FireEye Stories

Accelerating the Network Forensics Process via a Singular Workbench to Help Accelerate and Simplify Investigations

We are excited to announce one of the most extensive enhancements to our Enterprise Forensics product line. This new release further accelerates the network forensics investigation process with a workbench that simplifies investigations and reduces risk with expanded visibility into lateral spread activity. 

One of the major new features is an updated UI. This updated UI consolidates functions into a singular workbench that provides incident response (IR) analysts an aggregate view of IOC alerts from other FireEye products and allows pivoting back into those products should additional information be required. Analysts can create and view gadgets tracking multiple items, such as surveying top/bottom email senders, bandwidth consumers and FTP users, and protocol usage statistics over time to visualize network usage anomalies. Individual dashboards can be customized with drag-and-drop gadgets enabling visualization of abnormal network activity and metadata. 

The updated UI allows IR analysts to work from a singular workbench to quickly build the context, scale and scope of an attack with enhanced, easy-to-use network forensics query tools.

Among these new tools are integrations with the FireEye Global Threat Management Platform. These let IR analysts pivot from the context built through network forensics activity into the IOC alerts raised by the FireEye Network Security, Email Security and Endpoint Security products, so they can corroborate findings and conduct deeper investigations across the areas of the IT infrastructure that may contain evidence of the attack. Along with the additional aggregated alerts, IR analysts can now submit suspicious reconstructed files directly to the FireEye Malware Analysis function or team for immediate malware analysis.

Additional intelligence on IOCs will be available for customers who have a subscription to the iSIGHT ThreatScape threat intelligence platform. From this single workbench, IR analysts can receive further insight on threats such as malware, botnets and command-and-control infrastructure, gaining a better understanding of outbreak velocity, observed behaviors, the background of a threat and the motivations of the attackers. This information helps IR analysts prioritize and narrow the focus of their investigations.

As with every network forensics update, FireEye continues to expand protocol decoding for increased visibility of lateral spread within the network. Among the newly supported decoded protocols are IRC and RDP. IRC decoding provides visibility into attackers who use an IRC channel to communicate outbound, which is common with certain types of malware. RDP decoding provides visibility into attackers traversing from endpoint to endpoint within a network, showing where the attacker started and where they went.
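The two kinds of visibility described above, outbound IRC from an internal host and an RDP hop chain that can be followed forwards and backwards, are easy to demonstrate on decoded session metadata. The following is an added example, not FireEye code and not the product's own data model: it assumes a list of decoded-session records with `ts`, `src`, `dst` and `proto` fields (constructed sample values) and shows how an analyst could flag IRC sessions leaving the network and reconstruct the RDP path from the first compromised endpoint to the last.

```python
import ipaddress
from datetime import datetime

# Constructed sample records standing in for decoded-session metadata (hypothetical schema).
RECORDS = [
    {"ts": "2016-05-01T08:30:00", "src": "10.0.5.5", "dst": "10.0.5.6", "proto": "HTTP"},
    {"ts": "2016-05-01T09:00:00", "src": "10.0.1.15", "dst": "10.0.1.20", "proto": "RDP"},
    {"ts": "2016-05-01T09:05:00", "src": "10.0.1.20", "dst": "10.0.2.40", "proto": "RDP"},
    {"ts": "2016-05-01T09:12:00", "src": "10.0.2.40", "dst": "10.0.3.7", "proto": "RDP"},
    {"ts": "2016-05-01T09:20:00", "src": "10.0.3.7", "dst": "203.0.113.9", "proto": "IRC"},
    # An unrelated RDP session later in the day; it must not be chained onto the path above.
    {"ts": "2016-05-01T10:00:00", "src": "10.0.7.1", "dst": "10.0.7.2", "proto": "RDP"},
]

PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if the address lies in an RFC 1918 range (our stand-in for 'inside the network')."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def outbound_irc(records):
    """Return (ts, src, dst) for IRC sessions from an internal host to an external one."""
    hits = [(r["ts"], r["src"], r["dst"]) for r in records
            if r["proto"] == "IRC" and is_internal(r["src"]) and not is_internal(r["dst"])]
    return sorted(hits)


def rdp_edges(records):
    """RDP sessions as (datetime, src, dst) tuples in chronological order."""
    return sorted((parse_ts(r["ts"]), r["src"], r["dst"]) for r in records if r["proto"] == "RDP")


def rdp_path_from(records, start):
    """Follow RDP hops forward in time from `start`: each hop must begin after the previous one
    and must not revisit a host already on the path."""
    edges = rdp_edges(records)
    path, current, last_ts = [start], start, None
    while True:
        nxt = next(((ts, dst) for ts, src, dst in edges
                    if src == current and (last_ts is None or ts > last_ts) and dst not in path), None)
        if nxt is None:
            return path
        last_ts, current = nxt
        path.append(current)


def rdp_origin(records, host):
    """Walk RDP hops backwards in time from `host` to the first host in the chain,
    i.e. where the attacker started."""
    edges = rdp_edges(records)
    current, last_ts, seen = host, None, {host}
    while True:
        prev = next(((ts, src) for ts, src, dst in reversed(edges)
                     if dst == current and (last_ts is None or ts < last_ts) and src not in seen), None)
        if prev is None:
            return current
        last_ts, current = prev
        seen.add(current)


if __name__ == "__main__":
    for ts, src, dst in outbound_irc(RECORDS):
        print(f"outbound IRC {src} -> {dst} at {ts}")
    origin = rdp_origin(RECORDS, "10.0.3.7")
    print("RDP path:", " -> ".join(rdp_path_from(RECORDS, origin)))
```

The forward walk enforces increasing timestamps so that an unrelated RDP session seen earlier from the same host is not mistaken for part of the chain, and the backward walk does the reverse; on real decoder output the analyst would also carry the logon account and session duration along each hop.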

There are many more new features and functions in this very exciting Enterprise Forensics release. I encourage you to engage your account manager for more information and request a demo of Enterprise Forensics to see the new features, take the new UI out for a test drive and try out the new integrations with other FireEye products.