Cisco Defense Orchestrator

Stealthwatch Cloud and Dynamic Entity Modeling

Describes how Stealthwatch cloud tracks the state of your network by performing a behavioral analysis on FTD events and network flow data.

Required License: Firewall Analytics and Monitoring or Total Network Analytics and Monitoring

Stealthwatch Cloud is a software as a service (SaaS) solution that monitors your on-premises and cloud-based network deployments. By gathering information about your network traffic from sources including Firepower Threat Defense (FTD) events and network flow data, it creates observations about the traffic and automatically identifies roles for network entities based on their traffic patterns. Using this information combined with other sources of threat intelligence, such as Talos, Stealthwatch Cloud generates alerts, which constitute a warning that there is behavior that may be malicious in nature. Along with the alerts, Stealthwatch Cloud provides network and host visibility, and contextual information it has gathered to provide you with a better basis to research the alert and locate sources of malicious behavior.

Dynamic Entity Modeling

Dynamic entity modeling tracks the state of your network by performing a behavioral analysis on FTD events and network flow data. In the context of Stealthwatch Cloud, an entity is something that can be tracked over time, such as a host or endpoint on your network. Dynamic entity modeling gathers information about entities based on the traffic they transmit and activities they take on your network. Stealthwatch Cloud, integrated with a Firewall Analytics and Monitoring license, can draw from FTD connection events and other traffic information in order to determine the types of traffic the entity usually transmits. If you purchase a Total Network Analytics and Monitoring license, Stealthwatch Cloud can also include NetFlow and other traffic information in modeling entity traffic. Stealthwatch Cloud updates these models over time, as the entities continue to send traffic, and potentially send different traffic, to keep an up-to-date model of each entity.

From this information, Stealthwatch Cloud identifies:

  • roles for the entity, which are a descriptor of what the entity usually does. For example, if an entity sends traffic that is generally associated with email servers, Stealthwatch Cloud assigns the entity an Email Server role. The role/entity relationship can be many-to-one, as entities may perform multiple roles.
  • observations for the entity, which are facts about the entity's behavior on the network, such as a heartbeat connection with an external IP address, or a remote access session established with another entity. If you integrate with CDO, these facts can be obtained from FTD events. If you also purchase a Total Network Analytics and Monitoring license, the system can also obtain facts from NetFlow, and generate observations from both FTD events and NetFlow. Observations on their own do not carry meaning beyond the fact of what they represent. A typical customer may have many thousands of observations and a few alerts.

Alerts and Analysis

Based on the combination of roles, observations, and other threat intelligence, Stealthwatch Cloud generates alerts, which are actionable items that represent possible malicious behavior as identified by the system. Note that one alert may represent multiple observations. If an FTD appliance logs multiple connection events related to the same connection and entities, this may result in only one alert.

For example, a New Internal Device observation on its own does not constitute possible malicious behavior. However, over time, if the entity transmits traffic consistent with a Domain Controller, then the system assigns a Domain Controller role to the entity. If the entity subsequently establishes a connection to an external server that it has not established a connection with previously, using unusual ports, and transfers large amounts of data, the system would log a New Large Connection (External) observation and an Exceptional Domain Controller observation. If that external server is identified as on a Talos watchlist, then the combination of all this information would lead Stealthwatch Cloud to generate an alert for this entity's behavior, prompting you to take further action to research, and remediate malicious behavior.
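The following is an added toy model of the pipeline described above (flows, then roles, then observations, then an alert only when observations combine with threat intelligence); it is not Cisco's code. The sample flows, the watchlist entry, the port heuristic for the Domain Controller role and the size threshold for a "large" connection are all constructed assumptions.

```python
from collections import defaultdict
# Constructed sample flows: (src, dst, dst_port, bytes_sent, dst_is_external)
FLOWS = [
    ("10.0.0.5", "10.0.0.20", 389, 2_000, False),          # LDAP
    ("10.0.0.5", "10.0.0.21", 88, 1_500, False),           # Kerberos
    ("10.0.0.5", "10.0.0.22", 53, 300, False),             # DNS
    ("10.0.0.7", "10.0.0.5", 389, 500, False),             # client -> DC
    ("10.0.0.5", "203.0.113.9", 4444, 900_000_000, True),  # odd port, large
]
WATCHLIST = {"203.0.113.9"}      # constructed stand-in for a Talos watchlist
DC_PORTS = {53, 88, 389}         # assumed ports a Domain Controller serves
LARGE_BYTES = 100 * 1024 * 1024  # assumed threshold for a "large" connection

def assign_roles(flows):
    """An entity seen on two or more DC ports gets the Domain Controller role."""
    ports = defaultdict(set)
    for src, dst, port, _, _ in flows:
        ports[src].add(port)
        ports[dst].add(port)
    return {e: ({"Domain Controller"} if len(p & DC_PORTS) >= 2 else set())
            for e, p in ports.items()}

def make_observations(flows, roles, known=()):
    """Observations are facts about behaviour; by themselves they carry no verdict."""
    known, obs = set(known), []
    for src, dst, port, nbytes, external in flows:
        for e in (src,) if external else (src, dst):   # internal entities only
            if e not in known:
                obs.append((e, "New Internal Device", e))
                known.add(e)
        if external and nbytes >= LARGE_BYTES:
            obs.append((src, "New Large Connection (External)", dst))
        if external and port not in DC_PORTS and \
                "Domain Controller" in roles.get(src, ()):
            obs.append((src, "Exceptional Domain Controller", dst))
    return obs

def generate_alerts(obs, watchlist):
    """One alert per entity, only when its observations line up with threat intel."""
    facts = defaultdict(set)
    for entity, name, detail in obs:
        facts[entity].add((name, detail))
    alerts = []
    for entity, seen in facts.items():
        hits = {d for n, d in seen
                if n == "New Large Connection (External)" and d in watchlist}
        if hits and any(n == "Exceptional Domain Controller" for n, _ in seen):
            alerts.append((entity, sorted(hits)))
    return alerts
```

Running the same observations against an empty watchlist yields no alert, which is the page's point that observations alone are not actionable.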

When you open an alert in the Stealthwatch Cloud web portal UI, you can view the supporting observations that led the system to generate the alert. From these observations, you can also view additional context about the entities involved, including the traffic that they transmitted, and external threat intelligence if it is available. You can also see other observations and alerts that entities were involved with, and determine if this behavior is tied to other potentially malicious behavior.

Note that when you view and close alerts in Stealthwatch Cloud, you cannot allow or block traffic from the Stealthwatch Cloud UI. You must update your FTD access control rules to allow or block traffic, if you deployed your devices in active mode, or your firewall access control rules if your FTD devices are deployed in passive mode.