Market Brief

Behavioral Analytics and Heuristics for Expedited Network Troubleshooting


There are many solutions on the market that simply collect and store flow data, or that provide limited analysis capabilities. Lancope’s StealthWatch® System sets itself apart by employing sophisticated behavioral analytics and heuristics to help organizations more quickly and effectively get to the root of network and security issues – at a fraction of the cost of traditional monitoring solutions.

Instead of relying on signature updates to detect attacks, or focusing only on specific types of issues like most other network and security technologies, StealthWatch monitors network and host behaviors as a whole to establish baselines and quickly alert on a wide range of anomalies. Additionally, instead of covering isolated segments of the network as in the case of technologies such as probes and IDS/IPS devices, StealthWatch provides 24/7, end-to-end visibility across the entire network, uncovering any type of issue in any segment of the network at any time. This way, organizations are better protected from advanced persistent threats (APTs) and other security risks, as well as from network performance and availability problems. 

How It Works

StealthWatch collects NetFlow and other types of flow data from organizations’ existing routers, switches and other flow-enabled devices. The system then employs sophisticated behavioral analytics and heuristics to analyze 90+ attributes of the flow data to establish baselines for each host and group of hosts on the network. Examples of these attributes include 1) how much traffic a specific host is generating, 2) which other hosts it is communicating with, 3) the types of applications it is running, and many more. Both host behaviors and overall traffic patterns are analyzed, and organizations can employ a combination of built-in and user-defined heuristics.

From there, StealthWatch can easily detect and generate an alarm when a host is exceeding its normal traffic threshold, for example, or exhibiting other anomalous behavior. StealthWatch also goes a step further and feeds these behavioral alarms into its proprietary Concern Index™ (CI), which automatically prioritizes the most concerning hosts on the network. When a host exhibits suspicious behavior, it is assigned CI points, and hosts that accumulate a specified number of points trigger an alarm to the IT administrator indicating that the host should be investigated. The CI also employs its own set of over 100 algorithms designed to detect and prioritize anomalous behavior even before baselines are established.
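As an added illustration (not Lancope's code; the real Concern Index algorithms and point weights are proprietary), the following Python models the baseline-then-score idea described above: a per-host baseline is built from constructed flow summaries, an interval that exceeds the host's normal traffic or peer-count threshold is flagged, and Concern Index style points accumulate until an alarm threshold is reached. The hosts, interval values, point weights and alarm threshold are all constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed per-interval flow summaries (bytes sent, distinct peers) for two hosts.
# These are made-up sample values standing in for aggregated NetFlow, not real records.
FLOW_INTERVALS = {
    "10.0.0.5": [(1200, 3), (1500, 4), (1100, 3), (1300, 3), (1400, 4), (48000, 40)],
    "10.0.0.9": [(800, 2), (900, 2), (850, 2), (950, 2), (820, 2), (880, 2)],
}
ATTRIBUTES = ("bytes_sent", "distinct_peers")
# Hypothetical point weights and alarm threshold; the real CI weighting is proprietary.
CI_POINTS = {"bytes_sent": 25, "distinct_peers": 15}
CI_ALARM_THRESHOLD = 30


def build_baseline(history):
    """Per-attribute (mean, population stdev) learned from the training intervals."""
    columns = list(zip(*history))
    return {name: (mean(col), pstdev(col)) for name, col in zip(ATTRIBUTES, columns)}


def anomalous_attributes(baseline, observation, k=3.0, min_ratio=2.0):
    """Attributes whose value exceeds mean + k*stdev AND at least min_ratio times the mean.

    The ratio guard keeps a host with a near-constant baseline (stdev close to 0)
    from alarming on a trivial absolute change.
    """
    hits = []
    for name, value in zip(ATTRIBUTES, observation):
        mu, sigma = baseline[name]
        if value > mu + k * sigma and value > min_ratio * mu:
            hits.append(name)
    return hits


def concern_index(flows, training=5):
    """Baseline each host on its first `training` intervals, score the rest.

    Returns {host: (points, anomalous attributes, alarm_raised)}.
    """
    report = {}
    for host, intervals in flows.items():
        base = build_baseline(intervals[:training])
        points, findings = 0, []
        for observation in intervals[training:]:
            hits = anomalous_attributes(base, observation)
            points += sum(CI_POINTS[h] for h in hits)
            findings.extend(hits)
        report[host] = (points, findings, points >= CI_ALARM_THRESHOLD)
    return report


if __name__ == "__main__":
    for host, (pts, findings, alarm) in concern_index(FLOW_INTERVALS).items():
        print(f"{host}: {pts} CI points, anomalies={findings}, alarm={alarm}")
```

The scoring function is deliberately per host so that alarms rank hosts against their own history rather than a global threshold, which is the point of behavioral baselining.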

In addition to providing high-level overviews of concerning behaviors, StealthWatch also allows users to drill down into specific alarms, hosts and traffic patterns to obtain more in-depth insight. StealthWatch Host Snapshots, for example, provide a multitude of details on specific hosts, such as recent alarm activity observed from the host, interfaces the host is using, and more. Using these techniques, StealthWatch significantly expedites troubleshooting, detecting both zero-day attacks that bypass perimeter defenses, as well as insider threats such as network misuse, unauthorized access, device misconfigurations and data leakage.

“The breadth of information StealthWatch affords—in conjunction with both definable and built-in heuristics—helps us view all traffic flowing across our networks and security devices. With StealthWatch, we can identify security threats, capture statistics and data streams for capacity planning, enforce usage policies, and solve performance problems much faster. It also enables our staff to respond to network threats and outages quickly and intelligently, reducing business impact.”

-Henry County Water & Sewerage Authority

NetFlow vs. IDS/IPS

While many organizations rely on IDS/IPS technologies to detect and block attacks, it is important to note that these systems can only go so far in protecting enterprise networks. First off, they are designed to be deployed at the perimeter of the network, and are cost-prohibitive when it comes to internal deployments. Unfortunately, amidst today’s threat landscape, perimeter security is no longer enough, as many attacks are either bypassing the perimeter or surfacing from within. Flow collection and analysis technologies provide visibility across the entirety of the network, eliminating dangerous network blind spots left by IDS/IPS and other perimeter-based technologies.

Secondly, IDS/IPS systems rely on canned signatures to detect attacks, often allowing APTs and other zero-day attacks for which no signatures exist to invade the network. Monitoring for anomalous behaviors rather than specific types of attacks, StealthWatch provides better protection even in areas of the network already covered by an IDS/IPS. StealthWatch also goes above and beyond the capabilities of IDS/IPS to support network performance, compliance initiatives and forensic investigations. 

StealthWatch Fills in the Gap to Provide More Advanced Detection of Network and Security Issues

StealthWatch fills in the gaps left by other technologies by providing more actionable insight for cost-effectively addressing the full spectrum of network and security issues facing today’s enterprise. The system unifies security, network and application performance monitoring in a single platform, enabling organizations to detect the root cause of issues all the way down to the exact application and user. In addition to providing in-depth visibility for the internal network, StealthWatch can also conduct sophisticated behavioral analysis on data from perimeter devices such as firewalls for even greater situational awareness. StealthWatch is scalable to meet the needs of even the largest networks, and can also monitor and protect virtual environments. Optional, automated mitigation capabilities further increase the value of StealthWatch for maintaining secure, high-performing enterprise networks.