Identify and Lock down 100% of your Leaks. Detect Suspicious Network Behaviors

Transcription

1 DATA SHEET REAL-TIME CYBER SITUATIONAL AWARENESS FOR IOT AND ICS LUMETA SPECTRE FOR THE INTERNET OF THINGS (IOT) AND INDUSTRIAL CONTROL SYSTEMS (ICS) IS THE ONLY SOLUTION TO DELIVER 100% REAL-TIME INFRASTRUCTURE VISIBILITY, REAL-TIME NETWORK CHANGE MONITORING AND THREAT DETECTION FOR PREVENTING SUCCESSFUL BREACHES. The adoption of IP-Enabled infrastructure and commercially available operating systems challenges organizations to keep up with identifying and securing unknown, rogue and shadow networks, endpoints and other IoT infrastructure, while also monitoring for changes, unauthorized network activity, segmentation violations and leak paths to the Internet across both IT and OT environments. Lumeta Spectre provides unmatched real-time cyber situational awareness enabling network and security teams to not only identify even the darkest corners of your IPenabled critical infrastructure but also monitor for changes or unusual behaviors without agents to detect and prevent threats that target these common gaps in visibility Eliminate 100% of your Infrastructure Blind Spots See 100% of Dynamic Network Changes Identify and Lock down 100% of your Leaks Detect Suspicious Network Behaviors Find, on average, 40% more IPs and even whole networks beyond any other visibility or security solution Monitor for Every Network and Endpoint Add/Drop or Path Change especially between IT and OT environments Within minutes uncover unauthorized movement, segmentation violations and leak paths to the Internet Detect unauthorised flows, encryption, Zombies, C2 activity and other attack vectors common to advanced attacks that target critical infrastructure

2 REAL-TIME CYBER SITUATIONAL AWARENESS FOR IOT AND ICS NETWORK INFRASTRUCTURE ANALYSIS The shift to less proprietary technologies whether in manufacturing, healthcare, utilities, banking or retail has torn down the natural barriers that prevented cyber criminal and nation states from easily targeted these critical systems. Lumeta Spectre 's patented Recursive Network Indexing provides a real-time, authoritative view of your network infrastructure, across IT and OT networks, remote locations and into the cloud and then hunts for dynamic changes to limit and identify points of potential compromise. Index of the network and all attached endpoints for a true view of the network (what devices are connected to the network, and how; what address space is in use) Dynamic Network Edge Definition Identification of rogue networks and devices Map shadow IT (virtual, cloud, mobile) Real-time Network Infrastructure Updates (Broadcast, OSPF, BGP, etc.) Unreachable Network Segment Identification Device Indexing/Profiling Enterprise-wide Certificate Identification Network Topology Mapping Port Mapping/Usage THREAT AND BREACH DETECTION With our Real-Time understanding of the network and dynamic changes, Lumeta Spectre then hunts for anomalous behavior paired with third-party threat intelligence feeds (Accenture idefense subscription is included) to quickly spot threat and breach activity. LEAKS AND SEGMENTATION VIOLATION DETECTION Lumeta Spectre hunts for leak paths, across IT/OT, to the Internet or in between network segmented or firewalled enclaves. Leak Path Identification: Layer 3 segmentation analytics identify leak paths to the Internet or rogue paths between enclaves which may be exploited for malicious activity Unauthorized Internet Connectivity Multi-homed Host Identification Split Tunneling Identification Unauthorized Bridging Device Identification Hybrid Physical/Virtual Segmentation Unknown Network Identification: Lumeta validates your known versus found networks Forwarding Device Census Rogue Network/Forwarder Identification BIG DATA AND ADVANCED ANALYTICS The Lumeta Spectre platform has an embedded Hadoop Distributed File Store (HDFS) which allows for the collection, storage and analysis of huge amounts of unstructured data in real-time. Lumeta Spectre can ingest external data streams such as NetFlow data and Threat Intelligence feeds to correlate with Spectre s real-time indexing data. This allows for deeper drill-down analytics to rapidly find more meaning in large amounts of data, and help organizations address network vulnerabilities and cybersecurity threats as they occur. Threat Flows: Find live communications occurring with adversaries (correlate NetFlow to malware command and control servers) Highlight internal use/accessibility of known Trojan and malware ports ( red and malicious ports) Hunt for unauthorized (zombie) communications flows to known bad actor sites. 1

3 RECURSIVE NETWORK INDEXING Lumeta Spectre uses a unique always on technique to produce an authoritative network summary a recursive cycle of targeting, indexing, tracing, monitoring, profi ling, and displaying a network s state. Combines passive indexing (listening) for newly connected network infrastructure, devices and previously unmanaged assets, and Then targets active indexing, techniques in context to crawl the network when and where those changes occur. INDEXING TYPE WHAT IS THIS? BENEFIT Network Discovery (ND), Layer 2 Discovery (L2) Actively index forwarders and paths using ICMP, TCP, UDP, DNS via TTL-tracing, responses Index network infrastructure devices, route tables, ARP tables, switch TCAM, VLANs using SNMP, LLDP Authoritatively identifies the full address space in use and the edge of the managed enterprise network, through use of recursive additions of newly identified address targets Host Discovery (HD) Actively index devices attached to network via ICMP, TCP, UDP, DNS, SNMP interrogation and responses Provides the authoritative census of devices are there, now, connected to network Device Profiling (DP) Actively fingerprints the indexed census of devices on the network using TCP (OS detection), CIFS, HTTP/S, SNMP Provides a high confidence (agent-less) assessment of device type, manufacturer, OS, certifi cates and certifi cate status Service (Port) Discovery (SD) Actively index ports within the profiled census of devices using a confi gured list or a full port scan by using TCP SYN/ACK response Authoritatively identifies TCP ports in use and highlight deviations/violations from policy Leak Discovery (LD) Actively index leak-paths that exist in the L3 routed domain between network segments using Lumeta proprietary TCP packet spoofing Authoritatively identifies network segmentation violations between networks at L3 Enhanced Perimeter Discovery (EPD) Index L2 bridging and forwarding devices using ARP listening to assemble candidate MAC/IP pairs and Lumeta proprietary active TCP packet injection targeting each MAC/IP pairs default gateway Authoritatively identifies L2 bridging and forwarding violations within multi-homed hosts or devices with multiple interfaces Network Control Plane Context Probe and index network change by participating in control domain using OSPF, BGP, ICMPv6, ARP, DHCP, DNS analysis, etc. Authoritatively identifies the presence of cloud, virtual/mobile devices and network infrastructure (NFVs) in real-time 2

4 REAL-TIME CYBER SITUATIONAL AWARENESS FOR IOT and ICS Steady state Upon initial deployment of Spectre, a baseline of normal network behavior is established over a short period of time. This baseline describes the network s steady state that range of behavior indicating health and normalcy on the network. Once certain parameters have been defined as normal, Spectre continuously monitors and flags any departure from one or more of them as anomalous. Progress to auto-pilot As new infrastructure elements are discovered, results are automatically tuned and refined. Discoveries trigger new threads of collection activity. The raw data backing map nodes is automatically updated. Maps refresh to display newly discovered entities. IT professionals are alerted to precisely those network events that merit attention. All in real time. Indexing Stats Dashboard on the Command Center showing device counts, event counts, and event types across zones and featuring drill-down capability 3

5 REAL-TIME CYBER SITUATIONAL AWARENESS FOR IOT AND ICS VISUAL ANALYTICS Visualization, mapping, reporting and alerting capabilities allow network security analysts to quickly make relevant decisions about incidents, while still providing forensic experts with details about any incidents and its relation to other historical anomalies. Dashboards An operational overview of Zones, Notifi cations, Cyber Threats and Network Anomalies. Dashboards are confi gurable and user-defi nable, and provide comprehensive visibility into the entire network infrastructure including data about network connections and devices. When new devices connect to the network, IT professionals are notifi ed in real-time. Zones Create discovery zones, with individual rules and policies, to partition the continuous monitoring of security controls for compliance with regulatory and internal information security policies. This allows for discovery of enclaves, segregated networks, overlapping IP spaces, and more. Dynamic Mapping An interactive network topology map enabling global visibility across the enterprise from high-level to specifi c devices. The map updates in realtime as the network changes and includes sound alerts, visual effects and on-screen messaging to make it easier to stay apprised of changes. Robust Reporting Displaying a specific Zone s index of findings, real-time reporting tools track network asset information and quickly identify changes in the network infrastructure. Next-generation reports include compliance reports and custom reports all with drilldown capabilities. Historical Reporting is also available, letting you schedule snapshot-in-time reports to run on a regular, automated basis -building a useful audit trail against which you can identify changes in your network over time. Advanced Analytics using Query Builder & Advanced Search You ll be able to work with ingested data to write SQL-backed queries (via direct SQL queries or using the Query Builder) that draw on the relationship between network, flow, and intelligence data. You can work big data, asking and answering questions of interest to your enterprise, and then filter the returned data set with an unprecedented level of control and specificity. Lumeta Spectre for IoT/ICS dashboard showing network-based core indices 4

6 REAL-TIME CYBER SITUATIONAL AWARENESS FOR IOT AND ICS LAYER ZERO OF THE SECURITY & NETWORK MANAGEMENT ECOSYSTEM ARCHITECTURE Lumeta Spectre is integrated with the ecosystem of security and network management tools such as IPAM, Modeling Tools, HVA, SIEM, GRC, Endpoint Detection & Response, Threat Intelligence.* Use of Lumeta Spectre s foundational intelligence maximizes the effectiveness and protects your investment in those tools. Lumeta Spectre for IOT/ICS zone and indexing configuration Lumeta Spectre for IoT/ICS map Lumeta Spectre for IoT/ICS technology integration dashboard 5

7 REAL-TIME CYBER SITUATIONAL AWARENESS FOR IOT AND ICS Lumeta Spectre for IoT/ICS Breach Detection dashboard showing zombie and Tor devices on the enterprise network, netfl ow to/from Tor and open ports associated with nefarious activity SCALABLE TO THE WORLD S LARGEST NETWORKS WITH TWO-TIER ARCHITECTURE Lumeta Spectre does not disrupt operations in order to completely index a network - no matter how far-fl ung or numerous the resources are. Spectre scales to handle large data sets as easily as it does small data sets. Lumeta Spectre is available in a Cloud or Virtual Machine, and uses a distributed, two-tier model proven at the world s most complex networks. The system includes the Spectre Command Center and Spectre Scouts. Spectre Command Center: A web-based management platform for administration, confi guration, monitoring, visualization and reporting. The Command Center performs network architecture and segmentation analysis. Spectre Scout: A distributed system for collection of network intelligence, reporting back to the Spectre Command Center. Smart sensors perform active and passive indexing. They can be connected (virtually) to multiple zones or regions. PRODUCT HIGHLIGHTS Authoritative network baseline and real-time visibility Validate/confirm known and unknown IP addresses on the network WITHOUT AGENTS Real-time leak path detection Embedded Hadoop Distributed File System (HDFS) for cybersecurity breach analytics (identify threat flows, access to known Trojan or malware ports, zombies) in conjunction with ingested feeds such as threat intelligence or flow data Real-time alerts and notifi cations flag departures from the network steady state. Combined active scanning and passive listening techniques Comprehensive, detailed network topology maps Highly scalable to accurately index the largest networks Little to no impact on network performance, and easy to deploy (agentless) Snapshot reports available to build an audit trail Complementary with deployed security stack/ platforms Automates key Center for Internet Security (CIS) Critical Security Controls Aligns with Continuous Monitoring (US) and Protective Monitoring (UK) security programs *Refer to the Real-Time Network Behavior Analytics & Cybersecurity Breach Detection with Lumeta Spectre Solution Brief for cybersecurity use cases. 6

8 LUMETA SPECTRE PORTAL The Lumeta Spectre Portal enables you to gather and centralize insights from multiple Lumeta Spectre Command Centers and stay apprised of their operational status. Using it, you can view the geographical position of Command Centers and know immediately when a priority event has occurred in a network associated with your Spectre infrastructure. Portal users can also view the dashboards, maps, reports, and device details for any deployed Command Center. Priority notifi cations for a particular Command Center will appear in real time on the Portal. The number and severity of notifi cations issues at the Command Center level are transmitted to the Portal and displayed in beaconing and badge indicators on its map. Notifi cation details also display below the map. The Notifi cations table provides details on the 50 most-recent ALERT, WARN and ALERT level notifi cations issued by all of your Command Centers. The Portal stays continuously in sync with the Command Centers and communication between the two occurs securely over TCP port 443 using HTTPS with SSL encryption. The Lumeta Spectre Portal shares the same code base, operating system, support libraries, and versioning as Lumeta Spectre Command Centers and Lumeta Spectre Scouts and are intended to be used together. Lumeta Spectre Portal home screen displaying a few Lumeta Spectre Command Centers drawn against a geo-map. LUMETA CORPORATION 300 ATRIUM DRIVE SUITE 302 SOMERSET NJ USA Lumeta Corporation. All rights reserved. Lumeta, the Lumeta logo and Lumeta Spectre are registered trademarks of Lumeta Corporation in the United States and other countries. All other trademarks or service marks are the property of their respective owners.