Project Description

Visibility and Threat Detection for the Enterprise Network

Today’s enterprise network is more complex and distributed than ever before. New security challenges arise weekly. The evolving threat landscape, along with growing trends such as cloud computing and the Internet of Things (IoT), further complicates the situation. Maintaining full visibility becomes more difficult with every user and device you add to your network.

Network security can go beyond conventional anomaly detection by harnessing the power of network traffic flow data. Real-time situational awareness of all the users, devices, and traffic on your extended network allows you to quickly and effectively respond to threats. You can detect and protect against a wide range of attacks with continuous monitoring and intelligence.

You can help defend your entire organization with views into everything happening across your network, data center, and even your data stored in public clouds. Threats don’t only come from outside the network anymore. Stolen credentials or other techniques make it necessary to monitor more than just the perimeter or even just your network.

Cisco Stealthwatch

Cloud Network Solutions recommends Cisco Stealthwatch, which aggregates and analyzes network telemetry, information generated by network devices, to turn your network into a sensor. You gain visibility into system traffic flows from the network edge to the data center, including virtual machines. Stealthwatch detects a wide range of network and data center issues, from malicious insiders attempting to exfiltrate sensitive data to malware spreading internally from host to host. It works with the entire Cisco router and switch portfolio as well as a variety of security solutions, all available through Cloud Network Solutions, including:

  • Cisco Secure Data Center
  • Cisco IOS Flexible NetFlow
  • Cisco TrustSec security technology
  • Cisco ASA with FirePOWER Services Next-Generation Firewalls (NGFWs)
  • Cisco Identity Services Engine (ISE)
  • Cisco Web Security Appliance (WSA)
  • Cisco Security Packet Analyzer

Cisco Stealthwatch Advantage

Stealthwatch uses network data to accelerate and improve anomaly detection, incident response, and forensics across your entire network. It establishes a baseline of what’s considered normal behavior and activity on your network. With this baseline as your primary reference point, you can use the solution to identify anomalous behavior on your network that may signify an attack. The proposed solution leverages traffic flows to monitor your entire environment to determine whether policy and network access violations are taking place.

The proposed solution continuously monitors both north-south and east-west traffic inside your network to identify traffic patterns that may signal system abuse and insider threats. This allows you to help identify and defend against zero-day malware, advanced persistent threats (APTs), DDoS attempts, and other attacks before they cause harm. The proposed solution’s Stealthwatch Management Console enables you to view and monitor these traffic flows for anomaly detection.

These are the primary features of Stealthwatch:

  • Deep visibility across the network perimeter, interior, data center, and private and public cloud
  • Simplified understanding of normal network behavior through the use of NetFlow
  • Continuous monitoring of devices, applications, and users throughout your distributed networks
  • In-depth forensic investigations and post-incident response with contextual threat intelligence and detailed, historic audit trails of NetFlow data
  • Easy integration with your existing network infrastructure (compatible with non-Cisco telemetry), Cisco Security Packet Analyzer, Cisco ASA Firewalls, Cisco ISE, Cisco TrustSec technology-supported hardware, and a variety of other security solutions, all available through Cloud Network Solutions.

Cisco Stealthwatch Benefits

Desired Business Outcome: Accelerate behavioral anomaly detection and incident response
How We Can Make It Happen:
  • Isolate the root cause of an incident within seconds and conduct efficient triage for fast mitigation.
  • Use NetFlow for advanced security analytics, network forensics, and security incident management.

Desired Business Outcome: Improve network visibility
How We Can Make It Happen:
  • Reduce risk by seeing when and how users and devices are connecting to your network, including:
    − Conversations within your network
    − Communications extending out to the cloud
    − Information passing between distributed branch offices
  • View large amounts of data being exfiltrated to unrecognized IP addresses and machines. This includes visibility of command-and-control sessions.
  • Gain complete visibility in public cloud environments.

Desired Business Outcome: Fulfill and maintain compliance
How We Can Make It Happen:
  • Protect intellectual property and proprietary data with PCI and HIPAA compliance. The Stealthwatch solution can assist with compliance audit trails and help gather information to accelerate audit compliance.
  • Simplify compliance with network segmentation, enterprise-wide visibility, and enhanced network management.

Cisco Stealthwatch Solutions Details

The Cloud Network Solutions Cisco Stealthwatch solution is a suite of products that work together to provide real-time situational awareness of all users, devices, and traffic on your extended network. By combining the right components, the solution also scales to your specific needs. Cloud Network Solutions offers the following suite of products, packages, and features.

Stealthwatch Cloud

Stealthwatch Cloud is a SaaS-delivered, web-based solution that provides end-to-end visibility, behavioral analysis, and threat detection across your private network, public cloud, and hybrid environments. Stealthwatch Cloud delivers high-value notifications of changes in behavior that it observes on your network without wasting the precious time of your IT and security personnel. Being web-based, it is platform independent and can work for any cloud environment, including Amazon Web Services (AWS) and Microsoft Azure. Stealthwatch Cloud is also capable of monitoring small to medium-sized private networks and hybrid infrastructures that combine on-premises and cloud deployments. Stealthwatch Cloud can export threat and behavioral details to a number of security and web-based services, including Cisco Spark, Datadog, Hipchat, PagerDuty, Slack, and SIEMs, and supports standard formats such as email and syslog.

Public Cloud Monitoring

Stealthwatch Cloud’s Public Cloud Monitoring provides the visibility and threat detection capabilities you need to keep your workloads highly secure in AWS and Microsoft Azure infrastructures. It is a cloud-delivered, SaaS-based solution that can be deployed easily and quickly. Within AWS, Stealthwatch Cloud uses AWS VPC Flow Logs to model the behavior of each cloud resource, a method called entity modeling. It is then able to detect sudden changes in behavior, malicious activity, and signs of compromise. VPC Flow Logs are available with no software deployments for your AWS assets, just a configuration change in your AWS console.
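To make the entity-modeling idea concrete (and the NetFlow baselining described under Cisco Stealthwatch Advantage, which works the same way on flow records), here is an added illustration that is not part of the Stealthwatch product or of this page: it parses constructed AWS VPC Flow Log (version 2) records, builds a per-interface baseline of accepted destination ports and mean flow size, and flags a later window that departs from it. The record layout is the default VPC Flow Log field order; the sample interface IDs, addresses, and the 5x volume threshold are constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Default (version 2) VPC Flow Log field order, space separated.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records (not real traffic): a quiet baseline for eni-aaaa, then a later window.
BASELINE = [
    "2 123456789012 eni-aaaa 10.0.1.10 10.0.2.20 50342 443 6 20 4000 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-aaaa 10.0.1.10 10.0.2.30 50343 5432 6 30 6000 1600000000 1600000060 ACCEPT OK",
    "2 123456789012 eni-aaaa 10.0.1.10 10.0.2.20 50344 443 6 25 5000 1600000060 1600000120 ACCEPT OK",
    "2 123456789012 eni-aaaa 10.0.1.10 10.0.2.40 50345 23 6 1 60 1600000060 1600000120 REJECT OK",
]
OBSERVED = [
    "2 123456789012 eni-aaaa 10.0.1.10 203.0.113.5 50400 22 6 2000 300000 1600003600 1600003660 ACCEPT OK",
    "2 123456789012 eni-aaaa 10.0.1.10 10.0.2.20 50401 443 6 21 4100 1600003600 1600003660 ACCEPT OK",
    "2 123456789012 eni-bbbb 10.0.1.11 10.0.2.20 50500 443 6 20 4000 1600003600 1600003660 ACCEPT OK",
]

def parse(record):
    """Split one flow-log line into a dict and convert the numeric fields."""
    row = dict(zip(FIELDS, record.split()))
    for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
        row[key] = int(row[key])
    return row

def build_profiles(records):
    """Per-interface baseline: destination ports actually used and mean bytes per flow."""
    ports, sizes = defaultdict(set), defaultdict(list)
    for row in map(parse, records):
        if row["action"] != "ACCEPT":
            continue  # rejected flows carried no data, so they are not part of the habit
        ports[row["interface_id"]].add(row["dstport"])
        sizes[row["interface_id"]].append(row["bytes"])
    return {eni: {"ports": ports[eni], "mean_bytes": mean(sizes[eni])} for eni in ports}

def detect_changes(profiles, records, byte_factor=5):
    """Flag an unprofiled interface, a port it never used in the baseline, or a flow byte_factor times its mean size."""
    findings = []
    for row in map(parse, records):
        eni, base = row["interface_id"], profiles.get(row["interface_id"])
        if base is None:
            findings.append((eni, "unprofiled interface", row["dstaddr"]))
            continue
        if row["dstport"] not in base["ports"]:
            findings.append((eni, f"new destination port {row['dstport']}", row["dstaddr"]))
        if row["bytes"] > byte_factor * base["mean_bytes"]:
            findings.append((eni, f"volume spike {row['bytes']} bytes", row["dstaddr"]))
    return findings
```

Running `detect_changes(build_profiles(BASELINE), OBSERVED)` reports the new SSH destination and the volume spike from eni-aaaa and the never-seen interface eni-bbbb, while the routine 443 flow passes silently; a real product replaces the fixed threshold with learned, per-entity statistics.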

Private Network Monitoring

Stealthwatch Cloud’s Private Network Monitoring can deliver the visibility necessary to detect threats on the network in real time, without the need for expensive equipment, IT resources, or extensive security staff time. Cisco Stealthwatch Cloud Private Network Monitoring provides visibility and threat detection for the on-premises network, delivered from a cloud-based SaaS solution. It is the preferred choice for organizations that want better awareness and security in their on-premises environments while reducing capital expenditure and operational overhead.

Stealthwatch Cloud Screenshots

(Screenshot: Stealthwatch Cloud)

Cisco Stealthwatch Cloud Components

Component: Public Cloud Monitoring
Description: Information is collected from public cloud-based services such as Amazon Web Services to build usage models for your data in those clouds. Cloud resource modeling is then applied to watch for sudden changes in behavior, malicious activity, and other signs of compromise.
Features include:
  • SaaS solution delivered from the cloud for simple deployment
  • Threat detection in public clouds
  • Integration and UI control for Amazon Inspector

Component: Private Network Monitoring
Description: Stealthwatch Cloud’s Private Network Monitoring can deliver the visibility necessary to detect threats on the network in real time, without the need for expensive equipment, IT resources, or extensive security staff time.
Features include:
  • Receives a wide variety of network telemetry and logs
  • Integrates with physical networks and private virtual environments, such as VMware hypervisor solutions
  • Uses the same portal as Public Cloud Monitoring with a lightweight virtual appliance

Cisco Stealthwatch Enterprise

The Stealthwatch Enterprise package includes the following security solutions:

Cisco Stealthwatch Management Console: Provides a single vantage point for disparate IT groups to see behavioral information of traffic across the network. The simple at-a-glance interface permits operators to quickly spot trouble and respond accordingly.

(Screenshot: Stealthwatch Management Console)

Cisco Stealthwatch Flow Collector: Allows for network visibility and security intelligence across physical and virtual environments to improve incident response.

Cisco Stealthwatch Flow Sensor: Produces NetFlow data for segments of the switching and routing infrastructure that do not support NetFlow. It also delivers thorough visibility of network and server performance metrics. The result is optimized security, network operations, and application performance.

Cisco Stealthwatch Enterprise Components

Component: Cisco Stealthwatch Management Console
Description: The console coordinates, manages, and configures Stealthwatch appliances deployed at various segments throughout your enterprise. The management console can also collect data from other types of technologies, including firewalls, web proxies, network access control (NAC) systems, and more. Disparate IT teams can easily obtain pervasive network visibility and actionable security intelligence to detect and prioritize security threats through a single viewpoint. The console is available as a hardware appliance or a virtual machine.
Features include:
  • In-depth visibility and behavior-based context defend against APTs, malware, insider threats, worms, viruses, targeted attacks, DDoS attempts, and evolving attacks. Advanced detection capabilities decrease the time between threat onset and resolution.
  • Real-time telemetry delivers data flow for monitoring traffic across hundreds of network segments simultaneously to detect suspicious network behavior.
  • Robust network intelligence facilitates performance monitoring and capacity planning and enhances network management. It also reduces the time-consuming and resource-intensive manual analysis often associated with other vendors.
  • Network groupings, graphical representations, and relationship maps deliver simple views of your organization’s traffic within seconds, illustrating where to focus your attention.
  • Multiple alarm categories and context-based alerts on the home dashboard provide quick assessments of your organization’s security posture. This allows for decisive action to mitigate potential damage.
  • Scalable functionality performs well in high-speed environments and can protect every part of the network that is accessible by IP, regardless of size.

Component: Cisco Stealthwatch Flow Collector
Description: The flow collector collects and analyzes massive amounts of network data from your current devices. The result is visibility and security intelligence across physical and virtual environments, improving incident response. Flow Collector provides cost-effective behavioral analytics and advanced security context. This enables early anomaly detection, quick root-cause determination, and enhanced protection against a wide range of threats, including APTs, insider threats, DDoS, and zero-day malware. The solution is available as a hardware appliance or a virtual machine.
Features include:
  • Flow-based anomaly detection pinpoints unusual behavior and immediately sends an alarm with actionable intelligence, promoting quick and decisive mitigation.
  • Stitched, deduplicated, and 1:1 flows simplify network and security monitoring. In addition to detecting anomalies in real time, the solution can store years of data, creating a complete audit trail to improve forensic investigations and compliance.
  • Easy upgrading allows you to start small and expand as your capacity needs change. At full scale, Flow Collector can process data from as many as 50,000 flow sources at up to 6 million flows per second (fps).

Component: Cisco Stealthwatch Flow Sensor (optional)
Description: This component provides robust visibility of network, application, and server performance metrics. The flow sensor gives you a cost-effective method of troubleshooting both security incidents and application performance problems, while eliminating dangerous network blind spots. It can provide Layer 7 application information for environments where Cisco Network-Based Application Recognition (NBAR) is disabled. The solution is available as a hardware appliance or as software for monitoring virtual machine environments.
Features include:
  • Network anomaly alerts pinpoint unusual behavior and immediately send alarms with contextual intelligence, allowing you to act quickly and mitigate damage.
  • URL data allows administrators to see exactly which websites users are going to, including the file path. This improves the identification of applications causing performance or security problems.
  • Enhanced operational efficiency reduces costs by identifying and isolating the root cause of an issue or incident within seconds.

Component: UDP Director (optional)
Description: The UDP Director simplifies the collection and distribution of network and security data across the enterprise. It helps reduce the processing load on network routers and switches by receiving essential network and security information from multiple locations and then forwarding it as a single data stream to one or more destinations.
Features include:
  • Reduces unplanned downtime and service disruption with the high-availability UDP Director 2200 appliance.
  • Simplifies network security and monitoring by providing a single standard destination for NetFlow, sFlow, syslog, and SNMP information.
  • Directs UDP data from any UDP application to one or more destinations, duplicating the data if required.

Additional Stealthwatch Enterprise Licenses

Stealthwatch Enterprise also has additional licenses available through Cloud Network Solutions to enhance its performance when interacting with other Cisco Security products.

  • Flow Rate License: Required for the collection, management, and analysis of flow telemetry; flows are aggregated at the Management Console. The Flow Rate License also defines the volume of flows that may be collected and is licensed on the basis of flows per second (fps). Licenses may be combined in any permutation to achieve the desired level of flow capacity.
  • Cisco Stealthwatch Proxy License: Delivers additional network visibility and anomaly detection capabilities from proxy servers to your management console. This license enables the correlation of information sent from the proxy servers and provides information about web traffic being intercepted by the proxy server, enabling deeper visibility into web traffic.
  • Cisco Stealthwatch Threat Intelligence License: Correlates flow data to provide enhanced detection capabilities for advanced malware, including botnet activity. Botnet detection functionality includes in-depth traffic reporting and analysis of command-and-control communications.
  • Cisco Stealthwatch Learning Network License: Identifies traffic at the network device level using network-based application recognition, localized network flow data, and machine learning sensors. This software resides on select ISR 4000 series routers. It helps you make informed decisions to flag or drop suspicious packets, enabling accelerated incident response and device-level mitigation.
  • Cisco Stealthwatch Endpoint License: Allows for the collection of application data by integrating with Cisco AnyConnect® Secure Mobility Client. The endpoint license receives input from Cisco AnyConnect Secure Mobility Client and forwards that data to Stealthwatch for analysis and reporting in the Stealthwatch Management Console.

Contact the Cloud Network Solutions team today for a complete Advisory, Implementation, Training, Optimization, Support, and Managed Services offering.

Project Details

  • Solution Overview: Cisco Stealthwatch