Stealthwatch Cloud Sensor Install

In this video, I'm going to walk through the installation of a Stealthwatch Cloud sensor in my LAN environment. Be aware that Stealthwatch Cloud is different from Stealthwatch Enterprise. Stealthwatch Cloud gives you visibility into private networks, public clouds and hybrid environments.

Some of the observations and security use cases that Stealthwatch Cloud detects include:

  • Amazon GuardDuty reporting suspicious API calls

  • Amazon GuardDuty reporting suspicious DNS requests

  • Amazon GuardDuty reporting suspicious network connections

  • Inspector findings reported for an AWS resource

  • Device(s) using a profile for the first time in a way that differs from the typical behavior seen on the network (e.g., an abnormally high number of devices using the profile for the first time, or sending anomalous traffic)

  • AWS API was accessed from IPs on a watchlist

  • Detected AWS resource that may violate AWS Well-Architected guidelines

  • AWS CloudTrail events reported for a device

  • Configuration compliance reported for an AWS resource

  • Updated configuration reported for an AWS resource

  • AWS Lambda function that had unusual activity on one of its metrics

  • Multifactor authentication being removed from a user account

  • CloudTrail logging an AWS user doing an action for the first time

  • An action was performed using the AWS root account

  • Azure Advisor generating a recommendation for an ARM resource

  • Unusual activity detected in the Azure Activity Logs

  • Device used a non-standard protocol on a standard port (e.g., UDP on port 22).

  • Profile set for the device is similar to the profile set of other devices with which the device has not recently been associated.

  • Device resolved a domain listed as an IOC for a known threat

  • Device interacted with a hostname listed as an IOC for a known threat. This observation uses information from Enhanced NetFlow (Encrypted Traffic Analytics)

  • Device communicating with an IP address listed as an IOC for a known threat

  • Device interacted with a URL listed as an IOC for a known threat. This observation uses information from Enhanced NetFlow (Encrypted Traffic Analytics)

  • Device communicating with a set of countries different from its usual one

  • Device attempting to contact an algorithmically generated domain (e.g., qhjvd-hdvj.cc).

  • Device succeeding in resolving an algorithmically generated domain (e.g., rgkte-hdvj.cc) to an IP address

  • Domain Controller device communicating with unusual external ports

  • Device initiating excessive connections to network printers

  • Device communicating with many external mail servers

  • A device on the local network scanned (or was scanned by) a remote IP address.

  • A GCP cloud function has unusual activity on one of its metrics

  • Device communicating with watchlisted geographic region.

  • Device maintaining a heartbeat with a remote host.

  • One of the source's metrics deviates significantly from its historical baseline

  • Device is observed using an insecure transport protocol. This observation uses information from Enhanced NetFlow (Encrypted Traffic Analytics)

  • Forbidden communication between two internal IP endpoints was detected

  • An IDS saw traffic matching a suspicious signature

  • Device scanning a large number of devices

  • Device maintaining a long-lived session with an external IP address

  • Device has multiple failed application (e.g., FTP, SSH, RDP) access attempts

  • Network printer initiating excessive connections to other devices

  • A usually predictable local device communicating with an external device

  • Device started communicating with an external server

  • Device has exchanged a large amount of traffic with a new host

  • A usually predictable local device communicated with a new internal device

  • After not being seen in the lookback period, a new device emerges on the network.

  • Device exchanging an unusually large amount of data with an external host

  • Device exchanging an unusually large amount of data with an internal host

  • Device matches a profile tag (e.g., FTP server) that it hasn't matched recently

  • This device has regularly communicated with the same external server (FTP, SSH, etc.)

  • A record number of IP addresses were observed communicating on the local network

  • Device scanning a large number of ports

  • A similarly sized, and closely timed, data transfer was detected from an internal data source to this device (the "download"), and then from this device to an external data sink (the "upload")

  • A public Amazon Route 53 hosted zone is created

  • A public-facing IP in your network is discovered on a watchlist (either explicitly or implicitly via a domain name)

  • User logged in to many devices in a short period

  • Device sent or received a record amount of traffic

  • Device sent or received a record amount of traffic that matched a known profile

  • Device was accessed from a remote source

  • Device has new traffic that doesn't fit its role (e.g., FTP server communicating on port 80)

  • An active scanner (e.g., nmap) was detected probing a device

  • SumoLogic Active Directory: A user session was closed

  • SumoLogic Active Directory: A user session was opened

  • Device normally talks to a static set of (internal/external) devices, but has recently started/stopped talking to new/normal devices

  • Device normally uses a static set of (local/connected) ports for (internal/external) communications, but has recently added/dropped ports

  • Device may be contributing to logs hosted by Sumo Logic

  • Multiple devices have performed anomalous activity using the SMB protocol for the first time

  • Device's outbound and inbound traffic did not match the typical ratio associated with the profile it was using. This could indicate participation in an amplification attack

  • No recent activity seen for an AWS resource

  • Device communicated with an unusual DNS resolver

  • Device sent or received packets that are unusually sized for the given profile

  • Device communicated with an IP address that is on a watchlist (either explicitly or implicitly via a domain name)

  • Device looked up a watchlisted domain
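Many of the network-side observations above (port scanning, non-standard protocol on a standard port, heartbeats, long-lived sessions, record traffic volumes) are computed from nothing more than flow records, which is exactly what the LAN sensor exports to the cloud. The following is an added example, not Cisco's code and not an implementation of Stealthwatch Cloud's own analytics: it decodes a NetFlow v5 export datagram (the fixed 24-byte header and 48-byte records, as documented by Cisco) and applies three simplified heuristics modelled on the "scanning a large number of ports", "non-standard protocol on a standard port" and "heartbeat with a remote host" observations. The internal address ranges, the port-to-protocol table, the thresholds and the sample export datagram are all assumptions constructed for the example.

```python
"""Decode NetFlow v5 exports and apply three flow-based heuristics (added example)."""
import struct
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_network

NF5_HEADER = struct.Struct("!HHIIIIBBH")                # 24-byte export header
NF5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48-byte flow record
TCP, UDP = 6, 17
# Assumption: the internal ranges a sensor would be configured with.
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: transport protocol(s) expected on a few well-known ports.
STANDARD_PORTS = {22: {TCP}, 25: {TCP}, 80: {TCP}, 443: {TCP}, 3389: {TCP}, 123: {UDP}, 161: {UDP}}


@dataclass
class Flow:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    proto: int
    packets: int
    octets: int
    first_ms: int  # exporter sysUpTime (ms) at first packet of the flow
    last_ms: int   # exporter sysUpTime (ms) at last packet of the flow


def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)


def parse_netflow_v5(data):
    """Decode one NetFlow v5 export datagram into Flow records."""
    version, count, *_ = NF5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not a NetFlow v5 export (version={version})")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _ifin, _ifout, pkts, octets, first, last, sport, dport,
         _pad, _flags, proto, *_rest) = NF5_RECORD.unpack_from(data, NF5_HEADER.size + i * NF5_RECORD.size)
        flows.append(Flow(IPv4Address(src), IPv4Address(dst), sport, dport, proto, pkts, octets, first, last))
    return flows


def port_scans(flows, min_ports=15):
    """'Device scanning a large number of ports': many distinct dst ports from one src to one dst."""
    ports = defaultdict(set)
    for f in flows:
        ports[(str(f.src), str(f.dst))].add(f.dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def protocol_port_mismatches(flows):
    """'Non-standard protocol on a standard port', e.g. UDP to port 22."""
    return [f"{f.src}->{f.dst}:{f.dport} proto {f.proto}"
            for f in flows if f.dport in STANDARD_PORTS and f.proto not in STANDARD_PORTS[f.dport]]


def heartbeats(flows, min_beats=5, jitter_ms=2000):
    """'Device maintaining a heartbeat with a remote host': evenly spaced, similarly sized
    flows from a local host to the same external host and port. Returns the period in ms."""
    by_pair = defaultdict(list)
    for f in flows:
        if is_local(f.src) and not is_local(f.dst):
            by_pair[(str(f.src), str(f.dst), f.dport)].append(f)
    found = {}
    for pair, fl in by_pair.items():
        if len(fl) < min_beats:
            continue
        fl.sort(key=lambda f: f.first_ms)
        gaps = [b.first_ms - a.first_ms for a, b in zip(fl, fl[1:])]
        sizes = [f.octets for f in fl]
        if max(gaps) - min(gaps) <= jitter_ms and max(sizes) <= 2 * min(sizes):
            found[pair] = sum(gaps) // len(gaps)
    return found


def _record(src, dst, sport, dport, proto, pkts, octets, first_ms, last_ms):
    """Pack one v5 record (nexthop, ifindex, TCP flags, ToS and AS fields zeroed, /24 masks)."""
    return NF5_RECORD.pack(IPv4Address(src).packed, IPv4Address(dst).packed, b"\0" * 4, 0, 0,
                           pkts, octets, first_ms, last_ms, sport, dport, 0, 0, proto, 0,
                           0, 0, 24, 24, 0)


def build_sample_export():
    """Constructed export datagram: a 20-port scan, one UDP flow to port 22, a 60 s beacon."""
    recs = [_record("10.0.0.5", "10.0.0.20", 40000 + i, 20 + i, TCP, 1, 60, 1000 + i, 1000 + i)
            for i in range(20)]
    recs.append(_record("10.0.0.7", "10.0.0.20", 51000, 22, UDP, 3, 300, 5000, 5100))
    recs += [_record("10.0.0.9", "203.0.113.10", 52000 + k, 443, TCP, 4, 512 + 10 * k,
                     10_000 + 60_000 * k, 10_150 + 60_000 * k) for k in range(6)]
    header = NF5_HEADER.pack(5, len(recs), 400_000, 1_700_000_000, 0, 0, 0, 0, 0)
    return header + b"".join(recs)


if __name__ == "__main__":
    flows = parse_netflow_v5(build_sample_export())
    print("port scans:", port_scans(flows))
    print("protocol/port mismatches:", protocol_port_mismatches(flows))
    print("heartbeats (period ms):", heartbeats(flows))
```

Two design points carry over to the real product. First, "internal" versus "external" is a configuration decision, not something you can read off an address (the TEST-NET range used here is treated as external only because it is outside the configured local ranges), which is why a sensor deployment starts with telling the service which subnets are yours. Second, every heuristic above is a threshold on a baseline; the thresholds here are fixed guesses, whereas the observations listed above are phrased relative to each device's own history, so expect to tune and to treat a single observation as evidence rather than a verdict.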

Stealthwatch Cloud can natively integrate with AWS, Azure, GCP, Kubernetes, Meraki, and Umbrella to give you visibility into those environments. You can also install Stealthwatch Cloud sensors locally on your LAN to feed it data from NetFlow, Enhanced NetFlow (Encrypted Traffic Analytics, ETA), IPFIX and sFlow, and a sensor can even collect raw traffic from a SPAN (mirror) port.

As promised in the video, here's the link for a 60-day Stealthwatch Cloud trial: https://www.cisco.com/c/en/us/products/security/stealthwatch/stealthwatch-cloud-free-offer.html