Cisco Stealthwatch provides visibility into the network
8/10 – 2019
Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified
Consulting Systems Engineer, Cyber Security, Denmark
© 2018 Cisco and/or its affiliates. All rights reserved.
Have you been compromised? How and when would you know? You have already invested heavily in network and security, yet threats are getting through.
The Solution: Network + Security
Enlist the rest of your network for security
Network
Users
HQ
Data Center
Admin
Branch
SEE every conversation
Understand what is NORMAL
Be alerted to CHANGE
KNOW every host
Respond to THREATS quickly
Effective security depends on total visibility
Roaming Users
Cloud
Cisco Stealthwatch Enterprise: Scalable visibility and security analytics
Simplified Network Segmentation
Advanced Threat Detection
Accelerated Threat Response
Using existing network infrastructure
Most comprehensive visibility for effective security outcomes
Security Analytics with Stealthwatch Enterprise
Data collection: Rich telemetry from the existing network infrastructure
Global threat intelligence (powered by Talos): Intelligence of global threat campaigns mapped to local alarms for faster mitigation
Behavioral modeling: Behavioral analysis of every activity within the network to pinpoint anomalies
Multilayered machine learning: Combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
Encrypted Traffic Analytics: Malware detection without any decryption using enhanced telemetry from the new Cisco devices
Stealthwatch
Cognitive Intelligence: Beyond Machine Learning
12 years of research, 70 ML scientists and engineers, 60+ patents and filings, 200+ publications
Threat Classification, Threat Actor Models, Global Risk Map
Anomaly Detection, Behavioral Analytics, Host Categorization
Billions of network flows per day, millions of protected devices, 1500+ customers
Agentless Malware Detection
Encrypted Traffic Analytics
Web Proxy as a Sensor
File-less, memory-only malware: Process and network behavioral analysis
Behavioral Breach Detection: Detection of infections bypassing the perimeter
NetFlow & ETA analytics: Behavioral Breach Detection
Polymorphic & Emerging Threats: Cross-product correlation for malware detection; predicting evolving threat infrastructure
Collecting and optimizing telemetry
[Diagram: routers and switches exporting flow records for a conversation between 10.1.8.3 and 172.168.134.2 on the Internet]
The network is a valuable data source
What it provides:
• A trace of every conversation in your network
• Collection of records all across the network (routers, switches, firewalls)
• Network usage metrics
• Ability to view north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information
Flow Information / Packets
SOURCE ADDRESS 10.1.8.3
DESTINATION ADDRESS 172.168.134.2
SOURCE PORT 47321
DESTINATION PORT 443
INTERFACE Gi0/0/0
IP TOS 0x00
IP PROTOCOL 6
NEXT HOP 172.168.25.1
TCP FLAGS 0x1A
SOURCE SGT 100
: :
APPLICATION NAME NBAR SECURE-HTTP
Enriched with data from other sources
Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters
Data Center: Nexus switch, Tetration
Switch: Catalyst, IE, ETA enabled Catalyst
Web: Web Security Appliance (WSA)
Router: ISR, CSR, ASR, WLC
Endpoint: AnyConnect
Firewall: ASA, FTD, Meraki
Policy and User Info: Identity Services Engine (ISE)
Other: Stealthwatch Flow Sensor
[Diagram: User, Switch, Router, WAN, Router, Firewall, Server, Device and Cisco Identity Services Engine exporting telemetry]
Contextual Actionable Intelligence
Example session record (one row of the table on the slide):
Client: 1.1.1.1
Server: 2.2.2.2
Translation: 3.3.3.3
Service: 80/tcp
User: Doug
Application: http
Traffic: 20M
Group: location
Mac: 00:2b:1f
SGT: 10
Encryption TLS/SSL version: TLS 1.2
Session Data | 100% network accountability
Visibility: Interface Information, Policy Information, Network Telemetry, User Information, Threat Intelligence, NAT/Proxy, Layer 7, Group/Segment, Encrypted Traffic Analytics, Endpoint, Cloud
Industry-leading Security Analytics
Anomaly detection using behavioral modeling
Create a baseline of normal behavior
Alarm on anomalies and behavioral changes
Collect and analyze telemetry
Flows
Number of concurrent flows
Time of day
Bits per second
Packets per second
Number of SYNs sent
New flows created
Number of SYNs received
Rate of connection resets
Duration of the flow
~100 Security Events
Exchange Servers
Threshold
Anomaly detected in host behavior
Comprehensive data set optimized to remove redundancies
Security events to detect anomalies and known bad behavior
Alarm categories for high-risk, low-noise alerts for faster response
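To show how the flow fields above and the behavioral counters in this section fit together, here is an added Python illustration (not Stealthwatch code): it parses constructed key=value flow records, derives per-host counters (new flows, SYNs sent, bytes), and alarms when a day's value exceeds a mean-plus-k-standard-deviations threshold from the host's own history. The record format, the history values and the threshold rule are all assumptions.

```python
import statistics
from collections import defaultdict

SYN = 0x02  # TCP SYN bit in the NetFlow TCP FLAGS field (0x1A on the slide = ACK|PSH|SYN)

def parse_flow(line):
    """Parse one constructed key=value flow record using NetFlow-style field names."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"src": kv["src"], "dst": kv["dst"], "dport": int(kv["dport"]),
            "proto": int(kv["proto"]), "flags": int(kv["flags"], 16),
            "octets": int(kv["octets"])}

def host_metrics(flows):
    """Per-source-host counters of the kind a behavioral baseline is built on."""
    m = defaultdict(lambda: {"new_flows": 0, "syns_sent": 0, "bytes": 0})
    for f in flows:
        h = m[f["src"]]
        h["new_flows"] += 1
        h["bytes"] += f["octets"]
        if f["proto"] == 6 and f["flags"] & SYN:  # TCP flow the host opened
            h["syns_sent"] += 1
    return dict(m)

def anomalies(history, today, k=3.0):
    """history[host][metric] holds past daily values; alarm when today's value
    exceeds mean + k * stdev (stdev floored at 1 so a flat baseline still alarms)."""
    alarms = []
    for host, metrics in today.items():
        for name, value in metrics.items():
            past = history.get(host, {}).get(name)
            if not past:
                continue  # no baseline yet for this host and metric
            threshold = statistics.mean(past) + k * max(statistics.pstdev(past), 1.0)
            if value > threshold:
                alarms.append((host, name, value, round(threshold, 1)))
    return alarms

# Constructed history: five quiet days for 10.1.8.3 (values are assumptions)
HISTORY = {"10.1.8.3": {"new_flows": [40, 42, 38, 41, 39],
                        "syns_sent": [30, 31, 29, 30, 30],
                        "bytes": [2_000_000, 2_100_000, 1_900_000, 2_050_000, 2_000_000]}}

# Constructed day: the HTTPS session from the slide plus a burst of SYN-only flows to
# port 445 across a subnet, the footprint that internal scanning leaves in flow records
TODAY_FLOWS = ["src=10.1.8.3 dst=172.168.134.2 dport=443 proto=6 flags=0x1A octets=48210"]
TODAY_FLOWS += [f"src=10.1.8.3 dst=10.1.9.{i} dport=445 proto=6 flags=0x02 octets=60"
                for i in range(1, 90)]

def run():
    return anomalies(HISTORY, host_metrics(parse_flow(l) for l in TODAY_FLOWS))
```

Only the flow count and SYN count cross their thresholds; the byte volume stays far below its baseline, so it raises nothing.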
Logical alarms based on suspicious events
DDoS Activity: Sending or receiving SYN flood and other types of data floods
Source or target of malicious behavior: Scanning, excessive network activity such as file copying or transfer, policy violation, etc.
Reconnaissance: Port scanning for vulnerabilities or running services
Insider threats: Data hoarding and data exfiltration
Command and Control: Communication back to an external remote controlling server through malware
Encrypted Traffic Analytics
Ensure cryptographic compliance
Detect malware in encrypted traffic
Cisco Stealthwatch Enterprise is the only solution providing visibility and malware detection without decryption
Data elements to analyze encrypted traffic
Initial data packet: Make the most of unencrypted fields
Sequence of packet lengths and times: Identify the content type through the size and timing of packets
Global Risk Map: Know who's who of the Internet's dark side
Example detections: Self-Signed Certificate, Data Exfiltration, C2 Message
Identifying malicious encrypted traffic
Packet lengths, arrival times and durations tend to be inherently different for malware than benign traffic.
[Diagram: per-flow models of sent and received packets between client and server for three cases: Google Search Page Download, Initiate Command and Control, Exfiltration and Keylogging]
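As an added illustration of the "sequence of packet lengths and times" data element (not Cisco's implementation), the Python below turns a flow's first packets into a binned length-transition matrix and a timing regularity score, then compares a constructed page download with a constructed beacon. The 150-byte bins, the distance measure and both packet sequences are assumptions.

```python
import statistics

BIN_SIZE, N_BINS = 150, 10  # assumed binning of packet lengths for the feature

def length_bin(length):
    """Map a packet length in bytes to one of N_BINS coarse buckets."""
    return min(length // BIN_SIZE, N_BINS - 1)

def splt_transition_matrix(lengths):
    """Row-normalised Markov transition matrix over binned lengths of a flow's
    first packets: the 'sequence of packet lengths' element in numeric form."""
    counts = [[0] * N_BINS for _ in range(N_BINS)]
    for a, b in zip(lengths, lengths[1:]):
        counts[length_bin(a)][length_bin(b)] += 1
    return [[c / sum(row) if sum(row) else 0.0 for c in row] for row in counts]

def interarrival_cv(times):
    """Coefficient of variation of inter-packet gaps: near 0 means clockwork
    timing typical of beaconing, large values mean bursty human-driven traffic."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0

def l1_distance(m1, m2):
    """How different two flows' transition matrices are (0 = identical)."""
    return sum(abs(a - b) for r1, r2 in zip(m1, m2) for a, b in zip(r1, r2))

# Constructed sequences (not captured data): a page download is a few small client
# requests answered by full-size server segments at irregular times ...
BENIGN_LENGTHS = [517, 1460, 1460, 1460, 1460, 80, 1460, 1460, 1460, 40]
BENIGN_TIMES = [0.00, 0.05, 0.06, 0.07, 0.08, 2.50, 2.55, 2.56, 2.57, 9.00]
# ... while a beacon exchanges small, uniform messages on a fixed interval
BEACON_LENGTHS = [120, 130] * 5
BEACON_TIMES = [60.0 * i for i in range(10)]

def compare():
    """Return (matrix distance, benign timing CV, beacon timing CV)."""
    d = l1_distance(splt_transition_matrix(BENIGN_LENGTHS),
                    splt_transition_matrix(BEACON_LENGTHS))
    return d, interarrival_cv(BENIGN_TIMES), interarrival_cv(BEACON_TIMES)
```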
Accelerated Threat Response
Investigation
Alarms tied to specific entities
Quick snapshot of malicious activity
Suspicious behavior linked to logical alarms
Risks prioritized to take immediate action
Investigating a host
Summary of aggregated host information, observed communication patterns and historical alarming behavior
[Host Summary screenshot for 10.201.3.149: User Name, Device Name, Device Type, Host Group, Location, Last Active Status, Session Information, Policies; Quarantine / Unquarantine buttons; Flows History for 12/jan to 16/jan; Alarms by Type (Data Hoarding, Packet Flood, High Traffic, Data Exfiltration); Traffic by Peer Host Group, within and outside the organization]
Apply machine learning to investigate threats
Threat propagation details
Malware behavior detected in encrypted traffic
Correlation of global threat behaviors
Threats ranked by overall severity to environment
Mitigation
Mitigate threats effectively
Quarantine identified threats using the network
An alarm can have an associated response:
• Notify in the alarm table
• Generate an email
• Generate a syslog message to a SIEM
Rapid Threat Containment without any business disruption
Stealthwatch Management Console
Cisco® Identity Services Engine
pxGrid: Mitigation (quarantine or unquarantine infected host) and Context (information shared with other network and security products)
Detect and respond to advanced threats
[Diagram of the response workflow: Alarm triggered (Data hoarding and Data Exfiltration); Device identified (Name, Location, MAC address, Last seen, Policies, Host Group); User identified; Additional info determined: What kind of data was transmitted? Where is the data being transmitted?; Forensic investigation conducted; Threat removed from network]
Reduce incident response time from months to hours
Simplified Network Segmentation
Logical groupings customized to your business
Datacenter
VPN Users
Branch Office Guest Wireless
Confidential Servers
Employee Desktops
Identify every asset on the network
Set policies based on hosts as well as applications
Model policies before enforcing them
• A host group is a grouping of hosts that share attributes and policies
• Host groups are monitored to establish baseline behavior and thresholds
• Alerts are sent when hosts behave outside the group behavior
• 4 ways to segment:
1. Manual Host Group Creation
2. APIs using IPAM, IND, Threat Intelligence data
3. Host Classifier App
4. Host Group Automation Service
Functional Network Segmentation by Groups
Employee
Guest Wireless
DNS Servers
Web Servers
Anti VirusInternet
Cloud
Printers
Partners
OutsideInside
Using Stealthwatch for Network Segmentation and Policy development
Host Segmentation Management: Manual Host Group Creation
Segment Hosts using Functional Groups
A Host can exist in multiple Host Groups
A Host cannot be simultaneously Inside and Outside
Define Groups using individual IPs, Ranges or Blocks of IPs
Each Group has specific policies
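An added Python illustration (not Stealthwatch's own code) of the three membership rules just listed: a host may sit in several groups, it may not be both Inside and Outside, and members can be single IPs, ranges or CIDR blocks. The group names come from these slides; the addresses and the Inside/Outside assignments are constructed.

```python
import ipaddress

class HostGroup:
    """A named group on one side (Inside or Outside) whose members are given as
    single IPs, CIDR blocks or 'start-end' ranges, the three forms listed above."""
    def __init__(self, name, side, members):
        if side not in ("Inside", "Outside"):
            raise ValueError("side must be Inside or Outside")
        self.name, self.side, self.blocks = name, side, []
        for m in members:
            if "-" in m:  # range: expand to the minimal set of CIDR blocks
                lo, hi = (ipaddress.ip_address(x.strip()) for x in m.split("-"))
                self.blocks.extend(ipaddress.summarize_address_range(lo, hi))
            else:         # single IP (treated as /32) or CIDR block
                self.blocks.append(ipaddress.ip_network(m, strict=False))

    def contains(self, host):
        ip = ipaddress.ip_address(host)
        return any(ip in b for b in self.blocks)

def groups_for(host, groups):
    """Names of every group a host belongs to (a host may be in several) plus its
    side; raises if the configuration places it both Inside and Outside."""
    hits = [g for g in groups if g.contains(host)]
    sides = {g.side for g in hits}
    if len(sides) > 1:
        raise ValueError(f"{host} is both Inside and Outside: "
                         + ", ".join(g.name for g in hits))
    return [g.name for g in hits], (sides.pop() if sides else None)

def inside_outside_overlaps(groups):
    """Lint a configuration: list address blocks shared by an Inside group and an
    Outside group, the overlap the rule above forbids."""
    return [(a.name, str(x), b.name, str(y))
            for a in groups if a.side == "Inside"
            for b in groups if b.side == "Outside"
            for x in a.blocks for y in b.blocks if x.overlaps(y)]

# Constructed sample configuration (group names from the slides, addresses assumed)
GROUPS = [
    HostGroup("Employee Desktops", "Inside", ["10.201.0.0/16"]),
    HostGroup("Confidential Servers", "Inside", ["10.50.1.10-10.50.1.20"]),
    HostGroup("VPN Users", "Inside", ["10.201.3.149", "10.201.3.150"]),
    HostGroup("Partners", "Outside", ["198.51.100.0/24"]),
]
```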
Using Stealthwatch for Network Segmentation and Policy development
Automated Host Grouping/Segmentation: Host Classifier App
Predefined Auto Segmentation
Granular Segmentation Control
• Stealthwatch has REST API capabilities available to get, add, modify, and delete host groups.
• These APIs provide an easy programmatic mechanism to maintain host group configurations.
• Sample scripts are provided via DevNet to enable customers to use these API capabilities with success.
Automation with Stealthwatch APIs
Host Group Automation Service
A fixed service providing a logical means of categorizing network assets for improved visibility and control
• Automate host-group updates and management to operate at maximum efficiency for alarm detection
• Optimize Cisco Stealthwatch performance and reduce operational overhead to lower operating costs while reducing errors and innocuous alerts
• Enhance Stealthwatch system performance by automatically managing your specific IP address base
[Diagram: on-premises environment, IP address management, automation, Stealthwatch]
Introducing the Network Diagrams App
• Graphical Traffic Flows monitoring
• Investigation focus map
• Network Performance Visualization
• Faster Relationship Policy editing
• Import network maps created from prior Stealthwatch versions
Build Maps to Focus on Critical Metrics
Relationship policy: Relationship Policy creation based on graphical representation
Triggered Alarms: View a brief of triggered alarms per host group and drill down into the alarms triggered per host group
Network Performance: Visualize Network Performance metrics (RTT, SRT, Packet Rate and Traffic bandwidth)
Stealthwatch Enterprise architecture
Comprehensive visibility and security analytics
[Diagram of Stealthwatch Enterprise components:]
• Management Console
• Flow Collector
• Flow Sensor, including Flow Sensor VE on a hypervisor with VMs, for non-NetFlow enabled equipment
• UDP Director, feeding other traffic analysis software
• Security Packet Analyzer (packet data and storage)
• Endpoint License and Threat Intelligence License
• Identity Services Engine (ISE)
• Global Threat Analytics / Cognitive Intelligence, returning alerts
• Stealthwatch Cloud
Inputs: NetFlow from NetFlow enabled routers, switches and firewalls; proxy data; flow data with ETA fields (telemetry for Encrypted Traffic Analytics)
Key features
Visibility everywhere: Analyses enterprise telemetry from any source (NetFlow, IPFIX, sFlow, other Layer 7 protocols) across the extended network
Encrypted Traffic Analytics: Only product that can analyze encrypted traffic to detect malware and ensure policy compliance without decryption
Rapid Threat Containment: Quarantine infected hosts easily using the Identity Services Engine (ISE) integration; collect and store network audit trails for deeper forensic investigations
Unique threat detection: Combination of multi-layer machine learning and behavioral modeling provides the ability to detect inside as well as outside threats
Smart segmentation: Create logical user groups that make sense for your business; monitor the effectiveness of segmentation policies through contextual alarms
How prepared are you for a breach?
[Chart over time: late detection means high impact, early detection means low impact]
1 in 4: Risk of a major breach in the next 24 months
Out of the Box Security Assessment
Security Risk Reporting: Network Metrics, Risk, Country Monitoring, Report Generation
Detecting Rogue DNS, Monitoring Remote Access, Detecting Malicious Scanning, Reporting traffic from specific geographies