Cisco StealthWatch or classic corporate network security tools (FW, IPS, ACL, NAC, AV, SIEM)?


Virtually any information security setup includes some combination of the following traditional systems (individually or together):

  • Firewall
  • Intrusion Prevention System (IPS)
  • Access Control Lists (ACLs)
  • Network Access Control System (NAC)
  • Antivirus Systems (Antivirus / Antimalware)
  • Security Information and Event Management systems (SIEM)

All of these systems are good at their own tasks, both individually and in combination. However, there are classes of information security tasks that none of them can solve. Moreover, the traditional network perimeter, where such protection has conventionally been deployed, has become blurred in the modern infrastructure: cloud technologies have appeared, and users have become far more mobile.

Which tasks can traditional systems solve, and which will they cope with only with great difficulty, or not at all?


Just ask yourself questions such as these:

  1. If someone collects information about hosts in the same network segment, for example with ping (a ping sweep), can you see it? How would you detect such activity?
  2. If a user on your network starts a DDoS attack (deliberately or under someone else's control) against something that is also on your network, so that it looks like legitimate traffic, can you quickly identify it and raise an alarm?
  3. If a user on your network, who is permitted to download files from a company server holding confidential information and usually downloads about 10 MB per day, one day suddenly downloads 100 GB of such files from that server, do you know about it? Will you be notified automatically? How do you detect and investigate such information leaks?
  4. If a user on your network picks up a network worm on their laptop outside the company, then brings it to work and connects it to the corporate network, how do you find out which hosts on your network are infected, for example if none of the traditional protection tools has a signature for this worm?
  5. If someone steals confidential information from your company's network while hiding the transfer by tunnelling it inside a well-known protocol that is allowed on your network (for example DNS, UDP/53), how do you find out about it?
  6. How do you investigate virus and malware incidents that have already happened in your infrastructure?
  7. How do you investigate network performance issues on workstations when, for example, you know only the user's name on the network?
  8. How do you currently identify or investigate insider threats?

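Questions 1, 2 and 5 above are all answerable from flow telemetry alone, because each of them is a shape in the traffic (one source talking to many hosts, many hosts converging on one server, an oddly heavy conversation on port 53) rather than a signature in the payload. The script below is an added illustration, not code from the article or from Cisco StealthWatch: it runs three such checks over a constructed set of NetFlow-style records. All IP addresses, thresholds and the record layout are assumptions made for the example.

```python
from collections import defaultdict

ICMP, TCP, UDP = 1, 6, 17

# Constructed NetFlow-style flow records (sample data, not telemetry from any real network).
# Field order: (src_ip, dst_ip, protocol, dst_port, packets, bytes)
FLOWS = [
    ("10.0.1.5", f"10.0.1.{i}", ICMP, 0, 1, 64) for i in range(10, 40)   # one host probing 30 neighbours
] + [
    ("10.0.1.7", "10.0.2.10", TCP, 443, 40, 52_000),       # ordinary HTTPS session
    ("10.0.1.7", "10.0.0.53", UDP, 53, 2, 180),            # ordinary DNS lookup
    ("10.0.1.8", "10.0.0.53", UDP, 53, 3, 260),
    ("10.0.1.9", "203.0.113.10", UDP, 53, 900, 650_000),   # sustained, fat "DNS" to an outside resolver
] + [
    (f"10.0.3.{i}", "10.0.2.20", TCP, 80, 5000, 300_000) for i in range(1, 26)   # 25 hosts hammering one server
]


def detect_ping_sweep(flows, min_targets=20):
    """Question 1: sources that sent ICMP to at least `min_targets` distinct destinations.

    Returns {source_ip: number_of_distinct_targets}.
    """
    targets = defaultdict(set)
    for src, dst, proto, _port, _pkts, _nbytes in flows:
        if proto == ICMP:
            targets[src].add(dst)
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def detect_internal_flood(flows, min_sources=20, min_packets=1000):
    """Question 2: destinations receiving heavy flows from many distinct internal sources.

    Each flow looks legitimate on its own; the fan-in across sources is what gives it away.
    Returns {destination_ip: number_of_heavy_sources}.
    """
    heavy_sources = defaultdict(set)
    for src, dst, _proto, _port, pkts, _nbytes in flows:
        if pkts >= min_packets:
            heavy_sources[dst].add(src)
    return {dst: len(s) for dst, s in heavy_sources.items() if len(s) >= min_sources}


def detect_dns_volume_anomaly(flows, min_bytes=100_000, min_avg_payload=300):
    """Question 5: clients whose UDP/53 traffic is both large in total and unusually fat per packet.

    Real DNS queries and answers are small; a sustained stream of large datagrams on port 53 is
    a classic tunnelling indicator visible without looking at a single query name.
    Returns {source_ip: (total_bytes, average_bytes_per_packet)}.
    """
    stats = defaultdict(lambda: [0, 0])  # src -> [bytes, packets]
    for src, _dst, proto, port, pkts, nbytes in flows:
        if proto == UDP and port == 53:
            stats[src][0] += nbytes
            stats[src][1] += pkts
    return {
        src: (b, b / p)
        for src, (b, p) in stats.items()
        if p and b >= min_bytes and b / p >= min_avg_payload
    }


def run_all(flows):
    """Run every check and return the findings keyed by check name."""
    return {
        "ping_sweep": detect_ping_sweep(flows),
        "internal_flood": detect_internal_flood(flows),
        "dns_volume": detect_dns_volume_anomaly(flows),
    }


if __name__ == "__main__":
    for check, hits in run_all(FLOWS).items():
        print(f"{check}: {hits or 'nothing flagged'}")
```

Each check keys on a different aggregate of the same records (distinct destinations per source, distinct sources per destination, bytes per packet per source), which is why a collector that keeps every flow, rather than a firewall that judges each connection in isolation, can answer these questions.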
Once you ask such questions, it becomes clear that traditional means of ensuring information security in the corporate network cannot answer them properly. What you need is a tool that complements the traditional means of protection.

Such a tool exists: Cisco has an excellent product called Cisco StealthWatch (the name is inherited from the original product of Lancope, founded back in 2000, which was the world market leader in Network Visibility & Security Intelligence solutions before its acquisition by Cisco in 2015):


So what is Cisco StealthWatch? In essence, it is a network security tool built on collecting telemetry from a variety of devices: not only from the firewall on the perimeter, but also from infrastructure devices such as routers, switches and servers with virtual machines, and even from user devices (regardless of whether they are connected from inside the corporate network or are located outside it).

Since the main telemetry collection protocol in the Cisco StealthWatch solution is the well-known and widely supported NetFlow / IPFIX, there is no need for a separate dedicated physical monitoring network: the existing network equipment can be used. And if some part of the corporate network has no devices with NetFlow support, Cisco StealthWatch has a solution for that case too.
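To make concrete what "collecting NetFlow" means on the wire, here is an added example (not code from the article, Cisco or any collector product) that parses a NetFlow version 5 export datagram, the fixed-layout format that most switches and routers can emit: a 24-byte header followed by 48-byte flow records. The layout follows the published v5 format; the sample datagram, the addresses in it and the helper that builds it are constructed for this example.

```python
import socket
import struct

# NetFlow v5 wire layout (network byte order): 24-byte header, then `count` 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


def parse_netflow_v5(datagram: bytes):
    """Parse one export datagram into (header_dict, [record_dict, ...]).

    Raises ValueError for anything that is not a complete, well-formed v5 datagram, so a
    collector never trusts the record count in the header more than the bytes it received.
    """
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs,
     flow_seq, engine_type, engine_id, sampling) = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    expected = V5_HEADER.size + count * V5_RECORD.size
    if len(datagram) < expected:
        raise ValueError("truncated datagram: header announces more records than present")
    header = {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs, "flow_sequence": flow_seq,
        "engine_type": engine_type, "engine_id": engine_id, "sampling": sampling,
    }
    records = []
    for i in range(count):
        off = V5_HEADER.size + i * V5_RECORD.size
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last,
         sport, dport, _pad1, tcp_flags, proto, tos, src_as, dst_as,
         src_mask, dst_mask, _pad2) = V5_RECORD.unpack_from(datagram, off)
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "next_hop": socket.inet_ntoa(nexthop), "in_if": in_if, "out_if": out_if,
            "packets": pkts, "bytes": octets, "first_ms": first, "last_ms": last,
            "src_port": sport, "dst_port": dport, "tcp_flags": tcp_flags, "proto": proto,
            "tos": tos, "src_as": src_as, "dst_as": dst_as,
            "src_mask": src_mask, "dst_mask": dst_mask,
        })
    return header, records


def is_valid_datagram(datagram: bytes) -> bool:
    """Convenience wrapper: True if the datagram parses cleanly."""
    try:
        parse_netflow_v5(datagram)
        return True
    except ValueError:
        return False


def build_netflow_v5(records, uptime_ms=1000, unix_secs=1_700_000_000, seq=1):
    """Construct an export datagram; used here only to create sample input for the parser."""
    body = b"".join(
        V5_RECORD.pack(
            socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]), socket.inet_aton("0.0.0.0"),
            1, 2, r["packets"], r["bytes"], 0, 0, r["sport"], r["dport"],
            0, r.get("tcp_flags", 0), r["proto"], 0, 0, 0, 24, 24, 0,
        )
        for r in records
    )
    header = V5_HEADER.pack(5, len(records), uptime_ms, unix_secs, 0, seq, 0, 0, 0)
    return header + body


# Constructed sample export with two flows (an ICMP probe and an HTTPS session); not captured data.
SAMPLE = build_netflow_v5([
    {"src": "10.0.1.5", "dst": "10.0.1.10", "proto": 1, "sport": 0, "dport": 0,
     "packets": 1, "bytes": 64},
    {"src": "10.0.1.7", "dst": "10.0.2.10", "proto": 6, "sport": 51234, "dport": 443,
     "packets": 40, "bytes": 52_000, "tcp_flags": 0x18},
])

if __name__ == "__main__":
    hdr, recs = parse_netflow_v5(SAMPLE)
    print(f"v{hdr['version']} datagram with {hdr['count']} records")
    for r in recs:
        print(f"{r['src']}:{r['src_port']} -> {r['dst']}:{r['dst_port']} "
              f"proto={r['proto']} pkts={r['packets']} bytes={r['bytes']}")
```

A record carries addresses, ports, protocol, counters and TCP flags but no payload, which is exactly why NetFlow can be collected from existing equipment at scale and also why detection on it is about volumes and relationships rather than content.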

Moreover, Cisco StealthWatch does not merely collect this data (that is, act as its collector): it can deduplicate it, enrich the telemetry with data from other sources, and so on. Together this forms the most complete picture of traffic flows in the corporate network, assembled from disparate sources and available in real time. Additional security context for Cisco StealthWatch comes from another Cisco solution, Cisco ISE, and from Cisco cloud services that hold IP / URL reputation databases.

With the help of Cisco StealthWatch, the entire corporate data network is turned into a single sensor that detects attacks, abnormal behaviour and so on. The solution reaches beyond the corporate network, allowing you to monitor cloud environments and mobile users as well. It knows about every host and user on the network, records all their actions on the network (including seeing network traffic at the level of application signatures), monitors deviations from “normal” behaviour (the solution builds a profile of “correct” behaviour, a baseline, through an auto-learning mechanism), stores this data, allows querying it (including analysis of suspicious activity, since Cisco StealthWatch already contains more than 100 different anomaly and behaviour detection algorithms), and warns administrators of any changes. The solution can serve as a tool for a continuous audit of how well traditional information security tools are working, and it is also useful for investigating the propagation paths of malicious code and attack vectors (the ability to “dive” into historical data).
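The baseline idea in the paragraph above, and question 3 from the list earlier (a user who normally downloads about 10 MB per day suddenly pulling 100 GB), can be shown with a few lines of statistics. The following is an added example and not StealthWatch's own algorithm, which the article does not describe: it learns a per-user mean and standard deviation of daily download volume from history, then scores today's volume as a z-score. It also handles two edge cases a real implementation must get right: a user with too little history to judge, and a perfectly constant history whose standard deviation is zero. The user names, volumes and thresholds are all constructed.

```python
from statistics import mean, pstdev

MB = 1_000_000
GB = 1_000 * MB

# Constructed daily download volumes (bytes) per user from the file server; not real data.
HISTORY = {
    "alice": [9 * MB, 11 * MB, 10 * MB, 12 * MB, 8 * MB, 10 * MB, 11 * MB],
    "bob":   [500 * MB, 450 * MB, 520 * MB, 480 * MB, 510 * MB, 470 * MB, 490 * MB],
    "carol": [10 * MB] * 7,       # perfectly constant history: zero variance edge case
    "dave":  [10 * MB, 12 * MB],  # too little history to learn anything
}
TODAY = {"alice": 100 * GB, "bob": 495 * MB, "carol": 80 * MB, "dave": 5 * GB}


def learn_baseline(history, min_days=5):
    """Auto-learn a (mean, stdev) profile per user; skip users with fewer than min_days of history."""
    baseline = {}
    for user, days in history.items():
        if len(days) < min_days:
            continue  # refusing to guess is better than alerting on noise
        baseline[user] = (mean(days), pstdev(days))
    return baseline


def score(observed, profile, floor_ratio=0.1):
    """z-score of an observation against (mean, stdev).

    The stdev is floored at floor_ratio * mean so that a constant history (stdev 0)
    does not produce a division by zero or an infinite score.
    """
    mu, sigma = profile
    sigma = max(sigma, floor_ratio * mu)
    return (observed - mu) / sigma


def detect_deviations(today, baseline, z_threshold=5.0, min_abs=50 * MB):
    """Users whose volume today is both statistically and materially above their baseline.

    The absolute floor (min_abs) keeps a user who went from 1 MB to 3 MB from paging anyone.
    Returns {user: rounded_z_score}.
    """
    alerts = {}
    for user, observed in today.items():
        if user not in baseline:
            continue
        z = score(observed, baseline[user])
        if z >= z_threshold and observed - baseline[user][0] >= min_abs:
            alerts[user] = round(z, 1)
    return alerts


if __name__ == "__main__":
    base = learn_baseline(HISTORY)
    for user, z in detect_deviations(TODAY, base).items():
        mu, _ = base[user]
        print(f"{user}: {TODAY[user] / MB:.0f} MB today vs ~{mu / MB:.0f} MB/day baseline (z={z})")
```

Bob's 495 MB is within his normal spread and is not reported, dave is skipped for lack of history, and both alice's 100 GB and carol's jump from a flat 10 MB are flagged; a product that learns baselines does this per host, per user and per application rather than for one counter, but the mechanism is the same.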

Anyone interested in more detailed information about Cisco StealthWatch is recommended to watch the recording of the presentation on the Cisco StealthWatch solution, courtesy of information security engineer Vasily Tomilin, to whom we express special thanks:


Since the product is quite comprehensive, we suggest you try it out first as a lab in the Cisco dCloud cloud. To get access, write to us and we will help you get started with Cisco dCloud: in just 1.5-2 hours you can familiarize yourself with the product through basic lab exercises, and for those who want to try the product in all its glory, including deployment, there is also a separate two-day lab.
