Threat Intelligence Blog

Posted February 26, 2016


Risk Mitigation

Todd Beine from the LookingGlass® Chief Technology Office discusses the new CS-4000E as a secure foundation for LookingGlass threat intelligence enabled security solutions to reduce your organization’s risk profile.

The key to understanding and using threat intelligence to reduce your risk profile is to learn from past experiences and apply that knowledge actively to address the risk at hand. But with limited time, knowledge, and personnel how do you effectively operationalize threat intelligence to make it work for you?

LookingGlass recently announced the rollout of additions to an entire ecosystem created to address this problem and enhance threat mitigation. This includes updates to the existing LookingGlass DNS Defender® and LookingGlass NetDefender.

  • LookingGlass DNS Defender® – dynamic threat defense integrated into the DNS infrastructure to block communication between embedded malware and command and control (C2) servers using access control lists provisioned by LookingGlass ScoutVision or the customer.
  • LookingGlass NetDefender  –  a network perimeter cybersecurity solution allowing multiple and independent advanced malware defenses to work together to stop attacks sooner by harnessing LookingGlass deep packet processing for traffic steering and inline threat mitigation.

These updates round out a portfolio that includes LookingGlass ScoutVision™ – threat intelligence analysis and management system – and Virus Tracker® – world’s largest botnet and malicious domain monitoring system. Through these products LookingGlass generates customer relevant machine readable threat intelligence (MRTI) delivered via new MRTI-enabled applications to empower security operations and threat intelligence teams to actively defend against cyber attacks.


The entire LookingGlass threat-centric mitigation portfolio is available on a new CS-4000E 40Gbps network security appliance.


The Deep Packet Processing (DPP) architecture of the CS-4000E was first introduced in 2001 and quickly gained traction with the world’s most security conscious organizations, given the performance and flexibility it provided for responding to the barrage of cyber attacks from the world’s most sophisticated threat actors. Still actively deployed today for advanced cyber countermeasures, the LookingGlass DPP capability is available in a commercial package that retains the performance and security pedigree of earlier iterations, but delivers improved operational efficiency and management.

The Deep Packet Processing Modules (DPPM) in the CS-4000E provide high-speed threat detection and mitigation through per-packet inspection and tagging, search and replace payload modification, and traffic steering. Each DPPM supports up to 40 Gigabits per second (Gbps) of packet processing and up to 60M packets/sec enabled by:

  • A dedicated Regular Expression (Regex) accelerator to search unstructured network data for specific patterns or values associated with malicious traffic coming through the system.
  • A proprietary Flow Acceleration Subsystem (FAST) for 40Gbps of network and transport layer pre-processing to accelerate the more complex application processing required in advanced line-rate security capabilities.
  • A high-speed memory-resident relational database situated directly in the dataplane and scaling to millions of entries for efficient real-time tracking of flow status and associated actions.

When combined with the LookingGlass ScoutVision Threat Intelligence Management system to task real-time dynamic threat mitigation rules, the CS-4000E DPP provides highly-scalable, highly-flexible threat detection and mitigation capabilities.

CS-4000E mitigation operates transparently in a customer’s network to avoid detection and attack (or evasion) by bad actors. The datapath is very low latency and the network interfaces have no default Mac or IP address, which means there’s no exploitable attack surface visible from the network. This transparent, in-line deployment allows customers to take advantage of LookingGlass threat mitigation solutions quickly without costly configuration changes to existing network infrastructure.

The platform integrates DPP with high-performance general purpose computing to consolidate solution footprint and lower cost. The Content Processing Accelerator (CPA) is a multi-core Intel x86 processor module with a LookingGlass custom network interface card (NIC) for I/O acceleration that runs the LookingGlass packetLinux performance-tuned linux distribution. In the CS-4000E chassis, solutions utilize any combination of up to three DPPM and CPA modules for flexibility and scale.

The CS-4000E maintains the CS-4000 security pedigree (the DCID 6/3 PL5 accreditable predecessor) but reduces the cost and complexity by removing the anti-tamper protections. Customers now have access to the same proven, high performance, trusted architecture at a lower price point with reduced operational complexity. Some of the secure features of the platform include:

  • Strict separation between the control and data planes in the chassis.  No application or policy modifications are possible from the dataplane — the platform has been proven to be unattackable from the network, reducing the risk of exploitation or compromise of protected signatures.
  • A virtualized operating environment runs multiple, isolated “software DPP appliances” to reduce equipment, power, space, cooling, and personnel cost.
  • Dynamic application and dataset updates allow customers to remove/add new capabilities without packet loss, delay, or network downtime. This makes the CS-4000E platform an effective choice against today’s evolving threat landscape as capabilities can change without new hardware/firmware.

The CS-4000E is ideal for large enterprises, service providers, Telcos, and government agencies. Its carrier-grade chassis supports redundant AC and DC power and cooling, and all modules are fully hot-swappable and designed for NEBS Level-3 and RoHS compliance. At a compact 4RU, the platform helps customers realize a high “protected bandwidth” per rack-unit metric.

Learn more about our threat centric ecosystem here. You can also connect with Todd on Twitter at @ToddBeine or leave a comment on this blog.  


Additional Posts

Weekly Phishing Report – February 29, 2016

The following data offers a snapshot into the weekly trends of the top industries being targeted by ...

LookingGlass sees new CS-4000E enterprise network security platform as strong channel play

This platform, the CS-4000E, is a version of the CS-4000 the company has been selling to government ...