Cisco Connect Dubrovnik, Croatia
Global vision. Local knowledge.
Dragan Novaković, Consulting Security Engineer, March 2019
Effective use of visibility and machine learning: Stealthwatch security analytics
Effective security depends on total visibility
[Slide diagram: a network with HQ, Data Center, Branch, Users, Roaming Users and Admin]
• SEE every conversation
• KNOW every host
• Understand what is NORMAL
• Be alerted to CHANGE
• Respond to THREATS quickly
Cisco Stealthwatch: Scalable visibility and security analytics
Using existing network infrastructure:
• Simplified Network Segmentation
• Advanced Threat Detection
• Accelerated Threat Response
Most comprehensive visibility for effective security outcomes
Security Analytics with Stealthwatch
• Data collection: Rich telemetry from the existing network infrastructure
• Global threat intelligence (powered by Talos): Intelligence of global threat campaigns mapped to local alarms for faster mitigation
• Behavioral modeling: Behavioral analysis of every activity within the network to pinpoint anomalies
• Multilayered machine learning: Combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Encrypted Traffic Analytics: Malware detection without any decryption, using enhanced telemetry from the new Cisco devices
Stealthwatch: Collecting and optimizing telemetry
Evolution of enterprise telemetry
Stealthwatch Enterprise can analyze a robust spectrum of telemetry across the extended network.
The digital enterprise is globally distributed, with multiple network devices such as routers, switches and firewalls. These devices can generate various types of telemetry in addition to NetFlow.
[Slide diagram: routers and switches between host 10.1.8.3 and Internet host 172.168.134.2]
The network is a valuable data source
What it provides:
• A trace of every conversation in your network
• Collection of records all across the network (routers, switches, firewalls)
• Network usage metrics
• Ability to view north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information

Flow information (the fields one NetFlow record carries for the packets of a conversation):
SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A (cumulative OR of SYN, PSH and ACK over the flow)
SOURCE SGT            100
: :
APPLICATION NAME      NBAR SECURE-HTTP
Scaling and optimization: deduplication
[Slide diagram: 10.1.1.1 port 80 and 10.2.2.2 port 1024 communicate through Routers A, B and C, each of which exports the same flow]
Deduplication
• Avoid false positives and misreported traffic volume
• Enable efficient storage of telemetry data
• Necessary for accurate host-level reporting
• No data is discarded
Router A: 10.1.1.1:80 → 10.2.2.2:1024
Router B: 10.2.2.2:1024 → 10.1.1.1:80
Router C: 10.2.2.2:1024 → 10.1.1.1:80   (duplicates: the same conversation reported by several exporters)
Scaling and optimization: stitching
Unidirectional telemetry records (one per direction, as exported from interfaces eth0/1 and eth0/2):
Start Time     Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221   eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871   eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bidirectional telemetry record (conversation record):
Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Conversation record: easy visualization and analysis, enriched with data from other sources.
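The deduplication and stitching steps above, as an added worked example that is not Stealthwatch code and not from this deck. The records are NetFlow-style unidirectional flows constructed from the slide's numbers; the exporter names RouterA/B/C, the one-second duplicate window and the client/server heuristic (the direction that started first is the client side, lower destination port breaks ties) are assumptions of the example.

```python
"""Deduplicate NetFlow records seen by several exporters and stitch the two
unidirectional halves of an exchange into one conversation record.
Added example; records are constructed from the slide's numbers."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class FlowRecord:
    exporter: str      # exporting device, e.g. "RouterB" (assumed names)
    start: float       # seconds since midnight
    iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    octets: int

@dataclass
class Conversation:
    start: float
    client: str
    cport: int
    server: str
    sport: int
    proto: str
    client_octets: int = 0
    client_pkts: int = 0
    server_octets: int = 0
    server_pkts: int = 0
    observers: List[str] = field(default_factory=list)  # exporter:interface of every copy

def hms(text: str) -> float:
    """'10:20:12.221' -> seconds since midnight."""
    h, m, s = text.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def dedup(records: List[FlowRecord], window: float = 1.0) -> List[Tuple[FlowRecord, List[str]]]:
    """Collapse copies of the same unidirectional flow exported by different
    devices within `window` seconds. Counters come from the first copy only, so
    volume is not multiplied; the exporter/interface of every copy is kept."""
    kept: List[Tuple[FlowRecord, List[str]]] = []
    index: Dict[tuple, int] = {}
    for r in sorted(records, key=lambda x: x.start):
        key = (r.src, r.sport, r.dst, r.dport, r.proto)
        i = index.get(key)
        first = kept[i][0] if i is not None else None
        if first is not None and first.exporter != r.exporter and r.start - first.start <= window:
            kept[i][1].append(f"{r.exporter}:{r.iface}")
        else:
            index[key] = len(kept)
            kept.append((r, [f"{r.exporter}:{r.iface}"]))
    return kept

def stitch(records: List[FlowRecord], window: float = 1.0) -> List[Conversation]:
    """Pair each flow with its reverse direction. The direction that started
    first is client->server; ties go to the record with the lower destination
    port (the service side)."""
    convs: Dict[tuple, Conversation] = {}
    for r, observers in sorted(dedup(records, window), key=lambda kv: (kv[0].start, kv[0].dport)):
        fwd = (r.src, r.sport, r.dst, r.dport, r.proto)
        rev = (r.dst, r.dport, r.src, r.sport, r.proto)
        if rev in convs:                           # reply half of a known conversation
            c = convs[rev]
            c.server_octets += r.octets
            c.server_pkts += r.pkts
        else:
            c = convs.setdefault(fwd, Conversation(r.start, r.src, r.sport, r.dst, r.dport, r.proto))
            c.client_octets += r.octets
            c.client_pkts += r.pkts
        c.observers += [o for o in observers if o not in c.observers]
    return list(convs.values())

# Constructed sample: Routers B and C both export the client half (a
# duplicate), Router A exports the server half on its other interface.
SAMPLE = [
    FlowRecord("RouterB", hms("10:20:12.221"), "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("RouterC", hms("10:20:12.230"), "eth0/1", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("RouterA", hms("10:20:12.871"), "eth0/2", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]

if __name__ == "__main__":
    for conv in stitch(SAMPLE):
        print(conv)
```

The result is one conversation with 1025 bytes / 5 packets from the client and 28712 bytes / 17 packets from the server, observed on RouterB:eth0/1, RouterC:eth0/1 and RouterA:eth0/2: the duplicate from Router C is not counted twice, but its observation point is retained. A real collector also has to handle records of the same flow re-exported after an active timeout, which this window-based rule would treat as a new flow from the same exporter rather than a duplicate.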
Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters
[Slide diagram of telemetry sources by category: Data Center (Nexus switch, Tetration); Switch (Catalyst, IE, ETA-enabled Catalyst); Web (Web Security Appliance, WSA); Router (ISR, CSR, ASR, WLC); Endpoint (AnyConnect); Firewall (ASA, FTD, Meraki); Policy and User Info (Identity Services Engine, ISE); Other (Stealthwatch Flow Sensor). Switches, routers, firewalls, servers, users, WAN and devices all feed Stealthwatch together with Cisco Identity Services Engine.]
The general ledger: session data, 100% network accountability
Client   Server   Translation  Service  User  Application  Traffic  Group     Mac       SGT  Encryption (TLS/SSL version)
1.1.1.1  2.2.2.2  3.3.3.3      80/tcp   Doug  http         20M      location  00:2b:1f  10   TLS 1.2
Visibility sources that enrich each session: network telemetry, interface information, NAT/proxy translation, Layer 7 application information, policy information (group/segment), user information, threat intelligence, Encrypted Traffic Analytics, endpoint and cloud telemetry.
Industry-leading Security Analytics
Anomaly detection using behavioral modeling
1. Collect and analyze telemetry
2. Create a baseline of normal behavior
3. Alarm on anomalies and behavioral changes
Per-host flow attributes that are baselined include: number of concurrent flows, new flows created, bits per second, packets per second, number of SYNs sent, number of SYNs received, rate of connection resets, duration of the flow, and time of day.
[Slide chart: ~100 security events; traffic of the "Exchange Servers" host group plotted against its threshold, with an anomaly detected in host behavior]
• Comprehensive data set optimized to remove redundancies
• Security events to detect anomalies and known bad behavior
• Alarm categories for high-risk, low-noise alerts for faster response
Power of multilayered machine learning
Increase fidelity of detection using best-in-class security analytics
[Slide diagram: network telemetry and the Global Risk Map feed a pipeline of anomaly detection, trust modeling, event classification, entity modeling and relationship modeling; the output narrows from anomalous traffic to malicious events to confirmed incidents, delivering prioritized high-fidelity incidents]
Advanced Threat Detection
Logical alarms based on suspicious events:
• DDoS Activity: Sending or receiving SYN floods and other types of data floods
• Source or target of malicious behavior: Scanning, excessive network activity such as file copying or transfer, policy violation, etc.
• Reconnaissance: Port scanning for vulnerabilities or running services
• Insider threats: Data hoarding and data exfiltration
• Command and Control: Communication back to an external remote controlling server through malware

Insider threat example: data hoarding
• Suspect Data Hoarding: Unusually large amount of data inbound to a host from other hosts
• Target Data Hoarding: Unusually large amount of data outbound from a host to multiple hosts
[Slide diagram: hosts inside the network boundary exchanging data]

Insider threat example: data exfiltration
• Data Exfiltration: Unusually large amount of data outbound from a host to one or more external hosts
[Slide diagram: an inside host sending data across the network boundary to an outside host]
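How the two insider-threat alarms above can be modelled from conversation records, as an added example that is not Stealthwatch's detection logic: each host is baselined against its own history of bytes received from other hosts and bytes sent to hosts outside the organization, and an alarm fires when today's value exceeds the mean plus three standard deviations of that history, or an absolute floor. The flow records, the RFC 1918 definition of "inside", the floors and the sigma multiplier are constructed assumptions.

```python
"""Baseline-and-threshold logic for the two insider-threat alarms above:
suspect data hoarding (unusual inbound volume from other hosts) and data
exfiltration (unusual outbound volume to hosts outside the organization).
Added example: flow records, address ranges and thresholds are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# "Inside" = RFC 1918 space (assumption; a deployment uses its own host groups)
INSIDE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_inside(ip: str) -> bool:
    a = ip_address(ip)
    return any(a in n for n in INSIDE)

# (day, source, destination, bytes sent from source to destination)
Flow = Tuple[int, str, str, int]
Alarm = Tuple[str, str, int, Optional[int]]   # (alarm, host, bytes, distinct peers)

def daily_profile(flows: List[Flow]) -> Dict[Tuple[str, int], dict]:
    """Per (inside host, day): bytes received from other hosts, the set of
    hosts they came from, and bytes sent to outside hosts."""
    prof = defaultdict(lambda: {"in_bytes": 0, "in_peers": set(), "out_ext_bytes": 0})
    for day, src, dst, octets in flows:
        if is_inside(dst):
            p = prof[(dst, day)]
            p["in_bytes"] += octets
            p["in_peers"].add(src)
        if is_inside(src) and not is_inside(dst):
            prof[(src, day)]["out_ext_bytes"] += octets
    return prof

def threshold(history: List[int], sigma: float, floor: int) -> float:
    """The host's own baseline: mean + sigma * stddev of past days, never
    below an absolute floor so that quiet hosts do not alarm on tiny changes."""
    if not history:
        return floor
    return max(floor, mean(history) + sigma * pstdev(history))

def detect(flows: List[Flow], today: int, sigma: float = 3.0,
           hoard_floor: int = 200_000_000, exfil_floor: int = 100_000_000) -> List[Alarm]:
    prof = daily_profile(flows)
    alarms: List[Alarm] = []
    for host in sorted({h for (h, _) in prof}):
        cur = prof.get((host, today))
        if cur is None:
            continue
        past = [prof[(h, d)] for (h, d) in prof if h == host and d < today]
        hoard_limit = threshold([p["in_bytes"] for p in past], sigma, hoard_floor)
        exfil_limit = threshold([p["out_ext_bytes"] for p in past], sigma, exfil_floor)
        if cur["in_bytes"] > hoard_limit:
            alarms.append(("Suspect Data Hoarding", host, cur["in_bytes"], len(cur["in_peers"])))
        if cur["out_ext_bytes"] > exfil_limit:
            alarms.append(("Data Exfiltration", host, cur["out_ext_bytes"], None))
    return alarms

def _sample() -> List[Flow]:
    """Constructed history: two desktops with steady traffic for six days; on
    day 6 the first one pulls 50 MB from 40 internal peers and pushes 1.5 GB out."""
    flows: List[Flow] = []
    for day in range(1, 7):
        flows += [(day, "10.201.1.10", "10.201.3.149", 50_000_000),
                  (day, "10.201.3.149", "203.0.113.5", 10_000_000),
                  (day, "10.201.1.10", "10.201.3.150", 60_000_000),
                  (day, "10.201.3.150", "203.0.113.5", 5_000_000)]
    flows += [(6, f"10.201.2.{i}", "10.201.3.149", 50_000_000) for i in range(1, 41)]
    flows.append((6, "10.201.3.149", "198.51.100.7", 1_500_000_000))
    return flows

SAMPLE = _sample()

if __name__ == "__main__":
    for a in detect(SAMPLE, today=6):
        print(a)
```

On day 6 the host 10.201.3.149 raises both alarms (about 2 GB received from 41 distinct peers, then about 1.5 GB sent to outside hosts), while the steady host 10.201.3.150 stays silent; on day 5 nothing fires. The absolute floor matters: a host with a perfectly flat history has a standard deviation of zero, so without the floor any increase at all would alarm.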
Encrypted Traffic Analytics
• Ensure cryptographic compliance
• Detect malware in encrypted traffic
Cisco Stealthwatch Enterprise is the only solution providing visibility and malware detection without decryption.

Data elements to analyze encrypted traffic:
• Initial data packet: make the most of the unencrypted fields (example indicator: a self-signed certificate)
• Sequence of packet lengths and times: identify the content type through the size and timing of packets (example indicator: data exfiltration)
• Global Risk Map: know the who's who of the Internet's dark side (example indicator: a C2 message)

Identifying malicious encrypted traffic
Packet lengths, arrival times and durations tend to be inherently different for malware than for benign traffic.
[Slide diagram: client-sent and server-sent packet sequences modelled for a Google search page download, for initiating command and control, and for exfiltration and keylogging]
ETA Cryptographic Audit: Analyze encrypted traffic for cryptographic compliance
1. View traffic by SSL/TLS version
2. View traffic by cipher suite
3. Get more details about encrypted traffic
4. Download CSV or generate a printable report
• Utilizes Encrypted Traffic Analytics (ETA)
• Provides an assessment of the "quality" of encryption being used, helpful to audit cryptographic compliance (e.g. using SSL or early TLS violates PCI compliance)
• Helps analyze trends and changes in the amount and type of encryption
Note: The app needs ETA to be enabled. However, it doesn't need Cognitive Intelligence integration or an internet connection, as the analysis is performed on-premises.
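The unencrypted fields of the initial data packet that both the "make the most of unencrypted fields" data element and the cryptographic audit above rely on, as an added example rather than Cisco's implementation: a parser for the TLS ClientHello and ServerHello that extracts the SNI hostname, the offered and negotiated versions and cipher suites, and a grading function that flags SSL/early TLS or weak suites. The handshake bytes are produced by the two builder functions (constructed, not captured), and the weak-suite list is an assumed audit policy.

```python
"""Parse the unencrypted fields of a TLS session's initial data packets
(ClientHello and ServerHello) and grade the session for cryptographic
compliance. Added example; the handshake bytes are constructed, not captured."""
import struct
from typing import Dict, List

SNI, SUPPORTED_VERSIONS = 0x0000, 0x002B
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# IANA suite ids an audit should flag (non-exhaustive, assumed policy list)
WEAK_SUITES = {0x0001: "NULL-MD5", 0x0002: "NULL-SHA", 0x0003: "EXP-RC4-MD5",
               0x0004: "RC4-MD5", 0x0005: "RC4-SHA", 0x000A: "DES-CBC3-SHA"}

def _u16(b: bytes, off: int) -> int:
    return struct.unpack_from("!H", b, off)[0]

def _parse_extensions(b: bytes, off: int, end: int, is_server: bool) -> Dict[str, object]:
    out: Dict[str, object] = {}
    while off + 4 <= end:
        etype, elen = _u16(b, off), _u16(b, off + 2)
        data = b[off + 4:off + 4 + elen]
        if etype == SNI and not is_server:
            # server_name_list: u16 list length, u8 name type, u16 name length, name
            out["sni"] = data[5:5 + _u16(data, 3)].decode("ascii")
        elif etype == SUPPORTED_VERSIONS:
            # the client sends a u8-prefixed list, the server the single chosen version
            out["supported_versions"] = ([_u16(data, 0)] if is_server else
                                         [_u16(data, 1 + i) for i in range(0, data[0], 2)])
        off += 4 + elen
    return out

def parse_hello(record: bytes) -> Dict[str, object]:
    """Parse one TLS handshake record carrying a ClientHello (1) or ServerHello (2)."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    is_server = record[5] == 2
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    off = 34                                  # legacy version (2) + random (32)
    off += 1 + body[off]                      # session id
    if is_server:
        suites, off = [_u16(body, off)], off + 3   # chosen suite + compression method
    else:
        n = _u16(body, off)
        suites = [_u16(body, off + 2 + i) for i in range(0, n, 2)]
        off += 2 + n
        off += 1 + body[off]                  # compression methods vector
    info: Dict[str, object] = {"type": "ServerHello" if is_server else "ClientHello",
                               "version": _u16(body, 0), "cipher_suites": suites}
    if off + 2 <= len(body):
        ext_len = _u16(body, off)
        info.update(_parse_extensions(body, off + 2, off + 2 + ext_len, is_server))
    return info

def effective_version(info: Dict[str, object]) -> int:
    sv = info.get("supported_versions")
    return max(sv) if sv else info["version"]

def audit(client: Dict[str, object], server: Dict[str, object]) -> Dict[str, object]:
    """SSL or early TLS (1.0/1.1) and a weak negotiated suite are non-compliant,
    matching the PCI rule the slide cites; weak offers by the client are noted."""
    ver, suite = effective_version(server), server["cipher_suites"][0]
    findings: List[str] = []
    if ver < 0x0303:
        findings.append(f"{VERSION_NAMES.get(ver, hex(ver))} negotiated (SSL/early TLS)")
    if suite in WEAK_SUITES:
        findings.append(f"weak cipher suite {WEAK_SUITES[suite]}")
    offered_weak = [WEAK_SUITES[s] for s in client["cipher_suites"] if s in WEAK_SUITES]
    return {"sni": client.get("sni"), "version": VERSION_NAMES.get(ver, hex(ver)),
            "cipher_suite": f"0x{suite:04x}", "compliant": not findings,
            "findings": findings, "client_offers_weak": offered_weak}

# --- constructed handshakes for the sample (builders, not capture data) ---
def build_client_hello(sni: str, suites: List[int], versions: List[int]) -> bytes:
    name = sni.encode("ascii")
    exts = (struct.pack("!HHHBH", SNI, len(name) + 5, len(name) + 3, 0, len(name)) + name
            + struct.pack("!HHB", SUPPORTED_VERSIONS, 2 * len(versions) + 1, 2 * len(versions))
            + b"".join(struct.pack("!H", v) for v in versions))
    body = (struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def build_server_hello(version: int, suite: int) -> bytes:
    exts = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, version) if version >= 0x0304 else b""
    body = (struct.pack("!H", min(version, 0x0303)) + b"\x22" * 32 + b"\x00"
            + struct.pack("!H", suite) + b"\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    ch = parse_hello(build_client_hello("legacy.example.net", [0x0005, 0x000A, 0xC02F], [0x0301]))
    sh = parse_hello(build_server_hello(0x0301, 0x0005))
    print(audit(ch, sh))
```

Two points the parser makes explicit: a TLS 1.3 session carries 0x0303 in the legacy version field and announces 1.3 only in the supported_versions extension, so an audit keyed on the record header alone misclassifies it; and the version and suite that count for compliance are the ones the server selects, which is why the ServerHello is parsed alongside the ClientHello.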
Example Detection: Combining ETA Data Elements
• Initial Data Packet (IDP): the original URL request, i.e. the SNI hostname, extracted from the new ETA telemetry and validated through passive DNS (pDNS) attribution
• Sequence of Packet Lengths and Times (SPLT): a vector of ETA behaviors
• Global Risk Map: passive DNS attribution and the Global Risk Map track servers likely to become part of an attack; host history indicates a high probability of becoming part of C&C
These elements are combined by multilayer machine learning.

Example Detection: Malware with encrypted C&C
Accelerated Threat Response
• Alarms tied to specific entities
• Quick snapshot of malicious activity
• Suspicious behavior linked to logical alarms
• Risks prioritized to take immediate action
• Summary of aggregated host information
• Observed communication patterns and historical alarming behavior

Investigating a host
[Slide screenshot: Host Summary for 10.201.3.149 with User Name, Device Name, Device Type, Host Group, Location, Last Active Status, Session Information and Policies, plus Quarantine/Unquarantine buttons; Flows History 12-Jan to 16-Jan; Alarms by Type (Data Hoarding, Packet Flood, High Traffic, Data Exfiltration); Traffic by Peer Host Group (within organization vs. outside organization); Top security events]
• Understand why the alarm was triggered
• Easily determine if the host is the source or target of an attack
• Drill down into associated telemetry with just one click

Apply machine learning to investigate threats
• Threat propagation details
• Malware behavior detected in encrypted traffic
• Correlation of global threat behaviors
• Threats ranked by overall severity to the environment

Investigating: Audit trails
• Export search results
• Filter telemetry search results in place without running a new query
• Analyze network telemetry retroactively
• Control what you see
Mitigation
Mitigate threats effectively: quarantine identified threats using the network
An alarm can have an associated response:
• Notify in the alarm table
• Generate an email
• Generate a syslog message to a SIEM
[Slide diagram: the Stealthwatch Management Console sends a quarantine or unquarantine request for the infected host to Cisco Identity Services Engine over pxGrid (Rapid Threat Containment, without any business disruption); context information is shared with other network and security products]

Detect and respond to advanced threats (example: data hoarding and data exfiltration)
• Alarm triggered
• User identified
• Device identified (name, location, MAC address, last seen, policies, host group)
• Additional info determined: what kind of data was transmitted? Where is the data being transmitted?
• Threat removed from network
• Forensic investigation conducted
Reduce incident response time from months to hours
Simplified Network Segmentation
Logical groupings customized to your business (for example Datacenter, VPN Users, Branch Office, Guest Wireless, Confidential Servers, Employee Desktops)
• Identify every asset on the network
• Set policies based on hosts as well as applications
• Model policies before enforcing them

Comprehensive visibility: Account for all of the network's digital assets
• Find and categorize any host communicating on the network
• Search for assets based on transactional data, for example protocol (HTTP/S server, FTP server, etc.) or the applications being served

Policy Modeling and Monitoring
"Custom Events" can be created to model policies before enforcing them, for example:
• Bypass of implemented firewall ACLs
• Communication between PoS terminals and the Internet
• Unapproved communication to servers containing critical or confidential information (PCI, source code, HR records)
• Violation of established communication policy (e.g. no intra-branch location communication)
• SMB traffic from inside hosts to outside hosts
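Modelling such custom events in code, as an added example that is not Stealthwatch's rule engine: host groups are CIDR lists, each custom event names a subject group, a peer group, optional server ports and an optional exempt (approved) group, and the rules are counted against conversation records so that a policy's hit rate can be reviewed before any ACL is pushed. The group ranges, rule names and sample conversations are constructed assumptions.

```python
"""Model segmentation policies as custom events and count how often existing
traffic would violate them, before any enforcement. Added example; the host
groups, rules and conversation records are constructed, not from a deployment."""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, NamedTuple, Set, Tuple

class Conv(NamedTuple):
    client: str
    server: str
    server_port: int
    proto: str

# Logical groupings customized to the business (assumed address ranges)
HOST_GROUPS: Dict[str, list] = {
    "Inside Hosts": [ip_network("10.0.0.0/8")],
    "PoS Terminals": [ip_network("10.50.0.0/16")],
    "Confidential Servers": [ip_network("10.10.5.0/24")],
    "Employee Desktops": [ip_network("10.20.0.0/16")],
    "Admin Jump Hosts": [ip_network("10.40.0.0/24")],
    "Branch A": [ip_network("10.30.0.0/16")],
    "Branch B": [ip_network("10.31.0.0/16")],
}

def groups_of(ip: str) -> Set[str]:
    """Every host group an address belongs to; anything unmatched is 'Outside Hosts'."""
    a = ip_address(ip)
    found = {name for name, nets in HOST_GROUPS.items() if any(a in n for n in nets)}
    return found or {"Outside Hosts"}

class CustomEvent(NamedTuple):
    name: str
    subject: str                          # group the client must be in
    peer: str                             # group the server must be in
    ports: FrozenSet[int] = frozenset()   # empty: any server port
    symmetric: bool = False               # also match with client and server swapped
    exempt: str = ""                      # clients in this group are approved

RULES = [
    CustomEvent("PoS terminal to Internet", "PoS Terminals", "Outside Hosts"),
    CustomEvent("SMB from inside to outside", "Inside Hosts", "Outside Hosts", frozenset({139, 445})),
    CustomEvent("Unapproved access to confidential servers", "Inside Hosts",
                "Confidential Servers", exempt="Admin Jump Hosts"),
    CustomEvent("Branch-to-branch communication", "Branch A", "Branch B", symmetric=True),
]

def evaluate(convs: List[Conv], rules: List[CustomEvent] = RULES) -> List[Tuple[str, Conv]]:
    """Return (rule name, conversation) for every conversation a rule would fire on."""
    hits: List[Tuple[str, Conv]] = []
    for c in convs:
        cg, sg = groups_of(c.client), groups_of(c.server)
        for r in rules:
            match = r.subject in cg and r.peer in sg
            if r.symmetric:
                match = match or (r.subject in sg and r.peer in cg)
            if match and r.exempt and r.exempt in cg:
                match = False
            if match and (not r.ports or c.server_port in r.ports):
                hits.append((r.name, c))
    return hits

def summarize(hits: List[Tuple[str, Conv]]) -> Dict[str, int]:
    """Hit count per rule: the volume to review before the policy is enforced."""
    return dict(Counter(name for name, _ in hits))

# Constructed conversation records (client -> server)
SAMPLE = [
    Conv("10.50.1.7", "198.51.100.20", 443, "TCP"),   # PoS terminal talks to the Internet
    Conv("10.20.3.44", "203.0.113.9", 445, "TCP"),    # desktop sends SMB outside
    Conv("10.20.3.44", "203.0.113.9", 443, "TCP"),    # ordinary HTTPS outbound, allowed
    Conv("10.20.3.44", "10.10.5.12", 22, "TCP"),      # desktop reaches a confidential server
    Conv("10.40.0.5", "10.10.5.12", 22, "TCP"),       # jump host, approved
    Conv("10.31.8.8", "10.30.2.2", 445, "TCP"),       # Branch B to Branch A
]

if __name__ == "__main__":
    for name, conv in evaluate(SAMPLE):
        print(f"{name}: {conv.client} -> {conv.server}:{conv.server_port}")
    print(summarize(evaluate(SAMPLE)))
```

Run against the sample, four of the six conversations would trigger a custom event, one per rule; the approved jump host and the ordinary HTTPS session do not. Because a host can sit in several groups at once (10.20.3.44 is both an Inside Host and an Employee Desktop), the group sets rather than a single label are what the rules are matched against.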
Host Classifier App: Dynamic discovery and classification of core assets in the network
1. Assets are currently classified into 7 core groups
2. The classification algorithm tunes itself based on user feedback
• Useful for initial system configuration as well as to continuously maintain host classification
• Well-defined host groups lead to contextual and accurate alarms
• Analysis is performed on-premises
Stealthwatch Enterprise architecture: comprehensive visibility and security analytics
[Slide diagram: NetFlow-enabled routers, switches and firewalls, Flow Sensors in front of non-NetFlow-enabled equipment (including a hypervisor running the Flow Sensor VE to watch its VMs), proxy data, the Endpoint License, ISE and telemetry for Encrypted Traffic Analytics all feed the Flow Collectors, optionally through a UDP Director that also forwards copies to other traffic analysis software. The Management Console presents the analysis; the Threat Intelligence License, Global Threat Analytics (Stealthwatch Cloud) and the Security Packet Analyzer with its packet data and storage are add-ons.]
Required core components
Stealthwatch Management Console (SMC)
• A physical or virtual appliance that aggregates, organizes, and presents analysis from Flow Collectors, Identity Services Engine (ISE), and other sources
• User interface to Stealthwatch
• Maximum 2 per deployment
Flow Collector (FC)
• A physical or virtual appliance that aggregates and normalizes NetFlow and application data collected from exporters such as routers, switches, and firewalls
• High performance NetFlow / sFlow / IPFIX collector
• Maximum 25 per deployment
Flow Rate License
• Collection, management, and analysis of telemetry by Stealthwatch Enterprise
• The Flow Rate License is simply determined by the number/type of switches, routers, firewalls and probes present on the network

Flow Sensor
• Produces telemetry for network infrastructure that can't generate NetFlow natively
• Provides additional security context to enhance the Stealthwatch security analytics
• High fidelity detections and faster investigations with visibility into: Layer 7 application data, URL information for web traffic, TCP flag details, RTT (round trip time), SRT (server response time), retransmissions
• Available as physical or virtual appliances (the Flow Sensor VE runs on a hypervisor to cover non-NetFlow-enabled equipment)

UDP Director
• Physical or virtual appliance
• Allows NetFlow, syslog and SNMP data to be sent transparently to multiple collection points, including Flow Collectors and other traffic analysis software
• Provides additional flexibility and ease of deployment
Stealthwatch Threat Intelligence License (powered by Talos)
Global threat intelligence
• Intelligence of global threat campaigns mapped to local alarms for faster mitigation
• Benefit of a large intelligence dataset:
  o 1.5 million daily malware samples
  o 16 billion daily web requests
  o 100+ threat intelligence partners
  o Millions of telemetry agents
Stealthwatch Proxy License
Syslog information (the fields one proxy log record carries for the packets of a web request):
TIMESTAMP         1456312345
ELAPSE TIME       12523
SOURCE IP         192.168.2.100
SOURCE PORT       4567
DESTINATION IP    65.12.56.123
DESTINATION PORT  80
BYTES             400
URL               http://cisco.com
USERNAME          john
Proxy ingestion provides:
• HTTP traffic visibility
• Analysis continuity
• User information
Multi-vendor proxy support: Cisco WSA, Blue Coat proxy, Squid, McAfee Web Gateway

Stealthwatch Endpoint License
AnyConnect with the Network Visibility Module exports nvzFlow to the Endpoint Concentrator, which feeds the Flow Collector and Management Console.
Attributing a flow to:
• Process name, process hash, process account
• Parent process name, parent process hash, parent process account
ISE & ISE-PIC
• User session information is obtained via pxGrid
• Enables mitigation actions from the SMC via pxGrid
• True single source of identity information
• No longer need a separate connection to AD, LDAP, etc.
ISE Passive Identity Connector (ISE-PIC)
• ISE-PIC provides an alternate identity solution for Stealthwatch Identity customers
• Generic syslog parsers available for input into pxGrid
• Only available on ISE 2.2+ and Stealthwatch 6.9+
• Passive identity only: no authorization, no policies

Identity context from almost anywhere (inputs to ISE-PIC / ISE)
• REST API, syslog, WMI, Kerberos, SPAN
• Custom apps, Endpoint Probe (same user? still there?), ISE-PIC Agent
• BlueCat Networks, Infoblox, F5, Blue Coat, Windows Terminal Services, Citrix, almost anything
[Slide diagram: switches, routers, firewall, data center switch, servers and users feeding the Management Console and ISE]
NetFlow/sFlow export is available across the Cisco portfolio
Servers, Software and Appliances: Cisco Stealthwatch Flow Sensor (IPFIX); Cisco NetFlow Generation Appliance (FNF v9); Cisco UCS VIC (VIC 1224/1240/1280/1340/1380); Cisco AnyConnect Client (IPFIX)
Router: Cisco ISR G2 (FNF v9, SGT support); Cisco ISR 4000 (FNF v9, SGT support); Cisco CSR 1000v (FNF v9, SGT support); Cisco ASR 1000 (FNF v9, SGT support); Cisco ASR 9000 (FNF v9); Cisco WLC 5760 (FNF v9); Cisco WLC 5520, 8510, 8540 (v9)
Switch: Catalyst 2960-X (FNF v9, SGT support); Catalyst 3560/3750-X (SM-10G module only); Catalyst 3650/3850 (FNF v9, SGT support); Catalyst 4500E (Sup7E/7LE/8) (FNF v9, SGT support); Catalyst 6500E (Sup2T) (FNF v9, SGT support); Catalyst 6800 (FNF v9, SGT support); Catalyst 9300/9400 (FNF + ETA); IE 4000 (NetFlow Lite)
Firewall: ASA 5500-X (NSEL); FTD (NSEL in v6.2 with FlexConfig); Meraki MX/Z1 (v9)
Data Center Switch: Nexus 3000 (sFlow); Nexus 7000 (M Series I/O modules, FNF v9); Nexus 1000v (FNF v9); Nexus 9200/9300 (sFlow); Nexus 93180-EX (v9)
The above is a non-exhaustive list of Cisco exporters. For individual platform features, reference the Cisco Feature Navigator: http://cfn.cloudapps.cisco.com/ITDIT/CFN/jsp/index.jsp
End-to-End Visibility
Stealthwatch provides the security visibility you need
Stealthwatch Enterprise
• Enterprise network monitoring
• On-premises virtual or hardware appliance
• On-premises network monitoring
• Suitable for enterprises & large businesses
Stealthwatch Cloud, private network monitoring
• Software as a Service (SaaS)
• On-premises network monitoring
• Suitable for SMBs & commercial businesses
Stealthwatch Cloud, public cloud monitoring
• Software as a Service (SaaS)
• Public cloud monitoring
• Suitable for enterprises & commercial businesses using public cloud services
Gain visibility, intelligence, and automation: Network as a Sensor
Stealthwatch
• Provides unique visibility across your entire network
• Detects anomalies and threats faster with real-time analysis and advanced forensics capabilities
• Generates notifications automatically when anomalies are detected on the network
• Leverages information from other solutions to gain complete network visibility and security analytics
[Slide diagram: everything must touch the network; know every host (Access Audit), record every conversation, understand what's normal (Posture), get alerted to change (Detect)]

Stealthwatch Cloud makes it simple to see everything
• Get complete visibility of activity in the public cloud
• Detect threats automatically
• Deploy and manage easily

Key features
• Visibility everywhere: Analyzes enterprise telemetry from any source (NetFlow, IPFIX, sFlow, other Layer 7 protocols) across the extended network
• Encrypted Traffic Analytics: Only product that can analyze encrypted traffic to detect malware and ensure policy compliance without decryption
• Rapid Threat Containment: Quarantine infected hosts easily using the Identity Services Engine (ISE) integration; collect and store network audit trails for deeper forensic investigations
• Unique threat detection: Combination of multi-layer machine learning and behavioral modeling provides the ability to detect inside as well as outside threats
• Smart segmentation: Create logical user groups that make sense for your business, and monitor the effectiveness of segmentation policies through contextual alarms
Accelerate value with Stealthwatch Services
Gain the most value from your Stealthwatch deployment with the proactive and ongoing support you need
• Advanced Services: Optimize deployments to meet business requirements, increase productivity, and reduce risk
• Educational Services: Offer training and customer enablement to improve security posture and respond to threats
• Support Services: Provide proactive and reactive engagement along with ongoing customer management