topic Re: Stealthwatch Mitigation Actions in Security Analytics

Stealthwatch Mitigation Actions

Andryan Viryadi Tanamir — Mon, 06 Mar 2017 07:23:22 GMT

Hello,

I'm experimenting with Stealthwatch with my labs.

I currently deployed SMC, FlowCollector and FlowSensor and integrated with Cisco ISE 2.1

For anyone who has deployed Stealtwatch, do Stealthwatch support automatic mitigation for alarms triggered?

I have searched and found some ambiguity in documents.

Attached below is the document I found in Stealthwatch help section

What mitigation device does the documents states? Can Stealthwatch do a automatic mitigation via Cisco ISE?

Thanks

Re: Stealthwatch Mitigation Actions

__bford__ — Tue, 14 Mar 2017 13:17:42 GMT

Andryan,

The document you are referring to describes a Stealthwatch mitigation capability that was developed to work with the Cisco ASA.

Currently Stealthwatch does not offer 'automatic' mitigation via Cisco ISE. The Stealthwatch host 'Quarantine' function requires that a user to submit the request which is processed via pxGrid and assigns the default remediation policy define on the ISE to the selected host.

Brian

Re: Stealthwatch Mitigation Actions

Andryan Viryadi Tanamir — Tue, 21 Mar 2017 07:19:45 GMT

Ah I see, does this mitigation capability still works with ASA? Can't find any documentation with it.

And by the way, my FlowSensor can't make use of its DPI capabilities to sense L7 Application. When i set my flow sensor to point to FlowCollector, in SMC, it fell into Exporters category, not Flow Sensor, any help?

Re: Stealthwatch Mitigation Actions

jemoncri — Tue, 21 Mar 2017 12:25:20 GMT

Hello Andryan, the remote SSH mitigation into an ASA still functions in the java client. As for the exporter issue, you'll want to double check the Flow Sensor's export settings via it's web interface. It's likely set to export as v9 and not IPFIX. Please ensure it's exporting as IPFIX and that should resolve it.

Thanks,
Jeff

Re: Stealthwatch Mitigation Actions

Andryan Viryadi Tanamir — Tue, 21 Mar 2017 13:36:45 GMT

Ah thanks ! So much trouble done just for this !!

Dees that mean I can finally sitting down waiting for the FlowSensor populate the packets received by itself using DPI?

I have deployed it for almost 2 weeks and all I got in Top Applications are Unclassified HTTP and Unclassified HTTPS.

To clarify, if I didn't deploy FlowSensor at all in my deployment, does it means I will lost the visibility of applications etc ?

Thanks

Re: Stealthwatch Mitigation Actions

jemoncri — Tue, 21 Mar 2017 13:59:36 GMT

No problem! Make sure the SPAN is correctly configured going into the Flow Sensor’s monitor port, otherwise you will not be able to get DPI working properly. DPI is one method of application verification, the other is via NBAR if you have an exporting device that supports NBAR.

Re: Stealthwatch Mitigation Actions

Andryan Viryadi Tanamir — Wed, 22 Mar 2017 04:55:14 GMT

Hello Jeff,

I have managed to put FlowSensor to its correct space in SMC. But I still can't see how the flowsensor categorized each applications on its own. Are there any other configuration needed?

I have set the monitoring port to accept promiscuous mode.

Still unclassified hmm