Stealthwatch
- sources: NetFlow, J-Flow, sFlow, IPFIX, NSEL (NetFlow Secure Event Logging, exported by ASA/FTD)
- IPv4 and IPv6 BUM
- flow stitching: 2 unidirectional NetFlow → 1 bidirectional conversational flow
- flow deduplication: the same flow reported by several exporters/sensors along the path is counted once, not once per exporter
- integration with Cognitive Threat Analytics
- IPFIX records (from the FlowSensor) include RTT and SRT (server response time)
- threat intelligence license: access to Talos signatures
- dynamic entity modelling (DEM)
- determines deviation between pattern and role, from baseline
- predicts behaviour
- asymmetric routing: if the two directions of a flow are seen by different sensors/exporters, both must export to the same FlowCollector, otherwise the flow cannot be stitched
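The stitching and deduplication steps above, as an added example (not Cisco code): two unidirectional records become one bidirectional conversation, copies of the same direction from several exporters are collapsed first, and the asymmetric-routing caveat shows up as a one-sided conversation when the return-path exporter's records never reach this collector. The record layout, the "earliest direction is the client" rule and the sample flows are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class FlowRecord:
    """One unidirectional NetFlow/IPFIX record as a collector receives it."""
    exporter: str      # device that exported the record
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    packets: int
    bytes: int
    start: float       # flow start, seconds
    end: float         # flow end, seconds


@dataclass
class Conversation:
    """Bidirectional flow produced by stitching; client is the side seen sending first."""
    client: str
    cport: int
    server: str
    sport: int
    proto: int
    client_packets: int = 0
    client_bytes: int = 0
    server_packets: int = 0
    server_bytes: int = 0
    start: float = float("inf")
    end: float = 0.0
    exporters: Set[str] = field(default_factory=set)


def deduplicate(records: List[FlowRecord]) -> List[FlowRecord]:
    """Collapse copies of the same unidirectional flow exported by several devices
    (e.g. every router on the path). Key: directional 5-tuple + start time; the
    copy with the highest byte count wins so a partial view does not undercount."""
    best: Dict[Tuple, FlowRecord] = {}
    for r in records:
        key = (r.src, r.sport, r.dst, r.dport, r.proto, r.start)
        if key not in best or r.bytes > best[key].bytes:
            best[key] = r
    return list(best.values())


def _conversation_key(r: FlowRecord) -> Tuple:
    """Direction-independent key so both halves of a flow land in one bucket."""
    a, b = (r.src, r.sport), (r.dst, r.dport)
    return (a, b, r.proto) if a <= b else (b, a, r.proto)


def stitch(records: List[FlowRecord]) -> List[Conversation]:
    """Merge unidirectional records into bidirectional conversations.
    Assumption of this example: the earliest-starting direction is the client
    side (a real collector also uses TCP flags to decide who initiated)."""
    convs: Dict[Tuple, Conversation] = {}
    for r in sorted(records, key=lambda x: x.start):
        key = _conversation_key(r)
        c = convs.get(key)
        if c is None:
            c = Conversation(r.src, r.sport, r.dst, r.dport, r.proto)
            convs[key] = c
        if (r.src, r.sport) == (c.client, c.cport):
            c.client_packets += r.packets
            c.client_bytes += r.bytes
        else:
            c.server_packets += r.packets
            c.server_bytes += r.bytes
        c.start = min(c.start, r.start)
        c.end = max(c.end, r.end)
        c.exporters.add(r.exporter)
    return list(convs.values())


def collect(records: List[FlowRecord]) -> List[Conversation]:
    """What one FlowCollector does with what it receives: dedup, then stitch."""
    return stitch(deduplicate(records))


# Constructed sample: the client request is exported by two routers on the
# forward path (a duplicate), the asymmetric return path only by a third one.
SAMPLE = [
    FlowRecord("rtr-edge", "10.1.1.5", 51234, "203.0.113.10", 443, 6, 12, 1500, 100.0, 105.0),
    FlowRecord("rtr-core", "10.1.1.5", 51234, "203.0.113.10", 443, 6, 12, 1500, 100.0, 105.0),
    FlowRecord("rtr-dmz", "203.0.113.10", 443, "10.1.1.5", 51234, 6, 10, 9000, 100.1, 105.2),
]

if __name__ == "__main__":
    for conv in collect(SAMPLE):
        print(conv)
```

`collect(SAMPLE[:2])` (the return-path exporter sending to a different collector) still yields a conversation, but with zero server bytes; that one-sided view is what the asymmetric-routing note above warns about.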
Stealthwatch Enterprise
- components
- Stealthwatch management center (SMC)
- FlowCollector
- FlowRate license
- FlowSensor: optional
- FlowCollector:
- 4000 flow sources, 240k flows per second (1 Gbps ~ 1k-5k FPS)
- on reboot loses alarm history (use replace)
- FlowSensor:
- up to 20 Gbps per sensor
- appliance (physical or virtual), performs DPI
- receives a copy of the traffic via SPAN/mirror port or TAP
- UDP director
- unicast replication of flow information
- collects NetFlow, syslog, SNMP
- sends traffic to SIEM without changing source IP
- AnyConnect Network Visibility Module (NVM)
- correlates flows to the application (process) and user on the endpoint
- nvzFlow – IPFIX extension
- Flow Rate license: if the licensed flow rate is exceeded for 10 days within a 30-day period, upgrades and restarts are blocked
Stealthwatch Cloud
- public: AWS, Azure, GCP
- private:
- private network monitoring (PNM):
- collects info locally, sends back to cloud
- Linux agent
- virtual appliance
- public cloud monitoring (PCM):
- AWS
- VPC flow logs analysis: IP-level information (no payload)
- CloudTrail
- IAM
- Inspector
- Lambda
- AWS Config
- GCP:
- VPC flow logs analysis
- Azure
- analysis of Network Security Group (NSG) flow logs
- Kubernetes
- sensors on nodes
- by daemonset
Host groups
- types
- Inside hosts:
- RFC 1918
- IPv6 fd00::/8 (unique local addresses)
- function- and location-based
- Outside hosts:
- countries
- trusted
- ThreatFeed host group
- bogon
- CnC
- Tor
- baselining
- Inside hosts: per host by default
- Outside hosts: per group by default
- host group membership is defined by IP addresses/ranges only
Index
- types
- concern index (CI): likelihood of being an attacker
- target index (TI): likelihood of being a victim
- file sharing index (FSI): likelihood of participating in P2P file sharing
- alarm if threshold is exceeded
- indexes are reset every 24h
Event
- types
- behavioural: deviance from baseline
- conditional: on/off
- other: based on thresholds and duration
- baseline: weighted average of the daily maximums during the past 7 days combined with the maximum on the same weekday during the past 3 weeks
- if there is no data for a host (e.g. it was offline), the average value for its host group is used
- if the host belongs to several groups, the group with the fewest IP addresses is selected
- if there is no data during the past 7 days, baseline = maximum of the values that are available
- observation: an event in the general sense, not the same as an alarm
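The baseline rules above as an added example (not Cisco's algorithm): the 7-day weighted average, the same-weekday maximum, the fallbacks for a host with a gap in its data or no data at all, and the smallest-group selection. Cisco does not publish the weights or how the two components are combined, so the weights, the averaging of the two components, the tolerance multiplier and the sample history are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence

# Weights for the past 7 daily maximums, oldest first. Assumed for this
# example (favours recent days); Cisco's actual weights are not published.
WEIGHTS_7D = (1, 1, 1, 2, 2, 3, 4)


def weighted_mean(values: Sequence[Optional[float]],
                  weights: Sequence[float]) -> Optional[float]:
    """Weighted mean that skips days with no data (None); None if nothing is left."""
    pairs = [(v, w) for v, w in zip(values, weights) if v is not None]
    if not pairs:
        return None
    return sum(v * w for v, w in pairs) / sum(w for _, w in pairs)


def host_baseline(last7: Sequence[Optional[float]],
                  same_weekday3: Sequence[Optional[float]]) -> Optional[float]:
    """Baseline for one host from its own history.
    last7: daily maximums for the past 7 days (oldest first), None = no data.
    same_weekday3: maximums on the same weekday in the past 3 weeks.
    Averaging the two components is an assumption of this example."""
    recent = weighted_mean(last7, WEIGHTS_7D)
    weekday = [v for v in same_weekday3 if v is not None]
    if recent is None:
        # no data in the past 7 days: use the maximum of whatever is available
        return max(weekday) if weekday else None
    if not weekday:
        return recent
    return (recent + max(weekday)) / 2.0


@dataclass
class HostGroup:
    name: str
    address_count: int                  # number of IPs in the group definition
    member_baselines: Dict[str, float]  # baselines already computed for members


def group_baseline(groups: Sequence[HostGroup]) -> Optional[float]:
    """Fallback for a host with no data: the average of the group it belongs to,
    choosing the group with the fewest IP addresses when there are several."""
    if not groups:
        return None
    smallest = min(groups, key=lambda g: g.address_count)
    if not smallest.member_baselines:
        return None
    return sum(smallest.member_baselines.values()) / len(smallest.member_baselines)


def effective_baseline(last7, same_weekday3, groups) -> Optional[float]:
    own = host_baseline(last7, same_weekday3)
    return own if own is not None else group_baseline(groups)


def behavioural_event(observed: float, baseline: Optional[float],
                      tolerance: float = 1.5) -> bool:
    """True when the observation deviates from the baseline by more than the
    tolerance multiplier (value assumed; no baseline means no event)."""
    return baseline is not None and observed > baseline * tolerance


# Constructed sample history (e.g. bytes sent per day); one day with no data.
HOST_LAST7 = [100.0, 120.0, None, 130.0, 110.0, 150.0, 140.0]
HOST_WEEKDAY3 = [90.0, 160.0, 120.0]
GROUPS = [
    HostGroup("Servers", 512, {"10.1.1.20": 400.0, "10.1.1.21": 600.0}),
    HostGroup("Web Servers", 16, {"10.1.1.20": 200.0, "10.1.1.22": 300.0}),
]

if __name__ == "__main__":
    base = effective_baseline(HOST_LAST7, HOST_WEEKDAY3, GROUPS)
    print("baseline:", base, "event:", behavioural_event(400.0, base))
```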
Policy
- precedence
- host
- role: group, IP range
- default: separate for Inside and Outside
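The host-group and policy rules above (Inside = RFC 1918 and fd00::/8, outside ThreatFeed-style groups, host > role > default precedence with separate Inside/Outside defaults) as an added example, not Cisco code. The group names, the threat-feed prefixes (documentation and reserved ranges, not real intelligence) and the policy names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HostGroup:
    name: str
    inside: bool
    networks: list


def group(name: str, inside: bool, *cidrs: str) -> HostGroup:
    return HostGroup(name, inside, [ipaddress.ip_network(c) for c in cidrs])


# Inside Hosts: RFC 1918 and IPv6 ULA plus function/location subgroups.
# Outside groups: ThreatFeed-style lists with constructed prefixes.
HOST_GROUPS = [
    group("Inside Hosts", True, "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8"),
    group("Data Center", True, "10.1.0.0/16"),
    group("Web Servers", True, "10.1.2.0/24"),
    group("Bogon", False, "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4", "240.0.0.0/4"),
    group("CnC", False, "203.0.113.0/24"),
    group("Tor", False, "198.51.100.7/32"),
]


def is_inside(ip: str, groups=HOST_GROUPS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in n for g in groups if g.inside for n in g.networks)


def host_groups(ip: str, groups=HOST_GROUPS) -> List[str]:
    """Groups containing ip, most specific (fewest addresses) first. An outside
    host matching no group falls into the catch-all 'Outside Hosts'."""
    addr = ipaddress.ip_address(ip)
    matches = []
    for g in groups:
        hits = [n for n in g.networks if addr in n]   # False across IP versions
        if hits:
            matches.append((min(n.num_addresses for n in hits), g.name))
    if not matches:
        return ["Outside Hosts"]
    return [name for _, name in sorted(matches)]


@dataclass
class Policy:
    name: str
    level: str   # "host", "role" or "default"


def effective_policy(ip: str, host_policies: Dict[str, str],
                     role_policies: Dict[str, str], groups=HOST_GROUPS) -> Policy:
    """Precedence: host policy > role policy (host group / IP range) > default,
    with separate defaults for Inside and Outside hosts."""
    if ip in host_policies:
        return Policy(host_policies[ip], "host")
    for name in host_groups(ip, groups):      # most specific group wins
        if name in role_policies:
            return Policy(role_policies[name], "role")
    return Policy("Default Inside" if is_inside(ip, groups) else "Default Outside", "default")


# Constructed policy assignments.
HOST_POLICIES = {"10.1.2.3": "Critical Web Server"}
ROLE_POLICIES = {"Web Servers": "Web Server Role", "CnC": "Command and Control"}

if __name__ == "__main__":
    for ip in ("10.1.2.3", "10.1.2.4", "10.1.7.7", "203.0.113.9", "8.8.8.8"):
        print(ip, host_groups(ip), effective_policy(ip, HOST_POLICIES, ROLE_POLICIES))
```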
Encrypted traffic analytics
- anomaly-based detection
- detects TLS certificates and servers associated with malicious domains (e.g. CnC)
- uses initial data packet (IDP), sequence of packet lengths and times (SPLT) and global risk map
- types
- malware detection (ETA-MD)
- requires CTA connectivity
- inside → outside direction
- compliance audit (ETA-CA)
- weak ciphers, old TLS
- no connectivity to CTA required
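What ETA-CA extracts from the initial data packet, as an added example (not Cisco's ETA implementation): parse the ClientHello of a TLS session for the protocol versions and cipher suites the client offers, then flag old TLS and weak suites. Version and cipher-suite code points are the real IANA values; the "weak" list and the TLS 1.2 floor are this example's policy, and the two ClientHellos are constructed with the builder in the block.

```python
from typing import List, Sequence, Tuple

# Real TLS code points (IANA registry). Which suites count as weak and the
# minimum acceptable version are the policy of this example, not ETA-CA's rules.
TLS_VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
WEAK_SUITES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
}
MIN_VERSION = 0x0303            # anything older than TLS 1.2 is flagged
SUPPORTED_VERSIONS_EXT = 0x002B


def build_client_hello(legacy_version: int, suites: Sequence[int],
                       supported_versions: Sequence[int] = ()) -> bytes:
    """Minimal TLS record carrying a ClientHello (random and session id zeroed)."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = legacy_version.to_bytes(2, "big") + bytes(32) + b"\x00"
    body += len(cs).to_bytes(2, "big") + cs + b"\x01\x00"     # one compression method: null
    exts = b""
    if supported_versions:
        vs = b"".join(v.to_bytes(2, "big") for v in supported_versions)
        data = bytes([len(vs)]) + vs
        exts += SUPPORTED_VERSIONS_EXT.to_bytes(2, "big") + len(data).to_bytes(2, "big") + data
    body += len(exts).to_bytes(2, "big") + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs    # record type 0x16 = handshake


def parse_client_hello(pkt: bytes) -> Tuple[List[int], List[int]]:
    """Return (versions offered, cipher suites offered) from the first packet of
    a TLS session. Versions come from supported_versions when present (TLS 1.3
    clients), otherwise from the legacy client_version field."""
    if pkt[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = pkt[5:5 + int.from_bytes(pkt[3:5], "big")]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    versions = [int.from_bytes(body[0:2], "big")]
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # compression_methods
    if pos + 2 <= len(body):                      # extensions block is optional
        ext_end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= ext_end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT and edata:
                versions = [int.from_bytes(edata[i:i + 2], "big")
                            for i in range(1, 1 + edata[0], 2)]
    return versions, suites


def audit(pkt: bytes) -> List[str]:
    """Compliance findings for one ClientHello: old versions and weak suites offered."""
    versions, suites = parse_client_hello(pkt)
    findings = [f"old protocol offered: {TLS_VERSIONS.get(v, hex(v))}"
                for v in versions if v < MIN_VERSION]
    findings += [f"weak cipher suite offered: {WEAK_SUITES[s]}" for s in suites if s in WEAK_SUITES]
    return findings


# Constructed samples: a legacy client (TLS 1.0, RC4 and 3DES) and a modern one.
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x000A, 0x002F])
MODERN_HELLO = build_client_hello(0x0303, [0x1301, 0x1302, 0xC02F],
                                  supported_versions=[0x0304, 0x0303])

if __name__ == "__main__":
    print("legacy:", audit(LEGACY_HELLO))
    print("modern:", audit(MODERN_HELLO))
```

The ClientHello only shows what the client offers; which suite and version were actually negotiated is in the ServerHello, so a complete audit parses both halves of the initial exchange.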