Cisco Stealthwatch observes the network for any anomalies that may exist in the traffic. It does not analyze the packet payload itself; only packet headers are inspected, so the encryption of the payload does not get in the way. Because only the packet header is checked, Stealthwatch can inspect more traffic while consuming less CPU power.
When it comes to security, the design must be multi-layered. Stealthwatch is not a stand-alone security solution; it should be part of a much bigger solution, and networks should also use other tools such as Cisco NGFW Firepower. Cisco Stealthwatch is installed as an additional appliance in the network, and the firewall is still used to protect the network against external threats.
Basically, in the network, either the firewall or a switch sends layer 3 flow data to Stealthwatch; suspicious traffic is identified, and Stealthwatch raises an alarm and takes action on it.
The largest Stealthwatch system can analyze up to 600,000 flows per second from 10,000 devices. It is also scalable compared to other systems. A flow is a single conversation between two network devices. When a large file is uploaded over the network, it is fragmented into multiple packets, but it still represents a single flow. A TCP FIN or a timeout marks the end of the conversation. Overall, customers should consider the following benefits of using Cisco Stealthwatch:
- Stealthwatch is scalable and can process large volumes of traffic.
- Stealthwatch is not just for security purposes; it gives network administrators complete network visibility.
- The network can be continuously monitored for traffic that has already bypassed the NGFWs; furthermore, the internal network is still checked.
- Using Encrypted Traffic Analytics, traffic can also be checked to ensure it is compliant with PCI and HIPAA.
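The flow model described above (many packets, one conversation, closed by a TCP FIN or an inactivity timeout) as a small Python aggregator. This is an added example, not Cisco code: the packets are constructed samples, the 60-second timeout is an assumed value, and only header fields are read, which is why payload encryption does not matter.

```python
# Added example (not Cisco code): group packet headers into flows as a flow collector does.
from dataclasses import dataclass

INACTIVE_TIMEOUT = 60.0  # seconds of silence before a flow is expired (assumed value)

@dataclass
class Flow:
    key: tuple            # canonical 5-tuple, identical for both directions
    first_seen: float
    last_seen: float
    packets: int = 0
    bytes: int = 0
    ended_by: str = ""    # "fin" or "timeout"

def flow_key(src, sport, dst, dport, proto):
    """Order the endpoints so A->B and B->A map to one conversation."""
    a, b = (src, sport), (dst, dport)
    if a > b:
        a, b = b, a
    return (a[0], a[1], b[0], b[1], proto)

def aggregate(packets, timeout=INACTIVE_TIMEOUT):
    """packets: dicts with ts, src, sport, dst, dport, proto, length and optional fin."""
    active, finished = {}, []
    for p in sorted(packets, key=lambda p: p["ts"]):
        # expire conversations that have been silent longer than the timeout
        for k in [k for k, f in active.items() if p["ts"] - f.last_seen > timeout]:
            f = active.pop(k)
            f.ended_by = "timeout"
            finished.append(f)
        k = flow_key(p["src"], p["sport"], p["dst"], p["dport"], p["proto"])
        f = active.setdefault(k, Flow(k, p["ts"], p["ts"]))
        f.last_seen, f.packets, f.bytes = p["ts"], f.packets + 1, f.bytes + p["length"]
        if p.get("fin"):  # a TCP FIN ends the conversation
            f.ended_by = "fin"
            finished.append(active.pop(k))
    for f in active.values():  # still open at end of capture: report as timed out
        f.ended_by = "timeout"
        finished.append(f)
    return finished

# Constructed sample: one file upload split over three packets, then a DNS query.
SAMPLE_PACKETS = [
    {"ts": 0.0, "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.9", "dport": 443, "proto": "tcp", "length": 1500},
    {"ts": 0.1, "src": "10.0.0.9", "sport": 443, "dst": "10.0.0.5", "dport": 40001, "proto": "tcp", "length": 60},
    {"ts": 0.2, "src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.9", "dport": 443, "proto": "tcp", "length": 1500, "fin": True},
    {"ts": 5.0, "src": "10.0.0.5", "sport": 53000, "dst": "10.0.0.2", "dport": 53, "proto": "udp", "length": 80},
]
```

Running `aggregate(SAMPLE_PACKETS)` yields two flow records: the three-packet TCP upload (3060 bytes, ended by FIN) and the single UDP query, which is only reported once the inactivity timeout expires.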
Cisco Stealthwatch Components
Cisco Stealthwatch consists of four components, each of which can be acquired either as a physical appliance or as a VM. Each part plays an essential role in inspecting the traffic flows within your network.
Stealthwatch Management Console
Basically, the SMC is the heart of the system and controls the other components. The SMC analyzes the flow data collected by the other components. It then establishes a baseline over up to 7 days; any anomalies that fall outside the baseline are reported, and alerts are raised for any threats and attacks that occur before and after the baseline is established. Administrators can also run reports on the console to observe what was done, when, and by whom. Moreover, custom policies can be created to watch for any activity outside the company policy. Patching and updating are done via the SMC.
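To make the baselining idea concrete, here is an added example (not Cisco's algorithm) that builds a 7-day per-host baseline from daily flow volumes and flags a new day's values that fall outside it. The history and today's figures are constructed samples; the 3-sigma threshold and the 10% floor for flat baselines are assumed settings.

```python
# Added example (not Cisco code): baseline per-host daily flow bytes, then flag deviations.
import statistics

BASELINE_DAYS = 7
THRESHOLD_SIGMAS = 3.0   # assumed sensitivity
FLAT_BASELINE_FLOOR = 1.1  # assumed: +10% over a perfectly flat baseline alerts

def build_baseline(history):
    """history: {host: [daily_bytes, ...]}. Returns {host: (mean, stdev)} over the last 7 days."""
    baseline = {}
    for host, days in history.items():
        window = days[-BASELINE_DAYS:]
        mean = statistics.mean(window)
        stdev = statistics.pstdev(window) if len(window) > 1 else 0.0
        baseline[host] = (mean, stdev)
    return baseline

def check_day(baseline, today, sigmas=THRESHOLD_SIGMAS):
    """today: {host: bytes}. Returns (host, reason, observed, limit) for each anomaly."""
    alerts = []
    for host, observed in today.items():
        if host not in baseline:
            # a host never seen in the baseline window is itself worth reporting
            alerts.append((host, "no baseline for host", observed, None))
            continue
        mean, stdev = baseline[host]
        limit = mean + sigmas * stdev if stdev > 0 else mean * FLAT_BASELINE_FLOOR
        if observed > limit:
            alerts.append((host, "volume above baseline", observed, limit))
    return alerts

# Constructed sample: 7 days of outbound bytes (in MB) per host, then today's figures.
SAMPLE_HISTORY = {
    "10.0.0.5": [100, 110, 95, 105, 100, 98, 102],
    "10.0.0.6": [50, 50, 50, 50, 50, 50, 50],
}
SAMPLE_TODAY = {"10.0.0.5": 5000, "10.0.0.6": 52, "10.0.0.7": 30}
```

Against the sample, host 10.0.0.5 is flagged for a sudden 5000 MB day, 10.0.0.7 is flagged as a host with no baseline, and 10.0.0.6 stays quiet because 52 MB is within 10% of its flat 50 MB baseline.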
Stealthwatch Flow Collector
Initially, layer 3 network devices need to send flow data to the Flow Collector, which processes, cleans and organizes the raw data. It then sends the data to the SMC to be analyzed and correlated with other flows. In order to activate all FC instances, a Cisco Stealthwatch license for the FC can be purchased and applied on the Cisco smart software management website.
Stealthwatch Flow Sensor
The Flow Sensor is very similar to the Flow Collector, but it can analyze the layer 2 frames and packets sent between hosts. These sensors are connected to SPAN ports. SPAN (Switch Port Analyzer) makes an exact copy of all frames transmitted or received on a specified port or VLAN and sends them out of a SPAN port to an IDS sensor, a host running Wireshark, or a Stealthwatch Flow Sensor. The relevant data is then sent to the SMC. In order to activate all FS instances, a Cisco Stealthwatch license for the FS can be purchased and applied on the Cisco smart software management website.
Stealthwatch UDP Director
The UDP Director is responsible for two matters. The first is data aggregation, which sends the data collected from multiple exporters as a single stream to the FMC. The second is flow sharing, where flow data can be sent to multiple destinations such as SolarWinds, Cisco Prime and Cisco Stealthwatch. In order to activate all UDPD instances, a Cisco Stealthwatch license for the UDPD can be purchased and applied on the Cisco smart software management website.
Cisco Stealthwatch Features
Stealthwatch is not just a NetFlow analyzer; it is also able to capture private and public addresses, since some public IP addresses might not be trustworthy and may belong to malware sites, command and control servers or ransomware servers. The SMC checks the trustworthiness of each public address, and if an address points to a suspicious server it raises an alert.
Integration with Cisco ISE
The SMC can be integrated with Cisco ISE and Microsoft Active Directory, and this feature allows users to be linked to alerts. In order to activate all SMC instances, a Cisco Stealthwatch license for the SMC can be purchased and applied on the Cisco smart software management website.
Threat Intelligence (TI)
The Cisco Stealthwatch Threat Intelligence (TI) License gives Stealthwatch customers access to a global threat intelligence feed powered by the Cisco TALOS intelligence platform. It does not use traditional methods of inspecting for threats, such as databases or pattern files; instead it uses a service called Cisco TALOS.
Cisco TALOS is a threat intelligence group run by Cisco. It includes full-time researchers, decoy systems and traps that gather intelligence and update a cloud-based database every 15 minutes, which Cisco security devices leverage for attack mitigation.
The Stealthwatch TI feed offers advanced botnet detection capabilities, continuously monitoring customer networks for thousands of known command-and-control (C&C) servers, bogon IP address spaces, and Tor entry and exit nodes, and automatically adding new botnets to its radar as they are identified in the wild.
Encrypted Traffic Analytics
As encryption is becoming more common nowadays, attackers also use encryption to avoid firewall inspection. Cisco has introduced Encrypted Traffic Analytics (ETA), a feature that can detect threats in encrypted packets, and Stealthwatch is able to analyze ETA data. Currently the Cisco Catalyst 9000 switches, ISR 1000 Router, ISR 4000 Router, CSR 1000v Cloud Router, ASR 1000 Router and Catalyst 9800 series wireless controller support ETA technology.
Cisco Stealthwatch License
The Cisco Stealthwatch license is only available as a smart license. Smart licensing is a way to manage all licenses in a centralized platform called Cisco smart software management.
Recently, Cisco has offered its Stealthwatch smart license for device registration. Administrators should proceed through the CSSM website in order to register their product instances using their smart accounts. The following Stealthwatch appliances and features can be licensed with Cisco license types:
- Flow Sensors VE License
- UDP Directors License
- UDP Directors VE License
- Flow Rate (FPS) License
- Endpoint License
- Threat Intelligence License (formerly known as SLIC)
- Security Analytics and Logging License
Also, the Stealthwatch Management Console VE and Flow Collector VE licenses are added to your account automatically.
Cisco Stealthwatch PLR License
As an all-in-one solution, the Cisco Stealthwatch PLR license can be used to enable all the features mentioned above. Cisco Permanent License Reservation allows customers to enable all premium features permanently and without any network connection. These licenses are essentially designed for highly secure network architectures where no inbound or outbound connection is allowed.