Obtaining a 360-Degree View of Your Network
The average enterprise network is becoming more complex than ever before. Trends such as mobility, the cloud, digitization, and the Internet of Things (IoT) have increased the number of connected machines, changed how they access the network, and made it more difficult to see what is happening on the network.
While these changes have allowed businesses to become more agile and responsive, they have also given attackers more opportunities to infiltrate the network and steal data. Meanwhile, attackers have become more sophisticated, better funded, and well organized. Organizations can no longer focus solely on preventing a breach, but must also build robust threat detection and response capabilities for when an attacker breaks through the perimeter.
The primary challenge to this is gaining comprehensive visibility into network traffic with the context necessary to understand it. With Cisco Stealthwatch and Cisco Identity Services Engine (ISE), you can utilize your existing network infrastructure for complete network visibility, real-time situational awareness, threat detection, and response capabilities.
The first step to gaining comprehensive visibility at the network level is collecting NetFlow, a context-rich and common form of network traffic metadata. NetFlow is garnered directly from network infrastructure devices such as routers, switches, and firewalls. For every communication on the network, NetFlow records various aspects such as:
- Sender and receiver IP address
- Sender and receiver port number
- Bytes transferred
NetFlow does not record the packet payload, which makes it lightweight enough to collect from the entire network and store for months at a time. And because NetFlow is collected directly from network infrastructure devices, there is no need to deploy expensive probes and it is easy to scale as your network grows.
Cisco Stealthwatch uses NetFlow data to build a historic audit trail of network activity and detect signs of threat activity. As data is collected, Stealthwatch creates a baseline of normal activity for each host on the network. When a host behaves in a way that is significantly abnormal, Stealthwatch triggers an alarm.
For example, a user in Human Resources has their network access credentials stolen and an attacker uses their account to hoard data in preparation for exfiltration. As the attacker continues to pull data, it becomes apparent that the user account is accessing far more network resources than usual. Stealthwatch can detect this behavior and alert security personnel to it. This anomaly detection can help security operators detect advanced threats, command-and-control activity, malware, and other threats early enough to respond before data is lost.
Cisco ISE, a next-generation access control platform, provides deeper context to each flow, including the username, device type, location, and type of connection for the host responsible for the activity. This helps security operators and incident responders gain a quick understanding of network activity and perform investigations faster.
ISE also provides the response capabilities necessary to stop malicious hosts. With a single button-click inside the Stealthwatch Management Console, operators can instruct ISE to quarantine a host, which effectively prevents the host from accessing anything on the network.
This level of comprehensive and context-aware visibility is crucial to detecting threats inside the network perimeter quickly enough to stop attacks before significant damage is done. It can dramatically increase the speed of incident response and forensics. Additionally, Stealthwatch and ISE allows for better network segmentation, regulatory compliance, and operational efficiency. Together, these technologies can transform existing networks into highly scalable, always-on security sensors and enforcers for unparalleled threat defense.
For more information on using Stealthwatch and ISE to protect your network, watch this video.