In February HP Enterprise bought a startup called Niara, a behavioral security analytics firm whose software looks for evidence of attackers who have evaded firewalls and endpoint protection.

Today HPE’s Aruba networking division announced the product has been re-branded as IntroSpect, and that it can be linked to Aruba’s ClearPass network access control solutions to form what it calls a secure fabric for network protection.

It also announced a Standard version of IntroSpect for organizations that want a quicker and less expensive implementation than the full version, now called IntroSpect Advanced.

The Standard version can be implemented with as few as three data sources, such as Microsoft Active Directory or other equivalent authentication records, LDAP-based identity information, and firewall logs from sources such as Checkpoint, Palo Alto Networks or Aruba monitoring (AMON) logs from Aruba mobility controllers or IntroSpect packet processors.

IntroSpect’s machine-learning algorithms generate a risk score based on an attack, which helps prioritize incident investigations for security teams.

Existing Niara users automatically move to the Advanced version.

“This is a major strategic initiative for Aruba,” Larry Lunetta, vice president security solutions marketing for Aruba, said in an interview.

“Aruba has always been very strong delivering solutions primarily to the networking part of the organization. With this announcement we’re branching out, integrating both networking and security into our solution stack.”

For most infosec pros, the interest in the announcement is the link between ClearPass and IntroSpect. ClearPass usually authorizes users and devices. But when paired with IntroSpect and its analysis capabilities it can detect attacks. As a result, said Lunetta, its “new mission is attack response. The idea is we can use ClearPass as a central location and ability to put devices and users on and off the network as part of a closed loop of attack, detection and response.”

Because ClearPass gives a rich set of information about users and devices, IntroSpect can use it in its analytics, he said. IntroSpect, which uses a Hadoop big data store, baselines individual entities (users/devices) continually over time, and also performs what Lunetta calls peer-baselining – comparing an individual’s behavior to peers, such as in a business group – to see if there are any deviations. IntroSpect Advanced can now also be configured to watch devices – cameras, heart monitors, thermostats – to see if any of them are behaving differently than others in an environment.

This better attack detection “is one unique advantage in having the products integrated,” he said.

IntroSpect also gives a security analyst the ability to create policies directing ClearPass to react to a detection, such as forcing a re-authentication, throttling bandwidth, moving a device or user to a more restricted part of the network, or blocking a user or device. IntroSpect can also be configured to alert an analyst and forward information on similar attacks and possible action from its database.

It creates what Lunetta calls a closed-loop: Monitoring, detection and response.

“Clearly we’re seeing IntroSpect as an attractive upgrade for those (ClearPass) customers who want to add attack detection to their environment.”

IntroSpect is priced on the number of entities (users/devices) monitored, and is sold either as software alone or in a stackable 2U appliance with Hadoop. It can also run on Microsoft Azure or Amazon AWS. The Standard version is about 60 per cent less than the Advanced version.

IntroSpect also feeds into system event management suites like HPE’s ArcSight.

Lunetta estimated an implementation could cost a small organization at least US$100,000 a year for a software licence.

Since the Niara acquisition Aruba has been working on menu and feature-level integration with the products for messaging between them, Lunetta said. “It is as seamless as we can make it given these are two product families.” So, for example, ClearPass can take an automated action which will be reflected in the IntroSpect console.

Industry analyst Zeus Kerravala said the announcement “is a strong one as it improves their security positioning. I’ve always considered Aruba to be a security vendor that was dressed up as a network vendor, but its security capabilities were limited to very specific places in the network through a few products like ClearPass and its APs. By having an end to end view of the network and traffic, Aruba is able to understand that norm, set baselines and then look for deviations that indicated a breach. For example, if a worker’s mobile device starts to access internal servers it never has before, it may be compromised. This can be particularly useful for IoT devices that are typically managed by the operational technology group and often have older operating systems that are easy to hack.”

Kerravala says 90 per cent of security spend is still focused on the perimeter, but only 27 per cent of breaches happen there. Aruba’s new solution addresses the security needs of digital organizations that are constantly changing.

HPE Aruba also said today that IntroSpect Advanced has gained new capabilities including:

– Dynamic machine learning, which it says allows security teams to easily customize IntroSpect’s analytical models based on the current threat environment and protection priorities. Included is “chaining,” in which the 100+ out-of-the-box machine learning models can be linked together to construct new detection scenarios and associated risk scores;

– Device Peer Grouping, which utilizes the ClearPass profiling functionality to build peer groups of devices even when known only by their IP address. For example, ClearPass will signal to IntroSpect that a device is a surveillance camera or a factory sensor, so that its behavior can be compared to its peers. Therefore, if an anomaly is not flagged in an individual profile, IntroSpect applies a second dimension of detection based on peer comparisons, which is important in extending UEBA functionality to the growing number of IoT devices;

– Integrated attack response, enabling a security analyst to perform an attack response using ClearPass directly from the IntroSpect console.


