Introducing Savvius Vigil
TRANSCRIPT
Corporate Overview 2
Mission
Savvius, Inc.
Headquarters: San Francisco Bay Area
Customers: Over 7,000 in the U.S., EMEA, and APAC
Founded: 1990 (formerly WildPackets)
Create advanced, high-performance products that provide unprecedented insight into network performance issues and security incident investigations.
Savvius Tools for Network Professionals
Software to view, analyze, and investigate.
Network traffic capture and analytics appliances.
Network Problems Occur in a Complex Environment
[Diagram: a Data Center (Authenticate, Call Manager, Secure WEB, CITRIX, App Delivery Controllers, APP servers, SQL Cluster, Oracle Cluster, Core Switch, Firewall) linked to a Remote Office and a Corporate Campus (Access Points, Access Switch, Integrated Services Router, Wireless Controllers)]
Callouts on the diagram: Content? Performance? Connectivity? Delays, Latency, Slowness; Network access, WLAN connects, Intermittent drops; Transaction verification, Personnel, Security.
What is the problem?
© Savvius, Inc. ‹#›Confidential
Investigations “silo by silo” leave out critical insights.
The network is the first one to be blamed!
Traditional Approaches Don’t Work!
[Diagram: four separate silos]
Computing Platforms: Database, Compute, Storage, Virtualization
Network: Wireless, Data Center, LAN, WAN
Application: Operations, Deployment, Test, Development
Security: Response, Detection, Forensics
Savvius Solutions
Product | Use | Traffic | Environment | Storage
Omnipliance | Packet capture for troubleshooting | Up to 16.5 Gbps | Data centers, remote offices | 4-128 TB
Omnipliance WiFi | WLAN troubleshooting including 802.11ac | Up to 3.8 Gbps | Enterprise WLAN | 8 TB
Savvius Vigil | Long-term packet storage for security investigations | IDS performance up to 9 Gbps | Cybersecurity infrastructure | 64 or 128 TB
OmniPeek Professional | Software for analytics and troubleshooting | Platform dependent | Portable network analysis | N/A
OmniPeek Enterprise | High-performance software for analytics and troubleshooting | Platform dependent | Network analysis | N/A
Capture Engine for OmniPeek | Software for remote troubleshooting and analysis | Platform dependent | Distributed | Platform dependent
USB WiFi Adapter for OmniPeek | WLAN adapter for portable analysis | 200 Mbps | Portable | N/A
Global Customers
Industries: Financial, Education, Government, Health Care, Retail, Telecom, Technology
Introducing Savvius Vigil.
Employing decades of network forensics expertise to enhance security investigations.
Network insight for performance and security
Five Savvius Vigil Assumptions
1. You have assets to protect: financial information, patient records, confidential data
2. Your perimeter isn’t perfect: your organization is penetrated right now
3. Delayed discovery is inevitable: data breaches are typically discovered six months later
4. Network packets are valuable: security investigations need more than logs and events
5. You can’t store all network traffic: months of network traffic requires petabytes of storage
How Savvius Vigil Works
[Diagram: Network Traffic flows through several IDS/IPS sensors, which send Events to an IDS Console]
It starts with your SIEM’s intrusion detection (or selected IP addresses).
An IDS/IPS generates events continuously
‒ Often for immediate investigation
‒ Each event includes a very limited amount of data
Too many events to investigate each one
‒ IDS/IPS systems are tuned to match the security team’s capability
‒ “Breaches will slip by…”
How Savvius Vigil Works
[Diagram: the same IDS/IPS sensors and IDS Console, with Savvius Vigil receiving both the Events and the Network Traffic]
Savvius Vigil uses IDS/IPS events to filter packets out of the network traffic.
Integration with: HP ArcSight, Cisco FireSIGHT, Snort, Suricata (more added regularly)
In addition, all traffic to high-value IP addresses can be stored.
How Savvius Vigil Works
[Diagram: a timeline from “5 minutes ago” to “Now” for six hosts, IP #1 through IP #6]
Savvius Vigil buffers ALL network traffic (represented here by 6 IP addresses).
Step 1: An IDS event comes in, alerting on two IP addresses.
Step 2: All packets between those addresses for up to five minutes before and after (settable) are stored.
Step 3: Packets to or from one of those IP addresses are also stored (“Associated Conversations”) if desired.
Step 4: Packets that are not associated with either event IP address are ignored.
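As an added illustration of the four steps above (example code written for this transcript, not Savvius software), the following Python models a short rolling buffer of all traffic and, for one IDS event, sorts every buffered packet into the event conversation, an Associated Conversation, or ignored. The packets, the six addresses 10.0.0.1 through 10.0.0.6, the event, the 5-minute window and the 10-minute buffer horizon are all constructed sample values; how the real product sizes its buffer is not stated on the page.

```python
"""Model of event-driven packet retention (constructed example, not Savvius code)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # capture time, seconds
    src: str       # source IP address
    dst: str       # destination IP address
    length: int    # bytes on the wire


@dataclass(frozen=True)
class IdsEvent:
    ts: float      # time the IDS/IPS raised the event
    ip_a: str      # the two addresses named in the event
    ip_b: str


class RollingBuffer:
    """Holds every packet seen in the last `horizon` seconds.

    Stands in for the short-term buffer of ALL traffic that packets are pulled
    from once an event arrives.  Packets must be added in time order.  To recover
    a full +/- window around an event the horizon must be at least twice the
    window, so the "before" half is still present once the "after" half is in.
    """

    def __init__(self, horizon: float):
        self.horizon = horizon
        self._packets: deque[Packet] = deque()

    def add(self, pkt: Packet) -> None:
        self._packets.append(pkt)
        cutoff = pkt.ts - self.horizon
        while self._packets and self._packets[0].ts < cutoff:
            self._packets.popleft()   # evict traffic older than the horizon

    def packets(self) -> list[Packet]:
        return list(self._packets)


def classify(pkt: Packet, event: IdsEvent) -> str:
    """Steps 2-4 for a single packet that is already inside the time window."""
    ends = {pkt.src, pkt.dst}
    event_ips = {event.ip_a, event.ip_b}
    if ends == event_ips:
        return "event"          # both ends are the event addresses (Step 2)
    if ends & event_ips:
        return "associated"     # exactly one end is an event address (Step 3)
    return "ignored"            # unrelated to the event (Step 4)


def select_for_event(buffer: RollingBuffer, event: IdsEvent, window: float,
                     include_associated: bool = True) -> dict[str, list[Packet]]:
    """Group buffered packets by retention decision for one event."""
    lo, hi = event.ts - window, event.ts + window
    groups: dict[str, list[Packet]] = {"event": [], "associated": [], "ignored": []}
    for pkt in buffer.packets():
        if not lo <= pkt.ts <= hi:
            groups["ignored"].append(pkt)      # outside the +/- window
            continue
        kind = classify(pkt, event)
        if kind == "associated" and not include_associated:
            kind = "ignored"                   # Step 3 is optional
        groups[kind].append(pkt)
    return groups


def stored_bytes(groups: dict[str, list[Packet]]) -> int:
    """Bytes that go to long-term storage for this event."""
    return sum(p.length for p in groups["event"] + groups["associated"])


# Constructed sample traffic for six hosts; the event names IP #1 and IP #2.
SAMPLE_PACKETS = [
    Packet(650.0, "10.0.0.1", "10.0.0.2", 500),    # older than the window; evicted before selection
    Packet(800.0, "10.0.0.1", "10.0.0.2", 500),    # event conversation, before the event
    Packet(950.0, "10.0.0.1", "10.0.0.3", 300),    # associated (IP #1 <-> IP #3)
    Packet(1000.0, "10.0.0.5", "10.0.0.6", 800),   # unrelated
    Packet(1100.0, "10.0.0.2", "10.0.0.1", 1200),  # event conversation, after the event
    Packet(1250.0, "10.0.0.4", "10.0.0.2", 300),   # associated (IP #4 <-> IP #2)
    Packet(1299.0, "10.0.0.3", "10.0.0.6", 100),   # unrelated
]
SAMPLE_EVENT = IdsEvent(1000.0, "10.0.0.1", "10.0.0.2")


def run_sample(include_associated: bool = True) -> dict[str, list[Packet]]:
    """Feed the sample traffic through a 10-minute buffer and select for the event."""
    buf = RollingBuffer(horizon=600.0)
    for pkt in SAMPLE_PACKETS:
        buf.add(pkt)
    return select_for_event(buf, SAMPLE_EVENT, window=300.0,
                            include_associated=include_associated)


if __name__ == "__main__":
    result = run_sample()
    for kind, pkts in result.items():
        print(f"{kind:>10}: {len(pkts)} packets")
    print("stored bytes:", stored_bytes(result))
```

With the sample traffic, two packets are kept as the event conversation, two as Associated Conversations and two are ignored; turning the Associated Conversations option off moves those two into the ignored group, which is the trade-off between evidence and storage that the next slide quantifies.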
[Chart: Days of Stored Events (y-axis, 0 to 1000 days) versus Events/Day from IDS/IPS (x-axis, 0 to 1000), with one curve for a +/- 5 minute window and one for a +/- 2 minute window]
Note: Approximate, assuming 125 packets per second per conversation, 750 bytes per packet, multiple of 8.5 for Associated Conversations.
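The note's three parameters are enough to reproduce the chart's curves for any window and capacity. The following Python is an added example for this transcript, not a Savvius tool; it takes the stated assumptions (125 packets/s per conversation, 750 bytes per packet, 8.5x for Associated Conversations) and the 64 TB and 128 TB Vigil capacities from the product table, and assumes decimal terabytes and that the window is applied both before and after the event.

```python
"""Storage-days estimate for event-driven packet retention (constructed example, not Savvius code)."""

TB = 10**12          # assumption: capacities are decimal terabytes
VIGIL_CAPACITIES = (64 * TB, 128 * TB)   # from the product table


def bytes_per_event(window_seconds: float, pps: float = 125.0,
                    bytes_per_packet: int = 750,
                    associated_multiplier: float = 8.5,
                    include_associated: bool = True) -> float:
    """Bytes stored for one IDS event.

    Defaults are the chart's stated assumptions.  The window applies before
    and after the event, hence the factor of 2; the 8.5 multiplier covers the
    Associated Conversations and is dropped when that option is off.
    """
    conversation = pps * bytes_per_packet * 2 * window_seconds
    return conversation * (associated_multiplier if include_associated else 1.0)


def days_of_stored_events(capacity_bytes: float, events_per_day: float,
                          window_seconds: float, **kwargs) -> float:
    """Days of events the store holds before the oldest must be dropped."""
    if events_per_day <= 0:
        return float("inf")          # no events: nothing is ever written
    return capacity_bytes / (events_per_day * bytes_per_event(window_seconds, **kwargs))


def curve(capacity_bytes: float, window_seconds: float,
          rates=(250, 500, 750, 1000)) -> dict[int, float]:
    """Points along one chart curve: events/day -> days of stored events."""
    return {r: days_of_stored_events(capacity_bytes, r, window_seconds) for r in rates}


if __name__ == "__main__":
    for cap in VIGIL_CAPACITIES:
        for minutes in (5, 2):
            pts = curve(cap, minutes * 60)
            line = ", ".join(f"{r}/day: {d:6.0f} days" for r, d in pts.items())
            print(f"{cap // TB:>3} TB, +/-{minutes} min: {line}")
```

Under these assumptions a single event with a +/- 5 minute window and Associated Conversations costs about 478 MB, so a 128 TB store holds roughly 268 days of events at 1,000 events/day and about 669 days with the window cut to +/- 2 minutes; the table of planning points printed by the block lets a team pick the window and event rate their capacity supports.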
Investigating With Savvius Vigil
Select and refine
‒ Select by date range, event(s), or IP addresses
‒ Refine by source, severity, and other characteristics
Export and view packets
‒ Select time before and after the event and whether to include packets in Associated Conversations
‒ Save and view in OmniPeek
‒ Save standard packet files
Savvius Vigil makes packets available for immediate or long-term investigations.
Takeaways
Packets are critical to effective investigations
‒ “Packets don’t lie”
‒ Investigating a security event without access to packets means all evidence is circumstantial and indirect
Most breaches aren’t discovered right away
‒ Storing packets for months requires intelligent packet storage
‒ Manually selecting which packets to store isn’t good enough
Savvius Vigil provides the answer
‒ Automatic, intelligent packet storage
‒ Organized access to relevant packets for immediate and long-term investigations
‒ See packets before and after events
‒ A vital addition to your existing security infrastructure