Exploring Arista NDR: Architecture and Key Use Cases
Arista Networks acquired Awake Security in 2020, integrating Awake’s network detection and response (NDR) capabilities into its cognitive cloud networking portfolio. Rahul Chander Kashyap founded Awake Security to address the challenges faced by security teams, particularly the overwhelming number of alerts and the difficulty of identifying and investigating real threats. The Awake platform uses network traffic analysis to autonomously identify and profile every device in an enterprise, including IoT and shadow IT devices, providing comprehensive visibility and threat detection. The integration has allowed Arista NDR to offer a security solution that continuously evolves by adding new “skills” to tackle emerging threats, much as Amazon’s Alexa platform does. This approach keeps Arista NDR relevant and effective in the ever-changing cybersecurity landscape.
Arista NDR Platform Architecture and Key Use Cases
Arista NDR stands out from other network detection and response solutions by parsing over three thousand protocols and processing data from layer 2 through layer 7. The platform also excels in analyzing encrypted protocols, identifying critical context such as the nature of traffic (e.g., file transfer, interactive shell), the applications involved, and any remote access, all without requiring data decryption.
The key use cases of Arista NDR are summarized below.
Arista NDR Components
Five functional components make up the Arista NDR platform:
- Sensors
- Nucleus
- AVA (Autonomous Virtual Assist)
- Console or UI
- Analyst Portal
Sensors:
Sensors are connected to the locations in the network at which traffic will be monitored. They capture the packets, store the forensic packet log, parse and extract data from the network protocols found in those packets, summarize that data in the form of activities, and forward those activities to the Nucleus.
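As an added illustration (not Arista's code or its detection logic), the sketch below mimics the sensor pipeline just described together with the decryption-free traffic characterization mentioned earlier: it groups constructed packet records into flows and reduces each one to an "activity" labelled from payload size, timing and direction alone. The record format, the thresholds and the three labels are hypothetical.

```python
from collections import defaultdict

# Constructed sample records (not real captures). Each tuple is
# (time_s, client, server, server_port, direction, payload_len), direction "c2s" or "s2c".
# Payloads are encrypted and never inspected: only size, timing and direction are used.
PACKETS = [
    # SSH-style session: keystroke-sized payloads, human-paced, traffic both ways
    (0.0, "10.0.0.7", "10.0.0.5", 22, "c2s", 48), (0.9, "10.0.0.7", "10.0.0.5", 22, "s2c", 64),
    (2.1, "10.0.0.7", "10.0.0.5", 22, "c2s", 36), (2.2, "10.0.0.7", "10.0.0.5", 22, "s2c", 80),
    (4.0, "10.0.0.7", "10.0.0.5", 22, "c2s", 44), (4.1, "10.0.0.7", "10.0.0.5", 22, "s2c", 72),
    (6.5, "10.0.0.7", "10.0.0.5", 22, "c2s", 40), (6.6, "10.0.0.7", "10.0.0.5", 22, "s2c", 60),
    # TLS upload: full-size segments, almost all bytes client-to-server, bursty
    (10.00, "10.0.0.9", "203.0.113.10", 443, "c2s", 1400), (10.01, "10.0.0.9", "203.0.113.10", 443, "c2s", 1400),
    (10.02, "10.0.0.9", "203.0.113.10", 443, "c2s", 1400), (10.03, "10.0.0.9", "203.0.113.10", 443, "c2s", 1400),
    (10.04, "10.0.0.9", "203.0.113.10", 443, "c2s", 1400), (10.05, "10.0.0.9", "203.0.113.10", 443, "c2s", 1400),
    (10.06, "10.0.0.9", "203.0.113.10", 443, "s2c", 52),
    # Mixed session: neither pattern dominates, so the summarizer must not guess
    (20.0, "10.0.0.4", "198.51.100.8", 8443, "c2s", 500), (20.1, "10.0.0.4", "198.51.100.8", 8443, "s2c", 1400),
    (20.3, "10.0.0.4", "198.51.100.8", 8443, "c2s", 90), (20.4, "10.0.0.4", "198.51.100.8", 8443, "s2c", 1400),
    (20.6, "10.0.0.4", "198.51.100.8", 8443, "c2s", 700),
]

def classify(duration, n_pkts, small_frac, dominant_frac):
    """Hypothetical thresholds that label a flow from metadata alone."""
    # Interactive shell: mostly tiny payloads, human-paced, bytes flowing both ways
    if small_frac >= 0.8 and duration / n_pkts >= 0.3 and dominant_frac < 0.7:
        return "interactive-shell"
    # Bulk transfer: mostly full segments, nearly all bytes in one direction
    if small_frac <= 0.2 and dominant_frac >= 0.9:
        return "bulk-transfer"
    return "unknown"  # ambiguous: leave for correlation with other activities

def summarize_activities(packets):
    flows = defaultdict(list)
    for rec in packets:
        flows[rec[1:4]].append(rec)  # flow key: (client, server, server_port)
    activities = []
    for (client, server, port), recs in flows.items():
        times = [r[0] for r in recs]
        c2s = sum(r[5] for r in recs if r[4] == "c2s")
        s2c = sum(r[5] for r in recs if r[4] == "s2c")
        small_frac = sum(r[5] <= 128 for r in recs) / len(recs)  # 128 B: keystroke-sized
        dominant_frac = max(c2s, s2c) / max(1, c2s + s2c)
        duration = max(times) - min(times)
        activities.append({"client": client, "server": server, "server_port": port,
                           "bytes_c2s": c2s, "bytes_s2c": s2c, "duration_s": round(duration, 2),
                           "kind": classify(duration, len(recs), small_frac, dominant_frac)})
    return activities
```

Each returned dictionary is the kind of compact activity record a sensor would forward upstream instead of raw packets; the "unknown" label is deliberate, since a real system correlates ambiguous flows with other evidence rather than forcing a guess.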
There are multiple options for the deployment of the sensors. You can use any combination of physical, virtual, and/or cloud-hosted sensors, depending on the network topology and bandwidth of the monitored links. In addition to various models of standalone sensors, you can deploy the AVA sensor package on existing or newly installed Arista Campus switches. When combined with a cloud-based nucleus, this setup provides a zero-touch security monitoring solution.
Nucleus:
The Nucleus stores a 3-6 month log of the activity extracted by the sensors and applies a large suite of AI and ML analytics to that data to discover, track, and characterize the entities observed on the network. Using an automatically updated library of detections maintained by our team of expert threat hunters, it also detects malicious and unwanted behavior in that activity and summarizes threats in easy-to-understand reports called situations. In addition, it provides extensive tools for querying and analyzing all of this data: customizable dashboards, both simple entity search and a Turing-complete query programming language, visual tools for summarizing and exploring query results, and more.
Autonomous Virtual Assist (AVA):
The Arista NDR platform comes standard with AVA, a virtual security analyst that takes in large volumes of seemingly unrelated traffic from one or several sensors, makes associations, finds patterns, and identifies situations that need attention. AVA automates many of the mundane and time-consuming tasks normally undertaken by human analysts, dramatically accelerating their work. AVA also includes a cloud component that draws on a number of data sources, including OSINT, to enrich its risk assessments, much like adding an expert security analyst to your team.
Console/UI:
The console or the UI is the primary user interface through which the analyst interacts with the platform. It is a web application served to the user’s browser from the Nucleus cluster or the Analyst Portal. In addition to presenting the results of the automated analysis done by AVA, the console provides extensive tools to manually query and analyze all the data in the Nucleus. This allows analysts to quickly confirm the results of AVA analysis as well as manually hunt for threats the platform has not yet surfaced automatically.
Analyst Portal:
The Analyst Portal is an opt-in feature that provides a single pane of glass (hosted in the cloud, though it can also be hosted on-prem) for interfacing with Arista NDR Nucleus deployments in a diverse set of topological configurations. From a single host address you can obtain a console on any NDR Nucleus cluster, easily switch between the different deployments in your installation, and perform exactly the same functions as if you were visiting the Nucleus node directly on your network.
Deployment Models and BoQ
You can deploy Arista NDR in two modes, depending on customer requirements and network architecture:
All-in-one
In this case, the AVA Sensor and AVA Nucleus are deployed on a single appliance. This deployment is ideal for customers who deploy a single instance of Arista NDR or would like to maintain an isolated view of their deployment.
Split
In this mode you deploy the AVA Sensor and AVA Nucleus separately. AVA Sensors come in various form factors, including on Arista switches, as physical or virtual appliances, and within AWS or GCP. The AVA Nucleus can run as on-premises hardware, which you can configure in cluster mode to meet higher performance requirements, or it is available as a SaaS service from Arista. A central console provides a unified analyst portal with complete role-based access control across multiple Nucleus deployments.
Summary:
The network detection and response (NDR) market is highly competitive, but NDR remains a crucial component of cybersecurity. NDR solutions analyze network traffic to detect anomalies and provide insight into the activity in your digital infrastructure. Arista NDR is highly rated by key global analyst firms such as Forrester, IDC, KuppingerCole, and the Tolly Group. When evaluating NDR solutions, weigh your requirements, use cases, and the commercial CAPEX and OPEX advantages. For more related content and learning, please visit our page.