The network security threat landscape is ever evolving. But always at the cutting edge are custom-written, stealthy threats that evade traditional security perimeter defenses. The Cisco Cyber Threat Defense Solution provides greater visibility into these threats by identifying suspicious network traffic patterns within the network interior. These suspicious patterns are then supplemented with contextual information necessary to discern the level of threat associated with the activity.
Using NetFlow telemetry and contextual information from the Cisco network infrastructure, a network security analyst can, from a single pane of glass, identify suspicious activity, gather pertinent user information, identify the application, and collection of host information. With this information, the analyst can decipher the correct next steps to take concerning the threat in a timely, efficient, and cost-effective manner for advanced cyber threats such as:
• Network reconnaissance - The act of probing the network looking for attack vectors that can be exploited by custom-crafted cyber threats
• Network interior malware proliferation - Spreading malware across hosts for the purpose of gathering security reconnaissance data, exfiltrating data, or creating back doors to the network
• Command and control traffic - Communications between the attacker and the compromised internal hosts
• Data exfiltration - Export of sensitive information back to the attacker, generally via command and control communications
This document outlines the specifications for the three main functional components of the Cisco Cyber Threat Defense Solution:
• Generating network-wide security telemetry - NetFlow export from Cisco Catalyst® switches, Cisco Integrated Services Routers, and Cisco ASA 5500 Series Adaptive Security Appliances
• Aggregating, normalizing, and analyzing NetFlow telemetry data to detect threats and suspicious behavior - Lancope StealthWatch System
• Providing contextual information to determine the intent and severity of the threat - User identity, endpoint device profiling, and posture information from the Cisco Identity Services Engine
Cisco Network Infrastructure: Generating Full Security Telemetry from the Network Interior
Recent advances in Cisco Catalyst switches enable the industry's first pervasive network traffic telemetry - from the user access edge to distribution to the core of the switching network. The line-rate, non-performance-impacting NetFlow telemetry capabilities of the Cisco Catalyst 3560-X, 3750-X, 4500, and 6500 Series provide insight into traffic patterns characteristic of threats that have bypassed the security perimeter and are attempting to remain below the detection radar. Key to delivering this visibility is Cisco's ability to generate unsampled NetFlow data in scale from these platforms.
Table 1 lists system requirements for generating line-rate, unsampled NetFlow data from Cisco Catalyst switches.
Table 1. Cisco Catalyst Switches Capable of Line-Rate, Unsampled NetFlow
NetFlow telemetry is also generated at network borders from Cisco routers and Cisco ASA 5500 adaptive security appliances as well as the Cisco NetFlow Generation Appliance (NGA). Table 2 lists system recommendations for generating NetFlow data from these platforms.
Table 2. Cisco Router and ASA 5500 and NGA System Recommendations
Cisco ASA 5500 Series Adaptive Security Appliances
Cisco ASA Software Release 8.4(4)1
Cisco NetFlow Generation Appliance
Cisco NGA Software Version 1.0
Lancope StealthWatch System: Detecting Threats and Suspicious Activity
With the Cisco network infrastructure delivering ubiquitous NetFlow telemetry, the next step is to collect and analyze that data. The Lancope StealthWatch System, available from Cisco, is purpose-built to aggregate and normalize massive amounts of NetFlow data, and then apply security analytics to detect malicious and suspicious network traffic patterns as presented through the StealthWatch Management Console.
The primary components of the Lancope StealthWatch System are:
• FlowCollector - A physical or virtual appliance that aggregates and normalizes NetFlow and application-type data collected from up to 2,000 Cisco Catalyst switches, Cisco integrated services routers, or Cisco ASA 5500 adaptive security appliances per FlowCollector.
• StealthWatch Management Console - A physical or virtual appliance that aggregates, organizes, and presents analysis from FlowCollectors, the Cisco Identity Services Engine, and other network context via graphical representations of network traffic, user identity information, customized summary reports, and integrated security and network intelligence for drill-down analysis.
• Flow licenses - A Flow license is required to aggregate flows at the StealthWatch Management Console. Flow licenses also define the volume of flows that may be collected.
The optional components of the Lancope StealthWatch System are:
• FlowSensor - A physical or virtual appliance that Provides an overlay solution for generating NetFlow data for legacy Cisco network infrastructures not capable of producing line-rate, unsampled NetFlow data. Also for environments where IT security prefers a dedicated overlay architecture separate from the network infrastructure.
• FlowReplicator - A physical appliance that provides a single point for forwarding NetFlow data as a single data stream to other consumption devices.
StealthWatch FlowCollector
The volume of NetFlow telemetry collected from the network is defined by the capacity of the FlowCollectors deployed. Multiple FlowCollectors may be installed to scale the deployment. FlowCollectors are available as hardware appliances or as virtual machines ("VEs"). Table 3 lists FlowCollector specifications and capacities.
Table 3. StealthWatch FlowCollector Models
Model
Maximum Flows Per Second
Maximum NetFlow Exporters
(e.g., Switches, Routers)
Maximum Hosts Monitored
(IP Addresses)
Flow Storage Capacity
FlowCollector VE
30,000*
1000
500,000
1 TB
FlowCollector 1000
30,000
500
250,000
1 TB
FlowCollector 2000
60,000
1000
500,000
2 TB
FlowCollector 4000
120,000
2000
1,000,000
4 TB
* Dependent on resources of virtual machine.
Additional information regarding deployment sizing and hardware configurations can be found at http://www.lancope.com.
StealthWatch Management Console
The volume of NetFlow data analyzed and presented, as well as the number of StealthWatch FlowCollectors that can be deployed, is defined by the capacity of the StealthWatch Management Console. The console is available as a hardware appliance or as a virtual machine. Table 4 lists the specifications and capacities of the StealthWatch Management Console.
Table 4. StealthWatch Management Console Models
Model
Maximum FlowCollectors Supported
Flow Storage Capacity
StealthWatch Management Console VE
5*
1 TB
StealthWatch Management Console 1000
5
1 TB
StealthWatch Management Console 2000
25
2 TB
* Dependent on resources of virtual machine.
Additional information regarding deployment sizing and hardware configurations can be found at http://www.lancope.com.
StealthWatch Flow Licenses
A Flow license is required to aggregate flows at the StealthWatch Management Console. Flow licenses also define the volume of flows that may be collected. Licenses may be combined in any premutation to achieve the desired level of flow capacity. License capacities available are:
License Type
Flow Collection License - 1000 Flows
Flow Collection License - 10,000 Flows
Flow Collection License - 25,000 Flows
Flow Collection License - 50,000 Flows
Flow Collection License - 100,000 Flows
Note: FlowSensor traffic does not count against flow license capacities.
StealthWatch FlowSensor
The FlowSensor is an optional component that produces NetFlow data for segments of the switching and routing infrastructure that do not support NetFlow, or for environments where an overlay monitoring solution better fits the operations model of the IT organization. The FlowSensor can also provide Layer 7 application information for environments where Cisco Network-Based Application Recognition (NBAR) is not enabled.
The volume of NetFlow data generated from the network is defined by the capacity of the FlowSensors deployed. Multiple FlowSensors may be installed to scale the deployment. FlowSensors are available as hardware appliances or as software to monitor virtual machine environments. Table 5 lists the specifications and capacities of FlowSensors.
Table 5. StealthWatch FlowSensor Models
Model
Traffic Capacity
FlowSensor VE
1 per ESXi server
FlowSensor 250
100 Mbps
FlowSensor 1000
1 Gbps
FlowSensor 2000
2.5 Gbps
FlowSensor 3000
5 Gbps
Additional information regarding deployment sizing and hardware configurations can be found at http://www.lancope.com.
StealthWatch FlowReplicator
The FlowReplicator is an optional component that reduces telemetry generation and network overhead by aggregating network and security information from multiple locations into a single data stream to send to the FlowCollector or other devices. FlowReplicators are available as hardware appliances. Table 6 lists the specifications and capacities of FlowReplicators.
Table 6. StealthWatch FlowReplicator Models
Model
Traffic Capacity - Inbound
Traffic Capacity - Outbound
FlowReplicator 1000
10 KPPS
20 KPPS
FlowReplicator 2000
20 KPPS
60 KPPS
Additional information regarding deployment sizing and hardware configurations can be found at http://www.lancope.com.
Identifying suspicious traffic patterns is key to threat detection and visibility, but deciphering the intent and danger associated with those threats requires relevant contextual information. The Cisco Cyber Threat Defense Solution presents a unified view of the traffic pattern analysis via NetFlow and relevant contextual information regarding that traffic, such as user identity, posture, device type, user policy, application information, and firewall context. This information is presented in a single pane of glass via the StealthWatch Management Console.
Cisco Identity Services Engine
The Cisco Identity Services Engine provides a highly powerful and flexible attribute-based access control solution that combines authentication, authorization, and accounting (AAA), endpoint security posture assessment, and endpoint device-type profiling and identification on a single platform. The Cisco Identity Services Engine automatically discovers and classifies endpoints, provides the right level of access based on identity, and provides the ability to enforce endpoint compliance by checking a device's posture. These functions enable the Identity Services Engine to provide key identity, device, and posture information to provide threat context associated with suspicious network traffic patterns identified by the StealthWatch System. Furthermore, Cisco Identity Services Engine can be used to execute threat remediation actions for affected users.
The volume of users/sessions and devices that can be monitored is defined by the capacity of the Cisco Identity Services Engine model. Multiple Cisco Identity Services Engine devices may be installed to scale the deployment. The Cisco Identity Services Engine is available as a hardware appliance or as a virtual machine. Table 7 lists the specifications and capacity of the Identity Services Engine.
Table 7. Cisco Identity Services Engine Models
Model
Endpoints Supported
Storage Capacity
Cisco ISE Software Release
Cisco ISE 3315 Identity Services Engine
3000
500 GB
1.1
Cisco ISE 3355 Identity Services Engine
6000
600 GB
1.1
Cisco ISE 3395 Identity Services Engine
10,000
1.2 TB
1.1
Additional information regarding deployment sizing, hardware configurations, and licensing options can be found at http://www.cisco.com/go/ise.
NAT Stitching
Lancope StealthWatch uses NAT context from ASA 5500 appliances and ASR 1000 Series Routers to connect internal and external representations of the same traffic flow into one single deduplicated flow record. Along with the other identity and application information presented in StealthWatch, this can significantly speed the process of analysis and incident response by eliminating the time-consuming manual process of correlating inside to outside address information.
NBAR is a Cisco IOS® Software feature on Cisco Integrated Services Routers that performs stateful deep-packet inspection on a data flow to identify the packet type and the protocol that the flow belongs to. NBAR can distinguish more than 900 different protocols using protocol signatures inside the packet content. It can also inspect custom protocols by using a custom Protocol Description Language Module (PDLM) that has the protocol signatures.
The Lancope StealthWatch System uses NBAR information from Cisco Integrated Services Routers to provide additional threat context by identifying the application associated with suspicious traffic. This capability is included in the StealthWatch System.
