# Benefitting from Additional Cisco Security Products

## Cisco Stealthwatch

### Stealthwatch Components

- Stealthwatch Management Console
- Stealthwatch Flow Collector
- Flows Per Second License
- Stealthwatch Flow Sensor
- UDP Director

## AnyConnect Network Visibility Module and Stealthwatch Cloud

### Network Visibility Module

- Installs on a host system as an application
- Configure what data to collect and where to send it
- Gain information on processes, PIDs, services

### Stealthwatch Cloud

- Behavior analytics cloud offering
- Uses native telemetry sources
  - AWS VPC flow logs
  - Azure NSG flow logs

### Stealthwatch Cloud Modeling

- Forecast: Predicts future behavior based on past activities
- Group: Compares entity/host to similar ones
- Role: Categorizes role based on traffic seen
- Rule: Detects when policies are violated
- Consistency: When a device veers heavily from the baseline/normal behavior
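The "Consistency" model above is easiest to understand as a baseline comparison: learn what a host normally does, then flag the day it deviates far from that. The block below is an added illustration, not Stealthwatch Cloud's own algorithm or code; it assumes a constructed table of per-host daily outbound byte counts (the values are made up) and uses a plain z-score against the host's own history. The `FLOOR_RATIO` guard is a design choice of this example: a host with a perfectly flat history would otherwise have a standard deviation of zero and every tiny change would look infinite.

```python
import statistics
from dataclasses import dataclass

# Constructed sample data: outbound bytes per host for the last 7 days.
# Hypothetical values chosen for illustration only.
BASELINE_DAYS = {
    "10.0.0.5": [1.2e6, 1.1e6, 1.3e6, 1.0e6, 1.25e6, 1.15e6, 1.2e6],
    "10.0.0.9": [5.0e5, 4.8e5, 5.2e5, 5.1e5, 4.9e5, 5.0e5, 5.3e5],
}
# Constructed observation for "today": 10.0.0.9 suddenly moves ~20x its norm.
TODAY = {"10.0.0.5": 1.22e6, "10.0.0.9": 9.6e6}

# Minimum standard deviation as a fraction of the mean (example-specific guard,
# keeps a flat history from producing an infinite z-score).
FLOOR_RATIO = 0.01


@dataclass
class Finding:
    host: str
    observed: float
    baseline_mean: float
    zscore: float


def zscore(value: float, history: list[float]) -> float:
    """Standard score of `value` against the host's own history."""
    mean = statistics.fmean(history)
    stdev = statistics.pstdev(history)
    stdev = max(stdev, abs(mean) * FLOOR_RATIO, 1e-9)
    return (value - mean) / stdev


def detect_deviations(baseline: dict, today: dict, threshold: float = 3.0) -> list[Finding]:
    """Return one Finding per host whose current value exceeds `threshold`
    standard deviations above or below its learned baseline."""
    findings = []
    for host, observed in today.items():
        history = baseline.get(host)
        if not history:
            # No baseline yet: a real system would keep learning rather than alert.
            continue
        z = zscore(observed, history)
        if abs(z) >= threshold:
            findings.append(Finding(host, observed, statistics.fmean(history), z))
    return findings


if __name__ == "__main__":
    for f in detect_deviations(BASELINE_DAYS, TODAY):
        print(f"{f.host}: observed {f.observed:.3g} bytes, "
              f"baseline mean {f.baseline_mean:.3g}, z={f.zscore:.1f}")
```

Only `10.0.0.9` is reported; `10.0.0.5` moves well within its normal spread. A production model would use many more features than one byte counter (peer sets, ports, time of day), which is what the Group and Role models add on top of this kind of per-entity baseline.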
## Cognitive Threat Analytics and Encrypted Traffic Analytics

### Cognitive Threat Analytics

- CTA for short
- Uses machine learning and data sharing
- Analyzes network and endpoint telemetry
- Correlates your activity with known threats
- Provides risk assessment for threats
- cognitive.cisco.com

### Encrypted Traffic Analytics

- ETA for short
- Analyzes encrypted traffic
- Doesn't need to decrypt packets
- Helps with compliance
- See what cipher suites are being used

#### What You Need For ETA

- Network device capable of enhanced NetFlow
- Internet connection for Stealthwatch
- CTA/ETA turned on
- Enhanced NetFlow, which is sent to the Flow Collector and contains metadata and packet stream information
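The point that ETA can report cipher suites without decrypting anything follows from how TLS works: the ClientHello is sent in cleartext before any key exchange, so the offered suites are visible to a passive observer. The block below is an added example of that idea, not ETA's own feature extraction or any Cisco code. It builds a minimal ClientHello from constructed bytes, parses the `cipher_suites` field back out, and checks the offered suites against a small, constructed "weak suite" list of the kind a compliance policy might use.

```python
import struct

# Small lookup of IANA cipher suite codes to names (subset, for illustration).
SUITE_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}
# Constructed compliance policy: suites to flag (3DES, static-RSA CBC).
WEAK_SUITES = {0x000A, 0x002F}


def build_client_hello(suites: list[int]) -> bytes:
    """Constructed minimal TLS 1.2-style ClientHello record (no extensions)."""
    body = b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session_id
    cs = b"".join(struct.pack(">H", s) for s in suites)
    body += struct.pack(">H", len(cs)) + cs            # cipher_suites<2..2^16-2>
    body += b"\x01\x00"                                # one compression method: null
    body += b"\x00\x00"                                # extensions length 0
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type=client_hello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello_suites(data: bytes) -> list[int]:
    """Extract offered cipher suite codes from a raw TLS record holding a ClientHello.
    Everything read here is cleartext on the wire; no keys are involved."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", data[3:5])[0]
    rec = data[5:5 + rec_len]
    if len(rec) < 4 or rec[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(rec[1:4], "big")
    body = rec[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                       # skip client_version and random
    sid_len = body[pos]
    pos += 1 + sid_len                                 # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def assess(suites: list[int]) -> dict:
    """Name each offered suite and list the ones the constructed policy flags."""
    return {
        "offered": [SUITE_NAMES.get(s, f"unknown_0x{s:04x}") for s in suites],
        "weak": [SUITE_NAMES[s] for s in suites if s in WEAK_SUITES],
    }


if __name__ == "__main__":
    hello = build_client_hello([0x1301, 0xC02F, 0x000A])
    print(assess(parse_client_hello_suites(hello)))
```

In practice a sensor sees this data in the first packets of each flow and exports it as NetFlow fields rather than re-parsing records in Python, but the information content is the same: which suites a client offers (and which one the server picks, from the ServerHello) is observable without breaking the encryption.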
## Cisco pxGrid

Provides a unified framework that enables ecosystem partners to integrate with, then share context either unidirectionally or bidirectionally without the need to adopt special APIs.

### pxGrid Ecosystem

- ISE is the brain behind Cisco's pxGrid implementation!
- Subscribers and publishers
- No changing the data format
- Information can be consumed by all desired subscribers

### Adaptive Network Control

- ISE capability that uses special policies to restrict or allow access on the network
- Quarantine policy as an example; cut off access via RADIUS CoA for the endpoint or user in question
- Do not need to change overall network policies to enforce!

### Rapid Threat Containment

- Provides additional automation for discovering and mitigating threats
- Learn, Detect, Respond, Contain
- Uses CVSS and STIX standards

## Cisco Umbrella Investigate

Helps fill the gaps left by other security technologies.

### What Does It Do?

- Gives you risk scores, request patterns, domain context information, key events, and more
- Looks for relationships between the malware, domains, IP addresses, networks, and more

### Guilt?

- Guilt by association
- Guilt by inference
- Patterns of guilt