Data center virtualization has been deployed at large scale because of its inherent cost and performance benefits; however, the software-defined data center (SDDC) also brings decreased visibility, which raises the risk of an undetected network intrusion. With the explosion of server-to-server, or east-west, traffic, traditional IDS/IPS and sandboxing solutions become unsuitable given their cost and the large amounts of resources and personnel required to manage them. A new, scalable approach is needed for increased network visibility and the ability to promptly and reliably detect the growing number of complex attacks targeted at the high-value information stored within a data center.

The highly scalable Attivo Deception Platform is designed for frictionless deployment and efficient inside-the-data-center threat detection in environments with large server workloads and widespread adoption of virtual machines (VMs), as typically seen in data center and cloud networks. Using dynamic deception based on efficient luring techniques, Attivo does not rely on the compute- and log-intensive process of monitoring traffic for known signatures or attack patterns. Instead, decoys are used to lure an attacker into revealing themselves. These deception techniques are effective for promptly detecting zero-day, stolen-credential, insider, phishing, and ransomware attacks. Once the attacker is engaged with the BOTsink® engagement server, the attack and its lateral movement can be studied, alerts raised, and forensics provided for prompt incident response. Integrations with firewall, NAC, SIEM, and other security solutions are also available to automate the response and reduce the time to remediation.

With the majority of a company's data passing through its data center, it is critical to have clear visibility into threats that are already inside the network. The Attivo solution integrated with the OpenStack platform supports deployment as VMs in production subnets, and with service-chaining modules that inspect traffic against traffic-classification rules and redirect policy violations to the BOTsink decoys.

OpenStack Integration

The Attivo Deception Platform architecture now integrates with OpenStack, providing organizations with efficient and effective detection of inside-the-network threats in virtualized SDDCs. Once the BOTsink is engaged by an infected VM, it can automatically quarantine that VM by sending an ACL rule to its security group, stopping the infected VM from infecting other systems on the network, blocking the backdoor and stopping any exfiltration attempts.
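The quarantine step above, as an added example that is not Attivo's own integration code. One caveat a practitioner should know before wiring this up: Neutron security group rules are allow-list only (there are no deny rules), so "sending an ACL rule" in practice means attaching a restrictive group that permits only the BOTsink address and detaching the VM's permissive groups. The planner below emits the Neutron API rule bodies and the standard openstack client commands for that swap; the BOTsink address 10.0.0.5, the server name web-01 and the group name "quarantine" are assumed placeholders, and the command list is constructed, not taken from the product.

```python
"""Added example: planning a security-group quarantine in OpenStack.

Not Attivo's code. The BOTsink address, server name and group names are
assumed placeholders; commands use the standard openstack client syntax.
"""
from dataclasses import dataclass
import ipaddress


@dataclass
class Server:
    """Minimal view of a Nova server: its name and current security groups."""
    name: str
    security_groups: list


def quarantine_rules(botsink_ip):
    """Neutron API rule bodies for the quarantine group.

    Neutron security groups have no deny rules, so isolation is expressed as
    'permit only the BOTsink /32' in both directions; everything else is
    dropped once the VM's permissive groups are detached. protocol=None means
    any protocol in the Neutron API.
    """
    prefix = f"{ipaddress.ip_address(botsink_ip)}/32"
    return [
        {"direction": d, "ethertype": "IPv4", "protocol": None,
         "remote_ip_prefix": prefix}
        for d in ("egress", "ingress")
    ]


def is_isolated(rules, botsink_ip):
    """Check that no rule in the set reaches beyond the BOTsink host.

    A rule with no remote_ip_prefix (wide open or remote-group based), or with
    a prefix other than the BOTsink /32, would leave the quarantined VM a path
    out. An empty rule set is also rejected: it would cut off the engagement
    traffic the BOTsink still wants to observe.
    """
    allowed = ipaddress.ip_network(f"{botsink_ip}/32")
    for r in rules:
        prefix = r.get("remote_ip_prefix")
        if prefix is None or r.get("remote_group_id"):
            return False
        if ipaddress.ip_network(prefix) != allowed:
            return False
    return bool(rules)


def plan_quarantine(server, botsink_ip, group="quarantine"):
    """openstack CLI steps to restrict `server` to the BOTsink only.

    The restrictive group is attached before the permissive ones are detached,
    so the port is never left with no group at all (with port security on,
    a port with no security group drops everything, including the BOTsink
    engagement traffic we want to keep).
    """
    rules = quarantine_rules(botsink_ip)
    if not is_isolated(rules, botsink_ip):
        raise ValueError("quarantine rule set is not fully isolating")
    prefix = rules[0]["remote_ip_prefix"]
    cmds = [
        f'openstack security group create {group} --description "BOTsink quarantine"',
        # every new group is created with allow-all egress rules (IPv4 and
        # IPv6); delete them so the group starts fully closed
        f"openstack security group rule list {group} -f value -c ID "
        f"| xargs -r -n1 openstack security group rule delete",
    ]
    for r in rules:
        cmds.append(
            f"openstack security group rule create --{r['direction']} "
            f"--ethertype {r['ethertype']} --protocol any "
            f"--remote-ip {prefix} {group}"
        )
    cmds.append(f"openstack server add security group {server.name} {group}")
    for sg in server.security_groups:
        if sg != group:
            cmds.append(f"openstack server remove security group {server.name} {sg}")
    return cmds


if __name__ == "__main__":
    # constructed sample: a web server currently in two permissive groups
    for line in plan_quarantine(Server("web-01", ["default", "web"]), "10.0.0.5"):
        print(line)
```

Run is_isolated over whatever rule set your automation actually pushes before swapping groups: a single remote-group rule or a 0.0.0.0/0 prefix silently undoes the quarantine, and the only traffic the group should admit is the BOTsink engagement the platform wants to keep watching.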

BOTsink engagement servers are easily installed in the OpenStack SDDC using a Heat Orchestration Template (HOT) from OpenStack management platforms such as Contrail and others.
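An added example of what such a template looks like; it is not Attivo's template and says nothing about the BOTsink image itself, which is why the image, flavor, network and CIDR values are all placeholder parameters. The point it illustrates is the placement described above: the decoy sits on a production subnet with lure ports reachable from that subnet (the opposite of a quarantine group), while its console is reachable only from an assumed management network. Which lure ports to open, and the management port 443, are assumptions for the example.

```yaml
heat_template_version: 2016-04-08

description: >
  Added example (not Attivo's template): one decoy VM placed on a production
  subnet, lure ports open to that subnet, console reachable only from management.

parameters:
  decoy_image:
    type: string
    description: Glance image for the decoy (placeholder; supply your own)
  decoy_flavor:
    type: string
    default: m1.small
  prod_network:
    type: string
    description: Production network the decoy should appear on
  prod_subnet:
    type: string
    description: Subnet on that network to take a fixed IP from
  prod_cidr:
    type: string
    description: CIDR of the production subnet the decoy lures from (assumed)
    default: 10.10.0.0/24
  mgmt_cidr:
    type: string
    description: Management network allowed to reach the decoy console (assumed)
    default: 10.200.0.0/24

resources:
  decoy_sg:
    type: OS::Neutron::SecurityGroup
    properties:
      description: Lure ports open to the production subnet, console to management only
      rules:
        # Lure services: any host on the production subnet may discover and touch them.
        - direction: ingress
          protocol: tcp
          port_range_min: 22
          port_range_max: 22
          remote_ip_prefix: { get_param: prod_cidr }
        - direction: ingress
          protocol: tcp
          port_range_min: 445
          port_range_max: 445
          remote_ip_prefix: { get_param: prod_cidr }
        - direction: ingress
          protocol: tcp
          port_range_min: 3389
          port_range_max: 3389
          remote_ip_prefix: { get_param: prod_cidr }
        # Console: only the management network, never the production subnet.
        - direction: ingress
          protocol: tcp
          port_range_min: 443
          port_range_max: 443
          remote_ip_prefix: { get_param: mgmt_cidr }

  decoy_port:
    type: OS::Neutron::Port
    properties:
      network: { get_param: prod_network }
      fixed_ips:
        - subnet: { get_param: prod_subnet }
      security_groups:
        - { get_resource: decoy_sg }

  decoy_server:
    type: OS::Nova::Server
    properties:
      name: decoy-01
      image: { get_param: decoy_image }
      flavor: { get_param: decoy_flavor }
      networks:
        - port: { get_resource: decoy_port }

outputs:
  decoy_ip:
    description: Address the decoy answers on inside the production subnet
    value: { get_attr: [decoy_port, fixed_ips, 0, ip_address] }
```

Keep the console rule separate from the lure rules: if the management port is reachable from the production subnet, an attacker who probes the decoy can fingerprint it as a decoy instead of engaging with it, and the deployment loses its value.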