Almost any information security architecture is built from the following traditional systems (individually or in combination):
- Firewall
- Intrusion Prevention System (IPS)
- Access Control Lists (ACLs)
- Network Access Control System (NAC)
- Antivirus systems (Antivirus / Antimalware)
- Security Information and Event Management systems (SIEM)
All these systems are good both individually, for solving their own problems, and in combination. However, there are whole classes of information security tasks that these systems cannot solve. Moreover, the traditional network perimeter, where these traditional protection tools were commonly deployed, has become blurred in the modern infrastructure: cloud technologies have appeared, and users have become much more mobile.
Which tasks can traditional systems solve, and which can they handle only with great difficulty or not at all?

Just ask yourself questions, such as these:
- If someone collects information about the hosts in the same network segment, for example with ping (a ping sweep), can you see it? How would you identify such activity?
- If a user of your network launches a DDoS attack (deliberately or under someone else's control) against something that is also inside your network, so that it looks like legitimate traffic, can you quickly identify it and raise an alarm?
- If a user of your network who is permitted to download files from a company server holding confidential information, and who usually downloads about 10 MB per day, one day suddenly downloads 100 GB of such files from that server, will you know about it, or be automatically notified? How do you detect and investigate such information leaks?
- If a user of your network infects their laptop with a network worm outside the company, then brings it to work and connects it to the corporate network, how do you find out which hosts on your network are infected, for example if none of the traditional security tools has a signature for this worm?
- If someone steals confidential information from your company's network while hiding the transfer by tunneling it inside a well-known protocol that is allowed in your network (for example DNS, UDP/53), how would you find out?
- How do you investigate virus and malware incidents that have already happened in your infrastructure?
- How do you investigate network performance problems of workstations when, for example, all you know is the user's network name?
- How are you currently identifying or investigating insider threats?
As soon as you ask such questions, it becomes clear that the traditional means of ensuring information security in the corporate network cannot answer them adequately. What you need is a tool that complements the traditional means of protection.
And there is such a tool: the well-known company Cisco has an excellent product called Cisco StealthWatch (the name is inherited from the original product of Lancope, which was founded in 2000 and was the leader of the global market for Network Visibility & Security Intelligence solutions before its acquisition by Cisco in 2015):

So what is Cisco StealthWatch? In essence, it is a tool for providing information security in the network that is based on collecting telemetry data from various devices: not only from the firewall on the perimeter, but also from infrastructure devices such as routers, switches, servers with virtual machines, and even from user devices (regardless of whether they are connected from inside the corporate network or located outside of it).
Since the main protocol for collecting telemetry in the Cisco StealthWatch solution is the well-known and popular NetFlow / IPFIX, there is no need for a separate dedicated physical monitoring network: you can use the existing network equipment. And if some part of the corporate network has no devices with NetFlow support, Cisco StealthWatch has a solution for that case as well.
Moreover, Cisco StealthWatch does not just collect this data (that is, act as its collector); it can deduplicate it, enrich the telemetry with data from other sources, and so on. Together this forms the most comprehensive information context about traffic flows in the corporate network, assembled from disparate sources and available in real time. Additional security context is provided to Cisco StealthWatch by another solution, Cisco ISE, as well as by Cisco cloud services containing IP / URL reputation databases.
With Cisco StealthWatch, the entire corporate data network is transformed into a single sensor that detects attacks, abnormal behavior, and so on. The solution goes beyond the corporate network, allowing you to monitor cloud environments and mobile users as well. It knows everything about each host and user on the network, records all of their network actions (including seeing network traffic at the level of application signatures), tracks deviations from "normal" behavior (the solution builds a profile of "correct" behavior, a baseline, as an auto-learning mechanism), stores this data, lets you query it (including analysis of suspicious activity, since more than 100 different anomaly and behavior detection algorithms are already built into Cisco StealthWatch), and notifies administrators about any changes. The solution can be used as a tool for an ongoing audit of how well the traditional information security tools are working, and it is also useful for investigating the propagation paths of malicious code and attack vectors (thanks to the ability to dive into historical data).
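The questions listed above (ping sweep, a sudden 100 GB download against a 10 MB/day habit, data hidden inside DNS) and the baseline-plus-anomaly mechanism just described share one idea: all of them can be answered from flow records alone, without payload or signatures. The following Python script is an added illustration of that idea and is not Cisco's code nor a description of the actual StealthWatch algorithms; it runs two deliberately simple heuristics, a fan-out check and a per-host volume baseline, over constructed NetFlow-style records. The `Flow` record, the hypothetical hosts (10.0.0.5, 10.0.0.7, 10.0.0.9, 10.0.0.11) and the thresholds are all assumptions made for the example.

```python
"""Flow-record heuristics over constructed NetFlow/IPFIX-style data (added example)."""
from collections import defaultdict
from dataclasses import dataclass

ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class Flow:
    """One bidirectional flow keyed by the client side (a simplification of a NetFlow record)."""
    src: str      # initiating host
    dst: str      # responding host
    proto: int    # IP protocol number
    dport: int    # destination port (0 for ICMP)
    nbytes: int   # bytes in both directions
    day: int      # observation day index (constructed)


def detect_fan_out(flows, min_targets, proto=None, dport=None):
    """Sources that reached at least min_targets distinct destinations within one day.
    With proto=ICMP this is a ping-sweep check; with proto=TCP and a service port it is
    a crude check for worm-style propagation, which needs no signature for the worm."""
    targets = defaultdict(set)
    for f in flows:
        if proto is not None and f.proto != proto:
            continue
        if dport is not None and f.dport != dport:
            continue
        targets[(f.src, f.day)].add(f.dst)
    return sorted({src for (src, _), dsts in targets.items() if len(dsts) >= min_targets})


def daily_volume(flows, dport):
    """Total bytes per (src, day) for flows to the given destination port."""
    totals = defaultdict(int)
    for f in flows:
        if f.dport == dport:
            totals[(f.src, f.day)] += f.nbytes
    return totals


def detect_volume_anomaly(flows, dport, baseline_days, factor=10):
    """Flag (src, day, bytes, baseline_mean) where a host's daily volume to dport exceeds
    factor times the mean of its own baseline days. The baseline is learned per host, so
    a 100 GB day stands out for a 10 MB/day user, and a DNS tunnel stands out as DNS volume
    far above that host's norm, even though the port itself is allowed."""
    per_src = defaultdict(dict)
    for (src, day), b in daily_volume(flows, dport).items():
        per_src[src][day] = b
    alerts = []
    for src, days in per_src.items():
        base = [b for d, b in days.items() if d in baseline_days]
        if not base:
            continue
        mean = sum(base) / len(base)
        for d, b in days.items():
            if d not in baseline_days and b > factor * mean:
                alerts.append((src, d, b, mean))
    return sorted(alerts)


def sample_flows():
    """Constructed records: seven baseline days (0-6) and one observed day (7)."""
    flows = []
    for day in range(8):
        # 10.0.0.5 normally pulls ~10 MB/day from the file server; 100 GB on day 7
        size = 100_000_000_000 if day == 7 else 10_000_000
        flows.append(Flow("10.0.0.5", "10.0.1.10", TCP, 445, size, day))
        # 10.0.0.9 normally sends ~50 KB/day of DNS; 20 MB on day 7 (tunnel-like)
        size = 20_000_000 if day == 7 else 50_000
        flows.append(Flow("10.0.0.9", "10.0.1.53", UDP, 53, size, day))
        # 10.0.0.11 behaves the same every day
        flows.append(Flow("10.0.0.11", "10.0.1.10", TCP, 445, 8_000_000, day))
        flows.append(Flow("10.0.0.11", "10.0.1.53", UDP, 53, 40_000, day))
    # on day 7, 10.0.0.7 pings 60 hosts in its segment; 10.0.0.11 pings 3 (benign)
    for i in range(1, 61):
        flows.append(Flow("10.0.0.7", f"10.0.2.{i}", ICMP, 0, 98, 7))
    for i in range(1, 4):
        flows.append(Flow("10.0.0.11", f"10.0.2.{i}", ICMP, 0, 98, 7))
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    baseline = set(range(7))
    print("ping sweep:", detect_fan_out(flows, 20, proto=ICMP))
    print("file-server volume:", detect_volume_anomaly(flows, 445, baseline))
    print("DNS volume:", detect_volume_anomaly(flows, 53, baseline))
```

The point of the per-host baseline is that a fixed global threshold would either miss the DNS case (20 MB is unremarkable for a resolver) or drown in false positives on the file server; comparing each host with its own history is what makes both cases visible from volume alone. A real deployment would also use the flow direction, the distinct-target rate per minute rather than per day, and the user identity attached to the address.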
We recommend that everyone interested in more detailed information about Cisco StealthWatch watch the recording of the presentation on the Cisco StealthWatch solution by Cisco information security engineer Vasily Tomilin, to whom we express our special thanks:
Since the product is quite comprehensive, we suggest that you first try it out in the form of labs in the Cisco dCloud cloud. To get access, write to us and we will help you get started with Cisco dCloud: in just 1.5-2 hours you will be able to familiarize yourself with the product through the basic laboratory works, and for those who want to try the product in all its glory, including deployment, there is also a separate 2-day laboratory work.
PS On June 21st in St. Petersburg, Vasily Tomilin holds the seminar "Cisco Threat Hunting Workshop". Participation is free and includes laboratory work. You can read more about this event and register here. The number of seats is limited.