Lancope's StealthWatch and Cisco for In-depth Network Visibility
and Advanced Security Context

Cisco Cyber Threat Defense Solution Featuring StealthWatch


Lancope’s StealthWatch makes up a key component of the Cisco Cyber Threat Defense Solution, designed to combat today’s most stealthy, sophisticated cyber-attacks. Combining the advanced security capabilities of Lancope and Cisco, the solution provides unprecedented visibility into the network interior.

Security Analysts gain visibility into:

  • Network reconnaissance – probing of the network to uncover attack vectors that can be leveraged for customized attacks
  • Internal malware propagation – the spread of malware across hosts on the internal network to gather security reconnaissance information, steal data or create backdoors for infiltrating a network
  • Command-and-control traffic – botnet communications between attackers and compromised hosts within the network
  • Data exfiltration – the export of sensitive information back to an attacker, generally via command-and-control communications
  • Internal host reputation – uncovering users that conduct suspicious behavior inside the network

More information on the Cisco Cyber Threat Defense Solution can be found here.

Cyber Threat Defense Video


Cisco Cyber Threat Defense Features Lancope StealthWatch 3.08



Lancope has completed interoperability verification testing required by Cisco.

StealthWatch and Cisco ASR/ISR

StealthWatch can now also consume NAT information from the Cisco ASR 1000 separately from other flow records to allow for more flexibility and customization. This feature is especially beneficial for Internet Service Providers (ISPs) that need to capture just the NAT information from flow records in order to comply with the Communications Assistance for Law Enforcement Act (CALEA).

Using data from select devices, StealthWatch can unify NAT information from inside the firewall with information from outside the firewall to pinpoint which IPs and users inside the network are responsible for a particular action. Access to this unique information prevents would-be hackers and other bad actors from hiding behind NAT.


StealthWatch and Cisco NGA

Cisco NGA delivers a consistent, granular level of detail about network traffic flowing through every device by gathering raw traffic information, normalizing it into a NetFlow record, and then forwarding it to Lancope’s StealthWatch® System for analysis. The NGA provides visibility into intra-data center communications, for which network and security monitoring is typically lacking.

Cisco NGA provides cost-effective, high-speed flow generation at up to 40 Gbps from platforms including Cisco Nexus® 7000, Cisco Nexus 5000 and the Catalyst® 6500 Series. Lancope and Cisco worked closely together to test StealthWatch with the NGA and ensure optimal performance. By consuming and analyzing flow data from Cisco NGA, StealthWatch provides the actionable insight required for effective network, application and security troubleshooting across large enterprise networks.

StealthWatch can monitor up to 120,000 flows per second (fps) per collector, and up to 3 million fps total, to effectively digest all of the data and turn it into actionable intelligence.

Lancope and the Cisco Catalyst series

Lancope’s StealthWatch System collects and analyzes flow data from a wide variety of
Cisco devices including the Cisco 2900/3560/3700/4500/6500


Cisco Catalyst 3850 & 4500

By jointly deploying the new Cisco Catalyst 3850 and Catalyst 4500E and Lancope’s StealthWatch System, organizations gain in-depth visibility across all network segments, hosts and devices is key for staying a step ahead of today’s sophisticated attackers.

With StealthWatch, organizations can more effectively identify and combat evolving threats including DDoS, zero-day, insider and APT attacks. Advanced capabilities including mobile, identity, application and virtual awareness extend comprehensive security beyond conventional boundaries for improved risk management.

Cisco Catalyst 6500 Sup2T

Lancope effectively leverages NetFlow for Cat 6500's for comprehensive, end-to-end network visibility and forensic intelligence to quickly and efficiently troubleshoot of a wide range of network performance and security issues.

Learn more:


StealthWatch and Cisco ISE

Lancope provides integration with the Cisco Identity Services Engine (ISE) to help enterprises advance their security strategy in light of increasingly complex technology and mobile environments.

Events are sent in real time from ISE to the StealthWatch Management Console (SMC) for nearly instant awareness of user information and high scalability – with the ability to monitor 250,000 active users.

Lancope's user-centric monitoring capabilities also allow network and security teams to run flow queries and reports based on user names. Administrators can also search on user names, as well as obtain a User Snapshot outlining a specific person’s network activity – including any anomalous behavior or alarms triggered.

Data from ISE allows Lancope to link the user, workstation, location, device type and other identity data to actual network traffic, making it easier for administrators to quickly identify and address anomalous behavior that may lead to security risks or performance issues.

Additionally, the integration of StealthWatch and Cisco ISE provides enhanced mobile device security for BYOD environments.

See the press release for further details.


User-Centric Monitoring


User-Centric Monitoring with StealthWatch 3.41

Tools & Resources

Defending Point of Sale (PoS) System (Cisco and Lancope Webinar)

FPS Calculator
Flows Per Second Calculator


Bandwidth Calculator
NetFlow Bandwidth Calculator


video iconLancope Video Gallery

StealthWatch Labs Intelligence Center
Threat Intelligence Center


"NetFlow is an extremely useful and underused tool for maintaining and troubleshooting enterprise networks. Lancope captures the full power of NetFlow without requiring extensive time or resources from IT teams. In-depth flow data, application analysis and an easy-to-understand, graphical user interface make StealthWatch 6.0 a versatile tool for monitoring and responding to a wide variety of incidents.”  - Cisco Systems

Extending Behavioral Analytics to the Perimeter for Greater Contextual Awareness

Correlating flow data from the internal network with intelligence from perimeter devices such the firewalls provides an additional layer of visibility and security context for detecting advanced threats. This visibility and intelligence is further enhanced when firewall data is collected from the Cisco ASA. While firewalls traditionally export data via Syslog, the ASA provides much richer information and unique data points via the NSEL protocol.

By collecting and analyzing data from Cisco ASA with Lancope’s StealthWatch System, organizations can:

  • Increase visibility and security context at the network edge
  • Consume and stitch together NAT data to more accurately pinpoint the source of issues such as MPAA/RIAA copyright infringements
  • Audit firewall rules through flow analysis
  • Achieve better performance and scalability for network and security monitoring
  • Save vast amounts of time and money spent correlating data points from various sources
  • More confidently demonstrate compliance with regulations such as PCI

StealthWatch also supports flow update events from Cisco ASA 8.4(5) NSEL. With this feature, StealthWatch can show interface statistics, track how traffic patterns change over the lifetime of a flow, and break down client versus server bytes to be able to perform actions such as detecting whether data was exfiltrated from the network. Lancope also consumes user names within NetFlow records from Cisco ASA appliances to provide an additional identity data source.

Learn More:

ASA video
ASA Support with StealthWatch 6.1 



Solutions brief

Combining Internal and Perimeter Monitoring
for Improved Contextual Awareness

Cisco's CSIRT
Case Study

Cisco CSIRT Case Study

Top Use Cases:

Incident Response
with NetFlow

Contact Lancope

Americas Sales
+1 888.419.1462

Lancope U.S. Federal Sales
+1 770.225.1606

EMEA, APAC Sales & Partners
+ 44 (0) 208 528 1757