In all the hoopla that was Cisco Live 2016 I hope you didn't miss the launch of Cisco Stealthwatch Learning Network License.  Stealthwatch Learning Network License is a new addition to Cisco's Stealthwatch product family of Network Based Anomaly Detection (NBAD) and visibility products.  Originally developed by a Cisco team led by Cisco Fellow J.P. Vasseur; the Learning Network development team transferred to the Security Business Group in January 2016; joining the former Lancope Stealthwatch engineering organization. Learning Network consists of two components; a router deployed Learning Agent and a centralized Learning Manager.

 

The Learning Network Agent is a open virtualization format (OVA) virtual machine that can be run either in an LXC container in memory on an ISR 4000 router running IOS-XE; or loaded on board a UCS-e module that is then inserted into a an ISR G2 router.  At launch the ISR 4431 and 4451 routers are supported.  Testing is underway to qualify the Learning Agent for use in the ISR 43xx routers.  Other requirements for a router running the Learning Agent are 8 Gb of memory and the Application Experience (or AppX) license level.  That IOS license includes full NBAR and security feature support.

 

The Learning Manager is delivered as a virtual machine; in this case an Ubuntu image with the Learning Manager software pre-installed. The Learning Manager is a multi-user HTML 5 application that is accessed via a web browser.  One Learning Manager can provide command and control for up to 1000 router deployed agents.

 

The Learning Network differs from the rest of the Stealthwatch family in that it was designed to be installed and operate standalone in a branch router.  Upon installation the router configuration is updated to include a predefined Flexible NetFlow record, monitor, and exporter.  That flow monitor is applied on ingress to all router interfaces.  In addition each router interface is designated as either 'internal' if the interface faces the branch or 'external' if the interface faces the core or HQ network.

 

The Learning Agent uses machine learning to build clusters; or groups of like devices whose traffic moves through the router.  Clusters in Learning Network are like administrator defined host groups defined are at the Stealthwatch Management Console (SMC) in that they describe groups of like devices.  Clusters use those internal and external port definitions to refine relationships based on the direction of traffic that they send or receive (internal to external; external to internal, internal to internal, etc,...).   Once clusters are formed their behavior is analyzed and categorized by the agent through the creation of edges; or application relationships between clusters.  All the computers in a cluster that communicate with a server in a different cluster using the DNS protocol might define an edge.

 

The Learning Agent will alert the operator at the Learning Manager when anomalous conditions are detected.  The operator can then use the Agent to deploy a mitigation to remediate the anomaly.  At launch the only mitigation is to create an ACL to drop packets and disrupt the connection; however additional mitigations are planned including the capability to re-route or re-tag packets.  Mitigations are devloped by the operator at the Learning Manager where a library of mitigations is maintained.  The operator can reuse and deploy mitigations from the Learning Manager to any of the Agents.

 

The Learning Network uses Distributed Relevance Learning to allow operators to adjust the settings of the Agents to see more or less of specific anomalies.  This powerful capability is unique to the Learning Network product right now.  Relevance Learning is another feature that allows a learning agent to better understand the network environment where it is deployed and reduce the number of less relevant or irrelevant detection findings that the agent may signal to an operator.

 

Another feature of the Learning Manager is the capability of white listing an anomaly.  The process of white listing allows the operator at the Learning Manager to examine the conditions that were encountered when an anomaly was detected.  The operator can then edit those conditions and create a white list entry.  This is valuable when an anomaly is raised due to a specific set of conditions between a host and a server.  If that is a normal conversation the operator can edit the settings to allow endpoints on that segment to communicate with the server and save that logic as a white list entry.   By white listing an anomaly the operator is declaring that anomaly as not relevant or irrelevant.

 

For more information about Stealthwatch learning Network License see:  Cisco Stealthwatch Learning Network License - Support - Cisco