Product Review: Savvius Vigil
Savvius Incorporated (formerly known as WildPackets) was founded in 1990 and made its name in the networking space. Historically the company’s products focused on rack-mounted hardware and network analysis solutions, with the addition of application analysis within the last decade. In more recent years, Savvius has begun an expansive effort to leverage its expertise with packet-based network solutions for use in the growing field of enterprise security. One of the greatest problems facing businesses today is data security. As more and more sensitive and valuable data becomes available, hackers become more motivated to steal it. Alerting data and security analysts about potential breaches is a daunting enough task on its own; following the breadcrumbs that lead to the precise source of the breach (and any data being exfiltrated) only complicates issues further.
Savvius Vigil’s ability to store five minutes of packet data both before and after an alert allows users to go “back in time” to analyze exactly what caused the alert, providing two critical advantages. The first is that vital network data is not lost while the alert is being processed. The second is that only a very small percentage of the overall network traffic needs to be stored, so it frees up more storage. This allows data to be saved for extended periods of time, which is particularly helpful to security analysts. Other products on the market can’t do both of these things.
This time- and data-sensitive problem is what Savvius is addressing with Savvius Vigil, its latest product designed specifically to enable deep network forensics during security investigations. Savvius Vigil operates at the packet level so that the smallest unit of data is traceable and identifiable in the case of a breach. Since packets are the data equivalent of a fingerprint, hackers cannot modify them as they can with log data, so identifying precisely what data was compromised becomes easier. The data captured and stored by Vigil is easily searchable, and can be analyzed using a variety of tools such as Savvius Omnipeek. This makes it useful for both data analysts (thanks to near real-time data exchange) and security analysts (access to long-term storage and breach history for investigative and predictive purposes).
Savvius Vigil is designed to achieve two main tasks: buffer and report. No data or security analysis is done within the device itself, but it monitors potential security threats in a powerful and unique way. In a common scenario, Vigil is connected to one or more IDS/IPS or SIEM appliances. As these appliances detect potential threats, they produce alerts which are categorized by levels of severity or priority. Most organizations do not have the resources to investigate every alert, so this is where Vigil comes in. The device constantly buffers the same network traffic that the IDS/IPS/SIEM solution is analyzing. When an alert is raised, Vigil stores the five minutes of buffered traffic preceding that alert, and continues to capture and store an additional five minutes of traffic after it. If a particular data transfer looks suspicious to the IDS/IPS/SIEM, an alert is made and Vigil automatically traces the data packets included in the exchange and copies those packets to disk. At the end of the day, only data relevant to potential security threats is saved, meaning less wasted storage space and less wasted time for security analysts down the road if they decide they need to come back and investigate it. This could be weeks or even months later, which are common lengths of time for a breach to go undiscovered.
Vigil’s ability to buffer, capture and store data in this way allows users to “go back in time” to see exactly what transpired during a breach. One of the huge advantages of selectively storing traffic data is that it frees up storage space, allowing data to be saved for extended periods of time, which is particularly helpful to security analysts. Competitors (like Netresec or NIKSUN) might be able to offer long-term storage or a similar “back in time” feature, but Savvius Vigil is currently the only solution that can do both. This combination is what sets Savvius apart from the rest of the market.
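The buffering logic the review describes (a rolling five-minute pre-alert window, and on an alert that window plus the following five minutes pinned for retention) can be modelled as an alert-triggered ring buffer. The sketch below is an added example written for this review; it is not Savvius code and does not describe Vigil’s implementation, and the packets, timestamps and alert id in it are constructed.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float        # capture time in seconds (constructed)
    summary: str     # stand-in for the raw frame bytes


@dataclass
class Alert:
    alert_id: str
    ts: float
    end: float                              # last timestamp still retained
    packets: list = field(default_factory=list)


class AlertTriggeredCapture:
    """Keep only the last `pre` seconds of traffic in memory; when an alert fires,
    pin that window plus the next `post` seconds to a per-alert store."""

    def __init__(self, pre=300.0, post=300.0):
        self.pre, self.post = pre, post
        self.ring = deque()      # rolling pre-alert window
        self.open = []           # alerts still collecting post-alert packets
        self.stored = {}         # alert_id -> Alert (what would be written to disk)

    def ingest(self, pkt: Packet):
        self.ring.append(pkt)
        while self.ring and self.ring[0].ts < pkt.ts - self.pre:   # age out old packets
            self.ring.popleft()
        # deliver the packet to every alert whose post-alert window is still open
        self.open = [a for a in self.open if pkt.ts <= a.end and not a.packets.append(pkt)]

    def on_alert(self, alert_id: str, ts: float) -> Alert:
        a = Alert(alert_id, ts, ts + self.post)
        a.packets.extend(p for p in self.ring if ts - self.pre <= p.ts <= ts)  # pre-alert window
        self.open.append(a)
        self.stored[alert_id] = a
        return a

    def retained_count(self) -> int:
        return sum(len(a.packets) for a in self.stored.values())


def demo() -> AlertTriggeredCapture:
    """Constructed traffic: one packet every 60 s for 20 minutes, one IDS alert at t=600 s."""
    cap = AlertTriggeredCapture(pre=300.0, post=300.0)
    for t in range(0, 1201, 60):
        cap.ingest(Packet(float(t), f"pkt@{t}s"))
        if t == 600:
            cap.on_alert("ids-0001", 600.0)     # constructed alert id
    return cap
```

Running `demo()` retains 11 of the 21 constructed packets (timestamps 300 s through 900 s), while the ring buffer alone never holds more than the last five minutes.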
Key Features and Specifications
- Investigate security alerts as they happen or incidents months later.
- Intelligent capture of network traffic based on IDS/IPS alerts dramatically reduces required storage.
- Capture all network data from sensitive assets or suspicious protocols, all the time, to provide insight into attacks that IDS/IPS solutions miss.
- Retains the critical pre-alert packets that show how a breach occurred.
- Initiate full packet capture with the push of a button.
- Integrates seamlessly with existing IDS/IPS solutions.
- Instantly investigate packets related to suspicious activity.
- Stores relevant network packets for months.
- PCAP output for use in your current investigation workflow or with Omnipeek Connect (license included).
- 3U appliance with 1G and 10G interfaces.
- 64 TB of storage.
Vigil is used by companies of all sizes and especially in fields where sensitive data is concerned (e.g. healthcare and finance). Users are often incident hunters, security analysts, and others whose roles cross over between network and security. Vigil can be used for outside threats as well as for testing purposes (i.e. monitoring self-attacks on a network to test security functions). Most users seek out Vigil after being breached, because many businesses are unaware of the powerful nature of packet capture.
Savvius Vigil was recently awarded Best Security Hardware of 2016 by Network Product Guide’s IT World Awards. Other recent news for Vigil includes partnerships with Cisco and IBM as the product continues to gain popularity. Some of Savvius’ upcoming regional events include Data Connectors, IT Roadmap, as well as bi-monthly webinars. Savvius can also be found at annual trade shows including CiscoLIVE, RSA and Black Hat in 2017. A full list of upcoming events can be found here.
Savvius Vigil Designated Ready for IBM Security Intelligence by IBM PartnerWorld Press Release
Savvius Vigil Integrates with Cisco FirePOWER for Additional Risk Mitigation Press Release
Savvius Vigil™ Awarded Best Security Hardware 2016 Press Release