FMC Insider Threat/Malware Detection Across the LAN


In regards to Cisco's Threat Detection, how would you scan for insider threats if the device doesn't have the Secure Endpoint software installed?



The LAN is set up with Cisco Firepower FMC monitoring, with AMP for Endpoints (or Secure Endpoint) software on all devices, and you have ISE deployed.  How do you scan for someone that connects a device on the network when the switch port is not configured for 802.1x?

If someone is using hacking tools within the network, how can that be detected if it's local only and doesn't go to the outside through the firewall?

The reason I asked is because our company brought in a "Red Team" to determine the security of our network, and their requirements kind of made me think (THAT'S NOT FAIR)!

The requirement was for us to open up several ports for them to plug in their scanning laptops.  The port configurations were to be bare, with no port security or 802.1x configured and no port mirroring set up.

Additionally, Secure Endpoint software would not be installed on the (Red Team's) computers.

How would you monitor for malicious activity on the LAN?

2 Replies

Rob Ingram (VIP Master)


I agree. The test they should be running is from a standard (lockdown) port, with all the standard restrictions. Your bosses would get a better understanding of your network security that way.


To answer your question, you could use Secure Network Analytics (previously called StealthWatch), which could monitor for abnormal or malicious traffic on the LAN (for traffic that doesn't transit the firewalls).
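One way to see what the flow-based LAN monitoring Rob describes actually detects, as an added example that is not part of this thread and not Cisco's or Secure Network Analytics' own code: a small Python detector run over constructed flow records (the CSV layout, addresses and thresholds are assumptions) that flags a host probing many ports on one peer, or one port across many peers. It assumes the flow records are exported by the access switches themselves, so traffic that never leaves a switch is still visible to the detector.

```python
"""Flow-record scan detector (added example, constructed data)."""
from collections import defaultdict

# Constructed sample flows, one per line, in an assumed CSV layout:
# src_ip,dst_ip,dst_port,protocol,bytes  (not a real NetFlow export format).
# Three ordinary workstation flows, then one host (10.1.20.99) that touches
# 25 ports on a single server and port 445 on 15 different hosts.
SAMPLE_FLOWS = "\n".join(
    ["10.1.20.15,10.1.20.1,53,udp,120",
     "10.1.20.15,10.1.30.5,445,tcp,9800",
     "10.1.20.16,10.1.30.5,445,tcp,4100"]
    + [f"10.1.20.99,10.1.30.5,{p},tcp,60" for p in range(20, 45)]
    + [f"10.1.20.99,10.1.30.{h},445,tcp,60" for h in range(1, 16)]
)


def parse_flows(text):
    """Parse CSV flow lines into (src, dst, port, proto, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, proto, nbytes = line.split(",")
        flows.append((src, dst, int(port), proto, int(nbytes)))
    return flows


def detect_scans(flows, port_threshold=10, host_threshold=10):
    """Return findings for vertical scans (many ports on one peer) and
    horizontal sweeps (one port on many peers). Thresholds are assumptions;
    tune them against the site's normal traffic before alerting on them."""
    ports_per_pair = defaultdict(set)      # (src, dst) -> distinct dst ports
    hosts_per_src_port = defaultdict(set)  # (src, port) -> distinct dst hosts
    for src, dst, port, _proto, _nbytes in flows:
        ports_per_pair[(src, dst)].add(port)
        hosts_per_src_port[(src, port)].add(dst)
    findings = []
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= port_threshold:
            findings.append(("vertical_scan", src, dst, len(ports)))
    for (src, port), hosts in hosts_per_src_port.items():
        if len(hosts) >= host_threshold:
            findings.append(("horizontal_sweep", src, port, len(hosts)))
    return findings


if __name__ == "__main__":
    for finding in detect_scans(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

The ordinary workstation flows produce no findings; only the probing host is reported, once for the port scan against 10.1.30.5 and once for the 445 sweep across the 10.1.30.0 hosts.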


Rob, thanks for the reply.  I've requested StealthWatch in the past, but it never got funded.  And you are correct, I expected them to connect to a fully secured port or attempt from outside the WAN.

How does this method even test our network?

Can I set up port monitors connected from the Firepower devices to the Access Switches or VLAN interfaces?  When the Cisco sales team pitched the FMC/Firepower upgrade for our firewall suite, they said we could create ports and connect them to switches or VLAN interfaces.

I'm guessing this method would miss anything within an individual switch if the traffic never leaves the switch and we're connected to the L3 VLAN interface and not to the switch.
