Integration of Cisco Threat Response and Cisco Stealthwatch Enterprise
Look at this screenshot from the Cisco Stealthwatch system (this, by the way, is a real picture from one of our customers). What do you see in it? In just under 10 minutes, about 3 GB of data was transferred from Iran into the network (the screenshot, as you can see, was taken in January, but of 2019, not 2020, so this story has nothing to do with the latest political events in the Middle East).
Do you often communicate with Iran? Do you do business with that country? No? Then why are some internal hosts pulling so much data from it? What is the reason? YouTube, Facebook, Gmail and Dropbox are unlikely to be hosted in Iran. So what explains an anomaly like this?
Here is another screenshot (this time from a different customer): unexplained and fairly heavy SMB traffic with North Korea. What for? SMB traffic inside the corporate network is normal, but with external resources?
Another real story. Take a look at the next Cisco Stealthwatch screenshot. What surprises or worries you in it? Far too much NTP traffic. Perhaps this is a data leak over NTP, a protocol few people monitor (DLP certainly doesn't). Or maybe it is a DDoS attack using NTP?
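The three anomalies above (heavy transfers with a country you never talk to, SMB leaving the network, and abnormal NTP volume) are exactly the kind of thing flow telemetry surfaces. As an added illustration that is not part of the original article or of any Cisco product, here is what those checks look like when run over constructed flow records; the expected-country set, the RFC1918 ranges used to define "internal", and the thresholds are assumptions to be tuned to your own baseline.

```python
from collections import defaultdict, namedtuple
from datetime import datetime
from ipaddress import ip_address, ip_network

# One flow record; country is the GeoIP country of dst, assumed resolved by the collector.
Flow = namedtuple("Flow", "start src dst proto dst_port nbytes country")

# Assumed site policy and per-10-minute-window thresholds; tune to your own baseline.
EXPECTED_COUNTRIES = {"US", "DE", "NL"}
GEO_VOLUME_BYTES = 1024**3
NTP_BYTES_PER_HOST = 50_000
SMB_PORTS = {139, 445}
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    return any(ip_address(ip) in net for net in RFC1918)

def window(ts):
    # Floor a timestamp to its 10-minute bucket.
    return ts.replace(minute=ts.minute - ts.minute % 10, second=0, microsecond=0)

def geo_volume_alerts(flows):
    """Heavy transfers with an external peer in a country the org does not normally talk to."""
    vol = defaultdict(int)
    for f in flows:
        if not is_internal(f.dst) and f.country not in EXPECTED_COUNTRIES:
            vol[(f.country, window(f.start))] += f.nbytes
    return sorted((c, w, b) for (c, w), b in vol.items() if b >= GEO_VOLUME_BYTES)

def external_smb_alerts(flows):
    """SMB is normal inside the network; SMB to an external address is not."""
    return sorted({(f.src, f.dst, f.country) for f in flows
                   if f.proto == "TCP" and f.dst_port in SMB_PORTS and not is_internal(f.dst)})

def ntp_volume_alerts(flows):
    """NTP polls are tiny; a host moving far more NTP bytes deserves a look (tunnel or DDoS)."""
    vol = defaultdict(int)
    for f in flows:
        if f.proto == "UDP" and f.dst_port == 123:
            vol[(f.src, window(f.start))] += f.nbytes
    return sorted((h, w, b) for (h, w), b in vol.items() if b > NTP_BYTES_PER_HOST)

T = datetime(2019, 1, 15, 10, 0)
SAMPLE = [  # constructed flow records, not real customer data
    Flow(T, "10.1.2.3", "203.0.113.7", "TCP", 443, 2 * 1024**3, "IR"),
    Flow(T.replace(minute=4), "10.1.2.3", "203.0.113.7", "TCP", 443, 1024**3, "IR"),
    Flow(T, "10.1.5.9", "198.51.100.2", "TCP", 445, 900_000, "KP"),
    Flow(T, "10.1.5.9", "10.1.5.20", "TCP", 445, 900_000, "--"),  # internal SMB, expected
    Flow(T, "10.1.7.1", "192.0.2.10", "UDP", 123, 800_000, "US"),
    Flow(T, "10.1.7.2", "192.0.2.10", "UDP", 123, 90, "US"),  # a normal NTP poll
]
```

Each alert still needs the context the rest of this article is about: which host, whether it is victim or source, and what else the flow is tied to.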
We see an anomaly, but Stealthwatch data alone cannot always tell us what a given suspicious activity is connected with. In some cases the Stealthwatch event enrichment with Threat Intelligence data helps, but there are situations that require a more detailed investigation. Cisco Stealthwatch lets you see what usually lies beyond the reach of traditional security controls, or what bypasses them. But once we have identified an anomaly or abuse, we immediately face a number of questions:
- What is the cause of this anomaly?
- Who is its source?
- Is this an independent anomaly or part of a larger incident?
- What else is associated with this anomaly?
After receiving information from Stealthwatch, you need to check each alarm against all the Threat Intelligence sources you use (beyond the feeds built into Cisco Stealthwatch) and correlate it with your other security controls. If you do not have a SIEM, this takes considerable additional time, even for specialists. And a SIEM, like the TI platform that usually accompanies it, costs a lot of money. How do you solve this dilemma?
Cisco has a solution that I have already written about on Habr more than once: "SOC out of the box", or Cisco Threat Response. It is a free solution that does most of the work for security analysts: receiving incident data from various Cisco and third-party solutions, it automatically correlates them and enriches them with data from various TI sources, showing the development path and the scale of the incident in a matter of seconds. From CTR you can also respond to identified incidents by issuing the appropriate commands to firewalls, intrusion prevention systems, EDR-class solutions or cloud-based DNS-traffic monitoring tools.
Anomalies that Stealthwatch detects are sent to the CTR Incident Manager, which lets you see these security events alongside other events received from Cisco Firepower, Cisco AMP for Endpoints, Cisco Threat Grid, Cisco Umbrella, Cisco Email Security and so on. From the Security Insight Dashboard you can send a request to CTR for any anomaly or event that interests you, without handing all of your telemetry to CTR and without increasing the risk of disclosing confidential information.
Events sent to CTR are then enriched with additional context, which CTR receives both from other security controls and from many external TI sources, for example VirusTotal. The integration of CTR and Stealthwatch also works in the opposite direction: for hosts that look suspicious, or that appear, for example, in Cisco Firepower or AMP for Endpoints logs, you can make a request from CTR to Stealthwatch and get more information about them.
The integration also lets you use CTR as an integration bus and, through it, query other Cisco products that are not directly integrated with Stealthwatch. For example, having identified a suspicious host in Stealthwatch, you can request all the information associated with its IP from the Cisco AMP for Endpoints endpoint protection system. You can also check this IP against the external Cisco Talos TI source (regardless of whether you have a Cisco Stealthwatch Threat Intelligence license).
The Casebook browser plugin, which automatically extracts all the necessary indicators of compromise from web pages, can do the same for the Stealthwatch interface, thereby speeding up the investigation and cutting the time needed to collect all the necessary information several times over. And speed is one of the key success factors in investigating incidents and limiting the damage from them.
After Stealthwatch hands the events of interest to CTR, an incident card is created containing all the necessary information about the anomaly, which can be enriched with data from other security controls, including third-party solutions integrated with CTR. While Stealthwatch itself can block attacks through its integration with Cisco ISE, CTR offers a wider range of options for neutralizing threats: they can be blocked on a specific host through AMP for Endpoints, at the perimeter through Cisco Firepower, or at the Internet access level through Cisco Umbrella.
While Stealthwatch allows you to investigate an anomaly based solely on the network telemetry received from network equipment, CTR extends this capability (recall that CTR is a free solution) and displays more related security events in its graphical interface, so you can understand whether the host of interest is the victim or the source of the threat, when the attack began, and whether you are its specific target or were simply swept up in a mass campaign along with many other victims around the world.
One of the problems noted by respondents to our Cisco 2019 CISO Benchmark Study is poor automation of everyday tasks in the work of the information security team. 79% of security leaders said that working with security events from a variety of security tools has become harder than it was in 2018. Cisco Threat Response is designed to get the most out of your investment in Cisco information security technology through automation that comes right out of the box. If you do not have a SIEM yet and your information security system is built primarily on Cisco solutions, you can try to start building your SecOps processes with the free Cisco Threat Response. In addition, CTR significantly reduces the time and effort required to investigate incidents, making your information security operations more efficient and effective.