Meet WitFoo Precinct
Next-level Gear for the Good Guys
Pitch and Demo
We strive to be as transparent as possible with our customers and partners. This video is a full sales pitch with product demonstration. Relax, pop some popcorn and learn about what we have built. If you think we can help you, kick the tires by downloading a free trial. Want an even deeper dive? Get free certification at the WitFoo Community.
Data Pipeline – Modern, Big Data Processing
Building on industry-standard big-data technologies, WitFoo Precinct allows data to be collected, indexed and analyzed both as it arrives and retrospectively. Additionally, existing tools and data are incorporated via API interrogation. Data from all sources is normalized into a common taxonomy, allowing for simplified interaction. Data can be stored and accessed on the embedded VM or in external data clusters.
Investigative Engine – Learning & Augmenting the Investigator
Leads are created via a customizable signature language. Artifacts are analyzed both as they arrive and retroactively. Events from all security tools in the organization are analyzed.
Leads are analyzed across data domains using models of human investigative thought and process, reducing false positives and noise by 40%-90%. The system learns to model the suspicion of the investigator as work is performed.
Precinct applies an algorithm based on the common IR logic analysts use to discern risk, renders a Suspicion Score for each incident, and presents analysts with only the fraction of incidents that are investigation-worthy.
Investigations Complete In Minutes, Not Hours
Removing Hours of Busy Work
Precinct presents incidents to analysts complete with all case-relevant evidence from across tools and data domains. Events from affected hosts, users, files, network traffic, and name-spaces are correlated and provided in one place within minutes.
Incidents are displayed visually using the concepts of link-board analysis. The primary “suspects” and their relationships to each other are presented as nodes and edges allowing investigators to determine the scope of the nefarious activity.
Precinct facilitates tribal knowledge sharing across investigations and network hosts by allowing analysts to annotate insights and characterize incidents and resolution techniques.
SecOps Performance, Quantified
Metrics in Context of Business
Precinct analytics support managers with an ability to quantify the business contribution of their teams, inform decision-making, and to justify current and future investments.
Measuring the Craft
IR teams get full visibility into the lifecycle of an incident, including the time from event identification through closure, noise ratios, failure rates, and so on. Metrics are collected organically as work is performed, allowing fact-based communication across the organization.
Measuring the Tools
Precinct also provides visibility into the impact existing security tools have on incident detection, including how many verified security incidents each tool contributes and which tools generate alarm noise. It also detects where tuning is needed across network tools.
WitFoo Precinct runs as a virtual machine (deployed as an OVA) that, in deployments of 10,000 or fewer endpoints, can run as a single instance. In larger organizations, data clusters can be offloaded from the virtual appliance to allow for horizontal processing and storage scale. Details on deployment architecture can be found on the WitFoo Appliance Download page.
Precinct accepts syslog and NetFlow from the organization and connects to security and orchestration tool APIs.
| Tool | Syslog | Field Extraction | Network Communications | User Sessions | API | Lab Insights |
|---|---|---|---|---|---|---|
| Common Event Format (CEF) | Yes | Yes | Yes | Yes | – | – |
| NetFlow v5, v9 | – | Yes | Yes | – | – | Yes |
| NSEL, jFlow, cFlow | – | Yes | Yes | – | – | Yes |
| Palo Alto NGFW | Yes | Yes | Yes | – | – | Yes |
Would you like to see a new integration? Create a Feature Request to see it in an upcoming release.