
Using the Visibility Assessment Application

Use Case Abstract


Customer situation
Monitoring an enterprise-level network can be a daunting task for security administrators. Digging through thousands of
security events and telemetry records to decide which security policies to implement, or which tuning strategy is best,
takes time to assess and to put into practice.

Solution
Security administrators can use the Cisco Stealthwatch® Visibility Assessment application to determine areas of focus when
creating security policy, host group, and tuning strategies, and to generate network security status reports. The app is easily
deployed and starts showing the value of Stealthwatch with minimal configuration. For Stealthwatch users who already
have the tool configured for their environment, the Visibility Assessment provides an easy way to generate a report
about the security status of the organization.

Minimum requirements
The Cisco Stealthwatch Enterprise system configuration minimum requirements are:

• Visibility of all host-to-host traffic from the core/distribution layer

• Visibility Assessment Application (download it from the Download Center)

• Stealthwatch Release 7.0 or greater

Page 1 of 11

Stealthwatch App Manager


As of Stealthwatch Release 7.0, Central Management includes a new interface called the App Manager. The App Manager
allows you to install applications that are available in the Flexera Download Center. These applications can be installed in
Stealthwatch starting with Release 7.0, and can be uninstalled or updated outside of normal Stealthwatch updates.

Access the Central Management interface via the Stealthwatch Management Console (SMC) Web User Interface (UI).

The Central Management page displays. Click App Manager. You can then install, uninstall, or update Stealthwatch apps.


Using the Visibility Assessment Application


The Visibility Assessment application can be quickly installed and provides visibility into the network with little or no
configuration. Once the application is installed, a new dashboard will appear in the Web UI. To access the application, click
Dashboards and choose Visibility Assessment.

The Visibility Assessment dashboard displays.

Generating a report
To create a PDF report of all the risks found on the network, click Generate Report.


The report contains the following information:

Internal monitored network: Modern organizations need internal visibility to understand the state of their network and its
traffic. Stealthwatch continuously monitors and protects internal assets, observes data transferred between servers and the
Internet, processes traffic flows, and then displays this data in Visibility Assessment. These metrics and others help security
and network personnel quantify the hosts, systems, and resources on their network, making sure there is nothing present
that they don't know about. It also helps identify critical assets, validate policies, audit and demonstrate compliance, and
make better decisions based on data. The Visibility Assessment provides network visibility that requires minimal server
classification and no policy tuning.

Internal network scanners: Internal scanning can be the result of malware installed on internal machines, malicious users
searching for additional resources inside the network, or advanced attacks looking for additional systems to connect to and
steal data from. Stealthwatch can uncover any internal systems performing reconnaissance through network scanning to
help find misbehaving systems.

This summary contains Inside Hosts that are not in the Network Scanners host group, have at least one addr_scan/tcp
event, and have accumulated over 300,000 concern index (CI) points.

Remote access breach: Remote network access services such as VNC and RDP are common in today's organizations, but
they are also popular among attackers. If compromised, these services give threat actors the same privileges of legitimate
users. By classifying authorized remote access servers exposed to the Internet, Stealthwatch can quickly identify illegitimate
access.

This summary contains bidirectional communication from an Outside Host (client) to an Inside Host (server) for which the
packet count is greater than 10 (five transmitted in each direction) and which uses any of the following services:

• pcAnywhere (5631/tcp, 5631/udp)

• RDP (3389/tcp)

• Telnet (23/tcp)

• VNC (5800-5999/tcp)

• XWindows (6000-6063/tcp, 6000-6063/udp)

SMB risk: Threat actors frequently target organizations by exploiting the Server Message Block (SMB) protocol to gain
control of hosts. SMB is commonly used in many organizations, and attackers use it to mask their activities on the network.
Targeted destructive malware, such as Conficker, exploits vulnerabilities in SMB to deploy mechanisms such as proxy tools
and backdoors. Stealthwatch monitors for hosts involved in many SMB sessions with hosts outside the network, which is
consistent with worm propagation.

Malicious entities use targeted destructive malware to exploit vulnerabilities in SMB to deploy the following:

• Backdoors


• Proxy tools

• Hard drive destructive tools

• Target cleaning tools

This summary contains attempts by an Inside Host (client) to communicate with an Outside Host using 445/tcp (SMB).

Vulnerable protocol servers: Telnet is a vulnerable protocol that puts you at risk of credential compromise and data loss.
Mainframes and other systems that store sensitive data, financial systems, and customer information often run Telnet,
leaving them open to attacks. Since 1994, the CERT Division of the Software Engineering Institute has recommended using
something other than plain-text authentication, such as that used by Telnet, because of the risk of network monitoring
attacks. This summary contains bidirectional communication from any host (client) to an Inside Host (server) for which the
packet count is greater than 10 (five transmitted in each direction) and which uses Telnet (23/tcp).

DNS risk: DNS servers are critical to normal network function because they translate hostnames to IP addresses. Many
organizations use specific DNS servers to safeguard their network and enforce policies. Hosts using an unauthorized DNS
server could indicate malicious activity or a policy violation. Malware can make a host's DNS server forward requests to sites
used for phishing or exploit delivery. Likewise, network users may use unauthorized DNS servers to access web resources
forbidden by internal policies.

Unauthorized DNS servers can do the following:

• Direct hosts to bad websites to download malware or exploitation tools

• Prevent monitoring of DNS traffic for data loss, command and control activity, and exploitation

• Control or block access to software updates from vendors

This summary contains communication from an Inside Host (client) to any host (server) that is not in the DNS host group and
that uses DNS (53/udp).

Traffic to high-risk countries: Attacks can come from distant regions of the world, and a common way to identify
compromises is to detect traffic between internal hosts and hosts located in high-risk countries. When
organizations do not conduct business with a certain region, there should be minimal traffic with hosts located there. If you
observe a large amount of data being sent to countries you have designated as high risk, this could indicate that data
exfiltration is occurring.

Traffic involving high-risk countries could be a sign of any of the following:

• Data exfiltration

• Advanced persistent threats (APTs)

• Command and control (C&C) activity
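The summary criteria described above (internal network scanners, remote access breach, SMB risk, vulnerable protocol servers, DNS risk, and traffic to high-risk countries) re-implemented as an added example that runs over constructed flow records. This is not code from Cisco's document or from the Stealthwatch product; the inside network range, host-group membership, per-host addr_scan/tcp and concern index counters, the geolocation table, and the reading of "packet count greater than 10" as traffic seen in both directions with more than 10 packets in total are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample environment (hypothetical values, not from any real deployment)
INSIDE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
HOST_GROUPS = {
    "DNS": {"10.0.0.53"},
    "Network Scanners": {"10.0.0.250"},
}
# Per-host counters Stealthwatch would keep: (addr_scan/tcp events, concern index points)
HOST_STATS = {
    "10.0.0.250": (40, 950_000),   # authorized scanner, already in the Network Scanners group
    "10.0.5.5":   (12, 420_000),   # unclassified host scanning above 300,000 CI -> listed
    "10.0.5.6":   (0, 600_000),    # high CI but no addr_scan/tcp event -> not listed
    "10.0.5.7":   (3, 120_000),    # scanning but below the 300,000 CI threshold -> not listed
}
# Hypothetical geolocation of outside addresses (RFC 5737 documentation ranges)
GEOLOCATION = {"192.0.2.77": "CN", "198.51.100.9": "DE", "203.0.113.7": "NL", "198.51.100.53": "US"}

# Remote access services from the report criteria: pcAnywhere, RDP, Telnet, VNC, XWindows
REMOTE_ACCESS_PORTS = {
    "tcp": {5631, 3389, 23, *range(5800, 6000), *range(6000, 6064)},
    "udp": {5631, *range(6000, 6064)},
}


@dataclass(frozen=True)
class Flow:
    client: str      # address that initiated the conversation
    server: str      # address that answered
    port: int        # server port
    proto: str       # "tcp" or "udp"
    pkts_c2s: int    # packets client -> server
    pkts_s2c: int    # packets server -> client


def is_inside(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INSIDE_NETWORKS)


def in_group(ip, group):
    return ip in HOST_GROUPS.get(group, set())


def bidirectional_over_10(f):
    # Assumed reading of "packet count greater than 10 (five transmitted in each direction)":
    # packets seen both ways, and more than 10 packets in total.
    return f.pkts_c2s > 0 and f.pkts_s2c > 0 and f.pkts_c2s + f.pkts_s2c > 10


def internal_network_scanners(stats=HOST_STATS):
    # Inside Hosts not in Network Scanners, >= 1 addr_scan/tcp event, > 300,000 CI points
    return sorted(ip for ip, (scan_events, ci) in stats.items()
                  if is_inside(ip) and not in_group(ip, "Network Scanners")
                  and scan_events >= 1 and ci > 300_000)


def remote_access_breaches(flows):
    # Outside client -> Inside server on a remote access service, bidirectional, > 10 packets
    return [f for f in flows
            if not is_inside(f.client) and is_inside(f.server)
            and f.port in REMOTE_ACCESS_PORTS.get(f.proto, set())
            and bidirectional_over_10(f)]


def smb_risk(flows):
    # Any attempt by an Inside client to reach an Outside host on 445/tcp (no packet threshold)
    return [f for f in flows
            if is_inside(f.client) and not is_inside(f.server)
            and f.proto == "tcp" and f.port == 445]


def vulnerable_telnet_servers(flows):
    # Any client -> Inside server on 23/tcp, bidirectional, > 10 packets
    return [f for f in flows
            if is_inside(f.server) and f.proto == "tcp" and f.port == 23
            and bidirectional_over_10(f)]


def dns_risk(flows):
    # Inside client -> any server not in the DNS host group on 53/udp
    return [f for f in flows
            if is_inside(f.client) and not in_group(f.server, "DNS")
            and f.proto == "udp" and f.port == 53]


def high_risk_country_traffic(flows, high_risk_countries):
    # Either endpoint geolocated to a country the operator designated as high risk
    return [f for f in flows
            if GEOLOCATION.get(f.client) in high_risk_countries
            or GEOLOCATION.get(f.server) in high_risk_countries]


def risk_summary(flows, high_risk_countries=frozenset({"CN"})):
    # Counts per category, like the widget across the top of the dashboard
    return {
        "internal_network_scanners": len(internal_network_scanners()),
        "remote_access_breach": len(remote_access_breaches(flows)),
        "smb_risk": len(smb_risk(flows)),
        "vulnerable_protocol_servers": len(vulnerable_telnet_servers(flows)),
        "dns_risk": len(dns_risk(flows)),
        "traffic_to_high_risk_countries": len(high_risk_country_traffic(flows, high_risk_countries)),
    }


# Constructed flow records
SAMPLE_FLOWS = [
    Flow("203.0.113.7", "10.0.1.20", 3389, "tcp", 40, 35),    # RDP from outside, answered -> remote access breach
    Flow("203.0.113.7", "10.0.1.21", 5900, "tcp", 3, 0),      # VNC probe, never answered -> not counted
    Flow("203.0.113.7", "10.0.1.30", 23, "tcp", 8, 6),        # Telnet from outside -> both remote access and Telnet
    Flow("10.0.2.15", "198.51.100.9", 445, "tcp", 1, 0),      # single outbound SMB attempt -> SMB risk
    Flow("10.0.2.16", "10.0.3.4", 445, "tcp", 20, 18),        # internal SMB -> not counted
    Flow("10.0.4.8", "10.0.1.30", 23, "tcp", 12, 11),         # internal Telnet session -> vulnerable protocol server
    Flow("10.0.2.15", "198.51.100.53", 53, "udp", 2, 2),      # DNS to a server outside the DNS group -> DNS risk
    Flow("10.0.2.17", "10.0.0.53", 53, "udp", 2, 2),          # DNS to the authorized resolver -> not counted
    Flow("10.0.2.18", "192.0.2.77", 443, "tcp", 500, 9000),   # HTTPS to a designated high-risk country
]

if __name__ == "__main__":
    for category, count in risk_summary(SAMPLE_FLOWS).items():
        print(f"{category}: {count}")
```

The Telnet flow from the outside client lands in two summaries at once (remote access breach and vulnerable protocol servers), which is why the categories on the dashboard should be read as overlapping views of the same flows rather than disjoint counts.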


Detecting Risks
The widget across the top of the Visibility Assessment dashboard displays the number of risks detected in each category.
For more information about the risks, click the numbers.

For this example, we are looking at the 3 DNS risks. These are hosts that were performing DNS functions but that do not
belong to the DNS host group. For more information, click the host IP address.

A Host Report displays, showing who this host is communicating with, details about alarms that this host is triggering, and
security events. You can classify the host if it actually does belong in the DNS host group.


Designating High-Risk Countries


The world map in the dashboard displays traffic between your network and the countries you have designated as high risk. To set
the high-risk countries, click the settings icon.

The Select High-Risk Countries window displays. Check the boxes next to the countries you want to watch. Click Apply. For
our example, we chose China.


The change takes effect on the next hourly update. If traffic is detected going to or from a designated country, that country turns
red on the map. To see the amount of traffic that has been detected, click the country.


Internal Monitored Network Data


Data about your network displays on the dashboard under Internal Monitored Network. It is updated continuously, giving
you a flow record analysis, the amount of encrypted traffic traversing your network, the traffic exchanged between your network
and the Internet, and more.


Additional Resources
The following use cases provide more information on the topics covered in this use case:

• Using the Security Event Workflow

• Using Stealthwatch for Network Segmentation and Policy Development

DISCLAIMER WARRANTY: THIS CONTENT IS BEING PROVIDED "AS IS" AND AS SUCH MAY INCLUDE TYPOGRAPHICAL, GRAPHICS, OR FORMATTING
ERRORS. CISCO MAKES AND YOU RECEIVE NO WARRANTIES IN CONNECTION WITH THE CONTENT PROVIDED HEREUNDER, EXPRESSED, IMPLIED,
STATUTORY OR IN ANY OTHER PROVISION OF THIS CONTENT OR COMMUNICATION BETWEEN CISCO AND YOU. CISCO SPECIFICALLY DISCLAIMS ALL
IMPLIED WARRANTIES, INCLUDING WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE, OR ARISING
FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE.
