1
00:00:00,790 --> 00:00:07,220
When NetFlow was first put to use it was mainly for simply gaining visibility into application bandwidth

2
00:00:07,220 --> 00:00:10,490
usage between IP addresses.

3
00:00:10,490 --> 00:00:17,870
Now it is rapidly rising as an integral part of security monitoring. Products like Stealthwatch use

4
00:00:17,870 --> 00:00:25,420
NetFlow data to create a full picture of a network with drill-down security analysis features.

5
00:00:25,700 --> 00:00:33,340
Here's a Stealthwatch dashboard. Stealthwatch is a Lancope product which has been purchased by Cisco.

6
00:00:33,440 --> 00:00:39,620
It works by simply sending NetFlow data from all of your network devices to a Stealthwatch collector,

7
00:00:39,980 --> 00:00:46,940
and it has the ability to correlate information and give you context for IPs, users and activity on

8
00:00:46,940 --> 00:00:48,290
the network.

9
00:00:48,290 --> 00:00:53,840
You can see on the top of the dashboard it has a nice summary of the different attacks that exist on

10
00:00:53,840 --> 00:00:54,810
your network.

11
00:00:55,250 --> 00:00:59,720
The flow collection trend at the bottom of the dashboard can be helpful to see if there are anomalies

12
00:00:59,960 --> 00:01:01,150
on the network.

13
00:01:01,220 --> 00:01:08,030
So if normally I'm peaking my flows at around 700 and then all of a sudden I have a day of 900 or close

14
00:01:08,030 --> 00:01:14,630
to that, to me that would be a traffic anomaly and I would want to drill into what users and IPs were creating

15
00:01:14,630 --> 00:01:16,540
all these extra flows.

16
00:01:18,970 --> 00:01:24,400
Now take a look at how you can drill down into attacks that have happened on your network. If we go to the

17
00:01:24,400 --> 00:01:30,850
Network tab and then Hosts, on the right side we have a nice list of hosts on our network sorted by overall

18
00:01:30,850 --> 00:01:32,390
severity.

19
00:01:32,620 --> 00:01:36,090
So it looks like this top host here has had the most policy violations.

20
00:01:36,490 --> 00:01:43,250
So that might be a host that I want to dig into to see what kind of activity they've had on our network. If we

21
00:01:43,250 --> 00:01:50,100
look at the alarm section here there is a list of how many events have occurred for each type of attack.

22
00:01:50,990 --> 00:01:51,700
I'm going to click on

23
00:01:51,700 --> 00:01:57,580
Exfiltration and we'll drill down into this attack and try to see what IP address and user triggered

24
00:01:57,580 --> 00:02:00,640
this alarm.

25
00:02:00,670 --> 00:02:06,670
So it looks like we have one host that has had traffic that's matched exfiltration, and it looks like

26
00:02:06,760 --> 00:02:12,640
the host is part of our compliant systems group. I'm going to click on the host address.

27
00:02:18,210 --> 00:02:19,770
Well, this is interesting.

28
00:02:19,870 --> 00:02:28,930
I can see that that host is sending data to China and the alarms that it's been triggering are suspect data

29
00:02:28,930 --> 00:02:32,110
loss and data exfiltration.

30
00:02:32,380 --> 00:02:39,540
If I scroll down I can even see what user account is being used for these exfiltration items.

31
00:02:41,350 --> 00:02:47,530
So just by analyzing NetFlow data, Stealthwatch has been able to tie all these pieces together for me.

32
00:02:47,530 --> 00:02:52,730
And now I know that I need to remove this host and possibly user from the network.