Digitization and increased mobility have complicated network visibility and security. Threats are more numerous, complex, and use encryption to evade detection. Cisco Stealthwatch provides holistic security through network-based visibility and analytics. It transforms networks into security sensors to see all traffic, contain threats, and detect encrypted threats. Advanced machine learning and behavioral modeling detect anomalies and threats without relying on endpoint agents. Stealthwatch integrates with Cisco Identity Services Engine to rapidly quarantine infected hosts.
John Shaw, VP of Product Management at Sophos, introduced us to the world of Project Galileo. What is Sophos doing to bring network security and endpoint security together? How do we make these two pillars of IT security work together?
Security Strategy and Tactic with Cyber Threat Intelligence (CTI) - Priyanka Aash
Targeted attacks need targeted defense
What protocol should we use for CTI information exchange?
How should we describe our indicators of compromise?
Structured Threat Information Expression (STIX)
How can we keep information within our defined trust boundaries?
Where to store IOCs?
Threat intelligence feeds lifecycle
How to measure the CTI process?
This presentation looks at the core components of an Incident Response plan (NIST 800-61) as well as a custom, practical implementation framework developed by ELYSIUMSECURITY based on NIST and FIRST.
What is ISO 27005? How is an ISO 27005 Risk Assessment done effectively? Find out in this presentation delivered at the ISACA Bangalore Chapter Office by Dharshan Shanthamurthy.
There are three main factors that influence how information security is dealt with these days – (1) the presumed risk if we don’t do it (or do it badly), (2) the pace at which technologies and business styles change and (3) the lack of a structure behind any infosec activities.
It’s clear to me that these are just some of the challenges infosec teams must deal with nowadays. This talk will open the floor to a discussion of blockers, challenges and drivers, discussing the evolution of the roles associated with infosec and later merging best-practice recommendations with an infosec strategy for dealing with risks. Finally, once a strategy is adopted, the presentation will present some ideas on how to gauge progress, such that efforts to improve are both meaningful and measurable.
Threat Hunting - Moving from the ad hoc to the formal - Priyanka Aash
In order to effectively defend your organization, you must think about the offensive strategy as well. But before we get ahead of ourselves, let’s talk briefly about the building blocks of a good offense. First is an architecture that is built around a security policy that is aligned with the business risk. Risk must be understood, and a cookie-cutter approach must be avoided here because, again, every organization is different and so are their risks.
What We’ve Learned Building a Cyber Security Operation Center: du Case Study - Priyanka Aash
The cybersecurity landscape is rapidly evolving, with new threats and threat actors emerging, and traditional security operations centers (SOCs) need to be augmented accordingly. This session will detail the journey of du in building and continually enhancing its SOC, physically and philosophically, to best deal with attack detection (offensively and defensively) and response.
(Source: RSA Conference USA 2017)
10 Steps to Building an Effective Vulnerability Management Program - BeyondTrust
You can tune in for the full webinar recording here: https://www.beyondtrust.com/resources/webinar/10-steps-to-building-an-effective-vulnerability-management-program/
In this presentation from the webinar by cyber security expert Derek A. Smith, hear a step-by-step overview of how to build an effective vulnerability management program. Whether your network consists of just a few connected computers or thousands of servers distributed around the world, this presentation discusses ten actionable steps you can apply, whether to bolster your existing vulnerability management program or to build one from scratch.
Cyber Threat Intelligence is a process in which information from different sources is collected, then analyzed to identify and detect threats against any environment. The information collected could be evidence-based knowledge that could support the context, mechanism, indicators, or implications about an already existing threat against an environment, and/or the knowledge about an upcoming threat that could potentially affect the environment. Credit: Marlabs Inc
Extended Detection and Response (XDR): An Overhyped Product Category With Ulti... - Raffael Marty
Extended Detection and Response, or XDR for short, is one of the acronyms that are increasingly used by cybersecurity vendors to explain their approach to solving the cyber security problem. We have been spending trillions of dollars on approaches to secure our systems and data, with what success? Cybersecurity is still one of the biggest and most challenging areas that companies, small and large, are dealing with. XDR is another approach driven by security vendors to solve this problem. The challenge is that every vendor defines XDR slightly differently and makes it fit their own “challenge du jour” for marketing and selling their products.
In this presentation we will demystify the XDR acronym and put a working model behind it. Together, we will explore why XDR is a fabulous concept, but also discover that it’s nothing revolutionarily new. With an MSP lens, we will explore what the XDR benefits are for small and medium businesses and what it means to the security strategy of both MSPs and their clients. The audience will leave with a clear understanding of what XDR is, how the technology matters to them, and how XDR will ultimately help them secure their customers and enable trusted commerce.
As we get to know what life in the digital domain is like, one of the revelations we've had is that many large and plenty of smaller organisations are targets of espionage, of the nefarious APT.
During the last decade, it has become gospel to wait, watch, analyse and learn if you detect such an attacker in your infrastructure. Why? Because you get one chance to do the eviction of the attacker right. And if you fail, all your efforts will eventually have been for nothing.
But for how long should you wait and watch? When have you watched long enough? When have you learned enough? And how do you make that decision?
That is the challenge I hope the Cyber Threat Intelligence Matrix can help you face in a more structured manner.
SolarWinds supply chain breach - Insights from the trenches - Infosec
On December 13, 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to immediately “disconnect or power down SolarWinds Orion products” as they were being actively exploited by malicious actors.
Infosec Skills author and KM Cyber Security managing partner Keatron Evans is helping numerous clients respond to the breach and mitigate any potential damage. Join him as he discusses:
- What we know about the breach so far
- How his clients have responded to the incident
- What to look for in your environment to see if you’ve been affected
by Nathan Case, Sr. Consultant, AWS
Insider threat detection! How do we use AWS products to find an insider threat? We will cover Macie, GuardDuty and Lambda to review a production account's actions and remediate findings as they arise. We will also cover the use of CloudWatch to unify our findings into a single pane of glass. Level 400
Security Delivery Platform: Best practices - Mihajlo Prerad
The traditional security model was one that operated under simple assumptions. Those assumptions led to deployment models which, in today’s world of cyber security, have proven to be quite vulnerable and inadequate for the growing amount and diversity of threats.
A Security Delivery Platform addresses the above considerations and provides a powerful solution for deploying a diverse set of security solutions, as well as scaling each security solution beyond traditional deployments. Such a platform delivers visibility into the lateral movement of malware, accelerates the detection of exfiltration activity, and can significantly reduce the overhead, complexity and costs associated with such security deployments.
In today’s world of industrialized and well-organized cyber threats, it is no longer sufficient to focus on the security applications exclusively. Focusing on how those solutions get deployed together and how they get consistent access to relevant data is a critical piece of the solution. A Security Delivery Platform in this sense is a foundational building block of any cyber security strategy.
In Hands-on Encrypted Data Analytics, you’ll learn how to configure this new telemetry in Cisco routers and switches, use Stealthwatch to identify non-compliant devices and malware without decryption, and speed up incident response and forensics.
Resources:
Watch the related TechWiseTV episode: http://cs.co/9003DzrjT
TechWiseTV: http://cs.co/9009DzrjN
In January, IBM Security Systems announced a new solution that combines the security intelligence capabilities of QRadar SIEM with big data and analytics to
Overall Security Process Review CISC 6621Agend.docx - karlhennesey
Overall Security Process Review
CISC 662
Agenda
Review of the following technologies and current products:
- SIEM
- CASB
- EDR (Enterprise Detection and Response)
- NGFW (Next Generation Firewalls)
- Threat Intelligence
- Summary of Term
SANS Technology Institute - Candidate for Master of Science Degree
What is a SIEM?
SIEM - Security Information and Event Management
- Logging and event aggregation
  - Network (router, switch, firewall, etc.)
  - System (server, workstation, etc.)
  - Application (web, DB)
- Correlation engine: 2+ related events = higher alarm (1+1=3)
At first glance, SIEM appliances and software look like an event aggregator. While a SIEM has the advantage of aggregating logs, what sets it apart from the event aggregator market is the correlation engine.
The correlation engine makes it possible to uncover threats/attacks across multiple related events which, by themselves, would not be a cause for alarm.
SIEM
What is a SIEM?
Security information and event management (SIEM) is the technology that can tie all your systems together and give you a comprehensive view of IT security.
IT security is typically a patchwork of technologies – firewalls, intrusion prevention, endpoint protection, threat intelligence and the like – that work together to protect an organization’s network and data from hackers and other threats. Tying all those disparate systems together is another challenge, however, and that’s where SIEM can help.
SIEM systems manage and make sense of security logs from all kinds of devices and carry out a range of functions, including spotting threats, preventing breaches before they occur, detecting breaches, and providing forensic information to determine how a security incident occurred as well as its possible impact.
Using SIEM
How do SIEM products help with the following security concerns?
- Countermeasures to detect attempts to infect internal systems
- Identification of infected systems trying to exfiltrate information
- Mitigation of the impact of infected systems
- Detection of outbound sensitive information (DLP)
These questions are a core part of a company's overall security architecture. If a SIEM isn't providing answers or solutions to these questions, what is it doing?
If you aren't using your SIEM to solve issues like these, it may just be an expensive log aggregator/collection system sitting in your network collecting dust.
SIEM Advantages
- Correlation of data from multiple systems and from different events, detecting security and operational conditions
- Anomaly detection by using a baseline of events over time to find deviations from expected or normal behavior
- Comprehensive view into an environment based on event types, protocols, log sources, etc.
- APT (advanced persistent threat) protection through detection of protocol and application anomalies
- Prioritization based on risk of threat to assets, so staff can triage the most vulnerable targets
- Alerting and monitoring on events of interest to escalate pri ...
Using Your Network as a Sensor for Enhanced Visibility and Security Lancope, Inc.
Driven by the mobility, cloud computing, and Internet of Everything megatrends and fueled by increasingly sophisticated cybercriminals, today’s information landscape is more dynamic and more vulnerable than ever before.
Join Cisco and Lancope for a complimentary webinar to learn how you can implement a comprehensive, network-enabled approach to cybersecurity.
During the webinar we will discuss:
Using the Network as a Security Sensor with Lancope’s StealthWatch System and Flexible NetFlow to obtain visibility at scale, monitor network activity efficiently, discover security incidents quickly, and help achieve compliance.
Using the Network as a Security Enforcer with Cisco TrustSec to ensure policy-based access control and network segmentation for containment of network attacks, assist compliance and reduce the risk of data breaches.
Cisco Network Insider: Three Ways to Secure your Network - Robb Boyd
These are the slides from our Tuesday Jun 14, 2016 webinar featuring three building block technologies for quickly adding a ton of value to your security efforts.
Watch the Replay: http://bit.ly/1UhUZ1J
We covered:
- Identity Services Engine (ISE) - visibility and control, along with a solid set of sharing capabilities. Using ISE you can see the device types and control access to the network, and share what ISE sees with Stealthwatch.
- Stealthwatch - visibility with even more network elements. It works in conjunction with ISE but adds behavioral analysis. Using Stealthwatch you can see the behaviors of the devices and determine if they are infected with malware or ransomware, and then use the network to take action to contain them from a single screen.
- Cisco Defense Orchestrator (CDO) - Cloud platform that analyzes security policy configurations for Cisco ASA Firewalls and OpenDNS. It identifies and resolves policy inconsistencies, models policy changes to validate their impact, and orchestrates policy changes to achieve consistency and clarity of your security posture.
The cloud and mobility revolution, intensified by the quickly evolving threat landscape, heightens the challenge for businesses to secure their IT infrastructure. Now they must fight security threats that target their employees, applications, and other assets - not just on-premises, but throughout all of cyberspace.
Mobile Devices & BYOD Security – Deployment & Best Practices - Cisco Canada
Subjects covered will include mobile devices OS security, state of malware on mobile devices, data loss prevention, VPN and remote access, 802.1x and certificate deployment, profiling, posture, web security, MDMs and others. For more information please visit our website: http://www.cisco.com/web/CA/index.html
Key Elements of a Security Delivery Platform - John Pollack
You can't secure what you can't see. See how a security delivery platform enables visibility, optimizes existing security tool deployments, and allows for a more flexible security tool architecture.
1. Wireless Communication System_Wireless communication is a broad term that i... - JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024 - APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx - Brad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
Multi-cluster Kubernetes Networking - Patterns, Projects and Guidelines - Sanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
2. Security and Visibility for the Modern Networks
Ross Traynor, Cybersecurity Specialist, Cisco
Eric Rennie, Systems Engineer, Cybersecurity, Cisco
3. Digitization complicates visibility
Market demands have taken the network beyond your perimeter:
- Threats are more numerous and complex
- Threats are using encryption to evade detection
- More IoT devices connect every day
- Users work anywhere across many devices
Supporting figures:
- By 2020, 2/3rds of all IP traffic will come from wireless and mobile devices
- Over 20B connected “things" will be in use by 2020
- Companies experienced a 27.4% average increase in security breaches in 2019
- 3X increase in encrypted communication from malware in a 12-month period
4. The vendor buffet is not a strategy
Adding point solutions adds complexity and can make you less secure:
- 55% of customers rely on more than 5 vendors to secure their network [1]
- 54% of legitimate security alerts are not remediated due to lack of integrated defense systems [2]
- 100 days: industry average to detect a common threat [3]
[1] Cisco 2019 Annual Cybersecurity Report
[2] Cisco 2019 Annual Cybersecurity Report
[3] Cisco 2019 Mid-Year Cybersecurity Report
(Chart axes: Complexity vs. Capabilities)
5. The Solution: Network + Security
Activate your network for more holistic security:
- See everything: transform the network into a powerful security sensor for complete visibility
- Contain and isolate threats: dynamically enforce software-defined segmentation based on business roles
- Detect encrypted threats: use advanced analytics to automatically detect encrypted threats without decryption
- Understand behavior: identify host role and monitor behavior without endpoint agents
6. Cisco Stealthwatch
Gain confidence in your security effectiveness:
- Predictive threat analytics
- Contextual network-wide visibility
- Automated detection and response
Built on machine learning, global threat intelligence and behavioral modeling, using existing network infrastructure.
Detects: insider threat, encrypted malware, unknown threats, policy violations.
7. Stealthwatch Use Cases
Context-Aware Visibility
- Network, application, and user activity
- Monitor lateral movement using the network as a sensor
Threat Detection
- Advanced persistent threats
- Insider threat
- DDoS
- Data exfiltration
Incident Response
- In-depth, flow-based forensic analysis of suspicious incidents
- Scalable repository of security information
Network Planning & Diagnostics
- Network segmentation to profile application / device traffic
- Capacity planning
- Performance monitoring
- Application awareness
User Monitoring
- Cisco ISE
- Monitor privileged access
- Policy enforcement
Customer Use Cases: https://www.techvalidate.com/product-research/cisco-stealth-watch/facts
8. Key features
- Visibility everywhere: analyses enterprise telemetry from any source (NetFlow, IPFIX, sFlow, other Layer 7 protocols) across the extended network
- Encrypted Traffic Analytics: only product that can analyze encrypted traffic to detect malware and ensure policy compliance without decryption
- Rapid Threat Containment: quarantine infected hosts easily using the Identity Services Engine (ISE) integration; collect and store network audit trails for deeper forensic investigations
- Unique threat detection: combination of multi-layer machine learning and behavioral modeling provides the ability to detect inside as well as outside threats
- Smart segmentation: create logical user groups that make sense for your business, and monitor the effectiveness of segmentation policies through contextual alarms
11. Scaling and Optimization: deduplication
Diagram: one conversation between 10.1.1.1:80 and 10.2.2.2:1024 is exported by Router A, Router B and Router C (Router C reports it twice); the collector keeps a single copy and records which exporters saw it.
Router A: 10.1.1.1:80 <-> 10.2.2.2:1024
Router B: 10.2.2.2:1024 <-> 10.1.1.1:80 (duplicate)
Router C: 10.2.2.2:1024 <-> 10.1.1.1:80 (duplicate, exported twice)
• Avoid false positives and misreported traffic volume
• Enable efficient storage of telemetry data
• Necessary for accurate host-level reporting
• No data is discarded
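The collector logic the slide sketches, as an added Python example (this is not Stealthwatch code): the flow records, exporter names and the 60-second active-timeout window are constructed for illustration. It goes one step beyond the slide and also stitches the two unidirectional records of a conversation into one client-to-server record, which is what the speaker notes describe as "stitching". Byte and packet counters from several exporters are taken as the maximum, never summed, because every hop saw the same packets; the list of exporters is kept so that no observation is lost.

```python
"""Flow deduplication and stitching at the collector.

Added illustration, not Stealthwatch code. Records, exporter names and the
active-timeout window are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ACTIVE_TIMEOUT = 60.0   # seconds; copies of one flow from different exporters fall in one window


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional record as exported by a router, switch or firewall."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: float
    end: float
    packets: int
    bytes: int


@dataclass
class UniqueFlow:
    """One unidirectional flow after duplicates from other exporters are folded in."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: float
    end: float
    packets: int
    bytes: int
    exporters: Set[str] = field(default_factory=set)


@dataclass
class Conversation:
    """Both directions stitched together, oriented client -> server."""
    client: str
    server: str
    server_port: int
    proto: int
    start: float
    end: float
    client_bytes: int
    server_bytes: int
    exporters: Set[str]


Key = Tuple[str, int, str, int, int, int]


def _key(src, sport, dst, dport, proto, start) -> Key:
    # the time bucket keeps two unrelated flows that reuse a 5-tuple apart
    return (src, sport, dst, dport, proto, int(start // ACTIVE_TIMEOUT))


def dedupe(records: List[FlowRecord]) -> List[UniqueFlow]:
    unique: Dict[Key, UniqueFlow] = {}
    for r in records:
        k = _key(r.src, r.sport, r.dst, r.dport, r.proto, r.start)
        u = unique.get(k)
        if u is None:
            unique[k] = UniqueFlow(r.src, r.sport, r.dst, r.dport, r.proto,
                                   r.start, r.end, r.packets, r.bytes, {r.exporter})
            continue
        # Same packets seen at another hop (or re-exported): widen the time window,
        # keep the largest counters instead of adding them, and remember who saw it.
        u.start, u.end = min(u.start, r.start), max(u.end, r.end)
        u.packets, u.bytes = max(u.packets, r.packets), max(u.bytes, r.bytes)
        u.exporters.add(r.exporter)
    return list(unique.values())


def stitch(flows: List[UniqueFlow]) -> List[Conversation]:
    by_key = {_key(f.src, f.sport, f.dst, f.dport, f.proto, f.start): f for f in flows}
    done: Set[Key] = set()
    out: List[Conversation] = []
    for k, f in by_key.items():
        if k in done:
            continue
        rk = (f.dst, f.dport, f.src, f.sport, f.proto, k[5])
        rev = by_key.get(rk)          # None when only one direction was observed
        done.update({k, rk})
        # Orientation heuristic: the side on the ephemeral (higher) port is the client;
        # for equal ports the earlier record is the initiator.
        fwd_is_client = f.sport > f.dport or (f.sport == f.dport and (rev is None or f.start <= rev.start))
        c, s = (f, rev) if fwd_is_client else (rev, f)
        client, server, port = (f.src, f.dst, f.dport) if fwd_is_client else (f.dst, f.src, f.sport)
        present = [x for x in (f, rev) if x is not None]
        out.append(Conversation(
            client=client, server=server, server_port=port, proto=f.proto,
            start=min(x.start for x in present), end=max(x.end for x in present),
            client_bytes=c.bytes if c else 0, server_bytes=s.bytes if s else 0,
            exporters=set().union(*(x.exporters for x in present)),
        ))
    return out


# Constructed sample: the HTTP conversation from the slide as seen by three routers,
# plus a DNS query for which no reply record was exported.
SAMPLE_RECORDS = [
    FlowRecord("RouterA", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 100.0, 101.5, 8, 960),
    FlowRecord("RouterA", "10.1.1.1", 80, "10.2.2.2", 1024, 6, 100.0, 101.5, 10, 12000),
    FlowRecord("RouterB", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 100.1, 101.6, 8, 960),
    FlowRecord("RouterB", "10.1.1.1", 80, "10.2.2.2", 1024, 6, 100.1, 101.6, 10, 12000),
    FlowRecord("RouterC", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 100.1, 101.6, 8, 960),
    FlowRecord("RouterC", "10.1.1.1", 80, "10.2.2.2", 1024, 6, 100.1, 101.6, 10, 12000),
    FlowRecord("RouterC", "10.2.2.2", 1024, "10.1.1.1", 80, 6, 100.1, 101.6, 8, 960),  # re-exported
    FlowRecord("RouterA", "10.2.2.2", 53001, "10.9.9.9", 53, 17, 100.2, 100.2, 1, 70),
]

if __name__ == "__main__":
    for conv in stitch(dedupe(SAMPLE_RECORDS)):
        print(conv)
```

Without the deduplication step the HTTP conversation would be counted with four times its real volume and every host-level report built on it would be wrong; with it, seven exported records collapse to two unidirectional flows and one conversation.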
13. Anomaly detection using behavioral modeling
Collect and analyze telemetry -> create a baseline of normal behavior -> alarm on anomalies and behavioral changes
Flow attributes used for the baseline: number of concurrent flows, time of day, bits per second, packets per second, number of SYNs sent, number of SYNs received, new flows created, rate of connection resets, duration of the flow
Analysis of multiple threat behaviors (example host group: Exchange Servers; threshold vs. anomaly)
• Comprehensive data set optimized to remove redundancies
• Security events to detect anomalies and known bad behavior
• Alarm categories for high-risk, low-noise alerts for faster response
14. Behavioral & Anomaly Detection Model
Behavioral algorithms are applied to collected flows to build "Security Events"; security events feed alarm categories; alarms trigger responses.
Collect and analyze flows -> Security events -> Alarm category -> Response
Security events (examples): Addr_Scan, Bad_Flag_ACK, Beaconing Host, Bot Infected Host - Successful, Brute Force Login, Fake Application, Flow_Denied, ICMP Flood, Max Flows Initiated, Max Flows Served, Suspect Data Hoarding, Suspect Data Loss, Suspect Long Flow, UDP Received, ...
Alarm categories: Concern, Recon, C&C, Exploitation, DDoS target, Data hoarding, Exfiltration
Responses: alarm table, host snapshot, email, syslog / SIEM, mitigation
15. Logical alarms based on suspicious events
• DDoS Activity: sending or receiving SYN floods and other types of data floods
• Scanning, excessive network activity such as file copying or transfer, policy violations, etc.
• Source or target of malicious behavior
• Reconnaissance: port scanning for vulnerabilities or running services
• Insider threats: data hoarding and data exfiltration
• Command and Control: communication back to an external remote controlling server through malware
16. Alarms tied to specific entities
• Quick snapshot of malicious activity
• Suspicious behavior linked to logical alarms
• Risks prioritized to take immediate action
17. Investigating a host
• Summary of aggregated host information
• Observed communication patterns
• Historical alarming behavior
Screenshot: Host Summary for 10.201.3.149 (User Name, Device Name, Device Type, Host Group, Location, Last Active Status, Session Information, Policies; Quarantine / Unquarantine buttons); Flows History (12-Jan to 16-Jan); Alarms by Type (Data Hoarding, Packet Flood, High Traffic, Data Exfiltration); Traffic by Peer Host Group (within organization / outside organization)
19. Encrypted Traffic Analytics (ETA)
Visibility and malware detection without decryption
Malware in encrypted traffic: is the payload within the TLS session malicious?
• End-to-end confidentiality
• Channel integrity during inspection
• Adapts with encryption standards
Cryptographic compliance: how much of my digital business uses strong encryption?
• Audit for TLS policy violations
• Passive detection of ciphersuite vulnerabilities
• Continuous monitoring of network opacity
20. Detect malware in encrypted traffic
• Initial data packet: make the most of the unencrypted fields
• Sequence of packet lengths and times: identify the content type through the size and timing of packets
• Global Risk Map: know who's who of the Internet's dark side
Indicators shown: self-signed certificate, data exfiltration, C2 message
21. Identifying malicious encrypted traffic
Model: packet lengths, arrival times and durations tend to be inherently different for malware than for benign traffic
Diagram: sequences of client-sent and server-received packets for three flows (Google search page download; initiating command and control; exfiltration and keylogging)
23. Cisco Identity Services Engine (ISE)
Send contextual data collected from users, devices, and network to Stealthwatch Enterprise for advanced insight
Network and user context (who, what, where, when, how) flows from the Identity Services Engine into Stealthwatch security analytics
24. Rapid Threat Containment
Without any business disruption
• Stealthwatch Management Console requests mitigation from Cisco Identity Services Engine over pxGrid
• ISE quarantines or unquarantines the infected host
• Context information is shared with other network and security products
26. Required core components
Stealthwatch Management Console (SMC)
• A physical or virtual appliance that aggregates, organizes, and presents analysis from Flow Collectors, Identity Services Engine (ISE), and other sources
• User interface to Stealthwatch
• Maximum 2 per deployment
Flow Collector (FC)
• A physical or virtual appliance that aggregates and normalizes NetFlow and application data collected from exporters such as routers, switches, and firewalls
• High-performance NetFlow / sFlow / IPFIX collector
• Maximum 25 per deployment
Flow Rate License
• Licenses the collection, management, and analysis of telemetry by Stealthwatch Enterprise
• Determined by the number/type of switches, routers, firewalls and probes present on the network
27. Stealthwatch Enterprise architecture
Comprehensive visibility and security analytics
Diagram components: Management Console; Flow Collector; Flow Rate License; Endpoint License; Threat Intelligence License; ISE; Cognitive Intelligence; Flow Sensor (and Flow Sensor VE on a hypervisor for VM-to-VM traffic); UDP Director; Stealthwatch Cloud; proxy data; other traffic analysis software
Telemetry sources: NetFlow from NetFlow-enabled routers, switches and firewalls (including telemetry for Encrypted Traffic Analytics); Flow Sensor for non-NetFlow-enabled equipment
28. Solution lifecycle for Cisco Stealthwatch Enterprise and Stealthwatch Customer Experience
• Visibility across your entire network
• Detection based on your business needs
• Utilization with Cisco and 3rd party solutions
Stealthwatch Services (Professional, Learning, Support):
• Error-free deployment
• Highest-performance flow collection
• Train your staff
• 24x7 customer support
• Adopt and improve threat detection fidelity
• Reduce time to detection and response of threats
• Tactical workshops for use cases
• Integrate with your incident response plan
• Integrate with your telemetry stack
• Virtual labs and e-learning courses
29. How Stealthwatch CX has helped
Provide network visibility across the IT network
Challenges
• SIEM integration with Stealthwatch Enterprise is extremely difficult to do on your own
• Many SOC teams place strong emphasis on working out of a SIEM
• SIEM is viewed as the "single pane of glass" for their security workflow
Results
• Through an extended set of REST API capabilities that are installed for the customer, Professional Services works directly with the customer to understand their investigation workflow
• Integrate these API capabilities into their SIEM through either apps, add-ons, or right-click pivot capabilities
• Reduce the mean time to resolution for customers by enriching the data they use for investigation with Cisco Stealthwatch data
• Provide a clearer picture as to the nature and behaviour of the suspicious host in question, giving them a higher degree of accuracy in securing their networks faster
Screenshot: SIEM dashboard with a right-click pivot into Stealthwatch Enterprise ("Go to Stealthwatch", "Get top peer report")
Today, market demands have caused the network to expand far outside of the perimeter.
Every day, more IoT devices are connected–a trend that promises to accelerate in the coming years. It is estimated that 1 million new devices will go online every hour in 2020.
The ability to work remotely and from mobile devices is no longer a perk, it's an expectation. Users now work everywhere across multiple devices, and by 2020, it is projected that 2/3 of all IP traffic will come from wireless or mobile devices.
As the network expands beyond the perimeter, companies are faced with threats that are growing in number, and increasing in complexity – a trend which recently culminated in a 27.4% average increase in security breaches in 2019.
Finally, more threats are using encryption to mask their communications. Cisco analyzed 400,000 malware samples and found a threefold increase in encrypted network communication used by inspected malware samples over a 12-month period.
[TRANSITION] While this new era of digitization has generated new opportunities for businesses, it’s certainly come with a cost.
[CLICK]
To create an advanced defense against security threats, often times new point solutions will be added to the network. In fact, the average customer relies on more than 5 vendors to secure their network.
These solutions may work for a while but adding solutions that don’t seamlessly integrate with your existing setup can add unnecessary complexity to your environment and actually make you less secure.
The more point solutions, the more difficult it is to correlate information between them to gain a clear picture of what is going on in your business. Every new solution comes with another management interface, and each one demands human resources and management hours to set up, set policy, and respond to alerts. You’ve now added complexity without much overall incremental effectiveness since your security solutions don’t work together or share information with each other.
This complexity can also hinder your threat defense. A lack of integrated defense systems can lead to up to 54% of legitimate security alerts not being remediated. These threats continue to sit in your environment for far longer than they should, pushing the industry's average time to detect threats up to 100 days.
T: Often times, implementing these point security solutions means sacrificing the efficiency and effectiveness of the network. It’s time for a different approach.
<Click>
Instead, what’s needed is a holistic approach to enterprise security.
A network might have 100 network devices for every firewall. Imagine if you could recruit all of those devices to secure your network without impacting its performance?
[CLICK]
By using the right technology, you can transform your network into an always-on security sensor, capable of seeing everything and understanding normal behavior.
By taking these steps, you can empower your network to dynamically adapt and defend itself, identifying threats, even in encrypted traffic, and isolating affected machines.
[TRANSITION] This is Cisco network security analytics.
[CLICK]
Stealthwatch provides:
1. Contextual network-wide visibility – Stealthwatch is able to ingest and analyze telemetry from multiple network devices such as routers, switches and firewalls. It can also natively collect telemetry from the public cloud infrastructure. Stealthwatch uses entity modeling to classify all the devices or entities connected to the network such as servers, printers, etc. to efficiently determine normal behavior of these entities so it can alarm on any anomalies. Another unique capability of Stealthwatch is to eliminate duplicate network flows as well as stitch them together to make sense of the communications. This means that Stealthwatch can not only detect a threat, but provide additional contextual information about the source of the threat, like where else it might have propagated, which user has been compromised, and other info such as location, device type, time-stamp, etc. Stealthwatch can also store telemetry for a certain period of time to forensically investigate past or long-running events. In addition, Stealthwatch integrates with other security solutions to infuse user and application data, web information, etc. for faster threat investigation and response.
2. Predictive threat analytics – Attackers use multiple methods to compromise your security, so why should you employ just one defense technique? Stealthwatch uses a three-pronged approach to detect advanced threats before they turn into a breach. The first is behavioral modeling. Stealthwatch constantly observes network activity to create a baseline of normal behavior, and alarms on any anomalies using close to 100 different heuristics. It also has knowledge of known bad behavior that it alarms on. So if attackers are using lost or stolen credentials to gain access, or if you are dealing with a malicious employee involved in hoarding or exfiltrating sensitive data, Stealthwatch can alarm on it right away. Secondly, Stealthwatch applies a funnel of machine learning techniques to reduce large amounts of telemetry to anomalies, and eventually to high-fidelity threat detections, so your security team can focus on investigating critical threats. This cloud-based machine learning engine can also identify malicious servers across the world and flags any communication to them, in order to detect unknown or targeted attacks. And lastly, Stealthwatch uses global threat intelligence powered by the industry-leading Talos platform to correlate local threats globally, and thwart attackers' rinse-and-repeat tactics of infecting multiple victims with the same malware. All these analytical techniques work together to identify early indicators of compromise like constant pinging/beaconing, port scanning, communications to malicious domains, etc., in order to detect threats before they turn into an attack.
3. Automated detection and response – The combination of this context-driven enterprise-wide visibility and the application of advanced analytical techniques leads to high-fidelity and advanced threat detection. Security teams see alarms that are prioritized by threat severity, and have additional information to take actions easily. No need to analyze large amounts of data in order to detect and investigate incidents.
An alarm can have an associated response:
Notify in the alarm table
Generate an email
Generate a syslog message to a SIEM
And you can quarantine identified threats using the network (Rapid Threat Containment using the ISE integration)
How the collected telemetry is optimized so that the solution scales easily is very important and unique to Stealthwatch. It involves deduplication and stitching, as shown here.
Why not enlist your existing investment, the network, to secure your organization? The network telemetry is a rich data source that can provide useful insights about who is connecting to the organization and what they are up to. Everything touches the network, so this visibility extends from the HQ to the branch, data center, roaming users, and smart devices. And also from the private to the public cloud. Analyzing this data can help detect threats that may have found a way to bypass your existing controls, before they are able to have a major impact.
Stealthwatch provides enterprise-wide visibility, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real-time. With a single, agentless solution, you get comprehensive threat monitoring, even in encrypted traffic.
Stealthwatch has a very extensive network behavior and anomaly detection engine. It also has understanding of known bad behavior, and the ability to distinguish malicious behavior from an anomaly.
Complete and efficient data set - Netflow, IPFIX, sFlow as well as other layer 7 protocols
Telemetry from routers, switches, firewalls, data center, cloud
Optimized enterprise telemetry with deduplication and stitching
Security Events or heuristics based on anomalous behavior - Addr_Scan, Beaconing Host, Brute Force Login, Max Flows Initiated, Suspect Data Hoarding, Suspect Data Loss
Over 100 algorithms applied
Deep understanding of known bad behavior
Ability to detect change in “normal” behavior
High level alarm categories - Concern, Recon, C&C, Exploitation, DDoS, Data Hoarding, Exfiltration, Policy Violation
Alarms tied to specific hosts and telemetry for easy investigation
Logical alarms based on advanced attacks
Alarms organized by time, users, user groups, applications, etc. to prioritize risks
<Click>
Stealthwatch has a very extensive Network Behavior and Anomaly detection engine.
Behaviour Detection – requires understanding of known bad behavior.
Anomaly detection – identify a change from “normal”
Stealthwatch security model:
Security Events – composed of algorithms that analyze flows and activity looking for certain patterns. Over 94 algorithms.
Events feed into high level alarm categories; which can generate an alarm. Some security events can alarm on their own.
An alarm can have an associated response such as notify in the alarm table or generate a syslog message to a SIEM.
A few examples of the high level alarm categories the Stealthwatch Security Events feed into. There are 11 high level alarm categories; mapping to the kill chain or the attack lifecycle.
Top alarming categories and hosts are prominently displayed for quick drill down and investigation.
The algorithms baseline activity using a point system; points are averaged over a day, week, or month. Algorithms can be applied to both a host and a host group. All algorithms also have absolute thresholds to alarm on hosts that exceed expected behavior; this helps prevent the baseline from learning bad behavior, and lets the algorithms be tuned very precisely in well-understood or critical environments such as data centers.
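The point-based baselining and alarm-category model described above, as an added Python example (these are not Stealthwatch's own algorithms): the event-to-category mapping follows the slide's list, but the metric names, point weights, alarm threshold, per-event ceilings, the per-host sample data and the syslog line format are all constructed here for illustration. The ceiling is the part worth noting: a host that has always pushed 6 GB a day out of the organization has a perfectly "normal" baseline for that behavior, and only an absolute threshold catches it.

```python
"""Point-based baselining, security events and alarm categories.

Added illustration, not Stealthwatch's own algorithms. The event-to-category
mapping follows the slide; metric names, weights, ceilings, thresholds, the
per-host sample data and the syslog line format are constructed here.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_POINTS = 100          # a single security event contributes at most this many points
ALARM_THRESHOLD = 50      # category points at or above this raise an alarm
POINTS_PER_SIGMA = 10     # each standard deviation above baseline is worth 10 points


@dataclass(frozen=True)
class EventRule:
    name: str        # security event name as on the slide
    category: str    # alarm category it feeds
    metric: str      # per-host daily metric it watches (constructed names)
    ceiling: float   # policy threshold: exceeding it scores MAX_POINTS even if "normal" for the host


RULES = [
    EventRule("Addr_Scan", "Recon", "distinct_peers", 500),
    EventRule("Max Flows Initiated", "Concern", "flows_initiated", 20_000),
    EventRule("Suspect Data Hoarding", "Data hoarding", "bytes_in_internal", 20e9),
    EventRule("Suspect Data Loss", "Exfiltration", "bytes_out_external", 5e9),
]


def score_event(rule: EventRule, history: List[float], today: float) -> int:
    """Points for one security event on one host.

    history: the host's value of rule.metric on previous days (the baseline window;
    a weekly or monthly window is handled the same way). today: the value being judged.
    """
    if today > rule.ceiling:
        return MAX_POINTS          # hard policy limit, independent of what the host usually does
    if len(history) < 2:
        return 0                   # no baseline yet: only the ceiling applies
    mean = statistics.fmean(history)
    # a perfectly flat baseline would make any change infinitely anomalous; floor the spread
    spread = statistics.pstdev(history) or max(abs(mean) * 0.1, 1.0)
    sigma = (today - mean) / spread
    if sigma <= 0:
        return 0                   # below baseline is not suspicious for these events
    return min(MAX_POINTS, round(sigma * POINTS_PER_SIGMA))


def evaluate_host(history: Dict[str, List[float]], today: Dict[str, float]) -> Dict[str, int]:
    """Sum event points per alarm category for one host."""
    category_points: Dict[str, int] = defaultdict(int)
    for rule in RULES:
        if rule.metric not in today:
            continue
        category_points[rule.category] += score_event(
            rule, history.get(rule.metric, []), today[rule.metric])
    return dict(category_points)


def alarms(history_by_host, today_by_host) -> List[Tuple[str, str, int]]:
    """(host, category, points) for every category at or above ALARM_THRESHOLD."""
    out = []
    for host, today in today_by_host.items():
        for category, points in evaluate_host(history_by_host.get(host, {}), today).items():
            if points >= ALARM_THRESHOLD:
                out.append((host, category, points))
    return out


def to_syslog(host: str, category: str, points: int) -> str:
    """One alarm as a syslog line for the SIEM (constructed key=value format, local0.warning)."""
    return f"<132>stealthwatch-example alarm host={host} category={category} points={points}"


# Constructed sample: a workstation whose outbound volume jumps sixfold, and a
# file server that has always pushed 6 GB/day out of the organization.
HISTORY = {
    "10.201.3.149": {
        "bytes_out_external": [200e6, 190e6, 210e6, 205e6, 195e6, 200e6, 198e6],
        "distinct_peers": [40, 42, 38, 41, 39, 40, 41],
    },
    "10.201.3.7": {
        "bytes_out_external": [6e9] * 7,
        "distinct_peers": [12] * 7,
    },
}
TODAY = {
    "10.201.3.149": {"bytes_out_external": 1.2e9, "distinct_peers": 45},
    "10.201.3.7": {"bytes_out_external": 6e9, "distinct_peers": 12},
}

if __name__ == "__main__":
    for host, category, points in alarms(HISTORY, TODAY):
        print(to_syslog(host, category, points))
```

The workstation's 45 peers is a few standard deviations above its baseline and scores some points but stays under the alarm threshold, which is the "low-noise" property the slide asks for; its 1.2 GB of outbound data is far outside the baseline and fills the Exfiltration category on its own.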
User information about who is logged into a suspect host can be obtained via Identity Services Engine (ISE), and attributed to observed activity
You can also look at traffic from a specific host group inside or outside the organization
There’s also a timeline of alarms triggered by a specific hosts provided for quick assessment of the behavior of the host
Cisco is innovating by enhancing Netflow with new telemetry for encrypted traffic analytics. This telemetry does not require decryption or deep packet inspection of payload.
<T> So how do we inspect encrypted traffic?
There are three key elements that allow for analysis and discrimination of legitimate vs. malicious traffic.
The first one is the Initial Data Packet or IDP.
The initial packets of any connection contain valuable information about the content. The IDP gives the analytics engine the unencrypted TLS handshake fields of HTTPS flows (the ClientHello and ServerHello, which carry the offered cipher suites, extensions such as SNI, and the server certificate) and the application headers of related connections. That helps us make the most of the unencrypted fields.
Next, the Sequence of Packet Lengths and Times (SPLT) and byte counts.
The SPLT field gives us visibility beyond the first packet of the encrypted flows. We measure the size of packets and the timing differences to see what kind of content (video, web, voice, or downloads) is being delivered within the connection.
And finally, Stealthwatch Enterprise applies security analytics in the form of multi-layer machine learning to these data elements. It employs a Global Risk Map, which maintains very broad behavioral statistics about the servers on the Internet. We pick servers that are related to attacks, may be exploited, or may be used as a part of an attack in the future. This is not a blacklist, but a holistic picture of the server in question from a security perspective.
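What the Initial Data Packet actually exposes, as an added Python example (this is not Cisco's ETA code): a minimal TLS ClientHello parser that pulls out the client_version, the offered cipher suites and the SNI, followed by the kind of policy check the cryptographic-compliance use case on slide 19 describes. The ClientHello builder, the example hostnames and the policy's list of disallowed suites are constructed for the example; the suite code points are the IANA-registered values. The parser handles a hello without an extensions block and rejects non-handshake records.

```python
"""Parsing the unencrypted TLS ClientHello fields that the Initial Data Packet exposes.

Added illustration, not Cisco's ETA code. The builder, hostnames and the policy's
list of disallowed suites are constructed; suite code points are IANA values.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

VERSION_NAMES = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Suites the example policy forbids: RC4, 3DES, and static-RSA key exchange (no forward secrecy)
DISALLOWED_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
}


@dataclass
class ClientHello:
    version: int
    cipher_suites: List[int]
    sni: Optional[str]


def build_client_hello(sni: Optional[str], cipher_suites: List[int], version: int = 0x0303) -> bytes:
    """Construct a minimal ClientHello record (test input for the parser, not a real client)."""
    ext = b""
    if sni is not None:
        name = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
        sni_data = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data       # extension server_name(0)
    suites = b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body = (struct.pack("!H", version) + b"\x11" * 32 + b"\x00"         # client_version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # ContentType handshake(22)


def parse_client_hello(data: bytes) -> ClientHello:
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack_from("!H", data, 3)[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) < body_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                                # client_version, then the 32-byte random
    pos += 1 + body[pos]                         # session_id (length-prefixed)
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    suites = [struct.unpack_from("!H", body, i)[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                         # compression_methods (length-prefixed)
    sni = None
    if pos + 2 <= len(body):                     # the extensions block is optional
        ext_len = struct.unpack_from("!H", body, pos)[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype == 0x0000 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name entry
                name_len = struct.unpack_from("!H", edata, 3)[0]
                sni = edata[5:5 + name_len].decode("idna")
    return ClientHello(version, suites, sni)


def audit_client_hello(hello: ClientHello) -> List[str]:
    """Policy findings for one ClientHello (an empty list means compliant)."""
    findings = []
    # TLS 1.3 clients still put 0x0303 here and negotiate 1.3 via supported_versions,
    # so anything below 0x0303 is a client willing to speak a legacy version.
    if hello.version < 0x0303:
        findings.append(f"legacy client_version {VERSION_NAMES.get(hello.version, hex(hello.version))} offered")
    weak = [DISALLOWED_SUITES[cs] for cs in hello.cipher_suites if cs in DISALLOWED_SUITES]
    if weak:
        findings.append("disallowed cipher suites offered: " + ", ".join(weak))
    if hello.sni is None:
        findings.append("no SNI: destination cannot be attributed to a hostname")
    return findings


if __name__ == "__main__":
    sample = build_client_hello("update.example.net", [0x0005, 0x000A, 0xC02F], version=0x0301)
    print(audit_client_hello(parse_client_hello(sample)))
```

Everything the audit looks at is in the clear before any application data is sent, which is why this kind of compliance check needs no decryption and no key material; the same parse also yields the fields (SNI, suite list) that ETA's later machine-learning stages use as features.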
Cisco Identity Services Engine (ISE) provides powerful user and device contextual information. This information includes what kind of device an endpoint is, what user is associated with it, where it connected to the network, when it connected, and how. ISE sends this information to Stealthwatch, which helps accelerate incident response investigations by readily providing crucial identity information.
In addition, ISE facilitates rapid threat containment. In response to alerts within Stealthwatch, ISE can quickly quarantine a host from the rest of the network, preventing a threat from spreading or communicating over the Internet.
The Cisco® pxGrid (Platform Exchange Grid) is an open, scalable and IETF standards-driven data-sharing and threat control platform. It allows multiple security products to work together using one API for open, automated data sharing and control between more than 50 security products. Stealthwatch leverages this to communicate with ISE, pulling user, session and device information from it and accessing ISE’s mitigation capabilities.
The two primary components of this system required for operation are the Flow Collector and Management Console appliances. They can be deployed as physical appliances and as virtual machines.
The flow collector aggregates all of the network telemetry data Stealthwatch uses to conduct its analysis. It performs stitching and deduping operations on the incoming data to create the "general ledger" of every observed network transaction across your network. It builds databases of these events encompassing months of activity, and conducts most of the analytic heavy lifting for the Stealthwatch system.
The Management Console is your micro and macro lens into this sea of information, providing an interface that surfaces observed anomalous activities, as well as providing a means to query into the datastore present on the Flow Collector.
Stealthwatch licensing is based on the Flow Rate License, which depends on the number/types of routers, switches, firewalls and probes present in the network.
The Stealthwatch system is comprised of a number of components to provide a robust and comprehensive view of activity occurring on the enterprise network.
The Flow Collector and the Management Console are the core appliances for the solution… every Stealthwatch deployment will have both of these. The Flow Collector is the work horse of the system, collecting, aggregating and storing all incoming telemetry, building the database and performing much of the analytics against the data.
The SMC is the window into this vast amount of data... Alerting you to detected threats and giving the means to dig into the data. Both of these appliances are available as physical and virtual appliances.
The Flow Rate license helps collect network telemetry from the routers, switches and firewall, including telemetry for ETA.
<click>
The Flow Sensor is an optional component of Stealthwatch Enterprise and produces telemetry for segments of the switching and routing infrastructure that can’t generate NetFlow natively. It also provides visibility into the application layer data. In addition to all the telemetry collected by Stealthwatch, the Flow Sensor provides additional security context to enhance the Stealthwatch security analytics. Advanced behavioral modeling and cloud-based multilayered machine learning is applied to this dataset to detect advanced threats and perform faster investigations.
<click>
The Endpoint License allows Stealthwatch to work with endpoints running AnyConnect 4.4+ with the Network Visibility Module (NVM) to pull in process and MD5 hash information on applications running on the endpoint and correlate it to observed network activity.
<click>
Stealthwatch is also capable of ingesting proxy data from the Cisco WSA and other vendors. Stealthwatch can associate that with observed flows and give you visibility into otherwise “dark” areas of those communications.
<click>
Our integration with the Cisco Security Packet Analyzer turns Stealthwatch into a kind of scalpel for performing traffic forensics. You can view suspect traffic and alerts within Stealthwatch, zero in on the suspicious communications and then pivot from Stealthwatch into the packet analyzer appliance, have it reach into its rolling buffer and pull back the contents of the communication, and perform analytics on it using the Packet Analyzer's built-in tools.
<<click>>
Finally, with Stealthwatch Cloud we now have a SaaS based offering to gain visibility into your public and private cloud installations. Additionally, Stealthwatch Cloud can also support SMB-sized customers (<1-2k users), opening up this market for visibility.
<<< This is a build slide, meant to be used as a quick overview of the entirety of the Stealthwatch System.
Ideally, you should be able to summarize the functionality of each component in a sentence or two when using this slide. From there, you would cover individual components more in depth, depending on the interests of your audience/customer. >>>
<For when starting presentation with maturity model only>
The industry isn’t just changing, it has already changed. Data itself is at the very least, a critical component of today’s business environment, and in some cases the actual product.
With this shift, it is no wonder that threats to your system continue to evolve and become more sophisticated. On top of this threat landscape, networks themselves become more complex due to the increasing:
Number of end-points
Integration requirements
Volume of data being transmitted
It isn't realistic to manage these threats with a traditional security solution. They can't provide the scale or insight to be successful, nor can they flex and adjust for the threats that will come tomorrow.
Stealthwatch Services combined with Cisco Stealthwatch Enterprise is fundamentally different. Our solution lifecycle is based around 3 key phases:
Drive visibility across your entire network
Detect threats based on your specific network environment
Integrate with other Cisco and 3rd party solutions
Over the course of these 3 phases, you get a maturing solution that will continue to make your life easier as you work to protect an increasingly complex network from increasingly complex threats.
First is Visibility across your entire network and end-points. This phase focuses on the initial installation; from here you are able to get newfound visibility into aspects of the activity on your network you have never had before.
Once it's up and operational, the second phase is mainly around threat Detection and making sure the system is tuned in a way specific to your business, so that you have actionable alarms.
The third phase is about Integration, where we’re focusing on integrating Stealthwatch Enterprise with all the other systems in the customer’s environment whether they are part of Cisco’s portfolio or 3rd party solutions.
Once you have gone through the integration phase you enter into a virtuous cycle where that integration creates additional visibility and new process to further enhance your detection and tuning.
Throughout this process, Stealthwatch Customer Experience team provides targeted services offerings to help you get the most at each stage of the Stealthwatch Enterprise lifecycle, whether it is:
Professional Services
Learning Services
Support Services
All together, Cisco Stealthwatch Enterprise provides continuous visibility and it makes it easier for you to detect anomalous behavior on your network. With its constant monitoring and real-time insight, you can continuously improve your enterprise security posture to prevent future incidents in your network. And it integrates with many Cisco and other Security solutions. Stealthwatch Enterprise helps you continuously monitor your network to ensure that you are obtaining value to improve your enterprise security posture.
The Customer Experience team delivers a critical and unique lifecycle experience that provides high touch engagement for all customers of the Stealthwatch Enterprise solution
T: Looking a little closer at “visibility” <click>
The Cisco Stealthwatch SIEM Integration service improves the security investigation and incident response process for customers, reduces their mean time to resolution and increases accuracy, thus ensuring their networks stay as secure as possible. We integrate your Stealthwatch solution with Splunk, ArcSight, QRadar, and other 3rd party vendors to make sure you get a comprehensive view of what is going on.
What was the customer challenge:
In today’s security world, many SOC teams place strong emphasis on working out of a SIEM, some even going as far as to treat it as a “single pane of glass” in their security workflow, but they’re not getting all the data they need from just their SIEM console. They are in need of an easier way to work out of their SIEM, but across other threat monitoring and analytics consoles.
How did Stealthwatch Enterprise and the Stealthwatch Customer Experience Team deliver results:
Through an extended set of REST API capabilities that are installed for the customer (valuable API capabilities beyond what the product currently provides), Cisco Professional Services works directly with the customer to understand their investigation workflow and integrate these API capabilities into their SIEM through either apps, add-ons, or right-click pivot capabilities. These integrated capabilities reduce the mean time to resolution for customers by enriching the data they use for investigation with Cisco Stealthwatch data.
Individual use case conclusion: being able to quickly and efficiently view such things as the top peers, the top ports used, or even raw NetFlow helps provide a clearer picture as to the nature and behavior of the suspicious host in question, giving them a higher degree of accuracy in securing their networks faster.