Five Things to Know About NETSCOUT Arbor Edge Defense

NETSCOUT AED redefines the cyber security stack to serve as the first and last line of defense against multiple types of inbound and outbound threats.


NETSCOUT AED occupies a unique position on the network edge, lying outside the firewall, between the enterprise and the internet. Why is this important? Read on for five ways that AED redefines the cyber security stack to serve as the first and last line of defense against multiple types of inbound and outbound threats.

  1. AED is built for a new era of internet-scale threats. As the architecture of enterprise networks changes, so too do the increasingly sophisticated and persistent techniques of attackers. “Data center and network architectures have distributed toward the edge, straining traditional perimeter enforcement points,” said Jeff Wilson, IHS Markit research director for cybersecurity.

Today’s campaigns target a wide variety of sources for a wide variety of reasons, from increasing geopolitical unrest to intellectual property theft. Attackers often use supply chains as a conduit, a tactic that allows them to attack their main target via the intertwined relationships of partners and suppliers.

Threat actors continue to expand and weaponize their capabilities, as traditional malware adds worm modules that allow the malicious software to spread faster and more easily. One example is “NotPetya,” in which threat actors planted a backdoor in a popular Ukrainian accounting software package. The malware initially targeted Ukraine, where more than 80 businesses were affected. It quickly proliferated across France, Germany, Italy, Poland, the United Kingdom, Russia, and the United States.

These attacks caused serious commercial damage around the world, forcing global organizations such as Federal Express, shipping giant Maersk and consumer products giant Mondelez to miss earnings and lose hundreds of millions in revenue.

AED is built to combat such internet-scale intrusions. “The unique combination of stateless filtering, rigorous curation of custom threat intelligence as well as ingestion of third-party feeds, allows NETSCOUT AED to block outbound threats with the same level of confidence they’ve been blocking inbound DDoS threats for years,” continued IHS’ Wilson.

  2. AED extends protection beyond the firewall. Traditional perimeter security devices such as next-gen firewalls, intrusion prevention solutions, and load balancers are susceptible to botnet-driven state-exhaustion attacks. In fact, NETSCOUT’s 13th Annual Worldwide Infrastructure Security Report (WISR) found that 52 percent of enterprise respondents had firewalls that experienced a failure or contributed to an outage during a DDoS attack.


AED is deployed in front of these solutions, protecting them from DDoS attacks that target their availability. NETSCOUT’s stateless packet processing engine detects and mitigates most DDoS attacks without tracking any session state. In cases where tracking is required, AED only stores minimal information for a short period of time. As a result, AED can withstand targeted attacks that overwhelm state tables in these other security products and threaten availability.

  3. AED blocks inbound and outbound threats. In addition to protecting perimeter solutions from availability-based threats such as DDoS attacks, AED adds a layer of enforcement by blocking communications to known suspicious destinations. These reputation lists, commonly referred to as Indicators of Compromise (IoCs), are best operationalized on stateless devices because of the speed and scale involved.

Detecting and disrupting Command & Control communications at the edge requires stateless packet processing at internet scale. AED is a purpose-built device designed to keep pace with attackers as they evolve their tradecraft, and it relieves stateful devices of the performance load of functions that are outside of their primary purpose.

  4. Automated threat mitigation. AED is enhanced by threat intelligence via the ATLAS Intelligence Feed (AIF). Developed by NETSCOUT’s ATLAS Security Engineering & Response Team (ASERT), AIF includes geo-location data and automates the identification of attacks from known botnets and malware while ensuring that updates for new threats are automatically delivered without intrusive software upgrades.

Extending this enforcement, AED supports standards such as STIX/TAXII for ingestion of third-party threat intelligence. It also provides a robust REST API to integrate threat detection and blocking telemetry into existing Security Operations workflows and management tools.

  5. AED provides actionable threat intelligence. NETSCOUT believes that effective threat intelligence not only identifies attacks, but also provides context to understand and catalogue attack infrastructure, methods, and related indicators to help security professionals make faster, more confident security decisions. Contextual intelligence not only links IoCs to known threats, but also supplies current data that correlates seemingly unconnected inbound and outbound communications to expose targeted campaigns. Armed with this data, security professionals can see the bigger picture, giving them a much better chance of quickly linking inbound malicious traffic with outbound communications. Such threat intelligence is critical for quickly detecting interrelated components of orchestrated, botnet-driven attack campaigns. It also helps them quickly find and disrupt attacks before they do real damage.

To learn more about the new era of internet-scale attacks, read NETSCOUT’s Threat Intelligence Report.