
Achieving Visibility, Security and Real-Time Actionable Alerts Using VPC Flow Logs and Other AWS Tools (Sponsored by Cisco Stealthwatch) - AWS Summit Sydney

238 views

Published on

Visibility is a must for detecting threats and compromises in the cloud, containers, and on-premises networks. In this session, we will explore how Stealthwatch Cloud uses VPC Flow logs and network telemetry combined with advanced analytics such as entity modeling and threat intelligence feeds like Cisco Talos to detect attacks, data exfiltration, unusual remote access, and traffic that is not compliant with your policies.


  1. SUMMIT SYDNEY
  2. Cisco Stealthwatch Cloud: How to achieve better visibility, stronger security and receive actionable alerts using VPC Flow Logs
     Mindy Schlueter, Principal Cybersecurity Systems Engineer
  3. © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
     Why is this important? - Smarter threats are more difficult to detect
     • Motivated and targeted adversaries: state sponsored, financial/espionage motives, $1T cybercrime market
     • Insider threats: compromised credentials, disgruntled employees, admin/privileged accounts
     • Increased attack sophistication: advanced persistent threats, encrypted malware, zero-day exploits
     • Chart (Time axis): industry average detection time for a breach, industry average time to contain a breach, average cost of a data breach (Source: Ponemon 2018 Cost of a Data Breach Study)
  4. What is required? - Visibility is required for detection, but is it enough?
     • Crypto mining, network recon, ransomware, compliance, network visualization, bad user behavior, shadow IT, unapproved DNS, high risk countries, poor security posture
  5. The Challenge – How do we analyze massive amounts of data from many sources to find the interesting event?
     (Diagram: Network, Users, HQ, Data Center, Admin, Branch, Roaming Users, Cloud)
     • RECORD every conversation
     • Understand what is NORMAL
     • Be alerted to CHANGE
     • KNOW every host
     • Respond to THREATS quickly
  6. The Solution! - Stealthwatch Cloud: help with visibility, threat identification and network compliance using Dynamic Entity Modeling (machine learning)
     • Cloud: native logs (AWS)
     • Premises: network flows via a virtual sensor (NetFlow, IPFIX, mirror/SPAN)
  7. Entity Modeling (Machine Learning)
     • How? - Use cloud native APIs and data sources to ingest the traffic in near real time
     • What? - Maintain a model (a kind of simulation) of each and every device and entity on your network
     • Why? - Have a derived understanding of typical behavior, and be able to detect when behavior changes in a way that represents a security risk
     How do we do it?
  8. Machine Learning provides better threat detection (36 day baseline)
     • Collect input: CloudTrail, NetFlow/IPFIX, IAM logs, watch lists, 3rd party services, VPC Flow Logs (start – collect metadata)
     • Perform analysis: Dynamic Entity Modeling using machine learning – group, consistency, rules, forecast, role. What ports/protocols does the device continually use or never use? Do all roles behave similarly? Do all remote desktop servers communicate the same? Does it communicate internally only? What countries does it talk to? Should the connection be allowed? How much data does the device normally send/receive by profile, time of day, etc.? What is the role of the device? Should this role be doing this on the network?
     • Draw conclusions: turn network data into actionable alerts!
  9. 36 Day Baseline – Discovery & learning → Role detected → Baselining normal behaviour → Anomaly detected → Alert generated (machine learning)
     • Monitor and model behavior; classify roles; dynamically assign roles to entities
     • Machine learning helps us to detect abnormal activity for an entity
     • Alert triggers for database exfiltration: database server identified, IP address detected, data access from regular location, existing IP accesses database server, communicates with set of IPs, data stays within environment; then a New External Connection observation and a New High Throughput Connection
  10. Produce low-noise alerts – made possible via machine learning
     • Excessive failed access attempts, DDoS and amplification attacks, potential data exfiltration, geographically unusual remote access, suspected botnet interaction (ALERT: Anomaly detected)
     • 96% of customers rated the alerts generated by Stealthwatch Cloud's entity modeling solutions as "helpful"; e.g. 10k endpoints = 1-2 alerts/day
  11. Create an understanding of the resource/entity (screenshot: http://www.cisco.obsrvbl.com/roles)
     For example, we monitor an entity's: IP addresses, traffic counters, 30 day dashboard, connectivity counters, matched traffic profiles
  12. Expected Behavior based on Role (screenshot: http://www.cisco.obsrvbl.com/roles)
     • Roles: Lambda, NAT Gateway, Database Services, ELBs, Terminal Servers
     • We use roles to predict how an entity will operate – determined by APIs or behavior
     • Someone scanning the IP of the NAT Gateway (role) is not as interesting as someone scanning my databases: a scan of an entity with the NAT Gateway role is less important, a scan of an entity with the database role is more important
  13. Network Visibility – In addition to entity visibility, SWC can provide visibility of network resources as well!
  14. A database server exporting data to a foreign country – note the supporting observations
  15. Talos Intelligence - Web probing from Tor exit nodes: the 172.23.3.45 entity appears on multiple watch (black) lists. Leverage threat feeds like Cisco's Talos to identify bad hosts
  16. Failed SSH connection attempts seen – multiple access failures; the entity does not have SSH locked down. Detect poor security posture without the need to complete baselining. So let's identify the gaps before they become compromises.
  17. Building Segmentation Rules – compliance rules catch unwanted communications and highlight forbidden communications between internal entities. So let's identify the gaps before they become compromises.
  18. How does it work? - Amazon Web Services architecture
     • Amazon account: a role created for SWC in the account; Amazon CloudWatch, Amazon CloudTrail, Amazon VPC (flow logs), Amazon Simple Storage Service (S3), AWS Identity and Access Management (IAM), Amazon GuardDuty, AWS Lambda, Amazon Inspector, AWS Config
     • SaaS portal: API permissions allow SWC to read AWS services; read-only permissions are required for VPC flow logs; TLS 1.2
  19. How do we integrate! - Open APIs and built-in services allow for integration into current systems
     • SaaS management portal, Stealthwatch Cloud, AWS (S3, SQS, SNS), web platforms, email, SIEM and other applications
     • Because we know that security these days is not about having one point product but having a solution that can integrate with multiple applications that all work together!
  20. How do I get started! - 60 day free trial via AWS Marketplace or Cisco Direct
     • SaaS management portal features: unlimited users, no patching necessary, support included, available anywhere, new features added monthly
     • Link to free trial - https://aws.amazon.com/marketplace/pp/B075MWZVBM
  21. Demo
  22. cisco.com/go/stealthwatch
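The baselining and alerting flow on slides 9, 10 and 16 (learn an entity's normal peers and flow sizes during a baseline window, then raise a low-noise alert when a database opens a new external, high-throughput connection, and flag repeated failed SSH access without needing any baseline) can be shown as a small detector over VPC Flow Log records. The Python below is an added example written for this page, not Stealthwatch Cloud code; the role table, thresholds, internal address ranges and the flow-log records are constructed assumptions, and it applies the role weighting of slide 12 to rank alerts.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Default VPC Flow Log record layout (version 2), whitespace separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed assumptions: RFC 1918 space is "inside the environment", two
# monitored entities carry roles, and each role has an interest weight (slide 12).
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROLES = {"10.0.1.20": "database", "10.0.0.5": "nat-gateway"}
ROLE_WEIGHT = {"database": 3, "nat-gateway": 1}
HIGH_THROUGHPUT_FACTOR = 10   # flow bytes above 10x the largest baselined flow
SSH_REJECT_THRESHOLD = 5      # rejected TCP/22 flows at one entity before alerting


def parse_record(line):
    """Parse one default-format (version 2) VPC Flow Log record into a dict."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}: {line!r}")
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key]) if rec[key] != "-" else 0   # NODATA/SKIPDATA rows carry '-'
    return rec


def is_internal(addr):
    return any(ip_address(addr) in net for net in INTERNAL)


def entity_and_peer(rec):
    """Return (monitored entity, remote peer), or (None, None) if no end has a role."""
    for me, peer in ((rec["srcaddr"], rec["dstaddr"]), (rec["dstaddr"], rec["srcaddr"])):
        if me in ROLES:
            return me, peer
    return None, None


def build_baseline(records):
    """Learning phase: remember each entity's accepted peers and its largest flow."""
    baseline = defaultdict(lambda: {"peers": set(), "max_bytes": 0})
    for rec in records:
        entity, peer = entity_and_peer(rec)
        if entity is None or rec["action"] != "ACCEPT":
            continue
        baseline[entity]["peers"].add(peer)
        baseline[entity]["max_bytes"] = max(baseline[entity]["max_bytes"], rec["bytes"])
    return baseline


def detect(records, baseline):
    """Detection phase: produce alerts whose severity is weighted by the entity's role."""
    alerts, ssh_rejects = [], Counter()
    for rec in records:
        entity, peer = entity_and_peer(rec)
        if entity is None:
            continue
        role, weight = ROLES[entity], ROLE_WEIGHT[ROLES[entity]]
        # Posture check that needs no baseline: repeated rejected SSH attempts at the entity.
        if rec["action"] == "REJECT" and rec["dstport"] == 22 and rec["protocol"] == 6 \
                and rec["dstaddr"] == entity:
            ssh_rejects[entity] += 1
            if ssh_rejects[entity] == SSH_REJECT_THRESHOLD:
                alerts.append({"entity": entity, "role": role, "severity": weight,
                               "type": "Excessive failed SSH access attempts"})
            continue
        if rec["action"] != "ACCEPT":
            continue
        b = baseline.get(entity, {"peers": set(), "max_bytes": 0})
        observations = []
        if peer not in b["peers"] and not is_internal(peer):
            observations.append("New external connection")
        if b["max_bytes"] and rec["bytes"] > HIGH_THROUGHPUT_FACTOR * b["max_bytes"]:
            observations.append("New high-throughput connection")
        if observations:   # both observations on a database entity: the slide 9 exfiltration trigger
            kind = ("Potential data exfiltration" if len(observations) == 2 and role == "database"
                    else "Anomalous connection")
            alerts.append({"entity": entity, "role": role, "severity": weight * len(observations),
                           "type": kind, "observations": observations, "peer": peer,
                           "bytes": rec["bytes"]})
    return alerts


# Constructed sample records: account id, ENI and addresses are made up; the outside
# hosts use the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges.
PREFIX = "2 123456789012 eni-0a1b2c3d"
BASELINE_LOGS = [
    f"{PREFIX} 10.0.2.10 10.0.1.20 49152 5432 6 40 4200 1554000000 1554000060 ACCEPT OK",
    f"{PREFIX} 10.0.1.20 10.0.2.10 5432 49152 6 60 9800 1554000000 1554000060 ACCEPT OK",
    f"{PREFIX} 10.0.2.11 10.0.1.20 49200 5432 6 35 3900 1554000060 1554000120 ACCEPT OK",
    f"{PREFIX} 10.0.1.20 10.0.2.11 5432 49200 6 55 8700 1554000060 1554000120 ACCEPT OK",
]
DETECTION_LOGS = [
    # a known application server talking to the database as usual: no alert
    f"{PREFIX} 10.0.2.10 10.0.1.20 49300 5432 6 38 4100 1554100000 1554100060 ACCEPT OK",
    # the database pushes about 52 MB to an address outside the environment
    f"{PREFIX} 10.0.1.20 203.0.113.9 44321 443 6 36000 52000000 1554100100 1554100160 ACCEPT OK",
] + [  # six rejected SSH attempts against the database, then six against the NAT gateway
    f"{PREFIX} 198.51.100.7 {dst} {50000 + i} 22 6 1 60 1554100200 1554100260 REJECT OK"
    for dst in ("10.0.1.20", "10.0.0.5") for i in range(6)
]


def run_example():
    baseline = build_baseline(parse_record(line) for line in BASELINE_LOGS)
    return detect([parse_record(line) for line in DETECTION_LOGS], baseline)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The routine application-server flow produces nothing because its peer was learned in the baseline, while the database's first outbound flow to an outside address that is also far above any baselined volume combines both slide 9 observations into one exfiltration alert. The rejected-SSH check deliberately ignores the baseline, matching slide 16's point that poor posture can be reported before learning completes, and the same six rejects score lower against the NAT gateway than against the database, as slide 12 describes. A production model would build the baseline over a window such as the 36 days on the slides and replace the fixed factor with statistics per role and time of day.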
