Cisco’s Network as a Sensor and Enforcer solutions were designed to embed security throughout the extended network, and with the Stealthwatch Learning Network, we have brought that capability directly to the branch network.
The enterprise network is evolving, becoming more complex and dynamic as the Internet becomes even more ubiquitous, and threat actors are taking advantage of this trend to compromise networks and steal data. The ability to see and understand all activity on the network is now a crucial component to combating sophisticated attackers.
But the branch network can be a difficult area to gain operational awareness of. In the past, security teams were often forced to either backhaul branch network telemetry to a centralized location, which can be expensive, or give up branch visibility entirely, which gives attackers a place to operate without much risk of detection.
The Stealthwatch Learning Network License provides branch visibility, threat detection, control, and mitigation capabilities, without the need for extensive hands-on management or complex implementation. It does so by deploying intelligent sensors directly on your 4000-series Integrated Services Router (ISR) using the new IOS XE container feature. These sensors monitor the branch network, automatically build policies based on traffic patterns and user feedback, and report suspicious and anomalous activity to a centralized, web-based management console.
While Cisco Stealthwatch can currently monitor the branch network by using NetFlow export sent to a central Flow Collector, the Stealthwatch Learning Network License uses the software agent on the ISR to read NetFlow and NBAR locally. Also, because it is based on the ISR, the Learning Network License provides mitigation capabilities and control of packet capture.
Use Your Branch Network as a Sensor and Enforcer
The Learning Network License utilizes your branch router to collect a variety of network telemetry, including NetFlow and packet capture, and then uses machine learning, NBAR, and analysis of past activity to identify potential threats and anomalies. This effectively transforms the branch network into a powerful security sensor, providing comprehensive visibility and ensuring there are no blind spots where threat actors can operate undetected.
Because the analysis takes place locally on the ISR, only reporting alarms and necessary packets back to the management agent, the Stealthwatch Learning Network License prevents unnecessary communication and minimizes impacts to network performance. The Learning Network License’s machine learning makes it a lightweight solution with no rules to configure, no signatures needed, and no access-control lists (ACLs).
Instead, the Learning Network License goes through a short self-training period when it is installed, where the Distributed Learning Agent studies how traffic moves on the branch network, both in terms of time of day and volumes, to understand what is happening from user behavior and protocols in use. When this period is over, the Learning Network License is able to detect behavior that differs significantly from the expected norm. This information is further enhanced through other Cisco solutions such as TALOS, which helps identify known threats, and the Identity Services Engine (ISE), which provides user identity information.
When the Learning Network License detects anomalous behavior, it then rates its threat probability and alerts administrators. This way, security operators can quickly evaluate security events, based on severity, and respond. They can also provide feedback through a simple “thumbs up” and “thumbs down” mechanism, which further tunes the policies. This results in more accurate alarms and less “noise” over time.
The other component to effective branch network security is enforcement. Again, because the Stealthwatch Learning Network License is deployed on the ISR, it can respond to attacks by dropping packets, thus mitigating threats from the device level. Responders can initiate this behavior from the management console or instruct the Learning Network License to automatically drop packets that exhibit certain signs. This transforms the branch network into a security enforcer, capable of defending itself from attacks without the need for hands-on management.
Protecting your branch network with the Stealthwatch Learning Network License
Today’s distributed networks are large and complex, making securing them a difficult proposition. When it comes to branch networks, organizations are often forced to decide between paying to backhaul data back to headquarters or leaving the branch network unsecured, which sophisticated attackers will gladly exploit. The Stealthwatch Learning Network License adds a third, viable solution by using your branch router as a powerful security sensor and enforcer. Through the collection of telemetry and sophisticated analysis, threat activity can be detected and mitigated in real time without extensive management or the need to route traffic through a centralized location.
To learn how the Stealthwatch Learning Network License can help secure your branch network, click here.