Cisco Stealthwatch gives visibility into the network


Page 1

Cisco Stealthwatch gives visibility into the network

8/10 – 2019

Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified

Consulting Systems Engineer, Cyber Security, Denmark

Page 2

© 2018 Cisco and/or its affiliates. All rights reserved.

Have you been compromised? How and when would you know?

You have already made a lot of investment in network and security … yet threats are getting through.

Page 3

The Solution: Network + Security

Enlist the rest of your network for security

Page 4

Diagram labels: Network, Users, HQ, Data Center, Admin, Branch, Roaming Users, Cloud

• SEE every conversation
• Understand what is NORMAL
• Be alerted to CHANGE
• KNOW every host
• Respond to THREATS quickly

Effective security depends on total visibility

Page 5

Cisco Stealthwatch Enterprise: Scalable visibility and security analytics

Simplified Network Segmentation

Advanced Threat Detection

Accelerated Threat Response

Using existing network infrastructure

Most comprehensive visibility for effective security outcomes

Page 6

Data collection: Rich telemetry from the existing network infrastructure

Security Analytics with Stealthwatch Enterprise:

• Global threat intelligence (powered by Talos): Intelligence of global threat campaigns mapped to local alarms for faster mitigation
• Behavioral modeling: Behavioral analysis of every activity within the network to pinpoint anomalies
• Multilayered machine learning: Combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Encrypted Traffic Analytics: Malware detection without any decryption using enhanced telemetry from the new Cisco devices

Page 7

12 years of research • 70 ML scientists and engineers • 60+ patents & filings • 200+ publications

Cognitive Intelligence: Beyond Machine Learning

Threat Classification • Threat Actor Models • Global Risk Map

Anomaly Detection • Behavioral Analytics • Host Categorization

Billions of network flows per day • Millions of protected devices • 1500+ customers

Agentless Malware Detection • Encrypted Traffic Analytics • Web Proxy as a Sensor

• File-less, memory-only malware: Process and network behavioral analysis
• Behavioral Breach Detection: Detection of infections bypassing the perimeter
• NetFlow & ETA analytics: Behavioral Breach Detection
• Polymorphic & Emerging Threats: Cross-product correlation for malware detection; predicting evolving threat infrastructure

Page 8

Collecting and optimizing telemetry

Page 9

Diagram labels: Routers, Switches, 10.1.8.3, 172.168.134.2, Internet

The network is a valuable data source

What it provides:
• A trace of every conversation in your network
• Collection of records all across the network (routers, switches, firewalls)
• Network usage metrics
• Ability to view north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Flow information derived from the packets (one record):
SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
…
APPLICATION NAME NBAR SECURE-HTTP

Page 10

Enriched with data from other sources

Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters

Telemetry sources (diagram):
• Switch: Nexus switch, Tetration, Data Center, Catalyst, IE, ETA enabled Catalyst
• Web: Web Security Appliance (WSA)
• Router: ISR, CSR, ASR, WLC
• Endpoint: AnyConnect
• Firewall: ASA, FTD, Meraki
• Policy and User Info: Identity Services Engine (ISE)
• Other: Stealthwatch Flow Sensor

Page 11

Contextual Actionable Intelligence

Example of one enriched session record:
Client: 1.1.1.1
Server: 2.2.2.2
Translation: 3.3.3.3
Service: 80/tcp
User: Doug
Application: http
Traffic: 20M
Group: location
Mac: 00:2b:1f
SGT: 10
Encryption (TLS/SSL version): TLS 1.2

Session Data | 100% network accountability

Diagram labels: Visibility, Interface Information, Policy Information, Network Telemetry, User Information, Threat Intelligence, NAT/Proxy, Layer 7, Group/Segment, Encrypted Traffic Analytics, Endpoint, Cloud

Page 12

Industry-leading Security Analytics

Page 13

Anomaly detection using behavioral modeling

Create a baseline of normal behavior

Alarm on anomalies and behavioral changes

Collect and analyze telemetry

Telemetry attributes used for baselining:
• Flows
• Number of concurrent flows
• Time of day
• Bits per second
• Packets per second
• Number of SYNs sent
• New flows created
• Number of SYNs received
• Rate of connection resets
• Duration of the flow

~100 Security Events

Chart: Exchange Servers baseline with threshold; anomaly detected in host behavior

Comprehensive data set optimized to remove redundancies

Security events to detect anomalies and known bad behavior

Alarm categories for high-risk, low-noise alerts for faster response
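Slide 13 describes the approach behind these alarms: baseline a behavioural metric per host, then alarm when the current observation exceeds a threshold derived from that baseline. The Python below is an added example, not Cisco code and not a Stealthwatch implementation: it takes constructed NetFlow-style records with the fields of the slide 9 flow record, builds a per-host baseline of one listed metric ("Number of SYNs sent"), and flags the interval that exceeds it; the host addresses, interval numbers and the k and min_tolerance constants are assumptions.

```python
"""Baseline-and-threshold anomaly detection over NetFlow-style flow records.

Added example, not Cisco code. Records carry the fields of the slide 9 flow
record (addresses, ports, IP protocol, cumulative TCP flags); detection follows
slide 13: baseline one behavioural metric per host, alarm when it is exceeded.
Hosts, addresses, interval numbers and tuning constants are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

TCP_PROTOCOL = 6   # "IP PROTOCOL 6" in the slide's flow record
TCP_SYN = 0x02     # SYN bit in the cumulative TCP FLAGS field (0x1A = SYN|PSH|ACK)


@dataclass(frozen=True)
class FlowRecord:
    interval: int       # observation window the record belongs to
    src_addr: str
    dst_addr: str
    src_port: int
    dst_port: int
    ip_protocol: int
    tcp_flags: int      # OR of every TCP flag the exporter saw in the flow


def syns_sent(flows):
    """Slide 13 metric 'Number of SYNs sent': TCP flows a host initiated, per interval."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.ip_protocol == TCP_PROTOCOL and f.tcp_flags & TCP_SYN:
            counts[f.src_addr][f.interval] += 1
    return counts


def threshold(history, k=3.0, min_tolerance=2.0):
    """Baseline is the mean of past intervals; threshold adds k standard deviations,
    but never less than min_tolerance so a perfectly steady host is not over-alarmed."""
    return mean(history) + max(k * pstdev(history), min_tolerance)


def detect_anomalies(flows, current_interval, k=3.0):
    """Return {host: (status, current_count, threshold)} for hosts needing attention."""
    findings = {}
    for host, per_interval in syns_sent(flows).items():
        history = [per_interval.get(i, 0) for i in range(current_interval)]  # quiet intervals count as 0
        current = per_interval.get(current_interval, 0)
        if not any(history):
            findings[host] = ("new host", current, None)   # first time seen: nothing to baseline against
            continue
        limit = threshold(history, k)
        if current > limit:
            findings[host] = ("anomaly", current, limit)
    return findings


def build_sample_flows():
    """Constructed records only; no real traffic."""
    flows = []
    for interval in range(5):   # intervals 0-4 form the baseline: a few completed HTTPS sessions each
        for host, n in (("10.1.8.3", 4 + interval % 2), ("10.1.8.7", 6)):
            for i in range(n):
                flows.append(FlowRecord(interval, host, "172.168.134.2", 47321 + i, 443, TCP_PROTOCOL, 0x1A))
    for i in range(6):          # interval 5: 10.1.8.7 behaves exactly as before
        flows.append(FlowRecord(5, "10.1.8.7", "172.168.134.2", 47321 + i, 443, TCP_PROTOCOL, 0x1A))
    for i in range(40):         # interval 5: 10.1.8.3 opens 40 unanswered connection attempts (SYN only)
        flows.append(FlowRecord(5, "10.1.8.3", "10.1.9.20", 50000 + i, 1000 + i, TCP_PROTOCOL, 0x02))
    flows.append(FlowRecord(5, "10.1.8.9", "172.168.134.2", 51000, 443, TCP_PROTOCOL, 0x1A))  # never seen before
    return flows


if __name__ == "__main__":
    for host, finding in detect_anomalies(build_sample_flows(), current_interval=5).items():
        print(host, finding)
```

The steady host 10.1.8.7 produces no finding, 10.1.8.3 is reported as an anomaly against its own history, and 10.1.8.9 is reported as a new host rather than alarmed, since a baseline does not yet exist for it.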

Page 14

Logical alarms based on suspicious events

• DDoS Activity: Sending or receiving SYN flood and other types of data floods
• Source or target of malicious behavior: Scanning, excessive network activity such as file copying or transfer, policy violation, etc.
• Reconnaissance: Port scanning for vulnerabilities or running services
• Insider threats: Data hoarding and data exfiltration
• Command and Control: Communication back to an external remote controlling server through malware

Page 15

Encrypted Traffic Analytics

Ensure cryptographic compliance

Detect malware in encrypted traffic

Cisco Stealthwatch Enterprise is the only solution providing visibility and malware detection without decryption

Page 16

Data elements to analyze encrypted traffic

• Initial data packet: Make the most of unencrypted fields (example: Self-Signed Certificate)
• Sequence of packet lengths and times: Identify the content type through the size and timing of packets (example: Data Exfiltration)
• Global Risk Map: Know who's who of the Internet's dark side (example: C2 Message)

Page 17

Identifying malicious encrypted traffic

Packet lengths, arrival times and durations tend to be inherently different for malware than benign traffic

Diagram: model of client-sent and received packet sequences (src to dst) for three sessions: Google Search Page Download, Initiate Command and Control, Exfiltration and Keylogging

Page 18

Accelerated Threat Response

Page 19

Investigation

Page 20

Alarms tied to specific entities

Quick snapshot of malicious activity

Suspicious behavior linked to logical alarms

Risks prioritized to take immediate action

Page 21

Investigating a host

Summary of aggregated host information • Observed communication patterns • Historical alarming behavior

Host Summary (screenshot fields): User Name, Device Name, Device Type, Host Group, Location, Last Active Status, Session Information, Policies; actions: Quarantine, Unquarantine

Flows History: 12/jan 13/jan 14/jan 15/jan 16/jan

Alarms by Type: Data Hoarding, Packet Flood, High Traffic, Data Exfiltration

Traffic by Peer Host Group for 10.201.3.149: Within organization, Outside organization

Page 22

Apply machine learning to investigate threats

Threat propagation details

Malware behavior detected in encrypted traffic

Correlation of global threat behaviors

Threats ranked by overall severity to environment

Page 23

Mitigation

Page 24

Mitigate threats effectively

Quarantine identified threats using the network

An alarm can have an associated response:
• Notify in the alarm table
• Generate an email
• Generate a syslog message to a SIEM

Page 25

Rapid Threat Containment: Without any business disruption

Diagram: Stealthwatch Management Console and Cisco Identity Services Engine, integrated via pxGrid

• Mitigation: Quarantine or Unquarantine infected host
• Context: Information shared with other network and security products

Page 26

Detect and respond to advanced threats

Diagram steps:
• Alarm triggered: Data hoarding and Data Exfiltration
• Additional info determined: What kind of data was transmitted? Where is the data being transmitted?
• User identified; Device identified: Name, Location, MAC address, Last seen, Policies, Host Group
• Forensic investigation conducted
• Threat removed from network

Reduce incident response time from months to hours

Page 27

Simplified Network Segmentation

Page 28

Logical groupings customized to your business

Example groups (diagram): Datacenter, VPN Users, Branch Office, Guest Wireless, Confidential Servers, Employee Desktops

• Identify every asset on the network
• Set policies based on hosts as well as applications
• Model policies before enforcing them

Page 29

Functional Network Segmentation by Groups

• A host group is a grouping of hosts that share attributes and policies
• Host groups are monitored to establish baseline behavior and thresholds
• Alerts are sent when hosts behave outside the group behavior
• 4 ways to segment:
  1. Manual Host Group Creation
  2. APIs using IPAM, IND, Threat Intelligence data
  3. Host Classifier App
  4. Host Group Automation Service

Diagram of groups split into Inside and Outside: Employee, Guest Wireless, DNS Servers, Web Servers, Anti Virus, Internet, Cloud, Printers, Partners

Using Stealthwatch for Network Segmentation and Policy development

Page 30

Host Segmentation Management: Manual Host Group Creation

• Segment Hosts using Functional Groups
• A Host can exist in multiple Host Groups
• A Host cannot be simultaneously Inside and Outside
• Define Groups using individual IPs, Ranges or Blocks of IPs
• Each Group has specific policies

Using Stealthwatch for Network Segmentation and Policy development
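The rules on slides 29 and 30 (groups built from single IPs, ranges or blocks; a host may sit in several groups; no host may be both Inside and Outside; each group carries its own policies) are easy to get wrong by hand, which is why slide 28 says to model policies before enforcing them. The Python below is an added example, not Cisco's or Stealthwatch's code: it models those rules and checks a constructed configuration for an Inside/Outside overlap; the group names, addresses and policy keys are assumptions.

```python
"""Host group modelling for Stealthwatch-style segmentation (added example, not Cisco code).

Encodes the rules on slides 29-30: groups are defined from individual IPs, ranges or
CIDR blocks; a host may belong to several groups; a host may never be both Inside and
Outside; each group carries its own policy settings. All names, addresses and policy
keys below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class HostGroup:
    name: str
    side: str                                       # "Inside" or "Outside" (slide 29's top-level split)
    policies: dict = field(default_factory=dict)    # group-specific policy settings
    networks: list = field(default_factory=list)    # IPv4Network members

    def add_ip(self, ip):
        self.networks.append(ipaddress.ip_network(ip))                  # single host becomes a /32

    def add_block(self, cidr):
        self.networks.append(ipaddress.ip_network(cidr, strict=False))  # CIDR block

    def add_range(self, first, last):
        # a first-last range is stored as the minimal set of CIDR blocks that covers it
        self.networks.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))

    def contains(self, host):
        addr = ipaddress.ip_address(host)
        return any(addr in net for net in self.networks)


def groups_for(host, groups):
    """All groups a host belongs to; membership in several groups is allowed."""
    return [g.name for g in groups if g.contains(host)]


def side_of(host, groups):
    """'Inside', 'Outside' or None; raises if the definitions place the host on both sides."""
    sides = {g.side for g in groups if g.contains(host)}
    if sides == {"Inside", "Outside"}:
        raise ValueError(f"{host} is defined as both Inside and Outside")
    return sides.pop() if sides else None


def conflicting_groups(groups):
    """Configuration check before enforcement: (Inside group, Outside group) pairs whose definitions overlap."""
    inside = [g for g in groups if g.side == "Inside"]
    outside = [g for g in groups if g.side == "Outside"]
    pairs = {(a.name, b.name) for a in inside for b in outside
             if any(x.overlaps(y) for x in a.networks for y in b.networks)}
    return sorted(pairs)


def policies_for(host, groups):
    """Policies that apply to a host, keyed by the group that contributes them."""
    return {g.name: g.policies for g in groups if g.contains(host)}


def build_sample_groups():
    """Constructed configuration, including one deliberately mis-defined Outside block."""
    servers = HostGroup("Confidential Servers", "Inside", {"alarm_on_data_hoarding": True})
    servers.add_range("10.1.8.1", "10.1.8.20")
    dns = HostGroup("DNS Servers", "Inside", {"allowed_services": ["53/udp", "53/tcp"]})
    dns.add_ip("10.1.8.3")                      # also inside the server range: two groups, both Inside
    desktops = HostGroup("Employee Desktops", "Inside", {"alarm_on_data_exfiltration": True})
    desktops.add_block("10.201.0.0/16")
    partners = HostGroup("Partners", "Outside", {"alarm_on_inbound_scan": True})
    partners.add_block("203.0.113.0/24")
    cloud = HostGroup("Cloud", "Outside", {})
    cloud.add_block("10.1.8.0/24")              # mistake: an Outside block covering Inside servers
    return [servers, dns, desktops, partners, cloud]
```

Running conflicting_groups over the sample reports the Cloud block against both server groups, and side_of refuses to classify 10.1.8.3 until the definitions are corrected.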

Page 31

Automated Host Grouping/Segmentation: Host Classifier App

• Predefined Auto Segmentation
• Granular Segmentation Control

Page 32

Automation with Stealthwatch APIs

• Stealthwatch has REST API capabilities available to get, add, modify, and delete host groups.
• These APIs provide an easy programmatic mechanism to maintain host group configurations.
• Sample scripts are provided via DevNet to enable customers to use these API capabilities with success.

Page 33

Host Group Automation Service

A fixed service providing a logical means of categorizing network assets for improved visibility and control:
• Automate host-group updates and management to operate at maximum efficiency for alarm detection
• Optimize Cisco Stealthwatch performance and reduce operational overhead to lower operating costs while reducing errors and innocuous alerts
• Enhance Stealthwatch system performance by automatically managing your specific IP address base

Diagram: On-premises environment (IP address management) feeds Automation, which feeds Stealthwatch

Page 34

Introducing the Network Diagrams App

• Graphical Traffic Flows monitoring

• Investigation focus map

• Network Performance Visualization

• Faster Relationship Policy editing

• Import network maps created from prior Stealthwatch versions

Page 35

Build Maps to Focus on Critical Metrics

• Relationship policy: Relationship Policy creation based on graphical representation
• Triggered Alarms: View a brief of triggered alarms per host group; drill down into alarms triggered per host group
• Network Performance: Visualize Network Performance metrics (RTT, SRT, Packet Rate and Traffic bandwidth)

Page 36

Stealthwatch Enterprise architecture

Comprehensive visibility and security analytics

Components (diagram): Management Console; Flow Collector; Flow Sensor, including Flow Sensor VE on a hypervisor for VM traffic and non-NetFlow enabled equipment; UDP Director; Other Traffic Analysis Software; Security Packet Analyzer (Packet Data & Storage); Proxy Data; ISE (Endpoint License); Threat Intelligence License; Global Threat Analytics / Cognitive Intelligence (Flow Data with ETA fields in, Alerts out); Stealthwatch Cloud

Telemetry: NetFlow from NetFlow enabled routers, switches, firewalls; Telemetry for Encrypted Traffic Analytics

Page 37

Key features

• Visibility everywhere: Analyses enterprise telemetry from any source (NetFlow, IPFIX, sFlow, other Layer 7 protocols) across the extended network
• Encrypted Traffic Analytics: Only product that can analyze encrypted traffic to detect malware and ensure policy compliance without decryption
• Rapid Threat Containment: Quarantine infected hosts easily using the Identity Services Engine (ISE) integration; collect and store network audit trails for deeper forensic investigations
• Unique threat detection: Combination of multi-layer machine learning and behavioral modeling provides the ability to detect inside as well as outside threats
• Smart segmentation: Create logical user groups that make sense for your business; monitor the effectiveness of segmentation policies through contextual alarms

Page 38

How prepared are you for a breach?

Chart over time: Late detection means high impact; Early detection means low impact

1 in 4: Risk of a major breach in the next 24 months

Page 39

Out of the Box Security Assessment

• Security Risk Reporting
• Network Metrics
• Risk Country Monitoring
• Report Generation

Detecting Rogue DNS • Monitoring Remote Access • Detecting Malicious Scanning • Reporting traffic from specific geographies
