mo at ccr.org
Thu Feb 18 12:45:45 CST 2010
I know a bit about NetWitness.
the technology is remarkably brute-force
I called it "The Romanian Solution".
they simply record *every* packet that flows through a network.
then they apply some very clever data-mining software that can
reconstruct essentially anything that was on the network at
any time in the past, and then go looking for other things
that "look sorta like this".
yes - it's not easy and it takes a lot of storage. for some
organizations (eg financial services with hideous compliance
requirements), it's the easiest way to deal with it.
it is arbitrarily-deep packet inspection across
all time with massive inter-event correlation.
More information about the Tacos