Introducing NetworkSage

Author's Note
Before I get into the announcement, I wanted to simply say thank you. Thank you for your efforts in the field every day, fighting a constantly-evolving battle with adversaries ranging from skiddies to nation-states. The variety and complexity of security challenges are incredible, and you were in our minds as we built this first version of NetworkSage.
The security community is facing an endless onslaught of challenges that evolve quickly and require collaboration to address effectively. If we are to keep our enterprises, organizations, and employees secure, new platforms and methods must rise to the occasion. Today I am overjoyed to introduce NetworkSage! As the name suggests, NetworkSage is a new platform that analyzes network traffic, interprets it, and provides contextual information that leads to answers in seconds.
We created NetworkSage because in my experience -- both personally and while working with hundreds of analysts over my career -- the biggest problems with network traffic are:
  1. It is exceptionally hard to understand quickly
  2. Sharing real network traffic in a meaningful way doesn't exist

A Picture is Worth a Thousand Words

To understand why, let's look at an example. Say you receive an alert from your NDR tool, and you want to take a deeper look around the time of that alert in order to validate it. What you are presented with will vary by vendor, but ultimately will be similar to the following:

Figure 1: Wireshark Conversations View for Sample

Each of the above sessions occurred within a 90 second window, and each of them is encrypted. As an analyst, you’ll have to make a quick decision based on this data, and your decision will affect whether you identify (and respond to) a True Positive, spend minutes to hours investigating a False Positive, or ignore it (and therefore run the risk of a False Negative). I don’t know anyone -- myself included -- who can look at that data and make a confident decision in a reasonable amount of time.
This is where NetworkSage, security's first Network Interpreter, shines. By transforming the sample's raw data into labeled flows, correlating the information provided with the community's existing knowledge, and overlaying just the right amount of information, the answer becomes much clearer:

Figure 2: NetworkSage Events View for Sample

The above sample (which you can review here) was created within seconds after an analyst shared their network data with NetworkSage, despite all of the sessions being encrypted! If they want to dig deeper into the data -- for example, to understand what the community knows about the OpenText File-Sharing Platform -- that information is just one click away.

Figure 3: Community Knowledge for OpenText File-Sharing Platform

By taking a curated “wisdom of crowds” approach to identifying different kinds of network activity, correlated with built-in knowledge about commonality, any analyst can instantly operate as a network expert and make high-confidence decisions in seconds!
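To make the idea above concrete, here is a small added sketch (not NetworkSage's code, and not how the platform is actually implemented) of what "labeled flows correlated with commonality" looks like: constructed Wireshark-style conversation rows for the 90-second window around an alert are aggregated per destination, joined against a constructed stand-in for community knowledge, and ranked so the rarest destinations surface first. The knowledge-base shape (destination to label and commonality score) is an assumption made for the example.

```python
"""Illustrative flow labeling and triage ranking (added example, not NetworkSage's code)."""
from collections import defaultdict

# Constructed Wireshark-style conversation rows:
# (src_ip, dst_ip, dst_port, bytes_transferred, seconds_after_alert)
CONVERSATIONS = [
    ("10.0.0.5", "203.0.113.10", 443, 18_400, 2),
    ("10.0.0.5", "203.0.113.10", 443, 9_100, 30),
    ("10.0.0.5", "198.51.100.7", 443, 640, 12),
    ("10.0.0.5", "198.51.100.7", 443, 720, 71),
    ("10.0.0.5", "192.0.2.44", 8443, 31_000, 40),
    ("10.0.0.5", "192.0.2.99", 443, 2_300, 400),  # outside the 90 s window, ignored
]

# Constructed stand-in for "community knowledge" (assumed structure):
# destination -> (human-readable label, commonality), where commonality is the
# fraction of community samples in which that destination has been seen.
KNOWLEDGE = {
    "203.0.113.10": ("OpenText File-Sharing Platform", 0.42),
    "198.51.100.7": ("OS update service", 0.97),
}


def label_flows(conversations, knowledge, window_s=90):
    """Aggregate raw sessions per destination inside the alert window, attach a
    label and commonality score, and return events rarest-first.

    Destinations the knowledge base has never seen get commonality 0.0, so they
    sort to the top: those are the sessions an analyst should look at first,
    even though every one of them is encrypted and looks alike in a packet view.
    """
    per_dst = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for _src, dst, port, nbytes, t in conversations:
        if 0 <= t <= window_s:
            per_dst[(dst, port)]["sessions"] += 1
            per_dst[(dst, port)]["bytes"] += nbytes

    events = []
    for (dst, port), agg in per_dst.items():
        label, commonality = knowledge.get(dst, ("unknown destination", 0.0))
        events.append({"destination": f"{dst}:{port}", "label": label,
                       "commonality": commonality, **agg})

    # Rarest destination first; ties broken by the most data transferred.
    events.sort(key=lambda e: (e["commonality"], -e["bytes"]))
    return events


if __name__ == "__main__":
    for event in label_flows(CONVERSATIONS, KNOWLEDGE):
        print(f'{event["destination"]:<20} {event["label"]:<32} '
              f'commonality={event["commonality"]:.2f} '
              f'sessions={event["sessions"]} bytes={event["bytes"]}')
```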

Where We're Headed

A funny thing happened on the way to launching NetworkSage. We were actually planning to wait a little bit longer until we had the next major feature ready, which turns the context found above into an incredibly clear and concise visualization:

Figure 4: NetworkSage Activity Visualization View (Mock-Up) for Sample

We know that having this level of additional visual clarity will help all users understand what's going on in their traffic nearly instantaneously. But then we used our platform to discover a massive phishing attack. This made us realize that the security community needs NetworkSage now. Besides, what we're introducing today is just the beginning of what we have planned!

Additional Resources

To dig deeper into what NetworkSage has to offer, I recommend the following resources:
Or, if you just want to get out and start exploring, you can register for a free account and start submitting samples now!