Enterprise Situational Intelligence

Transcription

1 DATA SHEET Enterprise Situational Intelligence You can attain a real-time, authoritative view of your network infrastructure using Lumeta ESI. Running in an always-on mode, ESI delivers network indexing, leak path detection, visualization and analytics to provide network situational awareness across the enterprise network including physical, virtual and cloud. ESI s Big Data and Advanced Analytics help you address network vulnerabilities and cybersecurity threats* as they occur. It can be a daunting undertaking to keep track of network change. Change is constant. Traditional perimeter security methodologies are challenged by Cloud, BYOD and mobility programs, as well as a growing number of cyber threats. Evolving network architectures such as Software-defined Networks (SDN) are rapidly increasing network complexity. M&A, consolidation and outsourcing programs are accelerating the speed of change within the enterprise. The need for real-time, accurate network situational awareness is vital for any security risk management program. The ultimate goal is to: aidentify and monitor 100% of network connections and devices aunderstand all aspects of the network environment physical, mobile, virtualized, cloud (private, public and hybrid) aexpose potential problems, such as cyber threats, unplanned Internet connections, unmanaged devices and unsecured ports amonitor in real-time for instant visibility and quick response Lumeta s network situational awareness platform is the authoritative source for network infrastructure and cybersecurity analytics. Lumeta ESI delivers foundational intelligence to power realtime network situational awareness of the entire enterprise. It automatically discovers the entire enterprise and creates comprehensive, detailed network topology maps in realtime. ESI yields accurate network and device intelligence, while issuing alerts and notifications as the enterprise changes and evolves. This foundational intelligence is a critical underpinning for network vulnerability management and cybersecurity breach detection strategies to be truly effective. Highlights a Aligns with Continuous Monitoring (US) and Protective Monitoring (UK) security programs. a Combined active scanning and passive listening techniques provide the most comprehensive, accurate, best-of-breed results. a Embedded Hadoop Distributed File System (HDFS) for cybersecurity breach analytics (identify threat flows, access to known Trojan or malware ports, zombies) in conjunction with ingested feeds such as threat intelligence or flow data. a Highly scalable to accurately discover the largest networks. a Lightweight, causing little to no impact on network performance. a Zones give flexibility to partition and organize discovery. a Visualize complex network topology maps in real-time. a Real-time alerts flag departures from the network steady state, facilitating immediate remediation of out-of-policy events and network vulnerabilities. a Real-time leak path detection. a ESI can be configured to test the security posture of IPv6- enabled devices to ensure they are properly configured and to detect possible vulnerabilities. a Lumeta Network Index allowing for best practices based scoring (risk metrics) of ESI results. a Integration with third-party products to maximize their results and value. *Refer to the Real-Time Network Behavior Analytics & Cybersecurity Breach Detection with Lumeta ESI Solution Brief for cybersecurity use cases.

2 ESI Intelligence via Multisource Identification Techniques Lumeta ESI uses a unique always on technique to produce comprehensive network visibility a continuous recursive cycle of targeting, indexing, tracing, monitoring, profiling, and displaying of a network. a Passive Indexing (listening) for newly connected network infrastructure, devices and previously unmanaged assets. This is agent-less, with no impact to the network. ESI largely relies on ARP traffic and the routing plane and uses route analytics / routing protocols and traffic monitoring (DHCP, etc.). a Active Indexing (scanning), in context, to crawl the network when and where those network infrastructure changes occur. This is a benign exploration that s especially useful in identifying a network s perimeter. ESI sends packets to a surmised target, and learns from the target s response. Active discovery continuously incorporates data uncovered via passive discovery, yielding the broadest and most comprehensive results in the industry. This is largely achieved using TTL and multiple protocol ping. a Targeted System Inquires (device profiling or system access) is the close inspection of a known device or entity. It uses SNMP, and includes Port Discovery and DNS Lookups. Targeted inquiries leverages the intelligence accumulated from ESI s hybrid active/passive approach to discovery to provide rich data gathered from network equipment. ESI uses advanced profiling techniques that detect newly connected devices and previously unmanaged assets. ESI automatically detects changes to the network topology, alerts of possible security policy violations and network vulnerabilities in real-time, and documents network changes for regulatory compliance. ESI identifies events or configurations linked to adversarial or anomalous conditions at the enterprise level. Recursive network indexing and the various multisource identification techniques used by ESI provide intelligence regarding network segmentation and network architecture: What network enclaves are able to reach others? What are the unknowns in the network? What does the network really look like? What devices are attached to the network and how? Does this violate policy? Big Data and Advanced Analytics The underlying architecture/infrastructure of ESI includes an embedded Hadoop Distributed File Store (HDFS) which allows for the collection, storage and analysis of huge amounts of unstructured data in real-time. ESI can ingest / take in new external data feeds/streams such as NetFlow data and Threat Intelligence feeds to correlate with ESI s real-time indexing data. This allows for deeper drill-down analytics to rapidly find more meaning in large amounts of data. What Does ESI Identify? Discover the Network ESI maps the entire enterprise, discovers all networks and connections including previously unknown portions of the network and defines the network perimeter, partner connections, and cloud connectivity. It provides an integrated OSI Layer 2 / Layer 3 understanding of the network infrastructure. Discover the Hosts ESI takes a census of all active devices (including IPv6 enabled network devices*) attached to the network and finds stealthy devices. Profile Devices ESI identifies the types of devices connected to the enterprise, highlighting those devices that fall outside of policy or are considered rogue in nature. Discover Network Leak Paths ESI reveals connectivity between networks (business units, partners, spin-offs, secure zones, etc.), or the corporate enterprise and the Internet. Through this intelligence IT professionals can determine whether the connectivity is authorized, or if proper security controls are in place. Steady state Upon initial deployment of ESI, a baseline of normal network behavior is established over a short period of time. This baseline describes the network s steady state that range of behavior indicating health and normalcy on the network. Once certain parameters have been defined as normal, ESI continuously monitors and flags any departure from one or more of them as anomalous. Progress to auto-pilot As new infrastructure elements are discovered, results are automatically tuned and refined. Discoveries trigger new threads of collection activity. The raw data backing map nodes is automatically updated. Maps refresh to display newly discovered entities. IT professionals are alerted to precisely those network events that merit attention. All in real time. All continuously. * Refer to the Lumeta ESI IPv6 Discovery Solution Brief for full details.

3 Real-time Network Architecture Analytics a true view of what the network really looks like (what devices are attached to the network, and how) a Authoritative Network Census a Real-time Network Infrastructure Updates (Broadcast, OSPF, BGP, etc.) a Address Space Validation a Network Edge Definition a Unreachable Network Segment Identification a Device Indexing/Profiling a Enterprise-wide Certificate Identification a Network Topology Mapping a Port Mapping/Usage Real-time Network Segmentation Analytics advanced intelligence needed to verify network segmentation and understand the network architecture relative to an organization s policy Leak Path Identification: a Unauthorized Internet Connectivity a Multi-homed Host Identification a Split Tunneling Identification a Unauthorized Bridging Device Identification a Hybrid Physical/Virtual Segmentation Unknown Network Identification: a Forwarding Device Census a Rogue Network/Forwarder Identification Real-time Cybersecurity Breach Detection & Analytics using ingested feeds, detect nefarious activity in your network, in real-time a Threat Flows: Find live interactions with adversaries (NetFlow correlation to malware command and control servers) a Hunt zombies/bots a Identify internal use/accessibility of known Trojan and malware ports Cyber Threat Dashboard incorporating real-time indexing with external feeds, such as threat intelligence and flow data

4 Visual Analytics Visualization, mapping, reporting and alerting capabilities make the abstract, logical, and virtual aspects of your network visible allowing network security analysts to quickly make relevant decisions about incidents, while still providing forensic experts with details about any incidents and its relation to other historical anomalies. Zone Segmentation Create discovery zones, with individual rules and policies, to partition the continuous monitoring of security controls for compliance with regulatory and internal information security policies. This allows for discovery of enclaves, segregated networks, overlapping IP spaces, and more. Zones can be as simple or as complex as defined by an organization and can be comprised of logical networks and subnets, regardless of where they are physically deployed around the world (e.g., geographic zones, business unit / mission zones, corporate/guest/partner zones). Enterprise Dashboard An operational overview of Zones, Notifications, Cyber Threats and Network Anomalies. Dashboards are configurable and user-definable, and provides comprehensive visibility into the entire network infrastructure including data about network connections and devices. When new devices connect to the network, IT professionals are notified via the dashboard, in real-time. The dashboard consolidates and communicates relevant security status in real-time, translating raw data into actionable information, (e.g., policy compliance and anomaly alerts). The dashboard can be zone-specific or can provide a consolidated view of all zones. Users have the option to create custom dashboards. Dynamic Mapping An interactive network topology map enabling global visibility across the enterprise from high-level to specific devices. The map updates in real-time as the network changes. Robust Reporting Displaying a specific Zone s index of findings, real-time reporting tools track network asset information and quickly identify changes in the network infrastructure. Next-generation reports include compliance reports and custom reports all with drill-down capabilities. Historical Reporting: Now you can schedule snapshot-in-time reports to run on a regular, automated basis -building a useful audit trail against which you can identify changes in your network over time. Advanced Analytics using Query Builder & Advanced Search You ll be able to work with ingested data to write SQL-backed queries (via direct SQL queries or using the Query Builder) that draw on the relationship between network, flow, and intelligence data. You can work big data, asking and answering questions of interest to your enterprise, and then filter the returned data set with an unprecedented level of control and specificity. Indexing Stats Dashboard on the Command Center showing device counts, event counts, and event types across zones and featuring drill-down capability Map of a Zone, labeled by IP address and grouped by third octet. Acknowledged nodes display in blue. The focal node is circled in green.

5 Scalable to the World s Largest Networks with Two-tier Enterprise Architecture Lumeta ESI is available in a Cloud or Virtual Machine deployment. ESI does not disrupt operations in order to completely index a network - no matter how far-flung or numerous the resources are. ESI scales to handle large data sets as easily as it does small data sets. Thus, ESI is a true enterprise application, able to work efficiently in both large and small deployments. ESI uses a distributed, two-tier model proven at the world s most complex networks. The system includes the ESI Command Center and ESI Scouts. a ESI Command Center: A web-based management platform for administration, configuration, monitoring, visualization and reporting. The Command Center performs network architecture and segmentation analysis. It has an embedded Hadoop Distributed File System (HDFS) for breach and cyber analysis in conjunction with ingested feeds such as threat intelligence or flow data. a ESI Scout: A distributed system for collection of network intelligence, reporting back to the ESI Command Center. Smart sensors perform active and passive indexing. They can be connected (virtually) to multiple zones or regions. The size and configuration of the ESI deployment will depend on the network topology and use-case requirements. Deployments will vary in size from a single ESI Command Center to more complex installations. A Lumeta consultant will work with you to determine the best architecture and product configuration for your environment. Extensibility of Foundational Intelligence Without a means to obtain network situational awareness, security analysts largely rely on locally focused specialty products and manual data analysis from complex systems, like network management suites, to gain a level of insight into the network infrastructure. While a variety of monitoring products exist, continuous network monitoring without visibility into the state of the enterprise as a whole leaves inherent gaps in defenses. ESI offers flexible integration options to provide seamless access of its foundational intelligence to third-party products, such as security incident and event management (SIEM), vulnerability management (VM), intrusion prevention systems (IPS) and network access control (NAC). ESI data can be exported to other network security products via an open API, to provide simplified integration options to ESI s rich, salient data. This type of integration improves analytical capabilities, allowing organizations to fully understand their IT environment. Real-time integration of external threat intelligence sources ESI includes the ability to ingest open source threat intelligence feeds. The combination of ESI real-time, comprehensive network indexing and real-time security information services provides up-to-date intelligence 1) to identify any internal use/accessibility of known Trojan/malware ports; 2) to correlate NetFlow data to malware command and control (C2) servers; or 3) for zombie hunting. Lumeta ESI is Layer Zero of the network security architecture. Lumeta Corporation 300 Atrium Drive, Suite 302 Somerset, NJ USA Lumeta Corporation. All rights reserved. Lumeta, the Lumeta logo and IPsonar are registered trademarks of Lumeta Corporation in the United States and other countries. All other trademarks or service marks are the property of their respective owners.