Base system (platform): Cisco NetFlow
Developer: Lancope
Last release date: 2014/03/27
Industries: Telecommunications
Technology: Firewall; network application performance management systems
Lancope StealthWatch is a Network Behavior Analysis (NBA) system. It is designed to detect network anomalies and monitor performance on the basis of flow information (NetFlow, sFlow) collected from all network devices, including computers and virtual objects (for example, virtual servers and VPNs).
By analysing this information, StealthWatch detects various threats and violations, such as:
- Unauthorized intrusions into the network that are missed by classical perimeter protection (IPS/IDS)
- The spread of viruses, worms and spyware that regular antivirus tools do not detect
- Improper user actions (for example, opening P2P sessions, large-scale downloads from torrent trackers, accessing network segments the user is not authorized for, attempts to access confidential information, etc.)
- The appearance of new devices (hosts) on the network and their behaviour. For example, StealthWatch can identify who is downloading large volumes of non-business content such as MP3 or video.
- Equipment malfunctions
- The appearance of bottlenecks in the network and other possible violations
- Monitoring of actual traffic consumption: for example, which host consumes most of the bandwidth and what data passes through it.
Deploying StealthWatch thus makes it possible to establish real control over user actions and the operation of network devices. A network with StealthWatch installed is a network without "white spots" or "black holes": administrators see and control all processes and events that occur in it.
StealthWatch combines the most important security and IT/network infrastructure management functions: monitoring of network interactions; anomaly tracking for network behaviour analysis; security through identification of dangerous events; response to threats by blocking dangerous events; optimization and configuration of traffic and capacity; and reporting on all communications and hosts.
By using StealthWatch, companies can reduce costs by purchasing one product instead of several separate solutions, thereby reducing the total cost of managing and protecting their networks.
StealthWatch currently monitors more than 45 million elements (hosts) in the networks of hundreds of enterprises and government organizations worldwide, from the largest corporations and federal telecom operators to small and medium-sized businesses.
There are 10 key points in which StealthWatch differs from most flow-based monitoring solutions:
- StealthWatch is a mature, long-established product that has been in use for 13 years.
- Unlike most flow technologies, which were developed for network performance management and had security functions added much later, Lancope has focused on network security from day one.
- Unlike other flow technologies, intended primarily for small network environments, StealthWatch scales very efficiently and cheaply to 120,000 flows per second (fps) per collector, or up to 3 million fps in total, and can protect even large networks.
- Thanks to the combination of flow monitoring and packet-level control, StealthWatch provides complete visibility of the entire network, even in virtual or 10G environments.
- While most NetFlow collection systems have very limited analysis capabilities, StealthWatch uses powerful behavioural analysis and deep analysis functions developed for effective real-time detection of botnets, APT (advanced persistent threat) attacks, insider threats and other anomalies.
- StealthWatch offers advanced functionality, including information on applications, identities and mobile devices, as well as automatic device prioritization and simplified troubleshooting for a wide range of network problems.
- In addition to improved security and performance capabilities, StealthWatch can easily be extended to support additional functions, including help desk, capacity planning, network behaviour analysis, etc.
- Lancope has long-established technology partnerships and product integrations with leading manufacturers of network equipment and security systems.
- StealthWatch can be purchased either as a hardware appliance or as a virtual appliance, giving users flexibility in deployment and service structure.
- Cisco, the developer of NetFlow, uses Lancope as the flow-based monitoring component of its Cisco Cyber Threat Defense solution.
Lancope StealthWatch 6.2.2
On 7/9/2012 an update of the StealthWatch system, version 6.2.2, was released. This update applies to all 6.2.0 and 6.2.1 systems. All systems running StealthWatch 6.2.1 should be updated to version 6.2.2 as soon as possible.
NAT technology was created to make the most of the limited supply of available IP addresses. Unfortunately, it significantly reduces network visibility, as administrators cannot see precisely who is responsible for performance or security problems. Today, in an era of advanced threats and a constantly evolving network environment, enterprises can no longer afford to ignore the dangers that such "blind spots" present.
"Stitching" the external Internet IP address and the user's internal network address into a single record, together with deduplication of NAT records, helps eliminate lengthy investigations to determine the real culprit behind bad network behaviour. By combining this data with identity information from StealthWatch IDentity or Cisco Identity Services Engine (ISE), even more precise data can be obtained for analysing network problems.
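To illustrate the NAT stitching and deduplication described above, here is an added Python example; it is not Lancope's code. The NAT translation log, the flow records from an inside and an outside exporter, the identity map and the time-window matching are all constructed assumptions:

```python
# Constructed sample NAT translation log (what a NAT device would export);
# each entry: (start, end, inside_ip, inside_port, outside_ip, outside_port)
NAT_LOG = [
    (100, 400, "10.0.0.5", 51000, "203.0.113.10", 40001),
    (150, 450, "10.0.0.7", 51000, "203.0.113.10", 40002),
    (500, 900, "10.0.0.5", 52000, "203.0.113.10", 40001),  # outside port 40001 reused later
]

# Constructed flow records: (time, src_ip, src_port, dst_ip, dst_port, bytes)
# An exporter outside the NAT sees the translated address; one inside sees the private
# address. Both records describe the same flow and must be merged into one.
FLOWS = [
    (200, "203.0.113.10", 40001, "198.51.100.20", 443, 8000),   # outside exporter
    (200, "10.0.0.5", 51000, "198.51.100.20", 443, 8000),       # inside exporter, duplicate
    (300, "203.0.113.10", 40002, "198.51.100.20", 80, 120000),
    (600, "203.0.113.10", 40001, "198.51.100.30", 22, 500),     # reused port, now 10.0.0.5:52000
]

# Constructed identity data, standing in for what StealthWatch IDentity / ISE would supply
IDENTITY = {"10.0.0.5": "alice", "10.0.0.7": "bob"}


def lookup_inside(time, outside_ip, outside_port):
    """Return (inside_ip, inside_port) for the NAT binding active at `time`, or None."""
    for start, end, in_ip, in_port, out_ip, out_port in NAT_LOG:
        if out_ip == outside_ip and out_port == outside_port and start <= time <= end:
            return in_ip, in_port
    return None


def stitch(flows):
    """Rewrite post-NAT flows to the internal host, attach identity, drop duplicate records."""
    seen = set()
    stitched = []
    for t, sip, sport, dip, dport, nbytes in flows:
        inside = lookup_inside(t, sip, sport)
        if inside:
            sip, sport = inside                      # stitch external record to internal host
        key = (sip, sport, dip, dport, t)            # same flow seen by two exporters -> one record
        if key in seen:
            continue
        seen.add(key)
        stitched.append({"time": t, "src": sip, "sport": sport, "dst": dip,
                         "dport": dport, "bytes": nbytes,
                         "user": IDENTITY.get(sip, "unknown")})
    return stitched
```

The time window in the lookup is what makes the reused outside port at t=600 resolve to the second binding rather than the first.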
"Accurately determining user identity across NAT points in the network is becoming a critical factor for effective resolution of security, performance and similar problems," says Joe Yeager, director of product management at Lancope. "Without the ability to obtain this information quickly and precisely, organizations will very quickly find that they are spending a lot of time digging through log files, or will end up in a very serious situation that has a devastating impact not only on the IT department."
The StealthWatch system collects and analyses NetFlow, IPFIX and other types of flow data from the existing infrastructure, providing new capabilities for solving performance and security problems, managing risk and ensuring complete visibility of all events taking place in the network. Rather than relying on constant signature updates, the system uses complex behavioural analysis to detect the full range of internal and external threats characteristic of modern conditions, including zero-day problems, botnets, DDoS, APT (advanced persistent threats) and data leaks by insiders.
Analysing over 120 thousand flows per second per collector, or about 3 million flows per second across the whole system, StealthWatch provides reliable, cost-effective traffic monitoring even for the largest networks. High-speed NAT record processing is especially important now that operators and service providers are considering carrier-grade NAT (CGN), also known as large-scale NAT, which allows thousands of users to share a single IP address and makes it easier for "bad actors" to hide behind NAT.
The Lancope StealthWatch appliance builds a "picture" (a baseline) of normal traffic for each network host and host group, and determines the relationships between hosts. This approach allows StealthWatch to raise alarms under the following DDoS-related conditions:
- High Target Index. Each host is assigned a value corresponding to the level of suspicious activity directed at it. This provides a list of priority assets that are in the greatest danger.
- Server response time. Using FlowSensor and FlowSensor VE devices, the StealthWatch system can raise an alarm when a web server or database server begins to choke.
- Packets per second. StealthWatch can show excessive amounts of traffic directed at network resources.
- Interface congestion. Interface performance metrics are constantly monitored, providing visibility of the attack at the physical layer.
- Maximum number of flows served. Each server establishes baseline parameters for its normal connection volume. When this threshold is exceeded, the StealthWatch operator receives a corresponding alarm.
- Maximum number of SYNs received. When a server begins to receive an "unhealthy" number of TCP SYN packets, this can serve as an early warning.
- High overall traffic ratio. When the volume of HTTP requests exceeds the capacity of the database server, an alarm is raised for the mismatch between request and response volumes, revealing problems at a level where other anti-DDoS systems do not operate.
- New host activity. Legitimate users of web services tend to visit regularly. Attacking hosts are not in the habit of lingering or returning to the "crime scene". StealthWatch can distinguish between these two types of users.
- High Concern Index. This is Lancope's own technique: an index (indicator) of danger that makes it possible to prioritize suspicious or anomalous activity originating from a host. External "aggressors" trigger a High Concern Index alarm when the computers they try to connect to have a low index.
- Maximum number of flows initiated. Knowing the number of flows per minute that a legitimate user creates when accessing a service, StealthWatch alarms on hosts that exceed this norm.
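As an added example (not StealthWatch's own code), the following Python sketch learns a per-host baseline from constructed flow records and then checks three of the conditions listed above: maximum flows initiated, maximum SYNs received and new host activity. The record layout, the `syn_only` flag and the k-sigma / `min_abs` thresholds are assumptions made for the example:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (minute, src_ip, dst_ip, dst_port, syn_only).
# syn_only=True marks a TCP flow that carried only a SYN and never completed the handshake.
TRAIN = [(m, "10.0.0.5", "10.0.1.10", 443, False) for m in range(10) for _ in range(2)]
TRAIN += [(m, "10.0.0.6", "10.0.1.10", 443, False) for m in range(10) for _ in range(3)]
WINDOW = [(10, "10.0.0.6", "10.0.1.10", 443, False)] * 3      # within its 3/min baseline
WINDOW += [(10, "10.0.0.5", "10.0.1.10", 443, False)] * 40    # far above its 2/min baseline
WINDOW += [(10, "192.0.2.9", "10.0.1.10", 443, True)] * 200   # never-seen host, SYN-only flood


def build_baseline(flows):
    """Per host: mean/stdev of flows initiated per minute and SYN-only flows received per minute."""
    initiated = defaultdict(lambda: defaultdict(int))   # src -> minute -> flows started
    syns = defaultdict(lambda: defaultdict(int))        # dst -> minute -> SYNs received
    for minute, src, dst, _port, syn_only in flows:
        initiated[src][minute] += 1
        if syn_only:
            syns[dst][minute] += 1

    def stats(series):
        return {h: (mean(v.values()), pstdev(v.values())) for h, v in series.items()}

    return {"initiated": stats(initiated), "syns": stats(syns), "known_hosts": set(initiated)}


def exceeds(n, mu_sd, k, min_abs):
    """Alarm only when clearly above baseline: k stdevs or at least min_abs flows above the mean."""
    mu, sd = mu_sd
    return n > max(mu + k * sd, mu + min_abs)


def evaluate(baseline, flows, k=3.0, min_abs=5):
    """Return (condition, host, count) alarms for one window of flows."""
    initiated, syns, alarms = defaultdict(int), defaultdict(int), []
    for _minute, src, dst, _port, syn_only in flows:
        initiated[src] += 1
        if syn_only:
            syns[dst] += 1
    for host, n in initiated.items():
        if host not in baseline["known_hosts"]:
            alarms.append(("new_host_activity", host, n))
        elif exceeds(n, baseline["initiated"][host], k, min_abs):
            alarms.append(("max_flows_initiated", host, n))
    for host, n in syns.items():
        if exceeds(n, baseline["syns"].get(host, (0.0, 0.0)), k, min_abs):
            alarms.append(("max_syns_received", host, n))
    return alarms
```

Host 10.0.0.6 stays within its learned baseline and raises nothing; a host with no baseline at all is reported as new-host activity rather than silently given a threshold.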
2014: StealthWatch 6.5
On March 27, 2014 Lancope announced the release of a new version of its Network Behavior Analysis security monitoring platform, StealthWatch 6.5.
Description
The updated system offers enhanced security analytics capabilities for unprecedented network control and threat detection. With a new intuitive web interface and composite alert functions, StealthWatch 6.5 helps organizations quickly identify and stop advanced modern attacks that get past perimeter defenses.
New opportunities
- The Operational Network & Security Intelligence (ONSI) dashboard allows the system to pinpoint the attack "kill chain", turning network and security data into actionable information for quickly identifying an attack and remediating its effects.
- The new data storage alerting system detects when an external attacker or an insider begins to transfer data from critical locations such as file servers or POS terminals, making it possible to prevent data leaks.
- StealthWatch Labs updates provide expanded protection against major threats, delivering behavioural algorithms to customers outside the standard product release cycle.
- User-defined threat criteria allow Lancope customers to further extend protection of their network by creating their own events and alarms based on their own security policies or threats specific to their environment.
Additional enhancements
- The intuitive web interface provides a powerful, simple and elegant platform with improved usability.
- Active Directory integration in the user interface provides additional user identification details, such as office location, contact information and position in the company, which enhances troubleshooting capabilities.
- Custom application configuration makes it possible to detect custom applications in the network environment, which facilitates identification of anomalous traffic.
The StealthWatch 6.5 system is available now. Existing Lancope customers will receive the new system as part of their support service.