INTERVIEW WITH GIGAMON’S BASSAM KHAN: How automation in cybersecurity creates superior threat response


Last month, cyber intelligence and security company Gigamon demonstrated its capabilities with what it calls a “deep observability pipeline that harnesses actionable network-level intelligence to amplify the power of observability tools.”

Gigamon has over 4,000 customers worldwide, including 80 percent of the Fortune 100. It also serves nine of the 10 largest mobile network providers globally, as well as hundreds of government and educational organizations.

In this interview, Malaya Business Insight asked Bassam Khan, Gigamon Vice President of Product and Technical Marketing Engineering, how Gigamon helps IT organizations assure effective security and compliance while lowering the operating costs of managing the hybrid and multi-cloud IT infrastructures that need protection. With its rapid root-cause analysis of performance bottlenecks, the company says it ensures that “modern enterprises realize the full transformational promise of the Cloud.”


Malaya Business Insight (MBI): In the Philippines, does Gigamon support threat intelligence integration and automated threat response?

Bassam Khan (BK): First, Gigamon is designed from the ground up for automation, which is the only way for small IT security teams to keep up with the high volume of threats. Gigamon can be programmed through Ansible scripting to automatically change the behavior of monitoring. For example, an organization may choose to implement “soft security” on all hosts, but if any host (PC/Mac/IoT device) shows suspicious behavior, that host’s traffic will automatically receive additional screening by gathering all of its traffic, decrypting it, and sending it to more security tools for in-depth analysis.

Second, Gigamon provides intelligence about network traffic to existing security tools, such as a SIEM. For example, Gigamon can detect weak encryption keys (ciphers) being used in practice, it can detect use of non-standard TCP ports (AKA port spoofing), and it can detect the existence of unsanctioned applications, such as peer-to-peer (e.g. BitTorrent), shadow IT (e.g. Dropbox), or even crypto-jacking (e.g. Bitcoin, Ethereum, Monero, etc.).

So, to summarize, yes we do. We have success stories of Threat Intelligence and Automated Threat Response integrations with NDR/EDR/XDR solutions from the likes of Darktrace, Vectra, ExtraHop, Trend Micro, etc. We help organizations gain network visibility and automate threat management in order to provide continuous monitoring of network traffic to pinpoint cyberattacks that may evade perimeter defenses.

(Updated reply added) MBI: Will local partners assist companies with their network solution issues?

BK: Yes. Most of our local partners have the skill set and facilities to provide technical support and round-the-clock monitoring through their homegrown Network and Security Operations Centers. They have the expertise and capability to offer optimum support backed by global threat intelligence, advanced security services and a 24×7 Service Desk facility.

MBI: What is the deployment process for implementing Gigamon’s network security solution? Will it work on systems that are hard-coded by IT programmers, for example internally created accounting systems (which are very common in the PH)? Are there any specific network protocols or technologies that Gigamon specializes in securing?

BK: Starting with the last question, Gigamon’s primary function is to provide visibility into all network communications to security tools. You can’t secure what you can’t see, and Gigamon helps tools make sure there are no blind spots. Without Gigamon, blind spots typically include east-west traffic (intra-corporate), cloud and multi-cloud communications, container traffic, and encrypted traffic. On the last point, TLS 1.3 (with perfect forward secrecy) is notoriously difficult to decrypt and inspect.

The power of network visibility is that it will help secure any application that communicates over the network, whether on-prem or multi-cloud, changing weekly or hard-coded 30 years ago, internal or customer-facing, and off-the-shelf or custom.

Flexibility is the key to deploying Gigamon, where our installer automatically identifies and adjusts to any virtual platform. The tools and methodology for orchestration/automation of network traffic access vary greatly between vendors and platforms; from on-prem VMware VMs to Azure’s EKS containers to AWS instances. With Gigamon, customers don’t need to learn, code and maintain this low-level “plumbing” because Gigamon ensures visibility into all traffic automatically, even as workloads scale up and down. Also, for physical network tapping, customers have deployed Gigamon at 400-gigabit network speeds.

MBI: How does Gigamon handle network segmentation and access control?

BK: Gigamon collects traffic from every segment of the network, using TAP or SPAN techniques, and controls the flow of that traffic to the dozens of monitoring and security tools every organization uses, like IDS/IPS, firewalls, network detection and response, network and application performance monitoring, SIEM and observability tools.

In highly micro-segmented networks, customers use Gigamon to gain visibility into intra-segment east-west communications. Even in highly micro-segmented networks, there is concern about threats moving laterally, and the only way to detect and respond is by gaining visibility inside those segments.

MBI: When Gigamon does forensic analysis and incident response, is it the work of the system administrator or can Gigamon do it remotely?

BK: Gigamon provides software and hardware that customers deploy in their own environment, and we are not a service that’s managed remotely.

Also, Gigamon does not directly provide analytics and incident response capability. We are a telemetry platform that ensures existing tools have access to all traffic so that customers can get the most possible effectiveness and efficiency out of their current tools.

MBI: What level of customization and policy enforcement does Gigamon offer, e.g. in the space of cryptocurrency or remote hybrid work, where systems are isolated from the network?


BK: It’s important to identify two types of networks; managed by the organization and unmanaged. Gigamon is not involved with the latter, for example when a user connects to say Office 365 from their house. When the user or application accesses anything running on-prem or IaaS on public clouds, that’s where Gigamon steps in; it collects all the traffic, filters out irrelevant data and sends only the traffic that each tool needs to do its job.

Based on network traffic patterns, Gigamon is able to detect 15 different crypto-mining software, like Ethereum, Bitcoin, Monero/XMR, Ripple, etc. Note that Gigamon will not block that traffic directly because our role is to provide network traffic and network-derived intelligence to tools, and those tools (e.g., an IPS) will perform the actual policy enforcement. Without Gigamon, this type of crypto and other suspicious traffic is very difficult to detect, particularly for east-west traffic.

MBI: How does Gigamon integrate with Security Information and Event Management (SIEM) systems, e.g. for User Behavior Analysis?

BK: There are over 7,000 unique “metadata attributes” that Gigamon is able to send to SIEMs, and observability tools such as Dynatrace, New Relic and Sumo Logic. Amongst the hundreds of threat and vulnerability detection use cases, examples include detecting weak SSL ciphers, identifying when TLS certificates will expire, non-standard port usage, DNS poisoning, DHCP starvation, and more.

It’s important to note that there are many performance and troubleshooting-related use cases from these metadata attributes. Gigamon can help tools detect slow network hops, HTTP errors, packet drops, high HTTP and TCP roundtrip times, etc.

In short, Gigamon complements log data with a much higher level of detail that is simply not available in any way other than through Gigamon’s “deep packet inspection” of network traffic.
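The detection use cases mentioned in the interview (weak TLS versions and ciphers, certificates close to expiry, and an application seen on a non-standard port) can be expressed as simple rules over per-flow metadata once a visibility layer exports it to a SIEM. The following is an added example written for this page; it is not Gigamon's code and does not use Gigamon's attribute names. The record fields, the expected-port policy, the fixed clock and the sample flows are all constructed assumptions.

```python
"""Detection rules over constructed per-flow network-metadata records.

Each record imitates the attributes a visibility platform might export to a
SIEM: the application identified by DPI, TLS parameters and certificate
expiry. Field names and sample values are assumptions for this example.
"""
from datetime import datetime, timezone, timedelta

# Constructed sample: one record per flow, as a SIEM would receive them.
RECORDS = [
    {"src": "10.1.1.5", "dst": "10.2.0.10", "dst_port": 443, "app": "tls",
     "tls_version": "TLSv1.2", "cipher": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
     "cert_not_after": "2030-01-01T00:00:00Z"},
    {"src": "10.1.1.7", "dst": "10.2.0.11", "dst_port": 443, "app": "tls",
     "tls_version": "TLSv1.0", "cipher": "TLS_RSA_WITH_RC4_128_SHA",
     "cert_not_after": "2030-01-01T00:00:00Z"},
    {"src": "10.1.1.9", "dst": "203.0.113.20", "dst_port": 443, "app": "ssh",
     "tls_version": None, "cipher": None, "cert_not_after": None},
    {"src": "10.1.1.5", "dst": "10.2.0.12", "dst_port": 8443, "app": "tls",
     "tls_version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
     "cert_not_after": "2024-06-10T00:00:00Z"},
]

# Fixed clock so the certificate-expiry rule is reproducible (assumption).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Substrings that mark a cipher suite as weak (RC4, DES/3DES, NULL, export grade,
# MD5 MAC, anonymous key exchange).
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "anon")

# Ports on which each DPI-identified application is expected (assumed policy).
EXPECTED_PORTS = {"ssh": {22}, "http": {80, 8080}, "tls": {443, 8443}, "dns": {53}}


def weak_tls(rec):
    """Flag deprecated protocol versions or weak cipher suites on TLS flows."""
    if rec["app"] != "tls":
        return None
    if rec["tls_version"] in WEAK_VERSIONS:
        return f"deprecated protocol {rec['tls_version']}"
    if any(tok in (rec["cipher"] or "") for tok in WEAK_CIPHER_TOKENS):
        return f"weak cipher {rec['cipher']}"
    return None


def cert_expiring(rec, now=NOW, window_days=30):
    """Flag server certificates that expire within window_days (or already have)."""
    if not rec["cert_not_after"]:
        return None
    not_after = datetime.strptime(rec["cert_not_after"], "%Y-%m-%dT%H:%M:%SZ")
    not_after = not_after.replace(tzinfo=timezone.utc)
    remaining = not_after - now
    if remaining <= timedelta(days=window_days):
        return f"certificate expires in {remaining.days} days"
    return None


def nonstandard_port(rec):
    """Flag a known application seen on a port it is not expected on (port spoofing)."""
    expected = EXPECTED_PORTS.get(rec["app"])
    if expected is not None and rec["dst_port"] not in expected:
        return f"{rec['app']} on port {rec['dst_port']} (expected {sorted(expected)})"
    return None


def analyze(records=RECORDS, now=NOW):
    """Run every rule over every record; return (rule, src, dst, detail) tuples."""
    findings = []
    for rec in records:
        for name, detail in (
            ("weak_tls", weak_tls(rec)),
            ("cert_expiring", cert_expiring(rec, now)),
            ("nonstandard_port", nonstandard_port(rec)),
        ):
            if detail:
                findings.append((name, rec["src"], rec["dst"], detail))
    return findings


if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Each rule returns a short detail string or None, so a SIEM correlation search can be built the same way: the version check fires before the cipher check because a TLS 1.0 session is a finding regardless of its suite, and the port rule only judges applications the policy knows, so unknown applications produce no noise.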


This interview was conducted by the author by email.

