Dragos Security CyberLens
This month's First Look was a bit of a surprise to us. We are used to seeing IP devices being discoverable in the enterprise. There are plenty of products that will watch the network for new entries and let you know when one plugs in. These tools can inventory the enterprise and keep IT and security staff apprised of everything that is connected to the network at any given time. Everything, that is, except those pesky industrial control systems (ICS). They don't usually cooperate by using nice little IP protocols. They have their own – and most tools won't see them or the devices that spawn them. That's where CyberLens comes in. It does see. Everything.
On the surface, CyberLens does what other asset discovery tools do: identify the assets on the enterprise. But there are several important differences between this solution and the run-of-the-mill asset discovery tools. For starters, it is a completely passive listener. Its sensors identify devices on the network through their communications and they also listen for flows to identify traffic patterns. One of the keys to CyberLens is its open API. This allows you to use one of the existing lenses or roll your own. Lenses are extensions of CyberLens and are specific to a particular observation target. Most interesting, however, is its ability to discover non-IP protocols, particularly ICS packets and flows.
AT A GLANCE
Company Dragos Security
Price $2,800 annual subscription.
What it does Monitors a mixed network of IT and ICS assets.
What we liked Interesting mix of capabilities and good situational awareness.
The bottom line If you have a mixed network, you need this tool.
The CyberLens system has four components: sensor, server, API and viewer. The sensor is the data intake and may be run live or on packet captures (pcap format). The sensor performs deep-packet inspection and separates useful information in the raw packets from overhead. There are multiple versions of the sensor to fit just about any environment.
The second component is the server. This is the collection point for the data from the sensors. The data is aggregated. There are multiple versions of the server depending on the functionality you want – with more coming next year.
The third component is the database and the API. The database takes the raw data, parses it and stores it in a useful format that allows data mining. Integral to the database is the API. The API is the way that raw data in the database is accessed. It also is how the lenses (extensions used for customizing CyberLens) access the data.
The final module is the viewer. This is where humans interact with CyberLens and its collected data. The viewer is available in multiple versions based largely on the size of the enterprise on which the user has deployed CyberLens. CyberLens uses passive collection, meaning that it does not add materially to the traffic on the network due to probes or scans. The monitoring of flows allows traffic analysis, such as peer communications and communications across a presumed secure boundary. Of course this type of analysis is especially good for verifying – or discovering – network architecture and the devices and flows on it.
Lenses have a variety of purposes and there are lenses from the vendor, as well as the ability to build your own. Examples of pre-made lenses are alerting, blacklisting and whitelisting and enhanced reporting, as well as some for targeted deep packet inspection. Remote packet capture and traffic exploration currently round out the pre-made lens offerings. While the product sees both ICS and IT protocols, one should remember that it focuses particularly on ICS protocols, devices and flows. Being able to see both types of data and distinguish between them is a unique capability of CyberLans. This gives the operator a high level of situational awareness, allows baselining and allows the operator to spot anomalies rapidly.
We liked this product for its unique view of an enterprise that contains a mix of IT and ICS protocols. It is easy to deploy, not particularly expensive for what you get, and its website and user portal are clean. We especially liked that you can buy CyberLens and lenses right on the web in the CyberLens Marketplace. This was a new type of product for us, but it is one of those that makes you slap your forehead and exclaim, “Why didn't I think of that?” However, while the concept may seem simple, watching a split network – IT and ICS – is not trivial. Trivial or not, CyberLens does it and it does its tasks well.