Staying Atop Your IoT Game with Visibility & Security
As Originally Posted On Aruba Airheads Community Site
No organization wants to be the next breach victim in a rapidly changing IoT- and mobility-enabled landscape, where well-funded attackers mount increasingly sophisticated attacks. With Verizon reporting that 70-90 percent of malware samples are unique to the organization they hit, which makes signature-based detection difficult, it's understandable that cyber threats may be keeping you awake at night.
Even if your company doesn't experience a dreaded zero-day attack, there's still plenty to worry about. In its "M-Trends 2016" report, cyber-security firm Mandiant noted that attackers spend a median of 146 days inside a victim's systems before they are detected, regardless of the entry method. That is ample time for an intruder to establish a foothold, move to other systems, gather critical data and exfiltrate it.
That’s why Attivo’s “threat deception” solution is designed to fortify your defenses by quickly detecting in-network threats and creating high-fidelity alerts. It is especially potent when deployed in conjunction with Aruba ClearPass.
Innovative partnership neutralizes threats in minutes
The Attivo ThreatMatrix Deception Platform essentially turns your entire network into an intelligent, self-learning malware mousetrap. It deceives and misdirects attackers by creating virtual decoy devices that lure them into engaging and revealing themselves. At the same time, Attivo alerts you in real time if your network, data center, cloud, industrial control system (ICS), supervisory control and data acquisition (SCADA) system or IoT devices are infected.
By integrating with ClearPass, the combined solution can automatically quarantine, or disconnect, infected devices, including those compromised by evasive polymorphic malware. As a result, threats that once took days to locate and remove manually (after they were eventually detected) can now be detected and neutralized almost immediately.
Attivo can also provide the attack's full Indicators of Compromise (IOCs) for quick hunting and remediation.
Deception lures attackers and enables ClearPass to quarantine infections
The joint Attivo/Aruba solution leverages ClearPass Exchange, an open third-party integration platform for endpoint controls and policy-based threat response.
Specifically, upon detecting an attack, Attivo automatically reshapes its decoys, continually generating fresh bait while remaining hidden from even the most sophisticated attacker.
Next, Attivo identifies the type of attack and collects forensic data: the attacker's full tactics, techniques and procedures (TTPs) from the time of infiltration onward, signatures, and command and control (C&C) information. It also records the IP addresses of the infected devices or systems, which is what allows blocking and isolation of the compromised systems to be automated.
This information is emitted as syslog messages in Common Event Format (CEF). Attivo then invokes the REST-based APIs exposed by ClearPass, and ClearPass acts on the event according to the policies the administrator has defined, for example by quarantining the endpoint whose IP address appears in the event.
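The flow above, as an added example that is not part of the original post and not Attivo or Aruba code: a small Python consumer that parses CEF syslog events such as a deception platform could emit, applies a local severity policy, and produces the quarantine request that would be handed to the network access control system. The event lines are constructed, the vendor and product strings are placeholders, and `QUARANTINE_SEVERITY` and the payload shape in `build_request()` are assumptions; the real ClearPass REST endpoint and schema are not given on the page and must come from Aruba's documentation.

```python
"""Consume CEF-formatted syslog events from a deception platform and decide
which endpoints to quarantine. Added example, not Attivo or Aruba code: the
event lines are constructed, the vendor/product strings are placeholders, and
QUARANTINE_SEVERITY and the request shape in build_request() are assumptions."""
import re
from dataclasses import dataclass, field

# CEF header: CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension
# A literal pipe inside a header field is escaped as "\|", so split only on
# pipes not preceded by a backslash (an escaped backslash directly before a
# real pipe, "\\|", is not handled by this simple split).
_HEADER_SPLIT = re.compile(r'(?<!\\)\|')
# Extension is "key=value key2=value2"; values may contain spaces, and a
# literal "=" inside a value is escaped as "\=", so a new key begins only at
# whitespace followed by "name=".
_EXT_KEY = re.compile(r'(?:^|\s)([A-Za-z0-9_.-]+)=')
# CEF allows textual severities as well as 0-10.
_TEXT_SEVERITY = {'low': 3, 'medium': 6, 'high': 8, 'very-high': 10}
# Policy (assumption): only isolate on CEF severity 7 or above ("High").
QUARANTINE_SEVERITY = 7


def _unescape(s: str) -> str:
    return re.sub(r'\\([\\|=])', r'\1', s)


def _parse_extension(raw: str) -> dict:
    ext = {}
    keys = list(_EXT_KEY.finditer(raw))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(raw)
        ext[m.group(1)] = _unescape(raw[m.end():end].strip())
    return ext


@dataclass
class CefEvent:
    vendor: str
    product: str
    version: str
    signature_id: str
    name: str
    severity: int
    ext: dict = field(default_factory=dict)


def parse_cef(line: str) -> CefEvent:
    """Parse one syslog line carrying a CEF payload; raises ValueError if malformed."""
    idx = line.find('CEF:')
    if idx < 0:
        raise ValueError('not a CEF message')
    parts = _HEADER_SPLIT.split(line[idx:], maxsplit=7)
    if len(parts) != 8 or parts[0] != 'CEF:0':
        raise ValueError('malformed CEF header')
    _, vendor, product, version, sig, name, sev = (_unescape(p) for p in parts[:7])
    severity = int(sev) if sev.isdigit() else _TEXT_SEVERITY.get(sev.lower())
    if severity is None:
        raise ValueError(f'bad severity {sev!r}')
    return CefEvent(vendor, product, version, sig, name, severity, _parse_extension(parts[7]))


def quarantine_decisions(lines) -> dict:
    """Return {source_ip: reason} for endpoints the policy says to isolate."""
    decisions = {}
    for line in lines:
        try:
            ev = parse_cef(line)
        except ValueError:
            continue  # non-CEF noise on the same syslog feed
        src = ev.ext.get('src')
        if not src or ev.severity < QUARANTINE_SEVERITY:
            continue  # no endpoint to act on, or below the policy threshold
        decisions[src] = f'{ev.name} (signature {ev.signature_id}, severity {ev.severity})'
    return decisions


def build_request(ip: str, reason: str) -> dict:
    # Hypothetical payload shape; the real ClearPass REST endpoint and schema
    # are not described on the page and must be taken from Aruba's documentation.
    return {'endpoint_ip': ip, 'action': 'quarantine', 'reason': reason}


# Constructed sample feed: two high-severity decoy engagements, one low-severity
# scan, one event without a source address, and one non-CEF line.
SAMPLE_EVENTS = [
    '<134>Jun 14 10:22:01 decoy01 CEF:0|DeceptionVendor|DecoyPlatform|1.0|1001|'
    'Decoy SMB login \\| lateral movement|8|src=10.1.20.45 dst=10.1.20.200 dpt=445 '
    'suser=svc\\=backup msg=Credential reuse against decoy share',
    '<134>Jun 14 10:23:10 decoy01 CEF:0|DeceptionVendor|DecoyPlatform|1.0|1002|'
    'Decoy port scan|4|src=10.1.20.77 dst=10.1.20.201 msg=Low-rate scan',
    '<134>Jun 14 10:25:42 decoy02 CEF:0|DeceptionVendor|DecoyPlatform|1.0|1003|'
    'C2 beacon from decoy|9|src=10.1.30.12 dst=203.0.113.9 dpt=443 cs1Label=c2host cs1=c2.example',
    '<134>Jun 14 10:26:00 decoy02 CEF:0|DeceptionVendor|DecoyPlatform|1.0|1004|'
    'Decoy SSH probe|High|dst=10.1.20.203 dpt=22',
    '<134>Jun 14 10:26:05 decoy02 heartbeat ok',
]

if __name__ == '__main__':
    for ip, reason in quarantine_decisions(SAMPLE_EVENTS).items():
        print(build_request(ip, reason))
```

The escape handling is the security-relevant part of this integration, not a formatting nicety: fields such as `suser`, `fname` or `msg` carry attacker-influenced strings, so a parser that splits naively on `|` or `=` can be shifted into reading the wrong field and, in an automated quarantine loop, isolating the wrong host. The policy step is equally deliberate: an event with no `src`, or one below the severity threshold, is logged but never turned into a quarantine action.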
Proven, award-winning technology protects prestigious Fortune brands
In the real world, Attivo has proactively detected botnets, zombies and many other advanced threats that have evaded traditional security measures. Our zero-day detection capabilities have resulted in the discovery of threat vectors that are now part of global cyber security databases at industry leaders such as McAfee and Symantec.
Just one example comes from manufacturing, where robots populate automated assembly lines. With Attivo and ClearPass deployed, an attempt to infiltrate an ICS/SCADA system could be detected and contained before it caused the collateral economic damage a successful attack would inflict on the affected company.
What makes IoT vulnerable and what you can do about it
In the case of IoT, any industry can be affected, given the proliferation of network-connected door locks, surveillance systems and plumbing monitors, as well as more critical infrastructure such as fuel pump sensors and other energy controls.
However, securing IoT devices has not always been a top priority, and standards have been slow to evolve. Unfortunately, modern cyber criminals can (and do) use IoT devices as a back door into the rest of a company's wired and wireless networks, or as a launch pad for an attack. That makes a more proactive stance critical to closing the IoT on-ramp into the network.
Regardless of your enterprise's size or type, and no matter how robust your existing protection, network attacks will persist as attackers keep devising new ways to get past even the best prevention systems.
With this in mind, your best security defense is having a strong security offense. Denying attackers the time to carry out their activities is an extremely effective way to safeguard your network. The combined strengths of Attivo and ClearPass can help empower companies of all sizes by providing proactive attack detection and mitigation, along with the ability to accelerate incident response.
Marc Feghali is Co-founder and VP of Product Management at Attivo, an award-winning leader in deception technology for real-time detection, analysis, and acceleration of incident response to cyber-attacks. Fremont, California-headquartered Attivo is trusted by companies spanning a wide range of industries, including the most prestigious Fortune brands.