
COVID-19 Response - Stealthwatch use cases for managing a shifting remote workforce


Updated 5/20/20 - Please continue to monitor this page, new offer information will be added as it is received.

Managing a shifting remote workforce

Day-to-day network management in the age of COVID-19 brings a number of significant, hard-to-manage changes, including major shifts in remote workforce architecture.

 
We at Cisco are here for you, and Stealthwatch can assist you in monitoring and investigating the effects of these shifts on your network traffic patterns. 

 
Here are some additional items that may be of use as you navigate these changes.

Stealthwatch Enterprise

Did you know that Stealthwatch Enterprise can be used to...

 

 

For a quick demo showing how Stealthwatch Enterprise can be used to monitor remote users, see the following video in our Stealthwatch Training Center:
https://learning.stealthwatch.com/covid-use-case-video-using-maps-and-top-reports-to-investigate-hosts-using-excessive-bandwidth

 

For these and other use cases, as well as other related self-paced training and information, please visit the Stealthwatch Training Center.

 

Stealthwatch Cloud

 

In Stealthwatch Cloud, you can review the following Alerts and adjust priority as desired.

  1. New Remote Access
    Source has been accessed (e.g., via SSH) from a remote host for the first time in recent history. This alert requires 36 days of history.

  2. High Bandwidth Unidirectional Traffic
    Source started sending large amounts of data to new remote hosts. This can indicate misuse or misconfiguration. For example, malware might cause an infected host to attack a website by directing a host to send lots of data to a vulnerable service. This alert requires 0 days of history.

  3. Network Population Spike
    A record number of IP addresses were observed communicating on the network. This might indicate spoofing of source addresses. This alert requires 36 days of history.

  4. Outbound Traffic Spike
    Source started sending a much larger amount of traffic to external destinations than before. This alert requires 14 days of history.

  5. Attendance Drop
    Source is normally active for most of the day, but its activity dropped across multiple profiles (e.g., SSH Server, FTP Server). This alert requires 14 days of history.

  6. Suspicious SMB Activity
    Multiple new SMB servers have communicated with common SMB peers. This alert uses the Suspicious SMB Activity observation and may be an indication of malware or abuse. This alert requires 14 days of history.

  7. IDS Emergent Profile
    Device exhibits a new type of traffic at the same time it is flagged as suspicious by an IDS. This alert uses the Intrusion Detection System Notice observation and the New Profile observation and may indicate the device is compromised. This alert requires 14 days of history.

  8. Suspicious Domain Lookup Failures
    Device tried to resolve multiple algorithmically-generated domains (e.g., rgkte-hdvj.cc) to an IP address. This alert uses the Domain Generation Algorithm observation and may indicate a malware infection or botnet activity. This alert requires 0 days of history.

  9. Excessive Access Attempts
    Device has many failed access attempts from an external device. For example, a remote device trying repeatedly to access an internal server using SSH or Telnet would trigger this alert. The alert uses the Multiple Access Failures observation and may indicate the device is compromised. This alert requires 0 days of history.

  10. Unusual DNS Connection
    Device contacted an unusual DNS resolver and then established periodic connections with a remote device. This alert uses the Unusual DNS Resolver and Heartbeat observations and may indicate that the device is compromised. This alert requires 1 day of history.

  11. Unusual External Server
    Device has repeatedly communicated with a new external server. This alert uses the New External Server and Persistent External Server observations and may indicate the presence of malware. This alert requires 14 days of history.

  12. Role Violation
    Device is identified with a particular role (e.g., Windows Workstation), but was observed acting in a new role (e.g., SSH server). This alert uses the Role Violation observation and may indicate the device is compromised. This alert requires 0 days of history.

  13. Static Device Deviation
    Device is normally static on the network: it talks on the same ports, or to the same devices, with a similar traffic pattern each day. Recently this device has deviated from its norms. This alert uses the Historical Outlier observation and may indicate misuse or a compromise. This alert requires 35 days of history.

  14. Geographically Unusual Remote Access
    Device has been accessed from a remote host in a country that doesn't normally access the local network. For example, a local server accepting an SSH connection from a foreign source would trigger this alert. This alert uses the Remote Access observation and may indicate misuse or a compromised device. This alert requires 30 days of history.

  15. Abnormal User
    A user session was created on an endpoint that does not normally see sessions with this user. This alert uses the Session Opened observation and requires an integration with either AWS, Sumo Logic, or Active Directory. This alert requires 36 days of history.

  16. Anomalous Mac Workstation
    An Apple Mac workstation used a new anomalous behavioral profile (e.g., the host connected to many devices over BitTorrent). This alert uses the Anomalous Profile observation and may be an indication of malware or misuse. This alert requires 14 days of history.

  17. Anomalous Windows Workstation
    A Windows workstation used a new anomalous behavioral profile (e.g., the host connected to many devices over BitTorrent). This alert uses the Anomalous Profile observation and may be an indication of malware or misuse. This alert requires 14 days of history.

 

For a quick demo of how Stealthwatch Cloud can be used to monitor remote users, see: Monitoring Remote Workers - Cisco Stealthwatch Cloud 

 

Comments
Interesting... very... at least