A startup co-founded by the former cyber chief for the U.S. Department of Homeland Security today rolled out its first product -- a new, commercial version of a network forensics and monitoring tool that was first built for the intelligence community nearly 10 years ago.

NetWitness's new NetWitness NextGen tool captures all network traffic and uses that data to handle insider threat management, data leakage protection, malware activity detection, network performance management, and compliance verification and e-discovery, says Amit Yoran, chairman and CEO of Herndon, Va.-based NetWitness.

Yoran, who prior to his DHS job was co-founder and CEO of RipTech, and NetWitness president Nicholas Lantuh, a former vice president of NetWitness developer ManTech Security Technologies, led a management buyout of the tool in November of 2006. "This is not an internal control application. It's an audit/compliance/risk management tool," Yoran says.

The tool captures all data on the network and does session reconstruction and analysis up to the application layer, says Eddie Schwartz, CSO and vice president of marketing for NetWitness. "We can take an alert from an IDS or SIM and do an interactive deep-dive into the data," says Schwartz, the former CTO at ManTech Security Technologies. "We're providing the investigatory and forensics tools."

Security analysts say NetWitness's NextGen fills the gaps for security tools such as IDSes, IPSes, and content filters, which provide only basic data and alerts.

"Many resources can capture network information, but what NetWitness brings to the challenge is the ability to identify, capture, and correlate information that may be directly indicative of a security or compliance incident," says Scott Crawford, research director for security and risk management at Enterprise Management Associates. "This helps to alert the business to the existence of an actual threat, helps the business to more accurately identify the nature and scope of incidents, and gives a substantial leg up to the investigative process, improving its efficiency and reducing its total cost."

NetWitness's Yoran says the tool can hone in on user-level activity as well. "There are very few technologies that look for insider threats. Ours can show all attempts by your users to obfuscate their activities, for instance... like tunneling outside the network, or bypassing firewall polices."

Michael Montecillo, security and risk management analyst for EMA, says NetWitness's technology is "resistant" to anti-forensic tools that attackers increasingly are using to deter investigations of breaches, for instance. "NetWitness allows organizations to investigate user activities at a level that attackers and most users would find it difficult to tamper with."

NetWitness NextGen, which is made up of multiple server components, has a list price of $40,000.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.