top of page

Cisco Stealthwatch (#Part1 Golden Questions and Answers)

And Yet Another Weekend Post! (YAWP)
You know what?! In this article we will introuce you to
The BEAST of network visibility and control!
Stealthwatch introuction:
- What is Stealthwatch?

One of the best methods for detecting hard-to-find hackers, such as those using APTs (Advanced Persistent Threats), is through network traffic flow analysis or netflow.

The story of Steathwatch goes back to 2015 when Cisco bought a great commpnay named Lancope For $452,5 M.

Stealthwatch provides visibility across the whole enterprise, from private networks to the public clouds such as Microsoft Azure and Amazon AWS, and applies advanced security analytics to detect and respond to threats in real-time. The way how Stealthwatch does its work is that it analyses network activities over and over again and creates a baseline of normal network behavior and then uses this baseline, along with advanced machine learning algorithms, to detect anomalies. However, not everything weird is malicious and Stealthwatch can quickly and with high confidence correlate anomalies to threats such as ransomware,C&C attacks, DDoS attacks, illicit crypto mining, unknown malware, as well as insider threats and zero-day-attacks.

You get a fully comprehensive threat monitoring with a single pane of glace, agentless solution, across the branch, data center, endpoint , and cloud, regardless of the presence of network encryption.

Let's imagine you want to explain your colleague ,who is not in Security Department, about this Product.

How will you beginn your conversation? How can you persuade and convince your manager why Stealthwatch could be the best solution to implement when you are frustrated of crypto-mining activities of internal colleagues unintentionally or intentionally?

In the first place you have to know the solution and most importantly know its pons an cons:

- What are the most inportant components of Stealthwatch?

  • Stealthwatch Management Console (SMC)

  • Flow Collector

  • UDP Director/Flow Replicator

  • Packet Analyser

  • Flow Sensor

Note: Actually, in order to make Stealthwatch work you only need SMC, Flowcollector and a couple of Licenses.

- Why should someone need Stealthwatch at all ?!

Network Visibility: Stealthwatch will have overall visibility of your Network of both North-South and most importantly East-West traffic. It even provides visibility across the whole enterprise, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real-time. (Networking team can get advanatge of it in order to find out about top-hosts, top applications, network performance)

Detection: Stealthwatch continuously analyses network activities inside your network, analyses network behavior and sets a baseline, it even used advanced machine learning algorithms to detect anomalies. Stealthwatch is analytical and behavior solution.(Findings Botnets, Malwares, DDoS attacks)

Incident Response: Stealthwatch is capable of analyzing the Incidents which has happened in your network by going back and analyzing the behavior.

-What are the features of Stealthwatch?

  • Stealthwatch can see each and every conversation happening in the network.

  • Stealthwatch can know each and every host connected in the network.

  • Stealthwatch is capable of alerting to change in the behavior.

  • Stealthwatch can respond to Threats quickly.

  • Stealthwatch can be used to learn information from the network.

  • Stealthwatch can analyse the behavior of the network and it is capable of distinguishing between normal and abnormal behavior.

-How can you deploy Stealthwatch?

Stealthwatch can be either deployed in the form of physical appliances or Virtual Machines.

Physical appliance : It can be installed on x210 Series appliance.

VM : It can be installed on VMware KVM.

Stealthwatch smallest flow collector can process 30,000 flows/second.

-What is Stealthwatch Management Console?

The Stealthwatch Management Console (SMC) is an enterprise-level security management system which allows network administrators to configure, define, and monitor multiple distributed Stealthwatch Flow Collectors from a single centralized GUI. It uses identity information, graphical representations of network traffic, , customized summary reports, and integrated security and network intelligence for comprehensive analysis. *comparable with FMC in firewall world*

Stealthwatch Management Console aggregates analysis from, the Cisco ISE (Identity Services Engine), and other sources through PxGrid APIs. With Stealthwatch in place, network operations and security teams can see who is using the network, what applications and services are in use, and most importantly how well they are using these services.

To summarize some of the great benefits you can achieve with SMC please read the following:

  • Real-time data monitoring can be done across thousands of network segments simultaneously.

  • Capability to fastly detect and prioritize security threats.

  • Use of multiple types of flow data such as NetFlow, SFlow, IPFIX etc.

  • Provides a full audit trail of all network transactions for more effective forensic investigations.

  • Performs well in extremely high-speed environments and can protect every part of the network that is IP reachable, regardless of size.

  • Configures, coordinates, and manages Cisco Stealthwatch appliances, including the Flow Collector, Flow Sensor, and UDP Director.

-What is a Flow Collector?

The Flow Collector leverages enterprise telemetry such as NetFlow, IPFIX and other types of flow data from existing infrastructure such as switches, routers, , firewalls, endpoints, and other network devices.

In its core, Flow Collector is the Brain of all the operations and magics and it will store the information into the database and this can be used fore Incident Response.

The Flow Collector can also receive and collect telemetry from proxy data sources, which can be analyzed by the GTA (Global Threat Analytics).(formerly known as CTA''Cognitive Threat Analytics'' which is the widely used term among other vendors), the multi-layered machine learning engine, for deep visibility into both web and network traffic.

To summarize some of the great benefits you can achieve with Flow Collector please read the following:

  • Faster Threat Detection this process enhances your organization’s ability to pinpoint threats and shortens your Mean Time To Know (MTTK).

  • Extended Data retention allows organisations to retain large amount of data for longer periods which will be helpful while investigating the incidents.

  • Performs deduplication so that any flows that might have traversed more than one router are counted only once. It then stitches the flow information together for full visibility of a network transaction

  • Flow-traffic monitoring across hundreds of network segments simultaneously, so you can spot suspicious network behaviour.

-What are the various flows which can be used in Stealthwatch?

Supported flows on Stealthwatch are:

  • NetFlow

  • S-Flow

  • IP-FIX (Nortel/Palo-Alto)

  • App-Flow (Citrix)

  • Net-Stream (Huawei)

  • I-Flow/C-Flow (Juniper)

and other types of network telemetry.

-What is a Flow Sensor?

The Flow Sensor is an (optional) component of Stealthwatch Enterprise and provides telemetry for segments of the switching and routing infrastructure that can’t generate NetFlow on their own. It also provides visibility into the application layer data.

If we have non-capable net-flow devices such as some old Cisco 2960 in the network then we have to connect these non-capable devices into a component called Flow Sensor.

In addition to all the telemetry collected by Stealthwatch, the Flow Sensor provides additional security context to enhance the Stealthwatch security analytics. Advanced behavioral modeling and cloud-based multi-layered machine learning is applied to this dataset to detect advanced threats and perform faster investigations.

To summarize some of the great benefits you can achieve with Flow Sensor please read the following:

  • Provides true Layer 7 application visibility by gathering application information along with ad-hoc on-demand packet capture (PCAP)

  • Enhances operational efficiency and reduces costs by identifying and isolating the root cause of an issue or incident within seconds.

  • Alerts on network anomalies so that this helps to generate alarms with contextual intelligence so that security personnel can take quick action and mitigate risks.

-What is UDP Director/Flow Replicator?

Call this like Mr copy machine!😂 The UDP Director simplifies the collection and distribution of network and security data across the enterprise. It helps reduce the processing power on network switches and routers by receiving essential network and security information from multiple locations and then forwarding it to a single data stream to one or more destinations.

To summarize some of the great benefits you can achieve with UDP Director please read the following:

  • Reduces unplanned downtime and service disruption since UDP director High Availability is available.

  • Receives data from any connectionless UDP application, and then retransmits it to multiple destinations, duplicating the data if required.

  • Directs point log data (NetFlow, sFlow, Syslog, SNMP) to a single destination without the need to reconfigure the infrastructure when new tools are added or removed.

  • Simplifies network security and monitoring by aggregating and provides single standardized destination for NetFlow, sFlow, Syslog, and Simple Network Management Protocol (SNMP) information

-How do we redirect the traffic from non-NetFlow supported devices?

Flow Sensors will be deployed in order to collect the information from the non-NetFlow capable devices where SPAN/Copy of data packet will be collected from and then flow sensor will transform data packet to full NetFlow.

While doing full NetFlow, Flow sensor will also perform.

  • DPI (Deep Packet Inspection) will be done and this will be helpful in finding Top application in the network.

  • Round Trip Time(RTT) and Server Response Time(SRT) which will help in network performance calculation.What is the use of integrating Stealthwatch with ISE?

Integrate Stealthwatch Management Console to ISE through pxGrid will provide the Stealthwatch system with extra contextual information about the endpoint and user on that endpoint as well as the ability to quarantine that endpoint if they are misbehaving.

To summarize some of the great benefits you can achieve with integrating ISE into SMC please read the following:

  • Stealthwatch can send API query to ISE and take action by quarantining or providing limited access to users.

  • ISE adds user information into NetFlow for example: User-ID, Device-Type and MAC address.

-What is Packet Analyzer in Cisco Stealthwatch?

It is basically like Wireshark on steroids! The Cisco Packet Analyzer is one of the tools in Stealthwatch which will help you investigate security events and anomalous network activity in your network.

Here are some use cases:

Suppose Stealthwatch detects abnormal/bad behavior inside the network but as an administrator, if we want to find out what has caused the abnormal behavior, in this case, we can do deep dive inspection using Packet Analyzer.

You can dig deep into packets which caused the deviation of the baseline for future digital forensics analysis in order to provide evidence to court of justice.

Note: Packet Analyzer has a 42 Terabyte of Rolling buffer which can store only 42 TB of data in Buffer.

What is Cloud Component in Stealthwatch?

And Yet Another Acquisition by Cisco in 2017. Cisco acquired Observable Networks.

Most of Enterprise network will have cloud platform where network devices and servers are installed on cloud. In this case if we want to

monitor the Cloud platform then we need to install agent on the Client.

-What is Data Concentrator in Cloud Component of Stealthwatch?

In the process of monitoring the devices which are on cloud we install an agent on the Client. Then the Agent will send all the information to a component called as Data Concentrator (Cloud Concentrator).

Data Concentrator will convert all the information which has received from Client (Cloud device) into NetFlow and send that information via tunnel (VPN) to Flow Collector.

-What is meant with Flow in Stealthwatch?

Flow is a Stream of information exchanged between the routing protocols, routing tables as well as flow of packets from routers physical interface to routing engine.

Network Flow is a Unidirectional sequence of packets that have a common characteristics.

Here are some characteristics of Flow:

  • Flow will have complete information of who is talking to who on the network level.

  • Flow will have information e.g: source IP’s, destination IP’s,time stamps, port numbers, packet count, etc.

  • Flow technology was originally developed by Cisco and it was called as NetFlow.

  • Flow will tell how a specific organisations network being used.

-What is NetFlow?

  • NetFlow was developed by Cisco in 1966.

  • NetFlow is packet forwarding mechanism wherein information will be sent across in NetFlow to Flow collector.

Here are some different versions of NetFlow:

  • Version-1

  • Version-5

  • Version-7

  • Version-9

  • IP-FIX

-What is NetFlow Exporter? ( Great Stuff )

Once the Flow Record has been created then that record has to be tied to a Flow Exporter. Flow Exporter configuration defines either the physical IP address or virtual Flow Collector IP Address to which NetFlow data has to be sent.

It also defines the source interface from which the Flow Exporter device will send NetFlow data, this can be a physical or logical address.

Configuration example:

flow exporter PHENIIX-EXPORT source vlan 6 destination transport udp 9995 export-protocol netflow-v5 template data timeout 60


All product names, logos, and brands are the property of their respective owners in Austria or other countries. All company, product and service names used in this website are for identification purposes only. Pheniix is not affiliated with or an official partner of Cisco, CompTIA,Dimension Data, VMware, Amazon, Microsoft, Certified Ethical Hacker, (ISC)², Juniper, Wireshark, Offensive Security,Google, GNS3, F5, Python, Linux, Java, OpenStack, Vagrant, Ansible, Docker, GIT, , Blockchain or other companies. Use of these names, logos, and brands does not imply endorsement. The opinions expressed in Pheniix are personal perspectives and not those of Cisco, Dimension Data or any other company. Pheniix runs as an independent blog.

#IPSEC #SecurityCenter #InfoSec #ASASecurityDeviceManagerASDM #CCNASecurity #NationalCyberSecurityAwarenessMonth #Cybersecurity #CloudSecurity #Security #security #NationalSecurityAgencyNSA #IBMSecurity #CiscoSecurity #cybersecurity #securityflaw #CyberSecurity #CCNAWireless #CCNA #CCNP #CCIE #CCIELab #CISSP #CCSP #ISC2 #Cybercrime #cryptocurrency #Encyption #cyberwar #CCNACyberOps #PolicySet #Stealthwatch #Lancope #visibility #CiscoNetworkingAcademy #Netflow

bottom of page