Novetta Cyber Analytics
Know your network. Arm your analysts.
An advanced network-traffic analytics solution.
Dramatically increase the efficiency and effectiveness of IT
security staff and threat responders by providing them with the
right information when they need it.
2. Novetta Cyber Analytics • 7921 Jones Branch Drive • McLean VA 22102 • contact@novetta.com 1
Introduction
The harsh reality of modern network security is that determined attackers will eventually breach enterprise networks: attackers have an asymmetric advantage and need to find only a single vulnerability to gain an initial foothold. Current security tools, including SIEMs, IPS/IDS, and Security Analytics platforms, try to detect and block these attacks, but even today's best commercial, largely automated solutions cannot guarantee immunity from targeted attacks, zero-day exploits, and sophisticated malware. To combat these threats, security teams must be able to rapidly detect, assess, and contain breaches with a network visibility and analysis solution that is both deep and fast.
Novetta Cyber Analytics is an advanced network-traffic analytics solution that gives analysts comprehensive, near real-time cyber security visibility and awareness, filling a critical gap in today's enterprise cyber security toolset. With queries that take only seconds, even at petabyte network-traffic scale, the solution lets analysts get comprehensive answers to complex questions "at the speed of thought," then immediately access the ground-truth network traffic needed for alert triage, incident response and hunting. The solution dramatically increases the efficiency and effectiveness of IT security staff and threat response teams by providing them with the right information when they need it.
The Problem: A PCAP Visibility Gap
During network security investigations, analysts frequently encounter situations where a review of raw packet capture is required to determine whether an alert was accurate. This happens often with SIEM systems and firewall consoles, which (depending on the product) either do not provide immediate access to raw PCAP, or do not allow a broader search of raw PCAP beyond the specific capture attached to the alert.
Leading Security Analytics platforms, on the other hand, were originally designed for PCAP analysis, but for forensics; they have since grown their feature set to handle real-time threat detection, mainly through signature-based deep packet inspection and sandbox detonation of unknown files. Because these solutions unravel all content and extract a large volume of data about observed traffic, even their metadata databases are both enormous and distributed. As a result, especially at very large scale, the ad hoc queries against these databases that are needed to confirm or deny the criticality of an alert, or to rapidly investigate an escalated incident, often take minutes or hours to return comprehensive answers, or never return them at all. This lack of response is debilitating to a security analyst, often forcing them into the tedious and time-consuming task of wrangling data from multiple systems in an attempt to piece together what is happening on their network.
With both SIEMs and Security Analytics platforms, analysts quickly reach a point of frustration due to the lack of rapid and comprehensive answers to queries run against ground-truth PCAP data, and/or the lack of access to the right PCAP itself.
Novetta Cyber Analytics substantially increases the efficiency and effectiveness of security teams.
Key Capabilities
Comprehensive contextual view
• Captures and processes packet
capture data at wire speed from
multiple strategically distributed
sensors across an entire network.
• Facilitates rapid, comprehensive
queries and immediate access to the
original PCAP.
• Creates synthetic sessions to make
individual host-to-host ‘conversations’
understandable to an analyst.
• Generates context-aware security
intelligence that fuses network traffic
data with threat intelligence and
enrichment sources.
Security team ‘super charger’
• Provides a feature-rich web interface
for alert triage, incident response, and
hunting at interactive speeds.
• Identifies behaviors that are
undetectable using signature-based
and forensics-focused solutions.
• Includes 100+ pre-built queries, built
from years of experience working
with network security experts at the
Department of Defense.
• Enables an analyst’s thoughts and
suspicions to be shared within the
database itself.
Key Features
Speed & scale
• Collects network traffic at wire speed, up to 40 Gbps.
• Queries metadata representing
petabytes of network traffic in seconds
using Massively Parallel Processing
(MPP) and a columnar metadata
structure in a centralized analytics hub.
• Supports collection from Novetta
sensors, legacy devices, and packet
capture archives.
• Scales to enterprise levels using a
cluster-based distributed design.
Enriched session views
• De-duplicates, fuses, sessionizes
and centralizes metadata to create
a complete, near real-time, human-
understandable network view across
dispersed network sensors.
• Augments network data via threat
intelligence, registrar and passive DNS,
IP netblock owners, IP geolocation
data, as well as custom sources.
Built for analysts
• Provides an analytics-focused intuitive
web interface for rapid discovery and
analysis.
• Enables one-click immediate
reachback access to original PCAP
files.
• Provides the ability to ‘tag’ sessions and IP addresses to share knowledge and to label subnets (e.g. ‘Web Servers’).
• Integrates seamlessly with third party
tools such as SIEMs, Firewalls, and
Security Analytics solutions and into
existing workflows.
Key Benefits
Analysts see the truth—fast!
• See a complete enterprise-wide view of
the behavior associated with advanced
threats.
• Rapidly contextualize and distinguish between acceptable network traffic behavior and suspicious or malicious events.
• Understand the ground truth of activity
by rapidly going to the source — the
right network traffic.
• Drastically accelerate alert triage,
incident response, and breach
discovery.
• Increase the efficiency of cyber
security workers by an estimated
5X – 10X.
Improved security posture
• Be highly confident in the
thoroughness of alert and incident
response efforts.
• Empower cyber security workers to
think creatively about exactly how to
find intruders.
• Assist analysts in finding never-before-
seen — or even suspected — attacks.
• Maximize the value of existing
infrastructure by discovering
vulnerabilities.
The Solution
But there is a solution. With strategically placed sensors providing a comprehensive, broad, ground-truth view of the network, and with a single contextually enriched columnar ‘table’ of observed network activity at its core, Novetta Cyber Analytics answers complex queries rapidly and completely. An analyst can, for example, quickly find all sessions and hosts related to a particular threat or alert, whether it came from a SIEM, firewall or Security Analytics console, immediately drill into the directly related PCAP, pivot and search through more remotely related PCAP, and then repeat. The rapidity of this iterative process lets an analyst quickly and comprehensively reach conclusions for alert triage, incident response, and pure network hunting.
System Architecture
Deployment Options
100% Novetta Sensors
The most effective way to deploy Novetta
Cyber Analytics is by instrumenting
Novetta sensor technology at all strategic
vantage points on the enterprise network.
Novetta sensors consist of proprietary
software run on standard commercial
off-the-shelf hardware. Novetta sensor
technology compresses and retains
PCAP data at the sensor site and makes
it available on demand to end users. This
design mitigates network congestion and
reduces ingest latency to achieve near
real-time network data processing in the
Cyber Analytics Hub.
100% Legacy Sensors
Customers are never locked into Novetta
sensor technology. The Novetta Cyber
Analytics Batch Ingest Module integrates
existing sensor hardware and PCAP
data repositories on enterprise networks.
Customers can schedule at any interval
the batch ingest of the data they collect
into the Hub.
Hybrid
Novetta Cyber Analytics adapts to the
needs of heterogeneous enterprise
networks. Customers often find that
they would prefer more visibility in
different sections of their network after
understanding the capabilities and
effectiveness of the solution. Any number
of existing sensors and Novetta sensors
can operate concurrently on a network.
Customers can easily swap out existing
sensors or Novetta sensors to fulfill their
unique requirements.
Key architectural notes: Strategically placed sensors, distributed raw PCAP storage, centralized metadata-based hub
Systems Integration
Novetta Cyber Analytics integrates with existing security solutions by providing a RESTful web API, a Python API, and a syslog message generation capability. The APIs give external systems direct and secure programmatic access to the Analytics back-end engine with minimal integration effort: an administrator simply adds a new menu item to launch an analytical search, and analysts have direct access to Novetta Cyber Analytics from within their primary workstation interface. The syslog message generation capability creates syslog messages after an analytical search has executed, giving SIEM tools and other monitoring solutions greater context around network events.
Novetta Cyber Analytics is architected from front to back to enhance the speed and efficiency of security team members when doing
any sort of investigation. Even deployment is fast, with most installations up and running within two weeks — no tuning required.
Analytics
Pre-processing
Novetta Cyber Analytics eliminates
common barriers to network traffic
analysis by pre-processing data at ingest.
The solution performs the following tasks
to facilitate a seamless analytical workflow
that increases the operational tempo of
incident responders and network security
analysts:
• Reassembles sessions partitioned by
asymmetric routing paths.
• Disambiguates sessions from multiple
private IP address spaces across the
enterprise.
• Classifies sessions and nodes to
identify threat actors and traffic
patterns.
• Dissects application-layer services and
indexes parameters for major services.
• Batch-loads sources of existing PCAP
or other traffic data.
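The first two pre-processing steps above (rejoining sessions split by asymmetric routing and disambiguating overlapping private address space), together with the de-duplication of traffic seen by more than one sensor, can be shown on a few flow records. The following is an added example written for this page, not the product's own code or data format. It assumes a simple unidirectional flow record, a sensor-to-site mapping (`SENSOR_REALM`), and a lower-port heuristic to decide which endpoint is the server; the input records are constructed.

```python
"""Fuse unidirectional flow records from several sensors into
bidirectional sessions (added example; record layout and the
sensor-to-realm mapping are assumptions, input is constructed)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Assumed: which site (private address realm) each sensor monitors.
SENSOR_REALM = {"sensor-a": "site-1", "sensor-b": "site-1", "sensor-c": "site-2"}


@dataclass(frozen=True)
class FlowRecord:
    sensor: str
    ts: float        # flow start, seconds since the epoch
    src: str
    sport: int
    dst: str
    dport: int
    proto: str       # "tcp" or "udp"
    packets: int
    nbytes: int


@dataclass
class Session:
    realm: str
    client: str
    cport: int
    server: str
    sport: int
    proto: str
    first_seen: float
    last_seen: float
    fwd_packets: int = 0
    fwd_bytes: int = 0     # client -> server
    rev_packets: int = 0
    rev_bytes: int = 0     # server -> client
    sensors: Set[str] = field(default_factory=set)


def realm_for(rec: FlowRecord) -> str:
    """Private addresses are only unique within the site the sensor watches;
    a session between two public addresses needs no realm."""
    if ipaddress.ip_address(rec.src).is_private or ipaddress.ip_address(rec.dst).is_private:
        return SENSOR_REALM[rec.sensor]
    return "global"


def orient(rec: FlowRecord) -> Tuple[str, int, str, int, bool]:
    """Return (client, cport, server, sport, is_forward).

    Flow records carry no SYN flag, so the server is taken to be the endpoint
    with the numerically lower port (the well-known port), address as tie-break.
    Both halves of a session therefore map to the same key."""
    if (rec.dport, rec.dst) < (rec.sport, rec.src):
        return rec.src, rec.sport, rec.dst, rec.dport, True
    return rec.dst, rec.dport, rec.src, rec.sport, False


def sessionize(records: List[FlowRecord]) -> Dict[tuple, Session]:
    seen = set()
    sessions: Dict[tuple, Session] = {}
    for rec in sorted(records, key=lambda r: r.ts):
        realm = realm_for(rec)
        # Same flow reported by two sensors in the same realm: count it once.
        dup = (realm, rec.ts, rec.src, rec.sport, rec.dst, rec.dport,
               rec.proto, rec.packets, rec.nbytes)
        if dup in seen:
            continue
        seen.add(dup)
        client, cport, server, sport, forward = orient(rec)
        key = (realm, rec.proto, client, cport, server, sport)
        s = sessions.get(key)
        if s is None:
            s = Session(realm, client, cport, server, sport, rec.proto, rec.ts, rec.ts)
            sessions[key] = s
        s.first_seen = min(s.first_seen, rec.ts)
        s.last_seen = max(s.last_seen, rec.ts)
        if forward:
            s.fwd_packets += rec.packets
            s.fwd_bytes += rec.nbytes
        else:
            s.rev_packets += rec.packets
            s.rev_bytes += rec.nbytes
        s.sensors.add(rec.sensor)
    return sessions


# Constructed input: an HTTPS session whose reply returns via a different path
# (seen only on sensor-b), the request seen by both site-1 sensors, a host at
# site-2 reusing the same private IP and ephemeral port, and a DNS lookup.
SAMPLE_RECORDS = [
    FlowRecord("sensor-a", 1700000000.0, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp", 12, 1800),
    FlowRecord("sensor-b", 1700000000.0, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp", 12, 1800),
    FlowRecord("sensor-b", 1700000000.2, "203.0.113.10", 443, "10.0.0.5", 51234, "tcp", 10, 9400),
    FlowRecord("sensor-c", 1700000000.5, "10.0.0.5", 51234, "203.0.113.10", 443, "tcp", 3, 400),
    FlowRecord("sensor-a", 1700000010.0, "10.0.0.7", 53001, "10.0.0.53", 53, "udp", 1, 70),
    FlowRecord("sensor-a", 1700000010.01, "10.0.0.53", 53, "10.0.0.7", 53001, "udp", 1, 160),
]


def describe(s: Session) -> str:
    return (f"[{s.realm}] {s.proto} {s.client}:{s.cport} -> {s.server}:{s.sport} "
            f"fwd {s.fwd_bytes}B/{s.fwd_packets}p rev {s.rev_bytes}B/{s.rev_packets}p "
            f"sensors={sorted(s.sensors)}")


if __name__ == "__main__":
    for sess in sessionize(SAMPLE_RECORDS).values():
        print(describe(sess))
```

Run stand-alone, the six constructed records collapse to three sessions: the site-1 HTTPS session carries both directions even though each half was seen by a different sensor and the duplicated request is counted once; the site-2 record with the identical 5-tuple stays a separate session because its realm differs. The lower-port heuristic is the weak point of this approach: if the sensor can expose TCP flags, the SYN direction should decide client and server instead.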
Performance
Novetta Cyber Analytics is designed
to analyze petabytes of network traffic
at carrier-grade speed and
scale. Novetta Cyber Analytics
represents the state of the art in the
application of network traffic analysis and
has proven itself on the premises of the
largest network in the world — the U.S.
Department of Defense.
• Sensors capture packets at up to 40
Gbps throughput.
• Only essential metadata is extracted
from PCAP and loaded into the
columnar-based centralized analytics
hub to ensure rapid query response
times.
• Queries on metadata representing
petabytes of network traffic run in just
seconds.
• PCAP is archived at the sensor and
retrieved on demand to mitigate
network congestion and latency.
Analyst Empowerment
Novetta Cyber Analytics empowers
incident responders and network security
analysts to ask questions at the speed of
thought, unencumbered by the chores
of remembering syntax, data formats, or
where they stored their network traffic.
Novetta Cyber Analytics exposes an
advanced query construction form and
provides interactive results exploration
features to create a productive analytical
experience. For example, the solution:
• Enables analysts to have total control
over their data via the advanced query
construction form.
• Includes 100+ pre-built, customizable
analytical queries.
• Enables analysts to easily drill down
and pivot within their data sets via the
web UI.
• Retrieves original packet capture from
sensor archives for forensic analysis.
• Distills PCAP data to extract and
decode embedded content.
A simple, clean, and efficient interface, ideal for analysts, incident responders and network hunters.
Contextualization
Novetta Cyber Analytics gives context to events by associating the communicating parties of a session with enrichment data sources. Incident responders and network security analysts receive immediate insight into the agents communicating on their networks. Novetta Cyber Analytics integrates the following sources out of the box:
• City- and country-level geolocation for IP addresses.
• Historic domain names for publicly routable IP addresses.
• Domain name resolutions as observed passively on the wire.
• Whois IP address block assignments.
• Threat intelligence and blacklists.
• Custom subscriptions, spreadsheets, or lists.
An example of queryable session information made available to an analyst
Collaboration
Novetta Cyber Analytics enables teams to create and share knowledge. Incident responders and network security analysts can humanize the traffic data to characterize threats, assets, or activities on their systems. This enables teams to effectively discover and prioritize the triage of threats or targets on their systems. To that end, users can:
• Create and share knowledge by tagging IP addresses and sessions.
• Save, reuse, and share queries.
• Schedule queries and specify the conditions for sending notifications.
• Enforce custom authentication and role-based access control policies.
Tags can be applied manually, in bulk, or automatically.
Let us prove to you just how effective this solution can be.
For more information:
844-NOVETTA (Toll Free)
contact@novetta.com
Product Specifications

Sensor

  Hardware
    Device Type:               Commodity servers
    Packet Capture Storage:    On-board drives, direct-attached storage, and/or SAN/NAS
    Packet Capture Location:   SPAN port or network tap
    Network Traffic Interface: Commodity network interface cards
  Software
    Operating System:          RHEL-based Linux
    PCAP Compression Ratio:    1.3:1 average
    Metadata to Content Ratio: 100:1 average

Analytics Engine

  Hardware
    Device Type:  Commodity servers
    Data Storage: On-board drives
  Software
    Operating System: RHEL-based Linux
    User Interface:   Thin-client web application
    Database:         Massively Parallel Processing EDW (enterprise data warehouse)
    Query APIs:       Web-based (RESTful) and Python

Example Installations

                       Medium        Large                    Extra Large
  Sensors              4x 1 Gbps     8x 1 Gbps + 2x 10 Gbps   12x 10 Gbps
  Metadata Retention   30 days       30 days                  120 days
  Metadata Storage     13.7 TB       93.8 TB                  1.6 PB
  PCAP Retention       7 days        7 days                   7 days
  PCAP Storage         320 TB        2.1 PB                   9.1 PB
Novetta Cyber Analytics runs proprietary software on commodity hardware. It is designed to be configurable to the requirements of
existing network systems. Please speak with a Novetta sales consultant today to learn how it can be integrated with your systems.