Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About brford
Stats
Member since
02-12-2001
115
Posts
67
Helpful
9
Solutions
Created by
brford
in Security Analytics
in Security Analytics
08-22-2019
07:40 AM
08-22-2019
07:40 AM
The short answer is Yes.
The Threat Intel Feed (also known as SLIC Feed) is an IP Blacklist that lives on and is updated at your SMC. The big advantage of SLIC is that it is fast. If an external IP matches an IP on the Threat Feed list then there is an alarm.
Cognitive Threat Analytics requires that data about a connection involving an external IP be sent to the cloud for analysis and risk scoring. Cognitive Intelligence takes longer but is able to identify threats based on their communications and behavior characteristics rather than on just matching an IP address.
Cognitive returns a risk score which is valuable in that it helps you triage your work; looking at the highest risk connections first and then working through a list to lower risk connections.
... View more
Created by
brford
in Security Analytics
in Security Analytics
08-22-2019
07:32 AM
08-22-2019
07:32 AM
Take a look at https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/smc_users_guide/SW_6_9_0_SMC_Users_Guide_DV_1_2.pdf , specifically page 325 'Adding Authentication Services' and see if that helps.
... View more
Created by
brford
in Security Analytics
in Security Analytics
08-22-2019
07:23 AM
08-22-2019
07:23 AM
Ben makes a couple of important points here. Meta data from the AnyConnect Network Visibility Module (NVM has to be sent to an Endpoint Concentrator. That meta data is 'NZFlow' not NetFlow or IPFIX. That meta data is not able to be processed at a Flow Collector and requires the Endpoint Concentrator to create IPFIX data that the Flow Collector can process. Another important point is that NZFlow or endpoint meta data is stitched into Flow Collector connection records. You need to have either NetFlow or IPFIX data about a connection to add endpoint data in to. That means the connection has to also pass through a NetFlow or IPFIX capable device. Often this is the switch or WLC the endpoint is connecting to OR a router that the switch or WLC is connected to.
... View more
08-06-2019
10:38 AM
Thanks for pointing that out.
After some research changing the time reflected in Java client reporting does not seem to be configurable. At the time that was developed; normalizing time to UTC was viewed as a feature because it allowed you to compare results from two SMCs quickly.
I did bring this to the attention of the team that is developing the new web user interface response management and reporting capability.
... View more
- Tags:
- stealthwatch
08-06-2019
10:33 AM
It's important to understand the differences in the two approaches; threat intel feed and cloud based data analysis.
The Stealthwatch Threat Intelligence Feed (formerly known as SLIC or Stealthwatch Labs Intelligence Connection) is a IP list that is updated sometimes several times per day based on data from a variety of sources with Cisco and the security industry. That list resides locally on the Stealthwatch Management Console (SMC). When an external IP address in a connection matches an IP on that list an alarm is generated. The process of getting that list from the Internet to the SMC is a download from Cisco. No local SMC data other than the SMC serial number for identification is shared with Cisco.
Stealthwatch Cognitive integration uses both the Flow Collector and the SMC. The Flow Collector identifies connections in it's database that cross the trust boundary defined by Internet gateway. The Flow Collector sends data about connections that cross that trust boundary to Cognitive via an HTTPS tunnel. At Cognitive additional account specific baselines on submitted data are established and the data is used analyzed using a multi layer framework of classifier algorithms. The results are that for each submitted connection a risk score is computed and then sent back to the SMC.
Cognitive holds some processed data and as the classifiers are updated it runs that data through now updated classifiers to determine if the risk score has changed. If it has that info is sent to the SMC.
The Threat Intel feed does not expose any of the customer network and matches very fast.
Stealthwatch with CTA uses cloud based analytics and processing to greatly extend the analysis of customer Internet connection data.
I hope this helps.
... View more
Created by
brford
in Security Analytics
in Security Analytics
08-05-2019
12:12 PM
08-05-2019
12:12 PM
Regarding wanting to know "if the [Stealthwatch] ANC policy can be automatically enforced once some alarms / anomalies has been detected.". No.
Stealthwatch requires that a user select and apply an ANC policy. There is no 'automatic' enforcement in Stealthwatch.
... View more
Created by
brford
in Security Analytics
in Security Analytics
08-05-2019
12:06 PM
08-05-2019
12:06 PM
You want to take a a look at the Stealthwatch 'Response Management capability from the Java client. Response Management allows the admin user to configure how to parse data and share it from the Stealthwatch Management Console.
... View more
04-17-2019
12:38 PM
Para problemas de licenciamento, você precisa entrar em contato com o suporte técnico através do Cisco TAC.
... View more
03-29-2019
05:39 PM
OK. For this flow record to work with Cisco Stealthwatch (v6.10 or later) you'll need the following:
match ipv4 proto
match ipv4 source addr
match ipv4 destination addr
match transport source-port
match transport destination-port
match ipv4 tos
collect interface out
collect counter bytes
collect counter packets
collect timestamp sys-uptime first
collect timestamp sys-uptime last
These are REQUIRED flow record fields for Stealthwatch v6.10 and later.
You can add the following optional data elements to that flow record:
collect routing next-hop address ipv4 (used for closest interface determination)
collectipv4 ttl minimum
collect ipv4 ttl max (these two data elements are used to understand the path of the flow through the network)
collect transport tcp flag (to gain more insight into TCP connections)
... View more
- Tags:
- eta
- stealthwatch
03-29-2019
08:41 AM
Here is an end of March 2019 update regarding Cisco Stealthwatch Labs available in dCloud.
Cisco Stealthwatch 7.0 and ETA Use Cases Sandbox v2.1
The Cisco Stealthwatch 7.0 Use Cases v2.1 Sandbox is a live environment that shows how Cisco Stealthwatch can transform the network into a sensor to detect insider threats and identify anomalous behavior.There are a number of different exercises in this lab so that learners can complete the lab one exercise at a time or all in one session. For learners new to Stealthwatch plan on spending up to 8 hours. If the learner worked with a previous version of Stealthwatch (v 6.10 or earlier) the lab can be completed in as little as 2 hours.This lab has been used for the Cisco Stealthwatch Test Drive seminar and webinar series.
Cisco Stealthwatch 7.0 Deployment Lab v1
The goal of this hands-on lab is to teach the methodology required to successfully deploy a base Stealthwatch installation. By completing the included lab scenarios, you will deploy several Stealthwatch appliances in a simulated customer environment.
This lab provides administrative access to a fresh (new installation) Stealthwatch instance and exposes the learner to information gathering and steps to deploy in a virtual environment. Expect to spend at least 4 hours to complete this lab; more if you are new to Stealthwatch.
Cisco Stealthwatch 7.0 v1 - Instant Demo
This demo can be used to show customers the enhanced visibility and security analytics that be generated from the network. It features Stealthwatch Enterprise solutions such as Encrypted Traffic Analytics (ETA) as well as outsider threat detection such as malware, zero-day attacks, distributed denial-of-service (DDoS) attempts, command-and-control (C2) communications, advanced persistent threats (APTs), and insider threats like data exfiltration and data hoarding.
As data in this lab is pre-populated there is little or no need to reserve and run days in advance.
Cisco Stealthwatch Cloud v1 - Instant Demo
Demonstration how Stealthwatch Cloud provides comprehensive network visibility from the datacenter to the cloud. It is composed of two products, Public Cloud Monitor and Private Network Monitor.
As in instant demo the data here is pre-populated and there is no need to reserve days in advance.
Keep in mind that Stealthwatch is available in all dCloud data centers. The timing of replay data should coincide with business hours of the data center.
... View more
- Tags:
- stealthwatch
Labels:
03-29-2019
07:41 AM
That's a good looking 9300 NetFlow for Stealthwatch config but it doesn't enable ETA.
While Encrypted Traffic Analytics (ETA) currently uses Cisco NetFlow v9 as it's transport (export) protocol it is not enabled as part of the standard NetFlow configuration. You want to take a look at the 'et-analytics ...' commands in order to enable ETA processing and export.
The ETA process on the 9300 is separate from the NetFlow process. ETA uses one of the available exporters; so if you configure NetFlow as you described and enable ETA your device will report 2 exporters.
For the 9300 see:
https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/nmgmt/b_166_nmgmt_9300_cg/b_166_nmgmt_9300_cg_chapter_01000.pdf
... View more
Created by
brford
in Security Analytics
in Security Analytics
03-22-2019
06:49 AM
03-22-2019
06:49 AM
What version of Stealthwatch are you using?
... View more
Created by
brford
in Security Analytics
in Security Analytics
03-22-2019
06:24 AM
03-22-2019
06:24 AM
OK. Lots going on here.
You have defined two host groups: Link Local and Bogon Subnets
The inside IP 169.254.162.200 appears in both of those host groups.
You are seeing 4 different alarms: High SMB Peers, New Flows, Max flows, and Connect to Bogon.
The 'New Flows' should not normally be an issue. It just means a new device has started connecting over the network.
The 'Max flows' could be an issue. It means that you have a baseline set and that the source IP host is exceeding that baseline. That could be a start up issue with a new deployment (and ignored) OR it could mean that host is suddenly very active and should be investigated.
You have a 'High SMB Peers' alarm. That's the same as above. The baseline on a new install could be low. That could go away over the next days or weeks. In the meantime investigate what that host is doing.
The 'Connect to Bogon' means that some inside host is connecting to an external (outside) IP that has been identified as a Bogon. Bogon's are IP addresses that either should not or do not exist in public IP address space. That could be something that is built into a security event in your local SW or it could be coming from the Threat Intel feed or the Cognitive Threat Analytics. I don't know which you have configured.
In general you should investigate these Bogon connections and consider adding ACLs to either your Internet router or your Firewall to block those connections.
Hope this helps.
Brian
... View more
Created by
brford
in Security Analytics
in Security Analytics
03-21-2019
11:21 AM
03-21-2019
11:21 AM
If the SMC DNS is configured then entries in the Web GUI should be resolved to a URL and domain. DNS is configured when the SMC is installed. The admin should be able to update that setting on the SMC.
... View more
Created by
brford
in Security Analytics
08-22-2019
08-22-2019
The short answer is Yes. The Threat Intel Feed (also known as SLIC Feed)
is an IP Blacklist that liv...
Created by
brford
in Security Analytics
08-22-2019
08-22-2019
Take a look at
https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/management_console/sm...
Created by
brford
in Security Analytics
08-22-2019
08-22-2019
Ben makes a couple of important points here. Meta data from the
AnyConnect Network Visibility Module...
08-06-2019
Thanks for pointing that out. After some research changing the time
reflected in Java client reporti...
08-06-2019
It's important to understand the differences in the two approaches;
threat intel feed and cloud base...
Created by
brford
in Security Analytics
08-05-2019
08-05-2019
Regarding wanting to know "if the [Stealthwatch] ANC policy can be
automatically enforced once some ...
08-05-2019
You want to take a a look at the Stealthwatch 'Response Management
capability from the Java client. ...
04-17-2019
Para problemas de licenciamento, você precisa entrar em contato com o
suporte técnico através do Cis...
03-29-2019
OK. For this flow record to work with Cisco Stealthwatch (v6.10 or
later) you'll need the following:...
03-29-2019
Here is an end of March 2019 update regarding Cisco Stealthwatch Labs
available in dCloud. Cisco Ste...
03-29-2019
That's a good looking 9300 NetFlow for Stealthwatch config but it
doesn't enable ETA. While Encrypte...
Created by
brford
in Security Analytics
03-22-2019
03-22-2019
What version of Stealthwatch are you using?
03-22-2019
OK. Lots going on here. You have defined two host groups: Link Local and
Bogon Subnets The inside IP...
Created by
brford
in Security Analytics
03-21-2019
03-21-2019
If the SMC DNS is configured then entries in the Web GUI should be
resolved to a URL and domain. DNS...
Public Statistics
| Date Registered | 02-12-2001 11:09 AM |
| Date Last Visited | 08-22-2019 06:57 AM |
| Total Messages Posted | 115 |
| Total Helpful Votes Received | 67 |
Helpful Votes Given To
