Federal Agency Fortifies Its Network Against Cyberattacks

As critical infrastructure becomes more connected and complex, cyberthreats put US security at risk. To address this issue, the National Institute of Standards and Technology (NIST) created a framework to guide organizations in preventing, detecting, and responding to cyberattacks

In part to comply with the NIST cybersecurity architecture, a US federal government agency instituted a department-wide initiative to achieve notable improvements to its cybersecurity posture. The agency conducted an internal network and risk mitigation assessment for cybersecurity monitoring, threat detection, and automated response capabilities.

As part of this effort, the agency realized the need for enhanced visibility to properly support its security architecture. The project included an evaluation of network packet brokers (NPBs). The goal was to start with an out-of-band deployment and later add inline security monitoring to its architecture. The agency wanted one future-proof solution that would satisfy both objectives.

The customer chose Keysight’s Vision ONE series of NPBs and Flex Taps as the solution. The Keysight SecureStack feature set provides Secure Sockets Layer (SSL) / Transport Layer Security (TLS) decryption. Keysight’s AppStack feature set provides application-layer filtering and NetFlow offload.

Company:

• US federal agency

Key Issues:

• immediate need to fortify out-of-band network security

• a future-proof solution able to support inline security

Solutions:

• Vision ONE NPBs to filter data to DLPs and IDS

• passive SSL / TLS decryption for improved data inspection

• Flex Taps and iBypass external bypass switch

Results:

• 15% increase in detection of malware

• 20% decrease in mean time to detection of security threats

• simplified data filter creation with GUI

The Key Issues: Data Visibility and Concurrent Features

At the start of the NPB solution analysis, the customer thought all NPBs were the same and could perform the same functions. The truth ended up being much different. The agency tested the top NPB vendors for performance and throughput and came up with an unexpected result: While the Keysight NPB did not drop any packet data, other NPB vendors did. In addition, those missing packets had a clear impact on the intrusion detection system (IDS) and data loss prevention (DLP) tool. Both of these security appliances missed threats in the non-Keysight NPB scenario. This situation illustrates the primary reason every government agency needs lossless visibility

The customer also wanted to run multiple features at one time. Some manufacturers can’t support running concurrent features. This surprised the agency’s engineers. One of the vendors that dropped packets also had a feature-blocking issue. In contrast, the Keysight Vision ONE solution can run all of its features (such as deduplication, header stripping, and NetFlow) concurrently and at full speed, all the way up to 100GE. If you can’t use your equipment to its fullest potential, then why buy it?

The Keysight architecture enables the non-blocking capability by using field-programmable gate arrays to process data instead of a CPU running software. The CPU-software combination has inherent issues because every line of code steals bandwidth

Ease of use

Ease of use was another concern. Again, the customer thought all NPBs were the same — until it saw the Keysight graphical user interface (GUI). The Keysight interface ended up being more than two times faster at creating data filters. In addition, the interface was so intuitive, engineers did not require any training. They clicked, double-clicked, and drew lines from one point to another to create filters. They needed no command line interface or menu-driven interface