Post on 06-Apr-2017
Behavioral Analytics & Detection
Darrin Pierce, Security CSE, March 03, 2016
2© 2015 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
The Modern Cyber Threat
Why Security Matters (chart: Technology Value over Time)
Security Challenges
• BYOD: 90% of organizations are not fully aware of all devices on the network
• Social Media: 29% of successful breaches used social media to target the end user
• App Stores: 138B apps downloaded worldwide in 2014
Themes: Changing Business Models, Dynamic Threat Landscape, Complexity and Fragmentation
Sources: Gartner 2013; Frost & Sullivan 2014; Cisco Mid-Year Security Report 2014
Security Challenges
• 60% of data is stolen in HOURS
• 62% of breaches remain undiscovered for MONTHS
• 51% increase of companies reporting a $10M loss or more in the last 3 YEARS (2015)
Themes: Changing Business Models, Dynamic Threat Landscape, Complexity and Fragmentation
Sources: PWC Global State of Information Survey 2014; Verizon Data Breach Report 2013
Security Challenges
• Startups receiving VC funding in the last 5 years: 1208, $7.3B
• Security vendors for some customers: 54
• Demand for security talent: 12x
Themes: Changing Business Models, Dynamic Threat Landscape, Complexity and Fragmentation
Sources: Cisco Annual Security Report 2014; CB Insights, Feb. 2015; Cisco Research 2014
Economics of Crime
It’s cheaper and easier than ever before to be a Cyber Criminal
• Development of Malware
  • Exploits: $1000 – $300,000
  • Mobile Malware: $150
  • Commercial Malware Dev: $2500
• Information Sales
  • Social Security Number: $1
  • Bank Account Numbers: $100
  • Medical Records: $50
  • Credit Card Numbers: $0.25 – $60
  • Facebook Account: $1 for 1 account with 15 friends
• Services
  • DDoS (Boot Services): 7 dollars an hour
  • Spam Mail: $50 for 500K Emails
• Other services?
  • ‘Cleaning Bitcoin’
  • Selling taxpayer data
  • Creating fake documents
  • Sales of Intellectual Property
History of Security Products
• Firewall/VPN: “Block, Allow, Encrypt”
• Intrusion Detection & Prevention: “See the threat and stop it before it gets in.”
• Network Access Control / Identity Access Management: “Control access to the network, limit the threat’s chance of success.”
• Anti-Virus: “A file matches the pattern”
• Public Key Infrastructure / Encryption: “No key, no access.”
• Application Control (Next Gen Firewall): “Control the applications, control the threat”
• Sandboxing: “Look for new and unknown threats”
Security Standards
Even the Basics Are Not Being Covered
Less than half of security practitioners leverage critical security tools:
• Identity Administration and Provisioning
• Patching and configuration as defense
• Pen-testing
• Quarantine malicious applications
(Adoption figures shown on the slide: 43%, 35%, 39%, 55%)
99.9% of the exploited vulnerabilities were compromised more than a year after the CVE was published. – Verizon Data Breach Investigation Report 2015
Not All Attacks are High Tech
“Exploits” are not always required:
• I don’t need to deliver an exploit to you all the time to compromise your computers.
• A persistent attacker just needs YOU to run their malicious code.
• Or just steal your password (even better when you give it to them).
Security Report Card
Why Do Our Security Approaches Keep Failing?
• It is not a fair fight
• People, Processes, and Technology Issues
A Security Model with Simple Clear Goals
Strategic Imperatives:
• Visibility-Driven: Network-Integrated, Broad Sensor Base, Context sharing and Automation
• Threat-Focused: Continuous Advanced Threat Protection, Cloud-Based Security Intelligence
• Platform-Based: Leading products working together as a system; Built for Scale, Consistent Control, Management
Covers the entire Attack Continuum, backed by Collective Security Intelligence:
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate
What would you do differently if you KNEW you were going to be compromised?
PCI Solution: Validated by Verizon Business
Diagram: a registered workstation reaches the Data Center Network over the WAN; the TrustSec policy between the source (PCI Device, Non-PCI Device) and the protected assets (PCI Server, Non-PCI Server) is expressed as PERMIT/DENY entries so that PCI and non-PCI traffic stay separated.
www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/trustsec_pci_validation.pdf
StealthWatch: Network Behavioral Analysis for Threat Detection
An Introduction to NetFlow
Diagram: 10.2.2.2 port 1024 <-> eth0/1 [exporter] eth0/2 <-> 10.1.1.1 port 80

Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent  TCP Flags
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025        SYN,ACK,PSH
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712       SYN,ACK,FIN
Router# show flow monitor CYBER-MONITOR cache
…
IPV4 SOURCE ADDRESS: 192.168.100.100
IPV4 DESTINATION ADDRESS: 192.168.20.6
TRNS SOURCE PORT: 47321
TRNS DESTINATION PORT: 443
INTERFACE INPUT: Gi0/0/0
IP TOS: 0x00
IP PROTOCOL: 6
ipv4 next hop address: 192.168.20.6
tcp flags: 0x1A
interface output: Gi0/1.20
counter bytes: 1482
counter packets: 23
timestamp first: 12:33:53.358
timestamp last: 12:33:53.370
ip dscp: 0x00
ip ttl min: 127
ip ttl max: 127
application name: nbar secure-http
…
A single NetFlow Record provides a wealth of information
NetFlow = Visibility
Scaling Visibility: Flow Stitching
Diagram: 10.2.2.2 port 1024 <-> eth0/1 [exporter] eth0/2 <-> 10.1.1.1 port 80

Unidirectional Flow Records
Start Time    Interface  Src IP    Src Port  Dest IP   Dest Port  Proto  Pkts Sent  Bytes Sent
10:20:12.221  eth0/1     10.2.2.2  1024      10.1.1.1  80         TCP    5          1025
10:20:12.871  eth0/2     10.1.1.1  80        10.2.2.2  1024       TCP    17         28712

Bidirectional Flow Record
Start Time    Client IP  Client Port  Server IP  Server Port  Proto  Client Bytes  Client Pkts  Server Bytes  Server Pkts  Interfaces
10:20:12.221  10.2.2.2   1024         10.1.1.1   80           TCP    1025          5            28712         17           eth0/1, eth0/2
• Conversation flow record
• Allows easy visualization and analysis
Scaling Visibility: NetFlow Deduplication
Diagram: the conversation 10.2.2.2 port 1024 <-> 10.1.1.1 port 80 is exported by three routers:
Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80 (duplicate of Router A’s record)
Router C: 10.1.1.1:80 -> 10.2.2.2:1024
Without deduplication:
• Traffic volume can be misreported
• False positives would occur
With deduplication:
• Allows for efficient storage of flow data
• Necessary for accurate host-level reporting
• Does not discard data
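The two collector steps described on the flow stitching and deduplication slides, as an added example (my own code, not Cisco’s or Lancope’s): the three routers’ unidirectional records are first collapsed so that Router A’s and Router B’s copies of the same 5-tuple become one entry that remembers both exporters, then the two halves are paired into the bidirectional conversation record shown on the stitching slide. The records are constructed from the slides’ 10.2.2.2:1024 <-> 10.1.1.1:80 example; the rule that the earlier-starting half is the client side is an assumption for this example.

```python
"""Added example, not Cisco or Lancope code: deduplicate NetFlow records
exported by several routers for the same flow, then stitch the two
unidirectional halves into one bidirectional conversation record.
All records are constructed sample data modelled on the slides'
10.2.2.2:1024 <-> 10.1.1.1:80 conversation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One unidirectional NetFlow record as an exporter would send it."""
    exporter: str
    iface: str
    start: str      # HH:MM:SS.mmm, sorts correctly within one day
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    pkts: int
    nbytes: int


# Constructed records: Routers A and B both saw the client->server half
# (a duplicate), Router C saw the server->client half.
SAMPLE = [
    Flow("RouterA", "eth0/1", "10:20:12.221", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    Flow("RouterB", "eth0/1", "10:20:12.230", "10.2.2.2", 1024, "10.1.1.1", 80, "TCP", 5, 1025),
    Flow("RouterC", "eth0/2", "10:20:12.871", "10.1.1.1", 80, "10.2.2.2", 1024, "TCP", 17, 28712),
]


def naive_total_bytes(flows):
    """What a collector that does not deduplicate would report for the conversation."""
    return sum(f.nbytes for f in flows)


def deduplicate(flows):
    """Collapse records with the same directional 5-tuple into one entry,
    remembering every exporter and interface that saw it (nothing is discarded)."""
    entries = {}
    for f in flows:
        key = (f.src, f.sport, f.dst, f.dport, f.proto)
        if key in entries:
            entries[key]["exporters"].add(f.exporter)
            entries[key]["ifaces"].add(f.iface)
        else:
            entries[key] = {"flow": f, "exporters": {f.exporter}, "ifaces": {f.iface}}
    return list(entries.values())


def conversation_key(f):
    """Direction-independent key so both halves of a conversation collide."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (f.proto,) + (a + b if a <= b else b + a)


def stitch(entries):
    """Pair the two halves of each conversation into one bidirectional record.
    Assumption for this example: the half that started first is the client
    side (the slides' 10.2.2.2 record starts 650 ms before the reply); a
    production collector also uses TCP flags and well-known ports."""
    groups = {}
    for e in entries:
        groups.setdefault(conversation_key(e["flow"]), []).append(e)
    records = []
    for halves in groups.values():
        halves.sort(key=lambda e: e["flow"].start)
        client = halves[0]["flow"]
        rec = {
            "start": client.start,
            "client": client.src, "client_port": client.sport,
            "server": client.dst, "server_port": client.dport,
            "proto": client.proto,
            "client_bytes": client.nbytes, "client_pkts": client.pkts,
            "server_bytes": 0, "server_pkts": 0,   # stays 0 for a one-way flow
            "interfaces": set(halves[0]["ifaces"]),
        }
        if len(halves) > 1:
            server = halves[1]["flow"]
            rec["server_bytes"], rec["server_pkts"] = server.nbytes, server.pkts
            rec["interfaces"] |= halves[1]["ifaces"]
        records.append(rec)
    return records


def total_bytes(records):
    """Conversation volume after deduplication and stitching."""
    return sum(r["client_bytes"] + r["server_bytes"] for r in records)


if __name__ == "__main__":
    convs = stitch(deduplicate(SAMPLE))
    print("naive bytes:", naive_total_bytes(SAMPLE), "deduplicated:", total_bytes(convs))
    print(convs[0])
```

Running it shows the misreporting the deduplication slide warns about: the naive sum counts the client half twice (30762 bytes) while the deduplicated conversation carries 1025 + 28712 bytes, and the stitched record still lists both interfaces and both exporters, so no data was dropped.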
StealthWatch + ISE = Better Context, Better Security
Diagram: Cisco ISE sends contextual data collected from users, devices, and networks to StealthWatch over pxGrid, alongside the NetFlow feed, for advanced insights and NetFlow analytics; StealthWatch triggers mitigation actions through Cisco ISE.
Real-time visibility at all network layers:
• Data Intelligence throughout network
• Assets discovery
• Network profile
• Security policy monitoring
• Anomaly detection
• Accelerated incident response
StealthWatch + ISE = Better Context
• Highly scalable (enterprise class) collection
• High compression, long term storage
• Months of data retention
More context for each flow: Who, What, When, Where, How, and Security Group
StealthWatch Identity / Device Table:
NetFlow for Dynamic Network Awareness
Understand Network Behavior and Establish a Network’s Normal
A Powerful Information Source for Every Network Conversation
• Each and every network conversation over an extended period of time
• Source and destination IP address, IP ports, time, data transferred, and more
• Stored for future analysis
A Critical Tool to Identify a Security Breach
• Identify anomalous activity
• Reconstruct the sequence of events
• Gain forensic evidence and regulatory compliance
• Use NetFlow for full details, NetFlow-Lite for 1/n samples
Achieve pervasive network visibility and security for improved threat defense and incident response
Why Unsampled NetFlow?
Sampled NetFlow
• Subset of traffic, usually less than 5%
• Gives a snapshot view into network activity
• Similar to reading every 20th word of a book
• Suitable for detecting large scale DDoS attacks, but not extended, slow attacks
Full NetFlow
• All traffic is collected
• Provides complete view of all network activity
• Similar to reading every word, page of a book
• Suitable for detecting large scale as well as extended, slow attacks
Complete Visibility is the key and only Cisco can provide
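The sampled-versus-full argument above, as an added example (my own code, not Cisco’s or Lancope’s): the same synthetic traffic, containing a slow one-port-a-minute scan and a noisy flood, is run through a scan detector and a flood detector twice, once on every flow and once on a 1-in-20 sample. The flow sets, the 1-in-20 ratio, the two thresholds and the addresses are all constructed assumptions for this illustration.

```python
"""Added example, not Cisco or Lancope code: why 1-in-N sampled NetFlow
misses a slow scan that full NetFlow catches, while both still see a flood.
The flow sets are constructed synthetic data; the 1-in-20 ratio and the
two alarm thresholds are assumptions chosen for illustration."""

SAMPLE_RATE = 20             # keep one flow in 20, roughly the 5% the slide mentions
SCAN_TARGET_THRESHOLD = 10   # distinct (host, port) targets from one source -> scan alarm
FLOOD_FLOW_THRESHOLD = 1000  # estimated flows from one source to one target -> flood alarm


def background_flows():
    """Normal traffic: 40 clients, each talking to 2 servers on 2 ports (constructed)."""
    flows = []
    for c in range(40):
        for server in ("10.1.1.1", "10.1.1.2"):
            for port in (80, 443):
                flows.append(("10.2.0.%d" % (c + 1), server, port))
    return flows


def slow_scan_flows():
    """A patient attacker probing one port a minute for an hour: 60 tiny flows
    spread over four hosts (constructed; the source address is fictional)."""
    return [("10.9.9.9", "10.1.1.%d" % (i % 4 + 1), 1000 + i) for i in range(60)]


def flood_flows():
    """A noisy flood: 2000 flows from one source to one service (constructed)."""
    return [("10.8.8.8", "10.1.1.1", 80)] * 2000


def sample(flows, n):
    """Deterministic 1-in-n sampling, as a sampling exporter would export."""
    return flows[n - 1::n]


def scan_alarms(flows):
    """Sources that touched at least SCAN_TARGET_THRESHOLD distinct (host, port) targets.
    Distinct targets cannot be scaled back up from a sample: what was not
    sampled is simply never seen."""
    targets = {}
    for src, dst, dport in flows:
        targets.setdefault(src, set()).add((dst, dport))
    return {src for src, t in targets.items() if len(t) >= SCAN_TARGET_THRESHOLD}


def flood_alarms(flows, scale=1):
    """Sources whose estimated flow count to one target reaches FLOOD_FLOW_THRESHOLD.
    Volumes do scale: multiply sampled counts by the sampling rate."""
    counts = {}
    for src, dst, dport in flows:
        counts[(src, dst, dport)] = counts.get((src, dst, dport), 0) + 1
    return {src for (src, _, _), c in counts.items() if c * scale >= FLOOD_FLOW_THRESHOLD}


def compare(rate=SAMPLE_RATE):
    """Run both detectors on full and on sampled telemetry of the same traffic."""
    all_flows = background_flows() + slow_scan_flows() + flood_flows()
    sampled = sample(all_flows, rate)
    return {
        "full": {"scan": scan_alarms(all_flows), "flood": flood_alarms(all_flows)},
        "sampled": {"scan": scan_alarms(sampled), "flood": flood_alarms(sampled, scale=rate)},
    }


if __name__ == "__main__":
    for mode, alarms in compare().items():
        print(mode, alarms)
```

With every flow, the scanner shows 60 distinct targets and the flood 2000 flows, so both alarms fire. In the 1-in-20 sample only three of the scanner’s probes survive, which is below any reasonable scan threshold, while the flood still produces 100 sampled flows that scale back to 2000: exactly the slide’s point that sampling is fine for volume events and blind to extended, slow activity.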
Turn the Network into a Security Sensor Grid
Diagram: sites Atlanta, San Jose and New York with Access, WAN, DMZ and Datacenter tiers and an Internet edge; every device shown (ASR-1000, Cat6k, UCS with Nexus 1000v, ASA, 3925 ISR, 3560-X, 3750-X stacks, Cat4k) exports NetFlow.
StealthWatch Solution Components
Diagram: network devices export NetFlow (with NBAR application data and NSEL) to the StealthWatch FlowCollector; the StealthWatch FlowSensor and FlowSensor VE generate NetFlow where devices cannot; the StealthWatch FlowReplicator forwards copies of the flow data to other tools/collectors; Cisco ISE supplies user/device context; the StealthWatch Management Console sits on top.
StealthWatch: Functional Overview
Inputs: NetFlow from Cisco devices, sFlow from Foundry devices, or packets from a Mirror Port, SPAN, or Tap
• Collect and process 130 unique flow statistics
• Apply over 130 StealthWatch algorithms
• Build a profile of 90+ host attributes
• Store a detailed log of all flows
• Generate profile-enhanced alarms, alerts, and reports
• Display in UI; send SYSLOG, SNMP, and emails; perform mitigation action
Granular Visibility – Down to End User
Gain Context-Aware Security: EVERYTHING must touch the network
• KNOW every host
• RECORD every conversation
• Know what is NORMAL
• Be alerted to CHANGE
• Quickly respond to THREATS
What else can the network tell me? Company Network: Assess, Audit, Posture, Detect, Response, Context
StealthWatch for Macro-Level Visibility
Fight advanced threats with actionable intelligence and analytics (Monitor, Detect, Analyze, Respond)
• Obtain comprehensive, scalable enterprise visibility and security context
• Gain real-time situational awareness of traffic
• Benefit from network segmentation using Cisco® TrustSec
• Detect and analyze network behavior anomalies
• Easily detect behaviors linked to advanced persistent threats (APTs), insider threats, distributed denial-of-service (DDoS) attacks, and malware
• Collect and analyze holistic network audit trails
• Achieve faster root cause analysis
• Conduct thorough forensic investigations
• Accelerate network troubleshooting and threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco® Identity Services Engine
• Continuously improve enterprise security posture
What Can StealthWatch Provide Your Organization
• Continuously monitor devices, applications, and users throughout distributed networks
• Aggregate and analyze advanced telemetry to establish a security baseline of your network
• Monitor the entire network and data center to help ensure that there are no policy or network access violations
• Obtain contextual threat intelligence with a historical audit trail of NetFlow data
• Achieve enhanced visibility and context to accelerate threat detection
• Improve incident response and forensic analysis through actionable intelligence
• Isolate the root cause of an incident within seconds for mitigation
Themes: Extended Visibility; Policy and Access Management; Advanced Threat Protection; Accelerated Response
StealthWatch’s Value to Cisco’s Security and Best-in-Class Portfolio
StealthWatch Enhances Cisco’s Security Everywhere Strategy, Enabling Network Security and Visibility Across the Extended Enterprise
Network as a Sensor
• Turns the entire network into a security sensor to gain broad visibility into all network traffic
• Provides contextual threat intelligence with historic audit trail of NetFlow data
• Enhances network planning, diagnostics, compliance validation, and software-defined segmentation
Extended Visibility
• Continuously monitors distributed networks from core to access to edge, whether on-premises or in the cloud
• Reduces risk by showing how, when, where, and why users and devices connect to the network
• Aggregates and analyzes advanced telemetry to establish a security baseline of your network
Accelerated Response
• Enables detection of threat-based anomalies over time
• Integrates with the network as an enforcer for automated containment
• Accelerates incident response and forensic analysis through actionable intelligence
Network as a Sensor: Host Lock Violation and Suspect Data Loss
Diagram: retail stores (POS terminals, wireless POS, wireless AP, C3850 Unified Access, ISR G2 routers) connect over a private WAN (trusted) to the data center (ASA firewall, POS server, a hacked server), which handles credit card processing over HTTPS to the card processor and receives POS server updates over HTTPS. The StealthWatch FlowCollector, StealthWatch Management Console and Cisco ISE watch the flows. A compromised server on the public Internet serves as the attacker’s command and collect point: exfiltration of credit cards OR commands from the attacker.
StealthWatch within Cisco’s Security Portfolio
StealthWatch:
• Detect breaches and insider threats faster
• Accelerate analysis and understanding of incidents
• Discover and monitor traffic baseline for the network
• Enable the deployment of granular, software-based segmentation
Attack Continuum: BEFORE (Control, Enforce, Harden), DURING (Detect, Block, Defend), AFTER (Scope, Contain, Remediate)
StealthWatch Insider Threat
All Threats Are Insider Threats
With lateral movement of advanced persistent threats, even external attacks eventually become internal threats
• 95% of all cybercrime is user-triggered by disguised malicious links
• One out of four breaches are caused by malicious insiders
• Two out of three breaches exploit weak or stolen passwords
Identifying Insider Threats
According to the Ponemon Institute, “Over reliance on A/V and IDS solutions has weakened the collective security posture, as these solutions cannot stand up in the face of the advanced threats we now see. New solutions focused on network and traffic intelligence are seen as the best way to combat advanced threats, and much broader adoption is required.”
According to Forrester, “Today, information security success is no longer defined by preventing attacks, but instead how quickly organizations can detect and contain breaches.”
The “Kill Chain”
NetFlow – The Heart of Network as a Sensor
NetFlow in Action: As an Attack Progresses
Breach Stages and Detection
1. Vulnerability Exploration: Attacker scans IP addresses and ports to explore vulnerabilities (OS, user, app.)
   NetFlow can detect scans across IP address ranges and scans down IP ports on every IP address
2. Install Malware on 1st Host: Attacker installs software to gain access
   NetFlow can detect inbound admin traffic from an unexpected location
3. Connection to “Command and Control”: Malware creates outbound connection with C&C system for further instructions
   NetFlow can detect outbound connections to known C&C IP addresses
4. Spreading Malware to Other Hosts: Attack other systems on the intranet through vulnerability exploitation
   NetFlow can detect scans across IP address ranges by internal hosts and scans down IP ports on every IP address by internal hosts
5. Data Exfiltration: Export data to a 3rd party server
   NetFlow can detect extended flows (HTTP, FTP, GETMAIL, MAPIGET and more) and data transfer to new external hosts
Identifying Insider Threats
Context Aware Security Analytics for Threat Detection
StealthWatch detects:
• Unauthorized Access
• Policy Violations
• Internal Reconnaissance
• Target Data Hoarding
• Suspect Data Hoarding
• Suspect Data Loss
StealthWatch and the Cisco Secure Data Center Solution
Data Center is a Challenging Environment
• Time-consuming provisioning
• Complex data flows
• Unpredictable data volume
Sacrifice Security to Gain Performance
• Incomplete security coverage
• Inconsistent levels of security
• Compromised configuration
• Proliferating user access
Data Centers Require Specialized Security
Standard edge security                                                          | Data center security
Sees symmetric traffic only                                                     | Requires asymmetric traffic management
Scales statically for predictable data volume, limited by edge data connection  | Must scale dynamically to secure high volume data bursts
Monitors ingress and egress traffic                                             | Needs to secure intra-data-center traffic
Deployed typically as a physical appliance                                      | Requires both a physical and virtual solution
Deploys in days or weeks                                                        | Must deploy in hours or minutes
Visibility Challenges in the Data Center
• High Traffic Volume: creates scaling issues for packet inspectors
• Evasive Modern Attacks: slow moving threats result in more difficult detection
• Attackers with Credentials: compromised credentials gain access to privileged resources
Lancope for Secure Data Center: Threat Defense
Segmentation
• Establish boundaries: network, compute, virtual
• Enforce policy by functions, devices, organizations, compliance
• Control and prevent unauthorized access to networks, resources, applications
• Stop internal and external attacks and interruption of services
• Patrol zone and edge boundaries
• Control information access and usage, prevent data loss
Visibility
• Provide transparency to usage
• Apply business context to network activity
• Simplify operations and compliance reporting
Lancope StealthWatch System
Network Reconnaissance Using Dynamic NetFlow Analysis (Monitor, Detect, Analyze, Respond)
• Understand your network and data center normal
• Gain real-time situational awareness of all traffic
• Leverage Network Behavior Anomaly detection & analytics
• Detect behaviors linked to APTs, insider threats, DDoS, and malware
• Collect & analyze holistic network audit trails
• Achieve faster root cause analysis to conduct thorough forensic investigations
• Accelerate network troubleshooting & threat mitigation
• Respond quickly to threats by taking action to quarantine through Cisco ISE
Lancope in The Data Center
Diagram: Nexus 7000, Nexus 1000v on Cisco UCS, Cisco ASA and other NetFlow enabled devices export NetFlow to the StealthWatch FlowCollector; a StealthWatch FlowSensor on a SPAN port generates NetFlow for segments without native export; the StealthWatch Management Console is reached over https.
Massively Scalable StealthWatch Architecture
Visibility and Management: StealthWatch Management Console
• Aggregate up to 25 FlowCollectors
• Up to 6 million flows per second
• Integration with third-party security / network tools
Aggregation, Analytics, and Context: FlowCollector, SLIC Threat Feed, StealthWatch IDentity, Cisco ISE
• Store and analyze up to 4,000 sources at up to 240,000 sustained flows per second
• Identity, device, reputation, threat, proxy, and application feeds provide threat context
Exporters / Transactional Monitors: UDP Director, FlowSensor, Firewall, Routers, and ASA, PacketWatch, ProxyWatch
• Network telemetry data is generated by switches, routers, firewalls
• FlowSensors in areas without flow support; support up to 20 Gbps throughput per sensor
• Continuous packet capture
Network Summary
• Understand what applications are running within any given network segment
• Monitor the trend of traffic flow to identify anomalies
• Report on who is transferring the most data
• Report on where the data is going to/from the Internet
Network Alert Data
• Summarize the security event data to detect suspicious hosts
• Top Concerning Hosts – reputation scoring of suspect host behavior
• Top Scanning Hosts – view any internal recon activity
• Top Source of Alarms – aggregate multiple alarm conditions to find suspect behavior
• Top Target of Alarms – aggregate multiple alarm conditions to find target hosts
Network Audit Report / Host Audit Report
• Have complete visibility into any host communicating within any given segment
• This report may be applied to any logical network segment or group
Behavior Based Analysis
Behavior-Based Attack Detection
High Concern Index indicates a significant number of suspicious events that deviate from established baselines
StealthWatch: Alarms
• Indicate significant behavior changes and policy violations
• Known and unknown attacks generate alarms
• Activity that falls outside the baseline, acceptable behavior or established policies
StealthWatch + ISE = Adaptive Network Control
Diagram: the StealthWatch Management Console sends Quarantine/Unquarantine requests to the Identity Services Engine via pxGrid
StealthWatch Summary
NetFlow – The Heart of Network as a Sensor
Example: NetFlow Alerts With Cisco StealthWatch
• Denial of Service: SYN Half Open; ICMP/UDP/Port Flood
• Worm Propagation: Worm infected host scans and connects to the same port across multiple subnets; other hosts imitate the same behavior
• Fragmentation Attack: Host sending abnormal # malformed fragments
• Botnet Detection: When inside host talks to outside C&C server for an extended period of time
• Host Reputation Change: Inside host potentially compromised or received abnormal scans or other malicious attacks
• Network Scanning: TCP, UDP, port scanning across multiple hosts
• Data Exfiltration: Large outbound file transfer vs. baseline
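Two of the alerts listed above, Botnet Detection and Data Exfiltration, together with the High Concern Index idea from the Behavior-Based Attack Detection slide, as an added example (my own code, not Cisco’s or Lancope’s): the detectors run over bidirectional conversation records and a per-host baseline of past outbound volume, and the concern index simply counts how many alarms each inside host has raised. The conversation records, the seven-day baselines, the 10.0.0.0/8 inside range, the six-hour “extended period” and the three-sigma threshold are all constructed assumptions for this illustration; the outside addresses are documentation ranges.

```python
"""Added example, not Cisco or Lancope code: two behavioural alarms (an inside
host talking to one outside host for an extended period, and an outbound
transfer far above the host's own baseline) over conversation records, plus a
per-host concern index that counts the alarms each host raised. All records,
baselines, addresses and thresholds are constructed for illustration."""
import ipaddress
from statistics import mean, pstdev

INSIDE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal range
EXTENDED_SECONDS = 6 * 3600        # assumed: >= 6 h to one outside host is "extended"
BASELINE_SIGMAS = 3                # assumed: alarm above mean + 3 standard deviations

# Today's conversations: (client, server, server_port, duration_s, client_bytes)
TODAY = [
    ("10.1.5.5", "203.0.113.7", 443, 8 * 3600, 9_000_000_000),  # long session + 9 GB out
    ("10.1.5.5", "10.1.1.1", 445, 120, 2_000_000),              # internal, not counted
    ("10.1.5.6", "198.51.100.20", 443, 30, 230_000_000),        # normal-sized upload
    ("10.1.5.7", "203.0.113.9", 6667, 7 * 3600, 12_000),        # long but tiny: beacon-like
]

# Previous seven days of outbound bytes per host (constructed baseline history)
HISTORY = {
    "10.1.5.5": [200e6, 220e6, 210e6, 190e6, 205e6, 215e6, 200e6],
    "10.1.5.6": [210e6, 230e6, 225e6, 215e6, 220e6, 235e6, 228e6],
    "10.1.5.7": [5e6, 6e6, 5e6, 7e6, 5e6, 6e6, 5e6],
}


def is_inside(ip):
    return any(ipaddress.ip_address(ip) in net for net in INSIDE_NETWORKS)


def botnet_alarms(convs, threshold=EXTENDED_SECONDS):
    """(inside host, outside host) pairs whose conversations add up to an extended duration."""
    total = {}
    for client, server, _, duration, _ in convs:
        if is_inside(client) and not is_inside(server):
            total[(client, server)] = total.get((client, server), 0) + duration
    return {pair for pair, secs in total.items() if secs >= threshold}


def exfiltration_alarms(convs, history, sigmas=BASELINE_SIGMAS):
    """Inside hosts whose outbound bytes today exceed their own baseline by
    sigmas standard deviations; the value is today's volume as a multiple
    of the baseline mean, which is what an analyst wants to see first."""
    outbound = {}
    for client, server, _, _, client_bytes in convs:
        if is_inside(client) and not is_inside(server):
            outbound[client] = outbound.get(client, 0) + client_bytes
    alarms = {}
    for host, today in outbound.items():
        past = history.get(host)
        if not past:
            continue                      # no baseline yet: nothing to compare against
        if today > mean(past) + sigmas * pstdev(past):
            alarms[host] = today / mean(past)
    return alarms


def concern_index(convs, history):
    """Count of alarm events per inside host: the slide's 'High Concern Index'
    idea, where several baseline deviations on one host add up."""
    index = {}
    for host, _ in botnet_alarms(convs):
        index[host] = index.get(host, 0) + 1
    for host in exfiltration_alarms(convs, history):
        index[host] = index.get(host, 0) + 1
    return index


if __name__ == "__main__":
    print("botnet:", botnet_alarms(TODAY))
    print("exfiltration:", exfiltration_alarms(TODAY, HISTORY))
    print("concern index:", concern_index(TODAY, HISTORY))
```

The host 10.1.5.5 raises both alarms (an eight-hour session to one outside address and roughly 44 times its usual daily outbound volume) and therefore tops the concern index; 10.1.5.7 raises only the long-conversation alarm, since its 12 kB of output is within its small baseline; 10.1.5.6 raises none, because 230 MB sits inside three standard deviations of its own history even though it is a larger absolute number than the beacon host ever sends. Comparing each host against its own baseline rather than a global byte threshold is what keeps the backup-like host quiet and the beacon host visible.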
StealthWatch Provides
Superior forensic investigation
Extensive network behavior anomaly detection
Deep, granular visibility into all traffic
What Can the Network Do for You? Network as Sensor
• Detect Anomalous Traffic Flows, Malware – e.g. Communication with Malicious Hosts, Internal Malware Propagation, Data Exfiltration
• Detect App Usage, User Access Policy Violations – e.g. Maintenance Contractor Accessing Financial Data
• Detect Rogue Devices, APs and More – e.g. Maintenance Contractor Connecting an Unauthorized AP in Bank Branch to Breach
What Can the Network Do for You? Network as an Enforcer
• Decrease Time to Remediation – e.g. SourceFire Integration for Network-Wide Rapid Threat Detection and Mitigation
• Automate Configuration and Provisioning – e.g. ACL, QoS, and Secure Branch Automation
• Enable Open, Programmable Network Abstraction – e.g. RESTful API Integration, CLI Hardware Compatibility
For More Info
StealthWatch & Cisco Validated Designs
Cisco Cyber Threat Defense v2.0: http://www.cisco.com/c/en/us/support/security/cyber-threat-defense-2-0/model.html
Links:
www.cisco.com/go/cvd
www.cisco.com/go/stealthwatch
https://www.youtube.com/user/LancopeStealthWatch