
Catbird Architecture

Catbird’s software-defined security software resides on the hypervisor and is deployed in a hub and spoke architecture. The two architectural elements are:

  • Catbird Control Center: the central hub which acts as the policy definition point, manages the other components and centralizes all the data gathered for visualization, analytics, alerting and reporting purposes.
  • Catbird Virtual Machine Appliances (VMAs): a mesh of sensors collecting data and executing the technical controls. VMAs are not deployed on individual virtual machines but on the virtual network itself. 


[Figure: software-defined security architecture]

The Catbird Control Center is deployed as a separate Virtual Machine, and steers the VMAs. By distributing the security load across the VMA mesh, Catbird can scale across multiple physical locations and multiple virtual hosts. VMAs are lightweight and not in-line, and as such do not impact network capacity. In this way, Catbird’s model of software-defined security can leverage cloud-scale economics.


Catbird Insight – How It Works

As part of Catbird Insight, Catbird VMAs detect asset information and network events via three independent functions: NAC, NetFlow and Hypervisor events. By correlating this data with the Hypervisor VM UUID captured from the cloud management platform, Catbird is able to show the ‘perfect inventory’ of all assets in the virtual fabric. Detection is ongoing and continuous, to ensure that security is maintained regardless of any changes to the VM population. 

Following this automatic detection of VMs, Catbird assigns all VMs into logical policy groups, called Catbird TrustZones. Catbird TrustZones can be defined based on the needs of the business. They can be defined based on Data Center tiers, by application or application tiers, by user groups, by compliance requirements, by data classification level, or by any other parameter that makes the most sense to your organization. As such, Catbird TrustZones decouple how you view and manage your virtual assets from the underlying network infrastructure.

Based on all data collected, Catbird Insight delivers workload-centric visualization of your virtual universe and shows real-time traffic flowing in and out of your logical groups. When changes occur in the virtual fabric, the asset inventory and Catbird TrustZones are automatically updated.

In addition to intuitive visualization, Catbird Insight also provides a strong analytics capability. You can slice and dice network traffic between and inside of Catbird TrustZones. This makes Catbird Insight the ideal tool to find misconfigurations, detect anomalies, and facilitate fine-grained security policy (micro-segmentation) definition. Based on the defined policy, Catbird Insight will also generate alerts that can be integrated with a SIEM or ticketing platform.

Catbird Insight provides both networking and security teams with an exact inventory of all virtual assets, a real-time view of network traffic flows within the virtual fabric, and strong analytics and alerting capabilities. This makes Catbird Insight not only an invaluable day-to-day operational tool, but also a security and compliance assessment tool, and an aid when migrating to true micro-segmentation and Software-defined Networking (SDN).


Catbird Secure – How It Works

Running on top of Catbird Insight, Catbird Secure leverages the same Catbird TrustZones to assign security policies and apply them at runtime for enforcement and monitoring purposes. These security policies define how technical controls are orchestrated at both the Catbird TrustZone-level and the individual VM-level. The technical controls at your disposal include a firewall rule-set, Network Access Control (NAC), Intrusion Detection and Prevention (IDS/IPS), NetFlow and vulnerability/configuration monitoring, and numerous other security tasks which can be executed via hypervisor interfaces.

Catbird Secure comes with policy templates that can easily be configured to define exactly which enforcement and monitoring options should apply to each Catbird TrustZone. These templates can be based on standard compliance frameworks, such as PCI, or configured in compliance with your organization’s own corporate policies. Security monitoring and enforcement actions defined in the policy are automatically pushed to VMAs. When virtual machines (VMs) are added to the Catbird TrustZones, either manually or via automated methods, all associated technical controls and policies are automatically configured and applied to the new asset. VMs not placed into a Catbird TrustZone are protected by a user-configured default security policy to ensure 100% asset coverage.
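To make the TrustZone model concrete, here is a small policy-resolution model written for this page (it is not Catbird's own code or API): zone membership is keyed by hypervisor VM UUID rather than by address, allowed flows are declared between zones, per-VM firewall rules are derived from membership at resolution time, and VMs outside every zone fall back to a default policy so coverage stays complete. All UUIDs, addresses and flows are constructed assumptions.

```python
# Constructed inventory of VMs by hypervisor UUID with their current address;
# all names and values here are assumptions made for this example.
INVENTORY = {
    "uuid-web-1": "10.0.1.10",
    "uuid-app-1": "10.0.2.10",
    "uuid-db-1": "10.0.3.10",
    "uuid-new-1": "10.0.9.5",    # freshly detected, not yet in any zone
}

# Zone membership is by VM identity, not by address or VLAN, so moving a VM
# or renumbering it never requires the policy itself to be rewritten.
ZONES = {"web": {"uuid-web-1"}, "app": {"uuid-app-1"}, "db": {"uuid-db-1"}}

# Policy template: allowed flows as (src_zone, dst_zone, proto, port);
# anything else between or into zones is denied.
ALLOWED_FLOWS = [("web", "app", "tcp", 8080), ("app", "db", "tcp", 3306)]

# User-configured default policy for VMs outside every zone: isolate them.
DEFAULT_POLICY = [("deny", "any", "any", "any")]

def zone_of(uuid):
    return next((z for z, members in ZONES.items() if uuid in members), None)

def acl_for_vm(uuid):
    """Resolve the inbound firewall ACL for one VM from its zone membership.
    Rules are (action, src_ip, proto, port). Source addresses are looked up
    at resolution time, so the ACL follows inventory changes automatically."""
    zone = zone_of(uuid)
    if zone is None:
        return list(DEFAULT_POLICY)
    rules = [("allow", INVENTORY[src], proto, port)
             for src_zone, dst_zone, proto, port in ALLOWED_FLOWS
             if dst_zone == zone
             for src in sorted(ZONES[src_zone])]
    rules.append(("deny", "any", "any", "any"))   # implicit zone default
    return rules

def add_to_zone(zone, uuid):
    """Place a VM into a zone and re-resolve every VM's ACL: the controls of
    all affected assets must be re-pushed, not only the new VM's."""
    ZONES[zone].add(uuid)
    return {u: acl_for_vm(u) for u in INVENTORY}

def fully_covered():
    """Coverage check: every inventoried VM resolves to a non-empty ACL."""
    return all(acl_for_vm(u) for u in INVENTORY)
```

Adding the new VM to the "app" zone changes the ACL of the database VM as well as the new VM's own, which is why a zone change has to trigger a re-push across the mesh rather than only to the host that gained a member.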

Catbird Secure continuously captures network, security and compliance events and tracks them by Catbird TrustZone and by individual VM across all controls. Based on those events, Catbird Secure generates alerts. These alerts assist with early detection of potential security incidents or violations of compliance obligations. Through a simple configuration you can export these alerts (using Syslog CEF) to your SIEM or ticketing system for further follow-up.

As part of Catbird Secure, the Catbird Control Center also delivers a rich UI for visualization of compliance posture by compliance category. Once you have assigned a specific compliance policy to a Catbird TrustZone, Catbird Secure will not only enforce the associated policy through the technical controls, but will also capture corresponding security events and measure them in real-time against the selected compliance framework. As a result, Catbird provides evidence and assurance of control that can be used to assert compliance against PCI DSS, FISMA, HIPAA and other compliance standards.

Events are correlated into seven compliance categories: Auditing, Inventory Management, Access Controls, Configuration Management, Change Management, Incident Response and Vulnerability Management. Events that deviate from the policy or standard are flagged, so control configurations can be corrected and compliance restored as needed. This closed loop approach validates the compliance requirements, providing demonstrable compliance that is mapped to specific sections of the compliance framework. 
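The alert export above and the compliance categories just listed both end up in the same place: a CEF line on the wire. The following is an added example, not Catbird's code, of rendering one such event (tracked by TrustZone, VM UUID and compliance category) as CEF and of splitting the header back out on the receiving side. It shows the two escaping rules that SIEM integrations most often get wrong: pipes and backslashes in header fields, and equals signs and newlines in extension values. The event fields, the custom-string label mapping and all values are assumptions.

```python
# Constructed sample event of the kind Catbird Secure tracks per TrustZone and
# per VM; field names and values are assumptions made for this example.
SAMPLE_EVENT = {
    "signature_id": "FW-DENY",
    "name": "Flow denied by TrustZone policy",
    "severity": 7,                       # CEF severity is an integer 0..10
    "category": "Access Controls",       # one of the seven compliance categories
    "trustzone": "PCI|Cardholder",       # a '|' in an extension value is legal
    "vm_uuid": "42211111-2222-4333-8444-555555555555",
    "src": "10.0.1.15", "dst": "10.0.2.40", "dpt": 3306,
    "msg": "rule=zone-default\nsecond line",   # '=' and newline need escaping
}

def cef_header(value):
    # Header fields: backslash and pipe are the characters to escape.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_ext(value):
    # Extension values: escape backslash and '=', encode CR/LF as \r and \n.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def to_cef(ev, vendor="Catbird", product="Catbird Secure", version="0"):
    """Render one event as a single CEF:0 line ready for a syslog forwarder."""
    sev = max(0, min(10, int(ev["severity"])))   # clamp into the CEF range
    header = "|".join(cef_header(f) for f in
                      ("CEF:0", vendor, product, version,
                       ev["signature_id"], ev["name"], sev))
    ext = {"cat": ev["category"],
           "cs1Label": "TrustZone", "cs1": ev["trustzone"],
           "cs2Label": "vmUUID", "cs2": ev["vm_uuid"],
           "src": ev["src"], "dst": ev["dst"], "dpt": ev["dpt"],
           "msg": ev["msg"]}
    return header + "|" + " ".join(f"{k}={cef_ext(v)}" for k, v in ext.items())

def split_cef_header(line):
    """Split the 7 header fields on unescaped '|' (unescaping as it goes).
    Returns (fields, extension_string); a naive line.split('|') would break
    on the pipe inside cs1 above."""
    fields, buf, i = [], [], 0
    while i < len(line) and len(fields) < 7:
        c = line[i]
        if c == "\\" and i + 1 < len(line):
            buf.append(line[i + 1]); i += 2          # keep the escaped char
        elif c == "|":
            fields.append("".join(buf)); buf = []; i += 1
        else:
            buf.append(c); i += 1
    return fields, line[i:]
```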

Catbird Secure’s intuitive way to define security policies for Catbird TrustZones and enforce them through a broad set of technical controls, its ability to define network, security and compliance alerts and pass those on for follow-up action, and its robust compliance reporting make it an indispensable tool that reduces the time, effort, and costs required to protect your virtual fabric and to demonstrate compliance during an audit. 


Catbird Secure – Technical Controls

Catbird Secure orchestrates the following technical controls:

  • Firewall: Catbird Secure integrates with VMware® vCloud Networking and Security App firewall (vCNS), VMware NSX DFW and Cisco VSG firewall app. Catbird Secure orchestrates the control of these virtual firewalls by automatically pushing ACLs to them. This not only saves time and costs, it also avoids human mistakes when manually configuring rule-sets. 
  • NetFlow: Visualizing network topology is a powerful tool used by security architects to configure network-based security controls. With an innovative network flow visualization display, Catbird provides the best possible view into network activity giving the security architect the capacity to easily configure access controls, manage vulnerabilities, or respond to security incidents.
  • Network Access Control (NAC): Catbird Secure not only provides a superior combination of network-based security controls on the virtual switch fabric, but helps to protect physical infrastructure as well. The virtual switches in the hypervisor can be connected to physical switches that interconnect physical devices that may be on the same layer 2 networks as the virtualized asset. With Catbird’s Network Access Control (NAC), the security architect knows at all times what is directly connected at layer 2 on the physical switches, optionally giving them the power to implement logical zoning inclusive of these directly connected assets.
  • Vulnerability Scanning: Catbird Secure includes a network-based vulnerability scanner for vulnerability management. Understanding the network-accessible vulnerabilities in virtualized infrastructure is the first step to tightening security posture and implementing a vulnerability management program for compliance. Catbird Secure enables the security architect to view detected vulnerabilities from the same tool that configures the firewall and Intrusion Prevention System, for a holistic view of the enterprise security posture. Catbird Secure also includes extensive configuration checks based on Security Content Automation Protocol (SCAP).
  • Intrusion Prevention System (IPS): Positioned on the virtual switch fabric, Catbird Secure is in the optimal position to provide deep packet inspection for its Intrusion Prevention System. Monitoring all traffic traversing the virtual switch, Catbird Secure can detect hostile traffic entering the virtual Data Center, and more importantly, all hostile traffic between virtual machines themselves. By virtualizing the Intrusion Prevention System and distributing it across the virtual fabric, Catbird’s software-defined security approach provides a scalable solution for Intrusion Detection and Prevention.
  • Virtual Infrastructure Monitoring (VIM): Catbird is fully integrated with the VMware or OpenStack virtual infrastructure. The Catbird Virtual Infrastructure Monitor is the security operator’s eye into the virtual infrastructure, providing a real-time view of the virtual machine and switch configurations relevant to network security. When a policy has been violated, the Catbird Virtual Infrastructure Monitor can perform response actions, including disconnecting a virtual machine from the network or powering off the virtual machine. The Virtual Infrastructure Monitor restores the principle of separation of duties in virtual infrastructure by providing the security operator real-time monitoring of the virtual infrastructure administrator’s activities as they relate to network security.