Recently, at Cognitio Labs, we had the opportunity to test out some new technology from an innovative cyber security solution provider, Eastwind Networks. Eastwind Networks is one of a handful of companies pioneering enterprise ready, active breach detection capabilities. The assumption behind active breach detection is that it is no longer possible to keep every threat out of your network. Instead of focusing on perimeter defense, active breach detection focuses on analyzing, in real-time, and understanding activity on your network in order to rapidly identify anomalous attack behaviors before any damage is done. Eastwind Networks hopes to achieve this by leveraging shared and centralized cloud-based data analytics to parse through the metadata associated with every packet traversing your network. The goal of these behavioral analytics and threat intelligence capabilities in Eastwind’s Breach Detection Cloud is to establish a baseline of normal behavior across both your on-premise and cloud based infrastructure so it can later alert you of anything out of the ordinary.
Eastwind offers both an on-premise sensor as well as a cloud deployable, virtual sensor. For our purposes we decided to test the on-premise sensor. The on-premise sensor deploys in a tap configuration with a very straightforward setup, requiring only a single rack unit (along with minimal associated power and cooling needs) and, of course, the ability to provide the sensor with your network traffic via a SPAN or mirror port. Once powered on and connected to the SPAN port, the sensor immediately started to process and analyze the metadata from the packets traversing our network.
Within a few minutes of deploying the sensor we logged into Eastwind’s cloud-based web portal and were presented with a dashboard outlining all of our network traffic. There are also a few options to explore: current traffic, applications, and threats- all accessible through ad-hoc data exploration and analytics. We decided to let the sensor monitor normal traffic for a few days to see what it would find. After several days we had a great picture of what was happening on our network, but still, no threats, which left us wondering if something was wrong with our configuration.
Finally, we got our first notification, there was some suspicious DNS activity on the network. This alert was soon accompanied by an email from Eastwind Networks’ threat intelligence team, providing some additional detail and context for the threat. Armed with the details about the malicious activity and the infected host, I scrambled to intervene. When sharing this information with Cognitio’s CTO, Dan Cybulski, all I received in return was a curious grin. It turns out that Dan had purposely introduced an infected host into an isolated, but monitored, part of the network.
Overall, we are pleased with Eastwind’s ease of setup and its clean user interface. We have verified, by deploying some currently known threats, that the real-time monitoring, alerting, and threat intelligence capabilities of the Breach Detection Cloud worked flawlessly. However, as with any cyber focused analytic capability, further testing will be needed to evaluate the analytic underpinnings that comprise the customized threat anomaly detection.
For more information, check out eastwindnetworks.com