StealthWatch Introduction

Lancope was founded back in 2000 and is a leading provider of network visibility and security intelligence to protect enterprises against today's top threats. The StealthWatch System uses NetFlow, IPFIX and other types of network telemetry to detect a wide range of attacks from a variety of threats including APTs, DDoS, zero-day malware and insider threats. Lancope was just recently acquired by Cisco late last year but the company itself had a very close relationship with Cisco prior to that and thanks to that relationship, it integrates quite well with a variety of existing Cisco solutions. In this first post, I'm going to dig into some of the components of the StealthWatch System.

So what does StealthWatch do? It's provides context-aware security for real-time threat detection and forensic response. Through StealthWatch, one would be able to transform the network into a virtual sensor grid and correlate data sets across the organization. It provides pervasive network visibility and actionable security intelligence.  With the contextual information that StealthWatch gathers, it has the ability to know every host, record every conversation, baseline the behavior of hosts, store data for months and alert an administrator to any changes. 

When you think about security, typically someone thinks of the controls and tools they put into place which may include any combination or all of the following:

  • Firewall
  • IPS 
  • ACLs
  • NAC 
  • Anti-virus/Anti-Malware
  • SIEM

Even with all these tools, there are things they cannot see or that they may not detect which is where StealthWatch comes in. This is some of the questions I would think about:

  • If someone run a ping sweep across hosts on the same subnet, how are you going to detect it?
  • If a user starts DDoSing something in your network with what looks like legitimate traffic, will you be able to quickly detect it and be alerted on it? 
  • If a user is authorized to download data off a server with proprietary information and they usually only download about 10Mbps a day and suddenly download 100Gbps in one day, how will you be alerted that this host is behaving outside of the norm? How do you currently detect or investigate data leaks?
  • If a user comes in with a worm after taking their work laptop home for the night and the worm starts propagating across the  network, how will you know what hosts are infected if there is no signature?  
  • If someone is stealing proprietary information out of your network and tunneling it through another protocol (i.e. port 53) to make it look like legitimate traffic, how do you know? 
  • How do you investigate malware threats in your environment?
  • How do you investigate network performance on an endpoint if you only have the user's name? 
  • How do you currently detect or investigate insider threats? 

When you think about security threats like this, you start to see the need for something that provides anomaly detection, behavior analysis and baselining for your network as a whole. That's where StealthWatch comes in. I see StealthWatch as a tool that bridges the gap between existing security controls that are out there and provides complete visibility into what's happening in your network. 

This is a high-level diagram of the StealthWatch architecture:

The minimum requirements for the StealthWatch System is a StealthWatch Management Console (SMC) and at least one FlowCollector but there are additional products that might be of assistance. I'll go over those in this blog post:

StealthWatch Management Console (SMC)

The SMC allows administrators to view, understand and act on network and security data through a single interface. SMC provides flow deduplication across flow collectors for flow table entries when queries from multiple FCs contain the same flow. This deduplication is against existing flow records queried and only affects the display of existing flow records in that document. It does not alter the storage of those records. Deduplication ensures each conversation is only counted once. It can collect data from FlowCollectors, firewalls, web proxies, IDS/IPS, and NAC systems. It’s the control center of the StealthWatch system. Available in both physical appliance or virtual appliance. 

What does it do?

  • Manages data
  • Coordinates data
  • Configures data
  • Organizes data for all StealthWatch appliances
  • Drills down on unusual behavior in flow records

It provides the following features:

  • User identity tracking
  • Appliance and virtual deployment options
  • Root-cause analysis and troubleshooting
  • Relational flow maps
  • NAT stitching
  • Custom dashboards
  • Custom reporting
  • Blocking, remediation or rate limiting
  • Top N reports for applications, services, ports, protocols, hosts, peers and conversations
  • Traffic composition breakdown
  • Customizable user interface based on Point-of-View technology
  • Advanced flow visualization
  • Internal and external monitoring
  • Capacity planning and historical traffic trending
  • WAN optimization reporting
  • DSCP bandwidth utilization
  • Worm propagation visualization
  • Internal security for high-speed networks



The FlowCollector collects and analyzes data from existing network infrastructure to provide the complete picture of everything happening in the environment. Some of the features it can provide are:

  • Baselining of all IP traffic
  • Anomaly detection in traffic/host behavior
  • Layer 7 anomaly detection
  • Appliance or virtual deployment options
  • NAT stitching
  • P2P file sharing detection
  • Host and service profiling
  • Index-based prioritization technology 
  • OS fingerprinting
  • Support for application-aware flows such as NBAR2
  • Support for custom applications
  • Closest interface determination and tracking
  • Deduplication of flows
  • Virtual environment monitoring
  • Host Group tracking and reporting
  • Router interface tracking and reporting
  • Bandwidth accounting and reporting
  • Packet-level performance metrics
  • QoS (DSCP) monitoring
  • Interface utilization alarming
  • Unauthorized host access detection
  • Unauthorized Web server detection
  • Misconfigured firewall detection
  • Combined internal and external monitoring
  • Full flow logging
  • Worm detection
  • Botnet detection
  • DoS/DDoS detection (SYN, ICMP, or UDP flood)
  • Fragmentation attack detection
  • Network scanning and reconnaissance detection
  • Large file transfer detection
  • Rogue server detection
  • Long term flow retention


FlowSensor (FS)

The FlowSensor will compliment data received natively from the flow-capable devices. It monitors packet data and enriches flow data which can include application ID, packet header, URL data, network/server response time detail, and the FlowSensor can also produce flow for parts of the network where there is no NetFlow-capable devices. 

What does the FlowSensor do?

  • Identifies applications and protocols regards of whether they are:
    • Plain text
    • Advanced encryption
    • Obfuscation techniques
  • Provides application including SRT, RTT, MTTK
  • Packet-level metrics such as HTTP/HTTPS Header Data and packet paylod
  • Able to create Netflow data in environments where it is not enabled


UDP Director

The UDP Director is a high-performance appliance that receives flows and logging information from multiple locations and forwards it in a single data stream to one or more destinations. For example, if you're sending NetFlow data to LiveAction, StealthWatch, SolarWinds, and Prime, you can create 4 different exporters on each and every network device on your network and waste bandwidth or you can have it all sent to the same IP address (UDP Director) and have it replicate that information to multiple destinations. 

What does the UDP Director do?

  • Simplifies collection of network and security data
  • Reduces points of failure on your network
  • Provides a single destination for all UDP formats on the network including Netflow, SNMP, syslog, etc
  • Reduces network congestion for optimum network performance


StealthWatch Labs Intelligence Center (SLIC) Threat Feed

This is a licensed feature that provides global threat intelligence from a community of experts and partners and aggregates emerging threat information from around the world. It adds an additional layer of protection from botnet command and control centers and other sophisticated attacks. This is a feed that is continuously updated.

What does the SLIC Threat Feed do?

  • Provides global threat intelligence from a community of 3rd-party experts and partners (StealthWatch Intelligence Center)
  • Aggregates emerging threat information from around the world
  • Adds an additional layer of protection from botnet command control centers and other sophisticated attacks
  • Delivers information about a full security incident



ProxyWatch is a licensed feature on StealthWatch. When you have a proxy in the environment, all the hosts will be sending traffic to that proxy from various IP addresses and that proxy will take that traffic and send it to the internet with it's IP. ProxyWatch is almost like NAT stitching for Proxys. It correlates these conversations to provide visibility on both sides of the proxy and turns the missing parts of the conversation into a complete record. 

What does the ProxyWatch do?

  • Enhanced network visibility
  • Additional context around conversations
  • Follow the flow to actual destination


Another great thing about Lancope is that it can integrate well with ISE through pxGrid which will provide the StealthWatch system with extra contextual information about the endpoint and user on that endpoint as well as the ability to quarantine that endpoint if they are misbehaving. In later posts, I'll demonstrate how to integrate ISE and StealthWatch in my lab. In the next blog posts, I'll be going through the installation of StealthWatch, integration, and common tasks.