How NSS Labs' CAWS finds and fixes network threats

The public instance of the CAWS Continuous Security Validation Platform from NSS Labs is a valuable tool for alerting IT teams about real threats with the ability to breach their defenses. But for networks with high security needs, the product's private instance is worth the high price tag.

binary monitor tech digital moody hacker threat

Vulnerability management works best when the limitations of cyber defenses can be located and fixed before an attacker is able to exploit them. Many vulnerability management programs take one aspect of that process, either managing known vulnerabilities or the penetration testing to find them, and stand up great tools around that. The CAWS Continuous Security Validation Platform from NSS Labs instead tackles the complete process, and does it in a way that doesn’t add any extra risk or drain to network resources.

At its core, CAWS is a testing lab dedicated to finding and fixing threats against networks. Customers who make use of the program can elect to use one of two flavors of the product, both of which could be tremendously helpful when planning defenses and trying to manage vulnerabilities.

The CAWS public instance

NSS Labs maintains a huge bait network of target systems around the world, some of which they own and others that are leased. Each of these professional victim systems have software on them that mimics normal behavior for a device of that type, or even human users doing things like surfing the web.

CAWS Bait Network John Breeden II/IDG

The bait network that CAWS employs to capture threats has been around for seven years and comprises over 80,000 client systems. When a system is compromised, information about the attacking threat is automatically collected before the bait computer is restored.

Threats attack the bait systems, which are designed to capture all data about the attack and send it back to NSS Labs before the system is automatically wiped and put back into service. There are currently over 80,000 systems in the bait network. Between that network and a program where people can submit threats, NSS Labs looks at over 100,000 new cyberthreats every month.

CAWS public exploits John Breeden II/IDG

The CAWS program tracks threats against all types of endpoints, using almost any kind of cybersecurity defense. It can identify hidden vulnerabilities with the capability of breaching defenses.

In the public instance, those threats are thrown at a test network with all the most common cybersecurity defenses from endpoint protection to security information and event management (SIEM) consoles, next generation firewalls and everything in between. Threats that get through any of those defenses are identified along with their capability to do downstream damage. Subscribers to the CAWS public instance can log in and view reports about those threats, as well as get detailed information about how to patch their own networks to eliminate vulnerabilities. For SMBs and organizations with smaller networks, CAWS can be an invaluable tool at that level, alerting IT teams about real threats with the ability to breach their defenses.

CAWS threats from John Breeden II/IDG

The level of detail collected by CAWS is impressive, including where data might exfiltrate to if fixes are not made.

The CAWS private instance

The private instance of CAWS is a more expensive service, but probably worth it for Fortune 500 type companies, financial institutions, government organizations, and those with either large networks or networks that are high value targets for attackers.

The interface for the private instance of CAWS is almost identical to the public instance. Clients access their unique private instance using a secure VPN connection, and only they have access. The difference is the level of customization that goes into a private network. Each private instance of CAWS is designed to exactly mirror the defenses of the subscribing organization, right down to the settings used to tweak security appliances and programs. It can be set so that as a device or program on the real host network is changed, those updates are automatically mirrored to the test network. In this way, customers can get a real-world view of actual vulnerabilities affecting their network, with up-to-the-second accuracy.

Setting up a private instance of CAWS is no small feat, though NSS Labs does most of the heavy lifting. Companies need to provide licenses for security products they are using so that NSS can set them up in the mirror network. Or, actual hardware units can also be shipped to NSS. Not every firewall needs to have a mirror, just every one with a unique configuration. So, if an organization has three different configurations for their network firewalls, perhaps depending on branch location or company division, then three units will need to be shipped to NSS Labs.

In addition to mirroring the front end cybersecurity protection, CAWS also puts back end clients in place. For that to happen, organizations that subscribe to the private instance need to send NSS Labs their golden images for systems.

It takes between eight and ten business days on average to configure a private instance of CAWS. Once complete, CAWS offers a perfect mirror of the real network that it will ultimately be protecting. NSS Labs sets up connectors as well, so that changes made on the real network are also made on the mirror.

Once ready, threats can be run against the mirror network. The threats can be highly destructive and don’t have to be neutered in any way, since they are only going to ravage the test network. In our testing, not only did the private CAWS network identify threats that could breach real defenses, it was also able to show how those threats could move laterally and compromise new systems on the back end using the mirrored test environment. 

CAWS threat chain John Breeden II/IDG

Because NSS Labs stands up both front end defenses and mirrored clients behind them, CAWS can show not only which threats might breach a network, but how they can move should that happen.

Depending on the preference of the organization sponsoring the private instance, patches for cybersecurity defenses can either be automatically delivered from CAWS back to the real network to protect against discovered vulnerabilities, or delivered in the form of highly detailed reports that IT teams can follow. All the information about vulnerabilities is also available to clients logging into the private instance through their VPN as well. If IT teams get used to checking CAWS, they can stay on top of new vulnerabilities and threats as part of their daily routine.

The public version of CAWS does an excellent job of unmasking threats and finding vulnerabilities in most cyber defenses. The private version, which is also sold as a subscription service, is much more expensive and requires some amount of work to ensure that the mirrored network remains an exact copy of the protected one. But having a whipping boy type of network to take the punishment and reveal vulnerabilities — with no risk whatsoever to the actual network — is an invaluable tool for networks with high security needs.

More on vulnerability management:

New! Download the State of Cybercrime 2017 report