• High volume of global NetFlow (~16 Billion Flows Per Day)
  • IPv6 readiness


  • Deploy Stealthwatch: store more NetFlow for incident look-back, enhanced detection capabilities, IPv6 capable
  • Utilize the Stealthwatch feature set: syslog export of events, Host Group-based detection, API queries, Host Alarms


  • Retain 90+ days of full NetFlow records
  • Provides unique interface for gaining insight into NetFlow and the information in contains
  • Automate NetFlow analysis

Lessons Learned

  • Require Full NetFlow for security
  • Tune Stealthwatch Alarms to trim false positives

Next Steps

  • Expand Stealthwatch hardware as network grows
  • Upgrade Stealthwatch to utilize new feature sets, including SLIC and Cisco ISE


PDF icon Download PDF (260.38 KB)

One of the things we like about Stealthwatch is complete visibility into an event.

Mike Scheck, Cisco CSIRT Incident Response Manager