ESG Lab Spotlight
ProtectWise: Shifting Network Security to the Cloud
Date: March 2015
Author: Tony Palmer, Senior Lab Analyst, and Aviv Kaufmann, Lab Analyst

Abstract: This ESG Lab Spotlight examines the ProtectWise Cloud Network DVR, designed to offer visualization, detection, and response to network security events including intrusions, advanced persistent threats (APTs), data exfiltration, and many others. Attacks are detected automatically as they happen and retrospectively, at any phase of the attack, on any device on the network, without prescribing limits on the retention window for network data. ProtectWise is engineered to deliver full-fidelity forensic capability, a striking visual experience, and an on-demand deployment model.

The Challenges

Network security is no longer a quiet quid-pro-quo game played out in silence behind the scenes by superhero security professionals and mastermind cybercriminals in dark labs. Data breaches have become fodder for mainstream media outlets, and IT organizations are under constant internal and external scrutiny to guarantee the security of the network. Malware is becoming more sophisticated, and the volume and number of targeted attacks are on the rise. This, coupled with the upsurge in network traffic from an increasing number of devices and users with network access and the growing corporate use of cloud computing, means that the task of network security professionals is becoming increasingly difficult. It is no surprise, then, that in a recent ESG poll of IT security professionals, a move towards continuous monitoring of all assets on the network was clearly identified as the number one primary objective of organizations' network security strategy moving forward.[1] Traditional threat detection solutions are simply not agile enough to keep up with the volume and intelligence of today's advanced persistent threats. Security is generally monitored by complex point-in-time solutions that rely on intelligence gathered from a complex collection of services and devices. Today's security professionals need a solution that can analyze, detect, and enable response to threats in real time, with the ability to leverage historical data and to correlate combinative intelligence across cloud-scale environments.

[1] Source: ESG Research Report, Network Security Trends in the Era of Cloud and Mobile Computing, August 2014. All ESG research references and charts in this brief have been taken from this report.

The goal of ESG Lab reports is to educate IT professionals about data center technology products for companies of all types and sizes. ESG Lab reports are not meant to replace the evaluation process that should be conducted before making purchasing decisions, but rather to provide insight into these emerging technologies. Our objective is to go over some of the more valuable features and functions of products, show how they can be used to solve real customer problems, and identify any areas needing improvement. ESG Lab's expert third-party perspective is based on our own hands-on testing as well as on interviews with customers who use these products in production environments. This ESG Lab report was sponsored by ProtectWise.

ProtectWise

ProtectWise is designed to shift network security to the cloud with the ambitious goal of dramatically improving visibility and detection of threats while simultaneously enabling effective incident response. ProtectWise enables enterprises to place an unlimited number of lightweight software sensors on their network that passively capture, optimize, and replay network traffic into the ProtectWise secure cloud platform. This creates a long-term network memory in the cloud, the ProtectWise Cloud Network DVR, for continuous analysis and automated surveying of historical network traffic. ProtectWise aims to deliver unique advantages over current network security solutions by leveraging cloud economies of scale to provide an unlimited retention window with full-fidelity forensic capability, information-rich security visualization, and an on-demand deployment model designed for ease and cost savings.

Unlike traditional perimeter security systems, ProtectWise is deployed in the cloud. For many organizations, cloud technology of any kind raises trust, security, and privacy concerns. The ProtectWise cloud platform was designed with these concerns top of mind. Customers are given complete control over their data based on a set of key features designed to enable:

- Flexible network coverage models: customers can deploy sensors at the gateway, in the DMZ, in the corporate cloud, and in the network core.
- Policy-based sensor configuration: the ability to capture NetFlow, metadata, truncated flows, or full-fidelity packet capture (PCAP) by protocol and application via Adaptive Network Capture. Customers also have the ability to control visibility into any network flow through locally enforced policies.
- Preserved and persistent encryption: security for data at rest and in motion, with customer key management.
- Obfuscation and scattering of data across the cloud platform using proprietary, patent-pending Network Shattering technology.

Figure 1. The ProtectWise Network Security Platform

The ProtectWise Cloud Network DVR was built from the ground up by a team of software-as-a-service (SaaS) security industry veterans. Trust, security, and privacy controls are core components of the architecture, the application, and the day-to-day operations of ProtectWise.

- The ProtectWise Wisdom Engine provides continuous, correlated, real-time threat detection combined with the ability to go back in time to uncover previously unknown threats by correlating Cloud Network DVR data against proprietary research algorithms, commercial threat intelligence feeds, advanced network intelligence, and advanced traffic analysis. Emerging threat intelligence automatically triggers retrospective analysis of network data for continuous discovery of old but previously unknown indicators of compromise.
- ProtectWise Visualizer offers advanced threat visualization at a glance, real-time situational analysis, alarm management, and a deeper forensics workbench with kill-chain charting, network connection graphs, event timelines, and more.
- Forensic capabilities manage policies for sensors, replay traffic, and users, and create alert notifications.
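As an added illustration of the retrospective analysis described above (this is not ProtectWise code; the flow records, indicators, timestamps and the Flow data model are constructed for the example), the following Python sweeps retained flow metadata against indicators that only became known after the flows were recorded, and also shows how a bounded retention window hides the earliest contact and shortens the measured dwell time:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of retained flow metadata, standing in for the long-term
# network record described above. Addresses are from RFC 5737 documentation
# ranges and the hostnames are invented.
@dataclass(frozen=True)
class Flow:
    ts: datetime        # time the flow was observed
    src: str            # internal host
    dst: str            # external peer
    dst_port: int
    bytes_out: int      # bytes the internal host sent
    sni: str = ""       # TLS server name, when present

RETAINED_FLOWS = [
    Flow(datetime(2015, 1, 3, 2, 14), "10.0.0.5", "203.0.113.10", 443, 1_200, "cdn-update.example"),
    Flow(datetime(2015, 1, 9, 3, 1), "10.0.0.5", "203.0.113.10", 443, 900, "cdn-update.example"),
    Flow(datetime(2015, 1, 20, 1, 45), "10.0.0.5", "198.51.100.7", 8443, 41_000_000),
    Flow(datetime(2015, 1, 21, 9, 30), "10.0.0.9", "198.51.100.7", 8443, 3_500),
    Flow(datetime(2015, 2, 2, 12, 0), "10.0.0.12", "192.0.2.44", 443, 5_000, "news.example"),
]
# Constructed indicators that only became known weeks after these flows were
# recorded; a point-in-time, signature-based check would have passed them.
NEW_INDICATORS = {"ip": {"198.51.100.7"}, "domain": {"cdn-update.example"}}
NOW = datetime(2015, 3, 1)  # constructed time at which the indicators arrive

def retrospective_sweep(flows, indicators, now, window_days=None):
    """Re-run newly arrived indicators over historical flows and summarise each
    affected internal host: first/last contact, bytes sent out, peers seen."""
    cutoff = now - timedelta(days=window_days) if window_days else None
    affected = {}
    for f in sorted(flows, key=lambda f: f.ts):
        if cutoff and f.ts < cutoff:
            continue  # older than the retention window: invisible to the sweep
        if f.dst not in indicators["ip"] and f.sni not in indicators["domain"]:
            continue
        h = affected.setdefault(f.src, {"first_seen": f.ts, "last_seen": f.ts,
                                        "bytes_out": 0, "peers": set()})
        h["last_seen"] = f.ts
        h["bytes_out"] += f.bytes_out
        h["peers"].add(f.sni or f.dst)
    return affected

def dwell_days(affected, now):
    """Days between the earliest matching contact and detection (None if no hits)."""
    first = min((h["first_seen"] for h in affected.values()), default=None)
    return (now - first).days if first else None
```

With an unlimited window the sweep attributes the 41 MB transfer from 10.0.0.5 to a contact first seen on January 3; with a 45-day window the same host appears to have been compromised on January 20, and the command-and-control stage that preceded the transfer is lost.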
ESG Lab Tested

ESG Lab participated in a hands-on demonstration, hosted by ProtectWise, of the ProtectWise Cloud Network DVR deployed in live production environments. The ProtectWise heads-up display (HUD), part of the Visualizer and shown in Figure 2, provides a live, animated graphical representation of all activity detected in the network. It is challenging to do this display justice in a single static image, as the presentation represents a tremendous amount of real-time data, from the general (the network bandwidth consumed by each type of application) to the very specific: the precise threats active on the network, the geographies in which the threats originate and terminate, and the risk of each threat, color-coded for easy identification of the highest priorities.

Figure 2. The ProtectWise Visualizer Heads Up Display

Retrospection

In Figure 3, ESG Lab is looking at a remote buffer overflow exploit, which has been assigned a very high priority. ProtectWise provides the security analyst with a plethora of useful information about this activity, including the categories the attack might fall into, such as malware, as well as the stages of the cyber kill chain that are active; in this case, compromise, command and control, reconnaissance, and data theft.

Figure 3. The ProtectWise Visualizer Heads Up Display

ProtectWise provides this same level of detail and analytics for historical data, as seen in Figure 3, which shows a retrospective view of exploits and attacks. Clicking on a specific exploit shows the details for that threat. ESG Lab examined the remote buffer overflow exploit. As seen in Figure 4, detailed observations surrounding the threat are readily available, such as source and destination IP, the start and stop time of the event, the amount of data transferred, and the direction of data movement.

Figure 4. Examining Specific Threats and Exploits
The Bigger Truth

Security professionals often describe their work environment as a constantly accelerating treadmill. Cyber adversaries enhance their attack methods, security vendors respond with countermeasures, and security professionals are expected to keep up with developments on both sides of this war while maintaining their organization's information security policies, procedures, and controls. The constant state of escalation makes network security more difficult: 28% of security professionals believe that network security has become much more difficult than it was two years ago, while 51% say that network security has become somewhat more difficult than it was two years ago. Businesses tie this uptick in complexity back to a myriad of internal and external circumstances. The most common factor cited by security professionals surveyed by ESG is the sheer increase in sophisticated malware that may be able to circumvent traditional network security controls (38%), while 32% point to an increase in targeted attacks that may be able to circumvent traditional network security controls. In addition, security professionals are also concerned about changes associated with devices and users accessing their networks. The increase in the number of devices that have access to the network, the number of mobile devices, and the number of users were all cited as factors contributing to more difficult network security. Clearly, network technology must balance the requirement for strong malware detection and prevention with scalability to accommodate more network nodes (including Internet-of-Things sensors and actuators) and users moving forward.

Traditional security is implemented at the organization's perimeter. With modern BYOD, devices live both inside and outside the perimeter fence, and are subject to infection and compromise at any time. Perimeter and endpoint security technologies rely on signatures of known compromises, and fail to prevent infections implemented with previously unseen exploits. ProtectWise is offering a new security tool that addresses these challenges with the aim of increasing an organization's visibility into network activity, detection of threats in real time and historically via continuous collective analysis, and the ability to respond quickly and effectively to threats via an advanced, information-rich heads-up display and deep forensic analysis.

Rather than relying on traditional signatures to identify threats, ProtectWise records network behavior over time and implements correlated, cloud-scale analysis. With access to all network traffic both inside and outside the firewall, ProtectWise detects and prioritizes threats by finding patterns in network traffic that indicate the behavior of exploits and attacks throughout their lifecycle. When an exploit is used to infect a host, the attack goes through specific lifecycle stages, progressing from infection to internal reconnaissance, infiltration, command and control, data acquisition, and eventually data theft. ProtectWise analyzes all network activity for the specific behaviors of each of these attack stages, and is able to precisely identify and classify threats according to severity and provide actionable context, enabling security analysts to respond effectively. ProtectWise presents results in an active, dynamic graphical presentation, guiding the security professional to the most urgent infections and activities that must be immediately addressed. Detailed information, including the detailed history of threats and the captured network traffic, further guides the security professional, helping to identify and remediate compromised systems. ProtectWise is architected to provide an integrated solution with visibility and detection of enterprise threats and accelerated incident response.
ESG Lab was impressed with the ability of the Cloud Network DVR to record, retain, and retrospectively analyze full-fidelity network data for a potentially unlimited forensic window, with an arresting user interface. ESG Lab believes that any organization interested in gaining deep insight into its network activity while improving its overall cybersecurity posture would be smart to take a closer look at ProtectWise technology today.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.