
SWOT Assessment: Arbor Networks Spectrum, Version 2.1

Analyzing the strengths, weaknesses, opportunities, and threats

Summary
Catalyst
Arbor Networks Spectrum is a network-based platform that has been designed to make the
investigation of security threats faster and more effective for both expert and less experienced
security analysts. In the context of today's complex threat detection and management environment,
Arbor Spectrum is a proactive, analytics-based hunting solution that is tasked with identifying all forms
of threat activity including zero-day and advanced and persistent threats. It interrogates business
networks to piece together the core components of attack campaigns and focuses on the faster
detection and identification of the threats that each business faces and the risks to normal business
activities they represent. Arbor Spectrum leverages Arbor's ATLAS intelligence threat feed to match
attacks found and validated in the global Internet to traffic within a corporate network.

Key messages

All perimeter incursions leave traces of their activities on the network and attackers
find it difficult to avoid leaving their footprint; Arbor Spectrum uses the network to
build a detailed picture of each attack and the threats involved.

Arbor Spectrum combines real-time network packet inspection and flow data with the
use of archived threat information.

In addition to core network sources, threat intelligence is gathered from the Arbor
ATLAS Intelligence Feed and other third-party resources.

Its workflow-based approach helps security teams to manage all elements of the
threat lifecycle, including incident discovery, investigation, and forensics.

Ovum view
Information security and improving the way that data is protected are issues that every organization
needs to address. Attackers continue to find new ways of getting past traditional layered security
defenses and, despite increases in security spending, breach numbers continue to rise.
The response requirement is twofold. Security managers need to have better and more accurate
information about the threats that are coming their way, including the targeted information needed to
prioritize incidents. Secondly, accepting that every organization and its systems and networks will at
some stage be infected by malware or breached by social-engineering campaigns, more effort needs
to be focused on finding the threats as they occur and dealing with the remediation issues before
major data losses occur. In this context, network traffic is a reliable source of meaningful indicators of
compromise.

Recommendations for enterprises


Why consider Arbor Spectrum?
Arbor Spectrum deals with the threat identification issues that security managers need to address on
a day-to-day basis. Security professionals have concerns about zero-day and advanced persistent
threats (APTs), and their ability to spot serious attempts to steal sensitive data among all the other
noise generated by everyday traffic flowing across their networks.
Arbor Spectrum combines the delivery of global attack intelligence with the network visibility needed
to identify suspicious activity as it happens. Its network-based platform has been designed to make
security investigations more focused and help security managers deal with the threats that matter
most to their organizations. Arbor Spectrum's core capabilities include the ability to investigate all
network traffic which, alongside its access to a complete network threat archive, helps identify good
and bad behavior patterns. Its workflow-based functionality enables security teams to pivot between
threat discovery, incident investigation, and the forensics of recovery from within a common user
interface. Multiple threat intelligence sources from Arbor and third parties are available to improve
threat detection, and flexible deployment options allow organizations to install Spectrum quickly
across the entire enterprise network.

SWOT analysis
Strengths
Arbor Spectrum provides protection for medium-to-large enterprises, including
data center environments
Arbor Spectrum offers a combination of network-based packet analysis and flow protection that suits
medium-to-large enterprises and includes data center environments. Its packet collectors can be
deployed at the Internet and data center edge as well as within the network core, and its flow
capabilities provide broad visibility across enterprise networks. Its combined and integrated
architecture offers a comprehensive approach to threat analysis and security management.

Arbor Spectrum takes a proactive approach to threat detection


Arbor Spectrum's advanced threat detection facilities are used to search internal networks, and to
investigate, detect, and prove the existence of active attack campaigns. Its threat-hunter approach
uses the network and its traffic flows to highlight suspicious activity and build an inclusive picture of
attack campaigns. An enterprise network carries most of the traffic an organization needs to fulfill its
business objectives. It is the vehicle for legitimate transactions and, as such, also an unavoidable
route for the delivery and lateral movement of most forms of malware. Arbor's assertion is that all
threat incursions are visible on the network, and that Spectrum's inclusive investigative capabilities
can be used to speed up threat identification and deal with threats as they occur.

Analysis and archive facilities combine to identify suspicious network activity


Arbor Spectrum takes a comprehensive approach to threat detection. It combines the detailed
analysis and archiving of packets and flow within a single inclusive network-monitoring solution.
Packet analysis and the archive operate at critical points of each business network to extract and
deliver threat intelligence, and Arbor NetFlow facilities provide traffic-flow visibility across the whole
network.

Weaknesses
Spectrum controller and collector licenses can only be used on Arbor
appliances
Virtual software licenses for the Arbor Spectrum controller and collector functions are on the roadmap
and expected to be accessible sometime during the second half of 2016. Once available, they should
add flexibility of use within network function virtualization (NFV) and software-defined network (SDN)
environments.

Opportunities
Arbor Spectrum combines the use of new and established Arbor products and
services
Arbor Spectrum offers real-time traffic flow analysis and threat detection. It also utilizes Arbor ATLAS
intelligence and user-supplied threat feeds to identify threat indicators. The Arbor ATLAS
infrastructure sees more than one-third of the world's Internet traffic and, operating alongside the
company's advanced malware research and botnet infiltration services, generates an extensive range
of threat detection data.

Established threat detection tools add to the overall data protection
proposition
For packet analysis, Arbor combines the use of URL, domain, and IP reputation facilities to identify
threat indicators based on matches with known bad actors and ongoing attack campaign
infrastructures.

Threats
Establishing differentiation from other threat detection approaches will require
market education
Most next-generation security vendors claim the ability to detect zero-day threats and deal with
advanced forms of malware. For enterprise clients it is becoming increasingly difficult to determine
which of the many solutions available will suit their protection requirements. The Arbor Spectrum
approach of using the network to piece together a larger picture of threats and attack campaigns is
positioned as a discernable differentiation from competitor solutions that focus on logs, alerts, and
alarms and that only provide a singular threat indicator. However, more education is needed to
highlight the completeness of the Spectrum solution and its ability to prioritize severe threat activity on
behalf of the security professionals who benefit from its services.

Data sheet
Key facts about the solution
Table 1: Data sheet: Arbor Networks Inc.
Product name: Arbor Networks Spectrum
Product classification: Advanced threat protection
Version number: 2.1
Release date: April 2016
Industries covered: All
Geographies covered: Global
Relevant company sizes: All. Spectrum is deployed by Fortune 100 organizations, global brands, large government organizations, and nonprofits with single-person security teams.
Platforms supported: Microsoft Windows, Linux, Solaris, AIX, HP/UX, Mac OS, and z/OS
Languages supported: English
Licensing options: Perpetual, term, and SaaS, with virtual software licenses available from 2H16
Deployment options: On-premise
Routes to market: Direct and channel
URL: www.arbornetworks.com
Company headquarters: Burlington, Massachusetts, US
European headquarters: Bracknell, Berkshire, UK
North America headquarters: Burlington, Massachusetts, US
Asia-Pacific headquarters: Singapore

Source: Ovum

Appendix
Methodology
Ovum SWOT Assessments are independent reviews carried out using Ovum's evaluation model for
the relevant technology area, supported by conversations with vendors, users, and service providers
of the solution concerned, and in-depth secondary research.

Further reading
On the Radar: iboss Network Security, IT0022-000111 (August 2014)
"Trend Micro ups network security clout with TippingPoint buy," IT0022-000549 (December 2015)

Author
Andrew Kellett, Principal Analyst, Infrastructure Solutions
andrew.kellett@ovum.com

Ovum Consulting
We hope that this analysis will help you make informed and imaginative business decisions. If you
have further requirements, Ovum's consulting team may be able to help you. For more information
about Ovum's consulting capabilities, please contact us directly at consulting@ovum.com.

Copyright notice and disclaimer


The contents of this product are protected by international copyright laws, database rights and other
intellectual property rights. The owner of these rights is Informa Telecoms and Media Limited, our
affiliates or other third party licensors. All product and company names and logos contained within or
appearing on this product are the trademarks, service marks or trading names of their respective
owners, including Informa Telecoms and Media Limited. This product may not be copied, reproduced,
distributed or transmitted in any form or by any means without the prior permission of Informa
Telecoms and Media Limited.
Whilst reasonable efforts have been made to ensure that the information and content of this product
was correct as at the date of first publication, neither Informa Telecoms and Media Limited nor any
person engaged or employed by Informa Telecoms and Media Limited accepts any liability for any
errors, omissions or other inaccuracies. Readers should independently verify any facts and figures as
no liability can be accepted in this regard - readers assume full responsibility and risk accordingly for
their use of such information and content.
Any views and/or opinions expressed in this product by individual authors or contributors are their
personal views and/or opinions and do not necessarily reflect the views and/or opinions of Informa
Telecoms and Media Limited.
