Internal Host Reputation Delivers Visibility to Combat Advanced Threats

With so many new threats and threat actors lurking on the Internet, IP reputation is becoming increasingly critical for effectively combating attacks. Whether it’s a botnet, APT or targeted attack, IT administrators need to know exactly who is communicating with their network, and more importantly, inside their network. This combination of network visibility and security is critical for tackling the threats facing today’s organizations.

While many vendors offer solutions for external IP reputation, flagging known, bad outsiders, Lancope uniquely provides intelligence for both internal and external host reputation. In addition to uncovering nefarious external IP addresses, Lancope’s StealthWatch® System also delivers internal host reputation, and ties it to specific user and device information, better preparing organizations to combat APTs, address BYOD challenges and deliver actionable information for security teams.

Today’s reality is that many cyber threats are bypassing perimeter defenses or originating from inside the network. The growing sophistication of today’s threat landscape is significantly lessening the efficacy of conventional security solutions including firewalls, antivirus and IDS/IPS. Internal network visibility and threat intelligence are therefore just as important now as external defenses and attack data.

Internal Host Reputation from StealthWatch

Lancope’s StealthWatch System leverages NetFlow, IPFIX and other types of flow data inherent within enterprise infrastructure devices to provide in-depth, internal visibility across the entire network. Not relying on signature updates, StealthWatch delivers a comprehensive picture of all traffic traversing a network, including the ‘who’ behind each piece of communication. The system provides both a high-level overview and the ability to drill down into each communication and host to view a plethora of relevant data for faster troubleshooting.

Lancope’s StealthWatch System correlates both internal and external host reputation data to enhance protection from advanced threats.

Enhanced Intelligence for Expedited Troubleshooting

A key feature of Lancope’s monitoring capabilities is the StealthWatch Concern Index™. Using sophisticated behavioral algorithms, the Concern Index (CI) assigns points to internal hosts whenever they conduct anomalous activities, thus establishing their reputation. Hosts that accumulate a specified number of points trigger an alarm alerting the IT administrator that the host should be investigated. That way, StealthWatch automatically prioritizes the most concerning issues facing a network so they can be dealt with first.

The CI significantly improves the ability of today’s governments and enterprises to identify and combat advanced threats within their networks. The system can uncover a wide range of suspicious host behaviors and policy violations such as:

  • Sending out an unusual amount of traffic
  • Communicating with known, bad external hosts
  • Accessing restricted parts of the network
  • Spreading malware

By uncovering, ranking and alarming on hosts that are engaged in suspicious behaviors, internal host reputation can help organizations thwart attacks including botnets, zero-day attacks, APTs and the insider threat.

Additionally, StealthWatch’s mobile and identity awareness capabilities enable administrators to easily tie users and devices on the network to specific IP addresses. The ability to track down the exact individuals and machines causing problems even further expedites troubleshooting, and helps to address evolving trends such as BYOD.

Meanwhile, advanced application awareness reveals exactly which programs are in use to help pinpoint policy violations or applications that are causing issues on the network. StealthWatch provides this in-depth visibility across both physical and virtual networks, and can also store flow data for long periods of time to support forensic investigations.

Internal + External Host Reputation = Advanced Security Context

Lancope also offers a threat feed for external host reputation to complement its internal visibility and security context functionality. Provided through the StealthWatch Labs Intelligence Center™ (SLIC), the threat feed provides another layer of defense against advanced attacks. The StealthWatch Labs research team conducts in-house research and taps into a broad community of third-party experts to aggregate emerging threat information from around the world.

The SLIC Threat Feed offers advanced botnet detection capabilities, continuously monitoring customer networks for thousands of known C&C servers and automatically adding new botnets to its radar as they are identified in the wild. It enables administrators to identify communications between internal hosts and C&C servers, in addition to any C&C servers operating within the network. From there, StealthWatch generates alarms and Concern Index events to flag these issues so they can be swiftly mitigated.
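The point accumulation described for the Concern Index and the threat-feed matching described above can be illustrated over flow records. This is an added example, not Lancope's code or algorithm: the three behaviors scored, the point weights, the threshold, the addresses and the flow tuples are all assumptions constructed here.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Every value here is constructed for illustration; none comes from StealthWatch.
INTERNAL = ip_network("10.0.0.0/8")
RESTRICTED = ip_network("10.9.0.0/24")       # hypothetical restricted segment
MAY_REACH_RESTRICTED = {"10.1.1.5"}          # hosts policy allows into it
THREAT_FEED = {"203.0.113.66"}               # constructed known-bad address
BASELINE_BYTES = {"10.1.1.5": 50_000, "10.1.1.20": 40_000, "10.1.1.30": 60_000}
VOLUME_FACTOR = 10                           # "unusual" = 10x the host's baseline
POINTS = {"bad_peer": 50, "restricted": 40, "volume": 30}   # assumed weights
ALARM_THRESHOLD = 70                         # assumed alarm level

# (source, destination, bytes) tuples standing in for exported flow records.
FLOWS = [
    ("10.1.1.5", "10.9.0.10", 20_000),       # permitted access, no points
    ("10.1.1.20", "203.0.113.66", 4_000),    # talks to a feed-listed host
    ("10.1.1.20", "10.9.0.10", 1_000),       # not allowed into the segment
    ("10.1.1.30", "198.51.100.7", 900_000),  # far above its baseline
    ("198.51.100.7", "10.1.1.30", 500),      # external source, not scored
]

def score_hosts(flows):
    """Return {internal host: (points, reasons)} for one observation window."""
    reasons, sent = defaultdict(set), defaultdict(int)
    for src, dst, nbytes in flows:
        if ip_address(src) not in INTERNAL:
            continue                          # reputation is kept for internal hosts only
        sent[src] += nbytes
        if dst in THREAT_FEED:
            reasons[src].add("bad_peer")
        if ip_address(dst) in RESTRICTED and src not in MAY_REACH_RESTRICTED:
            reasons[src].add("restricted")
    for host, total in sent.items():
        if total > VOLUME_FACTOR * BASELINE_BYTES.get(host, 50_000):
            reasons[host].add("volume")
    return {h: (sum(POINTS[r] for r in reasons[h]), sorted(reasons[h])) for h in sent}

def alarms(scores):
    """Hosts at or above the threshold, most concerning first."""
    hot = [h for h, (pts, _) in scores.items() if pts >= ALARM_THRESHOLD]
    return sorted(hot, key=lambda h: -scores[h][0])

if __name__ == "__main__":
    scores = score_hosts(FLOWS)
    for host in alarms(scores):
        print(host, *scores[host])
```

Each behavior is counted once per host per window, so a single noisy flow type cannot push a host over the threshold by repetition alone; the alarm comes from distinct concerning behaviors adding up.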


Combining real-time data on threats from criminal organizations with insight on suspicious network activity allows StealthWatch to provide information around the full security incident. Under today’s security paradigm, administrators need to know not only about the bad guys lurking on the Internet, but also about the ones operating inside the network perimeter.