The Defender Lifecycle Model

A new approach to security

Automate and Accelerate Threat Mitigation

The Defender Lifecycle Model is designed to automate and accelerate the identification and mitigation of threats. Focused on four key pillars — prevention, detection, prediction, and containment — the new model integrates machine learning, artificial intelligence (AI) and security workflow automation to shift control and advantage away from the attacker and back to the defender.

Security operations teams face growing challenges in combating data breaches: the ever-increasing speed of network data leaves insufficient time for threat inspection, the number of attackers and the resources available to them for breaching traditional defenses are vast, and once inside, attackers can propagate undetected across most networks.

This traditional security focus is increasingly ineffective, hampered by limited visibility, extraordinary costs and reliance on manual processes to address incidents. A new approach is needed.

The GigaSECURE Security Delivery Platform Enables the Defender Lifecycle Model

The GigaSECURE® Security Delivery Platform better integrates security technologies that detect, predict and contain threats throughout your network. It moves the advantage from the attacker back to the defender by integrating machine learning and AI-based technologies, and automating security workflows. Security professionals can map out the role of security technologies involved in the threat “kill chain”, gain a better understanding of overall security readiness, and strengthen their organization’s overall security risk posture.

Four Key Pillars of the Defender Lifecycle Model

Prevention

GigaSECURE empowers the right inline security tools – such as Cisco Intrusion Prevention System (IPS), FireEye Advanced Threat Prevention (ATP) and Imperva Web Application Firewall (WAF) – to see, secure and prevent intrusions within growing network traffic and during software upgrades. It brings threat traffic to the front of the line, offloads decryption and boosts resiliency to help make your network more accurate, efficient and economical.

To maximize threat prevention while maintaining network availability, GigaSECURE offers Inline Bypass Protection.

Inline bypass acts as a fail-safe access port for inline security tools. Without it, inline security tools can be single points of failure in a network: if a tool loses power, suffers a software failure or is taken offline for updates, traffic can no longer flow through this protective link. A failing inline tool can thus disrupt the very applications and services it is meant to protect.

Inline bypass removes these failure points by automatically switching traffic to bypass mode – keeping critical network traffic and protection up and running.
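The following is an added illustration of the fail-safe behaviour described above; it is example code, not Gigamon's implementation. The heartbeat-based health check, the tool's `inspect` verdict interface and the 10.66.0.0/16 "blocked" prefix are assumptions constructed for the example. It also records which packets crossed the link while the tool was down, since a bypass window is exactly the gap a defender wants logged and alerted on.

```python
"""Toy model of an inline bypass switch in front of an inline security tool.

Added example, not Gigamon code. The heartbeat health check and the tool's
verdict interface are assumptions made for this illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    INLINE = "inline"   # traffic is forwarded through the security tool
    BYPASS = "bypass"   # tool unhealthy: traffic flows straight through, uninspected


@dataclass
class InlineTool:
    """Hypothetical inline tool (an IPS, say) that returns a verdict per packet."""
    healthy: bool = True
    blocked_prefixes: tuple = ("10.66.",)  # constructed 'known bad' source range

    def heartbeat(self) -> bool:
        return self.healthy

    def inspect(self, packet: dict) -> str:
        if not self.healthy:
            raise RuntimeError("tool unavailable")
        return "drop" if packet["src"].startswith(self.blocked_prefixes) else "pass"


@dataclass
class BypassSwitch:
    tool: InlineTool
    mode: Mode = Mode.INLINE
    transitions: list = field(default_factory=list)
    uninspected: list = field(default_factory=list)  # packet ids forwarded in bypass

    def _check_health(self) -> None:
        """Flip between modes whenever the tool's heartbeat state changes."""
        if self.tool.heartbeat():
            if self.mode is Mode.BYPASS:
                self.mode = Mode.INLINE
                self.transitions.append("bypass->inline")
        elif self.mode is Mode.INLINE:
            self.mode = Mode.BYPASS
            self.transitions.append("inline->bypass")

    def forward(self, packet: dict) -> str:
        self._check_health()
        if self.mode is Mode.BYPASS:
            # Fail-open: availability is preserved, but nothing inspects this packet.
            self.uninspected.append(packet["id"])
            return "pass"
        return self.tool.inspect(packet)


def run_scenario() -> dict:
    """Constructed traffic: the tool goes offline mid-stream (an update) and returns."""
    tool = InlineTool()
    switch = BypassSwitch(tool)
    packets = [
        {"id": 1, "src": "192.0.2.10", "dst": "198.51.100.5"},
        {"id": 2, "src": "10.66.0.7", "dst": "198.51.100.5"},   # dropped while inline
        {"id": 3, "src": "10.66.0.7", "dst": "198.51.100.5"},   # reaches dst during bypass
        {"id": 4, "src": "192.0.2.11", "dst": "198.51.100.5"},
    ]
    verdicts = {}
    for pkt in packets:
        if pkt["id"] == 3:
            tool.healthy = False   # tool taken offline for updates
        if pkt["id"] == 4:
            tool.healthy = True    # tool back online
        verdicts[pkt["id"]] = switch.forward(pkt)
    return {
        "verdicts": verdicts,
        "transitions": switch.transitions,
        "uninspected": switch.uninspected,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the scenario makes: packet 3 has the same source as packet 2, but it is forwarded rather than dropped because the tool was down. Bypass keeps the link up, so the `uninspected` list (or its real-world equivalent in the bypass device's logs) is what tells the SOC how large the inspection gap was.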

Detection

For most security teams, there’s simply too little time and too few resources to efficiently gather the information needed to make accurate predictions about potential security threats.

To effectively detect threats throughout the IT environment, organizations deploy a variety of security and monitoring solutions. But how do you ensure that your tools are receiving the right information?

Security and monitoring tools must ingest specific types of data to assess the network for threats. For example, security information and event management (SIEM) systems consume metadata, whereas data loss prevention (DLP), intrusion detection systems (IDS) and advanced threat protection (ATP) tools require packet data.

GigaSECURE enables security operation teams to both generate metadata and gain packet-level visibility to ensure an effective detection posture across the enterprise.
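As an added example of the metadata-versus-packets distinction (not Gigamon code), the snippet below derives flow records suitable for a SIEM from the same packet stream a packet-based tool such as an IDS would consume. The packet sample is constructed, and the flow record layout (bidirectional 5-tuple key with packet, byte and timing counters) is an assumption chosen for the illustration.

```python
"""Derive per-flow metadata (SIEM input) from raw packets (IDS/DLP/ATP input).

Added example, not Gigamon code. Record layout is an assumption for illustration.
"""

# Constructed packet sample: (timestamp, src, dst, sport, dport, proto, bytes)
PACKETS = [
    (1000.0, "192.0.2.10", "198.51.100.5", 51000, 443, "tcp", 120),
    (1000.2, "198.51.100.5", "192.0.2.10", 443, 51000, "tcp", 1400),
    (1000.5, "192.0.2.10", "198.51.100.5", 51000, 443, "tcp", 80),
    (1001.0, "192.0.2.22", "203.0.113.9", 40000, 53, "udp", 70),
    (1001.1, "203.0.113.9", "192.0.2.22", 53, 40000, "udp", 150),
]


def flow_key(pkt):
    """Bidirectional key so both directions of a conversation share one record."""
    _, src, dst, sport, dport, proto, _ = pkt
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)


def build_flow_metadata(packets):
    """Aggregate packets into flow records: the compact view a SIEM ingests."""
    flows = {}
    for pkt in packets:
        ts, *_, size = pkt
        rec = flows.setdefault(
            flow_key(pkt), {"packets": 0, "bytes": 0, "first": ts, "last": ts}
        )
        rec["packets"] += 1
        rec["bytes"] += size
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    for rec in flows.values():
        rec["duration"] = round(rec["last"] - rec["first"], 3)
    return flows


def split_feeds(packets):
    """Packet-based tools get every packet; the SIEM gets only the flow summaries."""
    return {"packet_feed": list(packets), "metadata_feed": build_flow_metadata(packets)}


if __name__ == "__main__":
    feeds = split_feeds(PACKETS)
    print(len(feeds["packet_feed"]), "packets ->", len(feeds["metadata_feed"]), "flows")
    for key, rec in feeds["metadata_feed"].items():
        print(key, rec)
```

Five packets collapse into two flow records, which is why a SIEM can keep a long retention window on metadata while the full-fidelity packet feed goes to the tools that actually need payloads.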

Prediction

Identifying anomalies allows you to build the next phase of the Defender Lifecycle Model: prediction. Prediction is key to understanding intent: what the bad actor intends to do or has already done. Identifying a single anomaly does not mean much, nor does it provide context for the entire threat behavior. You need to understand the intent behind the bad behavior, which is where artificial intelligence and cognitive solutions come into play.

Since many malware and command-and-control threats are essentially “existing” frameworks that have been rented or purchased, it follows that subsequent actions in the attack cycle may mimic behaviors that have been learned or seen in the past, albeit morphed or disguised. AI-based solutions attempt to uncover patterns in the face of polymorphism and disguise to predict intent, to surface underlying patterns of behavior and to generate a set of actions that lead to the next stage in the defender lifecycle: containment.

Containment

Once you’ve uncovered intent, you can take action to contain, remediate or even allow contained detonation of the threat to better understand the intent.

Today, the threat containment process is manual and time intensive, requiring coordination across multiple groups and actions across endpoints, routers and switches, firewalls and IPSs. Ownership and change management for many of these steps rest within different departments of an organization, and each requires a different set of procedures, skills and review processes. This must change. Organizations need to hasten containment through streamlined processes, minimized touch points and the development and deployment of automation and security workflow orchestration solutions.
