Cisco Stealthwatch (#Part1 Golden Questions and Answers)

And Yet Another Weekend Post! (YAWP)
You know what?! In this article we will introduce you to
THE BEAST of network visibility and control!

Stealthwatch introduction:
- What is Stealthwatch?

One of the most effective ways to detect hard-to-find attackers, such as the operators of APTs (Advanced Persistent Threats), is network traffic flow analysis: having routers, switches and sensors export flow records (NetFlow, IPFIX, sFlow) that describe who talked to whom, on which ports, and how much, and then analyzing those records for behavior that does not fit.

Stealthwatch's story at Cisco goes back to 2015, when Cisco bought Lancope, the company that created it, for about $452.5 million.

Stealthwatch provides visibility across the whole enterprise, from private networks to public clouds such as Microsoft Azure and Amazon AWS, and applies security analytics to detect and respond to threats in near real time. It works by continuously analyzing network activity, building a baseline of what normal behavior looks like for each host and group of hosts, and then using that baseline, together with machine learning models, to detect anomalies. Not everything weird is malicious, however, so the second step is to correlate anomalies with known threat behavior such as ransomware, command-and-control (C&C) traffic, DDoS attacks, illicit crypto mining, unknown malware, insider threats and zero-day attacks, and to raise an alarm only when the evidence is strong enough.

You get comprehensive, agentless threat monitoring from a single pane of glass across the branch, the data center, the endpoints and the cloud. Because it works on flow metadata (who, where, when, how much, packet sizes and timing) rather than on payload, it keeps working even when the traffic itself is encrypted.



Let's imagine you want to explain this product to a colleague who is not in the security department.

How will you begin the conversation? And how do you persuade your manager that Stealthwatch is the right solution when you are fed up with crypto-mining activity by internal colleagues, whether intentional or unintentional?

First of all you have to know the solution, and most importantly its pros and cons:


- What are the most important components of Stealthwatch?


  • Stealthwatch Management Console (SMC)
  • Flow Collector
  • UDP Director/Flow Replicator
  • Packet Analyzer
  • Flow Sensor
Note: A minimal working deployment needs only an SMC, a Flow Collector and the licenses. The Flow Sensor, UDP Director and Packet Analyzer are optional add-ons for environments where the existing devices cannot export flow data, where flows must be duplicated to several consumers, or where full packet capture is wanted.

- Why would anyone need Stealthwatch at all?!



Network Visibility: Stealthwatch gives you overall visibility of your network, both North-South (in and out of the perimeter) and, most importantly, East-West (host to host inside the network, where firewalls at the edge see nothing). That visibility extends across the whole enterprise, from the private network to the public cloud, and security analytics are applied to it to detect and respond to threats in near real time. The networking team benefits too: the same data shows top talkers, top applications and network performance.


Detection: Stealthwatch continuously analyzes activity inside your network, learns what normal behavior looks like and sets a baseline, and uses machine learning models on top of that baseline to detect anomalies. It is an analytics- and behavior-based solution rather than a signature-based one, which is what lets it find botnets, malware and DDoS attacks that no signature describes yet.


Incident Response: Because Stealthwatch retains the flow records it collects, it can be used to investigate incidents after the fact: an analyst can go back in time and reconstruct what a host talked to, when, and how much data moved, before and after the incident.
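To make the baseline idea concrete, here is an added toy example written for this post. It is not Stealthwatch's algorithm or code; the flow records, hosts, ports and thresholds are all constructed assumptions. It learns each internal host's normal outbound volume and destination ports from historical flow records, then flags a host whose new window is several standard deviations above its own norm or that opens a long-lived session on a port it has never used. The crypto-mining scenario from the question above is the anomaly it catches, and the well-behaved host shows why the baseline must be per host rather than a flat threshold.

```python
"""Toy flow-baseline detector: learn each host's "normal" from historical flow
records, then flag deviations in a new window. Illustrates the baseline/anomaly
idea only; this is NOT Stealthwatch's algorithm, and all data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str         # internal source host
    dst: str         # destination host
    dport: int       # destination port
    octets: int      # bytes sent from src to dst
    duration_s: int  # how long the flow stayed active


def per_host_stats(flows):
    """Summarize one window: bytes out, destination ports and longest flow per host."""
    octets, ports, longest = defaultdict(int), defaultdict(set), defaultdict(int)
    for f in flows:
        octets[f.src] += f.octets
        ports[f.src].add(f.dport)
        longest[f.src] = max(longest[f.src], f.duration_s)
    return octets, ports, longest


def build_baseline(windows):
    """windows: one flow list per historical period (e.g. per day).
    Returns per host: mean/stdev of bytes out and every port ever used."""
    history, known_ports = defaultdict(list), defaultdict(set)
    for w in windows:
        octets, ports, _ = per_host_stats(w)
        for host in octets:
            history[host].append(octets[host])
            known_ports[host] |= ports[host]
    baseline = {}
    for host, vals in history.items():
        m = mean(vals)
        baseline[host] = {
            "mean": m,
            # floor the deviation: a perfectly flat history must not give a zero
            # divisor that turns every tiny change into an "anomaly"
            "stdev": max(pstdev(vals), 0.05 * m),
            "ports": known_ports[host],
        }
    return baseline


def detect(baseline, window, z_threshold=3.0, long_flow_s=3600):
    """Compare one new window against the baseline. Returns {host: [reasons]}."""
    alerts = defaultdict(list)
    octets, ports, longest = per_host_stats(window)
    for host in octets:
        if host not in baseline:
            alerts[host].append("host never seen during baseline period")
            continue
        b = baseline[host]
        z = (octets[host] - b["mean"]) / b["stdev"]
        if z > z_threshold:
            alerts[host].append(f"bytes out {octets[host]} is {z:.1f} sigma above baseline")
        new_ports = ports[host] - b["ports"]
        if new_ports:
            alerts[host].append(f"new destination ports {sorted(new_ports)}")
            # an hours-long session on a never-before-seen port is the shape of a
            # miner holding a stratum connection open, not of normal web browsing
            if longest[host] >= long_flow_s:
                alerts[host].append(f"long-lived flow ({longest[host]} s) on a new port")
    return dict(alerts)


# Constructed sample traffic (not real): five daily windows for two hosts that
# only talk HTTPS to one server each and DNS to the local resolver.
def _day(a_bytes, b_bytes):
    return [
        Flow("10.1.1.10", "203.0.113.5", 443, a_bytes, 120),
        Flow("10.1.1.10", "10.1.1.1", 53, 20_000, 1),
        Flow("10.1.1.20", "203.0.113.7", 443, b_bytes, 90),
        Flow("10.1.1.20", "10.1.1.1", 53, 15_000, 1),
    ]

TRAINING = [_day(a, b) for a, b in [(48_000_000, 19_000_000), (52_000_000, 21_000_000),
                                    (50_000_000, 20_000_000), (47_000_000, 22_000_000),
                                    (53_000_000, 18_000_000)]]

# Observation day: 10.1.1.10 behaves as usual; 10.1.1.20 keeps a 20-hour session
# open to an external host on 3333 (a port commonly used by stratum mining pools,
# assumed here) and moves roughly ten times its usual volume.
OBSERVED = _day(49_000_000, 20_000_000) + [
    Flow("10.1.1.20", "198.51.100.9", 3333, 180_000_000, 72_000),
]


def run():
    return detect(build_baseline(TRAINING), OBSERVED)


if __name__ == "__main__":
    for host, reasons in run().items():
        print(host, "->", "; ".join(reasons))
```

Run it and only 10.1.1.20 is reported, with three reasons: the volume spike, the never-before-seen port, and the long-lived flow on that port. Note the two design choices a practitioner would want here: the baseline is per host (10.1.1.10 at 49 MB is normal for it, while 200 MB from 10.1.1.20 is not), and a single anomaly is not an alarm by itself; it is the combination of deviations that matches a known threat shape, which is the "correlate anomalies to threats" step described above.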


-What are the features of Stealthwatch?

  • Stealthwatch can see every conversation happening in the network.
  • Stealthwatch knows every host connected to the network.
  • Stealthwatch can alert on changes in behavior.
  • Stealthwatch can respond to threats quickly.
  • Stealthwatch can be used to learn what is on the network: hosts, applications, and who talks to whom.
  • Stealthwatch analyzes the behavior of the network and is capable of distinguishing between normal and abnormal behavior.

-How can you deploy Stealthwatch?


Stealthwatch can be deployed either as physical appliances or as virtual machines.

  • Physical appliance: the x210 series appliances (for example the SMC, Flow Collector, Flow Sensor and UDP Director each come as a 2210/4210/5210 class box).
  • Virtual machine: the virtual edition runs on VMware ESXi or KVM.


The smallest Flow Collector model can process about 30,000 flows per second.






-What is Stealthwatch Management Console?


The Stealthwatch Management Console (SMC) is an enterprise-level security management system that lets network administrators configure, define and monitor multiple distributed Stealthwatch Flow Collectors from a single centralized GUI. It combines identity information, graphical representations of network traffic, customized summary reports, and integrated security and network intelligence for comprehensive analysis. (It is comparable to the Firepower Management Center (FMC) in the firewall world.)


The SMC also aggregates context from other sources, in particular user and device identity from Cisco ISE (Identity Services Engine) over pxGrid, so that a flow is tied to a user and a device, not just an IP address. With Stealthwatch in place, network operations and security teams can see who is using the network, which applications and services are in use, and how well those services are performing.


To summarize some of the great benefits you can achieve with SMC please read the following:


  • Real-time data monitoring across thousands of network segments simultaneously.
  • The ability to quickly detect and prioritize security threats.
  • Use of multiple types of flow data, such as NetFlow, sFlow and IPFIX.
  • A full audit trail of network transactions, for more effective forensic investigations.
  • Performs well in extremely high-speed environments and can monitor every part of the network that is IP reachable, regardless of size.
  • Configures, coordinates and manages the Cisco Stealthwatch appliances, including the Flow Collector, Flow Sensor and UDP Director.
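The "flow data" in the list above is what an exporter actually sends to the Flow Collector. As an added example written for this post (not Cisco's code), here is a decoder for the oldest and simplest of those formats, NetFlow v5, run against a datagram constructed inline. The field layout is Cisco's published v5 format (a 24-byte header followed by up to 30 fixed 48-byte records); the sample addresses, ports and counters are made up. It also shows the one check every collector must make before trusting a datagram: that the record count in the header actually fits the bytes received.

```python
"""Decode a NetFlow v5 export datagram, the kind of record a flow collector
ingests. Wire layout follows Cisco's published v5 format: a 24-byte header and
up to 30 fixed 48-byte flow records. The sample datagram is constructed here,
not captured from a real exporter."""
import socket
import struct

HEADER = struct.Struct("!HHIIIIBBH")                 # version .. sampling_interval, 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # srcaddr .. pad2, 48 bytes
MAX_RECORDS = 30


def build_v5(records, sequence=1, unix_secs=1_700_000_000):
    """Pack record dicts into a v5 datagram (used here only to construct sample input)."""
    if len(records) > MAX_RECORDS:
        raise ValueError("a v5 datagram carries at most 30 records")
    head = HEADER.pack(5, len(records), 0, unix_secs, 0, sequence, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(r["src"]), socket.inet_aton(r["dst"]),
                    socket.inet_aton("0.0.0.0"), 1, 2, r["packets"], r["octets"],
                    r["first_ms"], r["last_ms"], r["sport"], r["dport"], 0,
                    r.get("tcp_flags", 0), r["proto"], 0, 0, 0, 24, 24, 0)
        for r in records)
    return head + body


def parse_v5(data):
    """Decode header and records. Refuses datagrams whose declared record count
    does not fit their length: a collector that trusts the count blindly reads
    past the buffer or misinterprets garbage as flows."""
    if len(data) < HEADER.size:
        raise ValueError(f"datagram too short for a v5 header ({len(data)} bytes)")
    version, count, _uptime, secs, _nsecs, seq, _etype, _eid, sampling = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    expected = HEADER.size + count * RECORD.size
    if count > MAX_RECORDS or len(data) < expected:
        raise ValueError(f"count={count} does not fit a datagram of {len(data)} bytes")
    flows = []
    for i in range(count):
        (src, dst, _nexthop, _in_if, _out_if, pkts, octets, first, last, sport, dport,
         _pad1, flags, proto, _tos, _src_as, _dst_as, _src_mask, _dst_mask, _pad2
         ) = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "proto": proto,
            "packets": pkts, "octets": octets, "tcp_flags": flags,
            # v5 first/last are exporter sysuptime in ms at first and last packet
            "duration_ms": last - first,
        })
    return {
        "sequence": seq,
        "export_time": secs,
        # upper 2 bits of this field are the sampling mode, lower 14 the interval
        "sampling_interval": sampling & 0x3FFF,
        "flows": flows,
    }


# Constructed sample: a short DNS lookup and a 20-hour TCP session to port 3333.
SAMPLE_RECORDS = [
    {"src": "10.1.1.20", "dst": "10.1.1.1", "sport": 51000, "dport": 53,
     "proto": 17, "packets": 2, "octets": 180, "first_ms": 1000, "last_ms": 1012},
    {"src": "10.1.1.20", "dst": "198.51.100.9", "sport": 51001, "dport": 3333,
     "proto": 6, "tcp_flags": 0x18, "packets": 90_000, "octets": 180_000_000,
     "first_ms": 1000, "last_ms": 72_001_000},
]
SAMPLE_DATAGRAM = build_v5(SAMPLE_RECORDS)

if __name__ == "__main__":
    for flow in parse_v5(SAMPLE_DATAGRAM)["flows"]:
        print(flow)
```

A flow record carries no payload at all, only the 5-tuple, counters, TCP flags and timing, which is exactly why this kind of analysis is unaffected by encryption and why it scales to the whole network: 48 bytes per conversation instead of the conversation itself.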


-What is a Flow Collector?