Network visibility is crucial to running a strong network security practice. Oftentimes when organizations first deploy Cisco Stealthwatch, it uncovers previously unknown risky or suspicious activity on the network. In some cases, it detects an outright breach.
With Halloween right around the corner, I wanted to share five cases where Stealthwatch uncovered risky or malicious activity in a customer environment. If you want to hear similar stories, please attend my webinar "What you can't see CAN hurt you - and other network horror stories" on Thursday, Oct 18, at 1 p.m. ET/10 a.m. PT.
A K-12 school system struggled for months with identifying the root cause of performance impacts to its student information system, a service critical to its day-to-day educational needs. Within 7 days of implementing Stealthwatch, the system administrator identified a forgotten server that had been compromised and was launching denial-of-service (DoS) attacks against the student information system from the network. Because the server had an alternate, unsanctioned path to the Internet and only targeted internal systems, the attacks circumvented the school's other security measures.
A banking and brokerage company purchased Stealthwatch to detect distributed-denial-of-service (DDoS) attacks against its systems. While evaluating the Stealthwatch solution, system administrators also detected three hosts propagating malware and multiple hosts making insecure Telnet connections. Of more concern, they found significant outbound traffic to suspicious servers in China and Israel, countries where the company did no business.
A government agency discovered several hundred abnormal connections to its network from more than 10 different countries. On further investigation, the agency discovered a printer that had been installed to expedite a project and left operational. The printer remained unpatched with default credentials and was accessible from the Internet. Attackers discovered the printer and used it to gain access to the network and wreak havoc.
Within 2 weeks of monitoring its network with Stealthwatch, a healthcare company identified malicious activity. Almost immediately, it spotted peer-to-peer (P2P) file sharing leaving the network for servers based in China and Russia, countries where the company does no business. Additionally, the company discovered fake antivirus software that had infected several hosts and was communicating with outside servers.
A banking company suspected attackers might be using its network to compromise customer accounts. After implementing Stealthwatch, the company discovered application tunneling, which was bypassing its firewall rules and connecting with servers in Ukraine, Lithuania, and other suspicious countries. The bank also discovered multiple hosts that were infected with Dridex, a piece of botnet malware that targets banks and other financial institutions.
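The five cases above share a pattern: once flow records are collected, a few simple questions expose the problem hosts (who is talking to countries we do no business with, who is still using Telnet, which internal host is flooding another internal host). The following is an added example, not Stealthwatch code or any Cisco detection logic, that runs those three checks over a handful of constructed flow records. The country attribution on each record is assumed to come from an upstream GeoIP lookup, the internal address range and the packet threshold are hypothetical, and the IPs are documentation addresses.

```python
"""Flow-record triage for the three kinds of findings described in the cases above.
Added example with constructed data; not Stealthwatch or Cisco code."""
from collections import Counter
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Flow:
    src: str          # source IP
    dst: str          # destination IP
    dst_port: int     # destination port
    packets: int      # packets observed in this record
    dst_country: str  # assumption: filled in by an upstream GeoIP lookup


# Hypothetical internal address space for this example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed sample flow records (documentation IPs, not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.5.20", "10.0.1.10", 443, 40, "INTERNAL"),      # normal use of an internal app
    Flow("10.0.9.99", "10.0.1.10", 80, 9000, "INTERNAL"),     # forgotten server hammering it
    Flow("10.0.9.99", "10.0.1.10", 80, 8500, "INTERNAL"),
    Flow("10.0.5.21", "203.0.113.7", 23, 12, "US"),           # clear-text Telnet session
    Flow("10.0.5.22", "198.51.100.4", 443, 300, "CN"),        # outbound to unexpected country
    Flow("10.0.5.22", "198.51.100.5", 6881, 120, "RU"),       # P2P-style port, unexpected country
    Flow("10.0.5.23", "192.0.2.10", 443, 55, "US"),           # ordinary outbound HTTPS
]


def unexpected_geography(flows, expected_countries):
    """Outbound flows to countries where the organisation does no business."""
    hits = {
        (f.src, f.dst, f.dst_country)
        for f in flows
        if is_internal(f.src) and not is_internal(f.dst)
        and f.dst_country not in expected_countries
    }
    return sorted(hits)


def cleartext_telnet(flows):
    """Any host using Telnet (TCP/23), which carries credentials in the clear."""
    return sorted({(f.src, f.dst) for f in flows if f.dst_port == 23})


def internal_flood(flows, packet_threshold):
    """Internal sources sending an abnormal packet volume to one internal host.

    Internal-to-internal traffic never crosses the perimeter firewall, which is
    why the school case above went unnoticed until flow data was examined.
    """
    totals = Counter()
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst):
            totals[(f.src, f.dst)] += f.packets
    return sorted((pair, n) for pair, n in totals.items() if n >= packet_threshold)


def triage(flows, expected_countries=frozenset({"US"}), packet_threshold=10000):
    """Run all three checks and return the findings keyed by category."""
    return {
        "geo": unexpected_geography(flows, expected_countries),
        "telnet": cleartext_telnet(flows),
        "flood": internal_flood(flows, packet_threshold),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_FLOWS).items():
        print(category, findings)
```

The point is not the specific thresholds but that each finding in the stories above reduces to a question the flow data can answer directly; in practice the expected-country set comes from where the business actually operates, and the flood threshold is tuned against a baseline of normal server traffic rather than fixed.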
If you would like to hear more network security horror stories, or just want to learn more about Cisco Stealthwatch, please attend my webinar "What you can't see CAN hurt you - and other network horror stories" on Thursday, Oct 18, at 1 p.m. ET/10 a.m. PT.