Savvius Vigil: Enhancing Security Investigations With Critical Packet Data
Introducing Savvius Vigil

Aug 13, 2015

Savvius, Inc
Transcript
Page 1: Introducing Savvius Vigil

Savvius Vigil: Enhancing Security Investigations With Critical Packet Data

Page 2: Introducing Savvius Vigil

Corporate Overview 2

Savvius, Inc.
Headquarters: San Francisco Bay Area
Customers: Over 7,000 (U.S., EMEA, APAC)
Founded: 1990
Formerly: WildPackets

Mission: Create advanced, high-performance products that provide unprecedented insight into network performance issues and security incident investigations.

Page 3: Introducing Savvius Vigil


Savvius Tools for Network Professionals

Software to view, analyze, and investigate.

Network traffic capture and analytics appliances.

Page 4: Introducing Savvius Vigil


Network Problems Occur in a Complex Environment

[Diagram: data center (Authenticate, Call Manager, Secure WEB, CITRIX, two App Delivery Controllers, application servers, SQL Cluster, Oracle Cluster, Core Switch, Firewall) connected to a corporate campus and a remote office (Access Points, Access Switch, Integrated Services Router, Wireless Controllers).]

Reported symptoms: Content? Performance? Connectivity? Delays, latency, slowness; network access, WLAN connects, intermittent drops; transaction verification, personnel, security.

What is the problem?

Page 5: Introducing Savvius Vigil

© Savvius, Inc. Confidential

Investigations “silo by silo” leave out critical insights. The network is the first one to be blamed!

Silos:
‒ Computing Platforms: Database, Compute, Storage, Virtualization
‒ Network: Wireless, Data Center, LAN, WAN
‒ Application: Operations, Deployment, Test, Development
‒ Security: Response, Detection, Forensics

Traditional Approaches Don’t Work!

Page 6: Introducing Savvius Vigil


Savvius Solutions

Product | Use | Traffic | Environment | Storage
Omnipliance | Packet capture for troubleshooting | Up to 16.5 Gbps | Data centers, remote offices | 4-128 TB
Omnipliance WiFi | WLAN troubleshooting including 802.11ac | Up to 3.8 Gbps | Enterprise WLAN | 8 TB
Savvius Vigil | Long-term packet storage for security investigations | IDS performance up to 9 Gbps | Cybersecurity infrastructure | 64 or 128 TB
OmniPeek Professional | Software for analytics and troubleshooting | Platform dependent | Portable network analysis | N/A
OmniPeek Enterprise | High-performance software for analytics and troubleshooting | Platform dependent | Network analysis | N/A
Capture Engine for OmniPeek | Software for remote troubleshooting and analysis | Platform dependent | Distributed | Platform dependent
USB WiFi Adapter for OmniPeek | WLAN adapter for portable analysis | 200 Mbps | Portable | N/A

Page 7: Introducing Savvius Vigil


Global Customers: Financial, Education, Government, Health Care / Retail, Telecom, Technology

Page 8: Introducing Savvius Vigil

Introducing Savvius Vigil.

Employing decades of network forensics expertise to enhance security investigations.

Network insight for performance and security

Page 9: Introducing Savvius Vigil

Savvius Vigil does not prevent breaches. After all …

Page 10: Introducing Savvius Vigil

… perimeter defenses have become quite sophisticated. But …

Page 11: Introducing Savvius Vigil

perimeter security is never perfect. And …

Page 12: Introducing Savvius Vigil


… breaches are expensive.

Source: Pixlcloud

Page 13: Introducing Savvius Vigil


Making packet data available for security investigations

Page 14: Introducing Savvius Vigil


Five Savvius Vigil Assumptions

1. You have assets to protect: financial information, patient records, confidential data.
2. Your perimeter isn’t perfect: your organization is penetrated right now.
3. Delayed discovery is inevitable: data breaches are typically discovered six months later.
4. Network packets are valuable: security investigations need more than logs and events.
5. You can’t store all network traffic: months of network traffic requires petabytes of storage.

Page 15: Introducing Savvius Vigil

Savvius Vigil automatically extends the packet-enabled investigation window from hours to months.

Page 16: Introducing Savvius Vigil


How Savvius Vigil Works

[Diagram: network traffic passing through IDS/IPS sensors, which send events to the IDS console.]

An IDS/IPS generates events continuously
‒ Often for immediate investigation
‒ Each event includes a very limited amount of data

Too many events to investigate each one
‒ IDS/IPS systems are tuned to match the security team’s capability
‒ “Breaches will slip by…”

It starts with your SIEM’s intrusion detection (or selected IP addresses).

Page 17: Introducing Savvius Vigil


How Savvius Vigil Works

[Diagram: the same IDS/IPS event flow, with Savvius Vigil consuming the events from the IDS console.]

Savvius Vigil uses IDS/IPS events to filter packets out of the network traffic.

Integration with: HP ArcSight, Cisco FireSIGHT, Snort, Suricata (more added regularly).

In addition, all traffic to high-value IP addresses can be stored.

Page 18: Introducing Savvius Vigil


How Savvius Vigil Works

[Diagram: a timeline running from “5 minutes ago” to “Now” for six hosts, IP #1 through IP #6.]

Savvius Vigil buffers ALL network traffic (represented here by 6 IP addresses).

Step 1: An IDS event comes in, alerting on two IP addresses:

Step 2: All packets between those addresses for up to five minutes before and after (settable) are stored:

Step 3: Packets to or from one of those IP addresses are also stored (“Associated Conversations”) if desired:

Step 4: Packets that are not associated with either event IP address are ignored:
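The four steps above, written out as a selection filter over a rolling packet buffer. This is an added illustration, not Savvius code; the packet and event records, IP addresses and timestamps are constructed for the example, and the `Packet`/`Event` types and `select_packets` name are assumptions.

```python
"""Event-driven packet selection: keep only the packets that an IDS
event makes relevant, drop the rest. Added example, not Savvius code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # capture time, seconds since epoch
    src: str      # source IP address
    dst: str      # destination IP address
    length: int   # bytes on the wire


@dataclass(frozen=True)
class Event:
    ts: float     # time the IDS/IPS raised the event
    ip_a: str     # the two IP addresses named in the event
    ip_b: str


def select_packets(buffer, event, window_s=300, associated=False):
    """Return the packets to retain for one event.

    window_s:   seconds before and after the event (the slides' settable
                +/- 5 minutes; 300 s by default).
    associated: also keep packets to or from either event IP that involve
                a third host ("Associated Conversations", step 3).
    Packets outside the window, or touching neither event IP, are ignored
    (step 4) and age out of the buffer."""
    lo, hi = event.ts - window_s, event.ts + window_s
    pair = {event.ip_a, event.ip_b}
    kept = []
    for p in buffer:
        if not lo <= p.ts <= hi:
            continue                      # outside the retention window
        ends = {p.src, p.dst}
        if ends == pair:                  # step 2: between the two event IPs
            kept.append(p)
        elif associated and ends & pair:  # step 3: one event IP, a third host
            kept.append(p)
    return kept


# Constructed sample buffer (all addresses and times are made up).
BUFFER = [
    Packet(1000, "10.0.0.1", "10.0.0.2", 500),  # between event IPs, in window
    Packet(1100, "10.0.0.2", "10.0.0.1", 60),   # reply, in window
    Packet(1150, "10.0.0.1", "10.0.0.3", 700),  # associated conversation
    Packet(1200, "10.0.0.5", "10.0.0.6", 900),  # unrelated, ignored
    Packet(400, "10.0.0.1", "10.0.0.2", 500),   # event IPs, but too old
]
EVENT = Event(ts=1000, ip_a="10.0.0.1", ip_b="10.0.0.2")
```

With the default window `select_packets(BUFFER, EVENT)` keeps the two packets exchanged between the event IPs; passing `associated=True` adds the conversation with the third host, and a 60-second window narrows the result to the single packet at the event time.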

Page 19: Introducing Savvius Vigil


[Chart: Days of Stored Events (0 to 1000 days) against Events/Day from IDS/IPS (0 to 1000), with one curve for +/- 5 minutes and one for +/- 2 minutes.]

Note: Approximate, assuming 125 packets per second per conversation, 750 bytes per packet, multiple of 8.5 for Associated Conversations.
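The chart's sizing assumptions turned into a small capacity calculator: bytes retained per event for a given window, days of events that fit in a given capacity, and the inverse (how many events per day a capacity can hold for a target retention). Added example, not Savvius code; the decimal-terabyte conversion and the function names are assumptions, and the results are approximate in the same sense as the chart.

```python
"""Capacity planning for event-filtered packet retention, using the
assumptions stated in the slide note. Added example, not Savvius code."""

PKTS_PER_SEC = 125         # packets per second per conversation (slide note)
BYTES_PER_PKT = 750        # bytes per packet (slide note)
ASSOCIATED_MULTIPLE = 8.5  # growth when Associated Conversations are kept
TB = 10 ** 12              # assumption: decimal terabytes


def bytes_per_event(window_min, associated=False):
    """Bytes stored for one event: the conversation for window_min before
    and after the event, scaled by 8.5 if associated traffic is kept too."""
    seconds = 2 * window_min * 60
    size = seconds * PKTS_PER_SEC * BYTES_PER_PKT
    return size * ASSOCIATED_MULTIPLE if associated else size


def days_of_stored_events(capacity_tb, events_per_day, window_min,
                          associated=False):
    """Days of events that fit before the oldest must be overwritten."""
    per_day = events_per_day * bytes_per_event(window_min, associated)
    return capacity_tb * TB / per_day


def max_events_per_day(capacity_tb, days, window_min, associated=False):
    """Inverse: event rate a capacity sustains for a target retention."""
    return capacity_tb * TB / (days * bytes_per_event(window_min, associated))


if __name__ == "__main__":
    for window in (5, 2):
        for assoc in (False, True):
            d = days_of_stored_events(128, 1000, window, assoc)
            print(f"+/-{window} min, associated={assoc}: "
                  f"{bytes_per_event(window, assoc) / 1e6:.1f} MB/event, "
                  f"{d:.0f} days at 1000 events/day on 128 TB")
```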

Page 20: Introducing Savvius Vigil


Investigating With Savvius Vigil

Select and refine
‒ Select by date range, event(s), or IP addresses
‒ Refine by source, severity, and other characteristics

Export and view packets
‒ Select time before and after the event and whether to include packets in Associated Conversations
‒ Save and view in OmniPeek
‒ Save standard packet files

Savvius Vigil makes packets available for immediate or long-term investigations.

Page 21: Introducing Savvius Vigil


Takeaways

Packets are critical to effective investigations
‒ “Packets don’t lie”
‒ Investigating a security event without access to packets means all evidence is circumstantial and indirect

Most breaches aren’t discovered right away
‒ Storing packets for months requires intelligent packet storage
‒ Manually selecting which packets to store isn’t good enough

Savvius Vigil provides the answer
‒ Automatic, intelligent packet storage
‒ Organized access to relevant packets for immediate and long-term investigations
‒ See packets before and after events
‒ A vital addition to your existing security infrastructure

Page 22: Introducing Savvius Vigil

Demonstration

Network insight for performance and security

Page 23: Introducing Savvius Vigil

Savvius Vigil: Enhancing Security Investigations With Critical Packet Data