

DATA SHEET

REAL-TIME NETWORK VISIBILITY & BREACH DETECTION

HIGHLIGHTS

Authoritative network baseline and real-time visibility.

Validate/confirm known and unknown IP addresses on the network.

Real-time leak path detection.

Embedded Hadoop Distributed File System (HDFS) for cybersecurity breach analytics (identify threat flows, access to known Trojan or malware ports, zombies) in conjunction with ingested ‘feeds’ such as threat intelligence or flow data.

real-time alerts and notifications flag departures from the network steady state.

Combined active scanning and passive listening techniques.

Comprehensive, detailed network topology maps.

Highly scalable to accurately index the largest networks.

Little to no impact on network performance, and easy to deploy (agentless).

Snapshot reports available to build an audit trail.

Complementary with deployed security stack/platforms.

Automates key Center for Internet Security (CIS) Critical Security Controls.

Aligns with Continuous Monitoring (US) and Protective Monitoring (UK) security programs.

*Refer to the “Real-Time Network Behavior Analytics & Cybersecurity Breach Detection with Lumeta Spectre” Solution Brief for cybersecurity use cases.

YOU CAN ATTAIN REAL-TIME NETWORK VISIBILITY USING LUMETA® SPECTRE.

Running in an always-on mode, Lumeta Spectre delivers network indexing, leak path detection, visualization and cybersecurity breach analytics to provide cyber situational awareness – across the enterprise network including physical, mobile, virtual and cloud. Lumeta Spectre helps you address network vulnerabilities and cybersecurity threats* as they occur.

NETWORK INFRASTRUCTURE ANALYSIS

Because networks change constantly, and that change is accelerating as networks move to virtual, cloud and SDN infrastructure, there is a “visibility gap” (the difference between what is assumed or known and what is actually found), typically 20% or more in larger networks.

Lumeta Spectre hunts for dynamic changes to the network edge and changes caused by virtual, cloud and mobile assets on your network. Recursive Network Indexing provides a real-time, authoritative view of your network infrastructure.

• Index of the network and all attached endpoints for a true view of the network (what devices are connected to the network, and how; what address space is in use)

• Dynamic Network Edge Definition

• Identification of rogue networks and devices

• Map “shadow IT” (virtual, cloud, mobile)

• Real-time Network Infrastructure Updates (Broadcast, OSPF, BGP, etc.)

• Unreachable Network Segment Identification

• Device Indexing/Profiling

• Enterprise-wide Certificate Identification

• Network Topology Mapping

• Port Mapping/Usage

CYBERSECURITY BREACH DETECTION

Lumeta Spectre hunts for anomalous behavior to find meaning in the data and to quickly prioritize any issues for remediation. Spectre includes the ability to ingest third-party threat intelligence feeds (Accenture iDefense subscription is included) to correlate with network data:

• Threat Flows: Find live communications occurring with adversaries (correlate NetFlow to malware command and control servers)

• Highlight internal use/accessibility of known Trojan and malware ports (“red” and malicious ports)

• Hunt for unauthorized (zombie) communication flows to known bad actor sites

NETWORK SEGMENTATION ANALYSIS

Lumeta Spectre hunts for leak paths to the Internet or in between firewalled enclaves.

Leak Path Identification: Layer 3 segmentation analytics identify leak paths to the Internet or rogue paths between enclaves which may be exploited for malicious activity

• Unauthorized Internet Connectivity

• Multi-homed Host Identification

• Split Tunneling Identification

• Unauthorized Bridging Device Identification

• Hybrid Physical/Virtual Segmentation

Unknown Network Identification: Lumeta validates your known versus found networks

• Forwarding Device Census

• Rogue Network/Forwarder Identification

BIG DATA AND ADVANCED ANALYTICS

The Lumeta Spectre platform has an embedded Hadoop Distributed File System (HDFS), which allows for the collection, storage and analysis of large amounts of unstructured data in real time.

Lumeta Spectre can ingest external data streams – such as NetFlow data and Threat Intelligence feeds – to correlate with Spectre’s real-time indexing data. This allows for deeper drill-down analytics to rapidly find more meaning in large amounts of data, and help organizations address network vulnerabilities and cybersecurity threats as they occur.

RECURSIVE NETWORK INDEXING

Lumeta Spectre uses a unique “always on” technique to produce an authoritative network summary – a recursive cycle of targeting, indexing, tracing, monitoring, profiling, and displaying a network’s state.

It combines passive indexing (listening) for newly connected network infrastructure, devices and previously unmanaged assets with targeted active indexing techniques, applied in context, that crawl the network when and where those changes occur.


www.lumeta.com

INDEXING TYPE / WHAT IS THIS? / BENEFIT

Network Discovery (ND), Layer 2 Discovery (L2)

What is this? Actively indexes forwarders and paths using ICMP, TCP, UDP and DNS probes, via TTL tracing and responses; indexes network infrastructure devices, route tables, ARP tables, switch TCAM and VLANs using SNMP and LLDP.

Benefit: Authoritatively identifies the full address space in use and the edge of the managed enterprise network, through recursive addition of newly identified address targets.

Host Discovery (HD)

What is this? Actively indexes devices attached to the network via ICMP, TCP, UDP, DNS and SNMP interrogation and responses.

Benefit: Provides the authoritative census of the devices that are connected to the network right now.

Device Profiling (DP)

What is this? Actively fingerprints the indexed census of devices on the network using TCP (OS detection), CIFS, HTTP/S and SNMP.

Benefit: Provides a high-confidence (agentless) assessment of device type, manufacturer, OS, certificates and certificate status.

Service (Port) Discovery (SD)

What is this? Actively indexes ports within the profiled census of devices, using a configured port list or a full port scan, by sending TCP SYN probes and classifying the SYN/ACK responses.

Benefit: Authoritatively identifies TCP ports in use and highlights deviations from, or violations of, policy.

Leak Discovery (LD)

What is this? Actively indexes leak paths that exist in the L3 routed domain between network segments using Lumeta proprietary TCP packet spoofing.

Benefit: Authoritatively identifies network segmentation violations between networks at L3.

Enhanced Perimeter Discovery (EPD)

What is this? Indexes L2 bridging and forwarding devices by listening to ARP to assemble candidate MAC/IP pairs, then using Lumeta proprietary active TCP packet injection targeting each MAC/IP pair’s default gateway.

Benefit: Authoritatively identifies L2 bridging and forwarding violations within multi-homed hosts or devices with multiple interfaces.

Network Control Plane Context

What is this? Probes and indexes network change by participating in the control domain, using OSPF, BGP, ICMPv6, ARP, DHCP and DNS analysis (others to come).

Benefit: Authoritatively identifies the presence of cloud, virtual/mobile devices and network infrastructure (NFVs) in real time.
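The recursive step behind the ND/L2 row above (every address learned from a forwarder’s tables becomes a new target until nothing new appears), together with the “known versus found” gap from the Network Infrastructure Analysis section and the multi-homed host check from the EPD row, as an added example that is not Lumeta’s code or method. Lumeta’s tracing and packet-injection techniques are proprietary and are not reproduced; in their place, CONSTRUCTED_FORWARDERS is a hand-built dict standing in for what SNMP would return from each forwarder, and KNOWN_NETWORKS stands in for the IPAM record. All addresses and MACs are constructed.

```python
"""Recursive network indexing over constructed forwarder data.

Added example, not Lumeta code. Each forwarder's "SNMP" view is a
hard-coded dict (CONSTRUCTED_FORWARDERS); Lumeta's real targeting, tracing
and packet-injection techniques are proprietary and not reproduced here.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for what SNMP would return from each forwarder:
# its route table (connected and learned prefixes) and its ARP table.
CONSTRUCTED_FORWARDERS = {
    "10.0.0.1": {
        "routes": ["10.0.0.0/24", "10.1.0.0/24"],
        "arp": {"10.0.0.10": "aa:bb:cc:00:00:10",
                "10.0.0.11": "aa:bb:cc:00:00:11",
                "10.1.0.1": "aa:bb:cc:00:01:01"},
    },
    "10.1.0.1": {
        # A route to a lab network that is absent from the IPAM record.
        "routes": ["10.1.0.0/24", "192.168.50.0/24"],
        "arp": {"10.1.0.20": "aa:bb:cc:00:01:20",
                "192.168.50.1": "aa:bb:cc:00:50:01"},
    },
    "192.168.50.1": {
        "routes": ["192.168.50.0/24", "172.16.9.0/24"],
        # 192.168.50.20 shares a MAC with 10.1.0.20: one host, two segments.
        "arp": {"192.168.50.20": "aa:bb:cc:00:01:20",
                "172.16.9.1": "aa:bb:cc:00:09:01"},
    },
}

# What the IPAM system says the network is (constructed).
KNOWN_NETWORKS = ["10.0.0.0/24", "10.1.0.0/24"]


def index_network(seeds, get_tables):
    """Crawl from the seed addresses, feeding every address learned from a
    forwarder's tables back into the target list until nothing new appears.

    get_tables(ip) returns the forwarder's {"routes", "arp"} dict, or None
    when the address is an endpoint or does not answer (nothing to read).
    """
    targets = list(seeds)
    seen, forwarders, networks = set(), set(), set()
    mac_to_ips = defaultdict(set)
    while targets:
        ip = targets.pop()
        if ip in seen:
            continue
        seen.add(ip)
        tables = get_tables(ip)
        if tables is None:
            continue
        forwarders.add(ip)
        networks.update(ip_network(n) for n in tables["routes"])
        for host, mac in tables["arp"].items():
            mac_to_ips[mac].add(ip_address(host))
            targets.append(host)  # the recursive step: a found address becomes a target
    return forwarders, networks, mac_to_ips


def visibility_gap(known, found):
    """Networks that were found but are not in the authoritative record,
    plus the gap as a fraction of everything found."""
    unknown = found - {ip_network(n) for n in known}
    return unknown, len(unknown) / len(found)


def multi_homed(mac_to_ips, networks):
    """MACs whose addresses fall in more than one found network: a host
    with interfaces in two segments is a candidate bridging/leak path."""
    result = {}
    for mac, ips in mac_to_ips.items():
        segments = {n for n in networks for ip in ips if ip in n}
        if len(segments) > 1:
            result[mac] = sorted(segments, key=str)
    return result


if __name__ == "__main__":
    fwds, nets, macs = index_network(["10.0.0.1"], CONSTRUCTED_FORWARDERS.get)
    unknown, ratio = visibility_gap(KNOWN_NETWORKS, nets)
    print("forwarders:", sorted(fwds))
    print("found networks:", sorted(map(str, nets)))
    print(f"unknown networks: {sorted(map(str, unknown))} ({ratio:.0%} of found)")
    print("multi-homed:", multi_homed(macs, nets))
```

Starting from a single seed, the crawl reaches all three forwarders, turns up two prefixes the IPAM record never mentions (a 50% gap on this toy network), and flags the one MAC that answers for addresses in two different segments. Swapping `CONSTRUCTED_FORWARDERS.get` for a function that actually walks the route and ARP tables over SNMP is the only change needed to run the same loop against a real network.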

Steady State – Upon initial deployment of Spectre, a baseline of normal network behavior is established over a short period of time. This baseline describes the network’s steady state – that range of behavior indicating health and normalcy on the network. Once certain parameters have been defined as normal, Spectre continuously monitors and flags any departure from one or more of them as anomalous.

Progress to Auto-Pilot – As new infrastructure elements are discovered, results are automatically tuned and refined. Discoveries trigger new threads of collection activity. The raw data backing map nodes is automatically updated. Maps refresh to display newly discovered entities. IT professionals are alerted to precisely those network events that merit attention. All in real time.
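The steady-state idea above, reduced to the two census parameters a discovery pass produces (which devices answer, and which TCP ports they expose), as an added example that is not Lumeta’s code. The baseline is learned from several passes, departures are raised as ALERT or WARN (the levels the Portal section of this data sheet names; the event names are this example’s own), and an approved snapshot can be folded back into the baseline, which is the “auto-pilot” step. The snapshots are constructed.

```python
"""Steady-state baseline and departure alerts over constructed census snapshots.

Added example, not Lumeta code. A snapshot is {device_ip: set(open TCP ports)},
the shape a host/service discovery pass might produce; the snapshots below are
constructed, and the event names are this example's own.
"""
from dataclasses import dataclass

# Three constructed baseline passes. 10.0.0.50 appears only once (a laptop
# that came and went), so it is not part of the steady state.
BASELINE_SNAPSHOTS = [
    {"10.0.0.1": {22, 161}, "10.0.0.10": {443}, "10.0.0.11": {22, 80}},
    {"10.0.0.1": {22, 161}, "10.0.0.10": {443}, "10.0.0.11": {22, 80}, "10.0.0.50": {22}},
    {"10.0.0.1": {22, 161}, "10.0.0.10": {443}, "10.0.0.11": {22, 80}},
]

# A later constructed pass: a new port on a known server, a brand-new device,
# and a steady-state device that has gone quiet.
LIVE_SNAPSHOT = {"10.0.0.1": {22, 161}, "10.0.0.10": {443, 3389}, "10.0.0.77": {445}}


@dataclass(frozen=True)
class Event:
    severity: str  # "ALERT" or "WARN"
    kind: str
    device: str
    detail: str


def build_baseline(snapshots):
    """Steady state = devices present in every pass, plus the union of ports
    ever seen open on each device during the baseline window."""
    stable = set.intersection(*(set(s) for s in snapshots))
    ports = {}
    for snap in snapshots:
        for ip, open_ports in snap.items():
            ports.setdefault(ip, set()).update(open_ports)
    return {"stable": stable, "ports": ports}


def departures(baseline, snapshot):
    """Flag everything in the snapshot that the baseline does not explain,
    and every steady-state device the snapshot failed to see."""
    events = []
    for ip, open_ports in snapshot.items():
        if ip not in baseline["ports"]:
            events.append(Event("ALERT", "NEW_DEVICE", ip, f"open ports {sorted(open_ports)}"))
            continue
        new_ports = open_ports - baseline["ports"][ip]
        if new_ports:
            events.append(Event("ALERT", "NEW_PORT", ip, f"newly open {sorted(new_ports)}"))
    for ip in sorted(baseline["stable"] - set(snapshot)):
        events.append(Event("WARN", "MISSING_DEVICE", ip, "steady-state device not seen"))
    return events


def learn(baseline, snapshot):
    """Fold an analyst-approved snapshot into the baseline so the same
    findings are not raised again (the "auto-pilot" step)."""
    for ip, open_ports in snapshot.items():
        baseline["ports"].setdefault(ip, set()).update(open_ports)
    return baseline


if __name__ == "__main__":
    base = build_baseline(BASELINE_SNAPSHOTS)
    for e in departures(base, LIVE_SNAPSHOT):
        print(f"{e.severity:5} {e.kind:15} {e.device:12} {e.detail}")
    learn(base, LIVE_SNAPSHOT)
    # After learning, the same snapshot raises only the missing-device warning.
    print([e.kind for e in departures(base, LIVE_SNAPSHOT)])
```

Note the asymmetry a practitioner would want: a device that appeared in only some baseline passes is remembered (so its reappearance is not an alert) but is not “stable”, so its absence is not a warning either; only devices seen in every pass are expected to stay.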

Indexing Stats Dashboard on the Command Center showing device counts, event counts, and event types across zones and featuring drill-down capability

VISUAL ANALYTICS

Visualization, mapping, reporting and alerting capabilities allow network security analysts to make relevant decisions about incidents quickly, while still providing forensic experts with details about any incident and its relation to other historical anomalies.

Dashboards – An operational overview of Zones, Notifications, Cyber Threats and Network Anomalies. Dashboards are configurable and user-definable, and provide comprehensive visibility into the entire network infrastructure – including data about network connections and devices. When new devices connect to the network, IT professionals are notified in real-time.

Zones – Create discovery zones, with individual rules and policies, to partition the continuous monitoring of security controls for compliance with regulatory and internal information security policies. This allows for discovery of enclaves, segregated networks, overlapping IP spaces, and more.

Dynamic Mapping – An interactive network topology map enabling global visibility across the enterprise, from high-level to specific devices. The map updates in real time as the network changes and includes sound alerts, visual effects and on-screen messaging to make it easier to stay apprised of changes.

Robust Reporting – Displaying a specific Zone’s index of findings, real-time reporting tools track network asset information and quickly identify changes in the network infrastructure. Next-generation reports include compliance reports and custom reports, all with drill-down capabilities. Historical Reporting is also available, letting you schedule snapshot-in-time reports to run on a regular, automated basis, building a useful audit trail against which you can identify changes in your network over time.

Advanced Analytics using Query Builder & Advanced Search – You can work with ingested data to write SQL-backed queries (via direct SQL queries or the Query Builder) that draw on the relationships between network, flow and intelligence data. You can work with “big data”, asking and answering questions of interest to your enterprise, and then filter the returned data set with a high level of control and specificity.
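The SQL-backed analytics described here, and the three correlations listed under Cybersecurity Breach Detection earlier in this data sheet (threat flows against a C2 feed, internal use of “red” ports, zombie hosts beaconing to bad actor sites), as one added example that is not Lumeta’s code or schema. It loads constructed device, NetFlow-style, threat-feed and red-port rows into an in-memory sqlite3 database and runs the three queries; the schema, the feed entries, the addresses (RFC 5737 test ranges) and the two red-port descriptions are all constructed for illustration.

```python
"""Breach analytics as SQL over network, flow and intel tables (sqlite3).

Added example, not Lumeta code and not its schema. The tables, the feed
entries, the NetFlow-style records and the "red port" list are all constructed
for this example; the three queries show the correlations the Breach Detection
section describes (threat flows, red-port use inside the network, zombies).
"""
import sqlite3

SCHEMA = """
CREATE TABLE devices (ip TEXT PRIMARY KEY, zone TEXT);           -- the indexed census
CREATE TABLE flows (src TEXT, dst TEXT, dport INTEGER, bytes INTEGER, ts INTEGER);
CREATE TABLE intel (ip TEXT PRIMARY KEY, category TEXT, source TEXT);
CREATE TABLE red_ports (port INTEGER PRIMARY KEY, description TEXT);
"""

# Constructed data. Descriptions in RED_PORTS are illustrative, not a feed.
DEVICES = [("10.0.0.10", "dmz"), ("10.0.0.11", "dmz"), ("10.1.0.20", "corp"), ("10.1.0.21", "corp")]
INTEL = [("203.0.113.7", "c2", "constructed-feed"), ("198.51.100.9", "bad-actor", "constructed-feed")]
RED_PORTS = [(4444, "common reverse-shell listener"), (31337, "classic backdoor port")]
FLOWS = [
    ("10.1.0.20", "203.0.113.7", 443, 900, 100),   # beacon to a C2 address
    ("10.1.0.21", "198.51.100.9", 80, 200, 100),   # repeated contact with a bad actor ...
    ("10.1.0.21", "198.51.100.9", 80, 210, 160),
    ("10.1.0.21", "198.51.100.9", 80, 190, 220),
    ("10.0.0.11", "10.1.0.20", 4444, 5000, 130),   # DMZ host reaching a corp host on a red port
    ("10.1.0.20", "192.0.2.50", 443, 3000, 140),   # ordinary outbound HTTPS, should not match
]

# Threat flows: any flow whose destination is a known C2 address.
THREAT_FLOWS = """
SELECT f.src, f.dst, f.dport, i.source
FROM flows f JOIN intel i ON i.ip = f.dst
WHERE i.category = 'c2'
ORDER BY f.ts"""

# Red ports: a flow on a listed port where both ends are indexed devices,
# i.e. the port is in use inside the network, not just exposed at the edge.
RED_PORT_FLOWS = """
SELECT f.src, f.dst, f.dport, r.description
FROM flows f
JOIN red_ports r ON r.port = f.dport
JOIN devices s ON s.ip = f.src
JOIN devices d ON d.ip = f.dst
ORDER BY f.ts"""

# Zombies: an indexed device that contacts the same bad actor repeatedly.
ZOMBIES = """
SELECT f.src, f.dst, COUNT(*) AS contacts
FROM flows f
JOIN intel i ON i.ip = f.dst
JOIN devices d ON d.ip = f.src
WHERE i.category = 'bad-actor'
GROUP BY f.src, f.dst
HAVING contacts >= ?
ORDER BY contacts DESC"""


def load(conn):
    """Create the tables and insert the constructed rows."""
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO devices VALUES (?, ?)", DEVICES)
    conn.executemany("INSERT INTO intel VALUES (?, ?, ?)", INTEL)
    conn.executemany("INSERT INTO red_ports VALUES (?, ?)", RED_PORTS)
    conn.executemany("INSERT INTO flows VALUES (?, ?, ?, ?, ?)", FLOWS)
    return conn


def breach_report(min_contacts=3):
    """Run the three correlations against an in-memory copy of the data."""
    conn = load(sqlite3.connect(":memory:"))
    try:
        return {
            "threat_flows": conn.execute(THREAT_FLOWS).fetchall(),
            "red_port_flows": conn.execute(RED_PORT_FLOWS).fetchall(),
            "zombies": conn.execute(ZOMBIES, (min_contacts,)).fetchall(),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for name, rows in breach_report().items():
        print(name)
        for row in rows:
            print("   ", row)
```

The join against the `devices` census is what makes these queries a network-visibility product’s queries rather than a plain flow filter: a red-port hit or a beaconing source that is not an indexed device is, by construction, something the index missed and belongs in the visibility-gap report instead.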


Lumeta Spectre dashboard showing network-based core indices

“LAYER ZERO” OF THE SECURITY & NETWORK MANAGEMENT ECOSYSTEM ARCHITECTURE

Lumeta Spectre is integrated with the ecosystem of security and network management tools such as IPAM, Modeling Tools, HVA, SIEM, GRC, Endpoint Detection & Response and Threat Intelligence.* Use of Lumeta Spectre’s foundational intelligence maximizes the effectiveness of, and protects your investment in, those tools.

Lumeta Spectre zone and indexing configuration.

Lumeta Spectre map.

SCALABLE TO THE WORLD’S LARGEST NETWORKS WITH TWO-TIER ARCHITECTURE

Lumeta Spectre does not disrupt operations in order to completely index a network - no matter how far-flung or numerous the resources are. Spectre scales to handle large data sets as easily as it does small data sets.

Lumeta Spectre is available as a cloud or virtual machine deployment and uses a distributed, two-tier model, proven at the world’s most complex networks. The system includes the Spectre Command Center and Spectre Scouts.

Spectre Command Center: A web-based management platform for administration, configuration, monitoring, visualization and reporting. The Command Center performs network architecture and segmentation analysis.

Spectre Scout: A distributed system for collecting network intelligence and reporting it back to the Spectre Command Center. “Smart” sensors perform active and passive indexing. They can be connected (virtually) to multiple zones or regions.

Lumeta Spectre Breach Detection dashboard showing zombie and Tor devices on the enterprise network, netflow to/from Tor and open ports associated with nefarious activity.


Lumeta Corporation, 300 Atrium Drive, Suite 302, Somerset, NJ 08873, USA. +1.732.357.3500 www.lumeta.com

© 2017 Lumeta Corporation. All rights reserved. Lumeta, the Lumeta logo and IPsonar are registered trademarks of Lumeta Corporation in the United States and other countries. All other trademarks or service marks are the property of their respective owners.

LUMETA SPECTRE PORTAL

The Lumeta Spectre Portal enables you to gather and centralize insights from multiple Lumeta Spectre Command Centers and stay apprised of their operational status. Using it, you can view the geographical position of Command Centers and know immediately when a priority event has occurred in a network associated with your Spectre infrastructure. Portal users can also view the dashboards, maps, reports, and device details for any deployed Command Center.

Priority notifications for a particular Command Center appear in real time on the Portal. The number and severity of notifications issued at the Command Center level are transmitted to the Portal and displayed as beaconing and badge indicators on its map. Notification details also display below the map. The Notifications table provides details on the 50 most recent ALERT- and WARN-level notifications issued by all of your Command Centers.

The Portal stays continuously in sync with the Command Centers; communication between the two occurs over HTTPS (TLS) on TCP port 443.

The Lumeta Spectre Portal shares the same code base, operating system, support libraries and versioning as Lumeta Spectre Command Centers and Lumeta Spectre Scouts, and the three are intended to be used together.

Lumeta Spectre Portal home screen displaying a few Lumeta Spectre Command Centers drawn against a geo-map.