Stealthwatch Cloud on TechWiseTV
On this episode of TechWiseTV, we cover cloud security with Stealthwatch Cloud. The "Cloud" is a deliberate distinction: it now sits alongside, and complements, Stealthwatch Enterprise. I have long been a fan of Stealthwatch, but we had not covered it on the show since 2016.
Cisco acquired Observable Networks in July of 2017 and gained some very interesting people and technology. CEO Bryan Doerr along with founder and CTO Patrick Crowley joined us to explain and demonstrate the unique value that is now available with Stealthwatch Cloud.
There are multiple options for security and performance analysis when operating your own, on-premise network gear. But now, with public cloud workloads growing so quickly, less traffic is flowing where it can be easily monitored. Security is still needed, no matter where that data goes.
Stealthwatch Cloud addresses this hybrid cloud reality in creative ways.
We recently held a live workshop on this same topic with the amazing TK Keanini (from our Encrypted Traffic Analytics episode) and Jeff Moncrief. TK is always entertaining, informative and frank. It’s a nice follow-on to the episode whether you saw it or not.
As always, thank you for watching.
All of our shows and workshops can be found at techwisetv.com
Full transcript below…
TechWiseTV Episode 226
SEGMENT 1 – Robb & Lauren
– Robb Many of you are familiar with Cisco Stealthwatch, a proud security family that keeps growing. First, Stealthwatch Enterprise, which you may already be pretty familiar with, providing security analytics by monitoring network traffic, NetFlow, to ID user-based threats and malicious software. Well, Stealthwatch Cloud is a new addition we get to share today following the Observable Networks acquisition. The security landscape moves quickly. Our data is still on-prem and on at least one cloud if not two or more.
– Lauren Yeah. This multi-cloud reality requires an innovative approach. Stealthwatch Cloud does quite a few creative things, Entity Modeling being at the very core of that. I’ll dig into this with Patrick, founder of Observable Networks, and he’ll be in the lab. But first, let’s join Robb in the lounge with Bryan, CEO of Observable, to get us started.
SEGMENT 2 – Robb & Bryan Doerr
– Robb There are so many critical services that we depend on that are now flowing through multiple clouds. So Bryan, welcome to TechWise. Glad to have you here to cover this. So, do we need to blindly depend on cloud providers to handle security for us, or is there more that we can be doing?
– Bryan Actually, we shouldn’t depend on cloud security providers to provide all security. Clouds present an excellent execution platform for our applications, but application providers have a very important role in complementing the cloud providers’ efforts with their own to provide a complete security story.
– Robb So how are we handling this notion of, when I’ve got my data on my on-premise network, I’ve got all kinds of tools I can choose from to analyze it and determine if it’s got anything nefarious within that traffic. Now, if that same traffic is being replicated, or maybe coming exclusively from one or multiple clouds, is the data there to make better decisions?
– Bryan That’s the key, right? That’s the key question. How much visibility do you have in the cloud environment? Many years ago, when clouds were first getting started, that was a big knock on clouds: lacking visibility, hard to provide security controls equivalent to what we had in our on-prem environment. Now, cloud providers are actually providing all kinds of execution telemetry, environment-related change information, all of the key variables and sources of information that are necessary to provide a good security story are now being expressed by the cloud providers. That gives us an excellent platform for building tools on top of those data sources to provide, actually, in many cases, better security than what we had on prem.
– Robb Really? That’s a big statement I bet would surprise.
– Bryan And I’ll make another statement that’s even more, kind of…
– Robb Bigger.
– Bryan Yeah, bigger and better. You know, once upon a time, when clouds were emerging as alternate forms of infrastructure, we had CIOs rightfully asking, “Can I take the risk of moving this application into the cloud,” right? Because it was perceived to be a lower security environment. The time is here. Not just rapidly approaching, it’s here, where the correct question is, can I actually afford not to put my application in the cloud? Can I take the risk of not moving my application to the cloud when, in your cloud environment, you’re actually using the systems and tools that are available to you?
– Robb Interesting, because you’re saying, not only could it potentially be more secure, you’re saying the cloud is necessary, obviously, from a business perspective. We need that level of agility. We’re not going to do it unless we know we can do it securely. Now you guys, yourself, are a cloud-based service providing security for the cloud as well as for on-premise environments, correct?
– Bryan Yep. That’s key, and so Stealthwatch Cloud is about securing the environment by using network metadata and other sources of security data. And we can do that in both public cloud environments and on-prem environments, and interestingly and importantly, in hybrid situations, doing it together. So, as organizations think about moving their application sets, and it’s not just a big, everything moves in one jump from a data center to a public cloud.
– Robb It’s not the binary thing.
– Bryan No, there’s a migration. There’s a progression. There’s always hybrid operations. Some applications straddle the environments in real-time, and Stealthwatch Cloud can help you with that.
– Robb So let’s get specific. You guys use something, to make sure I got this right, called Entity Modeling. Can you explain what that is and where this starts to provide some of the distinction, because you mentioned flow data as well, that you guys are analyzing? I’m used to thinking, of course, with Stealthwatch, now we call Stealthwatch Enterprise, very much has been known for how it leverages NetFlow data. We don’t have traditional NetFlow data available to us, but we do have some metadata that can be used, and you guys are doing that to create Entity Models?
– Bryan That’s right. That’s right. So, we consume NetFlow as well, and can generate our own metadata when we’re talking about on-prem.
– Robb Okay.
– Bryan In the cloud, you’re correct, we don’t have a typical NetFlow generator, but in the case of Amazon Web Services, you have something called VPC Flow Logs. Those Flow Logs are the same IP metadata. It’s a perfect replication of the representation of the network traffic that took place between and across the cloud and the external networks, minus the network payload data. That data becomes the primary input to something we call Entity Modeling.
– Robb Okay.
– Bryan Entity Modeling is basically the idea that you can build a baseline understanding of the normal behavior of the devices or of the assets that are in your cloud or on your prem, and then through time, watch the network activity and compare it to the expected behavior that would be established by the baseline, and note behaviors that are changes that may be threatening. A change is almost always present when there’s some kind of compromise, whether it be an external log in or some kind of malware or participation in a botnet. There’s some kind of change in asset behavior that can be detected. And because these models, these Entity Models are on a per asset basis, they’re very granular. So this is not about modeling the network in aggregate. It’s not about trying to sense very small changes in a sea of big data movement, right? It’s about individual models for each and every asset in the environment, it’s unique behavior norms, and then watching it through time.
– Robb So do you have to train the system yourself, or is this something that it does on its own over a period of time? And is that a big period of time, and can it learn the wrong behaviors initially? Let’s say, I install this or I’m starting to work with this, and I already have some behaviors that I wasn’t aware of that might be considered abnormal, but they’re not going to be determined as normal automatically or something like this.
– Bryan Yeah, great question. So, let me take your first one and then go to the second one. Both are very good. The system… The way we built the system is we wanted to depend as little as possible on any static user-entered configuration information or user-based training. Why? Because, well, that’s a cumbersome thing to do. Plus, it’s quickly outdated.
– Robb That’s where most of our security issues come from too.
– Bryan Exactly right.
– Robb I know how this works, yeah.
– Bryan So we wanted the system to be very, an overused word, dynamic in that way, self-educating. And it would build a baseline through its own observations through time. We generate alerts to indicate things that might be going wrong. The way the system operates is alerts activate themselves as the data volume, as the data and the baselines mature. So, you know, just imagine over a period of about 30 days, you have more and more of the alerting capability becoming active as additional data minimums are satisfied. So the second question about baking in a bad behavior, that’s always possible, but we have ways to prevent that as well. So, one of the things that Stealthwatch Cloud does is recognize the roles that are being demonstrated by the various assets in the environment. Roles come with expected behavior.
– Robb Right.
– Bryan So if we identify the role of a device, but then we see that device demonstrating behaviors inconsistent with that role, say, in addition to its normal behaviors…
– Robb Like you’re a printer not a web server.
– Bryan That’s right, so why…
– Robb Or you’re a web server not a printer.
– Bryan So you’re a video camera, but why are you talking on the internet?
– Robb Yeah, it’s usually one of our crew members.
– Bryan These are things that we don’t want to be seeing. So we have that and other means of establishing a recognition that, “You know what? From the day we got here, this thing looked like it was doing something wrong,” and we don’t bake in a bad understanding.
– Robb So one final question here. Obviously, we use Amazon Web Services as an example. They’ve got great instrumentation that you guys have used. I know that these services are changing constantly, however. You guys work with other cloud services, and this is something we can look at, obviously, and it goes on-prem. So, we could use this anywhere, correct?
– Bryan That’s right. Multi-cloud is the story for Stealthwatch Cloud, multi-cloud, including your data center environment where you might have virtualized or physical assets. It’s really about multiple styles of infrastructure all being supported by Stealthwatch Cloud at the same time if necessary. And yes, other public clouds can be instrumented as well. And so the idea is to take advantage of the telemetry that public clouds provide. That telemetry, as I indicated a few moments ago, is increasingly, actually, better than some of the telemetry we actually have on-prem, and making the best security decisions based on that telemetry is the focus of our service.
– Robb Perfect. Okay, Bryan, thank you so much. So guys, the industry pattern is consistent. We get new ways of doing things, like cloud, that often bring just as many new challenges that we need to address. It’s the details that matter, and that’s what we’re going to do right now: take a look at how we start to assemble and make it easy around all this data. And Lauren, it looks like you’re ready to take it over.
SEGMENT 3 – Lauren Malhoit and Patrick Crowley
– Lauren All right. So Stealthwatch Cloud consumes log data and produces noise free security alerts. Patrick, I’m so excited to see this. I’ve seen the clean GUI. Show me how it works.
– Patrick Thanks, Lauren. Happy to be here. Let’s take a look at Stealthwatch Cloud.
– Lauren Awesome.
– Patrick So, as you see here in this demo screen, each customer gets their own portal, their own deployment of Stealthwatch Cloud. That gives them new visibility into their own IT environment, whether that’s on-prem or in the cloud. And so we’re opening up here on the dashboard. This is the top-level dashboard that a user would see when she logs in. And top to bottom, we begin with the most important piece, these noise-free security alerts that we uniquely generate. We’ll talk a little more about those in a second.
– Lauren Perfect.
– Patrick Moving down on this portal, you can see some 30,000-foot view information on what’s going on in your IT environment. All of this is derived by Stealthwatch Cloud’s Entity Modeling. So when you see this aggregate information, how many things, how many devices and entities are active on my network, how much network traffic are they generating. That’s interesting data. There are sort of a lot of ways you can generate that. In this case, Stealthwatch Cloud is generating that from Entity Modeling, which allows us to give that high-level view, but also, somewhat more powerfully, allows us to illustrate for customers the roles that are active in their network, in their IT footprint, often in ways that they’ve never been able to see before. So for instance, coming to the roles portion of the portal, if I take a look at the database servers, what this will show a user is all of her database servers that are active over her on-prem environment and her public cloud environments in one glance without any input or configuration from the user herself. This is all derived automatically from the way that Entity Modeling works.
– Lauren And I think that’s so interesting because, I mean, yeah, database servers, great. But, things like serverless, because I see you have AWS Lambda up there, things like auto-scaling groups where you have to scale in and scale out things. You guys are actually keeping track of that and using that behavior, right?
– Patrick That’s exactly right, and the reason that’s…it’s edifying as a user to be able to see all of this. But it’s very important from a security perspective because if my laptop is visiting a new sports website, well, who cares because it’s a laptop. If my database server visits a new sports website, that’s a different situation.
– Lauren Or betting websites maybe.
– Patrick Or a sports gambling website. Exactly right. Which takes us to our second feature of the portal, which is the most important, our alerts. So, these are the calls-to-action that are derived from Entity Modeling. And so the way that Stealthwatch Cloud creates these alerts, it’s really derived from this underlying technology of Entity Modeling. So, the entities are scrutinized in a way that is specific to that device and that type of device, and how it’s been behaving through time. One very simple example that I’ll show you right now is a kind of an alert called a geographically unusual remote access. It was a very simple illustration of the concept. So what we have here with this alert is a particular server, in our IT environment, has been logged into from a remote endpoint that is located in a country that is atypical for my IT footprint.
– Lauren Right.
– Patrick And so, this is one of several dozen alert types that are derived from information just delivered by Entity Modeling. And to give you a little glimpse into the detail, down below here, you can see that when this alert is created, it’s packaged up by Stealthwatch Cloud with all of the associated evidence to come with it there. So, we have these structured data formats we call observations, which represent the evidence. And as you can see here, we have two examples of observations that show that remote access took place on the server from two different countries in Europe, which is atypical for this deployment that we’re looking at.
– Lauren And I love that about that, that noise-free. I have nightmares of being a network admin again and getting, you know, 30 buzzes on my phone just because there’s data, but no actual, you know, no threat, right?
– Patrick No threat, no action to take. That’s a great point. This example of an alert showed a couple of pieces of evidence associated with this alert. It’s far more customary to have one alert that has hundreds or thousands of discrete types of data associated with it. And so, a Stealthwatch Cloud user will receive one alert notification with a few tens, hundreds, or sometimes thousands of discrete pieces of evidence. And in traditional systems, that we are sort of replacing, those all end up being independent standalone notifications that lead exactly to the scenario you described of a security analyst that is just being bombarded with noise, and there isn’t time to render any judgement about whether this is useful activity or not.
– Lauren The alert fatigue.
– Patrick Alert fatigue is the term. That’s right.
– Lauren So, how do you get notified then?
– Patrick Yeah, that’s right. So, of course, many of our customers like to get their security alerts the old-fashioned ways. Send me an email, send me a syslog message. These days a lot of people are running their incident response programs through Slack chatrooms or Cisco Spark chatrooms. They’re implementing their own incident response systems using fully generic web hooks or programmatic APIs, and Stealthwatch Cloud supports all of these natively.
– Lauren And I think that’s so cool. You can make maybe a post to some API and say, “Hey, quarantine this,” and we’re done.
– Patrick That’s exactly right. One of the more exciting developments over the past year has been our adventurous customers that are using Stealthwatch Cloud as an orchestration platform to trigger automatic remediation steps like, “Quarantine this local host,” or “Block this remote IP at the perimeter.”
– Lauren Thank you so much, Patrick. Stealthwatch Cloud brings actionable intelligence to your entire network, on-premises, in the cloud. Try it yourself with a free, no-risk trial. And thanks for joining us.
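The episode describes Entity Modeling in three pieces: VPC Flow Log records (IP metadata without payload) as the input, a per-asset baseline of normal behavior built from observation rather than configuration, and roles inferred from that behavior so that the same action (a database server reaching a new external site, a login from an atypical country) is judged differently depending on who does it, with the resulting evidence packaged as observations under one alert. The following is an added illustration of that idea written for this page; it is not Stealthwatch Cloud’s or Observable Networks’ code. The flow-log lines, the `10.0.0.0/8` internal range, the IP-to-country table and the port-to-role table are all constructed for the example; the field order is the default VPC Flow Logs (version 2) record format.

```python
"""Per-entity baselining over AWS VPC Flow Log records (illustrative example)."""
from collections import defaultdict

# Field order of the default (version 2) VPC Flow Logs record.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed IP-to-country lookup standing in for a GeoIP database.
GEO = {"203.0.113.7": "US", "198.51.100.9": "US",
       "192.0.2.55": "NL", "192.0.2.60": "HU"}

# Constructed port-to-role table: an entity that repeatedly accepts inbound
# flows on one of these ports is assigned the matching role.
ROLE_PORTS = {3306: "database server", 5432: "database server",
              443: "web server", 80: "web server", 631: "printer"}

# Roles for which a brand-new external destination is worth an observation.
ROLES_WITHOUT_BROWSING = {"database server", "printer"}


def parse_flow(line):
    """Split one flow-log line into a dict; numeric fields become ints."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError("unexpected field count: %r" % line)
    rec = dict(zip(FIELDS, parts))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes", "start", "end"):
        rec[key] = int(rec[key])
    return rec


def is_internal(addr):
    # Constructed assumption: the monitored VPC uses 10.0.0.0/8.
    return addr.startswith("10.")


class EntityModel:
    """Baseline for one asset: which ports it serves, who connects to it, where it reaches out."""

    def __init__(self):
        self.served_ports = defaultdict(int)  # dstport -> accepted inbound flows
        self.client_countries = set()         # countries (or "internal") seen connecting inbound
        self.outbound_peers = set()           # external addresses this asset initiated flows to

    def role(self, min_flows=3):
        """Infer a role from served ports once enough flows support it."""
        for port, count in self.served_ports.items():
            if count >= min_flows and port in ROLE_PORTS:
                return ROLE_PORTS[port]
        return "unknown"


def build_baseline(lines):
    """Learn one EntityModel per internal asset purely from accepted flows."""
    models = defaultdict(EntityModel)
    for line in lines:
        rec = parse_flow(line)
        if rec["action"] != "ACCEPT":
            continue
        src, dst = rec["srcaddr"], rec["dstaddr"]
        if is_internal(dst):
            models[dst].served_ports[rec["dstport"]] += 1
            models[dst].client_countries.add(
                "internal" if is_internal(src) else GEO.get(src, "??"))
        if is_internal(src) and not is_internal(dst):
            models[src].outbound_peers.add(dst)
    return models


def evaluate(models, line):
    """Compare one new record with the baseline; return (kind, entity, peer, detail) observations."""
    rec = parse_flow(line)
    if rec["action"] != "ACCEPT":
        return []
    src, dst = rec["srcaddr"], rec["dstaddr"]
    observations = []
    # Inbound from an external address whose country this asset has never seen.
    if is_internal(dst) and dst in models and not is_internal(src):
        country = GEO.get(src, "??")
        if country not in models[dst].client_countries:
            observations.append(("geographically_unusual_remote_access", dst, src, country))
    # Outbound to a new external peer, judged by the asset's inferred role.
    if is_internal(src) and src in models and not is_internal(dst):
        model = models[src]
        if dst not in model.outbound_peers and model.role() in ROLES_WITHOUT_BROWSING:
            observations.append(("new_external_destination_for_role", src, dst, model.role()))
    return observations


def package_alerts(observations):
    """Group observations by affected entity so one alert carries all of its evidence."""
    alerts = defaultdict(list)
    for kind, entity, peer, detail in observations:
        alerts[entity].append((kind, peer, detail))
    return dict(alerts)


# Constructed baseline traffic: an internal app host talking to a database
# server on 3306, and an admin host reached over SSH from two US addresses.
BASELINE = [
    "2 123456789012 eni-0a1b2c3d 10.0.1.30 10.0.1.20 51000 3306 6 20 4000 1510000000 1510000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.30 10.0.1.20 51001 3306 6 20 4000 1510000060 1510000120 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.30 10.0.1.20 51002 3306 6 20 4000 1510000120 1510000180 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 203.0.113.7 10.0.1.10 40001 22 6 30 6000 1510000000 1510000060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 198.51.100.9 10.0.1.10 40002 22 6 30 6000 1510000100 1510000160 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 192.0.2.60 10.0.1.10 40003 22 6 1 40 1510000200 1510000260 REJECT OK",
]

# Constructed new traffic: an SSH login from the Netherlands, and the database
# server initiating a flow to a never-before-seen external address.
NEW = [
    "2 123456789012 eni-0a1b2c3d 192.0.2.55 10.0.1.10 40010 22 6 30 6000 1510100000 1510100060 ACCEPT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 192.0.2.60 52000 443 6 12 2400 1510100000 1510100060 ACCEPT OK",
]

if __name__ == "__main__":
    models = build_baseline(BASELINE)
    found = [o for line in NEW for o in evaluate(models, line)]
    for entity, evidence in package_alerts(found).items():
        print(entity, models[entity].role(), evidence)
```

Two design choices mirror the conversation: nothing is configured by hand (the role of `10.0.1.20` is inferred from three accepted flows on 3306, and the admin host's "normal" client countries come only from what was observed), and evidence is grouped per entity rather than emitted as one notification per flow. A real system would also gate each check on a data minimum, as Bryan describes, so that a model with a single day of history does not alert on every new peer.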