Running advanced correlation over time for each individual asset on a network can require a huge amount of compute resources, so NetWatcher takes full advantage of the Cloud and its compute power. The advantage our customers get is 24 x 7 advanced vulnerability and exploit analysis, as well as immediate learning from all other tenants. As an example, if a bad actor is recognized on customer A, all other customers immediately get that learning.
You can be assured that the data transfers safely over encrypted channels and is stored safely with incredible protection (more here). This article is about what data leaves the network and travels over those secure channels for advanced correlation.
First, you need to understand the NetWatcher workflow. Sensors and Endpoints produce EVENTS, which are sent to the NetWatcher cloud for Advanced Correlation and may eventually be used to determine whether an ALARM is necessary.
If an ALARM is necessary it is sent to the customer based on how their account is set up. The ALARM contains the IP/MAC/HOSTNAME of the asset and a detailed description and proposed remediation plan. The ALARM also contains the events that were correlated to determine that the ALARM was necessary.
If you drill into one of the EVENTS you will find the technical details, which will include PCAPs (the packet captured by the Intrusion Detection System that proves the event occurred), LOG events (the log entry from the device that sent the log, such as a firewall, wifi, switch, router, DHCP, server etc., or an endpoint), HIDS log events from the endpoints (file integrity events, software install events, rootkit events etc.) or VULNERABILITY SCAN events from the NetWatcher scanner.
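As an added illustration of that workflow (example code written for this article, not NetWatcher's own correlation engine): EVENTS from two tenants are grouped per asset, correlated into ALARMs carrying the IP/MAC/HOSTNAME, description, remediation and supporting events, and the bad actor learned on tenant A immediately raises an ALARM on tenant B. The two correlation rules, the 24-hour window and the sample events are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:            # one sensor/endpoint EVENT; asset = (ip, mac, hostname)
    tenant: str
    kind: str           # "IDS", "LOG", "HIDS" or "VULN_SCAN"
    asset: tuple
    ts: datetime
    detail: dict = field(default_factory=dict)
@dataclass
class Alarm:            # the ALARM fields the article lists
    tenant: str
    asset: tuple        # IP/MAC/HOSTNAME of the affected asset
    description: str
    remediation: str
    events: list        # the correlated EVENTS that justified the ALARM
WINDOW = timedelta(hours=24)   # assumed correlation window
def correlate(events, bad_actors):
    """Assumed rules: (1) IDS event from an IP already in the shared bad-actor set;
    (2) IDS event plus a VULN_SCAN finding on the same asset within WINDOW, which
    also adds the source IP to bad_actors so every other tenant matches rule 1."""
    by_asset = {}
    for e in events:
        by_asset.setdefault((e.tenant, e.asset), []).append(e)
    alarms = []
    for (tenant, asset), evs in by_asset.items():
        vulns = [v for v in evs if v.kind == "VULN_SCAN"]
        for a in (e for e in evs if e.kind == "IDS"):
            src = a.detail.get("src_ip")
            related = [v for v in vulns if abs(v.ts - a.ts) <= WINDOW]
            if src in bad_actors:
                alarms.append(Alarm(tenant, asset, f"Known bad actor {src} targeting asset",
                                    f"Block {src} at the perimeter; review the host", [a]))
            elif related:
                bad_actors.add(src)   # cross-tenant learning: other tenants now hit rule 1
                alarms.append(Alarm(tenant, asset, f"Exploit attempt from {src} against vulnerable service",
                                    "Patch the flagged service; block the source", [a] + related))
    return alarms

def demo():
    t0 = datetime(2024, 1, 1, 12)   # constructed sample events for tenants A and B
    web01, db02 = ("10.0.0.5", "aa:bb:cc:00:00:01", "web01"), ("10.1.0.9", "aa:bb:cc:00:00:02", "db02")
    events = [
        Event("A", "VULN_SCAN", web01, t0, {"finding": "outdated web server"}),
        Event("A", "IDS", web01, t0 + timedelta(hours=2), {"src_ip": "203.0.113.5", "pcap": "evt-1.pcap"}),
        Event("B", "IDS", db02, t0 + timedelta(hours=3), {"src_ip": "203.0.113.5"}),
    ]
    bad_actors = set()
    return correlate(events, bad_actors), bad_actors
```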
Here is an example of an IDS event:
and the corresponding network packet.
Here is an example of a log event:
Again, you can be assured that the data transfers safely over encrypted channels and is stored safely with incredible protection (more here).