Cisco Blogs

The Formula One Approach to Security

May 9, 2016

Many of today’s systems are built on telemetry, the automated gathering of remote data measurements to gain insights and manage performance and operations.

One industry that has been quick to embrace telemetry is auto racing. Winning racing teams are outfitting their cars with around 100 sensors that monitor thousands of components. Every race weekend, hundreds of gigabytes of real-time telemetry are generated. This data is then shared with on-site engineers, with engineers at the team’s headquarters, and with the car’s engine manufacturer. The data tracks a variety of factors including tire pressure, fuel consumption, brake temperature, and wind force to identify problems and ensure optimal performance.

In the past, racing was just about getting as much horsepower as possible, but today’s racing outfits recognize the need for real-time data analysis, to understand if there are any problems with the car and fix them immediately. Wins are the result of driver intuition, mechanical efficiency, and now, telemetry analysis.

Telemetry became mandatory, and with the right analytics, it drastically improved system performance. But the value of telemetry isn’t confined to performance optimization in race cars.

Large, cloud-based services are also built on top of telemetry, which provides the insight necessary for elasticity and dynamic resource management. Hyperscale systems such as those used in video streaming and social media services must be able to expand and contract with the ebb and flow of consumer demand. You simply cannot design a dynamic, modern service without each part of the microarchitecture sending data about its current state.

Security practitioners use telemetry to gain valuable insight into network behavior and to detect threats early, so they can identify malicious activity and gain a leg up on threat actors.

NetFlow is the language of network activity

Network telemetry comes in the form of NetFlow. You can think of NetFlow as a phone bill for network activity. It contains aspects of each conversation such as the time, date, IP address of the sender and receiver, length of conversation, and amount of data transferred, but it doesn’t include the content of the transaction.

In addition, NetFlow is collected directly from network infrastructure devices such as switches, routers, and firewalls. This makes NetFlow inherently scalable and able to adjust dynamically to network changes, and it avoids the cost of deploying expensive probes. Security professionals can realistically collect and store NetFlow on every conversation of the network, building a comprehensive audit trail of activity.

Analytics transform this telemetry into actionable intelligence. There are two primary types of NetFlow-based security analytics: detection of known bad behaviors and anomaly detection.

Detecting known bad behaviors

Sophisticated threat actors and complex threat surfaces create innumerable attack vectors, making it nearly impossible to prevent all threats from gaining access to the internal network. In addition to traditional defenses, security professionals need a way to identify threats in their internal environments before data is stolen.

Fortunately, an attack isn’t complete when the threat actor gains access to the network. They still must conduct various activities in order to locate the target data and exfiltrate it to hosts outside the network. These activities are detectable, giving the security team a window of opportunity to mitigate the attack before it is complete.

Behaviors such as network scanning, lateral movement, worm propagation, segmentation violations, and exfiltration have distinct behavior patterns. Since NetFlow documents all activity, sophisticated analytics tools will identify these behaviors in real time.

Stealthwatch is Cisco’s NetFlow-based threat detection and internal network monitoring tool. By collecting, parsing, and analyzing network telemetry, Stealthwatch reduces the time to detect (TTD) of advanced threats from hours or days to minutes.

For instance, an internal host begins scanning the network on TCP ports, which triggers an alarm. Threat actors often scan networks to find available services that can be used to escalate privileges and extend their reach within the network. This behavior is rarely legitimate unless it comes from certain specialized hosts, which should be whitelisted. Once the scanning host begins communicating with scanned hosts, it is likely there is some form of malware propagation taking place. Looking at the Stealthwatch propagation tracker, security operators can identify the scope of the infection and determine the initial point of compromise in a matter of minutes.
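The scan-then-communicate pattern described above can be expressed as detection logic over flow records. This is an added example, not Stealthwatch code: the record fields, thresholds, allowlist and sample flows are all assumptions constructed for illustration.

```python
from collections import defaultdict, namedtuple

# Minimal flow record: start is epoch seconds of the first packet.
Flow = namedtuple("Flow", "start src dst dport proto packets nbytes")

WINDOW = 60               # seconds per counting bucket (assumed)
FANOUT_THRESHOLD = 20     # distinct peers probed per bucket before alarming (assumed)
PROBE_MAX_PACKETS = 3     # flows this small look like unanswered probes (assumed)
ALLOWLIST = {"10.1.9.9"}  # authorized vulnerability scanner (hypothetical)

def detect_scanners(flows):
    """Return {src: probed dsts} for non-allowlisted hosts over the fan-out threshold."""
    peers = defaultdict(set)  # (src, time bucket) -> destinations probed
    for f in flows:
        if f.proto == "tcp" and f.packets <= PROBE_MAX_PACKETS and f.src not in ALLOWLIST:
            peers[(f.src, f.start // WINDOW)].add(f.dst)
    scanners = defaultdict(set)
    for (src, _), dsts in peers.items():
        if len(dsts) >= FANOUT_THRESHOLD:
            scanners[src] |= dsts
    return dict(scanners)

def follow_on_flows(flows, scanners):
    """Flows where a scanner later holds a real conversation with a host it probed."""
    first_probe = {}
    for f in sorted(flows, key=lambda f: f.start):
        if f.packets <= PROBE_MAX_PACKETS and f.dst in scanners.get(f.src, ()):
            first_probe.setdefault((f.src, f.dst), f.start)
    return [f for f in flows if f.packets > PROBE_MAX_PACKETS
            and first_probe.get((f.src, f.dst), float("inf")) < f.start]

# Constructed sample flows, not real telemetry.
SAMPLE = [Flow(1200 + i, "10.1.1.50", f"10.1.2.{i}", 445, "tcp", 2, 120) for i in range(1, 31)]
SAMPLE += [Flow(1200 + i, "10.1.9.9", f"10.1.2.{i}", 443, "tcp", 2, 120) for i in range(1, 41)]
SAMPLE += [Flow(1300, "10.1.1.50", "10.1.2.7", 445, "tcp", 900, 1_200_000),
           Flow(1310, "10.1.1.50", "10.1.2.12", 445, "tcp", 750, 980_000),
           Flow(1320, "10.1.1.50", "10.1.3.5", 443, "tcp", 40, 30_000),   # never probed
           Flow(1250, "10.1.1.20", "10.1.3.5", 443, "tcp", 60, 48_000)]   # ordinary client

if __name__ == "__main__":
    found = detect_scanners(SAMPLE)
    for src, probed in found.items():
        print(src, "probed", len(probed), "hosts")
    for f in follow_on_flows(SAMPLE, found):
        print("follow-on:", f.src, "->", f.dst, f.nbytes, "bytes")
```

The follow-on list gives an analyst the set of hosts to triage first, which is the scoping step the paragraph attributes to the propagation tracker.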

Likewise, security teams can mirror their network policies within Stealthwatch to verify they are being enforced correctly. With comprehensive visibility, Stealthwatch can quickly identify conversations taking place between two hosts that should be segmented or traffic involving prohibited protocols such as peer-to-peer. These activities could be signs of a threat or at the very least errant user behavior.
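Mirroring a segmentation policy and checking observed flows against it might look like the following. This is an added example, not Stealthwatch configuration: the zone names, address ranges, forbidden pairs, port list and sample flows are hypothetical, and matching peer-to-peer traffic by BitTorrent's default port range is a simplifying assumption.

```python
import ipaddress

# Hypothetical zones; substitute the organization's own address plan.
ZONES = {
    "cardholder": ipaddress.ip_network("10.10.0.0/24"),
    "guest-wifi": ipaddress.ip_network("10.20.0.0/16"),
    "corporate": ipaddress.ip_network("10.30.0.0/16"),
}
# (initiator zone, responder zone) pairs that must never converse.
FORBIDDEN = {("guest-wifi", "cardholder"), ("guest-wifi", "corporate"),
             ("corporate", "cardholder")}
# Destination ports treated as prohibited peer-to-peer traffic (assumed).
PROHIBITED_PORTS = range(6881, 6890)

def zone_of(ip):
    """Map an address to its zone name, or 'external' if no zone contains it."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def violations(flows):
    """Return (reason, flow) for each flow record that contradicts the policy."""
    found = []
    for flow in flows:
        src, dst, dport, _nbytes = flow
        pair = (zone_of(src), zone_of(dst))
        if pair in FORBIDDEN:
            found.append((f"segmentation:{pair[0]}->{pair[1]}", flow))
        if dport in PROHIBITED_PORTS:
            found.append((f"prohibited-port:{dport}", flow))
    return found

# Constructed sample flows (src, dst, dport, bytes), not real telemetry.
SAMPLE = [
    ("10.30.4.7", "10.30.9.1", 443, 52_000),          # corporate to corporate, allowed
    ("10.20.1.15", "10.10.0.5", 1433, 8_400),         # guest reaching the cardholder zone
    ("10.30.4.22", "203.0.113.40", 6881, 9_000_000),  # corporate host on a P2P port
    ("10.30.4.7", "10.10.0.5", 443, 1_200),           # corporate reaching the cardholder zone
]

if __name__ == "__main__":
    for reason, flow in violations(SAMPLE):
        print(reason, flow)
```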

Anomaly detection

Advanced persistent threats are skilled at avoiding traditional forms of detection, so a different type of behavioral analysis is needed to find them. NetFlow provides a complete view of communication taking place on the network, and the right kinds of analytics can be used to detect traffic that is abnormal and suspicious.

Many attackers utilize login credentials stolen from legitimate users, allowing them privileged access to the network. To help identify this activity, NetFlow-based analytics tools like Stealthwatch build profiles of expected behavior for every host on the network. When activity falls significantly outside of expected thresholds, an alarm is triggered for suspicious behavior.

For example, if a user in marketing usually only accesses a few megabytes of network resources a day but suddenly starts collecting gigabytes of proprietary engineering data in a few hours, they could be hoarding data in preparation for exfiltration. Whether the activity is the result of compromised credentials or insider threat activity, the security team is now aware of the suspicious behavior and can take steps to mitigate it before that data makes it out of the network.
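The per-host profiling described in the two paragraphs above can be sketched as a baseline built from each host's own flow history. This is an added example using a simple mean-and-deviation threshold, not the analytics Stealthwatch actually applies; the thresholds, addresses and sample volumes are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

K = 3.0           # alarm when volume exceeds the mean by K deviations (assumed)
MIN_DAYS = 5      # days of history required before a baseline is trusted (assumed)
REL_FLOOR = 0.25  # deviation floor as a fraction of the mean, so very steady
                  # hosts do not alarm on small fluctuations (assumed)

def daily_totals(flows):
    """Aggregate flow records (day, host, nbytes) into {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, nbytes in flows:
        totals[host][day] += nbytes
    return totals

def evaluate(flows, today):
    """Return {host: (verdict, ratio to baseline mean)} for today's volume."""
    results = {}
    for host, days in daily_totals(flows).items():
        history = [b for d, b in days.items() if d < today]
        if len(history) < MIN_DAYS:
            results[host] = ("no-baseline", None)  # new host: report, do not alarm
            continue
        observed = days.get(today, 0)
        mu = mean(history)
        sigma = max(pstdev(history), REL_FLOOR * mu)
        verdict = "alarm" if observed > mu + K * sigma else "normal"
        results[host] = (verdict, round(observed / mu, 1) if mu else None)
    return results

# Constructed sample, not real telemetry: days 1-7 are history, day 8 is today.
MB, GB = 10**6, 10**9
SAMPLE = [(d, "10.2.0.15", v * MB)            # marketing workstation, a few MB a day
          for d, v in enumerate([4, 3, 5, 4, 6, 4, 5], start=1)]
SAMPLE += [(d, "10.3.0.8", v * GB // 10)      # engineering build host, about 2 GB a day
           for d, v in enumerate([20, 18, 24, 21, 19, 22, 20], start=1)]
SAMPLE += [(8, "10.2.0.15", 2 * GB)] * 3      # marketing host pulls 6 GB in three flows
SAMPLE += [(8, "10.3.0.8", 23 * GB // 10), (8, "10.2.0.99", 1 * MB)]

if __name__ == "__main__":
    for host, (verdict, ratio) in evaluate(SAMPLE, today=8).items():
        print(host, verdict, ratio)
```

The engineering host moves more data than the marketing host on every day in the sample yet stays normal, because each host is compared only with its own history.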

Stealthwatch turns telemetry into security intelligence

Telemetry is no longer optional for organizations seeking to protect themselves from today’s threat actors, but telemetry on its own isn’t valuable. The data must first be parsed, combined with other sources of contextual information, and analyzed before it is useful. Cisco Stealthwatch does all of this to transform telemetry into actionable intelligence.

Stealthwatch facilitates both detection of known bad behaviors and anomaly detection, but can also be used for forensic investigations because it creates a network audit trail complete with traffic and host information. Additionally, Stealthwatch is integrated with a number of other Cisco products including the Identity Services Engine (ISE), which attributes activity to user identity information and further streamlines investigations.

To compete with advanced attackers, organizations must collect telemetry from the network to gain complete visibility and leave threat actors with no place to hide. After all, to protect your environment, you must be able to see it.

For more on the network visibility and security analytics of Stealthwatch, see our page on





    Very good article. I wish our org would embrace netflow, analytics and ISE. :(