Today’s workforce requires mobile and responsive technology. Users are connecting to the corporate network from more places and using more devices than ever before. Forty percent of workers for large enterprises in the U.S. report using their personally owned smartphone, tablet, or computer for work purposes, according to Gartner.
While all these devices can help companies remain competitive, they can be a nightmare to secure. With the Cisco Stealthwatch Endpoint License , security operators can extend the visibility and real-time situational awareness of Stealthwatch to the endpoint. The Stealthwatch Endpoint License collects endpoint telemetry using the Cisco AnyConnect 4.2 and up. This allows security operators to conduct more efficient, context-rich investigation into endpoints that are exhibiting suspicious behavior.
Flow attribution can help investigationsThe ability to identify suspicious and malicious flows with Stealthwatch is invaluable to threat detection, but investigations don’t end there. When an endpoint displays suspicious network behavior, investigators still need to determine what caused the flow. Was it the user? What application were they using? Was it a process, and if so, which process was it? This level of flow attribution can be critical to successfully responding to a threat.
For instance, a security operator uses Stealthwatch to identify an endpoint that is communicating with a known command and control server. This already suggests there is a malware infection, but the investigator needs to determine if any other endpoints on the network are infected. It will take time to take the infected endpoint offline and determine what malware was responsible then analyze all of the other endpoints on the network for indicators of compromise.
With the Endpoint License, endpoint application and process information is collected from the endpoint and woven into the flow record. Once the security operator identifies the command and control activity, they can pivot to endpoint data to determine what process was responsible. With this information, they can then query the data from other endpoints to determine if they were running the same process. This can drastically speed up incident response times and ensure threats are caught earlier.
How it worksThe Endpoint License provides support for the Cisco Network Visibility Flow (nvzFlow) protocol introduced with the Cisco AnyConnect 4.2 Network Visibility Module (NVM). The AnyConnect NVM exports endpoint telemetry using the nvzFlow protocol, an extension of the standards-based IP Flow Information Export (IPFIX) protocol, to the Endpoint Concentrator.
The Endpoint Concentrator collects telemetry from multiple endpoints and forwards it to the Stealthwatch Flow Collector. Using a process of stitching and deduplication, the Flow Collector inserts the endpoint-specific fields into the conversational flow records maintained in its database. The endpoint data is then analyzed and displayed in the Stealthwatch Management Console for a single view of network and endpoint activity.
This process provides a steady stream of high-value endpoint contextual data to the Stealthwatch system. Security operators can query this data and use it to drill into host behavior on the endpoint.
Learn moreTo learn how Cisco Stealthwatch Endpoint License can help protect your network,read the data sheet.