Building a security platform powered by advanced analytics
Ever heard the French term “terroir” in reference to wines? It wasn’t until a recent visit to Bordeaux that I truly understood the pride winemakers take in their terroir. Simply put, the terroir of a wine is the combination of climate, soil, and terrain, together with the winemaking tradition, that is unique to a particular wine-growing region. For example, in Saint-Émilion, the oldest wine area of the Bordeaux region, the limestone soil is a defining part of the terroir. Other factors like elevation and sunlight exposure also contribute to a good wine. That is why a wine can be called Bordeaux only if it comes from that region, and Champagne only if it was made there.
Whether you like wines or not, it’s an interesting way to look at the process of creating or building something – such as the recently announced Cisco SecureX platform. SecureX brings together the strength of Cisco’s broad and integrated portfolio of industry-leading security solutions, including security analytics delivered through Cisco Stealthwatch, for comprehensive visibility and advanced threat detection and response.
Let’s see what makes up the terroir of the SecureX platform with respect to security analytics – the innate capabilities unique to SecureX that are unmatched in the market:
Unified visibility driven by context – Stealthwatch collects telemetry from every part of the network to feed into its analytics. It can also ingest additional sources of telemetry such as user, device, application, proxy, firewall, web, and endpoint data. This matters in today’s complex IT environment, where a large number of unmanaged devices have no security agents deployed. To stay ahead of threats, you need to be able to determine which devices are connected to the network and what they are doing, at all times. Additionally, as organizations transition to hybrid and multicloud, they need to extend visibility and security to the cloud as well. Stealthwatch provides truly cloud-native visibility across all major cloud providers, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud Platform (GCP), as well as containers and serverless environments. Because it is agentless, a Stealthwatch deployment scales easily with a growing network, both on-premises and in the cloud, without the need to deploy costly sensors or probes. And now this contextual visibility is integrated into the SecureX platform, where it is extended even further to the internet, endpoints, applications, and more through integration with other technologies.
Continuous threat analytics – Visibility helps the security team better understand the entities it is protecting. Stealthwatch goes further by analyzing all of that network telemetry at machine scale to identify suspicious behavior. For instance, this behavior could be the result of an adversary who has infiltrated the perimeter and is now using compromised devices or credentials to exfiltrate sensitive data. If this occurs, none of the traditional security technologies will be able to sound the alarm, which is why continuous network traffic analysis is essential. So, what makes Cisco security analytics different? With more than 17 years in the market, the team has a lot of experience building and tuning the analytics to ensure that security teams see the most critical alerts and can investigate them quickly. Stealthwatch takes a layered approach to security analytics, using a combination of behavioral modeling, machine learning and the industry-leading Cisco Talos threat intelligence. What matters most to us is the security outcome for our customers, that is, reducing billions of network sessions to a few critical alerts. And we have a way of measuring this outcome – Stealthwatch users rate 95% of the alerts they see in the dashboard as helpful. Another area where the analytics stand out is encrypted traffic. With more than 80% of web traffic encrypted today, relying on decryption-based technologies is simply not feasible. Stealthwatch can analyze encrypted traffic without any decryption, both to detect threats and to ensure cryptographic compliance.
Automated detection and response – The combination of this context-driven, enterprise-wide visibility and the application of advanced analytical techniques leads to accelerated threat detection and response. Every attack begins with early signs of suspicious activity, such as unusual remote access, port scanning, or use of restricted ports or protocols. Continuous network traffic analysis can not only pinpoint this behavior but also identify where the threat originated, who the target is, and where the threat has spread laterally, so that the security analyst can take action for immediate remediation. And now, with SecureX, the Stealthwatch user can extend investigation and response across other security technologies with just one click and get the complete picture across every attack vector – network, endpoint, web, email and application workloads. Conversely, you can begin your investigation from SecureX with an indicator of compromise (IoC) and pivot to Stealthwatch to see what communications have occurred with respect to that IoC.
End-to-end security incident workflow: network policy violation use case
The SecureX incident workflow uses cross-product automation to gather information relevant to the alarm into one place, across technologies and teams. For example, SecureX analytics sends a potential data hoarding alert that your company considers a high priority, and it triggers a prebuilt incident playbook:
- The playbook automatically enriches the alarm with context from your other security technologies and threat intelligence to provide a complete picture of the threat. It aggregates information on the alert in one place using the threat response feature of SecureX to develop actionable insights.
- It determines verdicts for the observables extracted from the alarm, including the target endpoint. That target could be a sensitive data server to which the source entity is connected and from which it is downloading a large volume of data, behavior that is anomalous for that entity.
- After a thorough investigation, the responder deems this a valid threat, and SecureX provides the ability to immediately isolate the endpoint from the network.
- To fully mitigate the data hoarding and the eventual data exfiltration risk, we have ensured that this endpoint can no longer reach the sensitive data server or connect to any external entity over the network.
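To make the workflow above concrete, here is an added illustration of a baseline-driven "data hoarding" detection followed by the playbook's enrichment and containment steps. It is example code written for this article, not Stealthwatch or SecureX code; the flow summaries, host names, asset roles, threat-intelligence verdicts and thresholds are all constructed for the example.

```python
"""Baseline-driven 'data hoarding' detection plus a playbook-style enrichment
and containment step. Added illustration only; not Stealthwatch or SecureX
code. Every record, host name, role, verdict and threshold is constructed."""
from collections import defaultdict
from statistics import mean

# Constructed daily flow summaries: (day, source_host, destination_host, bytes pulled by source)
FLOWS = [
    ("d1", "ws-104", "fs-01", 40_000_000),
    ("d2", "ws-104", "fs-01", 35_000_000),
    ("d3", "ws-104", "fs-01", 42_000_000),
    ("d4", "ws-104", "fs-01", 2_100_000_000),  # ~50x this workstation's own norm
    ("d1", "ws-211", "fs-01", 900_000_000),
    ("d2", "ws-211", "fs-01", 950_000_000),
    ("d3", "ws-211", "fs-01", 880_000_000),
    ("d4", "ws-211", "fs-01", 910_000_000),    # large in absolute terms, normal for this host
    ("d4", "ws-104", "web-proxy", 5_000_000),  # not a sensitive server; ignored
]

# Constructed asset context (the "other security technologies") and intel verdicts.
ASSETS = {
    "fs-01": {"role": "sensitive data server"},
    "ws-104": {"role": "workstation", "owner": "j.doe"},
    "ws-211": {"role": "backup worker"},
}
INTEL = {"fs-01": "clean", "ws-104": "unknown", "web-proxy": "clean"}

RATIO = 10.0             # alert when a host pulls 10x its own historical baseline
MIN_BYTES = 500_000_000  # absolute floor so tiny hosts do not alert on noise


def baseline_by_host(flows, sensitive, exclude_day):
    """Mean daily bytes each host pulled from sensitive servers, excluding the day under test."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if dst in sensitive and day != exclude_day:
            totals[src][day] += nbytes
    return {src: mean(days.values()) for src, days in totals.items()}


def detect_data_hoarding(flows, assets, day, ratio=RATIO, min_bytes=MIN_BYTES):
    """Per-entity behavioral check: flag (source, sensitive server) pairs whose
    volume on `day` exceeds both the absolute floor and ratio x the host's baseline.
    Hosts with no history are skipped, so a first-seen host needs another control."""
    sensitive = {h for h, a in assets.items() if a["role"] == "sensitive data server"}
    base = baseline_by_host(flows, sensitive, exclude_day=day)
    today = defaultdict(int)
    for d, src, dst, nbytes in flows:
        if d == day and dst in sensitive:
            today[(src, dst)] += nbytes
    alerts = []
    for (src, dst), nbytes in today.items():
        b = base.get(src)
        if b and nbytes >= max(min_bytes, ratio * b):
            alerts.append({"type": "data hoarding", "source": src, "target": dst,
                           "bytes": nbytes, "baseline": b, "ratio": round(nbytes / b, 1)})
    return alerts


def enrich(alert, assets, intel):
    """Playbook step: extract observables, attach asset context and intel verdicts."""
    observables = [alert["source"], alert["target"]]
    return {**alert,
            "verdicts": {o: intel.get(o, "unknown") for o in observables},
            "context": {o: assets.get(o, {}) for o in observables}}


def isolation_rules(alert):
    """Containment the responder applies once the alert is judged valid: the source
    may no longer reach the sensitive server or any external destination."""
    return [f"deny {alert['source']} -> {alert['target']}",
            f"deny {alert['source']} -> external"]


if __name__ == "__main__":
    for a in detect_data_hoarding(FLOWS, ASSETS, "d4"):
        enriched = enrich(a, ASSETS, INTEL)
        print(enriched)
        print(isolation_rules(enriched))
```

The design point is that the threshold is relative to each entity's own history rather than a global number: the backup worker moves far more data than the workstation every day without alerting, while the workstation's one-day spike is caught. The verdicts and context are what the responder reviews before choosing to apply the isolation rules; the code deliberately does not isolate on its own.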
Similarly, for other incidents, you can use SecureX to enable response by blocking any malicious domains identified, hunting for malicious or suspicious observables, initiating an approval workflow, collaborating through the built-in casebook function, or creating an IT ticket to update network policy.
Think of the potential for human error when these relationships are not immediately visible, plus the extra time it takes to pivot between multiple product screens with no shared context in order to complete the orchestrated workflow. You can enhance your investigations with built-in adapters for incident enrichment, response and approval workflows. SecureX provides a selection of prebuilt playbooks, but you can also build your own using defined actions and third-party adapters. It gives you more control with less effort from your existing security investments in Stealthwatch. Together with unified visibility, analytics and automated workflows, SecureX can advance the security maturity of a team of any size.
Sign up for SecureX
As described above, Cisco SecureX is infused with unique security analytics capabilities that have been carefully built over years of experience in the industry, and these are now further enhanced through integration with the broadest security portfolio on the planet.
SecureX will be generally available in June. To stay updated on the latest about SecureX, sign up