Threat Intelligence Gateway - Bandura Cyber · 2020-05-06


© 2019 Bandura Cyber. All rights reserved. [email protected] www.banduracyber.com

Every day millions of attacks target organizations’ networks and assets, attempting to gain access to and steal data and/or disrupt business. To combat today’s cyber threats, organizations are increasingly adopting threat intelligence as a critical component of their security strategy. In addition to providing businesses with a much needed, broader view of the threat landscape, threat intelligence also delivers valuable contextual information that can improve an organization’s ability to prevent, detect, and rapidly respond to cyber threats. This includes information regarding threat actor tactics, techniques, procedures, and the resources (i.e. IP addresses, domains, and other indicators) from which they attack.

As organizations increase their use of threat intelligence, many experience challenges operationalizing it. These challenges include managing and maintaining multiple threat feeds and integrating this intelligence into existing security controls to be able to take action to protect their networks. On the latter, it is well documented that many next-generation firewalls (NGFWs) have significant limitations integrating third-party threat intelligence feeds, inhibiting organizations’ ability to take action with threat intelligence. Setting aside the capacity constraints of NGFWs, many organizations experience significant challenges managing and maintaining access control lists, blacklists, and policies required to take action with threat intelligence. The result includes increased cyber risk due to security coverage gaps and increased manual workload on an already overburdened staff.

Exacerbating these challenges, the ever-changing nature of threats means that threat intelligence is highly dynamic. Reputation scores for IPs and domains are constantly changing. Indicators are rapidly being added to or deleted from blacklists. An IP address that is malicious now may be benign in ten minutes. Therefore, it is critical that threat intelligence and the protection policies it drives be constantly updated within the security tools that process it, and it is equally critical that this is done in an automated manner.

This solution brief will provide a comprehensive overview of how the Bandura Cyber Threat Intelligence Gateway (TIG) helps organizations of all sizes to fully leverage threat intelligence and overcome the challenges of operationalizing threat intelligence. When deployed as a key component of a perimeter security strategy, the Bandura Cyber TIG improves both the effectiveness and efficiency of a company’s security operations.

SOLUTION OVERVIEW

THREAT INTELLIGENCE GATEWAY

85,000 New Malicious IPs Launched Daily

8M Spam and Phishing Attacks Daily

30-50 Million Malicious Domains at any moment


SOLUTION OVERVIEW: THREAT INTELLIGENCE GATEWAY | 2


THE BANDURA CYBER TIG

The Bandura Cyber TIG is a threat intelligence solution that aggregates, automates, and operationalizes massive amounts of threat intelligence to block known threats and unwanted traffic from entering and exiting your network (physical or virtual). The Bandura Cyber TIG provides organizations with an additional layer of security that can improve the effectiveness and efficiency of their cyber defense and security operations, including:

■ Improved cyber situational awareness and network defense by leveraging threat intelligence to gain a broader view of cyber threat activity.

■ Attack surface reduction through more effective and efficient GEO-IP filtering.

■ Improved security staff efficiency through reduced manual workloads related to threat feed management, firewall rule and access control list (ACL) management, alert reduction, and fewer manual firewall log reviews.

■ Increased return on existing security technology investments, including next-generation firewalls, SIEMs, and threat intelligence feeds and platforms.

The Bandura Cyber TIG is frequently described by customers as “simple but elegant.” This reflects the powerful and versatile nature of the solution as it is adopted by organizations that span all sizes and security maturity levels.

Small and midsized enterprises turn to Bandura Cyber TIG for a turnkey threat intelligence solution. Bandura Cyber TIG enables them to significantly increase their use of threat intelligence to improve cyber defenses without having to overburden already scarce resources (staff and budget).

Larger enterprises are also deploying Bandura Cyber TIG to expand their use of threat intelligence and to better operationalize their existing threat intelligence. The latter includes improving the efficiency of threat feed management, analysis, and—perhaps most importantly—the ability to take action with threat intelligence in a scalable and automated way that many existing network security controls like next generation firewalls (NGFWs) don’t allow.

HOW IT WORKS

For an organization to truly protect its network from the massive volume of unique IP and domain threats attacking it at any given moment, it must choose a solution that helps it operationalize threat intelligence as part of a holistic protection strategy. Bandura Cyber helps our customers achieve this by delivering:

■ Automated & Actionable Threat Intelligence

■ Flexible & Scalable Solutions for Organizations of All Sizes

■ Powerful, Easy-to-Use Management, Logging, and Reporting


AUTOMATED & ACTIONABLE THREAT INTELLIGENCE

The Bandura Cyber TIG provides organizations with a turnkey, automated threat intelligence solution that combines the three key components of successful threat intelligence: Access, Aggregation, and Action. Automation underpins all aspects of the Bandura Cyber TIG solution, enabling organizations of all sizes to use and take action with threat intelligence in an easy, scalable, and automated way.

THREE KEY COMPONENTS OF THREAT INTELLIGENCE

THREAT INTELLIGENCE ACCESS

Bandura Cyber TIG provides significant out-of-the-box access to a massive volume of threat intelligence from a wide range of sources. This arms IT and security teams with comprehensive, up-to-date, actionable threat intelligence feeds. Available as part of either a standard or premium subscription, Bandura Cyber TIG delivers feeds from various sources including:

COMMERCIAL:

Bandura Cyber sources threat feeds from leading commercial vendors, including Webroot, Symantec, DomainTools, and Proofpoint (EmergingThreats). Webroot’s BrightCloud® IP Reputation feed and a malicious domain feed powered by DomainTools are delivered standard with every Bandura Cyber TIG.

OPEN SOURCE:

Bandura Cyber TIG offers a large volume of high fidelity open-source threat intelligence. Examples include AlienVault’s Open Threat Exchange, Blocklist.de, CI Army List, Emerging Threats Rules, and others.

GOVERNMENT:

Bandura Cyber actively participates in the U.S. Department of Homeland Security’s (DHS) Automated Indicator Sharing (AIS) and its Cyber Information Sharing and Collaboration Program (CISCP) enabling us to provide this threat intelligence within Bandura Cyber TIG. Bandura Cyber TIG also provides threat intelligence from other government sources, such as a threat feed from the State of Missouri’s security operations center.

[Figure: Automated and Actionable Threat Intelligence: Access, Aggregate, Act]

INDUSTRY/SHARING COMMUNITY LISTS:

Sector-based Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs) collect, analyze, and disseminate actionable threat information to their members and provide tools, such as threat feeds, to mitigate risks and enhance resiliency. The Bandura Cyber TIG easily integrates threat feeds from ISACs and ISAOs, as well as other industry sources.

GEO-IP

Understanding where network traffic is coming from is critical. One of the easiest ways to reduce an attack surface is to block network traffic from countries that have no business being on your network. However, because of the global nature of business, not all organizations have the ability to block traffic from entire countries. In either case, the Bandura Cyber TIG provides robust and easy-to-use GEO-IP filtering capabilities that provide clear visibility into where traffic is originating and the ability to block traffic from countries simply by clicking on a map (See Figure 1). Country IP ranges are auto-updated.

Key ISACs & ISAOs
~ Automotive ISAC
~ Aviation ISAC
~ Communication ISAC
~ Defense Industrial Base ISAC
~ Downstream Natural Gas ISAC
~ Electricity ISAC
~ Emergency Management and Response ISAC
~ Energy Analysis Security Exchange
~ Financial Services ISAC
~ Health ISAC
~ Healthcare Ready ISAC
~ Information Technology ISAC
~ Legal Services ISAO
~ Maritime ISAC
~ Multi-State ISAC
~ National Defense ISAC
~ National Retail Federation
~ Oil & Natural Gas ISAC
~ Real Estate ISAC
~ Research and Education Networks ISAC
~ Retail and Hospitality ISAC
~ Surface Transportation, Public Transportation And Over-The-Road Bus ISAC
~ Water ISAC

Figure 1: Geo-IP Map


Bandura Cyber TIG’s whitelist and exception list capabilities provide the ability to block countries while allowing access from specific organizations in those countries.

AUTONOMOUS SYSTEM NUMBER (ASN)

In addition to the “where,” the “who” is also important. Bandura Cyber TIG identifies traffic to organizations based on ASN, enabling organizations to filter traffic and adjust policies based on the organization. This is useful both from a blacklisting and a whitelisting perspective. For example, an organization may want to block traffic from a certain country but allow traffic from specific organizations from that country.

Bandura Cyber TIG also incorporates different threat intelligence types including blacklists, whitelists, and graylists, as well as reputation-based threat feeds. List-based threat intelligence is binary: malicious or not. Reputation-based intelligence is dynamically scored intelligence that is commonly also categorized. For example, the Bandura Cyber TIG’s IP Reputation feed has 19 threat categories that are dynamically scored from one to 100, with one being benign and 100 being malicious. As Figure 2 shows, customers are able to easily activate and deactivate threat categories and change the risk threshold. The risk threshold represents the score at which the Bandura Cyber TIG will allow or deny traffic.

Importantly, threat feeds in Bandura Cyber TIG are dynamically updated in near real-time. Customers also have flexibility to adjust the frequency of updates.

Bandura Cyber is continually identifying and adding more sources of threat intelligence to Bandura Cyber TIGs in an effort to constantly improve threat coverage as well as in response to customer requests to add specific sources of threat intelligence. As you will see next, the Bandura Cyber TIG is an open and flexible platform making it easy for customers to integrate additional threat intelligence sources.

An Autonomous System Number (ASN) is a unique number that is available globally to identify an autonomous system and which enables that system to exchange exterior routing information with other autonomous systems.

Figure 2: Risk Thresholds


THREAT INTELLIGENCE AGGREGATION & ANALYSIS

The Bandura Cyber TIG provides a central aggregation point for multiple sources of threat intelligence, enabling them to be easily managed and analyzed. Bandura Cyber TIG is also an open platform, which enables security organizations to easily integrate additional sources of threat intelligence. The Bandura Cyber TIG is built on an open architecture and supports industry standards like STIX/TAXII. This feature gives users the flexibility to tailor the Bandura Cyber TIG to their specific threat intelligence needs.

Threat feeds are aggregated and updated at our cloud-based threat intelligence management layer called the Bandura Cyber Global Management Center (GMC). GMC in turn delivers updated threat intelligence information down to Bandura Cyber TIGs, which use this information to rapidly filter inbound and outbound network traffic. Because the indicators are stored locally, the Bandura Cyber TIG is able to filter traffic against over 100 million unique IP and domain indicators in software at near line speeds.

The ability to aggregate multiple threat feeds into a powerful, centralized security solution, where they are automatically updated, helps organizations simplify their management of threat intelligence, reduce staff workload, and improve network protection.

STIX and TAXII are standards that support threat intelligence sharing programs, tools, and software. Where STIX states the what of threat intelligence, TAXII defines how that information is relayed. Unlike previous sharing methods, both STIX and TAXII are machine-readable and therefore easily automated. Both are backed by an active community of developers and standards bodies, focused on the shared goal of an improved and holistic approach to threat intelligence.

Structured Threat Information eXpression (STIX) is a standardized language developed by MITRE and the OASIS Cyber Threat Intelligence (CTI) Technical Committee for describing threat information. It has been adopted as an international standard by various intelligence sharing communities and organizations. It is designed to be shared via TAXII as well as other means.

Trusted Automated eXchange of Intelligence Information (TAXII) defines how cyber threat information can be shared via services and message exchanges. As an international standard, it was designed specifically to support STIX information by defining an API that aligns with common sharing models. The three principal models for TAXII include:

■ Hub and Spoke

■ Source/Subscriber

■ Peer to Peer
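As an added illustration of the STIX/TAXII aggregation path described above (example code, not Bandura Cyber's own), the following turns a STIX 2.1 indicator bundle, as a TAXII collection would deliver it, into the IP and domain block lists a gateway filters against. It assumes simple comparison patterns on ipv4-addr, ipv6-addr or domain-name values (optionally OR-combined), not the full STIX pattern grammar; the bundle, ids and hash value are constructed sample data.

```python
"""Added example (not Bandura Cyber's code): ingest a STIX 2.1 indicator bundle
into the IP and domain block lists a threat intelligence gateway filters on.

Assumptions: simple comparison patterns on ipv4-addr, ipv6-addr or domain-name,
optionally OR-combined; the full STIX pattern grammar is not handled.
SAMPLE_BUNDLE is constructed data (documentation IP ranges, placeholder ids)."""
import re
from datetime import datetime, timezone

# One comparison expression per bracket pair, e.g. [ipv4-addr:value = '203.0.113.5']
PATTERN_RE = re.compile(
    r"\[\s*(ipv4-addr|ipv6-addr|domain-name):value\s*=\s*'([^']+)'\s*\]"
)


def parse_pattern(pattern: str) -> list[tuple[str, str]]:
    """Return (object_type, value) pairs found in a STIX pattern string."""
    return PATTERN_RE.findall(pattern)


def parse_ts(value: str) -> datetime:
    """Parse a STIX timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised STIX timestamp: {value}")


def ingest_bundle(bundle: dict, now: datetime) -> dict[str, set[str]]:
    """Collect block-list entries from the indicators in a bundle.

    Revoked indicators and indicators whose valid_until has passed are dropped,
    so a stale entry never keeps blocking traffic after its feed retired it."""
    lists: dict[str, set[str]] = {"ip": set(), "domain": set()}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        valid_until = obj.get("valid_until")
        if valid_until and parse_ts(valid_until) <= now:
            continue  # expired: do not carry it into the active list
        for kind, value in parse_pattern(obj.get("pattern", "")):
            if kind in ("ipv4-addr", "ipv6-addr"):
                lists["ip"].add(value)  # single address or CIDR range
            else:
                lists["domain"].add(value.lower())
    return lists


# Constructed sample bundle: documentation IP ranges, placeholder ids and hash.
SAMPLE_BUNDLE = {
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "identity", "id": "identity--00000000-0000-4000-8000-000000000001",
         "name": "Example Feed"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2020-05-01T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'C2.example'] OR "
                    "[ipv4-addr:value = '198.51.100.0/24']",
         "valid_from": "2020-05-01T00:00:00Z", "valid_until": "2020-06-01T00:00:00Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern": "[ipv4-addr:value = '192.0.2.9']",          # already expired
         "valid_from": "2020-03-01T00:00:00.000Z", "valid_until": "2020-04-01T00:00:00.000Z"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000005",
         "pattern": "[domain-name:value = 'old.example']",      # withdrawn by the feed
         "valid_from": "2020-05-01T00:00:00.000Z", "revoked": True},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000006",
         "pattern": "[file:hashes.'SHA-256' = 'PLACEHOLDER_HASH']",  # not an IP/domain
         "valid_from": "2020-05-01T00:00:00.000Z"},
    ],
}


def sample_lists() -> dict[str, set[str]]:
    """Run the ingest over the constructed bundle as of 2020-05-06."""
    return ingest_bundle(SAMPLE_BUNDLE, datetime(2020, 5, 6, tzinfo=timezone.utc))


if __name__ == "__main__":
    for name, entries in sample_lists().items():
        print(name, sorted(entries))
```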


In addition to being the Bandura Cyber TIG’s threat intelligence command and control center, GMC also provides the capability for customers to easily integrate their own sources of threat intelligence (See Figure 3). Common examples include:

■ Third-Party Threat Feeds. Integration of third-party threat feeds a customer is already using

■ TIPs & SIEMs. Integration with threat intelligence platforms and SIEMs

■ Custom Blacklists. Creation and integration of custom blacklists

While Bandura Cyber TIG’s threat intelligence aggregation capabilities significantly ease the management of threat intelligence, it also enables analytics to be applied to a wide range of threat intelligence, which serves to increase the context of the threat intelligence. For example, if an IP or domain indicator is appearing on an increasing number of threat feeds, this provides valuable context that influences the level of maliciousness ascribed to that indicator.

THREAT INTELLIGENCE ACTION

Arguably, the most critical aspect of threat intelligence is the ability to take action at the scale required to protect your network. The Bandura Cyber TIG adds this critical element, enabling you to filter network traffic based on massive volumes of threat intelligence in an easy, scalable, and automated way that can’t be done with existing security tools, such as NGFWs.

Bandura Cyber TIG filters inbound and outbound network traffic based on IP and domain threat indicators, allowing or denying network connections based on one or a combination of the following factors:

■ Presence on a blacklist, whitelist, and graylist

■ Reputation-based scoring threshold (e.g. block botnets with a score of 90 and above)

■ GEO-IP (country source)

■ Autonomous System Number (ASN)

Figure 3: Customized Threat Lists


Bandura Cyber TIG enables threat intelligence-based blocking of inbound threats, such as port scanning, network probes, and other malicious IPs attempting to enter your network. Bandura Cyber TIG also enables the blocking of outbound connections to malicious IPs and domains, such as an attempted outbound request to an IP associated with a malicious command and control server. For outbound traffic, Bandura Cyber TIG acts as a transparent DNS proxy, enabling you to block outbound connections to malicious domains.

Bandura Cyber TIG can drop connections silently without any response or send an ICMP unreachable message or TCP reset back to the sender.

For customers that don’t want to deploy Bandura Cyber TIG in-line, the solution can be deployed in monitor-only mode off of a network tap or SPAN port. This provides organizations with visibility into network activity but limited enforcement capabilities via TCP resets.

WHITELISTS & EXCEPTION LISTS

Bandura Cyber TIG also offers robust whitelist and exception list capabilities, enabling users to allow traffic from trusted sources. One cool feature of Bandura Cyber TIG is the dynamic whitelisting capabilities available via GMC. This feature enables users to automate the whitelisting of a domain and its associated IPs.

RISK ADJUSTMENTS

Another cool feature that can be accessed through the Bandura Cyber GMC is Risk Adjustments. The Risk Adjustments feature enables users to set risk score adjustments for ASN and country. This feature enables the whitelisting or blacklisting of entire ASNs. This combined with GEO-IP capabilities provides flexible policy control. For example, through an ASN Risk Adjustment, you can block a country but whitelist an organization based on ASN. Conversely, you could allow a country but blacklist specific organizations based on ASN.

Risk Adjustments also represent scoring adjustments that are applied to the reputation scores of indicators. For example, if a specific country or organization (ASN) is deemed to have become more malicious, one can apply a Risk Adjustment to increase the score of traffic from that country or organization, and vice versa.
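The decision logic described in the Action, Whitelist and Risk Adjustments sections above, as an added model in code (not Bandura Cyber's own implementation): whitelist and blacklist membership, GEO-IP country blocking with ASN exceptions, a risk threshold over per-category reputation scores (1 = benign, 100 = malicious), and Risk Adjustments that shift a score by country or ASN. The evaluation order (whitelist, blacklist, GEO-IP, reputation) and all field names are assumptions of this model; the policy and connections are constructed, using documentation IP ranges, reserved ASNs and user-assigned country codes.

```python
"""Added example (not Bandura Cyber's code): a model of the allow/deny decision
this brief describes, combining whitelist and blacklist membership, GEO-IP
country blocking with ASN exceptions, a reputation risk threshold and
Risk Adjustments by country or ASN.

Assumptions: the evaluation order and field names are this model's own; all
policy and connection data below is constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Connection:
    """One connection request, enriched the way the gateway's feeds would see it."""
    ip: str
    country: str                     # GEO-IP country code of the source
    asn: int                         # originating autonomous system
    category: Optional[str] = None   # reputation category, None if unscored
    score: int = 1                   # feed score, 1 = benign ... 100 = malicious


@dataclass
class Policy:
    """Hypothetical policy object modelling the knobs the brief describes."""
    blacklist: list = field(default_factory=list)       # CIDRs, always deny
    whitelist: list = field(default_factory=list)       # CIDRs, always allow
    blocked_countries: set = field(default_factory=set)
    asn_exceptions: set = field(default_factory=set)    # allowed despite a country block
    active_categories: set = field(default_factory=set)
    risk_threshold: int = 90                            # deny at adjusted score >= this
    country_adjust: dict = field(default_factory=dict)  # Risk Adjustment by country
    asn_adjust: dict = field(default_factory=dict)      # Risk Adjustment by ASN


def in_list(ip: str, cidrs: list) -> bool:
    """True if ip falls inside any CIDR (or single address) in the list."""
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def adjusted_score(conn: Connection, pol: Policy) -> int:
    """Feed score plus country and ASN Risk Adjustments, clamped to 1..100."""
    raw = conn.score + pol.country_adjust.get(conn.country, 0) + pol.asn_adjust.get(conn.asn, 0)
    return max(1, min(100, raw))


def decide(conn: Connection, pol: Policy) -> tuple[str, str]:
    """Return (verdict, reason) for one connection under the policy."""
    if in_list(conn.ip, pol.whitelist):
        return "allow", "whitelist"
    if in_list(conn.ip, pol.blacklist):
        return "deny", "blacklist"
    if conn.country in pol.blocked_countries:
        if conn.asn in pol.asn_exceptions:
            return "allow", f"country {conn.country} blocked, ASN {conn.asn} excepted"
        return "deny", f"GEO-IP country {conn.country}"
    if conn.category in pol.active_categories:
        score = adjusted_score(conn, pol)
        if score >= pol.risk_threshold:
            return "deny", f"{conn.category} score {score} >= threshold {pol.risk_threshold}"
    return "allow", "no policy match"


# Constructed policy: ZZ/YY are user-assigned country codes, ASNs are reserved.
SAMPLE_POLICY = Policy(
    blacklist=["203.0.113.0/24"],
    whitelist=["198.51.100.10/32"],
    blocked_countries={"ZZ"},
    asn_exceptions={64496},
    active_categories={"botnet", "scanner"},
    risk_threshold=90,
    country_adjust={"YY": 15},      # treat country YY as riskier
    asn_adjust={64500: -20},        # trusted partner network, scored down
)

SAMPLE_CONNECTIONS = [
    Connection("198.51.100.10", "ZZ", 64496, "botnet", 99),  # whitelist wins
    Connection("203.0.113.7", "YY", 64499),                 # blacklist
    Connection("192.0.2.1", "ZZ", 64497),                   # blocked country
    Connection("192.0.2.2", "ZZ", 64496),                   # country blocked, ASN excepted
    Connection("192.0.2.3", "YY", 64498, "botnet", 80),     # 80 + 15 = 95, denied
    Connection("192.0.2.4", "YY", 64500, "botnet", 92),     # 92 + 15 - 20 = 87, allowed
    Connection("192.0.2.5", "YY", 64498, "phishing", 99),   # category not active
]


def evaluate_samples() -> dict[str, str]:
    """Map each sample source IP to its verdict under SAMPLE_POLICY."""
    return {c.ip: decide(c, SAMPLE_POLICY)[0] for c in SAMPLE_CONNECTIONS}


if __name__ == "__main__":
    for c in SAMPLE_CONNECTIONS:
        verdict, reason = decide(c, SAMPLE_POLICY)
        print(f"{c.ip:15} {verdict:5} {reason}")
```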

NGFWs & Threat Intelligence Performance Limitations

The inevitable next question is, “Isn’t this what my next gen firewall should do?” The answer is that it should, but it doesn’t. While NGFWs offer a plethora of their own threat intelligence, for performance reasons, most NGFWs can only handle a few hundred thousand third-party indicators. Even if we were to assume this number was a few million, this is insufficient in light of threat feeds that commonly range in the millions. For example, Webroot’s BrightCloud IP Reputation feed ranges from four to six million IPs at any given moment.

NGFWs & Policy Management Issues

Even if we set aside the scale problem, NGFWs were not designed to operate in a world where access control lists, blacklists, and policies are highly dynamic. The end result is a cumbersome process for managing lists and policies that involves a high degree of manual work for already overburdened staff and introduces the risk of security coverage gaps driven by manual response times and potential configuration errors.


AUTOMATED BLOCKING OF IPS AND DOMAINS FROM OTHER SECURITY SYSTEMS

As mentioned previously, Bandura Cyber TIG is an open platform that easily integrates with other security solutions. The Bandura Cyber REACT capability enables Bandura Cyber TIG to automatically ingest malicious IPs and domains from other security systems including SIEMs, Security Orchestration Automation & Response (SOAR) solutions, NGFWs, IPS, endpoint, and other security controls. REACT enables organizations to programmatically integrate Bandura Cyber TIG with other security controls, enabling automated and semi-automated blocking of malicious IPs and domains detected by these systems. Organizations can also manually add entries to REACT. REACT enables the use of automation to improve the time from detection to response.

FLEXIBLE AND SCALABLE SOLUTIONS

Bandura Cyber TIG is easy to deploy, with installations typically taking 30 minutes or less. The Bandura Cyber TIG offers flexible and scalable deployment options, depending on an organization’s preferences and goals. Typically deployed between the firewall and the external network, the Bandura Cyber TIG acts as an OSI Layer 2 network bridge, protecting the network while remaining invisible to the internet. Alternatively, the solution can be deployed behind your firewall, providing visibility into threats and unwanted traffic that are bypassing your firewall.

FIGURE 4: The Bandura Cyber TIG In Action


The Bandura Cyber TIG is currently available on dedicated appliances that span three network throughput levels, including 500 Mbps, 1 Gb, and 10 Gb. We also offer a 1 Gb Bandura Cyber TIG virtual appliance for VMware. Over the next several months, we will be launching Bandura Cyber TIG for public cloud environments, including Amazon Web Services, Microsoft Azure, and Google Cloud.

From a network deployment perspective, Bandura Cyber TIG is predominantly deployed in-line in front of the firewall. In this configuration, the Bandura Cyber TIG serves as a first line of defense, blocking known threats ahead of the firewall and reducing the need for more processor-intensive deep packet inspection (DPI) cycles that are conducted by an NGFW or an intrusion prevention system (IPS). While Bandura Cyber TIG is most commonly deployed in front of the firewall, the Bandura Cyber TIG can also be deployed behind the firewall as well as in other parts of the network.

POWERFUL BUT EASY-TO-USE MANAGEMENT, LOGGING, AND REPORTING

The Bandura Cyber TIG is not only easy to deploy but is also easy to manage. The solution provides a rich array of data that is showcased via intuitive dashboards and robust reporting.

SIMPLIFIED, CENTRALIZED MANAGEMENT

The Bandura Cyber TIG is easily managed utilizing the Global Management Center (GMC). The Bandura Cyber Global Management Center (GMC) provides a single point-of-control for configuration, management, and reporting, as well as managing multi-Bandura TIG deployments—whether on premises, on a virtual machine, or in the cloud.

FIGURE 5: Flexible Deployment Options

Bandura Cyber TIG does not replace an NGFW or an IPS, rather, it complements these solutions. The Bandura Cyber TIG does not provide deep packet inspection (DPI), a critical component of network protection. However, DPI is also performance-intensive, typically resulting in a 50%+ throughput reduction when the threat prevention capabilities of NGFWs are turned on. Customers that deploy the Bandura Cyber TIG typically find an improvement in the efficiency of their firewalls, reducing the need to upgrade expensive firewall equipment. By allowing the Bandura Cyber TIG to block the massive volume of known threats at the perimeter, the Bandura Cyber TIG enables the NGFW to focus more resource intensive DPI inspection cycles on a reduced amount of cleaner traffic.


GMC not only provides single pane-of-glass management but also enables consistent security policies to be deployed across on premises and cloud environments, as well as across multi-cloud environments. The Bandura Cyber GMC delivers:

■ Simplified initial set-up and configuration

■ A graphical dashboard providing up-to-the-minute stats and summaries

■ User-friendly configuration options for policy, devices, lists, risks, and accessibility rules

■ Comprehensive logging utility

■ Pre-configured and advanced reporting

RICH LOG DATA

The Bandura Cyber TIG provides a rich array of log information that can be leveraged for threat detection and investigations as well as threat hunting. Bandura Cyber TIG logs every connection request, providing details on:

■ Source and destination IP

■ Source and destination port

■ Protocol

■ ASN

■ Risk information including threat category, score, and the risk threshold

Users can drill down into specific IPs and domains to gain more granular information. Bandura Cyber TIG log information is easily exported via syslog, enabling organizations to analyze and correlate Bandura Cyber TIG’s threat intelligence-driven network context with their other security data.

FIGURE 6: The GMC Dashboard


ABOUT BANDURA CYBER

Bandura Cyber enables companies of all sizes to use and take action with threat intelligence in an easy, automated, and scalable way, improving network protection and the efficiency of security operations. Based on patented technology, the Bandura Cyber TIG solution is purpose-built to filter network traffic against a massive volume of threat intelligence (IP and domain indicators). Bandura Cyber TIG aggregates, automates, and operationalizes massive amounts of threat intelligence, blocking known threats and unwanted traffic in a more efficient way than traditional network security controls.

The Bandura Cyber TIG helps organizations:

Strengthen Edge Defenses: Powerful day one edge protection with significant “out of the box” threat intelligence from multiple sources. Easily integrate and take action on threat intelligence from any source, providing threat intelligence flexibility and choice. Massively scalable, with the ability to filter traffic against over 100 million unique IP and domain indicators at near-line speeds.

Reduce Staff Workload: Helps to reduce alert overload. Eliminates manual threat feed management and reduces the burden of managing highly-dynamic access control lists (ACLs), blacklists, and firewall rules.

Maximize the Value of Current Security Investments: Increases the value of existing threat intelligence investments (feeds, SIEMs, TIPs, SOAR) through automated threat detection and blocking, and enhanced threat intelligence-driven context. Improves the ROI and efficiency of existing network security controls like Next Generation Firewalls (NGFWs) and Intrusion Prevention Systems (IPS) by reducing the volume of traffic requiring deep packet inspection and firewall rule processing.

Organizations worldwide use Bandura Cyber TIG to increase the intelligence and efficiency of their edge security. To learn more about Bandura Cyber TIG, visit banduracyber.com.

BANDURA CYBER TIG: DELIVERING ACTIONABLE THREAT INTELLIGENCE FOR COMPANIES OF ALL SIZES

WANT TO SEE A THREAT INTELLIGENCE GATEWAY IN ACTION?

REACH OUT TO BANDURA CYBER FOR MORE INFORMATION, LIVE DEMO, OR A RISK-FREE 30 DAY TRIAL OF THE BANDURA CYBER TIG.

[email protected] ext. 3