Strengths: Excellent visualisation and ease of use.
Weaknesses: Pricing is a bit convoluted and the support, if one selects the Gold option, could get quite pricey we believe.
Verdict: This has long been one of our favourite products and it is well worth considering.
Catbird Secure enables automated enforcement of security policies, including microsegmentation rule sets, across Catbird TrustZones. The platform detects and alerts on potential security incidents, initiates corrective enforcement actions, provides instant compliance reporting for major standards and allows users to visualise/analyse virtual lateral traffic patterns.
Virtual machine appliances (vMA) are installed on each hypervisor and communicate securely with a control centre. The resources for a vMA start at 4 GB of memory and 2 vCPUs. Control centre requirements start at 8 GB of memory and 4 vCPUs.
We dropped into the landing page, which contained an inventory of virtual machines in the software-defined data centre. The VMs are arranged into trust zones. Policies are applied to the trust zone and they affect each of the VMs in the zone. The VMs are monitored on layers 2-4 as correlated with the hypervisor. Hypervisors supported are VMware and OpenStack, with Amazon AWS coming soon.
In addition to Catbird Secure, there is a read-only version called InSight. The purpose of InSight is to monitor the same things that Secure does - but without permitting changes to be made. Once you have your trust zones set up, you can move to the graphical interface. This is an impressive page. The GUI shows a wheel with trust zones around the perimeter. Within the wheel there are colour-coded connections between zones showing the flow activity at any given time.
The colour-coded lines are generated automatically based on raw flows between endpoints. An example might be flows showing that a firewall was misconfigured. That could mean a failed or blocked connection, or a connection that should not have been allowed. You can use the ingress-egress mappings to set up microsegmentation policies. Heavy filtering is available so you can customise with just about as much granularity as you need.
We really liked the visualisation on this one because it is clear and instantly readable. Spending a bit of time to get used to it and to how your enterprise looks when it is behaving will pay big dividends in being able to spot an anomaly quickly and effectively. We also liked the ease with which trust zones could be characterised with friendly names. It seems that just about everything about this tool is designed to make it faster and easier to spot anomalous behaviour on your enterprise.
One of the important uses of trust zones and whitelists is that you can apply policies to the zone rather than having to focus on individual assets. Whitelists, likewise, can be applied on a zone basis and zones can have their own access control lists - a sort of "zone ACL."
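To make the zone-policy idea concrete, here is an added example (our own illustration, not Catbird's code, and it assumes nothing about the product's internal formats) that models trust zones as address ranges, a zone ACL as an allow-list keyed by source and destination zone, and then correlates observed lateral flows with that policy. It also reproduces the two misconfiguration cases from the flow-visualisation discussion above: a flow the zone ACL permits but the enforcement point blocked, and a flow that crossed zones although no rule allows it. All zone names, addresses and flow records are constructed sample data.

```python
"""Zone-ACL evaluation over observed lateral flows (added illustration)."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Hypothetical trust zones: each zone is a list of VM address ranges.
ZONES = {
    "web":  [ip_network("10.0.1.0/24")],
    "app":  [ip_network("10.0.2.0/24")],
    "db":   [ip_network("10.0.3.0/24")],
    "mgmt": [ip_network("10.0.9.0/24")],
}

# Zone ACL (allow-list): (source zone, destination zone) -> permitted TCP ports.
# Any cross-zone pair or port not listed here is forbidden by policy.
ZONE_ACL = {
    ("web", "app"):  {8080},
    ("app", "db"):   {5432},
    ("mgmt", "web"): {22},
    ("mgmt", "app"): {22},
    ("mgmt", "db"):  {22},
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    action: str  # "allowed" or "blocked", as observed at the enforcement point


def zone_of(addr: str) -> Optional[str]:
    """Map an endpoint address to its trust zone, or None if it is unzoned."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return None


def classify(flow: Flow) -> str:
    """Correlate one observed flow with the zone ACL and return a verdict."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone is None or dst_zone is None:
        return "unzoned-endpoint"          # asset not yet placed in a trust zone
    if src_zone == dst_zone:
        return "intra-zone"                # zone-local traffic; outside the zone ACL's scope here
    permitted = flow.dport in ZONE_ACL.get((src_zone, dst_zone), set())
    if permitted and flow.action == "allowed":
        return "ok"
    if permitted and flow.action == "blocked":
        return "blocked-but-permitted"     # enforcement stricter than policy: likely misconfiguration
    if not permitted and flow.action == "allowed":
        return "allowed-but-forbidden"     # enforcement gap: forbidden cross-zone traffic got through
    return "blocked-ok"                    # correctly denied


def summarise(flows: List[Flow]) -> Tuple[Counter, list]:
    """Count verdicts and collect the flows an analyst should look at."""
    counts: Counter = Counter()
    findings = []
    for f in flows:
        verdict = classify(f)
        counts[verdict] += 1
        if verdict in ("blocked-but-permitted", "allowed-but-forbidden"):
            findings.append((verdict, f"{zone_of(f.src)}->{zone_of(f.dst)}", f))
    return counts, findings


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("10.0.1.10", "10.0.2.20", 8080, "allowed"),  # web->app, permitted
    Flow("10.0.2.20", "10.0.3.30", 5432, "allowed"),  # app->db, permitted
    Flow("10.0.2.20", "10.0.3.30", 5432, "blocked"),  # permitted by policy, yet blocked
    Flow("10.0.1.10", "10.0.3.30", 5432, "allowed"),  # web->db not in ACL, yet allowed
    Flow("10.0.1.11", "10.0.3.30", 22,   "blocked"),  # correctly denied
    Flow("10.0.1.10", "10.0.1.11", 80,   "allowed"),  # intra-zone
    Flow("10.0.9.5",  "10.0.3.30", 22,   "allowed"),  # mgmt->db, permitted
]

if __name__ == "__main__":
    counts, findings = summarise(SAMPLE_FLOWS)
    print(dict(counts))
    for verdict, path, flow in findings:
        print(f"{verdict:22} {path:10} {flow.src} -> {flow.dst}:{flow.dport}")
```

The two verdicts that land in `findings` correspond to what the review describes as a misconfigured firewall: the first says the enforcement point is stricter than the zone ACL, the second says it is more permissive. Keeping the ACL keyed by zone pair rather than by individual VM is what lets a new VM inherit policy simply by being placed in a zone.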
Catbird Secure can integrate with a SIEM and can be operated "headless" so that the SIEM provides the user interface. However, we like the tool's visualisation and we probably would not use it in a headless environment.
Catbird offers no-cost basic support and there is gold support available that is priced based on the environment. The gold package starts at £19,800 and the price can go up depending on environment size, platform and third-party integration options. We believe that the starting point is a bit steep but we would encourage you to determine what is included in that price relative to your individual environment. Also, we found that pricing "per hypervisor" can generate confusion as to what that actually means. Some products price by the number of cores in the host, for example. This appears to be per-host pricing without regard to how many cores are in the host or how many virtual machines it is hosting. This implies that our lab - which hosts on average 10-30 VMs set up as individual clusters - would price the same as a much larger host that hosts 150 VMs.