Security startup records a year's network data

Lightweight sensors record network data so admins can go back and analyze it

Security startup ProtectWise can record all network data for analysis, which is then viewable through a slick front end.

Security startup ProtectWise can record all network data for analysis, which is then viewable through a slick front end.

A security startup has developed a platform that gives security professionals a much larger picture of what has happened on their network, even if they might have missed the initial signs of an intrusion.

It comes from ProtectWise, a 30-person company based in Denver, which is revealing more information on its technology after lying low since its founding in April 2013.

ProtectWise's broad aims are to consolidate many threat detection functions for which companies use a variety of products, said Scott Chasin, the company's CEO, who was McAfee's CTO from 2009 through 2012.

The company has developed what it calls the ProtectWise Cloud Network DVR, which is compromised of a cluster of lightweight sensors that are deployed at points on a network.

Those sensors record network data and ship it securely to Amazon's cloud, where ProtectWise performs a variety of analyses on it to determine if something strange is going on.

Chasin said that kind of data retention has typically been very expensive, and there is usually only a small retention window.

"We like to use the analogy of a camera because it's software that can be massively distributed that is always recording," Chasin said. "It's that level of visibility that is missing from the industry."

Customers can choose what they want to record, but the sensors can capture everything, Chasin said. The advantage for administrators is that they can go back and "replay" network activity from the past during forensic investigations, where the first signs of attack might not have been noticed.

Companies are struggling to detect data breaches, and studies show there may be a gap of up six months between when an organization is attacked and when it finds out a breach has occurred.

Security companies see overwhelming amounts of data on attacks and malware activity daily. But in many cases, only later after a detailed forensic analysis is performed does the full scope of an attack become clear.

While ProtectWise's platform is intended to help spot attacks that are underway, it's also designed to let administrators use forensic data gained from other attacks to figured out if they have been victimized as well.

The startup has built a very slick front end -- which ProtectWise terms a "head-up display" -- to view attack data. It's an active display that is designed not be overwhelming but to give a view of the network activity in real time. The same interface can be used to go back in time to view historical network data.

"One thing that gives ProtectWise a fair claim to uniqueness is the way they analyze and present that data," said Tony Palmer, a senior engineer and analyst with the Enterprise Strategy Group who visited ProtectWise's facility to view a demo of the application. "That's definitely something that really impressed us."

For those who are worried about shipping their entire network data to the cloud, ProtectWise has developed a way to make its storage more secure.

It calls the method "network shattering," and it involves splitting up data sent to its cloud platform and scattering it. The data is encrypted, of course, but it's also spread across ProtectWise's storage infrastructure. An attacker capturing part of the data couldn't reconstruct it or identify which organization it belongs to.

ProtectWise's customers hold all the decryption keys and can revoke those keys to make the data inaccessible, said Gene Stevens, ProtectWise's CTO.

ProtectWise charges based on how much data a customer wants to record and how long they want it retained. Its standard offering is one year of data retention, but it can be more if a customer chooses, Chasin said.

Universal Music Group has been testing ProtectWise.

"Until now, it was a luxury to be able to retain and continuously analyze full packet capture for more than a two-week period, and it was impossible to automatically play it back for retrospective analysis and detection," said Arthur Lessard, senior vice president and chief information security officer at Universal Music Group, in an email comment.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags securityProtectWise

More about Customers

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place