
Page 1: Cisco Cyber Vision Instant Demo v2...2020/11/06  · Cisco Cyber Vision is a passive solution that leverages deep packet inspection (DPI) with the ability to understand or “decode”

Demonstration Guide

Cisco dCloud

© 2020 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 36

Cisco Cyber Vision Instant Demo v2

Created in Partnership with Technical Marketing Engineering

Last Updated: 06-November-2020

About This Demonstration

This is the Instant Demonstration of Cisco Cyber Vision. It offers immediate access to an overview of Cisco Cyber Vision with no scheduling involved. Some features may be limited or unavailable because of the limited privileges of the demonstration user. Full access with administrator privileges is available with the scheduled version: Cisco Cyber Vision Demo v2.1.

This guide for the preconfigured demonstration includes:

About This Demonstration

Requirements

About This Solution

Scenario 1. Cyber Vision Solution Overview

What’s Next?


Limitations

In this demo environment there is no real hardware attached to the network, therefore certain features are not available as they would be in a production deployment. The instant demonstration user's privilege settings also limit access to, and execution of, some features.

Customization Options

For streamlined client demos, the following customizations are suggested:

• Importing the user’s own PCAP file is an option available with the scheduled demo version, Cisco Cyber

Vision Demo v2.1, which the user is invited to explore.

Requirements

The table below outlines the requirements for this preconfigured demonstration.

Required: Laptop

Optional: none

About This Solution

Cisco Cyber Vision provides organizations the ability to gain visibility into industrial environments including full

details of what assets are on the network, how those assets are communicating, and application level

understanding of operational information. As a result, Cisco Cyber Vision provides views and capabilities,

including integrations that can be leveraged by security teams, IT infrastructure teams, and operational teams to

ensure system integrity and protect against cyber risks.

In this lab, users will gain familiarity with Cisco’s Cyber Vision including:

• Overall system architecture

• Asset and flow visibility

• Organization and ease of viewing data in the system

o Presets

o Tags

• System events and quickly identifying changes in the environment

• Generating Reports for compliance and tracking

• Quickly identifying vulnerabilities

• Role Based Access Control

• Syslog Integrations (SIEM)


Cisco Cyber Vision is a passive solution that leverages deep packet inspection (DPI) with the ability to

understand or “decode” industrial protocols to identify assets, application flows, and compare against known

baselines to identify anomalies or operational changes.

There are two key components that make up the Cyber Vision solution, the Cyber Vision Center and the Cyber

Vision Sensor. The Cyber Vision Sensor is the component that receives raw traffic to analyze, identifies

important information, and then sends it to the Cyber Vision Center. The Cyber Vision Center receives the flow

and application information from the sensors and performs analysis to identify the assets, application flows and

activities, and attach additional information in the form of asset and activity tags. These tags provide a

mechanism for users of the tool to quickly and easily understand relevant information that has been identified.

Equipment Details

Name: Cyber Vision Center

Description: Enables the industrial network to collect the information required to provide comprehensive visibility, analytics, and threat detection.

Username: [email protected]

Password: C1sco12345


Scenario 1. Cyber Vision Solution Overview

Value Proposition: Cisco Cyber Vision provides organizations a deeper level of understanding of what industrial

devices are on the network, which devices are communicating with each other, as well as how and exactly

what is being exchanged. The tool is designed to be leveraged across an organization including operations, IT,

and security. In this section you will highlight the information the system is able to collect and the functions that

make it a valuable tool for all users.

1. After clicking the VIEW button it may take a few moments for the login landing page to appear. If necessary, log in as [email protected] using the password C1sco12345; otherwise you should land directly on the Cisco Cyber Vision dashboard.

2. You will be at the main dashboard:


3. Note the system has already had data loaded for demo purposes. There is currently no live traffic in the

system.

4. This dashboard provides a quick view into system activity. Here we can get a quick count of:

• Components – Assets that Cyber Vision has discovered

• Groups – A method to organize components, typically tied to physical location

• Activities – A set of flows or communications between devices; multiple flows can make up a single activity

• Vulnerabilities – Vulnerabilities that have been identified against the discovered components

• Variables – Memory pointers inside a device or protocol that were sent across the network

• PLC Program Download – A specific activity that results in modifying the code in a PLC

• System Events – System-defined activities such as logging into the system, a new component being discovered, or a component being changed. These events are organized by criticality (colored circles).

5. Note the navigation bar on the left-hand side:

6. You will go through these sections as you navigate this demonstration. Also note the bar can be minimized

by clicking the left-hand pointer at the bottom of the bar (or expanded back by clicking the right-hand

pointer at the bottom when minimized.):


7. Select the Explore menu from the top left-hand side:

8. The first screen that loads is the Presets section. Note at the top of the screen the navigation bar shows you

the location where you are: Explore / All Presets /. This will change as we continue to navigate through the

screens.

9. In the Cyber Vision Center a preset is essentially a set of filters to only look at the information a user is

concerned with. This may be a method to filter to only look at a specific type of device or devices only in a

specific area.

10. Note there are two types of presets: system presets that are pre-populated and custom presets that users

create. Our demo system today has custom presets already created that are not part of a fresh install. All

custom (user created) presets are under the My preset section, all the others are system presets.

11. Scroll through the list and note the various types of system presets. Since Cyber Vision is a tool that can be

used by IT users, Operational Users, and Security professionals you can see how some of the automatic

presets can allow those personas to quickly access the information they are concerned with.


12. Click the [Munich] OT Traffic preset under the My preset section (second from the left).

[Slide: Cisco Cyber Vision, designed to meet the needs of all stakeholders. Security Leaders / CSO Office: extends SOC capabilities to the OT domain; enables collaboration with OT teams. Industrial Operations: understands OT protocols and process information; provides critical insights to ease day-to-day operations. IT Infrastructure: built into network equipment for easy deployment; helps drive network segmentation projects.]


13. Note that when the page loads, the navigation at the top shows you are at the Explore / [Munich] OT

Traffic / Dashboard:

14. At any point you can change the preset or the view from the drop-downs in the navigation bar.

15. The Dashboard is another quick highlight view of all the devices inside the selected preset. In this case we are looking at everything that is essentially control system behavior, not broadcast or ARP traffic. But first we need to change the time frame of the view. The following steps set a time frame that matches our test network database, since we do not have a live network available.

16. Notice there is a time frame shown near the top (actual times displayed will vary). This allows you to filter on

what time range you want to view data. By default, this view is set to LIVE for the last hour, though may be

different on the display due to the nature of the instant demonstration environment.

17. As mentioned, this system is looking at stale data so let us change that to look at a larger time frame.


18. Now click over LIVE and select LAST DAY to change to the last 24 hours data.

19. Notice that various places in the interface use this time range. The ability to look at data from any point in time lets you go back and see what has changed over time, or whether any unexpected behavior has occurred. This is what makes Cyber Vision the industrial network's 'flight recorder'. Some fields may differ unless otherwise noted.

20. In the dashboard you will see similar information at the top of the page, including the number of components, activities, vulnerabilities, and variables. There is also a count of the number of system events and credentials. If Cisco Cyber Vision sees any credentials on the wire, a count of them appears here (there are none in this demo data). Actual values displayed may differ from what is shown in the following screenshot.


21. Also note the tags at the bottom of the page.

• Component tags are applied to devices themselves

• Activity tags are assigned to activities

22. Multiple tags can be applied to a single device or activity. Tags are a method to simplify the information

learned about a device or an activity without requiring the user to understand all the specifics of what a

device is or how a protocol works. Tags are automatically applied by Cisco Cyber Vision and are not

modifiable here in the GUI. However, a user can create their own tags and rules on how they are applied via

the RESTful API, which is beyond the scope of this demonstration.

23. Note the filter information on the left-hand side. Browse by clicking the caret to the right of each entry or the arrow to the left of the sub-entries.

24. Each entry can be set to include, exclude, or not use as part of the filter.

NOTE: If a device has multiple tags, for example broadcast and arp, and you exclude broadcast, you still see the device because it is also tagged arp. Tags, groups, and source sensor are the high-level filters available here.

25. At the top navigation bar, choose the drop-down next to Dashboard and then select Map – Expert.


26. The Map - Expert view allows a user to move components around and resize as needed. The map is

essentially showing a logical view of which devices and activities are part of the preset. If devices are

grouped, they show (in a colored box) what group they are part of. The activity between the devices is

shown in the form of links or arrows. Note, this is a logical view of how devices are communicating; it is not

a physical or topology view.

27. The devices are laid out by the system, but you can select the Camera fit icon in the lower-left corner

to return to the system default layout.

If what is displayed does not match the image above, click Explore from the left pane and then select the [Munich] OT Traffic preset. You can zoom in and out using the controls in the lower left of the graphic window.

28. New in Cyber Vision v3.1: PDF and CSV export across the platform. Several buttons are now available in the GUI to download a list or map as CSV and PDF files.


29. In the top right you will see the Export to PDF icon; click it to generate the PDF file. The downloaded file appears at the bottom left of your screen; click it to open the PDF map.

30. The legend in the top-left shows the color coding related to the activity between devices.

31. In this view we can quickly see there is important traffic and control system behavior that has been

observed between these devices. Icons of the device/vendor are applied to known devices. If there is a

device that does not have enough information or is unknown to Cyber Vision, it will show as a gear icon.

32. Vulnerabilities are shown as a number in a red circle on the top-left of the device icon. If it is a modular

system such as the Rockwell Automation device in this group, there will be a number in a black square.

33. Click the S7-400 station_1 icon.

34. A slider pane will appear from the right side and show more details about the device. From here the tags

quickly show what types of activities have been observed such as a Start CPU and Stop CPU command as

well as variables that have been read. This again shows the benefit of the automated tagging that quickly

bubbles up information without requiring a user to have a deep understanding or needing to look at all the

flow information.


35. At the bottom of the slide out we can quickly see the number of flows, events, vulnerabilities, credentials,

and variables we have observed related to this device.


36. Click the Technical Sheet link near the middle of the slide out:

37. Here are more details that Cyber Vision has learned about the device, such as the vendor, model name, firmware version, and more. If you scroll to the bottom you can also see an explanation of the component tags that have been applied to the device.


38. Click the Security tab.

39. Here users can see a number of vulnerabilities that are known about this device. Historically the vulnerability

information was provided via a curated list that users could upload to the system offline to update the

database. The Cyber Vision Center essentially is matching all the information it knows about the device with

known vulnerabilities against that type of hardware, version of firmware, etc.

40. Here users can see the issue, whether there is a solution and what it is, the Common Vulnerability Scoring System (CVSS) score, and any relevant links, such as from the vendor or ICS-CERT. Users can also acknowledge an issue, essentially recording why they are not going to correct it, to reduce the number of displayed vulnerabilities against systems they cannot update or that are not relevant, e.g. a vulnerability in a PLC web server that the user has disabled.
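The matching and acknowledgement logic described in steps 39 and 40, as an added example written for this guide rather than Cisco's own code: components are matched on vendor, model and a firmware range, and an acknowledgement keeps the finding on record with its reason instead of deleting it. The vulnerability records, component names, firmware strings and acknowledgement are all constructed for the example; none of them are real advisories.

```python
"""Added example (not Cisco's code): match discovered components against a vulnerability
list by vendor, model and firmware range, and keep acknowledged findings visible but
separated from open ones."""
import re

# Constructed vulnerability records for this example only: not real advisories, no CVE IDs.
VULN_DB = [
    {"id": "demo-vuln-1", "vendor": "Siemens", "model": "S7-400", "fixed_in": "V5.4.0", "cvss": 7.5,
     "summary": "constructed: issue in the CPU's embedded web server"},
    {"id": "demo-vuln-2", "vendor": "Siemens", "model": "S7-400", "fixed_in": None, "cvss": 9.8,
     "summary": "constructed: issue with no vendor fix published"},
    {"id": "demo-vuln-3", "vendor": "Rockwell Automation", "model": "1756-L71", "fixed_in": "21.011",
     "cvss": 8.6, "summary": "constructed: issue fixed in a later firmware release"},
]
# Constructed components, shaped like the technical sheet fields (vendor, model, firmware).
COMPONENTS = [
    {"name": "S7-400 station_1", "vendor": "Siemens", "model": "S7-400", "firmware": "V5.3.2"},
    {"name": "S7-400 station_2", "vendor": "Siemens", "model": "S7-400", "firmware": "V5.4.1"},
    {"name": "1756-L71 rack", "vendor": "Rockwell Automation", "model": "1756-L71", "firmware": None},
]
# Acknowledgements keyed by (component, vulnerability) with the reason the user recorded.
ACKNOWLEDGEMENTS = {("S7-400 station_1", "demo-vuln-1"): "web server disabled on this CPU"}


def parse_version(version: str) -> tuple:
    """'V5.3.2' -> (5, 3, 2). Vendor prefixes are dropped so strings compare numerically."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(component: dict, vuln: dict) -> bool:
    """Vendor and model must match; firmware below the fix version (or unknown) is affected."""
    if component["vendor"] != vuln["vendor"] or component["model"] != vuln["model"]:
        return False
    if vuln["fixed_in"] is None:          # no fix published: every firmware level is affected
        return True
    if not component["firmware"]:         # firmware not learned yet: report rather than silently clear
        return True
    return parse_version(component["firmware"]) < parse_version(vuln["fixed_in"])


def match_vulnerabilities(components, vuln_db, acknowledgements) -> dict:
    """{component name: findings sorted by CVSS desc}; acknowledged findings stay, with the reason."""
    report = {}
    for comp in components:
        findings = []
        for vuln in vuln_db:
            if not is_affected(comp, vuln):
                continue
            reason = acknowledgements.get((comp["name"], vuln["id"]))
            findings.append({**vuln, "acknowledged": reason is not None, "reason": reason})
        report[comp["name"]] = sorted(findings, key=lambda f: -f["cvss"])
    return report


def open_findings(report: dict) -> dict:
    """Unacknowledged vulnerability IDs per component: what a dashboard count should reflect."""
    return {name: [f["id"] for f in findings if not f["acknowledged"]]
            for name, findings in report.items()}


if __name__ == "__main__":
    for name, ids in open_findings(match_vulnerabilities(COMPONENTS, VULN_DB, ACKNOWLEDGEMENTS)).items():
        print(f"{name}: {len(ids)} open -> {ids}")
```

Two points a practitioner would want beyond the guide: an unknown firmware version is reported as affected rather than quietly passing, and an acknowledgement is keyed on component and vulnerability only, so a later firmware change on that component will not re-surface the finding; in practice, include the firmware version in the acknowledgement key, and treat modular systems (the black-square count in step 32) module by module, since chassis and modules carry separate firmware.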

41. Click the Automation tab.

42. Here a user can see which variables or memory pointers inside the device are being accessed and how. In

this case it is a Siemens device using an addressing scheme of M 300.0 for example and the data is being

read. A user can also see what device is accessing that data point, and when the first and last access

occurred. This screen can quickly identify, at an application layer, what information is being leveraged by

the process.


43. Next click the Activity tab.

44. Here users can see a focused Minimap that shows only the activity and flows directly related to this device.


45. There are more details such as when the flow was first and last observed, the number of packets and bytes, and the direction of the flow. This view also shows which tags are applied to which flows, surfacing the application-level information. Scrolling down in the window reveals the Flows table.

46. Click the line of the first flow (which has the Start CPU, Stop CPU, and S7 Tags).

47. This screen shows greater detail about the specific flow and protocol level details. Since this is a Siemens

device leveraging the S7 protocol, we can see several commands were issued including a plc-stop

command and a plc-control command.


This detailed view provides a user more granular understanding of exactly what has been sent to the PLC,

such as commands and the number of occurrences, to identify any anomalous behavior or trace down any

changes to the environment. For a user who is an expert in industrial protocols this information is very

useful to gain an understanding of all that is happening. This also shows the benefit of the tags, as without

protocol level understanding, it may be difficult to look at these details and fully understand what has

occurred.
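What the sensor-to-tag pipeline from the About This Solution section looks like in code, applied to the S7 flow examined in step 47, as an added example written for this guide and not Cisco's own implementation: the decoder follows the public S7comm (ISO-on-TCP, TCP port 102) byte layout, but the tag names (Start CPU, Stop CPU, Read Variable, Control System Behavior) and the mapping from function codes to those tags are this example's own, and the six PDUs are constructed rather than captured. It also decodes the M 300.0 address from step 42 out of a Read Var request.

```python
"""Added example (not Cisco's code): decode S7comm requests the way a passive DPI
sensor would and derive activity tags from them. Byte layouts follow the public
S7comm (ISO-on-TCP, port 102) format; the tag names are this example's own."""
import struct
from collections import Counter

# S7comm job function codes (protocol constants).
S7_FUNCTIONS = {
    0x04: "Read Var", 0x05: "Write Var",
    0x1A: "Request Download", 0x1B: "Download Block", 0x1C: "Download Ended",
    0x1D: "Start Upload", 0x1E: "Upload", 0x1F: "End Upload",
    0x28: "PLC Control", 0x29: "PLC Stop", 0xF0: "Setup Communication",
}
S7_AREAS = {0x81: "I", 0x82: "Q", 0x83: "M", 0x84: "DB"}
ROSCTR_JOB = 1


def variable_address(params: bytes) -> str:
    """Render the first 'any' item of a Read/Write Var request in Siemens notation, e.g. 'M 300.0'."""
    item = params[2:14]                      # function, item count, then one 12-byte item
    db, area = int.from_bytes(item[6:8], "big"), item[8]
    bit_addr = int.from_bytes(item[9:12], "big")   # byte address * 8 + bit
    name = f"DB{db}.DBX" if area == 0x84 else S7_AREAS.get(area, f"area-0x{area:02x}")
    return f"{name} {bit_addr >> 3}.{bit_addr & 7}"


def parse_s7(pdu: bytes) -> dict:
    """Decode TPKT + COTP DT + S7comm header; return ROSCTR, function, PI service and variable."""
    if len(pdu) < 17 or pdu[0] != 0x03 or struct.unpack("!H", pdu[2:4])[0] != len(pdu):
        raise ValueError("not a well-formed TPKT frame")
    if pdu[5] != 0xF0:                       # only COTP data TPDUs carry S7 payload
        raise ValueError("not a COTP DT TPDU")
    s7 = pdu[5 + pdu[4]:]
    if s7[0] != 0x32:
        raise ValueError("not S7comm")
    rosctr = s7[1]
    param_len = struct.unpack("!H", s7[6:8])[0]
    hdr_len = 12 if rosctr in (2, 3) else 10  # Ack/Ack_Data carry error class + code
    params = s7[hdr_len:hdr_len + param_len]
    msg = {"rosctr": rosctr, "function": params[0] if params else None,
           "service": None, "variable": None}
    fn = msg["function"]
    if rosctr != ROSCTR_JOB:
        return msg
    if fn in (0x04, 0x05) and len(params) >= 14:
        msg["variable"] = variable_address(params)
    elif fn == 0x29:                         # PLC Stop: 5 unused bytes, length, PI service name
        msg["service"] = params[7:7 + params[6]].decode("ascii")
    elif fn == 0x28:                         # PLC Control: 7 unused, block length, block, length, PI service
        off = 10 + struct.unpack("!H", params[8:10])[0]
        msg["service"] = params[off + 1:off + 1 + params[off]].decode("ascii")
    return msg


def tags_for(msg: dict) -> set:
    """Map one decoded request to activity tags; responses carry no tags of their own."""
    if msg["rosctr"] != ROSCTR_JOB or msg["function"] is None:
        return set()
    fn, svc, tags = msg["function"], msg["service"], {"S7"}
    if fn == 0x04:
        tags.add("Read Variable")
    elif fn == 0x05:
        tags.add("Write Variable")
    elif 0x1A <= fn <= 0x1C:
        tags.add("Program Download")         # the dashboard's "PLC Program Download" category
    elif 0x1D <= fn <= 0x1F:
        tags.add("Program Upload")
    elif fn == 0x29:
        tags.add("Stop CPU")
    elif fn == 0x28:
        tags.add("Start CPU" if svc == "P_PROGRAM" else "PLC Control")
    if tags & {"Stop CPU", "Start CPU", "Program Download", "Write Variable"}:
        tags.add("Control System Behavior")
    return tags


def summarize_flow(pdus) -> dict:
    """Aggregate one client->PLC flow: per-command occurrence counts plus the union of tags."""
    commands, tags = Counter(), set()
    for pdu in pdus:
        msg = parse_s7(pdu)
        if msg["rosctr"] == ROSCTR_JOB:
            commands[S7_FUNCTIONS.get(msg["function"], f"unknown-0x{msg['function']:02x}")] += 1
            tags |= tags_for(msg)
    return {"commands": dict(commands), "tags": sorted(tags)}


# Constructed sample PDUs (not captured traffic): setup, two reads of M 300.0, stop, its ack, start.
SETUP = bytes.fromhex("03000019" "02f080" "32010000000100080000" "f0000001000101e0")
READ_M300 = bytes.fromhex("0300001f" "02f080" "320100000002000e0000" "0401" "120a10020001000083000960")
STOP = bytes.fromhex("03000021" "02f080" "32010000000300100000" "29" "0000000000" "09") + b"P_PROGRAM"
STOP_ACK = bytes.fromhex("03000014" "02f080" "320300000003000100000000" "29")
START = bytes.fromhex("03000025" "02f080" "32010000000400140000" "28" "000000000000fd" "0000" "09") + b"P_PROGRAM"
SAMPLE_FLOW = [SETUP, READ_M300, READ_M300, STOP, STOP_ACK, START]

if __name__ == "__main__":
    print(summarize_flow(SAMPLE_FLOW))
```

The point to take from the example is the one the guide makes in prose: nothing in the S7comm request authenticates the client, so a PLC Stop is one 33-byte frame from anyone who can reach port 102, and a passive sensor can only observe it. Tagging turns that observation into something an operator can act on without reading hex, which is why the Stop CPU tag and the Control System Behavior roll-up, rather than the raw function code, are what should feed events and the SIEM.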

Click the X in the top-right to return to the Map view.

48. At the top navigation choose the Map-Expert drop-down and then select the Map – Simple from the list.


49. The simple map is just that, it removes any additional devices that may not be controls related. It is a fixed

view; you cannot re-orient the devices in this view.

50. At the top navigation choose the Map-Simple drop-down and then select Component list.


51. The Component list is a table view of all the devices, within the preset, that have been discovered by the

Cyber Vision Center. Note we can quickly see information including the IP, MAC, associated tags, flows,

vulnerabilities, and variables, as well as the vendor, OS, Model, and Firmware where applicable. At any

point you can also click a device to view the device information on the right side slider, as in the Map view.

52. New in Cyber Vision v3.1: Export to CSV is available in the component list, at the top right of the screen.

53. Click Export to CSV; a CSV file appears at the bottom left of your screen. Click it to open it; a Text Import form will appear, so click OK to open the file. Once the file is open you will see the Name, Group, Industrial Impact, First Activity, and other columns.


54. At the top navigation choose the Component list drop-down and then select Activity list.

55. This view provides a table of all the activities that match the current preset. Note this is not flows, but a

high-level summation of the flows observed and the communication between the devices. Just as before

we can see information counts and tags associated with these activities.

56. New in Cyber Vision v3.1: Export to CSV is also available in the activity list, at the top right of the screen.


57. You can select any activity and a more detailed view of that specific activity will show on the right-hand

slider. Please select S7-400 STATION_1 (DELL 192.168.105.241) activity as an example.

58. Click on the X in the upper right-hand corner when done to close the slider.

59. At the top navigation choose the Activity list drop-down and then select Purdue Model.


60. The purpose of this view is to overlay the devices in a Purdue model approach (IEC 62443). The Purdue model is an approach designed to identify devices in levels (0-5) dictated by their function:

• Level 0 devices interact with the real world (proximity sensors, actuators, valves)

• Level 1 devices interact with level 0 devices (I/O block)

• Level 2 with level 1 (PLC) and so on

Since Cyber Vision has an understanding of the devices, this is a view to overlay the device type against the levels. Note that many devices could fall into different levels (such as a PLC), so the task of identifying the level is difficult. The tags are what are used to assign the Purdue Level.

61. On the left side select the Reports menu.


62. While the data from Cyber Vision can be accessed via the GUI or via the RESTful API, there are scenarios such as compliance where having a detailed report is beneficial or even required. The four types of reports available are:

• An Inventory report of the components in the Cyber Vision Center, including component details

• An Activity report including the details of flows between devices

• A Vulnerability report including details of why each vulnerability is relevant

• A PLC report focused on PLC-specific information such as variable access

63. Select the Activity report.

64. In the History section select one of the reports that has been previously generated. The figure below shows an example of a previously created report. Click the download icon to view it in a new tab. For demonstration purposes, this saves the time it takes for a new report to be created.


65. The report opens in a new browser tab.

66. Return to the Reports - Cisco Cyber Vision browser tab and then select Events on the left side.


67. You get the Events Dashboard. Events are grouped by severity (colored circles):

• Critical

• High

• Medium

• Low

68. Under the circles you see the detected event types for each severity. You can change the time frame for the events shown; by default the time frame is 1 day.

69. Click on Calendar in the top right corner to switch to the calendar view.


70. In the calendar view you see events in the chronological order.

71. From this view you can select different timeframes to show: Day, Week, Month, Year.

72. You can filter events by severity by clicking the corresponding colored rectangle. Click the orange rectangle to show only High severity events.

73. The currently applied filter is shown at the top of the screen. Click the X next to High to clear the high-severity filter.


74. You can also search for specific events from the calendar view. At the top of the page there is a Search an event field. Type ‘Snort’ there and press Enter.

75. You get 2 Signature based Detection events. Click on the caret to the right of an event to see detailed information about it.


76. Return to the Reports - Cisco Cyber Vision browser tab and then select Monitor on the left side.

77. As part of the new features that have been added, new baselines can be created from the presets by clicking on the ellipsis option. Cyber Vision can then detect changes that happen relative to this baseline and alert you about them. A Demo Baseline has been created for All Data present in this lab. You can see that 8 changes happened after the baseline was created. Click on DemoBaseline to see the changes.


78. You get the map view, where you can see New (solid red line), Changed (dotted red line) and Unchanged (solid grey line) components.


79. To the left of the map you see the menu, which shows the number of new or changed components and activities. Click on 1 new component to see the details.


80. You see that 1 component has been added and 3 components have been changed for the created baseline. Now click on 1 new activity to see the list of new/changed activities.

81. You see 1 new activity and 3 changed activities for the created baseline.


82. Click on NEW activity to see details.

83. Return to the Reports - Cisco Cyber Vision browser tab and then select Search on the left side.


84. Another very useful tool in Cisco Cyber Vision is the ability to search. Imagine Rockwell suddenly releases an advisory for version 16.3 of their firmware and you need to know exactly where those devices are located. One option is to do a search here. In the search bar type 16.3 and then click Search. Here you can see that the result is a 1756-L55/A, and you can access the technical sheet for that device on the right side.

85. Now, let us do a search for all Rockwell devices. In the search bar type Rockwell and then click Search. You will see every device that has Rockwell associated with it.
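The baseline comparison in steps 77 to 82 and the free-text search in steps 84 and 85 come down to two operations: a diff of two keyed inventory snapshots (new, changed, unchanged) and a substring match over every property of every component. The Python below models both over a small constructed inventory. It is an added example, not Cyber Vision code; every MAC, IP, vendor, model and firmware value in it is made up for illustration (the 1756-L55/A at firmware 16.3 is the only value taken from the guide). It goes one step beyond the guide by also reporting components that disappeared since the baseline, a "missing" category the demo's map view does not show.

```python
"""Baseline change detection and inventory search, modelled in plain Python.

Added example for this guide (not Cyber Vision code): it mirrors the Monitor
baseline feature (steps 77-82) and the Search feature (steps 84-85). All MAC,
IP, vendor, model and firmware values below are constructed sample data.
"""
from dataclasses import asdict, dataclass, fields
from typing import Dict, FrozenSet, Hashable, List, Tuple, TypeVar

K = TypeVar("K", bound=Hashable)
V = TypeVar("V")


@dataclass(frozen=True)
class Component:
    """One discovered device. The MAC used as dictionary key is its identity;
    the properties are what a passive DPI sensor learns from traffic."""
    ip: str
    vendor: str
    model: str
    firmware: str


# An activity is a conversation between two components (ordered MAC pair)
# together with the set of protocols or tags observed on it.
ActivityKey = Tuple[str, str]
Activities = Dict[ActivityKey, FrozenSet[str]]

# Constructed baseline: the snapshot taken when the baseline was created.
BASELINE_COMPONENTS: Dict[str, Component] = {
    "02:00:00:00:00:01": Component("10.1.10.21", "Rockwell Automation", "1756-L55/A", "16.3"),
    "02:00:00:00:00:02": Component("10.1.10.22", "Rockwell Automation", "1756-ENBT", "6.6"),
    "02:00:00:00:00:03": Component("10.1.20.31", "Siemens", "S7-1200", "4.2"),
    "02:00:00:00:00:04": Component("10.1.30.10", "Dell", "Engineering workstation", "n/a"),
}
BASELINE_ACTIVITIES: Activities = {
    ("02:00:00:00:00:04", "02:00:00:00:00:01"): frozenset({"EtherNet/IP"}),
    ("02:00:00:00:00:01", "02:00:00:00:00:02"): frozenset({"EtherNet/IP", "CIP"}),
    ("02:00:00:00:00:04", "02:00:00:00:00:03"): frozenset({"S7"}),
    ("02:00:00:00:00:02", "02:00:00:00:00:03"): frozenset({"ICMP"}),
}

# Constructed current state: one new laptop, three components whose
# properties changed, and one new plus three changed conversations.
CURRENT_COMPONENTS: Dict[str, Component] = {
    "02:00:00:00:00:01": Component("10.1.10.21", "Rockwell Automation", "1756-L55/A", "16.3"),
    "02:00:00:00:00:02": Component("10.1.10.23", "Rockwell Automation", "1756-ENBT", "6.6"),  # IP changed
    "02:00:00:00:00:03": Component("10.1.20.31", "Siemens", "S7-1200", "4.4"),                 # firmware changed
    "02:00:00:00:00:04": Component("10.1.30.10", "Dell", "Engineering workstation", "v2"),     # firmware changed
    "02:00:00:00:00:05": Component("10.1.30.50", "Unknown", "Laptop", "n/a"),                  # new component
}
CURRENT_ACTIVITIES: Activities = {
    ("02:00:00:00:00:04", "02:00:00:00:00:01"): frozenset({"EtherNet/IP", "CIP", "Program download"}),
    ("02:00:00:00:00:01", "02:00:00:00:00:02"): frozenset({"EtherNet/IP", "CIP"}),
    ("02:00:00:00:00:04", "02:00:00:00:00:03"): frozenset({"S7", "Firmware update"}),
    ("02:00:00:00:00:02", "02:00:00:00:00:03"): frozenset({"ICMP", "SNMP"}),
    ("02:00:00:00:00:05", "02:00:00:00:00:01"): frozenset({"EtherNet/IP"}),
}


def diff_keyed(baseline: Dict[K, V], current: Dict[K, V]) -> Dict[str, list]:
    """Classify every key of `current` against `baseline`: new (absent from
    the baseline), changed (present, value differs) or unchanged. Keys that
    vanished are reported as 'missing', a category the guide does not show.
    Works for components and activities alike, since both are keyed dicts."""
    result: Dict[str, list] = {"new": [], "changed": [], "unchanged": []}
    for key in sorted(current):
        if key not in baseline:
            result["new"].append(key)
        elif baseline[key] != current[key]:
            result["changed"].append(key)
        else:
            result["unchanged"].append(key)
    result["missing"] = sorted(set(baseline) - set(current))
    return result


def changed_fields(old: Component, new: Component) -> List[str]:
    """Properties that differ on a changed component (the detail behind the
    dotted red 'Changed' marker in the map view)."""
    return [f.name for f in fields(Component) if getattr(old, f.name) != getattr(new, f.name)]


def search_inventory(inventory: Dict[str, Component], needle: str) -> List[str]:
    """Case-insensitive free-text search over every property, returning MACs.
    '16.3' finds whatever runs the firmware named in an advisory; 'Rockwell'
    finds every device carrying that vendor string."""
    n = needle.lower()
    return sorted(mac for mac, comp in inventory.items()
                  if any(n in value.lower() for value in asdict(comp).values()))


def baseline_summary(baseline_c: Dict[str, Component], current_c: Dict[str, Component],
                     baseline_a: Activities, current_a: Activities) -> Dict[str, int]:
    """The counts shown in the menu beside the map: new and changed
    components and activities since the baseline."""
    c = diff_keyed(baseline_c, current_c)
    a = diff_keyed(baseline_a, current_a)
    return {"new_components": len(c["new"]), "changed_components": len(c["changed"]),
            "new_activities": len(a["new"]), "changed_activities": len(a["changed"])}


if __name__ == "__main__":
    print(baseline_summary(BASELINE_COMPONENTS, CURRENT_COMPONENTS,
                           BASELINE_ACTIVITIES, CURRENT_ACTIVITIES))
    for mac in diff_keyed(BASELINE_COMPONENTS, CURRENT_COMPONENTS)["changed"]:
        print(mac, "changed:", changed_fields(BASELINE_COMPONENTS[mac], CURRENT_COMPONENTS[mac]))
    print("firmware 16.3:", search_inventory(CURRENT_COMPONENTS, "16.3"))
    print("Rockwell:", search_inventory(CURRENT_COMPONENTS, "Rockwell"))
```

Keying components by MAC rather than IP is deliberate: an IP change on a known device shows up as a changed component, which is the signal an operator wants, whereas keying by IP would report the same device as one missing plus one new. The summary counts match the demo's "1 new component, 3 changed, 1 new activity, 3 changed" only because the sample data was built that way.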


What’s Next?

Check out the related information to learn how you can explore Cisco IoT and IoT Security.

Cisco IoT

Cisco IoT Security

Industrial Security Insights and Solutions

The scheduled version of this demonstration provides the user with administrator-level privileges, and you are encouraged to explore it: Cisco Cyber Vision Demo v2.1. PCAP file replay and the ability for the user to load their own PCAP files, along with a few features not covered in this instant demonstration, are available there.