
Page 1: Threat Prevention based on Network Visibility & Behavioral ... · Security Analytics with Stealthwatch Enterprise Global threat intelligence (powered by Talos) Intelligence of global

Luc Billot

Cyber Security Technical Architect - Cisco

April 2019

Threat Prevention based on Network Visibility & Behavioral Analytics

Page 2:

What if …..

Page 3:

Encrypted traffic growing rapidly due to increased total amount of traffic and % of traffic encrypted

[Chart: Business IP traffic in EB per month, 2017 to 2022, y-axis 0 to 60; series: Business internet traffic, Business managed IP traffic, Business mobile data]

Source: Google Transparency Report, Forbes, Cisco VNI

Page 4:

Browsers and applications investigated

Browsers are quickly adopting the emerging standards; many will become the default settings in the next releases. Applications are moving slower, but are beginning to adopt these standards.

Protocol   Browser users with the new protocol by default (1)   Websites that offer the new protocol (2)
TLS 1.3    66.7%                                                10.7%
ESNI       Experimental only                                    <1%
DoH (4)    Experimental only                                    <1%
HTTP/2     86.9%                                                33.2%
QUIC (3)   28.8%                                                1.4%

As of January 2019. (1) Based on % of users per browser version that supports the standard by default. (2) SSL Labs' review of the top 150K sites. (3) gQUIC. (4) DNS traffic.

Source: caniuse.com, Cloudflare blog, Chromium blog, Mozilla blog, ZDNet

Page 5:

TLS website adoption

[Chart: share of websites supporting each version, 0% to 100%; series: TLS 1.1 (ratified 4/2006), TLS 1.2 (ratified 8/2008), TLS 1.3 (ratified 8/2018)]

Source: SSL Labs

Page 6:

HTTP/2 and HTTP/3 website adoption

[Chart: share of websites, 0% to 35%, 22-Apr-12 to 22-Apr-18; series: SPDY, HTTP/2]

Source: SSL Labs, W3Tech

Page 7:

Architecture in Cyber Security

Page 8:

Security is an Integration Game

[Integration diagram. Products: NGIPS, NGFW, Firepower Management Center, ISE, AMP for Endpoints, AMP, Threat Grid, Stealthwatch, Web Security, Umbrella, Email Security, DNS, Logging/SIEM, Orchestration, Investigate, Tetration, AD. Exchanges between them: 3rd-party vulnerability data, 3rd-party threat intelligence, sending data to the SIEM, API transactions, identity from ISE.]

Page 9:

Effective security depends on total visibility

[Diagram: one network spanning Users, HQ, Data Center, Admin, Branch, Roaming Users and Cloud]

• SEE every conversation
• Understand what is NORMAL
• Be alerted to CHANGE
• KNOW every host
• Respond to THREATS quickly

Page 10:

Understand Threat Detection using Flows

Page 11:

The network is a valuable data source

[Diagram: routers and switches export a flow record for the conversation between 10.1.8.3 and 172.168.134.2 on the Internet]

What it provides:

• A trace of every conversation in your network
• Collection of records all across the network (routers, switches, firewalls)
• Network usage metrics
• Ability to view north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indicators of compromise (IOC)
• Security group information

Flow information (one record summarizing the packets of a conversation):

SOURCE ADDRESS        10.1.8.3
DESTINATION ADDRESS   172.168.134.2
SOURCE PORT           47321
DESTINATION PORT      443
INTERFACE             Gi0/0/0
IP TOS                0x00
IP PROTOCOL           6
NEXT HOP              172.168.25.1
TCP FLAGS             0x1A
SOURCE SGT            100
: :
APPLICATION NAME      NBAR SECURE-HTTP
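Decoding such a record from the wire, as an added example that is not code from the deck or from Cisco: the following Python parses a NetFlow v5 export datagram. NetFlow v5 is assumed because its layout is fixed; the SGT and NBAR application fields on the slide need Flexible NetFlow v9 or IPFIX templates, which this decoder does not handle. The datagram is constructed inline from the slide's addresses and ports; counters, interface indexes and timestamps are made up.

```python
"""Decode a NetFlow v5 export datagram into flow records (added example)."""
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records.
HEADER = struct.Struct("!HHIIIIBBH")
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def tcp_flag_names(flags):
    """Expand the cumulative TCP flag byte of a flow, e.g. 0x1A -> 'SYN|PSH|ACK'."""
    names = [name for bit, name in sorted(TCP_FLAG_NAMES.items()) if flags & bit]
    return "|".join(names) or "-"


def parse_netflow_v5(datagram):
    """Return the header sequence number, sampling interval and a list of flow dicts."""
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    records = []
    for i in range(count):
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2) = \
            RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        records.append({
            "src": str(IPv4Address(src)), "dst": str(IPv4Address(dst)),
            "next_hop": str(IPv4Address(nexthop)), "in_if": in_if, "out_if": out_if,
            "sport": sport, "dport": dport, "proto": proto, "tos": tos,
            "tcp_flags": flags, "tcp_flag_names": tcp_flag_names(flags),
            "packets": pkts, "bytes": octets, "duration_ms": last - first,
        })
    # Top two bits of the sampling field are the mode; the low 14 bits are the interval.
    return {"sequence": seq, "sampling_interval": sampling & 0x3FFF, "records": records}


def build_sample_datagram():
    """Constructed export of the slide's flow: 10.1.8.3:47321 -> 172.168.134.2:443 via 172.168.25.1."""
    record = RECORD.pack(
        IPv4Address("10.1.8.3").packed, IPv4Address("172.168.134.2").packed,
        IPv4Address("172.168.25.1").packed, 1, 2,      # input/output ifIndex (made up)
        12, 3480, 1000, 1900,                           # packets, bytes, first, last (ms of uptime)
        47321, 443, 0, 0x1A, 6, 0x00,                   # ports, pad, cumulative TCP flags, proto, TOS
        0, 0, 24, 16, 0)                                # src/dst AS, prefix masks, pad
    header = HEADER.pack(5, 1, 60000, 1554076800, 0, 1, 0, 0, 0)
    return header + record


if __name__ == "__main__":
    for flow in parse_netflow_v5(build_sample_datagram())["records"]:
        print(flow)
```

The cumulative TCP flag byte is worth reading rather than ignoring: a flow whose flags never include ACK (SYN only) is a connection that was never answered, which is the raw material for the scan and worm detections later in the deck.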

Page 12:

Scaling and optimization: deduplication

[Diagram: the same conversation between 10.1.1.1 port 80 and 10.2.2.2 port 1024 is reported by Router A, Router B and Router C]

Deduplication

• Avoid false positives and misreported traffic volume
• Enable efficient storage of telemetry data
• Necessary for accurate host-level reporting
• No data is discarded

Router A: 10.1.1.1:80 → 10.2.2.2:1024
Router B: 10.2.2.2:1024 → 10.1.1.1:80
Router C: 10.2.2.2:1024 → 10.1.1.1:80 (duplicate of Router B's record)

Page 13:

Scaling and optimization: stitching

[Diagram: the two directions of one TCP conversation, 10.2.2.2 port 1024 and 10.1.1.1 port 80, arrive on interfaces eth0/1 and eth0/2]

Unidirectional telemetry records:

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bidirectional telemetry record (conversation record):

Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2

Easy visualization and analysis
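The two optimizations on this slide and the previous one, deduplication and stitching, as one added example in Python. This is not Stealthwatch's implementation, only a simplified version of the steps the slides describe; the records are constructed from the slide's values (Router C duplicating Router B's record), with one extra unanswered SSH attempt added to show what a one-sided flow looks like after stitching.

```python
"""Deduplicate unidirectional flow records and stitch them into conversations (added example)."""
from collections import defaultdict


def dedup(records, window_ms=1000):
    """Merge records of the same unidirectional flow reported by more than one exporter.

    Records match when their 5-tuple and counters are identical and they started within
    `window_ms` of each other. Nothing is discarded: every exporter/interface that
    reported the flow is kept on the surviving record.
    """
    kept = []
    for r in sorted(records, key=lambda r: r["start_ms"]):
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"], r["pkts"], r["bytes"])
        for k in kept:
            if k["_key"] == key and abs(k["start_ms"] - r["start_ms"]) <= window_ms:
                k["exporters"].append((r["exporter"], r["iface"]))
                break
        else:
            kept.append({**r, "_key": key, "exporters": [(r["exporter"], r["iface"])]})
    return kept


def stitch(records):
    """Pair the two directions of each flow into one bidirectional conversation record.

    The client is the side whose record started first (ties: the side with the higher,
    ephemeral, port). A flow with no reverse direction is flagged `one_sided`, which is
    what a scan or a blocked connection looks like.
    """
    by_pair = defaultdict(list)
    for r in records:
        a, b = (r["src"], r["sport"]), (r["dst"], r["dport"])
        by_pair[(min(a, b), max(a, b), r["proto"])].append(r)
    conversations = []
    for (_, _, proto), sides in by_pair.items():
        sides.sort(key=lambda r: (r["start_ms"], -r["sport"]))
        c, s = sides[0], (sides[1] if len(sides) > 1 else None)
        conversations.append({
            "start_ms": c["start_ms"], "proto": proto,
            "client": c["src"], "client_port": c["sport"],
            "server": c["dst"], "server_port": c["dport"],
            "client_bytes": c["bytes"], "client_pkts": c["pkts"],
            "server_bytes": s["bytes"] if s else 0, "server_pkts": s["pkts"] if s else 0,
            "interfaces": sorted({iface for r in sides
                                  for _, iface in r.get("exporters", [(r["exporter"], r["iface"])])}),
            "one_sided": s is None,
        })
    return conversations


# Constructed records: the slide's conversation as seen by three routers (Router C duplicates
# Router B), plus an unanswered SSH attempt to show a one-sided flow.
SAMPLE_RECORDS = [
    dict(exporter="Router A", iface="eth0/2", start_ms=12871, src="10.1.1.1", sport=80,
         dst="10.2.2.2", dport=1024, proto=6, pkts=17, bytes=28712),
    dict(exporter="Router B", iface="eth0/1", start_ms=12221, src="10.2.2.2", sport=1024,
         dst="10.1.1.1", dport=80, proto=6, pkts=5, bytes=1025),
    dict(exporter="Router C", iface="eth0/1", start_ms=12223, src="10.2.2.2", sport=1024,
         dst="10.1.1.1", dport=80, proto=6, pkts=5, bytes=1025),
    dict(exporter="Router B", iface="eth0/1", start_ms=13000, src="10.3.3.3", sport=40000,
         dst="10.1.1.1", dport=22, proto=6, pkts=3, bytes=180),
]

if __name__ == "__main__":
    for conv in stitch(dedup(SAMPLE_RECORDS)):
        print(conv)
```

Without the deduplication step the server would appear to have sent 28712 bytes once and received 1025 bytes twice, which is exactly the misreported volume the slide warns about; without stitching, the one-sided SSH attempt would be indistinguishable from a normal record.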

Page 14:

Enriched with data from other sources

Stealthwatch Enterprise also enables telemetry ingestion from many third-party exporters

[Diagram of telemetry sources feeding the Flow Collector]

• Data Center: Nexus switch, Tetration
• Switch: Catalyst, IE, ETA-enabled Catalyst
• Web: Web Security Appliance (WSA)
• Router: ISR, CSR, ASR, WLC
• Endpoint: AnyConnect
• Firewall: ASA, FTD, Meraki
• Policy and user info: Identity Services Engine (ISE)
• Other: Stealthwatch Flow Sensor

Page 15:

The general ledger

Session Data | 100% network accountability

Client   Server   Translation  Service  User  Application  Traffic  Group     Mac       SGT  Encryption (TLS/SSL version)
1.1.1.1  2.2.2.2  3.3.3.3      80/tcp   Doug  http         20M      location  00:2b:1f  10   TLS 1.2

Each column is filled from a different source: Network Telemetry (visibility), Interface Information, NAT/Proxy (translation), Layer 7 (application), User Information, Policy Information (group / segment), Encrypted Traffic Analytics, Threat Intelligence, Endpoint, Cloud.

Page 16:

Security Analytics

Page 17:

Anomaly detection using behavioral modeling

• Collect and analyze telemetry
• Create a baseline of normal behavior
• Alarm on anomalies and behavioral changes

Per-host metrics used for the baseline: flows, number of concurrent flows, time of day, bits per second, packets per second, number of SYNs sent, number of SYNs received, new flows created, rate of connection resets, duration of the flow

[Chart: ~100 security events; a threshold for a host group such as Exchange Servers; an anomaly is detected in host behavior when a metric crosses the threshold]

• Comprehensive data set optimized to remove redundancies
• Security events to detect anomalies and known bad behavior
• Alarm categories for high-risk, low-noise alerts for faster response
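The three steps above, baseline then alarm on deviation, as an added example in Python. It is not Stealthwatch's algorithm: a per-host baseline (mean and standard deviation) is built over past intervals for a few of the metrics listed, and a new interval alarms when a metric exceeds mean plus three standard deviations or an absolute floor. The telemetry is constructed inline (seven quiet minutes for host 10.1.8.3, then a minute in which the host starts SYN-scanning port 445), so the worm-scan case from the detection examples later in the deck is also covered.

```python
"""Per-host behavioral baseline and anomaly alarms over flow telemetry (added example)."""
from statistics import mean, pstdev

HOST = "10.1.8.3"                 # the monitored host (address taken from the earlier slide)
INTERVAL_S = 60                   # each telemetry interval covers one minute (assumption)


def make_interval(host, n_peers, flows_per_peer, bytes_each, unanswered=0):
    """Constructed conversation records for one interval: `n_peers` servers that answer,
    plus `unanswered` SYN-only attempts to distinct hosts (what a scanning worm produces)."""
    flows = []
    for p in range(n_peers):
        for _ in range(flows_per_peer):
            flows.append(dict(client=host, server=f"10.0.0.{p + 1}", server_port=445, client_syns=1,
                              client_bytes=bytes_each, server_bytes=4 * bytes_each, server_pkts=10, rst=False))
    for p in range(unanswered):
        flows.append(dict(client=host, server=f"10.0.{1 + p // 250}.{1 + p % 250}", server_port=445,
                          client_syns=2, client_bytes=0, server_bytes=0, server_pkts=0, rst=False))
    return flows


def host_metrics(flows, host):
    """Counters from the slide, derived for one host and one interval."""
    out = [f for f in flows if f["client"] == host]
    return {
        "new_flows": len(out),
        "syns_sent": sum(f["client_syns"] for f in out),
        "bps": sum(f["client_bytes"] + f["server_bytes"] for f in out) * 8 / INTERVAL_S,
        "resets": sum(1 for f in out if f["rst"]),
        "distinct_peers": len({f["server"] for f in out}),
        "one_sided": sum(1 for f in out if f["server_pkts"] == 0),
    }


def build_baseline(history):
    """Mean and population stdev of every metric over past intervals of the same host."""
    baseline = {}
    for m in history[0]:
        values = [h[m] for h in history]
        baseline[m] = (mean(values), pstdev(values))
    return baseline


def evaluate(observed, baseline, sigmas=3.0, min_abs=5):
    """Metrics that exceed mean + sigmas*stdev. `min_abs` is an absolute floor so a
    metric that was always zero (stdev 0) does not alarm on a single extra flow."""
    alarms = {}
    for m, (mu, sd) in baseline.items():
        threshold = max(mu + sigmas * sd, mu + min_abs)
        if observed[m] > threshold:
            alarms[m] = {"observed": observed[m], "threshold": round(threshold, 1)}
    return alarms


def classify(alarms):
    """Map which metrics fired to a coarse security-event category (simplified)."""
    if "one_sided" in alarms and "distinct_peers" in alarms:
        return "scan / worm propagation"
    if "bps" in alarms and "distinct_peers" not in alarms:
        return "high volume to few peers (possible exfiltration)"
    return "behavioral anomaly" if alarms else "normal"


HISTORY_PEERS = [5, 6, 7, 8, 6, 7, 5]   # constructed: seven quiet past intervals

if __name__ == "__main__":
    history = [host_metrics(make_interval(HOST, n, 3, 2000), HOST) for n in HISTORY_PEERS]
    baseline = build_baseline(history)
    today = host_metrics(make_interval(HOST, 7, 3, 2000, unanswered=300), HOST)
    alarms = evaluate(today, baseline)
    print(classify(alarms), alarms)
```

Note that the bits-per-second metric does not fire for the scanning minute: SYN-only flows carry almost no bytes, which is why a volume threshold alone misses a scan and why the slide lists SYN counts and new-flow counts separately.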

Page 18:

Power of multilayered machine learning

Increase fidelity of detection using best-in-class security analytics

[Diagram: Network telemetry and the Global Risk Map feed successive layers: anomaly detection, trust modeling, event classification, entity modeling, relationship modeling. The output narrows from anomalous traffic to malicious events to confirmed incidents, giving prioritized high-fidelity incidents.]

Page 19:

Encrypted Traffic Analytics

• Ensure cryptographic compliance
• Detect malware in encrypted traffic

Cisco Stealthwatch Enterprise is the only solution providing visibility and malware detection without decryption

Page 20:

Initial Data Packet (IDP)

• The TLS handshake at the start of an HTTPS session is sent in the clear and contains several information-rich fields
• The server name (SNI) provides domain information
• Crypto information (offered versions, cipher suites and extensions) educates us on client and server behavior and application identity
• Certificate information is similar to whois information for a domain
• And much more can be understood when we combine the information with global data
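What can be read from the Initial Data Packet without decrypting anything, as an added example that is not Cisco's ETA code: a minimal TLS ClientHello parser in Python that extracts the legacy version, the offered cipher suites, the SNI and the supported_versions extension, plus the kind of check a "cryptographic compliance" rule would apply to them. `build_client_hello` constructs the ClientHello so the example runs offline (the 32-byte random is zeros); the hostname and suite list are hypothetical. Cipher-suite code points are the IANA-registered values.

```python
"""Parse the TLS ClientHello carried in the Initial Data Packet (added example)."""
import struct

EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43
WEAK_SUITES = {0x0005: "TLS_RSA_WITH_RC4_128_SHA", 0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
               0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA"}   # RC4, 3DES, static RSA: no forward secrecy


def build_client_hello(server_name, cipher_suites, versions=(0x0304, 0x0303)):
    """Constructed ClientHello in a TLS record (legacy_version 1.2, TLS 1.3 offered via supported_versions)."""
    name = server_name.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name          # list len, host_name type, name
    sv = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
            + struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv)
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (b"\x03\x03" + bytes(32)                      # legacy_version, 32-byte random (zeros here)
            + b"\x00"                                     # empty legacy_session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello + 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Return version, cipher suites, SNI and supported versions from a ClientHello record."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", data, 3)[0]
    hs = data[5:5 + rec_len]
    if len(hs) < rec_len or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    pos = 4                                                   # handshake type + 3-byte length
    legacy_version = struct.unpack_from("!H", hs, pos)[0]; pos += 2
    pos += 32                                                 # random
    sid_len = hs[pos]; pos += 1 + sid_len
    cs_len = struct.unpack_from("!H", hs, pos)[0]; pos += 2
    suites = [struct.unpack_from("!H", hs, pos + i)[0] for i in range(0, cs_len, 2)]; pos += cs_len
    comp_len = hs[pos]; pos += 1 + comp_len
    info = {"legacy_version": legacy_version, "cipher_suites": suites, "sni": None,
            "supported_versions": [], "extensions": []}
    if pos + 2 <= len(hs):
        ext_len = struct.unpack_from("!H", hs, pos)[0]; pos += 2
        end = min(pos + ext_len, len(hs))
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", hs, pos); pos += 4
            edata = hs[pos:pos + elen]; pos += elen
            info["extensions"].append(etype)
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack_from("!H", edata, 3)[0]
                info["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
            elif etype == EXT_SUPPORTED_VERSIONS and edata:
                info["supported_versions"] = [struct.unpack_from("!H", edata, i)[0]
                                              for i in range(1, 1 + edata[0], 2)]
    info["negotiable_tls13"] = 0x0304 in info["supported_versions"]
    return info


def compliance_findings(info):
    """Checks a cryptographic-compliance rule might apply to the parameters a client offers."""
    findings = [f"weak cipher suite offered: {WEAK_SUITES[c]}" for c in info["cipher_suites"] if c in WEAK_SUITES]
    if not info["negotiable_tls13"]:
        findings.append("client does not offer TLS 1.3")
    if info["sni"] is None:
        findings.append("no SNI: destination domain cannot be attributed from the handshake")
    return findings


if __name__ == "__main__":
    hello = build_client_hello("update.example.net", [0x1301, 0xC02F, 0x0005])
    info = parse_client_hello(hello)
    print(info, compliance_findings(info))
```

The parser only needs the first record of the session, which is why a flow exporter can attach these fields to a NetFlow record without buffering the rest of the connection. ESNI or Encrypted ClientHello, listed as experimental on the adoption slide, would remove the SNI field from this view, which is the main limitation of this approach.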

Page 21:

Sequence of Packet Lengths and Times (SPLT)

[Diagram: for each flow, the sizes and timing of packets sent by the client and received from the server, shown for a Google search, a page download, the initiation of command & control, and exfiltration & keylogging]

Model: packet lengths, arrival times and durations tend to be inherently different for malware than benign traffic.
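What the SPLT representation of a flow actually is, as an added example in Python (not Cisco's ETA code; it follows the published description of SPLT: the first N data packets of a flow, lengths signed by direction, with inter-arrival times, plus the binned length-transition matrix used as a classifier feature). Two packet traces are constructed inline, a page download and a C2 beacon, and the example shows how the two differ in the summary features before any model is involved.

```python
"""SPLT: sequence of packet lengths and inter-arrival times for a flow (added example)."""
N_PACKETS, LEN_BINS, MAX_LEN = 10, 10, 1500


def splt(packets, n=N_PACKETS):
    """packets: (timestamp_ms, direction, length) with direction +1 client->server, -1 server->client.
    Returns the first `n` data-carrying packets as (signed length, inter-arrival ms)."""
    pkts = sorted(p for p in packets if p[2] > 0)[:n]
    seq, prev = [], None
    for ts, direction, length in pkts:
        seq.append((direction * length, 0 if prev is None else ts - prev))
        prev = ts
    return seq


def summarize(seq):
    """Coarse per-flow features from an SPLT sequence."""
    gaps = [g for _, g in seq[1:]]
    return {
        "client_pkts": sum(1 for ln, _ in seq if ln > 0),
        "server_pkts": sum(1 for ln, _ in seq if ln < 0),
        "mean_gap_ms": sum(gaps) / len(gaps) if gaps else 0.0,
        "large_server_pkts": sum(1 for ln, _ in seq if ln <= -1000),
    }


def length_transition_matrix(seq, bins=LEN_BINS, max_len=MAX_LEN):
    """Markov-chain feature used with SPLT: how often a packet of one length bin is
    followed by a packet of another (direction ignored), normalised to sum to 1."""
    def bin_of(length):
        return min(abs(length) * bins // (max_len + 1), bins - 1)
    matrix = [[0.0] * bins for _ in range(bins)]
    for (a, _), (b, _) in zip(seq, seq[1:]):
        matrix[bin_of(a)][bin_of(b)] += 1
    total = sum(map(sum, matrix)) or 1
    return [[v / total for v in row] for row in matrix]


# Constructed traces (timestamp ms, direction, bytes): a page download, and a C2 beacon that
# sends a small request every 60 s and receives a small reply.
PAGE_DOWNLOAD = [(0, 1, 517), (30, -1, 1500), (31, -1, 1500), (32, -1, 1500), (33, -1, 1500),
                 (35, -1, 900), (40, 1, 300), (70, -1, 1500), (71, -1, 1500), (72, -1, 1200)]
C2_BEACON = [(t + d, s, 220 if s > 0 else 180)
             for t in range(0, 300000, 60000) for d, s in ((0, 1), (60, -1))]

if __name__ == "__main__":
    for name, trace in (("page download", PAGE_DOWNLOAD), ("c2 beacon", C2_BEACON)):
        seq = splt(trace)
        print(name, seq, summarize(seq))
```

The point of the representation is that it is computed from headers and timing only: the download shows a burst of full-size server packets milliseconds apart, the beacon shows small, evenly spaced packets in both directions, and neither observation needs the payload.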

Page 22:

Deployment

Page 23:

Stealthwatch Enterprise Architecture

Comprehensive visibility and security analytics

[Architecture diagram]

• Management Console
• Flow Collector
• Flow Sensor, including a virtual edition on the hypervisor for VM-to-VM traffic and for non-NetFlow-enabled equipment
• UDP Director, forwarding NetFlow to other traffic analysis software
• Security Packet Analyzer (packet data & storage)
• Add-ons and feeds: Endpoint License, Threat Intelligence License, Global Threat Analytics, ISE, Proxy Data, Stealthwatch Cloud
• Inputs: NetFlow from NetFlow-enabled routers, switches and firewalls; telemetry for Encrypted Traffic Analytics

Page 24:

Example of Detection

Page 25:

Network Behavior and Anomaly Detection

Alarm Model

• Monitor activity and alarm on suspicious conditions
• Policy and behavioral

Page 26:

Scoped worm activity

Found 15 scanning systems

Scoped the investigation to those systems

Page 27:

Example Detection: Malware with encrypted C&C

• Passive DNS attribution & Global Risk Map tracks servers likely to become part of an attack
• Original URL request extracted from the new ETA telemetry (IDP)
• Sequence of Packet Lengths and Times (SPLT)

Page 28:

Policy Violation Detection

Page 29:

Segmentation Monitoring with Stealthwatch

PCI Zone Map

• Define communication policy between zones
• Monitor for violations

Page 30:

Modeling Policy: Alarm Occurrence

Alarm dashboard showing all policy alarms

Details of "Employee to Production Servers" alarm occurrences
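Zone-policy monitoring over conversation records, as an added example in Python covering the two segmentation slides above. It is not Stealthwatch's policy engine: zones are defined by CIDR, the permitted zone-to-zone services are declared explicitly, and any conversation that crosses zones outside that policy raises an alarm named like the deck's "Employees to Production Servers". The zone map, the policy and the records are constructed and hypothetical (the Internet address is from the TEST-NET-3 documentation range).

```python
"""Segmentation (zone-policy) monitoring over conversation records (added example)."""
from ipaddress import ip_address, ip_network

# Hypothetical zone map; order matters because the Internet catch-all must be checked last.
ZONES = {
    "Employees":          ["10.10.0.0/16"],
    "Production Servers": ["10.20.0.0/24"],
    "PCI Cardholder":     ["10.30.0.0/24"],
    "Internet":           ["0.0.0.0/0"],
}
# (client zone, server zone) -> allowed (proto, server_port) pairs; "*" allows any service.
# A zone pair with no entry is denied, which is the default-deny stance a PCI zone map needs.
POLICY = {
    ("Employees", "Production Servers"): {("tcp", 443)},
    ("Employees", "Internet"): "*",
    ("Production Servers", "PCI Cardholder"): {("tcp", 5432)},
    ("PCI Cardholder", "PCI Cardholder"): "*",
}
ALLOW_INTRA_ZONE_BY_DEFAULT = True


def zone_of(ip):
    """First zone whose prefixes contain the address, in declaration order."""
    addr = ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in ip_network(n) for n in nets):
            return name
    return "Unknown"


def check(conv):
    """Return an alarm dict for a conversation that violates the zone policy, else None."""
    cz, sz = zone_of(conv["client"]), zone_of(conv["server"])
    allowed = POLICY.get((cz, sz))
    if allowed is None and cz == sz and ALLOW_INTRA_ZONE_BY_DEFAULT:
        return None
    if allowed == "*" or (allowed and (conv["proto"], conv["server_port"]) in allowed):
        return None
    return {"alarm": f"{cz} to {sz}", "client_zone": cz, "server_zone": sz, **conv,
            "reason": "no policy for zone pair" if allowed is None else "service not permitted"}


def monitor(conversations):
    """All policy alarms for a batch of conversation records, in record order."""
    return [a for a in map(check, conversations) if a]


# Constructed conversation records (client, server, proto, server_port).
SAMPLE_CONVERSATIONS = [
    dict(client="10.10.5.7", server="10.20.0.10", proto="tcp", server_port=443),    # allowed
    dict(client="10.10.5.7", server="10.20.0.10", proto="tcp", server_port=22),     # wrong service
    dict(client="10.10.5.9", server="10.30.0.5", proto="tcp", server_port=5432),    # no such zone pair
    dict(client="10.20.0.10", server="10.30.0.5", proto="tcp", server_port=5432),   # allowed
    dict(client="10.30.0.5", server="203.0.113.10", proto="tcp", server_port=443),  # PCI host to Internet
    dict(client="10.10.5.7", server="203.0.113.10", proto="tcp", server_port=443),  # allowed
    dict(client="10.30.0.5", server="10.30.0.6", proto="tcp", server_port=445),     # intra-zone, allowed
]

if __name__ == "__main__":
    for alarm in monitor(SAMPLE_CONVERSATIONS):
        print(alarm["alarm"], alarm["reason"], alarm["client"], "->", alarm["server"], alarm["server_port"])
```

The check runs on stitched conversation records, so the client/server roles are already decided; running it on raw unidirectional records would produce a mirror-image "Production Servers to Employees" alarm for every legitimate reply.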

Page 31:

From Visibility to Rapid Threat Containment

Page 32:

Alarms tied to specific entities

• Quick snapshot of malicious activity
• Suspicious behavior linked to logical alarms
• Risks prioritized to take immediate action

Page 33:

Investigating a host

Top security events

• Understand why the alarm was triggered
• Easily determine if the host is the source or target of an attack
• Drill down into associated telemetry with just one click

Page 34:

Apply machine learning to investigate threats

• Threat propagation details
• Malware behavior detected in encrypted traffic
• Correlation of global threat behaviors
• Threats ranked by overall severity to the environment

Page 35:

Rapid Threat Containment without any business disruption

[Diagram: Stealthwatch Management Console and Cisco Identity Services Engine exchanging context over pxGrid]

• pxGrid mitigation: quarantine or unquarantine the infected host
• Context information shared with other network and security products

Page 36:

Closing

Page 37:

Security Analytics with Stealthwatch Enterprise

• Data collection: rich telemetry from the existing network infrastructure
• Global threat intelligence (powered by Talos): intelligence of global threat campaigns mapped to local alarms for faster mitigation
• Behavioral modeling: behavioral analysis of every activity within the network to pinpoint anomalies
• Multilayered machine learning: combination of supervised and unsupervised techniques to convict advanced threats with high fidelity
• Encrypted Traffic Analytics: malware detection without any decryption using enhanced telemetry from the new Cisco devices
