Razor in the Field

This is the first installment of several Razor blog posts. Razor is a network monitoring and deep content inspection appliance that sits on the perimeter of a network and monitors inbound and outbound traffic. I'm not going into any deep analysis or Policy creation details because it's a little too much information for one blog post. I wanted to touch on how quickly Razor can give you network activity results once it has been set up.

As soon as you log in you are brought to the Dashboard and can tell what has been happening on the network since your last check-in. The Event Timeline displays the number of events and the time they occurred. The Event Timeline is the first stop I make after logging in to make sure there isn't any unusual influx in network traffic. The Event Distribution displays a pie chart representation of the total events observed. Between the two of them they can usually tell me what kind of a day I'm going to have within the first 30 seconds of logging in.

At this point I like to go into the Events section to see what is causing the reported activity. There are several ways to sort, but in this case we are sorting by Timestamp during the initial review. One of the new features in Razor (and Active Defense) I've found useful is the ability to drag a column up to the grouping bar, which adds some extra sorting abilities. I will cover this in more depth in a future blog post.

Just like most other network devices, you are able to pull back the PCAP (Packet Capture) file, if applicable, from the Results column and open it in Wireshark to view the packets for any anomalies. In the Actions column you have the ability to use the Create an Analysis Job action if a .exe or PDF file is captured. Once an executable or PDF file is captured, an analysis "Job" is created for the captured sample (called a Specimen), and the sample is detonated inside a guest VMware VM image using REcon. REcon records and graphs malware behavior at runtime so you can extract critical data from an unknown executable. This feature is only available if you choose Trace and Archive for the activity when setting up the policy.

In my experience, most management will opt to use the Reset Session option while making the Policy to kill the connection rather than choose the Trace and Archive policy feature. Razor does not block any traffic like a firewall. Instead, it copies all traffic and injects a reset packet if there is a policy in place. Within the first minutes of logging in you already have actionable items for the day and any relevant information that needs to be relayed to management.

-- Charles Copeland