topic Re: FMC Insider Threat/Malware Detection Across the LAN in Network Security

FMC Insider Threat/Malware Detection Across the LAN

davsnet2000 — Thu, 21 Oct 2021 18:03:15 GMT

In regards to Cisco's Threat Deteaction how would you scan for insider threats if the device doesn't have the Secure Endpoint software installed?

Situation:

The LAN is setup with Cisco Firepower FMC monitoring with AMP for Endpoints or (Secure Endpoint) software on all devices and you have ISE deployed. How do you scan for someone that connects a device on the network and the switch port is not configured for 802.1x?

If someone is using hacking tools within the network how can that be detected if it's local only and doesn't go to the outside through the firewall?

The reason I asked is because our company brought in a "Red Team" to determine the security of our network and their requirements kind of made me think (THAT'S NOT FAIR)!

The requirement was for us to open up several ports for them to plug in their scanning laptops. The port configurations were to be bare with no port security or 802.1x configured and no port mirroring set up.

Additionally Secure Endpoint software would not be installed on the (Red Team's) computers.

How would you monitor for malicious activity on the LAN?

Re: FMC Insider Threat/Malware Detection Across the LAN

Rob Ingram — Thu, 21 Oct 2021 18:14:54 GMT

@davsnet2000

I agree. The test they should be running is from a standard (lockdown) port, with all the standard restrictions. Your bosses would get a better understanding of your network security that way.

To answer your question, you could use Secure Network Analytics (previously called StealthWatch) that could monitor for abnormal or malicous traffic on the LAN (for traffic that doesn't transit the firewalls).

https://www.cisco.com/c/en_uk/products/security/stealthwatch/index.html

Re: FMC Insider Threat/Malware Detection Across the LAN

davsnet2000 — Thu, 21 Oct 2021 20:53:02 GMT

Rob, thanks for the reply. I've requested StealthWatch in the past, but it never got funded. And you are correct, I expected them to connect to a fully secured port or attempt from outside the WAN.

How does this method even test our network?

Can I set up port monitors connected from the Firepower devices to the Access Switches or VLAN interfaces? When the Cisco sales team pitched the FMC/Firepower upgrade for our firewall suite they said we could create ports and connect them to switches or VLAN interfaces.

I'm guessing this method would miss anything within an individual switch if the traffic never leaves the switch and we're connected to the L3 VLAN interface and not to the switch.