SentryWire Packet Capture Tool
SentryWire is the next generation packet capture tool and network security platform that is based on a unique capture and storage architecture which breaks the performance, scalability and expense barriers of existing frameworks. The system supports capture rates from 1Mbps to 100Gbps, while providing real-time filtering, and allowing retention of network traffic for months and even years at price points that can be as little as 20% of the cost of other systems.
Imagine a Hadoop-like architecture engineered to scale out compute and storage together, so that search stays fast even in packet stores of 100 PB. The SentryWire system combines high-speed packet recording with real-time analytics, visualization, BPF-syntax filters and the open source Security Onion suite integrated into the GUI. The system detects intrusions, minimizes the damage caused by breaches and enables complete packet-level analysis of any incident.
The SentryWire packet capture platform allows an extended timeline of traffic to be recorded and analyzed at commodity prices using new or existing analytics. Why is it important to keep an extended timeline of packet traffic? Because, on average, certain state-sponsored intruders remain undetected in a network for 147 days, and without a high-fidelity recording of the network traffic enterprises cannot make a definitive determination of when intruders got in, how they got in, or exactly what data was exfiltrated.
What We Do
- Full Packet Capture - Line rates 1Mbps to 100Gbps
- Real-Time Filtering - BPF filters for known signatures
- Retention of all Packets - Forensics for incident response activities
- Incredibly Fast Search - Large quantities of data can be reviewed quickly and efficiently
- Open Architecture - Use any commercial, open source or custom cyber tools
- Compression/Compaction - 5-30x amplification of raw storage capacity
- Commoditization - Compute, storage and analytics provide an incredibly affordable cyber solution
- Federation - Multiple form factors that scale from branch office to core systems implementation
What's Possible with SentryWire
Full Network Packet Capture - Line rates 1Mbps to 100Gbps, lossless and continuous capture. This isn't just packet inspection and retention of the metadata from that inspection: we capture and store all the network IP packets, so that the traffic can be filtered against known signatures as it arrives and also be re-inspected later for signatures that were published only after the traffic was filtered, collected and stored. We know that, on average, perpetrators are in the network for 147 days before being discovered, so it is critically important to have an extended timeline of packets available for analysis.
Search – Because search is partitioned along with compute and storage, each node searches only its own, smaller packet store, and results come back faster as the cluster grows. Searches often produce a very large PCAP file, which we split into smaller tranches so that results start streaming almost immediately and do not bog down the network. Our search is incredibly fast!
Extended Packet Capture Timeline - Forensics for incident response and post-breach activities. Even with the best enterprise security tools deployed in multiple layers and depth, organizations that are breached find they need to reach back more than 147 days from the discovery of the breach to get to the root of the problem and determine which data were accessed and exfiltrated. Or for the non-security use cases, unscheduled outage root cause analysis often requires a similar timeline of high fidelity data to be accessible.
Capture Speed – We guarantee the best lossless capture performance on the market. Our capture rates, as well as the rates we move the packets around inside the appliance and the cluster nodes, have been architected and engineered to continuously capture, even the burstiest traffic. We can scale to the fastest current market bandwidths (100Gbps) and our architecture will continue to grow with network bandwidth capabilities.
Intrusion Detection – We include the open source, Snort-centric Security Onion as our IDS, leveraging the rich intrusion visualization capabilities of this suite and instrumenting our filtered data flows so that the various Security Onion components receive the data feeds best suited to their intended purposes. We also provide connections to the industry's leading IDS platforms.
Visualization – Bundled open source visualization capabilities, including a 3-D interface that allows engineers and users to isolate anomalous activity, along with a RESTful API connection to existing visualization platforms. Log correlation and aggregation solutions get fast and seamless access to our metadata logs.
Analytics – Pre-analytics and real-time filtering, with a RESTful API allowing integration with existing analytic tools and platforms. We've learned that with big data you don't just point analytic tools at large data sets and expect deep insights to spring out. SentryWire uses BPF syntax and primitives to filter large amounts of data down to a very manageable size, so that customers can run additional tools such as ELSA, Splunk or ArcSight to uncover deeper insights about potential threats.
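The workflow the page describes in the Full Network Packet Capture, Search and Analytics sections (keep every packet, filter the store with BPF-style primitives when a new indicator appears, and hand the matches back in small tranches) can be sketched in a few dozen lines. The script below is an added example and not SentryWire's code: it reads the libpcap file format with the standard library, applies a hand-rolled conjunction of BPF-like primitives (a deliberate subset, not libpcap's compiler), and splits the matches into independent pcap files of a fixed packet count. The capture, the hosts (10.0.0.5, 203.0.113.7 and so on), the frames and the MAC addresses are all constructed inline so it runs offline.

```python
"""Added example, not SentryWire's code: read a libpcap capture, apply a
BPF-style filter (a hand-rolled subset of BPF syntax, not libpcap) to the
stored packets, and split the matches into fixed-size pcap tranches.
The capture itself is constructed inline so the script runs offline."""
import socket
import struct
from typing import Callable, Dict, Iterator, List, Optional, Tuple

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution libpcap magic
LINKTYPE_ETHERNET = 1
PROTO_NAMES = {"tcp": 6, "udp": 17, "icmp": 1}


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int,
                proto: int = 6, payload: bytes = b"") -> bytes:
    """Constructed Ethernet II + IPv4 (no options) + 20-byte L4 header whose
    first four bytes are the ports. MACs and checksums are placeholders."""
    eth = bytes.fromhex("0011223344556677889900aa") + b"\x08\x00"
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * 16 + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto,
                     0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + l4


def write_pcap(records: List[Tuple[int, bytes]]) -> bytes:
    """Serialise (ts_sec, frame) pairs as a little-endian libpcap file."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    body = [struct.pack("<IIII", ts, 0, len(f), len(f)) + f for ts, f in records]
    return header + b"".join(body)


def read_pcap(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (ts_sec, frame) for each record; accepts either byte order."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a libpcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("unsupported link type")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def decode(frame: bytes) -> Optional[Dict[str, object]]:
    """Extract the fields the filter needs from an Ethernet/IPv4 frame."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                   # not IPv4: never matches
    l4 = 14 + (frame[14] & 0x0F) * 4                  # IHL is in 32-bit words
    fields: Dict[str, object] = {"proto": frame[23],
                                 "src": socket.inet_ntoa(frame[26:30]),
                                 "dst": socket.inet_ntoa(frame[30:34]),
                                 "sport": None, "dport": None}
    if fields["proto"] in (6, 17) and len(frame) >= l4 + 4:
        fields["sport"], fields["dport"] = struct.unpack_from("!HH", frame, l4)
    return fields


def compile_filter(expr: str) -> Callable[[Dict[str, object]], bool]:
    """Compile a conjunction of BPF-like primitives: tcp|udp|icmp,
    [src|dst] host A.B.C.D and [src|dst] port N, joined by 'and'.
    'or', 'not', 'net' and parentheses are intentionally unsupported."""
    preds = []
    for term in expr.split(" and "):
        toks = term.strip().split()
        if len(toks) == 1 and toks[0] in PROTO_NAMES:
            preds.append(lambda f, p=PROTO_NAMES[toks[0]]: f["proto"] == p)
            continue
        direction = toks.pop(0) if toks[0] in ("src", "dst") else None
        kind, value = toks
        keys = {"host": ("src", "dst"), "port": ("sport", "dport")}[kind]
        if direction == "src":
            keys = (keys[0],)
        elif direction == "dst":
            keys = (keys[1],)
        want = int(value) if kind == "port" else value
        preds.append(lambda f, ks=keys, w=want: any(f[k] == w for k in ks))
    return lambda f: all(p(f) for p in preds)


def search(pcap: bytes, expr: str, tranche_size: int) -> List[bytes]:
    """Run a filter over a stored capture; return the hits as separate pcap
    files of at most tranche_size packets, original timestamps preserved."""
    match = compile_filter(expr)
    hits: List[Tuple[int, bytes]] = []
    for ts, frame in read_pcap(pcap):
        fields = decode(frame)
        if fields is not None and match(fields):
            hits.append((ts, frame))
    return [write_pcap(hits[i:i + tranche_size])
            for i in range(0, len(hits), tranche_size)]


def sample_capture() -> bytes:
    """Constructed traffic: five beacons to 203.0.113.7:443, then unrelated
    DNS and HTTP, one second apart starting at a fixed epoch."""
    frames = [build_frame("10.0.0.5", "203.0.113.7", 50000 + i, 443) for i in range(5)]
    frames.append(build_frame("10.0.0.5", "10.0.0.53", 40000, 53, proto=17))
    frames.append(build_frame("10.0.0.9", "198.51.100.2", 40001, 80))
    return write_pcap([(1_600_000_000 + i, f) for i, f in enumerate(frames)])


if __name__ == "__main__":
    # A "new" indicator (203.0.113.7:443) hunted against traffic stored earlier.
    tranches = search(sample_capture(), "tcp and host 203.0.113.7 and port 443", 2)
    print(len(tranches), "tranches:", [sum(1 for _ in read_pcap(t)) for t in tranches])
```

The point of returning tranches as complete pcap files is that each one is independently loadable by Wireshark, tcpdump or an IDS, so an analyst can start on the first chunk while the rest is still being produced. In a real deployment the filter would be compiled by libpcap and the search would run on every storage node in parallel; the subset grammar here exists only to make the retrospective-hunt step visible.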