Attacks/Breaches
4/9/2009 11:00 AM

Rolling Review: StealthWatch System For Network Behavior Analysis

Lancope appliances provide deep threat analysis that's easy to see.

The Lancope StealthWatch System shines as a security tool, but network operations staff benefit, too. The StealthWatch network behavior analysis appliances let users easily monitor 10-Gb networks without relying on signatures to detect attacks.

The StealthWatch appliances, like rivals in this market, aren't cheap--the four we tested list for a total of $189,900--but their performance and features make clear why Lancope is a front-runner in network behavior analysis and set a formidable standard for the competition in this Rolling Review. The appliances let us baseline clients and servers, detect anomalous behavior, and monitor application and network performance, while letting users work in a rich, Java-based interface.

Essential to the system is the StealthWatch Management Console appliance, which correlates data from all the other appliances, handles users' Java clients, and generates reports. The StealthWatch NC performs direct packet capture, the StealthWatch Xe handles flow data, and the StealthWatch ID-1000 interfaces with directory services to provide user information to the Management Console. Most enterprises wouldn't need more than one Management Console and one ID-1000, but they might want several NC or Xe appliances, depending on the size and complexity of the networks to be analyzed.

Go With The Flow
Like competing tools from Arbor Networks and Riverbed Technology, the StealthWatch system leverages network flow data exported from network devices such as switches and routers as its major source for data analysis. It supports all flow data formats collected by the StealthWatch Xe appliance, including NetFlow, IPFIX, sFlow, and cflow.

Rolling Review: Network Behavior Analysis Tools

Business value
This Rolling Review examines the ability of network behavior analysis tools to protect enterprise systems from attacks and integrate with installed systems for intrusion detection and prevention.

Reviewed so far
Lancope StealthWatch System: Appliances offer feature flexibility and an impressive visual interface.

Still to come
Arbor Networks, Riverbed Technology, Tenable Network Security

Organizations that want the visibility provided by network behavior analysis but can't export flow data aren't left in the dark. The NC appliance can generate flow data by analyzing network traffic through a switch monitoring port or network tap.

In tests, StealthWatch Management Console and ID-1000 configuration and setup took only about an hour using the included quick setup guides. The system creates a baseline profile for every host on the network, including information such as ports used, regular bandwidth usage, and communication with other hosts.

When hosts exhibit behavior outside their baselines, StealthWatch quantifies that information and reports it via alarms, alerts, and probes that feed into three major indexes: the Target Index, the host being attacked; the File Sharing Index, which indicates if there is peer-to-peer activity; and the Concern Index, which determines potential risk by issuing a cumulative score. The higher the Concern Index score, the greater the likelihood there's a serious problem with the host device.
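To make the baseline-and-deviation idea concrete, here is a small Python model of the approach the review describes: build a per-host profile (ports used, peers contacted, typical flow size) from a training window of flow records, then score a later window for departures from that profile and accumulate the deviations into a single per-host concern score. This is an added example written for this page, not Lancope's code, and the scoring weights, the thresholds, the field names and the flow records themselves are all constructed assumptions; StealthWatch's actual Concern Index algorithm is proprietary and not described in the review.

```python
"""Toy network behavior analysis: per-host baselines from flow records plus a
cumulative concern score for deviations.  Added example; weights, thresholds
and sample flows are assumptions, not Lancope's Concern Index algorithm."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Flow:
    """One flow record in the spirit of a NetFlow/IPFIX export (constructed)."""
    src: str
    dst: str
    dport: int
    nbytes: int


@dataclass
class HostBaseline:
    """What a host normally does: destination ports, peers, typical flow size."""
    ports: set = field(default_factory=set)
    peers: set = field(default_factory=set)
    total_bytes: int = 0
    flows: int = 0

    def mean_bytes(self) -> float:
        return self.total_bytes / self.flows if self.flows else 0.0


# Assumed weights for the cumulative concern score (not Lancope's values).
W_UNKNOWN_HOST = 15          # host with no baseline at all
W_NEW_PORT = 10              # per destination port never seen in training
W_NEW_PEER = 5               # per peer never seen in training
W_BIG_TRANSFER = 20          # per flow far larger than the host's mean flow
W_PORT_SCAN = 30             # once per host when many new ports appear
BIG_TRANSFER_FACTOR = 10     # "large" = more than 10x the host's mean flow size
SCAN_PORT_THRESHOLD = 5      # this many never-seen ports in one window


def build_baselines(flows):
    """Training phase: fold every flow into its source host's profile."""
    baselines = defaultdict(HostBaseline)
    for f in flows:
        b = baselines[f.src]
        b.ports.add(f.dport)
        b.peers.add(f.dst)
        b.total_bytes += f.nbytes
        b.flows += 1
    return dict(baselines)


def score_window(flows, baselines):
    """Detection phase: return (concern score per host, list of findings per host).

    Each new port or peer is counted once per host per window, so a scan of
    one target is scored by its port count rather than by repeated peer hits."""
    concern = defaultdict(int)
    findings = defaultdict(list)
    new_ports = defaultdict(set)
    new_peers = defaultdict(set)
    for f in flows:
        b = baselines.get(f.src)
        if b is None:
            if "unknown host" not in findings[f.src]:
                concern[f.src] += W_UNKNOWN_HOST
                findings[f.src].append("unknown host")
            continue
        if f.dport not in b.ports and f.dport not in new_ports[f.src]:
            new_ports[f.src].add(f.dport)
            concern[f.src] += W_NEW_PORT
            findings[f.src].append(f"new port {f.dport}")
        if f.dst not in b.peers and f.dst not in new_peers[f.src]:
            new_peers[f.src].add(f.dst)
            concern[f.src] += W_NEW_PEER
            findings[f.src].append(f"new peer {f.dst}")
        if f.nbytes > BIG_TRANSFER_FACTOR * b.mean_bytes():
            concern[f.src] += W_BIG_TRANSFER
            findings[f.src].append(f"large transfer {f.nbytes} bytes to {f.dst}")
    # Window-level heuristic: many never-seen ports from one host looks like a scan.
    for host, ports in new_ports.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            concern[host] += W_PORT_SCAN
            findings[host].append(f"possible port scan ({len(ports)} new ports)")
    return dict(concern), dict(findings)


# Constructed sample data: a training window and a later observation window.
TRAINING = [
    Flow("10.0.0.5", "10.0.0.10", 443, 12000),
    Flow("10.0.0.5", "10.0.0.10", 443, 8000),
    Flow("10.0.0.5", "10.0.0.11", 53, 200),
    Flow("10.0.0.5", "10.0.0.11", 53, 300),
    Flow("10.0.0.6", "10.0.0.10", 443, 15000),
]
OBSERVED = (
    [Flow("10.0.0.5", "10.0.0.10", 443, 9000)]                  # normal
    + [Flow("10.0.0.5", "203.0.113.9", 443, 60_000_000)]         # huge upload to new peer
    + [Flow("10.0.0.5", "10.0.0.20", p, 60)                      # sweep of one target
       for p in (22, 23, 25, 80, 135, 139, 445)]
    + [Flow("10.0.0.6", "10.0.0.10", 443, 14000)]                # normal
    + [Flow("10.0.0.7", "10.0.0.10", 443, 1000)]                 # host never baselined
)


def run_demo():
    """Score the constructed observation window against the constructed baseline."""
    return score_window(OBSERVED, build_baselines(TRAINING))


if __name__ == "__main__":
    concern, findings = run_demo()
    for host, score in sorted(concern.items(), key=lambda kv: -kv[1]):
        print(f"{host}: concern {score}")
        for note in findings[host]:
            print(f"    {note}")
```

In the sample run, the host that both uploads an unusually large flow to an unfamiliar address and touches seven never-seen ports on one neighbour ends up with the highest score, the unbaselined host gets a modest score for simply appearing, and the host that behaves exactly as in training is not reported at all; that ranking, rather than any single alert, is what a cumulative index like the one described above is meant to surface.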

Lancope's impressive user interface makes heavy use of graphs and charts of network traffic, protocols, TCP flags, active flows, and much more. Graphs make it easy to spot trends over time, port scans, and large data transfers that could otherwise easily be overlooked. Groups looking to implement StealthWatch quickly will find the included dashboards a good starting point, with some focused on security and others on network stats. Custom dashboards are easy to design.

Reporting was straightforward, and enterprises that have security event managers such as ArcSight can feed StealthWatch into those systems for unified monitoring and mitigation, or use the exposed SOAP-based Web service to pull information into other commercial or custom-built security event managers.

John H. Sawyer is a senior security engineer with the University of Florida. Write to us at iweekletters@techweb.com.

Our Take
LANCOPE STEALTHWATCH SYSTEM
StealthWatch's impressive user interface makes it easy to pinpoint issues and trends quickly, and compensates for the appliances' somewhat quirky terminology.
Expensive network taps and load balancers aren't needed. StealthWatch leverages network flow data exported from existing network devices.
The StealthWatch NC appliance uses deep packet inspection to perform application layer analysis, OS fingerprinting, and attack detection.
