Attacks/Breaches
4/9/2009
11:00 AM

Rolling Review: StealthWatch System For Network Behavior Analysis

Lancope appliances provide deep threat analysis that's easy to see.

The Lancope StealthWatch System shines as a security tool, but network operations staff benefit, too. The StealthWatch network behavior analysis appliances let users easily monitor 10-Gb networks without relying on signatures to detect attacks.

The StealthWatch appliances, like rivals in this market, aren't cheap--the four we tested list for a total of $189,900--but their performance and features make clear why Lancope is a front-runner in network behavior analysis and set a formidable standard for the competition in this Rolling Review. The appliances let us baseline clients and servers, detect anomalous behavior, and monitor application and network performance, while letting users work in a rich, Java-based interface.

Essential to the system is the StealthWatch Management Console appliance, which correlates data from all the other appliances, handles users' Java clients, and generates reports. The StealthWatch NC performs direct packet capture, the StealthWatch Xe handles flow data, and the StealthWatch ID-1000 interfaces with directory services to provide user information to the Management Console. Most enterprises wouldn't need more than one Management Console and one ID-1000, but they might want several NC or Xe appliances, depending on the size and complexity of the networks to be analyzed.

Go With The Flow
Like competing tools from Arbor Networks and Riverbed Technology, the StealthWatch system relies on network flow data exported from switches, routers, and other network devices as its major source of data for analysis. The StealthWatch Xe appliance collects every flow format the system supports, including NetFlow, IPFIX, sFlow, and cflow.
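As an added example, not Lancope's code and not part of the original review, the following script shows what a collector has to do with one of the formats listed above, NetFlow v5, whose layout Cisco documents as a 24-byte header followed by up to 30 fixed 48-byte records in network byte order. The sample datagram is constructed in the script rather than captured; the version, record-count and length checks are the ones worth doing before trusting records from an unauthenticated UDP exporter.

```python
"""Minimal NetFlow v5 datagram parser (example code, not Lancope's).

A v5 export is one UDP datagram: a 24-byte header followed by `count`
fixed 48-byte flow records (count <= 30). All fields are big-endian.
"""
import socket
import struct

HEADER_FMT = "!HHIIIIBBH"                 # version, count, sys_uptime, unix_secs,
                                          # unix_nsecs, flow_sequence, engine_type,
                                          # engine_id, sampling (2-bit mode, 14-bit interval)
RECORD_FMT = "!4s4s4sHHIIIIHHBBBBHHBBH"   # srcaddr, dstaddr, nexthop, input, output,
                                          # dPkts, dOctets, first, last, srcport, dstport,
                                          # pad1, tcp_flags, prot, tos, src_as, dst_as,
                                          # src_mask, dst_mask, pad2
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48
MAX_RECORDS = 30


def parse_netflow_v5(datagram: bytes) -> dict:
    """Return {"header": {...}, "records": [...]} or raise ValueError.

    The exporter is an unauthenticated UDP source, so a collector must
    validate version, record count and total length before decoding.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than NetFlow v5 header")
    (version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
     engine_type, engine_id, sampling) = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if not 1 <= count <= MAX_RECORDS:
        raise ValueError(f"impossible record count {count}")
    if len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("datagram length does not match record count")

    header = {
        "version": version, "count": count, "sys_uptime_ms": sys_uptime,
        "unix_secs": unix_secs, "unix_nsecs": unix_nsecs,
        "flow_sequence": flow_sequence, "engine_type": engine_type,
        "engine_id": engine_id,
        "sampling_mode": sampling >> 14, "sampling_interval": sampling & 0x3FFF,
    }
    records = []
    for i in range(count):
        fields = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        (src, dst, nexthop, in_if, out_if, pkts, octets, first, last, sport, dport,
         _pad1, tcp_flags, proto, tos, src_as, dst_as, src_mask, dst_mask, _pad2) = fields
        records.append({
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "nexthop": socket.inet_ntoa(nexthop), "in_if": in_if, "out_if": out_if,
            "sport": sport, "dport": dport, "proto": proto, "tcp_flags": tcp_flags,
            "packets": pkts, "bytes": octets, "duration_ms": last - first,
            "tos": tos, "src_as": src_as, "dst_as": dst_as,
        })
    return {"header": header, "records": records}


def build_sample_datagram() -> bytes:
    """Constructed sample (not a capture): one router exporting two flows."""
    flows = [
        # src, dst, sport, dport, proto, pkts, bytes, first_ms, last_ms, tcp_flags
        ("10.1.1.5", "192.0.2.10", 51234, 443, 6, 12, 4096, 1000, 1500, 0x1B),
        ("10.1.1.5", "10.1.2.20", 51235, 445, 6, 1, 60, 1600, 1600, 0x02),
    ]
    header = struct.pack(HEADER_FMT, 5, len(flows), 2000, 1239274800, 0, 100, 0, 0, 0)
    body = b"".join(
        struct.pack(RECORD_FMT,
                    socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                    1, 2, pkts, octets, first, last, sport, dport,
                    0, flags, proto, 0, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, pkts, octets, first, last, flags in flows
    )
    return header + body


if __name__ == "__main__":
    parsed = parse_netflow_v5(build_sample_datagram())
    for r in parsed["records"]:
        print(f'{r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'proto={r["proto"]} bytes={r["bytes"]} flags=0x{r["tcp_flags"]:02x}')
```

The parser rejects a truncated or padded datagram outright rather than decoding as many records as fit; silently accepting partial exports is how a collector ends up baselining on garbage.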

Rolling Review: Network Behavior Analysis Tools
Business value
This Rolling Review examines the ability of network behavior analysis tools to protect enterprise systems from attacks and integrate with installed systems for intrusion detection and prevention.
Reviewed so far
Lancope StealthWatch System
Appliances offer feature flexibility and an impressive visual interface.
Still to come
Arbor Networks, Riverbed Technology, Tenable Network Security

Organizations that want the visibility provided by network behavior analysis but can't export flow data aren't left in the dark. The NC appliance can generate flow data by analyzing network traffic through a switch monitoring port or network tap.

In tests, StealthWatch Management Console and ID-1000 configuration and setup took only about an hour using the included quick setup guides. The system creates a baseline profile for every host on the network, including information such as ports used, regular bandwidth usage, and communication with other hosts.

When hosts exhibit behavior outside their baselines, StealthWatch quantifies the deviation and reports it via alarms, alerts, and probes that feed into three major indexes: the Target Index, which scores a host as the target of attacks; the File Sharing Index, which indicates peer-to-peer activity; and the Concern Index, a cumulative score of the potential risk a host poses. The higher the Concern Index score, the more likely there is a serious problem with that host.
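As an added illustration of the baselining and Concern Index idea described above, not StealthWatch's own algorithm (the review does not disclose its scoring), the following script builds a per-host profile of peers, destination ports, and bytes per period from constructed flow records, then scores a later period's deviations into one cumulative number. The weights, thresholds, and host addresses are assumptions chosen for the example; a port scan and a large transfer to a never-seen peer are the two behaviors it is built to surface.

```python
"""Per-host baselining and a cumulative concern score from flow records.

Illustrative implementation of the idea in the review, not Lancope's
algorithm: weights, thresholds, addresses and flow records here are all
assumptions constructed for the example.
A flow record is (period, src, dst, dport, bytes); `period` is a
baselining window such as one day.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class HostBaseline:
    peers: set = field(default_factory=set)        # hosts this host talked to
    dports: set = field(default_factory=set)       # destination ports it used
    bytes_per_period: list = field(default_factory=list)

    @property
    def typical_bytes(self) -> float:
        if not self.bytes_per_period:
            return 0.0
        return sum(self.bytes_per_period) / len(self.bytes_per_period)


def build_baseline(flows) -> dict:
    """Learn each source host's normal peers, ports and bytes per period."""
    base = defaultdict(HostBaseline)
    per_period = defaultdict(int)
    for period, src, dst, dport, nbytes in flows:
        base[src].peers.add(dst)
        base[src].dports.add(dport)
        per_period[(period, src)] += nbytes
    for (_period, src), total in per_period.items():
        base[src].bytes_per_period.append(total)
    return dict(base)


# Assumed weights and thresholds (chosen for the example).
W_NEW_PORT, W_NEW_PEER, W_BANDWIDTH, W_SCAN = 5, 3, 20, 40
BANDWIDTH_MULT = 3.0    # bytes in one period above 3x the baseline mean
SCAN_PORTS = 10         # distinct ports to one peer that count as a scan


def concern_index(baseline: dict, flows) -> dict:
    """Score one period of flows against the baseline.

    Returns {host: (score, [reasons])}. A host absent from the baseline
    (a newly seen device) is scored as if everything it does is new.
    """
    seen_ports, seen_peers = defaultdict(set), defaultdict(set)
    total_bytes, ports_per_peer = defaultdict(int), defaultdict(set)
    for _period, src, dst, dport, nbytes in flows:
        seen_ports[src].add(dport)
        seen_peers[src].add(dst)
        total_bytes[src] += nbytes
        ports_per_peer[(src, dst)].add(dport)

    result = {}
    for host in seen_ports:
        prof = baseline.get(host, HostBaseline())
        score, reasons = 0, []
        new_ports = seen_ports[host] - prof.dports
        if new_ports:
            score += W_NEW_PORT * len(new_ports)
            reasons.append(f"{len(new_ports)} new destination port(s)")
        new_peers = seen_peers[host] - prof.peers
        if new_peers:
            score += W_NEW_PEER * len(new_peers)
            reasons.append(f"{len(new_peers)} new peer(s)")
        if prof.typical_bytes and total_bytes[host] > BANDWIDTH_MULT * prof.typical_bytes:
            score += W_BANDWIDTH
            reasons.append(f"{total_bytes[host]} bytes vs typical {prof.typical_bytes:.0f}")
        for (src, dst), ports in ports_per_peer.items():
            if src == host and len(ports) >= SCAN_PORTS:
                score += W_SCAN
                reasons.append(f"port scan of {dst} ({len(ports)} ports)")
        result[host] = (score, reasons)
    return result


# Constructed flows: two normal periods, then one period in which a
# workstation scans a server and pushes 3 MB to a never-seen external host.
BASELINE_FLOWS = [
    (period, src, dst, dport, nbytes)
    for period in (1, 2)
    for src, dst, dport, nbytes in [
        ("10.1.1.5", "10.1.2.20", 445, 50_000),
        ("10.1.1.5", "192.0.2.10", 443, 200_000),
        ("10.1.1.5", "10.1.1.1", 53, 5_000),
        ("10.1.2.20", "10.1.1.1", 53, 500),
    ]
]
OBSERVED_FLOWS = [
    (3, "10.1.1.5", "10.1.2.20", 445, 48_000),          # normal
    (3, "10.1.1.5", "198.51.100.7", 443, 3_000_000),    # new peer, large upload
    (3, "10.1.2.20", "10.1.1.1", 53, 450),              # normal
] + [(3, "10.1.1.5", "10.1.2.30", port, 60) for port in range(1, 13)]  # scan


if __name__ == "__main__":
    scores = concern_index(build_baseline(BASELINE_FLOWS), OBSERVED_FLOWS)
    for host, (score, reasons) in sorted(scores.items(), key=lambda kv: -kv[1][0]):
        print(f"{host}: concern={score} {'; '.join(reasons) or 'within baseline'}")
```

The point of the cumulative score, as opposed to one alarm per event, is visible in the output: the twelve tiny 60-byte scan flows would never trip a bandwidth threshold on their own, but they add up with the new-peer upload into a single number that puts the workstation at the top of the list while the server it scanned stays at zero.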

Lancope's impressive user interface makes heavy use of graphs and charts of network traffic, protocols, TCP flags, active flows, and much more. Graphs make it easy to spot trends over time, port scans, and large data transfers that could otherwise easily be overlooked. Groups looking to implement StealthWatch quickly will find the included dashboards a good starting point, with some focused on security and others on network stats. Custom dashboards are easy to design.

Reporting was straightforward, and enterprises that have security event managers such as ArcSight can feed StealthWatch into them for unified monitoring and mitigation, or use the exposed SOAP-based Web service to pull information into other commercial or custom-built security event managers.

John H. Sawyer is a senior security engineer with the University of Florida. Write to us at iweekletters@techweb.com.

Our Take
LANCOPE STEALTHWATCH SYSTEM
StealthWatch's impressive user interface makes it easy to pinpoint issues and trends quickly, and compensates for the appliances' somewhat quirky terminology.
Expensive network taps and load balancers aren't needed. StealthWatch leverages network flow data exported from existing network devices.
The StealthWatch NC appliance uses deep packet inspection to perform application layer analysis, OS fingerprinting, and attack detection.
