Cisco Blogs
Share

Attivo Networks ThreatDirect™ Deception in a Docker Container


June 10, 2019 - 0 Comments

Scaling with the Cisco Catalyst 9000 Family of Switches

Attivo Networks, Joseph SalazarThis blog is authored by Joseph Salazar,
Technical Marketing Engineer at Attivo Networks

Networks are constantly evolving to meet the demands of ever-expanding digital business infrastructure. Organizational networks can now include remote offices, branch offices, retail stores, or other sites outside of the headquarters network. Users no longer need to be tethered to a desktop with a patch cable or working from a corporate office. They are just as likely to access corporate services on a wireless network through the cloud or SaaS providers as they are to connect to a VPN. As more organizations have adopted virtual environments and infrastructures, they have also moved to reusable, portable, scalable applications for operational efficiency. This movement has given rise to Docker and other container solutions that can run applications anywhere, whether on a single system, a virtual machine, or in the cloud. Cisco Systems provides the Catalyst 9000 family of switches with an application hosting framework that can manage docker container applications that run on devices.

Attivo Networks provides the ThreatDefend™ threat detection platform that uses deception technology to identify and alert on in-network attackers, whether external or insider, as they attempt to steal credentials, conduct reconnaissance, and move laterally. The solution does not depend on signature matching, anomaly detection, or extensive analysis. The solution uses network, endpoint, application, and data deceptions, deploying decoys that are indistinguishable from real systems, driving the attacker into engaging with the deception environment, and thus revealing themselves. The platform is effective because it provides comprehensive deception and can scale across any attack surface. Wherever the attacker goes, deception is there to meet them.

One of the elements that make the ThreatDefend platform effective at scaling is the ThreatDirect™ solution, a virtual machine forwarder that deploys deception at remote offices, branch offices, or the cloud. The technology works by taking unused IP addresses at the remote sites or the cloud and forwarding any traffic it receives to an Attivo BOTsink® deception server for engagement. This BOTsink server could be appliance-based, virtual, or deployed in the cloud, and effectively scales the deception environment using the existing virtual infrastructure to the remote sites with little effort. Attivo Networks, as a Cisco Solution Partner, added the Attivo ThreatDirect solution as a container application to its ThreatDirect family of products. This Attivo ThreatDirect container application can be run in the Catalyst 9000 switches and managed by the Cisco DNA Center platform for ease of deployment and management. Remote offices and branches benefit from the same security coverage that Attivo Networks provides to the main corporate offices.

The partnership between Attivo Networks and Cisco Systems includes integrations with the ASA firewall, the ISE network protection platform using Cisco pxGrid, and hosting of the ThreatDirect solution. With the Cisco ASA firewall, the ThreatDefend platform can send attacker address to block any exfiltration attempts. With the Cisco ISE integration, the platform can send an attacker address to quarantine and prevent any lateral movement inside the network. Now, with the introduction of the ThreatDirect container application, organizations can deploy the ThreatDirect container application with Cisco Catalyst 9000 switches, providing organizations with more choice in how they deploy deception while leveraging their existing Cisco equipment for added value.

See the complete portfolio of open security APIs for use in third party integrations.

 

Joseph Salazar is a veteran Information Security professional. He began his career in Information Technology in 1995, and transitioned into Information Security in 1997. He is a retired Major from the Army Reserve, with 22 years as a Counterintelligence Agent, Military Intelligence Officer, and Cyber-Security Officer. In his civilian career, he’s been a Systems and Security Administrator, a Computer Security Incident Response Analyst, a Security Operations Manager, and a Computer Forensic Investigator. He maintains CISSP, CEH, EnCE certifications, and holds a BA in Legal Studies from UC Berkeley. At Attivo Networks he’s a Sales Engineering Manager, focusing on deception technologies.



In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.