Security ChalkTalks: Learn Cisco Stealthwatch

Video Statistics and Information

Captions
Hello team, my name is Jose Fernandez, I'm a security camera engineer with Cisco, and today we're going to be talking about Stealthwatch. We're going to be doing a whiteboard session around this product. So there are three main purposes, or objectives, around Stealthwatch, our three value propositions around Stealthwatch: one is visibility, the second objective of Stealthwatch is detection, and the third objective is incident response or mitigation.

So let's focus right now on visibility. When we're talking about visibility, let's say you have your network, you have your cloud, you have your WAN router, your firewall, you have your core switch, and then you have your access layer switches, and then you have your networks here on the side. So the nice thing about Stealthwatch is that not only are you going to get visibility, north-south visibility, but more importantly you're going to have the east-west visibility, or lateral visibility. So what that means is that you're going to gain, or you're going to be able to see, every conversation at the host level of what's happening inside of that network, and when I refer to the network I refer to not only the physical network but also the virtual network and the cloud. Now this is exactly what we call inside of Cisco "the network as a sensor": it's the ability that you have as a customer to get that visibility without having to add anything to that network, you can actually leverage that network. You don't have to buy endpoints, you don't have to add probes, you don't have to buy agents and place agents in every single computer. The way this works is that we use a protocol called NetFlow, and NetFlow is a layer three protocol that was actually created by Cisco, invented by Cisco, many years ago. Now some of our competitors, they also have other protocols, so for instance they have what they call sFlow, cFlow, jFlow, Qflow, IPFIX, as an example, and so on and so forth. The nice thing about this is that Stealthwatch, you know, can actually consume all these different flows; it doesn't have to be only NetFlow, we can actually consume the other flows. So that's how we gain that visibility, and we provide once again the visibility of every conversation inside of the network.

Now the second objective, or second value proposition, around Stealthwatch is detection. When we're talking about detection, we're detecting any anomaly that's happening inside of the network, and there are two stakeholders within an organization that really pay attention to what Stealthwatch can do for them: one is the security team and the other one is the networking team. Now from the security team, why do they care about a solution like Stealthwatch? Well, because Stealthwatch is going to be able to detect advanced persistent threats, it's going to be able to detect botnets, it's going to be able to detect malware, it's going to be able to detect DDoS attacks, data exfiltration, and more importantly it's going to be able to detect zero-day attacks. Remember, the zero-day attacks are attacks based on behavior, so one of the nice features that Stealthwatch has is that it does behavioral analytics. So not only is it going to be able to do some signature-based applications, but it's more of a behavioral solution, a behavioral analytics solution, because it's going to pay attention to every bad behavior that's happening inside of the network. Now from the networking perspective, why do stakeholders within an organization care about Stealthwatch? Well, you can actually see, or detect, or monitor who are your top hosts inside of your environment, which ones are your top applications (and I'll get back to applications a little later), and also we can talk about network latency, as an example, or network performance. Okay, so when we talk about network performance, typically an organization has an issue detecting this type of behavior. Why? Because sometimes the network people start blaming the application people within the same organization, or the application people turn around and start blaming the networking group. Now with Stealthwatch, in a couple of clicks, you should be able to detect: is this due to the network, is the network performance due to an application issue, or is it due to a security problem that they may have? So it's a very simple way to solve that problem in an organization today.

And the third objective of Stealthwatch is incident response. When we're talking about incident response and mitigation, we can actually store data in our databases for, you know, a year, so the customer can actually go back in time and see really what happened inside of my network: not only what's happening today in my network but what happened three weeks ago, what happened six months ago. But also, from the mitigation perspective, I can actually send actions from Stealthwatch to multiple components inside of my network. I can send actions to a router, as an example, and send a script of a Null0 route; I can also send an action to a firewall and send a shun command; or I can send an action to ISE, which is our Identity Services Engine. And when we talk about mitigation and adding ISE to this entire ecosystem, then we're talking about "the network as an enforcer". So the network as a sensor is the ability that you have as a customer to gain that visibility without having to add anything to the network, and then the network as an enforcer is now utilizing ISE, or Identity Services Engine, or NAC, network access control, to be able to mitigate that particular attack.

Now the architecture of Stealthwatch is very simple: we have a component called a flow collector and we have the management console. This is really the basic architecture of Stealthwatch, there's nothing more to it. Now this architecture comes in two different flavors: there's a virtual, it can actually be deployed in a virtual environment, or it can be an appliance, and we have multiple models of the flow collector. So for instance, the smallest flow collector can process 30,000 flows per second; the largest collector can process up to 240,000 flows per second. Now the way this works is that you find strategic locations within the network to actually send those NetFlows. So let's say you can actually generate a NetFlow from your core switch and send it over, or from your firewall and send it over to the collector, or from your router, so you can actually find strategic locations where I want to send that flow. Once that flow hits the flow collector, the flow collector is going to correlate all that data, it's going to stitch all that data together, and it's going to eliminate any kind of duplicity inside of that message. It's going to store that message, or the flows, into a database, which gives you that incident response or mitigation or the forensics ability to go back in time, and then it's going to compare those flows with security algorithms, that's what provides the security intelligence that I was talking about, and it's going to generate a baseline. So if there is a host inside of the network, we're going to study the behavior of that particular host and we're going to generate a baseline; if there is a deviation from that baseline, then we're going to trigger an alert. Okay, and that's really how Stealthwatch works. Now the flow collector again is the brain of the operation, where all that magic happens.

Now let's say for instance that you have an access layer switch that's not NetFlow capable. So let's talk about, as an example, a Cisco 2960. By the way, the 2960-X, they now support full NetFlow, but the 2960 has something called limited NetFlow, and with limited NetFlow we're not going to be able to process all that flow within Stealthwatch. So what we do then, let's say you as a customer wanted to gain visibility of what's really happening from that access layer switch into this network, and you want to have full visibility, east-west visibility, of what's happening there: one thing that you can do is actually connect this access layer switch to another component of Stealthwatch called the flow sensor. And the flow sensor has multiple functionalities. The first one is, once we collect the data packet out of that SPAN, we're going to grab that data packet and we're going to transform that data packet into full NetFlow, so now we're going to send that full NetFlow into this flow collector; so that's function number one of a flow sensor. But while the flow sensor is doing that, it's also doing something called DPI, or deep packet inspection, and when it does the DPI it's getting inside of the payload a little bit and it's pulling information like layer seven information, so the applications, what kind of applications we are seeing in the network today, whether they are Netflix, Facebook, Twitter, etc. We can also pull out a couple of attributes called the RTT and the SRT; the RTT stands for round-trip time and the SRT stands for server response time. So when we're talking about network performance and understanding how your network is, you know, working today, then we certainly use these two attributes to make that calculation; so we use the RTT and the SRT to be able to understand your network performance or latencies. Then, if the user or the customer has a use case requirement around applications or layer 7 information, then we're going to need the flow sensor to be able to give us that capability. So that's exactly why I underlined top applications, because we're going to be able to pull that information out of the flow sensor. Now there is another component, and by the way, once again, the flow sensor is just an option, it's not part of the basic architecture, but it definitely plays a very important role.

Let's talk about ISE, because ISE is very important in our Stealthwatch ecosystem, or solution, or the deployments that we do today. ISE actually is our Identity Services Engine, or network access control, and ISE has two different functions, or it achieves two different functionalities, within this ecosystem. Functionality number one is that it adds user information into that NetFlow: it actually feeds into the NetFlow the user ID, because our ISE component can actually integrate with an LDAP or Active Directory in the backend, so it sends out the user information, device type and MAC address. So when you're looking at your network, as an example, let's say you're looking at IP address 10.10.1.1 inside of your network, but now we can actually put together a story and we can say, you know what, that 10.10.1.1 belongs to John, and John has an iPad and he's doing X, Y and Z. So that's why we can actually correlate and we can put all that data together, and once again that's done by the flow collector. Now the other functionality of ISE: Stealthwatch, remember, is going to look at every behavior that's happening inside of the network, and if I see that John is doing something really bad, John who is at 10.10.1.1, in a very suspicious manner, then Stealthwatch is going to send an action to ISE via the pxGrid API and it's going to tell ISE, hey ISE, you know what, there's something wrong with John, he's doing something that he's not supposed to be doing, so you've got to stop him, you've got to put him into a VLAN, a quarantine VLAN, so that he's not operating any longer inside of the network. And not only is ISE going to send John as a user to this VLAN but also the device that he's connecting with. So that's exactly what ISE can do for us, and that's why we call it the network as an enforcer: it's the ability that we have, or the integration that exists today, between ISE and Stealthwatch.

Now there is another component inside the Stealthwatch solution that is called a packet analyzer, so let's put it right here, packet analyzer. And the packet analyzer also connects to a switch, as an example, via a SPAN port. Let me give you this example: let's say Stealthwatch detects a bad behavior inside of the network, but you as a customer still want to understand what initiated that behavior, and you want to go deep into the packet itself and drill down into the packet to understand really what happened inside of the network. Then that's when we use the packet analyzer. The packet analyzer is a 42 terabyte rolling buffer, and what it is is that it's only going to store up to 42 terabytes, so whether that represents a single day of work or represents an entire week, that's really up to how much data we're processing at that time. But the nice thing about it is that from the management console of Stealthwatch you can just right-click on that behavior and it sends you right into the packet analyzer, kind of like a Wireshark interface, to see exactly what's really happening inside of the packet, and you can drill down into it. So it's very important, again, this is called a packet analyzer.

Now there's another component that is optional as well for Stealthwatch, and it's called a UDP director. The UDP director is utilized every time, let's say, a customer has, in the scenario of this particular network, let's call it, a SIEM, and the SIEM is already getting NetFlow from a particular component, let's say it's already getting NetFlow from the core switch. Well, there's some limitation as to the number of sessions that you can have per switch or per router or firewall in terms of the NetFlows that you generate, and that limitation is set to two, and already when you set it to two sessions you're already pushing it, already creating overhead, or a situation of a performance overhead inside of that switch. So the reason behind the UDP director is that now we can actually eliminate that connection that is going to the SIEM, so we can eliminate that connection and we can send a single NetFlow out to the UDP director, and the UDP director then replicates that data, or it makes copies of that data, call it the photocopy machine, and it just really streams it. So it gets a single UDP message and it makes copies as many times as you need it and redistributes that message throughout the entire network, so one of those messages can actually go to our flow collector and the other message can go to the SIEM that you have inside of the network. So the UDP director is an easy way to replicate the data.

The other component of Stealthwatch is the cloud component. With the cloud component, let's say you have an AWS type of application and you have different hosts inside of that cloud. Well, guess what, if you want to have visibility of that cloud, or what's happening inside of the cloud, you can actually install an agent; it's an agent approach, an agent type of deployment. So you deploy an agent in each one of those hosts and it's going to send data to what we call a data concentrator, and the concentrator is then going to collect that data from each one of the agents, it's going to transform that data into full NetFlow, and it's going to send it via a VPN connection, or a direct VPN connection, it's going to send that full NetFlow from the cloud to an on-premise flow collector. So again, this is a VPN connection, okay, so that's what the cloud is there for.

And then there's a few other components that I can also mention. One is called the AnyConnect license component, and that is for every AnyConnect client that you have out there; the latest versions of AnyConnect can actually support NetFlow, and it sends NetFlow to our flow collector, and you can start seeing visibility around hash information, file types, and even user information as well. Then we also have the proxy license component, and the proxy license is typically when you have a solution like this, you can only see from the beginning, or who initiated that message, all the way to the proxy, but you're completely blind to what's happening on the other side of the proxy. So with our proxy license you can actually have the full experience of where was the beginning and where's the end, and you can just tap that full visibility through that proxy.

So these are the components of Stealthwatch. It's pretty simple to present, very easy to recommend to a customer, and very easy to deploy; in fact you're going to deploy a solution like this in less than an hour, and it's like turning a light switch on in a dark room: when you walk into a dark room, when you turn the light switch on, you're going to see a whole bunch of stuff inside of that network, and this is one of the greatest advantages of having a solution like Stealthwatch. Thank you very much for your time for watching this video, and if you have any questions please contact me at jose fe2 at cisco.com. Thank you very much.
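The collector pipeline the speaker describes (eliminate duplicate reports from several exporters, stitch the two legs of a conversation together, baseline each host and alert on a deviation), as an added Python example that is not Cisco's code; the record layout, the hosts, the byte counts and the 3-sigma threshold are constructed assumptions.

```python
"""Toy flow collector: dedupe, stitch and baseline NetFlow-style records.
Added example, not Cisco's code; all records below are constructed."""
from statistics import mean, pstdev

# Constructed unidirectional flow records: the core switch and the firewall
# both report the same client->server leg (proto 6 = TCP, 445 = SMB).
FLOWS = [
    {"exporter": "core", "src": "10.10.1.1", "dst": "10.10.2.5",
     "sport": 51000, "dport": 445, "proto": 6, "bytes": 1200},
    {"exporter": "fw", "src": "10.10.1.1", "dst": "10.10.2.5",
     "sport": 51000, "dport": 445, "proto": 6, "bytes": 1200},   # duplicate
    {"exporter": "core", "src": "10.10.2.5", "dst": "10.10.1.1",
     "sport": 445, "dport": 51000, "proto": 6, "bytes": 8000},   # reverse leg
]


def conversation_key(f):
    """Direction-agnostic key so both legs of a conversation land together."""
    a, b = (f["src"], f["sport"]), (f["dst"], f["dport"])
    return (min(a, b), max(a, b), f["proto"])


def stitch(flows):
    """Drop legs duplicated by several exporters, then merge the two legs of
    each conversation into one bidirectional record (client = first src)."""
    seen, convs = set(), {}
    for f in flows:
        leg = (f["src"], f["dst"], f["sport"], f["dport"], f["proto"])
        if leg in seen:          # same leg already reported by another exporter
            continue
        seen.add(leg)
        c = convs.setdefault(conversation_key(f), {
            "client": f["src"], "server": f["dst"], "bytes_out": 0, "bytes_in": 0})
        if f["src"] == c["client"]:
            c["bytes_out"] += f["bytes"]
        else:
            c["bytes_in"] += f["bytes"]
    return list(convs.values())


def baseline_alerts(history, today, k=3.0):
    """history: host -> past daily outbound byte totals; today: host -> total.
    Alert on a host whose value exceeds its own mean by k standard deviations
    (a 10% floor keeps a flat baseline from alerting on any tiny change)."""
    alerts = {}
    for host, series in history.items():
        mu, sigma = mean(series), pstdev(series)
        if today.get(host, 0) > mu + k * max(sigma, 0.1 * mu):
            alerts[host] = today[host]
    return alerts


if __name__ == "__main__":
    print(stitch(FLOWS))
    print(baseline_alerts({"10.10.1.1": [100, 120, 110, 90, 130]}, {"10.10.1.1": 5000}))
```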
Info
Channel: Cisco
Views: 57,257
Rating: 4.9321151 out of 5
Keywords: Stealthwatch
Id: MZr_V2L-RXk
Length: 20min 18sec (1218 seconds)
Published: Tue Aug 15 2017