Monitoring and Threat Detection


Monitoring and Threat Detection with Netflow Michael Belan Consulting Systems Engineer Cisco GSSO January 2017

AGENDA
- What is SW? Where does it fit in the overall Cisco Security framework?
- What is SW? What does it do? And how does it work?
- Components: NetFlow and product architecture
- Visibility: host and network
- Use cases: forensic and insider threat
- Review
- Demo

The Cyber Threat Defense 2.0 Model

NETWORK as a SENSOR
(Diagram: NetFlow from the network feeds StealthWatch, which detects anomalies and policy violations inside the network. High visibility for very low touch.)

(Diagram: Cyber Threat Defense 2.0 topology. Sites A, B and C connect through CE routers to PE routers in an MPLS cloud, with the data center and a trusted internet connection (TIC) to the Internet. North-south traffic runs between the Internet, the WAN (MPLS/VPLS) and the enterprise LAN; east-west traffic runs between users/hosts and the datacenter.)

Visibility Through NetFlow
- NetFlow is metadata: key fields describing conversations
- Unidirectional: two records per conversation
- Established; versions include v5, v9 and IPFIX
- Supported by open source and commercial tools
- NOT full packet capture
Benefits include:
- Visibility across the entire network
- Independent of agents, sensors, signatures
- Lightweight vs. packet capture for storage/forensics
- Unhindered by encryption
Example flow record exported by the switches and routers on the path from 10.1.8.3 to 172.168.134.2 (Internet):
  SOURCE ADDRESS        10.1.8.3
  DESTINATION ADDRESS   172.168.134.2
  SOURCE PORT           47321
  DESTINATION PORT      443
  INTERFACE             Gi0/0/0
  IP TOS                0x00
  IP PROTOCOL           6
  NEXT HOP              172.168.25.1
  TCP FLAGS             0x1A
  SOURCE SGT            100
  APPLICATION NAME      NBAR SECURE-HTTP

Open Source Flow Tools
- Ntop
- Flowscan
- Flow-tools/cflowd
- EHNT
- SiLK
among others

Scaling Visibility: Flow Stitching
Unidirectional flow records (10.2.2.2 port 1024 seen on eth0/1, 10.1.1.1 port 80 seen on eth0/2):
  Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
  10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
  10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712
Bidirectional flow record (one conversation flow record; allows easy visualization and analysis):
  Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
  10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Scaling Visibility: NetFlow Deduplication
The same conversation between 10.2.2.2 port 1024 and 10.1.1.1 port 80 is exported by three routers:
  Router A: 10.2.2.2:1024 -> 10.1.1.1:80
  Router B: 10.2.2.2:1024 -> 10.1.1.1:80
  Router C: 10.1.1.1:80 -> 10.2.2.2:1024
Without deduplication:
- Traffic volume can be misreported
- False positives would occur
Deduplication:
- Allows for efficient storage of flow data
- Is necessary for accurate host-level reporting
- Does not discard data
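The stitching and deduplication steps described on the two slides above, written out as an added example (not code from the deck or from Stealthwatch). It takes the slides' sample conversation as seen by routers A, B and C, collapses the duplicate exports, and pairs the two directions into one bidirectional record. The client/server and duplicate-matching rules are assumptions stated in the comments.

```python
from collections import defaultdict

# Constructed unidirectional NetFlow records modelled on the slides' examples
# (not from the deck): routers A and B both export the client->server half of the
# 10.2.2.2:1024 <-> 10.1.1.1:80 conversation, router C exports the server->client
# half. Fields: exporter, start time, src ip/port, dst ip/port, proto, pkts, bytes.
RAW_FLOWS = [
    ("RouterA", "10:20:12.221", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    ("RouterB", "10:20:12.221", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    ("RouterC", "10:20:12.871", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]

def deduplicate(flows):
    """Collapse identical unidirectional records seen by several exporters.
    Assumption: same 5-tuple and same start time => same flow. Counters are
    taken once (never summed) and the exporter list is kept, so no data is lost."""
    seen = {}
    for exp, start, sip, sp, dip, dp, proto, pkts, byts in flows:
        key = (start, sip, sp, dip, dp, proto)
        if key in seen:
            seen[key]["exporters"].append(exp)   # duplicate: remember who else saw it
        else:
            seen[key] = {"start": start, "src": (sip, sp), "dst": (dip, dp),
                         "proto": proto, "pkts": pkts, "bytes": byts, "exporters": [exp]}
    return list(seen.values())

def stitch(unidirectional):
    """Pair the two directions of each conversation into one bidirectional record.
    Assumption: the endpoint whose record starts first is the client."""
    by_conv = defaultdict(list)
    for f in unidirectional:
        # direction-independent conversation key
        by_conv[(f["proto"],) + tuple(sorted([f["src"], f["dst"]]))].append(f)
    records = []
    for halves in by_conv.values():
        halves.sort(key=lambda f: f["start"])       # HH:MM:SS.mmm sorts lexically
        first = halves[0]
        client, server = first["src"], first["dst"]
        rec = {"start": first["start"], "client": client, "server": server,
               "proto": first["proto"], "client_bytes": 0, "client_pkts": 0,
               "server_bytes": 0, "server_pkts": 0, "exporters": []}
        for h in halves:
            side = "client" if h["src"] == client else "server"
            rec[side + "_bytes"] += h["bytes"]
            rec[side + "_pkts"] += h["pkts"]
            rec["exporters"] += h["exporters"]
        records.append(rec)
    return records

def conversations(flows):
    """Full collector pipeline for a batch of raw records: dedup, then stitch."""
    return stitch(deduplicate(flows))
```

Running `conversations(RAW_FLOWS)` yields one record with 1025 client bytes and 28712 server bytes, exactly the bidirectional row on the stitching slide; summing the raw exports instead would have doubled the client-side volume.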

Massively Scalable Architecture
- Stealthwatch Management Console: presentation, integration; 25 collectors per manager; 6 million flows per second
- Flow Collector: flow collection, profiling; 240,000 flows per second; stitching, deduplication; unsampled flow
- Flow Sensor: flow export; payload sample; certificate data; URLs

Stealthwatch Architecture
- StealthWatch Management Console
- Cloud License
- FlowCollector
- Packet Analyzer
- Cisco ISE / ISE PIC (user and device information)
- Cisco AnyConnect
- FlowSensor / FlowSensor Virtual
- NetFlow enabled infrastructure
- Feeds of emerging threat information

Host Centric Visibility: Host Snapshot

Host Centric Visibility: continued User information

Regional Visibility: Relational Flow Maps

The Attack Lifecycle

Attack Lifecycle: Detecting Command & Control

Attack Lifecycle: Detecting C&C Channels with SLIC

Attack Lifecycle: Country-based Detection

Attack Lifecycle: Detecting Internal Reconnaissance

Attack Lifecycle: Detect Internal Recon with Concern Index

Attack Lifecycle: Detecting Internal Propagation

Attack Lifecycle: Detect Propagation with Host Locking
(Diagram: host locking between the Users group and the Resources/Datacenter group; traffic from host A to host B that violates the lock raises an ALARM.)

Attack Lifecycle: Detect Propagation with Worm Tracker

Attack Lifecycle: Detecting Data Exfiltration

Attack Lifecycle: Detect Data Hoarding
(Diagram: a user pulling 2GB per day from Resource Group A raises an ALARM.)

Attack Lifecycle: Detecting Data Exfiltration
(Diagram: a user moving Resource Group A data from the internal network to the Internet raises an ALARM.)

Use Cases

ALERT: Incident Response
Scenario: You have been notified of an unauthorized data transfer and need to pull back historical conversations. The notification could be from:
- Internal auditor
- External authority
- Security response team
Below is an example notification received:
  List of infringing content
  ------------------------------
  Taylor Swift Fearless
  ------------------------------
  INFRINGEMENT DETAIL
  ------------------------------
  Infringing Work : Fearless
  Filename : Taylor Swift - Fearless
  First found (UTC): 3:59:00 PM
  Last found (UTC): 4:24:59 PM
  File size : 79176908 bytes
  IP Address: 209.182.184.7
  IP Port: 14001
  Network: BitTorrent
  Protocol: BitTorrent
Pull back all historical conversations around a host, port, application, or traffic type.
(Diagram: historical conversation between 10.201.3.51 and 50.23.115.72.)

ALERT: Insider Threat
Scenario: An internal user is stealing data! The user could be a:
- Disgruntled employee
- Person about to leave the company
- Person with privileged credentials
- Person stealing and selling trade secrets
Security events have triggered indicating a user is connecting to a terminal server, collecting data from a sensitive database, and tunneling the traffic out of the network using P2P through UDP port 53 (DNS port).
1. Internal user connects to the terminal server (10.201.3.18 -> 10.201.0.23).
2. Terminal server used to collect sensitive data from within the same subnet inside the datacenter (10.201.0.23 -> 10.201.0.55).
3. Terminal server used to encrypt data and tunnel it through the DNS port to an upload server (10.201.0.23 -> 74.213.99.97).
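The two detections these slides rely on, the data-hoarding threshold from the attack-lifecycle slide and the volume-on-the-DNS-port check from the insider-threat scenario, as an added example run over constructed bidirectional flow records (not Stealthwatch's own alarm logic). The group definitions, the 2GB-per-day limit applied per host and per day, and the per-flow DNS byte ceiling are assumptions marked in the code.

```python
import ipaddress
from collections import defaultdict

TWO_GB = 2 * 1024**3
DATACENTER = ipaddress.ip_network("10.201.0.0/24")   # assumed "Resource Group A"
INTERNAL = ipaddress.ip_network("10.0.0.0/8")        # assumed internal address space
DNS_BYTES_PER_FLOW = 4096   # assumed ceiling: a real lookup is a few hundred bytes

# Constructed stitched records for one day, modelled on the insider-threat slide:
# 10.201.0.23 pulls data from 10.201.0.55 and then pushes it to 74.213.99.97 over
# UDP/53. A normal resolver lookup from another host is included for contrast.
FLOWS = [
    {"day": "2017-01-10", "client": "10.201.0.23", "server": "10.201.0.55", "proto": "TCP",
     "server_port": 1433, "client_bytes": 50_000, "server_bytes": 1_600_000_000},
    {"day": "2017-01-10", "client": "10.201.0.23", "server": "10.201.0.55", "proto": "TCP",
     "server_port": 1433, "client_bytes": 40_000, "server_bytes": 900_000_000},
    {"day": "2017-01-10", "client": "10.201.0.23", "server": "74.213.99.97", "proto": "UDP",
     "server_port": 53, "client_bytes": 2_400_000_000, "server_bytes": 3_000_000},
    {"day": "2017-01-10", "client": "10.201.3.51", "server": "10.201.0.2", "proto": "UDP",
     "server_port": 53, "client_bytes": 640, "server_bytes": 1_200},
]

def data_hoarding_alarms(flows, limit=TWO_GB):
    """Hosts that pulled more than `limit` bytes from the datacenter group in one day.
    Only the server->client byte count matters: that is the data leaving the group."""
    pulled = defaultdict(int)
    for f in flows:
        if ipaddress.ip_address(f["server"]) in DATACENTER:
            pulled[(f["day"], f["client"])] += f["server_bytes"]
    return sorted(host for (day, host), total in pulled.items() if total > limit)

def dns_tunnel_alarms(flows, limit=DNS_BYTES_PER_FLOW):
    """UDP/53 conversations that leave the network and carry far more data than a
    name lookup would. The volume on the port is the tell, not the port itself."""
    hits = []
    for f in flows:
        external = ipaddress.ip_address(f["server"]) not in INTERNAL
        if (f["proto"] == "UDP" and f["server_port"] == 53 and external
                and f["client_bytes"] + f["server_bytes"] > limit):
            hits.append((f["client"], f["server"], f["client_bytes"]))
    return hits
```

On the constructed records both detectors point at 10.201.0.23, which is what lets the analyst tie the collection step and the tunnelling step into one insider-threat incident.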

NETWORK as a SENSOR
(Diagram: NetFlow from the network feeds StealthWatch, which detects anomalies and policy violations inside the network.)

NETWORK as ENFORCER!
(Diagram: StealthWatch detects a policy violation from NetFlow and, via pxGrid, instructs ISE to isolate the host.)

Review: It's about Visibility
- Flow based: independent of agents, sensors, signatures
- Metadata: lightweight, efficient, unhindered by encryption
- Profile hosts based on behavior, traffic sent and received
- Enforce policy: identify the known bad
- Detect anomalies: find and alert on outliers
High Visibility for Very Low Touch