Attack Visibility - Breadth and Depth
Tools today are narrowly focused in terms of their visibility from an architectural and data model perspective. Examples include:
- Authentication information from operating system logs is valuable data that is not necessarily available ‘on the wire’. Additionally, certain types of fragmented authentication attacks will be available on the wire, but not always in the operating system logs. Having both sources of telemetry data feeding common, normalized data that can be used for further analysis is most complete.
- Similar to the above, taking the attack down to the link layer by poisoning the ARP cache of unsuspecting victims – suggesting that the MAC of the hacker is associated with the legitimate default gateway address – is a classic man-in-the-middle (MITM) attack. Once the hacker is in the middle of the communication, an authenticated session can be hijacked.
- Numerous hypervisor-style attacks allow attackers to jump between guest VM's and their host, all under the context of the account running the hypervisor, a system-level admin.
- Social vectors enable an attacker to convince a victim to reveal their credentials for physical access controls, ATM withdrawals, etc.
Click Security RtSA Response
Unlike point products – often placed strategically throughout the infrastructure to maintain unilateral perspective – Click gains breadth from broader attack visibility of a wider range of products across the estate. The idea of depth is also important as you consider that different sources of telemetry data operate at a variety of positions on the stack. The example described above discusses similar authentication-style attacks, launched at different layers of the protocol stack. This is important since point products that are network-based, for example, would not have visibility to application-layer attacks. Likewise, application and network-layer attacks are oblivious to those that are happening at the data link-layer. Click brings each of these elements together, normalizes the data and provides enterprise-wide perspective – a feat we believe no other product can achieve.