[Graphic: alarm categories – Data Hoarding, Exfiltration, SMB Probe, C2C, 0 Day, PCI Alert, OT Alert, Worm Propagation, DDOS Attempt, Recon, HIPAA Alert, Malware, Bad GEO, APT]
Overview Stealthwatch
Visibility, Detection, Incident Response

[Architecture diagram: Router, Firewall, Core/Distribution Switch, Access switches, PCs, Internet; compass (N, S, W, E) marking north-south and east-west traffic]

Telemetry: Netflow (Physical, Virtual, Cloud), sFlow, jFlow, cFlow, qFlow, IPFIX……
Network, Security and Compliance use cases:
- Network: Top Hosts, Top Apps, Net Perf
- Security: APT, Bots, Malware, DDoS, Data EXF, 0 Day
- Compliance: PCI, SCADA, HIPAA, Audit, Etc…
Action: Router (Null Route), Firewall (SHUN), ISE Quarantine
Stealthwatch components: FC, SMC, FS
Older Switch – 2960
- Generates Netflow
- Layer 7 Visibility
- DPI (Applications)
- RTT (Round Trip Time)
- SRT (Server Response Time)
Packet Analyzer – 42 TB Rolling Buffer
Anyconnect
- NVM (IPFix)
- User
- Device
- Application
- Location
- Destination
PxGrid
- ISE provides the following
- User/Device/MAC – EX: 10.1.1.1 = Jason | iPhone | MAC
- SMC Behavioral Change
SIEM
UDP Director
- Flows sent centrally
- Duplicate as required
Cloud (Host1, Host2)
- Stealthwatch Cloud (Public/Private)
- Agentless
- EX: AWS - VPC Flow Logs
- Other feed sources
Web Proxy – Proxy Logs
- Provides URL Insight
Endpoint Concentrator
Netflow and Proxy = Telemetry
- Extended Visibility & Behavioral Analytics
- Advanced Threat Detection
- Encrypted Traffic Analysis
Overview of ETA
(Enhanced Netflow)
Encrypted Traffic Analytics focuses on identifying malware communications in encrypted traffic through passive monitoring, the extraction of relevant data elements, and supervised machine learning with cloud-based global visibility.
Sequence of Packet Lengths and Times (SPLT): SPLT conveys the length (number of bytes) of each packet’s application payload for the first several packets of a flow, along with the inter-arrival times of those packets. SPLT can be represented as an array of packet sizes (in bytes) along with an array of times (in ms) representing the time since the previous packet was observed.
Byte distribution: The byte distribution represents the probability that a specific byte value appears in the payload of a packet within a flow. The byte distribution of a flow can be calculated using an array of counters. The major data types associated with byte distribution are the full byte distribution, byte entropy and the mean/standard deviation of the bytes. For example, using one counter per byte value, an HTTP GET request, “HTTP/1.1”, can be calculated by incrementing the corresponding counter once for the “H,” then incrementing another counter twice for the two consecutive “T”s, and so on. Although the byte distribution is maintained as an array of counters, it can easily be turned into a proper distribution by normalizing by the total number of bytes.
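To make the two feature definitions above concrete, here is an added Python example (not Cisco code and not from the original slides) that computes SPLT and the byte distribution, with its derived entropy, mean and standard deviation, over a constructed three-packet HTTP flow. The packet payloads and timestamps are made up, and the cap on how many packets SPLT covers is an assumption.

```python
import math

# Constructed sample flow (hypothetical data, not a real capture): the first
# three application payloads of an HTTP exchange with observation times in ms.
SAMPLE_FLOW = [
    (0,  b"GET / HTTP/1.1\r\n"),
    (12, b"HTTP/1.1 200 OK\r\n"),
    (30, b"<html>"),
]


def splt(packets, max_packets=10):
    """Sequence of Packet Lengths and Times for the first packets of a flow.

    Returns two parallel arrays: payload length in bytes, and milliseconds
    since the previous packet (0 for the first packet, which has none).
    max_packets is an assumed cap, not a value from the deck."""
    first = packets[:max_packets]
    lengths = [len(payload) for _, payload in first]
    times = [0] + [first[i][0] - first[i - 1][0] for i in range(1, len(first))]
    return lengths, times


def byte_distribution(packets):
    """One counter per byte value over every payload byte of the flow, plus
    the derived statistics: normalised distribution, entropy (bits), and the
    mean / standard deviation of the byte values."""
    counts = [0] * 256
    for _, payload in packets:
        for b in payload:            # "HTTP/1.1": H once, T twice, P once, ...
            counts[b] += 1
    total = sum(counts)
    if total == 0:
        raise ValueError("flow carried no payload bytes")
    dist = [c / total for c in counts]                 # normalise to a distribution
    entropy = -sum(p * math.log2(p) for p in dist if p)
    mean = sum(v * c for v, c in enumerate(counts)) / total
    std = math.sqrt(sum(c * (v - mean) ** 2 for v, c in enumerate(counts)) / total)
    return {"counts": counts, "dist": dist, "entropy": entropy, "mean": mean, "std": std}


if __name__ == "__main__":
    print("SPLT:", splt(SAMPLE_FLOW))
    bd = byte_distribution(SAMPLE_FLOW)
    print("entropy=%.3f mean=%.1f std=%.1f" % (bd["entropy"], bd["mean"], bd["std"]))
```

Plaintext HTTP gives a low, text-skewed entropy; an encrypted payload approaches the 8-bit maximum, which is why entropy is a useful flow feature.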
Initial Data Packet (IDP): IDP is used to obtain packet data from the first packet of a flow. It allows extraction of interesting data such as an HTTP URL, DNS hostname/address and other data elements. The TLS handshake is composed of several messages that contain interesting, unencrypted metadata used to extract data elements such as cipher suites, TLS versions and the client’s public key length.
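The IDP extraction described above, as an added Python example that is not part of the original deck or of Cisco's implementation: it parses a constructed TLS ClientHello (hypothetical bytes, not a capture) and pulls out the record and client versions and the offered cipher suites, refusing to read past a truncated record. The client's public key length is not extracted here; it lives in the key exchange, not in the fields this block walks.

```python
import struct

# Constructed TLS ClientHello record (hypothetical bytes, not a real capture):
# record header, handshake header, client_version 0x0303 (TLS 1.2), 32-byte
# random, empty session id, two cipher suites, null compression, no extensions.
SAMPLE_IDP = bytes.fromhex(
    "16 0301 0031"      # record: type handshake, legacy version 3.1, length 49
    "01 00002d"         # handshake: type ClientHello, length 45
    "0303"              # client_version = TLS 1.2
    + "00" * 32 +       # random (zeros here; real clients send 32 random bytes)
    "00"                # session_id length 0
    "0004 1301 c02f"    # cipher_suites: TLS_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    "01 00"             # compression_methods: null only
    "0000"              # extensions length 0
)


def u16(buf, pos):
    return struct.unpack_from("!H", buf, pos)[0]


def parse_client_hello(idp: bytes) -> dict:
    """Extract the unencrypted handshake metadata from a flow's Initial Data
    Packet. Raises ValueError unless idp holds a complete TLS ClientHello."""
    if len(idp) < 9 or idp[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = u16(idp, 3)
    if idp[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(idp[6:9], "big")
    if hs_len + 4 > rec_len or 5 + rec_len > len(idp):
        raise ValueError("truncated record")      # an IDP may be cut short: never overread
    body = idp[9:9 + hs_len]
    try:
        pos = 2 + 32                              # skip client_version and random
        pos += 1 + body[pos]                      # skip session_id
        cs_len = u16(body, pos); pos += 2
        suites = [u16(body, pos + i) for i in range(0, cs_len, 2)]
        pos += cs_len
        pos += 1 + body[pos]                      # skip compression_methods
        ext_len = u16(body, pos) if pos + 2 <= len(body) else 0
    except (IndexError, struct.error):
        raise ValueError("malformed ClientHello") from None
    # TLS 1.3 clients still send 0x0303 here and signal 1.3 in the
    # supported_versions extension, so client_version alone can understate the version.
    return {"record_version": (idp[1], idp[2]), "client_version": (body[0], body[1]),
            "cipher_suites": suites, "extensions_len": ext_len}


if __name__ == "__main__":
    print(parse_client_hello(SAMPLE_IDP))
```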
Overview of ETA
(Stealthwatch Insight Dashboard with Cognitive)
The Security Insight dashboard on the Stealthwatch Management Console (SMC) provides a view of affected users identified by Cognitive Analytics by risk type. An expanded Cognitive Analytics dashboard provides detailed information regarding the top risk escalations and relative threat exposure.
Overview of ETA
(Malicious Encrypted Traffic)
Upon discovery, a malicious encrypted flow can be blocked or quarantined by Stealthwatch. Policy-driven remediation actions via pxGrid using Cisco Identity Services Engine (ISE) with Cisco TrustSec® and Software-Defined Access (SD Access) simplify and accelerate network security operations.
Overview of ETA
(Cryptographic Compliance)
Encrypted Traffic Analytics also identifies encryption quality instantly from every network conversation, providing the visibility to ensure enterprise compliance with cryptographic protocols. It delivers the knowledge of what is being encrypted and what is not being encrypted on your network, so you can confidently claim that your digital business is protected. This cryptographic assessment is displayed in Stealthwatch and can be exported via APIs to third-party tools for monitoring and auditing of encryption compliance.
Flow Analysis Scenarios
Malware – Malware running on the network – Help!!!
We see the following:
• Suspicious Internal Hosts for today
• Worm Propagation for the last 14 days
• Worm Propagation for today
Let’s drill into this some more.
Zooming in here we can see the IP addresses of the hosts.
• Purple – hosts that are a source of infections
• Green – hosts exhibiting the same behavior as the purple hosts
• Blue – hosts that are being scanned
We can double-click a host to view the “Host Snapshot”. We can then perform the same analysis as we did in the previous examples. Nowhere to hide!
We get the identity – Start Active Time, End Active Time, Username, MAC Address, Device Type, Domain Name, and the Switch Port the host is connected to. If you have ISE you could also quarantine the host with a single click.
We can see that the host is scanning on port 5900 (the VNC port).
Moving to “Alarms”, here we can acknowledge the alarm after we have determined that the issue has been resolved. EX: the Helpdesk took the previous information, scanned the machine and cleaned the infections.
Right-click the host, go to “Workflow” and click “Acknowledge Selection”. Provide some detail and hit “Ok”.
Botnet – Botnets running on the network – Help!!!
• C&C Server Traffic – Today
• Trend of Infected Hosts – Last 30 Days
• Top Infected Host Today
• Top C&C Servers Today
Let’s drill into “Top Infected Hosts” and click “Host Snapshot” to learn more about what took place and the finer details.
We get the identity – Start Active Time, End Active Time, Username, MAC Address, Device Type, Domain Name, and the Switch Port the host is connected to. If you have ISE you could also quarantine the host with a single click.
This gives us insight into the active flows, and we can drill into the specifics as needed.
We can see a lot of different “Security Events” that have taken place, some of which may automatically qualify for next steps in the investigation. We could export the details into a CSV file and share it with other teams. Let’s drill into the infected host “Security Event”.
Select the row of interest and click “Quick View this Row”.
We now get more details; perhaps the IP address of the target is something we want to blacklist – we can use other tools to action this mitigation technique: Cisco NGFW, Cisco Endpoint AMP, etc.
We have completed our investigation; it is now time to acknowledge the alarm and move on to the next threat that may take place.
Give it a description and select “Ok”.
Copyright Infringement – You get an email from a copyright infringement authority telling you to stop this behavior or legal action will be taken. All you have is a timeline, a file name, and an external IP address. We will use the web GUI for this exercise.
Here we populate the information we got from the copyright authority and begin our search.
“Select” the flow of interest.
I can see the following details – Search Subject, Subject Port, Date and Time, Inside Host, Inside Port, Outside Host, Outside Port, Application, Total Bytes. Let’s pivot into the “Inside Host”.
I can see everything about the host – I know the internal IP, the NATed IP (we got that insight in the previous flow search), host details, Peers, Alarms, Users and Sessions, and Application Traffic both Inbound and Outbound.
If integrated with ISE I can quarantine and unquarantine instantly from Stealthwatch.