Meddane
VIP

Cisco Secure Network Analytics (formerly named Stealthwatch) is the leader in the Network Detection and Response (NDR) Gartner quadrant and can transform the network into a sensor to detect insider threats and identify anomalous behavior such as malware, distributed botnets, data exfiltration, and more.

Host Groups offer flexibility in the way you can organize hosts or assets within your organization. In general, hosts can belong to multiple groups allowing you to apply your own business logic. In addition, you can define policies per host group and/or per host. A host group is essentially a virtual container of multiple host IP addresses or IP address ranges that have similar attributes, such as location, function, or topology. By grouping hosts into host groups, you can control how the Stealthwatch Flow Collectors monitor and respond to the behavior of those hosts as a group, rather than individually.
In the steps above we had you remove a group of IP addresses from the “Catch All” group.
The Catch All group in Stealthwatch performs a special function within the product. The contents of the Catch All group establish what IP addresses a company utilizes, owns, or otherwise controls. By default, this includes all private IPv4 and IPv6 address space. What should be added to the Catch All group is all the customer’s public IP address space.

By default, each SMC domain contains the following top-level host groups to which you can add sub host groups for easier reporting and more focused behavioral analytics:

1. Inside Hosts – Contains all host groups whose hosts have been specifically defined as being a part of your network. Make note of example groups such as Compliance Systems, Protected Asset Monitoring, and Trapped Hosts – Honeypot.
2. Outside Hosts – Contains all host groups whose hosts have not been specifically defined as being a part of your network. Make note of the sub groups such as Authorized External DNS Servers, Countries, Customer Reputation List, and Trusted Internet Hosts.
3. (optional) Command & Control and Tor – These are optional feeds you can subscribe to for automated updates of new command and control servers and Tor entry and exit nodes.

Why you need to build stronger defenses beyond access control lists or firewalls:

• Firewalls are only as good as the people who implement them, and mistakes happen.
• If the access control policy is misconfigured, for example because a rule is moved to the top of the list, how would you detect it?
• Detect threats when an authorized server is used with stolen credentials.
• Account for all traffic on the inside of the firewall so you can build a general ledger of both authorized and unauthorized traffic that makes it through the firewall, and provide a second chance at detection.

Gain visibility into user and endpoint behavior with NVM

It is important to monitor third-party and employee VPN access to better protect your organization's intellectual property and customer data. When threats are detected, it is critical to be able to provide rapid threat containment.

AnyConnect Secure Mobility Client increases visibility and control across the extended network, preventing compromised endpoints from gaining access to critical resources. In this lab we will be observing:

• Visibility into user and endpoint behavior with the Network Visibility Module (NVM)

Cisco AnyConnect NVM leverages the Network Visibility Flow, or nvzFlow (pronounced: en-vizzy-flow), protocol to capture user and endpoint behavior both on- and off-premises. The job of nvzFlow is to collect flows from endpoints, along with a small set of high-value data related to each flow originating from the endpoint, in a lightweight manner as standard IPFIX records. This empowers flow collection solutions to leverage this rich data to create visibility into user and endpoint behavior, as well as long-term trending and analytics.

The five key visibility categories conveyed by the protocol or Enhanced Context are:

• User
• Device
• Application
• Location
• Destination

Analyze historical traffic to identify threats from suspect countries

Threats hide in legitimate network traffic, through common web browsing or through ports and applications that are trusted in firewall rules and on the endpoint. One way to identify these threats is to account for all network traffic entering and leaving the organization to the Internet. Once this visibility is collected, retrospective analysis over this long-term history can be performed to identify what should not be there. Through this visibility and retrospection, threat detection improves, and network segmentation can be enforced more effectively.

Data hoarding

One of the most valuable assets for an organization is its intellectual property, confidential information, and information stored in the company networks. Data breaches cost organizations millions of dollars. The global average cost of a data breach is $3.62 million, and the average cost for each lost or stolen record containing sensitive and confidential information is $141. Insider threats and disgruntled employees could take data and exfiltrate it for financial gain or just to cause harm.
The Secure Network Analytics Data Hoarding alarm indicates that a host within a network has downloaded an unusual amount of data from one or more servers. These events provide valuable insight into unauthorized data movement that might be taking place in the network.

Security events contribute index points to alarms. Alarms are grouped into Alarm categories.
Security Events Associated with the Data Hoarding Alarm Category include:

1. Suspect Data Hoarding
a. Suspect Data Hoarding monitors how much TCP/UDP data an inside host, while acting as a client, downloads from internal servers. The event fires when the amount of data surpasses the threshold for a given host. This threshold is built automatically by baselining.
b. This event is an indication of a particular host gathering data to prepare for exfiltration or other larger-than-normal downloads of internal data.

2. Target Data Hoarding
a. Target Data Hoarding monitors how much TCP/UDP data an inside host, while acting as a server, serves to other inside clients. The event fires when the amount of data surpasses the threshold for a given host. This threshold is built automatically through baselining.
b. This event is potentially an indication of one or many Inside Hosts gathering more data than normal from a particular Inside Host, potentially in preparation for exfiltration or misuse.
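As an added example (not code from the original post or from the Cisco product) of how the Suspect and Target Data Hoarding events above can be computed from flow records, and of the Inside/Outside Hosts split that the Catch All group defines: the Catch All prefixes, the flow records and the mean + k * stddev baseline rule are assumptions standing in for the product's own baselining.

```python
import ipaddress
from collections import defaultdict
from statistics import mean, pstdev

# Constructed Catch All group: the private space it holds by default (a real
# deployment adds the organisation's public ranges). Covered = Inside Host.
CATCH_ALL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_inside(host):
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in CATCH_ALL)

def daily_totals(flows):
    """Per (host, day): bytes an inside host downloaded as a client ("suspect")
    and served to inside clients as a server ("target"); TCP/UDP, inside-to-
    inside flows only. A flow is (day, client, server, proto, server_bytes)."""
    totals = {"suspect": defaultdict(int), "target": defaultdict(int)}
    for day, client, server, proto, server_bytes in flows:
        if proto not in ("tcp", "udp") or not (is_inside(client) and is_inside(server)):
            continue
        totals["suspect"][(client, day)] += server_bytes
        totals["target"][(server, day)] += server_bytes
    return totals

def hoarding_events(flows, today, k=3.0):
    """Fire when a host's total for `today` exceeds mean + k * stddev of its
    earlier days (an assumed stand-in for the product's own baselining);
    a host needs at least two history days before it can alarm."""
    events = []
    for role, per_day in daily_totals(flows).items():
        history = defaultdict(list)
        for (host, day), nbytes in per_day.items():
            if day < today:
                history[host].append(nbytes)
        for (host, day), nbytes in per_day.items():
            if day == today and len(history[host]) >= 2:
                threshold = mean(history[host]) + k * pstdev(history[host])
                if nbytes > threshold:
                    events.append((role, host, nbytes, round(threshold)))
    return events

# Constructed flow records (server_bytes in MB): four quiet days, then a spike.
FLOWS = [(d, "10.1.1.50", "10.1.1.10", "tcp", b)
         for d, b in enumerate([100, 120, 110, 130], start=1)] + [
    (5, "10.1.1.50", "10.1.1.10", "tcp", 900),      # today: ~7x the baseline
    (5, "10.1.1.50", "203.0.113.9", "tcp", 5000),   # outside peer: not counted
    (5, "10.1.1.50", "10.1.1.10", "icmp", 50),      # not TCP/UDP: not counted
]
```

Running `hoarding_events(FLOWS, today=5)` raises both a Suspect event for the client 10.1.1.50 and a Target event for the server 10.1.1.10, while the outside-peer and ICMP flows never enter the totals.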

Data exfiltration to track inside and outside hosts

The Secure Network Analytics Exfiltration alarm tracks inside and outside hosts to which an abnormal amount of data has been transferred. If a host triggers events exceeding a configured threshold, it results in an Exfiltration alarm.

Network segmentation violations

Network administrators are faced with the challenge of creating policies that are effective and do not impede legitimate access. Administrators often do not know the roles of everyone within the company, nor what assets they need access to. They need to be able to see existing network traffic, and they need a way to model policies and assess their accuracy without enforcing them.

Secure Network Analytics provides visibility into network traffic, which allows network administrators to do the following:

• Inventory network assets and classify them based on role or function
• Gain insight into user behavior and interactions on the network

With the information provided by Secure Network Analytics, an administrator can design segmentation based on network activity. Using host and host group policies, proposed segmentation policies can be tested without enforcing them. Alarms can be created to trigger on policies to see what effect they might have without disrupting critical business activities.

Detect traffic to rogue DNS servers

Rogue DNS attacks are difficult to detect without tools because the network appears to be operating normally. Rogue DNS servers arise from either a Trojan or another form of attack. After the initial attack, hackers embed their own DNS server on a network to redirect traffic to external sites for malicious purposes.

The Secure Network Analytics Management Console (SMC) Web User Interface (UI) Flow Search and Custom Events functions can detect DNS activity from illegitimate DNS servers. You can save custom events and schedule custom searches to periodically identify possible rogue DNS traffic. A custom flow search with the following criteria can detect rogue DNS traffic:

• Port/Protocol
• Included/excluded hosts
• Orientation of the object and peer
• Application signature
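The four search criteria above applied to flow records, as an added example that is not part of the original post or of the SMC product: the host group contents, the flow records and the field names are assumptions.

```python
import ipaddress
from collections import Counter

# Constructed host groups; an SMC deployment defines these in Host Management.
INSIDE_HOSTS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
AUTHORIZED_DNS = {"10.0.0.53", "10.0.1.53"}      # the organisation's own resolvers
AUTHORIZED_EXTERNAL_DNS = {"198.51.100.53"}      # "Authorized External DNS Servers"

def is_inside(host):
    ip = ipaddress.ip_address(host)
    return any(ip in net for net in INSIDE_HOSTS)

def rogue_dns_flows(flows):
    """Apply the four search criteria: port/protocol (53 over UDP or TCP),
    included hosts (the client must be an Inside Host), orientation (the peer
    is the server side of the flow) and application signature (DNS), then
    exclude the authorized DNS server groups. Whatever remains is DNS traffic
    to a server nobody sanctioned."""
    hits = []
    for f in flows:
        if f["server_port"] != 53 or f["proto"] not in ("udp", "tcp"):
            continue
        if f["application"] != "dns" or not is_inside(f["client"]):
            continue
        if f["server"] in AUTHORIZED_DNS | AUTHORIZED_EXTERNAL_DNS:
            continue
        hits.append(f)
    return hits

def rogue_dns_servers(flows):
    """Count hits per suspect server, the view a scheduled search would yield."""
    return Counter(f["server"] for f in rogue_dns_flows(flows))

def _flow(client, server, server_port, proto, application):
    return {"client": client, "server": server, "server_port": server_port,
            "proto": proto, "application": application}

# Constructed flow records.
SAMPLE_FLOWS = [
    _flow("10.1.1.20", "10.0.0.53", 53, "udp", "dns"),        # sanctioned resolver
    _flow("10.1.1.20", "10.1.1.99", 53, "udp", "dns"),        # unsanctioned inside server
    _flow("10.1.1.21", "198.51.100.53", 53, "udp", "dns"),    # authorized external
    _flow("10.1.1.21", "203.0.113.7", 53, "tcp", "dns"),      # unknown external
    _flow("10.1.1.22", "10.1.1.99", 443, "tcp", "https"),     # not DNS at all
    _flow("203.0.113.50", "10.1.1.99", 53, "udp", "dns"),     # outside client: excluded
    _flow("10.1.1.23", "10.1.1.99", 53, "udp", "dns"),        # second inside client
]
```

`rogue_dns_servers(SAMPLE_FLOWS)` reports 10.1.1.99 twice and 203.0.113.7 once; the sanctioned resolvers, the HTTPS flow and the outside client are all filtered out.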

Encrypted traffic analytics (ETA)

The percentage of encrypted traffic has been increasing each year since the IP protocol began to support cryptography. The use of Secure Sockets Layer (SSL) and Transport Layer Security (TLS) cryptography over IP grew 90 percent from 2015 to 2016. Industry analysts from Gartner predict that more than 80 percent of all web traffic will be encrypted by 2019. Encrypted traffic hides possible threats to a network. Until recently, there was no way to analyze encrypted traffic without decrypting it, making it difficult to effectively monitor networks for threats.
Cisco Encrypted Traffic Analytics addresses this problem by producing new telemetry data specifically derived from SSL / TLS connections. This data is then exported to a Secure Network Analytics Flow Collector where it is processed and stitched with connection data to provide new insights into network communications.

Using ETA technology, Secure Network Analytics detects malware in encrypted traffic without decryption by collecting network telemetry from Cisco IOS-XE devices including routers, switches, and Wireless LAN Controllers. ETA data is also produced by the version 7.1 or later Secure Network Analytics Flow Sensor. Secure Network Analytics uses this data along with advanced entity modeling and multilayer machine learning to improve the fidelity of malware detection in encrypted traffic. These new techniques also use the Talos global threat map to identify and correlate known global threats to the local environment.

Encrypted Malware Detection

Secure Network Analytics can be extended by enabling the cloud-based Cognitive Threat Analytics (CTA). CTA uses Secure Network Analytics connection data, which can include ETA metadata, to identify encrypted threats. When first enabled, Secure Network Analytics users should be able to access CTA findings within 24-48 hours, which allows a good baseline to form and machine learning to take effect. To access Cognitive Threat Analytics, open the Secure Network Analytics Management Console (SMC) Web User Interface (UI) and locate the Cognitive Threat Analytics widget in the Security Insight Dashboard.

Public cloud monitoring and threat protection

Many organizations are hosting part of their application infrastructure within public clouds. As businesses continue to move to the cloud, they must protect customer data and intellectual property for compliance and threat detection.

Secure Cloud Analytics (formerly called Stealthwatch Cloud) is a SaaS visibility and threat detection service that can monitor public cloud infrastructure hosted in AWS, Azure, and Google Cloud for compliance and threat detection. Secure Cloud Analytics is integrated with Secure Network Analytics Enterprise via an API.
