
Singapore, 16 April 2019
#CiscoConnectSG
Security and Visibility for the
Modern Networks
Ross Traynor, Cybersecurity Specialist, Cisco
Eric Rennie, Systems Engineer, Cybersecurity, Cisco
Digitization complicates visibility
Market demands have taken the network beyond your perimeter

• More IoT devices connect every day: over 20B connected "things" will be in use by 2020
• Threats are more numerous and complex: companies experienced a 27.4% average increase in security breaches in 2019
• Users work anywhere across many devices: by 2020, 2/3rds of all IP traffic will come from wireless and mobile devices
• Threats are using encryption to evade detection: 3X increase in encrypted communication from malware in a 12-month period
The vendor buffet is not a strategy
Adding point solutions adds complexity and can make you less secure

• 55% of customers rely on more than 5 vendors to secure their network [1]
• 54% of legitimate security alerts are not remediated due to lack of integrated defense systems [2]
• 100 days: industry average to detect a common threat [3]

(Chart: Complexity versus Capabilities)

[1] Cisco 2019 Annual Cybersecurity Report
[2] Cisco 2019 Annual Cybersecurity Report
[3] Cisco 2019 Mid-Year Cybersecurity Report
The Solution: Network + Security
Activate your network for more holistic security

• See everything: transform the network into a powerful security sensor for complete visibility
• Understand behavior: identify host role and monitor behavior without endpoint agents
• Contain and isolate threats: dynamically enforce software-defined segmentation based on business roles
• Detect encrypted threats: use advanced analytics to automatically detect encrypted threats without decryption
Cisco Stealthwatch
Gain confidence in your security effectiveness

Contextual network-wide visibility | Predictive threat analytics | Automated detection and response

Built on: behavioral modeling, machine learning, global threat intelligence, using existing network infrastructure
Detects: unknown threats, insider threat, encrypted malware, policy violations
Stealthwatch Use Cases

Context-Aware Visibility
 Network, application, and user activity
 Monitor lateral movement using the network as a sensor
 Application awareness

Threat Detection
 Advanced persistent threats
 Insider threat
 DDoS
 Data exfiltration

Incident Response
 In-depth, flow-based forensic analysis of suspicious incidents
 Scalable repository of security information

Network Planning & Diagnostics
 Network segmentation to profile application / device traffic
 Capacity planning
 Performance monitoring

User Monitoring
 Cisco ISE
 Monitor privileged access
 Policy enforcement

Customer Use Cases: https://www.techvalidate.com/product-research/cisco-stealth-watch/facts
Key features

• Visibility everywhere: analyses enterprise telemetry from any source (NetFlow, IPFIX, sFlow, other Layer 7 protocols) across the extended network
• Encrypted Traffic Analytics: only product that can analyze encrypted traffic to detect malware and ensure policy compliance without decryption
• Rapid Threat Containment: quarantine infected hosts easily using the Identity Services Engine (ISE) integration; collect and store network audit trails for deeper forensic investigations
• Unique threat detection: combination of multi-layer machine learning and behavioral modeling provides the ability to detect inside as well as outside threats
• Smart segmentation: create logical user groups that make sense for your business; monitor the effectiveness of segmentation policies through contextual alarms
Collecting and optimizing telemetry

Scaling and Optimization: stitching
Scaling and Optimization: deduplication

(Figure: the same conversation between 10.1.1.1 port 80 and 10.2.2.2 port 1024 is reported by three exporters)
Router A: 10.1.1.1:80 -> 10.2.2.2:1024
Router B: 10.2.2.2:1024 -> 10.1.1.1:80
Router C: 10.2.2.2:1024 -> 10.1.1.1:80
Duplicates

Deduplication
• Avoid false positives and misreported traffic volume
• Enable efficient storage of telemetry data
• Necessary for accurate host-level reporting
• No data is discarded
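The stitching and deduplication step above, as an added example that is not Stealthwatch code: unidirectional NetFlow records from several exporters are folded into one bidirectional conversation, each direction's volume is counted once, and the list of exporters that saw the flow is kept. The records are constructed to mirror the slide and the "lower port is the server" rule is an assumption.

```python
"""Added example (not Stealthwatch code): stitch unidirectional flow records
into bidirectional conversations and deduplicate across exporters.
Records are assumed to cover a single flow interval."""

# Constructed records: (exporter, src, sport, dst, dport, proto, bytes, packets)
RECORDS = [
    ("RouterA", "10.1.1.1", 80, "10.2.2.2", 1024, 6, 6000, 10),
    ("RouterB", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 900, 8),
    ("RouterC", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 900, 8),   # duplicate of B
    ("RouterA", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 900, 8),   # duplicate of B
    ("RouterA", "10.3.3.3", 40000, "10.1.1.1", 443, 6, 1200, 5),
]

def conversation_key(src, sport, dst, dport, proto):
    """Direction-independent key; the side with the lower port is the server
    (assumption; Stealthwatch's real heuristics are not on the page)."""
    if (sport, src) < (dport, dst):
        return (proto, src, sport, dst, dport)
    return (proto, dst, dport, src, sport)

def stitch(records):
    """Return {key: {client_bytes, server_bytes, client_pkts, server_pkts, exporters}}.
    Each direction's bytes/packets are counted from the first exporter that
    reported it; later copies only add the exporter name (nothing discarded)."""
    convs = {}
    for exporter, src, sport, dst, dport, proto, nbytes, pkts in records:
        key = conversation_key(src, sport, dst, dport, proto)
        side = "server" if (src, sport) == (key[1], key[2]) else "client"
        c = convs.setdefault(key, {"client_bytes": 0, "server_bytes": 0,
                                   "client_pkts": 0, "server_pkts": 0,
                                   "exporters": set(), "counted": set()})
        c["exporters"].add(exporter)
        if side in c["counted"]:
            continue  # duplicate copy of a direction already counted
        c["counted"].add(side)
        c[side + "_bytes"] += nbytes
        c[side + "_pkts"] += pkts
    return convs

def naive_total_bytes(records):
    """Volume you would report without deduplication (every copy counted)."""
    return sum(r[6] for r in records)

def stitched_total_bytes(records):
    """Volume after stitching: each direction of each conversation once."""
    return sum(c["client_bytes"] + c["server_bytes"] for c in stitch(records).values())

if __name__ == "__main__":
    print(naive_total_bytes(RECORDS), "bytes naive vs", stitched_total_bytes(RECORDS), "stitched")
```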
Industry-leading Security Analytics
Anomaly detection using behavioral modeling

• Collect and analyze telemetry: comprehensive data set optimized to remove redundancies
• Create a baseline of normal behavior: security events to detect anomalies and known bad behavior
• Alarm on anomalies and behavioral changes: alarm categories for high-risk, low-noise alerts for faster response

Threat
Analysis of multiple threat behaviors

Threshold and anomaly checks on metrics such as:
• Number of concurrent flows
• New flows created
• Number of SYNs received
• Packets per second
• Number of SYNs sent
• Rate of connection resets
• Bits per second
• Time of day
• Duration of the flow

(Figure: flows to Exchange Servers)
Behavioral & Anomaly Detection Model
Behavioral Algorithms are Applied to Build "Security Events"

Collect and Analyze Flows -> Security Events -> Alarm Category -> Response

Security Events (examples): Addr_Scan, Bad_Flag_ACK**, Beaconing Host, Bot Infected Host - Successful C&C, Brute Force Login, Fake Application, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Data Hoarding, Suspect Data Loss, Suspect Long Flow, UDP Received, ..

Alarm Categories: Concern, Recon, C&C, Exploitation, Data hoarding, Exfiltration, DDoS target

Response: Alarm table, Host snapshot, Email, Syslog / SIEM, Mitigation
Logical alarms based on suspicious events

• Concern: source or target of malicious behavior; scanning, excessive network activity such as file copying or transfer, policy violation, etc.
• Reconnaissance: port scanning for vulnerabilities or running services
• Command and Control: communication back to an external remote controlling server through malware
• DDoS Activity: sending or receiving SYN flood and other types of data floods
• Insider threats: data hoarding and data exfiltration
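The baseline-then-alarm pipeline described in the last three slides (collect metrics, build a per-host baseline, raise security events, map them to alarm categories), as an added example that is not Stealthwatch code. Metric values, thresholds, the sigma cut-off and the event-to-category mapping are constructed for the example; only the event and category names are taken from the slides.

```python
"""Added example (not Stealthwatch code): per-host baseline, threshold and
anomaly security events, and event-to-alarm-category mapping."""
from statistics import mean, pstdev

# Constructed 7-day history per host: (bytes_out_external, new_flows, syns_sent, syn_acks_received)
HISTORY = {
    "10.201.3.149": [(2e6, 300, 310, 300)] * 7,
    "10.201.3.150": [(5e5, 120, 125, 120)] * 7,
}
# Constructed values for the current day
TODAY = {
    "10.201.3.149": (9e7, 320, 330, 315),   # huge outbound volume, otherwise normal
    "10.201.3.150": (4e5, 2500, 2600, 40),  # many SYNs, almost none answered
}

SYN_SCAN_MIN = 1000        # threshold rule (assumed policy value)
SYN_ANSWERED_MIN = 0.5     # below this fraction of answered SYNs -> scan
ANOMALY_SIGMA = 3.0        # anomaly rule: std devs above the host's baseline

EVENT_TO_CATEGORY = {      # names from the slide; mapping is an assumption
    "Addr_Scan": "Recon",
    "Suspect Data Loss": "Exfiltration",
    "Max Flows Initiated": "Concern",
}

def baseline(samples):
    """(mean, std) per metric column; std is floored so a flat history
    still yields a usable deviation scale."""
    cols = list(zip(*samples))
    return [(mean(c), max(pstdev(c), 0.05 * mean(c), 1.0)) for c in cols]

def security_events(host, today, hist):
    """Security events for one host from today's metrics and its history."""
    events = []
    b = baseline(hist)
    bytes_out, new_flows, syns, syn_acks = today
    if syns >= SYN_SCAN_MIN and syn_acks / syns < SYN_ANSWERED_MIN:
        events.append("Addr_Scan")                      # threshold rule
    if (bytes_out - b[0][0]) / b[0][1] > ANOMALY_SIGMA:
        events.append("Suspect Data Loss")              # anomaly rule
    if (new_flows - b[1][0]) / b[1][1] > ANOMALY_SIGMA:
        events.append("Max Flows Initiated")            # anomaly rule
    return events

def alarms(today=TODAY, history=HISTORY):
    """{host: sorted list of alarm categories raised today}"""
    return {h: sorted({EVENT_TO_CATEGORY[e] for e in security_events(h, today[h], history[h])})
            for h in today}
```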
Alarms tied to specific entities

• Quick snapshot of malicious activity
• Suspicious behavior linked to logical alarms
• Risks prioritized to take immediate action
Investigating a host

(Screenshot: Host Summary for 10.201.3.149 with fields User Name, Device Name, Device Type, Host Group, Location, Last Active Status, Session Information, Policies, and Quarantine / Unquarantine actions; Traffic by Peer Host Group, within and outside the organization; Alarms by Type and Flows History for 12-Jan to 16-Jan showing Data Exfiltration, High Traffic, Packet Flood and Data Hoarding)

Summary of aggregated host information | Observed communication patterns | Historical alarming behavior
Encrypted Traffic Analytics
Encrypted Traffic Analytics (ETA)
Visibility and malware detection without decryption

Malware in Encrypted Traffic: is the payload within the TLS session malicious?
• End to end confidentiality
• Channel integrity during inspection
• Adapts with encryption standards

Cryptographic compliance: how much of my digital business uses strong encryption?
• Audit for TLS policy violations
• Passive detection of ciphersuite vulnerabilities
• Continuous monitoring of network opacity
Detect malware in encrypted traffic

• Initial data packet: make the most of the unencrypted fields
• Sequence of packet lengths and times: identify the content type through the size and timing of packets
• Global Risk Map: know who's who of the Internet's dark side

(Figure labels: C2 Message, Data Exfiltration, Self-Signed Certificate)
Identifying malicious encrypted traffic

(Figure: sent and received packet sequences between client and server for three traffic types: Google Search Page Download, Initiate Command and Control, Exfiltration and Keylogging)

Packet lengths, arrival times and durations tend to be inherently different for malware than benign traffic
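The "initial data packet" idea from the ETA slides, as an added example that is not Cisco ETA code: the unencrypted fields of a TLS ClientHello (version, offered cipher suites, SNI) are parsed and checked against a local cryptographic-compliance policy. The ClientHello bytes are constructed, and the weak-suite policy list is an assumption.

```python
"""Added example (not Cisco ETA code): parse the cleartext fields of a TLS
ClientHello and flag offered cipher suites that violate a TLS policy."""
import struct

SUITE_NAMES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA",          # IANA registry names
               0x000a: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0xc02f: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               0x1301: "TLS_AES_128_GCM_SHA256"}
WEAK_SUITES = {0x0005, 0x000a}  # assumed policy: RC4 and 3DES are violations

def build_client_hello(server_name, suites):
    """Constructed ClientHello in a TLS record, with an SNI extension."""
    name = server_name.encode()
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00"               # version, random, empty session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)  # null compression, extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(data):
    """Return {"version", "suites", "sni"}, or None if not a ClientHello record."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        return None
    p = 9                                        # past record + handshake headers
    version = data[p:p + 2]; p += 2 + 32         # client version, random
    p += 1 + data[p]                             # session id
    n = struct.unpack("!H", data[p:p + 2])[0]; p += 2
    suites = [struct.unpack("!H", data[i:i + 2])[0] for i in range(p, p + n, 2)]
    p += n
    p += 1 + data[p]                             # compression methods
    sni = None
    if p + 2 <= len(data):
        ext_end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]; p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[p:p + 4]); p += 4
            if etype == 0:                       # server_name: list len, name type, name len
                nlen = struct.unpack("!H", data[p + 3:p + 5])[0]
                sni = data[p + 5:p + 5 + nlen].decode()
            p += elen
    return {"version": version.hex(), "suites": suites, "sni": sni}

def policy_violations(hello):
    """Names of weak suites the client offered (empty list means compliant)."""
    return [SUITE_NAMES.get(s, hex(s)) for s in hello["suites"] if s in WEAK_SUITES]
```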
Accelerated Threat Response
Cisco Identity Services Engine (ISE)

Identity Services Engine provides network and user context (who, what, where, when, how) to Stealthwatch security analytics: contextual data collected from users, devices, and network is sent to Stealthwatch Enterprise for advanced insight.

Rapid Threat Containment
Without any business disruption

• pxGrid: information shared with other network and security products
• Context: Identity Services Engine supplies context to the Cisco Stealthwatch Management Console
• Mitigation: quarantine or unquarantine infected host
Architecture and integrations
Required core
components
Stealthwatch Management Console (SMC) Management Console
• A physical or virtual appliance that aggregates, organizes, and
presents analysis from Flow Collectors, Identity Services Engine
(ISE), and other sources
• User interface to Stealthwatch
• Maximum 2 per deployment
Flow Collector (FC)
• A physical or virtual appliance that aggregates and normalizes Flow Rate
NetFlow and application data collected from exporters such as Flow Collector License
routers, switches, and firewalls
• High performance NetFlow / SFlow / IPFIX Collector
• Maximum 25 per deployment
Flow Rate License
• Collection, management, and analysis of telemetry by
Stealthwatch Enterprise
• The Flow Rate License is simply determined by the number/type
of switches, routers, firewalls and probes present on the network
Stealthwatch Enterprise architecture

(Diagram: Management Console providing comprehensive visibility and security analytics; ISE; Threat Intelligence License; Cognitive Intelligence; Flow Collector; Other Traffic Analysis Software; Stealthwatch Cloud; UDP Director; Flow Sensor and Flow Sensor VE on a hypervisor with VMs; Telemetry for Encrypted Traffic Analytics; NetFlow-enabled routers, switches and firewalls; Endpoint License; Proxy Data; non-NetFlow-enabled equipment)
Solution lifecycle for Cisco Stealthwatch Enterprise and Stealthwatch Customer Experience

Stealthwatch Services: Professional, Learning, Support

Visibility across your entire network
 Error free deployment
 Highest performance flow collection
 Train your staff
 24x7 Customer Support

Detection based on your business needs
 Adopt and improve threat detection fidelity
 Reduce time to detection and response of threats
 Tactical workshops for use cases

Utilization
 Integrate with your incident response plan
 Integrate with your telemetry stack with Cisco and 3rd party solutions
 Virtual labs and e-learning courses
 24x7 Customer Support
How Stealthwatch CX has helped
Provide network visibility across IT network

Challenges
• SIEM integration with Stealthwatch Enterprise is extremely difficult to do on your own
• Many SOC teams place strong emphasis on working out of a SIEM
• SIEM is viewed as the "single pane of glass" for their security workflow

(Screenshot: SIEM dashboard with Stealthwatch Enterprise pivots "Go to Stealthwatch" and "Get top peer report")

Results
• Through an extended set of REST API capabilities that are installed for the customer, Professional Services works directly with the customer to understand their investigation workflow
• Integrate these API capabilities into their SIEM through either apps, add-ons, or right-click pivot capabilities
• Reduce the mean time to resolution for customers by enriching the data they use for investigation with Cisco Stealthwatch data
• Provide a clearer picture as to the nature and behaviour of the suspicious host in question, giving them a higher degree of accuracy in securing their networks faster.
Demo