Bricata Next Generation Intrusion Prevention System A New, Evolved Breed of Threat Mitigation

Transcription

1 Bricata Next Generation Intrusion Prevention System A New, Evolved Breed of Threat Mitigation Iain Davison Chief Technology Officer Bricata, LLC

2 The Need for Multi-Threaded, Multi-Core IDPS solutions Intrusion Detection & Prevention Systems (IDPS) analyze network traffic for malicious activities and report findings from events that intend to compromise the security of computers and other equipment. IDPS looks into both headers and payloads of the network packets to identify possible intrusions. Bricata makes vast improvements in the way network traffic is analyzed and in how it can scale to large throughputs reaching as high as 300 Gbps. IDPS models that only use Central Processing Units (CPU), such as Snort, have in the last decade struggled as the CPU has become a system bottleneck. Network traffic has increased more rapidly than CPU clock-speed. Although CPUs have gained more cores, they lack a method for multi-core implementation and are unable to cope with the increase in bandwidth and content rich applications. This requires advanced hardware modifications designed to adapt to the constant changes within any given infrastructure. Increased bandwidth and content rich applications overload the IDPS and lead to packet loss, allowing malware, exploits and intrusion attempts to pass by unchecked, leading to an increased false-negative rate. The main cause of these detection failures is the throughput limitation imposed by single-threaded processing on the deep packet inspection (DPI) module in the IDPS detection engine. By designing an architecture that can take advantage of today s advanced processing power using multiple core CPU s and multi-threaded processing, IDPS systems could perform massive amounts of parallel calculations and gain high performance boosts to reduce or completely eliminate packet loss. Bricata, through extensive research to determine how to segment data for efficient and parallel processing, has created architecture and algorithms for fast and reliable intrusion prevention performance. By understanding how different hardware components interact and how to exploit the components and their APIs in new ways to create high-performance algorithm solutions, Bricata has made significant strides in Next Generation Intrusion Prevention System (NGIPS) technology. In this white paper, we present data on Bricata s implementation of known string search algorithms. Bricata makes vast improvements in the way network traffic is analyzed and in how it can scale to large throughputs reaching as high as 300 Gbps. Multi-Threaded Parallel Processing Model Many approaches have attempted to take parts of IDPS and split them into elements for basic multi-threading parallelism realized by normal CPU multi-core processors. Attempts at accelerating IDPS through special hardware other than a CPU have also been made for years. Application-Specific Integrated Circuits 2

3 (ASIC) or Field-Programmable Gate Arrays (FPGA) chips designed and programmed solely to run a single algorithm or a small system. Both methods were quite fast, but found to be extremely expensive in implementation and speed limitations allow them to only provide a single fast lane of processing, even when placed in a distributed model where an aggregator would essentially spray the traffic across multiple FPGAs to gain more speed. Chip circuits such as FPGAs also have the downside that when changing a rule or adding a new rule set, one must program a whole new circuit and then recompile the whole automaton, thus limiting the overall life span of a device that is often sold at a premium. Through the use of innovative programming techniques, Bricata has been capable of harnessing computational power in an extremely efficient parallel processing model using various techniques. The Bricata programming model gives direct access to the hardware natively without the need of other APIs and has proven to provide the fastest and most consistent operating speeds. After performing many tests, we discovered that the delta between Bricata NGIPS and existing IDPS solutions becomes the difference between dropping traffic vs not dropping any traffic: In comparison, Bricata NGIPS has achieved performance levels that far exceed the capabilities of existing IDPS technology. After performing many tests, we Bricata Performance Comparison 3

4 discovered that the delta between Bricata NGIPS and existing IDPS solutions becomes the difference between dropping traffic vs not dropping any traffic: Bricata s approach was to offload traffic, where possible, to multiple CPU cores. This allowed us to address large amounts of traffic in a short period of time while maintaining the state of the traffic and applying policy and rules to it. Bricata was built on the Suricata engine, re-engineered in new ways to make it better, faster and more reliable. matching detection. Not only has Bricata included this NGIPS technology on its entire product portfolio, it has also included custom algorithms that enable the inspection to be turned up a few steps higher to process more traffic while providing deeper analysis. Many people have asked if this is just a fancy Deep Packet Inspection (DPI) engine that can process traffic at high speeds. The answer is that behind every good IDPS is an even better deep packet inspection engine. Not to say that is all this system does! Ignite Your Security with Bricata Bricata was built on the Suricata engine, re-engineered in new ways to make it better, faster and more reliable. Our engine can detect not just a list of rule sets for testing but also provide more anomalous detection combined with a hybrid blend of pattern matching detection. Many have asked how this stacks up against other solutions in the IDPS market place. According to Gartner and NSS Labs, Snort-based solution SourceFire is the most accurate and has been leader in the industry for the past two years. Bricata s solution is a fraction of the cost, provides double the performance in a single appliance, and is based on a technology that has proven that it is more accurate, scalable and faster than the technology supporting the market leader. Bricata: What s Missing from Today s Cyber Security Solution Sets? After looking closer into what is missing from the total cyber security equation, Bricata found a large delta in interoperability of security applications and devices. This issue brought more focus on how it equates to real life security operations centers and how people were managing their environments. Bricata looked hard at the overall issues and not just found that the cyber security industry as a whole isn t focused on being a solution, they are focused on being the only solution. This is where Bricata disagrees. It s about being a part of the solution. For example, in a world where technology is moving to cloud infrastructure and virtual environments, we need to provide technology to support those environments. Being available for cloud allows us to offer greater security to all custom- 4

5 ers, while being flexible enough to offer a virtualized solution with the ability to move the solution across data center environments to other existing supported platforms. This also allows us to support the traditional data centers and small businesses that require hardware solutions. Bricata will have differing implementation models that allow for flexibility in cloud environments, enabling the customer to purchase Bricata directly from the market place to add to their pool of available resources. This allows growth along with customer needs so that, for example, the customer with small amounts of data over limited connectivity who suddenly grows has access to the functionality needed for expanded cloud resource capability. What s also missing from today s cyber security is event visibility across all security tools, commonality in logging, intelligence sharing, and the ability to share that information across platforms in such a way that it doesn t lose meaning or representation. Bricata has spent a significant amount of time working to close these gaps and provide enterprise as well as small and medium sized businesses ways to interoperate without having to rip and replace all security equipment. With the use of dedicated data bus memory, Bricata is able perform direct I/O and achieve a fast fast data path solution Bricata is closing these gaps by introducing methods for threat/network intelligence sharing between peers and by using the spare cycles on the tier 1 IDPS sensors to perform some of the analytics using dynamic cryptographic tables, which works not only for a single entity or organization solving a correlation problem of a large dataset, but also for organizations that have may have partnering agreements and need to share the larger correlation analysis across external entities. This also allows for a community blog and threat analysis community to assist and aid with correlation assistance. Bricata also provides a log correlation tool for those entities that don t currently have one to provide additional visibility across the organizations network. For those organizations that have an existing SIEM, Bricata has created integration commands for several market-leading SIEM technologies. Our professional services team will be more than happy to perform automation integrations for any SIEM for which we don t have pre-existing interoperability. Bricata also addresses the issue of attribute based access controls (ABAC) and role base access controls (RBAC) correlated events. These events are often overlooked by many other technologies. We provide a decision engine that sits on top of the correlated events and can make decisions based on events, traffic and data exfiltration to outbound sources including GEOIP-defined locations that be customized based on net blocks and ranges as defined by the customer. With the use of dedicated data bus memory, Bricata is able to perform direct I/O and achieve a fast fast data path solution while many other solutions can only achieve a fast or a fast slow path. The fast fast path enables Bricata to not only 5

6 perform amazing speed and performance in the form of IDPS, it also allows for the seamless integration of future technology. In the first release there will be support of network access control that will also take on the retrieval of the attribute access controls and will add the capability to better work with existing privileged identity access management, or identity broker tools, for validation of a user s credentials feeding into the greater decision engine for automated actions. For more information [email protected] In short, Bricata is clearly not your everyday next generation IDPS but a new, evolved breed of threat prevention technology designed to handle greater network throughput and deeper packet inspection that ensures a more complete cyber threat defense envisioned by NGIPS. About Bricata Bricata is a leading developer of innovative, high-throughput network security and data protection solutions. Our Bricata ProAccel Appliances are based on Next Generation Intrusion Prevention Systems (NGIPS) technology, enabling both small and large enterprises to secure and protect data and networks cost effectively, without sacrificing performance or creating bottlenecks that inhibit productivity. Using our high-speed solutions to automate the capture, analysis and disposition of threats to network security at the core, Bricata offers more efficient threat protection across network and cloud-based devices. Built on the open source Suricata engine, and augmented with proprietary software and hardware to make it faster, more reliable and more user friendly, Bricata delivers double the throughput and detection performance in a single appliance at roughly half the cost of traditional IPS solutions.now deployed across both the public and private sectors, Bricata s security products are enabling its clients to do more with less, providing the means for customers to minimize the time, risk and expense of maintaining a reliable intrusion prevention infrastructure so that they can be more productive, competitive and compliant at a dramatically reduced cost. Bricata is a trademark of Bricata, LLC. All other brands or products are trademarks or registered trademarks of their respective holders. Copyright 2015 Bricata, LLC. Bricata, LLC 8000 Towers Crescent Dr., Suite 1350 Vienna, VA [email protected]