Network management is complex and multi-layered. Our Tech Deep Dive series is made for cloud architects, engineers, developers, operations, platform, and security teams who want the deeper technical explanation of the Aviatrix solution. We’ll explore the particular details of what makes our dataplane, feature set, and configuration work, and how they empower networking teams.
In this post, Madhuri Kaniganti, Aviatrix Director of Product Management, describes the threat detection capabilities of Aviatrix's ThreatIQ features.
Bad actors across the globe are using new strategies to evade traditional network security measures. Enterprises with sprawling cloud networks – whether they operate in a single cloud, hybrid cloud, or multicloud environment – are managing what often feels like an impossible situation:
Achieving visibility of potential threats across clouds, environments, and locations
Evaluating and analyzing all potential threats
Enforcing security policies and stopping real threats before they do damage
The threats that slip past detection can significantly damage your organization through data exfiltration and malware. A successful data breach can cost millions in fees, not to mention the loss of brand trust and reputation.
Aviatrix’s ThreatIQ feature empowers security teams to find, analyze, and remediate suspicious activity quickly. This blog post will explore why ThreatIQ is necessary and how it works.
What You’ll Learn:
A brief overview of attacker strategies, including data exfiltration and botnets
Why distributed threat enforcement is essential
How ThreatIQ empowers security teams to rapidly identify and remediate threats
What is Data Exfiltration?
Data exfiltration is data theft: unauthorized access to data that is rerouted to unapproved third-party destinations. This can cause reputational and financial damage to an organization.
How Does Data Exfiltration Happen?
Data exfiltration can happen when:
Corporate data falls into the hands of adversaries through phishing.
Malware spreads across an organization’s network and infiltrates other devices. Some types of malware lay dormant on a network to avoid detection by an organization’s security systems until data is exfiltrated subversively, or information is gradually collected over a period of time.
A compromised internal VM or host machine exfiltrates information and exports sensitive data to a malicious host.
What is a Botnet?
A botnet is a network of hacked machines across the world that is controlled by an attacker using Command & Control (C2C) software running on a server used as the command center.
C2C software is used to send commands to systems compromised by malware to perform Distributed Denial-of-Service (DDoS) attacks on other organizations or critical infrastructure, steal data, send spam, and allow the attacker unrestricted access to the device and its connection.
Security in Complex Network Architectures
Cybercriminals use different techniques to remain undetected for months or years, while data exfiltration or botnet operations are detected only after the damage is done. To add to the complexity, organizations operating in a hybrid or multicloud environment may have an even harder time detecting data exfiltration or botnet operations if each cloud is managed by a different team within the enterprise, requiring more coordination between teams to implement the necessary security.
Here are some common security approaches:
Intrusion Detection System (IDS) – An IDS monitors a network, searches for known threats and suspicious or malicious traffic, and sends alerts upon detection of issues. An IDS relies on searching for available attack signatures and anomalies from normal network activity.
Third-party SaaS services – To support this method, traffic must be directed towards the service to perform inspection, which means shipping traffic out of the network for analysis. Many third-party SaaS services also depend on a default route or agents installed on workloads.
Third-party appliances – For this security method, traffic must be directed towards these appliances for inspection.
Potential problem with this method: Shadow IT may also spin up new environments or make changes redirecting egress traffic.
How Distributed Threat Enforcement Improves Security Posture
Internet access is pervasive in the cloud. This creates business risk because if the infrastructure has been compromised, data exfiltration, crypto-mining, and other activities may go unnoticed.
You can improve your security posture with distributed threat inspection, a service that complements existing security solutions to provide an added layer of protection.
This solution is simple: when you first own the network through a repeatable network architecture with a common data plane, you can implement distributed threat enforcement. Through threat visibility across all “gateways,” threats are identified more quickly, and remediation can be done automatically. This also makes it easier for your enterprise to simplify processes, workflows, and security investments, allowing you to reduce risk and accelerate resolution with actionable context.
Aviatrix Cloud Firewall with ThreatIQ
Aviatrix Cloud Firewall with ThreatIQ is a cloud network security feature within the Aviatrix platform that offers distributed threat inspection. It offers single-, hybrid, or multicloud native network security by identifying and blocking traffic to known malicious destinations.
Imagine distributed threat visibility and control built into the network data plane by default, providing a complementary security solution.
ThreatIQ is like a watchman in a watchtower. With threat inspection enabled as a smart group, it can dynamically discover malicious or known-bad IPs in the network at every hop. The Aviatrix cloud firewall analyzes all traffic and compares it with a database of known malicious hosts.
This is a great example of when an intelligent data plane becomes security-aware. If Aviatrix Cloud Firewall enforcement is enabled, the firewall policies are pushed to the Aviatrix gateways in the data path, blocking the traffic in real-time. Cloud firewall policies can be defined granularly to enforce control based on Geo and Threat IP groups.
What Makes ThreatIQ Unique
Almost all cloud service providers (CSPs) have a native solution that provides a means of passing traffic from point A to point B using their network. From a security perspective, organizations routinely bolt third-party devices onto this data path to inspect traffic leaving the network.
Aviatrix already provides a Cloud Native Security Fabric (CNSF) with a unified control plane that dynamically enforces security controls across all CSPs. ThreatIQ layers in security inspection and enforcement, which adds a layer of protection to complement third-party security devices and provides visibility of traffic leaving the cloud network.
How it works: detection, analysis, and enforcement
ThreatIQ is a detection mechanism that complements existing security solutions by monitoring traffic in real time as it crosses the network, providing an added layer of protection beyond NGFWs.
ThreatIQ also offers geographical visualization and threat analytics to show where the malicious hosts are located, time series analysis, and threat classifications/severity. You can also export a tabular representation of the threat intelligence for further analysis.
Aviatrix Cloud Firewall with ThreatIQ gives you control over firewall policies against malicious hosts, where the policies are automatically applied in the datapath in the cloud network.
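As an added illustration of the detection and enforcement steps described above (this is example code, not Aviatrix's own implementation): each gateway matches the destination of every flow against a shared feed of known-malicious networks, records a classification and severity for each hit, and then emits a per-gateway deny policy that would be pushed into the data path. The threat feed, flow log format, and gateway names are constructed placeholders.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed threat-intel feed using documentation address ranges (not real indicators):
# network -> (classification, severity)
THREAT_FEED = {
    ipaddress.ip_network("198.51.100.0/24"): ("botnet-c2", "high"),
    ipaddress.ip_network("203.0.113.7/32"): ("malware-distribution", "medium"),
}

# Constructed flow records as a gateway in the data path might see them.
FLOW_LOG = """\
gw=aws-us-east-gw1 src=10.1.2.15 dst=198.51.100.44 dport=443 proto=tcp
gw=aws-us-east-gw1 src=10.1.2.15 dst=192.0.2.10 dport=443 proto=tcp
gw=azure-west-gw1 src=10.20.0.9 dst=203.0.113.7 dport=80 proto=tcp
gw=azure-west-gw1 src=10.20.0.9 dst=198.51.100.2 dport=6667 proto=tcp
"""

@dataclass(frozen=True)
class Finding:
    gateway: str
    src: str
    dst: str
    classification: str
    severity: str

def parse_flow(line):
    """Turn 'k=v k=v ...' into a dict; hypothetical log format."""
    return dict(field.split("=", 1) for field in line.split())

def lookup_threat(dst):
    """Longest-match is unnecessary here: return the first feed entry containing dst."""
    addr = ipaddress.ip_address(dst)
    for net, (cls, sev) in THREAT_FEED.items():
        if addr in net:
            return cls, sev
    return None

def inspect_flows(log):
    """Detection step: one Finding per flow whose destination is in the feed."""
    findings = []
    for line in log.splitlines():
        flow = parse_flow(line)
        hit = lookup_threat(flow["dst"])
        if hit:
            findings.append(Finding(flow["gw"], flow["src"], flow["dst"], *hit))
    return findings

def build_policies(findings, min_severity="medium"):
    """Enforcement step: per-gateway deny rules for findings at or above a severity."""
    rank = {"low": 0, "medium": 1, "high": 2}
    policies = defaultdict(set)
    for f in findings:
        if rank[f.severity] >= rank[min_severity]:
            policies[f.gateway].add(("deny", f.src, f.dst))
    return {gw: sorted(rules) for gw, rules in policies.items()}
```

Because each gateway only ever receives rules for flows it saw itself, enforcement stays local to the hop that observed the threat, which is the distributed property the text describes.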
Final Thoughts: Aviatrix Cloud Firewall with ThreatIQ Fortifies Your Security Posture
In the cloud, internet access has been extremely easy for workloads. For security personnel, safeguarding connectivity, gaining visibility, and remediating threats have never been more challenging. Even with next-generation firewalls, third-party toolsets, and automation, risks can enter your network in many ways, including unauthorized applications set up through shadow IT. Organizations must look for new ways to ensure critical business workloads are protected without slowing business agility.
Aviatrix Cloud Firewall with ThreatIQ is a cloud native security platform that truly takes advantage of the data plane in the cloud and improves the security posture. This feature:
Complements existing security services by providing visibility at the network layer
Eliminates dependencies on traffic being identified at the edge or in security pockets
Survives local changes which may allow Internet egress traffic to use alternative paths
Supports business agility and growth while keeping consistent security guardrails through expansion
Enables a consistent single-, hybrid, or multicloud traffic inspection method independent of local next-generation firewall (NGFW) presence
Provides a cloud-agnostic approach to automated remediation
Learn more about the industry-leading security, visibility, and advanced networking features available through the Aviatrix Cloud Firewall.
Take a free security assessment to learn how you could strengthen your network security posture.