
Cisco Secure Network Analytics

Written by IPTel Solutions | 30 June 2024 11:00:00 PM

Do you ever wonder what is happening on your network? Sometimes it seems slow, clients don’t seem to act the way you think they should and you have a suspicion you might have been hacked.

Cisco SNA (Secure Network Analytics, formerly Stealthwatch) is all about helping you spot unusual activity on your network that may not trigger alarms with other monitoring tools.

The SNA solution is able to analyse thousands of network sessions, determine when something looks suspicious, and provide context-based alerting that actually makes sense and allows for fast prioritisation of alerts.

SNA closely monitors the activity of all connected devices and uses multiple analytical techniques to identify anomalous behaviours that deviate from “normal”, but it also has a deep understanding of known bad behaviours, allowing it to identify threats that you wouldn’t have known to look for!

Cisco SNA provides detailed analytics on normal network behaviours, providing alerting and analytics on departure from the expected baseline.

The baseline produced by SNA allows you to quickly and easily determine when a departure from that baseline is a threat to your network.


Cisco SNA Components

Thanks to the current generation of Catalyst network devices, the network itself generates a lot of metadata; Cisco SNA then takes all that metadata, de-duplicates it, stitches it together with other metadata, and prepares it for analytics.
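To make the de-duplication and stitching step concrete, here is an added example (not Cisco's or SNA's code) that takes unidirectional NetFlow records seen by more than one exporter, drops the duplicate copies, and pairs the two directions into one bidirectional conversation. The sample records and the "client is the higher port" rule are assumptions made for this illustration.

```python
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class FlowRecord:
    """One unidirectional NetFlow record as exported by a switch or router."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    start: int      # flow start time in seconds (constructed value)
    packets: int
    octets: int


def dedupe(records):
    """Drop copies of the same one-way flow reported by several exporters.

    Records with the same 5-tuple and start time are duplicates; the copy with
    the largest byte count is kept, since it saw the most of the flow.
    """
    best = {}
    for r in records:
        key = (r.src, r.sport, r.dst, r.dport, r.proto, r.start)
        if key not in best or r.octets > best[key].octets:
            best[key] = r
    return list(best.values())


def stitch(records):
    """Pair both directions of a connection into one conversation.

    Assumption for this example: the client is the side with the higher port.
    Returns {(client, server, server_port, proto): per-direction counters}.
    """
    convs = defaultdict(lambda: {"client_bytes": 0, "client_pkts": 0,
                                 "server_bytes": 0, "server_pkts": 0})
    for r in records:
        if r.sport > r.dport:                       # client -> server half
            c = convs[(r.src, r.dst, r.dport, r.proto)]
            c["client_bytes"] += r.octets
            c["client_pkts"] += r.packets
        else:                                       # server -> client half
            c = convs[(r.dst, r.src, r.sport, r.proto)]
            c["server_bytes"] += r.octets
            c["server_pkts"] += r.packets
    return dict(convs)


# Constructed sample: an access switch and the core switch both export the
# client->server half of one HTTPS session; only the core saw the reply half.
SAMPLE = [
    FlowRecord("access-sw", "10.0.1.25", 51234, "203.0.113.10", 443, 6, 1000, 10, 1500),
    FlowRecord("core-sw", "10.0.1.25", 51234, "203.0.113.10", 443, 6, 1000, 12, 1800),
    FlowRecord("core-sw", "203.0.113.10", 443, "10.0.1.25", 51234, 6, 1000, 30, 42000),
]


def conversations(records=SAMPLE):
    """De-duplicate, then stitch: three records become one conversation."""
    return stitch(dedupe(records))
```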

The system is built and designed using a number of discrete components, including an SNA Manager, datastore and inbound flow devices. The components you need are largely dictated by the size of the install you need to undertake.


The key SNA components are:

  • SNA Manager: Aggregate and display all flows
  • SNA Datastore: For larger SNA installations, virtual or appliance based datastore
  • Flow Sensor: Optional component to produce NetFlow for segments that cannot produce NetFlow natively
  • Cisco Telemetry Broker: Ingest a variety of telemetry sources, for forwarding on to Cisco SNA

Additionally, integration with Cisco XDR (Extended Detection and Response) is able to provide a broader view of your organisation, helping you to perform extended threat hunting and forensic investigations by aggregating and correlating telemetry from other parts of the network as well as from SNA, allowing you to draw the bigger picture of an attack in a simplified, enriched, and correlated manner.

SNA and XDR work very well together by complementing each other: detections and telemetry from SNA are one source of data feeding into XDR, alongside data from multiple other technologies, to identify incidents without having to rely purely on network-based detections and visibility.

Optionally, another valuable component of SNA is integration with Cisco’s global threat intelligence, Talos, which provides an additional layer of protection against sophisticated attacks by correlating suspicious activity with data on thousands of known command and control services, giving accurate and thorough detection and faster threat response. Talos stops in the order of 200 million threats per day!


Cisco SNA Use Cases

There are various workflows and use cases possible, as detailed below.

Real-Time Threat Detection

Detection of various types of threats and suspicious behaviours, including encrypted malware and policy violations.

Data modelling is used to analyse the activity of every device on the network in real time. Baselines of normal behaviour are created; additionally, hundreds of security observations (heuristics) are applied that look at various types of traffic behaviour.
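The two detection styles described here, a per-host baseline and a heuristic security observation, can be illustrated on flow summaries; this is an added example, not SNA's own logic, and the flow data, the 3-sigma threshold and the 25-port scan rule are assumptions made for the illustration.

```python
import statistics
from collections import defaultdict

# Constructed flow summaries: (day, src_host, dst_host, dst_port, bytes_out)
FLOWS = [
    # seven days of ordinary HTTPS volume for workstation 10.0.1.25
    *[(d, "10.0.1.25", "203.0.113.10", 443, 2_000_000 + 50_000 * (d % 3))
      for d in range(1, 8)],
    # day 8: the same host sends over ten times its usual volume to a new peer
    (8, "10.0.1.25", "198.51.100.77", 443, 25_000_000),
    # day 8: another host touches 40 distinct ports on one internal peer
    *[(8, "10.0.1.40", "10.0.2.5", p, 60) for p in range(20, 60)],
]


def daily_bytes(flows):
    """Total bytes sent per (host, day)."""
    totals = defaultdict(int)
    for day, src, _dst, _port, nbytes in flows:
        totals[(src, day)] += nbytes
    return totals


def baseline_alerts(flows, history_days, threshold=3.0):
    """Alert on days where a host's outbound volume departs from its own baseline.

    The baseline is the mean and standard deviation of daily bytes over
    history_days; a later day more than `threshold` deviations above is alerted.
    """
    totals = daily_bytes(flows)
    alerts = []
    for host in sorted({h for h, _ in totals}):
        hist = [totals[(host, d)] for d in history_days if (host, d) in totals]
        if len(hist) < 2:
            continue                      # no baseline yet for this host
        mean, sd = statistics.mean(hist), statistics.pstdev(hist)
        for (h, day), nbytes in totals.items():
            if h == host and day not in history_days \
                    and nbytes > mean + threshold * max(sd, 1):
                alerts.append((host, day, nbytes))
    return alerts


def scan_alerts(flows, min_ports=25):
    """Heuristic observation: one source hitting many distinct ports on a peer."""
    ports = defaultdict(set)
    for day, src, dst, port, _ in flows:
        ports[(day, src, dst)].add(port)
    return [(src, day, dst, len(p)) for (day, src, dst), p in sorted(ports.items())
            if len(p) >= min_ports]
```

The baseline rule flags only the host whose day-8 volume breaks its own history, while the scan heuristic catches the second host, which has no history at all.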


Remote Worker Monitoring

Receive telemetry from AnyConnect Network Visibility Module, to collate detailed end-point specific data.

Encrypted Traffic Analytics

ETA allows you to analyse encrypted traffic without needing to decrypt it, using enhanced telemetry from current-generation Cisco network devices and applying a combination of enhanced analytics to detect malware and ensure crypto compliance.

SNA is teamed up with Cisco Cognitive Analytics, a cloud-based service that comes back with an analysis of whether that traffic is malicious or not. Think of this as machine learning on a global scale that helps with the fidelity of detecting malicious traffic within encrypted sessions.

ETA means that you can investigate threats faster and resolve network security incidents in encrypted traffic with higher precision.

Threat inspection, including data integrity checks on encrypted traffic.

TrustSec Matrix Analytics Reporting

A very powerful use case is being able to visualise which users and devices are communicating with each other, meaning it can highlight possible policy violations; it can show you devices that shouldn’t be allowed to communicate with each other! Once identified, it even allows you to simulate any policy changes in a passive manner before pushing those changes out into the network.

This is achieved thanks to Cisco ISE and its identity-based capabilities; Security Group Tags are an identity-based way to manage policy and access controls, meaning we can de-couple from relying on the IP address of a user or device to enforce policies and instead move to a framework based on the identity of the user or device.

Cisco ISE

The ability to move away from traditional methods to manage access control (IP addresses and network ACLs) and into an identity-based approach is crucial for modern organisations that have users connecting from anywhere and from any device; ISE allows us to enforce consistent policies for users and devices regardless of which IP address or subnet they connect from.

From here, using SNA to glean a 360-degree view of client connectivity sessions, we can achieve detailed contextual awareness and correlation into network connections.


Cisco Secure Network Analytics: Summary

As threats continue to evolve, perimeter-based solutions cannot be 100 percent effective.

You need a solution that can detect advanced threats early in the attack lifecycle and before they are able to compromise your network and create a significant impact.

In this blog, we have given an overview of SNA and how it can improve your threat response capabilities and get a comprehensive view of incidents within your network.

We have run through the components you need to build out a working Cisco SNA install and, more importantly, the use cases that SNA can support.

Cisco SNA is all about giving you peace of mind that you have an advanced tool watching for unexpected activity on your network. When a departure from your usual baseline occurs, SNA can alert you on that, so you can take the relevant action.


If you need any help with your Cisco Umbrella implementation, we can help.