
Cisco Stealthwatch

Network as a sensor

Dragan Novakovic
Security Consulting
Systems Engineer
Stealthwatch Enhances Visibility Across Your Entire Network
Monitor | Detect | CISCO STEALTHWATCH | Analyze | Respond

Extended Network
• Gain unique visibility across your business
• Simplify segmentation throughout your networks
• Address threats faster

Branch
• Enable your network to take action
• Extend visibility and granular access control to your remote branches
• Prevent the lateral movement of threats

Data Center
• Protect your critical information
• Simplify policy enforcement and data center segmentation
• Accelerate incident response in the data center

Cloud
• Gain enhanced visibility into the cloud
• Make the cloud a part of your segmentation strategy
• Identify threats quickly and take action

Cisco Services and Customer Success


Visibility Through NetFlow
NetFlow provides flow information for packets

• A trace of every conversation in your network
• An ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Example flow record (host 10.1.8.3, through switches and routers, to 172.168.134.2 on the Internet):
SOURCE ADDRESS       10.1.8.3
DESTINATION ADDRESS  172.168.134.2
SOURCE PORT          47321
DESTINATION PORT     443
INTERFACE            Gi0/0/0
IP TOS               0x00
IP PROTOCOL          6
NEXT HOP             172.168.25.1
TCP FLAGS            0x1A
SOURCE SGT           100
:                    :
APPLICATION NAME     NBAR SECURE-HTTP
Scaling Visibility: Flow Stitching

Topology: 10.2.2.2 port 1024 -- eth0/1 [ exporter ] eth0/2 -- 10.1.1.1 port 80

Unidirectional Flow Records
Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bidirectional Flow Record
– Conversation flow record
– Allows easy visualization and analysis

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2
Scaling Visibility: NetFlow Deduplication

The same conversation between 10.2.2.2 port 1024 and 10.1.1.1 port 80 is exported by three routers on the path:
Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80   (duplicate of Router A's record)
Router C: 10.1.1.1:80 -> 10.2.2.2:1024

• Without deduplication
  • Traffic volume can be misreported
  • False positives would occur
• Allows for efficient storage of flow data
• Necessary for accurate host-level reporting
• Does not discard data
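The stitching and deduplication described on the two slides above, as an added example that is not Stealthwatch code: the unidirectional records are constructed, and the client/server rule (lower port is the server) is a simplifying assumption, not the product's own heuristic.

```python
# Added example (not Stealthwatch code): stitch unidirectional NetFlow records
# into one bidirectional conversation record and de-duplicate copies of the
# same flow reported by several exporters. Records are constructed.

# (exporter, interface, src, sport, dst, dport, proto, pkts, bytes, start)
RECORDS = [
    ("RouterA", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025, "10:20:12.221"),
    ("RouterB", "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025, "10:20:12.240"),  # same flow, second exporter
    ("RouterC", "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712, "10:20:12.871"),
]


def conversation_key(src, sport, dst, dport, proto):
    """Direction-independent key. Simplification (assumption, not Stealthwatch's
    heuristic): the endpoint with the lower port number is taken as the server."""
    client, server = ((src, sport), (dst, dport)) if sport > dport else ((dst, dport), (src, sport))
    return (client, server, proto)


def naive_total_bytes(records):
    """What a collector reports without deduplication: every copy is summed."""
    return sum(r[8] for r in records)


def stitch(records):
    """Return one conversation record per client/server pair, counting each
    unidirectional flow once even when several exporters reported it."""
    convs, seen = {}, set()
    for exporter, iface, src, sport, dst, dport, proto, pkts, nbytes, start in records:
        key = conversation_key(src, sport, dst, dport, proto)
        conv = convs.setdefault(key, {
            "start": start, "client": key[0], "server": key[1], "proto": proto,
            "client_bytes": 0, "client_pkts": 0, "server_bytes": 0, "server_pkts": 0,
            "interfaces": [], "exporters": []})
        # Keep every exporter/interface that saw the flow: dedup does not discard data.
        conv["exporters"].append(exporter)
        if iface not in conv["interfaces"]:
            conv["interfaces"].append(iface)
        five_tuple = (src, sport, dst, dport, proto)
        if five_tuple in seen:      # duplicate copy of a flow already counted
            continue
        seen.add(five_tuple)
        conv["start"] = min(conv["start"], start)
        if (src, sport) == key[0]:  # client -> server direction
            conv["client_bytes"] += nbytes
            conv["client_pkts"] += pkts
        else:                       # server -> client direction
            conv["server_bytes"] += nbytes
            conv["server_pkts"] += pkts
    return list(convs.values())
```

Comparing naive_total_bytes(RECORDS) with the stitched byte counts shows the over-reporting the slide warns about.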


The General Ledger

Context dimensions: Where, What, When, Who (plus more context, such as security group)

• Highly scalable (enterprise-class) collection
• Stitched and de-duplicated
• Conversational representation
• High compression => long-term storage
• Months of data retention
• Highly scalable data collection and compression
• Enables months of data retention
See and detect more in your network with Stealthwatch

Monitor
• Obtain comprehensive, scalable enterprise visibility and security context
• Gain real-time situational awareness of traffic

Detect
• Detect and analyze network behavior anomalies
• Easily detect behaviors linked to advanced persistent threats (APTs), insider threats, distributed denial-of-service (DDoS) attacks, and malware

Analyze
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis
• Conduct thorough forensic investigations

Respond
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats
• Continuously improve enterprise security posture
Monitor the Network
Host Groups: Applied Situational Awareness

A host group is a virtual container of multiple IP addresses/ranges that have similar attributes (for example, a lab server grouping).

Best practice: classify all known IP addresses into one or more host groups.

Locate Assets
Find hosts communicating on the network
• Pivot based on transactional data
Segmentation Monitoring with Stealthwatch

PCI Zone Map
Define communication policy between zones
Monitor for violations

Modeling Policy: Alarm Occurrence
Alarm dashboard showing all policy alarms
Drill down into an alarm for the hosts and targets involved
Details of “Employee to Production Servers” alarm occurrences
Detect Threats
Behavioral and Anomaly Detection Model
Behavioral algorithms are applied to build “security events”

Pipeline: Collect and Analyze Flows -> Security Events (94+) -> Alarm Category -> Response

Security Events (94+), for example:
Addr_Scan/tcp
Addr_Scan/udp
Bad_Flag_ACK**
Beaconing Host
Bot Command Control Server
Bot Infected Host - Attempted C&C
Bot Infected Host - Successful C&C
Flow_Denied
...
ICMP Flood
...
Max Flows Initiated
Max Flows Served
...
Suspect Long Flow
Suspect UDP Activity
SYN Flood

Alarm Categories: Concern, Recon, C&C, Exploitation, Data hoarding, Exfiltration, DDoS target

Responses: Alarm table, Host snapshot, Email, Syslog / SIEM, Mitigation

Stealthwatch Alarm Categories
Each category accrues points


Example Algorithm: Data Hoarding

Suspect Data Hoarding
• Unusually large amount of data inbound from other hosts

Target Data Hoarding
• Unusually large amount of data outbound from a host to multiple hosts
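A worked illustration of the two Data Hoarding events and of a category accruing points, added here as an example; it is a deliberately simplified baseline model, not Stealthwatch's own algorithm, and the history, flows, SIGMA, MIN_PEERS and POINTS values are constructed.

```python
# Added example (an illustrative simplification, not Stealthwatch's algorithm):
# Suspect Data Hoarding fires when a host's inbound volume is far above its own
# baseline; Target Data Hoarding when its outbound volume is far above baseline
# and spread across many peers. History, flows and point values are constructed.
import statistics
from collections import defaultdict
# Constructed per-host history of daily bytes: host -> {"in": [...], "out": [...]}
HISTORY = {
    "10.1.5.20": {"in": [2.0e6, 2.4e6, 1.9e6, 2.2e6, 2.1e6], "out": [3.0e5, 2.8e5, 3.1e5, 2.9e5, 3.2e5]},
    "10.1.9.40": {"in": [5.0e7, 5.2e7, 4.9e7, 5.1e7, 5.0e7], "out": [8.0e6, 7.9e6, 8.2e6, 8.1e6, 8.0e6]},
}
# Constructed conversation records for today: (client_ip, server_ip, client_bytes, server_bytes)
TODAY = [
    ("10.1.5.20", "10.1.9.40", 1.0e5, 6.0e6),  # 10.1.5.20 pulls 6 MB from one server
    ("10.1.5.20", "10.1.9.41", 1.0e5, 5.0e6),  # ... and 5 MB from another
    ("10.1.9.40", "10.1.5.21", 4.0e6, 2.0e4),  # 10.1.9.40 pushes 4 MB to each of three hosts
    ("10.1.9.40", "10.1.5.22", 4.0e6, 2.0e4),
    ("10.1.9.40", "10.1.5.23", 4.0e6, 2.0e4),
]
SIGMA = 3        # alarm when today's volume exceeds mean + SIGMA * stdev of history
MIN_PEERS = 3    # Target Data Hoarding needs outbound data to at least this many hosts
POINTS = 80      # points accrued by the Data Hoarding category per event (constructed value)

def threshold(samples):
    return statistics.mean(samples) + SIGMA * statistics.pstdev(samples)

def todays_volumes(flows):
    """Per-host inbound bytes, outbound bytes and the set of hosts it sent data to."""
    vol = defaultdict(lambda: {"in": 0.0, "out": 0.0, "out_peers": set()})
    for client, server, cbytes, sbytes in flows:
        for host, peer, inb, outb in ((client, server, sbytes, cbytes), (server, client, cbytes, sbytes)):
            vol[host]["in"] += inb
            vol[host]["out"] += outb
            vol[host]["out_peers"].add(peer)
    return vol

def data_hoarding_events(flows, history):
    """Return (event, host, points) tuples; hosts without a baseline are skipped."""
    events = []
    for host, v in todays_volumes(flows).items():
        if host not in history:
            continue
        if v["in"] > threshold(history[host]["in"]):
            events.append(("Suspect Data Hoarding", host, POINTS))
        if v["out"] > threshold(history[host]["out"]) and len(v["out_peers"]) >= MIN_PEERS:
            events.append(("Target Data Hoarding", host, POINTS))
    return events

def category_points(events):
    """Each event adds to the Data Hoarding category total, as the slide notes."""
    return sum(points for _, _, points in events)
```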
Network Behavior and Anomaly Detection

Alarm Model
Monitor activity and alarm on suspicious conditions
Policy and behavioral


Analyze Behavior
Investigating a Host
Summary of aggregated host information
Observed communication patterns
Historical alarming behavior

Investigating: Host Drill-Down
User information

Investigating: Applications
Observed applications, some suspicious

Investigating: Audit Trails
Network behavior retroactively analyzed
Respond to Incidents
Cisco ISE and pxGrid Integration

Stealthwatch <-- context information -- pxGrid -- ISE
Stealthwatch -- mitigation --> ISE

Real-Time Visibility into All Network Layers
• Data intelligence throughout the network
• Discovery of assets
• Network profile context
• Security policy monitoring
• Anomaly detection
• Accelerated incident response

Rapid Threat Containment
Cisco Identity Services Engine <-> Cisco® Stealthwatch Management Console (SMC)
Quarantine or unquarantine via pxGrid


The Stealthwatch System
NetFlow Supported Platforms

NetFlow-capable path (diagram): User - Switch - Router - WAN Router - Firewall - Data Center Switch - Server, with Cisco Identity Services Engine

NetFlow Exporters

Switch
Catalyst 2960-X (FNF v9)
Catalyst 3560-X (SM-10G module only)
Catalyst 3750-X (SM-10G module only)
Catalyst 3850/3650 (FNF v9 SGT support)
Catalyst 4500E (Sup7E/7LE)
Catalyst 4500E (Sup8) (FNF v9 SGT support)
Catalyst 6500E (Sup2T) (FNF v9 SGT support)
Catalyst 6800 (FNF v9 SGT support)

Router
Cisco ISR G2 (FNF v9 SGT support)
Cisco ISR 4000 (FNF v9 SGT support)
Cisco ASR1000 (FNF v9 SGT support)
Cisco CSR 1000v (FNF v9 SGT support)
Cisco WLC 5760 (FNF v9)
Cisco WLC 5520, 8510, 8540 (FNF v9)

Data Center Switch
Nexus 7000 (M Series I/O modules – FNF v9)
Nexus 1000v (FNF v9)

Firewall
ASA5500, 5500-X (NSEL)
FTD (NSEL in v6.2 with Flex-Config)
Cisco AnyConnect Client (IPFIX) *
Meraki MX/Z1 (v9)

Servers and Appliances
Cisco NetFlow Generation Appliance (FNF v9)
Cisco UCS VIC (VIC 1224/1240/1280/1340/1380)

For individual platform features, reference the Cisco Feature Navigator: http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp
Stealthwatch system architecture (diagram): the Cisco Stealthwatch Management Console, with Identity Services Engine (ISE), Threat Feed License, Security Packet Analyzer (comprehensive packet data and storage), and Proxy License; the Flow Collector, receiving from NetFlow-enabled routers, switches and firewalls, from Flow Sensors (physical, or Flow Sensor VE on ESX) in front of non-NetFlow-enabled equipment, from the Endpoint Concentrator, and from the UDP Director, which also feeds legacy network monitoring / traffic analysis software; plus the Learning Network License with its Network Manager, and the Cloud License.
Required Core Components

Stealthwatch Management Console (SMC)
• A physical or virtual appliance that aggregates, organizes, and presents analysis from Flow Collectors, Identity Services Engine (ISE), and other sources.
• User interface to Stealthwatch
• Maximum 2 per deployment

Flow Collector (FC)
• A physical or virtual appliance that aggregates and normalizes NetFlow and application data collected from exporters such as routers, switches, and firewalls.
• High performance NetFlow / sFlow / IPFIX collector
• Maximum 25 per deployment

Flow collection license
• Collection, management, and analysis of NetFlow by the Stealthwatch system is licensed on the basis of flows per second (FPS) and term.
Extended Network Visibility

Flow Sensor
• Physical or virtual appliance
• Provides an overlay solution for generating NetFlow data with infrastructure not capable of natively producing un-sampled NetFlow data at line rates
• Produces NetFlow for components without un-sampled NetFlow support
• Deployed in environments where additional security context is required
(Diagram: a Flow Sensor, or Flow Sensor VE on ESX, in front of non-NetFlow-enabled equipment, exporting to the Flow Collector and on to the Management Console with ISE and the Threat Feed License)

UDP Director
• Physical or virtual appliance
• Allows NetFlow, syslog and SNMP data to be sent transparently to multiple collection points
• Can repeat traffic to multiple Flow Collectors
(Diagram: NetFlow-enabled routers, switches and firewalls send to the UDP Director, which forwards to the Flow Collector and to legacy traffic analysis software)
Stealthwatch Proxy License
The Proxy License provides syslog information for packets

• HTTP traffic visibility
• Analysis continuity
• User information

Multi-Vendor Proxy Support
• Cisco WSA
• Bluecoat proxy
• Squid
• McAfee Web Gateway

Example proxy syslog record received by the Flow Collector:
TIMESTAMP         1456312345
ELAPSE TIME       12523
SOURCE IP         192.168.2.100
SOURCE PORT       4567
DESTINATION IP    65.12.56.123
DESTINATION PORT  80
BYTES             400
URL               http://cisco.com
USERNAME          john
Proxy Challenges
Path: User (10.1.8.3) - Switches - Proxy (172.168.134.2) - Routers - Internet

Problems
• No NetFlow capabilities
• Lack of visibility on a large portion of the customer traffic
• Disconnected information (the user-to-proxy record and the proxy-to-Internet record are not linked to each other)

Flow record, user to proxy:
SOURCE ADDRESS       10.1.8.3
DESTINATION ADDRESS  172.168.134.2
SOURCE PORT          47321
DESTINATION PORT     443
INTERFACE            Gi0/0/0
IP TOS               0x00
IP PROTOCOL          6
NEXT HOP             172.168.25.1
TCP FLAGS            0x1A
SOURCE SGT           100
:                    :
APPLICATION NAME     NBAR SECURE-HTTP

Flow record, proxy to Internet:
SOURCE ADDRESS       172.168.134.2
DESTINATION ADDRESS  216.58.213.100
SOURCE PORT          47321
DESTINATION PORT     443
INTERFACE            Gi0/0/0
IP TOS               0x00
IP PROTOCOL          6
NEXT HOP             172.168.25.1
TCP FLAGS            0x1A
SOURCE SGT           100
:                    :
APPLICATION NAME     NBAR SECURE-HTTP


Proxy License Visibility

Integration protocols/ports
• The proxy sends syslog (UDP/514) information containing web access details to the Flow Collector
• The Flow Collector will associate the received logs with the designated flows

Fields carried in the proxy log: byte summary, user name, session duration, URL, URL host, source IP/port, destination IP/port

Resulting enriched record: Source IP/Port | Destination IP/Port | URL | Username
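The association step described above, as an added example rather than Stealthwatch code: a proxy syslog record (using the field values from the Proxy License slide) is matched to the user-side and proxy-side flows by address and time window. The key=value syslog layout, the proxy address 10.0.0.5, port 3128, the flow start times and the millisecond unit for the elapsed time are all assumptions.

```python
# Added example (not Stealthwatch code): link a proxy syslog record to the
# user-side flow and the proxy-side flow the Flow Collector already holds, so the
# two disconnected records become one transaction with URL and username.
import re

PROXY_IP = "10.0.0.5"  # constructed address of the proxy

# Constructed syslog line carrying the field values from the slide's proxy record.
SYSLOG_LINE = ("ts=1456312345 elapsed=12523 src=192.168.2.100:4567 "
               "dst=65.12.56.123:80 bytes=400 url=http://cisco.com user=john")

# Constructed conversation records: (start_epoch, client_ip, client_port, server_ip, server_port)
FLOWS = [
    (1456312340, "192.168.2.100", 4567, PROXY_IP, 3128),   # user -> proxy
    (1456312341, PROXY_IP, 51000, "65.12.56.123", 80),     # proxy -> Internet
    (1456312000, "192.168.2.100", 4567, PROXY_IP, 3128),   # earlier reuse of the port, outside the window
]


def parse_proxy_syslog(line):
    """Turn a key=value proxy syslog line into a dict; elapsed is in ms (assumption)."""
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return {"ts": int(fields["ts"]), "elapsed_s": int(fields["elapsed"]) / 1000,
            "src": (src_ip, int(src_port)), "dst": (dst_ip, int(dst_port)),
            "bytes": int(fields["bytes"]), "url": fields["url"], "user": fields["user"]}


def associate(log, flows, proxy_ip, slack_s=5):
    """Find the user-side flow (same client IP/port, proxy as server) and the
    proxy-side flow (proxy as client, same destination) that started inside
    the logged session's time window; return the merged record or None."""
    lo = log["ts"] - log["elapsed_s"] - slack_s
    hi = log["ts"] + slack_s
    user_side = proxy_side = None
    for start, cip, cport, sip, sport in flows:
        if not lo <= start <= hi:
            continue
        if (cip, cport) == log["src"] and sip == proxy_ip:
            user_side = (start, cip, cport, sip, sport)
        elif cip == proxy_ip and (sip, sport) == log["dst"]:
            proxy_side = (start, cip, cport, sip, sport)
    if user_side is None or proxy_side is None:
        return None
    return {"source": log["src"], "destination": log["dst"], "url": log["url"],
            "username": log["user"], "bytes": log["bytes"],
            "user_side_flow": user_side, "proxy_side_flow": proxy_side}
```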


Cisco AnyConnect Network Visibility Module

Enhanced collector and reporting: endpoints provide context to Cisco and partner tools, for visibility, auditing and analytics
Enhance NetFlow records with endpoint/user data and application activity

Stealthwatch Endpoint Visibility Solution
(Diagram: AnyConnect with Network Visibility Module exports nvzFlow to the Endpoint Concentrator, which forwards to the Flow Collector and on to the Management Console with ISE and the Threat Feed License)

nvzFlow attributes a flow to:
• Process name
• Process hash
• Process account
• Parent process name
• Parent process hash
• Parent process account

Stealthwatch Endpoint Concentrator
• Global destination for nvzFlow records
• Forwards flow records to the Flow Collector
• Appears as a single exporter in the Flow Collector
• Required in order to collect endpoint flow records
• Endpoint fields are stitched into flow records

Flow Query of Endpoint Data
Major use cases:
• Identify known malware during an investigation
• Attribution determination – did a user or a process initiate the flow
• Discover if known processes/applications are active on the network
• Use endpoint data in advanced queries


Stealthwatch Threat Intelligence License
Actionable Threat Intelligence

Overview:
• Team performs feed validation and independent research and analytics
• Threat research influences continued algorithm development
• Works with Proxy License
• Ideally deployed with Flow Sensor(s)
• Enables alarming within Stealthwatch around:
  • Host interaction with known bad URLs
  • Host interaction with C&C servers

(Diagram: the Threat Feed gathers botnet command & control, scanning and backscatter (DDoS victims) intelligence from the Internet and surfaces it in the user interface)

Formerly known as “SLIC”; new behavioral analysis algorithms are updated as new threats are discovered, with updates performed using the Threat Feed control channel and licensing

Future plans:
• Merge with Cisco TALOS for additional threat intelligence context and information
Stealthwatch in the branch – key benefits
• Improves protection against branch network threats
• Provides deeper visibility across the branch network
• Delivers faster threat detection and response
Cisco Stealthwatch Learning Network License
• Brings self-learning attributes to the Cisco 4000 ISR
• Needs no programming of firewall rules, malware signatures, or access control lists (ACLs)
• Uses machine learning, network context, and packet capture to determine what’s normal and what’s not
• Uses advanced analytics and models to identify and block true anomalies
• Adapts as conditions change

Learning Network Components

Learning Network Agent
Machine-learning security agent software for the Cisco 4000 Integrated Services Router that collects and analyzes information, which it communicates to the Manager.

Learning Network Manager
Virtual machine application software that provides advanced visualization of the anomalies that the Learning Agents discover. It displays visuals using the management application.

Overview of Learning Network Operation
1. Builds a map of IP addresses
2. Discovers traffic paths to learn about its environment
3. Identifies applications based on NBAR and DPI
4. Studies traffic movement, volumes, patterns, times of day
5. Learns to distinguish normal from anomalous
6. Precisely identifies the anomaly; allows the operator to take action to remediate
Summary
Massively Scalable Architecture

Visibility and Management (Stealthwatch Management Console, Threat Feed License)
• Aggregate up to 25 FlowCollectors
• Up to 6 million flows per second
• Integration with third-party security / network tools

Aggregation, Analytics, and Context (FlowCollector, Packet Analyzer, Proxy License, ISE, Active Directory, Identity Services)
• Store and analyze up to 4,000 sources at up to 240,000 sustained flows per second
• Identity, device, reputation, threat, proxy, and application feeds provide threat context
• Continuous packet capture

Exporters / Transactional Monitors (firewalls, routers, ASA, FlowSensor, UDP Director)
• Network telemetry data is generated by:
  • Switches, routers, firewalls
  • FlowSensors in areas without flow support
• Support up to 20 Gbps throughput per sensor
Key Takeaways
Monitor | Detect | CISCO STEALTHWATCH | Analyze | Respond
Extended Network | Branch | Data Center | Cloud

• The Stealthwatch system enhances your security across the enterprise, providing comprehensive network visibility and intelligence
• Your network is a key asset for threat detection and control
• The Stealthwatch architecture ensures robust and flexible deployment
