D2S4.Security Analytics Update

Security Analytics Update
Oct 2019 SEVT – Technical Session
Bryan Doerr, Rajat Gulati, Kyle Winters
Oct 2019
Global
#GST #CISCOVT #CISCOSE
Sales Training
Prevent where you can,
Block what you know,
For the rest, there’s Stealthwatch
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Global
Sales Training
At the end of this session, you should
be able to:
• Understand Stealthwatch Focus for
FY20
• State upcoming Stealthwatch
roadmap items
Key Learning • Communicate the vision for logging
Objectives and analytics for NGFW
• Know how to position the latest
Stealthwatch Professional Services
offering
• Access Stealthwatch REST API
content on DevNet
Sales Training
Today’s Agenda
Stealthwatch FY20 Focus
Stealthwatch FY20
Releases – SWE & SWC
Cisco Security and Logging
Stealthwatch Professional
Services & DevNet
Summary
Sales Training
Stealthwatch
Prof. Services
FY20 Focus FY20 Releases CSAL
+ DevNet
Sales Training
FY20 Strategy Summary
Strategic Imperatives
Enhance Automated Breach Detection

Increase threat landscape coverage and detection
precision
Expand Stealthwatch Ecosystem

Expand Total Addressable Market through Attach
and Integration
Protect Customers’ Journey to the Cloud

Accelerate Stealthwatch’s leadership position in
protecting Multi-Cloud IT Infrastructures
Stealthwatch Vision
Unify the Stealthwatch Experience

Provide Unified, Scalable User Experience On-prem,
Hybrid or in Cloud
Sales Training
FY20 Stealthwatch Detection Enhancements
Behavioral Detections Behavioral Detection
Today Tomorrow
Industry Leading
Highly Competitive Cisco Integrated
Team Enhancements Process Improvements Outcomes

• Threat Researchers added to • Align ATS Planning • Broader coverage of Mitre
Stealthwatch Team
• Improved Transparency • Improved Efficacy
• Embed Researchers on RET
• Quarterly Research Outcome • Acceleration of Detections to
• Talos Shared Research Reviews market
• Increased collaboration • Multi-telemetry: infrastructure,
between SW and Cognitive endpoint, application and
teams workload
Sales Training
PCM Addresses Public Clouds and Web-scale Apps
FY20: Expanded Marketplace Presence
PUBLIC
CLOUDS
FY20: IaaS Telemetry FY20: Cloud Event Management
Expansion Integration
ON-PREM NETWORK
PRIVATE
CLOUD HQ
Network
Stealthwatch Users
Cloud
Serverless Data Center
SWC
Container FY20: Compliance Support Sensor
Virtualization Admin
Sales Training
Stealthwatch Vision Stealthwatch
Today
Stealthwatch
Enterprise Cloud
• Respond to the market
direction toward SaaS
services Consistent
Common User product
95% Helpful,
• Support on-prem Actionable
Experience
Use cases/
integrations
across Cisco
Shared Alerts
preferences of larger Workflows Products and
Clouds
companies
• Achieve broad integration Stealthwatch
across the Cisco portfolio
SaaS Delivery On-Prem Delivery
• Provide customers with a
unified experience Tomorrow
Sales Training
The Journey
Functional Gap Filling

Stealthwatch Stealthwatch
Cloud SaaS
Continuous Upgrade
On-premises to SaaS migrations
Periodic Upgrade
Stealthwatch Stealthwatch
Enterprise On-Premise
Architectural Evolution
Sales Training
Stealthwatch
Prof. Services
+ DevNet
Sales Training
Two FY20 SWE Feature Releases
Nov 2019 April 2020

SWE SWE
7.1.2 7.2
FCS FCS
Sales Training
SWE 7.1.2
• Triple A with TACACs
• TACACS+: Remote Authentication
and Authorization for external
TACACS+ users with manual role
mapping
• SWE CTR Integration Phase 1

• Casebook Widget, Pivot Menu from
SWE to CTR, High Severity Alarms
and Enrichment push to CTR
• Phase 2 Custom alarms coming in 7.2
Sales Training
7.2 Smart Licensing
• Only customers with Term licenses
will be able to upgrade to 7.2 and
above.
• All Customers will need to have a
Smart Account and Term licenses
converted
• Smart Licensing will report
consumption and compliance or not
• Customers will be notified of
compliance, but not disabled
• Embedded trial license in SWE will
include a 90 day trial of Threat Intel
(SLIC), Proxy, and CTA
Sales Training
7.2 User Interface
• SBG Common Experience

• Common user experience across
all Cisco security products
• Report/Document Builder
MVP – Custom Dashboards
Sales Training
7.2 Response
Management
• Moving Response
management to the web UI
• Including custom alarm
activation of ISE policies
Sales Training
Response Management
Example: Services Delivering Radware Integration
Stealthwatch 3. DefenseFlow, Attack
LiveCycle Automation
Defense Messaging engine, triggers BGP
Diversion and pushes
Network Protection Policy to
DefensePro in the Scrubbing
Center.
2. Attack Detected by Cisco NOC / SOC
Stealthwatch.
Attack details Reported to
DefenseFlow Automation Engine. NetFlow
BGP
Diversion DefensePro
DDoS Server Farm
Security Policy Inline
DDoS DDoS DDoS

Attack Tools EDGE
& Router
Legit Users CPE
1. Volumetric DDoS
Attack targeting Core DDoS
Network & Devices.
DefensePro 4. Attack blocked by
DefensePro in the
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Scrubbing Center Global
Scrubbing Center
Sales Training
7.2 Moving to Web UI
• DSCP Configuration
• Data Retention
Configuration
Alarm Severity
moving from Java •
to Web UI • Services
• Domain Properties
Sales Training
7.2 Host Lock Policies
Move to the Web UI
• Host Lock policies configured in Java UI,

will automatically be migrated to
Customizable Stealthwatch Events in
the Web UI
• Original Host Locks will no longer trigger
events
• Response Management rules that
include the Alarm type of “Host Lock
Violation” will be auto-updated.
Sales Training
7.2 Adding Talos Partnership
Current Next Future
Phase 1 Phase 2 – 7.2 Release
• Joint marketing efforts • Leverage Talos for event • Replace current threat feed
• Joint authoring with SWC and alert context, for all with Talos content and
content customers lookups
• Threat hunting with Cisco • Leverage Talos to augment
Talos and Cisco current Threat Intelligence,
Stealthwatch Cloud for Threat Intelligence
Whitepaper License customers
“Stealthwatch is backed by a world class threat research team that is unique to

Cisco ... Talos”
Sales Training
7.2 New Flow Sensor Model
• Replace FS4210 with FS4240
• 4210 will announce EOL when
the 4240 is orderable
• FS4240
• 4 x 10G Intel X710
• 2 x 40G FastLinq QL45412HLCU-CI
• User configuration option in UI to use either card but not both simultaneously
• Line rate speeds for either config for base netflow
(ETA or App ID would reduce throughput capacity)
• Future 100G connection capability would be a future new appliance model
Sales Training
7.2 Stealthwatch Datastore (ST-DS) Appliance
Query and Report Scalable Ingest

Scalable Storage Detection Analytics
Response
Queries and reports go Storage with built in HA Single cluster capable of Ability to add on SWC
from several hours to scales to needs without monitoring up to 3 detections and entity
minutes to return results adding FCs. Million+ FPS modelling that is not
vs. standard Stealthwatch possible with FC engine
Capable of adding nodes Capability of monitoring
for long term storage more hosts on each FC
and storing attach connected to cluster
telemetry
Sales Training
Andrea
7.2 CDS: Current Deployment vs New Deployment
• Maintenance cost and effort is lower

• Native scalability leads to expansion and more Flow
Rate License purchased
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential • G l o b aplatform
Architecture enables a better detection l with
higher customer helpfulness score
Sales Training
Stealthwatch Data Store (ST-DS)
Estimated Features Timeline
Feature SWE – Today SWE CDS – 7.2 SWE CDS – FY21
GOOD BETTER BEST
Query and
FC Placement and Post Improved Performance and
Report Processing for Scale Efficacy with CDS
Optimized Reporting
Response
Scalable Scale by adding FC Add Storage on Demand
Low Cost Long Term Storage
Storage With Storage High Availability
Scalable Inefficient scaling

3M FPS at Launch
Add Lite Weight Collectors Continued Scaling
Ingest Ingest New Telemetry
Detection Limited to FC engine Base for Top SWC detections

Analytics
© 2019 Cisco and/or its affiliates. All rights reserved.
Statistical based
Cisco Confidential
SWC Style Detections SWC classification and roles
Global
Sales Training
Two FY20 SWE Feature Releases
Nov 2019 Feb 2020 May 2020
SWC SWC … SWC

Q1 Q2 Q4
Sales Training
SWC Q1-Q4 FY20 Summary
• Cisco Security Analytics & Logging
• CDO/NGFW: Provide visibility & security
analytics
• Extending ETA to SWC
• Adding Groups and Policy
• Support for SBG SSO
• Integrations with CTR
• ISE beta (user) integration
• Detections & feature parity Azure and
GCP relative to AWS
• Threat Intelligence - Talos
Sales Training
FY20 Q1 SWC/CI
Integration
• SWC consumes Cognitive
Confirmed Threat Service (CTS)
• CTS powers new observations
and alerts in SWC
• SWC consumes ETA Telemetry
from CSR, ASR 1K, ASR 4K,
CAT 9K (9300/9400)
• Coming Soon
• Crypto Audit Report
• Official ETA support/EN Packages
Sales Training
FY20 Q1 Cisco Secure Sign-On
Secure Identity
Strong security that meets the
highest industry standards
Benefits to
Duo MFA Cisco Security
Centrally protected and managed • Drive portfolio adoption
credentials in one secure portal
• Gain insights into cloud
subscriptions
Seamless workflows • Central landing portal
for POVs and user
One login to access all your apps
and maintain context through flows communications
• Both CDO and SWC have enabled opt-in for Cisco Secure Sign-On on Oct 15, 2019
• Cross-launch between CDO and SWC is therefore seamless and using same credentials
© 2019 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential Global
Sales Training
FY20 SWC
Azure Capabilities
• New Azure roles created include:
ex. Azure Availability Set, Load
Balancer, etc
• New Azure alerts
ex. Permissive Security Group,
Permissive Storage Account
• New Azure functionality on the
roadmap include:
- Abnormal User alerting
- Automating Azure setup
- Integration with Marketplace
Sales Training
FY20 Grouping and Policy
• Focused on compliance and

segmentation use cases
• Create a group of network
entities
• Entities are raw IPs or Subnets
• Apply connection watchlist
monitoring for policy violations
Sales Training
Stealthwatch
Prof. Services
+ DevNet
Sales Training
Cisco Security Analytics & Logging
• Receives logs, events, and telemetry from Cisco Store & search logs in the cloud
SBG products (starting with CDO managed FTDs
and on-premise network elements) Security analytics for threats,
policy, and compliance
• Logging is the foundation for platform use cases
• Reporting, archival storage for compliance, forensics
Enrichment for incidents from
• Security analytics is the differentiator network logs
• Threat detection, asset discovery, policy tuning,
compliance validation
• Cisco product easy button, not a SIEM
• Enriches incidents by collecting logs from the network
• Offered in tiered subscriptions & can be white-labeled
Sales Training
Cisco Security Analytics & Logging Licenses
90-day rolling log retention (at 1, 5, 10, 15 or 25 GB per day) per tenant Commentary
SWC Analytics for PNM

Logging Service
Extend behavioral analytics • Storage amount needed to
inside the network store 90-days of logs at
chosen ingest rate.
SWC Analytics for NGFW SWC Analytics for NGFW • Ingest and storage shared
across all CDO managed
Behavioral Threat Detection on Behavioral Threat Detection on firewalls of tenant/
Per CDO tenant
Firewall Logs Firewall Logs

customer
Logging Service Logging Service Logging Service
Firewall Analytics
Near-Real time events viewer – • Behavioral Analytics
Near-Real time events viewer – Near-Real time events viewer –
search, sort, filter search, sort, filter search, sort, filter performed on logs sent at
the ingest rate.
Single Single Single
PID 1/3/5 Year Subscription PID 1/3/5 Year Subscription PID 1/3/5 Year Subscription Stealthwatch Private Network
Monitoring
• 50 endpoint licenses for
Lic LT - Logging and Lic FA - Firewall Analytics Lic TA -Total Network Analytics PNM included with 1GB/day
Troubleshooting (CDO UI) & Detections (SWC UI) & Detections (SWC UI) of NGFW ingest
Per FW
Cisco Defense Orchestrator (Mandatory for all licenses) purchased per Firewall
Logging Estimator
Single
1/3/5 Year Subscription (Required)
© 2019 PID
Cisco and/or its affiliates. All rights reserved. Cisco Confidential Global
Sales Training
Stealthwatch
Prof. Services
+ DevNet
Sales Training
Stealthwatch Professional
Services
Sales Training
Why Sell Stealthwatch Services
Increase Lock-in Renewal Accelerate and

Customer Value Revenue Increase
Realization Subsequent
Deals
Sales Training
“I always introduce services to my customers!
Professional Services ensures Stealthwatch is
properly installed and integrated, and worked
firmly into their security toolset. I know that a
happy customer will be an easy renewal when
the time comes, and it keeps my time free to
hunt for new opportunities. ”
💰
James Gill
Technical Solutions Architect
Sales Training
What Customers Are Saying…
Sales Training
Stealthwatch Customer Maturity Model
Services Services Services

• Stealthwatch Deployment • Host Group Automation Service • SIEM Integration Service
Service • Asset Discovery & Classification • Web Proxy Integration Service
• Flow Collector 5000 Series Service (NEW) • Flow Adapter Service
Deployment Service • Threat Assessment Service (NEW) • Tag Traffic Analytics Service (NEW)
1. Visibility 2. Detection 3. Integration

Deploy and Learn Tuning and Automation Integrate with External Systems
Services
• Subject Matter Expert Service
• Stealthwatch Implementation
Subscription Service
• Onsite Knowledge Transfer
Sales Training
Stealthwatch Asset Discovery
& Classification Service
Sales Training
Asset Discovery & Classification Service
• Provide maximum value to
customers through
enhanced visibility and
monitoring of asset
connectivity
• Find undiscovered devices
from various sources of
network data
• Dig into communication
vectors with easy-to-read
and interactive charts
Sales Training
Asset Discovery and Classification Service
ISE and Stealthwatch
Custom reportingHost ISE andStealthwatch
Stealthwatch Host Custom output
Groups
dashboards Groups
host groups connectors
Asset Discovery & ISE and Stealthwatch

Custom “rules” Host
ISE and Stealthwatch Host Groups Groups
Classification Service app/port, seed, PCI,…
ISEStealthwatch
and Stealthwatch Host
BiFlows
Metadata from “connectors”
Release Groups
6.8.2 and later
AD, Radius, other IPAM

Application enriched flow,
Flow Sensor, PaloAlto, Packet
Flow Flow Flow Shaper
ISE Tetration logs Collector Collector Collector
Stealthwatch
Server agent logs
host groups - Roadmap
Sales Training
Cluster Analysis
Sales Training
Cluster Contents
Sales Training
Asset Discovery & Classification Service Benefits
• Decrease manual efforts and increase
productivity through automation
• Sort and report on assets continuously
• Help reduce the complexity of
segmentation projects
• Receive detailed charts and connectivity
maps
• Improve policy and access decisions
• Design a more available and optimized
network
Sales Training
What’s Included
• Installation of Stealthwatch PoC and analysis software tools
• Data Collection
• Data Analysis for common communication profiles
• Classification rule definition
• Build Segments/Enclaves
• Report generation
• Connectivity vector chart
• Stealthwatch host groups creation
• Enclave population reports
Sales Training
Quoting, Pricing and Sizing
Quoting Pricing
• AS Subscription Tier 1 Tier 2 Tier 3

• Ordered via AS Estimator Less than 20,000 Between 20,000 and > 100,000 endpoints
• Quoted by Deal endpoints 100,000 endpoints -------------------
Acceleration Team (DAT) ------------------- ------------------- Target Net Price
• Pre-packaged template Target Net Price Target Net Price: $300,000
quotes $120,000 $210,000
• SKU is BCS-Stealthwatch
Implementation Sizing
• Approximate # of endpoints = # employees x 3x

• Any Device with an IP Address including IoT
Sales Training
What is DevNet?
Sales Training
DevNet Mission
Drive business growth for Cisco and its partners and customers
Build a fiercely loyal community and ecosystem
Make DevNet
Drive industry
Make innovation easy developers
transformation
successful
Drive API excellence and developer experience
Sales Training
DevNet Community
510,000+ 33,000+
Members Companies
72,500+ 60,000
Learning Labs completed Avg. Monthly Active Users
DevNet Data as of July 11, 2018 Sales Training
DevNet Community
Pivot Technology Solutions ITC DIMENSION DATA

TELSTRA CORPORATION LIMITED NETECH CORPORATION
TATA CONSULTANCY SERVICES LIMITED 5thColumn LLC NETDESIGN A/S AT&T SERVICES, INC
AIRBUS IBM Bell Canada ALPHAWEST SERVICES VERIZON SERVICES CORP.
ACCENTURE
BAE Systems BT WORLD WIDE TECHNOLOGY, INC
GENERAL ELECTRIC XIANS
HARRIS CORPORATION ITALTEL SPA AVODAQ AG Deloitte PROXIMUS TELINDUS LUXEMBOURG
SWISSCOM AGNWN CORPORATION

ITOCHU TECHNO-SOLUTIONS CORPORATION (CTC)
NETCRAFTSMEN Radware Ltd Ericsson AB ORANGE BUSINESS SERVICES CDW
Dell INSIGHT DIRECT USA INC TELUS COMMUNICATIONS CERNER CORPORATION
PRESIDIO
CenturyLink NETCLOUD AG
DEUTSCHE TELEKOM AG Vodafone GENERAL MOTORS
Purple WiFi Ltd MACROVIEW TELECOM BECHTLE LOGISTIK & SERVICE GMBH
Data from user profile page, sample size 20K Sales Training
Enabling end-to-end developer success
API Experience Developer Sandbox Training and Tutorials
Sample Code Co-Creations Developer Advocacy
build learn
</>
developer.cisco.com evolve
Sales Training
Stealthwatch & DevNet
Sales Training
Stealthwatch API Documentation
Sales Training
Stealthwatch API Sample Scripts
Sales Training
Stealthwatch Code Exchange
Scripts include:
• stealthwatch-csv-tools
• TalosBlacklistImporter
Coming soon! scripts to integrate with:

• Tetration
• Industrial Network Director (IND)
• Sentryo / CyberVision
Sales Training
Stealthwatch API Forum
Sales Training
New! Stealthwatch DevNet Sandbox
Sales Training
Coming Soon…
Stealthwatch Learning Labs Stealthwatch Cloud on DevNet
• API Documentation
• Sample Scripts
• Code Exchange
• Learning Labs
On demand Learning Resources!
Sales Training
What to do next?
• Start your DevNet Journey
developer.cisco.com/startnow/
• Stealthwatch DevNet Learning Resources
• Stealthwatch Enterprise REST API
documentation
• Set of Postman collections and Python sample
scripts
• Code Exchange for Stealthwatch Enterprise
• Cisco Forum for Stealthwatch APIs
• Other DevNet Resources

• Coding Fundamentals Learning Lab
• Network Programmability Learning Lab
https://developer.cisco.com/stealthwatch/
• Explore Code Exchange for ideas and code https://blogs.cisco.com/developer/stealthwatch-on-devnet
samples
Sales Training
Call to Action
• Sign-up for your Stealthwatch Cloud Account
• Go to the CDO Update Session on Tuesday
• Have your Customer Use the Sealthwatch DevNet Sandbox
• Make Money Selling Stealthwatch
Sales Training
It’s Survey Time!
Audience feedback is
crucial to continuous
improvement, be sure
to encourage survey
completion at the end
of your session...
Sales Training

D2S4.Security Analytics Update

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

D2S4.Security Analytics Update

Uploaded by

Copyright:

Available Formats

Security Analytics Update

Oct 2019 SEVT – Technical Session

Bryan Doerr, Rajat Gulati, Kyle Winters

Cisco Security and Logging

Enhance Automated Breach Detection

Expand Stealthwatch Ecosystem

Protect Customers’ Journey to the Cloud

Unify the Stealthwatch Experience

Team Enhancements Process Improvements Outcomes

Functional Gap Filling

On-premises to SaaS migrations

Nov 2019 April 2020

• SWE CTR Integration Phase 1

• SBG Common Experience

DDoS DDoS DDoS

• Host Lock policies configured in Java UI,

“Stealthwatch is backed by a world class threat research team that is unique to

Query and Report Scalable Ingest

7.2 CDS: Current Deployment vs New Deployment

• Maintenance cost and effort is lower

Scalable Inefficient scaling

Detection Limited to FC engine Base for Top SWC detections

Nov 2019 Feb 2020 May 2020

SWC SWC … SWC

• Focused on compliance and

SWC Analytics for PNM

Firewall Logs Firewall Logs

Increase Lock-in Renewal Accelerate and

Services Services Services

1. Visibility 2. Detection 3. Integration

Asset Discovery & ISE and Stealthwatch

AD, Radius, other IPAM

• AS Subscription Tier 1 Tier 2 Tier 3

• Approximate # of endpoints = # employees x 3x

Drive API excellence and developer experience

Pivot Technology Solutions ITC DIMENSION DATA

SWISSCOM AGNWN CORPORATION

Sample Code Co-Creations Developer Advocacy

Coming soon! scripts to integrate with:

• Industrial Network Director (IND)

On demand Learning Resources!

• Other DevNet Resources

You might also like