Attacks/Breaches
4/9/2009
11:00 AM
50%
50%

Rolling Review: StealthWatch System For Network Behavior Analysis

Lancope appliances provide deep threat analysis that's easy to see.

The Lancope StealthWatch System shines as a security tool, but network operations staff benefit, too. The StealthWatch network behavior analysis appliances let users easily monitor 10-Gb networks without relying on signatures to detect attacks.

The StealthWatch appliances, like rivals in this market, aren't cheap--the four we tested list for a total of $189,900--but their performance and features make clear why Lancope is a front-runner in network behavior analysis and set a formidable standard for the competition in this Rolling Review. The appliances let us baseline clients and servers, detect anomalous behavior, and monitor application and network performance, while letting users work in a rich, Java-based interface.

Essential to the system is the StealthWatch Management Console appliance, which correlates data from all the other appliances, handles users' Java clients, and generates reports. The StealthWatch NC performs direct packet capture, the StealthWatch Xe handles flow data, and the StealthWatch ID-1000 interfaces with directory services to provide user information to the Management Console. Most enterprises wouldn't need more than one Management Console and one ID-1000, but they might want several NC or Xe appliances, depending on the size and complexity of the networks to be analyzed.

Go With The Flow
Like competing tools from Arbor Networks and Riverbed Technology, the StealthWatch system leverages network flow data exported from network devices such as switches and routers as its major source for data analysis. It supports all flow data formats collected by the StealthWatch Xe appliance, including NetFlow, IPFIX, sFlow, and cflow.

Rolling Review
NETWORK BEHAVIOR
ANALYSIS TOOLS
Business value
This Rolling Review examines the ability of network behavior analysis tools to protect enterprise systems from attacks and integrate with installed systems for intrusion detection and prevention.
Reviewed so far
Lancope StealthWatch System
Appliances offer feature flexibility and an impressive visual interface.
Still to come
Arbor Networks, Riverbed Technology, Tenable Network Security
Organizations that want the visibility provided by network behavior analysis but can't export flow data aren't left in the dark. The NC appliance can generate flow data by analyzing network traffic through a switch monitoring port or network tap.

In tests, StealthWatch Management Console and ID-1000 configuration and setup took only about an hour using the included quick setup guides. The system creates a baseline profile for every host on the network, including information such as ports used, regular bandwidth usage, and communication with other hosts.

When hosts exhibit behavior outside their baselines, StealthWatch quantifies that information and reports it via alarms, alerts, and probes that feed into three major indexes: the Target Index, the host being attacked; the File Sharing Index, which indicates if there is peer-to-peer activity; and the Concern Index, which determines potential risk by issuing a cumulative score. The higher the Concern Index score, the greater the likelihood there's a serious problem with the host device.

Lancope's impressive user interface makes heavy use of graphs and charts of network traffic, protocols, TCP flags, active flows, and much more. Graphs make it easy to spot trends over time, port scans, and large data transfers that could otherwise easily be overlooked. Groups looking to implement StealthWatch quickly will find the included dashboards a good starting point, with some focused on security and others on network stats. Custom dashboards are easy to design.

Reporting was straightforward, and enterprises that have security event managers such as ArcSight can leverage these systems for a unified monitoring and mitigation, or use the exposed SOAP-based Web service to pull information into other commercial or custom-built security event managers.

John H. Sawyer is a senior security engineer with the University of Florida. Write to us at iweekletters@techweb.com.

Our Take
LANCOPE STEALTHWATCH SYSTEM
StealthWatch's impressive user interface makes it easy to pinpoint issues and trends quickly, and compensates for the appliances' somewhat quirky terminology.
Expensive network taps and load balancers aren't needed. StealthWatch leverages network flow data exported from existing network devices.
The StealthWatch NC appliance uses deep packet inspection to perform application layer analysis, OS fingerprinting, and attack detection.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-0547
Published: 2015-07-04
The D2CenterstageService.getComments service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0548
Published: 2015-07-04
The D2DownloadService.getDownloadUrls service method in EMC Documentum D2 4.1 and 4.2 before 4.2 P16 and 4.5 before P03 allows remote authenticated users to conduct Documentum Query Language (DQL) injection attacks and bypass intended read-access restrictions via unspecified vectors.

CVE-2015-0551
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in EMC Documentum WebTop 6.7SP1 before P31, 6.7SP2 before P23, and 6.8 before P01; Documentum Administrator 6.7SP1 before P31, 6.7SP2 before P23, 7.0 before P18, 7.1 before P15, and 7.2 before P01; Documentum Digital Assets Manager 6.5SP6 before P2...

CVE-2015-1966
Published: 2015-07-04
Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before FP17, 6.2.1 before FP9, and 6.2.2 before FP15, as used in Security Access Manager for Mobile and other products, allow remote attackers to inject arbitrary web script or HTML via a crafte...

CVE-2015-2964
Published: 2015-07-04
NAMSHI | JOSE 5.0.0 and earlier allows remote attackers to bypass signature verification via crafted tokens in a JSON Web Tokens (JWT) header.

Dark Reading Radio
Archived Dark Reading Radio
Marc Spitler, co-author of the Verizon DBIR will share some of the lesser-known but most intriguing tidbits from the massive report