StealthWatch 6.5 – Dynamic Flow Analysis by Matt Robertson

StealthWatch 6.5 – Dynamic Flow Analysis

The course of an investigation is ever changing based on where the facts lead us; we might start based on one hypothesis, but as the facts unfold we discover a different truth. The new dynamic flow analysis functionality in the Lancope StealthWatch System 6.5 was designed to support the fluid nature of an investigation, allowing a investigator to quickly and easily search flow data, filter the results to those flows of interest and easily visualize what has happened on the network. 

The initial Flow Analysis: Build Query screen allows you to build a flow query specifying a range of details about the initial search subject and peer from the host and host groups involved, to specific uses or applications, orientation as well as connection details such as bytes and packets. Once built the query can be saved and run again later. 

Flow Analysis

The results of the query will return a flow summary that provides a quick view of the flows including directionality (note: the quick view can be turned into a tabular view if desired). On the left side, faceted filtering allows for extremely fast traversal of flow results based on where the investigation will take you, including screen support and save flow queries. At the end of an investigation the set of results can be saved for later and/or exported as a CSV.


Suppose for a minute that for some reason you are concerned about traffic between your organization and China. Perhaps you read this article - - and are concerned that someone has outsourced their job to a Chinese entrepreneur. So you run a flow query looking for all traffic during the last 24 hours between the inside network and China where the connection had more than 100 kilobytes transferred. 

Flow Analysis on All Inside Hosts


 Flow Analysis Actions 

Realizing that this was too broad of a query you refocus your attention to the faceted filtering on the left, to narrow down your search results to the flows that have the longest duration, in this case 15M 12s to 19m 0s.


Flow Analysis Filters

Your attention is immediately grabbed by the top flow reporting a large FTP transfer between an inside host and China. Expanding the additional flow details option we see that the inside host is actually a member of the Compliance Host Group. 


Detect suspicious Flows


Flow Analysis for Compliance Hosts

Now concerned, you click on the IP Address to go into the Host Snapshot of and note that the host has an active Data Exfiltration Alarm associated with it.  


Host Snapshot - Activate data exfiltration alarm

In this example, the investigation started looking for something else but led to the discovery of a significant data exfiltration event and you move quickly into remediation phases.


The new dynamic flow analysis functionality in the StealthWatch System 6.5 allows the investigator to quickly and efficiently search, view, filter and save flow data streamlining the investigation process and providing valuable security intelligence.    

 Learn about all the new features in the StealthWatch System 6.5 here.