Cisco Security Day...Cisco Security Day Monitor blind spot of your network ... Cognitive Analytics...


Page 1: Cisco Security Day...Cisco Security Day Monitor blind spot of your network ... Cognitive Analytics •Cloud hosted Analytics • Global Risk Map Threat Intelligence License ... Command

Vedran Franjić, System Engineer Sales

[email protected]

Cisco Security Day

Monitor blind spot of your network

Page 2:

Agenda

• Common Network Problem

• Stealthwatch Overview

• Integration

• Use Cases

• PoV

Page 3:

NO VISIBILITY = NO SECURITY

"internal network traffic"

Without telemetry from the internal network, the basic incident questions stay unanswered:

• WHO did this?

• HOW long?

• WHAT was accessed?

• WHEN did it happen?

• WHEN will we know?

Page 4:

Effective security depends on total visibility

(diagram: Network, Users, HQ, Data Center, Admin)

• SEE every conversation

• KNOW every host

• Understand what is NORMAL

• Be alerted to CHANGE

• Respond to THREATS quickly

Page 5:

Stealthwatch Overview

Page 6:

Network as Data Source

(diagram: Routers and Switches between the host 10.1.8.3 and the Internet host 172.168.134.2)

Collecting data:

• Collect data across almost every device in your network

• Protocol: NetFlow, sFlow, IPFIX, NSEL, SPAN

• Ability to view north-south as well as east-west communication

Flow Information (one record, built from the packets of one flow):

SOURCE ADDRESS       10.1.8.3
DESTINATION ADDRESS  172.168.134.2
SOURCE PORT          47321
DESTINATION PORT     443
INTERFACE            Gi0/0/0
IP TOS               0x00
IP PROTOCOL          6 (TCP)
NEXT HOP             172.168.25.1
TCP FLAGS            0x1A (SYN, PSH and ACK seen during the flow; the exporter ORs the flags of every packet)
SOURCE SGT           100
: :
APPLICATION NAME     NBAR SECURE-HTTP
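What a flow record looks like on the wire, as an added example that is not from the deck: the flow from the slide (10.1.8.3:47321 to 172.168.134.2:443) is packed into a NetFlow v5 export packet the way a router would send it and parsed back the way a collector reads it. NetFlow v5 is used because its layout is fixed and public; the slide's SGT and NBAR application-name fields exist only in Flexible NetFlow v9/IPFIX templates and are not represented. Interface indexes, packet and byte counters and timestamps are assumed values.

```python
"""Added example: build one NetFlow v5 export packet for the slide's flow and parse it back."""
import socket
import struct
import time
from typing import Dict, List

# NetFlow v5: 24-byte header followed by up to 30 fixed 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
                  (0x10, "ACK"), (0x20, "URG")]


def decode_tcp_flags(flags: int) -> List[str]:
    """Expand the cumulative tcp_flags byte (OR of every packet in the flow)."""
    return [name for bit, name in TCP_FLAG_NAMES if flags & bit]


def build_v5_packet(records: List[Dict], sequence: int = 0) -> bytes:
    """Pack a header plus records the way a router exporter would."""
    header = V5_HEADER.pack(5, len(records), int(time.monotonic() * 1000) & 0xFFFFFFFF,
                            int(time.time()), 0, sequence, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
            socket.inet_aton(r["next_hop"]), r["in_if"], r["out_if"],
            r["packets"], r["bytes"], r["first_ms"], r["last_ms"],
            r["sport"], r["dport"], 0, r["tcp_flags"], r["proto"], r["tos"],
            0, 0, 0, 0, 0)
        for r in records)
    return header + body


def parse_v5_packet(data: bytes) -> List[Dict]:
    """Parse an export packet into flow dicts; rejects anything that is not complete v5."""
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated export packet")
    flows = []
    for i in range(count):
        (src, dst, nh, in_if, out_if, pkts, octets, _first, _last, sport, dport,
         _pad, flags, proto, tos, *_rest) = V5_RECORD.unpack_from(
            data, V5_HEADER.size + i * V5_RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "next_hop": socket.inet_ntoa(nh), "in_if": in_if, "out_if": out_if,
            "packets": pkts, "bytes": octets, "sport": sport, "dport": dport,
            "proto": proto, "tos": tos, "tcp_flags": flags,
            "tcp_flag_names": decode_tcp_flags(flags),
        })
    return flows


# Constructed record with the values from the slide; interface indexes, counters and times are assumed.
SLIDE_FLOW = {"src": "10.1.8.3", "dst": "172.168.134.2", "next_hop": "172.168.25.1",
              "in_if": 1, "out_if": 2, "packets": 12, "bytes": 4321,
              "first_ms": 1000, "last_ms": 1850, "sport": 47321, "dport": 443,
              "tcp_flags": 0x1A, "proto": 6, "tos": 0x00}


def round_trip() -> Dict:
    """Export the slide's flow and read it back as a collector would."""
    return parse_v5_packet(build_v5_packet([SLIDE_FLOW], sequence=1))[0]


if __name__ == "__main__":
    for field, value in round_trip().items():
        print(f"{field:15} {value}")
```

The truncation check matters in practice: an exporter reports the record count in the header, and a collector that trusts it without checking the datagram length reads past the buffer on a short or spoofed packet.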

Page 7:

Exporters of telemetry in network

Each source holds isolated knowledge based on its function and location:

• Network devices: distribution/core switch, access switch

• Endpoint agent

• Firewall

• Proxy

• Identity, AD & DNS

• Talos global intelligence

Cisco Stealthwatch is a collector and aggregator of network telemetry for the purposes of security analysis and monitoring.

Page 8:

Scaling and optimization: deduplication

The same conversation (10.1.1.1 port 80 <-> 10.2.2.2 port 1024) crosses Router A, Router B and Router C, and each of them exports a record for it:

Router A: 10.1.1.1:80   -> 10.2.2.2:1024
Router B: 10.2.2.2:1024 -> 10.1.1.1:80
Router C: 10.2.2.2:1024 -> 10.1.1.1:80

The Router B and Router C records are duplicates of the flow Router A already reported. Their byte and packet counts are not added to the traffic volume again; the exporter and interface information from each record is kept.

Deduplication

• Avoid false positives and misreported traffic volume

• Enable efficient storage of telemetry data

• Necessary for accurate host-level reporting

• No data is discarded

Page 9:

Scaling and optimization: stitching

The router sees the two directions of one TCP connection on two interfaces (eth0/1 and eth0/2) and exports them as two unidirectional telemetry records:

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Stitching joins them into one bidirectional telemetry record, with the side that initiated the connection as the client:

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Conversation record: easy visualization and analysis
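The two optimizations from this slide and the previous one, as an added example rather than Stealthwatch's own code: the records from the slides are first deduplicated across the three routers that all report the same conversation, then the two unidirectional halves are stitched into one conversation record. The Router B and Router C interface names, their start times and the client-selection rule (earlier start wins, then the higher port) are assumptions.

```python
"""Added example: deduplicate multi-exporter flow records and stitch them into conversations."""
from collections import defaultdict
from typing import Dict, List, Tuple

FIELDS = ("exporter", "interface", "src", "sport", "dst", "dport", "proto", "pkts", "bytes", "start")

# Constructed unidirectional records. Router A's rows carry the slide's values; Router B and
# Router C sit on the same path and export the same conversation again (interfaces assumed).
RAW_RECORDS: List[Tuple] = [
    ("RouterA", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025, "10:20:12.221"),
    ("RouterA", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712, "10:20:12.871"),
    ("RouterB", "Gi0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025, "10:20:12.230"),
    ("RouterB", "Gi0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712, "10:20:12.880"),
    ("RouterC", "Gi0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025, "10:20:12.240"),
    ("RouterC", "Gi0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712, "10:20:12.890"),
]


def to_dicts(rows: List[Tuple]) -> List[Dict]:
    return [dict(zip(FIELDS, row)) for row in rows]


def conversation_key(r: Dict) -> Tuple:
    """Direction-independent key: identical for both halves of one connection."""
    a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
    return (r["proto"],) + (a + b if a < b else b + a)


def deduplicate(records: List[Dict]) -> List[Dict]:
    """Keep one record per direction of each conversation. Counts are taken once, not summed
    per exporter, so volume is not multiplied by path length; every exporter/interface that
    saw the flow is remembered, so no data is lost."""
    kept: Dict[Tuple, Dict] = {}
    for r in records:
        key = (conversation_key(r), r["src"], r["sport"])  # conversation plus direction
        if key in kept:
            kept[key]["seen_on"].append((r["exporter"], r["interface"]))
        else:
            kept[key] = dict(r, seen_on=[(r["exporter"], r["interface"])])
    return list(kept.values())


def choose_client(a: Dict, b: Dict) -> Tuple[Dict, Dict]:
    """Client is the side seen first; on a tie, the side using the higher (ephemeral) port."""
    if a["start"] != b["start"]:
        return (a, b) if a["start"] < b["start"] else (b, a)
    return (a, b) if a["sport"] > b["sport"] else (b, a)


def stitch(records: List[Dict]) -> List[Dict]:
    """Join the two directions of each conversation into one bidirectional record."""
    halves = defaultdict(list)
    for r in records:
        halves[conversation_key(r)].append(r)
    conversations = []
    for key, parts in halves.items():
        if len(parts) == 2:
            client, server = choose_client(parts[0], parts[1])
        else:  # only one direction seen (asymmetric routing, or the reply never came)
            client, server = parts[0], None
        conversations.append({
            "start": client["start"], "proto": key[0],
            "client_ip": client["src"], "client_port": client["sport"],
            "server_ip": client["dst"], "server_port": client["dport"],
            "client_bytes": client["bytes"], "client_pkts": client["pkts"],
            "server_bytes": server["bytes"] if server else 0,
            "server_pkts": server["pkts"] if server else 0,
            "interfaces": sorted({i for h in parts for _, i in h["seen_on"]}),
            "exporters": sorted({e for h in parts for e, _ in h["seen_on"]}),
            "bidirectional": server is not None,
        })
    return conversations


def build_conversations(rows: List[Tuple] = RAW_RECORDS) -> List[Dict]:
    return stitch(deduplicate(to_dicts(rows)))


if __name__ == "__main__":
    for conversation in build_conversations():
        print(conversation)
```

A one-sided conversation (the reply direction missing) is kept rather than dropped: a connection attempt with no answer is exactly the kind of record a scan detector needs later.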

Page 10:

Conversational Flow Record

Who, What, When, How, Where (and who on the other side)

• Stitched and de-duplicated

• Conversational representation

• Highly scalable data collection and compression

• Months of data retention

• More context

Page 11:

Architecture

Page 12:

Stealthwatch provides the security visibility you need

Stealthwatch Enterprise

• Enterprise network monitoring

• On-premises virtual or hardware appliance

• Suitable for enterprises & large businesses

Stealthwatch Cloud (Software as a Service)

• Private network monitoring: on-premises network monitoring, suitable for SMBs & commercial businesses

• Public cloud monitoring: suitable for enterprises & commercial businesses using public cloud services

Page 13:

Stealthwatch Enterprise System Components

UDP Director

• UDP packet copier

• Forward to multiple destinations

• High availability

Stealthwatch Flow Sensor

• Generate NetFlow from SPAN

• SRT/RTT (server response time / round-trip time)

• DPI/NBAR/payload

Stealthwatch Flow Collector

• Collect and analyze (2 LE)

• Store flow info

• Send statistics to SMC

Stealthwatch Management Console (SMC)

• Management and reporting

• Statistical view

• Top alarms, top hosts, top applications

Endpoint Concentrator

• Collect AnyConnect NVM flow data and forward to Flow Collector

Cognitive Analytics (Stealthwatch Cloud)

• Cloud hosted analytics

• Global Risk Map

Threat Intelligence License

• Malicious IP

• Malicious URL

• Malicious processes

Page 14:

Learning engines

Page 15:

Stealthwatch Learning Engines

Cognitive Analytics

• Cloud hosted

• Multi-layer machine learning

• Anomaly detection through statistical learning

• Encrypted Traffic Analytics

• Malware classification

Stealthwatch Cloud

• SaaS delivered

• Behavioural analysis

• Anomaly detection through statistical learning

• Role classification

Stealthwatch Enterprise

• Behavioural analysis

• Anomaly detection through statistical learning

Page 16:

Logical alarms based on suspicious events

• DDoS Activity: sending or receiving SYN flood and other types of data floods

• Source or target of malicious behavior: scanning, excessive network activity such as file copying or transfer, policy violation, etc.

• Reconnaissance: port scanning for vulnerabilities or running services

• Insider threats: data hoarding and data exfiltration

• Command and Control: communication back to an external remote controlling server through malware

Page 17:

Integration

Page 18:

Enriched with data from other sources

Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters.

• Data Center: Nexus switch, Tetration

• Switch: Catalyst, ETA enabled Catalyst

• Web: Web Proxy

• Router: ISR, CSR, ASR, WLC

• Endpoint: AnyConnect NVM

• Firewall: ASA, FTD, Meraki

• Policy and User Info: Identity Services Engine (ISE)

• Other: Flow Sensor, SIEM

Page 19:

ISE as a Telemetry Source

Cisco ISE shares its authenticated session table with Stealthwatch over pxGrid:

• IP to USER mapping

• USER generating malicious behaviour

Page 20:

Rapid Threat Containment

SMC <-> ISE over pxGrid: context flows from ISE to the SMC, mitigation from the SMC to ISE.

• pxGrid mitigation: quarantine or unquarantine infected host

Page 21:

Proxy Effect on Flow

Path: User 10.1.8.3 -> Routers/Switches -> Proxy 172.168.134.2 -> Internet

The proxy terminates the user's connection and opens its own connection to the Internet, so the network exports two flow records with nothing in common to join them on:

Flow Information         client -> proxy     proxy -> Internet
SOURCE ADDRESS           10.1.8.3            172.168.134.2
DESTINATION ADDRESS      172.168.134.2       216.58.213.100
SOURCE PORT              47321               47321
DESTINATION PORT         443                 443
INTERFACE                Gi0/0/0             Gi0/0/0
IP TOS                   0x00                0x00
IP PROTOCOL              6                   6
NEXT HOP                 172.168.25.1        172.168.25.1
TCP FLAGS                0x1A                0x1A
SOURCE SGT               100                 100
: :
APPLICATION NAME         NBAR SECURE-HTTP    NBAR SECURE-HTTP

Problems

• No NetFlow capabilities (the proxy itself exports no flow records)

• Disconnected information (nothing in the second record points back to 10.1.8.3)

Page 22:

Stealthwatch Proxy Ingestion

The proxy sends its access log to the Flow Collector as syslog (UDP 514); the Flow Collector also receives context from ISE, the Management Console, the Threat Feed License and Cognitive Analytics.

Syslog Information (one proxy log record):

TIMESTAMP         1456312345
ELAPSED TIME      12523
SOURCE IP         192.168.2.100
SOURCE PORT       4567
DESTINATION IP    65.12.56.123
DESTINATION PORT  80
BYTES             400
URL               http://cisco.com
USERNAME          john

Proxy Ingestion Provides

• HTTP traffic visibility

• Analysis continuity

• User information

Multi-Vendor Proxy Support

• Cisco WSA

• Blue Coat proxy

• Squid

• McAfee Web Gateway

Page 23:

Proxy Visibility

With proxy records ingested, one view shows Source IP/Port, Destination IP/Port, URL and Username together.
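The continuity the last three slides describe, as an added example that is not Stealthwatch's proxy ingestion: constructed Squid native access-log lines carried in RFC 5424 syslog are parsed, and each one is used to rejoin the two flow records a proxy splits a session into (client to proxy, proxy to destination) by matching client address, destination address and time. The flow values follow the Proxy Effect slide, except that the proxy's outbound connections are given their own source ports (51234, 51300), since the slide repeats the client's port; the 2-second join window, the proxy hostname and the second user are assumptions.

```python
"""Added example: parse proxy syslog and rejoin the inside and outside flows of a proxied session."""
import re
from typing import Dict, List, Optional

PROXY_IP = "172.168.134.2"

# Constructed flow records (epoch start, src, sport, dst, dport) as routers/switches export them.
FLOWS = [
    {"start": 1456312345.0, "src": "10.1.8.3", "sport": 47321, "dst": PROXY_IP, "dport": 443},
    {"start": 1456312345.2, "src": PROXY_IP, "sport": 51234, "dst": "216.58.213.100", "dport": 443},
    {"start": 1456312400.0, "src": "10.1.8.4", "sport": 50011, "dst": PROXY_IP, "dport": 80},
    {"start": 1456312400.1, "src": PROXY_IP, "sport": 51300, "dst": "65.12.56.123", "dport": 80},
]

# Constructed syslog lines: RFC 5424 header, then a Squid native access-log line as the message
# (time elapsed client code/status bytes method URL user peerstatus/peerhost type).
SYSLOG_LINES = [
    "<134>1 2016-02-24T11:12:25Z proxy1 squid 2043 - - 1456312345.050  12523 10.1.8.3 "
    "TCP_TUNNEL/200 400 CONNECT www.google.com:443 john HIER_DIRECT/216.58.213.100 -",
    "<134>1 2016-02-24T11:13:20Z proxy1 squid 2043 - - 1456312400.020   110 10.1.8.4 "
    "TCP_MISS/200 400 GET http://cisco.com/ alice HIER_DIRECT/65.12.56.123 text/html",
]

# Structured-data is assumed to be "-" here; real SD elements contain spaces and need a fuller parser.
SYSLOG = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
                    r"(?P<pid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$")
NATIVE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
                    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
                    r"(?P<peer>\S+)\s+(?P<type>\S+)$")


def parse_proxy_syslog(line: str) -> Optional[Dict]:
    """Turn one syslog line into the fields of the slide's proxy record, or None if it is not one."""
    m = SYSLOG.match(line)
    n = NATIVE.match(m.group("msg")) if m else None
    if not n:
        return None
    url = n.group("url")
    if n.group("method") == "CONNECT":            # TLS tunnel: URL field is host:port
        host, _, port = url.rpartition(":")
        dport = int(port)
    else:
        scheme, _, rest = url.partition("://")
        host, _, port = rest.split("/", 1)[0].partition(":")
        dport = int(port) if port else (443 if scheme == "https" else 80)
    return {"ts": float(n.group("ts")), "elapsed_ms": int(n.group("elapsed")),
            "client": n.group("client"), "dst": n.group("peer").split("/", 1)[1],
            "dport": dport, "bytes": int(n.group("bytes")), "url": url, "host": host,
            "user": None if n.group("user") == "-" else n.group("user"),
            "proxy_host": m.group("host")}


def _nearest(flows: List[Dict], ts: float, window_s: float, **match) -> Optional[Dict]:
    """Closest flow in time whose fields equal the given values, within the window."""
    cands = [f for f in flows
             if all(f[k] == v for k, v in match.items()) and abs(f["start"] - ts) <= window_s]
    return min(cands, key=lambda f: abs(f["start"] - ts)) if cands else None


def join_through_proxy(flows: List[Dict], proxy_records: List[Dict],
                       proxy_ip: str = PROXY_IP, window_s: float = 2.0) -> List[Dict]:
    """For each proxy record find the inside flow (client -> proxy) and the outside flow
    (proxy -> destination) that bracket it in time, and emit one continuity record."""
    out = []
    for p in proxy_records:
        inside = _nearest(flows, p["ts"], window_s, src=p["client"], dst=proxy_ip)
        outside = _nearest(flows, p["ts"], window_s, src=proxy_ip, dst=p["dst"], dport=p["dport"])
        out.append({"user": p["user"], "src": p["client"],
                    "sport": inside["sport"] if inside else None,
                    "dst": p["dst"], "dport": p["dport"],
                    "proxy_sport": outside["sport"] if outside else None,
                    "url": p["url"], "bytes": p["bytes"],
                    "continuity": bool(inside and outside)})
    return out


def correlate(lines: List[str] = SYSLOG_LINES, flows: List[Dict] = FLOWS) -> List[Dict]:
    records = [r for r in map(parse_proxy_syslog, lines) if r]
    return join_through_proxy(flows, records)


if __name__ == "__main__":
    for row in correlate():
        print(row)
```

The join is necessarily by time and address rather than by a shared key, which is why the proxy's clock must be synchronised with the exporters' and why a busy proxy with many clients to the same destination needs the tightest window the clock skew allows.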

Page 24:

USE CASES

Page 25:

Network Security

• Interface Status Report

• Investigating Slow Network Performance

• Detecting Policy Violations

• Relationship maps

• Detecting Malware Propagation

• Detect Rogue DNS Traffic

• Detecting Internal Brute Force Attacks

• Alarm Category: Data Hoarding

• Detecting Application Tunneling

Page 26:

PoV

Page 27:

What interests the customer (top cases)

Security criteria

1. Botnet activity on network, including zero-day threats

2. Internal hosts posing the threat

3. Detect active worms on the network

4. Compliance check (host locking configuration, CSE)

5. Identify the IP address of the user (ISE)

6. Audit communications

7. Detect threats inside encrypted traffic

8. Associate traffic with URLs (visibility through proxy)

Network criteria

1. Bandwidth consumption by applications and by host

2. Performance maps (WAN, applications)

3. Unusual traffic spikes in a particular area of the network

4. Exporter interface consumption

5. Server vs. network response time

Page 28:

Procedure

1. Define what data is critical to record: CORE and NGFW at minimum

2. Define size of appliances

3. Define which deployment will be used

   Virtual: KVM, VMware

   Physical: UCS servers

4. Install appliances

5. Configure NetFlow, host groups

6. Policy tuning after 2 weeks

7. Monitor data and analyze reports
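Step 5 in practice, as an added example that is not from the deck: a Flexible NetFlow configuration for an IOS-XE router or switch that exports the kind of record shown on the "Network as Data Source" slide to a Flow Collector. The record names SW-RECORD, SW-EXPORTER and SW-MONITOR, the collector address 10.10.10.5, the Loopback0 source and the interface are assumptions; the timeouts are the short values a security collector wants rather than the platform defaults.

```ios
! Flow record: "match" fields are the key that identifies a flow,
! "collect" fields are reported with it (next hop, TCP flags, counters, application).
flow record SW-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing next-hop address ipv4
 collect transport tcp flags
 collect interface output
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!
! On a TrustSec-capable platform the SGT on the slide is added with
!  match flow cts source group-tag
!  match flow cts destination group-tag
!
! Exporter: send records to the Flow Collector (or to the UDP Director, which copies them on).
! 10.10.10.5 and Loopback0 are assumed values.
flow exporter SW-EXPORTER
 destination 10.10.10.5
 source Loopback0
 transport udp 2055
 template data timeout 30
 option interface-table
 option application-table
!
! Monitor: 60 s active timeout so long-lived flows are reported while still open,
! 15 s inactive timeout so finished flows reach the collector promptly.
flow monitor SW-MONITOR
 record SW-RECORD
 exporter SW-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
!
! Apply in both directions on every interface to be monitored (the deck's minimum: core and NGFW).
interface GigabitEthernet0/0/0
 ip flow monitor SW-MONITOR input
 ip flow monitor SW-MONITOR output
!
! Verify that flows are being cached and exported:
!  show flow monitor SW-MONITOR cache
!  show flow exporter SW-EXPORTER statistics
```

Applying the monitor only in one direction, or only on the uplink, is the usual cause of one-sided conversations on the collector: the stitching described earlier needs both halves, so each monitored interface gets both input and output.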

Page 29:

Stealthwatch TERM Offer - Flow Rate Bundle

ST-FR-BUN (for 3Y & 5Y terms)
ST-FR-1Y-BUN (for 1Y term)

Flow Rate License: L-ST-FR-LIC= (subscriptions for 1/3/5 yr)

Required Software:

• Stealthwatch Management Console: L-ST-SMC-VE-K9 (quantity based on FRL)

• Stealthwatch Flow Collector: L-ST-FC-VE-K9 (quantity based on FRL)

Optional Software:

• Global Threat Analytics Proxy License

• Endpoint License: L-ST-EP-LIC=

• Flow Sensor: L-ST-FS-VE-K9

• UDP Director: L-ST-UDP-VE-K9

• Threat Intelligence: L-ST-TI-LIC=

Optional Hardware w/ fixed SW PID:

• FC Appliance: ST-FC4200-K9, ST-FC5200-K9

• FS Appliance: ST-FS1200-K9, ST-FS2200-K9, ST-FS3200-K9, ST-FS4200-K9

• UDPD Appliance: ST-UDPD2200-K9

• SMC Appliance: ST-SMC2200-K9

Page 30:

Summary

• Using your network as THE 2nd line of defense for enforcement

• You already have the investment

• Agent/endpoint OS agnostic

• No device, IoT or not, can hide from the network itself

• Encrypted traffic is not a blind spot: flow telemetry and Encrypted Traffic Analytics work without decryption