Introduction to StealthWatch
Copyright © www.ine.com
Agenda
• Introduction
• Harnessing Network Telemetry
• Data Classification
• Security Model
• Summary
Network Telemetry
Telemetry: An automated communications process by which measurements and other data are collected at remote or inaccessible points and transmitted to receiving equipment for monitoring.
[Diagram: network devices that export telemetry: Switch, ASA, Access Point, ASR (Router), Endpoint (AnyConnect)]
Cisco Stealthwatch
Cisco Stealthwatch: A collector and aggregator of network telemetry for the purposes of security analysis and monitoring.
[Diagram: Stealthwatch collecting telemetry from network devices: Switch, ASA, Access Point, ASR (Router), Endpoint (AnyConnect)]
Effective security depends on total visibility
• KNOW every host
• SEE every conversation
• Understand what is NORMAL
• Be alerted to CHANGE
• Respond to THREATS quickly
[Diagram: HQ network with Branch, Data Center, Cloud Users, Roaming Users and Admin]
Stealthwatch Enterprise Architecture (I)
Stealthwatch Enterprise Architecture (II)
[Architecture diagram: comprehensive visibility and security analytics]
• Management Console, alongside ISE, Global Threat Analytics, Threat Intelligence License, Security Packet Analyzer, and Packet Data & Storage
• Flow Collector
• Stealthwatch Cloud
• UDP Director
• Flow Sensor VM / Flow Sensor VE on a hypervisor
• Flow Telemetry for Encrypted Traffic Analytics
• NetFlow, Endpoint License, Proxy Data, and other traffic analysis software
• Telemetry sources: NetFlow-enabled routers, switches and firewalls; non-NetFlow-enabled equipment
Required Core Components
Stealthwatch Management Console (SMC)
• A physical or virtual appliance that aggregates, organizes, and presents analysis from Flow Collectors, Identity Services Engine (ISE), and other sources
• User interface to Stealthwatch
Flow Collector (FC)
• A physical or virtual appliance that aggregates and normalizes NetFlow and application data collected from exporters such as routers, switches, and firewalls
• High performance NetFlow / sFlow / IPFIX collector
Flow Rate License
• Collection, management, and analysis of telemetry by Stealthwatch Enterprise
• The Flow Rate License is simply determined by the number/type of switches, routers, firewalls and probes present on the network
Agenda
• Introduction
• Harnessing Network Telemetry
Telemetry Processing: NetFlow Stitching
Telemetry Processing: NetFlow De-duplication
Conversation Flow Record: General Ledger
Contextual Conversation Flow Record
Agenda
• Introduction
• Harnessing Network Telemetry
• Data Classification
Host Groups
• The more hosts that are classified by their function, the more valuable the solution is.
• Traffic processing and reports are more meaningful when we have as little Undefined traffic as possible.
• Types of Hosts
  • Inside Hosts
  • Outside Hosts
  • Threat Intelligence created hosts [C&C, Tor]
Agenda
• Introduction
• Harnessing Network Telemetry
• Data Classification
• Security Model
Security Model
Summary
Getting Started with Stealthwatch [System Installation]
Module Overview
Appliance Setup Tool [AST]
Stealthwatch System Setup Tool [SST]
Appliance Post-Install Configuration
Appliance Post-Install Verification
Stealthwatch Enterprise Topology
Flow Sensor
Active Directory Workstation 1
UDP Director
Vlan-Primary
Flow Collector
Traffic Generator
Stealthwatch Management Console
SMC Configuration
Features
SMTP
SNMP
Licenses
ISE Integration
Active Directory Lookup
Host Groups & User Management
Course Overview
Hosts Groups
User Management
Default Users
Custom Users
Host Groups
Host Groups contain ONLY IP addresses
IP formats permitted:
• Single IP address such as 10.1.2.3
• Hyphenated range such as 192.168.1.1-57
• CIDR notation such as 10.245.0.0/16
• Combined CIDR and hyphenated such as 10.100-201.6.0/24
HYPHENATED RANGE MUST BE IN A SINGLE OCTET
Configure Host Groups
Description: IP Address
• DNS Server: 10.10.30.15, 10.10.30.16
• Vulnerability Scanner: 10.203.0.207
• Mail Server: 10.10.30.23
• Time Server: 10.10.30.10
• Public IP Address Space: 209.182.184.0/24
• Atlanta: 10.201.0.0/16
• PCI Devices: 10.201.3.0/24
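As an added worked example (not code from the INE slides or from Cisco), the following Python script expands host group entries written in the four permitted formats from the Host Groups slide into networks, rejects a hyphenated range that spans more than one octet, and classifies an address against the host groups from the table above. The entry syntax is implemented from the rules stated on the slides; the sample host group table is constructed from that slide, and the function names are this example's own.

```python
import ipaddress
import re
from typing import Dict, List

# One octet, optionally written as a hyphenated range ("100-201").
OCTET = r"(\d{1,3})(?:-(\d{1,3}))?"
# Four dotted octets with an optional /prefix, e.g. 10.100-201.6.0/24.
ENTRY_RE = re.compile("^" + r"\.".join([OCTET] * 4) + r"(?:/(\d{1,2}))?$")


def expand_entry(entry: str) -> List[ipaddress.IPv4Network]:
    """Expand one host group entry into the IPv4 networks it covers.

    Accepted forms (from the Host Groups slide): a single address, a hyphenated
    range inside one octet, CIDR notation, and CIDR combined with a hyphenated
    octet. A range spanning more than one octet is rejected.
    """
    m = ENTRY_RE.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised host group entry: {entry!r}")
    g = m.groups()  # 8 octet captures followed by the optional prefix
    octets = [(int(g[i]), None if g[i + 1] is None else int(g[i + 1]))
              for i in range(0, 8, 2)]
    prefix = 32 if g[8] is None else int(g[8])
    for lo, hi in octets:
        if lo > 255 or (hi is not None and (hi > 255 or hi < lo)):
            raise ValueError(f"invalid octet or range in {entry!r}")
    ranged = [i for i, (_, hi) in enumerate(octets) if hi is not None]
    if len(ranged) > 1:
        raise ValueError(f"hyphenated range must be in a single octet: {entry!r}")
    if not ranged:
        # ip_network() is strict by default: host bits set under a prefix raise ValueError.
        return [ipaddress.ip_network(".".join(str(lo) for lo, _ in octets) + f"/{prefix}")]
    pos = ranged[0]
    lo, hi = octets[pos]
    networks = []
    for value in range(lo, hi + 1):
        parts = [str(o[0]) for o in octets]
        parts[pos] = str(value)
        networks.append(ipaddress.ip_network(".".join(parts) + f"/{prefix}"))
    return networks


def is_valid_entry(entry: str) -> bool:
    """True when the entry parses under the slide's rules, False otherwise."""
    try:
        expand_entry(entry)
        return True
    except ValueError:
        return False


def build_host_groups(config: Dict[str, List[str]]) -> Dict[str, List[ipaddress.IPv4Network]]:
    """Expand every entry of every host group, failing fast on a bad entry."""
    return {name: [net for entry in entries for net in expand_entry(entry)]
            for name, entries in config.items()}


def classify(ip: str, groups: Dict[str, List[ipaddress.IPv4Network]]) -> List[str]:
    """Every host group containing ip; groups may overlap (Atlanta also holds PCI Devices)."""
    addr = ipaddress.ip_address(ip)
    return [name for name, nets in groups.items() if any(addr in net for net in nets)]


# Constructed from the "Configure Host Groups" table on the slides.
SAMPLE_HOST_GROUPS = {
    "DNS Server": ["10.10.30.15", "10.10.30.16"],
    "Vulnerability Scanner": ["10.203.0.207"],
    "Mail Server": ["10.10.30.23"],
    "Time Server": ["10.10.30.10"],
    "Public IP Address Space": ["209.182.184.0/24"],
    "Atlanta": ["10.201.0.0/16"],
    "PCI Devices": ["10.201.3.0/24"],
}
HOST_GROUPS = build_host_groups(SAMPLE_HOST_GROUPS)

if __name__ == "__main__":
    print(len(expand_entry("192.168.1.1-57")), "addresses")    # 57
    print(len(expand_entry("10.100-201.6.0/24")), "networks")  # 102
    print(classify("10.201.3.7", HOST_GROUPS))                  # ['Atlanta', 'PCI Devices']
    print(is_valid_entry("10.1-2.3-4.5"))                       # False
```

Because an address can fall into several groups at once (10.201.3.7 is both an Atlanta host and a PCI device), reports and security events key off the most specific group a host belongs to; this is also why the Undefined bucket shrinks as more ranges are classified.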
User Management
There are three default users on all Stealthwatch appliances:
• admin
• sysadmin
• root
Stealthwatch supports Role-Based Access Control. There are two broad categories of role:
• Data Roles
• Function Roles
Configure Custom User
Username: Access to Data; Access to Functions
• soc: read access to all data; access to all non-config functions
• helpdesk: read access only to Atlanta IP addresses; access to traffic graphs, top conversations, host snapshot, and flow table
• swadmin: full access; full admin access to all product configuration
Lab…
Classification of Customer Environment
Overview
Purpose of classification
Classify Public IP Space
Java Client
Web Client
Classification Techniques for servers
Purpose of Classification
The more hosts that are classified by their function, the more valuable the solution is.
Traffic processing and reports are more meaningful when we have as little Undefined traffic as possible.
For example: when investigating a security event, classification gives additional context about the IP address that is the source or destination of the traffic concerned.
Note: FILTERS ARE THE TOOL USED FOR CLASSIFICATION AND INVESTIGATION
Classify Public IP Space
Information about communication between two outside IPs shouldn’t exist on our on-premise Stealthwatch system.
This implies that one of the IPs must be a customer-owned public IP.
Classification Techniques for servers
Network Scanners
Traditional servers such as DNS, NTP, Web
Identity servers such as Active Directory
Classify Undefined Services & Application
Lab…
Detecting Indicators of Compromise (IoC)
Overview
Concept: IoC
IoC’s from Traffic Analysis
Security Model
Alarms
Lab
  • Create Custom Security events
  • Create Document
  • Create System Alarms
Indicator of Compromise
An artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion.
1. IDS/IPS Alerts
2. File hashes
3. Log Analysis (SIEM)
4. Behavioral Analysis
5. ...
IoC’s from Traffic Analysis
Behavioral Analysis
  • Leverages knowledge of known bad behavior
  • Policy and segmentation
Anomaly Detection
  • Identify a change from “normal”
Security Model (I)
Security Events
A security event is the mechanism that assigns index points to an alarm.
Alarms
Indicate significant behavior changes and policy violations
Known and unknown attacks generate alarms
Activity that falls outside the baseline, acceptable behavior or established policies
In a broad sense, there are three types of Alarms:
• Default
• Host Group
• Host
Security Model (II)
Lab
Create a custom security event for unauthorized access to a PCI host from the internet
  • A host sitting on the internet trying to RDP/SSH/Telnet to a local host
Create a custom document to show data related to internet traffic usage
Create a Stealthwatch system alarm
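An added example, not code from the INE slides or from Stealthwatch itself, showing in Python over constructed flow records the logic behind the first lab item above together with the earlier "Classify Public IP Space" slide: the custom security event fires when a host that belongs to no inside host group opens SSH, Telnet or RDP to a member of the PCI Devices group, and outside-to-outside flows are tallied so that an address recurring in them stands out as a candidate customer-owned public IP that still needs classifying. The host groups, flow records, port list and function names are this example's own assumptions; in the product the event itself is defined through the SMC.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Inside host groups, constructed for this example from the "Configure Host Groups"
# slide. Anything that matches no group here is treated as an Outside host.
INSIDE_GROUPS: Dict[str, List[ipaddress.IPv4Network]] = {
    "Atlanta": [ipaddress.ip_network("10.201.0.0/16")],
    "PCI Devices": [ipaddress.ip_network("10.201.3.0/24")],
    "Public IP Address Space": [ipaddress.ip_network("209.182.184.0/24")],
}

# Remote-administration services named in the lab (TCP destination ports).
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP"}


@dataclass(frozen=True)
class Flow:
    """A minimal conversation record: who talked to whom, on which port."""
    src: str
    dst: str
    dst_port: int
    protocol: str  # "tcp" or "udp"


def groups_for(ip: str) -> List[str]:
    """Every inside host group that contains ip; empty for an Outside host."""
    addr = ipaddress.ip_address(ip)
    return [name for name, nets in INSIDE_GROUPS.items() if any(addr in n for n in nets)]


def is_inside(ip: str) -> bool:
    return bool(groups_for(ip))


def unauthorized_pci_access(flows: Iterable[Flow]) -> List[str]:
    """Custom security event from the lab: an Outside host opening SSH, Telnet or
    RDP towards a member of the PCI Devices host group. Inside-to-inside admin
    traffic and non-admin ports are deliberately not matched here."""
    events = []
    for f in flows:
        if f.protocol != "tcp" or f.dst_port not in ADMIN_PORTS:
            continue
        if is_inside(f.src) or "PCI Devices" not in groups_for(f.dst):
            continue
        events.append(f"{ADMIN_PORTS[f.dst_port]} from outside host {f.src} to PCI host {f.dst}")
    return events


def candidate_public_ips(flows: Iterable[Flow]) -> Counter:
    """Classification hint from the "Classify Public IP Space" slide: an on-premise
    collector should never see a flow whose endpoints are both Outside, so each
    endpoint of such a flow is tallied; the address that keeps recurring is the
    likely customer-owned public IP that still needs a host group."""
    tally: Counter = Counter()
    for f in flows:
        if not is_inside(f.src) and not is_inside(f.dst):
            tally[f.src] += 1
            tally[f.dst] += 1
    return tally


# Constructed sample flows (documentation address ranges, not real hosts).
SAMPLE_FLOWS = [
    Flow("198.51.100.7", "10.201.3.20", 3389, "tcp"),   # outside -> PCI over RDP: event
    Flow("10.201.50.4", "10.201.3.20", 22, "tcp"),      # Atlanta -> PCI over SSH: inside, no event
    Flow("198.51.100.9", "10.201.3.21", 443, "tcp"),    # outside -> PCI over HTTPS: not an admin port
    Flow("198.51.100.9", "10.201.3.21", 23, "tcp"),     # outside -> PCI over Telnet: event
    Flow("203.0.113.10", "198.51.100.20", 443, "tcp"),  # outside <-> outside: classification hint
    Flow("203.0.113.10", "198.51.100.21", 443, "tcp"),
    Flow("198.51.100.22", "203.0.113.10", 25, "tcp"),
]

if __name__ == "__main__":
    for event in unauthorized_pci_access(SAMPLE_FLOWS):
        print("SECURITY EVENT:", event)
    for ip, count in candidate_public_ips(SAMPLE_FLOWS).most_common(3):
        print(f"candidate customer-owned public IP {ip}: seen in {count} outside-to-outside flows")
```

The Public IP Address Space group is treated as inside on purpose: once a customer-owned public range has been classified, flows involving it stop looking like outside-to-outside conversations, which is exactly the feedback loop the classification slides describe.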
Lab…
SNMP, Storage, Backup & Upgrade
Overview
SNMP
Storage Capacity
Configuration Backup
Stealthwatch Upgrade
SNMP
Gives the ability to monitor the appliance via an external mechanism.
Best practice.
Example: avoid critical issues because of which the SMC doesn’t issue System Alarms
Configured via the SNMP agent
SNMP agent settings do not interact with the SMC polling exporters and have no relation to Response Management on the SMC
Storage Capacity
Storage space depends on the appliance model purchased, or on the amount of storage assigned to virtual appliances.
Database Storage Statistics
When the hard disk on the FC reaches maximum capacity, it deletes the oldest data to make room for newer data.
Method to increase storage for Flow data.
Configuration Backups
Stealthwatch appliances save a configuration backup locally on a daily basis.
The configuration backup procedure happens automatically at a scheduled time.
If the appliance fails or is reset to factory defaults, locally saved configuration backups will not be available.
Configuration backup to an external machine is critical
Stealthwatch Upgrade (I)
Two methods to upgrade a Stealthwatch appliance:
• The SMC pushes out the upgrade to the appliances it manages
• Manual upgrade
Upgrade time varies depending on how long the Stealthwatch appliance has been up and on the amount of data. It can take well above 45 minutes.
Official upgrade order as of 6.9.x:
1. UDP Director
2. Flow Collector [for FC5000, the DB node should be upgraded before the engine node]
3. Secondary SMC
4. Primary SMC
5. Flow Sensor
Stealthwatch Upgrade (II)
Stealthwatch update process for each appliance:
1. Check version compatibility. There is a specific upgrade path.
2. Perform a configuration backup.
3. Create a diagnostic pack
  • An encrypted archive file for troubleshooting in case of update/device failure
  • On a large system, creating it may time out. To overcome this, run the command “dodiagpack” via SSH; this command doesn’t time out
  • The command creates the file under /lancope/var/admin/diagnostics
4. Restart the appliance
  • The device must be up for a minimum of 1 hour but not over 7 days
  • Outside this window, SWU files will not install because of the migration safety switch
5. Apply the update
Lab…