Cisco Stealthwatch collects and analyzes network data to deliver comprehensive visibility and protection for even the largest and most dynamic networks. Stealthwatch analyzes industry-standard NetFlow data from Cisco and other vendors’ routers, switches, firewalls, and other network devices to detect advanced and persistent security threats such as internally spreading malware, data leakage, botnet command and control traffic, and network reconnaissance.
Stealthwatch consists of two core appliances and several optional appliances and capabilities.
The core appliances are:
- Stealthwatch Management Console
- Flow Collector
Optional appliances and capabilities of the system, for additional flexibility in deployment and visibility into areas of your network:
- Flow Sensor – an additional sensor that generates NetFlow data, mainly for segments served by devices that are not NetFlow-capable.
- UDP Director (FlowReplicator) – collects NetFlow from devices and sends it to multiple destinations: Stealthwatch, Prime, LiveAction, etc.
Stealthwatch Management Console (SMC):
Configure menu (only in an admin level account)
Deploy menu (only in an admin level account)
It is good to know the abbreviation of each alarm category, since they are used everywhere in Stealthwatch to identify the alarm:
- CI: Concern Index – Hosts exhibiting multiple unusual behaviors over time that could indicate malware or an insider threat
- TI: Target Index – Hosts that are being actively targeted by potentially malicious activity from other hosts
- RC: Recon – Network scanning and exploitation activity around a targeted attack
- C&C: Command and Control (C&C) – botnet communication activity detected in the network
- Exploitation – Tracks direct attempts by hosts to compromise each other, such as through worm propagation and brute force password cracking.
- DS: DDoS Source – alerts for an internal host potentially involved in DDoS activity
- DT: DDoS Target – alerts for internal hosts potentially being targeted by DDoS activity
- DH: Data Hoarding – Hosts observed moving large amounts of data within the network
- EX: Exfiltration – Hosts sending significant amounts of data outside of the network
- PV: Policy Violation – Alarms triggered by policies and custom events defined by the Stealthwatch system’s administrator
- AN: Anomaly – Other anomalous behavior detected. Tracks events that indicate hosts are behaving abnormally or generating unusual traffic that is not consistent with another category of activity.
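To make the DH/EX/RC distinction concrete, the following added example (not Stealthwatch code; the thresholds, the 10.0.0.0/8 "inside" range and the sample flows are assumptions constructed for illustration) aggregates NetFlow-style records per internal source host and flags the category a host would be a candidate for: bytes sent to inside hosts (DH), bytes sent outside the network (EX), or number of distinct internal peers touched (RC).

```python
import ipaddress
from collections import defaultdict

# Address ranges treated as "inside" the monitored network (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed NetFlow-style records: (source IP, destination IP, destination port, bytes sent).
SAMPLE_FLOWS = [
    ("10.1.1.5", "10.1.2.20", 445, 6_000_000_000),    # bulk copies to internal file servers
    ("10.1.1.5", "10.1.2.21", 445, 4_000_000_000),
    ("10.1.1.9", "203.0.113.7", 443, 3_500_000_000),  # large upload to an outside host
    ("10.1.1.9", "10.1.2.20", 445, 10_000),
] + [("10.1.1.30", f"10.1.3.{n}", 22, 120) for n in range(1, 41)]  # one host touching 40 peers

def is_internal(ip, nets=INTERNAL_NETS):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def classify_flows(flows, dh_bytes=5_000_000_000, ex_bytes=1_000_000_000, rc_peers=25):
    """Return {host: [categories]} for internal hosts whose aggregated flows cross a threshold."""
    internal_bytes = defaultdict(int)   # bytes sent to inside destinations (DH candidate)
    external_bytes = defaultdict(int)   # bytes sent to outside destinations (EX candidate)
    peers = defaultdict(set)            # distinct internal destinations contacted (RC candidate)
    for src, dst, _port, nbytes in flows:
        if not is_internal(src):
            continue                    # only inside hosts are scored here
        if is_internal(dst):
            internal_bytes[src] += nbytes
            peers[src].add(dst)
        else:
            external_bytes[src] += nbytes
    alarms = {}
    for host in set(internal_bytes) | set(external_bytes):
        cats = []
        if internal_bytes[host] >= dh_bytes:
            cats.append("DH")
        if external_bytes[host] >= ex_bytes:
            cats.append("EX")
        if len(peers[host]) >= rc_peers:
            cats.append("RC")
        if cats:
            alarms[host] = cats
    return alarms

if __name__ == "__main__":
    for host, cats in sorted(classify_flows(SAMPLE_FLOWS).items()):
        print(host, ",".join(cats))
```

Real Stealthwatch alarms are based on per-host baselines and many more indicators; the fixed thresholds here only illustrate how the same flow data feeds different categories.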
Cognitive Threat Analytics
An optional capability available when the integration is activated; it provides Stealthwatch with enhanced, machine-learning-based behavioral analytics against select internal network traffic and traffic seen crossing the network perimeter.