GuardiCore Data Centre Security Suite
This was one of our favourites because it exhibits characteristics of both active breach detection and threat deception plus a whole lot more. The GuardiCore suite detects lateral movement both within devices and within the data centre as a whole. As with other tools, it performs real-time attack analysis and forensics and adds real-time response. To do this, the suite engages with the attacker - starts detailed monitoring, not hack-back - and does detailed forensics in real time.
The suite addresses an abbreviated version of the kill chain: detect, analyse and respond. Detection focuses on all VM-to-VM traffic and looks specifically for lateral movement. Analysis uses attack semantics and generates an actionable report. And Respond mitigates spread and remediates infected hosts. Overall, the monitoring and analysis is excellent.
There are three main functions in the suite: distributed detection, centralised analysis and response. The detection is particularly interesting because it uses deception technology to simulate decoys. Once the attacker is lured to a decoy, the deception engine routes the attacker to a honeypot. This is where a lot of the attack analytics occur. The honeypots are high interaction as you would expect and they use real assets, operating systems and IPs. This works very well in hybrid environments where there is both a software-defined datacentre and a hardware datacentre.
At a glance
Product Data Centre Security Suite
Price Starts at £17,633 per year, annual subscription.
What it does Active breach detection with deception technology.
What we liked This tool is the whole package: active breach detection, deception technology, advanced analytics, forensic analysis in real time, and real-time remediation.
The suite is deployed both in the cloud and on-premises. The on-premises part resides on the hypervisor of the virtual datacentre. Analysis is done by a set of tools the company refers to as "semantic analysis" in that they analyse the semantics of an attack. The honeypots run on virtual machines.
The dashboard is clean, well-organised and very easy to read at a glance. All of the important statistics are there as well as an indication of ongoing incidents that need to be resolved. A left-hand panel contains a concise function menu and each function - such as assets - displays a series of tabs when opened. From most screens there are additional drill-downs for a lot more detail.
We liked that an incident on one honeypot can be "tagged" so that aspects of the incident can be found easily on other targets. That greatly simplifies analysis of lateral movement. On a Windows machine/VM you get a very detailed recording of the event as well as a summary. The recording can even include screen shots. In all cases where a malicious payload is unknown, the automated forensics still creates a report so that the malicious activity can be analysed.
Once the attacker is lured into a honeynet, he cannot escape back into the system. Thus, he cannot use the system as a pivot to attack upstream networks. Filtering is so easy that it can be done during an attack. We get a mental picture of the hypothetical game of chess resolving into a real back and forth between attacker and defender and the defender slowly maneuvers the attacker into a checkmate.
Event and analysis data can be exported via syslog and STIX. We really like the STIX output because once an attack, campaign, observable or actor is resolved into a STIX file, there is a wealth of information that can be shared between devices that consume STIX data format.
Setup and management is easy but, as you would expect, there is a lot of creativity available to you if you want to use it. Policy development is mostly point and click and it is easy to add and remove assets from the honeynet. One of the policies that need to be added is a set of policies for the various kinds of detectors, such as stack detectors or human attacker detector. You can create these and the suite comes with a lot of them out of the box.
These detectors really are algorithms that perform a particular collection and analysis task. Another thing we liked is that even though the attacker sees an asset and even thinks that he is manipulating it, he never actually touches a live asset since he is redirected to the honeynet. This greatly adds to the realism of the honeynet and reduces the likelihood that the attacker will discover that he has been trapped and his efforts minutely analysed. Of course, there is a PCAP (packet capture) generated for every session.
Support for the product comes in two levels: Gold and Premium, both at extra cost. Pricing is by annual subscription and is quite reasonable, and the website is very good, if a bit spartan.