How WitFoo Precinct, along with Gigamon and FireEye, enables Ardalyst's SOC of the Future.
WitFoo Company Background
WitFoo was founded in 2016 by veterans of the US Military, law enforcement and cybersecurity to develop tools and data that will aid in maturing the craft of cybersecurity operations. From 2016 to 2019, WitFoo conducted research with organizations ranging from higher education to the Fortune 500 to develop a comprehensive cybersecurity platform. In January 2020, WitFoo Precinct 6.0 was released for General Availability (GA) as the world’s first Diagnostic SIEM. WitFoo Precinct is available via distribution partner SYNNEX Westcon/Comstor commercially and via GSA Schedule. WitFoo sells exclusively through reselling partners to ensure customer success.
WitFoo Precinct Overview
WitFoo Precinct combines the best practices from the crafts of cybersecurity, US Military, and law enforcement to deliver comprehensive craft metrics and workflows.
Precinct accepts data over diverse transports including syslog (udp/tcp/tls), NetFlow/IPFIX and Kafka message clusters. Additionally, Precinct supports Elastic Beats agent data and connection to a growing number of API integrations with technology partners. For a complete list of current data sources, visit https://www.witfoo.com/tech-specs.
All messages are analyzed using semantic framing, an approach borrowed from Natural Language Processing (NLP), to fully comprehend the meaning of each message, extract its data elements and map them to a common schema. Unknown message types are sanitized and submitted to WitFoo Library, where WitFoo researchers create new semantic frames for the message type. New messages are researched with our technology partners to fully understand the intent and syntax of the messages. Precinct checks for new parsing frames every 5 minutes, and new semantic frames are generally developed in under three (3) business days. This approach allows all WitFoo customers to benefit from the collection of thousands of frames without needing to expend labor to support new or changing data sources.
Precinct stores each message together with the raw message text, forensic data (sending source, timestamps, etc.) and the extracted fields. The search interface allows operators to search all data sources without needing to understand a query language or the message data formats.
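To make the framing and sanitization steps concrete, here is a small illustrative parser written for this overview; it is an added example, not WitFoo's own code, and the frame definitions, schema field names, masking rules and sample syslog lines are all constructed assumptions. A frame is a regex whose named groups map onto common-schema fields; messages that match no frame are sanitized (hosts, addresses, users and secrets masked) so they can be shared for frame development without leaking identifying data, and a field search runs over the extracted fields rather than the raw text.

```python
"""Illustrative semantic-frame style parser (added example, not WitFoo code).

A Frame is a regex plus constants for the common schema. Unknown messages are
sanitized before they would be submitted for frame development. Frame
definitions, schema names and sample lines are assumptions for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Common schema field names used by every frame (assumed names).
SCHEMA_FIELDS = ("event_type", "src_ip", "src_port", "dst_ip", "dst_port",
                 "user", "action", "protocol")


@dataclass
class Frame:
    name: str
    pattern: re.Pattern           # named groups become schema fields
    constants: dict               # schema fields fixed for this frame


FRAMES = [
    Frame("sshd_failed_password",
          re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                     r"(?P<user>\S+) from (?P<src_ip>[\d.]+) port (?P<src_port>\d+)"),
          {"event_type": "authentication", "action": "failure", "protocol": "ssh"}),
    Frame("iptables_drop",
          re.compile(r"kernel: \[.*?\] DROP IN=\S* .*?SRC=(?P<src_ip>[\d.]+) "
                     r"DST=(?P<dst_ip>[\d.]+) .*?PROTO=(?P<protocol>\w+) .*?DPT=(?P<dst_port>\d+)"),
          {"event_type": "network", "action": "block"}),
]


@dataclass
class ParsedMessage:
    raw: str                      # raw message is always kept
    source: str                   # forensic data: sending source
    received_at: str              # forensic data: receipt timestamp
    frame: Optional[str]          # None when no frame matched
    fields: dict = field(default_factory=dict)


def apply_frames(raw, source, received_at):
    """Return the message mapped to the common schema, or unframed if unknown."""
    for fr in FRAMES:
        m = fr.pattern.search(raw)
        if m:
            fields = {k: v for k, v in m.groupdict().items() if k in SCHEMA_FIELDS}
            fields.update(fr.constants)
            return ParsedMessage(raw, source, received_at, fr.name, fields)
    return ParsedMessage(raw, source, received_at, None, {})


IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
EMAIL = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SYSLOG_HEADER = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ")


def sanitize(raw):
    """Mask identifying data so an unknown message can be shared for frame research."""
    s = SYSLOG_HEADER.sub(r"\1 <host> ", raw)        # drop the sending hostname
    s = IPV4.sub("<ip>", s)
    s = EMAIL.sub("<email>", s)
    s = re.sub(r"\buser\s+\S+", "user <user>", s, flags=re.IGNORECASE)
    s = re.sub(r"\b(key|password|passwd|token|secret)=\S+", r"\1=<redacted>", s,
               flags=re.IGNORECASE)
    return s


def ingest(lines, source="10.0.0.1", received_at="2024-01-14T10:22:10Z"):
    """Frame every line; collect sanitized copies of the ones no frame understood."""
    parsed, unknown = [], []
    for raw in lines:
        pm = apply_frames(raw, source, received_at)
        parsed.append(pm)
        if pm.frame is None:
            unknown.append(sanitize(raw))
    return parsed, unknown


def search(parsed, **criteria):
    """Field search across all sources: no query language, no format knowledge needed."""
    return [p for p in parsed if all(p.fields.get(k) == v for k, v in criteria.items())]


# Constructed sample lines (not real telemetry).
SAMPLE_LINES = [
    "Jan 14 10:22:01 bastion sshd[2211]: Failed password for invalid user admin "
    "from 203.0.113.45 port 51234 ssh2",
    "Jan 14 10:22:05 fw01 kernel: [1234.5] DROP IN=eth0 OUT= MAC=00:11:22:33:44:55 "
    "SRC=198.51.100.7 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF "
    "PROTO=TCP SPT=44321 DPT=22 WINDOW=29200",
    "Jan 14 10:22:09 app01 acmeapp[77]: user jsmith from 10.0.0.9 opened vault key=secret123",
]

if __name__ == "__main__":
    parsed, unknown = ingest(SAMPLE_LINES)
    for p in parsed:
        print(p.frame, p.fields)
    print("to submit for framing:", unknown)
    print("blocked:", [p.raw for p in search(parsed, action="block")])
```

The third sample line matches no frame, so only its masked form (hostname, IP, user and the `key=` value replaced) is queued for submission; the two framed lines are searchable by schema field regardless of which product emitted them.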
Using investigative models borrowed from law enforcement, WitFoo Precinct builds relationships among all network computers, users, files, and emails. Precinct evaluates them for potential nefarious behavior by analyzing data, objects, and relationships for matches against the modus operandi of attackers.
Normalized incidents are analyzed using high-level Security Orchestration, Automation & Response (SOAR). WitFoo SOAR checks entire incidents for all the observations that an expert analyst would make. The results of these observations raise or lower the suspicion of incidents. Suspicion informs investigators whether there is sufficient evidence to act against attacking hosts or compromised credentials.
Precinct analyzes every incident to determine if the security architecture successfully disrupted (blocked/quarantined, etc.) an attack. These incidents are closed as “disrupted” and generally do not require action by the local operator.
SOAR actions are available via API integrations and are triggered by operators holding the required RBAC permissions. SOAR actions can also be triggered remotely from enabled Aggregation clusters.
Proactive Diagnostic Metrics
Precinct provides readiness metrics by inventorying all security controls and evaluating the operational efficiency of each tool.
Precinct clusters can be as small as a single node with 24GB of RAM and 8 CPU cores. Clusters can be scaled out with any number of data and processing nodes, so ingestion, processing and storage capacity grow with the node count. Precinct can deploy on physical hardware, virtual hypervisors, public and private cloud, or in combination. Details can be found at https://www.witfoo.com/tech-specs.
WitFoo Precinct can operate in offline or intermittent communication networks. For completely disconnected deployments, WitFoo Coordinator can be used to allow for air-gapped operation (https://community.witfoo.com/forums/topic/witfoo-precinct-offline-mode-using-coordinator/).
WitFoo Precinct operates in two separate modes: Normal and Aggregation.
Normal Operation Mode
Normal Operation Mode collects and analyzes local data, producing incidents and metrics. Deployments running in Normal mode can be configured to send data to clusters operating in Aggregation mode. Connections to Aggregation clusters are one way (Normal as client, Aggregation as server) over HTTPS (443/tcp).
Aggregation Operation Mode
Deployments in Aggregation Operation Mode can receive full Incident information (including raw messages) from other Precinct Deployments configured to send to them. These sending deployments can be running in Normal or Aggregation Mode. Data sent to Aggregation clusters is queued and delivery is confirmed, to account for unstable internet connections.
Aggregation clusters can publish:
- Response actions for downstream Normal nodes to execute.
- Search jobs to execute and forward results.
- Detection rules for downstream Normal nodes to use in creating incidents.
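The one-way, queued and confirmed exchange described above can be illustrated with a small store-and-forward simulation; this is an added example written for this page, not WitFoo's protocol, and the message shapes, the "work" carried back in the acknowledgement and the link-failure patterns are constructed assumptions. The Normal-mode node keeps every incident queued until the Aggregation server acknowledges it, the server deduplicates by incident id so that a retry after a lost acknowledgement is harmless, and because only the client ever opens a connection, the server's published response actions, search jobs and detection rules ride back in the reply to each check-in.

```python
"""Store-and-forward between a Normal-mode node and an Aggregation server.

Added example, not WitFoo's implementation. Incident shapes, reply shapes and
the simulated link behaviour are assumptions constructed for illustration.
"""
from collections import OrderedDict

WORK_KINDS = ("response_actions", "search_jobs", "detection_rules")


class AggregationServer:
    """Server side: accepts incidents idempotently and publishes work downstream."""

    def __init__(self):
        self.incidents = {}                              # keyed by incident id
        self.published = {k: [] for k in WORK_KINDS}
        self.deliveries = 0                              # counts duplicates too

    def publish(self, kind, item):
        self.published[kind].append(item)

    def receive(self, batch):
        accepted = []
        for inc in batch:
            self.deliveries += 1
            self.incidents.setdefault(inc["id"], inc)  # duplicate ids are ignored
            accepted.append(inc["id"])
        # The reply is the only channel back down the one-way link.
        return {"ack": accepted,
                "work": {k: list(v) for k, v in self.published.items()}}


class FlakyLink:
    """Simulated unstable connection (constructed): each call follows a pattern entry,
    one of 'ok', 'down' (request never arrives) or 'ack_lost' (request arrives,
    reply is lost)."""

    def __init__(self, server, pattern):
        self.server, self.pattern, self.calls = server, list(pattern), 0

    def post(self, batch):
        mode = self.pattern[self.calls % len(self.pattern)]
        self.calls += 1
        if mode == "down":
            raise ConnectionError("link down")
        reply = self.server.receive(batch)
        if mode == "ack_lost":
            raise ConnectionError("reply lost")
        return reply


class NormalNode:
    """Client side: queues incidents, checks in periodically, drops only acked items."""

    def __init__(self, link):
        self.link = link
        self.queue = OrderedDict()                       # preserves send order
        self.work = {k: [] for k in WORK_KINDS}
        self.attempts = 0

    def enqueue(self, incident):
        self.queue[incident["id"]] = incident

    def check_in(self, batch_size=10):
        """One periodic check-in. Returns True when the server acknowledged."""
        self.attempts += 1
        batch = list(self.queue.values())[:batch_size]
        try:
            reply = self.link.post(batch)
        except ConnectionError:
            return False                                 # everything stays queued
        for iid in reply["ack"]:
            self.queue.pop(iid, None)
        self.work = reply["work"]                        # latest published work
        return True


def run_scenario():
    """Link is down, then the ack is lost, then it works: no incident is lost or duplicated."""
    server = AggregationServer()
    server.publish("detection_rules", {"id": "RULE-EXAMPLE-1", "name": "constructed rule"})
    node = NormalNode(FlakyLink(server, ["down", "ack_lost", "ok"]))
    node.enqueue({"id": "INC-1", "summary": "constructed incident 1"})
    node.enqueue({"id": "INC-2", "summary": "constructed incident 2"})
    outcomes = []
    while node.queue and node.attempts < 10:
        outcomes.append(node.check_in())
    return {"outcomes": outcomes,
            "queued": len(node.queue),
            "unique_incidents": sorted(server.incidents),
            "deliveries": server.deliveries,
            "rules_received": [r["id"] for r in node.work["detection_rules"]]}


if __name__ == "__main__":
    print(run_scenario())
```

In the scenario the second attempt is received but its acknowledgement is lost, so the node resends both incidents on the third attempt; the server sees four deliveries but stores exactly two incidents, and the node learns of the published detection rule only on the attempt whose reply actually arrives.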
WitFoo Support and Training
WitFoo Certified User (WFCU) training is available at no cost on https://community.witfoo.com (sign-up required). The WFCU course covers WitFoo philosophies, mechanics, configuration and workflows. Additional training can be obtained through WitFoo Gold Partners. Email, web and phone support are available 8×5 via WitFoo personnel. Additional support options are available through WitFoo Partners.
WitFoo – SOC of the Future (SOTF) for US Navy
Fleet Deployments – US Navy shore, mobile expeditionary and afloat nodes, including shore infrastructure and permanently installed shipboard components. Fleet Deployments run in WitFoo Precinct Normal Operating Mode.
Shore SOC – Centralized Security Operation Centers with advanced personnel skillsets monitoring many Fleet Deployments. Shore SOC deployments run in WitFoo Precinct Aggregation Mode.
In Fleet Deployments, WitFoo receives telemetry from the Gigamon visibility fabric, FireEye Endpoint & Network solutions and deployment-level logging technologies at the ship level. Using WitFoo Precinct adaptive parsing, proprietary message types will be understood through custom semantic frames. All data will be analyzed at the Fleet Deployment. Fleet Deployments will periodically check in with the Shore SOC (every minute when communications allow). The Shore SOC receives full incident data from Fleet Deployments and can publish response actions via FireEye (or other supported integrations) to remediate attacks, queue search jobs, and publish detection logic to those Fleet Deployments. Fleet Deployment readiness is available for review at the Shore SOC.