Competitive Analysis. Version 1.0. February 2017

Transcription

1 Competitive Analysis Version 1.0 February

2 Introduction This document discusses competitive advantages between Systems security appliances and other security solutions in the market. The current state of the security industry is that existing technologies are rapidly becoming outdated and even obsolete. Most of today s security appliances were designed many years ago when the threat landscape was very different to what it is today. Internet traffic rates were lower. Smart phone and tablet use was still in its infancy. Hackers and their malwares were significantly less advanced and state sponsored hacking activities were not as widespread as they are today. Systems was incorporated with the goal to design and market a new generation of security appliances and solutions that are better designed to combat today's more advanced malwares and threats. Hackers never stop inventing new methods for penetrating networks, so the same should apply to security providers. Who would believe that security appliances designed in the early 2000s will still be able to combat malwares of today s complexities? This document discusses differences in s architecture and highlights competitive advantages against other existing security appliances. General Design Concepts All Systems appliances are designed using the very latest technologies for Ethernet packet transfers and content inspection. Our appliances are built using 100% standard components. The appliances contain no custom made electronics and no custom made metal. This results in many advantages for us. Quality Building our appliances on top of high-quality server hardware is of very high importance to us. has a strong OEM relationship with HPE. Our appliances benefit from the rigid quality of the HPE servers and allow us to offer our products to the most demanding customers. HPE servers gives us a product with excellent quality which is required if the appliances are to be offered to demanding corporations and data centers. Lower Cost Basing our appliances on available server platforms and NIC cards offers us a way to control production costs. We do not want to get involved with production of custom metal enclosures, nor do we want to produce our own electronics or network cards. Future Proof Technology The centerpiece in our appliances is the software that delivers its security functionality. This software is designed so that it can be easily ported to function with new faster hardware components. As the industry starts looking at 40 GBytes and 100 GBytes Ethernet based networks, will be ready with matching security appliances. Since our security software can be reused for new appliances, it results in significant cost savings that can be passed on to our customers. 2

3 Feature Comparison Stack Based Versus Stack-less Design appliances are stack-less designs. There are no network stacks being used in the critical network packet path, nor do they rely on an operating system for their packet filtering. Instead, special custom designed software is being used together with hardware accelerated network interface cards from Intel. The result is that packets can be inspected at close to the Ethernet line rate which then means the appliance can be installed in-line with the Internet traffic. The appliances are invisible on the network since they do not require their own IP or MAC addresses. The Ethernet ports are completely transparent to any traffic on the network. Many existing, older designs use network stacks for their Ethernet ports. This has many disadvantages. Performance will suffer because the network packets have to go through two full network stacks and this costs performance. Stack based designs are sensitive to hacker attacks. Examples are SYN floods, fragmentation attacks and denial-of-service attacks. A hacker can actually bring down (crash) such appliances with cleverly crafted packets. Inline Versus Tap Port Installations All our appliances are capable of being installed in-line with Ethernet traffic. The most common configuration is to position the appliance between the Internet router and the main switch. Because our appliances are stack-less designs, packets can travel through them at the highest possible line rate. Deep packet inspection as well as reputational detection take place on the fly and have little impact on performance. Some competitors offer solutions that are installed on the side, listening to traffic from a switch tap port. Snort deep packet inspection software is typically used in these solutions. This technique provides absolutely no protection against network penetrations, data exfiltration, C&C communication and more, nor is it possible to inspect and filter outgoing Internet traffic. These types of installations are pretty much useless against today's advanced malware. The packet inspection rate is typically in the 10-20,000 packets per second rate which is way below full Gigabit Ethernet packet rates at several hundred thousand packets per second. Some competitors' appliances are able to be installed in-line with the Internet traffic. Some of these devices are marketed as next generation firewalls. These devices are exactly this; firewalls with additional added filtering functionalities. They are capable of performing some limited amount of filtering, mostly only checking IP addresses against threat lists. Most do not include hard disk storage which means they are not capable of generating event logs and packet logs the way the devices do. 3

4 Log Generation and Management All our appliances have built in disk drives that are primarily used for storing log files. Any type of security related events are written to a log file. The log files are time and date stamped and rotated on a daily basis. The files can be downloaded for external processing such as for further analysis and report generation. appliances log events as text files in JSON format and Ethernet packets in PCAP format. This allows for using third-party software tools for analysis of these log files. Many of our competitors do not offer their appliances with built in disk or SSD storage. Examples are so called next generation firewalls from Cisco and others. These appliances are therefore not capable of storing log data for later analysis. Being able to log both events and packets is critical in today s security environments. A security appliance without this capability is not worth much in today's sophisticated threat environments. Deep Packet Inspection (DPI) has developed a proprietary high-speed engine for deep packet inspection. This engine has been designed with performance as the number one criterion. To be able to operate in-line and in real-time requires the DPI engine to be very fast and streamlined. s solution provides industry leading performance, outperforming other solutions in the market such as Snort and Suricata. s DPI engine is paired with a web GUI for rule generation. Using a GUI for rule generation makes it simple and intuitive to generate DPI rules. offers a cloud based feed of system rules that are generated and maintained by s security researchers. is able to generate rules for a new emerging threat and distribute these rules to all its customers seamlessly without any user intervention. To start with, many commonly used security appliances do not incorporate deep packet inspection (DPI). This makes these appliances blind to all hacker attacks based on packet contents. Today, this is the absolute majority of all attacks and malware. Without a DPI capability these networks are open to even the simplest type of attacks. A few existing security appliances use one of two available DPI tools: Snort or Suricata. Both these tools offer protection against packet based attacks and malware. The problem though is their very low performance. A Snort engine is capable of processing a few tens of thousands of packets per second only. This is far from enough to allow such engines to operate in-line with network traffic. A modern network generates packet rates at several hundreds of thousands of packets per second. This requires a new technical solution to DPI. Writing Snort and Suricata rules is complicated and is nothing a typical end user can do. The syntax is complex and difficult to understand. 4

5 Reputation Detection Engine The reputation detection engine monitors the source and destination IP addresses inside the network packets. These IP addresses are extracted in real-time and compared against internal threat lists. Network packets that are found to originate from, or are destined for, hosts with IP addresses flagged as malicious can be dropped to protect against any damage. One of the most unique and exciting features of all is the use of pre generated DGA addresses. Many competitors use reputation detections similar to s. The differences are not in the engine itself, but in the data feeds that provide data for the detection process. Bidirectional Packet Inspection All appliances perform threat monitoring and filtering of both incoming and outgoing network packets. We believe it is equally important to also monitor outgoing network packets. If a network becomes infected by a malware, such as ransomware, it is possible to detect this and prevent extensive damage by monitoring outgoing packets. Most of our competition does not perform inspection of outgoing network packets; only packets coming in from the Internet are inspected. This is especially true with the so called next generation firewalls. These firewalls focus only on detection of incoming network packets. Cloud Hosted Threat Intelligence Feed provides a cloud based threat intelligence data feed that contains hundreds of thousands of IP addresses, URLs and domains known to be involved in malicious activities. This threat feed is updated every hour around the clock. The appliances perform automatic updates of their own internal threat lists from this cloud based feed. What is unique in the industry about s threat feed is that in addition to normal threat intelligence, it also contains three additional components: System DPI rules, DGA generated domain names and Tor network endpoint IP addresses. System DPI rules are used by the deep packet inspection engine to perform inspections of packets. Users that prefer not to write their own rules can rely on to provide rules. provides these rules as system rules and they are delivered to the appliance through our threat data feed. DGA generated domain names are random looking domain names generated by a software algorithm. This advanced technique is commonly used by ransomwares and other malwares that rely on communication with a command and control (C&C) server. s threat feed includes a large list of these DGA addresses that are being generated by real DGA engines harvested from real malwares in the wild. The list includes domain names that have been generated during the past 48 hours, and will be generated in the next 24 hours. This provides a 72 hour floating window of predicted DGA domains that allows for blocking these 5

6 malwares from connecting with their C&Cs. This feature is one of the most important and valuable features in the appliance family. It sets us apart from the competition in a very strong way. Tor network endpoint IP addresses are IP addresses of servers that are sitting at the edge of the Tor anonymizing network. The Tor network allows hackers, as well as legitimate users, to stay anonymous on the Internet. It is difficult, if not impossible to trace a network packet's real origin if it has arrived from a Tor endpoint. The Tor network is widely used by hackers, so by blocking packets originating from the Tor network it is possible to block many attacks before they have a chance to cause any harm. Blocking of Tor network packets is optional and can be disabled if required. The use of the Tor network is justified in countries that suppress freedom of speech and allows journalists and others to remain anonymous on the Internet to avoid prosecution. s use of a cloud based threat intelligence feed is not unique. What is unique with s feed is that in addition to traditional threat intelligence, it also contains DPI rules, DGA generated domain names and Tor network endpoint IP addresses. Remote Monitoring Systems offers a software tool named Multi. This SIEM style tool can be installed on a monitoring server or on a virtual server in the cloud. The tool allows for monitoring multiple appliances remotely. Any number of appliances located at different geographical locations can easily be monitored. Log files and syslog files can be downloaded for local processing and safekeeping. Since this tool is developed by it is fully integrated with our appliances and it is offered at a very attractive price. s appliances also support Netflow data generation. Netflow is a standard that has been around for many years and is considered outdated. still supports this format to make our appliances compatible with existing third party monitoring tools. Most competitors do not provide their own developed tools for monitoring, instead they rely on expensive third party tools. These solutions typically use Netflow streams for collecting data from the appliances. Smart Phone Applications A free of charge mobile phone application can be downloaded from the Play Store or App store. This application allows for remote event monitoring of multiple appliances. Events are presented in real time with severity ratings and more. This is a very useful tool for monitoring smaller networks since the tool is easy to use and is provided for free. Competition Most competitors do not offer any type of smart phone applications for monitoring their appliances. 6

7 About Cloud Based Security Solutions Some companies offer cloud based security solutions. It is s opinion that such products offer little or no security value for most types of network, but since they are being marketed as competitive alternatives to hardware appliances, their disadvantages should be known. With a cloud based solution, all network packets must be sent up to the cloud which consists of just another piece of server hardware. This results in a significant performance penalty. Network packets must be sent to the cloud server and back from the cloud server before they reach the network which is being protected. This traffic travels over the Internet which also means the packet rate drops down to whatever the upper bandwidth limits are for the user's Internet connection. The cloud servers are network stack based, meaning all network packets must travel through two network stacks before they reach the destination network. This generates a huge overhead and the result is a loss in network performance. The physical network is still open to penetration attempts, denial of service attacks, port scans, vulnerability scans and more. These attacks can only be prevented by physical end-point protection devices such as the Systems appliances. Can the cloud service provider be trusted? Where is this service located? What guarantees are there that this network data will not be leaked or stolen? Are you willing to trust your corporate data flow to a third party cloud service? About Next Generation Firewalls Some security vendors market appliances called next generation firewalls. Most of these devices are nothing more than regular firewalls with added on extra security features. Some contain DPI inspection capabilities, others have simple reputation checking engines. But the bottom line is these are just firewalls with added on extra security features. They are by no means full featured security appliances. Their value is questionable and their use is not recommended unless they are being deployed to protect small and less sensitive networks. considers this family of appliances outdated and not suitable for modern threat protection. Not Made In The USA or China It is common knowledge that most, if not all, security appliances designed in the US or China contain backdoors that allow these vendors and their governments to secretly collect information from the user s network data. Systems' appliances are not designed or produced in these countries. Systems is under no government pressure to add such backdoors into its appliances. This is a major competitive advantage when offering these appliances for sale in countries that are concerned about this issue. 7

8 SOLIDA SYSTEMS INTERNATIONAL CO., LTD. 1000/19-20 Liberty Plaza Building, Floor 12A, Thonglor, Sukhumvit Soi 55, Klongtan Nua, Wattana, Bangkok, Thailand, Tel Website 8