Evolving challenges such as APTs, insider threats, BYOD and stealth IT are becoming an ever-increasing problem for those charged with network management and security. (For those not familiar with the term “stealth IT,” the definition is rather straightforward – it is simply the connection of unauthorized devices to the network. These devices enable departments or users to perform functions not normally provided by IT.) Alongside an increasingly complex threat landscape, trends like BYOD and stealth IT have become the bane of many network and security managers by introducing additional traffic, vulnerabilities and compliance-violating elements into the network.
Tracking down unauthorized internal traffic and devices, as well as advanced, external threats that bypass perimeter defenses, takes a bit of detective work and requires proactive network and security monitoring, along with a good sense of what is considered “normal” for network behavior.This is a chore often handled by cobbling together a bandolier of utilities, tools and applications, often an inefficient methodology not just for combating, but for even detecting threats lurking inside the network.
The real trick is to obtain visibility into a wide variety of potential network risks via a single, centralized tool. This is what network and security monitoring vendor Lancope provides through its StealthWatch System, a highly integrated set of consolidated applications that sheds light on those IT elements hiding in the shadows.
Hands-on with StealthWatch 6.4
Lancope is no stranger to security. Founded in 2000, the Alpharetta, GA-based company has steadily developed technologies that provide network visibility and security intelligence to defend enterprises against threats. The company’s StealthWatch product family, now in version 6.4, can collect and analyze NetFlow, IPFIX, and other types of flow data to provide network and security administrators with insight across distributed networks to remediate security problems.What’s more, the product offers a unified management console, intelligent detection algorithms, policy-based alarming and several other capabilities to manage, protect and validate network traffic.
The unifying element of StealthWatch is the StealthWatch Management Console (SMC), which gives a consolidated, dashboard-driven view of contextual network and security information based upon all activity taking place across the network. The console disseminates that information using a drill-down methodology, where pointing and clicking delivers filtered information based upon the element selected. In other words, it provides network traffic visualization, a powerful way to quickly grasp what is happening across a large network. The key to making that information digestible comes in the form of context. StealthWatch automatically applies filters when drilling down on traffic items, showing related information without inconsequential activity.
SMC's dashboard view of network activity
While context-based observations provide an excellent methodology to detect and understand network traffic anomalies in real time, there are times when historical analysis becomes just as important as, if not more important than, real-time analytics. To that end, StealthWatch can store months or even years of NetFlow data to provide a historical audit trail for conducting forensic investigations. StealthWatch also integrates with many other network and security technologies, such as firewalls andIDS/IPS appliances, to capture Syslog data. As those devices report, the data is stored, decoded and correlated with StealthWatch events and made available for later analysis, providing yet another layer of visibility for investigating network threats.
Of course, network analysis may mean different things to those in different roles. To support that ideology, StealthWatch offers “Point-of-View” technology, used to create custom dashboards that focus on the needs of a particular administrative role. For example, network engineers see router interface statistics, top talkers, and trending reports. Security analysts, meanwhile, receive reports detailing policy violations, worm outbreaks and other malware traversing the network.
It is this level of context-based intelligence that exposes the true value of StealthWatch. By obtaining automated reports and context-sensitive information, administrators can quickly identify traffic elements that fall out of the norm and track events that impact data flow, as well as applications running on the network. What’s more, administrators can get a snapshot of what data is being consumed or created by the various network endpoints and correlate that to normalized traffic, making it easy to detect worms, malware, DDoS attacks, unauthorized applications and systems that should not be connected to the network.
Visual mapping brings understanding to complex networks
Beyond its obvious security uses, StealthWatch also does a good job at helping network engineers troubleshoot connectivity issues by monitoring network events and detecting errors. Those capabilities make it easy to spot especially chatty systems, failed router ports and so on. An alert system can inform administrators of problems that need immediate attention.
Automated analytics take StealthWatch even further into the realm of a trusted companion for network and security managers. By unifying security, network and application performance monitoring into a single, event-based data stream that includes internal and perimeter devices, StealthWatch can apply behavioral analytics. These analytics can identify sophisticated, zero-day attacks that bypass perimeter defenses, as well as internal threats such as policy violations, network misuse, unauthorized access, device misconfigurations and data leakage.
A powerful reporting system rounds out StealthWatch’s capabilities, allowing administrators to create ad-hoc reports on the fly or use canned reports, which incorporate visual elements along with numerical data to provide interested parties with a comprehensive picture of what is happening across the network.
The reports are organized in such a way that even non-technical managers can grasp the inherent meaning, making them a powerful tool for CIOs looking to fund technology projects, increase network connectivity or improve security posture.
Tables make it easy to identify devices in use
StealthWatch also brings some additional capabilities to the table, such as identity and device awareness, reputation scoring and real-time threat feeds. Reputation scoring uses behavioral detection combined with gathered data to score the validity of a particular access event.Whether it is an endpoint consuming information or a user authenticating to the network, a reputation score gives a great indication of whether or not that access event is suspicious. Reputation scores can trigger actions, responses or other events, further automating the protection of network resources.
Lancope also provides real-time intelligence to identify suspicious network activity based upon global threats. The company’s SLIC Threat Feed automatically disseminates information on the latest infections, malware, botnets and so on. That translates into an early threat detection system, which empowers security managers to battle the latest compromises, even if they are not aware of them.
StealthWatch offers a massive set of capabilities and tools, which, when used in a unified fashion, should empower any network or security manager to identify, track and remediate most any threat, while also keeping an eye on network performance and load. This helps improve many functions, including threat detection, network troubleshooting, incident response, forensics and compliance.
Entry-level system pricing for StealthWatch begins at U.S. domestic $71,495. Many of its components are available as either physical or virtual appliances.
Editor's note: This review was updated with new images and current pricing information.