(844) 773-7734 mk@mkss.us

Mapping Secure Network Analytics (and Cognitive) to NIST CSF Categories and Sub-Categories

Secure Network Analytics uses flow telemetry such as NetFlow, jFlow, sFlow, IPFIX, and packet-level data and helps in reducing the risk to an organisation. It offers network performance monitoring, behaviour-based anomaly detection and advanced threat detection to deliver network visibility into physical and virtual environments from a single platform.

NIST CSF Categories and Sub-Categories

IDENTIFY – Asset Management (H/W and S/W inventories; communication and data flow are mapped)

[ID.AM-3] The Host Locking feature of Secure Network Analytics allows us to establish rules for the flow of data between hosts/host groups. With this feature, we can easily create, change, and audit security policy definitions. We can also quickly identify prohibited services and applications as well as unauthorised access. This helps in improving regulatory compliance, reducing operational risk, and reducing operating costs by improving operational efficiency.

It can help in answering questions like:

  • Where was the data sent? (Flow Table and Quick View for flow)
  • How can I locate the offending host?
  • How long did this connection last?
  • What was the total amount of data exchanged?

IDENTIFY – Risk Assessment (receive threat intelligence; identify threats; identify business impacts; determine risk; prioritise risk responses)

Secure Network Analytics provides complete network visibility and threat- detection solution with detailed forensics capability.

[ID.RA-2] Secure Network Analytics customers have access to our global threat intelligence feed powered by the Cisco Talos. It provides an additional layer of protection against botnets and other sophisticated attacks by monitoring connections from the local network to the internet. This leads to high-fidelity detections and faster threat response.

[ID.RA-3, ID.RA-4 and ID.RA-5] The Alarm Summary and the Alarm Table can help us identify new threats on our network, such as when a new vulnerability is discovered targeting a service of a commonly used operating system. Secure Network Analytics can be used to determine if a particular worm is on our network and to proactively identify potential threats. With all this information, it does help in identifying potential business impact and risk.

[ID.RA-6] High-fidelity alerts are prioritized by threat severity with ability to conduct forensic analysis. This in turn helps in identifying and prioritizing risk responses.

PROTECT – Access Control (Network Integrity Protection)

[PR.AC-5] Cisco Secure Network Analytics helps in protecting network segmentation integrity with behaviour-based anomaly detection

PROTECT – Data Security (data leak protection)

[PR.DS-1], [PR.DS-2], [PR.DS-3], [PR.DS-5] Secure Network Analytics is a must have data leak protection solution with minimal network performance impact. It analyses Flow records (NetFlow, IPFIX, jFlow, sFlow, and packet-level data) and alerts on evidence of information loss. It can send alerts when large amounts of data unexpectedly leave a database server to the internet or to any other unwanted destination. It helps in identifying data leak weather it is ‘At Rest’, ‘In Transit’ or ‘In Use’.

PROTECT – Maintenance (Prevents unauthorised access)

[PR.MA-2] Provides visibility that helps to segment and prevent unauthorised access to Industrial Control and Information Systems

DETECT – Anomalies and Events detection (baselining of operations and data flow; analysing events to understand attack targets; event data collection and corelation; impact and alert threshold)

[DE. AE-1 and DE. AE-3] Host groups are monitored to establish baseline behaviour and thresholds. Cognitive Intelligence helps organisations quickly detect and respond to sophisticated attacks. Using machine learning and statistical modelling of networks, it creates a baseline of normal activity and identifies anomalous traffic occurring within the network. It correlates security events from multiple sources and sensors to reveal unusual patterns and trends that potentially reveal or analytically confirm the presence of a threat with a certain confidence level.

[DE.AE-2 and DE.AE-5] Secure Network Analytics learns normal network traffic patterns and establishes baselines of expected behaviour. It analyses, detects and alerts on network traffic anomalies and suspicious traffic patterns to pinpoint command-and-control communications and data exfiltration.

[DE.AE-4] Alarm Summary and the Alarm Table can help organisations identify new threats on the network (when a new vulnerability is discovered) targeting a service of a commonly used operating system. This information can then help in determining the impact of an event on the business.

DETECT – Security Continuous monitoring (network monitoring; malicious code detection; monitoring unauthorised connections and devices; vulnerability scan)

[DE.CM-1, DE.CM-4, and DE.CM-7] Cisco Secure Network Analytics continually analyses network traffic for signs of unusual or suspicious activity, insider threat activity, the effects of spreading malware or propagation of malicious code.

RESPOND – Incident analysis (Investigate notifications from detection systems; understand the impact of an incident; perform forensics and categorise the incidents as per the response plan)

[RS.AN-1, and RS.AN-2] Secure Network Analytics correlates events from multiple sources and sensors to reveal unusual patterns and trends that potentially reveal or analytically confirm the presence of a threat with a certain confidence level. This helps in investigating notifications from detection systems and understanding the impact of an incident.

[RS.AN-3 and RS.AN-4] Cisco Secure Network Analytics analyses Flow records for forensics analysis during and after an event. It reveals the answers to the following questions and helps in deciding the appropriate response and recovery plan:

  • What is the traffic pattern?
  • Which systems communicated?
  • When this happened?
  • How much data was exchanged?

[NB: For high level mapping of other Cisco Security Products to NIST CSF, please read my previous Blog here]


Install and Upgrade Guides

Network Analytics At-a-Glance

Network Analytics Datasheet

Solving Business problems with Stealthwatch

Stealthwatch and Cognitive Intelligence

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels