Detect Threats Faster | PPTX
Detect Threats Faster
CISCO STEALTHWATCH: NETWORK VISIBILITY & SECURITY ANALYTICS
Overview
INTRODUCTION: LANCOPE
ATTACK CONTINUUM
SECURITY: THE CURRENT STATE
• Existing Security Stack
• Impact
LANCOPE SECURITY
• Network Sees Everything
• NetFlow Analytics with Stealthwatch
STEALTHWATCH SYSTEM
INSIDER THREATS
• Regulations
• Detection Points
• Network & Host Indicators
STEALTHWATCH IN ACTION
LANCOPE VALUE
With Lancope, our security solutions extend protection further into the network.
Lancope provides unmatched visibility leveraging telemetry from the network to allow customers to see more and identify threats faster. Leader in NBA/NBAD.
HISTORY Founded 2000
OWNERSHIP Privately held
HEADQUARTERS Headquartered in Alpharetta, GA, smaller regional offices in US, UK, UAE
LEADERSHIP
• Mike Potts, CEO
• Tim Keanini, CTO
• David Cocchiara, COO/CFO
• David Scruggs, VP Sales
NO. OF EMPLOYEES ~300 employees
CUSTOMERS
Blue Chip customer base, including financial services, healthcare, retail, technology, manufacturing, education, service providers, and other enterprises
SECURITY: The Current State
EXISTING Security stack…
Firewall | VPN | Email Security | Web Security | DLP | SIEM | Replacement Box | Failover | The Persistent Threats | IDS
Firewall 2.0 | VPN 2.0 | Email Security 2.0 | Web Security 2.0 | DLP 2.0 | SIEM 2.0 | Replacement Box 2.0 | Failover 2.0 | Persistent Threats 2.0 | IDS 2.0
SECURITY EFFECTIVENESS GAP
• Attack Surface Diversity: Growing exponentially due to IoT, SaaS / IaaS, and personal device trends
• Threats: Continuous rise in sophistication of attackers combined with rapid iteration and evolution of attacker techniques and tools
• Detection: Efficacy of classical detection methods eroding
• User Behavior: No longer constrained to IT controlled places, apps or devices
DEFENSE GROWS MORE COMPLEX
Insider Threat is Hard to Catch
ALREADY INSIDE… Perimeter defenses DO NOT HELP
KNOWLEDGE… They know where confidential data is and possibly security measures in place
CREDENTIAL ACCESS… They usually have legitimate access to confidential data
EASY TO EXFILTRATE DATA… Online file sharing sites and USB drives enable quick theft of large data sets
HARD TO DETECT… They hide in a sea of credentialed user activity
The Results… Three powerful numbers…
• 67% Victims notified by external entity
• 100% Valid credentials used
• 229 Median # of days before detection
It’s harder than ever to see who’s on your network and what they’re doing
And you can’t protect what you can’t see
90% of surveyed organizations are not “fully aware” of the devices accessing their network
75% of companies say their mobile devices were targeted by malware in the last 12 months
Source: Verizon 2014 Data Breach Investigations Report
[Chart: Percent of breaches where time to compromise (orange) / time to discovery (blue) was days or less; series: Time to compromise, Time to discovery; y-axis 25%–100%; x-axis 2004–2013]
Time to Detection? INDUSTRY: 100 DAYS
The Network Security Framework
• Designed using NIST and RMF guidelines
• Spans entire security spectrum from detection to response
• Four primary tenets:
  • Security Event Management
  • Network Security
  • Vulnerability Management
  • Access Control
Security Everywhere Architecture
ATTACK CONTINUUM
BEFORE: Control | Enforce | Harden
DURING: Detect | Block | Defend
AFTER: Scope | Contain | Remediate
Network | Endpoint | Mobile | Virtual | Cloud
Point in Time | Continuous
[Diagram, slides 15–16: STEALTHWATCH deployment across Site A, Site B and Site C (CE routers), PE routers in an MPLS CLOUD, Internet access via a TIC, and the Data Center]
Lack of Visibility - Network Blind Spots
You Can’t Protect What You Can’t See
60% of data is stolen in HOURS
54% of intrusions are not discovered for MONTHS (205 Days AVG)
90% of companies are not fully aware of ALL users/devices accessing the network
[Diagram: East to West (Lateral Movement) traffic between Users and DC Servers; North to South traffic between Users and DC / Application Servers]
The Network Sees Everything
Network | Servers | Operating Systems | Routers and Switches | Mobile Devices | Printers | VoIP Phones | Virtual Machines | Client Applications | Files | Users | Web Applications | Application Protocols | Services | Malware | Command and Control Servers | Vulnerabilities | NetFlow | Network Behavior | Processes
NetFlow Analysis with Stealthwatch Provides…
• Discovery
• Policy and segmentation
• Network behavior anomaly detection (NBAD)
• Identifying additional IOCs
• Better understanding of IOC response
• Audit trail of all host-to-host communication
• Identifies business-critical applications and services across the network
Visibility Through NetFlow
[Diagram: packets from 10.1.8.3 to 172.168.134.2 crossing routers and switches toward the Internet, exported as a flow record]
FLOW INFORMATION (from the packets):
SOURCE ADDRESS: 10.1.8.3
DESTINATION ADDRESS: 172.168.134.2
SOURCE PORT: 47321
DESTINATION PORT: 443
INTERFACE: Gi0/0/0
IP TOS: 0x00
IP PROTOCOL: 6
NEXT HOP: 172.168.25.1
TCP FLAGS: 0x1A
SOURCE SGT: 100
…
APPLICATION NAME: NBAR SECURE-HTTP
NETFLOW PROVIDES
• A trace of every conversation in your network
• The ability to collect records everywhere in your network (switch, router, or firewall)
• Network usage measurements
• An ability to find north-south as well as east-west communication
• Lightweight visibility compared to Switched Port Analyzer (SPAN)-based traffic analysis
• Indications of compromise (IOC)
• Security group information
Scaling Visibility: Flow Stitching
UNIDIRECTIONAL FLOW RECORDS
Start Time | Interface | Src IP | Src Port | Dest IP | Dest Port | Proto | Pkts Sent | Bytes Sent
10:20:12.221 | eth0/1 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 5 | 1025
10:20:12.871 | eth0/2 | 10.1.1.1 | 80 | 10.2.2.2 | 1024 | TCP | 17 | 28712
BIDIRECTIONAL FLOW RECORD (10.2.2.2 port 1024 <-> 10.1.1.1 port 80)
Start Time | Client IP | Client Port | Server IP | Server Port | Proto | Client Bytes | Client Pkts | Server Bytes | Server Pkts | Interfaces
10:20:12.221 | 10.2.2.2 | 1024 | 10.1.1.1 | 80 | TCP | 1025 | 5 | 28712 | 17 | eth0/1, eth0/2
– Conversation flow record – Allows easy visualization and analysis
Scaling Visibility: NetFlow Deduplication
Duplicates:
Router A: 10.2.2.2:1024 -> 10.1.1.1:80
Router B: 10.2.2.2:1024 -> 10.1.1.1:80
Router C: 10.1.1.1:80 -> 10.2.2.2:1024
• Without deduplication
  • Traffic volume can be misreported
  • False positives would occur
• Allows for efficient storage of flow data
• Necessary for accurate host-level reporting
• Does not discard data
Conversational Flow Record
• Highly scalable (enterprise-class) collection
• High compression => long-term storage
• Months of data retention
More context: When | Who | Where | What | Who (Security group)
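The stitching (slide 21) and deduplication (slide 22) steps that produce the conversational flow record, as an added Python example that is not Lancope's or Cisco's code: the record layout, the rule that the first-seen direction is the client, and the duplicate rule (same directional 5-tuple and start time from another exporter) are assumptions, and the three sample records are constructed from the slide's Router A/B/C diagram.

```python
"""Flow stitching and NetFlow deduplication, as a flow collector does them.
Added example, not Lancope/Cisco code.  The record layout, the client/server
rule and the duplicate rule are assumptions; the records are constructed
from the slide's 10.2.2.2 <-> 10.1.1.1 conversation seen by three routers."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record from one exporter."""
    exporter: str
    start: str          # hh:mm:ss.mmm, sorts correctly as text
    iface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    nbytes: int

@dataclass
class Conversation:
    """Bidirectional (conversational) flow record built by stitching."""
    start: str
    client_ip: str
    client_port: int
    server_ip: str
    server_port: int
    proto: str
    client_bytes: int = 0
    client_pkts: int = 0
    server_bytes: int = 0
    server_pkts: int = 0
    interfaces: list = field(default_factory=list)
    exporters: set = field(default_factory=set)

TCP_FLAG_BITS = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                 (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]

def tcp_flags(value):
    """Decode the cumulative TCP flags field of a record, e.g. 0x1A."""
    return [name for bit, name in TCP_FLAG_BITS if value & bit]

def conversation_key(r):
    """Order-independent 5-tuple, so both directions map to one key."""
    a, b = (r.src_ip, r.src_port), (r.dst_ip, r.dst_port)
    return (r.proto,) + (a + b if a <= b else b + a)

def stitch(records):
    """Stitch unidirectional records into conversations and deduplicate.
    Records are processed in start-time order, so the first-seen direction
    names the client (assumption).  A record whose directional 5-tuple and
    start time were already counted from another exporter is a duplicate:
    its counters are not added again, but exporter and interface are kept."""
    convs, counted = {}, set()
    for r in sorted(records, key=lambda x: x.start):
        key = conversation_key(r)
        c = convs.get(key)
        if c is None:
            c = Conversation(r.start, r.src_ip, r.src_port,
                             r.dst_ip, r.dst_port, r.proto)
            convs[key] = c
        dup_key = (r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.proto, r.start)
        if dup_key not in counted:
            counted.add(dup_key)
            if (r.src_ip, r.src_port) == (c.client_ip, c.client_port):
                c.client_bytes += r.nbytes
                c.client_pkts += r.pkts
            else:
                c.server_bytes += r.nbytes
                c.server_pkts += r.pkts
        c.exporters.add(r.exporter)          # no data discarded
        if r.iface not in c.interfaces:
            c.interfaces.append(r.iface)
    return list(convs.values())

def raw_total_bytes(records):
    """Byte count a collector would report without deduplication."""
    return sum(r.nbytes for r in records)

# Constructed sample: Router A and Router B both export the client->server
# leg (a duplicate), Router C exports the server->client leg.
SAMPLE = [
    FlowRecord("Router A", "10:20:12.221", "eth0/1", "10.2.2.2", 1024,
               "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("Router B", "10:20:12.221", "eth1/3", "10.2.2.2", 1024,
               "10.1.1.1", 80, "TCP", 5, 1025),
    FlowRecord("Router C", "10:20:12.871", "eth0/2", "10.1.1.1", 80,
               "10.2.2.2", 1024, "TCP", 17, 28712),
]
```

Without the duplicate check the same conversation would be reported as 30762 bytes instead of 29737, which is the misreported volume the slide warns about.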
The Stealthwatch System
STEALTHWATCH SYSTEM: Comprehensive Security & Network Monitoring
[Diagram of system components:]
• Management Console
• Flow Collector
• Flow Sensor (physical, or Flow Sensor VE on ESX) for non-NetFlow enabled equipment
• NetFlow enabled routers, switches, firewalls
• UDP Director
• Legacy Traffic Analysis Software
• Endpoint Concentrator
• Security Packet Analyzer (Packet Data & Storage)
• ISE / Identity Services
• Learning Network Manager
• Proxy License, Cloud License, Threat Feed License
USE CASE 1
Detecting Insider Threats with Stealthwatch
What is an insider threat?
“An insider threat arises when a person with authorized access to U.S. Government resources, to include personnel, facilities, information, equipment, networks, and systems, uses that access to harm the security of the United States.”
National Counterintelligence and Security Center. “Insider Threat.” https://www.ncsc.gov/issues/ithreat/
• Maliciousness
• Compromised credentials
• Negligence
Some recent (and infamous) examples…
Source: New York Times
Regulations/Authorities
• Executive Order 13587, sec 2.1 – Directs organizations managing classified computer networks to implement an insider threat program. [2]
• DoD Directive 5205.16 – Directs the military branches, combatant commands, and DoD agencies to establish insider threat prevention programs. [3]
• National Industrial Security Program Operating Manual, change 2 – Requires all government contractors holding facility clearances to implement an insider threat program. [4]
2. National Counterintelligence and Security Center. “National Insider Threat Policy.” https://www.ncsc.gov/nittf/docs/National_Insider_Threat_Policy.pdf
3. Office of the Secretary of Defense. “The DoD Insider Threat Program.” http://www.dtic.mil/whs/directives/corres/pdf/520516p.pdf
4. Defense Security Service. “National Industrial Security Program Operating Manual.” http://dtic.mil/whs/directives/corres/pdf/522022M.pdf
Insider Threat Detection Points
• NETWORK: Assess behavioral characteristics of network traffic
• ENDPOINT: Evaluate host state, processes, files, and client-side applications
• APPLICATION: Classify data, analyze database queries, audit access logs, track application flows
We’ll focus on detecting insider threats at the network and endpoint level.
Insider Threat: Network & Host Indicators
Unusual host or application activity
• Time of day
• Destination
Unusual VPN/VDI connections
• Unknown source
• Time of day
Data Exfiltration
• Thumb drive, CD/DVD
• File transfers to outside hosts
Data Hoarding
• Unusual internal file transfers
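One way to turn the network indicators above (time of day, destination, file transfers to outside hosts, unusual internal transfers) into detection logic over conversational flow records, as an added Python example that is not Lancope's or Cisco's code; the business-hours window, the 10x-baseline thresholds, the per-host baselines and all sample records are constructed assumptions.

```python
"""Network indicators of insider threat evaluated over conversational flow
records: time of day, destination, large transfers to outside hosts
(exfiltration) and unusually large pulls from internal servers (hoarding).
Added example, not Lancope/Cisco code.  Thresholds, baselines, the
business-hours window and every record below are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress

BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 local, Mon-Fri (assumption)
RATIO = 10                         # alert when > 10x the host's baseline
MIN_BYTES = 500_000_000            # and at least 500 MB, to suppress noise
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Conversation:
    start: datetime
    client_ip: str
    server_ip: str
    server_port: int
    client_bytes: int   # bytes client -> server
    server_bytes: int   # bytes server -> client

def is_external(ip):
    """Destination check: anything outside RFC 1918 space is an outside host."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)

def off_hours(ts):
    """Time-of-day check against the business-hours window."""
    return ts.hour not in BUSINESS_HOURS or ts.weekday() >= 5

def evaluate(conv, baseline):
    """Return the indicator names one conversation raises.
    baseline maps client host -> (typical bytes pulled from internal
    servers per day, typical bytes sent to outside hosts per day)."""
    hits = []
    typical_in, typical_out = baseline.get(conv.client_ip, (0, 0))
    if off_hours(conv.start):
        hits.append("off-hours activity")
    if is_external(conv.server_ip):
        if conv.client_bytes >= max(MIN_BYTES, RATIO * typical_out):
            hits.append("possible exfiltration to outside host")
    elif conv.server_bytes >= max(MIN_BYTES, RATIO * typical_in):
        hits.append("possible data hoarding from internal server")
    return hits

def detect(convs, baseline):
    """Alerts as (client host, indicator, server) tuples, one per hit."""
    alerts = []
    for c in convs:
        for hit in evaluate(c, baseline):
            alerts.append((c.client_ip, hit, f"{c.server_ip}:{c.server_port}"))
    return alerts

# Constructed baselines and records; 2016-03-08 is a Tuesday.
BASELINE = {"10.2.2.2": (60_000_000, 5_000_000),
            "10.2.2.5": (60_000_000, 5_000_000)}
SAMPLE = [
    # 10.2.2.2 pulls 4 GB from the internal file server at 02:15 ...
    Conversation(datetime(2016, 3, 8, 2, 15), "10.2.2.2", "10.1.1.1", 445,
                 2_000_000, 4_000_000_000),
    # ... then pushes 3.5 GB to an outside host at 02:40
    Conversation(datetime(2016, 3, 8, 2, 40), "10.2.2.2", "203.0.113.10", 443,
                 3_500_000_000, 400_000),
    # 10.2.2.5 behaves normally during the working day
    Conversation(datetime(2016, 3, 8, 10, 30), "10.2.2.5", "10.1.1.1", 445,
                 1_000_000, 50_000_000),
    Conversation(datetime(2016, 3, 8, 11, 0), "10.2.2.5", "198.51.100.7", 443,
                 200_000, 3_000_000),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE, BASELINE):
        print(alert)
```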
USE CASE NO. 2
Catching Threats Faster
Minimizing Mean Time to Detect: Large Intelligence Community Agency
Multi-Point Collection
• Collect and correlate information enterprise-wide
• Leverage existing flow-generating network devices
• Save costs over deploying a full IDS and packet capture infrastructure
• Detect east-west traffic at the access layer
Questions? Phil Page, Senior Technical Consultant, Force 3: Ppage@force3.Com
Want to see CISCO Stealthwatch in action?
Talk to your Force 3 or Cisco representative about a free, 14-day trial.
Learn more about Force 3’s solutions and services.
◼ Phone: 800-391-0204
◼ Address: 2151 Priest Bridge Drive, Crofton, MD 21114
◼ Email: sales@force3.com
◼ Online: www.force3.com


Editor's Notes

  • #6 This has led organizations to have an average of 50 separate solutions for security. All with different interfaces, languages, and ways to express data. Each box is an island not communicating with, or understanding the other security layers around it.
  • #7 Making things worse, administrators use between 50 and 75% of the functionality in each box, adding complexity while getting limited benefit from each product.
  • #11 As more and more employees bring their personal devices onto the corporate network, organizations start to lose sight of exactly what and who is on their network. A recent report noted that 90% of surveyed organizations were not “fully aware” of the devices accessing their network. These “blind spots” in your network quickly translate to security threats. Basically, if you can’t even see what is accessing your network, it’s going to be an even bigger challenge to secure it across all devices and all users for proactive protection against threats. And it’s not really a matter of “if” your company data will face a security threat such as a data breach or malware attack, it’s a matter of “when”: According to the Ponemon Institute in the 2015 State of the Endpoint Report: User-Centric Risk, 75% of companies say their mobile devices were targeted by malware in the last 12 months. Data theft and targeted phishing campaigns are on the rise and are becoming increasingly sophisticated. Malware attacks are more sophisticated than the basic phishing attacks of 20 years ago. For example, the Stuxnet virus physically destroyed hundreds to thousands of uranium enrichment centrifuges. Recent breaches at high profile retailers resulted in tens of millions of credit card accounts being compromised and stolen. Devastating, to say the least. Again, the problem enterprises are facing in an increasingly mobile environment is that you can’t protect what you don’t see. In fact, 66% of organizations simply, outright fail to detect a breach for months or even years. (Verizon Data Breach Report - http://www.secretservice.gov/Verizon_Data_Breach_2013.pdf). Scarier still is that today’s advanced, persistent threats can sit quietly in an enterprise infrastructure, moving laterally, to find the right unprotected asset that allows it to elevate rights and gain access to the most important company data.
  • #13 Because of this, it currently takes 100 days or more for companies to detect a breach. This is why we need to build a true security architecture and have open integration between the layers of defense as well as build in automation for both analysis and response to reduce the time to detection.
  • #15 In order to deal with this we need customers to look at their security model holistically and gain visibility across the entire attack continuum. Addressing security before, during and after attacks. BEFORE AN ATTACK: Customers need to know what they are defending….YOU NEED TO KNOW WHAT’S ON YOUR NETWORK TO BE ABLE TO DEFEND IT – DEVICES / OS / SERVICES / APPLICATIONS / USERS They need to IMPLEMENT ACCESS CONTROLS, ENFORCE POLICY AND BLOCK APPLICATIONS AND OVERALL ACCESS TO ASSETS. HOWEVER POLICY AND CONTROLS ARE A SMALL PIECE OF WHAT NEEDS TO HAPPEN. THEY MAY REDUCE THE SURFACE AREA OF ATTACK, BUT THERE WILL STILL BE HOLES THAT THE BAD GUYS WILL FIND. ATTACKERS DO NOT DISCRIMINATE. THEY WILL FIND ANY GAP IN DEFENSES AND EXPLOIT IT TO ACHIEVE THEIR OBJECTIVE. DURING THE ATTACK: MUST HAVE THE BEST DETECTION OF THREATS THAT YOU CAN GET ONCE WE DETECT ATTACKS, WE CAN BLOCK THEM AND DEFEND the ENVIRONMENT AFTER THE ATTACK: INVARIABLY ATTACKS WILL BE SUCCESSFUL, AND Customers NEED TO BE ABLE TO DETERMINE THE SCOPE OF THE DAMAGE, CONTAIN THE EVENT, REMEDIATE, AND BRING OPERATIONS BACK TO NORMAL ALSO NEED TO ADDRESS A BROAD RANGE OF ATTACK VECTORS, WITH SOLUTIONS THAT OPERATE EVERYWHERE THE THREAT CAN MANIFEST ITSELF – ON THE NETWORK, ENDPOINT, MOBILE DEVICES, VIRTUAL ENVIRONMENTS. WITH TODAY’S THREAT LANDSCAPE FULL OF ADVANCED MALWARE AND ZERO DAY ATTACKS POINT IN TIME TECHNOLOGY DOES NOT WORK AND JUST ADDS TO THE COMPLEXITY PROBLEM.
  • #18 This is another data point that shows how their attacks are getting stealthy. Because companies are investing more toward perimeters, they have less visibility inside their network. Also, when their network is fairly flat, or not properly segmented, it is easy for attackers to find what they need. 60% of the data is stolen in hours on average, and it takes months to discover this type of breach. ----- Note & Data Source ----- 90% of organizations not “fully aware” of the devices accessing their network http://lerablog.org/business/it/emerging-trends-for-byod-in-2014/ 14% of organizations had malware enter the corporate network through social media/web apps (between November 2012-November 2013) http://solutions.webtitan.com/blog/bid/157457/New-Research-on-the-Risks-posed-by-Social-Media-in-your-Business-Network-Security http://www.ostermanresearch.com/whitepapers/orwp_or_201204a.pdf 5-10 times more cloud services being used than are known by IT http://blogs.cisco.com/security/beyond-data-securityfive-biggest-risks-of-shadow-cloud-it-services/ 92% of Top 500 Android Apps Carry Security or Privacy Risk http://www.infosecurity-magazine.com/view/36612/92-of-top-500-android-apps-carry-security-or-privacy-risk/
  • #19 With our technologies and pervasive position in the fabric of the network, we can simply see more.
  • #27 The Stealthwatch system is comprised of a number of components to provide a robust and comprehensive view of activity occurring in the enterprise network. The two primary components to this system required for operation are the Flow Collector and Management Console appliances. These can be deployed as physical appliances and as virtual machines. The flow collector aggregates all of the network telemetry data Stealthwatch uses to conduct its analysis. It performs stitching and deduping operations on the incoming data to create the conversational flow record we just talked about, and handles most of the analytical heavy lifting for the system. The management console works as your microscope and your macroscope into this sea of data collected by the Stealthwatch system. In addition, it takes in additional telemetry from identity services, such as Active Directory and Cisco ISE, and threat intel to add context to the collected network traffic. Flow Sensors are used to generate netflow in areas of the network that don’t possess native exporting capabilities, by reading PCAP data from a SPAN or TAP port and converting that. The Flow Sensor can also be deployed as a physical or virtual appliance.
  • #29 I know a lot of you have had this hammered in by your annual insider threat training, but let's review. We have the official government definition there. An insider threat is a person with access to systems, information, and facilities that uses them to harm the security of the US. This threat can arise for several reasons: - We can have malicious actors, such as disgruntled employees, ideologues, foreign intelligence sources. - It can come from compromised credentials. This may come from re-used credentials that were stolen from elsewhere, from someone writing them down on a sticky note, or a shared group account whose credentials are widely known among an organization. - Finally, there's negligence. This may result in compromised credentials, but it can also take other forms: not locking your computer when you leave, not ensuring adequate access controls and permissions are in place, allowing unauthorized personnel to gain access to different parts of the building.
  • #30 Let's look at some recent examples. And I'm sure all of you already know what's coming on the next slide.
  • #31 No surprises here. What's interesting (and good) is that there's been a massive push within both the public and private sector to deploy insider threat technologies both on the network and on the endpoint.
  • #32 The government has actually codified the requirement for insider threat programs in several regulations and executive orders. Most of you are probably familiar with the first two, but it's the third one that I'd like to hit on here. Government contractors with facility clearances are now required to implement their own insider threat program. So for all of you contractors on the line, if you wind up working at any of your corporate offices, you'll have to follow similar guidelines. In fact, we here at Force 3 just rolled out our official insider threat program a few weeks ago.
  • #33 When we look at detecting an insider threat, there are really three points where we have to monitor activity: on the network, on the endpoint, and in the application. Stealthwatch is focused on helping us detect insider threats on the network.
  • #34 These are the red flags that signal someone may be up to no good.
  • #41 That’s enough talk, let’s actually see a really quick demo of how Stealthwatch detects and presents insider threats to security personnel.