The introduction of AIF comes at a time when organisations are feeling ill-prepared for the variety of threats targeting their networks. According to a recently released global survey of CISOs and senior IT executives that was sponsored by Arbor and conducted by the Economist Intelligence Unit, only 17 percent of business leaders feel fully prepared for an incident. The report, titled Cyber Incident Response: Are business leaders ready?, also found that 41 percent of business leaders said a better understanding of potential threats would help them feel better prepared to respond to those threats. The ATLAS Intelligence Feed is aimed at exactly that gap in visibility and threat context.
Dynamic, Global Attack Intelligence
Arbor Networks has built a large, global intelligence network centred around ATLAS, a unique collaboration with nearly three hundred service provider customers who have agreed to share anonymised traffic data with Arbor. This traffic data set, totaling 80Gbps, is combined with information from a global honeypot network of sensors in dark IP address space as well as strategic partnerships, such as the Red Sky Alliance.
This rich data set is then turned into actionable intelligence through ongoing research and analysis performed by Arbor’s Security Engineering & Response Team (ASERT). ASERT is one of the largest dedicated research organisations in the security industry: 25 security analysts with backgrounds ranging from Fortune 25 Computer Emergency Response Teams (CERTs) to former law enforcement, threat mitigation vendors and well-known malware researchers. Viewing the attack landscape through this security lens, and using custom tools for malware indexing and botnet simulation, ASERT develops threat intelligence for customers, complete with the security context required to detect and stop specific threats and to continuously improve their security posture over time.
“Many vendors can identify attacks and create signatures that can recognise and block these attacks, but this is an outdated and reactive approach. What ASERT does is not only identify attacks, but analyse and catalog attack infrastructures and methods so that more proactive security policies can be deployed by customers. Context matters. We’re not just looking at a botnet or piece of malware, but reverse engineering entire botnets and malware families,” said Arbor Networks Director of Security Research, Dan Holden.
In addition to updating security policies in Arbor’s products, ASERT shares this operational intelligence with hundreds of international CERTs and with thousands of network operators around the world. Examples of ASERT’s unique insight and analysis can be found on their blog. Recently published research includes a detailed look at Point of Sale malware, NTP reflection/amplification DDoS attacks and the Zeus Gameover banking Trojan.
True Reputation Analysis Enhances ATLAS Intelligence Feed
On a daily basis, ASERT gathers more than 100,000 malware samples from ATLAS and other sources, with a focus on Advanced Persistent Threats, geo-political campaigns, financial fraud and DDoS. The malware samples are run through an automated threat analysis system where they are classified. Unique attacks are stored in a database that now holds millions of such analyses. When a new botnet or application-layer attack is detected, an attack policy is created, distributed and installed in Arbor’s Pravail products via the ATLAS Intelligence Feed.
Unlike many other solutions, which rely on signatures for policy creation, ASERT assigns reputation policies based on actual malware reverse engineering and botnet analysis. Rather than relying purely on signatures or commonly used industry lists, ASERT has engineered a high-fidelity threat identification pipeline. ASERT collects security data from hundreds of thousands of malware samples and other threat intelligence. The data and indicators are analysed using a rich malware analysis and patent-pending backend system comprised of both external partner technology and internally built analysis and processes. Key indicators of an attack are extracted; these can include IP addresses, ports, domain names, URLs or regular expressions. To ensure the most comprehensive analysis, ASERT compares the identified attack indicators with other industry reports, as well as data from the Red Sky Alliance. Because network indicators such as IP addresses and domains go stale quickly as attackers rotate infrastructure, the team classifies and categorises these indicators into policies that are uploaded at multiple daily intervals to Pravail appliances via the ATLAS Intelligence Feed. AIF provides the backbone of security data for Pravail, enabling rapid detection of attack activity with the detail needed to prioritise and remediate.
Arbor’s Pravail Product Family
“Organisations are looking for solutions that help them deal with the problem of advanced threats hidden within their networks. Arbor has a unique combination of NetFlow, packet capture and global threat intelligence from their ATLAS infrastructure to address today's dynamic threats that evade signature-based solutions,” said John Grady, research manager for Security Products at IDC.
Informed by the knowledge and expertise of ATLAS and ASERT, Arbor’s Pravail products are designed to protect enterprises against advanced threats and DDoS attacks.
Pravail® Network Security Intelligence acts as the central nervous system for security deployments. It sits inside the network and collects information on network traffic patterns and security events that are occurring throughout the network, alerting security teams to those events that indicate an attack or breach is in progress. Pravail Network Security Intelligence helps customers protect intellectual property and data from theft or loss caused by advanced malware threats, internal network misuse or abuse, or via infected mobile devices connected to the network.
Pravail Security Analytics brings meaningful context to massive amounts of data so that security teams can focus on the critical few, react faster and identify the threats lurking within their network environment before they impact the business. It can be used for real-time attack response decisions, and because the data is retained for future review, it can be replayed against the latest threat intelligence to surface attacks that were missed at the time. Pravail Security Analytics also enables customers to perform forensic analysis to determine the effectiveness of controls, tighten security and support various compliance requirements.
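As an added illustration of the two mechanisms described on this page, indicator-based reputation policies built from IP addresses, ports, domains, URLs and regular expressions (under True Reputation Analysis above) and replaying stored traffic records against an updated feed (this section), the following Python is example code written for this page. It is not Arbor's AIF or Pravail code. The feed tuple format, the policy names, the event records and the rule that a port indicator only refines an IP or domain hit are all constructed assumptions of this example.

```python
# Added example, not Arbor/ASERT code: a minimal indicator matcher plus a
# retrospective re-hunt over stored events when the feed is updated.
# Feed format (type, value, policy), policy names and events are constructed.
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Policy:
    """One reputation policy: a named attack and the indicators that identify it."""
    name: str
    nets: list = field(default_factory=list)      # ip_network objects; single IPs become /32
    domains: set = field(default_factory=set)     # matched on the host or any parent domain
    urls: set = field(default_factory=set)        # exact URL match
    patterns: list = field(default_factory=list)  # compiled regexes applied to the URL
    ports: set = field(default_factory=set)       # refine only: a bare port never fires


def load_feed(entries):
    """Group (type, value, policy) feed entries into Policy objects."""
    policies = {}
    for kind, value, name in entries:
        pol = policies.setdefault(name, Policy(name))
        if kind == "ip":
            pol.nets.append(ipaddress.ip_network(value, strict=False))
        elif kind == "domain":
            pol.domains.add(value.lower().rstrip("."))
        elif kind == "url":
            pol.urls.add(value)
        elif kind == "regex":
            pol.patterns.append(re.compile(value))
        elif kind == "port":
            pol.ports.add(int(value))
        else:
            raise ValueError(f"unknown indicator type {kind!r}")
    return list(policies.values())


def host_matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one (label-wise, not substring)."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def policy_hits(policy, event):
    """Any IP/domain/URL/regex indicator suffices; listed ports then narrow the hit.
    A port on its own is never evidence (every client talks to 443)."""
    dst = ipaddress.ip_address(event["dst_ip"])
    url = event.get("url") or ""
    hit = (
        any(dst in net for net in policy.nets)
        or (event.get("host") and host_matches(event["host"], policy.domains))
        or url in policy.urls
        or any(p.search(url) for p in policy.patterns)
    )
    if hit and policy.ports:
        hit = event["dst_port"] in policy.ports
    return bool(hit)


def hunt(events, policies, already_alerted):
    """Scan stored events; return (event_id, policy) pairs not alerted on before."""
    new = []
    for ev in events:
        for pol in policies:
            key = (ev["id"], pol.name)
            if key not in already_alerted and policy_hits(pol, ev):
                already_alerted.add(key)
                new.append(key)
    return new


# Constructed feed snapshot for day 1, and day 2 with one indicator added
# after new sample analysis (documentation/test address ranges only).
FEED_DAY1 = [
    ("ip", "203.0.113.0/24", "botnet-c2"),
    ("port", "8080", "botnet-c2"),
    ("domain", "bad-example.test", "pos-malware"),
    ("regex", r"/gate\.php\?id=[0-9a-f]{32}", "pos-malware"),
]
FEED_DAY2 = FEED_DAY1 + [("url", "http://198.51.100.7/update.bin", "dropper")]

# Constructed stored flow/proxy records, as an analytics store would retain them.
EVENTS = [
    {"id": 1, "dst_ip": "203.0.113.5", "dst_port": 8080, "host": None, "url": None},
    {"id": 2, "dst_ip": "203.0.113.5", "dst_port": 443, "host": None, "url": None},
    {"id": 3, "dst_ip": "192.0.2.10", "dst_port": 80, "host": "cdn.bad-example.test",
     "url": "http://cdn.bad-example.test/a"},
    {"id": 4, "dst_ip": "192.0.2.11", "dst_port": 80, "host": "example.org",
     "url": "http://example.org/gate.php?id=0123456789abcdef0123456789abcdef"},
    {"id": 5, "dst_ip": "198.51.100.7", "dst_port": 80, "host": "198.51.100.7",
     "url": "http://198.51.100.7/update.bin"},
    {"id": 6, "dst_ip": "198.51.100.8", "dst_port": 8080, "host": None, "url": None},
]


def demo():
    """Day 1 hunt, then a re-hunt of the same stored events with the day-2 feed."""
    seen = set()
    day1 = hunt(EVENTS, load_feed(FEED_DAY1), seen)
    day2 = hunt(EVENTS, load_feed(FEED_DAY2), seen)   # only event 5 is new
    return day1, day2


if __name__ == "__main__":
    print(demo())
```

The re-hunt on day 2 re-reads the retained events rather than only new traffic, so the download recorded in event 5 on day 1 is flagged once the feed learns the URL; events already alerted on are not re-reported, and event 6 shows why a port indicator is deliberately not allowed to fire on its own.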
A free demo of the Pravail Security Analytics cloud solution is available that leverages pre-existing data sets. This enables the user to test drive the solution and see its powerful capabilities firsthand. A free trial of the cloud solution is also available, enabling users to quickly analyse their own network packet captures for threats, anomalies and misuse. The free trial allows users to upload up to 1GB of their data for 30 days.
The Pravail Availability Protection System helps secure the enterprise perimeter from threats to the availability of a business' applications and services -- in essence, its livelihood. Specifically, the Pravail Availability Protection System helps protect enterprises against application-layer DDoS attacks, and was built to stop attacks promptly without upfront configuration or any user interaction. It delivers DDoS attack identification and mitigation capabilities that can be rapidly deployed, even during an attack.