Stealthwatch overview + demo and use cases. Leo Lähteenmäki


Agenda
09:00-09:30 Morning coffee and registration
09:30-11:15 Stealthwatch overview + demo and use cases
11:00-11:15 Coffee break
11:15-12:00 Cisco cloud-based security solutions with demos and use cases:
- Cisco Umbrella/OpenDNS features for web content inspection
- Next-generation malware protection for endpoint and email
- Securing cloud-based assets with Cloudlock
12:00-13:00 Lunch at the Taevas restaurant on the 22nd floor

Overview
- Stealthwatch for the network engineer (demo)
- Stealthwatch in security (demo)
- Deployment details

Traditional network security model: perimeter security separating the intranet from the "big bad Internet", with antivirus on the hosts inside.

US-CERT recommendations (Alert TA16-250A, September 2016)
Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions; there has never been a greater need to improve network infrastructure security.
Harden network devices:
- Apply software updates/patches
- Restrict physical access
- Robust password and encryption policies
Validate the integrity of hardware and software:
- Buy from authorized channels; avoid the grey market
- Inspect for hardware tampering
- Verify the software has not been modified
- Implement supply chain security

Secure digital businesses demand increased visibility, across HQ, branch, network, cloud, users, data center, admins and roaming users:
- KNOW every host
- RECORD every conversation
- Understand what is NORMAL
- Be alerted to CHANGE
- Respond to THREATS quickly

Network telemetry
Telemetry: an automated communications process by which measurements and other data are collected at remote or inaccessible points and transmitted to receiving equipment for monitoring.
Telemetry sources, each with isolated knowledge based on its function and location: Talos (global intelligence), endpoint agent, access switch, distribution/core switch, firewall, proxy, identity, network devices, AD & DNS.

What is Stealthwatch? Cisco Stealthwatch: monitor, detect, analyze, respond.
- Extended network: gain unique visibility across your business; simplify segmentation throughout your networks; address threats faster; enable your network to take action
- Branch: extend visibility and granular access control to your remote branches; prevent the lateral movement of threats; protect your critical information
- Data center: simplify policy enforcement and data center segmentation; accelerate incident response in the data center
- Cloud: gain enhanced visibility into the cloud; make the cloud a part of your segmentation strategy; identify threats quickly and take action

Visibility through NetFlow
NetFlow provides flow information, a trace of every conversation in your network:
- An ability to collect records everywhere in your network (switch, router, or firewall)
- Network usage measurements
- An ability to find north-south as well as east-west communication
- Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
- Indications of compromise (IOC)
- Security group information

Example flow record (host 10.1.8.3 talking through switches and routers to 172.168.134.2 on the Internet):
  Source address       10.1.8.3
  Destination address  172.168.134.2
  Source port          47321
  Destination port     443
  Interface            Gi0/0/0
  IP TOS               0x00
  IP protocol          6 (TCP)
  Next hop             172.168.25.1
  TCP flags            0x1A (cumulative OR of the flags seen in the flow: SYN, PSH, ACK)
  Source SGT           100
  Application name     NBAR SECURE-HTTP (URL, AppID, ...)

Stealthwatch system overview
- Network devices export NetFlow / NBAR / NSEL to the Flow Collector
- Non-NetFlow-capable devices feed a SPAN to a Stealthwatch Flow Sensor, which generates NetFlow
- Stealthwatch Flow Collector: collects and analyzes; up to 4,000 sources and up to 240,000 flows per second
- Stealthwatch Management Console: management and reporting; up to 25 Flow Collectors and up to 6 million FPS globally

The general ledger
Use cases: insider threat, internal user monitoring, firewall planning, segmentation, network operations, network visualization, TrustSec.
Event data: security events, behavioral analytics. Session data: 100% network accountability.
Example ledger row:
  Client       1.1.1.1
  Server       2.2.2.2
  Translation  3.3.3.3
  Service      80/tcp
  User         Doug
  Application  http
  Traffic      20M
  Group        location
  MAC          00:2b:1f
  SGT          10
Visibility and context are added from user information, interface information, TrustSec, the threat feed, group and NAT/proxy translation, Layer 7 (application), segment and cloud.

Demo time Stealthwatch for the network engineer

High-level solution overview
- Context and visibility sources: Flow Sensor, endpoint, ISE, firewall, proxy, network packets
- Intelligence: host group and classification, baselining, algorithms and intelligence, alarming and reporting
- Response: ISE, SIEM / other, mitigation

Scaling visibility: flow stitching
Unidirectional flow records, one per direction as exported (10.2.2.2 port 1024 to 10.1.1.1 port 80, seen on eth0/1 and eth0/2):
  Start time    Interface  Src IP    Src port  Dest IP   Dest port  Proto  Pkts sent  Bytes sent
  10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
  10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712
Bidirectional (conversation) flow record, which allows easy visualization and analysis:
  Start time    Client IP  Client port  Server IP  Server port  Proto  Client bytes  Client pkts  Server bytes  Server pkts  Interfaces
  10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Conversational flow record: where, when, who, what, and who on the other side.
- Highly scalable (enterprise-class) collection
- High compression, hence long-term storage: months of data retention
- More context, e.g. security group
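The stitching shown in the two tables above, as an added example (this is not Stealthwatch code; the collector's real client/server heuristics also use the TCP SYN flag and well-known ports, which this version only approximates by taking the earliest record's source as the client). The timestamps and the third, later record are constructed; the inactivity gap of 5 minutes is an assumed value.

```python
"""Stitch unidirectional NetFlow records into bidirectional conversation records."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class UniFlow:
    """One unidirectional exporter record (one row of the first table)."""
    start: datetime
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    bytes: int


@dataclass
class Conversation:
    """Stitched record: client/server roles and per-direction counters."""
    start: datetime
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    interfaces: List[str] = field(default_factory=list)


Key = Tuple[str, int, str, int, str]


def flow_key(f: UniFlow) -> Key:
    """Direction-independent key so both halves of a conversation collide."""
    lo, hi = sorted([(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)])
    return (lo[0], lo[1], hi[0], hi[1], f.proto)


def stitch(records: List[UniFlow], gap: timedelta = timedelta(minutes=5)) -> List[Conversation]:
    """Group records by key. The earliest record's source is taken as the client
    (assumption, see lead-in). Records on the same key that arrive more than
    `gap` after the previous one start a new conversation (inactivity timeout)."""
    open_convs: Dict[Key, Conversation] = {}
    last_seen: Dict[Key, datetime] = {}
    done: List[Conversation] = []
    for r in sorted(records, key=lambda x: x.start):
        k = flow_key(r)
        conv = open_convs.get(k)
        if conv is not None and r.start - last_seen[k] > gap:
            done.append(open_convs.pop(k))   # idle too long: close the old conversation
            conv = None
        if conv is None:
            conv = Conversation(r.start, r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.proto)
            open_convs[k] = conv
        last_seen[k] = r.start
        if (r.src_ip, r.src_port) == (conv.client_ip, conv.client_port):
            conv.client_bytes += r.bytes
            conv.client_pkts += r.pkts
        else:
            conv.server_bytes += r.bytes
            conv.server_pkts += r.pkts
        if r.interface not in conv.interfaces:
            conv.interfaces.append(r.interface)
    done.extend(open_convs.values())
    return sorted(done, key=lambda c: c.start)


# Constructed input: the two records from the slide plus a later retry on the
# same 5-tuple that falls outside the inactivity gap (date is made up).
T = datetime(2017, 5, 10, 10, 20, 12)
SAMPLE = [
    UniFlow(T.replace(microsecond=221000), "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow(T.replace(microsecond=871000), "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
    UniFlow(T + timedelta(minutes=10), "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 3, 300),
]


def stitch_sample() -> List[Conversation]:
    """Run the stitcher over the constructed sample; first result matches the slide's bidirectional row."""
    return stitch(SAMPLE)


if __name__ == "__main__":
    for c in stitch_sample():
        print(c)
```

The first conversation reproduces the slide's bidirectional row (client 10.2.2.2:1024, 1025 bytes / 5 packets out, 28712 bytes / 17 packets back, seen on both interfaces); the retry ten minutes later becomes a second conversation because the key was idle longer than the gap.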

How could NetFlow data be useful in security?

April 8, 2014: Heartbleed vulnerability. The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by SSL. (Slide: 2014 Lancope, Inc. All rights reserved.)

Cisco CSIRT response to Heartbleed
Preparation:
- Scanned 1.2M servers for the vulnerability; 300 needed repair
- Helped develop signatures for Sourcefire and Cisco IDS
- Deployed the signatures to the IDS
Monitoring and response:
- Discovered 25 attacks: 21 benign, 4 malicious
- Researched the attacks via NetFlow analysis to discern normal connections from those that were anomalous and malicious

Heartbleed Benign Host

Heartbleed Malicious Host

Other security use cases: traffic anomaly, denial of service, "what happened with my customer data?"

Behavioral detection model: detect behavioral change
Security events (94+, plus up to 255 custom-defined events), for example: Addr_Scan, Bad_Flag, Beaconing Host, Bot Infected Host - Successful, Brute Force Login, Fake Application, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Quiet Long Flow, Suspect Data Loss, SYN Flood, UDP Received.
Alarm categories: Recon, C&C, Exploitation, Data Hoarding, Exfiltration, Policy Violation, DDoS Target.
Responses: alarm table, host snapshot, email, syslog / SIEM, mitigation.
As flows are collected, behavioral algorithms are applied to build security events. Each security event adds points to an alarm category; the per-host category totals give an easy summary and a higher degree of confidence in the type of activity detected.
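A minimal model of that pipeline, as an added example (not Stealthwatch code): three detectors run over bidirectional flow records and emit named security events, each event adds points to one alarm category for the host, and a category that crosses the threshold raises an alarm. The event-to-category mapping follows the slide; the point values, thresholds, the "10/8 is inside" rule and the sample flows are assumptions or constructed data, not Stealthwatch's tuning.

```python
"""Security events rolled up into per-host alarm categories."""
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    start: int          # epoch seconds (constructed)
    client: str
    server: str
    server_port: int
    client_bytes: int
    server_bytes: int


class Event(NamedTuple):
    host: str
    name: str
    detail: str


# Category per event as on the slide; point values and thresholds are assumed.
EVENT_CATEGORY = {"Addr_Scan": "Recon", "Beaconing Host": "C&C", "Suspect Data Loss": "Exfiltration"}
EVENT_POINTS = {"Addr_Scan": 40, "Beaconing Host": 100, "Suspect Data Loss": 70}
ALARM_THRESHOLD = 60          # points in one category for one host
SCAN_MIN_TARGETS = 10         # distinct servers touched on one port
BEACON_MIN_FLOWS = 6          # flows to one external server
BEACON_MAX_JITTER = 0.1       # pstdev/mean of the intervals between those flows
DATA_LOSS_BYTES = 10_000_000  # bytes sent to external hosts


def is_internal(ip: str) -> bool:
    return ip.startswith("10.")   # assumption: 10/8 is the inside host group


def detect_addr_scan(flows: List[Flow]) -> List[Event]:
    """Addr_Scan: one client touching many distinct servers on the same port."""
    targets = defaultdict(set)
    for f in flows:
        targets[(f.client, f.server_port)].add(f.server)
    return [Event(c, "Addr_Scan", f"{len(s)} hosts on port {p}")
            for (c, p), s in targets.items() if len(s) >= SCAN_MIN_TARGETS]


def detect_beaconing(flows: List[Flow]) -> List[Event]:
    """Beaconing Host: regular-interval flows from a client to one external server."""
    by_pair = defaultdict(list)
    for f in flows:
        if not is_internal(f.server):
            by_pair[(f.client, f.server)].append(f.start)
    events = []
    for (c, s), starts in by_pair.items():
        if len(starts) < BEACON_MIN_FLOWS:
            continue
        starts.sort()
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= BEACON_MAX_JITTER:
            events.append(Event(c, "Beaconing Host", f"{len(starts)} flows to {s} every ~{m:.0f}s"))
    return events


def detect_data_loss(flows: List[Flow]) -> List[Event]:
    """Suspect Data Loss: an inside host uploading a large volume to outside hosts."""
    sent = defaultdict(int)
    for f in flows:
        if is_internal(f.client) and not is_internal(f.server):
            sent[f.client] += f.client_bytes
    return [Event(h, "Suspect Data Loss", f"{b} bytes to external hosts")
            for h, b in sent.items() if b >= DATA_LOSS_BYTES]


def score(flows: List[Flow]) -> Tuple[List[Event], Dict[str, Dict[str, int]], List[Tuple[str, str, int]]]:
    """Events -> points per (host, category) -> alarms where a category total crosses the threshold."""
    events = detect_addr_scan(flows) + detect_beaconing(flows) + detect_data_loss(flows)
    points: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for e in events:
        points[e.host][EVENT_CATEGORY[e.name]] += EVENT_POINTS[e.name]
    alarms = [(h, cat, p) for h, cats in points.items() for cat, p in cats.items() if p >= ALARM_THRESHOLD]
    return events, {h: dict(c) for h, c in points.items()}, alarms


def build_sample() -> List[Flow]:
    """Constructed flows: a two-port sweep, a one-port sweep, a beacon, an upload, normal browsing."""
    t0 = 1_500_000_000
    flows: List[Flow] = []
    for port in (445, 22):   # 10.0.0.5 sweeps two ports -> two Addr_Scan events
        flows += [Flow(t0 + i, "10.0.0.5", f"10.0.1.{i}", port, 60, 0) for i in range(1, 13)]
    flows += [Flow(t0 + i, "10.0.0.9", f"10.0.2.{i}", 3389, 60, 0) for i in range(1, 11)]  # one port only
    flows += [Flow(t0 + 300 * i + (i % 2), "10.0.0.7", "203.0.113.10", 443, 200, 150) for i in range(8)]
    flows += [Flow(t0 + 1000 * i, "10.0.0.12", "198.51.100.7", 443, 5_000_000, 2_000) for i in range(3)]
    flows += [Flow(t0 + 100, "10.0.0.8", "203.0.113.20", 443, 800, 40_000)]
    return flows


if __name__ == "__main__":
    for alarm in score(build_sample())[2]:
        print(alarm)
```

The roll-up is the point: 10.0.0.9 sweeps one port and gets 40 Recon points (an event, but no alarm), while 10.0.0.5 sweeps two ports and its two Addr_Scan events sum to 80, crossing the threshold. Beaconing and the upload alarm on a single high-confidence event each.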

Demo time Stealthwatch for security

Stealthwatch deployment options
- Management Console, with Identity Services (ISE) and the Threat Feed license
- Flow Collector, fed by NetFlow-enabled routers, switches and firewalls, optionally via a UDP Director
- Flow Sensor for non-NetFlow-enabled equipment, or Flow Sensor VE on ESX
- Legacy traffic analysis software

NetFlow-supported platforms (for individual platform features, see the Cisco Feature Navigator: http://cfn.cloudapps.cisco.com/itdit/cfn/jsp/index.jsp)
- User switches (Flexible NetFlow): Catalyst 2K, Catalyst 3K, Catalyst 3650/3850, Catalyst 4500-X, Catalyst 4500-E (SUP-8), Catalyst 6000 VS-S2T, Catalyst 6880-X
- Routers / WAN NetFlow exporters: CSR 1000v, 800 Series, ISR 1900, ISR 2900, ISR 3900, ISR 3845E, ISR 3925E, ISR G2, ISR 4321, ISR 4331, ISR 4351, ISR 4431, ISR 4451-X, ASR1K, ASR1K-X (Flexible NetFlow); ASR9K, 7600-SUP32/MSFC2A, 7600-SUP720/MSFC3 (NetFlow v9)
- Firewalls (NSEL): ASA 5500, FTD 6.2+
- Wireless (Flexible NetFlow): WLC 5520, 5760, 8510, 8540
- Servers: UCS VIC 1224/1240/1280/1340/1380 (Flexible NetFlow); Cisco Identity Services Engine
- Data center switches: Nexus 5548P, 5596UP, 56128P, 5624Q, 5648Q, 5672UP, 5696Q, 6001, 6004 (sampled NetFlow); Nexus 7004-SUP2, 7004-SUP2-NPE, 7009-SUP1, 7009-SUP2, 7718-SUP1, 7718-SUP2, 93180YC-EX, 93108TC-EX (Flexible NetFlow)
Note that sampled NetFlow exports only a subset of packets, so byte and packet counts are estimates and short flows can be missed entirely; behavioral algorithms that depend on exact counts are less reliable on those exporters.

Meraki MX & Z1 now with NetFlow https://documentation.meraki.com/mx-z/monitoring_and_reporting/netflow_overview

Other sources of telemetry

Stealthwatch Proxy License
The Proxy License provides HTTP traffic visibility from proxy syslog: analysis continuity across the proxy, plus user information. Multi-vendor proxy support: Cisco WSA, Bluecoat proxy, Squid, McAfee Web Gateway. The proxy sends syslog to the Flow Collector; the Management Console (with ISE and the Threat Feed license) reports on it.
Example proxy record:
  Timestamp         1456312345
  Elapsed time      12523
  Source IP         192.168.2.100
  Source port       4567
  Destination IP    65.12.56.123
  Destination port  80
  Bytes             400
  URL               http://cisco.com
  Username          john
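Why the proxy record matters for the "Translation" column of the general ledger above and for the analysis continuity this license provides: a client behind an explicit proxy produces a flow whose server is the proxy, while the proxy's log carries the same client IP/port, the real destination and the URL and user. The following added example (not Stealthwatch's or any proxy vendor's parser) joins the two on client IP/port and time. The key=value syslog line format, the proxy address and the flows are constructed; real WSA, Squid or Bluecoat formats differ.

```python
"""Enrich flow records with proxy syslog data: URL, username and true destination."""
import re
from typing import Dict, List, NamedTuple, Optional


class Flow(NamedTuple):
    start: int        # epoch seconds
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes_sent: int


class ProxyRecord(NamedTuple):
    timestamp: int
    elapsed_ms: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    bytes: int
    url: str
    user: str


# Constructed key=value syslog layout (assumption, not a vendor format).
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_proxy_line(line: str) -> Optional[ProxyRecord]:
    """Parse one syslog line; a line missing a field or with a bad number is skipped, not guessed."""
    kv = {k: v.strip('"') for k, v in LINE_RE.findall(line)}
    try:
        return ProxyRecord(int(kv["ts"]), int(kv["elapsed"]), kv["src"], int(kv["sport"]),
                           kv["dst"], int(kv["dport"]), int(kv["bytes"]), kv["url"], kv["user"])
    except (KeyError, ValueError):
        return None


def enrich(flows: List[Flow], proxy_lines: List[str], proxy_ip: str, slack: int = 2) -> List[Dict]:
    """Attach url/user/translation to each flow that went to the proxy and overlaps a proxy record
    from the same client IP/port in time (slack seconds tolerate clock skew between exporter and proxy)."""
    by_client: Dict[tuple, List[ProxyRecord]] = {}
    for r in filter(None, map(parse_proxy_line, proxy_lines)):
        by_client.setdefault((r.src_ip, r.src_port), []).append(r)
    out = []
    for f in flows:
        row = f._asdict()
        row.update(url=None, user=None, translation=None)
        if f.dst_ip == proxy_ip:   # only flows to the proxy can be explained by its log
            for r in by_client.get((f.src_ip, f.src_port), []):
                if r.timestamp - slack <= f.start <= r.timestamp + r.elapsed_ms // 1000 + slack:
                    row.update(url=r.url, user=r.user, translation=f"{r.dst_ip}:{r.dst_port}")
                    break
        out.append(row)
    return out


PROXY_IP = "10.10.10.5"   # constructed
SAMPLE_FLOWS = [
    Flow(1456312345, "192.168.2.100", 4567, PROXY_IP, 3128, 400),       # via proxy, logged below
    Flow(1456312400, "192.168.2.100", 4570, PROXY_IP, 3128, 900),       # via proxy, no log line
    Flow(1456312345, "192.168.2.101", 5001, "203.0.113.9", 443, 300),   # direct, not via proxy
]
SAMPLE_SYSLOG = [   # constructed lines; the first mirrors the slide's example record
    "ts=1456312345 elapsed=12523 src=192.168.2.100 sport=4567 dst=65.12.56.123 dport=80 bytes=400 url=http://cisco.com user=john",
    "ts=1456312345 elapsed=12523 src=192.168.2.100 sport=4567 garbage",
]


def enrich_sample() -> List[Dict]:
    return enrich(SAMPLE_FLOWS, SAMPLE_SYSLOG, PROXY_IP)


if __name__ == "__main__":
    for row in enrich_sample():
        print(row)
```

Only the first flow is explained by the log: it gains the URL, the username and a translation of 65.12.56.123:80 in place of the proxy's address. The second flow to the proxy has no log line and stays unexplained, the direct flow is never matched, and the malformed line is dropped by the parser rather than partially filled in.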

Stealthwatch + Packet Analyzer
The Security Packet Analyzer (SEC-PA-2400-K9) augments Stealthwatch flow analytics. It enables accelerated incident response based on targeted analysis of the packets related to a security alarm or other suspicious activity, using a purpose-built appliance based on the Cisco NAM for robust forensics investigation. Components: Security Packet Analyzer (packet data and storage), Management Console (with ISE and the Threat Feed license), Flow Collector.

Cisco AnyConnect Network Visibility Module
Enhanced endpoint context: NetFlow records are enriched with endpoint and user data and application activity, and sent to a collector for reporting (Cisco/partners) to support visibility, auditing and analytics.

AnyConnect NVM and Stealthwatch
nvzflow differs from traditional IPFIX:
- Records are bidirectional
- Records are produced only at the end of the flow
- Records are created only when the endpoint is the client
- No packet counts
- Byte counts are Layer 4 counts
- The IP address is the endpoint's address on its local network
Implications for a Stealthwatch deployment:
- Each endpoint is an exporter
- End-of-flow export impacts near-real-time analysis
- Lack of packet counts impacts multiple algorithms
- The local network address is not relevant to the enterprise
- Not all host transactions are captured (client side only)

Introducing the Endpoint Concentrator
- Global destination for nvzflow records from AnyConnect with the Network Visibility Module
- Forwards the flow records to the Flow Collector, where the concentrator appears as a single exporter
- Required in order to collect endpoint flow records
- Endpoint fields are stitched into the flow records

Stealthwatch Threat Intelligence License: actionable threat intelligence
- A team performs feed validation and independent research and analytics
- Threat Feed (formerly known as SLIC): new behavioral analysis algorithms are added as new threats are discovered; updates are delivered over the Threat Feed control channel and licensing
- Feeds: botnet command and control, Internet scanning, backscatter (DDoS victims)
- Threat research influences continued algorithm development
- Works with the Proxy License; ideally deployed with Flow Sensor(s)
- Enables alarming within Stealthwatch on host interaction with known bad URLs and with C&C servers
Future plans: merge with Cisco Talos for additional threat intelligence context and information.

Stealthwatch Cloud License
Cloud VM hosts run an agent that sends NetFlow (IPFIX) over TLS to a Cloud Concentrator; the Cloud Concentrator forwards the records over an encrypted tunnel to the Flow Collector, which reports through the Management Console (with ISE and the Threat Feed license).

Questions?