Cisco Stealthwatch Understanding My way


Cisco Stealthwatch drastically enhances threat defence by providing detailed network visibility and security analytics. It helps you know every host, record every conversation, understand what is normal, alerts you to change, and enables you to respond to threats quickly.

With Cisco Stealthwatch and its enhanced analytics capabilities, you can better understand whether encrypted traffic on the network is malicious. The enhanced network telemetry from the latest Cisco routers and switches is collected by Cisco Stealthwatch Enterprise. It uses advanced entity modeling and multilayered machine learning, constantly identifying who is on the network and what they are doing, and can detect anomalous behavior in real time to identify threats.

Various connections with port information:

These are the primary features of Stealthwatch:

• Deep visibility across the network perimeter, interior, data center, and private and public cloud
• Simplified understanding of normal network behavior through the use of NetFlow
• Continuous monitoring of devices, applications, and users throughout your distributed networks
• In-depth forensic investigations and post-incident response with contextual threat intelligence and detailed, historic audit trails of NetFlow data
• Easy integration with your existing network infrastructure (compatible with non-Cisco telemetry), Cisco Security Packet Analyzer, Cisco ASA Firewalls, Cisco ISE, Cisco TrustSec technology-supported hardware, and a variety of other security solutions, all available through Cloud Network Solutions.

Cisco Stealthwatch Enterprise Components

Cisco Stealthwatch Management Console
The console coordinates, manages, and configures Stealthwatch appliances deployed at various segments throughout your enterprise. The management console can also collect data from other types of technologies, including firewalls, web proxies, network access control (NAC) systems, and more. Disparate IT teams can easily obtain pervasive network visibility and actionable security intelligence to detect and prioritize security threats through a single viewpoint. The console is available as a hardware appliance or a virtual machine.
Features include:
• In-depth visibility and behavior-based context defends against APTs, malware, insider threats, worms, viruses, targeted attacks, DDoS attempts, and evolving attacks. Advanced detection capabilities decrease the time between threat onset and resolution.
• Real-time telemetry delivers data flow for monitoring traffic across hundreds of network segments simultaneously to detect suspicious network behavior.
• Robust network intelligence facilitates performance monitoring, capacity planning, and enhances network management. It also reduces time-consuming and resource-intensive manual analysis often associated with other vendors.
• Network groupings, graphical representations, and relationship maps deliver simple views of your organization’s traffic within seconds, illustrating where to focus your attention.
• Multiple alarm categories and context-based alerts on the home dashboard provide quick assessments of your organization’s security posture. This allows for decisive action to mitigate potential damage.
• Scalable functionality performs well in high-speed environments and can protect every part of the network that is accessible by IPs, regardless of size.

Cisco Stealthwatch Flow Collector
The flow collector collects and analyzes massive amounts of network data from your current devices. The result is visibility and security intelligence across physical and virtual environments, improving incident response. Flow Collector provides cost-effective behavioral analytics and advanced security context. This enables early anomaly detection, quick root-cause determination, and enhanced protection for a wide range of threats, including APTs, insider threats, DDoS, and zero-day malware. The solution is available as a hardware appliance or a virtual machine.
Features include:
• Flow-based anomaly detection pinpoints unusual behavior and immediately sends an alarm with actionable intelligence, promoting quick and decisive mitigation.
• Stitched, duplicated, and 1:1 flows simplify network and security monitoring. In addition to detecting anomalies in real time, the solution can store years of data, creating a complete audit trail to improve forensic investigations and compliance.
• Easy upgrading allows you to start small and expand as your capacity needs change. At full scale, Flow Collector can process data from as many as 50,000 flow sources at up to 6 million flows per second (fps).
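
The stitching and de-duplication the flow collector performs on its input can be shown with a small model. The following Python is an added example, not Cisco's code or anything from this page: it constructs a handful of NetFlow-style unidirectional records (exporter names, addresses, counters and timestamps are all made up), collapses the copies reported by two exporters so that bytes crossing both are not counted twice, and pairs the two directions of each flow into one conversation. The client/server heuristic (earlier-starting side is the client) and the one-second duplicate tolerance are assumptions of the example, not Stealthwatch's actual rules.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, List, Tuple

# Added example, not Cisco code: a toy model of a flow collector de-duplicating
# and stitching NetFlow/IPFIX records. Every value below is constructed.

FiveTuple = Tuple[str, int, str, int, int]


@dataclass
class FlowRecord:
    """One unidirectional flow, as a NetFlow/IPFIX exporter reports it."""
    exporter: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: int          # 6 = TCP, 17 = UDP
    pkts: int
    bytes: int
    start: float        # seconds; constructed timestamps
    end: float
    exporters: set = field(default_factory=set)

    def __post_init__(self) -> None:
        self.exporters.add(self.exporter)

    @property
    def key(self) -> FiveTuple:
        return (self.src, self.sport, self.dst, self.dport, self.proto)


@dataclass
class Conversation:
    """Both directions of a flow stitched into one client/server record."""
    client: str
    client_port: int
    server: str
    server_port: int
    proto: int
    client_bytes: int = 0
    server_bytes: int = 0
    client_pkts: int = 0
    server_pkts: int = 0
    start: float = float("inf")
    end: float = 0.0
    exporters: set = field(default_factory=set)


def dedupe(records: List[FlowRecord], tolerance: float = 1.0) -> List[FlowRecord]:
    """Collapse copies of one unidirectional flow seen by several exporters.

    Records are copies when the 5-tuple matches and the start times lie within
    `tolerance` seconds (assumed value). Counters take the maximum rather than the
    sum, so a flow that crossed two exporters is not double counted; the exporter
    names are unioned so the path the flow took survives as context.
    """
    buckets: Dict[FiveTuple, List[FlowRecord]] = {}
    for r in sorted(records, key=lambda rec: rec.start):
        bucket = buckets.setdefault(r.key, [])
        for kept in bucket:
            if abs(kept.start - r.start) <= tolerance:
                kept.pkts = max(kept.pkts, r.pkts)
                kept.bytes = max(kept.bytes, r.bytes)
                kept.end = max(kept.end, r.end)
                kept.exporters |= r.exporters
                break
        else:
            # store a copy so the caller's records are left untouched
            bucket.append(replace(r, exporters=set(r.exporters)))
    return [r for bucket in buckets.values() for r in bucket]


def stitch(records: List[FlowRecord]) -> List[Conversation]:
    """Pair the two directions of each flow into one conversation.

    Records with the same endpoint pair and protocol belong together; the side
    whose record starts first is taken as the client (assumed heuristic).
    """
    groups: Dict[Tuple, List[FlowRecord]] = {}
    for r in records:
        endpoints = frozenset({(r.src, r.sport), (r.dst, r.dport)})
        groups.setdefault((endpoints, r.proto), []).append(r)

    conversations: List[Conversation] = []
    for (_, proto), flows in groups.items():
        flows.sort(key=lambda rec: rec.start)
        first = flows[0]
        conv = Conversation(first.src, first.sport, first.dst, first.dport, proto)
        for r in flows:
            if (r.src, r.sport) == (conv.client, conv.client_port):
                conv.client_bytes += r.bytes
                conv.client_pkts += r.pkts
            else:
                conv.server_bytes += r.bytes
                conv.server_pkts += r.pkts
            conv.start = min(conv.start, r.start)
            conv.end = max(conv.end, r.end)
            conv.exporters |= r.exporters
        conversations.append(conv)
    return conversations


# Constructed sample: an HTTPS session seen by a core switch and an edge router
# (the router sampled slightly fewer bytes), plus a DNS lookup seen only once.
SAMPLE_RECORDS = [
    FlowRecord("core-sw1", "10.1.1.5", 51234, "203.0.113.10", 443, 6, 12, 1500, 100.0, 101.2),
    FlowRecord("edge-rtr1", "10.1.1.5", 51234, "203.0.113.10", 443, 6, 12, 1480, 100.1, 101.2),
    FlowRecord("core-sw1", "203.0.113.10", 443, "10.1.1.5", 51234, 6, 20, 24000, 100.1, 101.2),
    FlowRecord("edge-rtr1", "203.0.113.10", 443, "10.1.1.5", 51234, 6, 20, 24000, 100.2, 101.2),
    FlowRecord("core-sw1", "10.1.1.7", 53210, "10.1.1.53", 53, 17, 1, 80, 200.0, 200.0),
    FlowRecord("core-sw1", "10.1.1.53", 53, "10.1.1.7", 53210, 17, 1, 200, 200.01, 200.01),
]


def naive_total_bytes(records: List[FlowRecord]) -> int:
    """What you get by summing raw records: duplicates inflate the count."""
    return sum(r.bytes for r in records)


def stitched_total_bytes(records: List[FlowRecord]) -> int:
    """Bytes after de-duplication and stitching."""
    return sum(c.client_bytes + c.server_bytes for c in stitch(dedupe(records)))


if __name__ == "__main__":
    for conv in stitch(dedupe(SAMPLE_RECORDS)):
        print(f"{conv.client}:{conv.client_port} -> {conv.server}:{conv.server_port} "
              f"proto={conv.proto} up={conv.client_bytes}B down={conv.server_bytes}B "
              f"seen_by={sorted(conv.exporters)}")
    print("naive:", naive_total_bytes(SAMPLE_RECORDS),
          "stitched:", stitched_total_bytes(SAMPLE_RECORDS))
```

Running it shows why the collector must de-duplicate before it baselines anything: the raw records claim 51,260 bytes, the stitched conversations 25,780, and a volume baseline built on the inflated figure would misjudge every host that happens to sit behind two exporters.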

Cisco Stealthwatch Flow Sensor

This component provides robust visibility of network, application, and server performance metrics. The flow sensor gives you a cost-effective method of troubleshooting both security incidents and application performance problems, while eliminating dangerous network blind spots. It can provide Layer 7 application information for environments where Cisco Network-Based Application Recognition (NBAR) is disabled. The solution is available as hardware appliances or as software for monitoring virtual machine environments.
Features include:
• Network anomaly alerts pinpoint unusual behavior and immediately send alarms with contextual intelligence, allowing you to act quickly and mitigate damage.
• URL data allows administrators to see exactly which websites users are going to, including the file path. This improves the identification of applications causing performance or security problems.
• Enhanced operational efficiency reduces costs by identifying and isolating the root cause of an issue or incident within seconds.

UDP Director

The UDP Director simplifies the collection and distribution of network and security data across the enterprise. It helps reduce the processing load on network routers and switches by receiving essential network and security information from multiple locations and forwarding it as a single data stream to one or more destinations.
Features include:
• Reduces unplanned downtime and service disruption on the high availability UDP Director 2200 appliance.
• Simplifies network security and monitoring by providing a single standard destination for NetFlow, sFlow, syslog, and SNMP information.
• Directs UDP data from any UDP application to one or more destinations, duplicating the data if required.
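
The single-destination-then-fan-out pattern the UDP Director implements can be reproduced on loopback in a few lines. The Python replicator below is an added example and not Cisco's code: it binds one socket that the "exporters" send to and copies each datagram verbatim to every configured collector address. The demo() round trip, the OS-chosen port numbers and the payload are constructed for illustration. One caveat the toy makes visible: collectors see the replicator's address as the sender, so any downstream attribution that keys on the exporter's source address would need the address preserved, which plain datagram sockets cannot do.

```python
import socket
from typing import Iterable, List, Tuple

# Added example, not Cisco code: a minimal UDP fan-out in the spirit of the
# UDP Director. All addresses and the sample payload are constructed.

Address = Tuple[str, int]


def make_listener(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Bind the one address exporters are pointed at. Port 0 lets the OS pick."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def replicate(listener: socket.socket, destinations: Iterable[Address],
              max_datagrams: int, bufsize: int = 65535) -> int:
    """Forward up to max_datagrams received datagrams to every destination.

    The payload is copied byte for byte; the sender address the collectors see
    is this process, not the original exporter. Returns the number forwarded.
    """
    out = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    dests = list(destinations)
    forwarded = 0
    try:
        while forwarded < max_datagrams:
            payload, _exporter_addr = listener.recvfrom(bufsize)
            for dest in dests:
                out.sendto(payload, dest)
            forwarded += 1
    finally:
        out.close()
    return forwarded


def demo(payload: bytes = b"constructed NetFlow v9 datagram") -> List[bytes]:
    """Loopback round trip: one exporter, one replicator, two collectors.

    Returns the payload each collector received, in collector order.
    """
    collectors = [make_listener(), make_listener()]
    replicator = make_listener()
    exporter = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    for s in collectors + [replicator]:
        s.settimeout(2.0)  # never hang if a datagram is lost
    try:
        exporter.sendto(payload, replicator.getsockname())
        replicate(replicator, [c.getsockname() for c in collectors], max_datagrams=1)
        return [c.recvfrom(65535)[0] for c in collectors]
    finally:
        for s in collectors + [replicator, exporter]:
            s.close()


if __name__ == "__main__":
    print(demo())
```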

Stealthwatch System Components

– Stealthwatch Management Console
• Management and reporting
• Up to 25 Flow Collectors
• Up to 6 million fps globally
• 2 physical and virtual models
• High Availability

– Cisco Security Packet Analyzer
• Rolling full packet capture
• 2 physical models

– Stealthwatch Flow Collector
• Collect and analyze
• Up to 4000 exporters
• Up to 240,000 fps sustained
• 4 physical and 3 virtual models

– Stealthwatch Flow Sensor
• Generate IPFIX from SPAN/TAP
• Contextual fields (e.g. App, URL, SRT, RTT)
• Physical and virtual models

– UDP Director
• UDP packet copier
• Forward to multiple destinations
• High Availability
• 2 physical and virtual models

– Endpoint License Concentrator
• Collect AnyConnect NVM flow data and forward to Flow Collector
• Virtual appliance

– Cloud License Concentrator
• Collect flow data from Cloud License Agents and forward

Here are a few more of the many benefits you will gain when you implement Cisco Stealthwatch.

  1. Gain visibility across all network conversations, including east-west and north-south traffic, to detect both internal and external threats
  2. Drastically simplify your network segmentation, performance monitoring, and capacity planning
  3. Conduct advanced security analytics and obtain in-depth context to detect a wide range of anomalous behaviors that may signify an attack
  4. Ensure enterprise compliance by identifying the extent as well as the quality of encryption in the network
  5. Accelerate and improve threat detection, forensics, and incident response across your entire network, including encrypted traffic
  6. Achieve far greater visibility and anomaly detection with advanced and accurate global and local traffic correlation
  7. Enable deeper forensic investigations with audit histories of network activity
  8. Identify insider threats by obtaining contextual information from cloud services

Dashboard:


I will soon be getting my hands dirty with Stealthwatch in my lab environment, with a real-time example post to follow soon. Happy labbing!