HPE links behavior analytics product to network access management

In February HP Enterprise bought a startup called Niara, a behavioral security analytics firm whose software looks for evidence of attackers who have evaded firewalls and endpoint protection.

Today HPE’s Aruba networking division announced the product has been re-branded as IntroSpect, and that it can be linked to Aruba’s ClearPass network access control solutions to form what it calls a secure fabric for network protection.

It also announced a Standard version of IntroSpect for organizations that want a quicker and less expensive implementation than the full version, now called IntroSpect Advanced.

An IntroSpect screenshot

The Standard version can be implemented with as few as three data sources, such as Microsoft Active Directory or other equivalent authentication records, LDAP-based identity information, and firewall logs from sources such as Checkpoint, Palo Alto Networks or Aruba monitoring (AMON) logs from Aruba mobility controllers or IntroSpect packet processors.

IntroSpect’s machine-learning algorithms generate a risk score based on an attack, which helps prioritize incident investigations for security teams.

Existing Niara users automatically move to the Advanced version.

“This is a major strategic initiative for Aruba,” Larry Lunetta, vice president security solutions marketing for Aruba, said in an interview.

“Aruba has always been very strong delivering solutions primarily to the networking part of the organization. “With this announcement we’re branching out, integrating both networking and security into our solution stack.”

For most infosec pros, the interest in the announcement is the link between ClearPass and IntroSpect ClearPass usually authorizes users and devices. But when pared with IntroSpect and its analysis capabilities it can detect attacks. As a result, said Lunetta, its “new mission is attack response. The idea is we can use ClearPass as a central location and ability to put devices and users on and off the network as part of a closed loop of attack, detection and response.”

Because ClearPass gives a rich set of information about uses and devices, IntroSpect can use it in its analytics, he said. IntroSpect, which uses a Hadoop big data store, baselines individual entities (users/devices) continually over time, as well as performs what Lunetta calls peer-baselining – comparing an individual’s behavior to peers, such as in a business group – to see if there are any deviations. IntroSpect Advanced can now also be configured to watch devices -cameras, heart monitors, thermostats – to see if any of them are behaving differently than others in an environment.

This better attack detection “is one unique advantage in having the products integrated,” he said.

IntroSpect also gives a security analyst the ability to create policies directing ClearPass to react to a detection, such as force a re-authentication, throttle bandwidth, move a device or user to a more restricted part of the network or block a user or device. IntroSpect can also be configured to alert an analyst and forward information on similar attacks and possible action from its database.

It creates what Lunetta calls a closed-loop: Monitoring, detection and response.

“Clearly we’re seeing IntroSpect as an attractive upgrade for those (ClearPass) customers who want to add attack detection to their environment.”

IntroSpect is priced on the number of entities (users/devices) monitored, and is sold either as software alone or in a stackable 2U appliance with Hadoop. It can also run on Microsoft Azure or Amazon AWS. The Standard version is about 60 per cent less than the Advanced version.

IntoSpect also feeds into system event management suites like HPE’s ArcSight.

Lunetta estimated an implementation could cost a small organization at last US$100,000 a year for a software licence.

Since the Niara acquisition Aruba has been working on menu and feature-level integration with the products for messaging between them, Lunetta said. “It is as seamless as we can make it given these are two product families.” So, for example ClearPass can take an automated action which will be reflected in the IntroSpect console.

Industry analyst Zeus Kerravala said the announcement “is a strong one as it improves their security positioning.  I’ve always considered Aruba to be a security vendor that was dressed up as a network vendor, but it’s security capabilities were limited to very specific places in the network through a few products like ClearPass and its APs.  By having an end to end view of the network and traffic, Aruba is able to understand that norm, set baselines and then look for deviations that indicated a breach.  For example, if a worker’s mobile device starts to access internal servers it never has before, it may be compromised.  This can be particularly useful for IoT devices that are typically managed by the operational technology group and often have older operating systems that are easy to hack.”
Kerravala says 90 per cent of security spend is still focused on the perimeter, but only 27 per cent of breaches happen there. Aruba’s new solution addresses the security needs of digital organizations that are constantly changing.

HPE Aruba also said today that IntroSpect Advanced has gained new capabilities including

–Dynamic machine learning, which it says allows security teams to easily customize IntroSpect’s analytical models based on the current threat environment and protection priorities. Included is “chaining,” in which the 100+ out-of-the box machine learning models can be linked together to construct new detection scenarios and associated risk scores;

–Device Peer Grouping, which utilizes the ClearPass profiling functionality to build peer groups of devices even when known only by their IP address. For example, ClearPass will signal to IntroSpect that a device is a surveillance camera or a factory sensor, so that its behavior can be compared to its peers. Therefore, if an anomaly is not flagged in an individual profile, IntroSpect applies a second dimension of detection based on peer comparisons, which is important in extending UEBA functionality to the growing number of IoT devices.

–Integrated attack response, enabling a security analyst to perform an attack response using ClearPass directly from the IntroSpect console.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now