
Advanced Threat Detection and the Internet of Everything

Cisco IT Insights

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. May 2015 Page 1 of 3

What

The coming Internet of Everything (IoE) will add thousands if not millions of sensors, devices, and automated systems to enterprise networks. However, most of these endpoints will not support security capabilities, making them useful to hackers as a way to access and attack the connected network.

This IoE security challenge is reflected in two critical questions for information security departments:

• How can we protect our network, data, and applications from threats that could come from millions of endpoints, most of which can't be secured?

• How will we be able to analyze the huge volume of status and operational data generated by IoE devices for potential attacks and risks?

“Security managers will need the ability to leverage IoE data not only to identify specific threats, but also to learn about what types of traffic or activity represent an actual risk,” says Logan Wilkins, program manager, Cisco InfoSec.

Building a Security Data Infrastructure

For Cisco IT, answering the questions about IoE security means first looking to the network level, which is the best place for getting security-related information and where security measures can have the most effect.

To gather IoE security information within Cisco, we are deploying a system to collect network traffic data that reaches a volume of billions of records per day. The initial focus of the system is Domain Name System (DNS) data, which as of mid-2015 means collecting up to three billion events daily, even before we've started to deploy massive numbers of IoE sensors. We started with DNS data because of these factors:

• The volume is large enough to validate that our data collection and processing systems will be adequate to handle the higher data volumes generated by IoE elements.

• DNS records provide an easy, fast way to find many security problems.

• DNS also provides an important foundation for deeper analysis into other protocols that may be involved in a breach or attack.

In the future, we plan to expand data collection to include NetFlow, which will help us automatically detect and handle more security threats.

Machine Learning for Data Filtering and Correlation

To make all of this information useful to Cisco security teams, we are applying machine learning technology. Sophisticated learning algorithms classify and correlate the data to identify unusual events, outlier values, and unexpected behaviors. Examples of how we will apply machine learning to IoE security data include:

• Using advanced learning algorithms to recognize with a high degree of confidence those external hosts that are likely to have malicious intent.

• Analyzing the behavior of hosts and devices on our network to discern unusual activity that would indicate malware or unauthorized control of the device.
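As an added example (not Cisco's code and not the learning algorithms described above), here is a simple statistical stand-in for the per-host behaviour analysis on DNS data: it reduces constructed DNS events to two features per client (distinct names queried, NXDOMAIN responses) and flags hosts that sit far above the population baseline using a median/MAD robust z-score. All addresses and names are constructed, and the 3.0 threshold is an assumption.

```python
from collections import defaultdict
from statistics import mean, median

# Constructed sample DNS events (client, queried name, response code). The
# production pipeline sees billions per day; a handful shows the logic.
NORMAL = {  # five sensors that each resolve a few stable names
    "10.1.1.10": ["update.sensor-vendor.example"],
    "10.1.1.11": ["update.sensor-vendor.example", "time.corp.example"],
    "10.1.1.12": ["update.sensor-vendor.example", "time.corp.example"],
    "10.1.1.13": ["update.sensor-vendor.example", "time.corp.example", "telemetry.corp.example"],
    "10.1.1.14": ["time.corp.example", "telemetry.corp.example", "ntp.corp.example"],
}
SAMPLE_DNS_EVENTS = [(c, n, "NOERROR") for c, ns in NORMAL.items() for n in ns]
# One device suddenly resolving many never-seen names, most of which fail to resolve
SAMPLE_DNS_EVENTS += [
    ("10.1.1.99", f"{lbl}.zone{i}.example", "NOERROR" if i % 4 == 0 else "NXDOMAIN")
    for i, lbl in enumerate("aq2 zx9 p0k m7v wq1 b3n rt5 ky8 cd2 hu6 lz4 xe7".split())
]


def per_host_features(events):
    """Reduce raw DNS events to two behaviour features per client."""
    names, nxdomain = defaultdict(set), defaultdict(int)
    for client, qname, rcode in events:
        names[client].add(qname.lower())
        if rcode == "NXDOMAIN":
            nxdomain[client] += 1
    return {c: {"distinct_names": len(names[c]), "nxdomain": nxdomain[c]} for c in names}


def robust_z(values):
    """Median/MAD z-scores (1.4826 scales MAD to a std-dev equivalent);
    falls back to mean absolute deviation when MAD is zero."""
    med = median(values)
    devs = [abs(v - med) for v in values]
    scale = 1.4826 * median(devs) or mean(devs) or 1.0
    return [(v - med) / scale for v in values]


def find_outlier_hosts(events, threshold=3.0):
    """Flag hosts far above the population baseline on any feature (assumed threshold)."""
    feats = per_host_features(events)
    hosts = sorted(feats)
    scores = {h: {} for h in hosts}
    for feature in ("distinct_names", "nxdomain"):
        for h, z in zip(hosts, robust_z([feats[h][feature] for h in hosts])):
            scores[h][feature] = round(z, 2)
    flagged = [h for h in hosts if max(scores[h].values()) > threshold]
    return flagged, scores
```

On the constructed data only 10.1.1.99 is flagged; a real deployment would baseline each device class separately and feed the scores to an analyst rather than act on them automatically.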


Security Data System Deployment

Cisco IT tested the new security data system in a proof-of-concept project that included the following elements:

• Cisco Unified Computing System (Cisco UCS) servers for the data processing and access applications

• MapR file system for data storage as well as a time-based database for events that are generated as a time series

• Splunk for automated filtering and initial analysis of events, which creates more useful information for detailed assessment by the Cisco security team

• Lancope StealthWatch hardware for monitoring and ad hoc searches in the NetFlow data

Figure 1 presents a high-level architecture view of the data collection and processing system.

Figure 1. Cisco IT Architecture for Security Data Analysis

Why

We know that defending the Cisco network as it connects more IoE sensors and devices will require the ability to quickly identify new threats. That's why we're focusing on two critical capabilities in the security data infrastructure: scalability and automation.

Scalability to Handle Huge Data Volumes

Scalability is first about handling an enormous and ever-growing volume of network data. “If we have the infrastructure to handle billions of events today, then we can be confident about handling the even higher volumes of data that come with IoE,” says Jeff Bollinger, senior investigator, Cisco InfoSec.

We also want a scalable infrastructure design that will allow us to collect and process log data from other IoE monitoring programs as well as data from sources outside the network.

Automated, Intelligent Event Processing

Continual improvement in the machine learning capabilities will allow our automated event processing to become more intelligent over time. Increasing automation will also reduce the number of events that will need to be evaluated by a Cisco security analyst, even as IoE brings more data and new threats.


We also apply automated event processing with machine learning to identifying risks in outbound network traffic. For example, our internally developed iCAM software analyzes user behavior (including outbound data transfers) and generates alerts when that behavior violates Cisco security policies.

However, “There will always be a place for human analysis because we can't know for sure in some situations whether something is really bad or not, so we can't set up all events for automated handling,” says Bollinger. “We need the knowledge of our security analysts to identify which events indicate a false positive and which indicate a true problem.”

For More Information

• Cisco IT Case Study: How Cisco Automates Protection of Intellectual Property

• Cisco IT Case Study: Using Lancope StealthWatch for Information Security Monitoring

• Cisco Unified Computing System

To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.

To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.

Note

This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.

CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.