FAQ:  PX-IA and Enterprise Forensics

Version 6




    This article answers common questions asked by customers who are new to the FireEye PX Series and the Investigation Analysis (IA) Series platform.




    What is Enterprise Forensics?


    Enterprise Forensics enhances detection coverage, quantifies impact, and provides broader contextual awareness for an incident. It enables organizations to answer key questions once an alert has been raised; examples include the following:

    • How long have I been under attack?
    • How did the attacker get in? What was the intrusion vector?
    • What was the extent of the damage?
    • How many systems are affected by an attack?
    • Were any credentials compromised?


    Today, a clear need exists for an integrated security and investigative solution that shortens the time between detection and resolution of advanced attacks, by accelerating the investigative process and broadening incident awareness.



    What is the Investigation Analysis System Platform?


    The Investigation Analysis System (IA Series) is an appliance that works hand-in-hand with the PX Series to accelerate the investigative process. The PX Series provides ultra-fast packet capture and query forensics, while the IA Series extends that functionality with application contextualization, activity visualization, and campaign management. The additional contextualization and visualization ultimately provide the analytics to identify threats that would not otherwise have been recognized, and to accelerate the investigative process.


    The IA Series is a standalone appliance. An application-context add-on on the PX Series enables Layer 7 enhanced IPFIX exports, which give the IA Series application-level visibility into the captured traffic.


    Key Features:

    • Customizable dashboards with drag-and-drop gadgets for visualizing network metadata and activity
    • Centralized, and flexible application-level queries and investigation
    • RESTful API access to flow and metadata indices for easy integration with third-party tools
    • Integrated case management for archiving PCAP files from cyber investigations and sharing amongst analysts
    • Indexed metadata from protocols such as HTTP/SMTP/POP3/IMAP/SSL/TLS/FTP/SMB for powerful application-level search
    • Session reconstruction on connected PX probes



    Who should consider the PX/IA platform?


    Any enterprise or government institution with SOC/IT administration staff who have requirements to secure intellectual property or sensitive data.


    Existing FireEye NX/EX customers can use the existing integration to pivot directly from an alert into the PX Series to gather better contextual information for that alert.


    Existing Managed Defense customers can also use the enterprise forensics platform to extend back-in-time visibility into the network.



    How is the FireEye platform different from the competitors in the space?


    Our key advantage is performance. The FireEye platform supports lossless packet capture at 20 Gbps, the only product to have that capability in the market. We also:

    • record traffic in standard nanosecond timestamped pcap format
    • provide multi-level indexing of connections and packets and export of connection records in NetFlow v9
    • search over large datasets (1 PB) at a speed many orders of magnitude faster than the competition
    • provide comprehensive RESTful Web API for searching recorded data and downloading PCAP
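    The timestamp format matters when you consume recorded traffic with your own tooling: classic libpcap files carry either microsecond or nanosecond fractions, and the only signal is the magic number in the global header (0xA1B2C3D4 for microseconds, 0xA1B23C4D for nanoseconds, byte-swapped when the writer was big-endian). The following parser is an added example and not FireEye code; it detects the resolution and byte order, normalizes every packet time to integer nanoseconds, and shows why microsecond files cannot preserve sub-microsecond ordering. The sample packets it builds are constructed in memory, not a real capture.

```python
"""Read classic pcap files with either microsecond or nanosecond timestamps.

Added example; the magic numbers and header layouts are those documented for the
libpcap file format. The sample packets at the bottom are constructed, not captured.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

MAGIC_MICRO = 0xA1B2C3D4   # classic pcap, fraction field is microseconds
MAGIC_NANO = 0xA1B23C4D    # classic pcap, fraction field is nanoseconds
GLOBAL_HDR = "IHHiIII"     # magic, major, minor, thiszone, sigfigs, snaplen, linktype (24 bytes)
RECORD_HDR = "IIII"        # ts_sec, ts_frac, incl_len, orig_len (16 bytes)
LINKTYPE_ETHERNET = 1


@dataclass
class Packet:
    ts_ns: int      # capture time as integer nanoseconds since the Unix epoch
    orig_len: int   # length on the wire
    data: bytes     # captured bytes (possibly truncated to snaplen)


def detect_format(magic_bytes: bytes) -> Tuple[str, int]:
    """Return (struct byte-order prefix, nanoseconds per tick of the fraction field)."""
    for order in ("<", ">"):
        magic = struct.unpack(order + "I", magic_bytes)[0]
        if magic == MAGIC_MICRO:
            return order, 1_000
        if magic == MAGIC_NANO:
            return order, 1
    raise ValueError("not a classic pcap file: magic %s" % magic_bytes.hex())


def parse_pcap(data: bytes) -> Tuple[dict, List[Packet]]:
    """Parse a whole pcap file; every packet time is returned in nanoseconds."""
    order, ns_per_tick = detect_format(data[:4])
    hdr = struct.unpack(order + GLOBAL_HDR, data[:24])
    header = {"version": (hdr[1], hdr[2]), "snaplen": hdr[5], "linktype": hdr[6],
              "nanosecond": ns_per_tick == 1, "byte_order": order}
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(order + RECORD_HDR, data[off:off + 16])
        off += 16
        # Reject records that claim more bytes than the snaplen allows or than remain in the file.
        if incl_len > header["snaplen"] or off + incl_len > len(data):
            raise ValueError("corrupt record at offset %d" % (off - 16))
        packets.append(Packet(ts_sec * 1_000_000_000 + ts_frac * ns_per_tick, orig_len, data[off:off + incl_len]))
        off += incl_len
    if off != len(data):
        raise ValueError("trailing bytes after last record")
    return header, packets


def build_pcap(packets: List[Packet], nanosecond: bool = True, order: str = "<", snaplen: int = 65535) -> bytes:
    """Serialize packets as a classic pcap; used here only to construct sample input."""
    magic = MAGIC_NANO if nanosecond else MAGIC_MICRO
    ns_per_tick = 1 if nanosecond else 1_000
    out = [struct.pack(order + GLOBAL_HDR, magic, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for p in packets:
        sec, rem = divmod(p.ts_ns, 1_000_000_000)
        out.append(struct.pack(order + RECORD_HDR, sec, rem // ns_per_tick, len(p.data), p.orig_len))
        out.append(p.data)
    return b"".join(out)


def inter_packet_gaps_ns(packets: List[Packet]) -> List[int]:
    """Gaps between consecutive packets in nanoseconds; zero means 'indistinguishable'."""
    return [b.ts_ns - a.ts_ns for a, b in zip(packets, packets[1:])]


# Constructed sample: two 60-byte frames captured 500 ns apart.
BASE_NS = 1_700_000_000 * 1_000_000_000
SAMPLE = [Packet(BASE_NS + 100, 60, b"\x00" * 60), Packet(BASE_NS + 600, 60, b"\x01" * 60)]


def compare_resolutions() -> dict:
    """Round-trip the sample through both formats and report the gap each preserves."""
    _, nano = parse_pcap(build_pcap(SAMPLE, nanosecond=True))
    _, micro = parse_pcap(build_pcap(SAMPLE, nanosecond=False))
    return {"nano_gap_ns": inter_packet_gaps_ns(nano)[0], "micro_gap_ns": inter_packet_gaps_ns(micro)[0]}


if __name__ == "__main__":
    print(compare_resolutions())
```

In the nanosecond file the 500 ns gap survives; in the microsecond file both packets round to the same microsecond and the gap collapses to zero, so any timing-based correlation (packet ordering across taps, beacon-interval fingerprinting) should read the magic number before trusting the fraction field.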



    How does the PX Series achieve such high performance?


    FireEye uses a specially engineered hardware platform to accomplish high-performance capture vs. the commodity platforms of our competitors. We have patents around the technology required to write to disk and index traffic at these speeds, and also for the tiered indexing which enables searching and retrieving packets orders of magnitude more quickly than other solutions.





    How many Network Forensics Nodes can each Investigation Analysis System support?


    This depends on the level of traffic on the network as well as the packet capture nodes themselves. Our Systems Engineers will help you properly size the deployment of the Investigation Analysis System.


    What is the deployment architecture?


    To support highly distributed architectures with a scalable and flexible deployment, the Investigation Analysis System is designed to aggregate metadata hierarchically. It can be configured to function as a metadata aggregator, or to operate at the top of the hierarchy and run queries across the nodes that are aggregating metadata.



    What is the PX 004S Network Forensics Platform model?


    The PX 004S Network Forensics Platform can capture packets at up to 500 Mbps and has 2 TB of on-board storage.  It is ideal for locations with smaller bandwidth connections, such as remote offices. Visibility of the overall network infrastructure can be aggregated in the Investigation Analysis System (IA Series), a centralized, easy-to-use analytical interface to the PX Series.



    Which model should we buy?


    The correct model depends on the record speed and storage requirements. Storage requirements can be determined from a combination of the capture time interval, the capture rate, and the retention requirements. Our Systems Engineers have access to a storage sizing tool to help determine the best model for your implementation.




    What is the 264 TB external SAS storage shelf, and why is it important?


    The storage shelf provides additional storage at a higher density, delivered in a 4U form factor.


    There are two key reasons to choose the SAS storage shelf:

    • Expand and simplify storage architecture:  With the introduction of a standalone 264 TB external shelf, companies can increase the amount of external SAS storage that is available while simplifying their storage architecture with high-density disks.  Rather than the 24 TB or 48 TB external SAS storage options that each occupy 2U, customers can now choose a 4U option that delivers nearly 6 times the storage.
    • Improve storage flexibility: With the larger density, companies now also have larger storage options should they be looking for the flexibility that comes with deploying SAS-based storage rather than vendor-specific SAN storage.



    What is the usable storage on the 264 TB external storage shelf?


    Currently, 192 TB of the shelf is usable for storage.



    What is the tradeoff between full PCAP and metadata as I determine my storage requirements?


    The greatest reason to keep full PCAPs is file extraction: knowing precisely what data was exfiltrated. Full packets do not provide any analytical or query advantage (all analysis is done on metadata), but they do provide "ground truth."



    How much history should be stored?


    While many organizations' information governance requires 90 days of history, the cost of storing that much full packet data will be prohibitive for many companies. FireEye generally recommends 7-30 days of full packet capture, but 12 months or more of metadata. The metadata includes about 80% of the content of full packet data at about 10% of the storage cost.


    In our experience, the mean time to detection of a breach is 229 days, which is why we recommend that customers retain metadata beyond that.
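    The sizing question above (capture rate, capture interval, retention) and the retention guidance in this answer can be turned into a quick first-pass model before involving a Systems Engineer. The following calculator is an added example, not FireEye's sizing tool. It takes the FAQ's figures as inputs (metadata at roughly 10% of packet volume, short full-PCAP retention plus 12 months of metadata, 192 TB usable per shelf); the 20% headroom default and the average-rate assumption are this example's own choices, not values from the FAQ.

```python
"""First-pass storage sizing for a full-PCAP tier plus a long-term metadata tier.

Added example, not FireEye's sizing tool. Inputs taken from the FAQ: metadata is
about 10% of packet volume, usable capacity is 192 TB per external shelf. The 20%
headroom default and the use of a sustained average rate are assumptions made here.
"""
import math

TB = 10 ** 12              # decimal terabytes, as storage capacity is quoted
SECONDS_PER_DAY = 86_400
USABLE_PER_SHELF_TB = 192  # usable capacity of the 264 TB shelf per the FAQ


def bytes_per_day(avg_rate_bps: float) -> float:
    """Bytes written per day at a sustained average capture rate in bits per second."""
    return avg_rate_bps / 8 * SECONDS_PER_DAY


def size_deployment(avg_rate_bps: float, pcap_days: float, metadata_days: float,
                    metadata_ratio: float = 0.10, headroom: float = 0.20,
                    usable_per_shelf_tb: float = USABLE_PER_SHELF_TB) -> dict:
    """Size both tiers and count how many external shelves the total needs."""
    per_day = bytes_per_day(avg_rate_bps)
    pcap_bytes = per_day * pcap_days
    meta_bytes = per_day * metadata_days * metadata_ratio
    total_bytes = (pcap_bytes + meta_bytes) * (1 + headroom)   # headroom is an assumption
    return {
        "pcap_tb": pcap_bytes / TB,
        "metadata_tb": meta_bytes / TB,
        "total_tb": total_bytes / TB,
        "shelves": math.ceil(total_bytes / (usable_per_shelf_tb * TB)),
    }


def max_pcap_retention_days(avg_rate_bps: float, usable_tb: float, metadata_days: float,
                            metadata_ratio: float = 0.10, headroom: float = 0.20) -> float:
    """Invert the model: with fixed usable capacity, how many days of full PCAP fit
    once the metadata tier is reserved. Returns 0.0 if the metadata alone does not fit."""
    per_day = bytes_per_day(avg_rate_bps)
    budget = usable_tb * TB / (1 + headroom) - per_day * metadata_days * metadata_ratio
    return max(0.0, budget / per_day)


if __name__ == "__main__":
    # 800 Mb/s sustained, 14 days of PCAP, 12 months of metadata: about 121 TB of PCAP
    # but about 315 TB of metadata, i.e. the long metadata tier dominates.
    print(size_deployment(800e6, pcap_days=14, metadata_days=365))
    # Same link against one 192 TB shelf with 30 days of metadata reserved.
    print(max_pcap_retention_days(800e6, usable_tb=192, metadata_days=30))
```

Two practical caveats the model makes visible: at 12 months the metadata tier, not the short PCAP window, usually dominates capacity, and the average rate you feed in should come from real utilization measurements rather than link speed, since sizing a 500 Mbps remote-office probe at line rate overstates the requirement several-fold.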