
PSOSPM-2037

Enhanced Visibility & Breach Detection in Mobility Networks
Stealthwatch for Service Providers

Andrew Turner
Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#PSOSPM-2037

PSOSPM-2037 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
At the end of the session, you will be able to:

• Understand the use cases for Stealthwatch in a mobile network.
• Understand the value Stealthwatch provides to the operator.

If you firewall everything, why do you need this?
Diagram: PGW, MME and SGW nodes, with firewalls at the perimeter and firewalls between nodes.

How do you know your firewall is working?

Diagram: rulesets are configured on the firewall; reporting shows what was denied and what was allowed (allowed connection vs. blocked connection).

Breaches are more than Hacking

Hacking: 47% | Human Error: 28% | System Failure: 25%

Operational Integrity
Knowing what people, processes and systems are doing, what
they are supposed to be doing & when they are NOT doing it
2017 Cost of Data Breach Study by Ponemon Institute
And the complexity is ever growing

Virtualization + Slicing: increasing threat surface
M2M Communication: increasing threat vectors
Coexistence of New + Legacy: increasing complexity

Threats focused on in this session
Infrastructure not Subscriber Analytics

Segmentation Policy Compliance

Weaknesses in Mobile Security Authentication

Threats from Trusted Insiders

Data Classification and Leaks

Would you like to know more?

BRKSPM-2010 – Applying Security in a 5G World
Mike Geller, Pramod Nair

Threats are real, cheap and easy

From Blackhat Europe in 2015 to the NDSS Symposium in February 2018.

Attack costs start as low as $1300!

https://www.blackhat.com/docs/eu-15/materials/eu-15-Borgaonkar-LTE-And-IMSI-Catcher-Myths.pdf
https://www.documentcloud.org/documents/4392401-4G-LTE-attacks-paper.html

Recent Example in the News

https://www.cnet.com/news/homeland-security-detected-phone-spying-devices-in-dc/
Stealthwatch in a Nutshell
Diagram: Network Transactional Analytics and Contextual Intelligence (identity, data model, classification) feed the engine, which produces actionable outcomes.

Cisco Stealthwatch is a collector and aggregator of network telemetry for the purposes of data modelling, security analysis and monitoring.

The general ledger
A trace of every conversation in your network

Session Data | 100% network accountability

Client   Server   Translation  Service  User  Application  Traffic  Group     Mac       SGT  Encryption (TLS/SSL version)
1.1.1.1  2.2.2.2  3.3.3.3      80/tcp   Doug  http         20M      location  00:2b:1f  10   TLS 1.2

Visibility sources: User Information, Network Telemetry, Interface Information, Policy Information, Threat Intelligence, Encrypted Traffic Analytics, Group / Segment, NAT/Proxy, Layer 7, Endpoint, Cloud

Stealthwatch value

Policy Monitoring: leverages knowledge of known bad behavior
Anomaly Detection: identify a change from "normal"
Policy Monitoring

If you understand the relationship between objects, you can define what is bad behavior.

Diagram: the relationship between an Internet object and a Payment object.

Anomaly Detection
Suspicion is not proof of guilt
Diagram: traffic pattern for Server A and Server B on a 0 to 100 Gbps scale, with "Normal High" and "Normal Low" bands; the anomaly is traffic outside that band.
Policy Modeling in the Packet Core
Policy is defined by 3GPP standards for communication between nodes in the packet core.

Diagram: SGW and MME: allowed by standards. MME and PGW: should never communicate according to the standards.
Policy Monitoring in the Packet Core
Telemetry is sent to Stealthwatch from the network, such as routers, switches and firewalls.

Stealthwatch adds context by knowing what is an MME, a PGW and an SGW.

Stealthwatch understands the policy between nodes and highlights a violation.

Diagram: MME, SGW and PGW, with their telemetry flowing to Stealthwatch.
Operational Integrity between 5G Slices

If communication occurs between these host groups, we know that the defined policy has been violated.

The question is why? Was this Hacking? Was this Human Error? Was this System Failure?

Diagram: AMF (Slice A), PCF (Slice A) and AMF (Slice B) host groups monitored by Stealthwatch.
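The three slides above (policy modelled from the 3GPP reference points, host-group context added to telemetry, and slice-to-slice violations) describe one detection. The following is an added example, not Cisco code and not how Stealthwatch is implemented: it assigns flow endpoints to host groups by subnet, keeps an allowed-pair table built from the reference points named in the comments (S1-MME, S1-U, S11, S5/S8, plus intra-slice pairs), and flags anything else. It also goes one step beyond the slides by flagging a core node that talks to an address outside every known group, the "outside world" case raised later in the deck. All subnets, ports and flow records are constructed.

```python
"""Packet-core policy monitor over flow records (added example, not Cisco's code).

Host-group subnets are a constructed addressing plan; the allowed pairs follow
the 3GPP reference points named in the comments. Flow records are constructed.
"""
from ipaddress import ip_address, ip_network

# Which subnet hosts which node type (constructed).
HOST_GROUPS = {
    "eNodeB":     ip_network("10.10.0.0/16"),
    "MME":        ip_network("10.20.1.0/24"),
    "SGW":        ip_network("10.20.2.0/24"),
    "PGW":        ip_network("10.20.3.0/24"),
    "AMF-SliceA": ip_network("10.30.1.0/24"),
    "PCF-SliceA": ip_network("10.30.2.0/24"),
    "AMF-SliceB": ip_network("10.31.1.0/24"),
    "PCF-SliceB": ip_network("10.31.2.0/24"),
}

# Unordered group pairs that the standards allow to talk to each other.
ALLOWED_PAIRS = {
    frozenset({"eNodeB", "MME"}),             # S1-MME
    frozenset({"eNodeB", "SGW"}),             # S1-U
    frozenset({"MME", "SGW"}),                # S11
    frozenset({"SGW", "PGW"}),                # S5/S8
    frozenset({"AMF-SliceA", "PCF-SliceA"}),  # inside slice A
    frozenset({"AMF-SliceB", "PCF-SliceB"}),  # inside slice B
}

def classify(ip):
    """Map an address to its host group, or 'OUTSIDE' if it is in none."""
    addr = ip_address(ip)
    for group, net in HOST_GROUPS.items():
        if addr in net:
            return group
    return "OUTSIDE"

def check_flow(flow):
    """Return None when the flow is allowed by policy, else a short violation reason."""
    a, b = classify(flow["src"]), classify(flow["dst"])
    if a == "OUTSIDE" and b == "OUTSIDE":
        return None                       # not core traffic; out of scope here
    if "OUTSIDE" in (a, b):
        return f"{a} <-> {b}: core node talking to an unclassified/external address"
    if a == b or frozenset({a, b}) in ALLOWED_PAIRS:
        return None                       # same group, or an allowed reference point
    return f"{a} <-> {b}: no reference point between these groups"

def find_violations(flows):
    """Run every flow through the policy; return (src, dst, dport, reason) tuples."""
    found = []
    for f in flows:
        reason = check_flow(f)
        if reason:
            found.append((f["src"], f["dst"], f["dport"], reason))
    return found

# Constructed sample telemetry: three allowed flows followed by three violations.
SAMPLE_FLOWS = [
    {"src": "10.10.5.7",  "dst": "10.20.1.10",  "dport": 36412},  # eNodeB -> MME (S1-MME)
    {"src": "10.20.1.10", "dst": "10.20.2.10",  "dport": 2123},   # MME -> SGW (S11, GTP-C)
    {"src": "10.20.2.10", "dst": "10.20.3.10",  "dport": 2152},   # SGW -> PGW (S5/S8, GTP-U)
    {"src": "10.20.1.10", "dst": "10.20.3.10",  "dport": 22},     # MME -> PGW: never by standard
    {"src": "10.30.1.5",  "dst": "10.31.2.5",   "dport": 443},    # AMF slice A -> PCF slice B
    {"src": "10.10.5.7",  "dst": "203.0.113.9", "dport": 443},    # eNodeB -> outside world
]

if __name__ == "__main__":
    for src, dst, dport, reason in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {src} -> {dst}:{dport}  {reason}")
```

Each violation is a lead, not a verdict: as the slice slide says, the next question is whether it was hacking, human error or system failure, and that needs the flow's timing, volume and the change history for the nodes involved.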
Rogue Node Detection
Stealthwatch alerts the Service Provider every time a new eNodeB first comes up on the network.

The Service Provider can then determine if a new eNodeB is being commissioned or if it is rogue.

Diagram: an MME ("I am an MME") with a newly attached eNodeB that may be legitimate or rogue.

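The turn-up alert above is an inventory problem: remember which eNodeBs have already attached to the MME and raise one alert the first time a new one does. The example below is added here and is not Cisco's code. It watches for S1-MME session setups, which run over SCTP to port 36412 (3GPP TS 36.412), and tags each first-seen eNodeB against a commissioning list so the operator can tell a planned turn-up from an unplanned one. The MME subnet, the commissioning list and the flow records are constructed.

```python
"""First-seen eNodeB alerting (added example, not Cisco's code).

An eNodeB attaches to the MME over S1-MME, which uses SCTP port 36412
(3GPP TS 36.412). The inventory remembers every source that has opened such
a session toward the MME subnet and alerts the first time a new one appears.
MME subnet, commissioning list and flow records are constructed.
"""
from ipaddress import ip_address, ip_network

MME_NET = ip_network("10.20.1.0/24")   # constructed MME pool subnet
S1_MME_PORT = 36412                    # SCTP port for S1-MME (3GPP TS 36.412)

class ENodeBInventory:
    """Stateful detector: one alert per never-before-seen eNodeB address."""

    def __init__(self, commissioned=()):
        self.known = set()                      # eNodeBs already seen on the network
        self.commissioned = set(commissioned)   # addresses planned by operations
        self.alerts = []

    def observe(self, flow):
        """Feed one flow record; return an alert dict for a new eNodeB, else None."""
        if flow["proto"] != "sctp" or flow["dport"] != S1_MME_PORT:
            return None                         # not an S1-MME setup
        if ip_address(flow["dst"]) not in MME_NET:
            return None                         # not toward an MME
        src = flow["src"]
        if src in self.known:
            return None                         # already inventoried
        self.known.add(src)
        planned = src in self.commissioned
        alert = {
            "time": flow["time"],
            "enodeb": src,
            "mme": flow["dst"],
            "status": "commissioned" if planned else "unplanned: verify before trusting",
        }
        self.alerts.append(alert)
        return alert

# Constructed telemetry: one planned turn-up, a repeat, user-plane noise, one unplanned eNodeB.
SAMPLE_FLOWS = [
    {"time": "2019-01-29T08:00:00Z", "src": "10.10.5.7",  "dst": "10.20.1.10", "proto": "sctp", "dport": 36412},
    {"time": "2019-01-29T08:00:05Z", "src": "10.10.5.7",  "dst": "10.20.1.10", "proto": "sctp", "dport": 36412},
    {"time": "2019-01-29T08:01:00Z", "src": "10.10.9.9",  "dst": "10.20.1.10", "proto": "udp",  "dport": 2152},
    {"time": "2019-01-29T08:02:00Z", "src": "10.10.77.3", "dst": "10.20.1.11", "proto": "sctp", "dport": 36412},
]

def run(flows, commissioned):
    """Replay flow records through a fresh inventory and return the alerts raised."""
    inv = ENodeBInventory(commissioned)
    for f in flows:
        inv.observe(f)
    return inv.alerts

if __name__ == "__main__":
    for a in run(SAMPLE_FLOWS, commissioned=["10.10.5.7"]):
        print(a)
```

In production the `known` set would be persisted and seeded from the existing eNodeB inventory, otherwise every site fires an alert on the first day of monitoring.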
Traffic Anomalies
Scenario: an incorrect prefix is redistributed into routing, producing unexpected infrastructure communication from a cell site.

Multiple alarms generated. Operational Integrity through Stealthwatch's Network Accountability.
“Often legitimate credentials are compromised,
enabling intruders to get in, and masquerade as
legitimate users, coming after the network.”
Rob Joyce, Tailored Access Operations, NSA
https://www.youtube.com/watch?v=bDJb8WOJYdA
Insider Threat

Who's behind the breaches? 25% involved internal actors.

What tactics do they use? 81% of hacking-related breaches leveraged stolen and/or weak passwords.

Verizon 2017 Data Breach Report: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

Be Like Mike

Pramod: Employee, Trusted, Authorized, Admin
Mike: Employee, Trusted, Authorized, Admin

Insider Threat Detection

Diagram: Internet, Corp IT, DCN, IMS and EPC segments separated by firewalls. Mike, an insider, is hoarding data from the Billing Database (IMSI, MSISDN, Physical Address, Payment Details) and exfiltrating it toward the Internet.
Insider Threat Detection

Deploy Stealthwatch across the network to maximize the ability to spot anomalies.

Diagram: Stealthwatch collecting telemetry from the Corp IT, DCN, IMS and EPC segments and the firewalls between them.
Data Hoarding and Exfiltration Alarms in Stealthwatch

Screenshot callouts: details on the host; lots of traffic to Confidential Servers, much more than we would expect; host classification.

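The "much more than we would expect" callout above and the Normal High / Normal Low band on the earlier Anomaly Detection slide are the same idea: a per-host baseline and an alarm when a day falls outside it. The following is an added example, not Cisco's code and not the algorithm Stealthwatch uses: it derives a band (mean plus or minus k standard deviations) from each host's own history of daily byte totals toward the Confidential Servers group (hoarding) and toward external addresses (exfiltration), and returns an alarm carrying the host's classification so the analyst sees who the host is. Host names, byte counts and the k factor are constructed; as the slide says, suspicion is not proof of guilt, so the alarm is a lead for investigation.

```python
"""Baseline-driven hoarding/exfiltration check (added example, not Cisco's code).

Each host gets a per-metric normal band from its own history of daily byte
totals. A day above the normal-high line (mean + k * standard deviation)
raises an alarm naming the host's classification. Hosts, byte counts and the
k factor are constructed.
"""
from statistics import mean, pstdev

def baseline(history, k=3.0):
    """Normal band for one metric from historical daily totals."""
    mu, sd = mean(history), pstdev(history)
    return {"mean": mu, "normal_low": max(0.0, mu - k * sd), "normal_high": mu + k * sd}

def evaluate(host, classification, history, observed, k=3.0):
    """Compare today's totals with each metric's band; return the alarms raised."""
    alarms = []
    for metric, past in history.items():
        band = baseline(past, k)
        today = observed[metric]
        if today > band["normal_high"]:
            alarms.append({
                "host": host,
                "classification": classification,   # e.g. the "Admin" role from the slides
                "metric": metric,
                "observed": today,
                "normal_high": band["normal_high"],
                "ratio": today / band["mean"] if band["mean"] else float("inf"),
                "verdict": "investigate",            # an anomaly, not proof of intent
            })
    return alarms

# Constructed daily byte totals for the past week (1e9 = 1 GB).
HISTORY = {
    "bytes_from_confidential_servers": [1.0e9, 1.2e9, 0.9e9, 1.1e9, 1.0e9, 1.3e9, 1.1e9],
    "bytes_to_external":               [5.0e7, 6.0e7, 4.0e7, 5.5e7, 5.0e7, 6.5e7, 4.5e7],
}

# Today: one admin pulls roughly 40x the usual volume from the confidential group
# and pushes 9 GB outside; a colleague has a slightly busy but ordinary day.
MIKE_TODAY   = {"bytes_from_confidential_servers": 42.0e9, "bytes_to_external": 9.0e9}
PRAMOD_TODAY = {"bytes_from_confidential_servers": 1.3e9,  "bytes_to_external": 6.0e7}

if __name__ == "__main__":
    for host, today in (("mike", MIKE_TODAY), ("pramod", PRAMOD_TODAY)):
        for alarm in evaluate(host, "Admin", HISTORY, today):
            print(f"{alarm['host']} ({alarm['classification']}): {alarm['metric']} "
                  f"= {alarm['observed']:.2e}, {alarm['ratio']:.0f}x normal")
```

A week of history is the minimum that makes a standard deviation meaningful; with a longer window the band should also be recomputed per weekday or shift, otherwise a legitimate Monday batch job trips the hoarding alarm every week.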
What else might be leaking?
Validating Core Segmentation

Perimeter Connections Known
Segments Identified
Segments Enforced by Firewalls

Core: What passes through the firewall? What data leaves the network? What is the data classification?

Validating Core Segmentation

If you can't see the data, you can't classify it, and you can't control it.

Core: What passes through the firewall? What data leaves the network? What is the data classification?

General Data Protection Regulation

Fines of up to 4% of global revenue

What data leaves the network?
For example, how would you know if your equipment calls home?

Diagram: an external connection from equipment in the Operator Network, across the Internet, to the Vendor.

Comprehensive Operational Integrity

The General Ledger allows forensic queries and understanding of what is communicating.

Are the eNodeBs talking to the outside world?
Enhanced Visibility in the Evolved Packet Core

Policy Compliance: detect miscommunication within nodes in the EPC.
Insider Threat: detect rogue behavior from trusted actors inside the perimeter.
Rogue Node Detection: detect rogue eNodeB and small cell turn-up.
Data Classification: identify flows in and out of the EPC for data classification.

Diagram: the Evolved Packet Core at the centre, with Visibility and Classify as the two capabilities around it.

"The theme I want you to take away is, if
you really want to protect your network,
you really have to know your network."
Rob Joyce, Tailored Access Operations, National Security Agency

Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Continue Your Education

Demos in the Cisco Showcase | Walk-in self-paced labs | Meet the engineer 1:1 meetings | Related sessions

Thank you
