Securing Your Modern Network with Amazon Web Services (AWS) and Cisco Stealthwatch Cloud

A dynamic security solution for dynamic cloud workloads



Table of Contents

Introduction (page 3)
What is Cisco Stealthwatch Cloud? (page 6)
How Cisco Stealthwatch Cloud works (page 7)
Cisco Stealthwatch Cloud and AWS (page 8)
What can I do with Cisco Stealthwatch Cloud? (page 10)
Conclusion (page 11)

Introduction

How is the changing threat landscape affecting network admins?

Network engineers and admins have always been tasked with ensuring that their organization’s network is performing in peak condition. Over the last decade, digital transformation has been a leading enterprise initiative. Cloud services, such as those offered by Amazon Web Services (AWS), have been one of the primary enablers of that strategic objective. Digital transformation and the rapid adoption of cloud services have brought several challenges to network admins and made the health of the network an even more crucial priority.

To accommodate globally dispersed and mobile workers, many organizations adopted bring-your-own-device (BYOD) strategies—both managed and unmanaged. As the Internet of Things (IoT) proved its worth, huge fleets of connected assets started sending sensor data across networks and into corporate data centers. As these cloud-native capabilities were rapidly adopted and expanded, traditional tools and processes were unable to keep pace.

More systems, more endpoints, and more distribution of corporate assets across the globe gave organizations more flexibility and efficiency. But it dramatically increased the volume of network traffic and the criticality of the data traveling over the network. This created an intensifying need for traffic monitoring over increasingly complex delivery paths. Soon, it became apparent that the scale of modern network traffic had outpaced a human’s ability to monitor it.

While the network was expanding, newer and more sophisticated security threats like zero-day malware, distributed-denial-of-service (DDoS) attacks, advanced persistent threats (APTs), and others began to emerge. With the introduction of ransomware, malicious parties realized that data was their target’s most valuable asset. By simply threatening to steal or destroy corporate data, attackers could extort organizations for large sums. Finding and exploiting a gap in an organization’s network security was no longer the realm of mischief or PR embarrassment. It became big business.

Modern networking capabilities place additional pressure on the admin role


Why monitoring and securing modern networks has become critical

As the threat landscape evolved and network traffic increased, the goal of monitoring moved beyond ensuring acceptable network performance. The security of the network, which was always important to the network admin, became a top priority. However, you can’t fix what you can’t see, and monitoring the sheer volume of network traffic across the expanded network became difficult with existing tools.

Some tools provided visibility into specific parts of a network. But most were created with only on-premises environments in mind, and multiple tools from a variety of vendors just added to the burden. This left network admins with a difficult balancing act: maintain network performance and reliability at the lowest possible cost, while allowing for digital growth and innovation without compromising security.

This left network admins asking:

• How can I ensure the uptime and security of the network?

• As we move workloads to the cloud, which of my existing security tools and processes will continue to work?

• How can I maintain a secure network with my existing staff?

• How can we do all this at the lowest possible cost?

The need for security monitoring at cloud scale

Network admins need a solution that operates at the scale and pace of their global networks, monitors all traffic between every user and endpoint, and helps network and security teams make decisions quickly. With the help of a sophisticated and comprehensive network monitoring solution, network and security personnel can decide what areas of their network may truly be under threat, without wasting precious time and letting their other responsibilities fall by the wayside.

Cisco and AWS believe in making it easier for you to connect, protect, and consume cloud services.

Cisco cloud portfolio:

• Cloud Advisory: design, plan, accelerate, and de-risk cloud migrations

• Cloud Connect: securely extend private networks (data center, branch, and campus) into the cloud and ensure the application experience

• Cloud Protect: protect cloud users, identities, direct-to-cloud connectivity, infrastructure, data, and applications, including SaaS

• Cloud Consume: deploy, monitor, and optimize applications in the cloud and container environments

Cisco Stealthwatch® Cloud, one of the products in the “Cloud Protect” category of Cisco’s cloud portfolio, is a software-as-a-service (SaaS) offering that improves security and incident response across the distributed network, from on-premises to the public cloud. By detecting threats in real time, providing actionable security intelligence, and reducing false positives, it enables you to secure your network more efficiently. And it was built to work well with a variety of AWS services as well as hybrid cloud environments.

According to the 2019 Cybersecurity CISO Benchmark study, 79% of respondents said it was somewhat or very challenging to orchestrate alerts from multiple vendor products.

1 https://www.cisco.com/c/dam/global/en_uk/solutions/cloud/overview/cloud_business_cloud_advisor_infobrief_eng_FY18Q3.pdf

What is Cisco Stealthwatch Cloud?

Cisco Stealthwatch Cloud ingests and analyzes massive amounts of data to give even the largest, most dynamic networks complete visibility and improved response time across the entire network. It helps network and security operations teams gain real-time situational awareness of all users, devices, and traffic on the network, in the data center, and in the cloud, so they can quickly and effectively respond to threats.

Stealthwatch Cloud is deployed without software agents, instead relying on native sources of telemetry such as Amazon Virtual Private Cloud (VPC) Flow Logs. It models all IP traffic generated by an organization’s resources and functions whether they are inside the VPC, between VPCs, or at external IP addresses. Stealthwatch Cloud also works with additional AWS services like AWS CloudTrail, Amazon CloudWatch, AWS Config, Amazon Inspector, AWS Identity and Access Management (IAM), AWS Lambda, and more.

Automatic alerts make the security team more efficient and effective, and since Stealthwatch Cloud consistently delivers accurate alerts—with 95% of security alerts rated as “helpful” by customers—security teams do not waste time chasing false alarms.

Stealthwatch Cloud provides visibility and threat detection in both AWS and hybrid infrastructures. It is a cloud-delivered, SaaS-based solution that can be deployed easily and quickly.

Figure: Dynamic entity modeling. Collect input (system logs, security events, passive DNS, external intel, config changes, vulnerability scans, IP metadata) → perform analysis (dynamic entity modeling) → draw conclusions (group, consistency, rules, forecast, role). The model answers questions such as: What ports and protocols does the device continually access? What connections does it continually make? Does it communicate internally only, and what countries does it talk to? How much data does the device normally send and receive? What is the role of the device?

How Cisco Stealthwatch Cloud works

Dynamic entity modeling explained

Stealthwatch Cloud provides an easy way for you to see your network activity, understand what “normal” entity behavior is, and identify the signs of potential threats by leveraging a practice called dynamic entity modeling.

Here’s how it works:

• Stealthwatch Cloud ingests AWS log information and analyzes every network-connected device, or “entity.” When it detects something unusual—from data hoarding, policy violations, and DDoS attacks to malicious recon scanning, data exfiltration, and more—it alerts the security team automatically.

• It identifies this suspicious activity based on behavioral modeling. Stealthwatch Cloud creates a baseline of normal behavior for network devices, including activity thresholds that you can set. It learns by comparing this baseline against real-time traffic information, and when it detects behavior that falls outside the baseline or the acceptable parameters you defined, you can investigate that behavior to quickly determine whether it may represent malicious activity.

• Over time, it continually refines its behavioral models as it monitors both your AWS and hybrid environments, improving its detection capabilities. This dramatically increases staff efficiency and reduces the costs associated with manual security checks and updates.

Cisco Stealthwatch Cloud and AWS

VPC Flow Log integration

Stealthwatch Cloud consumes network traffic data, including Amazon VPC Flow Logs, from your AWS network. It then performs dynamic entity modeling by running analytics on that data to detect threats and indicators of compromise. Stealthwatch Cloud consumes VPC Flow Logs directly from your AWS account using a cross-account IAM role with the proper permissions.

VPC Flow Logs facilitate logging of all the IP traffic to, from, and across your network. These logs are stored as records in special Amazon CloudWatch log groups and provide the same kind of information as Cisco NetFlow data would in a traditional on-premises environment.

You can use VPC Flow Logs as the input for entity modeling. Cisco Stealthwatch Cloud can automatically retrieve VPC Flow Logs as a primary or supplementary data source for entity modeling, which means you can gain visibility across all network traffic to detect all types of potential threats.

Specifically, Amazon VPC Flow Logs contain the following information:

• Which IP entities are communicating inside and outside the VPC

• Which protocols (such as Transmission Control Protocol, or TCP, and User Datagram Protocol, or UDP) are being used

• How much traffic is sent and received by every network-connected device

• Whether the flow was allowed or blocked by the security policy
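As an added illustration (not code from the brochure or from Cisco's product), here is a small Python parser for default-format VPC Flow Log records that builds a per-entity baseline of the ports used, outbound volume and rejected flows from one window of records, then flags a later window that departs from it; the records, thresholds and alert wording are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Field order of a default-format (version 2) Amazon VPC Flow Log record.
FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
PROTO = {"6": "TCP", "17": "UDP", "1": "ICMP"}


def parse_record(line: str) -> dict:
    """Split one record; NODATA/SKIPDATA rows carry '-' counters, so bytes become 0."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"unexpected field count {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    rec["bytes"] = int(rec["bytes"]) if rec["log_status"] == "OK" else 0
    return rec


@dataclass
class EntityProfile:  # per-source-IP model: ports talked to, outbound volume, rejected flows
    bytes_sent: int = 0
    dst_ports: set = field(default_factory=set)
    rejected: int = 0


def build_profiles(lines) -> dict:
    """Aggregate flow records into one profile per source address (entity)."""
    profiles = defaultdict(EntityProfile)
    for rec in map(parse_record, lines):
        if rec["log_status"] != "OK":
            continue
        p = profiles[rec["srcaddr"]]
        p.bytes_sent += rec["bytes"]
        p.dst_ports.add(PROTO.get(rec["protocol"], rec["protocol"]) + "/" + rec["dstport"])
        p.rejected += rec["action"] == "REJECT"
    return dict(profiles)


def deviations(baseline: dict, current: dict, byte_ratio=3.0, reject_floor=5) -> list:
    """Flag entities whose current window departs from their learned baseline."""
    alerts = []
    for ip, cur in current.items():
        base = baseline.get(ip) or EntityProfile()  # unseen entity: every port is new
        new_ports = cur.dst_ports - base.dst_ports
        if new_ports:
            alerts.append((ip, "new ports " + ",".join(sorted(new_ports))))
        if base.bytes_sent and cur.bytes_sent > byte_ratio * base.bytes_sent:
            alerts.append((ip, "outbound volume above baseline"))
        if cur.rejected >= reject_floor > base.rejected:  # burst of blocked flows, e.g. scanning
            alerts.append((ip, "rejected connection burst"))
    return alerts


# Constructed sample records (default format), not real traffic.
BASELINE_LOGS = [
    "2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.5 10.0.2.9 49152 443 6 10 4000 1700000000 1700000060 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 - - - - - - - 1700000120 1700000180 - NODATA",
]
CURRENT_LOGS = [
    "2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.5 10.0.2.9 49160 443 6 12 5000 1700003600 1700003660 ACCEPT OK",
    "2 111122223333 eni-0a1b2c3d4e5f60718 10.0.1.5 203.0.113.7 49161 22 6 300 40000 1700003660 1700003720 ACCEPT OK",
]
ALERTS = deviations(build_profiles(BASELINE_LOGS), build_profiles(CURRENT_LOGS))
```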

VPC Traffic Mirroring integration

Figure: Stealthwatch Cloud integration with an AWS account. A role created for Stealthwatch Cloud in the account grants it permission to read AWS services; the Stealthwatch Cloud SaaS portal uses the AWS API to read Amazon VPC, Amazon CloudWatch, AWS CloudTrail, Amazon Inspector, AWS Config, Amazon GuardDuty, and AWS Lambda.

Amazon VPC Traffic Mirroring provides a full one-to-one packet capture of all traffic in and out of an Amazon VPC environment. This feature enables customers to produce network and security analytics across the entire flow of traffic in an AWS environment. Cisco Stealthwatch Cloud is fully enabled to utilize VPC Traffic Mirroring for transactional network conversation visibility, threat detection, and compliance risk alerting.

Stealthwatch Cloud has the ability to learn “known good” for API keys, user accounts, and other entry points into the environment that customers need to be concerned about. Combine this unique set of rich AWS backend telemetry with the traffic analytics that Stealthwatch Cloud can perform with either VPC Flow Logs or VPC Traffic Mirroring, and you can provide protection regardless of where the threat vector into your AWS deployment may exist – at the VPC ingress/egress, at the AWS web login screen, or leveraging API keys. By leveraging the AWS API, Stealthwatch Cloud is able to provide even deeper insights and protection. With the ability to retrieve a broad spectrum of telemetry from the AWS backend, it provides a full picture of what’s happening within an AWS environment.

Example: abnormal AWS Lambda usage

Stealthwatch Cloud polls CloudWatch metrics. Therefore, an AWS Lambda function invoked many more times than normal, likely due to abuse from the outside, would generate an alert.

Having been alerted to the likelihood of a problem, your staff can now quickly review your access policies related to that alert and understand how it’s being utilized—or if it’s been breached.

Stealthwatch Cloud helps the analyst understand how something like a jump from 21 to 182 came about and the proper corrective action to take in order to close that hole and prevent it from happening again. Additionally, Stealthwatch Cloud learns from that new, improved access policy and prevents this problem from occurring again.
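An added example, not part of the brochure or of Cisco's product: a robust median/MAD baseline over per-day Lambda "Invocations" counts, shaped as they come back from CloudWatch GetMetricStatistics, that flags the 21-to-182 jump described above while leaving a steady function alone; the function names, datapoints, window size and k/floor thresholds are constructed for the example.

```python
from datetime import datetime, timedelta, timezone
from statistics import median


def series_from_datapoints(response: dict) -> list:
    """Order GetMetricStatistics datapoints by time and keep each period's Sum.
    CloudWatch returns datapoints unordered, so sorting is required before baselining."""
    points = sorted(response.get("Datapoints", []), key=lambda d: d["Timestamp"])
    return [int(d["Sum"]) for d in points]


def robust_baseline(history: list, k: float = 6.0, floor: int = 10) -> tuple:
    """Median is what 'normal' looks like, MAD its usual spread; unlike mean/stddev,
    neither is dragged upward by a single earlier spike. Returns (median, threshold)."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0  # flat history: allow minimal spread
    return med, max(med + k * mad, floor)  # floor keeps tiny functions from alerting on noise


def invocation_alerts(series: list, window: int = 7, k: float = 6.0, floor: int = 10) -> list:
    """Slide a window over per-period counts; flag a period that exceeds the baseline
    learned from the preceding `window` periods (one-sided: only surges matter here)."""
    alerts = []
    for i in range(window, len(series)):
        med, threshold = robust_baseline(series[i - window:i], k, floor)
        if series[i] > threshold:
            alerts.append({"period": i, "value": series[i], "baseline": med,
                           "ratio": round(series[i] / med, 1) if med else None})
    return alerts


def scan_functions(metrics: dict, **kw) -> dict:
    """Run the detector per function name; return only the functions that alerted."""
    found = {name: invocation_alerts(series_from_datapoints(resp), **kw)
             for name, resp in metrics.items()}
    return {name: alerts for name, alerts in found.items() if alerts}


# Constructed samples shaped like a GetMetricStatistics response for the Lambda
# "Invocations" metric (one datapoint per day, deliberately unordered); not real data.
def _resp(counts):
    day0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return {"Label": "Invocations",
            "Datapoints": [{"Timestamp": day0 + timedelta(days=i), "Sum": float(c), "Unit": "Count"}
                           for i, c in reversed(list(enumerate(counts)))]}


SAMPLE = {
    "order-processor": _resp([19, 22, 21, 20, 23, 21, 22, 21, 182]),  # the page's 21 -> 182 case
    "nightly-report": _resp([3, 4, 3, 3, 5, 4, 3, 4, 3]),             # steady, should stay quiet
}
ALERTS = scan_functions(SAMPLE)
```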

What can I do with Cisco Stealthwatch Cloud?

Detect threats quickly across your hybrid environment

Cisco Stealthwatch Cloud automatically learns your specific network environments, extending across both AWS and your on-premises network. You gain real-time visibility for network resources that are interacting with your cloud assets as though they were traditional servers and architecture in your on-premises environment—but at cloud scale. This allows you to sort through the noise to quickly identify real threats and vulnerabilities with extremely low false positives and automated remediation guidance.

Secure your network with existing staff

Business units are dictating the need for analytics capabilities, so you must be able to support potential changes across cloud-native environments and web-based front ends that would use them. The ability to bring in new feeds and new log types from AWS is required, but you don’t have to try to manage all the collection, configuration, and review of these new log types. Stealthwatch Cloud automatically analyzes the network and cloud data, so you and your staff can quickly understand what’s happening across your on-premises and AWS environments without needing any specialized training.

Maintain regulatory compliance

By extending visibility across your entire network, Cisco Stealthwatch Cloud also helps you maintain compliance with industry regulations such as the Payment Card Industry (PCI) standard, the Health Insurance Portability and Accountability Act (HIPAA), and the Federal Information Security Management Act (FISMA). Stealthwatch Cloud can be configured to monitor for resources that are out of compliance, then automatically alert users so they can quickly apply the changes needed to bring them back into compliance.

Save money and gain efficiencies

Not only can Stealthwatch Cloud save you money by improving security efficiencies, it can also help you find abandoned or rogue AWS instances that are costing you money. Many organizations spin up an AWS instance at the start of a project, and when that project is complete, they forget to turn it off. Or in some cases, individuals even provision rogue instances to support a personal project without alerting IT. When this happens, your organization may be paying for instances that are no longer in use, and leaving the door open for data breaches, crypto mining, or other potential compute theft operations that use “orphaned” AWS instances as an attack vector.

Stealthwatch Cloud, together with AWS Lambda, allows you to set parameters for normal network activity, automatically shut down any instances that fail to meet those parameters, and alert staff to analyze the relevant information. Then they can decide to spin it back up, leave it off, or perhaps create a new instance with new parameters. Significant savings can be found by simply assessing and shutting down rogue instances, not to mention the tremendous savings inherent in avoiding a data breach.

Conclusion

Avoid dangerous and embarrassing data breaches and maintain regulatory compliance using a simple and automated system at cloud scale that helps prepare your organization for the future. With Cisco Stealthwatch Cloud on AWS, all of this can be done without needing to hire new personnel or retrain existing staff, which constitutes even more cost and efficiency gains.