Lancope's StealthWatch and Cisco for In-depth Network Visibility and Advanced Security Context
Cisco Cyber Threat Defense Solution Featuring StealthWatch
Lancope’s StealthWatch makes up a key component of the Cisco Cyber Threat Defense Solution, designed to combat today’s most stealthy, sophisticated cyber-attacks. Combining the advanced security capabilities of Lancope and Cisco, the solution provides unprecedented visibility into the network interior.
Security Analysts gain visibility into:
StealthWatch and Cisco ASR/ISR
StealthWatch can now also consume NAT information from the Cisco ASR 1000 separately from other flow records to allow for more flexibility and customization. This feature is especially beneficial for Internet Service Providers (ISPs) that need to capture just the NAT information from flow records in order to comply with the Communications Assistance for Law Enforcement Act (CALEA).
Using data from select devices, StealthWatch can unify NAT information from inside the firewall with information from outside the firewall to pinpoint which IPs and users inside the network are responsible for a particular action. Access to this unique information prevents would-be hackers and other bad actors from hiding behind NAT.
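An added example (not Lancope's or Cisco's code) of the NAT correlation described above: it maps a flow seen outside the NAT boundary back to the inside host by matching the translated address, port and time window. The record layout, field names and sample values are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class NatEvent:
    """One translation record (constructed field names, not a vendor schema)."""
    proto: str
    inside_ip: str
    inside_port: int
    mapped_ip: str
    mapped_port: int
    start: float            # epoch seconds the translation was created
    end: Optional[float]    # None while the translation is still active

@dataclass(frozen=True)
class OutsideFlow:
    """A flow as seen outside the NAT boundary (source is the mapped address)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    ts: float

def stitch(flow, nat_events, skew=2.0):
    """Return the inside (ip, port) that owned the flow's mapped source, or None.

    Mapped ports are reused over time, so a match must also cover the flow's
    timestamp; `skew` tolerates clock drift between exporters. If more than
    one translation matches, the result is ambiguous and None is returned
    rather than attributing the traffic to the wrong host.
    """
    hits = [
        e for e in nat_events
        if (e.proto, e.mapped_ip, e.mapped_port) == (flow.proto, flow.src_ip, flow.src_port)
        and e.start - skew <= flow.ts
        and (e.end is None or flow.ts <= e.end + skew)
    ]
    if len(hits) != 1:
        return None
    return hits[0].inside_ip, hits[0].inside_port

# Constructed sample data using documentation address ranges.
NAT_EVENTS = [
    NatEvent("tcp", "10.1.4.22", 51514, "203.0.113.5", 40001, 1000.0, 1060.0),
    NatEvent("tcp", "10.1.9.80", 40222, "203.0.113.5", 40001, 1300.0, None),  # same port reused later
    NatEvent("udp", "10.1.4.22", 5353, "203.0.113.5", 40001, 1000.0, 1060.0),
]
```

The time-window check is what keeps attribution correct when a mapped port is recycled; retaining translation records for as long as flow records is a prerequisite for this lookup.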
StealthWatch and Cisco NGA
Cisco NGA delivers a consistent, granular level of detail about network traffic flowing through every device by gathering raw traffic information, normalizing it into a NetFlow record, and then forwarding it to Lancope’s StealthWatch® System for analysis. The NGA provides visibility into intra-data center communications, for which network and security monitoring is typically lacking.
Cisco NGA provides cost-effective, high-speed flow generation at up to 40 Gbps from platforms including Cisco Nexus® 7000, Cisco Nexus 5000 and the Catalyst® 6500 Series. Lancope and Cisco worked closely together to test StealthWatch with the NGA and ensure optimal performance. By consuming and analyzing flow data from Cisco NGA, StealthWatch provides the actionable insight required for effective network, application and security troubleshooting across large enterprise networks.
StealthWatch can monitor up to 120,000 flows per second (fps) per collector, and up to 3 million fps total, to effectively digest all of the data and turn it into actionable intelligence.
Lancope and the Cisco Catalyst series
Lancope’s StealthWatch System collects and analyzes flow data from a wide variety of
Cisco Catalyst 3850 & 4500
By jointly deploying the new Cisco Catalyst 3850 and Catalyst 4500E with Lancope’s StealthWatch System, organizations gain in-depth visibility across all network segments, hosts and devices, which is key for staying a step ahead of today’s sophisticated attackers.
With StealthWatch, organizations can more effectively identify and combat evolving threats including DDoS, zero-day, insider and APT attacks. Advanced capabilities including mobile, identity, application and virtual awareness extend comprehensive security beyond conventional boundaries for improved risk management.
Cisco Catalyst 6500 Sup2T
Lancope effectively leverages NetFlow from the Catalyst 6500 for comprehensive, end-to-end network visibility and forensic intelligence, helping teams quickly and efficiently troubleshoot a wide range of network performance and security issues.
StealthWatch and Cisco ISE
Lancope provides integration with the Cisco Identity Services Engine (ISE) to help enterprises advance their security strategy in light of increasingly complex technology and mobile environments.
Events are sent in real time from ISE to the StealthWatch Management Console (SMC) for nearly instant awareness of user information and high scalability – with the ability to monitor 250,000 active users.
Lancope's user-centric monitoring capabilities also allow network and security teams to run flow queries and reports based on user names. Administrators can also search on user names, as well as obtain a User Snapshot outlining a specific person’s network activity – including any anomalous behavior or alarms triggered.
Data from ISE allows Lancope to link the user, workstation, location, device type and other identity data to actual network traffic, making it easier for administrators to quickly identify and address anomalous behavior that may lead to security risks or performance issues.
See the press release for further details.
Tools & Resources
“NetFlow is an extremely useful and underused tool for maintaining and troubleshooting enterprise networks. Lancope captures the full power of NetFlow without requiring extensive time or resources from IT teams. In-depth flow data, application analysis and an easy-to-understand, graphical user interface make StealthWatch 6.0 a versatile tool for monitoring and responding to a wide variety of incidents.” - Cisco Systems
Extending Behavioral Analytics to the Perimeter for Greater Contextual Awareness
Correlating flow data from the internal network with intelligence from perimeter devices such as firewalls provides an additional layer of visibility and security context for detecting advanced threats. This visibility and intelligence is further enhanced when firewall data is collected from the Cisco ASA. While firewalls traditionally export data via Syslog, the ASA provides much richer information and unique data points via the NSEL protocol.
By collecting and analyzing data from Cisco ASA with Lancope’s StealthWatch System, organizations can:
StealthWatch also supports flow update events from Cisco ASA 8.4(5) NSEL. With this feature, StealthWatch can show interface statistics, track how traffic patterns change over the lifetime of a flow, and break down client versus server bytes to be able to perform actions such as detecting whether data was exfiltrated from the network. Lancope also consumes user names within NetFlow records from Cisco ASA appliances to provide an additional identity data source.