Vedran Franjić, System Engineer Sales
Cisco Security Day
Monitor blind spot of your network
Agenda
• Common Network Problem
• Stealthwatch Overview
• Integration
• Use Cases
• PoV
NO VISIBILITY = NO SECURITY
"internal network traffic"
• WHO did this?
• HOW long?
• WHAT was accessed?
• WHEN did it happen?
• WHEN will we know?
[Diagram: Network, Users, HQ, Data Center, Admin]
• SEE every conversation
• KNOW every host
• Understand what is NORMAL
• Be alerted to CHANGE
• Respond to THREATS quickly
Effective security depends on total visibility
Stealthwatch Overview
Network as Data Source
[Diagram: routers and switches exporting flow records for a conversation between 10.1.8.3 and 172.168.134.2 across the Internet]
Collecting data:
• Collect data across almost every device in your network
• Protocols: NetFlow, sFlow, IPFIX, NSEL, SPAN
• Ability to view north-south as well as east-west communication
Flow Information (one flow record, derived from the packets of the flow)
SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
...
APPLICATION NAME      NBAR SECURE-HTTP
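The record above is what a collector reconstructs from an export datagram. The following is an added example, not code from the presentation or from Cisco, that decodes those fields from a NetFlow v5 datagram (the fixed-format export: a 24-byte header followed by up to 30 48-byte records). The datagram is constructed inline to carry the slide's flow; interface numbers, packet and byte counts and timestamps in it are invented for the example. Note that v5 exports SNMP ifIndex numbers, not names such as Gi0/0/0, and that the TCP flags field is the OR of every flag seen during the flow, which is why 0x1A decodes to SYN|PSH|ACK.

```python
import socket
import struct
from dataclasses import dataclass

# NetFlow v5 wire layout (network byte order).
HEADER_FMT = "!HHIIIIBBH"                 # version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
MAX_RECORDS = 30

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class FlowRecord:
    src_addr: str
    dst_addr: str
    next_hop: str
    in_ifindex: int      # v5 carries SNMP ifIndex; the name (Gi0/0/0) comes from a separate lookup
    out_ifindex: int
    packets: int
    octets: int
    first_ms: int        # sys_uptime at the first/last packet of the flow
    last_ms: int
    src_port: int
    dst_port: int
    tcp_flags: int       # OR of all TCP flags seen in the flow: 0x1A = SYN|PSH|ACK
    protocol: int
    tos: int

    def flag_names(self):
        return [name for bit, name in TCP_FLAG_BITS if self.tcp_flags & bit]

    def protocol_name(self):
        return IP_PROTO_NAMES.get(self.protocol, str(self.protocol))


def parse_netflow_v5(datagram: bytes):
    """Return (header dict, [FlowRecord]); raise ValueError instead of trusting a malformed datagram."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the v5 header")
    version, count, uptime, secs, nsecs, seq, etype, eid, sampling = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > MAX_RECORDS or len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    header = {"version": version, "count": count, "sys_uptime_ms": uptime, "unix_secs": secs,
              "flow_sequence": seq, "sampling_interval": sampling & 0x3FFF}   # low 14 bits = interval
    records = []
    for i in range(count):
        fields = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        (src, dst, nh, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = fields
        records.append(FlowRecord(socket.inet_ntoa(src), socket.inet_ntoa(dst), socket.inet_ntoa(nh),
                                  in_if, out_if, pkts, octets, first, last, sport, dport, flags, proto, tos))
    return header, records


def build_v5_datagram(records, uptime_ms=20_000, unix_secs=1456312345, sequence=1):
    """Inverse of the parser; used here only to construct test input."""
    body = b"".join(
        struct.pack(RECORD_FMT, socket.inet_aton(r.src_addr), socket.inet_aton(r.dst_addr), socket.inet_aton(r.next_hop),
                    r.in_ifindex, r.out_ifindex, r.packets, r.octets, r.first_ms, r.last_ms, r.src_port, r.dst_port,
                    0, r.tcp_flags, r.protocol, r.tos, 0, 0, 24, 24, 0)
        for r in records)
    header = struct.pack(HEADER_FMT, 5, len(records), uptime_ms, unix_secs, 0, sequence, 0, 0, 0)
    return header + body


# Constructed record matching the slide: 10.1.8.3:47321 -> 172.168.134.2:443, next hop 172.168.25.1, flags 0x1A.
SAMPLE_RECORD = FlowRecord("10.1.8.3", "172.168.134.2", "172.168.25.1", 1, 2, 12, 4321, 15_000, 15_650, 47321, 443, 0x1A, 6, 0x00)
SAMPLE_DATAGRAM = build_v5_datagram([SAMPLE_RECORD])


def describe(record: FlowRecord) -> str:
    return (f"{record.src_addr}:{record.src_port} -> {record.dst_addr}:{record.dst_port} "
            f"{record.protocol_name()} flags={'|'.join(record.flag_names())} tos=0x{record.tos:02x} "
            f"nexthop={record.next_hop} in_if={record.in_ifindex} pkts={record.packets} bytes={record.octets}")


if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(SAMPLE_DATAGRAM)
    print(hdr)
    for r in recs:
        print(describe(r))
```

The length checks matter in practice: a collector listens on an unauthenticated UDP port, so anything on the network can send it datagrams, and a count field that disagrees with the payload length must be rejected rather than read past the buffer.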
Exporters of telemetry in the network
[Diagram: Distribution/Core Switch, Access Switch, Endpoint Agent, Firewall, Proxy, Identity, AD & DNS, Talos Global Intelligence]
Isolated knowledge based on function and location
Cisco Stealthwatch is a collector and aggregator of network telemetry for the purposes of security analysis and monitoring.
Scaling and optimization: deduplication
[Diagram: Routers A, B and C on the path between 10.2.2.2:1024 and 10.1.1.1:80 each export the same flow]
Deduplication
• Avoid false positives and misreported traffic volume
• Enable efficient storage of telemetry data
• Necessary for accurate host-level reporting
• No data is discarded
Duplicates as received by the Flow Collector:
Router A: 10.1.1.1:80 - 10.2.2.2:1024
Router B: 10.2.2.2:1024 - 10.1.1.1:80
Router C: 10.2.2.2:1024 - 10.1.1.1:80
Scaling and optimization: stitching
Unidirectional telemetry records:
Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bidirectional telemetry record (conversation record):
Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Easy visualization and analysis
Conversational Flow Record: Who, What, When, How, Where
• Stitched and de-duplicated
• Conversational representation
• Highly scalable data collection and compression
• Months of data retention
More context
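As an added example (not Stealthwatch code, not from the presentation), the deduplication and stitching steps of the two slides above, run over constructed unidirectional records that mirror the slide's 10.2.2.2:1024 to 10.1.1.1:80 conversation as exported by three routers. The one-second deduplication window, the well-known-port heuristic for orienting a conversation whose reply is seen before its request, and all sample data are assumptions made for the example; start times are seconds since midnight (10:20:12.221 is 37212.221).

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UniFlow:           # one unidirectional record as an exporter sends it
    exporter: str
    interface: str
    start: float
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    bytes: int


@dataclass
class Conversation:      # the bidirectional record the collector stores
    start: float
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    exporters: list = field(default_factory=list)
    interfaces: list = field(default_factory=list)


DEDUP_WINDOW_S = 1.0   # assumption: same 5-tuple and direction from another exporter within 1 s is the same flow


def deduplicate(flows):
    """Collapse copies of one unidirectional flow reported by several exporters or interfaces.
    Counters are taken once (max, never summed); the exporters and interfaces that saw the flow are kept."""
    seen = {}      # 5-tuple -> merged entries for that key
    merged = []    # merged entries in start-time order
    for f in sorted(flows, key=lambda x: x.start):
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto)
        for entry in seen.setdefault(key, []):
            if abs(entry["start"] - f.start) <= DEDUP_WINDOW_S:
                entry["exporters"].append(f.exporter)
                entry["interfaces"].append(f.interface)
                entry["pkts"] = max(entry["pkts"], f.pkts)
                entry["bytes"] = max(entry["bytes"], f.bytes)
                break
        else:
            entry = {"flow": f, "start": f.start, "pkts": f.pkts, "bytes": f.bytes,
                     "exporters": [f.exporter], "interfaces": [f.interface]}
            seen[key].append(entry)
            merged.append(entry)
    return merged


def stitch(merged):
    """Pair the two directions of each flow into one conversation record."""
    convs = {}
    for entry in merged:
        f = entry["flow"]
        as_client = (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto)
        as_server = (f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto)
        if as_client in convs:
            conv, side = convs[as_client], "client"
        elif as_server in convs:
            conv, side = convs[as_server], "server"
        else:
            # First record of a new conversation. The earliest-seen direction is normally the client;
            # if it uses a well-known port and the peer an ephemeral one, the collector most likely
            # joined mid-conversation, so orient by port instead (heuristic, assumption of this example).
            if f.src_port < 1024 <= f.dst_port:
                conv, side = Conversation(entry["start"], f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto), "server"
            else:
                conv, side = Conversation(entry["start"], f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto), "client"
            convs[(conv.client_ip, conv.client_port, conv.server_ip, conv.server_port, conv.proto)] = conv
        if side == "client":
            conv.client_bytes += entry["bytes"]
            conv.client_pkts += entry["pkts"]
        else:
            conv.server_bytes += entry["bytes"]
            conv.server_pkts += entry["pkts"]
        conv.start = min(conv.start, entry["start"])
        for e in entry["exporters"]:
            if e not in conv.exporters:
                conv.exporters.append(e)
        for i in entry["interfaces"]:
            if i not in conv.interfaces:
                conv.interfaces.append(i)
    return list(convs.values())


SAMPLE = [   # constructed input
    UniFlow("RouterA", "eth0/1", 37212.221, "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("RouterB", "eth0/1", 37212.230, "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("RouterC", "eth0/1", 37212.240, "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("RouterA", "eth0/2", 37212.871, "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    UniFlow("RouterB", "eth0/2", 37212.880, "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    # reply seen before its request (collector started mid-conversation): must still be oriented correctly
    UniFlow("RouterA", "eth0/2", 37300.000, "10.1.1.1", 443, "10.9.9.9", 50000, "TCP", 9, 7000),
    UniFlow("RouterA", "eth0/1", 37300.300, "10.9.9.9", 50000, "10.1.1.1", 443, "TCP", 4, 600),
]


def naive_bytes(flows):
    """What the traffic volume looks like if duplicates are simply summed."""
    return sum(f.bytes for f in flows)


def conversations(flows):
    return stitch(deduplicate(flows))
```

Summing the raw records in SAMPLE reports 67,024 bytes for what is really one 29,737-byte conversation plus a small second one, which is the misreported traffic volume the slide warns about.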
Architecture
Stealthwatch provides the security visibility you need
Stealthwatch Enterprise
• On-premises virtual or hardware appliance
• Enterprise (on-premises) network monitoring
• Suitable for enterprises & large businesses
Stealthwatch Cloud (Software as a Service)
• Private network monitoring: on-premises network monitoring, suitable for SMBs & commercial businesses
• Public cloud monitoring: suitable for enterprises & commercial businesses using public cloud services
Stealthwatch Enterprise System Components
UDP Director
• UDP packet copier
• Forward to multiple destinations
• High availability
Stealthwatch Flow Sensor
• Generate NetFlow from SPAN
• SRT/RTT
• DPI/NBAR/payload
Stealthwatch Flow Collector
• Collect and analyze (2 LE)
• Store flow information
• Send statistics to the SMC
Stealthwatch Management Console (SMC)
• Management and reporting
• Statistical view
• Top alarms, top hosts, top applications
Endpoint Concentrator
• Collect AnyConnect NVM flow data and forward it to the Flow Collector
Cognitive Analytics / Stealthwatch Cloud
• Cloud-hosted analytics
• Global Risk Map
Threat Intelligence License
• Malicious IPs
• Malicious URLs
• Malicious processes
Stealthwatch Learning Engines
Cognitive Analytics
• Cloud hosted
• Multi-layer machine learning
• Anomaly detection through statistical learning
• Encrypted Traffic Analytics
• Malware classification
Stealthwatch Cloud
• SaaS delivered
• Behavioural analysis
• Anomaly detection through statistical learning
• Role classification
Stealthwatch Enterprise
• Behavioural analysis
• Anomaly detection through statistical learning
Stealthwatch Enterprise
Logical alarms based on suspicious events
DDoS Activity: sending or receiving SYN floods and other types of data floods
Source or target of malicious behavior: scanning, excessive network activity such as file copying or transfer, policy violations, etc.
Reconnaissance: port scanning for vulnerabilities or running services
Insider threats: data hoarding and data exfiltration
Command and Control: communication back to an external remote controlling server through malware
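As an added example (not Stealthwatch's detection logic, not from the presentation), three of the alarm categories above written as rules over stitched conversation records: reconnaissance (one source probing many ports on one host), DDoS activity (SYN-only conversations piling up against one server) and data hoarding (a host pulling far more from internal servers than its own daily baseline, which is the "understand what is normal, be alerted to change" idea made concrete). The thresholds, the internal address prefix, the baseline formula and every record and history value are constructed assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_PREFIXES = ("10.",)    # assumption for the example
SCAN_PORT_THRESHOLD = 20        # distinct ports probed on one target by one source
SYN_FLOOD_THRESHOLD = 100       # SYN-only conversations toward one server
HOARD_SIGMA = 3.0               # how far above its own baseline a host may go
BASELINE_MIN_DAYS = 7           # do not alarm before a baseline exists


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def detect_reconnaissance(convs):
    """One source touching many ports on one host, each conversation only a packet or two each way."""
    probed = defaultdict(set)
    for c in convs:
        if c["client_pkts"] <= 2 and c["server_pkts"] <= 1:
            probed[(c["client_ip"], c["server_ip"])].add(c["server_port"])
    return [{"alarm": "Reconnaissance", "source": s, "target": t, "ports": len(p)}
            for (s, t), p in sorted(probed.items()) if len(p) >= SCAN_PORT_THRESHOLD]


def detect_syn_flood(convs):
    """DDoS activity: many conversations to one server where only a SYN was seen and the server never answered."""
    half_open = defaultdict(int)
    for c in convs:
        if c["proto"] == "TCP" and c["flags"] == 0x02 and c["server_pkts"] == 0:
            half_open[c["server_ip"]] += 1
    return [{"alarm": "DDoS Activity", "target": t, "half_open": n}
            for t, n in sorted(half_open.items()) if n >= SYN_FLOOD_THRESHOLD]


def bytes_pulled_from_internal_servers(convs):
    """Per client, bytes received from internal servers: the quantity the hoarding baseline is built on."""
    per_host = defaultdict(int)
    for c in convs:
        if is_internal(c["client_ip"]) and is_internal(c["server_ip"]):
            per_host[c["client_ip"]] += c["server_bytes"]
    return dict(per_host)


def detect_data_hoarding(history, today):
    """Insider threat: a host pulling far more from internal servers than its own daily baseline.
    history: {host: [bytes on each previous day]}, today: {host: bytes so far today}."""
    alarms = []
    for host, total in sorted(today.items()):
        past = history.get(host, [])
        if len(past) < BASELINE_MIN_DAYS:
            continue
        mu, sigma = mean(past), pstdev(past)
        limit = mu + HOARD_SIGMA * max(sigma, 0.05 * mu)   # floor sigma so a flat baseline keeps a margin
        if total > limit:
            alarms.append({"alarm": "Data Hoarding", "host": host, "bytes": total, "limit": round(limit)})
    return alarms


def constructed_conversations():
    """Synthetic day of traffic: a port scan, a SYN flood, one hoarding host and one ordinary host."""
    convs = []

    def conv(cip, cport, sip, sport, proto, flags, cb, cp, sb, sp):
        convs.append({"client_ip": cip, "client_port": cport, "server_ip": sip, "server_port": sport,
                      "proto": proto, "flags": flags, "client_bytes": cb, "client_pkts": cp,
                      "server_bytes": sb, "server_pkts": sp})

    for port in range(1, 26):          # 10.1.8.3 probes 25 ports on 10.2.2.2; odd ports answer with a RST
        answered = port % 2 == 1
        conv("10.1.8.3", 40000 + port, "10.2.2.2", port, "TCP", 0x06 if answered else 0x02,
             60, 1, 40 if answered else 0, 1 if answered else 0)
    for i in range(120):               # SYN flood from many external sources against 10.3.3.3:443
        conv(f"198.51.100.{i % 250 + 1}", 10000 + i, "10.3.3.3", 443, "TCP", 0x02, 60, 1, 0, 0)
    conv("10.1.8.3", 50001, "10.2.2.20", 445, "TCP", 0x1A, 2_000_000, 20_000, 5_000_000_000, 3_600_000)  # bulk pull from the file server
    conv("10.1.8.4", 50002, "10.2.2.20", 445, "TCP", 0x1A, 20_000, 200, 210_000_000, 150_000)            # an ordinary day
    return convs


HISTORY = {   # 14 days of bytes pulled from internal servers per host (constructed)
    "10.1.8.3": [200_000_000 + (d % 3) * 10_000_000 for d in range(14)],
    "10.1.8.4": [205_000_000 + (d % 4) * 5_000_000 for d in range(14)],
}


def run_all(convs=None, history=HISTORY):
    convs = constructed_conversations() if convs is None else convs
    return (detect_reconnaissance(convs) + detect_syn_flood(convs)
            + detect_data_hoarding(history, bytes_pulled_from_internal_servers(convs)))
```

Two design points carry over to a real deployment: the hoarding rule is per host, relative to that host's own history, rather than a global byte threshold, and it stays silent until enough days of baseline exist, which is the reason the PoV procedure later in this deck only tunes policy after two weeks of data.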
Integration
Enriched with data from other sources
Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters
Data Center: Nexus switch, Tetration
Switch: Catalyst, ETA-enabled Catalyst
Web: web proxy
Router: ISR, CSR, ASR, WLC
Endpoint: AnyConnect NVM
Firewall: ASA, FTD, Meraki
Policy and user info: Identity Services Engine (ISE)
Other: Flow Sensor, SIEM
[Diagram: switch, router, firewall, server, user, Cisco Identity Services Engine, WAN, device]
ISE as a Telemetry Source
Cisco ISE authenticated session table
• IP to USER mapping
• USER generating malicious behaviour
[Diagram: ISE and the SMC exchange context and mitigation over pxGrid]
Rapid Threat Containment (pxGrid mitigation)
• Quarantine or unquarantine an infected host
Proxy Effect on Flow
Flow record seen on the client side of the proxy:
SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
...
APPLICATION NAME      NBAR SECURE-HTTP
Flow record seen on the Internet side of the proxy:
SOURCE ADDRESS        172.168.134.2
DESTINATION ADDRESS   216.58.213.100
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
...
APPLICATION NAME      NBAR SECURE-HTTP
Problems
• No NetFlow capabilities (the proxy itself exports no flow records)
• Disconnected information: the client-side and Internet-side flows cannot be tied together
[Diagram: user 10.1.8.3 - routers/switches - proxy 172.168.134.2 - Internet]
Stealthwatch Proxy Ingestion
Proxy syslog record (sent to the Flow Collector on UDP 514):
TIMESTAMP         1456312345
ELAPSED TIME      12523
SOURCE IP         192.168.2.100
SOURCE PORT       4567
DESTINATION IP    65.12.56.123
DESTINATION PORT  80
BYTES             400
URL               http://cisco.com
USERNAME          john
Proxy ingestion provides
• HTTP traffic visibility
• Analysis continuity
• User information
Multi-vendor proxy support
• Cisco WSA
• Blue Coat proxy
• Squid
• McAfee Web Gateway
[Diagram: proxy -> Flow Collector (UDP 514); Flow Collector -> Management Console, ISE, Threat Feed License, Cognitive Analytics]
Proxy visibility: source IP/port, destination IP/port, URL, username
USE CASES
Network Security
• Interface Status Report
• Investigating Slow Network Performance
• Detecting Policy Violations
• Relationship maps
• Detecting Malware Propagation
• Detect Rogue DNS Traffic
• Detecting Internal Brute Force Attacks
• Alarm Category: Data Hoarding
• Detecting Application Tunneling
PoV
What interests the customer (top cases)
Security criteria
1. Botnet activity on the network, including zero-day threats
2. Internal hosts posing a threat
3. Detect active worms on the network
4. Compliance check (host locking configuration, CSE)
5. Identify the IP address of the user (ISE)
6. Audit communications
7. Detect threats inside encrypted traffic
8. Associate traffic with URLs (visibility through the proxy)
Network criteria
1. Bandwidth consumption by application and by host
2. Performance maps (WAN, applications)
3. Unusual traffic spikes in a particular area of the network
4. Exporter interface consumption
5. Server vs. network response time
Procedure
1. Define what data is critical to record (CORE and NGFW at minimum)
2. Define the size of the appliances
3. Define which deployment will be used
   Virtual: KVM, VMware
   Physical: UCS servers
4. Install appliances
5. Configure NetFlow and host groups
6. Policy tuning after 2 weeks
7. Monitor data and analyze reports
Stealthwatch TERM Offer - Flow Rate Bundle
ST-FR-BUN (for 3Y & 5Y terms)
ST-FR-1Y-BUN (for 1Y term)
Required software:
• Flow Rate License: L-ST-FR-LIC= (subscriptions for 1/3/5 yr)
• Stealthwatch Management Console: L-ST-SMC-VE-K9 (quantity based on FRL)
• Stealthwatch Flow Collector: L-ST-FC-VE-K9 (quantity based on FRL)
Optional software:
• Global Threat Analytics Proxy License
• Endpoint License: L-ST-EP-LIC=
• Flow Sensor: L-ST-FS-VE-K9
• UDP Director: L-ST-UDP-VE-K9
• Threat Intelligence: L-ST-TI-LIC=
Optional hardware w/ fixed SW PID:
• FC appliance: ST-FC4200-K9, ST-FC5200-K9
• FS appliance: ST-FS1200-K9, ST-FS2200-K9, ST-FS3200-K9, ST-FS4200-K9
• UDPD appliance: ST-UDPD2200-K9
• SMC appliance: ST-SMC2200-K9
Summary
• Using your network as THE 2nd line of defense for enforcement
• You already have the investment
• Agent/endpoint OS agnostic
• No device, IoT or not, can hide from the network itself
• Encrypted traffic a non-issue