Sunday, December 20, 2020

Arista Plugs Awake Into Attack Surface Assessment

Arista Networks today announced a threat hunting and incident response service that uses technology from its Awake Security acquisition earlier this year.

The new Attack Surface Assessment service, which identifies risks from devices, users, or third-party systems, becomes especially relevant in light of the recent SolarWinds supply chain attack, said Rudolph Araujo, director of marketing at Awake Security, which is now the NDR Security Division of Arista Networks.

In fact, one customer didn’t know they used SolarWinds products in their IT environment until Arista’s NDR team discovered the device’s unique fingerprint, Araujo said. To be clear: the customer’s environment didn’t contain the Sunburst malware used in the breach, “but their question was: ‘Do we have SolarWinds in our environment? We don’t think we do?’”

They were wrong. This highlights the importance of visibility across the attack surface and into all devices connecting to enterprise networks. It also exposes glaring gaps in companies’ security programs, Araujo said.

“Simply knowing what you’re protecting is important, and SolarWinds is just an example here,” he added. “This applies to your contractor and IoT devices. We’ve seen threats where the attacker is targeting the voice over IP phone system, or targeting the TVs in the conference room connected to the internet. That’s one gap. The second gap is on the threat hunting side.”

The Attack Surface Assessment aims to close both of these gaps in three steps.

“The first step is really getting an understanding of what it is that you’re protecting,” Araujo said. “Most customers are only aware of 40% or 50% of their attack surface. Such as the third-party systems you’re not tracking because someone in a DevOps role spun it up unbeknownst to IT.”

The new security service uses Awake’s artificial-intelligence (AI)-based network detection and response (NDR) platform for this step, along with Arista’s CloudVision technology — which provides network-wide workload orchestration and workflow automation — and Arista’s switching infrastructure.

“Because the network sees it all,” Araujo said. “Even if it’s an unauthorized software system or contract, they hit the network at some point.”

Step two involves calling in the humans, aka the Awake Labs team, to hunt for threats, which usually takes about 30 days, Araujo said.

Finally, step three includes an incident response retainer. “We have an incident response team within the Awake Labs practice, and so if you find something that is a breach, we can very quickly pivot into incident response and forensics,” Araujo said.

This is Arista’s second product integration that uses Awake’s technology this month. The other is its new Arista DANZ Monitoring Fabric (DMF), which combines Arista’s legacy Data Analyzer (DANZ) with another acquisition — Big Switch’s monitoring fabric software — plus Awake’s technology to deliver traffic to various NDR ingest points for zero-trust security. DMF runs on Arista’s switching platform.

“That for us is a very natural integration, and I think you’ll see more on that side of the business where they’re providing visibility — they, being the DMF team — and how can we tap into some of that visibility,” to improve security, Araujo said.

CloudVision is another area where Araujo expects to see further integrations. Customers’ security teams can benefit from CloudVision’s network visibility and orchestration capabilities. For example, if Awake’s NDR platform says a particular device has been compromised, then the IT team can use CloudVision to logically disconnect it from the network.

“And on the flip side of that, CloudVision can get Awake’s risk-oriented view of the devices in the user’s environment,” to limit risky devices’ access or isolate a device, Araujo added.

“We really view this as an opportunity to move from network security to a secure network,” he said. “So we make the infrastructure just secure by default.”
