While organizations would ideally like to do everything they can to block a cybersecurity attack, the reality is that internal and external threats targeting your network can find a way to infiltrate and cause a major breach. So how can you answer questions like – Have we been compromised? What did it impact? The answer is continuous network monitoring for early threat detection. Every cyber threat touches the network, so being able to detect malicious activity as soon as it occurs can prevent a threat from turning into a high-impact incident.
Cisco Stealthwatch provides enterprise-wide visibility, from the private network to the public cloud, by collecting network telemetry. It then applies advanced security analytics in the form of behavioral modeling and machine learning to pinpoint anomalies and further reduce them to critical alerts in order to detect advanced threats in real time. With a single, agentless solution, you get comprehensive threat monitoring, even in encrypted traffic.
In this post, I would like to provide some examples of threats Stealthwatch has been able to uncover in our customers’ environments that enabled them to take actions to stop a breach:
Traffic to suspicious geographies – With nation-state actors increasingly targeting organizations to disrupt operations, steal trade secrets, or maintain clandestine access in the network, it is necessary to be able to detect geographically unusual access. Behavior like a US employee suddenly logging in from a country she has never connected from before, or a large amount of traffic to a suspicious country that your organization has no business in – Stealthwatch alerts on all that.
Insecure network protocols – The use of insecure protocols makes your organization vulnerable to attacks. But your network is big, complex and ever-changing. How do you find out when and where violations of your corporate security policy are occurring? With Stealthwatch, you can set up custom monitoring to alert on any communication based on applications, ports, destinations, and dozens of other characteristics. For example, Server Message Block (SMB) traffic from outside of the organization was how the WannaCry campaign was executed. Another scenario is being able to identify whether the Network Time Protocol (NTP) is being exploited by attackers to route your server time queries elsewhere.
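To make the two policy checks above concrete, here is an added example (not Stealthwatch code) that applies them to NetFlow-style flow records: it flags SMB flows arriving from outside the organization and NTP queries from internal hosts to servers other than the approved ones. The address ranges, the approved NTP server and the sample flows are constructed assumptions.

```python
import ipaddress

# Assumed corporate address plan and approved NTP servers (constructed values).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
APPROVED_NTP = {"10.1.1.123"}
SMB_PORTS = {139, 445}
NTP_PORT = 123

# Constructed sample flow records in a NetFlow-like CSV layout:
# src_ip,dst_ip,dst_port,protocol,bytes
SAMPLE_FLOWS = """\
203.0.113.7,10.20.30.40,445,tcp,8192
10.20.30.41,10.1.1.123,123,udp,90
10.20.30.42,198.51.100.9,123,udp,90
10.20.30.43,10.20.30.44,445,tcp,120000
"""

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text: str) -> list:
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto, nbytes = line.split(",")
        flows.append({"src": src, "dst": dst, "dport": int(dport),
                      "proto": proto, "bytes": int(nbytes)})
    return flows

def check_flow(flow: dict) -> list:
    """Return policy findings for one flow (empty list when it is clean)."""
    findings = []
    # SMB should never arrive from outside the organization.
    if flow["dport"] in SMB_PORTS and not is_internal(flow["src"]):
        findings.append("inbound SMB from external address")
    # Internal hosts should only ask the approved NTP servers for time.
    if (flow["dport"] == NTP_PORT and flow["proto"] == "udp"
            and is_internal(flow["src"]) and flow["dst"] not in APPROVED_NTP):
        findings.append("NTP query to unapproved server")
    return findings

def find_violations(text: str) -> dict:
    """Map 'src->dst:port' to its findings for every flow that violates policy."""
    result = {}
    for f in parse_flows(text):
        hits = check_flow(f)
        if hits:
            result[f"{f['src']}->{f['dst']}:{f['dport']}"] = hits
    return result
```

Running `find_violations(SAMPLE_FLOWS)` reports the external SMB flow and the NTP query to the unapproved server while leaving the two policy-conforming flows untouched.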
Healthcare organization detects data exfiltration due to NTP exploit
IoT/OT device compromise – The “things” connected to the network, such as medical devices, factory thermal controls, video cameras, production and assembly robotics, etc., are especially at risk, and attackers are increasingly exploiting them to gain access to the rest of the network. Because no form of antivirus or endpoint security can be installed on them, they must be protected primarily through network monitoring. Being able to detect unauthorized access to these devices is key. For example, Stealthwatch once found that a vending machine was being exploited by attackers to launch a DDoS attack within a school that caused their learning systems to go down. Another organization had their Internet Protocol (IP) camera surveillance systems compromised.
Restricted application access – We have seen many instances in the past year where an organization’s compute resources have been used for illicit cryptomining. In one of our previous blogs, we discussed in detail how Stealthwatch is able to detect this activity, even if it’s browser-based and not running a mining application on the user’s device. Stealthwatch has also uncovered access to torrent websites. Accessing restricted applications, whether by external actors or by unwitting/malicious insiders, violates organizational policies and increases the risk of a breach.
Attackers use organization’s compute resources for illicit cryptomining
Misconfigured cloud accounts – Stealthwatch also monitors cloud environments, using the same approach of collecting and analyzing telemetry without any probes or agents. One of the major causes of a breach within the cloud is misconfigured assets. Overly permissive access control lists or security groups, or a stale access key, can be exploited by attackers to gain access to cloud accounts. In fact, attackers used the same approach in the recent breach of a major bank that was hosted on AWS.
These are just some of the types of incidents that a network traffic analysis (NTA)/network detection and response (NDR) solution like Stealthwatch can detect. Stealthwatch collects telemetry from all parts of the network and provides enough contextual information along with the alert to easily investigate the traffic, and then take immediate action to respond to the threat. Our customers are always amazed at the things they were missing before deploying Stealthwatch to monitor their network. To gain confidence in your security effectiveness, sign up for our free 2-week visibility assessment today!
In this post, we discussed how real-time detection of a security event can aid in effective breach defense. To learn about other ways in which Cisco can help with breach defense, go to: https://www.cisco.com/c/en/us/solutions/security/breach-readiness-response/index.html