
Page 1: Cisco Stealthwatch 7.0 v1 - Instant Demo · 2019-08-29 · Stealthwatch is uniquely suited to validating the results of your security investment by providing full disclosure of what

Instant Demo Guide Cisco dCloud

© 2019 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 31

Cisco Stealthwatch 7.0 v1 - Instant Demo

Last Updated: 29-August-2019

About This Instant Demo

This guide for the preconfigured demonstration includes:

About This Instant Demo

Requirements

About This Solution

Scenario 1. Real-time Risk

Scenario 2. Policy Validation

Scenario 3. Data Theft Forensics

Scenario 4. Cognitive Analytics Integration

Scenario 5. ETA Cryptographic Assurance

What’s Next?

Requirements

The table below outlines the requirements for this preconfigured demonstration.

Required: Laptop

Optional: Cisco AnyConnect®

About This Solution

The Stealthwatch System provides enhanced visibility into advanced threats by identifying suspicious patterns of traffic within an enterprise network. These suspicious patterns are supplemented with contextual information from other devices to improve the overall analytics and establish specific threat levels associated with an activity. The solution delivers the following capabilities:

• Discover and mitigate advanced threats more quickly and before sensitive information is lost or critical business operations are disrupted.

• Gain network-wide visibility by turning the entire network into a sensor.

• Detect advanced malware propagation across the network.

• Build on your existing network infrastructure investments for advanced threat detection and response.

• Provide end-to-end visibility on traffic passing through network devices.

• Store traffic flows for both suspicious and normal traffic for long periods, for investigation and analysis.

• Allow encrypted traffic analysis, both for compliance and for detecting the encrypted communications of malware.

Stealthwatch helps customers preserve revenue generation by protecting operations, save money by avoiding loss and exposure, and lower the risk associated with a Digital Enterprise.

The key components of the solution are:

• Aggregation and analysis of Netflow telemetry and other data to detect threats and anomalous behavior, provided by the Stealthwatch System.

• Network-wide security telemetry, provided by Netflow export from Cisco Catalyst® switches, Cisco routers, Cisco ASA 5500 Series Adaptive Security Appliances (ASA), and Cisco Netflow Generation Appliances.

• Identity context for users and devices, including authentication, posture validation, and device profiling, provided by the Cisco Identity Services Engine (ISE).

Scenario 1. Real-time Risk

Value Proposition: An overview of the Stealthwatch Dashboard can be used to gain a view of the real-time threat environment within a customer’s network. If a customer’s primary concern is answering the question “What threats exist in my network right now?”, this is the place to start. Traditionally, network security has relied on perimeter devices. One limitation of that method is the lack of insight into what is happening throughout the network. By enabling Netflow across all devices in the network and sending that information to the Stealthwatch system, we gain network-wide threat visibility and turn the entire network into a security sensor.

Challenge - Focus on Risk

• Secure perimeter does not mean secure network as insider threats remain invisible to perimeter security

Benefits - Focus on Lower Risk

• Enable the entire network to gain real time visibility into security threats and anomalous behavior across the environment

Steps

NOTE: When we first log in to the system, we are presented with a dashboard showing our current threat environment.

1. In the User Name field, enter amdemo1 and in the Password field, enter C1sco12345, and then click Sign In.

2. View the Alarming Host widget across the top of the Dashboard to see the current security events.

NOTE: Events are generated when policies, anomalies, attacks, exploitations or other security related violations are detected.

NOTE: The trend numbers within the categories will change and refresh on a regular basis. This is normal behavior and reflects the real-time data collection within the Stealthwatch Demo System.

3. Here is a breakdown of alarm categories:

• Concern Index – Hosts behaving as bad actors in the network.

• Target Index – Hosts that are the target or recipient of scans or other malicious attacks.

• Recon – Indicates the presence of unauthorized and potentially malicious TCP or UDP scans being run against hosts inside the network. These scans, referred to as reconnaissance, are early indicators of attacks against your network, and they may come from inside or outside your network.

• C&C – Indicates the existence of bot-infected servers or hosts in your network attempting to contact a C&C Server.

• Exploitation – Tracks direct attempts by hosts to compromise each other, such as through worm propagation and brute force password cracking.

• DDoS Source – Host acting as a denial of service source.

• DDoS Target – Host acting as denial of service target.

• Data Hoarding – A host that is downloading an unusually large volume of data from one or more hosts inside the network (east-west).

• Exfiltration – Tracks inside and outside hosts to which an abnormal amount of data has been transferred (south-north).

• Policy Violation – Any violation of a rule(s) within a policy.

• Anomaly – Tracks events that indicate that hosts are behaving abnormally or generating traffic that is unusual, but is not consistent with another category of activity.

4. The information presented above is great for gaining insight into what is happening now. If we look at the various dashboards below the current alarms, we can see threats over time.

5. In the Alarms by Type widget, view a breakdown of all the alarms by type and frequency over the last week.

6. In the Today’s Alarms widget, view a snapshot of all the alarms that have fired since the last archive hour.

7. In the Top Application widget, view the top applications over the last 24 hours.

8. In the Flow Collection Trend widget, view the total amount of flow data through the network for the last 48 hours. This is useful to visually inspect the normal baseline trend in flow volume and provides immediate visual indications of abnormal behavior.

Summary

Most organizations invest in a perimeter-based approach to network security. While effective at the perimeter, security does not end at the network boundary. The Stealthwatch System translates the information provided by Netflow into actionable intelligence, allowing security teams to detect even the stealthiest attackers. From real-time current threats to the daily and weekly summaries, Stealthwatch gives customers immediate access to data, resulting in lower risk.

Scenario 2. Policy Validation

Value Proposition: This scenario uses the comprehensive Flow Query tool to manually validate network segmentation between host device communities. If a customer is concerned with keeping business units, manufacturing devices, IOT sensors, medical devices, etc. secured and separated from other organizations and devices, this demo can be used to demonstrate the effectiveness of those segmentation efforts. What methods do you have to quickly discern the effectiveness of your security efforts?

When we think of security at the network level, we immediately call to mind firewalls, access control lists, and other complex, static methods of security enforcement. Alternative techniques for separating traffic or secluding host communities often rely on even more complexity, such as VRFs. Agility becomes a challenge with these static methods. Costs increase as we add more devices into the network for security enforcement or complexity increases in trying to maintain a consistent, network wide policy. While these challenges are in themselves barriers to success, perhaps an even bigger challenge is in validation and ongoing knowledge of whether these efforts are working or effective at achieving the intended goal.

Stealthwatch is uniquely suited to validating the results of your security investment by providing full disclosure of what is happening in the network before and after deploying security measures.

For many customers, segmentation or separation is a critical element to their security framework. For manufacturing, IP enabled robotics or plant systems need to be segmented from the general office worker systems. In healthcare, medical devices remain separate and independent from other parts of the network. In many cases, it is difficult and time consuming to verify device level segmentation. Even then, it is impossible to know if fully automated endpoints are only able to communicate with other automated endpoints. Full, ongoing visibility is the only means of verifying your security efforts are functioning as intended.

Validation can be automated via policy creation for long-term use, but for this demonstration we will do a manual verification to provide an idea of how Stealthwatch can be used to validate your security measures. This manual example can be automated, modified or adapted to provide ongoing verification.

Challenge - Focus on Risk

• No automated mechanism for validating the application of security policy

Benefits - Focus on Lower Risk

• Enable the entire network to gain real time visibility into security threats and anomalous behavior across the environment

Steps

1. In the top navigation section, navigate to Analyze > Flow Search.

2. In the Time Range drop down, select Last 7 Days, so we can view any flows that have happened in the last 7 days. Since we do not know when, or if a conversation has happened, we want to cast a wide net to see if our security measures are working as we expect.

3. For the next part of our query, in the left-hand pane where the Search Subject is listed, we narrow the search down to devices in the Machines host group. Our focus in this demo is to ensure that our automation hosts in the Machines group are only talking to the ControlSystems group.

• We need to do a little drill-down here. Stealthwatch can organize hosts in a hierarchical fashion, so we will click on the Host Groups button. Inside Hosts is the default setting, but we will narrow this down to the ControlSystems hosts. This group of hosts has been defined by IP address in the Stealthwatch Management Console application as part of this demo.

• Our goal is to identify any traffic that may have reached the Machines hosts from anything other than the ControlSystems hosts. The easiest way to do this is to look for all flow data to our Search hosts (the Machines group), excluding anything from the ControlSystems group.

4. In the Subject and Peer sections, click Select, click Inside Hosts, click Machines, and then click Apply.

NOTE: In the Peer section, repeat the steps above.

5. Now we will exclude any ControlSystems group flow data from our query. In the Subject and Peer sections, click Select, click Exclude, click ControlSystems, and then click Apply.

NOTE: In the Peer section, repeat the steps above.

NOTE: Now that we have defined which devices we want to see conversations between (our Machines group and anything outside of that group), we need to specify what type of traffic we are looking for. In our case, we are looking for any flows (traffic) between Machines and anything other than ControlSystems, so it is unnecessary to narrow down our search definition any further.

6. To run the Flow Search query, click Search.

NOTE: It will take a few moments for the query to run. The system is processing every flow record generated within the network for the last week. The more flow data that exists, the longer the query will take. What is truly amazing is how fast this is given the workload underway. In just a few moments, the system is processing thousands or possibly millions of flow records.

Summary

If our network policies are functioning correctly, we should see no flow records when the query completes. If any flow records were returned by this query, we would know that the customer's changes to their environment (a firewall, segmentation, an ACL, etc.) were faulty, because the Machines group should not be sending or receiving traffic flows with any hosts other than the ControlSystems group.

All companies want some reassurance of security and that their security efforts are making a difference. How many companies can say they have real-time, pervasive visibility into the effectiveness of those efforts? Have the investments, both in money and effort, made a positive impact in securing the infrastructure? Stealthwatch provides ongoing, visible and demonstrable evidence and feedback on the measures undertaken to secure the Digital Enterprise.

This flow query identifies unwanted traffic and can be transformed to an automated detection mechanism using Custom Security Events capability in Stealthwatch, which provides the ability to detect these traffic violations automatically without having to repeatedly search for such traffic. The automated detection will trigger a policy violation alarm that can be associated with a response action.
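The Flow Search built in steps 1 to 6 and the Custom Security Event that automates it, reproduced offline as an added example (this is not Cisco's code, and the host-group CIDRs, flow field names and sample flows are constructed for the example; only the group names and the 7-day window come from the guide):

```python
"""Segmentation validation over NetFlow-style records (added example).

A flow is a violation when one side is in the Machines group and the
other side is NOT in ControlSystems, within the last 7 days. That is the
Subject = Machines, Peer = Exclude ControlSystems query from Scenario 2.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed host-group definitions (assumed for this example; in the
# SMC the groups are defined by IP address in the Management Console).
HOST_GROUPS = {
    "Machines": [ip_network("10.50.1.0/24")],
    "ControlSystems": [ip_network("10.50.2.0/24")],
    "EndUserDevices": [ip_network("10.201.0.0/16")],
}


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    dst: str
    dst_port: int
    proto: str
    octets: int


def in_group(ip: str, group: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in HOST_GROUPS[group])


def group_of(ip: str) -> str:
    """First matching host group, or 'Outside Hosts' if the IP is in none."""
    for name in HOST_GROUPS:
        if in_group(ip, name):
            return name
    return "Outside Hosts"


def segmentation_violations(flows, now, days=7):
    """Return (flow, machines_host, peer_ip) for every flow in the window
    where a Machines host exchanged traffic with a non-ControlSystems peer.
    Machines-to-Machines flows are flagged too: the policy is that these
    hosts talk ONLY to ControlSystems."""
    cutoff = now - timedelta(days=days)
    hits = []
    for f in flows:
        if f.start < cutoff:
            continue
        for subject, peer in ((f.src, f.dst), (f.dst, f.src)):
            if in_group(subject, "Machines") and not in_group(peer, "ControlSystems"):
                hits.append((f, subject, peer))
                break  # count each flow once
    return hits


def summarize(hits):
    """What a Custom Security Event would alarm on: per Machines host and
    peer group, the number of violating flows and total bytes."""
    out = {}
    for f, subject, peer in hits:
        key = (subject, group_of(peer))
        count, octets = out.get(key, (0, 0))
        out[key] = (count + 1, octets + f.octets)
    return out


# Constructed sample flows; NOW is fixed so the example is deterministic.
NOW = datetime(2019, 8, 29, 12, 0, tzinfo=timezone.utc)
SAMPLE_FLOWS = [
    # Expected: robot -> PLC on Modbus, inside policy.
    Flow(NOW - timedelta(hours=2), "10.50.1.10", "10.50.2.5", 502, "tcp", 4096),
    # Violation: an end-user device reached a robot over SSH.
    Flow(NOW - timedelta(days=1), "10.201.3.149", "10.50.1.10", 22, "tcp", 120000),
    # Violation: a robot talked to an outside host on 443/tcp.
    Flow(NOW - timedelta(days=3), "10.50.1.12", "203.0.113.7", 443, "tcp", 9000000),
    # Outside the 7-day window: ignored by the query.
    Flow(NOW - timedelta(days=9), "10.50.1.12", "203.0.113.7", 443, "tcp", 100),
    # Unrelated: two end-user devices.
    Flow(NOW - timedelta(hours=1), "10.201.3.1", "10.201.3.2", 445, "tcp", 500),
]

if __name__ == "__main__":
    for (host, peer_group), (n, octets) in summarize(
            segmentation_violations(SAMPLE_FLOWS, NOW)).items():
        print(f"Policy Violation: {host} <-> {peer_group}: {n} flows, {octets} bytes")
```

An empty result from segmentation_violations is the "no flow records" outcome the summary describes; any hit is the evidence that the segmentation measure is not holding.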

Scenario 3. Data Theft Forensics

Value Proposition: Unfortunately, data theft happens daily. Where in the past attackers were primarily focused on disrupting services, today’s security breaches are focused on theft. Stealthwatch works across the attack continuum, providing early behavioral insight to detect attacks and security breaches early in their reconnaissance cycle, identification of attacks in progress, and post-incident forensics. In fact, when Stealthwatch is coupled with ISE, incident response goes from guesswork to context-aware, user-centric analysis.

This scenario covers network forensics and investigation into suspected theft of confidential or critical data. When customers are concerned that confidential information and data integrity are maintained, this demo is effective in showing how Stealthwatch can be used to track down data breaches. If a data breach were to occur, how quickly would you be able to identify when it happened, what device was used, who was on the device, where it happened and the methodology?

Not all threats are easily detected or based on malicious traffic. Social engineering coupled with valid traffic types can still result in lost revenue or damaged credibility. The integrity of sensitive data such as partner or supplier information can easily be intentionally or unintentionally exposed to a third party. What part can Stealthwatch play in assisting with network forensics?

Let us say there is a rumor circulating that partner data or some other sensitive information is being sent off-site. At this point, it is just a suspicion, but it needs to be investigated.

Challenge - Focus on Risk

• No simple way to gather data during a security incident

Benefits - Focus on Lower Risk

• Full audit trail of all network transactions for detecting anomalous traffic and performing more effective forensic investigations

Steps

1. Start at the Navigation Pane and click on Monitor > Hosts.

2. What we see now is the hosts view. This is a complete listing of all internal hosts, sorted by alarm severity. The severity level is determined by a composite rating across the event categories tracked by Stealthwatch.

3. We also see details of when the host first came on the network, when it was last seen on the network, and the categories of events generated or identified as associated with the host. The color-coding assists in quickly assessing whether an event requires immediate attention or intervention.

4. In the Filter Results By: section, select Exfiltration.

NOTE: What we are looking for is a data theft or exfiltration. Since we do not know when it happened, remember we are investigating a rumor, we will scan down the left-hand side and see a list of the individual alarm types that are supported. We can see that there are exfiltration alarms that have been triggered within the last 24 hours. We may have more than just a rumor.

5. Let us see what information we can get from Stealthwatch regarding this exfiltration alarm.

6. We can see that host 10.210.7.38 was one possible host that triggered the alarm.

NOTE: The demo environment is using pre-recorded Netflow data from a live customer environment. The data is replayed, with slight variation, every 24 hours. This may result in one, or more hosts generating the Exfiltration alarm. Host 10.210.7.38 is expected.

7. In this demonstration, we will focus on 10.210.7.38; however, in a live network it would be prudent to recommend that all alarms be investigated.

8. Right now, we have a suspicion and confirmation that some exfiltration event happened, since we have a hit against the exfiltration policy. However, we do not know if this is a legitimate data transfer or data theft. Let us see if we can get more detail.

9. Let us dig one-step deeper by clicking on the IP address 10.201.3.149.

10. Now we see that this host is part of the End User Devices host group (the left side of the screen lists host details) and that it has been communicating with some host in China at least once a day (the center of the screen shows flow peers).

11. We now know which organizational unit the host belongs to, which may also tell us something about the type of data this host and user have access to, and whether we should be concerned.

12. The chart to the upper-right shows Suspected Data Loss and Data Exfiltration events over the last 7 days.

13. To run a flow query on the external host involved, in the Traffic by Peer Host Group (last 12 hours) section, click the End User Devices host line, and then click View Flows.

14. Wait for the Flow Search to finish (100%).

15. To view the summary and application traffic, in the Subject Host column, click End User Devices.

Summary

Based on the information uncovered by Stealthwatch, we have enough information to warrant quarantine for the host, a user name to associate with the exfiltration event, and the confirmed knowledge that data was indeed transferred offsite in violation of our current policy rules.

Threats to the integrity of your data are not just from external sources, they are also found internally. How do we detect, locate and verify these internal threats? Stealthwatch can see what other systems miss – legitimate traffic being used for illegitimate purposes or against company policy. The linkages between user and event, the forensic trail, rather than taking days or weeks via conventional methods, is immediately available and accessible via Stealthwatch.

Scenario 4. Cognitive Analytics Integration

Value Proposition: This feature can use both Netflow and proxy data taken in via Proxy Integration feature. When the feature is enabled, relevant network traffic details are sent up into the Cognitive Analytics Cloud for analysis. Threats detected are displayed on the Stealthwatch SMC. Cognitive Analytics provide Stealthwatch with enhanced, machine learning based behavioral analytics against traffic crossing the network perimeter.

Steps

1. Navigate to Dashboard > Network Security, and in the bottom left part of the page, view the Cognitive Threat Analysis widget.

2. To view the Cognitive Threat Analysis in the Host Report page, click on any host.

3. The Host Report screen cognitive widget displays detected anomalous/hostile activity from (top to bottom) newest to oldest.

4. For the event shown in the Host Report Screen, you would read the information panel as the initial detection of tor relay activity, causing initial threat classification (4 to 6), with communication to a known malicious host increasing severity level to 9, and an upgrade to 10 once the threat was identified and classified as a Ransomware threat. In this case, the threat has wormlike spreading behavior and is a large threat to the rest of the network. Hovering over the numbers will explain all of this to users.

NOTE: Most parts of the Cognitive-related UI are mouse-over enabled, giving additional information about the element. In a pinch, you can mouse over an element and read the explanatory text that is displayed.

5. The numerical ratings indicate severity of observed activity (1=minor to 10=critical).

6. The numerical indicators with a circle indicate an identified campaign (for example, WannaCry) vs detected suspicious behavior (TOR relay, persistent anomalous traffic, large data transfers, etc.).

7. The identified attack campaigns (for example, specific worm or malware outbreak) are listed with hashtag identifiers (for example, #CWNC01).

8. Clicking on #Identifier brings up a plain English write-up about the detected event, including:

• Detailed information about the campaign.

• Methods to mitigate and remediate the threat.

• Number of affected hosts within entirety of the enterprise network, as well as broader trends around number of companies and users affected.

• Events with the blue ENCRYPTED tag are detected via analysis of encrypted traffic behaviors (using ETA data collected by Stealthwatch FCs).

9. View Dashboard will take you to the Cognitive cloud-based dashboard (opens in a new tab).

10. Information immediately presented:

• Health Status—Overall number of hosts exhibiting anomalous/threatening behavior detected by Cognitive.

• Relative Threat Exposure—A comparative overview of your enterprise's threat activity level, compared to other organizations of the same type.

• Specific Behaviors—Detected threat types in the network.

• Highest Risk—Hosts exhibiting behavior posing the highest risk to the network.

• Top Risk Escalations—Incidents most recently increasing in overall severity.

NOTE: Most elements on the Dashboard can be clicked and drilled down into.

11. On the Host Report page, in the Cognitive Threat Analytics widget, click Incident Detail to bring up details about the event.

13. Details presented:

• Event classification—Clicking on the #HASHTAG identifier (if available) brings up a plain English write-up about the detected event campaign.

• Affecting—Details on the affected host in your network environment.

• Occurrence—How long the incident has been active on the network.

• Severity Filter—Allows filtering of the activities/flows for the detected event by degree of severity (click the various numbers, if active).

• Activities and Flows—Visual display of the suspicious/malicious activities that triggered the alarm. Shows the Activity > Contacted Domains > IP address(es) of domains with GEO-IP data > the registered systems that own the IP address(es).

• Detailed listing of the network activity above that triggered the alarm—In the Type column on the left, communications marked with an E were encrypted and analyzed using the ETA data that Stealthwatch parses and provides. An N in the Type column denotes a NetFlow connection that was analyzed, and a W denotes a web proxy log.


Scenario 5. ETA Cryptographic Assurance

Value Proposition: Stealthwatch can retain the encryption-related attributes of observed network connections and display them in the SMC, enabling crypto auditing and assurance use cases. This does not require Cognitive.

Steps

1. To view ETA provided crypto details in a flow, navigate to Analyze > Flow Search on the top navigation panel and enter the following:

a. In the Time Range drop down, click Last 8 Hours.

b. In the Subject section, in the Host IP Address field, enter 10.201.3.51.

c. In the Connection section, in the Port/Protocol field, enter 443/tcp.

d. In the Connection section, click on the Advanced Connection Options.

e. Scroll down to click on the Select button under Encryption.

NOTE: Once the Select option is clicked, a panel will appear on the left.

f. Within the Encryption Panel on the left, click inside the Encryption TLS/SSL Version field.

g. This will bring up versions for filtering the search. Select TLS 1.0 and click Apply.

NOTE: This will filter the results to only display flows using TLS 1.0.

2. Scroll up and click Search.


3. Once the flow results are loaded you will need to add the related ETA columns, as they are not displayed by default. Click Manage Columns and in the Connection section, select all the Encryption column options, and click Set.


4. To sort results as descending (arrow down), click on the Encryption MAC column heading twice.

Summary

This Stealthwatch capability is based on the ETA functionality of Cisco Catalyst 9000 switches, ASR, ISR and CSR routers, and the Stealthwatch Flow Sensor in version 7.1, and does not require sending flow data to Cognitive Intelligence Cloud. In this example we detected TLS 1.0 traffic flows; TLS 1.0 is no longer recommended or accepted as a reliable protocol by multiple standards bodies, including PCI and NIST. This helps verify crypto compliance and indicates where the customer will require higher TLS versions to avoid dangerous attacks related to TLS 1.0 such as Heartbleed, POODLE, BEAST, etc.
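The Flow Search steps above (time range, subject host, port/protocol, TLS/SSL version filter) and the Encryption MAC sort amount to a crypto compliance query over flow records that carry ETA attributes. The script below reproduces that query and the follow-on policy check in code. It is an added example, not code from the dCloud demo or from Stealthwatch: the flow records are constructed to resemble the search result columns, the field names (`subject_ip`, `tls_version`, `cipher`, `mac`) and the minimum-version policy are assumptions, and the 10.201.3.51 host and 443/tcp filter values are taken from the steps.

```python
"""Audit ETA-style encryption attributes carried in flow records.

Added example. The flow records below are constructed to resemble the
Stealthwatch flow search result columns (Subject host, Port/Protocol,
Encryption TLS/SSL Version, Encryption Cipher, Encryption MAC). They are
not real Stealthwatch output, and the attribute names are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Flow:
    start: datetime
    subject_ip: str
    peer_ip: str
    port: int
    protocol: str
    tls_version: str  # e.g. "TLS 1.0"; empty when no ETA data was observed
    cipher: str
    mac: str


# Constructed clock so the "Last 8 Hours" filter is reproducible.
NOW = datetime(2019, 8, 29, 12, 0, tzinfo=timezone.utc)

# Constructed sample flows; peers use documentation address space.
FLOWS = [
    Flow(NOW - timedelta(hours=1), "10.201.3.51", "198.51.100.10", 443, "tcp",
         "TLS 1.0", "AES128-SHA", "SHA1"),
    Flow(NOW - timedelta(hours=2), "10.201.3.51", "198.51.100.11", 443, "tcp",
         "TLS 1.2", "ECDHE-RSA-AES256-GCM-SHA384", "AEAD"),
    Flow(NOW - timedelta(hours=3), "10.201.3.51", "198.51.100.12", 443, "tcp",
         "TLS 1.0", "RC4-MD5", "MD5"),
    Flow(NOW - timedelta(hours=12), "10.201.3.51", "198.51.100.13", 443, "tcp",
         "TLS 1.0", "DES-CBC3-SHA", "SHA1"),      # outside the 8-hour window
    Flow(NOW - timedelta(hours=1), "10.201.3.52", "198.51.100.14", 443, "tcp",
         "TLS 1.0", "AES128-SHA", "SHA1"),        # different subject host
    Flow(NOW - timedelta(hours=1), "10.201.3.51", "198.51.100.15", 80, "tcp",
         "", "", ""),                             # cleartext, no ETA fields
]


def flow_search(flows, host_ip, port, protocol, tls_version, last_hours, now=NOW):
    """Mirror the Flow Search filters: time range, subject host,
    port/protocol and the Encryption TLS/SSL Version selector."""
    cutoff = now - timedelta(hours=last_hours)
    return [
        f for f in flows
        if f.start >= cutoff
        and f.subject_ip == host_ip
        and f.port == port and f.protocol == protocol
        and f.tls_version == tls_version
    ]


def sort_by_mac_desc(flows):
    """Step 4 of the scenario: descending sort on the Encryption MAC column."""
    return sorted(flows, key=lambda f: f.mac, reverse=True)


# Constructed policy: protocol versions ranked so a minimum can be enforced.
TLS_ORDER = {"SSL 3.0": 0, "TLS 1.0": 1, "TLS 1.1": 2, "TLS 1.2": 3, "TLS 1.3": 4}


def compliance_report(flows, minimum="TLS 1.2"):
    """Return (peer, version, cipher, mac) for every encrypted flow whose
    negotiated version is below the minimum. Flows with no ETA attributes
    are skipped rather than reported, since nothing was observed for them."""
    floor = TLS_ORDER[minimum]
    findings = []
    for f in flows:
        if not f.tls_version:
            continue
        if TLS_ORDER.get(f.tls_version, -1) < floor:
            findings.append((f.peer_ip, f.tls_version, f.cipher, f.mac))
    return findings


if __name__ == "__main__":
    hits = sort_by_mac_desc(flow_search(FLOWS, "10.201.3.51", 443, "tcp", "TLS 1.0", 8))
    for f in hits:
        print(f"{f.subject_ip} -> {f.peer_ip}:{f.port}/{f.protocol} "
              f"{f.tls_version} {f.cipher} MAC={f.mac}")
    for finding in compliance_report(FLOWS):
        print("below minimum:", finding)
```

The search narrows to the two in-window TLS 1.0 flows from 10.201.3.51, ordered SHA1 before MD5 by the MAC sort, while the policy check over the whole record set reports all four sub-TLS 1.2 flows regardless of host or time window, which is the broader audit the Summary describes.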


What’s Next?

Check out the related information on Demo Zone.