Pioneering Real-Time Cyber Situational Awareness
Modern enterprise IT infrastructure is virtualized, leveraging private, public or hybrid “clouds” consisting of internal and external compute resources. And increasingly, enterprise network users are doing business on mobile platforms – smartphones, tablets and notebooks. Traditional security and vulnerability assessment (VA) products already miss at least 40% of what was physically hardwired to the network because they don’t search for the unknown. Additionally, since VA scans stop, take too long to complete or consume too much network resource, they are often performed outside of normal business hours. This means IT security teams fail to gain cyber visibility into those mobile, virtual and cloud assets that simply aren’t present at the time the VA scan is looking.
Lumeta® Spectre, formerly ESI, offers real-time, context-driven security intelligence to address these problems. By enhancing Lumeta’s Recursive Network Indexing techniques with the context of network state change via analysis of network control plane protocols (OSPF, BGP, ARP, DHCP, DNS, ICMPv6, and others), Lumeta Spectre is able to provide authoritative cyber situational awareness, in real-time, as mobile, virtual and cloud assets, and even the physical/software-defined network itself, change.
Network Infrastructure Analytics
- Installs as a “non-routing” (OSPF, BGP) router to monitor for real-time changes to the network address space/routing table in use
- Discovers changes to the network’s edge in real-time
- Authoritatively identifies new physical or virtual compute assets coming onto the network within minutes and provides dynamic visualization of changes
- Targets clientless/agentless profiling of new assets within minutes, while they remain present
Breach Detection Analytics
The Lumeta Spectre Cyber Threat Probe consumes open source and commercial threat intelligence data streams and correlates with Lumeta Spectre indexed metadata to:
- Discover newly compromised zombie computers that are operating on your network
- Discover within minutes whether known command and control (C2) infrastructure on the Internet is accessible from anywhere inside your network edge
- Discover within minutes whether known Dark Web (TOR) exit nodes are accessible from anywhere inside your network edge
- Provide real-time identification of nefarious TCP/UDP port usage by known malware exploits
- Provide real-time identification of changes to TCP/UDP port usage which may be an indicator of compromise – e.g. RDP or FTP usage violations
- Add the context of NetFlow and other data streams within the embedded Hadoop Distributed File System (HDFS) to provide deeper security intelligence, analysis and insights leading to faster remediation
Network Segmentation Analytics
- Discover newly active networks in real-time
- Discover, within minutes, networks that have become non-responsive or unreachable
- Find routed (L3) “leak paths” from critical internal networks to the Internet or in between network enclaves in real-time
- Issue network segmentation alarms and alerts into SIEM, GRC, device policy management tools for immediate remediation
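The routing-table monitoring described under Network Infrastructure Analytics and the segmentation checks listed above can be illustrated with a small route-snapshot diff. This is an added example, not Lumeta code; the route snapshots, the addresses and the single sanctioned egress gateway are constructed assumptions, and a "leak path" is taken here to mean any Internet-bound or default route whose next hop is not that sanctioned gateway.

```python
import ipaddress

# Constructed snapshots of routes a passive OSPF/BGP listener would learn at a
# critical enclave's router: (prefix, next_hop, protocol). All values are made up.
BEFORE = [
    ("10.10.0.0/16", "10.0.0.1", "ospf"),
    ("10.20.0.0/16", "10.0.0.2", "ospf"),
    ("0.0.0.0/0", "10.0.0.254", "static"),   # sanctioned egress via the proxy gateway
]
AFTER = [
    ("10.10.0.0/16", "10.0.0.1", "ospf"),
    ("10.30.0.0/24", "10.0.0.3", "ospf"),    # network that just came up
    ("0.0.0.0/0", "10.0.0.254", "static"),
    ("0.0.0.0/0", "192.168.99.1", "ospf"),   # unsanctioned default route: a leak path
]
APPROVED_EGRESS = {"10.0.0.254"}  # assumption: the only sanctioned path to the Internet

def diff_routes(before, after):
    """Report networks that appeared, networks that vanished, and prefixes
    whose set of next hops changed between the two snapshots."""
    b = {p: {nh for q, nh, _ in before if q == p} for p, _, _ in before}
    a = {p: {nh for q, nh, _ in after if q == p} for p, _, _ in after}
    return {
        "new_networks": sorted(set(a) - set(b)),
        "unreachable_networks": sorted(set(b) - set(a)),
        "changed_paths": sorted(p for p in set(a) & set(b) if a[p] != b[p]),
    }

def leak_paths(routes, approved_egress):
    """A leak path is a route toward Internet space (any non-private prefix, or
    a default route) whose next hop is not a sanctioned egress gateway."""
    leaks = []
    for prefix, next_hop, proto in routes:
        net = ipaddress.ip_network(prefix)
        internet_bound = net.prefixlen == 0 or not net.is_private
        if internet_bound and next_hop not in approved_egress:
            leaks.append((prefix, next_hop, proto))
    return leaks

def segmentation_alerts(before, after, approved_egress):
    """Render the findings as one-line alarms of the kind a SIEM would ingest."""
    d = diff_routes(before, after)
    alerts = [f"NEW_NETWORK {p}" for p in d["new_networks"]]
    alerts += [f"UNREACHABLE_NETWORK {p}" for p in d["unreachable_networks"]]
    alerts += [f"PATH_CHANGED {p}" for p in d["changed_paths"]]
    alerts += [f"LEAK_PATH {p} via {nh} ({pr})" for p, nh, pr in leak_paths(after, approved_egress)]
    return alerts
```

Running `segmentation_alerts(BEFORE, AFTER, APPROVED_EGRESS)` yields one alarm for each event type: the new /24, the withdrawn /16, the changed default path, and the leak path via 192.168.99.1.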
Lumeta Spectre Technology
Cyber Situational Awareness
It is very useful to think of the need to defend networks in a context similar to military defense, which is where the concept of situational awareness originated. Situational awareness is the ability to perceive, comprehend and make timely predictions from critical elements of information concerning what is happening with regard to the mission. Quite simply, it’s knowing what is going on around you.
Lumeta’s Cyber Situational Awareness model has three phases:
- Gain perception by indexing the network. This step needs to be exhaustive, or recursive, in order to become authoritative. Since the network changes frequently, and those changes are often poorly understood, have unintended consequences, may be rogue or unauthorized, and are usually poorly documented and tracked, allowing each newly discovered piece of information to lead to a logical expansion of the indexing is the only way to understand everything that is actually present.
- Comprehend what it is that you have indexed. The indexing step, even if done poorly, generates a lot of data. Many IT security teams simply get overloaded by the vast amounts of data that emerge from network and security tools. The current state, which involves manual examination of voluminous data by highly trained experts – like finding a needle in a haystack – is not scalable, leaving insufficient time for preventing or fixing problems. Creating actionable, real-time information which is distilled, in context and prioritized for remediation is the purpose of this phase. Lumeta is applying Hadoop big data analysis techniques to improve efficacy here.
- Finally, prediction, in the context of network situational awareness, involves the increasingly automated remediation of problems and, ideally, prevention of key issues before they become problems – such as exfiltration of gigabytes’ worth of intellectual property or financial records across your network. This may involve delivering syslog or CEF notifications, email alerts and reports to the appropriate staff. Lumeta’s view is that it will increasingly involve API integrations with the network infrastructure itself to resolve, re-route, sandbox, patch and remediate.
Recursive Network Indexing Techniques
A key reason why network asset management, vulnerability assessment, network modeling and other tools in the security defense-in-depth stack have not been fully effective is that their starting point, i.e., what the client understands about their network, is assumed to be true. In our experience it never is. There is no current, authoritative perception of network state. Lumeta IPsonar uses a number of active probing techniques, in a recursive fashion, along with proprietary “stitching” analysis algorithms to provide a complete index of the network. Typically, this process leads to 20% more identified networks, devices and compute resources on a physical infrastructure. Lumeta Spectre further adds the ability to participate in the network control plane and monitor for change as it occurs in real-time, so that context can be applied to the same active probing techniques. This combination allows the organization to finally understand transient infrastructure, whether mobile, virtual or cloud-based, and the incremental impact it has on the network from a cyber view.
Architecture & Delivery Options
Spectre is a subscription-based offering hosted either in the client’s VMware infrastructure or in the Lumeta Cloud (the analytics engine would be hosted in the Lumeta Cloud). The subscription price includes Standard Maintenance & Support.
Spectre uses a distributed, two-tier model. The system includes the Spectre Command Center and Spectre Scouts:
- Spectre Command Center: A web-based management platform for administration, configuration, monitoring and reporting
- Spectre Scout: A distributed system for collection of network intelligence, reporting back to the Spectre Command Center
The size and configuration of the Spectre deployment will depend on the network topology and use case requirements. Deployments will vary in size from a single Spectre Command Center to more complex installations. Lumeta’s Account Management teams are available to assist in determining the optimal architecture and product configuration for your environment.