Threat Defender uses a concept of enriched network objects to apply policy rules specifically to traffic initiated from and/or directed to specific assets and groups of assets in the network. Using static network objects (SNOs) and dynamic network objects (DNOs), Threat Defender provides a virtual overlay security network with a dynamically changing topology on top of the physical network. These network objects are used to adapt the network segmentation dynamically and at runtime based on asset/user behavior without requiring a change in the existing network topology.
Network objects can be used in multiple rules simultaneously. This means it is possible to apply a set of rules to a group of assets without redefining the group for each rule. If an asset is part of several network objects, multiple policies can be layered and applied to that asset.
The following simplified example workflow illustrates how network segmentation using static and dynamic network objects can be effected:
Static network objects (SNOs) segment the network based on the purpose of the assets. Dynamic network objects (DNOs) segment the network based on the asset behavior.
In this example, the DNO called “RC” is used to contain clients that are remotely accessed. This way, specific rules can be applied to them, e.g. to deny them access to the internal servers.
Using rules, Threat Defender monitors the communication behavior in the network.
If suspicious or unwanted behavior is detected, a rule adds the respective client to dynamic network objects.
In this example, client B is remotely accessed. Therefore it is added to the DNO “RC”.
Another rule rejects all communication from clients in this dynamic network object to the internal servers.
Static Network Objects¶
Static network objects are used to group hosts and devices. They are used globally, meaning they are available for all rules. The following attributes can be used to assign devices to a static network object:
Inclusion and exclusion of individual MAC addresses and MAC address ranges
You can define static network objects using just one or any combination of these attributes.
For example, it is possible to have a network object that matches all devices in VLAN 21.
But you can also have very specific conditions, e.g. only devices with IP network
10.10.10.0/27 in VLAN 5 match.
See Creating Static Network Objects for further information.
Dynamic Network Objects¶
Dynamic network objects are used to track the state of hosts and create host groups with common behavior on the fly. The hosts of the group share a specific characteristic or property that is not static but depends on events happening dynamically in the running system. Based on this behavior, a specific set of policies is applied to them. This allows the policy engine to adapt to changing situations. It dynamically controls what rules are applied to different groups of hosts in real time.
Dynamic network objects are lists of individual IPv6/IPv4 addresses and/or MAC addresses. IP and MAC addresses can be added dynamically and are removed either by an explicit rule action or automatic timeout.
cognitix Threat Defender adds a new type of action to the policy rule language to add the source or destination IP/MAC address of a flow to a dynamic network object. These dynamic network objects can then be used to match the source and destination of flows in other rules to dynamically apply policies to all traffic of a device depending on the behavior of that device. This allows for automatically safeguarding the network without the need to manually maintain long, unordered network object lists.
In combination with the Behavior-based Correlation engine, the dynamic network objects allow you to react to changing, unwanted or suspicious behavior by enforcing policies that are applied to all the flows generated by certain hosts and not just to individual flows.
Dynamic network objects can be global (available for all rules) or be defined and used within a correlation scenario for individual hosts or groups of hosts.
Using dynamic network objects, you can for example:
Define a policy that automatically adds all source hosts in the network that trigger a certain number of threat intelligence incidents to a dynamic network object. You can then implement various access restriction policies for that object.
Using the timeout feature of dynamic network objects, you can block hosts for a certain amount of time.
For information on the settings options of network objects, see Network Objects.
For examples on segmenting your network using Threat Defender, see Using Network Segmentation.