I am currently attending an introduction class in Cisco Cyber Threat Defense. Since I had never heard the phrase before, I couldn't wait to show up.
Cisco Cyber Threat Defense is a conceptual thing, just like TrustSec. It brings several building blocks together to form a unique functionality. The pieces that CTD is built upon are StealthWatch from LanCope, NetFlow-enabled devices from Cisco, and Cisco Identity Services Engine (ISE).
StealthWatch is a product that delivers information out of NetFlow data. Simply put, you tell all (or key) devices in your network infrastructure to send information about traffic flows via the NetFlow protocol to StealthWatch, which analyses the data, turns it around, shakes it, boils it and puts it together again to present statistics out of the data. For example: which inside hosts generate the most traffic, what are the most common ports/protocols being used, and which server/client conversation pairs eat up all the bandwidth on our slow WAN link?
Just like in other NetFlow applications, the GUI is really important. With so much stored data under the hood there must be an easy way to retrieve statistics out of StealthWatch, and this product has really succeeded in this. It is really intuitive to build custom reports (StealthWatch calls them documents) and tweak filters to drill down to exactly what you want to know.
But StealthWatch adds more functionality to the concept of NetFlow. By analysing it further it can draw security-related conclusions. The key to this is baselining. StealthWatch learns the normal network-traffic behaviour of hosts in the network: which hours are peak time, which ports that server normally listens on, how many outbound sessions each inside host opens in a given time frame, and so on. With various thresholds StealthWatch can trigger events and alarms when it sees anomalous behaviour in the network.
One of the key features that makes StealthWatch customizable is the concept of host groups. In a hierarchical structure we define which hosts belong together, by geography, by function, or both. These host groups are then used throughout the configuration interface. This makes it easy to treat all mail servers identically and separate them from printers or client computers.
Another key feature of the CTD concept is the addition of Cisco ISE. With a connection between Cisco ISE and StealthWatch, the latter can receive Cisco TrustSec parameters from ISE and see information about MAC addresses, the profiled client's device type, which access switch/port it is connected to, and so on. This is really powerful and promising for the future!
StealthWatch itself is built from several blocks. There needs to be a management server (SMC), which is a separate unit. Of course there need to be Flow Collectors (FC). But there is also a separate FlowSensor (FS), which analyses traffic from a tap or SPAN port and generates NetFlow data. This is extremely powerful in environments that are not NetFlow enabled. There is also a FlowSensor VE, which is a separate FlowSensor for VMware. This adds NetFlow visibility for VM-to-VM traffic and will also give the SMC additional ESX-specific information such as VM hostnames.
As a NetFlow analyzer, StealthWatch is a really powerful tool in itself. Besides the security features, StealthWatch can be a powerful tool for finding overused (or underused) WAN links and servers. Building maps of host-group relationships gives you a good overview of the amount of traffic travelling between (and within) different parts of your network. Not as a Layer 2/3 network topology map, but rather as several fully customizable relationship maps.
Cisco Cyber Threat Defense as a security solution also has its right to exist, in my opinion. While it is not an IPS (since it doesn't look deep into packets, it is not inline, and it doesn't work with signatures) and not a CS-MARS (R.I.P.), it clearly overlaps with both of these solutions quite a bit.
Security-wise, there are a few terms used in the traffic-anomaly analysis that are really powerful and also correlate well with similar functions in both IPSs and CS-MARS. The Concern Index (CI) is a per-host scoring system that marks bad behaviour: the more bad traffic a host has generated, the higher its CI. In the same way there is a Target Index (TI), which is a scoring system for attacked devices; each attack raises the TI of our poor little inside server. These two indices are then used as parameters in the different analysis engines that come with the StealthWatch system.
Another nice feature is HostLocking. This is as close as you can get to a Private VLAN with NetFlow. We define two servers (actually host groups, as everything is configured in terms of host groups), and the HostLocking feature simply says that these two groups should never talk to each other. If there is traffic sent between these two host groups, something fishy is going on and an event is fired.
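To make the host-group, baselining, Concern/Target Index and HostLocking ideas above concrete, here is an added example (my own toy code, not Lancope's engine or any StealthWatch export) that runs them over a handful of constructed NetFlow-like records. The group names, networks, flows and one-point-per-anomaly scoring are all assumptions chosen for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed host-group hierarchy (assumption, not a StealthWatch config export).
HOST_GROUPS = {
    "Inside/Servers/Mail": ["10.1.10.0/24"],
    "Inside/Clients": ["10.2.0.0/16"],
    "Inside/Printers": ["10.3.0.0/24"],
}
NETS = [(name, ipaddress.ip_network(c)) for name, cidrs in HOST_GROUPS.items() for c in cidrs]
# HostLocking-style policy: these two groups should never talk to each other.
LOCKED_PAIRS = {frozenset({"Inside/Printers", "Inside/Servers/Mail"})}
# Constructed NetFlow-like records: (src_ip, dst_ip, dst_port, bytes)
BASELINE_FLOWS = [
    ("10.2.0.5", "10.1.10.1", 25, 4000),
    ("10.2.0.6", "10.1.10.1", 143, 9000),
]
NEW_FLOWS = [
    ("10.2.0.5", "10.1.10.1", 25, 3000),     # normal: port seen in the baseline
    ("10.2.0.9", "10.1.10.1", 3389, 500),    # anomaly: port never served by the mail server
    ("10.2.0.9", "10.1.10.1", 445, 500),     # anomaly: another unseen port from the same host
    ("10.3.0.7", "10.1.10.1", 25, 800),      # printer -> mail server: HostLocking violation
]

def group_of(ip):
    """Most specific host group containing ip, or 'Outside' if none matches."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in NETS if addr in net]
    return max(matches)[1] if matches else "Outside"

def learn_baseline(flows):
    """Baselining: the destination ports each host has normally been seen serving."""
    ports = defaultdict(set)
    for _src, dst, port, _nbytes in flows:
        ports[dst].add(port)
    return ports

def hostlock_violations(flows):
    """Flows whose endpoints fall in a locked host-group pair (either direction)."""
    return [(src, dst, port) for src, dst, port, _nbytes in flows
            if frozenset({group_of(src), group_of(dst)}) in LOCKED_PAIRS]

def index_scores(flows, baseline):
    """Simplified Concern Index (per source) and Target Index (per destination):
    each flow to a port outside the destination's baseline adds a point to both."""
    ci, ti = defaultdict(int), defaultdict(int)
    for src, dst, port, _nbytes in flows:
        if port not in baseline.get(dst, set()):
            ci[src] += 1
            ti[dst] += 1
    return dict(ci), dict(ti)
```

Running `index_scores(NEW_FLOWS, learn_baseline(BASELINE_FLOWS))` scores the client probing unseen ports and the mail server it targets, while `hostlock_violations(NEW_FLOWS)` flags only the printer-to-mail-server flow, which is exactly the event a HostLocking rule would fire on.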
StealthWatch can currently mitigate attacks by sending syslog, SNMP traps and emails, running expect scripts, and in a few other ways. However, it is still a bit limited. And it is important to point out that LanCope has no intention of building something that automatically shoots down all attackers, shuns port scanners and shuts down the switch ports of bad users. It is possible to do, but it is not a key feature, simply because (in my opinion) this system relies on NetFlow and is not inline, so there is a delay and it is probably too late to react anyway (compared to an inline IPS that can decide not to forward one single atomic packet that looks suspicious).
StealthWatch also has its own SenderBase/WebRep-style system called SLIC. This is a feed that constantly tells StealthWatch about known bad boys on the internet. This feed automatically updates specific host groups in the system, and this can be used to detect botnet control systems and treat them differently (block them).
When I first heard of "Cisco Cyber Threat Defense" it sounded so cool that I expected something like CS-MARS on steroids with neon-blue LEDs and unique features to automagically destroy all evil in the world. Then reality hit me in the forehead and I understood that this is all about NetFlow, a protocol that has been around forever already. After having had a deep dive into the features of StealthWatch I now settle somewhere between my first expectation and the reality check. LanCope has really done their job well to squeeze as much information as possible out of NetFlow!
In my humble opinion it is a pity that StealthWatch uses SLIC and not the Cisco SenderBase/WebRep system.
Finally, a few screenshots: