StealthWatch Architecture


StealthWatch by Lancope is the leading solution for flow-based security, network and application performance monitoring across physical and virtual environments. By leveraging NetFlow, sFlow and other flow data from existing routers and switches, StealthWatch provides in-depth, borderless network visibility. With StealthWatch, network operations and security teams can obtain actionable insight into who is using the network, what applications and services are in use, and how well they are performing.

StealthWatch combines behavioral-based network performance and security monitoring with application and identity awareness at a fraction of the cost of conventional monitoring solutions. The system empowers IT teams to make faster, more informed decisions across mission-critical areas including troubleshooting, incident response, compliance, resource allocation, capacity planning and change management.

[Diagram: StealthWatch Architecture]

By collecting and analyzing NetFlow, sFlow, cFlow, J-Flow, Packeteer-2, NetStream, IPFIX and Cisco NBAR data, as well as flow data from StealthWatch FlowSensors, StealthWatch delivers pervasive network visibility. With it, network operators can manage and secure their networks, troubleshoot and pinpoint network attacks, monitor users and applications, and report on network performance and security issues.

StealthWatch discovers assets and baselines normal network and application traffic in order to establish policy and analyze network behavior. By monitoring traffic against that baseline, it identifies unusual actions or departures from normal operation. Unlike conventional IPS solutions, which defend the network perimeter using packet inspection, signature detection and real-time blocking, StealthWatch watches what is happening inside the network, aggregating flow data from many observation points to support troubleshooting, forensic analysis and network planning.

StealthWatch delivers detailed visibility into user activity, enabling network operators, security administrators and data center personnel to determine within seconds who is responsible for, and who is affected by, events anywhere across the network. By integrating the agentless, non-invasive user tracking of StealthWatch IDentity with flow-based security, network and application performance monitoring across physical and virtual environments, the StealthWatch System links individual user logins to specific network activity, giving greater user accountability and faster insight into network events. Combining network performance monitoring with behavior-based anomaly detection, StealthWatch delivers network visibility from a single, integrated platform across physical and virtual environments.
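The baselining and identity attribution described above, as an added example that is not Lancope's code: a small Python model of per-host flow baselining over constructed NetFlow-style records, with each alarm attributed to a user from a constructed login table. The record fields, the seven-day learning window, the three-sigma volume rule, the "new peer" rule and the 10% standard-deviation floor are assumptions of this example, not StealthWatch's actual algorithm.

```python
"""Flow-based behavioral baselining with identity attribution (illustrative, not Lancope code)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str      # source IP (assumed NetFlow-style field)
    dst: str      # destination IP
    dport: int    # destination port
    octets: int   # bytes sent src -> dst
    day: int      # day index; 0..6 is the learning window, 7 is the day under analysis


def sample_flows():
    """Constructed sample data: two workstations with regular daily traffic, then one outlier."""
    flows = []
    for d in range(8):
        # alice's workstation: steady HTTPS to an internal app server and SMB to a file server
        flows.append(Flow("10.1.1.5", "10.2.0.10", 443, 100_000 + 5_000 * (d % 3), d))
        flows.append(Flow("10.1.1.5", "10.2.0.11", 445, 80_000 + 4_000 * (d % 2), d))
        # bob's workstation: steady HTTPS to the same app server
        flows.append(Flow("10.1.1.8", "10.2.0.10", 443, 90_000 + 3_000 * (d % 4), d))
    # Day 7: bob's host pushes a large volume to an external peer on a port never seen before
    flows.append(Flow("10.1.1.8", "203.0.113.7", 8443, 2_500_000, 7))
    return flows


# Constructed identity feed (e.g. from a directory login event): IP -> user currently logged in
LOGINS = {"10.1.1.5": "alice", "10.1.1.8": "bob"}


def build_baseline(flows, learn_days):
    """Per-host baseline: mean/stdev of daily byte totals and the set of (dst, dport) peers seen."""
    daily = defaultdict(lambda: defaultdict(int))   # src -> day -> bytes
    peers = defaultdict(set)                         # src -> {(dst, dport)}
    for f in flows:
        if f.day in learn_days:
            daily[f.src][f.day] += f.octets
            peers[f.src].add((f.dst, f.dport))
    baseline = {}
    for src, per_day in daily.items():
        totals = [per_day.get(d, 0) for d in learn_days]
        baseline[src] = {"mean": mean(totals), "stdev": pstdev(totals), "peers": peers[src]}
    return baseline


def analyze_day(flows, baseline, day, identity, k=3.0, floor=0.10):
    """Flag departures from baseline on `day`; each alarm carries the responsible user."""
    today = defaultdict(int)
    alarms = []
    for f in flows:
        if f.day != day:
            continue
        today[f.src] += f.octets
        base = baseline.get(f.src)
        who = identity.get(f.src, "unknown")
        if base is None:
            alarms.append((f.src, who, "new host", f"{f.dst}:{f.dport}"))
        elif (f.dst, f.dport) not in base["peers"]:
            alarms.append((f.src, who, "new peer", f"{f.dst}:{f.dport}"))
    for src, total in today.items():
        base = baseline.get(src)
        if base is None:
            continue
        # stdev floor (assumption) avoids alarming on trivial jitter when the learning window is very regular
        threshold = base["mean"] + k * max(base["stdev"], floor * base["mean"])
        if total > threshold:
            alarms.append((src, identity.get(src, "unknown"), "volume", f"{total} B > {threshold:.0f} B"))
    return alarms


if __name__ == "__main__":
    flows = sample_flows()
    base = build_baseline(flows, range(7))
    for alarm in analyze_day(flows, base, 7, LOGINS):
        print(alarm)
```

Running it yields two alarms for 10.1.1.8, both attributed to bob: a "new peer" alarm for 203.0.113.7:8443 and a "volume" alarm, while alice's host stays within its baseline. The identity join is what turns "an IP did something odd" into "bob's workstation did something odd", which is the accountability point the page makes.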
StealthWatch reaches across the enterprise to deliver unified visibility, removing borders between the various IT teams and enhancing cooperation and efficiency. Bringing these disparate groups together helps them maximize resources and minimize costs while managing application performance, network operations and security, including in virtual environments.

StealthWatch combines deep packet inspection (DPI) and behavior analysis to identify the applications and protocols in use across the network, whether they run in plain text or use encryption and obfuscation techniques; for encrypted traffic, where payload signatures are unavailable, classification necessarily rests on the behavioral side. Providing Layer 7 application visibility, StealthWatch gathers application information, along with packet-level performance statistics, for more than 900 application variants and their classifications. StealthWatch scales from branch offices to 10G data centers at a fraction of the cost of traditional probe-based devices.

StealthWatch flow-based security, network and application performance monitoring provides an enterprise-wide view of network traffic usage that answers the following questions:

- What are my business applications' bandwidth requirements?
- How much of my bandwidth is consumed by recreational applications?
- Do I really need more bandwidth, or better traffic management to use existing bandwidth more efficiently?
- Are a few hosts responsible for the wasted bandwidth, or is there a pattern of host behavior across the board?
- Do my most critical applications get preferential treatment on the network? If not, does existing bandwidth need to be reallocated, or do I need an upgrade?

StealthWatch assures and improves service delivery: it enables network operations to map Quality of Service usage along network paths to ensure applications are given the proper priority.
Through Round Trip Time (RTT) and Server Response Time (SRT) metrics, StealthWatch allows administrators to quickly determine the cause of service delivery problems. After establishing a benchmark for normal traffic, StealthWatch passively monitors network activity and flags unknown, new or unusual patterns that might indicate the presence of a threat, a misconfigured device or any other factor affecting network or application performance. StealthWatch also monitors and records trends in bandwidth and protocol use, and ties user identity to network activity.

StealthWatch helps network operations minimize the time and labor involved in locating and resolving problems. Organizations rely on it to troubleshoot new technologies and applications, manage and validate infrastructure changes, and resolve network and application performance issues, including at remote locations. Lancope provides continuous monitoring and troubleshooting across physical and virtual networks so that teams can rapidly respond to and resolve network and application issues.

StealthWatch allows network and security operations teams to respond to network incidents by enabling automatic mitigation to stop malicious activity and fix network problems. Streamlining network optimization and security operations, StealthWatch can:

- Provide automatic or manual mitigation using existing network infrastructure
- Deploy mitigation through ACLs, OPSEC, Cisco PIX, Cisco Guard, ArcSight TRM, Brocade INM, TippingPoint Quarantine, Bradford Networks and Blue Coat PacketShaper
- Remove or quarantine malicious hosts, systems and users

Because a behavioral alarm indicates a departure from baseline rather than confirmed malice, automatic mitigation is best reserved for high-confidence alarm types, with the rest routed to manual review so that a false positive does not quarantine a legitimate host.

StealthWatch delivers visibility, accountability and measurability into both individual host and broad network communications, as required for achieving and maintaining compliance with industry and government regulations.
Through continuous, flow-based network monitoring, StealthWatch:

- Ensures network and application availability and internal security through network visibility
- Provides user accountability for security and network risks through network visibility and authentication stores
- Supplies risk measurement, prioritization and optional mitigation through network visibility and customizable thresholds

Without knowing what is normal for application and network performance in physical and virtual environments, network and security teams cannot determine when latency is a problem. StealthWatch analyzes packet-level performance statistics from the StealthWatch FlowSensor to build a baseline of normal application and network performance. If performance degrades, StealthWatch automatically alerts operators and helps isolate the root cause within seconds to a specific application, network or security issue.

In addition, applications can carry viruses, worms and other malware that can impact performance. StealthWatch zooms in on unusual behavior of this kind and immediately raises an alarm with the contextual information security personnel need to take quick, decisive action and limit the damage.

StealthWatch provides scalable network forensics through the ability to see, discover and analyze what happens across the network. Through end-to-end network visibility, StealthWatch protects data, provides accountability, deters data loss and serves as a platform for deep network analysis. It enables security professionals to store, process and analyze detailed network traffic in support of forensic investigations. Lancope's flexible reporting capabilities allow the simple creation of high-level reports for management.
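An added example, not Lancope's code, for the RTT and SRT metrics described earlier and the root-cause isolation just described: it computes both metrics from a constructed packet trace and attributes a slowdown to the network path or to the server. It assumes the usual passive definitions, RTT as the client's SYN to the server's SYN-ACK and SRT as the last client request byte to the first server response byte; the baseline values, the trace contents and the 3x degradation factor are assumptions of the example, not StealthWatch's thresholds.

```python
"""Passive RTT/SRT measurement and root-cause attribution (illustrative, not Lancope code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float     # capture timestamp in seconds
    src: str
    dst: str
    flags: str    # TCP flags as a short string: "S", "SA", "A", "PA"
    payload: int  # TCP payload length in bytes


CLIENT, SERVER = "10.1.1.5", "10.2.0.10"   # constructed endpoints


def healthy_trace():
    """Constructed trace: 12 ms handshake, 30 ms from request to first response byte."""
    return [
        Pkt(0.000, CLIENT, SERVER, "S", 0),
        Pkt(0.012, SERVER, CLIENT, "SA", 0),
        Pkt(0.012, CLIENT, SERVER, "A", 0),
        Pkt(0.013, CLIENT, SERVER, "PA", 300),
        Pkt(0.043, SERVER, CLIENT, "PA", 1200),
    ]


def degraded_trace():
    """Constructed trace: normal handshake, but the server takes 500 ms to start answering."""
    return [
        Pkt(0.000, CLIENT, SERVER, "S", 0),
        Pkt(0.015, SERVER, CLIENT, "SA", 0),
        Pkt(0.015, CLIENT, SERVER, "A", 0),
        Pkt(0.016, CLIENT, SERVER, "PA", 300),
        Pkt(0.516, SERVER, CLIENT, "PA", 1200),
    ]


def filtered_trace():
    """Constructed trace: SYN and a retransmitted SYN, never answered."""
    return [Pkt(0.000, CLIENT, SERVER, "S", 0), Pkt(1.000, CLIENT, SERVER, "S", 0)]


def handshake_rtt(pkts, client, server):
    """RTT = first client SYN to the first server SYN-ACK that follows it; None if incomplete."""
    syn = next((p.ts for p in pkts if p.src == client and p.dst == server and p.flags == "S"), None)
    if syn is None:
        return None
    synack = next((p.ts for p in pkts
                   if p.src == server and p.dst == client and p.flags == "SA" and p.ts >= syn), None)
    return None if synack is None else synack - syn


def server_response_time(pkts, client, server):
    """SRT = last client payload byte to the first server payload byte after it; None if no response."""
    req_end = None
    for p in sorted(pkts, key=lambda p: p.ts):
        if p.src == client and p.dst == server and p.payload > 0:
            req_end = p.ts                       # request may span several segments; keep the last
        elif p.src == server and p.dst == client and p.payload > 0 and req_end is not None:
            return p.ts - req_end
    return None


def assess(pkts, base_rtt, base_srt, factor=3.0):
    """Compare measured RTT/SRT with a baseline and name the likely cause of degradation."""
    rtt = handshake_rtt(pkts, CLIENT, SERVER)
    srt = server_response_time(pkts, CLIENT, SERVER)
    causes = []
    if rtt is None:
        causes.append("handshake incomplete: host down, unreachable or filtered")
    else:
        if rtt > factor * base_rtt:
            causes.append("network")          # path latency itself has grown
        if srt is None:
            causes.append("no response: application hung or request dropped")
        elif srt > factor * base_srt:
            causes.append("application")      # path is fine, the server is slow to answer
    return {"rtt": rtt, "srt": srt, "causes": causes or ["healthy"]}


if __name__ == "__main__":
    for name, trace in [("healthy", healthy_trace()), ("degraded", degraded_trace()), ("filtered", filtered_trace())]:
        print(name, assess(trace, base_rtt=0.012, base_srt=0.030))
```

The separation matters operationally: an elevated RTT with a normal SRT points at the path (or a congested link) and goes to the network team, whereas a normal RTT with an elevated SRT points at the application or host and goes to the server owners; neither can be distinguished from byte counts alone.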
This intuitive functionality enables senior executives to obtain a broad, easy-to-understand view of what is going on in the network so they can remain in sync with their IT staff and make more informed technology decisions. Custom dashboards provide tailored, real-time views of critical network intelligence according to specific roles within an organization, facilitating collaboration and enabling faster identification and resolution of problems. By letting users retrieve the exact information they need at the level of detail required, custom dashboards extend the value of StealthWatch across the enterprise while still protecting sensitive information. Graphical representations of related hosts on the network (e.g., business units, functional areas, geographical maps) provide a real-time view of how specific groups are performing at any given time. Administrators can customize maps and analyze the traffic between hosts to detect anomalies and assess performance, resulting in fast troubleshooting.