Five things to know about NETSCOUT Arbor Edge Defense
7 February 2019
NETSCOUT AED serves as the first and last line of defence against multiple types of inbound and outbound threat.
NETSCOUT AED occupies a unique position on the network edge, lying outside the firewall, between the enterprise and the internet. Why is this important? Read on for five ways that AED redefines the cyber-security stack to serve as the first and last line of defence against multiple types of inbound and outbound threat.
- AED is built for a new era of internet-scale threats. As the architecture of enterprise networks changes, so too do the increasingly sophisticated and persistent techniques of attackers. “Data centre and network architectures have distributed toward the edge, straining traditional perimeter enforcement points,” said Jeff Wilson, IHS Markit Research Director for Cybersecurity.
Today’s campaigns target a wide variety of sources for a wide variety of reasons, from increasing geopolitical unrest to intellectual property theft. Attackers often use supply chains as a conduit, a tactic that allows them to attack their main target via the intertwined relationships of partners and suppliers.
Threat actors continue to expand and weaponise their capabilities, as traditional malware adds worm modules, allowing the malicious software to spread faster and more easily. One example is “NotPetya”, where threat actors planted a backdoor in a popular Ukrainian accounting software package. The malware quickly proliferated across Ukraine, France, Germany, Italy, Poland, the United Kingdom, Russia and the United States.
“The unique combination of stateless filtering, rigorous curation of custom threat intelligence, as well as ingestion of third-party feeds, allows NETSCOUT AED to block outbound threats with the same level of confidence [with which] they’ve been blocking inbound DDoS threats for years,” continued IHS’s Wilson.
- AED extends protection beyond the firewall. Traditional perimeter security devices such as next-gen firewalls, intrusion prevention solutions, and load balancers are susceptible to botnet-driven state-exhaustion attacks. In fact, NETSCOUT’s 13th Annual Worldwide Infrastructure Security Report (WISR) found that 52 per cent of enterprise respondents had firewalls that experienced a failure or contributed to an outage during a DDoS attack.
AED is deployed in front of these solutions, protecting them from DDoS attacks that target their availability. NETSCOUT’s stateless packet-processing engine detects and mitigates most DDoS attacks without tracking any session state. In the cases where tracking is required, AED stores only minimal information, and only for a short time. As a result, AED can withstand the targeted attacks that overwhelm the state tables of these other security products and threaten their availability.
- AED blocks inbound and outbound threats. In addition to protecting perimeter solutions from availability-based threats such as DDoS attacks, AED adds a layer of enforcement by blocking communications to known suspicious destinations. Operationalising these reputation lists, commonly referred to as indicators of compromise (IoCs), is best done on stateless devices, because of the speed and scale at which the lists have to be matched against traffic.
Detecting and disrupting command-and-control communications at the edge requires stateless packet processing at internet scale. AED is a purpose-built device designed to keep pace with attackers as they evolve their tradecraft, and it removes the performance burden of asking stateful devices to perform functions that lie outside their primary purpose.
- Automated threat mitigation. AED is enhanced by threat intelligence via the ATLAS Intelligence Feed (AIF). Developed by NETSCOUT’s ATLAS Security Engineering & Response Team (ASERT), AIF includes geolocation data and automates the identification of attacks from known botnets and malware while ensuring that updates for new threats are automatically delivered without intrusive software upgrades.
Extending this enforcement, AED supports standards such as STIX/TAXII for ingestion of third-party threat intelligence. It also provides a robust REST API to integrate threat detection and blocking telemetry into existing security operations workflows and management tools.
- AED provides actionable threat intelligence. NETSCOUT believes that effective threat intelligence not only identifies attacks, but also provides context to understand and catalogue attack infrastructure, methods and related indicators to help security professionals make faster, more confident security decisions. Contextual intelligence not only links IoCs to known threats, but also supplies current data that correlates seemingly unconnected inbound and outbound communications to expose targeted campaigns. Armed with this data, security professionals can see the bigger picture, giving them a much better chance of quickly linking inbound malicious traffic with outbound communications. Such threat intelligence is critical for quickly detecting the interrelated components of orchestrated, botnet-driven attack campaigns. It also helps them find and disrupt attacks before they do real damage.
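The outbound enforcement described in the points above (IoC lists ingested in STIX/TAXII form and applied statelessly, packet by packet), as an added example that is not NETSCOUT or AED code: a Python script that parses a constructed STIX 2.1 indicator bundle, keeps only live indicators (dropping revoked and expired ones), and decides block or allow for constructed outbound packet records using nothing but each packet's own fields. The TAXII transport is assumed to have already delivered the bundle; the bundle contents, the addresses (RFC 5737 documentation ranges) and the domains (.invalid) are constructed for the example.

```python
"""Added example (not NETSCOUT or AED code): STIX 2.1 indicators -> outbound
blocklist -> stateless per-packet verdict. All data below is constructed."""
import json
import re
from datetime import datetime, timezone

# Constructed STIX 2.1 bundle, shaped like a TAXII collection response.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--9c1a5c2e-0b7e-4f6a-9d2c-1f3e6a7b8c01",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0000-4000-8000-000000000001",
         "pattern_type": "stix", "valid_from": "2019-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.5']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2019-01-01T00:00:00Z",
         "pattern": "[domain-name:value = 'beacon.c2.invalid']"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2019-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.9' OR ipv4-addr:value = '198.51.100.10']"},
        # Expired indicator: valid_until has passed, so it must not block.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0000-4000-8000-000000000004",
         "pattern_type": "stix", "valid_from": "2018-01-01T00:00:00Z",
         "valid_until": "2018-06-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.200']"},
        # Revoked indicator: withdrawn by the producer, so it must not block.
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--1a2b3c4d-0000-4000-8000-000000000005",
         "pattern_type": "stix", "valid_from": "2019-01-01T00:00:00Z",
         "revoked": True,
         "pattern": "[domain-name:value = 'old.c2.invalid']"},
    ],
})

# Evaluation time for validity checks (the article's publication date).
NOW = datetime(2019, 2, 7, tzinfo=timezone.utc)

IPV4_RE = re.compile(r"ipv4-addr:value\s*=\s*'([^']+)'")
DOMAIN_RE = re.compile(r"domain-name:value\s*=\s*'([^']+)'")


def parse_stix_time(value):
    """STIX timestamps are UTC and end in 'Z'; fractional seconds are optional."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def build_blocklist(bundle_json, now=NOW):
    """Collect IPv4 and domain-name equality terms from live STIX indicators.

    Only simple equality comparisons are handled; patterns using other
    observables or operators contribute nothing rather than being half-applied.
    Returns (ip_set, domain_set)."""
    ips, domains = set(), set()
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        if "valid_until" in obj and parse_stix_time(obj["valid_until"]) <= now:
            continue
        ips.update(IPV4_RE.findall(obj["pattern"]))
        domains.update(d.lower().rstrip(".") for d in DOMAIN_RE.findall(obj["pattern"]))
    return ips, domains


def verdict(packet, ips, domains):
    """Stateless decision: only this packet's fields are consulted, no flow table.

    Subdomains of a listed name are also matched; that is a local policy choice
    here, not STIX pattern semantics (which are exact equality)."""
    if packet["dst_ip"] in ips:
        return "block", "destination %s is on the IoC list" % packet["dst_ip"]
    query = packet.get("dns_query")
    if query:
        labels = query.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in domains:
                return "block", "DNS query %s matches IoC %s" % (query, candidate)
    return "allow", ""


# Constructed outbound packet records (internal hosts in 10.0.0.0/8).
PACKETS = [
    {"src_ip": "10.0.0.15", "dst_ip": "203.0.113.5", "dst_port": 443},
    {"src_ip": "10.0.0.15", "dst_ip": "10.0.0.53", "dst_port": 53, "dns_query": "beacon.c2.invalid"},
    {"src_ip": "10.0.0.21", "dst_ip": "198.51.100.200", "dst_port": 80},
    {"src_ip": "10.0.0.21", "dst_ip": "10.0.0.53", "dst_port": 53, "dns_query": "old.c2.invalid"},
    {"src_ip": "10.0.0.30", "dst_ip": "198.51.100.10", "dst_port": 8443},
    {"src_ip": "10.0.0.30", "dst_ip": "10.0.0.53", "dst_port": 53, "dns_query": "www.example.com"},
]


def evaluate(packets=PACKETS, bundle_json=STIX_BUNDLE, now=NOW):
    """Return (action, reason) for each packet against the live blocklist."""
    ips, domains = build_blocklist(bundle_json, now)
    return [verdict(p, ips, domains) for p in packets]


if __name__ == "__main__":
    for pkt, (action, reason) in zip(PACKETS, evaluate()):
        print(action.upper(), pkt["dst_ip"], pkt.get("dns_query", ""), reason)
```

Two details are the ones a practitioner will want to check in any feed-to-blocklist pipeline: expired (valid_until) and revoked indicators are dropped before they reach the enforcement point, otherwise stale infrastructure keeps being blocked long after a producer has withdrawn it, and the matcher itself is a plain set lookup on the packet's own fields, which is what lets a stateless device apply a large list at line rate without a session table to exhaust.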
To learn more about the new era of internet-scale attacks, read NETSCOUT’s Threat Intelligence Report.
by Kevin Whalen, a business and technology writer focusing on networking and security