Cisco Stealthwatch

Hey everyone, I'm Charles Judd. I've been wrapping up production on the SCOR 350-701 video training series this week, so I thought I'd share a topic from that blueprint with you. In this video today we're going to take a look at the features and advantages of using Cisco Stealthwatch, including a look at all the information available to us from the Stealthwatch dashboard.

Cisco Stealthwatch is a security tool that gives us very deep and detailed visibility into our network, allowing us to keep track of everything happening through network telemetry. At the top we can see several alarm categories, and for each category you can see a number below. These numbers indicate how many network endpoints are currently exhibiting that particular behavior. So, for example, if we click on this Recon section to take a look at that, you can see there are currently four endpoints listed under Recon, and clicking that category is going to bring us to a list of these affected hosts. With the Recon category specifically, hosts would trigger this alarm if they are performing unauthorized scans using TCP or UDP against hosts in the network, and that can be an early indicator that someone is gathering intel about our network. The first column we see here is the Concern Index, or CI. The Concern Index is essentially a measure of repetition, so this first host in the list has obviously been performing some repetitious scanning behavior on the network.

If we go back to our main dashboard for network security, below our alarming host categories we also see some intuitive graphical representations of our network activity. We can see the Top Alarming Hosts category listed here, we can see a breakdown of the alarms by type, and we see the alarms that have happened today. This is a really great way to get a quick idea about what's currently happening in the network at any given time. Below that we see a section for Cognitive Threat Analytics, which uses Cisco Cognitive Intelligence. This is their cloud-based machine learning engine, and this is used to automatically identify suspicious or malicious web traffic. Cisco Cognitive Intelligence automatically analyzes over 10 billion web requests every day, so it has the ability to create a baseline of normal activity on your network and use that analytical data to identify any traffic anomalies that might be found. Beside that we have a Flow Collection Trend window. Stealthwatch leverages network telemetry using NetFlow data, and this area is going to give you a quick look at the flows per second that were detected within the last 24 hours of operation, so this is going to allow you to see spikes in your traffic from a high level. And next to that we have a view of the top applications communicating in our network.

If we go back up to our Top Alarming Hosts window, we can see here, if we use this second particular host as an example, that this host is exhibiting behavior of data hoarding and recon, it has a very high Concern Index, and it is exhibiting exfiltration behavior. If we click on the host itself, we're going to see summary information related to the host under the Host Summary. If we scroll down just a bit, notice we have a listing of host groups here, so Stealthwatch will categorize our endpoints into host groups. We can see that this particular host is a member of several groups, and it appears as though this is a Sales and Marketing desktop located in Atlanta. Beside that we have a breakdown of the traffic communication for this host. You can see on the left we have communication between our internal host groups which this host has been communicating with on our network, and on the right we see a list of external communication as well, and we can see our alarms by type on the right side.

If we scroll down, we're going to see the top security events for this host. The top event, as you can see, is Data Hoarding, so if we click on that and we actually expand that area, we're told that this host has been downloading an unusual amount of data from one or more hosts in the network. You can see the expected data download for this host is zero bytes, so that means that under normal operations this host doesn't typically download a lot of data, and we have a tolerance of up to 50 MB before an alarm is triggered. So what this is saying is that, based on the historical patterns exhibited by this host, this host very rarely downloads data from our network; however, we can see that currently it has been observed downloading almost 750 MB, which is certainly a concern. Below that we see a Port Scan security event that we can click on and look at some details about. So this host is attempting to connect to an excessive number of ports on the network, and you can see that the target for these port scans, listed here on the right, are the confidential servers located in Atlanta. So that is certainly a concern, certainly not a good thing to see.

If we go back up to our Host Summary area, notice here we see an ISE ANC policy. So we have options, in other words, for using Stealthwatch's integrated Cisco Identity Services to allow for Adaptive Network Control; that's what ANC stands for. This would allow you to perform actions such as shutting down the host or quarantining the host from the network.

We can also use our top Monitor menu to take a look at specific hosts, host groups, users, or interfaces. So if we look at that, let's go to our Monitor menu, and we see those options listed under that. This will show us a list of all hosts by default, and we can filter those out more specifically. We can see our overall Concern Index for any particular host, as well as the alarm categories that we saw from the main dashboard. Under the Analyze menu at the top we can perform flow searches or host searches, and we can see any saved searches or results. We also have a Copyright Infringement option that we see. This would be used in cases where you may receive a copyright infringement email from an entity, and using the information included in that email, which would typically include things like the IP address that was offending, the port number, the date, and the time, that would allow you to take this information and track down the endpoint for further action. And the Jobs menu will allow us to create several saved and ongoing flow queries that we can execute within Stealthwatch.

So that's a look at some of the information gathered by Stealthwatch and how we can use that to protect our network.
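The two host-level security events the video walks through (Data Hoarding, with its expected-bytes baseline plus tolerance, and Port Scan, an excessive number of distinct ports touched on a target) and the copyright-infringement flow search (IP address, port, date and time) can be re-created in miniature over NetFlow-style records. The block below is an added example written for this page; it is not Stealthwatch's own code or its scoring algorithm. The host addresses, the 25-port probe, the 20-port scan threshold and the 30-minute search window are all hypothetical; only the 0-byte expected / 50 MB tolerance numbers mirror what the dashboard showed in the video.

```python
"""
Added illustration only (not Stealthwatch code): Data Hoarding and Port Scan
checks plus a copyright-notice style flow search, run over constructed
NetFlow-style records. All addresses and thresholds are hypothetical.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

MB = 1024 * 1024

# One NetFlow-style record. bytes_to_src is the payload the *source* received
# in the flow, i.e. what the initiating host downloaded from dst.
Flow = namedtuple("Flow", "ts src dst dst_port bytes_to_src")


def _flow(ts, src, dst, dst_port, bytes_to_src=0):
    return Flow(datetime.fromisoformat(ts), src, dst, dst_port, bytes_to_src)


# Constructed sample telemetry (not captured data).
FLOWS = [
    # 10.1.20.15: a desktop pulling ~740 MB from two internal servers
    _flow("2021-01-29T09:00:00", "10.1.20.15", "10.1.50.5", 445, 400 * MB),
    _flow("2021-01-29T09:05:00", "10.1.20.15", "10.1.50.6", 445, 340 * MB),
    _flow("2021-01-29T09:06:00", "10.1.20.15", "10.1.50.6", 22),
    # 10.1.20.99: an ordinary desktop with a small download
    _flow("2021-01-29T09:07:00", "10.1.20.99", "10.1.50.5", 443, 2 * MB),
    # Two internal hosts talking to an external peer a notice might cite
    _flow("2021-01-29T14:00:00", "10.1.20.77", "203.0.113.9", 6881, 3 * MB),
    _flow("2021-01-29T21:10:00", "10.1.20.42", "203.0.113.9", 6881, 12 * MB),
]
# 10.1.20.15 also probes 25 consecutive ports on 10.1.50.6 with empty flows,
# the repetitive behaviour that the video's Recon / Port Scan events describe.
FLOWS += [_flow("2021-01-29T09:10:00", "10.1.20.15", "10.1.50.6", p)
          for p in range(1000, 1025)]


def bytes_downloaded(flows, host):
    """Total bytes the host received as the flow initiator (its downloads)."""
    return sum(f.bytes_to_src for f in flows if f.src == host)


def data_hoarding_alarm(flows, host, expected_bytes, tolerance_bytes):
    """Data Hoarding style check: alarm when observed downloads exceed the
    host's expected baseline plus tolerance. Returns (observed_bytes, alarmed)."""
    observed = bytes_downloaded(flows, host)
    return observed, observed > expected_bytes + tolerance_bytes


def port_scan_targets(flows, host, min_ports=20):
    """Port Scan style check: destinations on which the host touched at least
    min_ports distinct ports (min_ports is a hypothetical threshold)."""
    ports = defaultdict(set)
    for f in flows:
        if f.src == host:
            ports[f.dst].add(f.dst_port)
    return {dst: len(p) for dst, p in ports.items() if len(p) >= min_ports}


def suspect_endpoints(flows, remote_ip, remote_port, when, window_minutes=30):
    """Flow search for a copyright-notice lookup: which internal hosts spoke to
    remote_ip:remote_port within +/- window_minutes of the cited time."""
    centre = datetime.fromisoformat(when)
    delta = timedelta(minutes=window_minutes)
    hits = [f for f in flows
            if f.dst == remote_ip and f.dst_port == remote_port
            and centre - delta <= f.ts <= centre + delta]
    return sorted({f.src for f in hits})


if __name__ == "__main__":
    for host in ("10.1.20.15", "10.1.20.99"):
        observed, alarmed = data_hoarding_alarm(FLOWS, host, 0, 50 * MB)
        print(f"{host}: downloaded {observed // MB} MB, data hoarding alarm={alarmed}")
        print(f"{host}: port scan targets {port_scan_targets(FLOWS, host)}")
    print("notice 203.0.113.9:6881 at 2021-01-29 21:14 ->",
          suspect_endpoints(FLOWS, "203.0.113.9", 6881, "2021-01-29T21:14:00"))
```

The flow search deliberately constrains on the remote IP, the remote port and a time window together; matching on the IP alone would implicate 10.1.20.77 as well, which talked to the same peer hours earlier. In a real deployment the expected-bytes baseline would come from the host's own history rather than a constant, which is what makes the zero-byte expectation in the video meaningful for that particular desktop.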
Info
Channel: Kevin Wallace Training, LLC
Views: 3,965
Rating: 5 out of 5
Keywords: cisco, networking, ccna, ccnp, ccie, kwtrain, scor, Cisco Stealthwatch
Id: 6ClG8b4Vtlc
Length: 7min 5sec (425 seconds)
Published: Fri Jan 29 2021