StealthWatch: incident analysis and investigation. Part 3

Cisco StealthWatch is an analytics solution in the field of information security that provides comprehensive threat monitoring across a distributed network. StealthWatch is based on collecting NetFlow and IPFIX from routers, switches and other network devices. As a result, the network becomes a sensitive sensor and lets the administrator look into places that traditional network protection methods, such as a Next Generation Firewall, cannot reach.

In previous articles I already wrote about StealthWatch: a first introduction and its capabilities, and deployment and configuration. Now I propose to move on and discuss how to work with alarms and investigate the security incidents that the solution generates. There will be 6 examples which, I hope, will give a good idea of how useful the product is.

First, it should be said that StealthWatch has a certain division of alarms into algorithms and feeds. The first are alarms (alerts) of various kinds that, when triggered, let you detect suspicious things on the network. The second are security incidents. This article looks at 4 examples of triggered algorithms and 2 examples of feeds.

1. Detecting the largest interactions on the network

The first step in configuring StealthWatch is to define hosts and networks into groups. In the web interface tab Configure > Host Group Management, networks, hosts and servers should be divided into the appropriate groups. You can also create your own groups. By the way, investigating interactions between hosts in Cisco StealthWatch is quite convenient, because you can save not only the flow search filters but also the results themselves.

To begin, in the web interface go to the tab Analyze > Flow Search. Then set the following parameters:

  • Search Type - Top Conversations
  • Time Range - 24 hours (this period, you can use another one)
  • Search Name - Top Conversations Inside-Inside (any friendly name)
  • Subject - Host Groups → Inside Hosts (source - the group of internal hosts)
  • Connection (you can specify ports, applications)
  • Peer - Host Groups → Inside Hosts (destination - the group of internal hosts)
  • In Advanced Options you can additionally specify the collector whose data is viewed, and the sorting of the output (by bytes, flows, etc.). I will leave it at the defaults.


After clicking the Search button, a list of interactions is displayed, already sorted by the amount of data transferred.


In my example host 10.150.1.201 (server) transferred, within a single flow, 1.5 GB of traffic to host 10.150.1.200 (client) over the mysql protocol. The Manage Columns button lets you add more columns to the displayed data.

Next, at the administrator's discretion, you can create a custom rule that will always trigger on interactions of this kind and notify you via SNMP, email or Syslog.

2. Analyzing slow client-server interactions on the network for delays

The SRT (Server Response Time) and RTT (Round Trip Time) metrics let you find out about server delays and general network delays. This tool is especially useful when you need to quickly find the cause of user complaints about a slow application.

Note: almost no NetFlow exporters can send the SRT and RTT metrics, so most often, to see such data on the FlowSensor, you need to configure sending a copy of the traffic from the network devices. The FlowSensor in turn sends extended IPFIX to the FlowCollector.

It is more convenient to perform this analysis in the StealthWatch Java application, which is installed on the administrator's computer.

Right-click Inside Hosts and go to the Flow Table tab.


Click Filter and set the necessary parameters. For example:

  • Date/Time - For the last 3 days
  • Performance - Average Round Trip Time >= 50ms


After the data is displayed, we need to add the RTT and SRT fields we are interested in. To do this, click on the column in the screenshot and choose Manage Columns with the right mouse button. Then tick RTT, SRT.


After the request completed, I sorted by average RTT and saw the slowest interactions.


To go into the details, right-click the flow and choose Quick View for Flow.


This information shows that host 10.201.3.59 from the Sales and Marketing group accessed the DNS server over the NFS protocol for one minute and 23 seconds, with simply terrible lag. In the Interfaces tab you can find out which NetFlow exporter the data was received from. The Table tab shows more detailed information about the interaction.


Next, you need to find out which devices send to the FlowSensor; the problem is most likely there.

Moreover, StealthWatch is unique in that it deduplicates data (merges identical flows). So you can collect from almost all NetFlow devices and not fear that there will be a lot of duplicate data. On the contrary, in this scheme it helps to understand which hop has the greatest delays.

3. Auditing HTTPS cryptographic protocols

ETA (Encrypted Traffic Analytics) is a technology developed by Cisco that lets you detect malicious connections in encrypted traffic without decrypting it. Moreover, this technology lets you "parse" HTTPS into the TLS versions and cryptographic protocols used during connections. This functionality is especially useful when you need to detect network nodes that use weak crypto standards.

Note: you must first install the network app on StealthWatch - ETA Cryptographic Audit.

Go to the tab Dashboards → ETA Cryptographic Audit and select the group of hosts we plan to analyze. For the full picture, let's choose Inside Hosts.


You can see that the TLS version and the corresponding crypto standard are displayed. As usual, in the Actions column go to View Flows and the search starts in a new tab.


From the output you can see that host 198.19.20.136 for 12 hours used HTTPS with TLS 1.2, where the encryption algorithm is AES-256 and the hash function is SHA-384. Thus, ETA lets you find weak algorithms on the network.
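ETA reads the TLS version and cipher information from handshake metadata, not from decrypted payload. As an added example (not Cisco's ETA code and not from the original article), the Python below parses a constructed TLS ClientHello record, reports the offered protocol version and cipher suites, and grades them against a simple legacy-version / weak-cipher policy; the cipher-suite table is a small assumed subset of the IANA registry and the policy thresholds are assumptions.

```python
import struct

# Cipher suite IDs from the IANA TLS registry (assumption: this small subset is enough for the demo)
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x009D: "TLS_RSA_WITH_AES_256_GCM_SHA384",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
WEAK_MARKERS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5", "anon")   # assumed audit policy


def parse_client_hello(data):
    """Extract (version name, [suite names]) from a raw TLS ClientHello record; no decryption needed."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:   # record type handshake, msg type ClientHello
        raise ValueError("not a TLS ClientHello record")
    version = struct.unpack("!H", data[9:11])[0]               # client_version follows the 4-byte handshake header
    pos = 11 + 32                                               # skip the 32-byte client random
    sid_len = data[pos]
    pos += 1 + sid_len                                          # skip session_id
    cs_len = struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    ids = struct.unpack("!%dH" % (cs_len // 2), data[pos:pos + cs_len])
    return VERSIONS.get(version, hex(version)), [SUITES.get(i, "0x%04X" % i) for i in ids]


def audit(version, suites):
    """Return audit findings; empty when the offer meets the TLS 1.2+ / no-legacy-cipher bar."""
    findings = []
    if version in ("SSL 3.0", "TLS 1.0", "TLS 1.1"):
        findings.append("legacy protocol version offered: " + version)
    for s in suites:
        if any(m in s for m in WEAK_MARKERS):
            findings.append("weak cipher suite offered: " + s)
    return findings


def build_client_hello(version, suite_ids):
    """Constructed minimal ClientHello (no extensions) so the parser can be exercised offline."""
    body = struct.pack("!H", version) + b"\x00" * 32 + b"\x00"                 # version, random, empty session id
    body += struct.pack("!H", 2 * len(suite_ids)) + b"".join(struct.pack("!H", i) for i in suite_ids)
    body += b"\x01\x00" + b"\x00\x00"                                          # null compression, no extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                         # handshake header
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(hs)) + hs  # record header
```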

4. Analyzing network anomalies

Cisco StealthWatch can recognize anomalies on the network using three tools: Core Events (security events), Relationship Events (events of interaction between segments and network nodes) and behavioral analysis.

Behavioral analysis, in turn, allows building a behavior model over time for a specific host or group of hosts. The more traffic passes through StealthWatch, the more accurate the alarms produced by this analysis will be. At first, the system triggers many false positives, so the rules have to be "tuned" by hand. I recommend ignoring such events for the first few weeks, because the system will adjust itself, or adding them to the exceptions.

Below is an example of a predefined rule which says that the event will fire, without an alarm, if a host in the Inside Hosts group interacts with the Inside Hosts group and in 24 hours the traffic exceeds 10 megabytes.


For example, let's take the Data Hoarding alarm, which means that some source/destination host has uploaded/downloaded an abnormally large amount of data from a group of hosts or a single host. Click on the event and go to the table where the triggering hosts are shown. Next, select the host we are interested in in the Data Hoarding column.


An event is shown indicating that 162k "points" were detected, while 100k "points" are allowed by the policy - these are internal StealthWatch metrics. In the Actions column click View Flows.


We can observe that this host interacted at night with host 10.201.3.47 from the Sales & Marketing department over the HTTPS protocol and downloaded 1.4 GB. Perhaps this example is not entirely realistic, but detecting interactions of even hundreds of gigabytes is done in exactly the same way. So further investigation of anomalies can lead to interesting results.


Note: in the SMC web interface the data in the Dashboards tabs is shown only for the last week, and in the Monitor tab for the last 2 weeks. To investigate older events and generate reports, you need to work with the Java console on the administrator's computer.

5. Detecting internal network scanning

Now let's look at a couple of examples of feeds - security incident feeds. This functionality is of most interest to security specialists.

There are several preset scan event types in StealthWatch:

  • Port Scan - the source scans multiple ports on the target host.
  • Addr tcp scan - the source scans the entire network on the same TCP port, changing the destination IP address. In this case the source receives TCP Reset packets or receives no response at all.
  • Addr udp scan - the source scans the entire network on the same UDP port, changing the destination IP address. In this case the source receives ICMP Port Unreachable packets or receives no response at all.
  • Ping Scan - the source sends ICMP requests to the entire network in search of responses.
  • Stealth Scan tcp/udp - the source uses the same source port to connect to multiple ports on the destination host at the same time.
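As an added example (not StealthWatch's own detection code and not from the original article), the Python below applies the five heuristics from the list above to constructed NetFlow-style records and reports, per source host, which scan event names match. The record shape, the thresholds, and the rule that a Port Scan sent from a single source port is also a Stealth Scan are assumptions; the first record set is modelled on the page's 51508/TCP Port Scan example.

```python
from collections import defaultdict

# Constructed NetFlow-style records (assumption: simplified shape, not StealthWatch's schema).
# "reply" is what the source got back: "rst", "icmp-unreach", "none" or "data".
FLOWS = [  # one source port 51508 hitting several ports of one host, like the page's Port Scan example
    {"src": "10.201.3.149", "dst": "10.201.0.72", "proto": "tcp", "sport": 51508, "dport": p, "reply": "rst"}
    for p in (22, 28, 42, 41, 36, 40)
] + [  # same TCP port 445 across many destination addresses, RST or silence back
    {"src": "10.201.3.10", "dst": "10.201.0.%d" % i, "proto": "tcp", "sport": 40000 + i, "dport": 445,
     "reply": "rst" if i % 2 else "none"} for i in range(30, 42)
] + [  # same UDP port 161 across many addresses, ICMP Port Unreachable back
    {"src": "10.201.3.11", "dst": "10.201.0.%d" % i, "proto": "udp", "sport": 5000 + i, "dport": 161,
     "reply": "icmp-unreach"} for i in range(50, 62)
] + [  # ICMP echo requests to a whole range
    {"src": "10.201.3.12", "dst": "10.201.0.%d" % i, "proto": "icmp", "sport": 0, "dport": 0, "reply": "none"}
    for i in range(1, 30)
] + [  # an ordinary HTTPS session that must not trigger anything
    {"src": "10.201.3.13", "dst": "10.201.0.5", "proto": "tcp", "sport": 51000, "dport": 443, "reply": "data"},
]


def classify_scanners(flows, min_ports=5, min_hosts=10):
    """Map each source IP to the set of scan event names its flows match (thresholds are assumptions)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    events = {}
    for src, fl in by_src.items():
        found = set()
        # Port Scan: many destination ports on one target; Stealth Scan: all of them from one source port
        ports_per_host = defaultdict(set)
        for f in fl:
            if f["proto"] in ("tcp", "udp"):
                ports_per_host[f["dst"]].add(f["dport"])
        for host, ports in ports_per_host.items():
            if len(ports) >= min_ports:
                found.add("Port Scan")
                if len({f["sport"] for f in fl if f["dst"] == host}) == 1:
                    found.add("Stealth Scan tcp/udp")
        # Addr tcp/udp scan: one destination port across many hosts, answered by RST / ICMP unreachable or nothing
        for proto, bad_reply, name in (("tcp", "rst", "Addr tcp scan"), ("udp", "icmp-unreach", "Addr udp scan")):
            hosts_per_port = defaultdict(set)
            for f in fl:
                if f["proto"] == proto and f["reply"] in (bad_reply, "none"):
                    hosts_per_port[f["dport"]].add(f["dst"])
            if any(len(h) >= min_hosts for h in hosts_per_port.values()):
                found.add(name)
        # Ping Scan: ICMP requests to many destinations
        if len({f["dst"] for f in fl if f["proto"] == "icmp"}) >= min_hosts:
            found.add("Ping Scan")
        if found:
            events[src] = found
    return events
```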

To make it easier to find all internal scanners at once, there is a network app for StealthWatch - Visibility Assessment. Going to the tab Dashboards → Visibility Assessment → Internal Network Scanners, you will see the scanning-related security events for the last 2 weeks.


By clicking the Details button, you will see the start of scanning for each network, the traffic trend and the corresponding alarms.


Next, you can "drill down" into a host from the tab in the previous screenshot and see the security events, as well as the activity over the last week for this host.


As an example, let's investigate the Port Scan event from host 10.201.3.149 to 10.201.0.72. Click Actions > Associated Flows. The flow search starts and the relevant information is displayed.


As we can see, this host from one of its ports, 51508/TCP, scanned the target host 3 hours ago on ports 22, 28, 42, 41, 36, 40 (TCP). Some fields show no data because not all NetFlow fields are supported by the NetFlow exporter.

6. Analyzing malware downloads with CTA

CTA (Cognitive Threat Analytics) is Cisco cloud analytics that integrates seamlessly with Cisco StealthWatch and lets you complement signature-based detection with signatureless detection. This makes it possible to detect Trojans, network worms, zero-day malware and other malware, and their spread across the network. Also, the previously mentioned ETA technology lets you analyze such malicious communications in encrypted traffic.


Literally on the first tab of the web interface there is a dedicated Cognitive Threat Analytics widget. A brief summary shows the threats detected on user hosts: Trojan, fraudulent software, annoying adware. The word "Encrypted" actually indicates ETA at work. By clicking on a host, all the information about it and its security events, including the CTA logs, is displayed.


By hovering over each stage of the CTA, the event shows the details of the interaction. For a full analysis, click View Incident here, and you will be taken to a separate Cognitive Threat Analytics console.

In the upper right corner, the filter lets you display events by severity level. When you point at a specific anomaly, the logs appear at the bottom of the screen with the corresponding timeline on the right. Thus, the information security specialist clearly understands which host is infected, after what action, and what it started doing.

Below is another example - a banking Trojan that infected host 198.19.30.36. This host began interacting with malicious domains, and the logs show the flows of these interactions.


Next, one of the best possible solutions is to quarantine the host, thanks to the native integration with Cisco ISE, for further remediation and analysis.

Conclusion

The Cisco StealthWatch solution is one of the leaders among network monitoring products, both for network analysis and for information security. Thanks to it, you can detect illegitimate interactions on the network, application delays, the most active users, anomalies, malware and APTs. Moreover, you can find scanners and pentesters, and perform a crypto audit of HTTPS traffic. You can find more use cases at the link.

If you want to check how well and efficiently everything works on your network, send a request.
In the future, we are planning several more publications on various information security products. If you are interested in this topic, follow the updates in our channels (Telegram, Facebook, VK, TS Solution Blog)!

Source: www.hab.com
