| 1 |
After clicking the VIEW button it may take a few moments for the login landing page to appear. If necessary the following credentials can be used
to log in as Auditor@cisco.com using password C1sco12345 otherwise you should land on the Cisco Cyber Vision dashboard.
|
| 2 |
You will be at the main dashboard:
|
| 3 |
Note the system has already had data loaded for demo purposes. There is currently no live traffic in the system.
|
| 4 |
This dashboard provides a quick view into system activity and consists of 2 parts: Operational overview and Security overview.
Operational overviewtab gives the information about the following:
-
Protocol distribution – Number of activities catched for different protocols
-
Most critical events – List of latest event grouped by severity
-
Preset highlights – information such Risk score, Last precomputation, Devices, Vulnerabilities and Events numbers for different built-in presets
|
| 5 |
Click the Security overview tab.
|
| 6 |
You get Security overview view.
  It contains the following information:
-
Vulnerable devices – Number of vulnerable devices grouped by severity
-
Devices by risk score – Number of devices with risk score assigned grouped by risk score severity
-
Most critical events – Last 10 events sorted by severity
-
Events by category – Number of security events for different categories
-
Preset highlights – information such Risk score, Last precomputation, Devices, Vulnerabilities and Events numbers for different built-in presets
|
| 7 |
Note the navigation bar on the left-hand side:
|
| 8 |
You will go through these sections as you navigate this demonstration. Also note the bar can be minimized by clicking the
left-hand pointer at the bottom of the bar (or expanded back by clicking the right-hand pointer at the bottom when minimized):
|
| 9 |
Select the Explore menu from the top left-hand side:
|
| 10 |
The first screen that loads is the Presets section. Note at the top of the screen the navigation bar shows you the location
where you are: Explore / All Presets /. This will change as we continue to navigate through the screens.
|
| 11 |
In the Cyber Vision Center a preset is essentially a set of filters to only look at the information a user is concerned with.
This may be a method to filter to only look at a specific type of device or devices only in a specific area.
|
| 12 |
Note there are two types of presets: system presets that are pre-populated and custom presets that users create. Our demo system today has custom presets already created that are not part of a fresh install.
All custom (user created) presets are under the My preset section, all the others are system presets.
|
| 13 |
Scroll through the list and note the various types of system presets. Since Cyber Vision is a tool that can be used by IT
users, Operational Users, and Security professionals you can see how some of the automatic presets can allow those personas
to quickly access the information they are concerned with.
|
| 14 |
Click the [Munich] OT Traffic preset under the My preset section.
|
| 15 |
Note that when the page loads, the navigation at the top shows you are at the Explore / [Munich] OT Traffic / Dashboard:
|
| 16 |
At any point you can change the preset or the view from the drop-downs in the navigation bar.
|
| 17 |
The Dashboard is another quick highlight view of all the devices inside the selected preset. In this case we are looking at everything
that is essentially Control System Behavior—not broadcast or ARP traffic. But first we need to change the date frame of our
fabric window. The following steps set a time frame that matches our test network database since we do not have a live network
available.
|
| 18 |
Notice there is a time frame shown near the top (actual times displayed will vary). This allows you to filter on what time
range you want to view data. By default, this view is set to the last hour, though may be different on the display due to
the nature of the instant demonstration environment. As mentioned, this system is Looking at stale data so let us change that
to look at a larger time frame. Click the Pencil icon ( ).
|
| 19 |
Timespan Settings pop-up appears. From the Duration drop-down list select Custom period, enter 30d (which means 30 last days) and then click OK.
|
| 20 |
Now dashboard populates with the data.
|
| 21 |
Notice that various places in the interface use this time range. This ability to look at data from any point and time provides
the ability to go back and see what has changed over time or if any unexpected behavior has occurred. This allows Cyber Vision
to be the industrial networks ‘Flight recorder’. Some fields may differ unless otherwise noted.
|
| 22 |
In the dashboard you see information at the top of the page including the global risk score, number of devices, activities,
vulnerabilities and eventsvariables. There is also a count of the number of variables and credentials. If Cisco Cyber Vision
sees any credentials, here we will see a count of those (there are none in this demo data).
Note: New in Cyber Vision v4.0. Preset data are now pre-computed. Cyber Vision automatically updates data in the background when changes occur. Click Refresh or New data to update shown data.
|
| 23 |
Also note the tags at the bottom of the page.
|
| 24 |
Multiple tags can be applied to a single device or activity. Tags are a method to simplify the information learned about a
device or an activity without requiring the user to understand all the specifics of what a device is or how a protocol works.
Tags are automatically applied by Cisco Cyber Vision and are not modifiable here in the GUI. However, a user can create their
own tags and rules on how they are applied via the RESTful API, which is beyond the scope of this demonstration.
|
| 25 |
Note the filter information on the left-hand side. You can hide filter details of each category by clicking the carat to the right of each entry.
 Note: If a device has multiple tags for example broadcast and arp, if you exclude broadcast, you still see the device since it is
also arp. Tags, groups, and source sensor are the high-level filters available here.
|
| 26 |
At the top navigation bar, choose the drop-down next to Dashboard and then select Map.
|
| 27 |
The Map is essentially showing a logical view of which devices and activities are part of the preset. If devices are grouped, they
show (in a colored box) what group they are part of (nested groups supported). The activity between the devices is shown in
the form of links or arrows. Note, this is a logical view of how devices are communicating; it is not a physical or topology
view.
|
| 28 |
The devices are laid out by the system, but you can select the Camera fit icon 
in the lower-left corner to return to the system default layout.
 If what is displayed does not match the image above, click Explore from the left pane and then select the [Munich] OT Traffic preset. You can zoom in and out using the controls in the lower left of the graphic window: 
|
| 29 |
PDF and CSV export is implemented across the platform. Several buttons are available in the GUI to download list or map as
csv and pdf files. On the top right will see the Export to PDF icon. Click over the icon to generate the PDF file. Now at the bottom left of your screen will see the pdf file downloaded.
Click on the file to open the PDF MAP.
|
| 30 |
The legend in the top-left shows the color coding related to the activity between devices.
 Note: New in Cyber Vision v4.0. Cyber Vision 4.0 now lists Devices while Cyber Vision 3.x was listing Components.
Component: Hardware identified by a MAC or IP addresses or Slot IDs. Can be directly related to the network logic of the OT process
Device: Physical devices made of several components. Can be directly related to the device performing a certain task in the industrial
process
New double-border icons (
) indicate a device on the Map.
|
| 31 |
In this view we can quickly see there is important traffic and control system behavior that has been observed between these
devices. Icons of the device/vendor are applied to known devices. If there is a device that does not have enough information
or is unknown to Cyber Vision, it will show as a gear icon.
|
| 32 |
Cisco Cyber Vision Map have the ability to aggregate activities to simplify the view. Activities with groups or with aggregated
objects are now presented in a specific representation, which will replace several flows displayed on the map. Aggregation
is enabled by default, to show network activities check the corresponding checkbox.
 Note: [Munich] OT Traffic preset is configured such way that there are no activities on the map which can be aggregated. You can check how this feature
works using [Lyon] IT Traffic or [Munich] IT Traffic presets.
|
| 33 |
Vulnerabilities are shown as a number in a red circle on the top-left of the device icon.
|
| 34 |
Click the S7-400 station_1 icon.
|
| 35 |
A slider pane will appear from the right side and show more details about the device. From here the tags quickly show what
types of activities have been observed such as a Start CPU and Stop CPU command as well as variables that have been read.
This again shows the benefit of the automated tagging that quickly bubbles up information without requiring a user to have
a deep understanding or needing to look at all the flow information. There is also information about Risk score (will be covered
later) and components of this device.
|
| 36 |
At the bottom of the slide out we can quickly see the number of activities, events, vulnerabilities, credentials, and variables
we have observed related to this device.
|
| 37 |
Click the Technical Sheet link near the middle of the slide out:
|
| 38 |
Here are more details that Cyber Vision has learned about the device such as the vendor, model name, fw-version, and more.
If you scroll to the bottom you can also see a list of components of the device as well as an explanation of the component
tags that have been applied to the device.
|
| 39 |
Click the Risk score tab.
 Note: New in Cyber Vision v4.0. Risk scoring helps focus on what’s important.
-
Guides non-expert users to devices they should deal with first
-
A first step in security management to help make urgent decisions
-
Provides simple information on the security posture
Defining the Cyber Vision risk scores:
|
| 40 |
Click the Security tab.
|
| 41 |
Here users can see a number of vulnerabilities that are known about this device. Historically the vulnerability information
was provided via a curated list that users could upload to the system offline to update the database. The Cyber Vision Center
essentially is matching all the information it knows about the device with known vulnerabilities against that type of hardware,
version of firmware, etc.
You can see the vulnerability description, if there is a solution and what that is, the Common Vulnerability Scoring System(CVSS) score, and any relevant links such as from the vendor or ICS-CERT. Users also have the ability to acknowledge the issue or essentially say why they are not going to correct it, to reduce
the amount of displayed vulnerabilities against systems they cannot update or that are not relevant, i.e. a vulnerability
for a PLC WebServer that the user disabled.
|
| 42 |
Next click the Activity tab.
|
| 43 |
Here users can see a focused Minimap that shows only the activity and flows directly related to this device.
|
| 44 |
Scroll to the bottom of the page to see more details about observed activities such as when the activity was first and last
observed, the number of packets and bytes, and the direction of the flow. This also highlights the tags that are being applied
to what activity which highlights the application level information.
|
| 45 |
Click the line of the activity that has the Start CPU, Stop CPU, and S7 Tags.
|
| 46 |
A sliding pane appears on the right-hand side with summary about the selected activity. Click Flows counter.
|
| 47 |
You get a flow table for the selected activity. Click the flow with Start CPU, Stop CPU and S7 tags.
|
| 48 |
This screen shows greater detail about the specific flow and protocol level details. Since this is a Siemens device leveraging
the S7 protocol, we can see several commands were issued including a plc-stop command and a plc-control command.
This detailed view provides a user more granular understanding of exactly what has been sent to the PLC, such as commands
and the number of occurrences, to identify any anomalous behavior or trace down any changes to the environment. For a user
who is an expert in industrial protocols this information is very useful to gain an understanding of all that is happening.
This also shows the benefit of the tags, as without protocol level understanding, it may be difficult to look at these details
and fully understand what has occurred.
  Click the 
in the top-right to return to the Map view.
|
| 49 |
At the top navigation choose the Map drop-down and then select Device list.
|
| 50 |
The Device list is a table view of all the devices and their components, within the selected preset, that have been discovered
by the Cyber Vision Center. Note we can quickly see information including the IP, MAC, associated tags, risk score, activities,
vulnerabilities, and variables, as well as the vendor, OS, Model, and Firmware where applicable. At any point you can also
click a device to view the device information on the right side slider, as in the Map view.
|
| 51 |
Now click over Export to CSV, at the bottom left of your screen will a CSV file, click on that to open, a text Import form
will appear, please click OK to open the file. Once the file is opened will see Name, Group, Industrial Impact, First Activity,
and other.
|
| 52 |
At the top navigation choose the Device list drop-down and then select Activity list.
|
| 53 |
This view provides a table of all the activities that match the current preset. Note this is not flows, but a high-level summation
of the flows observed and the communication between the devices. Just as before we can see information counts and tags associated
with these activities. Export to CSV is available in the activities list, that can be found to the right side top of the screen.
|
| 54 |
You can select any activity and a more detailed view of that specific activity will show on the right-hand slider. Please
select the activity between Dell 192.168.105.70 and STATION devices as an example.
|
| 55 |
The appearing slider is exactly the same we covered on step 46.
|
| 56 |
Click the X in the upper right-hand corner when done to close the slider.
|
| 57 |
At the top navigation choose the Activity list drop-down and then select Vulnerabilities.
|
| 58 |
For each preset, a new view is now available - Vulnerability Dashboard:
-
Gives the top 10 vulnerabilities plus full inventory list
-
Is based on presets to drill down data by tags, subnets, VLANs, groups and/or sensors
-
Gives links to quickly identify affected components
-
Displays additional context for impact and remediation 
|
| 59 |
Click any Vulnerability title to get detailed information about the vulnerability in a slider pane which appears on the right-hand
side.
|
| 60 |
Close the Vulnerability details slider pane. Click Affected components counter for CVE-2017-12741 vulnerability.
|
| 61 |
You get a slider pane on the right-hand side with a list of componets affected by the vulnerability.
|
| 62 |
Close the sliding pane. At the top navigation choose the Vulnerabilities drop-down and then select Perdue Model.
|
| 63 |
The purpose of this view is to overlay the devices in a Purdue model approach (IEC 62443). The Purdue model is an approach designed to identify devices in levels (0-5) dictated by their function.
Level 0 devices interact with the real world (proximity sensors, actuators, valves). Level 1 devices interact with level 0
devices (I/O block), level 2 with level 1 (PLC) and so on. Since Cyber Vision has an understanding of the devices, this is
a view to overlay the device type against the levels.
Note that many devices could fall into different levels (such as a PLC) so the task of identifying the level is difficult.
The tags are what we use to assign the Purdue Level.
-
Level 0 devices interact with the real world (proximity sensors, actuators, valves)
-
Level 1 devices interact with level 0 devices (I/O block)
-
Level 2 with level 1 (PLC) and so on
Since Cyber Vision has an understanding of the devices, this is a view to overlay the device type against the levels. Note
that many devices could fall into different levels (such as a PLC) so the task of identifying the level is difficult. The
tags are what are used to assign the Purdue Level.
|
| 64 |
At the top navigation choose the Perdue Model drop-down and then select Security Insights.
|
| 65 |
[Munich] OT Traffic preset configured to display information about OT activity only that’s why you don’t see any DNS or HTTP requests and SMB
Tree Names.
|
| 66 |
Let’s open [Munich] IT Traffic preset. At the top navigation choose the [Munich] OT Traffic drop-down and then select [Munich] IT Traffic.
|
| 67 |
Now the Security Insights page is popolated with information about captured DNS and HTTP requests, SMB Tree names, as far
as flows with no tags. You can use a corresponding tab to see necessary information.
|
| 68 |
On the left side select the Reports menu.
|
| 69 |
While the data from Cyber Vision can be accessed via the GUI or via the RESTful API, there are scenarios such as compliance
where having a detailed report is beneficial or even required. The four types of reports available are:
-
The Inventory report in the Cyber Vision Center including component details
-
An Activity report including the details of flows between devices
-
A Vulnerability report including details of why relevant
-
A PLC report which focused on PLC specific information such as variable access
|
| 70 |
Select the Activity report.
|
| 71 |
In the History section select one the reports that has been previously generated. The figure below shows an example of a previously created
report. Click the download icon to view it in a new tab. For demonstration purposes, this will save the time it takes for a new report to be created.
|
| 72 |
You will see the report being opened viewed in a new browser tab.
|
| 73 |
Return to the Reports - Cisco Cyber Vision browser tab and then select Events on the left side.
|
| 74 |
You get the Events Dashboard. Events are grouped by Severity (colored circles):
|
| 75 |
Click Calendar in the top-right corner to switch to the calendar view.
|
| 76 |
In the calendar view you see events in the chronological order.
|
| 77 |
From this view you can select different timeframes to show: Day, Week, Month, Year.
|
| 78 |
You can filter events by severity clicking on corresponding colored rectangle. Click on the orange rectangle to show only
High Severity Events.
|
| 79 |
You can see the current filter applied on the top of the screen. Click X near ‘high’ to reset the currently applied filter by high severity.
|
| 80 |
Select Monitor on the left side.
|
| 81 |
New baselines can be created from the presets. Then the Cyber Vision can detect changes happened to this baseline and alert
you about them. Demo Baseline has been created for All Data preset in this lab. You can see that 34 changes has happened after
the baseline creation. Click on DemoBaseline to see the changes.
|
| 82 |
You get the Component list table where you can see New and Changed components.
|
| 83 |
Click Dell 10.0.0.10 component.
|
| 84 |
You get a sliding pane with brief information about the component. Click any property to display more detailed information.
|
| 85 |
You can check Tags and Properties of the component.
|
| 86 |
Click Investigate with flows link to get all the flows associated with the component.
|
| 87 |
Click Collapse to close the sliding pane with flows.
|
| 88 |
Click X to close the sliding pane with the component details.
|
| 89 |
Now click on 9 new activities to see the list of new/changed activities.
|
| 90 |
You get the activities list of the baseline.
|
| 91 |
Click LD810EP to Dell 10.0.0.10 activity and then click any assigned tag.
|
| 92 |
You get the activity details.
 Note:
New in Cyber Vision v4.0. New Snort activity tags. Specific tags associated with events detected by the Snort IDS and provide more precise context
to understand malicious activities.
 |
| 93 |
Click Investigate with flows to get a list of flows associated with this activity.
|
| 94 |
Click X to close the activity slider pane.
|
| 95 |
At the top navigation choose the Activity list drop-down and then select Map.
|
| 96 |
You get the map view where you can see New (solid red line), Changed (dotted red line) and Unchanged (solid grey line) components.
|
| 97 |
Select Search on the left side.
|
| 98 |
Another very useful tool in Cisco Cyber Vision is this ability to search. Imagine Rockwell suddenly releases an advisory for
version 16.3 of their firmware and you need to know exactly where these devices are located. One option is to do a search
here. In the search bar type 16.3 and then click Search. Here you can see the result is a 1756-L55/A and you could access the technical sheet for that device on the right side.
|
| 99 |
Now, let us do a search for all Rockwell devices. In the search bar type Rockwell and then click Search. You will see every device that has Rockwell associated with it.
|
