About cognitix Threat Defender
cognitix Threat Defender (or Threat Defender for short) is an inline Threat Intelligence and Protection Platform (TIPP) that collects information from the network traffic in real time. Threat Defender enriches this network-specific data with up-to-date threat intelligence indicators of compromise (IoCs) and context from multiple external sources. With its behavior-based correlation and policy engine, Threat Defender correlates network data and events in real time to discover hidden patterns and behaviors and to initiate responses to potential threats. Through dynamic network segmentation, it applies policy rules to hosts as their behavior changes at runtime. Threat Defender uses asset tracking to monitor and manage network assets and to apply policy rules to individual devices or groups of devices. The advanced interactive reporting system with drill-down capabilities visualizes the collected information and complex network relationships to allow for in-depth analyses of the network behavior.
1. Threat Intelligence
Threat Defender obtains constantly updated threat intelligence (TI) information from multiple open source and commercial threat intelligence feeds. These TI feeds provide various types of indicators of compromise, such as IP addresses, URLs, malware downloads, usernames, file hashes, domains, email addresses, etc.
The TI subsystem of Threat Defender is continuously active so that Threat Defender integrates the threat intelligence at wire speed and in real time.
Threat Defender puts TI data in context with the data collected from the network as well as with external metadata, such as geolocation, WHOIS data, URLs, domains, etc. This allows for a fine-grained differentiation and classification of threats. Using this contextualized threat data, you can analyze current and historical network behavior in depth and design the policies needed to protect the network with behavior-based correlation.
2. Behavior-based Correlation
Threat Defender uses behavior-based correlation to analyze the entire network traffic inline and in real time.
The single-pass correlation and policy engine of Threat Defender correlates current traffic flows as well as historical information from previous flows. This way, it detects anomalies such as hidden and unknown patterns in the behavior of users and devices within seemingly unrelated traffic flows and events. Based on this detected behavior, granular multi-level policy rules can be created. Threat Defender dynamically executes these rules. All rule scenarios are evaluated for each network flow and no traffic can pass Threat Defender without being handled by the correlation engine. This way Threat Defender can detect and stop attacks before they can do serious damage and spread through the network.
Behavior-based correlation is implemented using event tracking tables (ETTs), which track properties of the network traffic. Policy rules write pairs of attributes into these tables and evaluate the tracked entries. Based on the evaluation result, further actions can be taken, such as isolating certain hosts.
Threat Defender can add hosts to dynamic network objects based on their behavior, dynamically adapting the network segmentation.
3. Dynamic Network Segmentation
Threat Defender uses dynamic network segmentation to react to changes in the network behavior at runtime.
Dynamic network segmentation is enabled by dynamic network objects (DNOs), which are dynamic lists of IP and MAC addresses that can be used in the source/destination conditions of policy rules. Dynamic network objects group assets dynamically and allocate them to network segments based on specific properties that they share. Rules add the respective assets to dynamic network objects. These dynamic network objects can then be used to match the source and destination of flows in other rules, so that policies apply to all traffic of an asset depending on the behavior of that asset. In other words, the set of rules applied to an asset depends on its behavior. This allows Threat Defender to react to changed or unwanted behavior on the fly without human intervention.
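The following added example illustrates the mechanism described in the two preceding sections (event tracking tables feeding a dynamic network object that later rules match on). It is not cognitix code and does not use Threat Defender's rule syntax: the two rules, the "five distinct destination ports in ten seconds" threshold, the DNO name and the sample flows are all assumptions made for this illustration.

```python
"""Added illustration of ETT + DNO correlation (not cognitix code).

Rule logic, thresholds and sample flows below are invented for this example.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float        # seconds, monotonic within the sample
    src_ip: str
    dst_ip: str
    dst_port: int


class EventTrackingTable:
    """Tracks attribute pairs (key, value) and answers: how many distinct
    values has this key been paired with inside the sliding window?"""

    def __init__(self, window: float):
        self.window = window
        self._seen = defaultdict(dict)   # key -> {value: last_seen_ts}

    def add(self, key, value, ts: float) -> int:
        values = self._seen[key]
        values[value] = ts
        # Expire stale pairs so a burst, not a lifetime total, triggers rules.
        for v, t in list(values.items()):
            if ts - t > self.window:
                del values[v]
        return len(values)


class DynamicNetworkObject:
    """A named, mutable set of addresses that rules add to and match on."""

    def __init__(self, name: str):
        self.name = name
        self.members = set()

    def add(self, address: str) -> None:
        self.members.add(address)

    def __contains__(self, address: str) -> bool:
        return address in self.members


class Engine:
    SCAN_PORTS = 5       # assumed: distinct destination ports that count as a scan
    SCAN_WINDOW = 10.0   # assumed: seconds

    def __init__(self):
        self.ports_per_src = EventTrackingTable(self.SCAN_WINDOW)
        self.quarantine = DynamicNetworkObject("quarantine")

    def handle(self, flow: Flow) -> str:
        # Rule 1: anything from a quarantined source is dropped, regardless of
        # destination. This is the "policy follows the asset" effect of a DNO.
        if flow.src_ip in self.quarantine:
            return "drop"
        # Rule 2: record the (src_ip, dst_port) pair in the ETT; too many
        # distinct ports inside the window adds the source to the DNO.
        distinct = self.ports_per_src.add(flow.src_ip, flow.dst_port, flow.ts)
        if distinct >= self.SCAN_PORTS:
            self.quarantine.add(flow.src_ip)
            return "drop"
        return "accept"


SAMPLE_FLOWS = [  # constructed sample traffic
    Flow(0.0, "10.0.0.5", "10.0.0.20", 443),
    *(Flow(float(i), "10.0.0.7", "10.0.0.20", p)
      for i, p in enumerate((22, 23, 25, 80, 135), start=1)),
    Flow(6.0, "10.0.0.7", "10.0.0.20", 443),   # benign port, but the host is now quarantined
    Flow(7.0, "10.0.0.5", "10.0.0.20", 80),
    *(Flow(float(i), "10.0.0.9", "10.0.0.21", p)
      for i, p in enumerate((21, 22, 23, 25), start=8)),
    Flow(60.0, "10.0.0.9", "10.0.0.21", 3389),  # earlier pairs have expired from the window
]


def run_sample():
    """Run the sample through a fresh engine; returns (engine, verdicts)."""
    engine = Engine()
    verdicts = [(f.src_ip, f.dst_port, engine.handle(f)) for f in SAMPLE_FLOWS]
    return engine, verdicts


if __name__ == "__main__":
    _, results = run_sample()
    for src, port, verdict in results:
        print(f"{src:10} -> :{port:<5} {verdict}")
```

Two points worth noticing when running it: once 10.0.0.7 crosses the threshold, its later flow to port 443 is dropped by Rule 1 alone, without Rule 2 ever looking at it again, which is exactly what matching a DNO in the source condition of another rule buys you; and 10.0.0.9, whose four probes are followed by a long pause, never reaches the threshold because the sliding window expires the old pairs. Choosing that window is the real tuning decision: too long and slow scans still trigger, but so does ordinary browsing to a multi-service host.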
4. Asset Tracking
Threat Defender tracks the devices in the network based on their IP and MAC addresses. This way, all devices in the network can be clearly identified and managed. This asset data is enriched with specific metadata such as operating system type, last seen IP address, hostname, etc. Threat Defender assigns each asset a UUID. Asset information is logged in a dedicated asset log and used in the drill-down reporting system, where information can be displayed by asset. Policy rules can add assets to network objects and event tracking tables, which means that rules can be applied to specific assets. Policy rules can also be created for specific groups of assets, for example for all assets running Windows as their operating system.
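As an added example of what asset tracking has to get right, the toy tracker below assigns a UUID on first sight, keeps it stable when a device's IP changes, records the previous addresses, and lets a rule select a group such as "all Windows assets" by their current IPs. This is not cognitix code; the choice of MAC as the identity key, the field names and the sample sightings are assumptions made for this example.

```python
"""Added illustration of asset tracking (not cognitix code).

Field names, the MAC-as-identity choice and the sample sightings are
assumptions made for this example.
"""
import uuid
from dataclasses import dataclass, field


@dataclass
class Asset:
    asset_id: str                 # stable UUID assigned on first sight
    mac: str
    last_ip: str
    first_seen: float
    last_seen: float
    os: str = "unknown"
    hostname: str = ""
    ip_history: list = field(default_factory=list)   # previous IPs, oldest first


class AssetTracker:
    """Identifies devices by MAC and keeps the latest IP and metadata per device."""

    def __init__(self):
        self._by_mac = {}

    def observe(self, mac: str, ip: str, ts: float,
                os: str = None, hostname: str = None) -> Asset:
        mac = mac.lower()   # normalise so "AA:BB" and "aa:bb" are one device
        asset = self._by_mac.get(mac)
        if asset is None:
            # First sighting: mint the UUID once; it never changes afterwards.
            asset = Asset(asset_id=str(uuid.uuid4()), mac=mac, last_ip=ip,
                          first_seen=ts, last_seen=ts)
            self._by_mac[mac] = asset
        elif asset.last_ip != ip:
            # Same device, new address (e.g. DHCP lease change): update in place
            # rather than creating a second asset.
            asset.ip_history.append(asset.last_ip)
            asset.last_ip = ip
        asset.last_seen = max(asset.last_seen, ts)
        if os:
            asset.os = os
        if hostname:
            asset.hostname = hostname
        return asset

    def select(self, predicate):
        """All assets for which predicate(asset) is true."""
        return [a for a in self._by_mac.values() if predicate(a)]

    def current_addresses(self, predicate):
        """Sorted current IPs of the matching assets: what a rule scoped to a
        group such as 'all Windows assets' would apply to right now."""
        return sorted(a.last_ip for a in self.select(predicate))


def run_sample() -> AssetTracker:
    """Feed constructed sightings into a fresh tracker and return it."""
    t = AssetTracker()
    t.observe("aa:bb:cc:00:00:01", "10.0.0.5", 0.0, os="Windows", hostname="ws01")
    t.observe("aa:bb:cc:00:00:02", "10.0.0.6", 1.0, os="Linux", hostname="srv01")
    t.observe("AA:BB:CC:00:00:01", "10.0.0.9", 100.0)               # ws01 got a new lease
    t.observe("aa:bb:cc:00:00:03", "10.0.0.5", 120.0, os="Windows")  # old IP reused by another device
    return t


if __name__ == "__main__":
    tracker = run_sample()
    for a in tracker.select(lambda a: True):
        print(a.asset_id, a.mac, a.last_ip, a.os, a.hostname, a.ip_history)
    print("Windows rule applies to:", tracker.current_addresses(lambda a: a.os == "Windows"))
```

The fourth sighting is the case that matters: 10.0.0.5 is seen again, but from a different MAC, so an IP-keyed tracker would have silently merged two devices and applied ws01's history to a stranger. The caveat is the mirror image: a MAC is only visible on the local segment, so for traffic arriving through a router the observed MAC is the router's, and identity has to fall back to the IP address with the uncertainty that brings.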
5. Drill-down Reporting
The interactive drill-down reporting system of Threat Defender provides real-time, in-depth insight into all of the network traffic. It uses interactive charts to visualize various network data and behavior to help identify threats and threat actors.
Threat Defender provides over 600 reporting matrices and charts. The network traffic can be examined from multiple angles: by source and destination assets, IP addresses, applications/protocols, URLs, etc.
For external logging, Threat Defender supports the open, non-proprietary protocols IPFIX and syslog. The standard IPFIX reporting is enriched with custom cognitix-specific events and information. The collected and analyzed data can be exported and made available to other security systems.
- For information on how to install and set up Threat Defender, refer to the Installation and Setup section.
- For examples that illustrate how to use Threat Defender, see Basic Usage and Advanced Usage.
- If you want to look up screens of the user interface and the settings options they contain, refer to Interface Reference.