Partner Training AED


Partner Training: Introduction to Arbor Edge Defense

COPYRIGHT © 2018 NETSCOUT SYSTEMS, INC. | CONFIDENTIAL & PROPRIETARY 1


NETSCOUT Arbor: Industry Leading DDoS Protection
 1/3: Amount of Internet traffic monitored by the ATLAS
 20: Number of years Arbor has been delivering innovative security and network visibility technologies & products
 Industry leader in DDoS attack protection products and services.
 https://horizon.netscout.com

NETSCOUT acquired Arbor Networks approx. 4 yrs ago.



What Is Arbor Edge Defense And What Does It Mean For You?
 Arbor Edge Defense is a new product from NETSCOUT Arbor.
 It was ‘soft’ announced at Black Hat, August 2018. Formal announcement is targeted for October 2018.
 Arbor Edge Defense is NETSCOUT Arbor’s evolution beyond just DDoS protection… providing the ability to detect and stop all types of inbound and outbound threats using highly curated threat intelligence from ASERT/ATLAS.
 Represents an immediate and long-term revenue opportunity for Arbor partners.
More Than Just DDoS Protection Is Required
[Diagram: Internet → Firewall → Internal Network / Data Center, with DDoS Attack Traffic, Inbound Cyber Threats (Cyber Attacks) and Outbound Threat Communication crossing the firewall.]
 Organizations need protection that can stop all types of cyber threats (inbound and outbound).
 Products must integrate into the security process and reduce complexity.



By Leveraging Our Strengths We Are Moving Beyond DDoS Protection
[Diagram: Experience / Expertise / Technology]
 Experience: 17 years Arbor has been delivering innovative security and network visibility technologies & products
 Expertise: ASERT, the Security Engineering & Response Team. Much more than DDoS threat intelligence!
 Technology


APS Begins Evolution to Arbor Edge Defense
[Diagram: Internet → APS/AED → Internal Network / Data Center, with DDoS Attack Traffic, Other Cyber Threats and Outbound Threat Communication.]
 Arbor APS’ (6.0) unique location on the network edge + stateless packet processing engine + ATLAS Global Threat Intelligence = Arbor Edge Defense (AED)
Arbor Edge Defense: First & Last Line of Smart Automated Defense
[Diagram: AED at the centre, fed by Unique Global Threat Intelligence with Continuous Updates; stops Inbound Threats and Outbound Threats; Stateless.]



Arbor Edge Defense: First Line of Defense
[Diagram: Internet → AED → Firewall → Internal Network / Data Center, with DDoS Attack Traffic and Other Cyber Threats stopped at AED.]
 Detect and Stop Inbound Threats:
 DDoS attacks.
 Malware and other advanced cyber threats.



Arbor Edge Defense: Last Line of Defense
[Diagram: Internal Network / Data Center → Firewall → AED → Internet, with Outbound Threat Communication from an Advanced Threat stopped at AED; DDoS Attack Traffic inbound.]
 Outbound: Identify & stop outbound threat communication
 The ability to use stateless, reputation-based technology to match and block on IP addresses, domains and individual URLs
 Block pages that are serving up malware or used in C2 communications.



Example of Outbound Detection and Containment
[Diagram: Outbound Threat Communication from the Internal Network / Data Center towards the Internet, contained at AED.]



The Security Stack is Complex…



The Industry is Changing Approach to Protection
• The average enterprise uses 75 security products to secure their network
• Many enterprises have too many security point tools and not enough time. Downsides = complex operations, employee burnout, low ROI and increased risk

“Integration is the new best of breed.” – Jon Oltsik, ESG Senior Principal Analyst
https://www.csoonline.com/article/3192874/security/enterprise-security-technology-consolidation.html



Availability Protection System (APS)
[Diagram: APS as the First Line of Defense, providing DDoS protection, alongside the rest of the security stack: NGFW, Cyber Threat Intelligence, IPS, URL Blocking, EDR, Security Process, etc.]
Arbor Edge Defense – Evolution of the APS
[Diagram: Arbor Edge Defense (AED) as the First Line of Defense, combining DDoS protection with a TIG as ADDED VALUE, alongside the rest of the security stack: TIP, NGFW, Cyber Threat Intelligence, IPS, URL Blocking, EDR, Security Process, etc.]
AED, Consolidating Capabilities, Adding Value
[Diagram: Arbor Edge Defense (AED) as the Last Line of Defense, consolidating DDoS, TIG, Outbound Threat Filtering, DNS Analytics and Contextual Threat Intelligence as ADDED VALUE, alongside the rest of the security stack: TIP, NGFW, Cyber Threat Intelligence, IPS, URL Blocking, EDR, Security Process, etc.]
APS & Arbor Edge Defense Futures
[Diagram: APS 6.0 = AED 6.0 (DDoS + Cyber); from there APS (DDoS, Cyber) and AED (DDoS, Cyber) continue as separate tracks.]
 Initially, APS 6.0 and AED 6.0 are essentially the same products (DDoS + Advanced Cyber Threat Blocking)
 APS will continue to be sold, with enhancements mainly focused on DDoS attack protection.
 AED will be a separate product with enhancements mainly focused on Advanced Cyber Threat Blocking (DDoS functionality matches APS)
NETSCOUT AED v6.1



NETSCOUT AED v6.1
 Released November 20, 2018
 Main Features Include:
 3M+ Indicators of Compromise (IoC)
 STIX/TAXII 2.0
 Contextual Threat Intelligence to blocked IoCs
 Federal Information Processing Standards (FIPS) and Common Criteria for Information Technology Security Evaluation (CC).





NETSCOUT AED v6.1 Enables Operationalization of Threat Intelligence
[Diagram: threat intelligence sources (ATLAS Intelligence Feed (AIF); ASERT Global Threat Intelligence & Analytics; Open Source; ISAC; Premium; Internal; 3rd Party) feed a Threat Intelligence Platform, which delivers 3M+ Indicators of Compromise (IoC) to NETSCOUT AED over STIX/TAXII (2.0) and REST API.]
STIX/TAXII https://oasis-open.github.io/cti-docume
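The two slides above (stateless reputation matching on IP addresses, domains and URLs, and STIX/TAXII feeds driving the blocklist) come together in the following added example, which is not code from the deck or from NETSCOUT. It reads a constructed STIX 2.0 bundle of the kind a TAXII 2.0 poll would return, turns the simple indicator patterns into match sets, honours revoked indicators, and classifies outbound connections against them; all addresses, domains and ids are placeholders.

```python
import json
import re
from ipaddress import ip_address
from urllib.parse import urlparse

def indicator(n, pattern, revoked=False):
    """Constructed STIX 2.0 indicator; ids are placeholders, values are documentation addresses."""
    return {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-%012d" % n,
            "labels": ["malicious-activity"], "pattern": pattern, "revoked": revoked}

SAMPLE_BUNDLE = json.dumps({          # what a TAXII 2.0 collection poll might return
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "spec_version": "2.0",
    "objects": [indicator(2, "[ipv4-addr:value = '203.0.113.5']"),
                indicator(3, "[domain-name:value = 'c2.example.net']"),
                indicator(4, "[url:value = 'http://dl.example.org/payload.bin']"),
                indicator(5, "[ipv4-addr:value = '198.51.100.9']", revoked=True)]})
# Only single-comparison patterns are turned into block entries; anything richer is skipped.
PATTERN_RE = re.compile(r"^\[(ipv4-addr|ipv6-addr|domain-name|url):value\s*=\s*'([^']+)'\]$")
def load_blocklist(bundle_json):
    """Reduce STIX indicators to three stateless match sets: ip, domain, url."""
    sets = {"ip": set(), "domain": set(), "url": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue                      # a revoked indicator must stop blocking
        m = PATTERN_RE.match(obj.get("pattern", ""))
        if not m:
            continue
        kind, value = m.groups()
        if kind in ("ipv4-addr", "ipv6-addr"):
            sets["ip"].add(str(ip_address(value)))   # canonical spelling, e.g. IPv6 forms
        elif kind == "domain-name":
            sets["domain"].add(value.lower().rstrip("."))
        else:
            sets["url"].add(value)
    return sets

def match_domain(sets, host):
    """Exact or parent-domain hit: 'update.c2.example.net' matches 'c2.example.net'."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in sets["domain"] for i in range(len(labels)))

def classify(sets, dst_ip=None, url=None):
    """Which indicator kind an outbound connection hit ('ip', 'url', 'domain') or None."""
    if dst_ip and str(ip_address(dst_ip)) in sets["ip"]:
        return "ip"
    if url and url in sets["url"]:
        return "url"
    if url and match_domain(sets, urlparse(url).hostname or ""):
        return "domain"
    return None
```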





Edge Defense Manager (EDM) and ATLAS Integration
[Diagram: AED between the Internet (DDoS attack, outbound malicious communication) and the internal network; Edge Defense Manager; ASERT Global Threat Intelligence & Analytics returning Contextual Threat Intel.]
1. AED blocks the inbound DDoS attack and sends an alert to EDM.
2. AED blocks the outbound communication and sends an alert/IoC to EDM and ASERT.
3. Using ATLAS Threat Intelligence, additional context related to the alert/IoC is sent back to EDM.
4. EDM consolidates all alerts, and displays details and additional context related to IoCs.



What Does Edge Defense Manager Do & Look Like?
[Screenshots: Consolidation & Analysis of DDoS Alerts; Consolidation & Analysis of Blocked Outbound IoC Alerts; Contextual Threat Intelligence]


NETSCOUT AED v6.2 and 6.3



Overview of AED 6.2.2 and 6.3

COMPLIANCE – AED 6.2.2 (GA June 2019)
 Federal Information Processing Standards (FIPS) and the Common Criteria for Information Technology Security Evaluation (Common Criteria) standards.

INTEGRATION – AED 6.3 (GA August 20, 2019)
 Anomali
 Splunk

ENHANCING PROTECTION – AED 6.3 (GA August 20, 2019)
 GRE traffic mitigation
 Passing TLS 1.3 traffic
 Outbound Geo location filtering
 Support for new 40Gbs NIC
 Workflow enhancements



Overview of AED 6.2.2

COMPLIANCE – AED 6.2.2 (GA June 2019)
 Federal Information Processing Standards (FIPS) and the Common Criteria for Information Technology Security Evaluation (Common Criteria) standards.

INTEGRATION – AED 6.3 (GA August 19, 2019)
 Anomali
 Splunk
 Chronicle (soon)

ENHANCING PROTECTION – AED 6.3 (GA August 19, 2019)
 GRE traffic mitigation
 Passing TLS 1.3 traffic
 Outbound Geo location filtering
 Support for new 40Gbs NIC
 Workflow enhancements



AED v6.2.2 FIPS & CC Compliance
 Federal Information Processing Standards (FIPS)
 FIPS is a government certification standard in the United States that defines the requirements for cryptographic modules.
 AED meets the FIPS 140-2 standard, Level 1.
 Cert on NIST – https://csrc.nist.gov/Projects/cryptographic-module-validation-program/Certificate/3457
 The Common Criteria for Information Technology Security Evaluation (referred to as Common Criteria or CC) is an international standard (ISO/IEC 15408) for computer security certification. It is currently in version 3.1 revision 5.
 The AED (and APS) was evaluated against the Common Criteria’s Protection Profile for Network Devices and is compliant with v3.1, rev 5. Final approval paperwork has been submitted to NIAP – certificate expected in Sept 2019.

 Benefit:
 Since FIPS 140-2 sets a high security benchmark, other industries such as healthcare and finance and other countries are also adopting the standard for securing their sensitive data.
 We can now sell AED in more environments than before.
Overview of AED 6.3

Target: SecOps buyer persona.
Value: AED is an integrated component of the existing security stack and process.

CERTIFICATION – AED 6.2 (GA June 2019)
 Federal Information Processing Standards (FIPS) and the Common Criteria for Information Technology Security Evaluation (Common Criteria) standards.

INTEGRATION – AED 6.3 (GA August 20, 2019)
 Anomali
 Splunk

ENHANCING PROTECTION – AED 6.3 (GA August 19, 2019)
 GRE traffic mitigation
 Passing TLS 1.3 traffic
 Outbound Geo location filtering
 Support for new 40Gbs NIC
 Workflow enhancements



AED 6.3 Integration with Security Stack and Process
[Diagram: Inbound Threats from the Internet pass Arbor Cloud and reach AED, which applies Stateless DDoS Protection and Reputational-Based IoC Blocking fed by ATLAS Threat Intelligence; behind it sit the stateful NGFW and End Points, whose Outbound Threat Communication AED blocks. AED exchanges Syslog (CEF, LEEF), API and STIX / TAXII with (1) a TIP (Anomali) carrying 3rd Party Cyber Threat Intelligence and (2) a SIEM (i.e. Splunk).]



AED Integration with Anomali
 Anomali is a leading Threat Intelligence Platform (TIP) vendor. https://www.anomali.com/platform
 TIP: Defined by its capability to perform four key functions:
 Aggregation of intelligence from multiple sources
 Curation, normalization, enrichment, and risk scoring of data
 Integrations with existing security systems (i.e. AED)
 Analysis and sharing of threat intelligence
[Diagram: Anomali platform ↔ AED]



Anomali ThreatStream Integrator & AED
 Anomali ThreatStream Integrator is software that allows one to integrate the threat intelligence of Anomali’s ThreatStream with 3rd party security tools – e.g. Arbor Edge Defense



This is what we mean by Integration and Enforcement of Threat Intelligence (ATLAS or 3rd party)

• TAXII config is handled automatically by the Anomali plugin
• When traffic matches Anomali IoCs, Blocked Host alerts are generated and sent to SIEM (i.e. Splunk)



AED 6.3 Integration with Splunk
https://github.com/arbor/TA_netscout_aed
 New Splunk App that will receive and parse either CEF or LEEF syslog messages coming from AED.
 Available on GitHub as a public distribution.
 Splunk Technical Add-On for NETSCOUT AED



AED Alert in Splunk
 Details of the packet AED blocked (src IP, src port, dst IP, dst port, and protocol) are available in the alert details.
 Details that can be used by other security products (i.e. Arbor Threat Analytics).
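As an added illustration of what the Splunk add-on has to do with a Blocked Host alert (this is not the TA_netscout_aed code, and the sample lines are constructed; the vendor/product header values and extension key names are assumptions, not AED's actual output), the parser below accepts both CEF and LEEF syslog lines, validates the blocked packet's addresses and ports, and normalises them into the one 5-tuple another product can pivot on.

```python
import re
from ipaddress import ip_address

# Constructed sample alerts in the two syslog formats the Splunk TA accepts; the header
# values and extension key names are assumptions for illustration, not AED's real output.
CEF_LINE = ("CEF:0|NETSCOUT|AED|6.3|blocked_host|Blocked Host|7|"
            "src=10.0.0.25 spt=51234 dst=203.0.113.5 dpt=443 proto=TCP")
LEEF_LINE = ("LEEF:1.0|NETSCOUT|AED|6.3|blocked_host|"
             "src=10.0.0.25\tsrcPort=51234\tdst=203.0.113.5\tdstPort=443\tproto=TCP")

# CEF and LEEF name the blocked packet's 5-tuple differently; map both onto one schema.
FIELD_MAP = {"src": "src_ip", "dst": "dst_ip", "proto": "protocol",
             "spt": "src_port", "dpt": "dst_port",           # CEF port keys
             "srcPort": "src_port", "dstPort": "dst_port"}   # LEEF port keys

def _split_header(line, n):
    """First n '|'-delimited header fields (honouring the '\\|' escape) plus the remainder."""
    fields = re.split(r"(?<!\\)\|", line, maxsplit=n)
    if len(fields) != n + 1:
        raise ValueError("truncated header: %r" % line)
    return [f.replace("\\|", "|") for f in fields[:n]], fields[n]

def parse_alert(line):
    """Parse one CEF or LEEF line into a dict with a normalised 5-tuple."""
    if line.startswith("CEF:"):
        hdr, ext = _split_header(line, 7)
        pairs = re.split(r" (?=[A-Za-z0-9_.]+=)", ext)   # CEF values may contain spaces
    elif line.startswith("LEEF:"):
        n = 6 if line.startswith("LEEF:2.0") else 5       # LEEF 2.0 adds a delimiter field
        hdr, ext = _split_header(line, n)
        delim = "\t"
        if n == 6 and hdr[5]:
            delim = chr(int(hdr[5][1:], 16)) if hdr[5].startswith("x") else hdr[5]
        pairs = ext.split(delim)
    else:
        raise ValueError("not a CEF/LEEF line")
    alert = {"format": hdr[0], "vendor": hdr[1], "product": hdr[2], "event": hdr[4]}
    for key, value in (p.split("=", 1) for p in pairs if "=" in p):
        if key in FIELD_MAP:
            alert[FIELD_MAP[key]] = value
    for k in ("src_ip", "dst_ip"):      # validate before other tools pivot on these values
        alert[k] = str(ip_address(alert[k]))
    for k in ("src_port", "dst_port"):
        alert[k] = int(alert[k])
    return alert

def five_tuple(alert):
    """The key another product (e.g. a flow analytics tool) would pivot on."""
    return (alert["src_ip"], alert["src_port"], alert["dst_ip"],
            alert["dst_port"], alert["protocol"].upper())
```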



Overview of AED 6.3

Target: NetOps buyer persona (responsible for DDoS protection).
Value: Enhancements to DDoS attack provisioning, tuning and protection.

CERTIFICATION – AED 6.2 (GA June 2019)
 Federal Information Processing Standards (FIPS) and the Common Criteria for Information Technology Security Evaluation (Common Criteria) standards.

INTEGRATION – AED 6.3 (GA August 19, 2019)
 Anomali
 Splunk
 Chronicle (soon)

ENHANCING PROTECTION – AED 6.3 (GA August 20, 2019)
 GRE traffic mitigation
 Passing TLS 1.3 traffic
 Outbound Geo location filtering
 Support for new 40Gbs NIC
 Workflow enhancements



AED Inspection of GRE Traffic
[Diagram: Botnet attack traffic and good traffic cross The Internet; the Arbor Cloud Scrubbing Center (In-Cloud) returns traffic to AED (On-Prem) over a GRE tunnel.]
1. When AED executes a Cloud Signal, ALL traffic (attack and good) is redirected to Arbor Cloud for mitigation.
2. Arbor Cloud (or MSSP) conducts in-cloud mitigation and returns non-scrubbed traffic back to AED via a GRE tunnel. Missed attack traffic may reside in this return.
3. In v6.3, AED now inspects & blocks attacks in returned traffic via the GRE tunnel. In the past it did not until the cloud signal was deactivated.
Benefits:
Better Hybrid Protection against sophisticated, multi-vector attacks.
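To make step 3 concrete, here is an added example (not AED's code) of the decapsulation an on-premises device must perform before its countermeasures can see the traffic returned from the scrubbing centre: it strips the outer IPv4 and GRE headers (RFC 2784/2890, including the optional key field) and exposes the inner packet's 5-tuple. The tunnel endpoints and inner addresses are constructed placeholders.

```python
import struct
from ipaddress import IPv4Address

GRE = 47   # IP protocol number of GRE; inner Ethertype 0x0800 = IPv4

def ipv4_header(pkt):
    """(header_len, protocol, src, dst) of an IPv4 packet; ValueError if not one."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    return ihl, pkt[9], str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20]))

def gre_decapsulate(pkt):
    """Strip outer IPv4 + GRE (RFC 2784/2890) and return the inner IPv4 packet."""
    ihl, proto, _, _ = ipv4_header(pkt)
    if proto != GRE:
        raise ValueError("outer packet is not GRE")
    flags, ptype = struct.unpack("!HH", pkt[ihl:ihl + 4])
    if flags & 0x0007 or ptype != 0x0800:
        raise ValueError("unsupported GRE version or inner protocol")
    # optional fields, 4 bytes each: C (checksum+reserved), K (key), S (sequence)
    opt = sum(4 for bit in (0x8000, 0x2000, 0x1000) if flags & bit)
    return pkt[ihl + 4 + opt:]

def inner_flow(pkt):
    """5-tuple of the packet inside the tunnel: what the countermeasures must be applied to."""
    inner = gre_decapsulate(pkt)
    ihl, proto, src, dst = ipv4_header(inner)
    sport = dport = None
    if proto in (6, 17) and len(inner) >= ihl + 4:   # TCP / UDP carry ports first
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return src, sport, dst, dport, proto

def build_ipv4(src, dst, proto, payload=b""):
    """Constructed minimal IPv4 packet (checksum left zero; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed) + payload

def build_gre_return(inner, key=None):
    """Constructed tunnel packet from the scrubbing centre to AED (addresses are placeholders)."""
    flags = 0x2000 if key is not None else 0            # K bit set when a key is carried
    gre = struct.pack("!HH", flags, 0x0800) + (struct.pack("!I", key) if key is not None else b"")
    return build_ipv4("198.51.100.1", "192.0.2.1", GRE, gre + inner)
```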



AED Properly Passes TLS 1.3 Traffic
 What is TLS 1.3?
 Transport Layer Security (TLS) is the more secure and faster successor to Secure Sockets Layer (SSL).
 Many IP-based protocols, such as HTTPS, SMTP, POP3 and FTP, support TLS to encrypt data between client and server.
 TLS 1.3 was released in August 2018, and customers are migrating to it.
 In the past, AED’s TLS malformed countermeasures didn’t recognize the new options in TLS 1.3 and would reject TLS 1.3 traffic as malformed.
 In AED 6.3 this has been fixed and TLS 1.3 traffic is passed and inspected properly.

 Benefit: Allows customers to deploy AED where they may not have been able to before due to the dropped traffic.
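The deck does not say how AED's check was changed; the added example below (not AED's code) shows the parsing rule any malformed-TLS check has to follow for TLS 1.3 per RFC 8446: the ClientHello keeps legacy_version at 0x0303, advertises the real versions in the supported_versions extension (type 43), and may carry extension types the parser has never seen, so only the length fields are grounds for calling a record malformed. The ClientHello builder is a constructed helper for producing test input.

```python
import struct

SUPPORTED_VERSIONS = 43   # RFC 8446 extension carrying a TLS 1.3 client's real version list

def build_client_hello(versions=(), extra_ext=()):
    """Constructed ClientHello record; legacy_version stays 0x0303 as RFC 8446 requires."""
    exts = b"".join(struct.pack("!HH", t, len(b)) + b for t, b in extra_ext)
    if versions:
        vlist = b"".join(struct.pack("!H", v) for v in versions)
        exts += struct.pack("!HHB", SUPPORTED_VERSIONS, len(vlist) + 1, len(vlist)) + vlist
    hello = (b"\x03\x03" + bytes(32) + b"\x00"       # legacy_version, random, empty session id
             + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Return (legacy_version, offered_versions, extension_types); raises on bad length fields."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 1:
        raise ValueError("not a ClientHello handshake record")
    n = int.from_bytes(rec[6:9], "big")
    hello = rec[9:9 + n]
    if len(hello) != n or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    legacy = struct.unpack("!H", hello[:2])[0]
    off = 34                                                # past version + random
    off += 1 + hello[off]                                   # legacy_session_id
    off += 2 + struct.unpack("!H", hello[off:off + 2])[0]   # cipher_suites
    off += 1 + hello[off]                                   # legacy_compression_methods
    offered, types = [legacy], []
    if off < len(hello):                                    # extensions block (absent in old clients)
        end = off + 2 + struct.unpack("!H", hello[off:off + 2])[0]
        if end != len(hello):
            raise ValueError("extensions length mismatch")
        off += 2
        while off < end:
            etype, elen = struct.unpack("!HH", hello[off:off + 4])
            data = hello[off + 4:off + 4 + elen]
            if len(data) != elen:
                raise ValueError("truncated extension")
            types.append(etype)   # unknown types (GREASE, newer extensions) are kept, not rejected
            if etype == SUPPORTED_VERSIONS:
                offered = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
            off += 4 + elen
    return legacy, offered, types

def highest_offered(rec):
    """The version a sanity check should reason about: max of supported_versions, else legacy."""
    return max(parse_client_hello(rec)[1])
```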



AED Supports Outbound Geo Location Blocking
[Diagram: AED between the Internet and On-Prem; Inbound Traffic Blocked from Geo Location; Outbound Traffic Blocked to Geo Location.]
 Many customers (for example, financial institutions) seek to block communications with computers located in sanctioned nations as a means of complying with regulations prohibiting doing business with those countries.
 Customers can currently do this for inbound communications with AED; in AED v6.3 this can be done for outbound communication.
