Stealthwatch

  1. Stealthwatch
    1. Stealthwatch Enterprise
    2. Stealthwatch Cloud
  2. Host groups
  3. Index
  4. Event
  5. Policy
  6. Encrypted traffic analytics

Stealthwatch

  • sources: NetFlow, JFlow, sFlow, IPFIX, NSEL (Netflow secure event logging – ASA/FTD)
  • IPv4 and IPv6 BUM
  • flow stitching: 2 unidirectional NetFlow → 1 bidirectional conversational flow
  • flow deduplication: information about the same flow reported by different exporters/collectors is merged instead of counted twice
  • integration with Cognitive Threat Analytics
  • IPFIX includes RTT, SRT (server response time)
  • threat intelligence license: access to Talos signatures
  • dynamic entity modelling (DEM)
    • determines how far a host's behaviour deviates from its role and from its baseline
    • predicts behaviour
  • if a flow is routed asymmetrically, the records from the different sensors must reach the same collector so that both directions can be stitched
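How flow stitching and flow deduplication combine unidirectional records into one bidirectional conversation, as an added Python illustration that is not part of these notes or of Stealthwatch itself; the record fields, the exact-duplicate rule and the earliest-record-is-client heuristic are assumptions.

```python
from typing import Dict, List, NamedTuple, Set, Tuple

class UniFlow(NamedTuple):  # one unidirectional NetFlow/IPFIX record (field names assumed)
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    bytes: int
    pkts: int
    start: float
    end: float

def conversation_key(f: UniFlow) -> Tuple:
    # Direction-agnostic key so both halves of a conversation map to the same entry.
    return (f.proto,) + tuple(sorted([(f.src, f.sport), (f.dst, f.dport)]))

def stitch(records: List[UniFlow]) -> Dict[Tuple, dict]:
    convs: Dict[Tuple, dict] = {}
    seen: Set[UniFlow] = set()  # exact duplicates (same flow via two exporters) are dropped
    for f in sorted(records, key=lambda r: r.start):
        if f in seen:
            continue
        seen.add(f)
        bf = convs.get(conversation_key(f))
        if bf is None:
            # Assumed heuristic: the earliest record of a conversation is the client side.
            bf = {"client": f.src, "server": f.dst, "client_port": f.sport,
                  "server_port": f.dport, "proto": f.proto, "client_bytes": 0,
                  "server_bytes": 0, "client_pkts": 0, "server_pkts": 0,
                  "start": f.start, "end": f.end}
            convs[conversation_key(f)] = bf
        side = "client" if (f.src, f.sport) == (bf["client"], bf["client_port"]) else "server"
        bf[side + "_bytes"] += f.bytes
        bf[side + "_pkts"] += f.pkts
        bf["start"] = min(bf["start"], f.start)
        bf["end"] = max(bf["end"], f.end)
    return convs

# Constructed sample: an HTTPS exchange reported twice (two exporters) plus a DNS lookup.
SAMPLE = [
    UniFlow("10.1.1.5", "93.184.216.34", 51234, 443, 6, 1200, 9, 100.0, 101.5),
    UniFlow("93.184.216.34", "10.1.1.5", 443, 51234, 6, 8400, 12, 100.1, 101.6),
    UniFlow("10.1.1.5", "93.184.216.34", 51234, 443, 6, 1200, 9, 100.0, 101.5),
    UniFlow("10.1.1.7", "10.1.1.9", 40000, 53, 17, 60, 1, 104.9, 104.9),
    UniFlow("10.1.1.9", "10.1.1.7", 53, 40000, 17, 300, 1, 105.0, 105.0),
]
```

Without the `seen` set the repeated HTTPS record would double the client byte count, which is exactly the overcounting that deduplication across collectors prevents.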

Stealthwatch Enterprise

  • components
    • Stealthwatch management center (SMC)
    • FlowCollector
    • FlowRate license
    • FlowSensor: optional
  • FlowCollector:
    • 4000 flow sources, 240k flows per second (1 Gbps ~ 1k-5k FPS)
    • on reboot loses alarm history (use replace)
  • FlowSensor:
    • up to 20 Gbps per sensor
    • appliance, DPI
    • receives traffic via SPAN
  • UDP director
    • unicast replication of flow information
    • collects NetFlow, syslog, SNMP
    • sends traffic to SIEM without changing source IP
  • AnyConnect Network Visibility Module (NVM)
    • correlates flow to application
    • nvzFlow – IPFIX extension
  • if the licensed flow rate is exceeded for 10 days within a 30-day period, upgrades and restarts are prohibited

Stealthwatch Cloud

  • public: AWS, Azure, GCP
  • private:
    • private network monitoring (PNM):
      • collects info locally, sends back to cloud
      • Linux agent
    • virtual appliance
  • AWS
    • VPC flow log analysis: IP information
    • CloudTrail
    • IAM
    • Inspector
    • Lambda
    • AWS Config
  • GCP:
    • VPC flow logs analysis
  • Azure
    • analysis of Network Security Group (NSG) flow logs
  • Kubernetes
    • sensors on nodes
    • deployed as a DaemonSet

Host groups

  • types
    • Inside hosts:
      • RFC 1918
      • IPv6 fd00::/8
      • function- and location-based
    • Outside hosts:
      • countries
      • trusted
    • ThreatFeed host group
      • bogon
      • CnC
      • Tor
  • baseline
    • inside: per host by default
    • outside: per group by default
  • IP only

Index

  • types
    • concern index (CI): likelihood of being an attacker
    • target index (TI): likelihood of being a victim
    • file sharing index (FSI): likelihood of being P2P connection
  • alarm if threshold is exceeded
  • indexes are reset every 24h

Event

  • types
    • behavioural: deviation from baseline
    • conditional: on/off
    • other: based on thresholds and duration
  • baseline: weighted average over maximums during past 7 days + maximum in the same day during past 3 weeks
  • if there is no data for a host (e.g. it was offline), the average value for its group is used
    • if there are several groups, group with least IP addresses is selected
  • if there is no data during past 7 days, baseline = max value from available
  • observation – event in general sense, ≠ alarm

Policy

  • precedence
    1. host
    2. role: group, IP range
    3. default: separate for Inside and Outside

Encrypted traffic analytics

  • anomaly-based detection
  • detects certificates associated with malicious domains (e.g., CnC)
  • uses initial data packet (IDP), sequence of packet lengths and times (SPLT) and global risk map
  • types
    • malware detection (ETA-MD)
      • requires CTA connectivity
      • inside → outside direction
    • compliance audit (ETA-CA)
      • weak ciphers, old TLS
      • no connectivity to CTA required