Last week, I was asked to present a Lunch and Learn session at the SANS What Works in Forensics and Incident Response Summit 2010. Before starting, I asked the audience if anyone had heard of Fidelis Security System and exactly one hand was raised in a room of forty to fifty people – much as I had anticipated. Fidelis has been playing in the network Data Leakage Prevention market for the past few years, but we never set out to build a data leakage solution. At the core of our technology is a real-time, content-aware, bi-directional, deep session inspection network sniffer with prevention capabilities. Data leakage was the first market to require such capability, that is, until DLP was re-defined as a “suite” of solutions including endpoint, data discovery, and network, where the network is concerned primarily with email and proxied HTTP traffic.
However, many of our customers are using our product, Fidelis XPS, for forensics and incident response. Therefore a second market opportunity for our technology has unfolded. We titled our SANS presentation, “See it, Study it, Stop it” to describe how we see Fidelis XPS in this market.
“See it” refers to the Fidelis XPS Information Flow Map technology. Info Flow Map allows you to see all network activity, from layer 4 through to content. If your network activity can be visualized, then you can do something about it. “It” may be strange protocols on strange ports going to foreign countries; “it” may include sensitive data; “it” may be traffic bypassing your corporate secure email gateways and web proxies; “it” may be legitimate business traffic performed over unapproved channels or channels unknown to network security. “It” is typically not known until network security personnel can see evidence of the activity.
“Study it” refers to the ability to record network sessions of interest and to quickly study details about the session using the Fidelis XPS CommandPost management console Alert reports and Alert details. The concept of “sessions of interest” is what we’re calling Intelligent Forensics – instead of recording everything and later searching for the needle in the haystack, we record the needle when it happens. When viewing alert details, you can see all attributes about the session, the users involved in the transaction, the session itself, and gain one-click access to all layers of encoding and obfuscation. The one-click access is what Fidelis customers in the Forensics community continually talk about. This quick access to data makes for easy exchange with other security products built to decipher and identify malware code. We also hear our customers talking about the effectiveness of Fidelis XPS’ Deep Session Inspection technology – by analyzing the entire session, including every embedded file, threats that evade Deep Packet Inspection technology can be seen and analyzed.
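To make the Deep Session Inspection versus Deep Packet Inspection distinction concrete, here is an added illustration in Python (not Fidelis code, and not how XPS is implemented): a constructed HTTP POST whose body is a gzip-compressed, base64-encoded file is cut into TCP-sized segments; matching each segment on its own misses the sensitive marker, while reassembling the stream and peeling the encoding layers finds it. The marker string, the header values and the segment size are all made up for the example.

```python
import base64
import gzip
import re

# Constructed detection pattern standing in for a content policy.
MARKER = re.compile(rb"CONFIDENTIAL")

def build_session(payload, segment_size=40, encode=True):
    """Construct a sample POST session and cut it into TCP-segment-sized pieces.
    With encode=True the body is gzip-compressed then base64-encoded."""
    body = base64.b64encode(gzip.compress(payload)) if encode else payload
    stream = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
              b"Content-Length: %d\r\n\r\n" % len(body)) + body
    return [stream[i:i + segment_size] for i in range(0, len(stream), segment_size)]

def packet_inspect(segments, pattern=MARKER):
    """Packet-level view: match each segment by itself, no reassembly, no decoding.
    Misses content that straddles a segment boundary or sits under an encoding."""
    return any(pattern.search(seg) for seg in segments)

def peel(data):
    """Try to remove one encoding layer; return (layer_name, decoded) or None."""
    if data[:2] == b"\x1f\x8b":                      # gzip magic bytes
        try:
            return "gzip", gzip.decompress(data)
        except (OSError, EOFError):
            return None
    if len(data) % 4 == 0 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", data):
        try:
            return "base64", base64.b64decode(data, validate=True)
        except ValueError:
            return None
    return None

def session_inspect(segments, pattern=MARKER, max_depth=5):
    """Session-level view: reassemble the stream, isolate the body, peel encoding
    layers recursively and match at every layer. Returns (matched, layers_peeled)."""
    stream = b"".join(segments)
    _headers, _, body = stream.partition(b"\r\n\r\n")
    layers, data = [], body
    for _ in range(max_depth):
        if pattern.search(data):
            return True, layers
        step = peel(data)
        if step is None:
            break
        layers.append(step[0])
        data = step[1]
    return bool(pattern.search(data)), layers
```

The plaintext case (encode=False) still defeats per-packet matching in this construction because the marker falls across a 40-byte segment boundary, which is the reassembly half of the argument; the encoded case adds the decoding half.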
“Stop it” refers to Fidelis XPS’ ability to prevent network sessions. The threat detected by “seeing it” or by “studying it” can easily be transferred to a Fidelis XPS sensor and configured to kill any network session when the threat is detected. In addition, “study it” may reveal the command and control link back to the attacker, which can also be easily terminated. Utilizing this step, you can stop the spread of the attack within your network and also kill the attacker’s command and control channel. Today’s threats involve attempts to steal information and transport it over your network. Our original application in the DLP market makes Fidelis XPS an excellent addition to Forensics and Incident Response teams. Not only can you detect and prevent a threat on the way into your network, but you can cut off the channel used to send the stolen information home, allowing you to detect the threat and do something about it with Fidelis XPS. I believe the attendees of the SANS summit in Washington DC accepted our message and were surprised to hear the idea of “Intelligent Forensics” and that there is a product that can take action in response to a detected threat. Fidelis XPS: See it, Study it, Stop it.