Stealthwatch and Cognitive Analytics Configuration Guide (for Stealthwatch System v6.10.x)



Copyrights and Trademarks 2018 Cisco Systems, Inc. All rights reserved. NOTICE THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. 
Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. All printed copies and duplicate soft copies are considered un-controlled copies and the original on-line version should be referred to for latest version. Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Contents

- Introduction
- Data
  - Stealthwatch Flow Records
  - Web Log Data
- Configuring the Stealthwatch Management Console
  - Dashboard Component
  - Inside Hosts
- Configuring the Flow Collector
- Verification
  - Docker Services
  - ETA Integration
- Related Resources
- Contacting Support

Introduction

Cisco Cognitive Analytics quickly detects suspicious web traffic and/or Stealthwatch flow records and responds to attempts to establish a presence in your environment and to attacks that are already under way. Once Cognitive Analytics is enabled on the Stealthwatch System, Stealthwatch sends flow records to the Cognitive Analytics cloud for analysis. By default, Cognitive Analytics processes Stealthwatch flow records for inside/outside host group traffic and DNS requests. You can also specify additional host groups to monitor inside traffic.

Cognitive Analytics provides better analysis and detection if you use both Stealthwatch flow records and web traffic data. While no additional licenses are required to send Stealthwatch flow records to Cognitive Analytics, Stealthwatch Proxy Log is required to send web traffic data from the Stealthwatch System to Cognitive Analytics. See Related Resources at the end of this document for links to more information about these products.

Notes:
- Cognitive Analytics has migrated to the Amazon Web Services (AWS) Cloud, which results in new URLs and IP addresses. Refer to the Field Notice for more information.
- The Stealthwatch Management Console and Flow Collector can be configured to connect to the Internet via a proxy server. Cognitive Analytics supports HTTP/HTTPS proxies with SSL inspection disabled. Stealthwatch does not support SOCKS proxies. For more information on how to set up a web proxy, refer to Configuring the Stealthwatch Management Console.
- Cognitive Analytics does not work with Stealthwatch trial licenses. For more information on Stealthwatch licenses, refer to Downloading and Licensing Stealthwatch Products.
- Cognitive Analytics is only available for the default domain or site within Stealthwatch; multiple domains or sites are not supported.
- Cognitive Analytics is not supported on the Flow Collector sFlow.

Data

Two categories of data are sent to the Cognitive Analytics data center in London (over SCP and HTTPS) and the AWS data center in Dublin:
- Stealthwatch flow records, if any of the following conditions are met:
  - Records for inside/outside host group traffic
  - Records for specific internal host group traffic (see "Inside Hosts")
  - Records for DNS requests, if the server port is 53
- Web log data, if you have Stealthwatch Proxy Log

Stealthwatch Flow Records

The Stealthwatch flow records include:
- IP address of host endpoint
- start time
- last active time
- autonomous system number
- TCP or UDP port
- port range
- MAC address
- group IDs
- VM ID
- payload*
- SYN packet count
- RST packet count
- number of bytes and packets sourced per period
- TrustSec security group tag ID and name
- FIN packet count
- well-known service port
- protocol
- number of total bytes and packets since flow started
- packet shaper application ID
- flow identifier
- application ID
- service ID
- flow sensor application ID
- NBAR application ID
- Palo Alto application ID
- VLAN ID
- connection count
- username
- retransmit count
- server response time
- MPLS label
- list of exporters
- flow sequence number
- round trip time
- Flow Collector IP address
- SVRD metric

*If the advanced settings on the Flow Sensor are enabled, this field will contain the configured amount of application payload data. Alternatively, this field could contain a URL provided by a Cisco IOS device with NBAR enabled.

Web Log Data

The web log data includes:
- timestamp
- elapsed time
- client IP address
- server IP address
- client username (optional)
- server name
- client TCP ports
- server TCP ports
- requested URL/URI
- bytes transferred from client to server
- HTTP referrer header
- user-agent string
- bytes transferred from server to client
- HTTP response status code
- response MIME type or Content Type
- HTTP request method
- HTTP Location header
- action taken by the web security proxy

Configuring the Stealthwatch Management Console

Dashboard Component

To configure the Cognitive Analytics component on the Stealthwatch Management Console, complete the following steps:

1. Configure your network firewall to allow communication from the Stealthwatch Management Console to the following IP addresses on port 443:
   AWS Elastic IPs:
   - 34.242.41.248
   - 34.242.94.137
   - 34.251.54.105
   Cisco Streamline IPs:
   - 146.112.59.0/24
   - 208.69.38.0/24
   Note: If public DNS is not allowed, you will need to configure the resolution locally on the Stealthwatch Management Console.
2. Log in to the Stealthwatch Management Console.
3. Go to Administer Appliance.
4. Click Configuration > System Time and NTP. Click the Enable Network Time Protocol check box to set up an NTP server.
   Note: If the system does not have accurate time, the appliance will not connect properly to Cognitive Analytics.
5. Click Home. Under Docker Services, click Configure for Cognitive Threat Analytics Dashboard Component.
6. Select the Dashboard Component check box to enable the Cognitive Analytics component on the Security Insight Dashboard and the Host Report.
7. (Optional) Select the Automatic Updates check box to enable Cognitive Analytics to send updates automatically from the cloud.
   Note: The automatic updates will mostly cover security fixes and small enhancements for the Cognitive Analytics cloud. These updates will also be available through the normal Stealthwatch release process. You can disable this option at any time to stop the automatic updates from the cloud. If you enable automatic updates on the Stealthwatch Management Console, you need to enable it on the Flow Collector(s) as well.
8. Click Apply.
   Note: It will take a few minutes for the Docker service to update and show the Cognitive Analytics component on the Security Insight Dashboard and the Host Report.
9. (Optional) To configure an internet proxy, go to Configuration > Services. Scroll down to the Internet Proxy section, enter your proxy IP and ports, then click Apply.

Inside Hosts

By default, Cognitive Analytics processes Stealthwatch flow records for inside/outside host group traffic and DNS requests. By configuring an internal host group to send Stealthwatch flow records, you add further data to what is sent to the cloud for analysis. Adding specific host groups to Cognitive Analytics monitoring is intended for company internal servers (e.g. mail servers, file servers, web servers, authentication servers, etc.); adding the traffic from end users to those servers can improve visibility into the exposure of data that could be misused by malware running on affected devices. Please don't check all the host groups for sending data; check only the host groups representing internal servers.

To allow Cognitive Analytics to monitor Inside Host traffic, complete the following steps:

1. Log in to the SMC client interface.
2. Right-click the applicable Inside Host Group and click Configuration > Host Group Properties.
   Note: This feature enables monitoring traffic for all host groups under the selected parent host group. We recommend only enabling this option on child host groups to avoid potential performance issues.
3. Select the Send Flow to Cognitive Threat Analytics (CTA) check box.
4. Click OK.

Configuring the Flow Collector

To configure the Cognitive Analytics component on the Flow Collector NetFlow, complete the following steps:

Note: You will need to configure the Cognitive Analytics Data Uploader on each Flow Collector NetFlow to get accurate results.

1. Configure your network firewall to allow communication from the Flow Collector(s) to the following IP addresses on port 443:
   AWS Elastic IPs:
   - 34.242.41.248
   - 34.242.94.137
   - 34.251.54.105
   Cisco Streamline IPs:
   - 146.112.59.0/24
   - 208.69.38.0/24
   - 108.171.128.86
   Note: If public DNS is not allowed, you will need to configure the resolution locally on the Flow Collector(s).
2. Log in to the Flow Collector NetFlow.
3. Click Configuration > System Time and NTP. Click the Enable Network Time Protocol check box to set up an NTP server.
   Note: If the system does not have accurate time, the appliance will not connect properly to Cognitive Analytics.
4. Click Home. Under Docker Services, click Configure for Cognitive Threat Analytics Data Uploader.
5. Select the Data Uploader check box to enable sending data from your Flow Collector to the Cognitive Analytics engine.
6. (Optional) Select the Automatic Updates check box to enable Cognitive Analytics to send updates automatically from the cloud.
   Note: The automatic updates will mostly cover security fixes and small enhancements for the Cognitive Analytics cloud. These updates will also be available through the normal Stealthwatch release process. You can disable this option at any time to stop the automatic updates from the cloud. If you enable automatic updates on the Flow Collectors, you need to enable it on the Stealthwatch Management Console as well.
7. Click Apply.
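The firewall steps for the Stealthwatch Management Console and for the Flow Collector(s) above each list the destinations that must be reachable on port 443. The following is an added example (not Cisco's code) that encodes those two allow-lists and checks an exported egress policy for gaps before the appliances are enabled; the `policy_rules` format is an assumption constructed for the example, and the live reachability probe is optional.

```python
"""Pre-flight check of egress firewall rules for the Cognitive Analytics
destinations listed in this guide. Added example, not part of the guide."""
import ipaddress
import socket

REQUIRED_PORT = 443  # every destination in the guide is reached over TCP 443

# Destinations from the Stealthwatch Management Console section.
SMC_DESTINATIONS = [
    "34.242.41.248", "34.242.94.137", "34.251.54.105",  # AWS Elastic IPs
    "146.112.59.0/24", "208.69.38.0/24",                # Cisco Streamline IPs
]
# The Flow Collector section lists one additional Streamline host.
FLOW_COLLECTOR_DESTINATIONS = SMC_DESTINATIONS + ["108.171.128.86"]


def _networks(entries):
    """Parse host addresses and CIDR prefixes alike into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(dst_ip, dst_port, allow_list):
    """True if a single destination is covered by one of the guide's lists."""
    if dst_port != REQUIRED_PORT:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in _networks(allow_list))


def missing_from_policy(policy_rules, required):
    """Return the required destinations that an exported policy does not cover.

    policy_rules: list of (network, port) tuples; this is a constructed,
    assumed format standing in for whatever your firewall exports.
    """
    rules = [(ipaddress.ip_network(n, strict=False), p) for n, p in policy_rules]
    missing = []
    for entry in required:
        req = ipaddress.ip_network(entry, strict=False)
        covered = any(
            port == REQUIRED_PORT and net.version == req.version and req.subnet_of(net)
            for net, port in rules
        )
        if not covered:
            missing.append(entry)
    return missing


def tcp_reachable(host, port=REQUIRED_PORT, timeout=3.0):
    """Optional live probe from the appliance's network: TCP connect only."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed sample export: one rule too narrow, one on the wrong port.
    sample_policy = [("34.242.0.0/16", 443), ("146.112.59.0/24", 443),
                     ("208.69.38.0/24", 80)]
    print("Flow Collector gaps:",
          missing_from_policy(sample_policy, FLOW_COLLECTOR_DESTINATIONS))
```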

Verification

Docker Services

To verify that the Cognitive Analytics Docker Services are configured properly, complete the following steps:

Note: To disable Cognitive Analytics, go to the docker container in Administer Appliance, click Configure and un-select the check boxes. If you click Stop, the docker container will stop sending data, but it will re-enable if the Flow Collector reboots.

1. Check that Docker Services on the Stealthwatch Management Console and the Flow Collector(s) show Enabled.
2. Check that the Cognitive Analytics component has appeared on the Security Insight Dashboard and Host Report.
3. From the navigation menu, click Dashboard > Cognitive Threat Analytics. The Cognitive Analytics Dashboard page will open. Click Device Accounts from the menu in the upper-right corner of the page. Check that the account for each configured Flow Collector is uploading data and has a ready status.

Note: After configuration, allow two days for the Cognitive Analytics engine to learn how your network behaves.

ETA Integration

Cognitive Analytics implements malware detection capability within the Encrypted Traffic Analytics (ETA) solution. To verify that the ETA solution is set up correctly, CTA can generate ETA test incidents using specific test site domains. To generate these test incidents, browse to one of the following test sites from a host whose HTTPS session passes through an ETA-enabled switch and router:
- Malware: https://examplemalwaredomain.com
- Botnet: https://examplebotnetdomain.com
- Phishing: https://internetbadguys.com

Note: The detection may initially show up with a risk rating of 5. The risk rating can increase with additional bad or repetitive behavior, such as visiting several of the above URLs or repeatedly visiting the same URL.

TOR detection: Download and install the TOR browser from https://www.torproject.org/projects/torbrowser.html.en. Launch the browser and go to a few websites.

Note: The TOR detection will display as "TOR relay" or "Possibly Unwanted Application" with a risk rating of 4.


Related Resources

For more information about Cognitive Analytics, go to their website at https://cognitive.cisco.com or their product documentation at http://www.cisco.com/c/en/us/td/docs/security/web_security/scancenter/administrator/guide/b_scancenter_administrator_guide/b_scancenter_administrator_Guide_chapter_011110.html

For more information about Cloud Terms and Offer Descriptions for all Cisco cloud products: http://www.cisco.com/c/en/us/about/legal/cloud-and-software/cloud-terms.html

For more information about the Cisco Universal Cloud Agreement: http://www.cisco.com/c/dam/en_us/about/doing_business/legal/docs/universal-cloud-agreement.pdf

For more information about the omnibus offer description: http://www.cisco.com/c/dam/en_us/about/doing_business/legal/docs/omnibus-cloud-security.pdf

For more information about Stealthwatch Proxy Log and web proxy: https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/proxy/sw_6_10_x_proxy_log_configuration_DV_1_1.pdf

Contacting Support

If you need technical support, please do one of the following:
- Contact your local Cisco Partner
- Contact Cisco Stealthwatch Support
  - To open a case by web: http://www.cisco.com/c/en/us/support/index.html
  - To open a case by email: tac@cisco.com
  - For phone support: 1-800-553-2447 (U.S.)
  - For worldwide support numbers: www.cisco.com/en/us/partner/support/tsd_cisco_worldwide_contacts.html

SW_6_10_x_Stealthwatch_and_Cognitive_Analytics_DV_1_2