Cyber Physical Test Bench (CPTB)

The Network Application Test and Validation Engine (NATVE) (see below) provides a unified repository for understanding and controlling authorized network flows within a given enterprise network and IoT environment. This is accomplished by populating the Enterprise Flow Database (EFDB).

NATVE finally delivers a solution that can track and validate authorized application flows as well as determine IoT device DoS thresholds, and prevent adverse effects on such devices by ensuring approved protection configurations are effectively applied. This is accomplished in pre-deployment and operational systems by leveraging the EFDB and Master Console (MC) algorithms as logically illustrated.

This system can also be the source of accurate flow imports into other enterprise security tools (e.g. NIDS, NIPS, firewalls) to reduce false positives and assure an effective enterprise security posture and visibility.

Historically, next-generation firewall (NGFW) appliances were designed to deliver a very specific set of security services: firewall, intrusion prevention, and application control. Since being originally defined, the security threats and the technology available to combat those threats have significantly evolved, creating a demand for additional network firewall security services. As a result, other techniques and services have been added to basic NGFW appliances, such as SSL inspection, website filtering, QoS, antivirus inspection, and even sandboxing. While these additional services provide value to end users, they also confuse many people, making them wonder about the difference between an NGFW and a UTM appliance.

Our unique approach to network firewall security focuses on bringing best-in-class, enterprise-grade security to any organization, regardless of size or technical expertise. Ideal for SMB, midsize, and distributed enterprise organizations, our network firewall security solutions are designed from the ground up to focus on ease of deployment, use, and ongoing management, in addition to providing the strongest security possible.

Not only does TSSG offer the greatest collection of network firewall security services on a single platform, we do so in a way that has proven to be the most agile, able to adapt to new and evolving threat vectors faster than any other solution on the market. When running TSSG’s Total Security Suite, our network firewall security appliances offer the strongest firewall security against network threats.

Cauldron

Cyber situational awareness determines timeliness, cost effectiveness, and success in preparing for and responding to attacks. Corporate success depends on complex computer networks, which are vulnerable to various types of attacks. Today, situational awareness capabilities are limited in many ways, such as inaccurate, incomplete or dated vulnerability analysis, failure to adapt to evolving networks and attacks, inability to transform raw data into cyber intelligence, and inability to handle anomalous data.

Cauldron technology provides advanced capabilities for cyber situational awareness. Cauldron maps all paths of vulnerability through networks, by correlating, aggregating, normalizing, and fusing data from a variety of sources. It provides sophisticated visualization of attack paths. Flexible modeling supports multi-step analysis of firewall rules as well as host-to-host vulnerability, with attack vectors inside the network as well as from the outside.

Consider the following: the figure below is an attack graph generated by Cauldron by correlating Nessus vulnerability scans with firewall policy rules. This graph includes all reported vulnerabilities, showing all the paths along which attackers can penetrate the network, vectoring step by step from one subnet to another. There are a total of 46,000 vulnerable connections among 16 subnets, with 1,200 endpoint hosts. This visualization represents a substantial remediation effort.

Attack graph before remediation.

The management challenge is to direct remediation efforts to achieve the most effective overall results. Cauldron can identify individual vulnerabilities (or selected groups of vulnerabilities), the number of hosts affected, and the number of vulnerable connections that attackers can exploit. Sorted and grouped vulnerabilities enable modeling for the greatest impact for remediation planning.

First, prioritize by CVSS score, the traditional POA&M methodology a team typically uses for remediation. Include in the attack graph those vulnerabilities with a CVSS score above 7 (CVSS ranges from zero to 10). This approach addresses vulnerabilities rated as high, ignoring their context within our network. For vulnerabilities with CVSS > 7, we get the second attack graph below.

Attack graph after 1st analysis.

The numbers have changed but the overall security profile remains the same. There are 15 distinct vulnerabilities with CVSS > 7 that need to be remediated across the network. While these are the 15 most “critical” vulnerabilities (in terms of attack complexity, authentication required, etc., as defined by CVSS), they do not take into account the organization's access rules. The attack graph still allows nearly the same exploitation from subnet to subnet. While the remaining vulnerabilities are less critical, vulnerability to attack across subnets is nearly unchanged.

To better address vulnerabilities in the context of the network topology and access rules, select by the number of hosts with a given vulnerability. Addressing only the 3 most common vulnerabilities by host, we get the attack graph below. This remediation plan yields a significant overall improvement: after remediating only 3 vulnerabilities across the network, the number of vulnerability vectors is dramatically reduced.

Remediation after 2nd analysis - based on host vulnerabilities.

To remediate directly in the context of the attack vectors, select by the number of connections (subnet-to-subnet vulnerabilities). Remediating only the top 3 vulnerabilities by vulnerable connection, we get the attack graph below. This remediation plan yields the greatest overall improvement.

For the same remediation effort (3 vulnerabilities) as prioritizing by host, there are only a very small number of remaining paths of vulnerability through the network.

Attack graph after third analysis – based upon connection.

Given the same raw data, Cauldron has a unique ability to pinpoint the most effective use of mitigation resources. Cauldron quickly finds the critical problems and improves security posture through proactive remediation.
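The three prioritisation strategies described above (CVSS threshold, most hosts affected, most vulnerable connections) can be reproduced on a small model of scan results plus firewall policy. The following is an added example written for this page; it is not Cauldron's code and makes no claim about Cauldron's internal data model. All subnets, hosts, vulnerability ids, CVSS scores and firewall rules are constructed for illustration. A "vulnerable connection" is modelled, as in the text, as a source subnet that the firewall allows to reach a host's vulnerable service port from a different subnet; the subnet-to-subnet edges of the attack graph are the distinct (source, destination) subnet pairs those connections produce.

```python
"""Attack-graph remediation prioritisation on constructed scan + firewall data."""
from collections import Counter

# Constructed vulnerability catalogue: id -> (CVSS base score, service port exposed)
VULNS = {
    "V1": (9.8, 3389),
    "V2": (7.5, 445),
    "V3": (5.3, 80),
    "V4": (6.5, 22),
    "V5": (4.3, 8080),
    "V6": (8.1, 1433),
}

# Constructed scan results: host -> (subnet, vulnerability ids reported on it)
HOSTS = {
    "web1": ("dmz", {"V3", "V5"}),
    "web2": ("dmz", {"V3", "V5"}),
    "fs1": ("corp", {"V2", "V3"}),
    "db1": ("corp", {"V6"}),
    "intranet": ("corp", {"V3"}),
    "scada1": ("ops", {"V1", "V4"}),
    "scada2": ("ops", {"V1", "V4"}),
    "scada3": ("ops", {"V1"}),
    "cam1": ("iot", {"V3", "V4"}),
    "cam2": ("iot", {"V3", "V4"}),
}

# Constructed firewall policy: allowed (src_subnet, dst_subnet, dst_port) triples
FW_RULES = {
    ("internet", "dmz", 80), ("internet", "dmz", 8080),
    ("corp", "dmz", 80), ("corp", "dmz", 8080),
    ("ops", "dmz", 8080), ("iot", "dmz", 8080),
    ("corp", "ops", 3389), ("corp", "ops", 22),
    ("corp", "iot", 22), ("corp", "iot", 80),
    ("dmz", "corp", 445), ("dmz", "corp", 80),
    ("ops", "corp", 80), ("iot", "corp", 80),
}


def vulnerable_connections(remediated=frozenset(), vulns=VULNS, hosts=HOSTS, rules=FW_RULES):
    """Return (src_subnet, dst_host, vuln_id) triples for every cross-subnet
    path the firewall permits onto a still-unremediated vulnerable service."""
    conns = []
    for host, (dst_subnet, host_vulns) in hosts.items():
        for vid in sorted(host_vulns - set(remediated)):
            _, port = vulns[vid]
            for src, dst, rule_port in rules:
                if dst == dst_subnet and rule_port == port and src != dst:
                    conns.append((src, host, vid))
    return conns


def subnet_edges(conns, hosts=HOSTS):
    """Collapse connections to the subnet-to-subnet edges of the attack graph."""
    return {(src, hosts[host][0]) for src, host, _ in conns}


def prioritize(strategy, k=3, cvss_threshold=7.0):
    """Pick vulnerabilities to remediate under one of the three strategies.
    'cvss' takes every vulnerability scoring above the threshold; 'hosts' and
    'connections' take the top k by that count (ties broken by higher CVSS)."""
    if strategy == "cvss":
        return [v for v, (score, _) in VULNS.items() if score > cvss_threshold]
    if strategy == "hosts":
        count = Counter(v for _, (_, vs) in HOSTS.items() for v in vs)
    elif strategy == "connections":
        count = Counter(v for _, _, v in vulnerable_connections())
    else:
        raise ValueError(f"unknown strategy {strategy!r}")
    ranked = sorted(VULNS, key=lambda v: (-count[v], -VULNS[v][0]))
    return ranked[:k]


def evaluate(strategy):
    """Apply a strategy and report what remains of the attack graph afterwards."""
    chosen = prioritize(strategy)
    left = vulnerable_connections(remediated=frozenset(chosen))
    return {
        "remediated": sorted(chosen),
        "connections_left": len(left),
        "subnet_edges_left": len(subnet_edges(left)),
    }


if __name__ == "__main__":
    before = vulnerable_connections()
    print(f"before: {len(before)} vulnerable connections, "
          f"{len(subnet_edges(before))} subnet-to-subnet edges")
    for s in ("cvss", "hosts", "connections"):
        print(s, evaluate(s))
```

On this constructed data the pattern in the text reappears: the CVSS > 7 strategy remediates three vulnerabilities (V1, V2, V6) yet leaves every one of the nine subnet-to-subnet edges in place, because lower-scored vulnerabilities still provide a path along each edge; prioritising by host count removes the same number of vulnerabilities and leaves five edges; prioritising by vulnerable-connection count leaves two. The tie-break on CVSS in `prioritize` is a design choice of this example, not something the page states.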

Using the same analytical approach and including log files for activity based feeds, consider the following graph:

This visualization shows greater context and more actionable analysis by fusing endpoint data, ACL data and log-based data for IP addresses and threat vectors.

Recon Network Monitor

Developed for and used by the Intelligence Community for over 10 years, the Recon Network Monitor is a powerful passive network traffic analyzer. Recon summarizes network activity, extracts information about device and user interactions (known as metadata) and reconstructs content (what information is exchanged).

Instead of relying on logs or summaries, Recon analyzes raw network traffic. This reveals activity that has been permitted by network defenses (despite what configurations may indicate), and enables detailed analysis of traffic content.

Logic for identifying protocols and applications can be customized for the networks that are being monitored, and analysts can define their own rules for metadata extraction and information forwarding.

It reduces expenses and lowers exposure by revealing true network loads and uses, reducing the time it takes to discover network breaches, and enabling rapid assessment of network data leakages.

  • Most detailed network view available in a passive monitor
  • Agentless discovery of device and application activity
  • Investigate alerts from IDS, firewall and NetFlow systems
  • Packet collection, analysis and export
  • Analyze networks for usage, optimization

Recon for Initial Assessment

Recon is a valuable tool for conducting a survey of a network. Quickly discover what devices are on your network, how they communicate and who they communicate with. Recon’s traffic geolocation reveals where devices and applications are sending data. The system can collect data from a live network traffic tap or can process previously collected pcap files.

Recon for Continuous Monitoring

Recon allows for a configurable amount of collection capacity, making it an ideal network forensic platform. Coupled with specialized reporting, Recon empowers teams to protect and optimize critical network resources and perform detailed investigations of security events.