Dragan Novakovic
April 2017
Network as a sensor
Detect Threats Faster with Stealthwatch
One in four breaches are caused
by malicious insiders
95% of all cybercrime is triggered
by a user clicking on a malicious
link disguised to be legitimate
Two in three breaches exploit
weak or stolen passwords
With lateral movement of advanced
persistent threats, even external attacks
eventually become internal threats
External Internal
FW
IDS
IPS
Highlights
Source: Verizon Data Breach Investigations Report and Forrester research.
Realities of Modern Threats
New Networks Mean New Security Challenges
It’s Not IF You Will Be Breached . . . It’s WHEN
Expanded Enterprise Attack Surface
Organizations lack visibility
into the behavior of
devices on their network
Cloud usage is becoming more
prevalent, but so is the lack of
visibility into the cloud
Over 50 billion connected
“smart objects” are projected
by 2020
Acquisitions, joint ventures,
and partnerships are
increasing in frequency
ENTERPRISE
MOBILITY
ACQUISITIONS AND
PARTNERSHIPS CLOUD
INTERNET
OF THINGS
Changing
Business Models
Dynamic
Threat Landscape
Complexity
and Fragmentation
Cisco Confidential 4 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
You Can’t Defend Against What You Can’t See
Citrix
WebEx
SAP
Cisco Services and Customer Success
• Gain unique visibility
across your business
• Simplify segmentation
throughout your networks
• Address threats faster
• Enable your network to take action
• Extend visibility and granular access
control to your remote branches
• Prevent the lateral movement
of threats
• Protect your critical information
• Simplify policy enforcement
and data center segmentation
• Accelerate incident response
in the data center
• Gain enhanced
visibility into the cloud
• Make the cloud a part of
your segmentation strategy
• Identify threats quickly
and take action
Extended Network
Branch Data Center
Cloud
Stealthwatch Enhances Visibility Across your Entire Business
Analyze Monitor Detect Respond CISCO STEALTHWATCH
Flow Information Packets
SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
...
APPLICATION NAME NBAR SECURE-HTTP
Routers
Netflow Provides
• A trace of every conversation
in your network
• An ability to collect records
everywhere in your network
(switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as
well as east-west communication
• Lightweight visibility compared to
Switched Port Analyzer (SPAN)-
based traffic analysis
• Indications of compromise (IOC)
• Security group information
Switches
Visibility Through Netflow
10.1.8.3
172.168.134.2 Internet
Switch Router Router Firewall Data Center
Switch
Server User
NetFlow Exporters
NetFlow Capable
Cisco Identity
Services Engine
For individual platform features, reference the Cisco Feature Navigator: http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp
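The flow record above is what an exporter actually sends to the collector. As an added example (not Cisco or Stealthwatch code), the following parser decodes a NetFlow v9 export packet into the named fields shown on the slide; the packet it decodes is constructed inline, with the standard v9 field type numbers from RFC 3954, and the byte and packet counters are made-up values.

```python
"""Minimal NetFlow v9 export parser (added example, not Cisco or Stealthwatch code).

Builds one constructed v9 packet (header + template FlowSet + data FlowSet)
whose single record carries the field values shown on the slide, then decodes
it back into a dict keyed by field name. Field type numbers are the standard
NetFlow v9 ones (RFC 3954); the packet itself is constructed.
"""
import ipaddress
import struct

# Standard NetFlow v9 field type number -> field name
FIELD_TYPES = {
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 5: "SRC_TOS", 6: "TCP_FLAGS",
    7: "L4_SRC_PORT", 8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT",
    12: "IPV4_DST_ADDR", 15: "IPV4_NEXT_HOP",
}
IPV4_FIELDS = {8, 12, 15}


def _decode(ftype, raw):
    if ftype in IPV4_FIELDS:
        return str(ipaddress.IPv4Address(raw))
    return int.from_bytes(raw, "big")


def parse_netflow_v9(packet, templates=None):
    """Decode one export packet. Returns (records, templates).

    Templates are keyed by (source id, template id) and persist across calls,
    because an exporter sends a template only periodically and a data FlowSet
    that arrives before its template cannot be decoded."""
    templates = {} if templates is None else templates
    version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    records, off = [], 20
    while off + 4 <= len(packet):
        fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")
        body = packet[off + 4:off + fs_len]
        if fs_id == 0:                      # template FlowSet, may carry several templates
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                fields = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = fields
        elif fs_id > 255 and (source_id, fs_id) in templates:   # data FlowSet with a known template
            fields = templates[(source_id, fs_id)]
            rec_len = sum(flen for _, flen in fields)
            pos = 0
            while pos + rec_len <= len(body):   # trailing bytes shorter than a record are padding
                rec, p = {}, pos
                for ftype, flen in fields:
                    rec[FIELD_TYPES.get(ftype, f"TYPE_{ftype}")] = _decode(ftype, body[p:p + flen])
                    p += flen
                records.append(rec)
                pos += rec_len
        off += fs_len
    return records, templates


def build_sample_packet():
    """Constructed v9 packet: template 256 plus one record with the slide's values."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (10, 2), (5, 1), (4, 1), (15, 4), (6, 1), (1, 4), (2, 4)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (ipaddress.IPv4Address("10.1.8.3").packed            # IPV4_SRC_ADDR
           + ipaddress.IPv4Address("172.168.134.2").packed     # IPV4_DST_ADDR
           + struct.pack("!HHH", 47321, 443, 1)                 # src port, dst port, input ifIndex
           + struct.pack("!BB", 0x00, 6)                        # TOS, protocol (TCP)
           + ipaddress.IPv4Address("172.168.25.1").packed      # IPV4_NEXT_HOP
           + struct.pack("!B", 0x1A)                            # TCP flags
           + struct.pack("!II", 1025, 5))                       # bytes, packets (constructed values)
    pad = b"\x00" * (-(4 + len(rec)) % 4)                       # FlowSets are padded to 32-bit boundaries
    data_fs = struct.pack("!HH", 256, 4 + len(rec) + len(pad)) + rec + pad
    header = struct.pack("!HHIIII", 9, 2, 123456, 1456312345, 1, 0)  # version, record count, uptime, secs, seq, source id
    return header + template_fs + data_fs
```

A collector keeps the template table per exporter source id; a data FlowSet whose template has not yet arrived is skipped here, which is why a real deployment sees a short gap after an exporter restarts until the next template refresh.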
Netflow Supported Platforms
Switch
Catalyst 2960-X (FNF v9)
Catalyst 3560-X (SM-10G module only)
Catalyst 3750-X (SM-10G module only)
Catalyst 3850/3650 (FNF v9 SGT support)
Catalyst 4500E (Sup7E/7LE)
Catalyst 4500E (Sup8) (FNF v9 SGT support)
Catalyst 6500E (Sup2T) (FNF v9 SGT support)
Catalyst 6800 (FNF v9 SGT support)
Router
Cisco ISR G2 (FNF v9 SGT support)
Cisco ISR 4000 (FNF v9 SGT support)
Cisco ASR1000 (FNF v9 SGT support)
Cisco CSR 1000v (FNF v9 SGT support)
Cisco WLC 5760 (FNF v9)
Cisco WLC 5520, 8510, 8540 (FNF v9)
Firewall
ASA5500, 5500-X (NSEL)
FTD (NSEL in v6.2 with Flex-Config)
Data Center Switch
Nexus 7000 (M Series I/O modules – FNF v9)
Nexus 1000v (FNF v9)
Servers and Appliances
Cisco NetFlow Generation Appliance (FNF v9)
Cisco UCS VIC (VIC 1224/1240/1280/1340/1380)
Cisco AnyConnect Client (IPFIX) *
Meraki MX/Z1 (v9)
WAN
Unidirectional Flow Records (one record per direction, as exported):
Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712
Bidirectional Flow Record (10.2.2.2 port 1024 <-> 10.1.1.1 port 80), the conversation flow record that allows easy visualization and analysis:
Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2
Scaling Visibility: Flow Stitching
Same conversation (10.2.2.2 port 1024 <-> 10.1.1.1 port 80) reported by three exporters:
Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80 (duplicate of Router A’s record)
Router C: 10.1.1.1:80 -> 10.2.2.2:1024 (same conversation seen from the other direction)
Without deduplication:
• Traffic volume can be misreported
• False positives would occur
With deduplication:
• Allows for efficient storage of flow data
• Necessary for accurate host-level reporting
• Does not discard data
Scaling Visibility: NetFlow Deduplication
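The two slides above (flow stitching and NetFlow deduplication) describe one collector-side pipeline, so here is an added example of both steps together; it is not Stealthwatch code. The unidirectional records are constructed to match the slides: Routers A and B both export the client-to-server half, Router C exports the server-to-client half, and the exporter names, interface names, timestamps and the one-second duplicate window are assumptions.

```python
"""Flow deduplication and stitching (added example, not Stealthwatch code).

Takes unidirectional flow records as several exporters would report them,
constructed to match the slides (Routers A and B both export the
client-to-server half, Router C exports the server-to-client half), and
produces one bidirectional conversation record in which bytes are counted
once and every observing exporter interface is retained.
"""
from dataclasses import dataclass, field, replace


@dataclass
class UniFlow:
    exporter: str
    interface: str
    start: float        # seconds (constructed timestamps)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    bytes: int


@dataclass
class Conversation:
    start: float
    client: str
    client_port: int
    server: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    interfaces: list = field(default_factory=list)


DUP_WINDOW = 1.0    # seconds: same 5-tuple from another exporter within this window is a duplicate (assumption)


def _key(f):
    return (f.src, f.sport, f.dst, f.dport, f.proto)


def deduplicate(flows):
    """Collapse the same 5-tuple reported by several exporters into one record.

    Counters are taken once (the largest report, since exporters may cut the
    same flow at slightly different points); the set of exporter interfaces is
    merged so nothing the exporters observed is discarded."""
    merged = []     # list of (representative UniFlow, set of "exporter:interface")
    for f in sorted(flows, key=lambda x: x.start):
        for rep, seen in merged:
            if _key(rep) == _key(f) and abs(rep.start - f.start) <= DUP_WINDOW:
                rep.pkts, rep.bytes = max(rep.pkts, f.pkts), max(rep.bytes, f.bytes)
                seen.add(f"{f.exporter}:{f.interface}")
                break
        else:
            merged.append((replace(f), {f"{f.exporter}:{f.interface}"}))
    return merged


def stitch(dedup):
    """Pair the two directions of a conversation into one bidirectional record.

    The earlier-starting half is the client; on equal start times the half
    with the higher (ephemeral) source port is taken as the client."""
    convs = {}
    for rep, seen in sorted(dedup, key=lambda x: (x[0].start, -x[0].sport)):
        fwd, rev = _key(rep), (rep.dst, rep.dport, rep.src, rep.sport, rep.proto)
        if rev in convs:                        # reply half of a conversation already held
            c = convs[rev]
            c.server_bytes += rep.bytes
            c.server_pkts += rep.pkts
        else:
            c = convs.setdefault(fwd, Conversation(rep.start, rep.src, rep.sport, rep.dst, rep.dport, rep.proto))
            c.client_bytes += rep.bytes
            c.client_pkts += rep.pkts
        for iface in sorted(seen):
            if iface not in c.interfaces:
                c.interfaces.append(iface)
    return list(convs.values())


SAMPLE_FLOWS = [   # constructed to match the slides
    UniFlow("Router A", "eth0/1", 12.221, "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("Router B", "eth0/3", 12.230, "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),   # same flow, second exporter
    UniFlow("Router C", "eth0/2", 12.871, "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]


def stitch_sample():
    return stitch(deduplicate(SAMPLE_FLOWS))


def naive_total_bytes(flows):
    """What a collector that does not deduplicate would attribute to the conversation."""
    return sum(f.bytes for f in flows)
```

Without the deduplication step the conversation would be credited with 1025 bytes twice, which is exactly the misreported volume and the false-positive source the slide warns about; with it, the record still names all three observing interfaces, so no data is discarded.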
• Highly scalable (enterprise-class) collection
• High compression => long-term storage
• Months of data retention
More context is attached to each stitched record: who, what, when, where, and security group.
The General Ledger
• Stitched and de-duplicated
• Conversational representation
• Highly scalable data collection and compression
• Enables months of data retention
• Obtain comprehensive,
scalable enterprise
visibility and security
context
• Gain real-time
situational awareness
of traffic
• Detect and analyze
network behavior
anomalies
• Easily detect behaviors
linked to advanced
persistent threats
(APTs), insider threats,
distributed denial-of-
service (DDoS) attacks,
and malware
• Accelerate network
troubleshooting and threat
mitigation
• Respond quickly
to threats
• Continuously improve
enterprise security
posture
Monitor Detect Analyze Respond
See and detect more in your network with Stealthwatch
• Collect and analyze
holistic network audit
trails
• Achieve faster root
cause analysis
• Conduct thorough
forensic investigations
Monitor the Network
Virtual container of multiple IP
addresses/ranges that have
similar attributes
Best practice:
Classify all known IP addresses
into one or more host groups
Lab server grouping
Host Groups: Applied Situational Awareness
Find hosts communicating on the network
• Pivot based on transactional data
Locate Assets
PCI Zone Map
Define communication policy
between zones
Monitor for violations
Segmentation Monitoring with Stealthwatch
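As an added example of the host-group and zone-map idea above (not Stealthwatch code), the following classifies addresses into host groups, checks each flow against a communication policy between groups, and raises a named policy alarm such as "Employee to Production Servers" when no permitted path exists. The group names, address ranges, policy entries and flows are all constructed.

```python
"""Host groups and zone policy monitoring (added example, not Stealthwatch code).

Host groups are containers of IP ranges with similar attributes; a zone map
then says which groups may talk to which, and on which ports. Every flow whose
endpoints fall in groups with no permitted path raises a policy alarm. Group
names, ranges, policy and flows are constructed.
"""
import ipaddress

HOST_GROUPS = {   # constructed; best practice is that every known address lands in at least one group
    "Employees":          ["10.10.0.0/16"],
    "Lab Servers":        ["10.20.5.0/24"],
    "Production Servers": ["10.30.0.0/16"],
    "PCI Zone":           ["10.30.200.0/24"],   # nested in Production, so one IP can be in several groups
    "Jump Hosts":         ["10.40.1.0/28"],
}

# Permitted (source group, destination group, destination port or None for any port).
ZONE_POLICY = {
    ("Employees", "Lab Servers", None),
    ("Jump Hosts", "Production Servers", 22),
    ("Jump Hosts", "PCI Zone", 22),
    ("Production Servers", "PCI Zone", 5432),
}

_NETS = {g: [ipaddress.ip_network(n) for n in nets] for g, nets in HOST_GROUPS.items()}


def host_groups(ip):
    """All groups containing ip; an empty list means an unclassified host."""
    addr = ipaddress.ip_address(ip)
    return [g for g, nets in _NETS.items() if any(addr in n for n in nets)]


def most_specific(groups, ip):
    """The group whose range most tightly contains ip (longest prefix), or 'Unclassified'."""
    if not groups:
        return "Unclassified"
    addr = ipaddress.ip_address(ip)
    return max(groups, key=lambda g: max(n.prefixlen for n in _NETS[g] if addr in n))


def violations(flows):
    """Return (src, src_groups, dst, dst_groups, dport, alarm_name) for each flow
    with no permitted (source group, destination group, port) combination."""
    alarms = []
    for src, dst, dport in flows:
        sg, dg = host_groups(src), host_groups(dst)
        allowed = any((s, d, p) in ZONE_POLICY for s in sg for d in dg for p in (dport, None))
        if not allowed:
            alarms.append((src, sg, dst, dg, dport, f"{most_specific(sg, src)} to {most_specific(dg, dst)}"))
    return alarms


SAMPLE_FLOWS = [   # constructed (source IP, destination IP, destination port)
    ("10.10.4.7",    "10.20.5.12",  443),    # employee -> lab server: permitted
    ("10.40.1.3",    "10.30.8.9",   22),     # jump host -> production over SSH: permitted
    ("10.10.4.7",    "10.30.8.9",   3389),   # employee -> production: policy violation
    ("10.10.4.7",    "10.30.200.5", 5432),   # employee -> PCI database: policy violation
    ("10.30.8.9",    "10.30.200.5", 5432),   # production app -> PCI database: permitted
    ("192.168.99.1", "10.30.200.5", 445),    # unclassified host -> PCI zone: policy violation
]
```

An unclassified endpoint is reported as its own label rather than silently ignored, which is the practical reason behind the slide's best practice of putting every known address into a host group: anything left outside the groups shows up as "Unclassified" in the alarm table and gets sorted out.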
Modeling Policy: Alarm Occurrence
Details of “Employee
to Production Servers”
alarm occurrences
Drill down into alarm
for hosts and targets
involved
Alarm dashboard
showing all policy
alarms
Detect Threats
Flows -> Collect and Analyze Flows -> Security Events -> Alarm Categories -> Response
Security Events (94+), built by applying behavioral algorithms to the flows:
Addr_Scan/tcp
Addr_Scan/udp
Bad_Flag_ACK**
Beaconing Host
Bot Command Control Server
Bot Infected Host - Attempted
Bot Infected Host - Successful
Flow_Denied
...
ICMP Flood
...
Max Flows Initiated
Max Flows Served
...
Suspect Long Flow
Suspect UDP Activity
SYN Flood
Alarm Categories (each category accrues points from its security events):
Concern
Exfiltration
C&C
Recon
Data hoarding
Exploitation
DDoS target
Responses:
Alarm table
Host snapshot
Syslog / SIEM
Mitigation
Behavioral and Anomaly Detection Model: Behavioral Algorithms are Applied to Build “Security Events”
Stealthwatch Alarm Categories
Example Algorithm: Data Hoarding
Suspect Data Hoarding
• Unusually large amount of data inbound from other hosts
Target Data Hoarding
• Unusually large amount of data outbound from a host to multiple hosts
Alarm Model: Monitor activity and alarm on suspicious conditions
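The two preceding slides describe the model in words: behavioral algorithms turn flows into security events, and events accrue points in an alarm category until the category alarms. The following is an added example of that model applied to the data hoarding algorithm; it is not Stealthwatch code, and the baseline statistic (z-score against the host's own 7-day history), the z threshold, the point weights, the category threshold and the per-host sample data are all constructed.

```python
"""Behavioral baseline and alarm-category points (added example, not Stealthwatch code).

Builds a per-host baseline of daily inbound bytes, distinct sources, outbound
bytes and distinct destinations from constructed history, then raises the two
security events the slide describes: Suspect Data Hoarding (a host pulling
unusually much data from many hosts) and Target Data Hoarding (a host pushing
unusually much data to many hosts). Each event adds points to an alarm
category; the category alarms once its points cross a threshold. Thresholds,
weights and sample data are constructed.
"""
from statistics import mean, pstdev


def baseline(history):
    """(mean, standard deviation) of each metric column over a host's history."""
    return [(mean(col), pstdev(col)) for col in zip(*history)]


def z_score(value, mu, sigma):
    """How many standard deviations value sits above the host's own mean."""
    if sigma > 0:
        return (value - mu) / sigma
    return 0.0 if value == mu else float("inf")   # a flat history makes any change anomalous


# Metric indexes: 0 inbound bytes, 1 distinct sources, 2 outbound bytes, 3 distinct destinations
EVENT_RULES = {
    # event name: (metrics that must all exceed the z threshold, z threshold, category, points)
    "Suspect Data Hoarding": ((0, 1), 3.0, "Data hoarding", 60),
    "Target Data Hoarding":  ((2, 3), 3.0, "Data hoarding", 80),
}
ALARM_THRESHOLD = 100   # category alarms once accumulated points reach this (constructed)


def security_events(host, history, today):
    """Events fired for today's observation, judged against this host's own baseline."""
    base = baseline(history)
    fired = []
    for name, (idx, z_min, category, points) in EVENT_RULES.items():
        if all(z_score(today[i], *base[i]) >= z_min for i in idx):
            fired.append((host, name, category, points))
    return fired


def category_alarms(events):
    """Accrue points per (host, category); return those that crossed the threshold."""
    totals = {}
    for host, _, category, points in events:
        totals[(host, category)] = totals.get((host, category), 0) + points
    return {k: v for k, v in totals.items() if v >= ALARM_THRESHOLD}


# Constructed 7-day history per host: (inbound bytes, sources, outbound bytes, destinations)
HISTORY = {
    "10.10.4.7":  [(210e6, 12, 30e6, 8), (190e6, 11, 28e6, 9), (205e6, 13, 31e6, 8),
                   (198e6, 12, 29e6, 7), (215e6, 14, 33e6, 9), (201e6, 12, 30e6, 8), (195e6, 11, 27e6, 8)],
    "10.20.5.12": [(1.2e9, 40, 3.0e9, 120), (1.1e9, 38, 2.9e9, 118), (1.3e9, 42, 3.1e9, 125),
                   (1.2e9, 41, 3.0e9, 121), (1.15e9, 39, 2.95e9, 119), (1.25e9, 40, 3.05e9, 122),
                   (1.2e9, 40, 3.0e9, 120)],
}
TODAY = {   # constructed observations for the day under evaluation
    "10.10.4.7":  (9.5e9, 140, 9.4e9, 95),     # workstation pulls from 140 hosts, then pushes to 95: both events
    "10.20.5.12": (4.0e9, 110, 3.0e9, 120),    # file server pulling far more than usual: Suspect only
}


def evaluate(history=HISTORY, today=TODAY):
    events = [e for h in history for e in security_events(h, history[h], today[h])]
    return events, category_alarms(events)
```

The point is that the same absolute number is normal for one host and anomalous for another: 4 GB inbound is unremarkable for a busy file server's peers but is flagged here because it is far outside that server's own history, while the workstation trips both events and is the only host whose category crosses the alarm threshold.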
Policy and behavioral
Network Behavior and Anomaly Detection
Analyze Behavior
Summary of aggregated
host information
Investigating a Host
Observed communication
patterns
Historical alarming behavior
Investigating: Host Drill-Down
User information
Investigating: Audit Trails
Network behavior
retroactively analyzed
Active Directory
details
Username
View flows
Devices and
sessions
Extrapolating to a User
Respond to Incidents
PX Grid
Real-Time Visibility into All Network Layers
• Data intelligence throughout network
• Discovery of assets
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
Mitigation
Context Information Stealthwatch
Cisco ISE and pxGrid Integration
Context
ISE
Quarantine or unquarantine via pxGrid
StealthWatch Management Console
Cisco®
Identity Services Engine
SMC
Rapid Threat Containment
The Stealthwatch System
Learning
Network
Manager
Proxy
License
Cloud
License
Endpoint
Concentrator
UDP
Director Legacy
Traffic Analysis
Software
Flow
Sensor
ESX with
Flow Sensor
VE
Non-NetFlow
enabled equipment
Security Packet
Analyzer
Packet Data &
Storage
ISE Identity
Services
Flow
Collector
Management
Console
Threat Feed
License
NetFlow enabled
routers, switches,
firewalls
Cisco Stealthwatch
System
Comprehensive
Security
and
Network
Monitoring
Stealthwatch Management Console (SMC)
• A physical or virtual appliance that aggregates, organizes, and presents analysis from Flow Collectors, Identity Services Engine (ISE), and other sources.
• User interface to Stealthwatch
• Maximum 2 per deployment
Flow Collector (FC)
• A physical or virtual appliance that aggregates and normalizes netflow and application data collected from exporters such as routers, switches, and firewalls.
• High performance NetFlow / SFlow / IPFIX Collector
• Maximum 25 per deployment
Flow collection license
• Collection, management, and analysis of netflow by the Stealthwatch system is licensed on the basis of flows per second (FPS) and term.
Flow Collector
Management Console
Required Core Components
Extended Network Visibility
• Physical or virtual appliance
• Provides an overlay solution for generating netflow data with infrastructure not capable of natively producing un-sampled netflow data at line rates
• Produces netflow for components without un-sampled netflow support
• Deployed in environments where additional security context is required
ISE Identity
Services
Flow
Collector
Management
Console
Non-NetFlow
enabled equipment
Threat Feed
License
Flow
Sensor
ESX with
Flow Sensor VE
Flow Sensor
ISE Identity
Services
Flow
Collector
Management
Console
Legacy Traffic
Analysis Software
Threat Feed
License
UDP Director
UDP Director
• Physical or virtual appliance
• Allows netflow, syslog and SNMP data to be sent transparently to multiple collection points
• Can repeat traffic to multiple Flow Collectors
NetFlow enabled Routers, switches, firewalls
Proxy License
ISE Identity
Services Management
Console
Threat Feed
License
Flow Collector
Syslog Information Packets
TIMESTAMP 1456312345
ELAPSE TIME 12523
SOURCE IP 192.168.2.100
SOURCE Port 4567
DESTINATION IP 65.12.56.123
DESTINATION PORT 80
BYTES 400
URL http://cisco.com
USERNAME john
SYSLOG
Stealthwatch Proxy License
Proxy License Provides
• HTTP Traffic Visibility
• Analysis continuity
• User information
Multi-Vendor Proxy Support
• Cisco WSA
• Bluecoat proxy
• Squid
• McAfee Web Gateway
Source IP/Port URL Username Destination IP/Port
Proxy License Visibility
Integration Protocols/Ports
• Proxy sends Syslog (UDP/514) information containing Web access details to the Flow Collector
• The Flow Collector will associate the received logs with the designated flows
Integration Protocols/Ports
• User Name
• URL
• URL Host
• Byte summary
• Session Duration
• Source IP/Port
• Destination IP/Port
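As an added example of the association step described above (not Stealthwatch or proxy vendor code), the following parses proxy syslog lines carrying the fields on the slide and attaches the URL and username to the flow record with the same source/destination IP and port whose active interval covers the request time. The key=value log layout, the flows, the timestamps and the five-second slack are constructed; a real integration parses the specific proxy's log format.

```python
"""Associating proxy syslog records with flow records (added example, not Stealthwatch code).

A proxy exports one syslog line per web request with the fields listed on the
slide (timestamp, elapse time, source/destination IP and port, bytes, URL,
username). The collector matches each line to the flow whose endpoints are the
same and whose active interval covers the request time, enriching the flow with
the URL and user. Log format, flows and timings are constructed.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Flow:
    start: int         # epoch seconds
    end: int
    src: str
    sport: int
    dst: str
    dport: int
    urls: list = field(default_factory=list)
    username: str = None


# Constructed key=value syslog payloads, one web request per line.
PROXY_LOGS = """\
<134>proxy01 web: ts=1456312345 elapse=12523 src=192.168.2.100 sport=4567 dst=65.12.56.123 dport=80 bytes=400 url=http://cisco.com user=john
<134>proxy01 web: ts=1456312347 elapse=830 src=192.168.2.100 sport=4567 dst=65.12.56.123 dport=80 bytes=2200 url=http://cisco.com/go/stealthwatch user=john
<134>proxy01 web: ts=1456312400 elapse=150 src=192.168.2.101 sport=50222 dst=65.12.56.123 dport=80 bytes=90 url=http://example.invalid/ping user=alice
"""

LOG_RE = re.compile(r"(\w+)=(\S+)")


def parse_proxy_line(line):
    """Return the record as a dict, or None for a line missing any required field."""
    kv = dict(LOG_RE.findall(line))
    try:
        return {"ts": int(kv["ts"]), "elapse_ms": int(kv["elapse"]),
                "src": kv["src"], "sport": int(kv["sport"]), "dst": kv["dst"], "dport": int(kv["dport"]),
                "bytes": int(kv["bytes"]), "url": kv["url"], "user": kv["user"]}
    except (KeyError, ValueError):
        return None   # malformed line: skip rather than attribute a URL or user to the wrong flow


def associate(flows, log_text, slack=5):
    """Attach each log record to the flow it belongs to; return the records that matched nothing.

    A match needs the same source/destination IP and port and a request time
    inside the flow's active interval (widened by `slack` seconds to absorb
    clock skew between proxy and exporter)."""
    unmatched = []
    for line in log_text.splitlines():
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["sport"], rec["dst"], rec["dport"])
        match = next((f for f in flows
                      if (f.src, f.sport, f.dst, f.dport) == key
                      and f.start - slack <= rec["ts"] <= f.end + slack), None)
        if match is None:
            unmatched.append(rec)
            continue
        match.urls.append(rec["url"])
        match.username = rec["user"]
    return unmatched


def sample_flows():
    return [   # constructed flow records as a collector would hold them
        Flow(1456312340, 1456312360, "192.168.2.100", 4567, "65.12.56.123", 80),    # covers both of john's requests
        Flow(1456312200, 1456312210, "192.168.2.101", 50222, "65.12.56.123", 80),   # ended long before alice's request
    ]


def enrich_sample():
    flows = sample_flows()
    unmatched = associate(flows, PROXY_LOGS)
    return flows, unmatched
```

The time check matters as much as the 5-tuple: ephemeral source ports are reused, so a log line that only matches on addresses and ports but falls outside the flow's interval is reported as unmatched rather than enriching the wrong conversation.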
Endpoint Concentrator
Enhanced
Endpoints Context
Enhance netflow records with endpoint/user data with application activity
Analytics Auditing Visibility
Cisco AnyConnect Network Visibility Module
Collector & Reporting
Cisco/Partners
AnyConnect with Network
Visibility Module
nvzFlow
Attributing a flow to:
• Process name
• Process hash
• Process account
• Parent process name
• Parent process hash
• Parent process account
ISE Identity
Services
Flow
Collector
Threat Feed
License
Endpoint
Concentrator
Management
Console
Stealthwatch Endpoint Visibility Solution
Threat Intelligence
Botnet Command
& Control
Internet
Scanning
Backscatter
(DDoS Victims)
User Interface
Formerly known as “SLIC”: new behavioral analysis algorithms are released as new threats are discovered, and the updates are delivered through the Threat Feed control channel and licensing
Overview:
• Team performs feed validation and independent research and analytics
• Threat research influences continued algorithm development
• Works with Proxy License
• Ideally deployed with Flow Sensor(s)
• Enables alarming within Stealthwatch around:
• Host interaction with known bad URLs
• Host interaction with C&C servers
Future Plans:
• Merge with Cisco TALOS for additional threat intelligence context and information
Threat Feed
Stealthwatch Threat Intelligence License Actionable Threat Intelligence
Branch
Brings self-learning attributes to the Cisco 4000 ISR
Needs no programming of firewall rules, malware signatures, or access control lists (ACLs)
Uses machine learning, network context, and packet capture to determine what’s normal and what’s not
Uses advanced analytics and models to identify and block true anomalies
Adapts as conditions change
Cisco Stealthwatch Learning Network License
Learning Network Agent
Machine-learning security agent software for the Cisco 4000 Integrated
Services Router that collects and analyzes information, which it
communicates to the Manager.
Learning Network Manager
Virtual machine application software that provides advanced visualization
of the anomalies that the Learning Agents discover. It displays visuals
using the management application.
Learning Network Components
• Discovers traffic paths
• Builds map of IP addresses to learn about its environment
• Studies traffic movement, volumes, patterns, times of day
• Identifies applications on NBAR and DPI
• Learns to distinguish normal from anomalous
• Precisely identifies anomaly; allows operator to take action to remediate
Overview of Learning Network Operation
Summary
Stealthwatch
Management Console
UDP Director FlowSensor Firewall, Routers, and ASA
FlowCollector
Threat Feed License
• Aggregate up to 25 FlowCollectors
• Up to 6 million flows per second
• Integration with third-party security / network tools
Visibility and
Management
Aggregation,
Analytics,
and Context
• Store and analyze up to 4,000 sources at up to 240,000 sustained flows per second
• Identity, device, reputation, threat, proxy, and application feeds provide threat context
• Continuous packet capture
Exporters /
Transactional
Monitors
• Network telemetry data is generated by:
• Switches, routers, firewalls
• FlowSensors in areas without flow support
• Support up to 20 Gbps throughput per sensor
Packet Analyzer
Proxy License
ISE Active Directory
Identity Services
Massively Scalable Architecture
• The Stealthwatch system enhances your security across the enterprise, providing comprehensive network visibility
and intelligence
• Your network is a key asset for threat detection and control
• The Stealthwatch architecture ensures robust and flexible deployment
Key Takeaways
Extended Network
Branch Data Center
Cloud
Analyze Monitor Detect Respond CISCO STEALTHWATCH
Stealthwatch Technical Use Cases (Use Case / Vertical / Threat/Theme)
Use case: A global oilfield services company discovered China was in their network when they were contacted by the FBI. Stealthwatch was installed and, in less than a week, had identified a local user who was logging in from China and exfiltrating gigabytes of critical files. That user’s login information had been stolen and the thief now had rightful access to anything they wanted on the network. This not only proved the value of Lancope’s end-to-end internal visibility, but also further justification for a global Cisco ISE deployment.
Vertical: Energy/Utilities
Threat/Theme: Compromised Credentials
Use case: A large healthcare provider learned during their Lancope evaluation that they had “internal users” logging in from China and Singapore to exfiltrate large files to Dropbox. This was an immediate red flag since the company had no presence outside the state of Texas.
Vertical: Healthcare
Threat/Theme: Compromised Credentials
Use case: A large food services company learned during their Lancope evaluation that seven of their servers suddenly began launching scanning attacks on various Department of Defense networks. After some investigation, it was learned that a server admin had loaded a “FREE” copy of Virtual Network Client on these boxes.
Vertical: Food Services
Threat/Theme: Malware – Infected Hosts
Use case: A large technology company discovered during a Stealthwatch evaluation that almost half of their end-user workstations were infected with a custom piece of malware written just for their network. The malware had been quietly stealing information for an unknown period of time. There is no signature for a situation like this, but Lancope was able to use behavioral analysis to identify the scanning, connecting, and propagation activities of this malware, and build a forensic trail of every host that needed to be removed from the network and cleaned up.
Vertical: Technology
Threat/Theme: Malware – Infected Hosts
Use case: During their Lancope evaluation, a large healthcare provider found out that they had a compromised server on their network exfiltrating gigabytes of patient data every Saturday night when it received calls from a command & control server out on the Internet. Further investigation revealed that this host had likely been compromised for well over a year.
Vertical: Healthcare
Threat/Theme: Command & Control Exfiltration
Use case: A large automotive distributor lost access to their most critical business application during their Lancope evaluation. Within minutes, their network, server, and security teams were able to come together and identify exactly where the issue was – a back-end SQL virtual server was taking almost a minute to respond to each request. This scenario would have historically pulled all of these teams into a war room for hours of triage, while their business was at a stand-still. Instead, the server team now knew exactly where the issue was and could fix it with minimal impact to the end-users.
Vertical: Manufacturing
Threat/Theme: Network & Server Performance
cisco.com/go/stealthwatch