In February HP Enterprise bought a startup called Niara, a behavioral security analytics firm whose software looks for evidence of attackers who have evaded firewalls and endpoint protection.
Today HPE’s Aruba networking division announced the product has been re-branded as IntroSpect, and that it can be linked to Aruba’s ClearPass network access control solutions to form what it calls a secure fabric for network protection.
It also announced a Standard version of IntroSpect for organizations that want a quicker and less expensive implementation than the full version, now called IntroSpect Advanced.
The Standard version can be implemented with as few as three data sources, such as Microsoft Active Directory or other equivalent authentication records, LDAP-based identity information, and firewall logs from sources such as Check Point or Palo Alto Networks, or Aruba monitoring (AMON) logs from Aruba mobility controllers or IntroSpect packet processors.
IntroSpect’s machine-learning algorithms generate a risk score based on an attack, which helps prioritize incident investigations for security teams.
Existing Niara users automatically move to the Advanced version.
“This is a major strategic initiative for Aruba,” Larry Lunetta, vice president security solutions marketing for Aruba, said in an interview.
“Aruba has always been very strong delivering solutions primarily to the networking part of the organization. With this announcement we’re branching out, integrating both networking and security into our solution stack.”
For most infosec pros, the interest in the announcement is the link between ClearPass and IntroSpect. ClearPass usually authorizes users and devices. But when paired with IntroSpect and its analysis capabilities it can detect attacks. As a result, said Lunetta, its “new mission is attack response. The idea is we can use ClearPass as a central location and ability to put devices and users on and off the network as part of a closed loop of attack, detection and response.”
Because ClearPass gives a rich set of information about users and devices, IntroSpect can use it in its analytics, he said. IntroSpect, which uses a Hadoop big data store, continually baselines individual entities (users/devices) over time, and also performs what Lunetta calls peer-baselining – comparing an individual’s behavior to peers, such as in a business group – to see if there are any deviations. IntroSpect Advanced can now also be configured to watch devices – cameras, heart monitors, thermostats – to see if any of them are behaving differently than others in an environment.
This better attack detection “is one unique advantage in having the products integrated,” he said.
IntroSpect also gives a security analyst the ability to create policies directing ClearPass to react to a detection, such as forcing a re-authentication, throttling bandwidth, moving a device or user to a more restricted part of the network, or blocking a user or device. IntroSpect can also be configured to alert an analyst and forward information on similar attacks and possible action from its database.
It creates what Lunetta calls a closed loop: monitoring, detection and response.
“Clearly we’re seeing IntroSpect as an attractive upgrade for those (ClearPass) customers who want to add attack detection to their environment.”
IntroSpect is priced on the number of entities (users/devices) monitored, and is sold either as software alone or in a stackable 2U appliance with Hadoop. It can also run on Microsoft Azure or Amazon AWS. The Standard version is about 60 per cent less than the Advanced version.
IntroSpect also feeds into system event management suites like HPE’s ArcSight.
Lunetta estimated an implementation could cost a small organization at least US$100,000 a year for a software licence.
Since the Niara acquisition, Aruba has been working on menu and feature-level integration between the products, as well as messaging between them, Lunetta said. “It is as seamless as we can make it given these are two product families.” So, for example, ClearPass can take an automated action which will be reflected in the IntroSpect console.
HPE Aruba also said today that IntroSpect Advanced has gained new capabilities, including:
–Dynamic machine learning, which it says allows security teams to easily customize IntroSpect’s analytical models based on the current threat environment and protection priorities. Included is “chaining,” in which the 100+ out-of-the-box machine learning models can be linked together to construct new detection scenarios and associated risk scores;
–Device Peer Grouping, which utilizes the ClearPass profiling functionality to build peer groups of devices even when known only by their IP address. For example, ClearPass will signal to IntroSpect that a device is a surveillance camera or a factory sensor, so that its behavior can be compared to its peers. Therefore, if an anomaly is not flagged in an individual profile, IntroSpect applies a second dimension of detection based on peer comparisons, which is important in extending UEBA functionality to the growing number of IoT devices.
–Integrated attack response, enabling a security analyst to perform an attack response using ClearPass directly from the IntroSpect console.