
Protecting the Crown Jewels

Charles Herring

Last year in the article Looking East and West we examined how lateral visibility can assist in investigations connected to data theft. In that article we examined an attack where Beron’s computer had fallen under the control of an external attacker in Ukraine, who used Beron’s computer to extract data from a business-critical database server and upload the stolen data to an external FTP server.

Advanced Data Protection in 6.5

In the year that has passed since we first looked at the Beron compromise, Lancope has improved the security processing model, expanded the feature set and incorporated advanced threat detection algorithms.

The dashboard below provides histograms of traffic moving from the protected data stores, the authorized users and support services. Beron’s computer resides in the “Crown Jewels Authorized” host group. The database server that is exploited resides in “Crown Jewels Data.”

Histograms Of Traffic Moving From Protected Data Stores

Relationship Monitoring

On the alarms tab of the dashboard, abnormal transfer rates and totals trigger relationship alarms between the “Crown Jewels Authorized” and “Crown Jewels Data” host groups.

Alarms Tab Of Dashboard

The abnormal transfer can be observed on the traffic tab of the dashboard.

Abnormal Transfer Rate On Traffic Tab Of Dashboard

Segmentation policy allows data to flow between these two security zones. StealthWatch inspects the qualities of the transfers to reveal anomalous activity that can indicate an insider or advanced threat.

Segmentation Enforcement

StealthWatch 6.5 includes a new Custom Events feature. This feature allows organizations to create custom detection criteria for a number of purposes, including segmentation validation. On the alarms tab of the dashboard, three alarms named “Seg Violation – CJ Auth to Invalid Server” are triggered when Beron’s machine communicates with the unapproved Ukraine server.

StealthWatch 6.5 Custom Events Feature

These custom events are created through the tools section of the new HTML interface.

Tools Section Of The StealthWatch 6.5 HTML Interface

Data Hoarding

Also new in 6.5 are advanced data hoarding calculations.

Data Hoarding Calculations In Custom Events Section

StealthWatch observes and baselines how much data a host normally takes from and serves to other internal hosts. When a host starts “hoarding” too much data, a “Suspect Data Hoarding” alarm is triggered. When a host is serving out too much information to other hosts, a “Target Data Hoarding” alarm is triggered. In the case of the Beron compromise, the MySQL dump between Beron’s machine and the business-critical database server triggered both of these alarms once the acceptable thresholds were crossed.

Data Loss

The final type of alarm in the breach is a “Suspect Data Loss” alarm. This counter-based event triggers when abnormal or prohibited amounts of data are sent out of the network. When Beron’s machine begins the upload of the stolen data out of the network, the alarm is triggered.
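The four detections described on this page (relationship monitoring between host groups, the segmentation custom event, suspect/target data hoarding, and suspect data loss) all reduce to the same pattern: classify each flow endpoint into a host group, aggregate bytes per day, and compare today's total against a baseline or a policy ceiling. The script below is an added illustration of that pattern and is not StealthWatch code or Lancope's algorithms. The host group address ranges, the allowed-destination list for “Crown Jewels Authorized”, the baseline tolerance (mean plus 3 sigma with a 25% floor), the 500 MB outbound ceiling, and the NetFlow-style sample records (Beron, the database server, an approved SaaS host and an unapproved external server) are all constructed assumptions.

```python
"""Baseline- and policy-driven alarms over constructed NetFlow-style records.
Added example modelled on the article's descriptions; not StealthWatch code."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

MB = 2**20
# Host groups (constructed; most specific listed first so lookup matches it first).
HOST_GROUPS = {
    "Crown Jewels Data": [ip_network("10.10.20.0/24")],
    "Crown Jewels Authorized": [ip_network("10.10.30.0/24")],
    "Inside": [ip_network("10.0.0.0/8")],          # any other internal host
}
# Custom event policy (assumed): CJ Authorized hosts may reach internal groups
# plus one approved external range; anything else is a segmentation violation.
CJ_AUTH_ALLOWED_GROUPS = {"Crown Jewels Data", "Crown Jewels Authorized", "Inside"}
CJ_AUTH_ALLOWED_EXTERNAL = [ip_network("203.0.113.0/24")]
DATA_LOSS_CEILING = 500 * MB                      # "prohibited" outbound bytes/host/day (assumed)

def host_group(ip):
    addr = ip_address(ip)
    for name, nets in HOST_GROUPS.items():
        if any(addr in n for n in nets):
            return name
    return "Outside"

def inside(ip):
    return host_group(ip) != "Outside"

def seg_violations(flows):
    """Custom event: a CJ Authorized host talks to a server outside its allowed set."""
    alarms = []
    for day, src, dst, _nbytes in flows:
        if host_group(src) != "Crown Jewels Authorized":
            continue
        if host_group(dst) in CJ_AUTH_ALLOWED_GROUPS:
            continue
        if any(ip_address(dst) in n for n in CJ_AUTH_ALLOWED_EXTERNAL):
            continue
        alarms.append(("Seg Violation - CJ Auth to Invalid Server", day, src, dst))
    return alarms

def exceeds_baseline(history, today):
    """Threshold = mean of prior days + 3 sigma, with a 25% floor so a flat
    baseline does not alarm on trivial growth. No history means no baseline."""
    if not history:
        return False
    m = mean(history)
    return today > m + max(3 * pstdev(history), 0.25 * m)

def daily_totals(flows, key):
    """Sum bytes per key(src, dst) per day; key returns None to skip a flow."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        k = key(src, dst)
        if k is not None:
            totals[k][day] += nbytes
    return totals

def baseline_alarms(flows, key, today, name):
    alarms = []
    for k, per_day in daily_totals(flows, key).items():
        history = [v for d, v in per_day.items() if d < today]
        if exceeds_baseline(history, per_day.get(today, 0)):
            alarms.append((name, k, per_day[today]))
    return alarms

def data_hoarding(flows, today):
    """Suspect = host taking too much from internal hosts (keyed on dst);
    Target = host serving too much to internal hosts (keyed on src)."""
    internal = lambda s, d: inside(s) and inside(d)
    suspect = baseline_alarms(flows, lambda s, d: d if internal(s, d) else None, today, "Suspect Data Hoarding")
    target = baseline_alarms(flows, lambda s, d: s if internal(s, d) else None, today, "Target Data Hoarding")
    return suspect + target

def data_loss(flows, today):
    """Outbound bytes per internal host: abnormal vs. baseline OR above the prohibited ceiling."""
    key = lambda s, d: s if inside(s) and not inside(d) else None
    alarms = baseline_alarms(flows, key, today, "Suspect Data Loss")
    for src, per_day in daily_totals(flows, key).items():
        if per_day.get(today, 0) > DATA_LOSS_CEILING and not any(a[1] == src for a in alarms):
            alarms.append(("Suspect Data Loss", src, per_day[today]))
    return alarms

def relationship_alarms(flows, today):
    """Relationship monitoring: total bytes between a pair of host groups vs. baseline."""
    return baseline_alarms(flows, lambda s, d: (host_group(s), host_group(d)), today, "Relationship High Total Traffic")

# Constructed sample records: (day, src, dst, bytes src->dst). Day 5 is the breach day.
BERON, DB, OTHER_USER = "10.10.30.5", "10.10.20.10", "10.10.30.6"
SAAS, BAD_SERVER = "203.0.113.10", "198.51.100.77"   # approved / unapproved external hosts
TODAY = 5

def sample_flows():
    flows = []
    for day, (b, o) in enumerate([(50, 40), (52, 41), (48, 39), (51, 40), (49, 42)]):
        flows += [(day, DB, BERON, b * MB), (day, DB, OTHER_USER, o * MB), (day, BERON, SAAS, 5 * MB)]
    flows += [(TODAY, DB, BERON, 2000 * MB), (TODAY, DB, OTHER_USER, 41 * MB), (TODAY, BERON, SAAS, 5 * MB)]
    for n in (2 * MB, 600 * MB, 1200 * MB):           # three sessions to the unapproved server
        flows.append((TODAY, BERON, BAD_SERVER, n))
    return flows

if __name__ == "__main__":
    f = sample_flows()
    for a in seg_violations(f) + data_hoarding(f, TODAY) + data_loss(f, TODAY) + relationship_alarms(f, TODAY):
        print(a)
```

Run as-is, the script raises the same set of alarms the article walks through for the breach day: three segmentation violations for the sessions to the unapproved server, a Suspect Data Hoarding alarm on Beron's host and a Target Data Hoarding alarm on the database server for the dump, a Suspect Data Loss alarm on Beron's outbound total, and relationship alarms for the two host-group pairs whose totals jumped. On any earlier day nothing fires, because every host's totals sit inside its own baseline.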

Data Loss Alarm In Custom Events Section

Wrap Up

StealthWatch continues to be a powerful tool in incident response and forensics when security breaches occur. With the new features and capabilities wrapped into the 6.5 release, advanced attacks targeting protected data can be quickly detected.
