
Page 1: Detect Threats Faster with Stealthwatch - Infosec 2017

Network as a sensor

Dragan Novakovic
[email protected]
April 2017

Page 2: Realities of Modern Threats

Highlights:

• One in four breaches are caused by malicious insiders
• 95% of all cybercrime is triggered by a user clicking on a malicious link disguised to be legitimate
• Two in three breaches exploit weak or stolen passwords
• With lateral movement of advanced persistent threats, even external attacks eventually become internal threats

(Diagram: External vs. Internal, with the FW, IDS and IPS sitting at the perimeter between them)

Source: Verizon Data Breach Investigations Report and Forrester research.

Page 3: New Networks Mean New Security Challenges

It’s Not IF You Will Be Breached . . . It’s WHEN

Expanded Enterprise Attack Surface:

• Organizations lack visibility into the behavior of devices on their network (Enterprise Mobility)
• Cloud usage is becoming more prevalent, but so is the lack of visibility into the cloud (Cloud)
• Over 50 billion connected “smart objects” are projected by 2020 (Internet of Things)
• Acquisitions, joint ventures, and partnerships are increasing in frequency (Acquisitions and Partnerships)

Diagram labels: Changing Business Models; Dynamic Threat Landscape; Complexity and Fragmentation

Page 4: You Can’t Defend Against What You Can’t See

(Diagram: streams of binary data flowing between applications such as Citrix, WebEx and SAP)

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Page 5: Stealthwatch Enhances Visibility Across your Entire Business

Cisco Services and Customer Success

Extended Network:
• Gain unique visibility across your business
• Simplify segmentation throughout your networks
• Address threats faster
• Enable your network to take action

Branch:
• Extend visibility and granular access control to your remote branches
• Prevent the lateral movement of threats
• Protect your critical information

Data Center:
• Simplify policy enforcement and data center segmentation
• Accelerate incident response in the data center

Cloud:
• Gain enhanced visibility into the cloud
• Make the cloud a part of your segmentation strategy
• Identify threats quickly and take action

Cisco Stealthwatch: Analyze, Monitor, Detect, Respond

Page 6: Visibility Through NetFlow

Flow information (the fields a router or switch exports for one flow):

SOURCE ADDRESS       10.1.8.3
DESTINATION ADDRESS  172.168.134.2
SOURCE PORT          47321
DESTINATION PORT     443
INTERFACE            Gi0/0/0
IP TOS               0x00
IP PROTOCOL          6
NEXT HOP             172.168.25.1
TCP FLAGS            0x1A
SOURCE SGT           100
: :
APPLICATION NAME     NBAR SECURE-HTTP

(Diagram: 10.1.8.3 -> routers and switches -> 172.168.134.2 on the Internet)

NetFlow Provides:
• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indicators of compromise (IOC)
• Security group information

Page 7: NetFlow Supported Platforms

(Diagram: NetFlow-capable exporters, switch, router, router, firewall and data center switch, between a user and a server, with the Cisco Identity Services Engine providing identity)

For individual platform features, reference the Cisco Feature Navigator: http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp


Servers and Appliances:
• Cisco NetFlow Generation Appliance (FNF v9)
• Cisco UCS VIC (VIC 1224/1240/1280/1340/1380)
• Cisco AnyConnect Client (IPFIX) *
• Meraki MX/Z1 (v9)

Router:
• Cisco ISR G2 (FNF v9 SGT support)
• Cisco ISR 4000 (FNF v9 SGT support)
• Cisco ASR1000 (FNF v9 SGT support)
• Cisco CSR 1000v (FNF v9 SGT support)
• Cisco WLC 5760 (FNF v9)
• Cisco WLC 5520, 8510, 8540 (FNF v9)

Switch:
• Catalyst 2960-X (FNF v9)
• Catalyst 3560-X (SM-10G module only)
• Catalyst 3750-X (SM-10G module only)
• Catalyst 3850/3650 (FNF v9 SGT support)
• Catalyst 4500E (Sup7E/7LE)
• Catalyst 4500E (Sup8) (FNF v9 SGT support)
• Catalyst 6500E (Sup2T) (FNF v9 SGT support)
• Catalyst 6800 (FNF v9 SGT support)

Firewall:
• ASA5500, 5500-X (NSEL)
• FTD (NSEL in v6.2 with Flex-Config)

Data Center Switch:
• Nexus 7000 (M Series I/O modules – FNF v9)
• Nexus 1000v (FNF v9)

(Diagram label: WAN)

Page 8: Scaling Visibility: Flow Stitching

Unidirectional Flow Records (one record per direction, as exported):

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bidirectional Flow Record (conversation flow record; allows easy visualization and analysis):

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

(Diagram: 10.2.2.2 port 1024 <-> 10.1.1.1 port 80, seen on eth0/1 and eth0/2)

Page 9: Scaling Visibility: NetFlow Deduplication

Without deduplication:
• Traffic volume can be misreported
• False positives would occur

With deduplication:
• Allows for efficient storage of flow data
• Necessary for accurate host-level reporting
• Does not discard data

Duplicates (the same conversation reported by three exporters):
Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80
Router C: 10.1.1.1:80 -> 10.2.2.2:1024

(Diagram: 10.2.2.2 port 1024 and 10.1.1.1 port 80 connected through Routers A, B and C)
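
The two "Scaling Visibility" slides describe what a collector does before analysis: collapse the copies of one flow that several exporters report, then pair the two directions into a conversation record. The Python below is an added illustration of that logic over the slides' own records; it is not Stealthwatch code, and the constructed records, the lower-port-is-server heuristic and the choice to keep the maximum counter per direction are assumptions.

```python
"""Added example: exporter deduplication and flow stitching over unidirectional
NetFlow records. Not Stealthwatch code; the records are constructed to match
the slides (Routers A and B both export the client->server half of the
conversation, Router C exports the server->client half)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UniFlow:
    exporter: str
    start: str        # HH:MM:SS.mmm, so plain string comparison orders correctly
    iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    nbytes: int


@dataclass
class BiFlow:
    start: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    interfaces: list = field(default_factory=list)


def naive_bytes(flows):
    """What a collector reports if it simply sums every exported record:
    the client->server half is counted once per router that saw it."""
    return sum(f.nbytes for f in flows)


def dedup(flows):
    """Collapse copies of one unidirectional flow seen by several exporters.
    Counters are kept at the maximum reported (assumption), never summed, and
    every exporter/interface that saw the flow is retained, so no data is lost."""
    uni = {}
    for f in flows:
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port, f.proto)
        rec = uni.setdefault(key, {"start": f.start, "pkts": 0, "nbytes": 0, "seen": []})
        rec["start"] = min(rec["start"], f.start)
        rec["pkts"] = max(rec["pkts"], f.pkts)
        rec["nbytes"] = max(rec["nbytes"], f.nbytes)
        rec["seen"].append(f"{f.exporter} {f.iface}")
    return uni


def stitch(flows):
    """Pair each deduplicated direction with its reverse into one BiFlow.
    Assumption: the endpoint with the lower port number is the server."""
    convs = {}
    for (sip, sp, dip, dp, proto), rec in dedup(flows).items():
        if dp <= sp:
            client, server, from_client = (sip, sp), (dip, dp), True
        else:
            client, server, from_client = (dip, dp), (sip, sp), False
        conv = convs.setdefault(
            (client, server, proto),
            BiFlow(rec["start"], client[0], client[1], server[0], server[1], proto))
        conv.start = min(conv.start, rec["start"])
        if from_client:
            conv.client_pkts += rec["pkts"]
            conv.client_bytes += rec["nbytes"]
        else:
            conv.server_pkts += rec["pkts"]
            conv.server_bytes += rec["nbytes"]
        for seen in rec["seen"]:
            if seen not in conv.interfaces:
                conv.interfaces.append(seen)
    return list(convs.values())


# Constructed records matching the slides (Routers A and B see the same half).
SAMPLE = [
    UniFlow("Router A", "10:20:12.221", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("Router B", "10:20:12.224", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow("Router C", "10:20:12.871", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]

if __name__ == "__main__":
    conv = stitch(SAMPLE)[0]
    print("without dedup:", naive_bytes(SAMPLE), "bytes")   # 30762, client half counted twice
    print("conversation :", conv.client_bytes + conv.server_bytes, "bytes",
          conv.client_ip, "->", conv.server_ip, conv.interfaces)  # 29737
```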

Page 10: The General Ledger

• Highly scalable (enterprise-class) collection
• High compression => long-term storage
• Months of data retention

The General Ledger:
• Stitched and de-duplicated
• Conversational representation
• Highly scalable data collection and compression
• Enables months of data retention

(Diagram: each record answers Who, What, When and Where, with more context such as the security group)

Page 11: See and detect more in your network with Stealthwatch

Monitor:
• Obtain comprehensive, scalable enterprise visibility and security context
• Gain real-time situational awareness of traffic

Detect:
• Detect and analyze network behavior anomalies
• Easily detect behaviors linked to advanced persistent threats (APTs), insider threats, distributed denial-of-service (DDoS) attacks, and malware

Analyze:
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis
• Conduct thorough forensic investigations

Respond:
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats
• Continuously improve enterprise security posture

Page 12: Monitor the Network

Page 13: Host Groups: Applied Situational Awareness

A host group is a virtual container of multiple IP addresses/ranges that have similar attributes.

Best practice: classify all known IP addresses into one or more host groups.

(Screenshot: lab server grouping)

Page 14: Locate Assets

Find hosts communicating on the network
• Pivot based on transactional data

Page 15: Segmentation Monitoring with Stealthwatch

PCI Zone Map
• Define communication policy between zones
• Monitor for violations

Page 16: Modeling Policy: Alarm Occurrence

(Screenshots: alarm dashboard showing all policy alarms; details of “Employee to Production Servers” alarm occurrences; drill down into an alarm for the hosts and targets involved)
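
The four slides above describe one workflow: put known addresses into host groups, define which groups may talk to which, and alarm on conversations that break the policy. The Python below is an added illustration of that workflow, not Stealthwatch code; the group names and ranges, the policy rules and the sample conversations are all constructed, and an address may fall into more than one group, as the Host Groups slide allows.

```python
"""Added example: host-group classification and segmentation-policy monitoring
over stitched conversation records. Not Stealthwatch code; groups, ranges,
policy and sample conversations are constructed."""
import ipaddress
from collections import Counter

# Host groups: name -> IP ranges; an address may belong to several groups.
HOST_GROUPS = {
    "Employees": ["10.10.0.0/16"],
    "Production Servers": ["10.50.1.0/24"],
    "PCI Zone": ["10.60.0.0/24"],
    "Lab Servers": ["10.70.0.0/24"],
    "Datacenter": ["10.50.0.0/16", "10.60.0.0/16"],   # overlaps the two above
}

# Zone communication policy: (source group, destination group) -> permitted
# server ports; an empty set means no traffic is permitted. Pairs without a
# rule are not alarmed (this is monitoring, not enforcement).
POLICY = {
    ("Employees", "Production Servers"): {443},
    ("Employees", "PCI Zone"): set(),
    ("Lab Servers", "Production Servers"): set(),
    ("Lab Servers", "PCI Zone"): set(),
}

_NETS = {name: [ipaddress.ip_network(r) for r in ranges]
         for name, ranges in HOST_GROUPS.items()}


def host_groups(ip):
    """Every host group an address belongs to; 'Unclassified' if none."""
    addr = ipaddress.ip_address(ip)
    groups = {name for name, nets in _NETS.items() if any(addr in n for n in nets)}
    return groups or {"Unclassified"}


def check_conversation(conv):
    """conv: dict with client_ip, server_ip, server_port, proto (the shape of a
    stitched, bidirectional record). Returns one alarm per violated policy pair."""
    alarms = []
    for src in sorted(host_groups(conv["client_ip"])):
        for dst in sorted(host_groups(conv["server_ip"])):
            allowed = POLICY.get((src, dst))
            if allowed is None or conv["server_port"] in allowed:
                continue
            alarms.append({
                "policy": f"{src} to {dst}",
                "host": conv["client_ip"],
                "target": conv["server_ip"],
                "port": conv["server_port"],
                "proto": conv["proto"],
            })
    return alarms


def alarm_dashboard(convs):
    """Number of alarm occurrences per policy, as on the alarm dashboard."""
    return Counter(a["policy"] for c in convs for a in check_conversation(c))


def unclassified_hosts(convs):
    """Hosts the best practice says should be in a group but are not."""
    hosts = {ip for c in convs for ip in (c["client_ip"], c["server_ip"])}
    return {ip for ip in hosts if host_groups(ip) == {"Unclassified"}}


# Constructed sample conversations.
SAMPLE = [
    {"client_ip": "10.10.3.7", "server_ip": "10.50.1.20", "server_port": 443, "proto": "TCP"},   # permitted
    {"client_ip": "10.10.3.7", "server_ip": "10.50.1.20", "server_port": 22, "proto": "TCP"},    # employee SSH to prod
    {"client_ip": "10.10.3.7", "server_ip": "10.60.0.5", "server_port": 1433, "proto": "TCP"},   # employee to PCI
    {"client_ip": "10.70.0.9", "server_ip": "10.50.1.20", "server_port": 80, "proto": "TCP"},    # lab to prod
    {"client_ip": "10.70.0.9", "server_ip": "10.70.0.10", "server_port": 80, "proto": "TCP"},    # no rule
    {"client_ip": "192.168.9.9", "server_ip": "10.50.1.20", "server_port": 80, "proto": "TCP"},  # unclassified
]

if __name__ == "__main__":
    for policy, count in alarm_dashboard(SAMPLE).items():
        print(f"{count} x {policy}")
    print("unclassified:", sorted(unclassified_hosts(SAMPLE)))
```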

Page 17: Detect Threats

Page 18: Behavioral and Anomaly Detection Model

Behavioral algorithms are applied to build “Security Events”.

Collect and Analyze Flows -> Security Events (94+) -> Alarm Category -> Response

Security Events (94+), for example:
• Addr_Scan/tcp
• Addr_Scan/udp
• Bad_Flag_ACK**
• Beaconing Host
• Bot Command Control Server
• Bot Infected Host - Attempted
• Bot Infected Host - Successful
• Flow_Denied
• ...
• ICMP Flood
• ...
• Max Flows Initiated
• Max Flows Served
• ...
• Suspect Long Flow
• Suspect UDP Activity
• SYN Flood

Alarm Categories:
• Concern
• Exfiltration
• C&C
• Recon
• Data hoarding
• Exploitation
• DDoS target

Response:
• Alarm table
• Host snapshot
• Email
• Syslog / SIEM
• Mitigation

Page 19: Stealthwatch Alarm Categories

Each category accrues points.

Page 20: Example Algorithm: Data Hoarding

Suspect Data Hoarding
• Unusually large amount of data inbound from other hosts

Target Data Hoarding
• Unusually large amount of data outbound from a host to multiple hosts
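
The slide gives the two conditions but not how "unusually large" is decided or how an event feeds the per-category points of the preceding slide. The Python below is an added illustration of the Data Hoarding algorithm over a day of stitched conversation records, with the point accrual from the Alarm Categories slide; it is not Stealthwatch code. The baseline rule (mean plus k standard deviations of past daily totals, never less than 20% above the mean), the minimum peer count for the Target case, the point values and all data are assumptions.

```python
"""Added example: Suspect / Target Data Hoarding detection on daily per-host
volumes, plus alarm-category point accrual. Not Stealthwatch code; the
threshold rule, peer threshold, point values and all data are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Each security event adds points to one alarm category of the host concerned
# (assumed values; the slide only says that each category accrues points).
EVENT_POINTS = {
    "Suspect Data Hoarding": ("Data hoarding", 50),
    "Target Data Hoarding": ("Data hoarding", 75),
}


def daily_volumes(convs):
    """Per-host inbound bytes, outbound bytes and the set of hosts served, from a
    day of conversation records (client_ip, server_ip, client_bytes, server_bytes)."""
    inbound, outbound, served = defaultdict(int), defaultdict(int), defaultdict(set)
    for client, server, cbytes, sbytes in convs:
        inbound[client] += sbytes      # the client receives what the server sent
        outbound[server] += sbytes
        inbound[server] += cbytes
        outbound[client] += cbytes
        if sbytes:
            served[server].add(client)
        if cbytes:
            served[client].add(server)
    return inbound, outbound, served


def threshold(history, k=3.0):
    """Upper bound of normal for one host and direction (assumed formula).
    With a flat history (stdev 0) the bound is still 20% above the mean."""
    m = mean(history)
    return max(m + k * pstdev(history), 1.2 * m)


def detect_data_hoarding(today, baseline, k=3.0, min_peers=5):
    """Emit (host, event name, volume) for hosts whose daily volume is unusual.

    baseline: {host: {"in": [past daily inbound totals], "out": [...]}}
    Suspect Data Hoarding: unusually large inbound volume from other hosts.
    Target Data Hoarding: unusually large outbound volume to multiple hosts."""
    inbound, outbound, served = daily_volumes(today)
    events = []
    for host, hist in baseline.items():
        if inbound[host] > threshold(hist["in"], k):
            events.append((host, "Suspect Data Hoarding", inbound[host]))
        if outbound[host] > threshold(hist["out"], k) and len(served[host]) >= min_peers:
            events.append((host, "Target Data Hoarding", outbound[host]))
    return events


def concern_points(events):
    """Accrue points per host and alarm category from security events."""
    points = defaultdict(lambda: defaultdict(int))
    for host, name, _volume in events:
        category, value = EVENT_POINTS[name]
        points[host][category] += value
    return {host: dict(cats) for host, cats in points.items()}


MB = 1_000_000
# Constructed baseline: a workstation that normally pulls about 200 MB/day and a
# file server that normally pushes about 5 GB/day.
BASELINE = {
    "10.1.8.3":   {"in": [200 * MB, 220 * MB, 190 * MB, 210 * MB], "out": [20 * MB] * 4},
    "10.50.1.20": {"in": [300 * MB] * 4, "out": [5000 * MB, 5200 * MB, 4800 * MB, 5100 * MB]},
    "10.1.8.4":   {"in": [200 * MB] * 4, "out": [20 * MB] * 4},
}
# Constructed day: the workstation pulled 2.4 GB from six servers, the file
# server pushed 60 GB to eight hosts, the second workstation behaved normally.
TODAY = (
    [("10.1.8.3", f"10.50.1.{n}", 2 * MB, 400 * MB) for n in range(30, 36)]
    + [(f"10.1.9.{n}", "10.50.1.20", 1 * MB, 7500 * MB) for n in range(1, 9)]
    + [("10.1.8.4", "10.50.1.20", 1 * MB, 180 * MB)]
)

if __name__ == "__main__":
    events = detect_data_hoarding(TODAY, BASELINE)
    for host, name, volume in events:
        print(f"{host}: {name} ({volume // MB} MB)")
    print(concern_points(events))
```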

Page 21: Network Behavior and Anomaly Detection

Alarm Model: monitor activity and alarm on suspicious conditions, both policy-based and behavioral.

Page 22: Analyze Behavior

Page 23: Investigating a Host

(Screenshot: summary of aggregated host information; observed communication patterns; historical alarming behavior)

Page 24: Investigating: Host Drill-Down

(Screenshot: user information for the host)

Page 25: Investigating: Audit Trails

Network behavior retroactively analyzed.

Page 26: Extrapolating to a User

(Screenshot: Active Directory details; username; devices and sessions; view flows)

Page 27: Respond to Incidents

Page 28: Cisco ISE and pxGrid Integration

Real-Time Visibility into All Network Layers:
• Data intelligence throughout network
• Discovery of assets
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response

(Diagram: ISE provides context information to Stealthwatch and receives mitigation actions from it, both over pxGrid)

Page 29: Rapid Threat Containment

Quarantine or unquarantine via pxGrid.

(Diagram: StealthWatch Management Console (SMC) <-> Cisco® Identity Services Engine)

Page 30: The Stealthwatch System

Page 31: Cisco Stealthwatch System: Comprehensive Security and Network Monitoring

(Diagram of the system's components and their telemetry sources)

• Management Console
• Flow Collector
• Threat Feed License
• Proxy License
• Cloud License
• Learning Network Manager
• Endpoint Concentrator
• UDP Director, feeding Legacy Traffic Analysis Software
• Flow Sensor, and ESX with Flow Sensor VE, for non-NetFlow enabled equipment
• Security Packet Analyzer (Packet Data & Storage)
• ISE Identity Services
• NetFlow enabled routers, switches, firewalls

Page 32: Required Core Components

Stealthwatch Management Console (SMC)
• A physical or virtual appliance that aggregates, organizes, and presents analysis from Flow Collectors, Identity Services Engine (ISE), and other sources
• User interface to Stealthwatch
• Maximum 2 per deployment

Flow Collector (FC)
• A physical or virtual appliance that aggregates and normalizes NetFlow and application data collected from exporters such as routers, switches, and firewalls
• High performance NetFlow / sFlow / IPFIX collector
• Maximum 25 per deployment

Flow collection license
• Collection, management, and analysis of NetFlow by the Stealthwatch system is licensed on the basis of flows per second (FPS) and term

Page 33: Extended Network Visibility

Page 34: Flow Sensor

• Physical or virtual appliance
• Provides an overlay solution for generating NetFlow data with infrastructure not capable of natively producing un-sampled NetFlow data at line rates
• Produces NetFlow for components without un-sampled NetFlow support
• Deployed in environments where additional security context is required

(Diagram: non-NetFlow enabled equipment and ESX hosts with Flow Sensor VE feed a Flow Sensor, which exports to the Flow Collector; ISE Identity Services, Threat Feed License and Management Console complete the system)

Page 35: UDP Director

• Physical or virtual appliance
• Allows NetFlow, syslog and SNMP data to be sent transparently to multiple collection points
• Can repeat traffic to multiple Flow Collectors

(Diagram: NetFlow enabled routers, switches and firewalls send to the UDP Director, which forwards copies to the Flow Collector and to Legacy Traffic Analysis Software; ISE Identity Services, Threat Feed License and Management Console complete the system)

Page 36: Proxy License

Page 37: Stealthwatch Proxy License

Syslog information (the fields of one proxy record sent to the Flow Collector):

TIMESTAMP         1456312345
ELAPSE TIME       12523
SOURCE IP         192.168.2.100
SOURCE PORT       4567
DESTINATION IP    65.12.56.123
DESTINATION PORT  80
BYTES             400
URL               http://cisco.com
USERNAME          john

Proxy License Provides:
• HTTP Traffic Visibility
• Analysis continuity
• User information

Multi-Vendor Proxy Support:
• Cisco WSA
• Bluecoat proxy
• Squid
• McAfee Web Gateway

(Diagram: the proxy sends SYSLOG to the Flow Collector; ISE Identity Services, Threat Feed License and Management Console complete the system)

Page 38: Proxy License Visibility

Integration Protocols/Ports:
• Proxy sends Syslog (UDP/514) information containing Web access details to the Flow Collector
• The Flow Collector will associate the received logs with the designated flows

Proxy log details associated with the flow:
• User Name
• URL
• URL Host
• Byte summary
• Session Duration
• Source IP/Port
• Destination IP/Port

(Diagram: Source IP/Port -> URL, Username -> Destination IP/Port)
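
The two Proxy License slides list the fields a proxy logs and say the Flow Collector associates those logs with flows, without giving the matching rule. The Python below is an added illustration of such an association; it is not Stealthwatch code, and the key=value syslog format, the rule (same source IP/port, flow start inside the logged session time window) and all sample lines and flows are constructed, with the example values taken from the slide's record where it gives them.

```python
"""Added example: associating proxy syslog records with flow records. Not
Stealthwatch code; the log format, the matching rule and the sample data are
constructed."""
import re
from urllib.parse import urlsplit

# Constructed log format carrying the fields listed on the slide.
LOG_RE = re.compile(
    r"ts=(?P<ts>\d+) elapsed=(?P<elapsed>\d+) "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) "
    r"dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"bytes=(?P<nbytes>\d+) url=(?P<url>\S+) user=(?P<user>\S+)"
)


def parse_proxy_log(line):
    """Parse one proxy syslog line into a dict; None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ts", "elapsed", "src_port", "dst_port", "nbytes"):
        rec[key] = int(rec[key])
    rec["url_host"] = urlsplit(rec["url"]).hostname
    return rec


def associate(flows, log_lines, tolerance=2):
    """Attach proxy context to each flow whose client endpoint matches a log
    record and whose start lies in [ts - tolerance, ts + elapsed/1000 + tolerance]
    (assumed rule). The flow the collector sees ends at the proxy, so the log's
    destination is the server the user actually reached; it is kept as context."""
    logs = [r for r in map(parse_proxy_log, log_lines) if r]
    enriched = []
    for f in flows:
        out = dict(f, proxy=None)
        for r in logs:
            if (f["src_ip"], f["src_port"]) != (r["src_ip"], r["src_port"]):
                continue
            if r["ts"] - tolerance <= f["start"] <= r["ts"] + r["elapsed"] / 1000 + tolerance:
                out["proxy"] = {
                    "username": r["user"], "url": r["url"], "url_host": r["url_host"],
                    "bytes": r["nbytes"], "duration_ms": r["elapsed"],
                    "dst": f"{r['dst_ip']}:{r['dst_port']}",
                }
                break
        enriched.append(out)
    return enriched


# Constructed syslog lines; the first reuses the slide's example values.
PROXY_LOGS = [
    "<134>proxy1: ts=1456312345 elapsed=12523 src=192.168.2.100:4567 dst=65.12.56.123:80 bytes=400 url=http://cisco.com user=john",
    "<134>proxy1: ts=1456312400 elapsed=800 src=192.168.2.101:5001 dst=203.0.113.10:443 bytes=9120 url=https://example.com/login user=alice",
    "<134>proxy1: malformed line",
]
# Constructed flow records as the collector sees them (client -> proxy on 3128).
FLOWS = [
    {"start": 1456312346, "src_ip": "192.168.2.100", "src_port": 4567, "dst_ip": "10.0.0.8", "dst_port": 3128},
    {"start": 1456312401, "src_ip": "192.168.2.101", "src_port": 5001, "dst_ip": "10.0.0.8", "dst_port": 3128},
    # same client port reused much later: outside the logged session, so no context
    {"start": 1456312900, "src_ip": "192.168.2.100", "src_port": 4567, "dst_ip": "10.0.0.8", "dst_port": 3128},
]

if __name__ == "__main__":
    for f in associate(FLOWS, PROXY_LOGS):
        ctx = f["proxy"]
        print(f["src_ip"], f["src_port"], "->",
              ctx["username"] if ctx else "-", ctx["url_host"] if ctx else "-")
```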

Page 39: Endpoint Concentrator

Page 40: Cisco AnyConnect Network Visibility Module

Enhanced endpoint context: enhance NetFlow records with endpoint/user data and application activity.

(Diagram: endpoints -> Collector & Reporting (Cisco/Partners) -> Analytics, Auditing, Visibility)

Page 41: Stealthwatch Endpoint Visibility Solution

AnyConnect with Network Visibility Module exports nvzFlow, attributing a flow to:
• Process name
• Process hash
• Process account
• Parent process name
• Parent process hash
• Parent process account

(Diagram: endpoints running AnyConnect NVM send nvzFlow to the Endpoint Concentrator, which feeds the Flow Collector; ISE Identity Services, Threat Feed License and Management Console complete the system)

Page 42: Threat Intelligence

Page 43: Stealthwatch Threat Intelligence License: Actionable Threat Intelligence

Threat Feed: formerly known as “SLIC”; new behavioral analysis algorithms are updated as new threats are discovered, with updates performed using the Threat Feed control channel and licensing.

Overview:
• Team performs feed validation and independent research and analytics
• Threat research influences continued algorithm development
• Works with Proxy License
• Ideally deployed with Flow Sensor(s)
• Enables alarming within Stealthwatch around:
  • Host interaction with known bad URLs
  • Host interaction with C&C servers

Future Plans:
• Merge with Cisco TALOS for additional threat intelligence context and information

(Diagram: feed sources such as Botnet Command & Control, Internet Scanning and Backscatter (DDoS Victims) flow into the Threat Feed and on to the User Interface)

Page 44: Branch

Page 45: Cisco Stealthwatch Learning Network License

• Brings self-learning attributes to the Cisco 4000 ISR
• Needs no programming of firewall rules, malware signatures, or access control lists (ACLs)
• Uses machine learning, network context, and packet capture to determine what’s normal and what’s not
• Uses advanced analytics and models to identify and block true anomalies
• Adapts as conditions change

Page 46: Learning Network Components

Learning Network Agent
Machine-learning security agent software for the Cisco 4000 Integrated Services Router that collects and analyzes information, which it communicates to the Manager.

Learning Network Manager
Virtual machine application software that provides advanced visualization of the anomalies that the Learning Agents discover. It displays visuals using the management application.

Page 47: Overview of Learning Network Operation

(Diagram: six numbered stages)
• Discovers traffic paths
• Builds map of IP addresses to learn about its environment
• Studies traffic movement, volumes, patterns, times of day
• Identifies applications on NBAR and DPI
• Learns to distinguish normal from anomalous
• Precisely identifies anomaly; allows operator to take action to remediate

Page 48: Summary

Page 49: Massively Scalable Architecture

Visibility and Management (Stealthwatch Management Console):
• Aggregate up to 25 FlowCollectors
• Up to 6 million flows per second
• Integration with third-party security / network tools

Aggregation, Analytics, and Context (FlowCollector, Threat Feed License, Packet Analyzer, Proxy License, ISE / Active Directory Identity Services):
• Store and analyze up to 4,000 sources at up to 240,000 sustained flows per second
• Identity, device, reputation, threat, proxy, and application feeds provide threat context
• Continuous packet capture

Exporters / Transactional Monitors (UDP Director, FlowSensor, Firewall, Routers, and ASA):
• Network telemetry data is generated by switches, routers, firewalls, and by FlowSensors in areas without flow support
• Support up to 20 Gbps throughput per sensor

Page 50: Key Takeaways

• The Stealthwatch system enhances your security across the enterprise, providing comprehensive network visibility and intelligence
• Your network is a key asset for threat detection and control
• The Stealthwatch architecture ensures robust and flexible deployment

(Diagram: Extended Network, Branch, Data Center, Cloud; Cisco Stealthwatch: Analyze, Monitor, Detect, Respond)

Page 51: Stealthwatch Technical Use Cases

Use Case: A global oilfield services company discovered China was in their network when they were contacted by the FBI. Stealthwatch was installed and, in less than a week, had identified a local user who was logging in from China and exfiltrating gigabytes of critical files. That user’s login information had been stolen and the thief now had rightful access to anything they wanted on the network. This not only proved the value of Lancope’s end-to-end internal visibility, but also further justification for a global Cisco ISE deployment.
Vertical: Energy/Utilities
Threat/Theme: Compromised Credentials

Use Case: A large healthcare provider learned during their Lancope evaluation that they had “internal users” logging in from China and Singapore to exfiltrate large files to Dropbox. This was an immediate red flag since the company had no presence outside the state of Texas.
Vertical: Healthcare
Threat/Theme: Compromised Credentials

Use Case: A large food services company learned during their Lancope evaluation that seven of their servers suddenly began launching scanning attacks on various Department of Defense networks. After some investigation, it was learned that a server admin had loaded a “FREE” copy of Virtual Network Client on these boxes.
Vertical: Food Services
Threat/Theme: Malware – Infected Hosts

Page 52: Stealthwatch Technical Use Cases (continued)

Use Case: A large technology company discovered during a Stealthwatch evaluation that almost half of their end-user workstations were infected with a custom piece of malware written just for their network. The malware had been quietly stealing information for an unknown period of time. There is no signature for a situation like this, but Lancope was able to use behavioral analysis to identify the scanning, connecting, and propagation activities of this malware, and build a forensic trail of every host that needed to be removed from the network and cleaned up.
Vertical: Technology
Threat/Theme: Malware – Infected Hosts

Use Case: During their Lancope evaluation, a large healthcare provider found out that they had a compromised server on their network exfiltrating gigabytes of patient data every Saturday night when it received calls from a command & control server out on the Internet. Further investigation revealed that this host had likely been compromised for well over a year.
Vertical: Healthcare
Threat/Theme: Command & Control Exfiltration

Use Case: A large automotive distributor lost access to their most critical business application during their Lancope evaluation. Within minutes, their network, server, and security teams were able to come together and identify exactly where the issue was – a back-end SQL virtual server was taking almost a minute to respond to each request. This scenario would have historically pulled all of these teams into a war room for hours of triage, while their business was at a stand-still. Instead, the server team now knew exactly where the issue was and could fix it with minimal impact to the end-users.
Vertical: Manufacturing
Threat/Theme: Network & Server Performance

Page 53: cisco.com/go/stealthwatch