Gigamon Attacker Profiling and Visibility
Joint Solution Brief
Attacker Profiling and Visibility That Puts Hackers On Their Heels
Intrusion prevention systems at the perimeter may well flag known threats or malicious activity but persistent and sophisticated hackers have proven very adept at evading these protections. Organizations now need to operate on the presumption that they have been breached and take the necessary measures to augment their defenses with the ability to find where compromise has occurred. The faster that network defenders can locate malicious actors on the network, the better chance organizations have at limiting their risks and associated losses.
This may well be easier said than done. After the point of initial compromise, attackers may wait patiently for weeks and months, operating “low and slow” to move further about the network in search of valuable data. The malicious actors may steal credentials; escalate their privileges on key servers; and ultimately, after finding their target information, exfiltrate data by sending it out of the network to collection points throughout the Internet.
Buried in all of this malicious actor activity and network movement is the attackers’ weakness. To capitalize on this weakness, what is needed is complete and continuous traffic visibility as well as sophisticated breach detection. Enter Gigamon and LightCyber.
Sophisticated attackers are easily evading the prevention systems at the perimeter and breaching networks using stealth to hide their activities, extend their footprint, and ultimately steal valuable information undetected.
LightCyber’s behavior-based profiling detects compromised users and devices on the network without the excessive false positives of alternatives. It uses Gigamon-provided pervasive visibility to network traffic to spot the anomalous patterns of attack behavior and enable response.
The Gigamon and LightCyber Joint Solution
There are two key challenges to be addressed in identifying malware and anomalous activity inside networks. The first is effective visibility across the entire network and all the critical traffic flows within. Since attackers can use every network segment, potentially over long periods of time, effective visibility means continuous access to the vast amounts of traffic flows and metadata across every corner of the network. The second is breach detection that is sophisticated and accurate enough that hackers can’t evade discovery and security administrators are not flooded with false alerts.
LightCyber together with Gigamon delivers just that. It starts with Gigamon’s Security Delivery Platform and the ability to aggregate traffic flows via a family of high-density network TAPs and nodes that can then deliver copies of that traffic to LightCyber. Gigamon’s GigaSECURE® Security Delivery Platform forwards packets as well as traffic metadata in the form of unsampled NetFlow/IPFIX. Gigamon’s platform allows LightCyber Magna Detectors and Probes to see only the traffic they need by peeling off backup traffic or inbound traffic flows that may not be necessary for network and user profiling. Gigamon’s GigaSECURE also helps ensure that LightCyber breach detection is achieved at the highest possible network speeds by load balancing across LightCyber Magna Detectors sending the right flows to the right Magna Detector based on predefined policies.
LightCyber Magna then performs Active Breach Detection by using the network packets and metadata for behavior-based profiling to accurately detect active cyber attacks before damage is done. Multivariate Attack Detection identifies anomalous attack behavior throughout the entire attack lifecycle and is industry recognized for uniquely incorporating network (deep packet inspection), endpoint (agentless) context, and metadata (NetFlow).
Unlike alternatives, LightCyber Magna does not rely on technical artifacts that produce excessive false positives, and instead was designed by cyber warfare experts to detect anomalous attacker behaviors that attackers cannot conceal. The result is highly actionable alerts that include automatically generated investigative data to focus incident response, and stop attackers before real damage is done.
Joint Solution Benefits
- Pervasive and continuous network visibility
- Reduced attack dwell time and damage potential
- Network and endpoint investigation
- Faster SecOps response with actionable alerts
- Unobtrusive scaling of security and performance
How the Joint Solution Works
Typical deployments entail distributing Gigamon high-density TAPs to all critical network segments, including branches and virtualized environments. Gigamon nodes, like the 1TB-capable GigaVUE-HC2 fabric nodes, aggregate the traffic, groom it and subsequently forward it to LightCyber devices that are directly connected to the 1Gb ports of the Gigamon-HC2 node. If the deployment requires multiple LightCyber Magna Detectors, then the GigaVUE-HC2 node will load balance across them, sending dedicated traffic to dedicated ports per predefined policies.
The architecture is very easy to scale. As network segments and branches are added, it is only a matter of placing additional network taps. Then that traffic will be forwarded to LightCyber Magna via the existing policies. Also as traffic density grows, additional LightCyber Magna Detectors can be very easily attached to the GigaVUE-HC2 fabric node in a “plug-n-play” fashion.
LightCyber is a leading provider of Behavioral Attack Detection solutions that provide accurate and efficient security visibility into attacks that have slipped through the cracks of traditional security controls. The LightCyber Magna™ platform is the first security product to integrate user, network and endpoint context to provide security visibility into a range of attack activity. Founded in 2011 and led by world-class cyber security experts, the company’s products have been successfully deployed by top-tier customers around the world in the financial, legal, telecom, government, media and technology sectors. For more information, please visit www.lightcyber.com or follow us on Twitter, LinkedIn and Facebook.
" – Marshall Wolf
Senior Director of IT