BRKGS-2541
Crown Jewels
Matt Robertson, Security Technical Marketing Engineer
Cisco Public
Crown Jewels
Data that is valuable to attackers
NetFlow = Visibility
A single NetFlow Record provides a wealth of information

Diagram: host 10.2.2.2 (port 1024) on eth0/1, web server 10.1.1.1 (port 80) on eth0/2, NetFlow exported by the router between them.

Router# show flow monitor CYBER-MONITOR cache

Start Time     Interface  Src IP    Src Port  Dst IP    Dst Port  Proto  Pkts Sent  Bytes Sent  TCP Flags
10:20:12.221   eth0/1     10.2.2.2  1024      10.1.1.1  80        TCP    5          1025        SYN,ACK,PSH
10:20:12.871   eth0/2     10.1.1.1  80        10.2.2.2  1024      TCP    17         28712       SYN,ACK,FIN
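Worked example (added here; it is not code from the presentation or from Cisco): the flow cache above holds one unidirectional record per direction, so an analyzer has to join each record with its reverse 5-tuple to recover who the client was, how much went each way and whether the peer answered at all. The records are constructed in the layout of the slide's table; the first two rows are the slide's, the third (a single SYN to port 23 that is never answered) is an assumption added to show the unanswered case.

```python
"""Pair unidirectional NetFlow records into bidirectional conversations.

Added example for this page, not presentation or Cisco code. The sample
records are constructed: two rows from the slide plus one assumed probe.
"""
from dataclasses import dataclass
from datetime import datetime

# Columns: start interface src_ip src_port dst_ip dst_port proto pkts bytes flags
SAMPLE_RECORDS = """\
10:20:12.221 eth0/1 10.2.2.2 1024 10.1.1.1 80 TCP 5 1025 SYN,ACK,PSH
10:20:12.871 eth0/2 10.1.1.1 80 10.2.2.2 1024 TCP 17 28712 SYN,ACK,FIN
10:21:03.004 eth0/1 10.2.2.2 40001 10.1.1.1 23 TCP 1 60 SYN
"""


@dataclass
class FlowRecord:
    start: datetime
    interface: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    octets: int
    flags: frozenset

    @property
    def key(self):
        return (self.proto, self.src_ip, self.src_port, self.dst_ip, self.dst_port)

    @property
    def reverse_key(self):
        # 5-tuple of the reply direction, used to find the matching record
        return (self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def parse_records(text):
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 10:
            continue  # blank or malformed line
        records.append(FlowRecord(
            start=datetime.strptime(f[0], "%H:%M:%S.%f"),
            interface=f[1], src_ip=f[2], src_port=int(f[3]),
            dst_ip=f[4], dst_port=int(f[5]), proto=f[6],
            pkts=int(f[7]), octets=int(f[8]),
            flags=frozenset(f[9].split(",")),
        ))
    return records


@dataclass
class Conversation:
    client: str
    client_port: int
    server: str
    server_port: int
    proto: str
    bytes_client_to_server: int
    bytes_server_to_client: int
    pkts_total: int
    flags: frozenset
    answered: bool  # False when no record exists for the reply direction


def pair_flows(records):
    """Join each record with its reverse-direction record. The record that
    starts first is the initiator (client): on the slide 10.2.2.2 starts
    650 ms before the server's reply record."""
    by_key = {r.key: r for r in records}
    seen, conversations = set(), []
    for r in sorted(records, key=lambda rec: rec.start):
        if r.key in seen:
            continue
        rev = by_key.get(r.reverse_key)
        seen.add(r.key)
        if rev is not None:
            seen.add(rev.key)
        conversations.append(Conversation(
            client=r.src_ip, client_port=r.src_port,
            server=r.dst_ip, server_port=r.dst_port, proto=r.proto,
            bytes_client_to_server=r.octets,
            bytes_server_to_client=rev.octets if rev else 0,
            pkts_total=r.pkts + (rev.pkts if rev else 0),
            flags=r.flags | (rev.flags if rev else frozenset()),
            answered=rev is not None,
        ))
    return conversations


def unanswered_syns(conversations):
    """Connection attempts with a bare SYN and no reply record: what a port
    scan or a blocked connection looks like in flow data."""
    return [c for c in conversations
            if not c.answered and c.flags == frozenset({"SYN"})]
```

Running `pair_flows(parse_records(SAMPLE_RECORDS))` yields one conversation for the slide's web session (1025 bytes up, 28712 bytes down, 22 packets, flags SYN/ACK/PSH/FIN) and one unanswered probe; the byte asymmetry is what makes a flow record useful for spotting bulk pulls from a crown-jewel server even though no payload is recorded.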
StealthWatch FlowCollector
Collects and analyzes NetFlow from the Cisco network
Up to 2000 sources
Up to a sustained 120,000 fps (flows per second)
StealthWatch FlowSensor
Generates NetFlow data
StealthWatch FlowSensor VE
Virtual environment: visibility into ESX

What, Where, When, How, Who
More context
Not Allowed
Allowed
Policy conditions:
- Object conditions
- Peer conditions
- Connection conditions
- Time range
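Worked example of the four condition groups listed above (added here; not StealthWatch code and not the product's rule format): a minimal evaluator that takes conversations already paired into client/server form and reports those that violate a rule with object, peer, connection and time-range conditions. The rule, the netblocks and the conversations are constructed for illustration: 10.1.1.0/24 standing for the crown-jewel servers and 10.2.2.0/24 for the approved clients are assumptions, and the first conversation reuses the slide's web session.

```python
"""Rule evaluator built from the slide's four condition groups: object
(protected host), peer, connection and time range.

Added example, not StealthWatch code. Rule, netblocks and conversations
are constructed; 10.1.1.0/24 (crown jewels) and 10.2.2.0/24 (approved
clients) are assumptions.
"""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    name: str
    object_nets: list        # object conditions: hosts the rule protects
    peer_nets: list          # peer conditions: netblocks listed in the rule
    peer_is_allowed: bool    # True: listed peers are allowed, alert on others
    ports: set = field(default_factory=set)  # connection: empty means any port
    min_bytes_from_object: int = 0           # connection: bytes leaving the object
    start: time = time(0, 0)                 # time range; may wrap past midnight
    end: time = time(23, 59, 59)


def in_any(ip, nets):
    addr = ip_address(ip)
    return any(addr in ip_network(n) for n in nets)


def in_window(t, rule):
    if rule.start <= rule.end:
        return rule.start <= t <= rule.end
    return t >= rule.start or t <= rule.end  # e.g. 18:00 to 07:00


def evaluate(rule, conv):
    """True when the conversation violates the rule."""
    # Object condition: which side is the protected host, and how many
    # bytes left it in this conversation.
    if in_any(conv["server"], rule.object_nets):
        peer, out_bytes = conv["client"], conv["bytes_server_to_client"]
    elif in_any(conv["client"], rule.object_nets):
        peer, out_bytes = conv["server"], conv["bytes_client_to_server"]
    else:
        return False
    # Peer condition
    listed = in_any(peer, rule.peer_nets)
    if listed == rule.peer_is_allowed:
        return False  # allowed peer, or a deny-list peer that is not listed
    # Connection conditions
    if rule.ports and conv["server_port"] not in rule.ports:
        return False
    if out_bytes < rule.min_bytes_from_object:
        return False
    # Time range
    return in_window(conv["start"], rule)


# Constructed conversations, already paired into client/server form.
CONVERSATIONS = [
    # The slide's web session: approved client, business hours -> no alert.
    dict(start=time(10, 20, 12), client="10.2.2.2", server="10.1.1.1",
         server_port=80, bytes_client_to_server=1025,
         bytes_server_to_client=28712),
    # Unapproved peer pulling ~52 MB off the server at 02:15 -> alert.
    dict(start=time(2, 15, 0), client="198.51.100.7", server="10.1.1.1",
         server_port=443, bytes_client_to_server=4096,
         bytes_server_to_client=52_000_000),
    # Same peer probing SSH, nothing sent back -> under threshold, no alert.
    dict(start=time(2, 16, 0), client="198.51.100.7", server="10.1.1.1",
         server_port=22, bytes_client_to_server=200,
         bytes_server_to_client=0),
]

RULE = Rule(
    name="Crown jewels: bulk transfer to unapproved peer outside business hours",
    object_nets=["10.1.1.0/24"],
    peer_nets=["10.2.2.0/24"],
    peer_is_allowed=True,
    min_bytes_from_object=10_000_000,
    start=time(18, 0),
    end=time(7, 0),
)


def alerts(rule=RULE, conversations=CONVERSATIONS):
    return [c for c in conversations if evaluate(rule, c)]
```

Only the second conversation fires: the peer is outside the allowed netblock, more than 10 MB left the protected server, and the time falls in the 18:00 to 07:00 window. Writing the volume threshold against bytes leaving the object, rather than total bytes, is what keeps the probe on port 22 from producing noise.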
Summary
Related Sessions
BRKSEC-2136 Preventing Armageddon: Finding the threat before it's too late
Matt Robertson, Wednesday, Jan 28, 2:30-4:00
Call to Action
Visit the World of Solutions for
Cisco Campus:
Lancope Booth #G8
Cisco Security - Cyber Threat Defence Demo
Cisco Enterprise Networking Network as a Sensor & Enforcer
NetFlow and the Lancope StealthWatch System provide actionable security intelligence