Updated 5/20/20 - Please continue to monitor this page, new offer information will be added as it is received.

Managing a shifting remote workforce

The day to day management of networks in the age of COVID-19 introduces a number of significant changes that can be challenging to manage, including significant changes to remote workforce architecture.

 
We at Cisco are here for you, and Stealthwatch can assist you in monitoring and investigating the effects of these shifts on your network traffic patterns. 

 
Here are some additional items that may be of use as you navigate these changes.

Stealthwatch Enterprise

Did you know that Stealthwatch Enterprise can be used to...

• Monitor remote access users, including workloads and applications being used by hosts. 
  See how by reading our use-case writeup at: https://cisco.bravais.com/s/eOmPrYQT9hDLvVjkCWZr
• Investigate excessive bandwidth usage, by monitoring how much bandwidth applications are using, along with which users and hosts are using those applications. 
  To learn how, check out: https://cisco.bravais.com/s/J4rf56hnr89HrlTQfDS3
• Determine why an interface is over capacity, by quickly identifying interfaces that are either overloaded or close to capacity, and investigating the applications, users, or hosts that are generating the most activity. 
  Read how here: https://cisco.bravais.com/s/YwcuOLt7KSR2XM8UqvFr
• Investigate hosts using the most bandwidth, including pulling details around the applications, peers, ports, protocols and services being utilized. 
  Learn how here: https://cisco.bravais.com/s/Hdq98EdEqbgsTTOZKQkZ
• Quickly review details about tracked Interfaces with the Interface status report, including exposing details on the traffic flowing through them. 
  For more information, see: https://cisco.bravais.com/s/tYJldeTCBNc6kJ0V8gPf
• Identify Applications being used on the network, allowing you to report on known and classify unknown applications present in the network environment. 
  Read about how here: https://cisco.bravais.com/s/uR4XEmRJMb3ykksPEtdw
• Report on traffic from specific geographies, and alert if traffic from outside an approved geographical region tries to access sensitive data.
  Learn how here: https://cisco.bravais.com/s/M4kYziQ7cokXizox37qh
• Perform network usage accounting in the WebUI, to effectively allocate resources and account for overall network usage by host groups.
  See how here: https://cisco.bravais.com/s/DsPCQMCRO8OW48BP9Hlx
• Identify virtual machines generating excessive traffic, and determine if the VM is overloaded or a virtualized service is being DoS’d by use.
  Read about how here: https://cisco.bravais.com/s/5SNNyGylJysm1Ta80nVJ
• Investigate Network Performance, exposing and diagnosing reported issues of slow network or application/server performance.       
  More information here: https://cisco.bravais.com/s/RuadJxoMduoPn6024eCC
• Assist with Network Segmentation and Policy Development, by exploring existing network traffic to model policies and assessing their accuracy before enforcement.
  See more here: https://cisco.bravais.com/s/BxIiDNSiesmUYS6G9iWM
• Use Response Times as an Indicator of DoS, by monitoring the traffic allowed to pass into the network for peaks that might indicate a DoS attack.
  Learn more here: https://cisco.bravais.com/s/dFF3pjp435FWQ11BUEW5
• Get a visual overview of network status using the Visibility Assessment Application, providing an overview of enterprise network security posture and metrics that can be exported as a printable report.
  Learn more here: https://cisco.bravais.com/s/Y3hr1T4e3sQYspeqEd3A
• The Anomaly alarm category, to help determine if there is legitimate traffic to/from a host/server.
  Read about it here: https://cisco.bravais.com/s/RA9I2jIG2mIr39zjRRva
• Detecting Application Access Policy Violations, and determine where policy violations or attempted policy violations have occurred.
  Read about it here: https://cisco.bravais.com/s/jVC66bEDF35awHtHJ9Bi
• Detecting Application Tunneling, and investigate hosts hiding traffic within common ports such as DNS, HTTP, etc. to tunnel data out.
  Learn how to here: https://cisco.bravais.com/s/Ii2EuG6xXfXeBLivzUSQ
• The Data Exfiltration alarm category,  to detect abnormal amounts of data being transferred from inside to outside.
  Read more here: https://cisco.bravais.com/s/EUKuCnTIOS4sf14pdfvN
• The Data Hoarding alarm category,  to detect large amounts of data being transferred between hosts, which can be a precursor for a data loss event.
  Read more here: https://cisco.bravais.com/s/S1UVcdkXhcoSS3XHPnEo
• Detecting Data Loss, displaying data transfer activity from the inside to the outside of the monitored domain.
  Learn about it here: https://cisco.bravais.com/s/wpTcWT1G9V8KnNRbfONe

For a quick demo showing how Stealthwatch Enterprise can be used to monitor remote users, see the following video in our Stealthwatch Training Center:
https://learning.stealthwatch.com/covid-use-case-video-using-maps-and-top-reports-to-investigate-hosts-using-excessive-bandwidth

For these and other use cases, as well as other related self-paced training and information, please visit the Stealthwatch Training Center.

Stealthwatch Cloud

In Stealthwatch Cloud, you can review the following Alerts and adjust priority as desired.

1. New Remote Access

   Source has been accessed (e.g., via SSH) from a remote host for the first time in recent history. This alert requires 36 days of history.


2. High Bandwidth Unidirectional Traffic

   Source started sending large amounts of data to new remote hosts. This can indicate misuse or misconfiguration. For example, malware might cause an infected host to attack a website by directing a host to send lots of data to a vulnerable service. This alert requires 0 days of history.


3. Network Population Spike

   A record number of IP addresses were observed communicating on the network. This might indicate spoofing of source addresses. This alert requires 36 days of history.


4. Outbound Traffic Spike

   Source started sending a much larger amount of traffic to external destinations than before. This alert requires 14 days of history.


5. Attendance Drop

   Source is normally active for most of the day, but its activity dropped across multiple profiles (e.g., SSH Server, FTP Server). This alert requires 14 days of history.
6. Suspicious SMB Activity

Multiple new SMB servers have communicated with common SMB peers. This alert uses the Suspicious SMB Activity observation and may be an indication of malware or abuse. This alert requires 14 days of history.

1. IDS Emergent Profile

Device exhibits a new type of traffic at the same time it is flagged as suspicious by an IDS. This alert uses the Intrusion Detection System Notice observation and the New Profile observation and may indicate the device is compromised. This alert requires 14 days of history.

1. Suspicious Domain Lookup Failures

Device tried to resolve multiple algorithmically-generated domains (e.g., rgkte-hdvj.cc) to an IP address. This alert uses the Domain Generation Algorithm observation may indicate a malware infection or botnet activity. This alert requires 0 days of history.

1. Suspicious SMB Activity

Multiple new SMB servers have communicated with common SMB peers. This alert uses the Suspicious SMB Activity observation and may be an indication of malware or abuse. This alert requires 14 days of history.

1. IDS Emergent Profile

Device exhibits a new type of traffic at the same time it is flagged as suspicious by an IDS. This alert uses the Intrusion Detection System Notice observation and the New Profile observation and may indicate the device is compromised. This alert requires 14 days of history.

1. Suspicious Domain Lookup Failures

Device tried to resolve multiple algorithmically-generated domains (e.g., rgkte-hdvj.cc) to an IP address. This alert uses the Domain Generation Algorithm observation may indicate a malware infection or botnet activity. This alert requires 0 days of history.

1. Excessive Access Attempts 
   Device has many failed access attempts from an external device. For example, a remote device trying repeatedly to access an internal server using SSH or Telnet would trigger this alert. The alert uses the Multiple Access Failures observation and may indicate the device is compromised. This alert requires 0 days of history.
2. Unusual DNS Connection 
   Device contacted an unusual DNS resolver and then established periodic connections with a remote device. This alert uses the Unusual DNS Resolver and Heartbeat observations and may indicate that the device is compromised. This alert requires 1 day of history.
3. Unusual External Server 
   Device has repeatedly communicated with a new external server. This alert uses the New External Server and Persistent External Server observations and may indicate the presence of malware. This alert requires 14 days of history. 
4. Role Violation

Device is identified with a particular role (e.g., Windows Workstation), but was observed acting in a new role (e.g., SSH server). This alert uses the Role Violation observation and may indicate the device is compromised. This alert requires 0 days of history.

1. Static Device Deviation

Device is normally static on the network - it talks on the same ports, or to the same devices, with a similar traffic pattern each day. Recently this device has deviated from its norms. This alert uses the Historical Outlier observation and may indicate misuse or a compromise. This alert requires 35 days of history.

1. Geographically Unusual Remote Access

Device has been accessed from a remote host in a country that doesn't normally access the local network. For example, a local server accepting an SSH connection from a foreign source would trigger this alert. This alert uses the Remote Access observation and may indicate misuse or a compromised device. This alert requires 30 days of history. 

1. Abnormal User 
   A user session was created on an endpoint that does not normally see sessions with this user. This alert uses the Session Opened observation and requires an integration with either AWS, Sumo Logic, or Active Directory. This alert requires 36 days of history.
2. Anomalous Mac Workstation 
   An Apple Mac Workstation used a new anomalous behavioral profile (e.g., the host connected to many devices over BitTorrent). This alert uses the Anomalous Profile observation and may be an indication of malware or misuse. This alert requires 14 days of history.
3. Anomalous Windows Workstation 
   A Windows workstation used a new anomalous behavioral profile (e.g., the host connected to many devices over BitTorrent). This alert uses the Anomalous Profile observation and may be an indication of malware or misuse. This alert requires 14 days of history.

For a quick demo of how Stealthwatch Cloud can be used to monitor remote users, see: Monitoring Remote Workers - Cisco Stealthwatch Cloud