• High volume of global NetFlow (~16 Billion Flows Per Day)
  • IPv6 readiness


  • Deploy Stealthwatch: store more NetFlow for incident look-back, enhanced detection capabilities, IPv6 capable
  • Utilize the Stealthwatch feature set: syslog export of events, Host Group-based detection, API queries, Host Alarms


  • Retain 90+ days of full NetFlow records
  • Provides unique interface for gaining insight into NetFlow and the information in contains
  • Automate NetFlow analysis

Lessons Learned

  • Require Full NetFlow for security
  • Tune Stealthwatch Alarms to trim false positives

Next Steps

  • Expand Stealthwatch hardware as network grows
  • Upgrade Stealthwatch to utilize new feature sets, including SLIC and Cisco ISE

Learn more about our partnership with Cisco