And Yet Another Weekend Post! (YAWP)
You know what?! In this article we will introduce you to
The BEAST of network visibility and control!
- What is Stealthwatch?
One of the best methods for detecting hard-to-find attackers, such as those behind APTs (Advanced Persistent Threats), is network traffic flow analysis, or NetFlow.
The story of Stealthwatch goes back to 2015, when Cisco bought a great company named Lancope for $452.5M.
Stealthwatch provides visibility across the whole enterprise, from private networks to public clouds such as Microsoft Azure and Amazon AWS, and applies advanced security analytics to detect and respond to threats in real time. Stealthwatch works by continuously analysing network activity to build a baseline of normal network behaviour, and then uses that baseline, together with advanced machine learning algorithms, to detect anomalies. Not everything unusual is malicious, however, and Stealthwatch can quickly and with high confidence correlate anomalies to threats such as ransomware, C&C traffic, DDoS attacks, illicit crypto mining, unknown malware, as well as insider threats and zero-day attacks.
You get fully comprehensive threat monitoring through a single pane of glass, in an agentless solution that covers the branch, data center, endpoint and cloud, regardless of whether the traffic is encrypted.
Let's imagine you want to explain this product to a colleague who is not in the security department.
How would you begin the conversation? And how would you persuade your manager that Stealthwatch could be the best solution to implement when you are frustrated by the crypto-mining activity of internal colleagues, whether intentional or not?
First of all you have to know the solution, and most importantly its pros and cons:
- What are the most important components of Stealthwatch?
Stealthwatch Management Console (SMC)
Flow Collector
Flow Sensor
UDP Director/Flow Replicator
Note: In order to make Stealthwatch work you actually only need an SMC, a Flow Collector and a couple of licenses.
- Why would someone need Stealthwatch at all?!
Network Visibility: Stealthwatch gives you overall visibility of your network, covering both North-South and, most importantly, East-West traffic. It even provides visibility across the whole enterprise, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real time. (The networking team can take advantage of it too, to find out about top hosts, top applications and network performance.)
Detection: Stealthwatch continuously analyses the activity inside your network, learns its behaviour and sets a baseline, and then uses advanced machine learning algorithms to detect anomalies. Stealthwatch is an analytics- and behaviour-based solution. (Finding botnets, malware, DDoS attacks)
Incident Response: Stealthwatch is capable of analysing incidents that have already happened in your network by going back over the recorded behaviour.
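To make the "baseline, then alert on deviations" idea concrete, here is an added Python example. It is not Stealthwatch code and not from this post's author: it builds a per-host bytes-per-hour baseline from constructed NetFlow-style records, then flags a host that suddenly sends far more than its norm towards a destination port it has never used, which is exactly the kind of behaviour change the text says Stealthwatch alerts on. Every host, port and byte count is constructed, and the threshold multiplier `k` and the standard-deviation floor are assumed tuning values.

```python
"""Added example: per-host traffic baseline and anomaly check over NetFlow-style records.
Not Stealthwatch code; record layout, hosts and thresholds are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (hour_index, src_ip, dst_ip, dst_port, bytes).
# Hours 0-23 are the learning window, hour 24 is the window we evaluate.
TRAINING_FLOWS = []
for hour in range(24):
    # 10.0.0.5 normally sends a modest, steady amount of HTTPS to one external host
    TRAINING_FLOWS.append((hour, "10.0.0.5", "203.0.113.10", 443, 50_000 + (hour % 3) * 1_000))
    # 10.0.0.7 normally talks SMB to the internal file server, with more variation
    TRAINING_FLOWS.append((hour, "10.0.0.7", "10.0.0.20", 445, 200_000 + (hour % 5) * 10_000))

# Constructed observation window: 10.0.0.5 suddenly pushes 5 MB to a new host on a new port
OBSERVED_FLOWS = [
    (24, "10.0.0.5", "203.0.113.10", 443, 51_000),
    (24, "10.0.0.5", "198.51.100.9", 3333, 5_000_000),
    (24, "10.0.0.7", "10.0.0.20", 445, 210_000),
]


def _bytes_per_host_hour(flows):
    """Aggregate bytes sent per (source host, hour)."""
    totals = defaultdict(lambda: defaultdict(int))
    for hour, src, _dst, _dport, nbytes in flows:
        totals[src][hour] += nbytes
    return totals


def build_baseline(flows):
    """Learn, per source host, mean/stdev of bytes sent per hour and the destination ports used."""
    totals = _bytes_per_host_hour(flows)
    ports = defaultdict(set)
    for _hour, src, _dst, dport, _nbytes in flows:
        ports[src].add(dport)
    baseline = {}
    for src, hours in totals.items():
        values = list(hours.values())
        baseline[src] = {"mean": mean(values), "stdev": pstdev(values), "ports": ports[src]}
    return baseline


def detect_anomalies(baseline, flows, k=3.0, stdev_floor_ratio=0.05):
    """Return (host, kind, detail) findings for the observation window.

    kind is 'volume' (hourly bytes above mean + k*stdev), 'new_port' (destination port
    never seen for this host) or 'new_host' (no baseline at all).
    k and stdev_floor_ratio are assumed tuning values, not Stealthwatch's."""
    totals = _bytes_per_host_hour(flows)
    findings = []
    for src, hours in totals.items():
        if src not in baseline:
            findings.append((src, "new_host", "no baseline for this host"))
            continue
        b = baseline[src]
        # Floor the stdev so a perfectly steady host does not alarm on trivial noise.
        spread = max(b["stdev"], b["mean"] * stdev_floor_ratio)
        threshold = b["mean"] + k * spread
        for hour, total in sorted(hours.items()):
            if total > threshold:
                findings.append((src, "volume", f"hour {hour}: {total} bytes > {threshold:.0f}"))
    for _hour, src, dst, dport, _nbytes in flows:
        if src in baseline and dport not in baseline[src]["ports"]:
            findings.append((src, "new_port", f"first use of dst port {dport} towards {dst}"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(build_baseline(TRAINING_FLOWS), OBSERVED_FLOWS):
        print(*finding)
```

Run as-is, the script reports two findings, both for 10.0.0.5: a volume spike in hour 24 and a first-ever use of destination port 3333. The file server client 10.0.0.7 stays quiet because its 210,000 bytes sit well inside its learned spread. The standard-deviation floor is the part worth copying: a host with an almost perfectly flat history would otherwise raise a volume alarm on a change of a few kilobytes.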
- What are the features of Stealthwatch?
Stealthwatch can see each and every conversation happening in the network.
Stealthwatch knows each and every host connected to the network.
Stealthwatch is capable of alerting on changes in behaviour.
Stealthwatch can respond to threats quickly.
Stealthwatch can be used to learn information from the network.
Stealthwatch can analyse the behaviour of the network and is capable of distinguishing between normal and abnormal behaviour.
- How can you deploy Stealthwatch?
Stealthwatch can be deployed either as physical appliances or as virtual machines.
Physical appliance: it can be installed on the x210 Series appliances.
VM: it can be installed on VMware or KVM.
The smallest Stealthwatch Flow Collector can process 30,000 flows/second.
- What is the Stealthwatch Management Console?
The Stealthwatch Management Console (SMC) is an enterprise-level security management system which allows network administrators to configure, define, and monitor multiple distributed Stealthwatch Flow Collectors from a single centralized GUI. It uses identity information, graphical representations of network traffic, customized summary reports, and integrated security and network intelligence for comprehensive analysis. *comparable to the FMC (Firepower Management Center) in the firewall world*
The Stealthwatch Management Console also aggregates analysis from Cisco ISE (Identity Services Engine) and other sources through the pxGrid APIs. With Stealthwatch in place, network operations and security teams can see who is using the network, what applications and services are in use, and most importantly how well those services are being used.
To summarize some of the great benefits you can achieve with the SMC:
Real-time data monitoring can be done across thousands of network segments simultaneously.
Capability to quickly detect and prioritize security threats.
Use of multiple types of flow data such as NetFlow, sFlow, IPFIX, etc.
Provides a full audit trail of all network transactions for more effective forensic investigations.
Performs well in extremely high-speed environments and can protect every part of the network that is IP reachable, regardless of size.
Configures, coordinates, and manages Cisco Stealthwatch appliances, including the Flow Collector, Flow Sensor, and UDP Director.
- What is a Flow Collector?
The Flow Collector leverages enterprise telemetry such as NetFlow, IPFIX and other types of flow data from existing infrastructure such as switches, routers, firewalls, endpoints, and other network devices.
At its core, the Flow Collector is the brain of all the operations and magic; it stores the information in its database, where it can be used for incident response.
The Flow Collector can also receive and collect telemetry from proxy data sources, which can be analysed by GTA (Global Threat Analytics, formerly known as CTA, "Cognitive Threat Analytics", which is still the widely used term among other vendors), the multi-layered machine learning engine, for deep visibility into both web and network traffic.
To summarize some of the great benefits you can achieve with the Flow Collector:
Faster threat detection: this enhances your organization's ability to pinpoint threats and shortens your Mean Time To Know (MTTK).
Extended data retention allows organisations to retain large amounts of data for longer periods, which is helpful when investigating incidents.
Performs deduplication so that any flows that might have traversed more than one router are counted only once. It then stitches the flow information together for full visibility of a network transaction.
Flow-traffic monitoring across hundreds of network segments simultaneously, so you can spot suspicious network behaviour.
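As an added illustration of the deduplication and stitching described above (example code, not Stealthwatch's and not the author's): two constructed routers export the same client-to-server flow, only one of them exports the reply direction, and the helpers first collapse the duplicate and then pair the two directions into a single conversation with a client and a server side. The record layout, the router names and the 5-second pairing window are assumptions made for this example.

```python
"""Added example: flow deduplication and stitching over NetFlow-style records.
Not Stealthwatch code; records, exporter names and the pairing window are constructed."""
from collections import defaultdict

# Constructed unidirectional records as two routers might export them.
RAW_RECORDS = [
    # client -> server, seen by both the access router and the core router (a duplicate)
    {"exporter": "rtr-access", "start_ms": 1000, "src": "10.0.0.5", "sport": 51000,
     "dst": "10.0.0.20", "dport": 445, "proto": 6, "bytes": 12_000, "packets": 40},
    {"exporter": "rtr-core", "start_ms": 1000, "src": "10.0.0.5", "sport": 51000,
     "dst": "10.0.0.20", "dport": 445, "proto": 6, "bytes": 12_000, "packets": 40},
    # server -> client, only the core router exported the reverse direction
    {"exporter": "rtr-core", "start_ms": 1003, "src": "10.0.0.20", "sport": 445,
     "dst": "10.0.0.5", "dport": 51000, "proto": 6, "bytes": 800_000, "packets": 600},
    # unrelated one-way flow: a UDP DNS query whose reply was not exported
    {"exporter": "rtr-access", "start_ms": 2000, "src": "10.0.0.7", "sport": 40000,
     "dst": "10.0.0.53", "dport": 53, "proto": 17, "bytes": 80, "packets": 1},
]


def dedup(records):
    """Collapse records with the same 5-tuple and start time seen by several exporters.

    One copy survives; the set of exporters that saw it is kept, because knowing
    which devices the flow crossed is itself useful path visibility."""
    seen = {}
    for r in records:
        key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"], r["start_ms"])
        if key in seen:
            seen[key]["exporters"].add(r["exporter"])
        else:
            seen[key] = dict(r, exporters={r["exporter"]})
    return list(seen.values())


def stitch(records, window_ms=5000):
    """Pair each flow with its reverse-direction flow (src/dst swapped) starting within window_ms.

    The earlier-starting side is treated as the client. That is a simplification:
    a real collector also has TCP flags and multi-exporter timing to decide direction."""
    index = defaultdict(list)
    for r in records:
        index[(r["src"], r["sport"], r["dst"], r["dport"], r["proto"])].append(r)
    used = set()
    conversations = []
    for r in sorted(records, key=lambda x: x["start_ms"]):
        if id(r) in used:
            continue
        used.add(id(r))
        reverse_key = (r["dst"], r["dport"], r["src"], r["sport"], r["proto"])
        partner = None
        for cand in index.get(reverse_key, []):
            if id(cand) not in used and abs(cand["start_ms"] - r["start_ms"]) <= window_ms:
                partner = cand
                break
        if partner is not None:
            used.add(id(partner))
        exporters = set(r["exporters"]) | (partner["exporters"] if partner else set())
        conversations.append({
            "client": r["src"], "server": r["dst"], "server_port": r["dport"], "proto": r["proto"],
            "client_bytes": r["bytes"],
            "server_bytes": partner["bytes"] if partner else 0,
            "bidirectional": partner is not None,
            "exporters": sorted(exporters),
        })
    return conversations


def analyze(records):
    """Deduplicate first, then stitch: the order matters, or the duplicate would pair itself."""
    return stitch(dedup(records))


if __name__ == "__main__":
    for conv in analyze(RAW_RECORDS):
        print(conv)
```

Run on the constructed records, four exported flows become two conversations: an SMB session in which 10.0.0.5 sent 12,000 bytes and received 800,000 (seen by both routers), and a one-way DNS query with no reply recorded. The one-way flag is the interesting output for a defender: a host with many unanswered outbound flows is a classic scanning or beaconing signal, while the byte asymmetry on the stitched conversation is what a volume alarm would key on.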
- What are the various flows which can be used in Stealthwatch?
Supported flow types on Stealthwatch include NetFlow, sFlow and IPFIX (as listed above), as well as
other types of network telemetry.
- What is a Flow Sensor?
The Flow Sensor is an (optional) component of Stealthwatch Enterprise and provides telemetry for segments of the switching and routing infrastructure that can't generate NetFlow on their own. It also provides visibility into application layer data.
If we have devices that cannot generate NetFlow, such as some old Cisco 2960 switches, then we have to connect these devices to a component called the Flow Sensor.
In addition to all the telemetry collected by Stealthwatch, the Flow Sensor provides additional security context to enhance the Stealthwatch security analytics. Advanced behavioral modeling and cloud-based multi-layered machine learning are applied to this dataset to detect advanced threats and perform faster investigations.
To summarize some of the great benefits you can achieve with the Flow Sensor:
Provides true Layer 7 application visibility by gathering application information, along with ad-hoc on-demand packet capture (PCAP).
Enhances operational efficiency and reduces costs by identifying and isolating the root cause of an issue or incident within seconds.
Alerts on network anomalies, generating alarms enriched with contextual intelligence.