Design, Deploy and Troubleshoot Network Detection and Response
Secure Network Analytics
Agenda
• Introduction
• What are the core components
• Legacy and new Architecture
• Deployment Flow and Strategies
• Transitions
• Telemetry Ingest
• Conclusion
Introduction

Secure Network Analytics

Behavioral modeling
Behavioral analysis of every activity within the network to pinpoint anomalies

Data collection
Rich telemetry from the existing network infrastructure, including enhanced telemetry for encrypted traffic analytics

Cisco XDR
Extended Detection and Response with Cisco XDR. Advanced analytics extends local detections with global intelligence and integrations for accelerated response

Multilayered machine learning
Combination of supervised and unsupervised techniques to convict advanced threats with high fidelity

Endpoint Telemetry
Device and process insight with flow telemetry from Cisco Secure Client
Cisco Secure Network Analytics

Contextual network-wide visibility
Agentless, using existing network and cloud infrastructure, even in encrypted traffic

Predictive threat analytics
Combination of behavioral modeling, machine learning and global threat intelligence

Automated detection and response
High-fidelity alerts prioritized by threat severity with ability to conduct forensic analysis
Multi-telemetry ingest and visibility
(Diagram: Secure Network Analytics receives On-prem Network Telemetry from the data center network, from users on the on-premises network and from Campus/Branch; VPC and NSG flow logs from Public Clouds; Cisco Firewall Log Data; and Endpoint Data (NVM) from Remote Workers. An Admin console manages the deployment.)
Extensible Telemetry Ingest
(Diagram: telemetry sources feeding Secure Network Analytics (Network Telemetry) and the fields each contributes)
AnyConnect Secure Mobility Client: Process name, Process hash, Process account, Parent process name, Parent process hash, OS Version, Connected interface, …
Identity Services Engine: Username, MAC Address, TrustSec Groups, OS Type
AHGA/ADC* Proxy Integration*, Secure Web Appliance, Other Web Proxies: HTTP(S) Requests, HTTP(S) Responses, HTTP(S) URL, Custom HTTP(S) Headers, Username
ETA Capable Devices: TLS Version, Key Exchange, Authentication Alg., MAC
Secure Firewall: Flow Action, Translated Port/IP, SYSLOG, Connections, Malware events, File events, Hardware events
Flow Sensor: L7 Application, HTTP Requests, HTTP Responses, SRT/RTT, TCP Flags, Payload
NetFlow Enabled Devices (NetFlow, IPFIX): SRC/DST IP Address, SRC/DST Port, Bytes/Pkts Sent, Bytes/Pkts Received, …
IPAM DB: Host Groups
Threat Intel
VPC & NSG flow log transformation via CTB
If You Fail to Plan, You Are Planning to Fail

Core Components: Old Architecture
Secure Network Analytics Component Icons
(Diagram of the legacy architecture: NetFlow enabled routers, switches and firewalls export NetFlow and ETA enhanced NetFlow (flow data with ETA Fields); a Flow Sensor, or a Flow Sensor VE on a hypervisor, covers non-NetFlow enabled equipment; proxy data is also ingested. All telemetry passes through the UDP Director to the Flow Collector, with a copy to Additional Traffic Analysis Software (SIEM: Splunk). The Manager holds the Threat Intelligence License, which provides global threat alerts and telemetry for encrypted traffic analytics (ETA). Cloud-based machine learning is End of Life.)
Secure Network Analytics components

Manager (SMC VE (Virtual Edition), SMC 2210)
• SMC for Management and Configuration supports:
  • Up to 25 Flow Collectors
  • 10000 Network Access User sessions
  • 15 concurrent managing users
• Scale up to 6 Million FPS in one deployment

Flow Collector (Flow Collector VE, FC 4210/FC 5210)
• Flow Collector is the center of Data Collection and Analytics.
• Up to 25 FC per deployment
• Up to 240 000 FPS per FC
• Up to 6TB of Flow Storage
• Up to 1 Million Hosts Classified
• Up to 4000 Data Sources per FC

Flow Sensor (Flow Sensor VE, FS1210/FS3210/FS4210)
• Ingest SPAN to generate telemetry and contextual data.
• Up to 80Gbps per FS, Copper and Fiber interfaces supported
• 1Gb, 10Gb and 40Gb monitor interfaces
UDP Director (UDP Director VE (Virtual edition), UDPD 2210)
Replicates UDP traffic and generates NetFlow from SPAN traffic supporting:
• 1Gbps/10Gbps interfaces
• Up to 150,000 pps
Allows NetFlow, SYSLOG and SNMP data to be sent transparently to multiple collection points
Provides additional flexibility and ease of deployment
(Diagram: NetFlow enabled routers, switches and firewalls send NetFlow through the UDP Director to the Flow Collector; the Secure Network Analytics manager provides telemetry for encrypted traffic analytics (ETA). The UDP Director is marked NOT FOR SALE.)
Required core components

Secure Network Analytics manager
• A physical or virtual appliance that aggregates, organizes, and presents analysis from flow collectors
• Central management for all Secure Network Analytics devices
• User interface to Secure Network Analytics
• Maximum 2 per deployment

Flow collector (FC)
• A physical or virtual appliance that aggregates, normalizes and analyzes telemetry and application data collected from exporters such as routers, switches, and firewalls
• High performance NetFlow/sFlow/IPFIX collector
• Maximum 25 per deployment

Flow rate license
• Collection, management, and analysis of telemetry by Secure Network Analytics
• The flow rate license is simply determined by the number/type of switches, routers, firewalls and probes present on the network
• FPS estimation Tool: https://apps.cisco.com/cfgon/public/app/lancope/fpsestimator.jsp#/add-items
Core Components: New Architecture
(Diagram: NetFlow enabled routers, switches and firewalls export NetFlow and ETA enhanced NetFlow (flow data with ETA Fields); a Flow Sensor, or a Flow Sensor VE on a hypervisor, covers non-NetFlow enabled equipment; proxy data is also ingested. Telemetry passes through the Telemetry Broker to the Flow Collector, with copies to Additional Telemetry Destinations (SIEM: Splunk). The Flow Collector writes to the Data Store; VPC flow logs enter through the broker. The Manager holds the Threat Intelligence License, which provides global threat alerts and telemetry for encrypted traffic analytics (ETA). Cloud-based machine learning is End of Life.)
Secure Network Analytics Data Store Component & CTB
Data Store: Required core components

Secure Network Analytics manager
• A physical or virtual appliance that aggregates, organizes, and presents analysis from flow collectors
• Central management for all Secure Network Analytics devices
• User interface to Secure Network Analytics
• Maximum 2 per deployment

Flow collector (FC)
• A physical or virtual appliance that aggregates, normalizes and analyzes telemetry and application data collected from exporters such as routers, switches, and firewalls
• High performance NetFlow/sFlow/IPFIX collector
• Maximum 25 per deployment

Data Store (DS)
• A physical or virtual appliance that stores data in a scalable, resilient way.
• Maximum 12 per deployment (36 nodes)

Flow rate license
• Collection, management, and analysis of telemetry by Secure Network Analytics
• The flow rate license is simply determined by the number/type of switches, routers, firewalls and probes present on the network
• FPS estimation Tool: https://apps.cisco.com/cfgon/public/app/lancope/fpsestimator.jsp#/add-items

Secure Network Analytics Deployment
Deploy

Deployment Order
(Diagram listing the appliances in deployment order: Manager (SMC), Flow Collector, Data Store and Flow Sensor)
Virtual Edition Resources: SMC, FC with no Data Store
(Table: RESERVED RESOURCES)

Virtual Edition Resources: FC with Data Store, Single Data Store
(Table: RESERVED RESOURCES)
Deployment Requirements
• IP addresses for appliances to be deployed
• DNS Server IP(s)
• NTP Server IP(s)
• SMTP relay (if needed)
• Internal IP ranges in use/to be monitored
Only for Data Store, per node:
• Non-routable IP Address from the 169.254.42.0/24 range
Device Information: Communication Ports (NOT a full list)

From (Client)        To (Server)            Port        Protocol
Admin User PC        All appliances         TCP/443     HTTPS
Admin User PC        All appliances         TCP/22      SSH
All appliances       Network time source    UDP/123     NTP
Flow Collector       SMC                    TCP/443     HTTPS
Manager              Flow Collector         TCP/443     HTTPS
Manager              Flow Sensor            TCP/443     HTTPS
Manager              Internet               TCP/443     HTTPS
Manager              DNS                    UDP/53      DNS
Flow Sensor          SMC                    TCP/443     HTTPS
Flow Sensor          Flow Collector         UDP/2055    NetFlow
NetFlow Exporters    Flow Collector         UDP/2055*   NetFlow

NOT a full list of ports
Deployment Steps

First Time Setup (Console)
• Interface SFP or BaseT Selection
• IP address / Subnet Configuration
• For Data Node: 2nd IP, non-routable
• For FC: Telemetry Selection and UDP Port Definition
• Password Change

Appliance Setup Tool (http://IPaddress)
• IP address / Subnet Configuration Verification
• SNA Domain and Type (DS or not)
• DNS and NTP

Reboot is common between steps
Removed in 7.5 (fewer restarts)

Centralized Management

Connect with the Manager
• Connecting to the Manager
• Will also use the AST (Appliance Setup Tool) (From FST in 7.5)
• After the AST reboot
• Devices connected
• Data Store not initialized

Initialize the Data Store
• Go back to the Central Manager console
• Initialize the Data Store
Smart Licensing Deployment Options

Direct
• Cisco product sends usage information directly over the internet. No additional components are needed.

On-Prem
• Cisco products send usage information to a locally installed appliance.
• Periodically, exchange information with Cisco to ensure license usage is accurate.
• This synchronization can occur automatically in connected environments or manually in disconnected environments.

Offline (not recommended)
• Use copy/paste information between product and Cisco.com to manually check in and out licenses.
• Functionally equivalent to older node locking, but with Smart License tracking.
Licensing Notes
• After the 90-day evaluation period ends the system will stop processing new flows
  • Still functional with historical data, but new flow data will not be processed
  • This is the ONLY hard enforcement used in Smart Licensing
• After a system is registered and the associated licensing periods expire or are exceeded there is no hard enforcement
  • The system will display banners informing users they are out of compliance, but the system will still process flow

Flow estimation
• It is an estimated value unless you do a PoV
• FPS license is based on the 95th percentile: for 95% of the time the actual FPS is AT or BELOW the stated amount
• For every 1000 fps per day you need 1 GB storage at the Flow Collector
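The sizing rules above (95th-percentile FPS for the license, 1 GB of Flow Collector storage per day for every 1000 fps, and the per-FC limits of 240 000 FPS and 6 TB from the components slide) can be combined into a small sizing check. The following is an added example, not Cisco's FPS estimator; it assumes the nearest-rank percentile method and takes 6 TB as 6000 GB, and the FPS readings are constructed.

```python
"""Size a Flow Collector deployment from sampled flow rates.

Added example, not Cisco's FPS estimator. It applies three rules stated on the
slides: the FPS license is the 95th percentile of the observed rate, each 1000 fps
needs 1 GB of Flow Collector storage per day, and a Flow Collector handles up to
240 000 FPS with up to 6 TB of flow storage. Nearest-rank percentile and
6 TB = 6000 GB are assumptions made here.
"""
import math

FPS_PER_COLLECTOR = 240_000        # per-FC ceiling from the components slide
STORAGE_PER_COLLECTOR_GB = 6_000   # 6 TB, taken as 6000 GB (assumption)
GB_PER_1000_FPS_PER_DAY = 1.0      # slide: 1 GB per day for every 1000 fps


def nearest_rank_percentile(samples, pct=95.0):
    """pct-th percentile by the nearest-rank method: the smallest sample such that
    at least pct% of samples are at or below it (matches the licence wording)."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    rank = max(1, math.ceil(pct * len(ordered) / 100.0))
    return ordered[rank - 1]


def share_at_or_below(samples, limit):
    """Fraction of samples at or below `limit`; >= 0.95 means the licensed level holds."""
    return sum(1 for s in samples if s <= limit) / len(samples)


def size_deployment(fps_samples, retention_days):
    """Return licence FPS, total storage and the FC count needed for rate and for storage."""
    licensed_fps = nearest_rank_percentile(fps_samples, 95.0)
    storage_gb = licensed_fps / 1000.0 * GB_PER_1000_FPS_PER_DAY * retention_days
    fcs_for_rate = math.ceil(licensed_fps / FPS_PER_COLLECTOR)
    fcs_for_storage = math.ceil(storage_gb / STORAGE_PER_COLLECTOR_GB)
    return {
        "licensed_fps": licensed_fps,
        "storage_gb": storage_gb,
        "fcs_for_rate": fcs_for_rate,
        "fcs_for_storage": fcs_for_storage,
        # When storage, not rate, drives the FC count, a Data Store or a shorter
        # retention is the more economical answer than more collectors.
        "storage_bound": fcs_for_storage > fcs_for_rate,
    }


# Constructed sample: 20 five-minute FPS readings, two of them peaks.
SAMPLE_FPS = [100_000] * 18 + [150_000, 200_000]

if __name__ == "__main__":
    result = size_deployment(SAMPLE_FPS, retention_days=90)
    print(result)
    print("share at or below licence:", share_at_or_below(SAMPLE_FPS, result["licensed_fps"]))
```

With the constructed readings the licence level lands on 150 000 FPS (the single 200 000 peak sits in the top 5% and does not raise it), and 90 days of retention needs 13 500 GB: one collector covers the rate but storage would need three, which is exactly the case the Data Store section addresses.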
The Data Store

What is the Data Store
• The Data Store is a new and improved database architecture design for SNA
• Each individual Data Store appliance will include a 3-Node database cluster
• Flow ingest by Flow Collectors is separated from data storage
• This distributed design enables scalable and resilient data storage, providing retention times of over a year
• Queries are handled by the Data Store, effectively increasing performance across all metrics by a significant magnitude
(Diagram: Management Console, 1 or more Flow Collectors, 3 or more Data Nodes)
With and Without the Data Store (1M FPS/90 days storage)

Current Customer Deployment: Flow Collectors (FC5210 Engine with FC5210 Data Base)
• 16 total nodes: 8 data nodes + 8 Flow Collectors (FC)
• Coupled Data collection & storage

New Data Store Deployment: Flow Collectors (FC4210) with Data Nodes
• 10 total nodes: 6 data nodes + 4 FC
• Independent data collection & storage
• Efficient and optimized data storage
Data Resiliency
In addition to extending retention time, the Data Store also introduces enterprise-class data resiliency
• Telemetry data is stored redundantly across nodes to allow for seamless availability during single node failures
• Seamless availability for Data Store deployments
(Diagram: Management Console, 1 or more Flow Collectors, 3 or more Data Nodes numbered 1 to 6)
Data Store Performance

Top Reports     Non-DS        Data Store
Applications    5hr 47min     21min
Hosts           29hr 36min    19min
Ports           9hr 53min     19min
Protocols       6hr 50min     28min
Services        6hr 2min      20min

• Large Enterprise traffic, ran for 3 days at 150,000 fps into two hardware testbeds:
  • FC5210 (Non-Data Store)
  • 3-Node Data Store with a FC4210
• After 3 days, 19.4 Billion flows were written to each testbed
Data Store Deployment

Single Switch Architecture

Two Switch Architecture
• eth2 or eth3 can be used for internode communications
• Must be 169.254.42.x/24
• Provides resiliency for switch failure using port channels and interconnected trunk ports
• Uses both eth2 and eth3 for port channel
Data Store Evolution
• 7.3.0: Data Store on HW Data Nodes is introduced
• 7.3.1: Virtual Data Nodes were added, enabling virtual deployment
• 7.3.2: Added new telemetry types, Firewall logs and Remote worker visibility, all NVM fields
• 7.4.0: Virtual Manager and Flow Collector(s) and a physical Data Store; Support added for ASA firewall logs
• 7.4.1: Expand to Data Store; Single Node; Multi-Telemetry; New Analytics
• 7.4.2: Transition to Data Store (existing customers can transition to Data Store); Geo-Redundancy (new peer site design); M6 HW Support (SFP Interfaces)
The single node Data Store
• Single node Data Stores can be either virtual or physical appliances
• Supports up to 4 Flow Collectors
• Easily expands to a full 3 node cluster, which now supports N+1 horizontal scaling
• Note: A Data Store must consist of homogeneous data nodes, either all virtual or all physical appliances
(Diagram: Data Store with a Single Data Node, virtual or physical; expand/scale as needed with FCs)
Single node virtual Data Store scales to 225K FPS
Single node physical Data Store scales to 500K FPS
Demo: Data Store

Redundancy

Redundancy – High Level Design – Non-Data Store
(Diagram: Exporters send NetFlow/IPFIX (UDP 2055) to a VIP in front of a Broker Primary (active) and a Broker Secondary (passive), which forward to an FC Primary (active) and an FC Secondary (active). An FS Primary (active) and an FS Secondary (active) receive SPAN. An SMC Primary (active) and an SMC Secondary (active) communicate over HTTPS, with a heartbeat signal sent over the network. The active/passive broker pair is marked as the actual redundancy.)
Redundancy – Notes – Non Data Store
• SMC redundancy follows active – active (but no change)
• Flow Collector redundancy is active – active and done by design
• Flow Collector redundancy requires double licensing
• CTB helps in achieving flow collection redundancy
• Flow Sensor redundancy is active – active
Resilient central storage for multi-geo ingestion
• Flow Collector consolidates redundant flow data into context-rich bi-flow records
• Highly efficient compression minimizes WAN impact when backhauling telemetry data
• Telemetry data is stored redundantly across data nodes to help ensure data availability even during a data node failure
• Redundant inter-connection switches help to ensure the Data Store stays in operation during network upgrades and unplanned outages
Redundancy – New Architecture
Requirement: Geographical redundancy while minimizing footprint
Solution: Peer Sites
• Primary deployment is associated to a peer site where configurations are sync'd
• Both sites run and operate independently, allowing great flexibility to meet customer operational requirements
• Site telemetry is sent to both primary and peer sites.
• Primary site can be robust HW appliances where the peer site is a smaller virtual deployment, reducing OPEX
• Peer sites are based on an Active/Standby Managers design, and it is supported within peer sites for large Enterprises demanding full redundancy
What are the gotchas?
• Java/Swing client is not supported with Data Store
  • BU is actively working to close reporting and data visibility gaps
• Peer Site sync is manual
• 3+ DC designs are not supported today
  • BU: Investigating extending peer site for this purpose
• Multiple Data Stores are not supported by a single Manager
• Converged Analytics cannot support multiple domains; it runs on one domain at a time
Cisco Telemetry Broker
(Diagram: Telemetry Sources on the left, CTB in the middle, Telemetry Destinations on the right)
Telemetry Sources: NetFlow / sFlow, Syslog, VPC Flow Logs, SNMP Trap, Application Sources, Endpoint (NVM), …and more. Sources = Network, Application, or Cloud provider points of telemetry egress.
CTB: Distributed Nodes; Broker, Transform, Filter, Anonymize; API
Telemetry Destinations: Cisco Secure Network Analytics; Storage (Archival, Audit); 3rd Party Cloud Services (SIEM/Datadog/ServiceNow); 3rd Party On-Prem (Home grown Data Lakes, Live Action, SevOne); Cisco Cloud Services (Secure Cloud Analytics, CDO, SecureX, SSE*); Cisco On-Prem Platforms (DNA Center, Secure Workload)
*integrations under investigation
Cisco Telemetry Broker Democratizes Telemetry Data

Brokering
• Replicate Telemetry: Quickly enable PoV/onboarding of non-incumbent tools
• Route Telemetry: Let teams run the tools of their choice without deploying new agents/collectors
• Control Costs: Only index high value data
• Compliance: Keep low value data in low-cost storage
• The ability to route and replicate telemetry data from multiple source locations to multiple destinations

Transforming
• The ability to transform data protocols from the source to the destination's protocol of choice
• Legacy protocol to Modern tool: Increased visibility of legacy sources
• Modern protocol to Legacy tool: Increased visibility into modern sources

Filtering
• Filter to Drop and Segment
• The ability to filter data being replicated to enable fine grain control over what destinations ingest and analyze
Components of the Telemetry Broker
• CTB Manager node:
  • Only one manager is deployed and can manage multiple Broker nodes*
  • Maintains the policy/rules for the broker nodes enabling central management from one view
  • If the manager goes down, broker nodes continue to process telemetry
  • Backup configurations are created for recovery
• CTB Broker node:
  • Where the telemetry brokering work occurs
  • Can be deployed closest to telemetry sources
(Diagram: one Manager on the Management Network and several Broker Nodes on the Monitoring Network)
*A single Manager supports up to 10 Broker nodes
Minimum requirements for a Cisco Telemetry Broker Node:
• CPU: 2 cores (1 Gbps) or 5 cores (10 Gbps)
• Memory: 4 GB (1 Gbps) or 8 GB (10 Gbps)
• Storage: 20GB

Minimum requirements for a Cisco Telemetry Broker Manager:
• CPU: 2 cores
• Memory: 8 GB
• Storage: 50GB

Cisco Telemetry Broker can also be deployed on a UCS server! Versions 6.7 or 6.5
**See notes for more details: https://cs.co/telemetrybroker

Hardware broker node
• Supports 300k FPS, capable of uploading to Cisco XDR
• Dedicated 10GB Management and Monitoring interfaces
• 16 x 16 GB DDR4 3200 memory
• 6 x 600GB 10K RPM RAID6 (data), 2 x 240GB M.2 RAID1 (OS) storage
• 2 x AMD EPYC 7313 16C/32T @ 3.0GHz (boost 3.7GHz) processors
High Availability
• HA Configurations are supported for Cisco Telemetry Broker
• Simply scale more brokering nodes to provide for resiliency
• HA Broker nodes will operate in standby mode until their associated active node goes down
• Broker nodes can be geo-distributed with the manager centralized
• Broker nodes operating in standby mode will not process any telemetry and will not incur any additional licensing cost
(Diagram: one Manager (M) with several Broker nodes (B))
Transitions

Migrating from a UDPD
• Cisco Telemetry Broker improves upon the successful feature set of the UDP Director
  - CTB improves performance, simplicity, and offers new feature functionality
• Cisco Telemetry Broker can use an existing configuration file from UDPD to seamlessly integrate existing forwarding rules
• Device architectures are different
  - Account for the addition of Brokering Nodes in an existing design
  - Account for new licensing model
(Diagram: the UDP Director does brokering only, forwarding to Secure Network Analytics, a SIEM and Cisco DNA Center. CTB adds filtering and transforming: IPFIX to Secure Network Analytics, the SIEM and Cisco DNA Center; logs to cheap storage; VPC flow logs transformed to IPFIX for Secure Network Analytics.)
Data Store Transition
No need for forklift upgrades to achieve success!
• Upgrade Software
• 2 Hardware generations supported: 4K and 5K
• Re-use Managers, Flow Collectors and Flow Sensors
No other vendor in the market supports this model
Transitioning to Data Store

Today: FC (engine and DB on the same appliance)

Transition State
• Data Store is added to the existing deployment
• Upgrade existing FC (engine) to send new telemetry to the Data Store
• The FC (DB) will stay in existing format
• Manager communicates with the Data Store to run reports and flow searches for recently ingested telemetry
• Manager queries FC (DB) for older reports and searches

End State
• After FC (DB) retention time has expired, the DB portion is decommissioned
• SMC no longer queries FC (DB)
• For virtual FC, and FC42xx/FC43xx, FC (DB) resources are returned to the system to optimize FC performance (up to three times faster)
• Not the 5K DB Node
• FC 4210 DDS, FC 5210 DDS, FC 4200 DDS, FC 5200 DDS
Transition Steps
Setup, Initiate Transition, Monitor Transition, Complete Transition

• From the Manager web UI
  - Step 1: Create a Data Store domain
  - Step 2: Setup sync between non-Data Store domain and Data Store domain
  - Step 3: Sync the domains
• From the Manager CLI (SystemConfig as root)
  - Step 4: Add the data node(s) to Central Manager
  - Step 5: Enable SSH on the Data Store
  - Step 6: Initialize the Data Store
  - Step 7: Pick the flow collector and domain for transitioning
  - Step 8: Acknowledge the flow collector transition
• From the Manager web UI
  - Central Manager > Inventory tab will show a transition flag (Data Store Transition) next to the flow collector
  - Central Manager > Data Store tab will show "Oldest Record (days ago)" for NetFlow, NVM and Firewall logs.
  - Once there are 30 days for each, the transition can be completed
• From the Manager CLI (SystemConfig as root)
  - Step 9: Select Data Store, then Complete Transition, and then the flow collector to transition
  - Step 10: Acknowledge to complete the transition (note all old data on the flow collector will be deleted)
Telemetry Ingest and Analytics

Multi-telemetry ingest and visibility
(Diagram repeated from the Introduction: On-prem Network Telemetry from the data center network, users and Campus/Branch; VPC and NSG flow logs from Public Clouds; Cisco Firewall Log Data; Endpoint Data (NVM) from Remote Workers)
Netflow Required Fields
The fields that SNA requires to ingest flow are:

Field                  NetFlow Element ID   Configuration Example                 Required Field?
NF_F_PROTOCOL          4                    match ipv4 protocol                   Yes, Key Field
NF_F_SRC_ADDR_IPV4     8                    match ipv4 source address             Yes, Key Field
NF_F_DST_ADDR_IPV4     12                   match ipv4 destination address        Yes, Key Field
NF_F_L4_SRC_PORT       7                    match transport source-port           Yes, Key Field
NF_F_L4_DST_PORT       11                   match transport destination-port      Yes, Key Field
INPUT_SNMP             10                   match interface input                 Yes, Key Field
SRC_TOS                5                    match ipv4 tos                        Yes, Key Field
OUTPUT_SNMP            14                   collect interface output              Yes, Key Field
NF_F_IN_BYTES          1                    collect counter bytes                 Yes, Key Field
NF_F_IN_PKTS           2                    collect counter packets               Yes, Key Field
NF_F_LAST_SWITCHED     21                   collect timestamp sys-uptime first    Required; for calculating duration
NF_F_FIRST_SWITCHED    22                   collect timestamp sys-uptime last     Required; for calculating duration
NF_F_TCP_FLAGS

ETA Fields
44940   ipv4 idp    This is Initial Data Packet; used for crypto audit
44941   ipv4 splt   SPLT - Sequence of Packet Lengths and Times; malware detection
44944               ETA Byte Distribution; malware detection

NBAR Data
12235   match application name   NBAR application data
45003   match application name   NBAR application data

Additional Fields
initiatorOctets   231   collect connection initiator   This field is useful to determine the flow initiator
natEvent          230                                  Without this field we cannot get firewall events for the flow (denied, accepted, etc)
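A practical way to use the table above is to check an exporter's template before pointing it at a Flow Collector: parse the NetFlow v9 template FlowSet the device sends and compare its element IDs against the required list. The following is an added example, not Cisco code; the element IDs and names are the ones in the table, the parser follows the NetFlow v9 packet layout (20-byte header, FlowSet ID 0 for templates), and the sample packet is constructed inline with placeholder element lengths.

```python
"""Check a NetFlow v9 template against the fields Secure Network Analytics requires.

Added example, not Cisco code. Element IDs and names come from the slide's
"Netflow Required Fields" table; the packet parser follows the NetFlow v9
layout (20-byte header, FlowSet ID 0 = template FlowSet). The sample packet is
constructed inline; its per-element lengths are placeholders.
"""
import struct

# Key fields that must be present (element ID -> name), per the slide table.
REQUIRED_KEY_FIELDS = {
    4: "NF_F_PROTOCOL", 8: "NF_F_SRC_ADDR_IPV4", 12: "NF_F_DST_ADDR_IPV4",
    7: "NF_F_L4_SRC_PORT", 11: "NF_F_L4_DST_PORT", 10: "INPUT_SNMP",
    5: "SRC_TOS", 14: "OUTPUT_SNMP", 1: "NF_F_IN_BYTES", 2: "NF_F_IN_PKTS",
}
# Required for duration calculation.
REQUIRED_DURATION_FIELDS = {21: "NF_F_LAST_SWITCHED", 22: "NF_F_FIRST_SWITCHED"}
# Optional enrichment listed on the slide (ETA, NBAR, initiator, NAT event).
OPTIONAL_FIELDS = {
    44940: "ETA idp", 44941: "ETA splt", 44944: "ETA byte distribution",
    12235: "NBAR application name", 45003: "NBAR application name",
    231: "initiatorOctets", 230: "natEvent",
}

V9_HEADER = struct.Struct("!HHIIII")  # version, count, sysUptime, unixSecs, seq, sourceId


def parse_v9_templates(packet: bytes) -> dict:
    """Return {template_id: [element_id, ...]} for every template FlowSet in a v9 packet.
    Data FlowSets (ID >= 256) are skipped; options templates (FlowSet ID 1) are not handled."""
    if len(packet) < V9_HEADER.size:
        raise ValueError("packet shorter than a v9 header")
    version = V9_HEADER.unpack_from(packet, 0)[0]
    if version != 9:
        raise ValueError(f"not a NetFlow v9 packet (version {version})")
    templates = {}
    offset = V9_HEADER.size
    while offset + 4 <= len(packet):
        flowset_id, flowset_len = struct.unpack_from("!HH", packet, offset)
        if flowset_len < 4 or offset + flowset_len > len(packet):
            raise ValueError("malformed FlowSet length")
        end = offset + flowset_len
        if flowset_id == 0:  # template FlowSet; may carry several template records
            pos = offset + 4
            while pos + 4 <= end:
                template_id, field_count = struct.unpack_from("!HH", packet, pos)
                if template_id == 0 and field_count == 0:
                    break  # zero padding at the end of the FlowSet
                pos += 4
                if pos + 4 * field_count > end:
                    raise ValueError("template record truncated")
                templates[template_id] = [
                    struct.unpack_from("!HH", packet, pos + 4 * i)[0] for i in range(field_count)
                ]
                pos += 4 * field_count
        offset = end
    return templates


def check_template(element_ids) -> dict:
    """Report which required fields are missing and which optional ones are present."""
    present = set(element_ids)
    return {
        "missing_key_fields": sorted(n for i, n in REQUIRED_KEY_FIELDS.items() if i not in present),
        "missing_duration_fields": sorted(n for i, n in REQUIRED_DURATION_FIELDS.items() if i not in present),
        "optional_present": sorted({n for i, n in OPTIONAL_FIELDS.items() if i in present}),
    }


def build_v9_template_packet(template_id: int, element_ids) -> bytes:
    """Constructed sample packet carrying one template FlowSet (element lengths are placeholders)."""
    body = struct.pack("!HH", template_id, len(element_ids))
    body += b"".join(struct.pack("!HH", eid, 4) for eid in element_ids)
    flowset = struct.pack("!HH", 0, 4 + len(body)) + body
    return V9_HEADER.pack(9, 1, 0, 0, 0, 0) + flowset


# Constructed exporter template that forgot SRC_TOS and OUTPUT_SNMP.
SAMPLE_PACKET = build_v9_template_packet(256, [4, 8, 12, 7, 11, 10, 1, 2, 21, 22, 231])

if __name__ == "__main__":
    for tid, fields in parse_v9_templates(SAMPLE_PACKET).items():
        print(tid, check_template(fields))
```

Captured template packets (for instance from a packet capture on the collector's UDP/2055 port) can be fed to `parse_v9_templates` in place of the constructed one; a non-empty `missing_key_fields` list means the exporter's flow record configuration needs the corresponding `match`/`collect` statement from the table.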
VPC Flow Logs to IPFIX
(Diagram: Flow Logs from the public cloud are transformed to IPFIX and delivered to Secure Network Analytics alongside NetFlow/IPFIX from On-Prem Networks)
• Cloud Flow Logs from AWS and Azure provide insight into the activities of hosts residing within cloud environments
• Metadata from Flow Logs centers around the network activity, similar to IPFIX/NetFlow
  - There are 25 total fields provided in Flow Logs
  - Fields provide insight to network metadata as well as metadata associated with the VPC/NSG
• CTB pulls Flow Logs from AWS S3 buckets and Azure BLOB storage via secure HTTPS connections and transforms the telemetry to IPFIX
  - Once the VPC flow is transformed it is then forwarded to consumers
Complete and continuous remote worker visibility
The Cisco Secure Client (AnyConnect Secure Mobility Client) caches all network traffic telemetry records, even when users are not using a VPN
• On-network flows (collected when VPN connected) – real time
  • When the user connects to the VPN all stored NVM flow data is sent to the Flow Collector
  • Can be configured for burst or chunks and adjustable cache size
  • Detections are carried out on the NVM flows (Behavioral, Custom Security Events and Converged Analytics)
  • Note: a flow search does not show NVM specific fields
• Off-network flows (collected when VPN not connected) – cached, late arriving
  • Can view the historical NVM flow data using the NVM endpoint traffic reports in Report Builder
  • No detections are applied to off-network traffic
Flow Collector settings: nvm_to_flow_cache, nvm_filter_untrusted_flow
No Endpoint VM since 7.3
Recap of all NVM telemetry records retained
(User Endpoints with AnyConnect Secure Mobility Client send NVM Telemetry to the Flow Collector and the Data Store)
NVM Telemetry groups: Session, Interface, User, OS, Process
Fields: Start Time*, End Time*, Source IP*, Source Port*, Destination IP*, Destination Port*, Bytes Sent*, Bytes Received*, Packet Count* (derived), Protocol*, Interface Info UID, Interface Index, Interface Type, Interface Name, Interface Details List, Interface Mac Addr., UDID, User, User Account Type, Agent Version, Virtual Station Name, OS Name, OS Version, OS Edition, System Manufacturer, System Type, Process Account*, Process Account Type, Process ID, Process Name*, Process Hash*, Process Path, Process Args, Parent Process ID, Parent Process Account, Parent Process Name*, Parent Process Hash*, Parent Process Path, Parent Process Args, Host Name, DNS Suffix, Module Name List, Module Hash List
* NVM telemetry records available within non-Data Store deployments
Store Cisco Firewall logs on premise with Data Store
• Cross launch from FMC with context into the Secure Analytics and Logging dashboard
• Make data available to FMC via APIs for supporting remote query
• 100,000k eps (8.65 Bn/day) support for 30+ days using full data store architecture

FMC pivots directly to the Data Store with enhanced context
• Contextual pivots from Firepower Management Center to the event viewer optimize SecOps workflows by automatically filtering on events of interest
• Remote Query API does not support ASA Events
Intelligent viewer provides access to all Firewall data
• Select custom timeframes going back across any retention time
• Filter exclusively on Security Events and use per-column filters to quickly isolate data of interest
• Create custom views to tailor content based on columns shown
• Use Summary to identify trends and outliers
• Export any view to CSV for archiving or to further forensic investigations
Secure Network Analytics detection architecture
(Diagram: NetFlow Devices, Secure Firewall and Secure Client (VPN and Split Tunnel) feed the Flow Collector; the Flow Collector writes to the Data Store; the Manager sends promoted events to Cisco XDR)
• NetFlow and connection logs carry SRC/DST IP Address, SRC/DST Port, Protocol, Bytes/Packets Sent, Bytes/Packets Received, …
• Secure Firewall provides IDS Events, Malware Events, LINA Events and Connection logs
• FC Analytics Engines produce Behavioral security events, Custom Security Events and Network Context based Detections; Converged Analytics adds MITRE ATT&CK mappings
• Remote worker off-network (NVM) and FW event logs are saved to the Data Store without analysis
• Firewall events can be sent to Cisco XDR from FMC in addition to being stored on-prem
• Firewall detections based on Firewall event context are planned (Will Change)
SNA Firewall Logs Detections
(Diagram: Secure Firewall sends IDS Events, Malware Events, LINA Events and Connection logs to the Flow Collector; Connection logs become flows that drive Behavioral security events and Custom Security Events; events are stored in the Data Store)
Ingest: Firewall Logs ingested on port 8514
Convert: Connection logs converted to flow
Detect: Apply behavioral and custom detections
• Flows converted from Firewall logs to NetFlow do not count against the FPS license. SAL is licensed per GB/Day already
• Firewall logs from a device should not be sent at the same time as NetFlow; that will create wrong byte counts.
• Now! SNA detections with a firewall only as a telemetry source (Connection End)
• Leverage Analytics to trigger Behavioral Alerts: Flow Denied Security Event in SNA triggered on traffic from Firewall Logs
• Customized Alerts with Custom Security Events
SNA Firewall logs to Detections Configurations

Configuration
• sal_enable = 1
• sal_to_flow_cache = 0 (default); set it to 1 to enable conversion
• sal_port = 8514 (default); ports should not overlap with the other ports, 2055 for NetFlow and 2030 for NVM

Troubleshooting
• /lancope/var/sw/today/logs/sw.log
05:00:02 S-per-t: Current sal_event, Input: 0, Decoded: 0, Output: 0, Ignored: 0, Dropped: 0, To_Flow: 0 this period
05:05:00 S-per-t: Current sal_event, Input: 3325, Decoded: 3325, Output: 3325, Ignored: 0, Dropped: 0, To_Flow: 1578 this period
05:10:00 S-per-t: Current sal_event, Input: 4411, Decoded: 4411, Output: 4411,
• No Pivots are available to FMC
• Not Available for DDS
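The periodic "S-per-t" counters in sw.log are the quickest way to tell whether firewall logs are arriving on sal_port and whether conversion to flow is happening. The following is an added example, not Cisco tooling: it parses lines in the format shown above (the sample excerpt is constructed, including one unrelated line) and reports the conditions an administrator would act on, using the sal_to_flow_cache setting from the configuration bullets to decide whether a zero To_Flow count is expected.

```python
"""Read the periodic sal_event counters from a Flow Collector sw.log and flag
firewall-log ingest problems.

Added example, not Cisco tooling. The line format follows the "S-per-t" lines
shown on the slide; the sample lines below are constructed. The expectation that
To_Flow is non-zero only when sal_to_flow_cache = 1 comes from the configuration
bullets, and the hint about Connection End events from the detections slide.
"""
import re

SAL_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) S-per-t: Current sal_event, "
    r"Input: (?P<input>\d+), Decoded: (?P<decoded>\d+), Output: (?P<output>\d+), "
    r"Ignored: (?P<ignored>\d+), Dropped: (?P<dropped>\d+), "
    r"To_Flow: (?P<to_flow>\d+) this period$"
)


def parse_sal_periods(lines):
    """Return one dict per matching S-per-t line; other log lines are skipped."""
    periods = []
    for line in lines:
        m = SAL_LINE.match(line.strip())
        if m:
            rec = {k: (v if k == "time" else int(v)) for k, v in m.groupdict().items()}
            periods.append(rec)
    return periods


def diagnose(periods, sal_to_flow_cache):
    """Map each period's timestamp to the list of findings for that period."""
    findings = {}
    for p in periods:
        notes = []
        if p["input"] == 0:
            notes.append("no firewall logs arriving on sal_port (check the exporter and port 8514)")
        if p["dropped"] > 0:
            notes.append("events dropped this period (collector overloaded or malformed records)")
        if p["decoded"] < p["input"]:
            notes.append("some events were not decoded (unexpected log format)")
        if sal_to_flow_cache and p["input"] > 0 and p["to_flow"] == 0:
            notes.append("conversion enabled but no flows produced (no Connection End events?)")
        if not sal_to_flow_cache and p["to_flow"] > 0:
            notes.append("flows produced although sal_to_flow_cache = 0; verify the setting")
        findings[p["time"]] = notes
    return findings


# Constructed sw.log excerpt following the slide's line format (third line is unrelated noise).
SAMPLE_LOG = """\
05:00:02 S-per-t: Current sal_event, Input: 0, Decoded: 0, Output: 0, Ignored: 0, Dropped: 0, To_Flow: 0 this period
05:05:00 S-per-t: Current sal_event, Input: 3325, Decoded: 3325, Output: 3325, Ignored: 0, Dropped: 0, To_Flow: 1578 this period
05:10:00 some unrelated sw.log line (constructed)
05:15:00 S-per-t: Current sal_event, Input: 4411, Decoded: 4400, Output: 4400, Ignored: 0, Dropped: 11, To_Flow: 0 this period
""".splitlines()

if __name__ == "__main__":
    for t, notes in diagnose(parse_sal_periods(SAMPLE_LOG), sal_to_flow_cache=1).items():
        print(t, notes or ["ok"])
```

Run it against a real file with `parse_sal_periods(open("/lancope/var/sw/today/logs/sw.log").readlines())` on the Flow Collector; the constructed excerpt yields a period with nothing arriving, a healthy period, and one with drops and undecoded events.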
NVM Detections
(Diagram: Secure Client (VPN and Split Tunnel) sends NVM to the Flow Collector; FC Analytics Engines produce Behavioral security events and Custom Security Events; data is stored in the Data Store)
• No conversion of NVM to flows required; the flows then go through the detection engine
• All detections from behavioral analytics can be applied, including data movement.
• Alert on Process Names and Hashes with CSEs in addition to all other detections
• One more way to deploy SNA without having to be restricted to network flow to get detections

NVM Detections Configurations
New Install
• nvm_enable = 1
• nvm_to_flow_cache = 0 (default)
• nvm_port = 2030 (default)
NVM flows can be seen in flow search and Report Builder when nvm_to_flow_cache is enabled
NVM flows can be seen only in Report Builder when nvm_to_flow_cache is not enabled
Troubleshooting
• /lancope/var/sw/today/logs/sw.log
• /lancope/var/logs/containers/svc-db-ingest.log
New Detections and Alerts in Converged Analytics
4 New Alerts from Secure Cloud Analytics
• LDAP Connection Spike
• Outbound LDAP Spike
• Protocol Forgery
• Repeated Umbrella Sinkhole Communications
2 New Observations from Secure Cloud Analytics
• ISE Session Started Observation
• Umbrella Sinkhole Hit Observation
Dynamically maps entities by role
Functional modeling and type based modeling
Roles include: Android, Citrix PVS server, Windows workstation, Mail server, Medical imaging client, Remote desktop server, DNS server, VoIP client, Apple iOS, Web server, Wireless LAN controller, Domain controller …over 50+ entity roles are supported!
• Automatic role classification available on a new report leveraging the new converged analytics capability
• Roles are available out of the box with no tuning and provide details about devices on the network for investigation
Device Report Traffic enhanced with automatic filters
• Select any time on the traffic statistics graph and see results dynamically filtered in the flow table
• Accelerates investigation of traffic anomalies
• Immediately correlates chart events with actual flows attributing to the event

Demo: NVM + Firewall Logs + Converged Analytics

Design: Where to get Telemetry

Where To Enable Telemetry?
(Diagram, as in the new architecture: NetFlow enabled routers, switches and firewalls export NetFlow and ETA enhanced NetFlow; a Flow Sensor, or a Flow Sensor VE on a hypervisor, covers non-NetFlow enabled equipment; proxy data and VPC flow logs enter through the Telemetry Broker, which feeds the Flow Collector and Additional Telemetry Destinations (SIEM: Splunk); the Flow Collector writes to the Data Store; the Manager provides telemetry for encrypted traffic analytics (ETA))
The more you enable the more you see
• Edge Devices at Campus / Edge Devices at Branches: Visibility into traffic going through these devices to the internet or to the main data center. Firewalls could provide NAT information
• Core Switches: Visibility into traffic going through the core to the Internet or to the DC and Campuses
• Access and Distribution: More visibility into user traffic from one VLAN to another or even from port to port

Add a Flow Sensor
• At the EDGE: Get Application layer visibility into your internet traffic (URL and APPs)
• At the Hypervisor: Visibility into VM traffic and additional network use cases with RTT and SRT
• Non Flow Capable Networks: Legacy network visibility where flow is not available
What can a Flow Sensor do
Virtual or physical appliance that produces telemetry for network infrastructure that cannot generate NetFlow natively. Provides additional security context to enhance Secure Network Analytics security analytics.
Additional information gathered:
• ETA enhanced NetFlow
• TLS fingerprinting
• Layer 7 application data
• URL information for web traffic
• TCP and ICMP flag details
• RTT (round trip time)
• SRT (server response time)
• Retransmissions
• X-Forwarded headers from web load balancers
Diagram: a Flow Sensor on non-NetFlow enabled equipment and a Flow Sensor VE on the hypervisor (VM traffic) send ETA enhanced NetFlow to the Flow Collector, managed by the Secure Network Analytics Manager.
Visibility at the endpoint level
User endpoints with the AnyConnect Secure Mobility Client send NVM telemetry to the Flow Collector and Data Store. Fields marked * are the NVM telemetry fields available in non-Data Store deployments.
NVM telemetry record fields:
Session: Start Time*, End Time*, Source IP*, Source Port*, Destination IP*, Destination Port*, Bytes Sent*, Bytes Received*, Packet Count* (derived), Protocol*
Interface: Interface Info UID, Interface Index, Interface Type, Interface Name, Interface Details List, Interface MAC Addr., UDID
User: User, User Account Type, Agent Version, Virtual Station Name
OS: OS Name, OS Version, OS Edition, System Manufacturer, System Type, Host Name, DNS Suffix
Process: Process Account*, Process Account Type, Process ID, Process Name*, Process Hash*, Process Path, Process Args, Parent Process ID, Parent Process Account, Parent Process Name*, Parent Process Hash*, Parent Process Path, Parent Process Args, Module Name List, Module Hash List
Store and analyze firewall logs
Minimum supported versions:
• FMC 6.7 (older versions are supported, but cross-launch will not be available)
• FTD 6.4
• SMC 7.3.0 (SMC VE or SMC 2210)
• SAL On-Prem 1.0.0 (an application that needs to be installed separately from the SMC 7.3.0 install)
Diagram: Secure Firewall -> Flow Collector -> Data Store. Log and event types shown: IDS events, malware events, LINA events, connection logs, behavioral security events, custom security events.
Analyze your cloud data by adding CTB
Cisco Telemetry Broker transforms VPC flow logs into IPFIX for Secure Network Analytics. Field mapping (VPC flow log field -> IPFIX information element):
srcaddr   -> sourceIPv4Address or sourceIPv6Address
dstaddr   -> destinationIPv4Address or destinationIPv6Address
srcport   -> sourceTransportPort
dstport   -> destinationTransportPort
protocol  -> protocolIdentifier
packets   -> packetDeltaCount
bytes     -> octetDeltaCount
start     -> flowStartSeconds
end       -> flowEndSeconds
tcp-flags -> tcpControlBits
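Worked example of the transformation above, added here; this is not Cisco Telemetry Broker code and does not reproduce its implementation. It parses constructed VPC flow log lines in a custom format carrying exactly the fields on the slide, picks the IPv4 or IPv6 address element per record, and drops fields the log reports as "-" (for example tcp-flags on a UDP flow) instead of sending a zero. The field order and the sample records are assumptions.

```python
"""Transform AWS VPC flow log records into IPFIX-named fields.

Added example, not Cisco Telemetry Broker code. It mirrors the field mapping
on the slide so the transformation is concrete. Sample records are constructed.
"""
import ipaddress
from typing import Dict, List

# Custom VPC flow log format assumed for this example. The order is an
# assumption: AWS lets you pick the field order when you create the log.
VPC_FIELDS = ["srcaddr", "dstaddr", "srcport", "dstport", "protocol",
              "packets", "bytes", "start", "end", "tcp-flags"]

# Slide mapping for the non-address fields: VPC field -> IPFIX element.
IPFIX_MAP = {
    "srcport": "sourceTransportPort",
    "dstport": "destinationTransportPort",
    "protocol": "protocolIdentifier",
    "packets": "packetDeltaCount",
    "bytes": "octetDeltaCount",
    "start": "flowStartSeconds",
    "end": "flowEndSeconds",
    "tcp-flags": "tcpControlBits",
}


def _addr_element(role: str, value: str) -> str:
    """Pick the IPv4 or IPv6 information element for srcaddr / dstaddr."""
    ip = ipaddress.ip_address(value)          # raises ValueError on garbage
    family = "IPv4Address" if ip.version == 4 else "IPv6Address"
    return ("source" if role == "srcaddr" else "destination") + family


def vpc_to_ipfix(line: str) -> Dict[str, object]:
    """Convert one VPC flow log line into a dict keyed by IPFIX element names."""
    values = line.split()
    if len(values) != len(VPC_FIELDS):
        raise ValueError(f"expected {len(VPC_FIELDS)} fields, got {len(values)}")
    rec = dict(zip(VPC_FIELDS, values))
    out: Dict[str, object] = {}
    for role in ("srcaddr", "dstaddr"):
        out[_addr_element(role, rec[role])] = rec[role]
    for vpc_name, ipfix_name in IPFIX_MAP.items():
        # "-" is what VPC flow logs emit when a field does not apply
        # (tcp-flags on a UDP flow, for instance); omit it rather than send 0.
        if rec[vpc_name] != "-":
            out[ipfix_name] = int(rec[vpc_name])
    if out["flowEndSeconds"] < out["flowStartSeconds"]:
        raise ValueError("flow end precedes flow start")
    return out


def transform(lines: List[str]) -> List[Dict[str, object]]:
    """Transform a batch of lines, skipping blanks and '#' comment lines."""
    return [vpc_to_ipfix(l) for l in lines if l.strip() and not l.startswith("#")]


# Constructed sample records (not real customer data): one TCP/IPv4 flow and
# one UDP/IPv6 DNS flow whose tcp-flags field is "-".
SAMPLE = """
10.0.1.25 172.16.5.10 49872 443 6 12 3456 1700000000 1700000030 19
2600:1f18:22ab:1::5 2600:1f18:22ab:2::9 53210 53 17 2 180 1700000005 1700000006 -
""".strip().splitlines()

if __name__ == "__main__":
    for record in transform(SAMPLE):
        print(record)
```

VPC flow logs are unidirectional, per-interface records aggregated over a capture window, so packets and bytes map naturally onto the IPFIX delta counters, but start and end only carry whole-second precision and a single conversation arrives as two records (one per direction) that the Flow Collector has to stitch into a bi-flow.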
Summarize the telemetry design use cases
• Visibility into traffic going through the network (east-west); extend it by enabling telemetry at other layers
• Analyze and store your firewall logs and NAT information
• Get to the endpoint: process, user and interface level
• Get visibility into your cloud environment by leveraging CTB
Design: Most common integrations
Secure Network Analytics integrations
• Proxy: web application, web URL and user info
• External lookup: extended analytics, threat investigation
• DNA Center: automated setup and deployment
• XDR: threat hunting and response
• Secure Client: process and endpoint visibility
• PAN: application and user identity
• Identity Services Engine: user identity, device identity, mitigation and response
• API: automated and customized configuration and reporting
Secure Network Analytics and network access integration
Network access services and classification from Cisco Identity Services Engine reach Secure Network Analytics over pxGrid and enrich its visibility.
Info from ISE: Device Id, Domain Id, Active, Start active time, Endpoint IP, Username, SGT Tag, TrustSec name, Last update time, InterfaceDevicePortId, InterfaceDeviceIp, Vlan, MAC address, Session ID
Info from ISE-PIC: Active, Start active time, Username, Last update time
• Secure Network Analytics also integrates with ISE-PIC using pxGrid to get endpoint contextual information
• Secure Network Analytics integrates with ISE to get mitigation capabilities and apply different ANC policies to an endpoint
© 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public
Validate that the trusted ISE policy is actually being observed in near-real-time network telemetry.
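An illustration of what that validation means in practice, as an added example that is not Secure Network Analytics or ISE code: it joins constructed ISE session attributes (the pxGrid fields on the integration slide: Endpoint IP, Username, SGT Tag, TrustSec name, Active) with constructed flow records and flags flows whose SGT pair the TrustSec policy matrix denies, plus flows that cannot be attributed to an active session. The policy matrix, the default-permit fallback and all sample data are assumptions.

```python
"""Check observed flows against the TrustSec policy that ISE says should apply.

Added example, not Secure Network Analytics or ISE code. Sessions, flows and
the policy matrix below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class IseSession:
    """Subset of the pxGrid session attributes listed on the slide."""
    endpoint_ip: str
    username: str
    sgt_tag: int
    trustsec_name: str
    active: bool


@dataclass(frozen=True)
class Flow:
    """Minimal flow record as a Flow Collector would report it."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: int


# Constructed ISE sessions (what pxGrid would deliver).
SESSIONS = [
    IseSession("10.10.1.15", "alice", 10, "Employees", True),
    IseSession("10.10.2.30", "contractor1", 20, "Contractors", True),
    IseSession("10.20.5.5", "svc-db", 30, "Database_Servers", True),
    IseSession("10.10.3.40", "bob", 10, "Employees", False),  # stale session
]

# Constructed TrustSec policy matrix: (source SGT, destination SGT) -> action.
# Pairs not listed fall back to the default, treated here as permit (assumption).
POLICY = {
    (10, 30): "permit",
    (20, 30): "deny",
    (20, 10): "deny",
}

# Constructed flows.
FLOWS = [
    Flow("10.10.1.15", "10.20.5.5", 1433, 6),    # employee -> DB: permitted
    Flow("10.10.2.30", "10.20.5.5", 1433, 6),    # contractor -> DB: denied by policy
    Flow("10.10.2.30", "10.10.1.15", 445, 6),    # contractor -> employee: denied
    Flow("192.168.99.7", "10.20.5.5", 1433, 6),  # no ISE session at all
    Flow("10.10.3.40", "10.20.5.5", 1433, 6),    # only a stale (inactive) session
]


def build_session_index(sessions: List[IseSession]) -> Dict[str, IseSession]:
    """Index active sessions by endpoint IP; inactive sessions must not enrich flows."""
    return {s.endpoint_ip: s for s in sessions if s.active}


def enrich(flow: Flow, index: Dict[str, IseSession]) -> Tuple[Optional[IseSession], Optional[IseSession]]:
    """Attach the ISE session (if any) for both ends of the flow."""
    return index.get(flow.src_ip), index.get(flow.dst_ip)


def classify(flow: Flow, index: Dict[str, IseSession], policy: Dict[Tuple[int, int], str]) -> str:
    """'ok', 'violation' (policy says deny but traffic was seen) or 'unknown-identity'."""
    src, dst = enrich(flow, index)
    if src is None or dst is None:
        return "unknown-identity"
    action = policy.get((src.sgt_tag, dst.sgt_tag), "permit")
    return "violation" if action == "deny" else "ok"


def find_policy_violations(flows: List[Flow], sessions: List[IseSession],
                           policy: Dict[Tuple[int, int], str]) -> List[dict]:
    """One finding per flow that should not have been seen or could not be attributed."""
    index = build_session_index(sessions)
    findings = []
    for f in flows:
        verdict = classify(f, index, policy)
        if verdict == "ok":
            continue
        src, dst = enrich(f, index)
        findings.append({
            "verdict": verdict,
            "src_ip": f.src_ip, "dst_ip": f.dst_ip, "dst_port": f.dst_port,
            "src_user": src.username if src else None,
            "src_sgt": src.trustsec_name if src else None,
            "dst_sgt": dst.trustsec_name if dst else None,
        })
    return findings


if __name__ == "__main__":
    for finding in find_policy_violations(FLOWS, SESSIONS, POLICY):
        print(finding)
```

A denied SGT pair that still shows up in flow telemetry means enforcement is not happening on that path (no SGACL applied on the switch in the middle, or an endpoint that was never classified). The unknown-identity verdict is why the session's Active flag and Last update time matter: a stale session must not be used to attribute a flow to a user.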
Secure Network Analytics is a comprehensive data source
Source: Manager
• Alarms and notifications, delivered by SMTP (to inboxes and ticketing systems) and by SYSLOG (to log aggregation)
• Configuration and reporting through APIs (SOAP web services API and REST API)
Source: Flow Collector
• Normalized flow data, via the data exporter (usually to SIEMs)
Improving on-prem NDR with Cisco XDR
Diagram: Secure Network Analytics sends alarms and events to XDR analytics and tiles to the XDR Control Center; XDR sends enrichment requests from manual investigations or automated from event correlation; optionally, flows are sent to XDR analytics via CTB or the Flow Collector.
Cross correlation of data: correlation of NDR findings with other detection mechanisms, including EDR-based detections, email and others.
Impact analysis: understand the impact of an incident leveraging the XDR Incident Manager.
Reduce the time to respond: leveraging XDR automation and the multi-response capabilities.
Extend response capability: expand NDR response capabilities with multiple technologies through XDR integrations with Cisco and third-party technologies.
Data enrichment from SNA to XDR: event details are sent with relationship indicators for some alerts, when available.
Security events contribute to XDR investigations (screens shown: Security Events, Investigation, Configuration, Limits).
SNA alerts to XDR
• SNA Converged Analytics alerts are published to XDR through Response Management
• Alerts can trigger incidents and are mapped to MITRE ATT&CK tactics and techniques
• Introduced in 7.5; will change in 7.5.1
Diagram (integration for Response Management): Converged Analytics Engine (Data Store only) -> Alerts -> Response Management -> Email, Syslog, Threat Response, Webhook.
Response Manager logic: if the condition is met, then trigger the response
• Rule: what alarms?
• Action: what to do with the alarms?
Automatic response: automate responses by defining rules and applying actions.
• New Alerts option in Response Manager; Converged Analytics needs to be enabled
• Webhooks are supported for Alerts (Converged Analytics) and Alarms; not customizable for either
• New actions for Converged Analytics alerts
• Rules with flexible conditions
Define rules with multiple conditions
• Granular control with complex rule-triggering conditions
Use multiple actions:
• Select one or more actions to be executed once the rule is matched and the alert is open
• Select one or more actions to trigger when the alert is closed
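A model of the rule and action logic described on the last few slides, added here as an example and not Secure Network Analytics code: a rule is a list of conditions that must all match an alert, with one list of actions for when the alert opens and another for when it closes, and the webhook body has a fixed shape because the slide says webhooks are not customizable. Alert field names, the operators, the action names and the payload shape are assumptions.

```python
"""Rule / action model of the kind described for Response Management.

Added example, not Secure Network Analytics code. Alerts, rules and the
webhook payload shape are constructed for the example.
"""
import json
from dataclasses import dataclass, field
from typing import Any, Dict, List

Alert = Dict[str, Any]


@dataclass(frozen=True)
class Condition:
    """One condition on an alert field; operators are an assumption."""
    field_name: str
    op: str          # eq, ge, in, contains
    value: Any

    def matches(self, alert: Alert) -> bool:
        actual = alert.get(self.field_name)
        if actual is None:
            return False
        if self.op == "eq":
            return actual == self.value
        if self.op == "ge":
            return actual >= self.value
        if self.op == "in":
            return actual in self.value
        if self.op == "contains":
            return self.value in actual
        raise ValueError(f"unsupported operator {self.op}")


@dataclass
class Rule:
    """All conditions must hold (AND); separate action lists for open and close."""
    name: str
    conditions: List[Condition]
    on_open: List[str] = field(default_factory=list)
    on_close: List[str] = field(default_factory=list)

    def matches(self, alert: Alert) -> bool:
        # A rule with no conditions matches nothing, so a half-built rule
        # cannot fire on every alert.
        return bool(self.conditions) and all(c.matches(alert) for c in self.conditions)


def webhook_payload(alert: Alert, rule: Rule, transition: str) -> str:
    """Fixed-shape JSON body: the slide says webhooks are not customizable."""
    return json.dumps({"rule": rule.name, "transition": transition,
                       "alert_id": alert["id"], "type": alert["type"],
                       "severity": alert["severity"]}, sort_keys=True)


def dispatch(alert: Alert, rules: List[Rule], transition: str) -> List[Dict[str, str]]:
    """Run the open- or close-time actions of every matching rule; return what was sent."""
    if transition not in ("open", "close"):
        raise ValueError("transition must be 'open' or 'close'")
    sent = []
    for rule in rules:
        if not rule.matches(alert):
            continue
        actions = rule.on_open if transition == "open" else rule.on_close
        for action in actions:
            if action == "webhook":
                body = webhook_payload(alert, rule, transition)
            else:  # email / syslog: a one-line summary stands in for the real message
                body = f"{rule.name}: {alert['type']} {transition}"
            sent.append({"rule": rule.name, "action": action, "body": body})
    return sent


# Constructed rules: a two-condition rule with open and close actions, and a
# single-condition rule that only acts on open.
RULES = [
    Rule("Critical sinkhole to SOAR",
         [Condition("severity", "ge", 8), Condition("type", "contains", "Sinkhole")],
         on_open=["webhook", "email"], on_close=["webhook"]),
    Rule("Any high alert to syslog",
         [Condition("severity", "ge", 7)],
         on_open=["syslog"]),
]

# Constructed alerts; the first type matches the Umbrella sinkhole alert on the new-alerts slide.
SAMPLE_ALERTS = [
    {"id": "a-1", "type": "Repeated Umbrella Sinkhole Communications", "severity": 9, "host": "10.1.1.5"},
    {"id": "a-2", "type": "New Internal Device", "severity": 3, "host": "10.1.1.9"},
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        for transition in ("open", "close"):
            for item in dispatch(alert, RULES, transition):
                print(transition, item)
```

Keeping the open and close action lists separate is what lets a rule open a ticket through a webhook when the alert fires and send a second webhook to close it, without emailing the on-call twice.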
Demo: XDR and Response Management
Most utilized resources
SNA resources:
• Secure Analytics videos: http://cs.co/SecureAnalyticsVideos
• Detection: Secure Analytics Detections Demo playlist
• Design guide: SNA Data Store Design Guide
• FPS estimator: FPS Estimator
• Training center: Secure Network Analytics Training Center - Use Cases
Thank you
FC4300 in a Non–Data Store Deployment
• The Flow Collector does everything: ingestion, storage, and query.
• Retention & performance depend on appliance sizing:
• FC4300 can ingest up to ~4M flows per second (depending on
model and license).
• Stores flow records locally (on its own disks).
• Query performance is fine for short- to mid-term history (days
to a few weeks).
• As flow volume and query size grow, performance slows because
the collector handles queries + ingestion simultaneously.
• Best for small to medium deployments where:
• Flow volume is moderate.
• Long-term retention isn’t required.
FC4300 in a Data Store Deployment
• Flow Collector handles ingestion only and forwards flow data
into the Data Store cluster.
• Data Store handles indexing, long-term retention, and
queries.
• Benefits:
• Higher retention (months/years).
• Faster queries on large datasets because SMC queries the
Data Store, not the Flow Collector.
• Flow Collector resources are dedicated to ingestion,
improving stability at high flow rates.
• Supports scalability → multiple FC4300s feeding the same
Data Store cluster.
• Best for large enterprises, service providers, or compliance-
driven industries needing forensic data for long periods.

More Related Content

PDF
Nozomi Networks SCADAguardian - Data-Sheet
PDF
ONS Summit 2017 SKT TINA
PPTX
NetFlow Analyzer Training Part I: Getting the initial settings right
PPTX
Data center webinar_v2_1
PPTX
The Need for Complex Analytics from Forwarding Pipelines
PPTX
Cloud Migration
PPTX
Export flows, group traffic, map application traffic and more: NetFlow Analyz...
PPTX
Network Telemetry
Nozomi Networks SCADAguardian - Data-Sheet
ONS Summit 2017 SKT TINA
NetFlow Analyzer Training Part I: Getting the initial settings right
Data center webinar_v2_1
The Need for Complex Analytics from Forwarding Pipelines
Cloud Migration
Export flows, group traffic, map application traffic and more: NetFlow Analyz...
Network Telemetry

Similar to Cisco Network Behaviour dibuywvdsvdtdstydsdsa (20)

PDF
Security defined routing_cybergamut_v1_1
PPTX
Free NetFlow Analyzer training - Getting the initial settings right
PPTX
Cisco connect winnipeg 2018 a look at network assurance in dna center
PPTX
ADAM-3600 Sales kit_WATER.pptx
PPTX
Cisco Standard Network Platform (SNP) - Catholic Relief Services Case Study
PPTX
NFA - Middle East Workshop
PPTX
Monitoring federation open stack infrastructure
PDF
Genian NAC Datasheet
PPTX
Software Defined Networking, Concepts and Practical Implementations
PPTX
Splunk App for Stream
PDF
Deep Flow Monitoring with ServicePilot
PDF
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
PPTX
Acceleration_and_Security_draft_v2
PDF
Smart grid solutions
PDF
Iskra Energy Management Expertise: smart grid solutions
PPTX
NUVX Technologies general solutions
PPTX
Free OpManager training Part3- Network performance monitoring
PDF
Cisco IT Infrastructure Monitoring with SolarWinds Tools
PPTX
Raga_SDN_NSX_1
PPTX
M.Tech Internet of Things Unit - IV.pptx
Security defined routing_cybergamut_v1_1
Free NetFlow Analyzer training - Getting the initial settings right
Cisco connect winnipeg 2018 a look at network assurance in dna center
ADAM-3600 Sales kit_WATER.pptx
Cisco Standard Network Platform (SNP) - Catholic Relief Services Case Study
NFA - Middle East Workshop
Monitoring federation open stack infrastructure
Genian NAC Datasheet
Software Defined Networking, Concepts and Practical Implementations
Splunk App for Stream
Deep Flow Monitoring with ServicePilot
Toolkit Titans - Crafting a Cutting-Edge, Open-Source Security Operations Too...
Acceleration_and_Security_draft_v2
Smart grid solutions
Iskra Energy Management Expertise: smart grid solutions
NUVX Technologies general solutions
Free OpManager training Part3- Network performance monitoring
Cisco IT Infrastructure Monitoring with SolarWinds Tools
Raga_SDN_NSX_1
M.Tech Internet of Things Unit - IV.pptx
Ad

More from solomonrajuprimedtal (9)

PPTX
networkanalysisminiproject2-220802175311-53d25ee7.pptx
PPTX
hidihofdiofyuhjhjjfhjhffjhfhhjfhhfhjfhjhjfhjfhjfjhfhjfjfhjhfhjffhjhjhjhjhjhjh...
PPTX
Kubernetes PPTghjhhjhhhhhhggjjghjgjhghjghjghghghjghghghgghghghhjghghghghj
PPTX
bigdgiuuuuoipopoooojpojhiOohuggbvkllhggjkgjkjkjk
PPTX
dsgfdfdhfdhdfhdfhdfhdfhhhgfhhhhdfhfgfsjwshgkhgk
PPTX
gfggdfgdfgdfdfdffdgfdgfdgfdgfdgfdgfdgfdfdfdhdfhdhhdhdhdhdh
PPTX
rmrfnel;,;'sdc,hddguydgudfufdydydhfjguyju8y8
PPTX
jhuigygtftrdtrdersresygyijhvtdghgytfkjhuiyugok
PPTX
Arrayuyfuyyugyrhuhuuuurhrfuhufujoppoopopopop
networkanalysisminiproject2-220802175311-53d25ee7.pptx
hidihofdiofyuhjhjjfhjhffjhfhhjfhhfhjfhjhjfhjfhjfjhfhjfjfhjhfhjffhjhjhjhjhjhjh...
Kubernetes PPTghjhhjhhhhhhggjjghjgjhghjghjghghghjghghghgghghghhjghghghghj
bigdgiuuuuoipopoooojpojhiOohuggbvkllhggjkgjkjkjk
dsgfdfdhfdhdfhdfhdfhdfhhhgfhhhhdfhfgfsjwshgkhgk
gfggdfgdfgdfdfdffdgfdgfdgfdgfdgfdgfdgfdfdfdhdfhdhhdhdhdhdh
rmrfnel;,;'sdc,hddguydgudfufdydydhfjguyju8y8
jhuigygtftrdtrdersresygyijhvtdghgytfkjhuiyugok
Arrayuyfuyyugyrhuhuuuurhrfuhufujoppoopopopop
Ad

Recently uploaded (20)

PDF
MACCAFERRY GUIA GAVIONES TERRAPLENES EN ESPAÑOL
PPTX
Principal presentation for NAAC (1).pptx
PPTX
Module1.pptxrjkeieuekwkwoowkemehehehrjrjrj
PDF
AIGA 012_04 Cleaning of equipment for oxygen service_reformat Jan 12.pdf
PDF
[jvmmeetup] next-gen integration with apache camel and quarkus.pdf
PPT
Programmable Logic Controller PLC and Industrial Automation
PDF
MLpara ingenieira CIVIL, meca Y AMBIENTAL
PDF
Unit I -OPERATING SYSTEMS_SRM_KATTANKULATHUR.pptx.pdf
PPTX
Solar energy pdf of gitam songa hemant k
PPTX
CT Generations and Image Reconstruction methods
PDF
Computer System Architecture 3rd Edition-M Morris Mano.pdf
PDF
VTU IOT LAB MANUAL (BCS701) Computer science and Engineering
PDF
SEH5E Unveiled: Enhancements and Key Takeaways for Certification Success
PDF
UEFA_Embodied_Carbon_Emissions_Football_Infrastructure.pdf
PPTX
MAD Unit - 3 User Interface and Data Management (Diploma IT)
PPTX
Design ,Art Across Digital Realities and eXtended Reality
PPT
UNIT-I Machine Learning Essentials for 2nd years
PDF
Beginners-Guide-to-Artificial-Intelligence.pdf
PDF
Micro 4 New.ppt.pdf a servay of cells and microorganism
PDF
Unit1 - AIML Chapter 1 concept and ethics
MACCAFERRY GUIA GAVIONES TERRAPLENES EN ESPAÑOL
Principal presentation for NAAC (1).pptx
Module1.pptxrjkeieuekwkwoowkemehehehrjrjrj
AIGA 012_04 Cleaning of equipment for oxygen service_reformat Jan 12.pdf
[jvmmeetup] next-gen integration with apache camel and quarkus.pdf
Programmable Logic Controller PLC and Industrial Automation
MLpara ingenieira CIVIL, meca Y AMBIENTAL
Unit I -OPERATING SYSTEMS_SRM_KATTANKULATHUR.pptx.pdf
Solar energy pdf of gitam songa hemant k
CT Generations and Image Reconstruction methods
Computer System Architecture 3rd Edition-M Morris Mano.pdf
VTU IOT LAB MANUAL (BCS701) Computer science and Engineering
SEH5E Unveiled: Enhancements and Key Takeaways for Certification Success
UEFA_Embodied_Carbon_Emissions_Football_Infrastructure.pdf
MAD Unit - 3 User Interface and Data Management (Diploma IT)
Design ,Art Across Digital Realities and eXtended Reality
UNIT-I Machine Learning Essentials for 2nd years
Beginners-Guide-to-Artificial-Intelligence.pdf
Micro 4 New.ppt.pdf a servay of cells and microorganism
Unit1 - AIML Chapter 1 concept and ethics

Cisco Network Behaviour dibuywvdsvdtdstydsdsa

  • 1. Design, Deploy and Troubleshoot Network Detection and Response Secure Network Analytics
  • 2. Agend a • Introduction • What are the core components • Legacy and new Architecture • Deployment Flow and Strategies • Transitions • Telemetry Ingest • Conclusion 2
  • 4. Secure Network Analytics Behavioral modeling Behavioral analysis of every activity within the network to pinpoint anomalies Data collection Rich telemetry from the existing network infrastructure including enhanced telemetry for encrypted traffic analytics Cisco XDR Extended Detection and Response with Cisco XDR. Advanced analytics extends local detections with global intelligence and integrations for accelerated response Multilayered machine learning Combination of supervised and unsupervised techniques to convict advanced threats with high fidelity Secure Network Analytics Endpoint Telemetry Device and process insight with flow telemetry from Cisco Secure Client 4
  • 5. Contextual network-wide visibility Agentless, using existing network and cloud infrastructure, even in encrypted traffic Predictive threat analytics Combination of behavioral modeling, machine learning and global threat intelligence Automated detection and response High-fidelity alerts prioritized by threat severity with ability to conduct forensic analysis Cisco Secure Network Analytics 5
  • 6. Multi-telemetry ingest and visibility VPC, NSG flow logs Secure Network Analytics On-prem Network Telemetry Admin Data center Networ k Users On-premises network Remote Workers Campus/ Branch Public Clouds Cisco Firewall Log Data Endpoint Data (NVM) 6
  • 7. Extensible Telemetry Ingest AnyConnect Secure Mobility Client Identity Services Engine AHGA/ ADC* Proxy Integration * Secure Web Appliance Other Web Proxies ETA Capable Devices Secure Firewall Flow Sensor NetFlow Enabled Devices IPAM DB Threa t Intel Network Telemetr y HTTP(S) Requests HTTP(S) Responses HTTP(S) URL Custom HTTP(S) Headers Username TLS Version Key Exchange Authenticatio n Alg. MAC Username MAC Address TrustSec Groups OS Type Process name Process hash Process account Parent process name Parent process hash OS Version Connected interface …. Flow Action Translated Port/IP SYSLOG Connections Malware events File events Hardware events L7 Application HTTP Requests HTTP Responses SRT/RTT TCP Flags Payload SRC/DST IP Address SRC/DST Port Bytes/Pkts Sent Bytes/Pkts Received … (NetFlow, IPFIX) Host Group s VPC & NSG flow log transformatio n via CTB 7
  • 8. 8 If You Fail to Plan, You Are Planning to Fail
  • 10. Secure Network Analytics Component Icons flow data (ETA Fields) global threat alerts Flow Sensor VM VM Non-NetFlow enabled equipment ETA enhanced NetFlow Hypervisor with Flow Sensor VE proxy data NetFlow enabled routers, switches, firewalls NetFlow UDP Director Additional Traffic Analysis Software (SIEM: Splunk) Flow Collector Manage r Threat Intelligenc e License global threat alerts telemetry for encrypted traffic analytics (ETA) End of Life cloud-based machine learning 10
  • 11. Secure Network Analytics components Manage r Flow Sensor Flow Collector SMC VE (Virtual Edition) SMC 2210 • SMC for Management and Configuration supports: • Up to 25 Flow Collectors • 10000 Network Access User sessions • 15 concurrent managing users • Scale up to 6 Million FPS in one deployment Flow Collector VE FC 4210/FC5210 • Flow Collector is the center of Data Collection and Analytics. • Up to 25 FC per deployment • Up to 240 000 FPS per FC • Up to 6TB of Flow Storage • Up to 1Million Host Classified • Up to 4000 Data Source per FC Flow Sensor VE FS1210/FS 3210/FS4210 • Ingest SPAN to generate telemetry and contextual data. • Up to 80Gbps per FS, Copper and Fiber supported interface, • 1Gb, 10Gb and 40 Gb monitor interfaces 11
  • 12. UDP director UDP Director VE (Virtual edition) UDPD 2210 Replicates UDP traffic and generates NetFlow from SPAN traffic supporting: • 1Gbps/10Gbps interfaces • Up to 150,000 pps Allows NetFlow, SYSLOG and SNMP data to be sent transparently to multiple collection points Provides additional flexibility and ease of deployment Secure Network Analytics manager NetFlow Telemetry for Encrypted traffic analytics (ETA) NetFlow enabled routers, switches, firewalls UDP Director Flow Collector NOT FOR SALE 12
  • 13. Required core components Flow rate license Secure Network Analytics manager • A physical or virtual appliance that aggregates, organizes, and presents analysis from flow collectors • Central management for all Secure Network Analytics devices • User interface to Secure Network Analytics • Maximum 2 per deployment Flow collector (FC) • A physical or virtual appliance that aggregates, normalizes and analyze telemetry and application data collected from exporters such as routers, switches, and firewalls • High performance NetFlow/SFlow/IPFIX collector • Maximum 25 per deployment Flow rate license • Collection, management, and analysis of telemetry by Secure Network Analytics • The flow rate license is simply determined by the number/type of switches, routers, firewalls and probes present on the network • FPS estimation Tool https://apps.cisco.com/cfgon/public/app/lancope/fpsestimator.jsp#/add- items Flow Collector Secure Network Analytics manager 13
  • 15. flow data (ETA Fields) global threat alerts Flow Sensor Hypervisor with Flow Sensor VE VM VM Non-NetFlow enabled equipment ETA enhanced NetFlow proxy data NetFlow enabled routers, switches, firewalls NetFlow Telemetry Broker Additional Telemetry Destinations (SIEM: Splunk) Flow Collector Manage r Threat Intelligenc e License global threat alerts telemetry for encrypted traffic analytics (ETA) Data Store VPC Secure Network Analytics Data Store Component & CTB End of Life cloud-based machine learning 15
  • 16. Secure Network Analytics manager • A physical or virtual appliance that aggregates, organizes, and presents analysis from flow collectors • Central management for all Secure Network Analytics devices • User interface to Secure Network Analytics • Maximum 2 per deployment Flow collector (FC) • A physical or virtual appliance that aggregates, normalizes and analyze telemetry and application data collected from exporters such as routers, switches, and firewalls • High performance NetFlow/SFlow/IPFIX collector • Maximum 25 per deployment Data Store (DS) • A physical or virtual appliance that store data in a scalable, resilient way. • Maximum 12 per deployment (36 nodes) Flow rate license • Collection, management, and analysis of telemetry by Secure Network Analytics • The flow rate license is simply determined by the number/type of switches, routers, firewalls and probes present on the network • FPS estimation Tool: https://apps.cisco.com/cfgon/public/app/lancope/fpsestimator.jsp#/add-items Data Store Required core components Flow rate license Flow Collector Secure Network Analytics Deployment Data Store 16 Manage r
  • 19. Virtual Edition Resources SMC FC with no Data store RESERVERD RESOURCES 19
  • 20. Virtual Edition Resources FC With Data Store Single Data STORE RESERVERD RESOURCES 20
  • 21. Deployment Requirements • IP addresses for appliances to be deployed • DNS Server IP(s) • NTP Server IP(s) • SMTP relay (if needed) • Internal IP ranges in use/to be monitored Only for Data Store per node • Non-routable IP Address from the 169.254.42.0/24 21 Device Information Communication Ports –NOT Full LIST From (Client) To (Server) Port Protocol Admin User PC All appliances TCP/443 HTTPS Admin User PC All appliances TCP/22 SSH All appliances Network time source UDP/123 NTP Flow Collector SMC TCP/443 HTTPS Manager Flow Collector TCP/443 HTTPS Manager Flow Sensor TCP/443 HTTPS Manager Internet TCP/443 HTTPS Manager DNS UDP/53 DNS Flow Sensor SMC TCP/443 HTTPS Flow Sensor Flow Collector UDP/2055 NetFlow NetFlow Exporters Flow Collector UDP/2055* NetFlow NOT FULL List of Ports
  • 22. Deployment Steps First Time Setup Appliance Setup Tool • Interface SFP or BaseT Selection • IP address Subnet Configuration • For Data Node 2nd IP non- routable • For FC Telemetry Selection and UDP Port Definition • Password Change • IP address Subnet Configuration Verification • SNA Domain and Type Type (DS or Not) • DNS and NTP Console Http://IPaddres s Reboot is common between steps 22 Removed 7.5 Less Restart
  • 23. Cenralized Management Connect With the Manager • Connecting to the Manager • Will also Use the AST (Appliance Setup Tool) (From FST in 7.5) • After the AST Reboot • Devices Connected • Data Store Not Initialized Initialize the Data Store • Go back to the Central Manager console • Initialize the Data Store 23
  • 24. Smart Licensing Deployment Options • Cisco product sends usage information directly over the internet. No additional components are needed. • Cisco products send usage information to a locally installed appliance. • Periodically, exchange information with Cisco to ensure license usage is accurate. • This synchronization can occur automatically in connected environments or manually in disconnected environments. • Use copy/paste information between product and Cisco.com to manually check in and out licenses. • Functionally equivalent to older node locking, but with Smart License tracking. Direc t On- Prem Offline (not recommended) 24
  • 25. Licensing Notes 25 • After 90 Evaluation period ends the system will stop processing new flows • Still functional with historical data, but new flow data will not be processed • This is the ONLY hard enforcement used in Smart Licensing • After a system is registered and the associated licensing periods expire or are exceeded there is no hard enforcement • The system will display banners informing users they are out of compliance, but the system will still process flow
  • 26. Flow estimation • It is an estimated Value unless you do a PoV • FPS license is based on 95th percentile, for 95% of the time the FPS actual is AT or BELOW the stated amount For every 1000 fps per day you need 1 GB storage at the Flow Collector 26
  • 28. What is the Data Store • The Data Store is a new and improved database architecture design for SNA • Each individual Data Store appliance will include a 3-Node database cluster • Flow ingest by Flow Collectors is separated from data storage • This distributed design enables scalable and resilient data storage, providing retention times of over a year • Queries are handled by the Data Store, effectively increasing performance across all metrics by a significant magnitude 1 or more Flow Collectors Management Console 3 or more Data Nodes 28
  • 29. With and Without the Data Store 1M FPS/90 days storage • 16 total nodes: 8 data nodes + 8 Flow Collectors (FC) • Coupled Data collection & storage • 10 total nodes: 6 data nodes + 4 FC • Independent data collection & storage • Efficient and optimized data storage 1M FPS/90 days storage Flow Collectors (FC4210) FC5210 Data Base Current Customer Deployment New Data Store Deployment Data Nodes FC5210 Engine 29
  • 30. Data Resiliency In addition to extending retention time, the Data Store also introduces enterprise-class data resiliency 1 or more Flow Collectors Management Console • Telemetry data is stored redundantly across nodes to allow for seamless availability during single node failures • Seamless availability for a Data Store deployments 1 2 3 4 5 6 3 o r m o r e D 30
  • 31. Data Store Performance Top Reports Non-DS Data Store Applications 5hr 47min 21min Hosts 29hr 36min 19min 31 Ports 9hr 53min 19min Protocols 6hr 50min 28min Services 6hr 2min 20min • Large Enterprise traffic, ran for 3 days at 150,000 fps into two hardware testbeds: • FC5210 (Non-Data Store) • 3-Node Data Store with a FC4210 • After 3 days, 19.4 Billion flows were written to each testbed bed
  • 32. Data Store Deployment Single Switch Architecture 32 Two Switch Architecture • eth2 or eth3 can be used for internode communications • Must be 168.254.42.x/24 • Provides resiliency for switch failure using port channels and interconnected trunk ports • Uses both eth2 and eth3 for port channel
  • 33. Data Store Evolution 7.3.0 Data Store on HW Data Nodes is introduced 7.3.1 Virtual Data Nodes were added, enabling virtual deployment 7.3.2 Added new telemetry types, Firewall logs and Remote worker visibility, all NVM fields 7.4.0 Virtual Manager and Flow Collector(s) and a physical Data Store Support added for ASA firewall logs 7.4.1 Expand to Data Store • Single Node • Multi- Telemetry • New Analytics 7.4.2 Transition to Data Store • Existing customers can transition to Data Store Geo-Redundancy • New peer site design M6 HW Support • SFP Interfaces 33
  • 34. The single node Data Store • Single node Data Stores can be either virtual or physical appliances • Supports up to 4 Flow Collectors • Easily expands to a full 3 node cluster, which now supports N+1 horizontal scaling • Note: A Data Store must consist of homogenous data nodes, either all virtual or all physical appliances Data Store Single Data Node Virtual or physical Expand/Scale as needed with FCs Single node virtual Data Store scales to 225K FPS Single node physical Data Store scales to 500K FPS 34
  • 37. Redundancy – High Level Design – Non-Data Store VIP NetFlow/IPFIX (UDP 2055) Heartbeat Signal Sent over network HTTPS SMC Primar y (active) Broke r Primary (active) FC Primary (active) SPAN SMC Secondary (active) Broker Secondary (passive) FC Secondary (active) FS Secondary (active) FS Primar y (active) Exporter s Actual Redundancy 37
  • 38. Redundancy – Notes– Non Data Store 38 • SMC redundancy follows active – active (but no change) • Flow Collector redundancy is active active and done by design • Flow Collector redundancy required double licensing • CTB help in achieving the flow collection redundancy • Flow Sensor redundancy is active - active
  • 39. Resilient central storage for multi-geo ingestion • Flow Collector consolidates redundant flow date into context rich bi-flow records • Highly efficient compression minimizes WAN impact when backhauling telemetry data • Telemetry data is stored redundantly across data nodes to help ensure data availability even during a data node failure • Redundant inter-connection switches, help to ensure the Data Store stays in operation during network upgrades and unplanned outages 39
  • 40. Redundancy – New Architecture Requirement: Geographical redundancy while minimizing footprint Solution: Peer Sites • Primary deployment is associated to a peer site where configurations are sync’d • Both sites run and operate independently, allowing great flexibility to meet customer operational reqs • Site telemetry is sent to both primary and peer sites. • Primary site can be robust HW appliances where peer site is smaller virtual deployment reducing OPEX • Peer sites based on Active/Standby Managers design, and is supported within peer sights for large Enterprises demanding full redundancy 40
  • 41. What are the gotchas? 41 • Java/Swing client is not supported with Data Store • BU is actively working to close reporting and data visibility gaps • Peer Site sync is manual • 3+ DC designs are not supported today • BU: Investigating extending peer site for this purpose • Multiple Data Stores are not supported by a single Manager • Converged Analytics cannot support multiple domains, it runs on one domain at a time
  • 43. Storage (Archival, Audit) 3rd Party Cloud Services (SIEM/Datadog/ServiceNow) 3rd Party On-Prem (Home grown Data Lakes, Live Action, SevOne) Cisco Cloud Services (Secure Cloud Analytics, CDO, SecureX, SSE*) Cisco On-Prem Platforms (DNA Center, Secure Workload) CTB Distributed Nodes Broker Transform Filter Anonymize API Telemetry Sources Telemetry Destinations Cisco Secure Network Analytics NetFlow / sFlow Syslog VPC Flow Logs SNMP Trap Application Sources …and more Sources = Network, Application, or Cloud provider points of telemetry egress. Endpoint (NVM) 43 *integrations under investigation
  • 44. Cisco Telemetry Broker Democratizes Telemetry Data Quickly enable PoV/onboarding of non-incumbent tools Replicate Telemetry Control Costs: Only index high value data Brokering Compliance: Keep low value data in low-cost storage Increased visibility of legacy sources Legacy protocol to Modern tool Transforming The ability to transform data protocols from the source to the destinations protocol of choice Modern protocol to Legacy tool Increased visibility into modern sources Route Telemetry Let teams run the tools of their choice without deploying new agents/collectors Filter to Drop and Segment The ability to route and replicate telemetry data from multiple source locations to multiple destinations Filtering The ability to filter data being replicated to enable fine grain control over what destinations ingest and analyze 44
  • 45. Components of the Telemetry Broker • CTB Manager node: • Only one manager is deployed and can manage multiple Broker nodes* • Maintains the policy/rules for the broker nodes enabling central management from one view • If the manager goes down, broker nodes continue to process telemetry • Backup configurations are created for recovery • CTB Broker node: • Where the telemetry brokering work occurs • Can be deployed closest to telemetry sources Manager Broker Node Broker Node Broker Node Management Network Monitoring Network Broker Node *A single Manager supports up to 10 Broker nodes 45
  • 46. Minimum requirements for a Cisco Telemetry Broker Node: • CPU: 2 cores (1 Gbps) or 5 cores (10Gbps) • Memory: 4 GB (1 Gbps) or 8 GB (10 Gbps) • Storage: 20GB Minimum requirements for a Cisco Telemetry Broker Manager: • CPU: 2 cores • Memory: 8 GB • Storage: 50GB Cisco Telemetry Broker Can also be deployed on a UCS server! Versions 6.7 or 6.5 46 **See notes for more details https://cs.co/ telemetrybroker
  • 47. Hardware broker node
    • Supports 300k FPS, capable of uploading to Cisco XDR
    • Dedicated 10GB management and monitoring interfaces
    • 16 x 16 GB DDR4 3200 memory
    • 6 x 600GB 10K RPM RAID6 (data), 2 x 240GB M.2 RAID1 (OS) storage
    • 2 x AMD EPYC 7313 16C/32T @ 3.0 GHz (boost 3.7 GHz) processors
  • 48. High Availability
    • HA configurations are supported for Cisco Telemetry Broker
    • Simply scale out more brokering nodes to provide resiliency
    • HA broker nodes operate in standby mode until their associated active node goes down
    • Broker nodes can be geo-distributed with the manager centralized
    • Broker nodes operating in standby mode do not process any telemetry and do not incur any additional licensing cost
  • 50. Migrating from a UDPD
    • Cisco Telemetry Broker improves upon the successful feature set of the UDP Director
      - CTB improves performance and simplicity, and offers new feature functionality
    • Cisco Telemetry Broker can use an existing configuration file from UDPD to seamlessly integrate existing forwarding rules
    • Device architectures are different
      - Account for the addition of Brokering Nodes in an existing design
      - Account for the new licensing model
    • (Diagram: the UDP Director does brokering only, forwarding IPFIX to Secure Network Analytics, a SIEM and Cisco DNA Center; CTB adds filtering and transforming, so logs, IPFIX and VPC flow logs can be routed to Secure Network Analytics, a SIEM and cheap storage)
  • 51. Data Store transition: no need for forklift upgrades to achieve success!
    • Upgrade software
    • 2 hardware generations supported: 4K and 5K
    • Re-use Managers, Flow Collectors and Flow Sensors
    • No other vendor in the market supports this model
  • 52. Transitioning to Data Store
    • Today: the existing FC (engine and DB)
    • Transition state:
      - Data Store is added to the existing deployment
      - Upgrade the existing FC (engine) to send new telemetry to the Data Store
      - The FC (DB) stays in the existing format
      - Manager communicates with the Data Store to run reports and flow searches for recently ingested telemetry
      - Manager queries the FC (DB) for older reports and searches
    • End state:
      - After the FC (DB) retention time has expired, the DB portion is decommissioned
      - SMC no longer queries the FC (DB)
      - For virtual FCs and FC42xx/FC43xx, the FC (DB) resources are returned to the system to optimize FC performance (up to three times faster); not the 5K DB node
      - Resulting appliances: FC 4210 DDS, FC 5210 DDS, FC 4200 DDS, FC 5200 DDS
  • 53. Transition Steps
    • Transition setup, from the Manager web UI:
      - Step 1: Create a Data Store domain
      - Step 2: Set up sync between the non-Data Store domain and the Data Store domain
      - Step 3: Sync the domains
    • Initiate transition, from the Manager CLI (SystemConfig as root):
      - Step 4: Add the data node(s) to Central Manager
      - Step 5: Enable SSH on the Data Store
      - Step 6: Initialize the Data Store
      - Step 7: Pick the flow collector and domain for transitioning
      - Step 8: Acknowledge the flow collector transition
    • Monitor transition, from the Manager web UI:
      - Central Manager > Inventory tab shows a transition flag (Data Store Transition) next to the flow collector
      - Central Manager > Data Store tab shows "Oldest Record (days ago)" for NetFlow, NVM and Firewall logs
      - Once there are 30 days for each, the transition can be completed
    • Complete transition, from the Manager CLI (SystemConfig as root):
      - Step 9: Select Data Store, then Complete Transition, then the flow collector to transition
      - Step 10: Acknowledge to complete the transition (note: all old data on the flow collector will be deleted)
  • 55. Multi-telemetry ingest and visibility (diagram: VPC/NSG flow logs from public clouds, on-prem network telemetry from the data center, campus/branch and users, Cisco Firewall log data, and endpoint data (NVM) from remote workers all feed Secure Network Analytics)
  • 56. NetFlow Required Fields. The fields that SNA requires to ingest flow are:

    | Field | NetFlow Element ID | Configuration Example | Required Field? |
    |---|---|---|---|
    | NF_F_PROTOCOL | 4 | match ipv4 protocol | Yes, Key Field |
    | NF_F_SRC_ADDR_IPV4 | 8 | match ipv4 source address | Yes, Key Field |
    | NF_F_DST_ADDR_IPV4 | 12 | match ipv4 destination address | Yes, Key Field |
    | NF_F_L4_SRC_PORT | 7 | match transport source-port | Yes, Key Field |
    | NF_F_L4_DST_PORT | 11 | match transport destination-port | Yes, Key Field |
    | INPUT_SNMP | 10 | match interface input | Yes, Key Field |
    | SRC_TOS | 5 | match ipv4 tos | Yes, Key Field |
    | OUTPUT_SNMP | 14 | collect interface output | Yes, Key Field |
    | NF_F_IN_BYTES | 1 | collect counter bytes | Yes, Key Field |
    | NF_F_IN_PKTS | 2 | collect counter packets | Yes, Key Field |
    | NF_F_LAST_SWITCHED | 21 | collect timestamp sys-uptime first | Required; for calculating duration |
    | NF_F_FIRST_SWITCHED | 22 | collect timestamp sys-uptime last | Required; for calculating duration |
    | NF_F_TCP_FLAGS | | | |
  • 57. NetFlow Required Fields (continued)

    | Field | NetFlow Element ID | Configuration Example | Notes |
    |---|---|---|---|
    | ETA Fields | 44940 | ipv4 idp | Initial Data Packet; used for crypto audit |
    | ETA Fields | 44941 | ipv4 splt | SPLT - Sequence of Packet Lengths and Times; malware detection |
    | ETA Fields | 44944 | | ETA Byte Distribution; malware detection |
    | NBAR Data | 12235 | match application name | NBAR application data |
    | NBAR Data | 45003 | match application name | NBAR application data |
    | Additional Fields: initiatorOctets | 231 | collect connection initiator | This field is useful to determine the flow initiator |
    | Additional Fields: natEvent | 230 | | Without this field we cannot get firewall events for the flow (denied, accepted, etc.) |
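As an added example (not Cisco's code or tooling), the following Python audits IOS-XE `flow record` definitions against the match/collect statements listed on slides 56 and 57, reporting which required fields a record lacks and which enrichment fields it carries; the sample configuration and its record names are constructed.

```python
"""Audit IOS-XE 'flow record' definitions against the NetFlow fields SNA requires.

Added example, not Cisco's code: statements and element IDs come from the two
'NetFlow Required Fields' slides; the sample configuration is constructed."""
import re

# Required statement -> (NetFlow element ID, field name), from slide 56.
# Elements 21 and 22 are needed together so the collector can compute duration.
REQUIRED = {
    "match ipv4 protocol": (4, "NF_F_PROTOCOL"),
    "match ipv4 source address": (8, "NF_F_SRC_ADDR_IPV4"),
    "match ipv4 destination address": (12, "NF_F_DST_ADDR_IPV4"),
    "match transport source-port": (7, "NF_F_L4_SRC_PORT"),
    "match transport destination-port": (11, "NF_F_L4_DST_PORT"),
    "match interface input": (10, "INPUT_SNMP"),
    "match ipv4 tos": (5, "SRC_TOS"),
    "collect interface output": (14, "OUTPUT_SNMP"),
    "collect counter bytes": (1, "NF_F_IN_BYTES"),
    "collect counter packets": (2, "NF_F_IN_PKTS"),
    "collect timestamp sys-uptime first": ("21/22", "sys-uptime timestamps"),
    "collect timestamp sys-uptime last": ("21/22", "sys-uptime timestamps"),
}
# Optional statements from slide 57 that enrich detections.
ENRICHMENT = {
    "match application name": "NBAR application data (elements 12235/45003)",
    "collect connection initiator": "initiatorOctets (231): identifies the flow initiator",
}


def audit_flow_records(config: str) -> list:
    """Return one audit dict per 'flow record' block: name, missing, enrichment."""
    blocks = []  # (record name, [normalized match/collect statements])
    for raw in config.splitlines():
        # Collapse indentation and repeated whitespace so config lines compare equal.
        line = re.sub(r"\s+", " ", raw.strip()).lower()
        if line.startswith("flow record "):
            blocks.append((raw.strip().split(None, 2)[2], []))
        elif blocks and line.startswith(("match ", "collect ")):
            blocks[-1][1].append(line)
    audits = []
    for name, statements in blocks:
        present = set(statements)
        missing = [f"{stmt} -> {REQUIRED[stmt][1]} ({REQUIRED[stmt][0]})"
                   for stmt in REQUIRED if stmt not in present]
        audits.append({
            "name": name,
            "missing": missing,  # empty list means SNA can ingest this record
            "enrichment": [ENRICHMENT[s] for s in ENRICHMENT if s in present],
        })
    return audits


# Constructed sample: a complete record and a legacy record missing several fields.
SAMPLE_CONFIG = """
flow record SNA-RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 match application name
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect connection initiator
flow record LEGACY-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 collect counter bytes
 collect counter packets
"""
```

Paste the output of `show running-config | section flow record` into `SAMPLE_CONFIG` to audit a real exporter before pointing it at the Flow Collector.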
  • 58. VPC Flow Logs to IPFIX
    • Cloud Flow Logs from AWS and Azure provide insight into the activities of hosts residing within cloud environments
    • Metadata from Flow Logs centers around the network activity, similar to IPFIX/NetFlow
      - There are 25 total fields provided in Flow Logs
      - Fields provide insight into network metadata as well as metadata associated with the VPC/NSG
    • CTB pulls Flow Logs from AWS S3 buckets and Azure BLOB storage via secure HTTPS connections and transforms the telemetry to IPFIX
      - Once the VPC flow is transformed it is forwarded to consumers
    • (Diagram: Flow Logs are transformed to IPFIX and delivered to Secure Network Analytics alongside NetFlow/IPFIX from on-prem networks)
  • 59. Complete and continuous remote worker visibility. The Cisco Secure Client (AnyConnect Secure Mobility Client) caches all network traffic telemetry records, even when users are not using a VPN
    • On-network flows (collected when VPN connected) – real time
      - When the user connects to the VPN, all stored NVM flow data is sent to the Flow Collector
      - Can be configured for burst or chunks, with an adjustable cache size
      - Detections are carried out on the NVM flows (Behavioral, Custom Security Events and Converged Analytics)
      - Note: a flow search does not show NVM-specific fields
    • Off-network flows (collected when VPN not connected) – cached, late arriving
      - Historical NVM flow data can be viewed using the NVM endpoint traffic reports in Report Builder
      - No detections are applied to off-network traffic
    • Related settings: nvm_to_flow_cache, nvm_filter_untrusted_flow
  • 60. No Endpoint VM since 7.3. Recap of all NVM telemetry records retained from user endpoints with AnyConnect Secure Mobility Client; NVM telemetry (Session, Interface, User, OS, Process) flows from the Flow Collector into the Data Store
    • Fields: Start Time*, End Time*, Source IP*, Source Port*, Destination IP*, Destination Port*, Bytes Sent*, Bytes Received*, Packet Count* (derived), Protocol*, Interface Info UID, Interface Index, Interface Type, Interface Name, Interface Details List, Interface Mac Addr., UDID, User, User Account Type, Agent Version, Virtual Station Name, OS Name, OS Version, OS Edition, System Manufacturer, System Type, Process Account*, Process Account Type, Process ID, Process Name*, Process Hash*, Process Path, Process Args, Parent Process ID, Parent Process Account, Process Account, Parent Process Name*, Parent Process Hash*, Parent Process Path, Parent Process Args, Host Name, DNS Suffix, Module Name List, Module Hash List, Parent Process Name, Parent Process Hash
    • * NVM telemetry records available within non-Data Store deployments
  • 61. Store Cisco Firewall logs on premises with Data Store
    • Cross-launch from FMC, with context, into the Secure Analytics and Logging dashboard
    • Make data available to FMC via APIs to support remote query
    • 100,000k eps (8.65 Bn/day) supported for 30+ days using the full Data Store architecture
  • 62. FMC pivots directly to the Data Store with enhanced context
    • Contextual pivots from Firepower Management Center to the event viewer optimize SecOps workflows by automatically filtering on events of interest
    • The Remote Query API does not support ASA events
  • 63. Intelligent viewer provides access to all Firewall data
    • Select custom timeframes going back across any retention time
    • Filter exclusively on Security Events and use per-column filters to quickly isolate data of interest
    • Create custom views to tailor content based on the columns shown
    • Use Summary to identify trends and outliers
    • Export any view to CSV for archiving or for further forensic investigation
  • 64. Secure Network Analytics detection architecture
    • Telemetry sources: NetFlow devices; Secure Firewall (IDS events, malware events, LINA events, connection logs); Secure Client (NVM over VPN and split tunnel, plus remote-worker off-network NVM)
    • Flow Collector analytics engines run on NetFlow and connection logs: behavioral security events, Custom Security Events and network-context-based detections; promoted events go to the Manager
    • Data Store: Converged Analytics with MITRE ATT&CK mappings; off-network NVM and firewall event logs are saved to the Data Store without analysis
    • Cisco XDR: firewall events can be sent to Cisco XDR from FMC in addition to being stored on-prem
    • Flow fields shown: SRC/DST IP address, SRC/DST port, protocol, bytes/packets sent, bytes/packets received, ...
    • Firewall detections based on firewall event context are planned (will change)
  • 65. SNA Firewall Logs Detections. Now! SNA detections with a firewall only as a telemetry source (Connection End)
    • Ingest: firewall logs (IDS events, malware events, LINA events, connection logs) are ingested by the Flow Collector on port 8514
    • Convert: connection logs are converted to flow
    • Detect: behavioral and custom detections are applied (behavioral security events, Custom Security Events), with results in the Data Store
    • Flows converted from firewall logs to NetFlow do not count against the FPS license; SAL is already licensed per GB/day
    • Firewall logs and NetFlow from the same device should not be sent at the same time; that produces wrong byte counts
  • 66. SNA Firewall Logs Detections: leverage analytics to trigger behavioral alerts (for example a Flow Denied security event in SNA triggered on traffic from firewall logs) and customized alerts with Custom Security Events
  • 67. SNA Firewall logs to Detections: configuration
    • Configuration:
      - sal_enable = 1
      - sal_to_flow_cache = 0 (default); set it to 1 to enable conversion
      - sal_port = 8514 (default); ports should not overlap with other ports (2055 for NetFlow and 2030 for NVM)
    • Troubleshooting: /lancope/var/sw/today/logs/sw.log reports per-period sal_event counters, for example:
      05:00:02 S-per-t: Current sal_event, Input: 0, Decoded: 0, Output: 0, Ignored: 0, Dropped: 0, To_Flow: 0 this period
      05:05:00 S-per-t: Current sal_event, Input: 3325, Decoded: 3325, Output: 3325, Ignored: 0, Dropped: 0, To_Flow: 1578 this period
      05:10:00 S-per-t: Current sal_event, Input: 4411, Decoded: 4411, Output: 4411, ...
    • No pivots are available to FMC
    • Not available for DDS
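Added example (not Cisco's code) for reading those sal_event counter lines: the regular expression follows the sw.log format shown on the slide, and the triage checks relate the counters to the sal_enable, sal_port and sal_to_flow_cache settings; the sample log lines are constructed.

```python
"""Triage per-period sal_event counters from /lancope/var/sw/today/logs/sw.log.

Added example, not Cisco's code. The line layout follows the sw.log excerpt on the
slide; the sample lines are constructed and the checks map counters to the
sal_enable / sal_port / sal_to_flow_cache settings on the same slide."""
import re
from dataclasses import dataclass

SAL_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) S-per-t: Current sal_event, "
    r"Input: (?P<input>\d+), Decoded: (?P<decoded>\d+), Output: (?P<output>\d+), "
    r"Ignored: (?P<ignored>\d+), Dropped: (?P<dropped>\d+), "
    r"To_Flow: (?P<to_flow>\d+) this period$"
)


@dataclass
class SalPeriod:
    """Counters for one reporting period of the firewall-log (SAL) ingest."""
    time: str
    input: int
    decoded: int
    output: int
    ignored: int
    dropped: int
    to_flow: int


def parse_sal_events(log_text: str) -> list:
    """Return one SalPeriod per counter line; unrelated sw.log lines are skipped."""
    periods = []
    for line in log_text.splitlines():
        match = SAL_LINE.match(line.strip())
        if match:
            fields = match.groupdict()
            time = fields.pop("time")
            periods.append(SalPeriod(time, **{k: int(v) for k, v in fields.items()}))
    return periods


def triage(periods: list, sal_to_flow_cache: int) -> list:
    """Explain each period's counters in terms of the configuration knobs."""
    findings = []
    for p in periods:
        if p.input == 0:
            findings.append(f"{p.time}: no firewall logs received; check sal_enable = 1 "
                            "and that the firewall sends to sal_port (default 8514)")
            continue
        if p.decoded < p.input or p.dropped > 0:
            findings.append(f"{p.time}: {p.input - p.decoded} events not decoded, "
                            f"{p.dropped} dropped")
        if sal_to_flow_cache == 1 and p.to_flow == 0:
            findings.append(f"{p.time}: conversion enabled but no connection logs "
                            "became flows this period")
        if sal_to_flow_cache == 0 and p.to_flow > 0:
            findings.append(f"{p.time}: To_Flow is {p.to_flow} although "
                            "sal_to_flow_cache = 0; re-check the effective setting")
    return findings


# Constructed sample in the format of the slide's excerpt, plus an unrelated line.
SAMPLE_LOG = """\
05:00:02 S-per-t: Current sal_event, Input: 0, Decoded: 0, Output: 0, Ignored: 0, Dropped: 0, To_Flow: 0 this period
05:05:00 S-per-t: Current sal_event, Input: 3325, Decoded: 3325, Output: 3325, Ignored: 0, Dropped: 0, To_Flow: 1578 this period
05:10:00 S-per-t: Current sal_event, Input: 4411, Decoded: 4400, Output: 4400, Ignored: 0, Dropped: 11, To_Flow: 0 this period
05:10:00 some other sw.log line that the parser must skip (constructed)
"""

if __name__ == "__main__":
    for finding in triage(parse_sal_events(SAMPLE_LOG), sal_to_flow_cache=1):
        print(finding)
```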
  • 68. NVM Detections. One more way to deploy SNA without being restricted to network flow to get detections
    • Secure Client (VPN and split tunnel) sends NVM to the Flow Collector; the FC analytics engines produce behavioral security events and Custom Security Events, stored in the Data Store
    • No conversion of NVM to flows is required; the flows then go through the detection engine
    • All detections from behavioral analytics can be applied, including data movement
    • Alert on process names and hashes with CSEs, in addition to all other detections
  • 69. NVM Detections configuration
    • New install:
      - nvm_enable = 1
      - nvm_to_flow_cache = 0 (default)
      - nvm_port = 2030 (default)
    • NVM flows can be seen in flow search and Report Builder when nvm_to_flow_cache is enabled
    • NVM flows can be seen only in Report Builder when nvm_to_flow_cache is not enabled
    • Troubleshooting:
      - /lancope/var/sw/today/logs/sw.log
      - /lancope/var/logs/containers/svc-db-ingest.log
  • 70. New Detections and Alerts in Converged Analytics
    • 4 new alerts from Secure Cloud Analytics: LDAP Connection Spike; Outbound LDAP Spike; Protocol Forgery; Repeated Umbrella Sinkhole Communications
    • 2 new observations from Secure Cloud Analytics: ISE Session Started Observation; Umbrella Sinkhole Hit Observation
  • 71. Dynamically maps entities by role (functional modeling and type-based modeling)
    • Automatic role classification is available on a new report leveraging the new Converged Analytics capability
    • Roles are available out of the box with no tuning and provide details about devices on the network for investigation
    • Roles include: Android, Citrix PVS server, Windows workstation, Mail server, Medical imaging client, Remote desktop server, DNS server, VoIP client, Apple iOS, Web server, Wireless LAN controller, Domain controller ... over 50+ entity roles are supported!
  • 72. Device Report Traffic enhanced with automatic filters
    • Select any time on the traffic statistics graph and see results dynamically filtered in the flow table
    • Accelerates investigation of traffic anomalies
    • Immediately correlates chart events with the actual flows contributing to the event
  • 73. Demo NVM + Firewall Logs + Converged Analytics
  • 75. Where to enable telemetry? (Diagram: NetFlow-enabled routers, switches and firewalls export NetFlow; a Flow Sensor, or a Flow Sensor VE on a hypervisor with VMs, covers non-NetFlow-enabled equipment; ETA-enhanced NetFlow and proxy data provide telemetry for encrypted traffic analytics (ETA); the Telemetry Broker feeds the Flow Collector and additional telemetry destinations such as a SIEM (Splunk) and brings in VPC flow logs; the Flow Collector feeds the Manager and the Data Store)
  • 76. The more you enable, the more you see
    • Edge devices at campus and at branches: visibility into traffic going through these devices to the internet or to the main data center; firewalls could provide NAT information
    • Core switches: visibility into traffic going through the core to the Internet or to the DC and campuses
    • Access and distribution: more visibility into user traffic from one VLAN to another, or even from port to port
  • 77. Add a Flow Sensor
    • At the edge: get application-layer visibility into your internet traffic (URLs and apps)
    • At the hypervisor: visibility into VM traffic and additional network use cases with RTT and SRT
    • Non-flow-capable networks: visibility into legacy networks where flow is not available
  • 78. What can a Flow Sensor do? A virtual or physical appliance that produces telemetry for network infrastructure incapable of generating NetFlow natively, and provides additional security context to enhance Secure Network Analytics security analytics. Additional information gathered:
    • ETA-enhanced NetFlow
    • TLS fingerprinting
    • Layer 7 application data
    • URL information for web traffic
    • TCP and ICMP flag details
    • RTT (round-trip time)
    • SRT (server response time)
    • Retransmissions
    • X-Forwarded headers from web load balancers
    • (Diagram: a Flow Sensor in front of non-NetFlow-enabled equipment, and a Flow Sensor VE on a hypervisor with VMs, send ETA-enhanced NetFlow to the Flow Collector and the Secure Network Analytics Manager)
  • 79. Visibility at the endpoint level: user endpoints with AnyConnect Secure Mobility Client send NVM telemetry (Session, Interface, User, OS, Process) to the Flow Collector and the Data Store; the field list is the same NVM record list shown on slide 60 (fields marked * are available within non-Data Store deployments)
  • 80. Store and analyse Firewall logs. Minimum supported versions:

    | Component | Min Supported Version | Notes |
    |---|---|---|
    | FMC | 6.7 | Older versions are supported but cross-launch will not be available |
    | FTD | 6.4 | |
    | SMC | 7.3.0 | SMC VE or SMC 2210 |
    | SAL On Prem | 1.0.0 | An application that needs to be installed separately from the SMC 7.3.0 install |

    (Diagram: Secure Firewall sends IDS events, malware events, LINA events and connection logs to the Flow Collector and Data Store, producing behavioral security events and Custom Security Events)
  • 81. Analyze your cloud data by adding CTB. Cisco Telemetry Broker transforms VPC Flow Logs into IPFIX for Secure Network Analytics:

    | VPC Flow Log field | IPFIX element |
    |---|---|
    | srcaddr | sourceIPv4Address or sourceIPv6Address |
    | dstaddr | destinationIPv4Address or destinationIPv6Address |
    | srcport | sourceTransportPort |
    | dstport | destinationTransportPort |
    | protocol | protocolIdentifier |
    | packets | packetDeltaCount |
    | bytes | octetDeltaCount |
    | start | flowStartSeconds |
    | end | flowEndSeconds |
    | tcp-flags | tcpControlBits |
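Added example (not Cisco Telemetry Broker's code) applying the slide 81 field mapping to the flow-log-to-IPFIX transformation described on slide 58: it parses an AWS-style VPC flow log file, selects the IPv4 or IPv6 address element per record, and skips NODATA/SKIPDATA records; the records are constructed and Azure NSG flow logs are not covered.

```python
"""Transform AWS VPC Flow Log records into the IPFIX information elements SNA ingests.

Added example, not Cisco Telemetry Broker code: it applies the field mapping shown
on slide 81 to a constructed flow log file. The header-then-records layout is the
space-separated format AWS writes to S3; NODATA/SKIPDATA records carry '-' fields."""
import ipaddress
from typing import Optional

# VPC Flow Log field -> IPFIX information element (slide 81).
FIELD_TO_IE = {
    "srcport": "sourceTransportPort",
    "dstport": "destinationTransportPort",
    "protocol": "protocolIdentifier",
    "packets": "packetDeltaCount",
    "bytes": "octetDeltaCount",
    "start": "flowStartSeconds",
    "end": "flowEndSeconds",
    "tcp-flags": "tcpControlBits",
}
# Address fields select the IPv4 or IPv6 element by the address family of the value.
ADDRESS_FIELDS = {
    "srcaddr": ("sourceIPv4Address", "sourceIPv6Address"),
    "dstaddr": ("destinationIPv4Address", "destinationIPv6Address"),
}


def parse_flow_log(text: str) -> list:
    """Parse a space-separated flow log whose first line names the fields."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    return [dict(zip(header, line.split())) for line in lines[1:]]


def to_ipfix(record: dict) -> Optional[dict]:
    """Map one record to IPFIX element names, or None if it carries no flow data."""
    if record.get("srcaddr", "-") == "-" or record.get("dstaddr", "-") == "-":
        return None  # NODATA / SKIPDATA records cannot become flows
    ies = {}
    for fld, (v4_name, v6_name) in ADDRESS_FIELDS.items():
        addr = ipaddress.ip_address(record[fld])
        ies[v4_name if addr.version == 4 else v6_name] = str(addr)
    for fld, ie_name in FIELD_TO_IE.items():
        if record.get(fld, "-") != "-":
            ies[ie_name] = int(record[fld])
    return ies


def transform_file(text: str) -> list:
    """Transform every usable record in a flow log file, dropping NODATA/SKIPDATA."""
    flows = [to_ipfix(rec) for rec in parse_flow_log(text)]
    return [flow for flow in flows if flow is not None]


# Constructed sample (custom format with tcp-flags); account and ENI ids are made up.
SAMPLE_LOG = """\
version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status tcp-flags
3 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.40 49152 443 6 12 5400 1700000000 1700000030 ACCEPT OK 19
3 123456789012 eni-0a1b2c3d 2001:db8::25 2001:db8::53 52000 53 17 1 72 1700000005 1700000005 ACCEPT OK 0
3 123456789012 eni-0a1b2c3d - - - - - - - 1700000000 1700000060 - SKIPDATA -
"""

if __name__ == "__main__":
    for flow in transform_file(SAMPLE_LOG):
        print(flow)
```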
  • 82. Summarize the telemetry design use cases
    • Visibility into traffic going through the network, east-west; extend it by enabling telemetry at other layers
    • Analyze and store your firewall logs and NAT information
    • Get to the endpoint process, user and interface level
    • Get visibility into your cloud environment by leveraging CTB
  • 84. Secure Network Analytics integrations
    • Proxy: web app, web URL and user info
    • External lookup: extended analytics, threat investigation
    • DNA Center: automated setup and deployment
    • XDR: threat hunting and response
    • Secure Client: process and endpoint visibility
    • PAN: application and user identity
    • Identity Services Engine: user identity, device identity, mitigation and response
    • API: automated and customized configuration and reporting
  • 85. Secure Network Analytics and network access integration: Cisco Identity Services Engine provides network access services and classification, Secure Network Analytics provides visibility, and the two exchange data over pxGrid
    • Info from ISE: Device Id, Domain Id, Active, Start active time, Endpoint IP, Username, SGT Tag, Trustsec name, Last update time, InterfaceDevicePortId, InterfaceDeviceIp, Vlan, MAC address, Session ID
    • Info from ISE-PIC: Active, Start active time, Username, Last update time
    • Secure Network Analytics also integrates with ISE-PIC using pxGrid to get endpoint contextual information
    • Secure Network Analytics integrates with ISE to get mitigation capabilities and apply different ANC policies to an endpoint
  • 86. © 2024 Cisco and/or its affiliates. All rights reserved. Cisco Public Validate trusted ISE policy is being observed from near real time network telemetry
  • 87. Secure Network Analytics is a comprehensive data source

    | Method | Destination |
    |---|---|
    | SMTP | To inbox & ticketing systems |
    | Data exporter | Usually to SIEMs |
    | SYSLOG | To log aggregation |
    | SOAP web services API | |
    | REST API | |

    Information provided (from the Flow Collector and the Manager): alarms and notifications; normalized flow data (data export from FC); APIs for configuration and reporting
  • 88. Improving on-prem NDR with Cisco XDR
    • Secure Network Analytics sends alarms and events to XDR analytics and answers enrichment requests from manual investigations or automated event correlation; tiles go to the XDR Control Center. Optional: send flows to XDR analytics via CTB or FC
    • Cross-correlation of data: correlation of NDR findings with other detection mechanisms, including EDR-based detections, email and others
    • Impact analysis: understand the impact of an incident leveraging the XDR incident manager
    • Reduce the time to respond: reduce the time to response leveraging XDR automation and its multi-response capabilities
    • Extend response capability: expand NDR response capabilities with multiple technologies through XDR integrations with Cisco and 3rd-party technologies
  • 89. Data enrichment from SNA to XDR: event details are sent with relationship indicators for some alerts, when available; Security Events contribute to XDR investigations (panels: Security Events, Investigation, Configuration, Limits)
  • 90. SNA Alerts to XDR: SNA Converged Analytics alerts are published to XDR through Response Management. Alerts can trigger incidents and are mapped to MITRE ATT&CK tactics and techniques. Introduced in 7.5; will change in 7.5.1
  • 92. Automatic Response: automate responses by defining rules and applying actions
    • Rule: what alarms?
    • Action: what to do with alarms?
    • Response Manager logic: if the condition is met, then trigger the response
    • New Alerts option in Response Manager; Converged Analytics needs to be enabled
    • Webhooks are supported for Alerts (Converged Analytics) and Alarms; not customizable for either
    • New actions for Converged Analytics alerts
  • 93. Rules with flexible conditions
    • Define rules with multiple conditions: granular control with complex rule-triggering conditions
    • Use multiple actions:
      - Select 1 or more actions to be executed once the rule is matched and the alert is open
      - Select 1 or more actions to trigger when the alert is closed
  • 95. Most utilized SNA resources
    • Secure Analytics videos: http://cs.co/SecureAnalyticsVideos
    • Detection: Secure Analytics Detections Demo playlist
    • Design guide: SNA Data Store Design Guide
    • FPS Estimator: FPS Estimator
    • Training Center: Secure Network Analytics Training Center - Use Cases
  • 97. FC4300 in a non-Data Store deployment
    • The Flow Collector does everything: ingestion, storage, and query
    • Retention and performance depend on appliance sizing:
      - FC4300 can ingest up to ~4M flows per second (depending on model and license)
      - Stores flow records locally (on its own disks)
      - Query performance is fine for short- to mid-term history (days to a few weeks)
      - As flow volume and query size grow, performance slows because the collector handles queries and ingestion simultaneously
    • Best for small to medium deployments where flow volume is moderate and long-term retention isn't required
  • 98. FC4300 in a Data Store deployment
    • The Flow Collector handles ingestion only and forwards flow data into the Data Store cluster
    • The Data Store handles indexing, long-term retention, and queries
    • Benefits:
      - Higher retention (months/years)
      - Faster queries on large datasets because the SMC queries the Data Store, not the Flow Collector
      - Flow Collector resources are dedicated to ingestion, improving stability at high flow rates
      - Supports scalability: multiple FC4300s feeding the same Data Store cluster
    • Best for large enterprises, service providers, or compliance-driven industries needing forensic data for long periods