Deter Attacks on the Inside: Niara + ClearPass

By Siram Ramachandran, Blog Contributor

Whether it's IBM's 2016 Cyber Security Intelligence Index showing 60 percent of cyber security attacks coming from threats on the inside or the Verizon 2016 Data Breach Investigation Report finding that 63% of confirmed data breaches involved weak, default or stolen passwords, it's clear that perimeter-focused protection is no longer sufficient. Today's targeted attacks are designed to stay "under the radar" by moving in small but deliberate steps over long periods of time – often with legitimate credentials co-opted from a compromised user.

Safeguarding against cyber threats now requires a multi-layered security strategy. This includes the ability to detect and combat threats that have evaded other solutions in your security architecture and have compromised employees, contractors, partners or IoT devices.

Fortunately, innovative security solutions using machine learning-based analytics and big data platforms can now provide enterprises with a new dimension of protection that traditional security products lack.

Niara, a recognized leader in what Gartner calls User and Entity Behavior Analytics (UEBA), uses supervised and unsupervised machine learning to automatically baseline normal user and device behavior while detecting anomalous activity that may indicate a threat. When integrated with Aruba's ClearPass Exchange, an open third-party integration platform, the combined solution delivers three key security innovations: advanced attack detection, accelerated investigation and automated, policy-based response.

Industry-leading advanced analytics detect slowly gestating attacks before they do damage

Niara's UEBA solution automatically profiles every device that connects to your network. Once a baseline of normal behavior is established, we continuously look for potential anomalies, put them into context over time and raise an alert when the risk level reaches predetermined thresholds.

When Niara's alerts are passed to ClearPass, they can trigger automated, policy-based actions such as adaptive authentication or full quarantining of a device to contain the danger until an analyst can follow up. Simultaneously, ClearPass can send a message to the device's user, the user's supervisor or other designated individuals. In the case of IoT, the notification goes to the designated device owners to let them know there is likely a security issue and what ClearPass action was taken.

[Figure: Niara-ClearPass workflow]

As Niara maintains a complete historical forensic record for each entity/device (optionally down to even the packet level), investigation and remediation decisions that traditionally take hours or days can now be done in minutes. Given the high quality of Niara machine learning-based alerts and the 90% reduction in time and effort required to resolve the incident, the ROI of the combined solutions is measurable and significant.

From IoT to personal devices, innovative partnership has you covered

To provide this advanced level of insider attack management, ClearPass provides Niara with information about each device that logs onto your network via a JSON feed. This includes data such as the time the device connected, the time it disconnected, where it's located, and what its role allows it to access.

Because Niara leverages ClearPass to identify the specific device and user accessing the network, a general access designation such as "Guest" now becomes available for individual profiling. As a result, Niara's baselining and analytics can differentiate between guest contractor "Joe," who operates within the rules, and guest vendor "Sam," who is probing for sensitive information. This precision profiling similarly applies to networks of IoT devices such as factory controllers or arrays of medical equipment.

When Niara detects devices deviating from baseline activity, we use the REST-based APIs resident in ClearPass to share our analytics results, which include a risk score and attack description for the specific device or user in question.

Integrated detection and response reduces window of vulnerability

A key trend in enterprise security is to deploy best-of-breed solutions in a seamlessly integrated framework. As a result, advanced security solutions that work together to close the window of vulnerability between attack detection and remediation are now critical components of an overall threat mitigation strategy. This makes Niara and ClearPass a potent combination to help address advanced and continuously evolving insider threats, no matter where in your environment they originate.