Stealthwatch overview + demo and use cases
Leo Lähteenmäki

Agenda
09:00-09:30  Morning coffee and registration
09:30-11:15  Stealthwatch overview + demo and use cases
11:00-11:15  Coffee break
11:15-12:00  Cisco cloud-based security solutions, with demos and use cases:
  - Cisco Umbrella/OpenDNS features for web content inspection
  - Next-generation malware protection for endpoint and email
  - Securing cloud-based assets with Cloudlock
12:00-13:00  Lunch at the Taevas restaurant on the 22nd floor
Overview
- Stealthwatch for the network engineer: demo
- Stealthwatch in security: demo
- Deployment details

Traditional network security model (diagram): perimeter security between the intranet and the "Big Bad Internet", plus antivirus on the hosts.
US-CERT Recommendations (Alert TA16-250A, September 2016)
Organizations can no longer rely on perimeter devices to protect the network from cyber intrusions. There has never been a greater need to improve network infrastructure security.
Harden network devices:
- Apply software updates/patches
- Restrict physical access
- Robust password and encryption policies
Validate the integrity of hardware and software:
- Buy from authorized channels; avoid the grey market
- Inspect for hardware tampering
- Verify the software has not been modified
- Implement supply chain security

Secure digital businesses demand increased visibility
- KNOW every host
- RECORD every conversation
- Understand what is NORMAL
- Be alerted to CHANGE
- Respond to THREATS quickly
(diagram: HQ, branch, network, cloud, users, data center, admin, roaming users)

Network Telemetry
Telemetry: an automated communications process by which measurements and other data are collected at remote or inaccessible points and transmitted to receiving equipment for monitoring.
Telemetry sources (diagram): Talos global intelligence, endpoint agent, access switch, distribution/core switch, firewall, proxy, identity, network devices, AD & DNS. Each source holds isolated knowledge based on its function and location.

What Is Stealthwatch?
Cisco Stealthwatch: Monitor, Detect, Analyze, Respond, across the extended network, cloud, branch and data center.
- Gain unique visibility across your business
- Simplify segmentation throughout your networks
- Address threats faster
- Enable your network to take action
- Extend visibility and granular access control to your remote branches
- Prevent the lateral movement of threats
- Protect your critical information
- Simplify policy enforcement and data center segmentation
- Accelerate incident response in the data center
- Gain enhanced visibility into the cloud
- Make the cloud a part of your segmentation strategy
- Identify threats quickly and take action
Visibility Through NetFlow
NetFlow provides:
- A trace of every conversation in your network
- An ability to collect records everywhere in your network (switch, router, or firewall)
- Network usage measurements
- An ability to find north-south as well as east-west communication
- Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
- Indications of compromise (IOC)
- Security group information

Example flow record for a conversation from 10.1.8.3, through the switches and routers, to 172.168.134.2 on the Internet:
  Source address       10.1.8.3
  Destination address  172.168.134.2
  Source port          47321
  Destination port     443
  Interface            Gi0/0/0
  IP TOS               0x00
  IP protocol          6 (TCP)
  Next hop             172.168.25.1
  TCP flags            0x1A (SYN, PSH and ACK, ORed together over the life of the flow)
  Source SGT           100
  Application name     NBAR SECURE-HTTP (URL, AppID, ...)

Stealthwatch System Overview
- Stealthwatch Flow Sensor: receives SPAN from non-NetFlow-capable devices and generates NetFlow
- Stealthwatch Flow Collector: collects and analyzes NetFlow / NBAR / NSEL from network devices; up to 4000 sources and up to 240,000 flows per second per collector
- Stealthwatch Management Console: management and reporting; up to 25 Flow Collectors and up to 6 million FPS globally

The General Ledger
Use cases:
- Insider threat: internal user monitoring
- Firewall planning: segmentation
- Network operations: network visualization
- TrustSec
Data: event data (security events, behavioral analytics) and session data (100% network accountability).

Example conversation record with visibility and context:
  Client       1.1.1.1
  Server       2.2.2.2
  Translation  3.3.3.3
  Service      80/tcp
  User         Doug
  Application  http
  Traffic      20M
  Group        location
  MAC          00:2b:1f
  SGT          10

Context sources: user information, interface information, TrustSec, threat feed, group / NAT/proxy translation, layer 7 application, segment, cloud.
Demo time Stealthwatch for the network engineer
High Level Solution Overview
- Context and visibility inputs: Flow Sensor, endpoint, ISE, firewall, proxy, network packets
- Intelligence: host group and classification, baselining, algorithms and intelligence, alarming and reporting
- Response: ISE, SIEM / other, mitigation

Scaling Visibility: Flow Stitching
Unidirectional flow records, as exported by the switch (one record per direction, 10.2.2.2 port 1024 on eth0/1 talking to 10.1.1.1 port 80 on eth0/2):

  Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
  10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
  10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bidirectional flow record (conversation flow record) after stitching, which allows easy visualization and analysis:

  Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
  10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Conversational Flow Record
Answers where, when, who and what for every conversation.
- Highly scalable (enterprise-class) collection
- High compression => long-term storage, months of data retention
- More context (e.g. security group)
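The stitching step above is easy to get wrong in practice (which side is the client, what to do with records that arrive in either order). The following is an added example, not Stealthwatch code: it folds the two unidirectional records from the slide into one conversation record. The rules it uses are assumptions that mirror what a flow collector typically does: records are keyed on the 5-tuple with the endpoints sorted so both directions collide, the first sender seen becomes the client, and when two records start at the same time the one from the higher (ephemeral) port is taken as the client.

```python
"""Stitch unidirectional NetFlow records into bidirectional conversation records.

Added example (not Stealthwatch code). The two input records are the ones on
the flow-stitching slide; the client/server rules below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class UniFlow:
    """One exported record: a single direction of a conversation."""
    start: datetime
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    octets: int


@dataclass
class ConvFlow:
    """Bidirectional record: one row per client/server conversation."""
    start: datetime
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    interfaces: list = field(default_factory=list)


def conv_key(f: UniFlow):
    """Direction-agnostic key: A->B and B->A map to the same conversation."""
    endpoints = sorted([(f.src_ip, f.src_port), (f.dst_ip, f.dst_port)])
    return (f.proto, *endpoints)


def stitch(records):
    """Fold unidirectional records into ConvFlow rows."""
    conversations = {}
    # Earlier start wins the client role; on a tie the higher source port does.
    for f in sorted(records, key=lambda r: (r.start, -r.src_port)):
        key = conv_key(f)
        conv = conversations.get(key)
        if conv is None:
            conv = ConvFlow(f.start, f.src_ip, f.src_port,
                            f.dst_ip, f.dst_port, f.proto)
            conversations[key] = conv
        if (f.src_ip, f.src_port) == (conv.client_ip, conv.client_port):
            conv.client_bytes += f.octets
            conv.client_pkts += f.pkts
        else:
            conv.server_bytes += f.octets
            conv.server_pkts += f.pkts
        if f.interface not in conv.interfaces:
            conv.interfaces.append(f.interface)
    return list(conversations.values())


def parse_time(s):
    return datetime.strptime(s, "%H:%M:%S.%f")


# The two unidirectional records from the slide (eth0/1 request, eth0/2 reply).
SLIDE_RECORDS = [
    UniFlow(parse_time("10:20:12.221"), "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    UniFlow(parse_time("10:20:12.871"), "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]

if __name__ == "__main__":
    for conv in stitch(SLIDE_RECORDS):
        print(conv)
```

Note that with long-lived connections the active timeout on the exporter produces several records per direction; the same keying accumulates them into one row, which is why a short active timeout on the exporter costs nothing in accuracy at the collector.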
How could netflow data be useful in security?
April 8, 2014: Heartbleed Vulnerability
The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by SSL.
(2014 Lancope, Inc. All rights reserved.)

Cisco CSIRT Response to Heartbleed
Preparation:
- Scanned 1.2M vulnerable servers; 300 needed repair
- Helped develop signatures for Sourcefire and Cisco IDS
- Deployed signatures to IDS
Monitoring and response:
- Discovered 25 attacks: 21 benign, 4 malicious
- Researched the attacks via NetFlow analysis to discern normal connections from those that were anomalous and malicious

Heartbleed: benign host (flow-analysis screenshot, not reproduced here)

Heartbleed: malicious host (flow-analysis screenshot, not reproduced here)

Other security use cases
- Traffic anomaly
- Denial of service
- What happened with my customer data?

Behavioral Detection Model
As flows are collected, behavioral algorithms are applied to build Security Events. Each Security Event adds points to an alarm category, which allows easy summarization and a higher degree of confidence in the type of activity detected.

Security Events (94+, plus up to 255 custom-defined events), for example: Addr_Scan, Bad_Flag, Beaconing Host, Bot Infected Host Successful, Brute Force Login, Fake Application, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Quiet Long Flow, Suspect Data Loss, SYN Flood, UDP Received

Alarm Categories: Recon, C&C, Exploitation, Data Hoarding, Exfiltration, Policy Violation, DDoS Target

Response: Alarm Table, Host Snapshot, Email, Syslog/SIEM, Mitigation
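To make the events-to-categories idea concrete, here is an added example (not Stealthwatch's algorithms) that runs three small detectors over a window of conversation records and scores them the way the slide describes: each security event adds points to an alarm category for the offending host, and a category alarms once its points cross a threshold. The detectors (an address scan, a beaconing host, and suspect data loss against a learned per-host baseline), their thresholds and point values, the internal address prefix and the sample flows are all constructed for illustration.

```python
"""Toy version of the behavioral detection model: security events derived from
conversation flows add points to per-host alarm categories.

Added example, not Stealthwatch code. Detectors, thresholds, point values,
the internal prefix and the sample data are constructed for illustration.
"""
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# Conversation record: start (s), client, server, server port, bytes each way.
Flow = namedtuple("Flow", "start client server server_port client_bytes server_bytes")

INTERNAL_PREFIX = "10."          # assumed internal address space
ALARM_THRESHOLD = 50             # points at which a category alarms (assumed)

# Which alarm category each security event feeds (names as on the slide).
EVENT_CATEGORY = {
    "Addr_Scan": "Recon",
    "Beaconing Host": "C&C",
    "Suspect Data Loss": "Exfiltration",
}


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def addr_scan(flows, min_targets=20, points_per_target=2):
    """Addr_Scan: one client probing many servers on one port with no reply."""
    targets = defaultdict(set)
    for f in flows:
        if f.server_bytes == 0:          # unanswered: nothing came back
            targets[(f.client, f.server_port)].add(f.server)
    return [("Addr_Scan", client, len(t) * points_per_target)
            for (client, _port), t in targets.items() if len(t) >= min_targets]


def beaconing(flows, min_flows=10, max_jitter=0.10, points=50):
    """Beaconing Host: regular, low-jitter connections to one outside server."""
    starts = defaultdict(list)
    for f in flows:
        if is_internal(f.client) and not is_internal(f.server):
            starts[(f.client, f.server, f.server_port)].append(f.start)
    events = []
    for (client, _srv, _port), ts in starts.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if mean(gaps) > 0 and pstdev(gaps) <= max_jitter * mean(gaps):
            events.append(("Beaconing Host", client, points))
    return events


def suspect_data_loss(flows, baseline, factor=3.0, points=60):
    """Suspect Data Loss: bytes sent outside exceed the host's learned baseline."""
    sent = defaultdict(int)
    for f in flows:
        if is_internal(f.client) and not is_internal(f.server):
            sent[f.client] += f.client_bytes
    # Hosts without a baseline are skipped: they are still in their learning period.
    return [("Suspect Data Loss", h, points)
            for h, b in sent.items() if h in baseline and b > factor * baseline[h]]


def score(flows, baseline):
    """Run every detector, sum points per (host, category), return the alarms."""
    points = defaultdict(int)
    for name, host, pts in (addr_scan(flows) + beaconing(flows)
                            + suspect_data_loss(flows, baseline)):
        points[(host, EVENT_CATEGORY[name])] += pts
    return {k: v for k, v in points.items() if v >= ALARM_THRESHOLD}


# Constructed sample window (times in seconds from window start).
SAMPLE_FLOWS = (
    # 10.1.8.3 sweeps 30 internal hosts on 445 and gets nothing back...
    [Flow(5 + i, "10.1.8.3", f"10.1.9.{i + 1}", 445, 60, 0) for i in range(30)]
    # ...but also has a normal web conversation.
    + [Flow(12, "10.1.8.3", "10.1.9.5", 80, 1025, 28712)]
    # 10.1.8.7 calls home every ~60 s with +/-1 s jitter.
    + [Flow(60 * i + (i % 2), "10.1.8.7", "203.0.113.5", 443, 500, 300) for i in range(20)]
    # 10.1.8.9 pushes 900 MB out in one session.
    + [Flow(100, "10.1.8.9", "198.51.100.20", 443, 900_000_000, 4_000)]
    # 10.1.8.11 browses irregularly and should stay quiet.
    + [Flow(t, "10.1.8.11", "198.51.100.7", 443, 2_000, 40_000)
       for t in (0, 95, 110, 400, 600, 610, 700, 1000, 1300, 1310)]
)

# Learned bytes-out-per-window baseline per host (constructed).
SAMPLE_BASELINE = {"10.1.8.3": 5_000_000, "10.1.8.7": 2_000_000,
                   "10.1.8.9": 50_000_000, "10.1.8.11": 1_000_000}

if __name__ == "__main__":
    for (host, category), pts in sorted(score(SAMPLE_FLOWS, SAMPLE_BASELINE).items()):
        print(f"{host:12} {category:13} {pts} points")
```

The point of scoring by category rather than alarming on every event is visible in the output: the scanner's single web conversation never contributes, the beaconing host is not also flagged for data loss, and a host still in its learning period cannot trip the exfiltration detector at all.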
Demo time Stealthwatch for security
Stealthwatch Deployment Options
- Management Console, with the Identity Services Engine (ISE) integration and the Threat Feed License
- Flow Collector: receives NetFlow from NetFlow-enabled routers, switches and firewalls
- Flow Sensor: generates NetFlow for non-NetFlow-enabled equipment; Flow Sensor VE for ESX; legacy traffic analysis software
- UDP Director: forwards UDP telemetry such as NetFlow to multiple destinations

NetFlow Supported Platforms
User (switch / router / firewall / wireless / UCS):
- Catalyst 2K, Catalyst 3K, Catalyst 3650/3850, Catalyst 4500-X, Cat4500-E (SUP-8), CAT6000-VS-S2T, CAT6880-X: Flexible NetFlow
- CSR 1000v: Flexible NetFlow
- ASA5500: NSEL; FTD (6.2+): NSEL
- WLC 5520, 5760, 8510, 8540: Flexible NetFlow
- UCS VIC 1224/1240/1280/1340/1380: Flexible NetFlow
WAN NetFlow exporters:
- 800 Series, ISR1900, ISR2900, ISR3900, ISR3845E, ISR3925E, ISR G2, ISR4321, ISR4331, ISR4351, ISR4431, ISR4451-X, ASR1K, ASR1K-X: Flexible NetFlow
- ASR9K, 7600-SUP32/MSFC2A, 7600-SUP720/MSFC3: NetFlow v9
Data center switches:
- N5548P, N5596UP, N56128P, N5624Q, N5648Q, N5672UP, N5696Q, N6001, N6004: sampled NetFlow
- N7004-SUP2, N7004-SUP2-NPE, N7009-SUP1, N7009-SUP2, N7718-SUP1, N7718-SUP2, N93180YC-EX, N93108TC-EX: Flexible NetFlow
Server: Cisco Identity Services Engine (identity context)
For individual platform features, reference the Cisco Feature Navigator: http://cfn.cloudapps.cisco.com/itdit/cfn/jsp/index.jsp
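The platform list says which export mechanism each device supports; what the Flow Collector actually receives is decided by the Flexible NetFlow configuration on each exporter. As an added example (not from the slides), this is a Flexible NetFlow configuration for an IOS/IOS-XE router or switch that exports the fields shown on the "Visibility Through NetFlow" slide. The collector address 10.0.0.50, the export source Loopback0 and the monitored interface GigabitEthernet0/0/0 are assumptions; UDP 2055 is the Flow Collector's default NetFlow port.

```text
! Flexible NetFlow export toward a Stealthwatch Flow Collector (Cisco IOS/IOS-XE CLI).
! Added example. Assumed: collector 10.0.0.50, export source Loopback0,
! monitored interface GigabitEthernet0/0/0.
!
! 1. Record: the key (match) fields define a flow, collect fields ride along.
flow record STEALTHWATCH_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing next-hop address ipv4
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
! The next line needs NBAR2 on the platform; drop it where NBAR is unavailable.
 collect application name
!
! 2. Exporter: where records go and how often templates are resent.
flow exporter STEALTHWATCH_EXPORTER
 description Export to Stealthwatch Flow Collector
 destination 10.0.0.50
 source Loopback0
 transport udp 2055
 template data timeout 30
 option interface-table
 option application-table
!
! 3. Monitor: ties record and exporter together and sets cache timeouts.
!    A 60 s active timeout lets the collector see long-lived flows while
!    they are still running rather than only when they end.
flow monitor STEALTHWATCH_MONITOR
 description Stealthwatch flow monitor
 exporter STEALTHWATCH_EXPORTER
 cache timeout active 60
 cache timeout inactive 15
 record STEALTHWATCH_RECORD
!
! 4. Apply ingress on every interface so both directions of a conversation are seen.
interface GigabitEthernet0/0/0
 ip flow monitor STEALTHWATCH_MONITOR input
!
! Verify:
!   show flow exporter STEALTHWATCH_EXPORTER statistics
!   show flow monitor STEALTHWATCH_MONITOR cache
```

Two checks worth doing after applying this: confirm with the `show flow exporter ... statistics` counters that datagrams are leaving and that the collector lists the device as an exporter, and keep the active timeout at 60 seconds, since the collector's behavioral algorithms expect records at least that often for long flows. ASA and FTD export NSEL through their own `flow-export` configuration rather than Flexible NetFlow.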
Meraki MX & Z1 now with NetFlow https://documentation.meraki.com/mx-z/monitoring_and_reporting/netflow_overview
Other sources of telemetry
Stealthwatch Proxy License
The Proxy License feeds proxy syslog into the Flow Collector, giving HTTP traffic visibility, analysis continuity across the proxy, and user information. It is managed from the Management Console alongside ISE and the Threat Feed License.
Multi-vendor proxy support: Cisco WSA, Blue Coat proxy, Squid, McAfee Web Gateway.
Example proxy record (from syslog):
  Timestamp         1456312345
  Elapsed time      12523
  Source IP         192.168.2.100
  Source port       4567
  Destination IP    65.12.56.123
  Destination port  80
  Bytes             400
  URL               http://cisco.com
  Username          john

Stealthwatch + Packet Analyzer
Security Packet Analyzer (SEC-PA-2400-K9) augments Stealthwatch flow analytics. It enables accelerated incident response through targeted analysis of the packets related to a security alarm or other suspicious activity, using a purpose-built Cisco NAM-based appliance for packet data storage and robust forensic investigation. It sits alongside the Management Console (with ISE and the Threat Feed License) and the Flow Collector.

Cisco AnyConnect Network Visibility Module
Enhances NetFlow records with endpoint and user context and application activity, feeding a collector and reporting by Cisco and partners: visibility, auditing, analytics.

AnyConnect NVM and Stealthwatch
nvzFlow differs from traditional IPFIX:
- Records are bidirectional
- Records are produced only at the end of the flow
- Records are created only when the endpoint is the client
- No packet counts
- Byte counts are layer 4 counts
- The IP address is the endpoint's local network address
Implications for a Stealthwatch deployment:
- Each endpoint is an exporter
- End-of-flow records affect near-real-time analysis
- The lack of packet counts affects multiple algorithms
- The local network address is not relevant to the enterprise
- Not all host transactions are captured (only those where the endpoint is the client)

Introducing the Endpoint Concentrator
- Global destination for nvzFlow records from AnyConnect with the Network Visibility Module
- Forwards the flow records to the Flow Collector
- Appears as a single exporter in the Flow Collector
- Required in order to collect endpoint flow records
- Endpoint fields are stitched into the flow records

Stealthwatch Threat Intelligence License
Actionable threat intelligence (Threat Feed, formerly known as SLIC):
- The team performs feed validation and independent research and analytics
- New behavioral analysis algorithms are updated as new threats are discovered; updates are delivered over the Threat Feed control channel and licensing
- Threat research influences continued algorithm development
Feed content: botnet command & control, Internet scanning, backscatter (DDoS victims)
Enables alarming within Stealthwatch on host interaction with known-bad URLs (works with the Proxy License) and on host interaction with C&C servers. Ideally deployed with Flow Sensor(s).
Future plans: merge with Cisco Talos for additional threat intelligence context and information.

Stealthwatch Cloud License
Cloud VM hosts with the agent running send NetFlow (IPFIX) over a TLS-encrypted tunnel to a Cloud Concentrator, which forwards it to the Flow Collector; the Management Console (with ISE and the Threat Feed License) manages the deployment.
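Returning to the proxy record on the Proxy License slide: a web proxy turns one user request into two conversations in NetFlow, client to proxy and proxy to origin server, and neither carries the URL or the username. The proxy's own log does. The following is an added example, not Stealthwatch code, of tying those three together. The log line is constructed in Squid's native access-log format carrying the slide's values; the proxy address 192.168.2.1, its port 3128, the flow records, treating the log timestamp as the request start, and the matching rule (same endpoints plus overlapping time window) are all assumptions.

```python
"""Tie a proxy syslog record to the client->proxy and proxy->origin flows.

Added example, not Stealthwatch code. Proxy address/port, flow records and
the matching rule are assumptions; the log line is constructed.
"""
import re
from dataclasses import dataclass

PROXY_IP = "192.168.2.1"        # assumed explicit proxy
PROXY_PORT = 3128               # assumed proxy listening port

# Squid native format: time elapsed(ms) client code/status bytes method URL user peer/host type
SQUID_LINE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<code>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<peer>[^/\s]+)/(?P<origin>\S+)\s+(?P<ctype>\S+)"
)


@dataclass
class Flow:
    start: float
    end: float
    client: str
    client_port: int
    server: str
    server_port: int
    client_bytes: int
    server_bytes: int


def parse_proxy_record(line):
    """Parse one log line into the fields the Proxy License slide lists."""
    m = SQUID_LINE.match(line)
    if not m:
        raise ValueError("not a Squid native access-log line")
    start = float(m["ts"])                    # treated as request start (assumption)
    return {
        "start": start,
        "end": start + int(m["elapsed"]) / 1000.0,   # elapsed is in milliseconds
        "client": m["client"],
        "origin": m["origin"],
        "bytes": int(m["bytes"]),
        "url": m["url"],
        "user": m["user"] if m["user"] != "-" else None,
    }


def overlaps(flow, rec):
    return flow.start <= rec["end"] and flow.end >= rec["start"]


def correlate(rec, flows):
    """Find the client->proxy and proxy->origin flows that carried this request."""
    client_leg = next((f for f in flows
                       if f.client == rec["client"] and f.server == PROXY_IP
                       and f.server_port == PROXY_PORT and overlaps(f, rec)), None)
    server_leg = next((f for f in flows
                       if f.client == PROXY_IP and f.server == rec["origin"]
                       and overlaps(f, rec)), None)
    return {
        "user": rec["user"],
        "url": rec["url"],
        "client": rec["client"],
        "origin_server": rec["origin"],
        "client_leg": client_leg,
        "server_leg": server_leg,
    }


# Constructed data: the slide's record as a Squid line, plus three flows
# (flow byte counts include IP/TCP headers, so they differ from the proxy's 400).
SAMPLE_LOG = ("1456312345.000  12523 192.168.2.100 TCP_MISS/200 400 GET "
              "http://cisco.com/ john DIRECT/65.12.56.123 text/html")
SAMPLE_FLOWS = [
    Flow(1456312345.0, 1456312357.5, "192.168.2.100", 4567, PROXY_IP, PROXY_PORT, 700, 900),
    Flow(1456312345.2, 1456312357.3, PROXY_IP, 50123, "65.12.56.123", 80, 650, 850),
    Flow(1456312400.0, 1456312401.0, "192.168.2.100", 4570, PROXY_IP, PROXY_PORT, 300, 500),
]

if __name__ == "__main__":
    print(correlate(parse_proxy_record(SAMPLE_LOG), SAMPLE_FLOWS))
```

With a persistent proxy connection several requests share one client-side flow, so the time window is what separates them; without the proxy log the collector would only ever see 192.168.2.100 talking to the proxy and the proxy talking to the Internet, and the question "who fetched this URL" could not be answered from flow data alone.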
Questions?