These guys are really interesting. We first came across them some time ago when we needed an impressive way to open a talk on cybersecurity. We found their attack map and started digging into what they had. If you think the map is cool, consider data centres in 140 countries and tens of terabytes per day of data that they are analysing. All of this is focused in the Norse DarkMatter Platform. DarkMatter collects data from sensors, geolocation, open source and a wide variety of other sources. It then uses advanced Big Data analytics to make sense of the massive amounts of data and then makes the analyses available to Norse customers in a variety of ways.
The deeper we dug into the Norse DarkWatch product the more impressed we were. Of course we expected honeypots. And Norse does use low interaction honeypots, but they account for only about 20 percent of the total data gathered. Additionally, using a tool it calls Anon-Proxy, Norse is watching somewhere around 200,000 TOR exit nodes on a daily basis. If you need a lot of cyber threat intelligence, this is a good way to get it.
AT A GLANCE
What it does: Threat intelligence appliance that ties the Norse DarkMatter infrastructure to your network.
Access to Norse data is through the firm's API or through its portal. The Norse DarkWatch appliance is a pretty impressive tool itself. It updates from the same DarkMatter fire hose every five seconds and can alert or block. The dashboard for DarkWatch is straightforward and typical of dashboards we all are used to seeing. It is pretty plain but clearly laid out, and drill-down can get you just about anything you need.
Of course the key to ease of use is the drill-down capability. Drilling down from the main interface you can get to a lot of data, smartly arranged and nicely categorised. Finding malicious sites, crawling for new malware and developing analyses is an ongoing task, and with the frequent updates to the device all of that is available to the user. An interesting example of this is the capture of domains created using domain-generation algorithms, sometimes thought of as polymorphic URL algorithms.
A typical difficult manual trace is the mapping of the architecture of a botnet. That is automated by Norse and reported to the user. Command-and-control servers can be geolocated to an accuracy of three or four decimal places and the system watches carefully for compromised devices, such as firewalls and routers. All of this is grist for the DarkMatter mill and all of it is available on the DarkWatch device on demand.
Finally, with the increasing emphasis on the Internet of Things, it is important to understand what "things" have been compromised. Whether it's your webcam or your refrigerator, you don't want hackers taking advantage of the fact that it is connected to the internet with an IP address. But compromises happen. When they do, the device very well may become a pivot for an attack or a zombie on a botnet. Norse follows those compromises and reports them back to the DarkWatch users.
DarkWatch is a policy-driven device. That means that users can develop or modify policies that are created and delivered by the policy engine. DarkWatch's policy engine is easy to use and very flexible. Setting up a policy is a matter of a few mouse clicks to define what you want to do, what you want to do it to, and when you want the policy to kick in. A single web page on the web interface has everything you need. Actions can be blocked, alerts can be sent, or a simple notification is available if that is all you want for a particular event.
OUR BOTTOM LINE
This is the Cadillac of cyber-threat assessment tools. It is big, complete and it does just about everything you could want. Its user interface is well-organised and its data sources are extensive. DarkWatch comes as an appliance or as a virtual appliance, but beware: the virtual appliance is power-hungry. It wants a 2.5GHz, six-core processor and in VMware - which is where it runs - it needs ESXi 5.0 or higher and an E1000 network card. I would opt for the physical appliance.
One of the big differentiators for Norse is that it concentrates on real-time attack monitoring. It constantly audits the entire IPv4 network space and applies more than 1,500 variables to its analytics. The system can interact with such network tools as SIEMs, firewalls and IPSs.
This is one you should take very seriously. Typically we look for warts - however small - that our emerging products could take advantage of to, perhaps, emerge a little faster. In this case, though, we found none. The Norse product suite is, as a whole, a sort of benchmark if there is such a thing in this product space - and it is well worth your attention.
DarkWatch, DarkViking and DarkList all add to the benefits that Norse customers can take advantage of but they all have in common the DarkMatter Platform. That is the secret sauce and pretty tasty it is, at that. The IPViking attack map is pretty cool, too.
Prices are US based and therefore indicative only.