Cisco Security Day: Monitor blind spot of your network
TRANSCRIPT
Page 1
Vedran Franjić, System Engineer Sales
Cisco Security Day
Monitor blind spot of your network
Page 2
Agenda
• Common Network Problem
• Stealthwatch Overview
• Integration
• Use Cases
• PoV
Page 3
NO VISIBILITY + NO SECURITY
“internal network traffic”
WHO did this?
HOW long?
WHAT was accessed?
WHEN will we know?
WHEN did it happen?
Page 4
Effective security depends on total visibility
Diagram labels: Network, Users, HQ, Data Center, Admin
SEE every conversation
Understand what is NORMAL
Be alerted to CHANGE
KNOW every host
Respond to THREATS quickly
Page 5
Stealthwatch Overview
Page 6
Network as Data Source
Diagram labels: Routers, Switches, host 10.1.8.3, host 172.168.134.2, Internet
Collecting data:
• Collect data across almost every device in your network
• Protocol: NetFlow, sFlow, IPFIX, NSEL, SPAN
• Ability to view north-south as well as east-west communication

| Flow Information | Packets |
|---|---|
| SOURCE ADDRESS | 10.1.8.3 |
| DESTINATION ADDRESS | 172.168.134.2 |
| SOURCE PORT | 47321 |
| DESTINATION PORT | 443 |
| INTERFACE | Gi0/0/0 |
| IP TOS | 0x00 |
| IP PROTOCOL | 6 |
| NEXT HOP | 172.168.25.1 |
| TCP FLAGS | 0x1A |
| SOURCE SGT | 100 |
| : | : |
| APPLICATION NAME | NBAR SECURE-HTTP |
Page 7
Exporters of telemetry in network
Diagram labels: Network Devices (Distribution/Core Switch, Access Switch), Endpoint Agent, Firewall, Proxy, Identity (AD & DNS), Talos Global Intelligence
Isolated knowledge based on function and location
Cisco Stealthwatch is a collector and aggregator of network telemetry for the purposes of security analysis and monitoring.
Page 8
Scaling and optimization: deduplication
Diagram labels: Router A, Router B, Router C; 10.1.1.1 port 80; 10.2.2.2 port 240
Deduplication:
• Avoid false positives and misreported traffic volume
• Enable efficient storage of telemetry data
• Necessary for accurate host-level reporting
• No data is discarded
Duplicates (the same flow reported by each router):
Router A: 10.1.1.1:80 10.2.2.2:1024
Router B: 10.2.2.2:1024 10.1.1.1:80
Router C: 10.2.2.2:1024 10.1.1.1:80
Page 9
Scaling and optimization: stitching
Diagram labels: 10.2.2.2 port 1024, 10.1.1.1 port 80, interfaces eth0/1 and eth0/2

Unidirectional Telemetry Records:

| Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent |
|---|---|---|---|---|---|---|---|---|
| 10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 |
| 10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 |

Bidirectional Telemetry Record (conversation record):

| Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Interfaces |
|---|---|---|---|---|---|---|---|---|---|---|
| 10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | eth0/1, eth0/2 |

Easy visualization and analysis
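The deduplication and stitching steps from the two slides above, as an added example in Python (not Cisco's or Stealthwatch's code): the sample records are constructed to mirror the slides, with the same session reported by Router A, B and C and both directions exported; the client/server rule (lower port is the server) is an assumption for the example.

```python
# Added example (not Cisco's code): de-duplicate the unidirectional NetFlow
# records several exporters report for one session, then stitch the two
# directions into one bidirectional conversation record.

# Constructed sample records mirroring the slides. Field order:
# (exporter, start, iface, src, sport, dst, dport, proto, pkts, bytes)
RECORDS = [
    ("RouterA", "10:20:12.221", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    ("RouterB", "10:20:12.223", "Gi0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    ("RouterC", "10:20:12.225", "Gi0/2", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    ("RouterA", "10:20:12.871", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    ("RouterB", "10:20:12.873", "Gi0/1", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]

def dedup(records):
    """Keep one record per direction key (src, sport, dst, dport, proto).
    Counters come from the first copy; every exporter/interface that saw the
    flow is remembered, so the traffic volume is not multiplied by the number
    of exporters and no data is discarded."""
    seen = {}
    for exporter, start, iface, src, sport, dst, dport, proto, pkts, nbytes in records:
        key = (src, sport, dst, dport, proto)
        if key not in seen:
            seen[key] = {"start": start, "src": src, "sport": sport, "dst": dst,
                         "dport": dport, "proto": proto, "pkts": pkts,
                         "bytes": nbytes, "ifaces": []}
        seen[key]["ifaces"].append(f"{exporter}:{iface}")
    return list(seen.values())

def stitch(unidir):
    """Pair each direction with its reverse. Assumed heuristic: the side with
    the lower port (80) is the server, the ephemeral-port side (1024) is the
    client. A direction that was never exported counts as 0 bytes/packets."""
    by_key = {(r["src"], r["sport"], r["dst"], r["dport"], r["proto"]): r for r in unidir}
    conversations, used = [], set()
    for key, rec in by_key.items():
        if key in used:
            continue
        src, sport, dst, dport, proto = key
        rev_key = (dst, dport, src, sport, proto)
        rev = by_key.get(rev_key)
        used.update({key, rev_key})
        if sport > dport:      # key is client -> server
            client, server, c2s, s2c = (src, sport), (dst, dport), rec, rev
        else:                  # key is server -> client
            client, server, c2s, s2c = (dst, dport), (src, sport), rev, rec
        halves = [r for r in (c2s, s2c) if r]
        conversations.append({
            "start": min(r["start"] for r in halves),
            "client": "%s:%d" % client, "server": "%s:%d" % server, "proto": proto,
            "client_bytes": c2s["bytes"] if c2s else 0, "client_pkts": c2s["pkts"] if c2s else 0,
            "server_bytes": s2c["bytes"] if s2c else 0, "server_pkts": s2c["pkts"] if s2c else 0,
            "ifaces": sorted({i for r in halves for i in r["ifaces"]}),
        })
    return conversations
```

`stitch(dedup(RECORDS))` yields the single conversation record of the slide; feeding only the first three records shows the half-open case with zero server bytes.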
Page 10
Conversational Flow Record
Diagram labels: Who, Who, What, When, How, Where
• Stitched and de-duplicated
• Conversational representation
• Highly scalable data collection and compression
• Months of data retention
More context
Page 11
Architecture
Page 12
Stealthwatch provides the security visibility you need

| | Stealthwatch Enterprise | Stealthwatch Cloud: Private network monitoring | Stealthwatch Cloud: Public cloud monitoring |
|---|---|---|---|
| Delivery | On-premises virtual or hardware appliance | Software as a Service (SaaS) | Software as a Service (SaaS) |
| Scope | Enterprise network monitoring; on-premises network monitoring | On-premises network monitoring | Public cloud monitoring |
| Suitable for | Enterprises & large businesses | SMBs & commercial businesses | Enterprises & commercial businesses using public cloud services |
Page 13
Stealthwatch Enterprise System Components
UDP Director
• UDP packet copier
• Forward to multiple destinations
• High Availability
Stealthwatch Flow Sensor
• Generate NetFlow from SPAN
• SRT/RTT
• DPI/NBAR/PAYLOAD
Stealthwatch Flow Collector
• Collect and analyze (2 LE)
• Store flow info
• Send statistics to SMC
Stealthwatch Management Console
• Management and reporting
• Statistical view
• Top Alarms, Top Hosts, Top Applications
Endpoint Concentrator
• Collect AnyConnect NVM flow data and forward to Flow Collector
Cognitive Analytics (Stealthwatch Cloud)
• Cloud hosted Analytics
• Global Risk Map
Threat Intelligence (License)
• Malicious IP
• Malicious URL
• Malicious processes
Page 14
Learning engines
Page 15
Stealthwatch Learning Engines
Cognitive Analytics
• Cloud Hosted
• Multi-layer Machine Learning
• Anomaly detection through statistical learning
• Encrypted Traffic Analytics
• Malware classification
Stealthwatch Cloud
• SaaS delivered
• Behavioural Analysis
• Anomaly detection through statistical learning
• Role Classification
Stealthwatch Enterprise
• Behavioural Analysis
• Anomaly detection through statistical learning
Page 16
Logical alarms based on suspicious events
• DDoS Activity: sending or receiving SYN flood and other types of data floods
• Source or target of malicious behavior: scanning, excessive network activity such as file copying or transfer, policy violation, etc.
• Reconnaissance: port scanning for vulnerabilities or running services
• Insider threats: data hoarding and data exfiltration
• Command and Control: communication back to an external remote controlling server through malware
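Two of the alarm categories above, Reconnaissance (port scanning) and Insider threats (data hoarding), evaluated over stitched conversation records, as an added example in Python (not Stealthwatch's alarm engine): the conversation records, the per-host baselines and the thresholds are constructed for the example; in the product the baselines come from the behavioural learning the deck describes.

```python
# Added example (not Stealthwatch's alarm engine): Reconnaissance and
# Insider-threat (data hoarding) alarms over conversation records.
from collections import defaultdict

# Constructed conversation records:
# (client, server, server_port, client_bytes, server_bytes)
CONVERSATIONS = [
    # 10.2.2.2 fetches one page from the web server (the stitched record)
    ("10.2.2.2", "10.1.1.1", 80, 1025, 28712),
    # 10.2.2.9 probes 25 ports on 10.1.1.1 and gets nothing back: a port scan
    *[("10.2.2.9", "10.1.1.1", port, 60, 0) for port in range(20, 45)],
    # 10.2.2.5 pulls ~900 MB from each of six internal file servers: hoarding
    *[("10.2.2.5", f"10.1.3.{i}", 445, 4_000, 900_000_000) for i in range(1, 7)],
]

# Constructed per-host baselines of server bytes received per period
# (assumption: a learned "normal" per host, as the deck's engines derive).
BASELINE_BYTES = {"10.2.2.2": 50_000_000, "10.2.2.9": 10_000, "10.2.2.5": 200_000_000}

def detect_reconnaissance(convs, min_ports=20, max_client_bytes=100):
    """Reconnaissance alarm: one client touches >= min_ports distinct ports on
    one server while the server sends nothing back (closed or filtered ports).
    Returns {(client, server): distinct_port_count}."""
    ports = defaultdict(set)
    for client, server, port, cbytes, sbytes in convs:
        if sbytes == 0 and cbytes <= max_client_bytes:
            ports[(client, server)].add(port)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}

def detect_data_hoarding(convs, baseline, tolerance=5.0, default_baseline=10_000_000):
    """Data hoarding alarm: a client's total server bytes received exceeds
    tolerance x its learned baseline. Returns {client: total_server_bytes}."""
    pulled = defaultdict(int)
    for client, _server, _port, _cbytes, sbytes in convs:
        pulled[client] += sbytes
    return {c: total for c, total in pulled.items()
            if total > tolerance * baseline.get(c, default_baseline)}
```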
Page 17
Integration
Page 18
Enriched with data from other sources
Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters
• Data Center: Nexus switch, Tetration
• Switch: Catalyst, ETA enabled Catalyst
• Web: Web Proxy
• Router: ISR, CSR, ASR, WLC
• Endpoint: AnyConnect NVM
• Firewall: ASA, FTD, Meraki
• Policy and User Info: Identity Services Engine (ISE)
• Other: Flow Sensor, SIEM
Diagram labels: Switch, Router, Router, Firewall, Server, User, Cisco Identity Services Engine, WAN, Server, Device
Page 19
ISE as a Telemetry Source
Cisco ISE (Authenticated Session Table, shared over pxGrid):
• IP to USER mapping
• USER generating malicious behaviour
Page 20
Rapid Threat Containment
Diagram labels: SMC, ISE, pxGrid
• Mitigation: quarantine or unquarantine infected host
• Context
Page 21
Proxy Effect on Flow
Diagram labels: User 10.1.8.3, Routers/Switches, Proxy 172.168.134.2, Internet

Flow on the user side of the proxy:

| Flow Information | Packets |
|---|---|
| SOURCE ADDRESS | 10.1.8.3 |
| DESTINATION ADDRESS | 172.168.134.2 |
| SOURCE PORT | 47321 |
| DESTINATION PORT | 443 |
| INTERFACE | Gi0/0/0 |
| IP TOS | 0x00 |
| IP PROTOCOL | 6 |
| NEXT HOP | 172.168.25.1 |
| TCP FLAGS | 0x1A |
| SOURCE SGT | 100 |
| : | : |
| APPLICATION NAME | NBAR SECURE-HTTP |

Flow on the Internet side of the proxy:

| Flow Information | Packets |
|---|---|
| SOURCE ADDRESS | 172.168.134.2 |
| DESTINATION ADDRESS | 216.58.213.100 |
| SOURCE PORT | 47321 |
| DESTINATION PORT | 443 |
| INTERFACE | Gi0/0/0 |
| IP TOS | 0x00 |
| IP PROTOCOL | 6 |
| NEXT HOP | 172.168.25.1 |
| TCP FLAGS | 0x1A |
| SOURCE SGT | 100 |
| : | : |
| APPLICATION NAME | NBAR SECURE-HTTP |

Problems:
• No NetFlow capabilities
• Disconnected information
Page 22
Stealthwatch Proxy Ingestion
Diagram labels: Proxy sends SYSLOG (UDP 514) to the Flow Collector; Flow Collector connects to Management Console, ISE, Threat Feed License, Cognitive Analytics

| Syslog Information | Packets |
|---|---|
| TIMESTAMP | 1456312345 |
| ELAPSE TIME | 12523 |
| SOURCE IP | 192.168.2.100 |
| SOURCE PORT | 4567 |
| DESTINATION IP | 65.12.56.123 |
| DESTINATION PORT | 80 |
| BYTES | 400 |
| URL | http://cisco.com |
| USERNAME | john |

Proxy Ingestion Provides:
• HTTP Traffic Visibility
• Analysis continuity
• User information
Multi-Vendor Proxy Support:
• Cisco WSA
• Bluecoat proxy
• Squid
• McAfee Web Gateway
Page 23
Proxy Visibility
Columns: Source IP/Port, Destination IP/Port, URL, Username
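How the proxy's syslog record restores the continuity the proxy breaks, as an added example in Python (not Stealthwatch's ingestion code): the two NetFlow records of the "Proxy Effect on Flow" slide are joined to a proxy record carrying the syslog fields of the ingestion slide, producing the Source IP/Port, Destination IP/Port, URL, Username view above. The key=value syslog layout, the URL, the bypass flow and the time window are constructed assumptions, not any vendor's format.

```python
# Added example (not Stealthwatch code): join the user-side and Internet-side
# NetFlow records a proxy splits a session into with the proxy's syslog record.
import re

PROXY_IP = "172.168.134.2"   # proxy address from the diagram

# Constructed NetFlow records: (start_epoch, src, sport, dst, dport)
FLOWS = [
    (1456312345, "10.1.8.3", 47321, "172.168.134.2", 443),        # user -> proxy
    (1456312345, "172.168.134.2", 47321, "216.58.213.100", 443),  # proxy -> Internet
    (1456312350, "10.1.8.9", 50123, "198.51.100.7", 443),         # no proxy record
]

# Constructed syslog payload in a key=value layout (not a real vendor format);
# the fields are the ones the ingestion slide lists.
PROXY_SYSLOG = [
    "<14>proxy: ts=1456312345 elapsed=12523 src=10.1.8.3:47321 "
    "dst=216.58.213.100:443 bytes=400 url=https://www.example.com/ user=john",
]

def parse_proxy_record(line):
    """Turn one key=value syslog line into a dict with typed fields."""
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    sip, sport = kv["src"].rsplit(":", 1)
    dip, dport = kv["dst"].rsplit(":", 1)
    return {"ts": int(kv["ts"]), "elapsed_ms": int(kv["elapsed"]),
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport),
            "bytes": int(kv["bytes"]), "url": kv["url"], "user": kv["user"]}

def correlate(flows, proxy_records, proxy_ip=PROXY_IP, window=5):
    """Join flows to proxy records. A user-side flow (dst == proxy) matches on
    the client's src ip/port; an Internet-side flow (src == proxy) matches on
    the origin server ip/port; both must start within `window` seconds of the
    proxy timestamp. Returns (joined_rows, unmatched_flows); an unmatched flow
    toward the Internet is traffic no proxy record explains."""
    rows, unmatched = [], []
    for start, src, sport, dst, dport in flows:
        hit = None
        for p in proxy_records:
            if abs(start - p["ts"]) > window:
                continue
            if dst == proxy_ip and (src, sport) == (p["src"], p["sport"]):
                hit = p
            elif src == proxy_ip and (dst, dport) == (p["dst"], p["dport"]):
                hit = p
            if hit:
                break
        if hit:
            rows.append({"source": f"{hit['src']}:{hit['sport']}",
                         "destination": f"{hit['dst']}:{hit['dport']}",
                         "url": hit["url"], "username": hit["user"],
                         "flow": f"{src}:{sport}->{dst}:{dport}"})
        else:
            unmatched.append((src, sport, dst, dport))
    return rows, unmatched
```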
Page 24
USE CASES
Page 25
Network Security
• Interface Status Report
• Investigating Slow Network Performance
• Detecting Policy Violations
• Relationship maps
• Detecting Malware Propagation
• Detect Rogue DNS Traffic
• Detecting Internal Brute Force Attacks
• Alarm Category: Data Hoarding
• Detecting Application Tunneling
Page 26
PoV
Page 27
What interests the customer (Top Cases)
Security Criteria
1. Botnet Activity on Network, Including Zero-Day Threats
2. Internal hosts posing the threat
3. Detect active Worms on the Network
4. Compliance check (Host locking configuration, CSE)
5. Identify the IP Address of the User (ISE)
6. Audit Communications
7. Detect Threat inside Encrypted traffic
8. Associate traffic with URLs (visibility through Proxy)
Network Criteria
1. Bandwidth Consumption by Applications and by Host
2. Performance Maps (WAN, Applications)
3. Unusual Traffic Spikes in a Particular Area of the Network
4. Exporter interface consumption
5. Server vs. Network Response Time
Page 28
Procedure
1. Define what data is critical to record – CORE and NGFW minimum
2. Define size of appliances
3. Define which deployment will be used
   • Virtual: KVM, VMware
   • Physical: UCS servers
4. Install appliances
5. Configure NetFlow, Host Groups
6. Policy tuning after 2 weeks
7. Monitor data and analyze reports
Page 29
Stealthwatch TERM Offer - Flow Rate Bundle
ST-FR-BUN (for 3Y & 5Y terms)
ST-FR-1Y-BUN (for 1Y term)
Flow Rate License: L-ST-FR-LIC= (subscriptions for 1/3/5yr)
Required Software:
• Stealthwatch Management Console: L-ST-SMC-VE-K9 (quantity based on FRL)
• Stealthwatch Flow Collector: L-ST-FC-VE-K9 (quantity based on FRL)
• Global Threat Analytics Proxy License
Optional Software:
• Endpoint License: L-ST-EP-LIC=
• Flow Sensor: L-ST-FS-VE-K9
• UDP Director: L-ST-UDP-VE-K9
• Threat Intelligence: L-ST-TI-LIC=
Optional Hardware w/ fixed SW PID:
• FC Appliance: ST-FC4200-K9, ST-FC5200-K9
• FS Appliance: ST-FS1200-K9, ST-FS2200-K9, ST-FS3200-K9, ST-FS4200-K9
• UDPD Appliance: ST-UDPD2200-K9
• SMC Appliance: ST-SMC2200-K9
Page 30
Summary
• Using your network as THE 2nd line of defense for enforcement
• You already have the investment
• Agent/endpoint OS agnostic
• No device, IoT or not, can hide from the network itself
• Encrypted traffic a non-issue