Leverage the Network to Detect and Manage Threats
Matthew Robertson, Technical Marketing Engineer
May 19, 2016
© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
“The world is full of obvious things which nobody by any
chance observes.”
Sherlock Holmes, The Hound of the Baskervilles
About this Session: Finding the Insider Threat
Monitoring the network interior to find the threats within
Insider Threat
NetFlow
Diagram: 10.2.2.2 port 1024 <-> eth0/1 | eth0/2 <-> 10.1.1.1 port 80

| Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT | DGT | TCP Flags |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 | 100 | 1010 | SYN,ACK,PSH |
| 10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 | 1010 | 100 | SYN,ACK,FIN |
NetFlow = Visibility
```
Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Gi0/0/0
FLOW CTS SOURCE GROUP TAG: 100
FLOW CTS DESTINATION GROUP TAG: 1010
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http
…
```
A single NetFlow Record provides a wealth of information
NetFlow Deployment
Each network layer offers unique NetFlow capabilities
• Edge: ASA, ISR, ASR
• Distribution & Core: Catalyst® 6500, Catalyst® 4500
• Access: Catalyst® 3560/3750-X, Catalyst® 4500, Catalyst® 3650/3850
• Endpoint: AnyConnect Network Visibility Module
Stealthwatch System Components
Cisco Network (NetFlow)
• UDP Director
  • UDP packet copier
  • Forward to multiple collection systems
• Stealthwatch Flow Sensor (VE)
  • Generate NetFlow data
  • Additional contextual fields (ex. App, URL, SRT, RTT)
• Stealthwatch Flow Collector
  • Collect and analyze
  • Up to 2000 sources
  • Up to sustained 240,000 fps
• Stealthwatch Management Console
  • Management and reporting
  • Up to 25 Flow Collectors
  • Up to 6 million fps globally
Best Practice: Centralize collection globally
NetFlow Collection: Flow Stitching

Diagram: 10.2.2.2 port 1024 <-> eth0/1 | eth0/2 <-> 10.1.1.1 port 80

Uni-directional flow records:

| Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent | SGT | DGT |
|---|---|---|---|---|---|---|---|---|---|---|
| 10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025 | 100 | 1010 |
| 10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712 | 1010 | 100 |

Bi-directional:
• Conversation flow record
• Allows easy visualization and analysis

| Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Client SGT | Server SGT | Interfaces |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | 100 | 1010 | eth0/1, eth0/2 |
NetFlow Collection: De-duplication

Diagram: 10.2.2.2 port 1024 <-> Sw1, Sw2, Sw3, ASA <-> 10.1.1.1 port 80

| Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | App | Client SGT | Server SGT |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | HTTP | 100 | 1010 |

Exporter, Interface, Direction, Action (all copies of this one conversation):
Sw1, eth0, in
Sw1, eth1, out
Sw2, eth0, in
Sw2, eth1, out
ASA, eth1, in
ASA, eth0, out, Permitted
ASA, eth0, in, Permitted
ASA, eth1, out
Sw3, eth1, in
Sw3, eth0, out
Sw1, eth1, in
Sw1, eth0, out
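As an added example of the stitching and de-duplication the two collection slides describe (this is not the presentation's or Stealthwatch's own code): uni-directional records from every exporter along the path are folded into one conversational record. The client/server heuristic (lower port is the server), the per-direction max-counter de-duplication, the exporter names and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class FlowRecord:
    """One uni-directional NetFlow record exported by a single device interface."""
    exporter: str      # exporting device, e.g. "Sw1" (constructed names)
    interface: str
    direction: str     # "in" or "out" relative to the exporter interface
    start: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    nbytes: int

@dataclass
class Conversation:
    """Bi-directional, de-duplicated record: one row per client/server pair."""
    start: str
    client: Tuple[str, int]
    server: Tuple[str, int]
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    path: List[str] = field(default_factory=list)  # "exporter, interface, direction"

def split_roles(r: FlowRecord):
    """Return (client, server, client_to_server). Assumption: the endpoint with
    the lower port is the server (10.1.1.1:80 in the slides); a real collector
    also uses SYN direction and first-seen time."""
    src, dst = (r.src_ip, r.src_port), (r.dst_ip, r.dst_port)
    return (src, dst, True) if src[1] > dst[1] else (dst, src, False)

def stitch(records: List[FlowRecord]) -> List[Conversation]:
    convs: Dict[tuple, Conversation] = {}
    for r in sorted(records, key=lambda x: x.start):
        client, server, c2s = split_roles(r)
        key = (client, server, r.proto)
        c = convs.setdefault(key, Conversation(r.start, client, server, r.proto))
        # De-duplication: every exporter on the path reports the same packets,
        # so keep the largest counter seen per direction instead of summing.
        if c2s:
            c.client_bytes, c.client_pkts = max(c.client_bytes, r.nbytes), max(c.client_pkts, r.pkts)
        else:
            c.server_bytes, c.server_pkts = max(c.server_bytes, r.nbytes), max(c.server_pkts, r.pkts)
        hop = f"{r.exporter}, {r.interface}, {r.direction}"
        if hop not in c.path:
            c.path.append(hop)
    return list(convs.values())

# Constructed sample: the 10.2.2.2:1024 -> 10.1.1.1:80 flow from the slides,
# reported by two switches and a firewall on both interfaces, both directions.
PATH = [("Sw1", "eth0", "in"), ("Sw1", "eth1", "out"), ("Sw2", "eth0", "in"),
        ("Sw2", "eth1", "out"), ("ASA", "eth1", "in"), ("ASA", "eth0", "out")]

def sample_records() -> List[FlowRecord]:
    recs = []
    for exp, ifc, d in PATH:  # client -> server copies
        recs.append(FlowRecord(exp, ifc, d, "10:20:12.221", "10.2.2.2", 1024,
                               "10.1.1.1", 80, "TCP", 5, 1025))
    for exp, ifc, d in reversed(PATH):  # server -> client copies, reverse path
        recs.append(FlowRecord(exp, ifc, "in" if d == "out" else "out", "10:20:12.871",
                               "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712))
    return recs

if __name__ == "__main__":
    for conv in stitch(sample_records()):
        print(conv)
```

Twelve exported copies collapse into a single conversation whose byte counts match the slide (1025 client, 28712 server) and whose path lists every exporter, interface and direction once.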
Host Groups
• Virtual Container of IP Addresses
• User defined
• Similar attributes
• Model any Process/Application
ISE as a Telemetry Source
Monitor Mode
• Open Mode, Multi-Auth
• Unobstructed Access
• No impact on productivity
• Profiling, posture assessment
• Gain Visibility
Authenticated Session Table (Cisco ISE -> syslog -> Stealthwatch Management Console)
• Maintain historical session table
• Correlate NetFlow to username
• Build User-centric reports
Global Intelligence
Stealthwatch Threat Intelligence License
• Known C&C Servers
• Tor Entrance and Exits
Conversational Flow Record
Who, What, When, How, Where
• Stitched and de-duplicated
• Conversational representation
• Highly scalable data collection and compression
• Months of data retention
More context
Conversational Flow Record: Applied situational awareness
Context sources added to the record:
• ISE Telemetry
• NBAR
• Flow Sensor
• Geo-IP mapping
• Threat Intelligence
Conversational Flow Record: Exporters
Path the flow is taking through the network
NetFlow Analysis with Stealthwatch:
Identify additional Indicators of Compromise (IOCs)
• Policy & Segmentation
• Network Behaviour & Anomaly Detection (NBAD)
Better understand / respond to an IOC:
• Audit trail of all host-to-host communication
Discovery
• Identify business critical applications and services across the network
“There is nothing like first-hand evidence.”
Sherlock Holmes, A Study in Scarlet
Flow Query Basics – The Flow Table
• Filter: filter conditions
• Details: more details
Flow Query Basics – Filtering
Select host to investigate: all flows in which this host was a client or server
Hunting
Host groups and reports make it easier to hunt
Types of Host Groups
• Inside Hosts
  • All Hosts specifically defined as part of the network
  • By Default – “Catch All”
• Outside Hosts
  • All Hosts not specifically defined as part of the network
  • Countries – GEO-IP
  • SLIC Created
    • Bogon
    • Command & Control Servers
    • Tor
Inside Host Groups
Default Host Groups:
• Catch All
• RFC 1918 Space
• By Function
• By Location
Include public IP space
Host Groups: Parent-Child Relationship
Configuration trickles down; information reports up
Host Groups – Targeted Reporting
Geo-IP-based Host Group: summary chart of traffic inbound and outbound from this Host Group
Host Groups – Targeted Reporting
Traffic inbound
Traffic outbound
Host Groups – Application Report
Applications outbound
Applications inbound
Concept: Indicator of Compromise
“an artifact observed on a network or in operating system that with high confidence indicates a computer intrusion” (http://en.wikipedia.org/wiki/Indicator_of_compromise)
• IDS/IPS Alert
• Log analysis (SIEM)
• Raw flow analysis
• Outside notification
• Behavioural analysis
• Activity monitoring
• Anomaly detection
• File hashes
• IP Addresses
IoCs from Traffic Analysis
Behavioural Analysis:
• Leverages knowledge of known bad behaviour
• Policy and segmentation
Anomaly Detection:
• Identify a change from “normal”
Stealthwatch NBAD Model
Algorithm -> Security Event -> Alarm
• Algorithm: track and/or measure behaviour/activity
• Security Event: suspicious behaviour observed or anomaly detected
• Alarm: notification of security event generated
Alarm Categories
Each category accrues points.
Stealthwatch: Alarms
• Indicate significant behaviour changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behaviour or established policies
Behavioural Analysis: leverages knowledge of known bad behaviour
Mouse
Segmentation Monitoring
Host Groups, relationship, forbidden relationship
Policy Violation: Host Locking
Client group -> Server group
• Client traffic conditions
• Server traffic conditions
• Successful or unsuccessful
Policy Violation: Host Locking
Communication in violation of policy
• Active alarm monitoring adherence to policy
Policy Violation: Custom Security Events
Custom event triggers on traffic condition
• Rule name and description
• Source Tag, Destination Tag
• Object conditions
• Peer conditions
• Connection conditions
Policy Violation: Custom Security Events
Alarm dashboard showing all Policy alarms
Details of “Employee to Productions Servers” alarm occurrences
Anomaly Detection: identify a change from “normal”
Suit?
Example Alarm Category: Concern Index
Concern Index: tracks hosts that appear to be compromising network integrity
66 different algorithms as of v6.7.1.
High Concern Index: baseline deviated by 2,432%!
Identifying Internal Reconnaissance from CI
Concern Index Events: scanning on TCP-445 across multiple subnets
Example Event: Suspect Quiet Long Flow
An IP communication between an Inside and Outside host (with traffic in both directions) that exceeds the “Seconds required to qualify a flow as long” duration and is suspiciously small.
Default Policy
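As an added example (not the presentation's or Stealthwatch's own code) of the host-group and policy ideas in the slides above: hosts are classified into parent/child host groups by longest prefix, with Inside defaulting to RFC 1918 space, and each conversational record is then checked against a Host Locking rule (forbidden client group to server group relationship) and the Suspect Quiet Long Flow condition. The group names, thresholds, record fields and sample conversations are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Parent/child host groups (constructed). Configuration trickles down from the
# parent; a host belongs to the most specific group that contains it.
HOST_GROUPS: Dict[str, List[str]] = {
    "Inside Hosts": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],  # RFC 1918 default
    "Inside Hosts/Employees": ["10.201.0.0/16"],
    "Inside Hosts/Production Servers": ["10.1.1.0/24"],
}

def host_group(ip: str) -> str:
    """Longest-prefix match over the host groups; anything unmatched is Outside."""
    addr = ipaddress.ip_address(ip)
    best, best_len = "Outside Hosts", -1
    for name, prefixes in HOST_GROUPS.items():
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr in net and net.prefixlen > best_len:
                best, best_len = name, net.prefixlen
    return best

@dataclass
class Conversation:
    """Minimal stitched, bi-directional record (fields assumed for this example)."""
    client_ip: str
    server_ip: str
    server_port: int
    client_bytes: int
    server_bytes: int
    duration_s: int

# Host Locking policy: Employees must never be the client side of Production Servers.
FORBIDDEN = [("Inside Hosts/Employees", "Inside Hosts/Production Servers")]

# Suspect Quiet Long Flow thresholds (assumed values; the product makes them policy settings).
LONG_FLOW_SECONDS = 9 * 3600   # "Seconds required to qualify a flow as long"
QUIET_MAX_BYTES = 4096         # total bytes below which a long flow is "suspiciously small"

def is_inside(group: str) -> bool:
    return group.startswith("Inside Hosts")

def check(conv: Conversation) -> List[str]:
    """Return the security events this conversation raises (empty list if none)."""
    events: List[str] = []
    cg, sg = host_group(conv.client_ip), host_group(conv.server_ip)
    if (cg, sg) in FORBIDDEN:
        events.append(f"Host Locking violation: {cg} -> {sg}")
    crosses_perimeter = is_inside(cg) != is_inside(sg)
    both_directions = conv.client_bytes > 0 and conv.server_bytes > 0
    if (crosses_perimeter and both_directions and conv.duration_s > LONG_FLOW_SECONDS
            and conv.client_bytes + conv.server_bytes < QUIET_MAX_BYTES):
        events.append("Suspect Quiet Long Flow")
    return events

# Constructed sample conversations (documentation address 203.0.113.10 stands in for Outside).
SAMPLE = [
    Conversation("10.201.3.59", "10.1.1.1", 22, 1500, 2800, 30),                 # employee -> prod
    Conversation("10.201.3.59", "203.0.113.10", 443, 900, 1200, 12 * 3600),      # long and tiny
    Conversation("10.201.3.59", "203.0.113.10", 443, 5_000_000, 90_000, 12 * 3600),  # long, not quiet
]

if __name__ == "__main__":
    for conv in SAMPLE:
        print(conv.client_ip, "->", conv.server_ip, check(conv))
```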
Watching for Data Theft
Data Exfiltration
• Identify suspect movement from Inside Network to Outside
• Single or multiple destinations from a single source
• Policy and behavioral
Data Hoarding
Suspect Data Hoarding:
• Unusually large amount of data inbound from other hosts
Target Data Hoarding:
• Unusually large amount of data outbound from a host to multiple hosts
Suspect Data Hoarding
Data Hoarding
• Unusually large amount of data inbound to a host from other hosts
• Policy and behavioral
“The Science of Deduction.”
Chapter 1: The Sign of the Four
The Science of Deduction: Gathering Evidence
IOC -> Data Element
• What did they get?
• When did they get it?
• Where did they go?
• Are they still here?
• Who is they?
Investigating a Host: Host report for 10.201.3.59
• Behavior alarms
• Quick view of host group communication
• Summary information
Investigating: Host Drilldown
• User information
• Applications
Investigating: Applications
A lot of applications. Some suspicious!
Investigating: Audit Trails
Network behavior retroactively analyzed
It Could Start with a User …
• Username
• Alarms
• Devices and Sessions
• Active Directory Details
• View Flows
Adaptive Network Control
Quarantine/Unquarantine via pxGrid (Stealthwatch Management Console <-> Identity Services Engine)
Key Takeaways
• Insider threats are operating on the network interior
• Threat detection and response requires visibility and context into network traffic
• NetFlow and the Cisco Stealthwatch System provide actionable security intelligence
Thank you.