All About the Visibility
What Is Visibility?
In StealthWatch® terms, visibility refers to real-time, host-level insight into the activities and behaviors of individual workstations, servers and IP-based machines on the network. StealthWatch provides complete visibility into all IP-based communications across the network: identifying erratically behaving hosts, identifying all mail or web servers on the network – legitimate or not – and isolating the single conversation tying up network bandwidth. This type of comprehensive visibility enables administrators to quickly drill down to the root cause of an incident and remedy the situation before network services or availability are affected.
Visibility into Malicious Hosts
StealthWatch’s Concern Index™ (CI) feature serves as the basis for visibly identifying maliciously behaving hosts on the network. The CI is a threshold-based point system that scores bad behavior on a host-by-host basis, automatically prioritizing unexpected network activity by severity and risk so that administrators can isolate and resolve any network performance or security incident far more quickly.
In this example, the five most erratically behaving hosts on the network are highlighted. These are the only hosts on the network that have drastically skewed from normal behavior. This type of visibility gives administrators, at any time, complete understanding of all malicious activity on the network on a per-host basis.

Visibility into Rogue Servers
StealthWatch gives administrators the ability to quickly identify rogue servers on the network. By monitoring all communications traversing the network, StealthWatch easily detects hosts that are acting as servers when they have no business behaving as such.
In this example, StealthWatch has identified a host – highlighted in green – within the Sales & Marketing group acting as a DNS server.

Because StealthWatch does not actively interrogate hosts, but instead passively listens to communications, there is no impact on the network. These queries for rogue devices can therefore be run as often as necessary, unlike scans from an active scanning system or vulnerability management tool.
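The two checks described above, passive rogue-server detection and a threshold-based concern score per host, as an added example that is not StealthWatch code: it runs over constructed flow records, flags hosts in a client-only group that answer on a watched server port for several distinct clients, and adds concern points per host so only hosts over a threshold are reported. The group name, subnet, sanctioned servers, point weights and thresholds are assumptions.

```python
"""Passive rogue-server detection and per-host concern scoring over flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records, not real data: (src, sport, dst, dport, proto, bytes)
FLOWS = [
    ("10.20.0.15", 51044, "10.20.0.77", 53, "udp", 120),
    ("10.20.0.16", 50322, "10.20.0.77", 53, "udp", 115),
    ("10.20.0.18", 49811, "10.20.0.77", 53, "udp", 130),
    ("10.20.0.21", 44101, "10.20.0.77", 53, "udp", 125),
    ("10.20.0.15", 51045, "10.0.0.53", 53, "udp", 118),  # sanctioned resolver
    ("10.20.0.16", 50323, "10.0.0.53", 53, "udp", 121),
    ("10.20.0.21", 44100, "10.0.0.80", 443, "tcp", 9000),
    ("203.0.113.9", 443, "10.20.0.30", 60000, "tcp", 850_000_000),  # big inbound flow
]
# Assumed policy: Sales & Marketing is a client-only group; SANCTIONED lists real servers.
CLIENT_ONLY_GROUPS = {"Sales & Marketing": ip_network("10.20.0.0/24")}
SANCTIONED = {"10.0.0.53": {53}, "10.0.0.80": {443}}
WATCHED_PORTS = {22, 25, 53, 80, 443}  # server roles worth tracking
MIN_CLIENTS = 3                        # distinct clients before a host counts as a server
BIG_FLOW_BYTES = 500_000_000
POINTS = {"rogue_server": 60, "big_inbound_flow": 30}  # assumed concern weights
CI_THRESHOLD = 50

def group_of(ip):
    """Name of the client-only group the address belongs to, or None."""
    addr = ip_address(ip)
    return next((g for g, net in CLIENT_ONLY_GROUPS.items() if addr in net), None)

def find_rogue_servers(flows):
    """{(host, port): n_clients} for client-only hosts answering on a watched port."""
    clients = defaultdict(set)
    for src, _sp, dst, dport, _proto, _nbytes in flows:
        if dport in WATCHED_PORTS:
            clients[(dst, dport)].add(src)
    return {(h, p): len(cs) for (h, p), cs in clients.items()
            if len(cs) >= MIN_CLIENTS and p not in SANCTIONED.get(h, set())
            and group_of(h) is not None}

def concern_index(flows):
    """Accumulate points per host; return only hosts at or above CI_THRESHOLD, worst first."""
    score = defaultdict(int)
    for host, _port in find_rogue_servers(flows):
        score[host] += POINTS["rogue_server"]
    for _src, _sp, dst, _dp, _proto, nbytes in flows:
        if nbytes >= BIG_FLOW_BYTES:
            score[dst] += POINTS["big_inbound_flow"]
    ranked = sorted(score.items(), key=lambda kv: -kv[1])
    return {h: s for h, s in ranked if s >= CI_THRESHOLD}

if __name__ == "__main__":
    print("rogue servers:", find_rogue_servers(FLOWS))
    print("hosts over CI threshold:", concern_index(FLOWS))
```

Note that 10.20.0.30 collects 30 points for the large inbound flow but stays below the threshold, which is the prioritization the Concern Index section describes.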
Identifying a Single Conversation as the Culprit of a Bandwidth Concern
StealthWatch visibility includes being able to drill down to the individual conversation level to identify a single flow record as the source of a network slowdown. From there, StealthWatch correlates the conversation to a unique UserID to isolate the actual perpetrator of the bandwidth issue.
In this example, following an abnormal spike in traffic on the domain traffic graph, the flow visualization report pinpoints the culprit’s IP address.
Domain Traffic Graph

Flow Visualization Graph

Now that the single flow in question has been isolated, administrators can right-click on the internal IP address to see the actual user responsible for the large inbound data flow that is slowing the network.

StealthWatch condenses the threat detection, mitigation and remediation process from hours or days to just minutes.
-AGL Resources