Savvius Vigil is the first network appliance able to intelligently store months of packet-level information to enhance security investigations. Savvius Vigil integrates with your existing SIEM platform so that the packets related to a breach can be examined weeks or months after the incident occurred. This information is often vital to a full understanding of the threat.
2. Corporate Overview 2
Savvius, Inc. (formerly WildPackets)
Headquarters: San Francisco Bay Area
Founded: 1990
Customers: over 7,000 in the U.S., EMEA, and APAC
Mission: Create advanced, high-performance products that provide unprecedented insight into network performance issues and security incident investigations.
3. Savvius Tools for Network Professionals
Software to view, analyze, and investigate.
Network traffic capture and analytics appliances.
4. Network Problems Occur in a Complex Environment
[Diagram: a data center (firewall, core switch, authentication, call manager, secure web, Citrix, two application delivery controllers, application servers, SQL cluster, Oracle cluster) connected to a corporate campus and a remote office (access points, access switch, two wireless controllers, integrated services router). Alongside it, the symptoms users report: content? performance? connectivity? delays, latency, slowness, network access, WLAN connects, intermittent drops, transaction verification, personnel, security. What is the problem?]
8. Introducing Savvius Vigil
Employing decades of network forensics expertise to enhance security investigations.
Network insight for performance and security.
14. Five Savvius Vigil Assumptions
1. You have assets to protect: financial information, patient records, confidential data.
2. Your perimeter isn't perfect: your organization is penetrated right now.
3. Delayed discovery is inevitable: data breaches are typically discovered about six months after they occur.
4. Network packets are valuable: security investigations need more than logs and events.
5. You can't store all network traffic: months of network traffic would require petabytes of storage.
16. How Savvius Vigil Works
[Diagram: network traffic passes IDS/IPS sensors, which send events to the IDS console.]
An IDS/IPS generates events continuously
‒ Often for immediate investigation
‒ Each event includes a very limited amount of data
There are too many events to investigate each one
‒ IDS/IPS systems are tuned to match the security team's capacity
‒ "Breaches will slip by…"
It starts with your SIEM's intrusion detection events (or with selected IP addresses).
17. How Savvius Vigil Works
[Diagram: the same IDS/IPS events, forwarded from the IDS console, drive Savvius Vigil's selection of packets from the network traffic.]
Savvius Vigil uses IDS/IPS events to filter packets out of the network traffic.
Integration with: HP ArcSight, Cisco FireSIGHT, Snort, Suricata (more added regularly).
In addition, all traffic to high-value IP addresses can be stored.
18. How Savvius Vigil Works
[Diagram: a timeline from "5 minutes ago" to "Now" for six addresses, IP #1 through IP #6.]
Savvius Vigil buffers ALL network traffic (represented here by six IP addresses).
Step 1: An IDS event comes in, alerting on two IP addresses.
Step 2: All packets between those two addresses for up to five minutes before and after the event (the window is settable) are stored.
Step 3: Packets to or from either of those IP addresses are also stored ("Associated Conversations") if desired.
Step 4: Packets that are not associated with either event IP address are ignored.
19. Days of Stored Events
[Chart: days of stored events (0 to 1000) against IDS/IPS events per day (0 to 1000), with one curve for a +/- 5 minute window and one for a +/- 2 minute window.]
Note: Approximate, assuming 125 packets per second per conversation, 750 bytes per packet, and a multiple of 8.5 for Associated Conversations.
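The four steps of the previous slide and the sizing assumptions of this chart, as an added worked example. This is not Savvius code and does not describe the appliance's internals; it is a small model of the technique: a short-term ring buffer of all packets, a per-event selection that keeps the conversation between the two alerted addresses (step 2, the BPF equivalent is `host A and host B`) or anything to or from either address (step 3, `host A or host B`) within a settable window before and after the event, and a sizing function that applies the chart's stated 125 packets per second, 750 bytes per packet and x8.5 multiple. The packets, addresses and the single IDS event are constructed in-line so it runs offline, and every class and field name is an assumption.

```python
"""Event-driven packet retention and sizing (added example, not Savvius code)."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float    # capture time in seconds; packets are fed in time order
    src: str
    dst: str
    size: int    # bytes on the wire


@dataclass(frozen=True)
class Selection:
    """What to keep for one IDS event: the two alerted addresses and a time window."""
    event_id: str
    a: str
    b: str
    start: float
    end: float
    associated: bool    # also keep "Associated Conversations" (step 3)

    def matches(self, pkt):
        if not (self.start <= pkt.ts <= self.end):
            return False
        ends = {pkt.src, pkt.dst}
        if ends == {self.a, self.b}:      # step 2, BPF "host a and host b"
            return True
        return self.associated and bool(ends & {self.a, self.b})   # step 3, "host a or host b"


class RetentionBuffer:
    """Ring buffer of ALL recent traffic plus a long-term store of selected packets."""

    def __init__(self, buffer_seconds=300.0):
        self.buffer_seconds = buffer_seconds
        self.ring = deque()      # short-term: every packet, oldest first
        self.active = []         # selections whose "after" half is still open
        self.stored = {}         # long-term: Packet -> set of event ids

    def ingest(self, pkt):
        self.ring.append(pkt)
        cutoff = pkt.ts - self.buffer_seconds
        while self.ring and self.ring[0].ts < cutoff:
            self.ring.popleft()                 # step 4: unselected packets age out
        self.active = [s for s in self.active if s.end >= pkt.ts]
        for sel in self.active:                 # "after" half of each open window
            if sel.matches(pkt):
                self.stored.setdefault(pkt, set()).add(sel.event_id)

    def on_event(self, event_id, ts, a, b, window=300.0, associated=False):
        # step 1: an IDS event names two addresses. The "before" half of the window
        # is only recoverable if the ring buffer is at least that deep.
        if window > self.buffer_seconds:
            raise ValueError("window exceeds ring buffer depth")
        sel = Selection(event_id, a, b, ts - window, ts + window, associated)
        self.active.append(sel)
        for pkt in self.ring:                   # "before" half, harvested from the ring
            if sel.matches(pkt):
                self.stored.setdefault(pkt, set()).add(event_id)
        return sel


def bytes_per_event(window_seconds, associated, pps=125, packet_bytes=750, assoc_multiple=8.5):
    """Storage per IDS event under the chart's assumptions: 125 packets/s per
    conversation, 750-byte packets, x8.5 when Associated Conversations are kept."""
    packets = 2 * window_seconds * pps           # before + after the event
    return packets * packet_bytes * (assoc_multiple if associated else 1)


def days_of_storage(capacity_bytes, events_per_day, window_seconds, associated):
    """Days of events that fit into capacity_bytes (an assumed appliance size)."""
    return capacity_bytes / (events_per_day * bytes_per_event(window_seconds, associated))


A, B, C, D = "10.0.0.5", "203.0.113.9", "10.0.0.7", "10.0.0.8"   # constructed addresses


def run_demo(associated):
    """Replay a constructed timeline around one event at t=1000 (+/- 300 s) and
    return (ts, src, dst) for every packet that reached long-term storage."""
    buf = RetentionBuffer(buffer_seconds=300)
    before = [Packet(500, A, B, 750),     # event hosts, but outside the window
              Packet(800, A, B, 750),     # event conversation, before
              Packet(800, A, C, 750),     # associated conversation, before
              Packet(850, C, D, 750)]     # unrelated
    after = [Packet(1100, B, A, 750),     # event conversation, after
             Packet(1200, C, A, 750),     # associated conversation, after
             Packet(1400, A, B, 750)]     # event hosts, but after the window closed
    for p in before:
        buf.ingest(p)
    buf.on_event("evt-1", 1000, A, B, window=300, associated=associated)
    for p in after:
        buf.ingest(p)
    return sorted((p.ts, p.src, p.dst) for p in buf.stored)


if __name__ == "__main__":
    print("step 2 only:", run_demo(False))
    print("with associated:", run_demo(True))
    print("bytes per +/-5 min event:", bytes_per_event(300, False), bytes_per_event(300, True))
```

Two details the slide leaves implicit are made explicit here: the "before" half of a window can only be recovered if the ring buffer is at least as deep as the window, so `on_event` rejects a larger one, and a packet matched by several events is stored once and tagged with every event id rather than duplicated.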
20. Investigating With Savvius Vigil
Select and refine
‒ Select by date range, event(s), or IP addresses
‒ Refine by source, severity, and other characteristics
Export and view packets
‒ Select the time before and after the event, and whether to include packets in Associated Conversations
‒ Save and view in OmniPeek
‒ Save standard packet files
Savvius Vigil makes packets available for immediate or long-term investigations.
21. Takeaways
Packets are critical to effective investigations
‒ "Packets don't lie"
‒ Investigating a security event without access to packets means all evidence is circumstantial and indirect
Most breaches aren't discovered right away
‒ Storing packets for months requires intelligent packet storage
‒ Manually selecting which packets to store isn't good enough
Savvius Vigil provides the answer
‒ Automatic, intelligent packet storage
‒ Organized access to relevant packets for immediate and long-term investigations
‒ See packets before and after events
‒ A vital addition to your existing security infrastructure
Purpose:
Teaching moment:
Complexity has only increased; solving the problem of "why it's slow" is still a major undertaking.
Even having visibility into all of these elements of the network (using siloed tools) does not give you a quick answer to where the problem lies.
Guide for using this slide:
Key purpose:
The primary purpose of this slide is to challenge the traditional approach of a single tool for each silo, and to show that the missing component is a focus on the end user's delivery.
Together these items can be thought of as the delivery fabric. The amount of time it takes the user's traffic to traverse these elements is typically not tracked.
Story line:
Despite the fact that the user interacts through all of these components, it's typically the network that is blamed first. That means that by default the network team is responsible for end-user response time (not by your choosing!).