Cisco Secure Network Analytics (Stealthwatch) Overview

Cisco Secure Network Analytics (Stealthwatch) is a collector and aggregator of network telemetry data that performs network security analysis and monitoring to automatically detect threats that manage to infiltrate a network as well as the ones that originate from within a network. Using advanced security analytics, Stealthwatch can quickly and with high confidence detect threats such as command-and-control (C&C) attacks, ransomware, DDoS attacks, illicit crypto mining, unknown malware, and insider threats. It is an agentless solution that brings threat visibility into every part of the network, including the cloud, and the only product that can detect malware in encrypted traffic and ensure policy compliance without decryption.

Cisco Secure Network Stealthwatch Enterprise

Stealthwatch Enterprise provides real-time visibility into activities occurring within the network. This visibility can be scaled into the cloud, across the network, to branch locations, in the data center, and down to the endpoints.

At the core of Stealthwatch Enterprise are the Flow Rate License, the Flow Collector, Management Console, and Flow Sensor. Optional but recommended components include the following:

  • Cisco Stealthwatch Threat Intelligence: Enables a feed of threat intelligence from Cisco Talos
  • Cisco Stealthwatch Endpoint: Extended network visibility into endpoints
  • Cisco Stealthwatch Cloud: Can be used in combination with Stealthwatch Enterprise to extend visibility into Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure cloud infrastructures

Cisco Secure Network Stealthwatch Enterprise Benefits:

  • Real-time network threat detection
  • Incident response and forensics
  • Network segmentation
  • Network performance and capacity planning
  • Ability to satisfy regulatory requirements

Cisco Secure Network Stealthwatch Enterprise Components:

  • Flow Rate License: The Flow Rate License is required for the collection, management, and analysis of flow telemetry data and for the aggregation of flows at the Stealthwatch Management Console. It also defines the volume of flows that can be collected.
  • Flow Collector: The Flow Collector collects and analyzes enterprise telemetry data such as NetFlow, IP Flow Information Export (IPFIX), and other types of flow data from routers, switches, firewalls, endpoints, and other network devices. The Flow Collector can also collect telemetry from proxy data sources, which can be analyzed by Global Threat Analytics (formerly Cognitive Threat Analytics). Using Encrypted Traffic Analytics (ETA), it can also pinpoint malicious patterns in encrypted traffic without decrypting it, which identifies threats and accelerates the response. Flow Collector is available as a hardware appliance and as a virtual machine.
  • Stealthwatch Management Console (SMC): The SMC is the control center for Stealthwatch. It aggregates, organizes, and presents analysis from up to 25 Flow Collectors, Cisco ISE, and other sources. It offers a powerful yet simple-to-use web console that provides graphical representations of network traffic analysis, identity information, customized summary reports, and integrated security and network intelligence for comprehensive analysis. The SMC is available as a hardware appliance or a virtual machine.

Cisco Stealthwatch Cloud

Stealthwatch Cloud provides the visibility and continuous threat detection required to secure on-premises, hybrid, and multi-cloud environments. It can accurately detect threats in real time, regardless of whether an attack is taking place on the network, in the cloud, or across both environments. Stealthwatch Cloud is a cloud-based software-as-a-service (SaaS) solution. It detects malware, ransomware, data exfiltration, network vulnerabilities, and role changes that indicate compromise.

Public Cloud Monitoring

Cisco Stealthwatch Cloud Public Cloud Monitoring provides visibility and threat detection in AWS, GCP, and Microsoft Azure cloud infrastructures. It is a SaaS-based solution that can be deployed easily and quickly. Stealthwatch Cloud can be deployed without software agents, instead relying on native sources of telemetry such as virtual private cloud (VPC) flow logs. Stealthwatch Cloud models all IP traffic inside VPCs, between VPCs, or to external IP addresses generated by an organization’s resources and functions. Stealthwatch Cloud is also integrated with additional AWS services such as CloudTrail, Amazon CloudWatch, AWS Config, Inspector, Identity and Access Management (IAM), Lambda, and more.

Public Cloud Monitoring can be used in combination with Cisco Stealthwatch Enterprise to provide visibility and threat detection across the entire network.

Private Network Monitoring

Cisco Stealthwatch Cloud Private Network Monitoring provides visibility and threat detection for the on-premises network, delivered from a cloud-based SaaS solution. It is a perfect solution for organizations that want better awareness and security in their on-premises environments while reducing capital expenditure and operational overhead.

A lightweight virtual appliance needs to be installed in a virtual machine or server that can consume a variety of native sources of telemetry data or extract metadata from network packet flow. The collected metadata is encrypted and sent to the Stealthwatch Cloud analytics platform for analysis.

Managing Network Data

Many organizations face significant challenges when it comes to managing the collection and storage of their network telemetry in an efficient and scalable manner. This is especially pronounced for large enterprises and service providers with massive network footprints and exceptionally high flows per second (FPS) volumes, as they are faced with problems related to ingestion bandwidth, query performance, long-term data retention, and data resiliency. As a result, practitioners at these firms are often forced to implement unconventional workarounds that come with undesirable tradeoffs to satisfy their network telemetry and data storage needs. Large organizations need a solution that provides scalable network telemetry collection and storage, highly responsive query times, and reliable data resiliency as core capabilities. The Stealthwatch Data Store provides an improved database architecture for solving these problems by decoupling ingest and data storage, enabling new ways of efficiently managing data.

Common Network Telemetry

Ingestion: Organizations with large or expanding network footprints face scalability challenges and increased expenses as they must continuously purchase additional sensors or Flow Collectors to handle continuously growing ingest volumes.

Query performance: For large enterprises, the task of running queries on large data sets is incredibly computationally expensive and can take upwards of 24 hours – this leads to operational inefficiencies by slowing down remediation efforts and draining finite computational bandwidth.

Data retention: Many organizations are unable to retain the amount of network telemetry that they need to fulfill compliance requirements, forcing them to either purchase expensive third-party storage solutions or free up room in their proprietary databases to avoid legal risks should they be audited.

Data resiliency: Organizations that lack sufficient backup storage capacity are at risk of losing valuable data if one of their critical backup data storage systems fails.

Organizations can purchase either a single hardware Data Store 6200 or a Virtual Data Store, or can scale in terms of FPS and data retention by adding multiple Data Stores together as a single database cluster.

Required solution components

Data Store (DS 6200):

  • Secure Network Analytics Manager 2210
  • Flow Collector 4210
  • Data Store 6200

Virtual Data Store:

  • Virtual Secure Network Analytics Manager
  • Virtual Flow Collector
  • Virtual Data Store (L-ST-DS-VE-K9)

Additional notes:

  • The Data Store will be supported by Secure Network Analytics versions 7.3 and above
  • Both the Data Store 6200 and the Virtual Data Store consist of a set of three Data Node appliances
  • Data Node appliances are not sold separately

How It Works

The Data Store cluster sits between the Cisco Stealthwatch Management Console and Flow Collectors. One or more Flow Collectors ingest and de-duplicate flow data, perform analyses, and then send the flow data and its results directly to the Data Store. This flow data is then distributed equally across a Data Store, which is comprised of a minimum of three Data Node appliances. The Data Store facilitates flow data storage and keeps all your network telemetry in one centralized location as opposed to having it spread across multiple Flow Collectors in a distributed model. This new centralized model offers greater storage capacity, flow rate ingestion, and increased resiliency versus the distributed model.

