How Cisco Built an Advanced Security Analytics Platform


The recently announced Cisco SecureX platform brings together the strength of Cisco’s broad and integrated portfolio of security solutions, including security analytics delivered through Cisco Stealthwatch, for comprehensive visibility and advanced threat detection and response. Let’s see what makes up the innate capabilities unique to SecureX.

Unified visibility driven by context

Stealthwatch collects telemetry from every part of the network to feed into its analytics. It can also ingest additional sources of telemetry like user, device, application, proxy, firewall, web and endpoint data. This is necessary in today’s complex IT environment with a large number of unmanaged devices that don’t have security agents deployed. To stay ahead of threats, you need the ability to determine which device is connected to the network and what it is doing, at all times.

Additionally, as organizations transition to hybrid and multicloud, they need to be able to extend visibility and security to the cloud as well. Stealthwatch provides truly cloud-native visibility across all major cloud providers like Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), as well as containers and serverless environments.

Stealthwatch deployment can also be scaled easily with the growing network because it is agentless, without the need to deploy costly sensors or probes – both on-premises and in the cloud. And now, this contextual visibility is integrated into the SecureX platform where it’s extended even further to internet, endpoint, application and more through integration with other technologies.

Continuous threat analytics

Visibility helps the security team better understand the entities it is protecting. Stealthwatch goes further by analyzing all that network telemetry at machine scale to identify suspicious behavior. For instance, this behavior could be the result of an adversary that has infiltrated the perimeter and is now using compromised devices or credentials to exfiltrate sensitive data. If this occurs, none of the traditional security technologies will be able to sound the alarm. This is why continuous network traffic analysis is essential.

So, what makes Cisco security analytics different? With more than 17 years in the market, the team has a lot of experience building and tweaking the analytics to ensure that security teams see the most critical alerts and can investigate them quickly. Stealthwatch has a layered approach to security analytics, and uses a combination of behavioral modeling, machine learning and Cisco Talos threat intelligence.

What’s more important to Cisco is the security outcome for customers, that is, reducing billions of network sessions to a few critical alerts. And Cisco has a way of measuring this outcome – Stealthwatch users rate 95 percent of the alerts they see in the dashboard as helpful.

Another place where the analytics stands out is encrypted traffic. With more than 80 percent of internet traffic being encrypted today, using decryption-based technologies is just not feasible. Stealthwatch has the ability to analyze encrypted traffic, without any decryption, to detect threats and also to ensure cryptographic compliance.

Automated detection and response

The combination of this context-driven, enterprise-wide visibility and the application of advanced analytical techniques leads to accelerated threat detection and response. Every attack begins with some early signs of suspicious activity, such as unusual remote access, port scanning, or use of restricted ports or protocols. Continuous network traffic analysis can not only pinpoint this behavior, but also identify where the threat originated, who the target is, and where the threat has spread laterally, so that the security analyst can take action for immediate remediation.

And now, with SecureX, the Stealthwatch user can extend investigation and response across other security technologies with just one click. Get the complete picture across every attack vector – network, endpoint, web, email and application workloads. Conversely, you can begin your investigation from SecureX using an indicator of compromise (IoC) and pivot to Stealthwatch to see what kind of communications have occurred with respect to the IoC.

How SecureX Dashboard prevents security threats

The SecureX incident workflow uses cross-product automation to gather information relevant to the alarm into one place, across technologies and teams. For example, SecureX analytics sends a potential data hoarding alert that your company considers a high priority, and it triggers a prebuilt incident playbook:

  • The playbook automatically enriches the alarm using context from your other security technologies and threat intelligence to provide a complete picture of the threat. It aggregates information on the alert in one place using the threat response feature of SecureX to develop actionable insights.
  • It determines verdicts for the observables extracted from the alarm, including the target endpoint. In this case the target could be a sensitive data server from which the source entity is downloading a large volume of data, behavior that is anomalous for that entity.
  • After a thorough investigation, the responder deems this a valid threat, and SecureX provides the ability to immediately isolate the endpoint from the network.
  • To fully mitigate the data hoarding and the eventual data exfiltration risk, this endpoint can no longer reach the sensitive data server or connect to any external entity over the network.
  • Similarly, for other incidents, you can use SecureX to enable response by blocking any malicious domains identified, hunting malicious or suspicious observables, initiating an approval workflow, collaborating using the built-in casebook function, or creating an IT ticket to update network policy.
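To make the data hoarding workflow above concrete, here is an added example (not Cisco or Stealthwatch code) that baselines each host's daily pull from a file server, flags a statistical outlier, and runs a toy enrich-verdict-respond playbook over the alert. The IP addresses, byte counts and asset tags are constructed; the detection threshold (mean plus three standard deviations) is an assumption, not the Stealthwatch algorithm.

```python
"""Toy 'data hoarding' detector and response playbook (constructed example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed seven-day baseline of bytes each internal host pulled
# from the sensitive file server, one entry per day.
BASELINE = {
    "10.1.20.15": [1.2e9, 1.0e9, 1.4e9, 0.9e9, 1.1e9, 1.3e9, 1.0e9],
    "10.1.20.88": [0.2e9, 0.3e9, 0.1e9, 0.2e9, 0.3e9, 0.2e9, 0.2e9],
}
# Constructed flow records for today: (src_ip, dst_ip, bytes)
TODAY_FLOWS = [
    ("10.1.20.15", "10.1.5.7", 1.1e9),
    ("10.1.20.88", "10.1.5.7", 9.6e9),  # roughly 40x this host's usual pull
]
# Constructed asset context standing in for other security/IT data sources
ASSETS = {"10.1.5.7": {"role": "file-server", "sensitivity": "restricted"}}


def detect_hoarding(flows, baseline, k=3.0):
    """Alert on (host, server) pairs whose volume exceeds mean + k*stddev
    of that host's historical daily volume (assumed threshold rule)."""
    per_pair = defaultdict(float)
    for src, dst, nbytes in flows:
        per_pair[(src, dst)] += nbytes
    alerts = []
    for (src, dst), total in per_pair.items():
        history = baseline.get(src)
        if not history:
            continue  # no baseline yet: nothing to compare against
        threshold = mean(history) + k * pstdev(history)
        if total > threshold:
            alerts.append({"source": src, "target": dst,
                           "bytes": total, "threshold": threshold})
    return alerts


def run_playbook(alert, assets):
    """Enrich the alert with target context, propose a verdict, and list
    the response actions a responder would confirm (isolate, ticket, ...)."""
    ctx = assets.get(alert["target"], {"role": "unknown", "sensitivity": "unknown"})
    enriched = {**alert, "target_context": ctx}
    if ctx["sensitivity"] == "restricted":
        enriched["verdict"] = "malicious"
        enriched["actions"] = ["isolate_endpoint", "open_it_ticket"]
    else:
        enriched["verdict"] = "suspicious"
        enriched["actions"] = ["hunt_observables", "request_approval"]
    return enriched
```

Running `run_playbook` on each alert from `detect_hoarding(TODAY_FLOWS, BASELINE)` yields a single malicious verdict for 10.1.20.88 with isolation proposed; the other host stays within its baseline and produces no alert.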

Consider the potential for human error when these relationships cannot be seen immediately, plus the extra time it takes to pivot between multiple product screens without any shared context to complete the orchestrated workflow. You can also enhance your investigations with built-in adaptors for incident enrichment, response and approval workflows.

SecureX provides a selection of prebuilt playbooks, but you can build your own using defined actions and third-party adapters. It gives you more control with less effort, building on your existing investment in Stealthwatch. Together with unified visibility, analytics and automated workflows, SecureX can advance the security maturity of a team of any size.

Protect your organization with Cisco SecureX

As described above, Cisco SecureX is infused with unique capabilities around security analytics that have been carefully built with years of experience in the industry. And these are now further enhanced through integration with Cisco’s broad security portfolio.

For more information on Cisco SecureX, contact your CDW Account Manager.