Attivo Networks ThreatDirect™ Deception in a Docker Container – Scaling with the Cisco Catalyst 9000 Family of Switches
Written by: Joseph Salazar, Technical Marketing Engineer

Networks are constantly evolving to meet the demands of an ever-expanding digital business infrastructure. An organization's network can now include remote offices, branch offices, retail stores, and other sites outside the headquarters network. Users no longer need to be tethered to a desktop with a patch cable or to work from a corporate office; they are just as likely to reach corporate services over a wireless network, through the cloud, or from SaaS providers as they are to connect over a VPN. As organizations have adopted virtual environments and infrastructure, they have also moved to reusable, portable, scalable applications for operational efficiency. This shift gave rise to Docker and other container solutions that can run an application anywhere: on a single system, in a virtual machine, or in the cloud. Cisco Systems provides the Catalyst 9000 family of switches with an application hosting framework that runs and manages container applications directly on the switch.
Attivo Networks provides the ThreatDefend™ threat detection platform, which uses deception technology to identify and alert on in-network attackers, external or insider, as they attempt to steal credentials, conduct reconnaissance, and move laterally. The solution does not depend on signature matching, anomaly detection, or extensive traffic analysis. Instead it uses network, endpoint, application, and data deceptions, deploying decoys that are indistinguishable from real systems so that an attacker who engages with the deception environment reveals themselves in the process. The platform is effective because its deception is comprehensive and scales across any attack surface: wherever the attacker goes, deception is there to meet them.
One of the elements that lets the ThreatDefend platform scale is the ThreatDirect™ solution, a virtual-machine forwarder that deploys deception at remote offices, branch offices, or in the cloud. It works by claiming unused IP addresses at the remote site or in the cloud and forwarding any traffic those addresses receive to an Attivo BOTsink® deception server for engagement. The BOTsink server can be a physical appliance, a virtual machine, or a cloud deployment, and the forwarder extends the deception environment to the remote sites over existing virtual infrastructure with little effort. Attivo Networks, as a Cisco Solution Partner, has now added a container version of ThreatDirect to the ThreatDirect family of products. The ThreatDirect container application runs on Catalyst 9000 switches and is managed through the Cisco DNA Center platform for ease of deployment and management, so remote offices and branches get the same security coverage that Attivo Networks provides at the main corporate offices.
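The forwarding idea described above, reduced to a runnable sketch. This is an added illustration, not Attivo's ThreatDirect code, and the page does not say how ThreatDirect actually carries traffic to the BOTsink (tunnelled, encapsulated, or otherwise); the sketch uses a plain TCP relay and an in-process echo service as a stand-in for the engagement server. All names (DecoyForwarder, probe, start_engagement_stub, demo), the loopback addresses, and the scanner banner are assumptions constructed for the demo.

```python
"""Decoy forwarder sketch: listen on an otherwise-unused address, relay each
connection to a central engagement server, and record who knocked.
Illustration only; this is not Attivo's ThreatDirect implementation."""
import socket
import threading


class DecoyForwarder:
    """Listens on a decoy address and relays every connection to engage_addr."""

    def __init__(self, listen_addr, engage_addr):
        self.engage_addr = engage_addr
        self.events = []  # alert records: (client_ip, client_port, decoy_port)
        self._lock = threading.Lock()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(listen_addr)
        self._srv.listen(16)
        self.port = self._srv.getsockname()[1]

    def start(self):
        threading.Thread(target=self._accept_loop, daemon=True).start()
        return self

    def _accept_loop(self):
        while True:
            client, peer = self._srv.accept()
            # Nothing legitimate should ever talk to an unused address, so the
            # connection itself is the alert. Record the real source here: a
            # plain TCP relay would show the engagement server only our address.
            with self._lock:
                self.events.append((peer[0], peer[1], self.port))
            try:
                upstream = socket.create_connection(self.engage_addr, timeout=5)
            except OSError:
                client.close()  # engagement server unreachable; drop the probe
                continue
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()


def _pump(src, dst):
    """Copy bytes one way until EOF, then propagate the half-close to dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _echo(conn):
    with conn:
        while True:
            data = conn.recv(4096)
            if not data:
                break
            conn.sendall(data)


def start_engagement_stub(listen_addr=("127.0.0.1", 0)):
    """Stand-in for the BOTsink (constructed for this demo): an echo service so
    the round trip through the forwarder is visible. Returns (ip, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(16)

    def serve():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_echo, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def probe(decoy_addr, payload, timeout=5):
    """Play the attacker's scanner: connect to the decoy, send a banner, read the reply."""
    with socket.create_connection(decoy_addr, timeout=timeout) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def demo():
    """Wire stub engagement server -> forwarder -> scanner; return (reply, alerts)."""
    engage = start_engagement_stub()
    fwd = DecoyForwarder(("127.0.0.1", 0), engage).start()
    reply = probe(("127.0.0.1", fwd.port), b"SSH-2.0-OpenSSH_8.9 scanner\r\n")  # constructed banner
    return reply, list(fwd.events)


if __name__ == "__main__":
    reply, events = demo()
    print("reply from engagement server:", reply)
    print("alerts recorded at the decoy:", events)
```

Two practical points the sketch makes visible. First, the addresses a forwarder claims must really be unused (check ARP tables, DHCP scope, and reservations before binding), or production traffic is silently diverted into the deception environment. Second, a relay that re-originates the connection hides the attacker's source from the engagement server, so the forwarder must report the original peer out of band, as `events` does here, or tunnel the traffic transparently; the page does not say which approach ThreatDirect uses.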
The partnership between Attivo Networks and Cisco Systems includes integrations with the ASA firewall, with the ISE network access control platform through Cisco pxGrid, and now hosting of the ThreatDirect solution. With the Cisco ASA integration, the ThreatDefend platform can send the attacker's address to the firewall to block any exfiltration attempts. With the Cisco ISE integration, the platform can send the attacker's address to ISE to quarantine the host and prevent lateral movement inside the network. With the introduction of the ThreatDirect container application, organizations can deploy ThreatDirect on Cisco Catalyst 9000 switches, giving them more choice in how they deploy deception while getting added value from their existing Cisco equipment.