Securing Your Network with Anomaly Detection using Distributed Learning Architecture (Learning Networks)

Transcription

1

2 Securing Your Network with Anomaly Detection using Distributed Learning Architecture (Learning Networks) Alex Honoré, CCIE #19553, Technical Leader, Engineering BRKSEC-3056

3 Self Learning Networks: A terrific Journey of Innovation BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 3

4 What Self Learning Networks is About... SLN is fundamentally a hyper-distributed analytics platform... Putting together analytics and networking... Goldmine of untouched data on networking gear (sensing) Network learns and computes models on premise (analytics) The Network adapts, modifies its behavior (control) SLN for Security: attacks are incredibly sophisticated and targeted, exfiltration of data being a major concern, requiring a next-generation approach => Stealthwatch Learning Network License True Technology disruption... BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 4

5 Botnets and Data Ex-Filtration Techniques Size can range from thousands to millions of compromised hosts Botnet can cause DDoS & other malicious traffic (spam,...) to originate from the inside of the corporate network C&C (C2) servers become increasingly evasive Fast Flux Service Networks (FFSN), single or double Flux DGA-based malware (Domain Generation Algorithms) DNS/NTP Tunneling Peer-to-Peer (P2P) protocols Anonymized services (Tor) Steganography, potentially combined with Cryptography Social media updates or messages Mixed protocols... Timing Channels Internet C&C Server(s) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 5

6 A true paradigm shift (Current) Generation of Security Architectures and Products Specialized security gear connected to the network (FW, IPS,...) Heavily signature-based... to detect known malwares Dynamic update of signatures SLN is Machine Learning-based and pervasive Use of adaptive Machine Learning (AI) technology to detect advanced, evasive Malware: build a model of normal patterns and detect outliers (deviations) High focus on 0-day attacks Use every node in the network as a security engine to detect attacks Complementary to all other technologies (FW, IPS,...) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 6

7 Network as a Sensor in the Branch Learning Network License: Algorithmic Based Anomaly Detector ISR 4K only Stealthwatch: Historical/Statistical Based Anomaly Detector Learning Network License Stealthwatch Behavioral Analytics with Machine Learning Packet Capture at the Branch Level Immediate Local Detection with Machine Learning communication Together Find zero day attacks immediately and find historical trends 30, 60, 90 days in the past Netflow and Behavioral Analytics for Branch Level Security Complete Broad and Deep Branch Level Visibility Behavioral Analytics Based on Rules and Statistical Analysis Packet Capture Integration with Security Packet Analyzer Central Detection with Full Historical Data BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 7

8 Joint Use Case: Retail Stealthwatch Management Console Cisco ISE Stealthwatch Learning Manager Retail Store ISR4K with Learning Network License Internet Headquarters MPLS Retail Store ISR4K with Learning Network License Stealthwatch Flow Sensor Netflow and Behavioral Analytics for Branch Level Security Integrated Threat Intelligence with Cisco Identity Services Engine (ISE) Complete Broad and Deep Branch Level Visibility Better Together BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

9 SLN Architecture

10 SLN Architecture Principles For Security Fundamentally distributed, building models for visibility and detection at edge Uses Machine Learning (ML) Context enrichment (using ISE integration, Threat Intelligence,... ) Ability to adapt to user feed-back (Reinforcement Learning) Advanced control for fine-grained mitigation BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 10

11 Agent Manager SLN Architecture ISE Orchestration of Learning Network Agents Advanced Visualization of anomalies Centralized policy for mitigation Interaction with other security components such as ISE and Threat Intelligence Feeds North bound API to SIEM/Database (e.g. Splunk) using CEF format Evaluation of anomaly relevancy Manager WAN Threat Intel Internet Sensing (knowledge): granular data collection with knowledge extraction from NetFlow but also Deep DLA Packet Inspection on control and data plane & local states Machine Learning: real-time embedded behavioral modeling and anomaly detection Control: autonomous embedded control, advanced networking control (police, shaper, recoloring, redirect,...) Agent 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

12 An Open Architecture (Manager / SCA) Identity Services Engine Context Enrichment: IP Address (key) Audit session ID User AD Domain MAC address NAS IP & port (!!) Posture TrustSec, SGT,... CEF export (syslog transport) pushing anomalies as events into DB and SIEM SIEM, DB ISE Manager Public/Private Internet Agent Threat Intel Internet TALOS, potentially others FW, IPS/IDS API triggering Mitigation form external Sources such as Firewall, IPS/IDS,... Abstracting networking complexity 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

13 Agent An Open Architecture (Agent / DLA) Manager ISE Threat Intel Threat Grid, OpennDNS, WBRS,... Other TI feeds Northbound API TIP DLC PCM Internet NSC NCC Public/Private Internet Netflow DPI Local Other States Agent BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 13

14 SOLT & Traffic Modeling

15 Before we start... A few (random) facts: Two camps... Super Pro ML and Anti-ML, both have good arguments Extremely wide range of ML algorithms with no one-size-fits-all "No Free Lunch" theorem ML/AI incredibly powerful if applied to solve the right problems Hard to tune? Yes if naively applied... Interpretability, scalability & user experience are essential BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 15

16 Discussing Recall, Precision, FP,... Few simple notions required when discussing Machine Learning: False Positive (FP), True Positive (TP), False Negative (FN), True Negative (TN), Recall and Precision. Take a Classifier C trained to detect if an event E is relevant (Like) or not (irrelevant). TP: E is classified as relevant and is indeed an relevant FP: E is classified as relevant and is in fact irrelevant (noise) TN: E is classified as irrelevant and is indeed irrelevant FN: E is classified as irrelevant and is in fact an relevant Recall = TP / ( TP + FN) (notion of sensitivity) Precision = TP / (TP + FP) (positive predictive value) Accuracy ACC = (TP + TN) / (TP + TN + FP + FN), Example: if a classifier that is trained to detect dogs in a picture detects 15 dogs, only 10 of them are dogs, and there are 20 dogs in the picture then the Precision = 10/15 = 0.66 and Recall = 10/20 = 0.50 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

17 Clusters, Self Organizing Learning Topology and Anomalies Key question: how can we model host behaviors? Modeling mixed-behaviors unavoidably leads to hiding anomalies... The fundamental idea of dynamics clustering is to group devices according to behavioral similarity Self Organizing Learning Topologies (SOLT): ability to build Virtual topologies used to learn models between dynamic clusters Clusters become nodes of a graph, traffic becomes the edges Example: find model for HTTP traffic from cluster A to cluster B BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 17

18 Dynamic Clustering Internet DLA Cluster: known/internal/network Public/Private Internet Branch 2 Cluster: known/internal/collab Agent Cluster: known/internal/inet::windows Branch 1 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 18

19 Dynamic Clustering Learning of cluster assignment is a dynamic task, and hosts are allowed to transition BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 19

20 SOLT Clustering Statistics Total # clusters quickly converges towards the mark Hosts gradually transition to known state as the system collects more and more samples Behavioral transitions keep occurring as behaviors evolve and/or addresses get reassigned BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

21 Life of an Anomaly Agent Manager Anomaly Clustering: dynamic clustering according to behavioral degree of similarity SOLT NSC NSC : Traffic analysis from multiple data feeds

22 Hierarchical ML Models Model Germany Boston Scr/Dest Cluster Layer Collab models C1-D1, C1-D2, C1-D3, C2-D1,... NYC File Transfer models C1-D1, C1- D2, C1-D3, C2-D1,... Collab models from C1, from C2, from C3 Collab File Transfer File Transfer models from C1, from C2, from C3 Cluster Layer Voice Printing Application Layer Collab File Transfer BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 22

23 Inside a Model... Germany Internet High number of dimensions extracted from multi feeds (Netflow, DPI) Public/Private Internet (hundreds of dimensions)... Multi-dimensional and Hierarchical models using stateless/statefull features Rich DNS features: avr names length, # of consecutives vowels, average entropy of characters,... Multi-layer: cluster-clusterapp, cluster-app, app DLA BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

24 Computing SOLT Scores Each scored flow update is evaluated against prior observations, computing the rank of the score over a sliding time window. Flow updates are then marked as anomalous or not based a set of criterion to be met (Maximum rank to be considered as anomalous, Score value, # of samples contributing to model, Maturity of the model (# of samples, time,...). Boosting based on Expert knowledge (application sensitivity, # of features,...) Computes an anomaly score and select TOP anomalies BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 24

25 Life of an Anomaly Agent Manager Anomaly Clustering: dynamic clustering according to behavioral degree of similarity Modeling SOLT NSC Modeling: dynamically learned baseline with multiple layers, high dimensions space, anomaly detection NSC : Traffic analysis from multiple data feeds

26 Demo

27 In this demo, we will show - Smart Dashboard: stats on anomalies,... - SLN System state after learning: cluster,... - DLA states: CPU, memory, Cisco and/or its affiliates. All rights reserved. Cisco Public

28 Selective Anomaly Forwarder (SAF) & Selective Anomaly Pullers (SAP)

29 Selective Anomaly Forwarder (SAF) and Selective Anomaly Puller (SAP) Manager 1. When an anomaly is detected by an Agent, its Selective Anomaly Forwarder decides whether this anomaly is worth being sent to the Manager (every Agent is given a "budget" of anomalies it may report) 2. If the SAF decides to forward the anomaly, a digest of the anomaly is sent to the Manager 3. When a digest of an anomaly is received by the Manager, its Selective Anomaly Puller decides whether this anomaly is worth being completely pulled 4. If the SAP decides to pull the anomaly, all the information about this anomaly is requested to the Agent WAN Agent BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 29

30 Selective Anomaly Forwarder (on the DLA) SAF role is to select the most interesting anomalies to be forwarded to the SCA according to Score of the anomaly, According to a forwarding Budget, with exploration Forwarded Anomalies available budget Considered for exploration Forwarded with probability proportional to importance and available budget BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 30

31 ANOMALY SHOWN TO USER Selective Anomaly Pullers (on SCA) SAP role is to select the most interesting anomalies from all DLAs to be shown to the user, according to Score of the anomaly for a given DLA and across all DLAs (ensuring good diversity of anomalies), local Budget with exploration Distributed Relevance Learning explained later in great details pull like Inbox Puller (relevance) do not pull Exploration Puller (importance) do not pull DRL prediction pull Discarded Puller (-relevance) ANOMALY IS NOT PULLED dislike do not pull pull BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 31

32 Life of an Anomaly Agent Anomaly Anomal 9 y 6 A Anomal maly Ano y 4 A n maly n o om 5 aly 1 o m 2 m a al a l y y l 3 y 7 Manager Anomaly Scoring & Ranking Selective Anomaly Forwarder: select the most interesting anomalies according to their score, with exploration Clustering: dynamic clustering according to behavioral degree of similarity Modeling SOLT NSC Modeling: dynamically learned baseline with multiple layers, high dimensions space, anomaly detection NSC : Traffic analysis from multiple data feeds

33 Demo

34 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

35 Killing False Positives with Distributed Relevance Learning

36 ISE SCA Threat Intel Controller Public/Private Internet DLA 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

37 Traditional Anomaly Detection Systems Focus on Detection (wrong) SCA Core challenge is not Detection itself but Precision (avoid False Threat Intel Positive / Irrelevant alarms) Controller Public/Private Internet ISE DLA 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

38 Traditional Anomaly Detection Systems Focus on Detection (wrong) SCA Core challenge is not Detection itself but Precision (avoid False Threat Intel Positive / Irrelevant alarms) SLN Approach Efficient detection and Precision Controller Public/Private Internet Make the Network learn form its own mistakes DLA and eliminate False Positive! There is a notion of subjectivity too Not a feature but an Architecture ISE 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

39 Distributed Relevance Learning Manager Public/Private Network Reinforcement Learning: Actor Agent training data Statistical Classifier predictions Optimal Forwarder BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 39

40 Up to 5000 distributed agents analyzing 9 billion networking events Agent Heuristics Optimal Forwarder Pre-trained heuristic selects relevant events Agent Agent WAN Manager Optimal Forwarder ML Model Inbox supervised training Agent 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

41 Relevance can be subjective too! BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 41

42 Behind the scenes...

43 Challenges... Design an algorithm with the following properties: 1) Remove False Positive (FP) (anomalies that are not of interest) 2) Do not remove true positive (anomalies that are relevant) 3) Learn quickly (do not require too much feed-back from the user) 4) Be consistent across data set (robustness) 5) Handle inconsistency between users, changing decisions (unlearn) Sophisticated architecture involving several components: 1) Deep Neural Networks (DNN) 2) Classifiers trained with Supervised Learning 3) Active Learning to request labeling of specific elements of a set based on an importance function BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 43

44 SLN may improperly discard an actual anomaly... (False Negative of the Like Class) => The user can correct mistakes too thanks to the Discarded Box. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 44

45 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

46 SLN asking for help... (remember exploration?) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

47 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

48 Life of an Anomaly Agent Anomaly Anomal 9 y 6 A Anomal maly Ano y 4 A n maly n o om 5 aly 1 o m 2 m a al a l y y l 3 y 7 Manager Selective Anomaly Puller: select the most interesting anomalies according to their score per Agent and across all Agents, with exploration Relevancy Learning Anomaly Selection Anomaly Distributed Relevancy Learning: Likelihood of relevancy (False Positive reduction) DRL Scoring & Ranking Modeling SOLT Selective Anomaly Forwarder: select the most interesting anomalies according to their score, with exploration Modeling: dynamically learned baseline with multiple layers, high dimensions space, anomaly detection Clustering: dynamic clustering according to behavioral degree of similarity NSC NSC : Traffic analysis from multiple data feeds

49 Packet Capture & Mitigation

50 PBC Agent DLC PCAP of Anomalous Traffic TIP Northbound API DLC PCM Anomaly Detected: The DLC detects an anomaly in the traffic and gathers all the details to characterize it: time, IP etc. PBC Message: Sends a message to the PBC with the characteristics of the anomaly Circular Buffer NSC Netflow DPI Local Other States Compressed PCAP Files PBC SPAN Traffic Branch Traffic Anomaly Message: Receives the anomaly details from the DLC PBC Search and Extract: Searches for all the packets that match the anomaly characteristics and extracts them to a compressed PCAP file PCAP storage: Maintains list of files per anomaly and purges unused files periodically Push files: Pushes all PCAP files for an anomaly from the Agent when a user requests it Packet Details: File contains packets that have either source or destination IP of the anomaly. Allows to see all activity around the anomaly PCAP Size: Typically ~ 10KB-100KB, 10K-500K packets 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

51 On-Premise Edge Control Honeypot (Forensic Analysis) Controller infrastructure Manager Control Policy Smart Traffic flagging Traffic segregation & selection Network-centric control (shaping, policing, divert/redirect) Public/Private Internet Agent Agent Agent Shaping BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 51

52 In this demo, we will show Mitigation triggered by a user from a given anomaly 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

53 System Requirements

54 Stealthwatch Learning Network License Requirements Learning Network Manager VMWare ESXi 5.5 Memory 16 Gb 4 Virtual CPUs 1 Virtual NIC 200 Gb of hard disk SCA Manager is Smart Enabled Requires Smart Account on CCO Learning Network Agent ISR 4000 (4451, 4431, and ISR 4351, 4331) ISR 4321 and 4421 support in process for Container, Spring 2017 As a SW Only Agent we require IOS-XE S / 15.4(3)S1 > LXC Container APPX license Application Experience ISR AX, AXV and C1 Bundle includes APPX 8 to 16G memory upgrade (included in all ISR 4K C1 Bundles) Option to add NIM-SSD 200Gb Storage for PCAP Can also be deployed on UCS Blade ISR 28/ Cisco and/or its affiliates. All rights reserved. Cisco Public

55 ISR 4K w/learning Agent inside IOS XE IOSd Control Plane Learning Agent Linux Service Container Linux OS Netflow and NBAR Data Platform-Specific Data Plane Cisco ISR 4000 Platform Security monitoring now built inside your Cisco NG ISR 4K Router with dedicated core for AD Agent 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

56 Findings

57 Quick Status on SLN... Findings? The system does learn, as expected Relevant detected anomalies (time of day, volume, unexpected flows, long live flows,...) SLN detected anomalies it was not explicitly programmed for (Cognitive Computing) Does it detect everything without False Positive? No, such systems simply do not exist but SLN learns and quickly adjusts to customer relevancy learning The Place In the Network (PIN) is fundamental => dramatically extending the protection surface and visibility BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 57

58 Anomaly: Tor client on corporate network Tor = anonymous/tunneled browsing system based on encryption and multiple hops Host on Beta customer network opened SSL connection to 3 Tor nodes 2 are located in Europe, a 3 rd one has a Japanese hostname but is geolocated in the US BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 58

59 Anomaly: retail branch subnet scanned for Telnet & SSH Host external to the branch performing a scan of ports TCP/22 & TCP/23 Very subtle scan on a narrow scope and probing only two ports per host BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 59

60 Anomaly: branch printer making numerous DNS requests over TCP & UDP Abnormally high number of DNS requests for a printer Mix of UDP and TCP for DNS is also unusual BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 60

61 Anomaly: branch device scanning across the WAN Branch host is scanning addresses located elsewhere on the corporate network Wide port scan, NMAP-style BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 61

62 Anomaly: new branch host detected at night New host appears on branch network and starts Windows logon sequence Behavior is unusual at this time of day (after 6pm local time) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 62

63 Anomaly: SSH session causing a large number of TACACS+ requests Branch network device performs 280 TACACS+ requests in a few seconds Occurs while an SSH session to the device was active Most likely command authorization and/or accounting requests BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 63

64 Anomaly: branch host transfers 2GB from SSH server running on HTTPS port Branch host downloads 2GB of data from an SSH server on the internet SSH connection terminates on port 443 which is assigned to HTTPS Manual check confirms port misuse, most likely to evade simple L4 firewalls BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 64

65 Anomaly: branch host performs miniature SYN Flood on server Nearly a thousand incomplete TCP handshakes to a CIFS server within <1 minute; almost like a miniature SYN Flood attempt BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 65

66 Anomaly: malware Command & Control using DNS as covert channel Active malware Command & Control (C2) channel going to another country Using DNS as covert channel (not fully RFC compliant, but enough to be classified as DNS) Only detected by SLN, although FW and IPS/IDS were active on the network BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 66

67 Conclusion

68 Manager ISE Threat Intel Controller Internet Public/Private Internet Agent Agent Agent X 1,000s... BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 68

69 Manager ISE (Hyper) Distributed Architecture... Scale This *is* the challenge Threat Intel Controller Internet Public/Private Internet Agent Agent Agent X 1,000s... BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 69

70 Manager ISE (Hyper) Distributed Architecture... Scale This *is* the challenge Threat Intel Controller Internet Public/Private Internet Learning... Adaptive, Ease of Use With dynamic False Positive Reduction Agent Agent Agent X 1,000s... BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 70

71 Manager ISE (Hyper) Distributed Architecture... Scale This *is* the challenge Threat Intel Controller Internet Public/Private Internet Learning... Adaptive, Ease of Use With dynamic False Positive Reduction Agent Agent Agent X 1,000s Lightweight... Pervasive... BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 71

72 Product Roadmap (subject to change) FCS 1.0 and X 3.X Enter market & gain validation Extended capability & context enrichment Expanded footprint HW HW ISR 4431/51, 4351, 4331,and UCS-E Blade HW: add ISR 4321, ISR 4221, ENC 5400 w/isrv, and CSR HW: ASR 1001/1002, investigate NG Switching SW ML driven detection of security anomalies network, Reinforcement Learning Initial mitigation capabilities (API) Central viewing of anomalies on the Learning Manager Dynamic cluster creation PCAP Integration with SMC (new SCA Dashboard in SMC ) Support for Polaris IOS XE 16.4,.5 Reporting with and POV Reports External anomaly context enrichment : Talos and ETTA Continue SMC Console integration Real-time alerting ( )* Mix of Manual/Automatic cluster definition IPV6 Investigate SLNL (QoS) shaping and ACL capability Q4 FY16 FY17 2H FY17 * SLN DLA (Agent Arch) is specifically targeted for new NG HW from Cisco that support LXC Container, as a Cisco feature differentiator 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

73 SLNL Part Numbers and Orderability Part Number L-SW-LN-44-1Y-K9 L-SW-LN-44-3Y-K9 L-SW-LN-43-1Y-K9 L-SW-LN-43-3Y-K9 L-SW-LN-UCS-1Y-K9 L-SW-LN-UCS-3Y-K9 L-SW-SCA-K9 L-SW-LN-44-K9= L-SW-LN-43-K9= L-SW-LN-UCS-K9= Product Description Cisco Stealthwatch Learning Network License for Cisco 4400 Series Integrated Services Routers 1 Yr Term Cisco Stealthwatch Learning Network License for Cisco 4400 Series Integrated Services Routers 3 Yr Term Cisco Stealthwatch Learning Network License for Cisco 4300 Series Integrated Services Routers 1 Yr Term Cisco Stealthwatch Learning Network License for Cisco 4300 Series Integrated Services Routers 3 Yr Term Cisco Stealthwatch Learning Network License for Cisco UCS 1 Yr Term Cisco Stealthwatch Learning Network License for Cisco UCS 3 Yr Term Stealthwatch Learning Network Centralized Agent Manager Cisco Stealthwatch Learning Network Software for 4400 Series Cisco Stealthwatch Learning Network Software for 4300 Series Cisco Stealthwatch Learning Network Software for UCS Series The 1Y and 3Y SKU s above indicate the software term. The price for each is on Cisco Global Price List and in Cisco Commerce (CCW). An equal sign (=) in the SKU denotes the software you download and is the master SKU for Ordering BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 73

74 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 74

75 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings LTRSEC-2011 SLN Deployment Lab (instructor-led) Thu 14:00 18:00 (this afternoon!) Hall 2 Level 1, Lab Room 601 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 75

76 Thank You

77