Securing the network was a major focus at the recent Black Hat 2018 conference. For vendors like ProtectWise, Awake, Webroot and Gigamon, network security is one of their main value propositions. I spoke with each company at the event. They offer distinct points of view on the state of network security and what can be done to improve it.
ProtectWise offers cloud-based Network Detection and Response (NDR). The Denver-based company has raised $77 million to date. Founded in 2013, it operated for two years in stealth mode. It has been in-market for three years.
The company originated from a series of discussions with major enterprises about the security challenges they faced. “We talked to a lot of big companies,” said Gene Stevens, Co-Founder and CTO of ProtectWise. “What emerged was truly fascinating. The biggest security challenge they had was essentially an HR problem. People building technology cannot get enough employees on board to identify and respond to network-based threats.”
With that insight, ProtectWise set out to create an improvement over what Stevens considers a deficient model of network protection. “Right now, the dominant mode of network security involves real time detection of threats as they arise,” Stevens explained. “This makes you vulnerable to targeted advanced attacks executed over a long time. Your defense tends to be myopic, like ‘is this email or packet good or bad?’ This is good for understanding and blocking attacks, but it’s not suited to advanced attacks. These are harder to investigate using existing tools.”
ProtectWise created a new way for enterprises to acquire and manage security. They shift core network security functionality away from the data center and into the cloud. As a result, the solution can be deployed on any architecture: it captures copies of network transaction data and sends them to the cloud, where ProtectWise runs analytics over the full history of that data. This provides retrospective visibility that was difficult to achieve previously with in-line, real-time-only tools. ProtectWise takes a platform approach that integrates existing endpoints, firewalls and so forth.
Rahul Kashyap, CEO of Awake Security, was also focused on the security personnel shortage. “You are never going to have enough people for the threat activity you see on the average network,” Kashyap said. “We need to augment the abilities of each network security analyst.”
Awake uses AI and machine learning (ML) to identify the most serious threats affecting the network. Many vendors at Black Hat are leveraging AI and ML, but each has its own, differentiated approach. Awake focuses on correlating device-to-device communication. “Our solution wants to understand what is normal versus what stands out that should not be happening given the nature of the devices,” Kashyap added. Awake is designed to make itself smarter over time. By compiling and continuously analyzing current and historical network data, Awake can identify and “fingerprint” attackers, learning to spot lateral movement in the network. For example, if an IoT device that normally talks only to a local controller starts sending data to a server in a foreign country, Awake will flag the deviation.
Alerts in Awake are based on correlation and interpretation. The solution is designed not to produce an excessive number of single-event alerts. Alert floods cause burnout in SecOps teams and give attackers a way to overwhelm defenses by hiding real activity in the noise.
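To make the two ideas above concrete (baseline what each device normally talks to, then raise one correlated alert per story rather than one per flow), here is an added example written for this page. It is not Awake's code and does not reflect how its models work; the flow records, the "home" country set, the device names and the thresholds are all constructed for illustration.

```python
"""Baseline device-to-device communication from past flows, score new flows
against that baseline, and collapse weak per-flow signals into one
correlated alert per (device, destination) pair.

Example code added to this article; not Awake's product code. All flow
records below are constructed."""
from collections import defaultdict

# Constructed historical flows: (src_device, destination, dst_country, bytes_out)
BASELINE_FLOWS = [
    ("cam-01", "10.0.0.5", "US", 1200),
    ("cam-01", "10.0.0.5", "US", 1100),
    ("cam-01", "nvr.corp", "US", 50000),
    ("thermo-07", "10.0.0.5", "US", 300),
    ("thermo-07", "hvac.corp", "US", 800),
    ("laptop-42", "mail.corp", "US", 4000),
    ("laptop-42", "cdn.example.net", "US", 90000),
]

# Constructed new flows to score; the camera suddenly ships megabytes abroad.
NEW_FLOWS = [
    ("cam-01", "10.0.0.5", "US", 1150),
    ("cam-01", "203.0.113.9", "XX", 2_000_000),
    ("cam-01", "203.0.113.9", "XX", 2_500_000),
    ("cam-01", "203.0.113.9", "XX", 1_800_000),
    ("thermo-07", "hvac.corp", "US", 750),
    ("laptop-42", "cdn.example.net", "US", 85000),
]

HOME_COUNTRIES = {"US"}  # assumption: where this network's traffic normally goes


def build_baseline(flows):
    """Per device: the set of peers ever seen, and the largest bytes-out seen."""
    peers = defaultdict(set)
    volume = defaultdict(list)
    for dev, dst, _country, nbytes in flows:
        peers[dev].add(dst)
        volume[dev].append(nbytes)
    max_bytes = {dev: max(v) for dev, v in volume.items()}
    return peers, max_bytes


def score_flow(flow, peers, max_bytes):
    """Return the list of ways a single flow deviates from the baseline.
    Each reason alone is weak; several together are worth an analyst's time."""
    dev, dst, country, nbytes = flow
    reasons = []
    if dst not in peers.get(dev, set()):
        reasons.append("new-peer")
    if country not in HOME_COUNTRIES:
        reasons.append("foreign-destination")
    if nbytes > 10 * max_bytes.get(dev, 0):
        reasons.append("volume-10x-baseline")
    return reasons


def correlate(flows, peers, max_bytes, min_reasons=2):
    """Group deviating flows by (device, destination) and emit one alert per
    group, and only when at least min_reasons distinct signals coincide."""
    groups = defaultdict(lambda: {"flows": 0, "bytes": 0, "reasons": set()})
    for flow in flows:
        reasons = score_flow(flow, peers, max_bytes)
        if not reasons:
            continue
        dev, dst, _country, nbytes = flow
        g = groups[(dev, dst)]
        g["flows"] += 1
        g["bytes"] += nbytes
        g["reasons"].update(reasons)
    alerts = []
    for (dev, dst), g in groups.items():
        if len(g["reasons"]) >= min_reasons:
            alerts.append({"device": dev, "dest": dst, "flows": g["flows"],
                           "bytes": g["bytes"], "reasons": sorted(g["reasons"])})
    return alerts


if __name__ == "__main__":
    peers, max_bytes = build_baseline(BASELINE_FLOWS)
    for alert in correlate(NEW_FLOWS, peers, max_bytes):
        print(alert)
```

Run as written, the three camera flows to 203.0.113.9 produce a single alert carrying all three reasons, while the known, in-country, normal-volume flows produce nothing. A real system would replace the "max bytes seen" and "10x" heuristics with proper per-device models, but the shape (baseline, per-flow scoring, correlation before alerting) is the point.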
Architecturally, Awake works through an OS-agnostic network traffic analysis plug-in. It’s agentless, which makes it lightweight and relatively easy to manage and change. “We light up the network and tell you what’s going on,” Kashyap said. The plug-ins enumerate all the assets on the network and learn which is communicating with which. “People sometimes find things they didn’t realize were on their networks,” Kashyap noted. “Or, they’d forgotten. Without really doing much, we can quickly reveal previously unknown attack surfaces. That’s already a win for most SecOps teams.”
“Security has been too ad hoc,” said Shehzad Merchant, CTO of Gigamon. “We see this so often. An enterprise has deployed a set of boxes that then must contend for access to traffic. Security solutions are challenged to keep up with traffic volume, but the solution is to throw more tools at the problem. This results in a tension between network and security operations.” A better approach, in his view, is to get access to network data and then distribute it for analysis. This is the Gigamon model.
Gigamon, which recently acquired Iceberg, enables users to select their own security and analytics tools. “This solves a lot of problems,” Merchant added. “You can load balance. You can change tools. We’re agnostic.” Their approach leads to what Merchant calls a convergence of security and network operations. “With our next generation packet broker, you can more easily see threats across cloud, hybrid and on-premises environments. You can deploy resources faster where they’re needed.” With Gigamon, each security tool receives only the traffic it is meant to see. SSL/TLS decryption is handled once, at the broker, rather than the alternative, in which every tool decrypts the same sessions independently.
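The packet-broker model described above has two parts worth seeing in code: per-tool filtering, so a DLP or DNS tool only receives its share of the tap feed, and load balancing across tool instances. The one detail practitioners get wrong is that the balancing hash must be symmetric, otherwise the two directions of a connection land on different IDS instances and neither sees the whole session. The example below is written for this article; it is not Gigamon's software, and the flow tuples, tool names and match policies are constructed. Decryption is left out; the assumption here is that the broker has already done it once and is handing out cleartext.

```python
"""Simulate a packet broker: filter one tap feed per tool policy and spread
matching flows across tool instances with a direction-independent hash.

Example code added to this article; not Gigamon's code. Flows and tool
policies are constructed."""
import hashlib

# Constructed flow 5-tuples: (src_ip, dst_ip, proto, src_port, dst_port)
FLOWS = [
    ("10.1.1.10", "93.184.216.34", "tcp", 51000, 443),
    ("93.184.216.34", "10.1.1.10", "tcp", 443, 51000),  # reverse direction
    ("10.1.1.11", "10.1.1.25", "tcp", 52000, 25),
    ("10.1.1.12", "10.1.1.53", "udp", 53000, 53),
    ("10.1.1.13", "10.1.1.80", "tcp", 53001, 80),
]

# Each tool declares what it is meant to see and how many instances it runs.
TOOL_POLICY = {
    "ids": {"match": lambda f: True, "instances": 2},
    "dlp": {"match": lambda f: f[2] == "tcp" and bool({f[3], f[4]} & {25, 80, 443}),
            "instances": 1},
    "dns": {"match": lambda f: f[2] == "udp" and 53 in (f[3], f[4]),
            "instances": 1},
}


def symmetric_hash(flow):
    """Hash the 5-tuple so A->B and B->A produce the same value.
    Sorting the two (ip, port) endpoints makes the key order-independent."""
    src, dst, proto, sport, dport = flow
    a, b = sorted([(src, sport), (dst, dport)])
    key = f"{a[0]}:{a[1]}|{b[0]}:{b[1]}|{proto}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def distribute(flows, policy=TOOL_POLICY):
    """Return {tool: {instance_index: [flows]}}: every tool sees only flows
    its policy matches, spread across its instances by symmetric hash."""
    out = {tool: {i: [] for i in range(p["instances"])}
           for tool, p in policy.items()}
    for flow in flows:
        for tool, p in policy.items():
            if p["match"](flow):
                idx = symmetric_hash(flow) % p["instances"]
                out[tool][idx].append(flow)
    return out


def same_instance(flow_a, flow_b, instances):
    """True when both flows hash to the same instance of an n-way tool."""
    return symmetric_hash(flow_a) % instances == symmetric_hash(flow_b) % instances


if __name__ == "__main__":
    for tool, buckets in distribute(FLOWS).items():
        for idx, fl in buckets.items():
            print(tool, idx, [f"{f[0]}:{f[3]}->{f[1]}:{f[4]}" for f in fl])
```

Running it shows the IDS receiving all five flows split over two instances with both halves of the HTTPS session on the same instance, the DLP tool receiving only the four TCP mail/web flows, and the DNS tool receiving only the UDP/53 flow. Swap the sorted endpoints for a plain `(src, dst)` key and the two directions of the first connection can land on different IDS instances, which is the failure a real broker deployment must avoid.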
Webroot sees things a little differently. They’re not a pure network security vendor, but their predictive threat intelligence offerings figure into network security. Using AI, they are able to identify threats lurking amid billions of web pages worldwide. Armed with threat data, network admins are better able to block malicious content and traffic.
The company takes a broader view, however. “Network security today needs to start with a realization that the perimeter model is dead,” said Gary Hayslip, CISO of Webroot. “Rather, we need to be secure at the data layer. It’s a dynamic process. Data is like water that flows between business units. What’s important? What data can third parties access? That’s where we need to focus our security efforts. It’s all about visibility.” These perspectives are informing the Webroot strategy and roadmap.