Threat Intelligence Blog

Posted June 16, 2020

The latest Aeonik software release introduces real-time Cybersecurity Policy Orchestration & Enforcement, providing tunable security mitigation across a comprehensive set of attacks including SMBGhost.

In our prior software release, LookingGlass Aeonik™ Security Fabric added support for AWS Cloud deployments, as well as upgraded the supported Zeek version for behavioral detection and mitigation.

With Aeonik’s new software release (v2.3), we address one of the challenges of managing an organization’s cybersecurity systems: how to orchestrate and tune those technologies to meet cybersecurity actions required by compliance, operational necessity, or even incident response.

Aeonik Security Fabric – Policy-based cybersecurity supporting dynamic adaptability of secure behaviors

Without Aeonik Security Fabric, many organizations have a patchwork of technologies, which often take significant operational effort to integrate and may still not provide the enhanced security protections that drove the purchase in the first place. Policy definition and enforcement across a disparate security stack is often difficult or impossible.

Aeonik 2.3 introduces a major enhancement that supports Policy Orchestration for the entire security stack deployed across the enterprise. Aeonik’s Policy Framework leverages technology from the open source project Open Policy Agent (OPA), which provides cloud native policy control for technologies such as Kubernetes.

Aeonik Security Fabric defines the three separate policy roles (administration, decision, and enforcement) as follows:

Figure 1: Aeonik Security Fabric & Policy Architecture

To help put the power of policy orchestration in context, let us start with how organizations typically apply cybersecurity policy in practice.

Figure 2: Phases of Cybersecurity Policy Application

Policy Planning

As we highlighted in our blog on integrated cybersecurity, the Zero Trust framework has provided the cybersecurity industry with a useful reference on how to define, organize, and plan cybersecurity controls to protect an organization.

Aeonik Security Fabric Policy focuses on supporting organizational requirements across granular access, complete visibility, operational automation, and deployment flexibility as shown below.

Figure 3: Zero Trust Requirements for Policy

Most organizations apply cybersecurity policy based on a mix of compliance, strategic, and tactical requirements across the four key areas defined by Zero Trust.

For this reason, Aeonik supports the concept of multiple named policy lists that can be deployed and activated independently; each named policy list can be defined by separate departments, roles, and reasons.

Figure 4: Example of Organizational Policy Lists

An organization’s compliance or risk team may choose to define the Baseline Policy List utilizing policy rules driven by compliance-standard requirements or corporate long-term strategies that define specific rules for detection and mitigation of cybersecurity threats.

For the Day-to-Day Policy List, the organization’s security operations team may define a set of policies that are focused on operational threats and the associated team playbooks.

Finally, the organization’s incident response team may define an Investigative Policy List containing policies they wish to apply to the environment at specific times. These policies serve to update how the security fabric behaves for specific incident investigations and resolution phases in which they are involved. Upon completion of an incident, the incident response team may choose to submit certain policies defined in the Investigative Policy List to the security operations team or compliance/risk team for inclusion in the other two policy lists.

Policy Control

With Aeonik Security Fabric, organizations are able to define policies across a broad range of requirements, whether it is Per Deployment, Per Security Aspect, Per Security Team Role, Per Temporal Condition, or some combination of all of these aspects.

Figure 5: Aeonik Policy Options

In addition to supporting a variety of areas, the organization can define policy that encompasses threat detection and mitigation leveraging one, some, or all of the security engines available within the Aeonik Security Fabric.

Figure 6: Policy Controlling Security Detection & Mitigation

Policy Evaluation

As has been highlighted, there are many opportunities for an organization to leverage Aeonik Security Fabric Policy to enhance or define security operations to meet specific Zero Trust requirements.

Aeonik provides organizations with an extremely flexible and comprehensive YAML policy language that specifies the criteria matched against real-time traffic across the fabric. When traffic, including any engine analysis, matches those criteria, Aeonik applies the actions defined in the policy to that traffic, along with any additional associated security behaviors.

The following three examples highlight some of the diverse policy enforcement capabilities supported by this language.

Example 1: Blacklist a known bad domain and override its intelligence score

Use Case: An organization has intelligence that known C2 domain baddomain.com has been identified controlling a specific botnet. The organization wishes to block access to baddomain.com, generate an alert when any asset in the enterprise reaches out to that C2, and correct the intelligence scoring assessment to a value of 20.

Figure 7: Policy Example for Blacklisted Domain

Example 2: Whitelist communications on a specific CIDR

Use Case: An organization has received intelligence that has produced high false-positive results in their alerting and response systems for CIDR 12.1.2.0/24. They have analyzed the CIDR and consider it to be risk-free to their organization; they wish to skip any further detection, mitigation, or capture actions on CIDR 12.1.2.0/24 or any communications involving it.

Figure 8: Policy Example of Whitelist

Example 3: Tuning false positive alerts

Use Case: An organization leverages Suricata and intelligence from many sources but has learned that any signature or intelligence hit with a severity score less than 40 should be ignored by their alerting and mitigation systems. They have determined that tuning the system not to trigger further analysis or mitigation for events under a certain severity threshold allows their limited computing and human resources to focus on higher-severity alerts.

Figure 9: Policy Example of Lowering False Positive Alerts
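The three use cases above, reduced to a small evaluator that matches traffic events against a policy list and merges the resulting actions. This is an added example written for this post, not Aeonik's YAML syntax or code; the rule keys (match, actions, suppress, score_override), the sample events, and the precedence rule that a suppress from any matching rule beats a requested action are all assumptions.

```python
import ipaddress

# Constructed policy list modelling the three use cases; rule keys are hypothetical.
POLICY_LIST = [
    {   # Example 1: block a known C2 domain, alert, and set its intel score to 20
        "name": "blacklist-baddomain",
        "match": {"domain": "baddomain.com"},
        "actions": ["block", "alert"],
        "score_override": 20,
    },
    {   # Example 2: 12.1.2.0/24 is trusted; skip detection, mitigation and capture
        "name": "whitelist-12.1.2.0/24",
        "match": {"cidr": "12.1.2.0/24"},
        "suppress": ["detect", "block", "capture"],
    },
    {   # Example 3: signature/intel hits with severity < 40 raise no alert or block
        "name": "drop-low-severity",
        "match": {"severity_below": 40},
        "suppress": ["alert", "block"],
    },
]

def matches(match, event):
    """All criteria in a rule must hold for the event (AND semantics)."""
    for key, want in match.items():
        if key == "domain" and event.get("domain", "").lower() != want:
            return False
        if key == "cidr":
            net = ipaddress.ip_network(want)
            ends = [event[k] for k in ("src", "dst") if k in event]
            if not any(ipaddress.ip_address(ip) in net for ip in ends):
                return False
        if key == "severity_below" and not event.get("severity", 100) < want:
            return False
    return True

def evaluate(event, policy_list=POLICY_LIST):
    """Merge the actions of every matching rule; a suppress from any rule wins.
    That precedence (suppress beats request) is this example's assumption."""
    requested, suppressed, matched = set(), set(), []
    score = event.get("score")
    for rule in policy_list:
        if not matches(rule["match"], event):
            continue
        matched.append(rule["name"])
        requested.update(rule.get("actions", []))
        suppressed.update(rule.get("suppress", []))
        score = rule.get("score_override", score)
    return {"matched": matched, "actions": sorted(requested - suppressed),
            "suppressed": sorted(suppressed), "score": score}
```

Call evaluate() with a constructed event dict such as {"domain": "baddomain.com", "src": "10.0.0.5", "dst": "203.0.113.9", "severity": 85, "score": 60} to see the blacklist rule fire with the score overridden to 20.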

Summary

Aeonik Security Fabric integrates Cybersecurity Policy and the Power of Three: Intelligence, Signature, and Behavior to automatically and instantaneously detect and mitigate attacks as they traverse the network.

Organizations can shape, evaluate, and enforce cybersecurity policies across their entire network using the simplified security stack Aeonik provides with its new policy framework.

This significantly reduces the complexity of operational security whenever teams must apply detections across the entire organization, potentially in real-time. Additionally, Aeonik simplifies and standardizes policy-defined mitigation actions without introducing significant manual or error-prone tasks across disparate technologies and teams.

Aeonik Security Fabric – Policy orchestration as threats and risk profiles change

At LookingGlass, we are embracing this approach to enterprise security monitoring and threat response to deliver a real-time, coordinated cyber defense response.

If you would like to discuss Aeonik 2.3, please contact me on Twitter @tweet_a_t.
