ORCHESTRATED THREAT MANAGEMENT: A NEW PARADIGM IN CYBER SECURITY
Synchronizing Security with Real-Time Next Generation Networks
7/25/2016, version 1.0.0
Contributed by Wedge Networks, Inc.
Confidential



© Copyright 2016 Wedge Networks. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Wedge Networks Inc.

Whitepaper

Version OTM-WP-v1.0.0

Trademarks

Cloud Network Defense is a pending Trademark of Wedge Networks. Other product and company names used in this document are used for identification purposes only, may be trademarks of other companies, and are the property of their respective owners.

WedgeOS™ and associated software are protected by, or for use under, one or more of the following U.S. provisional Patents: 60/521,551, 60/522,513.

Regulatory Compliance

FCC Class A Part 15 CSA/CUS

For technical support, please visit http://www.wedgenetworks.com/

Send information about errors or omissions in this document or any Wedge Networks [email protected].


ABSTRACT

Enterprise data storage, computing, and more recently networks are evolving, becoming virtualized, software-defined, and dynamically configured, or orchestrated, eliminating the static boundaries and tangible attributes that once defined the enterprise and enterprise resources. These changes enable powerful new business opportunities with compelling economics. They also introduce new challenges and new opportunities for securing the enterprise; the problem of malware detection is increasingly difficult for many companies to solve as the organization perimeter moves. Mobile access and the emergence of new threat actors have moved most organization cyber perimeters. Further adding to the challenges is the need to maintain real-time communications over these varying networks.

Traditional cyber security platforms need to evolve to address the challenges now faced in next generation networks. New cyber security tools need to: 1) be able to capture data in motion with no queueing, 2) have full visibility of Layer 3-7 data content, 3) be able to apply multiple security policies efficiently to the content with no latency induced reprocessing, 4) identify anomalous activities with a high degree of accuracy including zero day threats and 5) capture and provide usable analytics that can quickly assist those monitoring to recognize the anomalous activities as well as assist in the machine learning of the system to improve efficiency.

Wedge Networks’ Cloud Network Defense Orchestrated Threat Management (OTM) represents a progression in network security evolution, and a compelling new approach for synchronizing security with today’s more open, agile, and orchestrated real-time networks and IT infrastructures. It supports virtually unlimited scale, while providing in-depth event reporting and archiving, along with analytical dashboards that can assist with improving the cyber situational awareness. Wedge Networks’ Cloud Network Defense delivers the industry’s most robust deep data inspection engines, with best of breed threat security intelligence, and actionable analytics on an elastic environment enabled with event service chaining for an effective and adaptive cyber defense. This whitepaper explores the capabilities enabled by the Wedge Networks’ Platform.

1 Introduction: A New Security Paradigm

The purpose of this paper is to describe a new, cloud-based, security paradigm that can encompass the extended enterprise, inclusive of mobile devices, BYOD, IoT, public and hybrid clouds, and dynamically provisioned network resources. This new cloud-based layer of network security subsumes many of the enterprise perimeter security functions of NGFWs or UTM appliances. Examples include: anti-spam (AS), anti-malware (AM), URL filtering, web filtering (WF), data loss prevention (DLP), application control (AC), intrusion detection/prevention systems (IDS/IPS), web application firewalls (WAF), DDoS mitigation and more. Applying these functions at the cloud layer closes critical security gaps and provides the opportunity to implement these functions in a cloud environment, for more open, agile and orchestrated real-time network security, with virtually unlimited scale. It also creates the opportunity for premises-based appliances to be refocused on perimeter-centric security functions that are well within the scale of those appliances. The new security paradigm is an Orchestrated Threat Management (OTM) approach as delivered from Wedge Networks’ Cloud Network Defense.

2 Orchestrated Threat Management

The goal of Orchestrated Threat Management is to implement NGFW or UTM type functions using a cloud-based, software-defined and orchestrated platform architecture for superior scalability, operational agility, and adaptability. The concept of OTM is to replace the closed (proprietary hardware with embedded proprietary software), inflexible, hardware-defined, single-vendor product attributes of the past appliances (Figure 1) with the centrally managed, open, agile, software-defined, multi-vendor attributes of today’s rapidly evolving data centers and networks (Figure 2). Let’s consider OTM further by reviewing each of the architectural layers.

2.1 Compute Infrastructure Layer

OTM platforms eliminate the dependency on proprietary hardware and the need to purchase oversized hardware appliances in pursuit of solution longevity. OTM’s decoupling of software from hardware provides multiple degrees of freedom for the hardware compute layer. For example, the software may be deployed as an appliance running on a generic x86 server, using commercial-off-the-shelf (COTS) hardware; or deployed as a virtual appliance, running on a virtual machine (VM); or ideally deployed in a cloud compute environment controlled by a cloud management system such as OpenStack or VMware.

In the case of an x86-based COTS appliance, the software can be transferred to a different x86 server with more compute power and higher speed network interfaces as traffic loads increase and require more capacity. The former x86 server can then be redeployed for other applications that can be supported within its capabilities. This approach allows customers to purchase their own server hardware and eliminates the legacy appliance issue of stranded hardware and software when the capacity or performance requirements of the proprietary appliance are exceeded.

In the case of a VM, the software can be loaded on a virtual machine running VMware, KVM or another virtualization operating system. This provides the flexibility to run more than one virtual machine on a server, with the benefit of avoiding the purchase and installation of a separate dedicated server. One caveat for consideration with a VM is that a portion of the server’s memory and compute power is allocated to the overhead associated with creating and sustaining each virtual machine. Additionally, other VMs running on the server also consume resources. So system performance can be a consideration if the server is heavily loaded.

Figure 1) Traditional UTM Appliance Architecture

Figure 2) Orchestrated Threat Management Platform Architecture


However, it can be an ideal approach in many use cases, both in the data center and at a customer’s premises. In the future, the use of a container technology such as Docker and LXC will reduce this issue.

Within a cloud computing environment, OTM implementation is the ideal compute infrastructure. Cloud computing provides the option to dynamically spin up more virtual machines across a virtually unlimited number of servers for nearly unlimited scalability. As OTM compute requirements increase over time or possibly surge, such as in the case of a denial of service (DoS) attack, more VMs can be dynamically spun up and allocated. As requirements decrease (i.e., following a DoS attack) the VMs can be spun back down and made available for other applications running in the same cloud environment. This dynamic scalability assures that OTM performance is not constrained by statically defined system capabilities. It also delivers powerful economics when compared against the purchase and deployment of dedicated appliance hardware that must be oversized to support peak demands.

2.2 Security Mediation Layer

The security mediation layer provides the core OTM operating system, system administration, resource management, and security mediation services for the OTM platform. One of the key OTM attributes of this layer is the ability to conduct primary security mediation functions such as opening packets for inspection, possibly reconstructing content for inspection, and applying one or more security functions to the available content. Another key attribute of OTM is the support for an open service bus to allow one or more security applications, developed by one or more vendors, to plug in and apply security functions to the inspected packets and/or content.

In some cases, certain primary security functions, SSL decryption and encryption, reporting and other primary system functions may be included as part of the security mediation layer. However, in general, a variety of security functions should be available in the form of individual applications so that customers may select and apply different functions based on their individual and application specific needs. This framework will also provide the ability for security applications and technologies developed by multiple vendors to be available, giving customers more freedom and choice in selecting from a range of security applications and changing them as required over time.

2.3 Security Applications Layer

A core attribute of OTM is that applications are developed independent of the security mediation layer and easily added or removed based on customer preference. Ideally, the industry will specify a standard interface allowing any third party security application developer to create their own application and make it available for use within any vendor’s OTM system. However, at this time no such industry standard has been established. In the interim, visionary market innovators such as Wedge Networks have developed their own API so they can systematically adapt security technologies from third party vendors into OTM compatible applications. By doing so, these applications can apply security functions to the packets and content that are already being inspected at the security mediation layer. This inspect once and expose to multiple applications model minimizes the latency associated with conducting the inspection process for each application and minimizes compute resource requirements.

In some instances, it may be more practical for third party applications to operate as a standalone virtual network function (VNF) that runs independent of the security mediation layer. Of course this application will need to be controlled by the security orchestration layer to be considered as part of the OTM. Otherwise it would simply be an independent security VNF. Possible examples of this form of implementation include Web Application Firewalls (WAF), Sandboxing, and packet level Encryption.

The primary benefits of disaggregating applications via OTM are the ability for applications to evolve independently of the security mediation and orchestration layers, to be developed by third parties, and to easily be introduced or removed from the OTM configuration as required.
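The inspect-once model described above is easier to see in code. The following is an added example, not Wedge Networks’ code or API: a small mediation layer reassembles and decodes a flow a single time and hands the same decoded view to three plugged-in applications (a signature check, a DLP check and a web filter), then combines their verdicts. The application names, the malware marker, the blocked-host list and the sample HTTP flows are constructed for this example.

```python
"""Added example (not Wedge Networks code) of the "inspect once, expose to
multiple applications" model: a flow is reassembled and decoded a single time,
and every plugged-in security application reads the same ContentView. The app
names, the malware marker, the host list and the sample flows are constructed."""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ContentView:
    src: str
    dst: str
    headers: Dict[str, str]
    body: bytes                      # decoded once; applications only read it

@dataclass
class Verdict:
    app: str
    action: str                      # "allow" or "block"
    reason: str = ""

SecurityApp = Callable[[ContentView], Verdict]

def parse_http(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a minimal HTTP message into headers and body and undo base64
    transfer encoding, so no application has to repeat that work."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    if headers.get("content-transfer-encoding") == "base64":
        body = base64.b64decode(body)
    return headers, body

class MediationLayer:
    """Open service bus: applications register; each flow is decoded once."""
    def __init__(self) -> None:
        self.apps: List[SecurityApp] = []
        self.decode_passes = 0       # instrumentation: one decode per flow, not per app

    def register(self, app: SecurityApp) -> None:
        self.apps.append(app)

    def decide(self, src: str, dst: str, chunks: List[bytes]) -> Tuple[str, List[Verdict]]:
        headers, body = parse_http(b"".join(chunks))     # reassemble + decode, once
        self.decode_passes += 1
        view = ContentView(src, dst, headers, body)
        verdicts = [app(view) for app in self.apps]
        action = "block" if any(v.action == "block" for v in verdicts) else "allow"
        return action, verdicts

# Three pluggable applications (constructed and deliberately simple).
MALWARE_MARKER = b"CONSTRUCTED-MALWARE-MARKER"   # stand-in for an AV signature
BLOCKED_HOSTS = {"blocked.example"}              # stand-in for a web-filter list

def anti_malware(view: ContentView) -> Verdict:
    hit = MALWARE_MARKER in view.body
    return Verdict("AM", "block" if hit else "allow", "signature match" if hit else "")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def dlp(view: ContentView) -> Verdict:
    """Block bodies carrying a Luhn-valid 16-digit number (card-like data)."""
    for m in re.finditer(rb"\b\d{16}\b", view.body):
        if luhn_ok(m.group().decode()):
            return Verdict("DLP", "block", "card-like number in payload")
    return Verdict("DLP", "allow")

def web_filter(view: ContentView) -> Verdict:
    blocked = view.headers.get("host", "") in BLOCKED_HOSTS
    return Verdict("WF", "block" if blocked else "allow")

def http_post(host: str, body: bytes) -> List[bytes]:
    """Constructed flow: a base64-encoded POST split into two TCP-like segments."""
    msg = (b"POST /upload HTTP/1.1\r\nHost: " + host.encode() +
           b"\r\nContent-Transfer-Encoding: base64\r\n\r\n" + base64.b64encode(body))
    return [msg[: len(msg) // 2], msg[len(msg) // 2:]]

def demo() -> Dict[str, str]:
    layer, out = MediationLayer(), {}
    for app in (anti_malware, dlp, web_filter):
        layer.register(app)
    flows = {
        "benign": ("files.example", b"quarterly report"),
        "card_leak": ("files.example", b"card=4111111111111111"),
        "malware": ("files.example", b"payload " + MALWARE_MARKER),
        "blocked_host": ("blocked.example", b"hello"),
    }
    for name, (host, body) in flows.items():
        out[name], _ = layer.decide("10.0.0.5", "203.0.113.9", http_post(host, body))
    out["decode_passes"] = str(layer.decode_passes)   # 4 flows x 3 apps, only 4 decodes
    return out
```

The decode_passes counter is what the model buys: four flows produce four decode passes however many applications are registered, where a per-application inspection would have produced twelve. A real mediation layer also performs the SSL decryption mentioned in 2.2 before this point; that step is left out here.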

2.3.1 Deep Learning for Improved Security Application Identification of Zero Day Threat

Within an OTM, security against malware is a priority cyber security application. The ability of the OTM to systematically adapt new security technologies enables the OTM to evolve the offered cyber protection as newer methodologies for malware identification become available. Moreover, the ability of the OTM to orchestrate multiple third party security applications together provides the ability to adopt new emerging methods of malware identification while still leveraging current proven methods.

Within the Wedge Networks’ OTM, deep learning has been incorporated with industry best of breed signature and heuristic-based methods to provide the first cloud based artificial neural network (ANN) implementation of malware detection that is not only highly accurate but processed in real-time. Additionally, the Wedge Networks OTM utilizes machine learning to improve malware detection in that:

• the patented Subsonic DCI engine allows the rapid propagation of “learned” intelligence to other WedgeOS systems, hence enhancing the immune system of the whole network;

• the WedgeOS and related third-party VNFs have the ability to gather contextual data from L3-L7 for Big Data acquisition, storage, and indexing. The WedgeIQ uses a distributed data storage architecture allowing archival and indexing of the data set in real-time; and

• the WedgeIQ uses advanced data visualization technology to effectively communicate the relationship of the elements in a threat domain to human analysts with improved cognition efficiency.

The OTM enables emerging machine and deep learning applications to be seamlessly integrated into the orchestrated environment, so that the cyber security solution constantly evolves to adapt to the changing threat landscape. Some other areas of machine learning that are under research with Wedge Networks’ OTM include: the use of Google’s Deep Learning for anti-spam purposes; and the use of a TensorFlow machine learning algorithm for web filtering purposes – this algorithm allows the automatic classification of a web page based on its attributes such as the pages linked to/from the page.

2.4 Security Orchestration Layer

The Security Orchestration layer is functionally similar to an SDN and network functions virtualization (NFV) orchestrator, however the primary scope is limited to controlling the OTM resources. It is also desirable for the orchestrator to support a limited set of SDN switch functions to automate the provisioning of security in-line with data services and possible remediation of certain security threats.

At a rudimentary level, the Security Orchestrator provides the administration of the OTM platform’s software and hardware resources, much like an element management system controls a UTM security appliance. The major difference is that the orchestrator operates on a paradigm of abstraction, where orchestration software is decoupled from the intricacies of the lower level hardware and software. The result is that the OTM platform is highly programmable and easily customizable to support a wide range of use cases and an expanding set of security applications.


The Security Orchestrator can directly control the hardware or interface with OpenStack or VMware to control the virtualized compute resources. Similarly, it can directly control the applications and coordinate with the Security Mediation layer resources, or manage an independent VNF as part of the OTM ecosystem. Additionally, the Security Orchestrator may control a virtualized Ethernet switch using OpenFlow™ to facilitate the automated mapping of service flows through the OTM platform. This range of control positions the Security Orchestrator to facilitate service chaining of a range of security functions, applying security technologies and applications from multiple vendors, with common operations using a single pane of glass.

2.4.1 Why Use a Dedicated Security Orchestrator?

Some have asked why a separate and dedicated security orchestrator is required, as opposed to using an existing cloud or network orchestrator. The short answer is that in most cases those orchestrators are not present in production networks, and when they are, most will not be focused to efficiently manage the security applications and security mediation functions with the same level of efficiency and granularity. At some point the industry may specify international standards to facilitate that capability, however that process will likely take several years to materialize. In the interim, the concept of SDN and orchestration provides the option for higher level orchestrators to interface with and control lower level application specific orchestrators. So the security orchestrator will have a productive role even as higher level orchestrators are introduced over time.

2.5 Alternative Approaches for Cloud-Layer Security

Many incumbent vendors have begun marketing their existing UTM and NGFW appliances for deployment at the cloud-layer to cover expanding premises-based security gaps. The following sections address the numerous reasons why this approach is undesired and why OTM is a preferred approach.

2.5.1 Physical Appliances: Good for Vendors, Not so Good for Enterprises, Service Providers or Emerging Networks

Much like router and switch vendors, conventional security appliance vendors love to develop and sell hardware appliances. Vendor investments in hardware acceleration technology and proprietary ASIC developments gave early security vendors tangible differentiation that was costly and difficult for competitors to match. Once a customer deployed their solution, it was difficult for another vendor’s product to displace the incumbent solution due to operational complexities with a phased transition or upfront displacement costs with a full cutover.

What made this appliance business model even more attractive for vendors was that the model of embedding operating system (OS) and application software in these appliances locked the software in the associated hardware appliance. If the hardware was retired, the software was too. Each appliance was designed to support a specific maximum capacity of traffic, so customers naturally purchased appliances with substantially more capacity than they needed initially to extend the useful life of the asset for a longer depreciation period. The result was that Enterprise customers received no credit for the software they previously paid for when upgrading, and they typically paid for substantially more security capacity than they initially required, up front. This was a great model for vendors, but not so great for Enterprises or service providers planning to use their appliances.

When you consider the scale and pace at which traffic is growing today, particularly with cloud-based data centers and applications, the projected traffic capacity requirements translate into a need for massively scalable systems which are not well addressed by static, fixed-capacity appliances. Furthermore, the evolving software-defined nature of networks and the emergence of NFV is creating the opportunity for networks to become dynamically configured, scaling capacity up and down over time, and reconfiguring to support changing connectivity requirements. The fixed capacity and statically managed nature of security appliances is simply not well aligned with rapidly evolving, more agile and orchestrated networks. Security platforms must also evolve to embrace cloud-based computing to scale as flexibly and dynamically as the services being protected. The software must become abstracted from the proprietary appliance hardware, and designed to operate on commercial off the shelf (COTS) hardware. And ideally, the software should allow for operation in an SDN and NFV orchestrated environment to achieve the agility, performance and scale of the services and networks being protected.

2.5.2 Virtual Appliances: Necessary, But in Many Cases Not Sufficient

The dramatic industry movement toward NFV has started an irreversible trend toward virtualizing legacy appliance products to run as software on top of industry standard server hardware. This trend has put pressure on nearly all equipment vendors to offer VNF instances of their physical appliances, often referred to as virtual appliances. In most cases, conventional security appliance vendors have little history or expertise in working with higher level operational software trends like SDN or NFV orchestration. So it’s only natural that most security vendors have simply focused on taking their existing software and adapting it to run as a virtual machine (VM), and then marketing it as a virtual appliance.

2.5.2.1.1 VNFs Require an Orchestrator, Frequently Not Available

While developing VNFs is an important step in the right direction, in most cases the results to date have been mixed for vendors and their customers alike. The first challenge is that while SDN and NFV orchestrators are evolving rapidly, very few are in operation for anything other than large scale data center cloud compute and storage applications. A handful of SDN and NFV orchestration vendors have taken on the task of integrating high level service chaining support for a variety of software defined network elements and VNF products, however very few of these orchestration systems are in place and ready to support full scale security orchestration today. Consequently, the majority of security VNF deployments have been in proof of concept trials and labs to demonstrate the concept of spinning up virtual appliances as part of a service chained end-to-end service.

2.5.2.1.2 Porting Legacy Software to Run as a VNF is Not Optimal

Another major problem with most of these security VNF initiatives is that security appliance software that was originally developed to run on custom hardware with specialized hardware acceleration does not perform well on COTS hardware. Unfortunately, most traditional test houses that benchmark the relative performance of security appliances have not yet developed comparative test methodologies for objective comparative performance data. So customers have typically accepted a marginally performing virtual appliance or purchased another physical appliance.

While VNFs do create a choice, the vast majority of security VNFs represent the same proprietary, single vendor attributes of physical appliance solutions. They typically lack the open, multivendor technology choices that were a driving objective with SDN and NFV.

Given the inherent incumbent vendor benefits of selling over-capacity designed appliances rather than software scaled to support actual demand, it’s unlikely that this situation will dramatically change, at least until OTM platforms become recognized as a compelling alternative.


2.5.3 Multi-Tenancy Versus vCPE Optimized

Most security VNF offerings have been optimized for the virtual customer premises equipment (vCPE) model. The driver behind this model is to eliminate truck rolls by deploying traditional premises-based security functions using a VNF that can be downloaded to run on an x86 server in the premises. While this model has its merits, it’s once again focused on the traditional paradigm of protecting the premises and does not address the requirement for cloud layer security.

Service providers require a cloud-layer security solution that supports multi-tenancy, so that one cloud-based security platform (physical or virtual) can be used to provide cloud-layer security to hundreds, thousands, tens of thousands and potentially hundreds of thousands of different end customers, each with their own uniquely specified set of security policies. The single customer orientation of today’s vCPE security VNFs does not satisfy this requirement. In theory, the service provider could spin up a unique VNF instance for every end customer serviced from the cloud, however the compute and storage overhead associated with creating and managing large numbers of VNF instances at a single data center location is dramatically less efficient than having a single cloud-based security platform with multi-tenancy support.

3 Evolving Management and Analytics for Continuously Improving the OTM

The previous sections strove to illustrate how an OTM platform is an evolution in cyber defense and how it is able to adapt more easily to the changing threat landscape. The OTM provides the advantages of being able to apply multiple security policies efficiently to the content to identify anomalous activities with a high degree of accuracy including zero day threats. But, for the platform to maximize its capability it must also capture and provide usable analytics that can quickly assist those monitoring to recognize the anomalous activities as well as assist in the machine learning of the system to improve its efficiency. Combining data collection, aggregation and Big Data analytics with machine learning provides greater insights on the evolution of threats; this in turn allows the monitors to better adapt the OTM, if needed, to better predict and respond to network security intrusions. The adapting OTM is able to populate the system with better information (including information from the private sector, the government and academia), and provide cyber situational awareness across monitored entities, with the ability to spot anomalous activities, analyze those activities and rapidly respond. Examples of advanced usable data collection, analytics and presentation which can assist those monitoring include:

• Indexed event reporting: providing searchable inputs from L3 to L7 of sessions and content for advanced analytics;

• Policy-triggered content capture, export, indexing and archiving: providing powerful data capture for forensics and advanced analytics;

• Elastic search document-based distributed database support: providing an elastic full text search database capability for the indexing and archiving of event logs, exported payloads, mirrored traffic, etc.;

• Event timeline reporting: providing time-line visualization of individual events or sets of events for timeframe-based forensics and analytics;

• Analysis Visualization: providing intuitive insights into the threat landscape including a source and destination map to aid in analytics.


3.1 WedgeIQ: A Model for Usable Analytics within an OTM

Using Wedge Networks’ OTM management tool, WedgeIQ, as a model, the following sections provide detail into the bullets listed above as an example of analytics that can quickly assist those monitoring to recognize the anomalous activities as well as assist in the machine learning of the system to improve its efficiency.

3.1.1 Indexed Event Reporting

WedgeIQ provides searchable inputs from L3 to L7 of sessions and content for advanced analytics through the use of session reconstruction. Within the WedgeOS, data is passed through both DPI and DCI scanners providing full L3 to L7 visibility. The proper management of events from the DCI Engine and DPI Engine is put in place so that these events can be indexed. Session reconstruction works differently for each service type:

1) DPI – With Deep Packet Inspection, traffic mirroring (packet mirroring) is set up and is triggered when certain categories are triggered. For example, if traffic mirroring is set up for “Chat”, whenever the DPI engine triggers on that rule, it will copy and forward all packets to a server where the session can be reviewed. In one Wedge deployment, the Moloch interface was used to reconstruct the TCP sessions.

2) DCI – With Deep Content Inspection, this reconstruction was developed by Wedge whereby if any DCI policy is triggered, the “payload” that it was triggered on is sent to the Event Archive server where Mail and HTTP session reconstruction takes place.

Once information from DPI and DCI is captured and indexed in ElasticSearch (ES), the WedgeIQ Dashboards / Investigations / Log Drill Downs / etc. simply read from the ES document database to populate its User Interfaces. Each dashboard / page has the ability to filter or even search on any content that has been displayed.

3.1.2 Policy-Triggered Content Capture, Export, Indexing and Archiving

File attachments and emails that are exported from WedgeOS and WedgeOS instances in Wedge Cloud Network Defense are indexed and archived. This provides powerful data capture for forensics and advanced analytics. This relies on the DPI and DCI Indexed Event Reporting described earlier, with DPI using traffic mirroring and DCI using event exporting, to get the data to the ElasticSearch function. The data is then populated in the User Interfaces. The key with WedgeIQ is that it only exports data when a policy is triggered and when the system has the “export flag” set to “on”; so the system knows to export the payload. If exporting is turned “off”, the payload is removed from WedgeOS after it is scanned and delivered to its destination (the client or server).


3.1.3 ElasticSearch Document-Based Distributed Database Support

This feature of WedgeIQ provides an elastic and full text search database capability for the indexing and archiving of event logs, exported payloads, mirrored traffic, etc. The full text search database technology ElasticSearch is chosen for the index and archive of the event logs, exported payloads, and mirrored traffic from WedgeOS, Web Application Firewall (WAF), and Wedge Cloud Network Defense. The ElasticSearch solution provides an expandable cluster-based solution that can grow in computational and archiving capability. It also provides a simple REST API to retrieve data for visualization or external analysis. ElasticSearch is used on the back-end of WedgeIQ to store all of these events as “JSON documents”. Once the data is in, users can search and filter based on the content. Searching by IP address (or client), Tenant, DCI categories that were triggered, etc. are all possible.
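As an added illustration of 3.1.2 and 3.1.3 (example code, not WedgeIQ’s own), the block below models the export-flag rule and the document index together: an event is always recorded, the payload is attached to it only when a DCI policy triggered and the tenant’s export flag is on, and the resulting JSON documents are searched by tenant, IP address and triggered category. The tenants, addresses, categories and payloads are constructed, and the in-memory EventIndex stands in for an ElasticSearch index.

```python
"""Added example (not Wedge Networks code) covering sections 3.1.2 and 3.1.3:
a scanned payload is exported with its event only when a DCI policy fired AND
the tenant's export flag is on; otherwise the event is kept and the payload is
dropped. Events are stored as JSON documents in an in-memory index that stands
in for ElasticSearch and supports the IP / tenant / category searches the text
names. Tenants, addresses, categories and payloads are constructed."""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ScanResult:
    tenant: str
    src_ip: str
    dst_ip: str
    service: str            # "mail" or "http" (the two reconstruction paths)
    categories: List[str]   # DCI categories that triggered; empty means clean
    payload: bytes


def build_event(result: ScanResult, export_flag: bool, ts: int) -> Dict[str, object]:
    """Event document for one scan. The payload is attached only when a policy
    triggered and export is on; a hash is always kept so analysts can still
    correlate a dropped payload with other sightings."""
    triggered = bool(result.categories)
    export = triggered and export_flag
    doc: Dict[str, object] = {
        "@timestamp": ts,
        "tenant": result.tenant,
        "src_ip": result.src_ip,
        "dst_ip": result.dst_ip,
        "service": result.service,
        "dci_categories": list(result.categories),
        "payload_sha256": hashlib.sha256(result.payload).hexdigest(),
        "payload_exported": export,
    }
    if export:
        doc["payload"] = result.payload.decode("latin-1")   # archived for forensics
    return doc


class EventIndex:
    """Tiny document store mimicking the searches run against the ES back-end."""

    def __init__(self) -> None:
        self.docs: List[Dict[str, object]] = []

    def index(self, doc: Dict[str, object]) -> None:
        json.dumps(doc)          # every stored event must be a valid JSON document
        self.docs.append(doc)

    def search(self, *, tenant: Optional[str] = None, ip: Optional[str] = None,
               category: Optional[str] = None) -> List[Dict[str, object]]:
        hits = []
        for d in self.docs:
            if tenant is not None and d["tenant"] != tenant:
                continue
            if ip is not None and ip not in (d["src_ip"], d["dst_ip"]):
                continue
            if category is not None and category not in d["dci_categories"]:
                continue
            hits.append(d)
        return hits


def demo() -> Dict[str, object]:
    export_flags = {"tenant-a": True, "tenant-b": False}    # constructed per-tenant setting
    scans = [
        ScanResult("tenant-a", "10.1.1.5", "198.51.100.7", "mail", ["Malware"], b"constructed attachment"),
        ScanResult("tenant-a", "10.1.1.6", "198.51.100.8", "http", [], b"clean page"),
        ScanResult("tenant-b", "10.2.2.9", "198.51.100.7", "http", ["DLP", "Chat"], b"constructed upload"),
        ScanResult("tenant-b", "10.2.2.9", "198.51.100.10", "mail", ["Malware"], b"constructed attachment"),
    ]
    idx = EventIndex()
    for ts, scan in enumerate(scans):
        idx.index(build_event(scan, export_flags[scan.tenant], ts))
    return {
        "events": len(idx.docs),
        "exported": sum(1 for d in idx.docs if d["payload_exported"]),
        "tenant_b": len(idx.search(tenant="tenant-b")),
        "talks_to_198.51.100.7": len(idx.search(ip="198.51.100.7")),
        "malware": len(idx.search(category="Malware")),
        "tenant_b_payload_kept": any("payload" in d for d in idx.search(tenant="tenant-b")),
    }
```

Keeping a payload hash even when the payload itself is dropped is a design choice worth copying: it lets an analyst link a discarded object to later sightings without retaining content the policy said not to keep. Against a real cluster the search method would be replaced by a term query over the same fields through the REST API.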

3.1.4 Event Timeline Reporting

Event Timeline Reporting provides time-line visualization of individual events or sets of events for timeframe-based forensics and analytics. The WedgeIQ Event Timeline is an analysis visualization that allows for a timeline-based analysis of when events are occurring. The types of events that provide the timeline lanes of the visualization are selectable by the user, along with the timeframe of interest. Individual events can be isolated and details can be made visible. The events can be filtered further to provide a focused timeline view. This is one of the dashboards that is provided in WedgeIQ along with the Security Shield. It allows visualization of “time” components to provide information on when an event or series of events occurred on the network. It is grouped by category on the Y-axis so that events can be grouped by the type or category that they belong to. For example, a user could see all Web Filter categories that were triggered, along with when they were triggered.

Figure 5) Sample Data Center Dashboard

Figure 6) Sample Event Timeline

3.1.5 Analysis Visualization

The WedgeIQ Security Shield is an analysis visualization that allows for intuitive analysis of the security events that are most commonly triggered and the source or destination endpoints involved. The types of events that define the visualization can be selected by the user along with the timeframe of interest. The visualization can be filtered further. The endpoints or the selected parameter in the visualization can also be highlighted so that relationships can be viewed. This is one of the dashboards that is provided in WedgeIQ along with the Event Timeline described earlier. It is a visualization that has a “shield” superimposed on the events that were triggered. This allows users to identify where the attack came from (the source address) along with what is being attacked (the destination address). This visualization helps to quickly identify what types of attacks are occurring, as well as if an attack is against a single server or against multiple servers.
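To make the two dashboards concrete, the following added example (not WedgeIQ code) computes the data behind them from constructed events: the per-category lanes of the Event Timeline for a user-chosen timeframe and bucket size, and the source-to-destination edges of the Security Shield together with the single-server versus multiple-server distinction the text mentions. Category names, addresses and timestamps are constructed.

```python
"""Added example (not Wedge Networks code) illustrating sections 3.1.4 and 3.1.5:
the same constructed event records are (a) bucketed into per-category timeline
lanes for a user-chosen timeframe and (b) rolled up into a source-to-destination
view that answers whether an attack type hit one server or several. Category
names, addresses and timestamps are constructed."""
from collections import defaultdict
from typing import Dict, List, Set

Event = Dict[str, object]

# Constructed events; "ts" is seconds relative to the start of the capture.
EVENTS: List[Event] = [
    {"ts": 5,   "category": "Exploit:SQLi",       "src": "198.51.100.20", "dst": "203.0.113.10"},
    {"ts": 10,  "category": "WebFilter:Gambling", "src": "10.0.0.4",      "dst": "203.0.113.1"},
    {"ts": 35,  "category": "Exploit:SQLi",       "src": "198.51.100.20", "dst": "203.0.113.11"},
    {"ts": 65,  "category": "Exploit:SQLi",       "src": "198.51.100.21", "dst": "203.0.113.10"},
    {"ts": 70,  "category": "WebFilter:Gambling", "src": "10.0.0.5",      "dst": "203.0.113.2"},
    {"ts": 100, "category": "Malware:Download",   "src": "10.0.0.6",      "dst": "203.0.113.30"},
    {"ts": 130, "category": "Malware:Download",   "src": "10.0.0.6",      "dst": "203.0.113.31"},
]


def select_events(events: List[Event], categories: Set[str], start: int, end: int) -> List[Event]:
    """The user's two choices: which event types to show and the timeframe [start, end)."""
    return [e for e in events if e["category"] in categories and start <= e["ts"] < end]


def timeline_lanes(events: List[Event], categories: List[str], start: int, end: int,
                   bucket: int) -> Dict[str, List[int]]:
    """One lane per category (the Y-axis), one counter per time bucket (the X-axis)."""
    n_buckets = (end - start + bucket - 1) // bucket
    lanes = {c: [0] * n_buckets for c in categories}
    for e in select_events(events, set(categories), start, end):
        lanes[e["category"]][(e["ts"] - start) // bucket] += 1
    return lanes


def shield_view(events: List[Event]) -> Dict[str, Dict[str, List[str]]]:
    """Per category: which source attacked which destinations (the 'shield' edges)."""
    edges: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for e in events:
        edges[e["category"]][e["src"]].add(e["dst"])
    return {c: {s: sorted(d) for s, d in srcs.items()} for c, srcs in edges.items()}


def attack_spread(events: List[Event], category: str) -> str:
    """Is this attack type aimed at a single server or at multiple servers?"""
    targets = {e["dst"] for e in events if e["category"] == category}
    return "multiple-servers" if len(targets) > 1 else "single-server"


def demo() -> Dict[str, object]:
    cats = ["Exploit:SQLi", "WebFilter:Gambling", "Malware:Download"]
    window = select_events(EVENTS, set(cats), 0, 120)   # analyst picks the first two minutes
    return {
        "lanes": timeline_lanes(EVENTS, cats, 0, 120, 60),
        "shield": shield_view(window),
        "sqli_spread": attack_spread(window, "Exploit:SQLi"),
        "malware_spread": attack_spread(window, "Malware:Download"),
    }
```

Both views are derived from the same filtered event set, which is why the dashboards can be cross-referenced: narrowing the timeframe changes the verdict of attack_spread for the Malware:Download category from multiple servers (over the whole capture) to a single server (inside the first two minutes).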

3.2 Real-Time Protection of Networks

For adequate real-time protection of networks, security decisions must be made within milliseconds, before packets are dropped. Thus, in order for cyber defense to be effective, it needs to offer: 1) L3-L7 data discovery, 2) both pattern matching and artificial intelligence analysis (as compared to threat intelligence), and 3) decision making, or a course of action, within this millisecond window. In addition, an effective solution should provide actionable feedback for quick identification of threats, as well as a learning environment to improve on the three items mentioned. WedgeIQ provides real-time protection through Wedge Cloud Network Defense, which uses a combination of its WedgeOS platform, multiple security NFVs, and WedgeIQ analytics and policy enforcement. WedgeIQ is the data-science-based service that provides Big Data functionality, employing unique threat detection and remediation algorithms, along with a variety of pattern-matching and machine learning techniques, to identify targeted cyber threats against end-users. It enables real-time response to security outbreaks and presents the results in a variety of easy-to-understand analytics.

Figure 7) Sample of WedgeIQ Security Shield
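The constraint stated above, a verdict on each packet within a millisecond budget from a pipeline that combines pattern matching with a heavier analysis stage, carries an engineering question the text leaves implicit: what the inline engine does when the budget runs out. The following is an added example for this page, not Wedge Networks or WedgeIQ code. It runs a cheap signature stage first, a heavier scoring stage only while budget remains, and makes the fail policy (fail-open or fail-closed) an explicit parameter. The signatures, the toy scorer standing in for a trained model, and the 2 ms budget are constructed; the clock is injectable so the timeout path can be exercised deterministically.

```python
"""Deadline-bounded inline inspection.

Added example, not code from Wedge Networks or WedgeIQ. It illustrates the
constraint of a verdict within a millisecond budget with a cheap signature
stage run first, a heavier scoring stage run only while budget remains, and
an explicit policy for what happens when the budget runs out. The
signatures, the toy scorer and the budget value are constructed.
"""
import re
import time

# Constructed first-stage signatures (cheap to evaluate).
SIGNATURES = [
    ("sqli-union", re.compile(rb"union\s+select", re.IGNORECASE)),
    ("path-traversal", re.compile(rb"\.\./\.\./")),
]

def toy_score(payload: bytes) -> float:
    """Stand-in for a trained classifier (assumption): fraction of bytes that
    are not printable ASCII. A real model would be the expensive second stage."""
    if not payload:
        return 0.0
    nonprint = sum(1 for b in payload if b < 0x20 or b > 0x7E)
    return nonprint / len(payload)

def inspect(payload: bytes, budget_ms: float = 2.0, on_timeout: str = "allow",
            clock=time.perf_counter) -> dict:
    """Return a verdict for one payload inside budget_ms.

    on_timeout is the fail policy when the budget is exhausted: "allow"
    (fail-open, keeps traffic flowing) or "block" (fail-closed). Choosing it
    deliberately is the point; an inline engine that silently skips analysis
    when it runs late is fail-open whether the operator intended that or not.
    clock is injectable so the budget path can be exercised deterministically.
    """
    deadline = clock() + budget_ms / 1000.0
    # Stage 1: signatures. Check the budget between patterns so a long list
    # cannot overrun the deadline unnoticed.
    for name, pattern in SIGNATURES:
        if pattern.search(payload):
            return {"verdict": "block", "reason": "signature:" + name, "stage": 1}
        if clock() >= deadline:
            return {"verdict": on_timeout, "reason": "budget exhausted during stage 1", "stage": 1}
    # Stage 2: heavier analysis, only if there is still time for it.
    if clock() >= deadline:
        return {"verdict": on_timeout, "reason": "budget exhausted before stage 2", "stage": 1}
    score = toy_score(payload)
    verdict = "block" if score > 0.3 else "allow"
    return {"verdict": verdict, "reason": "score %.2f" % score, "stage": 2}

def stepped_clock(step_s: float):
    """Deterministic clock: each call advances by step_s seconds (for tests/demos)."""
    now = [0.0]
    def _clock():
        now[0] += step_s
        return now[0]
    return _clock

if __name__ == "__main__":
    for p in (b"GET /index.html HTTP/1.1", b"id=1 UNION SELECT 1,2", b"\x00\x01\x02\x03abc"):
        print(p[:24], inspect(p))
    print("late engine, fail-open :", inspect(b"GET /", clock=stepped_clock(10.0)))
    print("late engine, fail-closed:", inspect(b"GET /", on_timeout="block", clock=stepped_clock(10.0)))
```

The returned record carries the stage that produced the verdict and the reason, which is the "actionable feedback" the paragraph asks for: a stream of stage-1 timeouts tells the operator the engine is being starved before it tells them anything about the traffic, and which way it fails under that starvation is a policy decision rather than an accident of the code path.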

Each of the various WedgeOS instances deployed globally is continually collecting and processing network data in real time, with no queuing. WedgeOS has full visibility of Layer 3-7 data content and scans all traffic, providing the Deep Data Discovery, pattern matching and artificial intelligence analysis, and ultimately the decision making or course of action, all in real time with no perceptible latency. Intelligence on the data is communicated back to WedgeIQ, which offers more detailed analytics and continuously pushes the new intelligence, along with any updated policy enforcement, back to each of the WedgeOS instances. WedgeIQ also monitors the health of the WedgeOS instances and ensures that each instance is updated with all of the latest intelligence from security partners as well as its own artificial intelligence analytics. This feedback loop of real-time scanning, analysis, decision-making and policy enforcement between WedgeOS and WedgeIQ, along with the provision of usable analytics that can quickly assist those monitoring to recognize anomalous activities, is what enables an effective network cyber defense.

4 Concluding the Case for OTM

Orchestrated Threat Management represents the next logical step in the implementation of security functions. It represents an opportunity to overcome many of the undesirable constraints of dedicated proprietary UTM and NGFW appliances of the past, and to incorporate the new capabilities and attributes of rapidly evolving software-defined, programmable networks that promise to revolutionize the communications industry.

While OTM platforms can be deployed in any environment, the maximum benefits of OTM are achieved when it is deployed in a cloud computing environment. Most of today's governments, leading enterprises and service providers have invested heavily in establishing their own scalable cloud computing environments, so adding OTM as a security application is a logical use of that resource and an ideal way to establish a massively scalable cloud layer of security.

By deploying OTM at the cloud layer, governments, enterprises and service providers can begin to offload security functions from premises-based appliances, allowing those devices to remain in place and support a subset of security applications that are well within the scope of their hardware constraints. This provides the combination of closing critical security gaps, providing a cap-and-grow strategy for the incumbent security systems, and positioning for the massively scaling, more dynamic requirements of emerging networks and business.

As the industry's first OTM platform, Wedge Networks' Cloud Network Defense with WedgeIQ provides an example of the capabilities an OTM can offer, as well as the variety of reporting, archiving and analytical tools that could improve cyber situational awareness across government agencies and their ability to detect and respond much more rapidly to threats than they are currently able to. Wedge Networks Cloud Network Defense provides the real-time ability to capture data in motion with full visibility of Layer 3-7 data content, and is able to apply multiple security policies efficiently to the content, with no latency-induced reprocessing, to identify anomalous activities with the highest degree of accuracy, including zero-day threats. Furthermore, WedgeIQ captures and provides improved visual analytics that can quickly assist those monitoring to recognize the anomalous activities. In addition, WedgeIQ assists in the machine learning of the system to improve efficiency.

Figure 8) Real-Time Protection with WedgeIQ