In addition to these major new capabilities, there are numerous additional incremental improvements around user experience, performance, and management. Be sure to check out the product advisory and release notes when v12 is made generally available in Q3 2022.
Product Advisory (release announcement): will be posted to the Community page linked here.
Product Documentation, including Release Notes: https://community.netwitness.com/t5/-/ct-p/netwitness-documentation