Don’t Get Left Out in the Cold

cognitix Threat Defender enhances its IPS capabilities with Indicators of Compromise (IoC) feeds to identify a range of possible attacks. This threat intelligence is used to prevent these attacks.

To successfully counteract and prevent attacks, it helps to know when you’re being targeted in the first place.

cognitix Threat Defender enhances its IPS capabilities with Indicators of Compromise (IoC) feeds to identify a range of possible attacks. This threat intelligence is used in conjunction with behavior-based rules and inline real-time correlation to prevent these attacks. Threat Defender introduces a paradigm shift by applying IoCs in real time to the security policies.

An IoC consists of one or several artifacts (e.g. IP addresses, domain names) that provide a reliable indication that a certain security incident has occurred. To achieve this reliability, an IoC places observables (measurable events and stateful properties) in their relevant context (e.g. a time range).

IoCs are powerful tools to determine whether a network has been subjected to a security incident. They help to identify and implement suitable countermeasures.

As IoCs can be shared within the community, resources are pooled to document and publicize threats. This increases the effectiveness of IoCs in detecting and mitigating zero-day attacks.

cognitix Threat Defender integrates IoC feeds in its set of IPS categories. The IoC feeds are included in firewall rules and in correlation scenarios. These scan the network traffic for the indicators in real time. If an IoC is discovered, the affected devices are isolated immediately using dynamic network objects. Threat Defender reacts to threats while they are still in progress, disrupting the kill chain before it is too late.

Rules and correlation scenarios can also be defined in advance using the IoC information. This supports a proactive posture to prevent attacks before they actually take place.

Context is essential to provide meaningful cyber threat intelligence. For example, you need to know which user or service caused the IoC and also to collect timestamps, geolocation data and other metadata. Without this data, it is impossible to identify and eliminate false positives and investigate suspected attacks in detail.

An activated logging function exports detailed information from the syslog to external services to facilitate the documentation and sharing of IoC information.


Dynamic Network Segmentation

If You’re Not in Real Time, You Have to Suffer

Dynamic network objects protect the network by automatically adapting to behavioral anomalies in the network. The automatic reaction to incidents frees administrators from manual intervention.

Both enriched and dynamic network objects are used in firewall rules. Enriched network objects are static and require human intervention to be modified. Dynamic network objects categorize devices on the fly and in real time based on the legitimacy (or harmfulness) of the device behavior. Based on this assessment, dynamic network objects make two additional actions available to firewall rules: adding the source or destination IP or MAC address of a flow to the dynamic network object, or removing it from the object. These two actions give the management of firewall rules extra qualities and possibilities. Firewall policies add entries to the dynamic network object automatically at runtime. Entries are removed either by a firewall policy or automatically after a pre-defined timeout.

Dynamic network objects protect the network by automatically adapting to behavioral anomalies in the network. Administrators do not need to manually maintain huge and unwieldy lists of network objects. The automatic reaction to incidents frees administrators from manual intervention. The dramatically reduced reaction time allows for a proactive response to attacks. This minimizes the vulnerability of the network.

Dynamic network objects place measurable events and stateful properties in context using behavior and time. Behavioral and time-based dependencies lead to more granular and targeted firewall policies. Threat Defender combines these policies with isolated actions in a comprehensive security approach. Using the timeout functionality prevents over-reaction to incidents and frees up the network.


Application Detection

Judge Me by My Acts and Not My Words

cognitix Threat Defender detects changes in network behavior and reacts automatically in real time using behavior-based policies. It filters the network traffic for specific behavior patterns.

Threat Defender analyzes the network in real time and correlates millions of network traffic events over time and across network flows to detect patterns and connections between seemingly unrelated communication events. Threat Defender sets up policies and complex rule scenarios to manage network traffic based on the detected behavior. Unlike in conventional solutions, these policies are enforced with immediate effect as soon as anomalous behavior suggests a threat to the network.

The conventional method of traffic correlation uses off-the-rack SIEM systems. These systems correlate the data based on logs provided by firewalls, servers and endpoint devices. The danger with this approach is that these logs were created by potentially infected devices and cannot be trusted. Importantly, the standard SIEM system only correlates events and behavior in retrospect — after a device has already been compromised.

cognitix Threat Defender takes an entirely different approach to solve these problems. Threat Defender detects changes in network behavior and reacts automatically in real time using behavior-based policies. Threat Defender is not dependent on the integrity of the device logs because it models the network behavior to implement policies on the network level. Threat Defender analyzes the communication between the devices in real time and from within the network. This allows it to see the actual device behavior. Threat Defender tracks and examines various communication parameters (such as protocols, source and destination IP addresses, etc.) over time and across traffic flows to implement the inline real-time correlation. It filters the network traffic for specific behavior patterns. Threat Defender can instantly take the required actions to mitigate the effects of any undesirable or suspicious behavior it detects. It enforces the behavior-based rules, such as isolating the affected devices and blocking their traffic. This holistic approach to network security takes the behavior and relationships between devices in the entire network into account instead of individual events.

Take, as an example, a device that has been infected by encryption-based ransomware. The device will spread the ransomware by communicating with other devices. When the first neighboring device is contacted, the endpoint security of the target device will notice and log the problem. The Threat Defender intervenes at this point, drastically reducing reaction time. The infected device is isolated before it can spread the virus, nipping the infection in the bud. The interactive reporting, using multiple intuitive predefined and personalized dashboards, ensures that the required policies are in place and that the infection can be contained in real time and without human intervention.
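The following is an added example, not cognitix code, modelling the three mechanisms described above: an IoC feed match, an inline correlation over flows (here: a host contacting an unusual number of distinct peers within a time window, as in the ransomware scenario), and a dynamic network object that a firewall rule populates at runtime and whose entries expire after a timeout. All addresses, flows, window and threshold values are constructed.

```python
from collections import defaultdict

IOC_FEED = {"203.0.113.66", "198.51.100.9"}   # constructed IoC feed (placeholder addresses)

class DynamicNetworkObject:
    """Runtime set of addresses; an entry expires after the object's timeout."""
    def __init__(self, timeout):
        self.timeout, self.entries = timeout, {}   # addr -> expiry time
    def add(self, addr, now):
        self.entries[addr] = now + self.timeout    # policy action: add (re-arms the timer)
    def remove(self, addr):
        self.entries.pop(addr, None)               # policy action: remove
    def contains(self, addr, now):
        exp = self.entries.get(addr)
        if exp is not None and exp <= now:         # timeout elapsed: entry is dropped
            del self.entries[addr]
            return False
        return exp is not None

class Correlator:
    """Counts distinct destinations per source within a sliding time window."""
    def __init__(self, window, threshold):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(dict)              # src -> {dst: last seen}
    def lateral_spread(self, src, dst, now):
        hist = self.seen[src]
        hist[dst] = now
        for d in [d for d, t in hist.items() if now - t > self.window]:
            del hist[d]                            # forget destinations outside the window
        return len(hist) >= self.threshold

def process(flows, quarantine, corr):
    """Inline verdict per flow (t, src, dst); isolation takes effect mid-stream."""
    verdicts = []
    for t, src, dst in flows:
        if quarantine.contains(src, t):
            verdicts.append("drop")                # isolated device stays blocked
        elif dst in IOC_FEED or corr.lateral_spread(src, dst, t):
            quarantine.add(src, t)                 # firewall rule adds src to the object
            verdicts.append("drop+isolate")
        else:
            verdicts.append("allow")
    return verdicts

def run_example():
    """Constructed flows: one host fanning out internally, another hitting an IoC."""
    flows = [(0, "10.0.0.5", "10.0.0.10"), (5, "10.0.0.5", "10.0.0.11"),
             (9, "10.0.0.5", "10.0.0.12"),        # third distinct peer within 60 s
             (20, "10.0.0.5", "10.0.0.13"),       # still quarantined
             (30, "10.0.0.7", "203.0.113.66"),    # destination is in the IoC feed
             (400, "10.0.0.5", "10.0.0.14")]      # 300 s timeout elapsed, traffic resumes
    return process(flows, DynamicNetworkObject(timeout=300), Correlator(window=60, threshold=3))
```

The timeout keeps the isolation from outliving the incident, which is the over-reaction the text warns about; a policy can still call `remove` earlier.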


Security Is a Moving Target

Network segmentation is implemented to contain threats and reduce the attack surface. cognitix uses enriched network objects to add a logical overlay network to provide additional segmentation.

Network segmentation is implemented in networks to contain threats, reduce the attack surface and to provide points of control. Segmentation uses the physical network topology. It is typically enforced on layer 3 using firewalls in routers to manage the lateral traffic flows within the network. cognitix Threat Defender uses enriched network objects to add a logical overlay network to provide additional segmentation. Enriched network objects are static and offer a multilayered categorization of devices in the network based on the inclusion or exclusion of one or a combination of individual IP addresses and whole CIDR-notated networks in IPv6 and IPv4, the physical network interface on the firewall, VLAN tags and MAC addresses.

Additional logical segmentation allows a flatter topology, reducing the number of segments needed on layer 3. Fewer layer 3 segments simplify network management. Devices can be added and removed without the need to change the network topology. The additional segmentation using enriched network objects isolates devices to dramatically reduce the attack surface of the network. The additional points of control provide additional information to enable greater transparency of the activity within the network. This additional information allows for a comprehensive security posture. The overlay network manages the flows within a layer 3 segment to ensure hygiene within it, not just between segments. This disrupts the cyber kill chain by quarantining affected devices. Isolating devices on an individual level prevents the propagation of malware within the network.

Dynamic segmentation using device attributes and categories to group devices is flexible. A device can be assigned membership to multiple groups. This ability to overlap segments allows a granular application of firewall policies down to the single device. Group membership also ensures consistent firewall policies and simplifies the roll-out of new policies throughout the network. The use of intuitive group membership based on functions and behavior simplifies the assignment of devices to a policy to eliminate implementation errors.
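An added example (not cognitix code) of how the enriched network objects described in this section can be modelled: static groups built from include/exclude criteria over IPv4 and IPv6 addresses or CIDR networks, MAC addresses, VLAN tags and the firewall interface, with a device free to belong to several overlapping groups that firewall rules then reference. Object names, criteria, rules and endpoint values are all constructed.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Endpoint:
    ip: str            # attributes visible for one side of a flow (constructed values)
    mac: str
    vlan: int
    iface: str

@dataclass
class Criterion:
    kind: str          # "net" (IPv4/IPv6 address or CIDR), "mac", "vlan", "iface"
    value: object
    def matches(self, ep):
        if self.kind == "net":
            net = ipaddress.ip_network(self.value, strict=False)
            addr = ipaddress.ip_address(ep.ip)
            return addr.version == net.version and addr in net
        if self.kind == "mac":
            return ep.mac.lower() == str(self.value).lower()
        return getattr(ep, self.kind) == self.value

@dataclass
class EnrichedNetworkObject:
    """Static group: member if any include criterion matches and no exclude criterion does."""
    name: str
    include: list
    exclude: list = field(default_factory=list)
    def contains(self, ep):
        return (any(c.matches(ep) for c in self.include)
                and not any(c.matches(ep) for c in self.exclude))

def memberships(objects, ep):
    """A device may belong to several overlapping objects."""
    return [o.name for o in objects if o.contains(ep)]

def decide(rules, objects, src, dst):
    """First matching rule wins; rules are (src_obj, dst_obj, action), 'any' is a wildcard."""
    s, d = memberships(objects, src), memberships(objects, dst)
    for src_obj, dst_obj, action in rules:
        if src_obj in s + ["any"] and dst_obj in d + ["any"]:
            return action
    return "deny"
# Constructed overlay: objects and rules that do not depend on the layer 3 topology.
OBJECTS = [
    EnrichedNetworkObject("servers", [Criterion("net", "10.0.1.0/24"),
                                      Criterion("net", "2001:db8:1::/64")],
                          exclude=[Criterion("mac", "AA:BB:CC:DD:EE:FF")]),
    EnrichedNetworkObject("guest", [Criterion("vlan", 30)]),
    EnrichedNetworkObject("eth0-attached", [Criterion("iface", "eth0")]),
]
RULES = [("guest", "servers", "deny"), ("any", "servers", "allow"),
         ("eth0-attached", "any", "allow")]
```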


New Threat Defender release including IoC feeds

You Cannot Fight What You Cannot See

The potency of advanced persistent threats has changed the focus for a robust defense posture. A corrective strategy includes remedial and preventive actions.

Attacks on the network are gaining in sophistication. The potency of advanced persistent threats has changed the focus for a robust defense posture. Malicious content is camouflaged within legitimate behavior, disassembled, time-shifted and sent in innocuous fragments, to be reassembled after entering the network via a myriad of channels and a number of devices. The perimeter firewall is bypassed. The blind spots within the network are a favorite staging ground from which to launch an attack on the network as a whole. Trojans can lie dormant, quietly accumulating resources over time before infecting the rest of the network. Threat Defender drills down to the device level to reveal the communication activity and eliminate these blind spots.

Cyber resilience assumes a breach when devising appropriate countermeasures for known and unknown attacks. Pattern-based intrusion detection and protection deep within the network is effective for known attacks. A corrective strategy includes remedial and preventive actions. Prevention includes anticipation and is founded on correlating actions with expected behaviors within the network. The data needed to successfully process the analysis must be as comprehensive as possible. Data is needed in depth from layer 2 up to layer 7. Threat Defender’s drill-down reporting accesses all the necessary data. The interactive reporting uses multiple intuitive dashboards and schedules to include historical and current data.

Attacks on the system are increasingly complicated, drawing on assets and devices distributed within the system. cognitix Threat Defender provides all the inputs needed to construct a robust defense. The solution checks indicators of compromise in all incoming and outgoing traffic. This mitigates Trojans within the system that seek to contact their external “command and control” centers using Instagram comments. One attack vector is to recombine and reassemble disparate code, not just within one physical network segment. Making the information from all segments visible is therefore an important factor in countering this attack.

The interactive reporting, using multiple intuitive predefined and personalized dashboards and schedules, includes historical and current data. More than 600 reporting combinations, graphs and matrices are available. The data is presented to reflect the qualities of malicious attacks and highlight potential threats. Schedules are used to take into account attacks that rely on time lag and accumulation over time. Interaction between the various reports displays threats that access different assets, behaviors and protocols within the network.


How Threat Defender deals with malware and spam

I Put a Layer 2 Analyzer in My Network: You Won’t Believe the Things I Found

Gathering information on layer 2 gives visibility into both external and internal traffic flows and results in a reporting system that details over 600 parameters and metric combinations with virtually endless drill-down.

The provision of timely, accurate and comprehensive data is essential for network hygiene. The traffic data is accessed at critical points within the network to paint a complete picture of the behavior of each device. Capturing the communication activities of each device ensures the quality of the data: its completeness, accuracy, recency and location. Capturing data at the source, on layer 2, guarantees this quality. This data is processed, correlated and analyzed to determine which actions are taken. The appropriate response is pushed out immediately to isolate the contaminated part of the network.

Gathering information on layer 2 avoids the limitations of relying solely on information collected for behavior at the perimeter, delineated network segment boundaries and endpoint logging. Classic layer 3 segmentation only divides large blind spots in the network into smaller blind spots. Accessing external and internal traffic flows results in a reporting system that details over 600 parameters and metric combinations with virtually endless drill-down. Informed decisions for network policies are based on real device behavior, not on assumptions or an incomplete or false understanding of the situation.

It has long been understood that layer 2 switches are the ideal place for reporting. However, the lack of processing power on layer 2 to sensibly analyze and process the captured traffic has stalled the implementation of a solution at this layer. cognitix Threat Defender resides on layer 2 with enough processing power to determine all the actionable intelligence of layers 2 to 7. Data is aggregated in intervals ranging from one minute to one month. Network operators use the historic information for retrospective analysis to create targeted policies. The real-time data is processed automatically to enforce policies to counteract any potential threat as soon as it emerges.


Now You See Me, Now You Don't.

cognitix Threat Defender is incorporated as a next generation firewall into a layer 2 device. This new approach makes the firewall a part of the very fabric of the network. Threat Defender is invisible, or transparent, to the network. It acts as a “bump in the wire” with no perceptible effect on throughput or latency. The device is inserted into the cable between existing devices at any point within the network. It still provides layer 7 classification, IPS, URL classification, inline real-time correlation and enhanced reporting capabilities on all, or only targeted, segments of the network. Working on layer 2 within the network, Threat Defender delivers the required, focused response immediately and directly to the identified devices.

Introducing security within a network often comes at a cost because it adds complexity to the communication system. This complexity reduces flexibility, stifles migration, inhibits virtualization, throttles performance, increases costs and raises the risk of configuration errors.

The cognitix approach avoids adding an extra layer of complexity to the communication system and keeps the network topology as flat as possible.

The transparency on layer 2 allows Threat Defender to be inserted throughout the network, not just at the network segment interfaces. Security is added as an overlay network, separating the network topology from security relationships. This flexibility mitigates the need to constantly create or modify network segmentation to reflect changing security requirements. The ability to place Threat Defender at each source of communication is the equivalent of a security level with a network segmented for each individual device. cognitix accomplishes this without the need to change the existing network configuration.

The freedom that transparency offers in placing the devices anywhere within the network increases the granularity of the security instructions. Targeting specific devices with specific rules eliminates the risk of collateral damage. There is no need to “throw the baby out with the bathwater” to stop compromised devices on a layer 2 network from accessing other devices on the same network. The conventional solution to this problem is to add complex features to switches, such as VLANs. This comes at the cost of also blocking legitimate traffic between devices. A more elegant solution allows hosts to communicate with each other freely, while ensuring that their access can be automatically monitored and automatically restricted using context policies on layer 7. This is implemented on layer 2 to target solely the identified devices and activities.