Stealthwatch (Cisco)
Kerry Armistead, Director of Product Management, Stealthwatch
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Highly Confidential
Agenda
• Threat Landscape
• Stealthwatch
• Encrypted Traffic Analytics
• Stealthwatch Cloud
• Cisco Stealthwatch Online Visibility Assessment
Digital business has expanded the attack surface
• Cloud: 85% of third-party cloud apps fall in the medium to high-risk category
• Internet of Things: IoT devices that will access the network by 2020 (figure not captured)
• Acquisitions & Partnerships: 90% of organizations are not “fully aware” of the devices accessing their network
• Enterprise Mobility: share of total IP traffic that will come from wireless and mobile devices by 2020 (figure not captured)
• Encrypted Traffic: by 2020, 80% of all traffic will be encrypted
Network threats are getting smarter
• Industry average detection time for a breach
• Industry average time to contain a breach
• Average cost of a data breach
Motivated and targeted adversaries
• State sponsored
• Financial/espionage motives
• $1T cybercrime market
Insider threats
• Compromised credentials
• Disgruntled employees
• Admin/privileged accounts
Increased attack sophistication
• Advanced persistent threats
• Encrypted malware
• Zero-day exploits
Effective security depends on total visibility
[Diagram: the network spanning HQ, Branch, Data Center, Cloud, Users, Roaming Users and Admin]
• SEE every conversation
• Understand what is NORMAL
• Be alerted to CHANGE
• KNOW every host
• Respond to THREATS quickly
Cisco Stealthwatch: Scalable visibility and security analytics
• Simplified Network Segmentation
• Advanced Threat Detection
• Accelerated Threat Response
Using existing network infrastructure
Most comprehensive visibility for effective security outcomes
Industry-leading Security Analytics
Behavioral and anomaly detection
• Collect and analyze telemetry (flows)
• Create a baseline of normal behavior
• Alarm on anomalies and behavioral changes
Behavioral metrics tracked per host:
• Number of concurrent flows
• Bits per second
• Packets per second
• Number of SYNs sent
• Number of SYNs received
• New flows created
• Rate of connection resets
• Duration of the flow
• Time of day
Approximate time required to complete baseline
[Chart: host behavior of Exchange Servers over time against a threshold, ~100 security events; anomaly detected in host behavior]
Power of multi-layer machine learning
Global Risk Map (Threat Grid, TALOS)
Detection funnel: Requests received → Anomalous Traffic → Malicious Events → Threat Incidents
Confirmed Incidents = 0.01% of Requests
Increase fidelity of detection using best-in-class security analytics:
• Anomaly detection
• Trust modeling
• Event classification
• Entity modeling
• Relationship modeling
Advanced Threat Detection
Logical alarms based on suspicious events
• DDoS Activity: sending or receiving SYN flood and other types of data floods
• Source or target of malicious behavior: scanning, excessive network activity such as file copying or transfer, policy violation, etc.
• Reconnaissance: port scanning for vulnerabilities or running services
• Insider threats: data hoarding and data exfiltration
• Command and Control: communication back to an external remote controlling server through malware
Insider threat example: data hoarding
• Suspect Data Hoarding: unusually large amount of data inbound from other hosts
• Target Data Hoarding: unusually large amount of data outbound from a host to multiple hosts
Insider threat example: data exfiltration
[Diagram: network boundary, inside / outside]
• Data Exfiltration: unusually large amount of data outbound from a host to one or more external hosts
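The two insider-threat slides above describe three volume-based alarms against a learned baseline. The following is an added example (not Stealthwatch code) that builds a per-host daily byte baseline from flow records and evaluates the Suspect Data Hoarding, Target Data Hoarding and Data Exfiltration definitions against one new day. The flow-record format, the "inside" address space (10.0.0.0/8), the threshold rule (mean + 3 sigma, at least twice the mean, never below a 500 MB floor), the "multiple hosts" count of 3 and all sample traffic are constructed assumptions.

```python
"""Insider-threat alarms over flow records: a per-host byte baseline plus the
three alarm definitions on the slides (Suspect Data Hoarding, Target Data
Hoarding, Data Exfiltration). Added example, not Stealthwatch code; the flow
format, the threshold rule and the sample data are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

INTERNAL = [ip_network("10.0.0.0/8")]   # assumed "inside" address space
MIN_BYTES = 500_000_000                 # assumed floor: below this, never alarm
MIN_TARGETS = 3                         # assumed "multiple hosts" for target hoarding


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def daily_counters(flows):
    """Aggregate one day of flows into per-host counters.
    Flow record (constructed): (src, dst, bytes_src_to_dst, bytes_dst_to_src)."""
    counters = defaultdict(lambda: {"in_bytes": 0, "out_int": 0, "out_ext": 0,
                                    "int_peers": set(), "ext_peers": set()})
    for src, dst, b_fwd, b_rev in flows:
        counters[src]["in_bytes"] += b_rev       # src receives the reverse bytes
        counters[dst]["in_bytes"] += b_fwd       # dst receives the forward bytes
        for host, peer, sent in ((src, dst, b_fwd), (dst, src, b_rev)):
            if not is_internal(host) or sent == 0:
                continue                         # only inside hosts are modelled
            if is_internal(peer):
                counters[host]["out_int"] += sent
                counters[host]["int_peers"].add(peer)
            else:
                counters[host]["out_ext"] += sent
                counters[host]["ext_peers"].add(peer)
    return counters


def threshold(history):
    """Per-host, per-metric threshold from the baseline days (constructed rule):
    mean + 3 sigma, at least double the mean, never below MIN_BYTES."""
    if not history:
        return MIN_BYTES                          # no baseline yet: floor only
    m = mean(history)
    s = pstdev(history) if len(history) > 1 else 0
    return max(m + 3 * s, 2 * m, MIN_BYTES)


def insider_alarms(baseline_days, today):
    """Compare today's counters with the baseline and return
    (host, alarm, bytes) for every definition that fires."""
    history = defaultdict(lambda: defaultdict(list))
    for day in baseline_days:
        for host, ctr in day.items():
            for metric in ("in_bytes", "out_int", "out_ext"):
                history[host][metric].append(ctr[metric])
    alarms = []
    for host, ctr in today.items():
        if not is_internal(host):
            continue
        h = history[host]
        # Suspect Data Hoarding: unusually large inbound volume from other hosts
        if ctr["in_bytes"] > threshold(h["in_bytes"]):
            alarms.append((host, "Suspect Data Hoarding", ctr["in_bytes"]))
        # Target Data Hoarding: unusually large outbound volume to multiple hosts
        if (ctr["out_int"] > threshold(h["out_int"])
                and len(ctr["int_peers"]) >= MIN_TARGETS):
            alarms.append((host, "Target Data Hoarding", ctr["out_int"]))
        # Data Exfiltration: unusually large outbound volume crossing the boundary
        if ctr["out_ext"] > threshold(h["out_ext"]) and ctr["ext_peers"]:
            alarms.append((host, "Data Exfiltration", ctr["out_ext"]))
    return alarms


def sample_day(i):
    """Constructed 'normal' day: a workstation pulling from a file server and
    browsing, a second workstation, and the server pushing a small backup."""
    return [
        ("10.1.1.10", "10.2.0.5", 100_000, 50_000_000 + i * 1_000_000),
        ("10.1.1.10", "203.0.113.9", 200_000, 2_000_000),
        ("10.1.1.11", "10.2.0.5", 80_000, 40_000_000),
        ("10.2.0.5", "10.1.1.20", 5_000_000, 50_000),
    ]


BASELINE = [daily_counters(sample_day(i)) for i in range(5)]
TODAY = daily_counters(sample_day(5) + [
    ("10.1.1.10", "10.2.0.6", 50_000, 1_500_000_000),      # bulk pull from two more servers
    ("10.1.1.10", "10.2.0.7", 50_000, 1_500_000_000),
    ("10.1.1.10", "198.51.100.7", 2_000_000_000, 10_000),  # 2 GB pushed outside the boundary
    ("10.2.0.5", "10.1.1.21", 300_000_000, 20_000),        # server pushing to many hosts
    ("10.2.0.5", "10.1.1.22", 300_000_000, 20_000),
    ("10.2.0.5", "10.1.1.23", 300_000_000, 20_000),
])

if __name__ == "__main__":
    for host, alarm, nbytes in insider_alarms(BASELINE, TODAY):
        print(f"{host:12} {alarm:22} {nbytes:>14,} bytes")
```

Note how the peer count separates the two hoarding cases: 10.2.0.6 and 10.2.0.7 each serve 1.5 GB on the new day, far above their (empty) baseline, but to a single host, so only the pulling workstation raises Suspect Data Hoarding; the file server, which suddenly pushes to six internal hosts, is the one tagged Target Data Hoarding. The floor keeps hosts with no history from alarming on ordinary traffic.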
Accelerated Threat Response
• Mitigate threats easily without business shutdown by using the network
• Pinpoint the source of the threat through visibility into each host
• Conduct forensic investigations into past events by analyzing the network audit trails
Investigate threats quickly
• Drill-down into telemetry associated with security events
• Malware propagation through infected hosts
• Top security alarms by hosts
• Contextual user and application info
• Network audit trails for deeper forensics on past/long-running events
Mitigate threats effectively
Quarantine identified threats using the network
An alarm can have an associated response:
• Notify in the alarm table
• Generate an email
• Generate a syslog message to a SIEM
Detect and respond to advanced threats
• Alarm triggered: Data hoarding and Data Exfiltration
• Additional info determined: What kind of data was transmitted? Where is the data being transmitted?
• User identified
• Device identified: Name, Location, MAC address, Last seen, Policies, Host Group
• Forensic investigation conducted
• Threat removed from network
Reduce incident response time from months to hours
Stealthwatch is available across all deployment methods
Stealthwatch On-Prem (on-prem network monitoring)
• Enterprise & commercial customers
• Monitor private network via on-premises virtual or hardware appliance
• Complements Cisco public cloud offering
Stealthwatch Cloud (private network monitoring)
• SMB & commercial companies
• Monitors private network via SaaS
• Complements Cisco public cloud offering
Stealthwatch Cloud (public cloud monitoring)
• Any business using public cloud infrastructure
• Monitors public cloud via SaaS
• Complements Cisco Enterprise and Private Network offering
Encrypted Traffic Analytics
Encryption is changing the threat landscape
[Chart: percentage of the IT budget earmarked for encryption, FY05 through FY15 with a straight-line projection to 2016 and 2017; “Extensive deployment of encryption”. Source: Thales and Vormetric]
[Chart: percentage of malware, Dec through May. Based on Cisco Threat Grid analysis, 2017]
Gartner predicts that by 2019, 80% of all traffic will be encrypted
Encrypted Traffic Analytics
• Ensure cryptographic compliance
• Detect malware in encrypted traffic
Cisco Stealthwatch is the only solution providing visibility and malware detection without decryption
[Diagram: malware traffic compared with benign traffic]
• Malware traffic: watchlist address (c15c0.com, afb32d75.com), unusual fingerprint, unusual cert, self-signed certificate, data exfiltration, C2 message, Bestafera
• Benign traffic: prevalent address (cisco.com), typical fingerprint, typical cert, Google search
ETA studied Internet encrypted data features (Cisco research)
• TCP/IP
• DNS
• TLS: initial data packet
• SPLT: sequence of packet lengths and times
• Global Risk Map
Detect malware in encrypted traffic: self-signed certificate, data exfiltration, C2 message
• Make the most of the unencrypted fields
• Identify the content type through the size and timing of packets
• Know who’s who of the Internet’s dark side
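The two ETA features that need no decryption are the cleartext initial data packet and the SPLT. The following is an added example (not Cisco's ETA code) that parses a TLS ClientHello for the fields visible on the wire (version, cipher suites, extensions, supported groups, point formats, SNI), reduces them to a JA3-style fingerprint, summarises a flow's first packets as signed lengths and inter-arrival gaps, and compares both against a small allowlist. The ClientHello builder, the packet timings, the "typical fingerprint" allowlist and the upload-heavy rule are constructed for illustration; the Global Risk Map lookup is not modelled.

```python
"""Features ETA reads from encrypted sessions without decrypting them: the
unencrypted TLS ClientHello (initial data packet) reduced to a JA3-style
fingerprint plus SNI, and the sequence of packet lengths and times (SPLT).
Added example, not Cisco ETA code; the ClientHello bytes, packet timings and
the "typical fingerprint" allowlist are constructed for illustration."""
import hashlib
import struct


def build_client_hello(sni, ciphers, groups):
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input,
    with server_name, supported_groups and ec_point_formats extensions)."""
    name = sni.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
    sni_data = struct.pack("!H", len(entry)) + entry
    grp = b"".join(struct.pack("!H", g) for g in groups)
    grp_data = struct.pack("!H", len(grp)) + grp
    ext = (struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
           + struct.pack("!HH", 0x000A, len(grp_data)) + grp_data
           + struct.pack("!HH", 0x000B, 2) + b"\x01\x00")          # uncompressed points
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"      # version, random, no session id
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00"         # cipher suites, null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def u16(buf, pos):
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(rec):
    """Read the cleartext fields of a ClientHello: version, cipher suites,
    extension types, supported groups, EC point formats and SNI."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9                                   # past record (5) and handshake (4) headers
    version = u16(rec, p); p += 2 + 32      # version, then 32-byte random
    p += 1 + rec[p]                         # session id
    cs_len = u16(rec, p); p += 2
    ciphers = [u16(rec, i) for i in range(p, p + cs_len, 2)]; p += cs_len
    p += 1 + rec[p]                         # compression methods
    end = p + 2 + u16(rec, p); p += 2       # extensions block
    exts, groups, formats, sni = [], [], [], None
    while p + 4 <= end:
        etype, elen = u16(rec, p), u16(rec, p + 2); p += 4
        data = rec[p:p + elen]; p += elen
        exts.append(etype)
        if etype == 0x0000:                               # server_name
            sni = data[5:5 + u16(data, 3)].decode("ascii", "replace")
        elif etype == 0x000A:                             # supported_groups
            groups = [u16(data, i) for i in range(2, 2 + u16(data, 0), 2)]
        elif etype == 0x000B:                             # ec_point_formats
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": exts,
            "groups": groups, "formats": formats, "sni": sni}


def ja3(hello):
    """JA3-style client fingerprint: decimal fields joined by '-' and ',',
    GREASE values dropped, then MD5 of the string."""
    def field(vals):
        return "-".join(str(v) for v in vals if (v & 0x0F0F) != 0x0A0A)
    text = ",".join([str(hello["version"]), field(hello["ciphers"]),
                     field(hello["extensions"]), field(hello["groups"]),
                     field(hello["formats"])])
    return text, hashlib.md5(text.encode()).hexdigest()


def splt(packets, n=10):
    """Sequence of packet lengths and times for the first n data packets:
    signed length (+ client to server, - server to client) and the gap in ms."""
    out, prev = [], None
    for ts, direction, length in packets[:n]:
        gap = 0 if prev is None else round((ts - prev) * 1000)
        out.append((length if direction == "c2s" else -length, gap))
        prev = ts
    return out


def assess(rec, packets, typical_ja3):
    """Combine both feature sets into observations an analyst can act on."""
    hello = parse_client_hello(rec)
    text, digest = ja3(hello)
    seq = splt(packets)
    up = sum(l for l, _ in seq if l > 0)
    down = sum(-l for l, _ in seq if l < 0)
    return {"sni": hello["sni"], "ja3": digest,
            "unusual_fingerprint": digest not in typical_ja3,
            "upload_heavy": up > 2 * down,      # constructed rule for an exfil-like shape
            "splt": seq}


# Constructed inputs: a browser-like hello (with a GREASE cipher) and an odd one using legacy ciphers.
TYPICAL = build_client_hello("cisco.com", [0x0A0A, 0x1301, 0xC02B, 0xC02F], [0x001D, 0x0017])
ODD = build_client_hello("example.net", [0x0004, 0x0005, 0x000A], [0x0017])
ALLOWLIST = {ja3(parse_client_hello(TYPICAL))[1]}
# Constructed (time s, direction, bytes): the odd flow pushes far more than it pulls.
ODD_PACKETS = [(0.000, "c2s", 517), (0.045, "s2c", 1400), (0.046, "s2c", 900),
               (0.090, "c2s", 1460), (0.091, "c2s", 1460), (0.092, "c2s", 1460),
               (0.131, "s2c", 60)]

if __name__ == "__main__":
    print(assess(ODD, ODD_PACKETS, ALLOWLIST))
```

Everything the parser reads sits before any key exchange, which is why a collector placed on a SPAN or a router can extract it without holding keys; the fingerprint and the packet-size/timing shape are then compared against what is typical for the population, in the same spirit as the "typical fingerprint" versus "unusual fingerprint" contrast on the slide.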
What is Mobile World Congress?
More than 107,000 visitors from 205 countries and territories
Stealthwatch monitored all the wireless traffic to and from the Internet with Encrypted Traffic Analytics
Over 55% of attendees held senior-level positions, including more than 7,700 CEOs
Topology
[Diagram: Internet, ASR 1k Router, Distribution Cat6K, SPAN, MWC Wireless, ETA Telemetry, Flow Collector, Management Console]
We enabled ETA on an ASR1001-X with the MWC’s Internet-bound traffic SPAN’ed from a distribution Cat6K switch to the ASR1001-X on a GigE port
Summary of the traffic
• More than 55 million flows captured
• 82% of all the web traffic was encrypted! (19.5 million HTTPS flows, 3.5 million HTTP flows)
• Sustained flow consumption at ~20k flows per second
• More than 29 million TCP sessions
• More than 23 million UDP sessions
• More than 1.8 million ICMP sessions
• Over a million streaming audio/video application flows
• Over 850,000 flows of P2P file transfer
• Over 30 applications detected to be using TLS 1.0!
Detection on 2/26 and 2/27: Global Threat Analytics raised 350 events
• Cryptomining
• Android Trojans (Android.spy, Boqx, infected firmware)
• SALITY malware
• SMB Service discovery malware
• OSX Malware Genieo
• Conficker
• RevMob
• Phishing
• AdInjectors
Several Android mobile devices were identified to have infected firmware
Malware Trojans were identified that were using PowerShell to communicate to the C&C servers through HTTPS.
Several malwares / potentially unwanted applications that used encrypted traffic*
Over 13,500 alarms in Stealthwatch on 2/26
Over 18,500 alarms on 2/27
What is needed for ETA? Licensing, packaging…
Solution element: Enterprise switches (Cisco® Catalyst® 9000 Series)*
Software version: C9300: Cisco IOS® XE 16.6.1; C9400: not listed
License: Included in Cisco DNA™ Advantage license / Cisco ONE™ Advantage
Solution element: Branch routers (ASR 1000 Series, 4000 Series ISR, CSR, ISRv)**
Software version: Cisco IOS® XE 16.6.2 (Oct)
License: Included in SEC/k9 license
Solution element: Stealthwatch® On-prem (Management Console, Flow Collector, Flow Rate License)
Software version: v6.9.2 (Available now)
License: Stealthwatch® On-prem v6.9.2
Cryptographic compliance (Q3CY17)
Malware Detection (Q4CY17)
*Software support for C9500 is current on roadmap.
**Available for Proof of Concept (PoC) with 16.6.1, General availability in 16.6.2 (Oct)
Cisco Stealthwatch Cloud
Stealthwatch Cloud
Private network monitoring
• SMB & commercial companies
• Monitors private network via SaaS
• Complements Cisco public cloud offering
Public cloud monitoring
• Any business using public cloud infrastructure
• Monitors public cloud via SaaS
• Complements Cisco Enterprise and Private Network offering
Quick and easy security for dynamic environments
Stealthwatch Cloud
Public Cloud: • VPC Flow Logs • Other data sources
Private network: • NetFlow • Mirror port • Other data sources
Cover your entire cloud attack surface with ease
• AWS VPC Flow Logs
• Additional AWS Data Sources: Config, Lambda, Inspector, IAM, CloudTrail, CloudWatch
Detect threats and see network activity using existing telemetry sources
Virtual Sensors collect from all these sources:
• NetFlow
• IPFIX
• SIEM
• DNS
• Active Directory
• Gigamon
• Any Mirror/SPAN ports
• Switches
• Firewalls
• Application Servers
• Load Balancers
Data types: DNS Lookup, IP Traffic Data, Threat Detection, Other Security Data
Use DNS lookups to link dynamic IPs to a host name
Using modeling to detect security events
Dynamic Entity Modeling
• Collect Input: System Logs, Security Events, Passive DNS, External Intel, Config Changes, Vulnerability Scans, IP Meta Data
• Perform Analysis: Dynamic Entity Modeling
• Draw Conclusions: Group, Consistency, Rules, Forecast, Role
Questions the model answers for each device:
• What ports/protocols does the device continually access?
• What connections does it continually make?
• Does it communicate internally only? What countries does it talk to?
• How much data does the device normally send/receive?
• What is the role of the device?
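The questions above are what an entity model has to answer before it can judge consistency. The following is an added example (not Stealthwatch Cloud code) that builds a device profile from several days of flow summaries, keeps only the services the device uses on every day ("continually"), records the countries it talks to and its typical volume, infers a role from that consistent behaviour, and reports deviations for a new day. The flow-record format, the prefix-based country lookup standing in for IP metadata, the role rules, the 3x volume factor and the sample data are constructed assumptions.

```python
"""Dynamic entity modeling sketch: build a device profile from several days of
flow summaries (ports/protocols it continually uses, who it talks to and in
which countries, how much it normally sends and receives), infer a role from
the consistent behaviour, and report deviations on a new day.
Added example, not Stealthwatch Cloud code; the record format, the country
lookup and the sample data are constructed for illustration."""
from statistics import mean

# Constructed stand-in for IP metadata / GeoIP: address prefix -> country.
COUNTRY = {"10.": "internal", "203.0.113.": "US", "198.51.100.": "DE", "192.0.2.": "XX"}


def country_of(ip):
    return next((c for prefix, c in COUNTRY.items() if ip.startswith(prefix)), "unknown")


def day_profile(flows, device):
    """Summarise one day for `device`.
    Flow (constructed): (client, server, proto, dport, bytes_c2s, bytes_s2c)."""
    prof = {"served": set(), "used": set(), "countries": set(), "sent": 0, "recv": 0}
    for client, server, proto, dport, b_c2s, b_s2c in flows:
        if server == device:                       # device accepted the connection
            prof["served"].add((proto, dport))
            prof["countries"].add(country_of(client))
            prof["sent"] += b_s2c; prof["recv"] += b_c2s
        elif client == device:                     # device initiated it
            prof["used"].add((proto, dport))
            prof["countries"].add(country_of(server))
            prof["sent"] += b_c2s; prof["recv"] += b_s2c
    return prof


def infer_role(model):
    """Constructed role rules from what the device consistently serves or consumes."""
    if model["served"] and model["used"]:
        return "server and client"
    if model["served"]:
        return "server"
    if model["countries"] - {"internal"}:
        return "internet client"
    return "internal client"


def build_model(days, device):
    """Entity model: keep only services seen on every baseline day ("continually"),
    the union of countries, and the mean daily volume."""
    profs = [day_profile(d, device) for d in days]
    model = {
        "served": set.intersection(*(p["served"] for p in profs)),
        "used": set.intersection(*(p["used"] for p in profs)),
        "countries": set.union(*(p["countries"] for p in profs)),
        "sent": mean(p["sent"] for p in profs),
        "recv": mean(p["recv"] for p in profs),
    }
    model["role"] = infer_role(model)
    return model


def check_day(model, flows, device, factor=3.0):
    """Consistency check of a new day against the model; returns findings."""
    p = day_profile(flows, device)
    findings = []
    for proto, port in sorted(p["used"] - model["used"]):
        findings.append(f"{model['role']} used new service {proto}/{port}")
    for c in sorted(p["countries"] - model["countries"]):
        findings.append(f"new country {c}")
    if p["sent"] > factor * max(model["sent"], 1):
        findings.append(f"sent {p['sent']} bytes vs typical {round(model['sent'])}")
    return findings


def sample_day(i):
    """Constructed normal day: two clients hit the web server, which resolves DNS."""
    return [
        ("10.0.1.5", "10.0.0.8", "tcp", 443, 20_000, 400_000 + i * 10_000),
        ("203.0.113.20", "10.0.0.8", "tcp", 443, 30_000, 600_000),
        ("10.0.0.8", "10.0.0.2", "udp", 53, 2_000, 4_000),
    ]


DAYS = [sample_day(i) for i in range(3)]
# New day: the web server opens SSH to an unfamiliar country and sends 3 MB out.
NEW_DAY = sample_day(3) + [("10.0.0.8", "192.0.2.77", "tcp", 22, 3_000_000, 50_000)]

if __name__ == "__main__":
    model = build_model(DAYS, "10.0.0.8")
    print("role:", model["role"])
    for finding in check_day(model, NEW_DAY, "10.0.0.8"):
        print("finding:", finding)
```

The intersection over days is the simplest reading of "continually": a port used once does not become part of the model, so a later reappearance is still reported. A production model would also age out old behaviour and weight by group (the Group and Forecast conclusions on the slide), which this sketch leaves out.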
Get the full benefit of the cloud
Easy to use and deploy
Centrally managed
Flexible pricing
Secure data storage
SaaS-based security
Automatically scale
Manage everything from a simple SaaS portal
SaaS Management Portal
Unlimited users
No patching necessary
Support available
Available anywhere
New features added monthly
[Screenshot: SaaS management portal, http://www.cisco.obsrvbl.com/roles]
Start today with a free 60-day trial
Schedule consultation with a security specialist
See results within hours
Learn more: cisco.com/go/stealthwatch-cloud
Security Online Visibility Assessment
Are you compromised today?
[Diagram: the network spanning HQ, Branch, Data Center, Users and Admin]
• What are your risk areas?
Can you see…
• Largest risk areas are often things you think are already covered
• Lack of visibility allows risky activity to continue
Common areas of risk:
• Traffic to high risk countries
• Server message block (SMB) traffic
• Risky DNS traffic
• Remote access breaches
• Unclassified and unknown internal servers
• Internal and external telnet activity
• Threats in encrypted traffic
Cisco Security Online Visibility Assessment
A free, 14-day risk assessment
Focused on common areas of security risk
Provides an immediately actionable, detailed report
The Report
• Detailed results
• Can identify areas of risk and active threats
• Provide actionable intelligence to help you adjust security policies and guide purchase decisions
Ready to start?
Schedule consultation with a security specialist
Learn more: cisco.com/go/stealthwatch-free-assessment