Attacks/Breaches
4/9/2009
11:00 AM
50%
50%

Rolling Review: StealthWatch System For Network Behavior Analysis

Lancope appliances provide deep threat analysis that's easy to see.

The Lancope StealthWatch System shines as a security tool, but network operations staff benefit, too. The StealthWatch network behavior analysis appliances let users easily monitor 10-Gb networks without relying on signatures to detect attacks.

The StealthWatch appliances, like rivals in this market, aren't cheap--the four we tested list for a total of $189,900--but their performance and features make clear why Lancope is a front-runner in network behavior analysis and set a formidable standard for the competition in this Rolling Review. The appliances let us baseline clients and servers, detect anomalous behavior, and monitor application and network performance, while letting users work in a rich, Java-based interface.

Essential to the system is the StealthWatch Management Console appliance, which correlates data from all the other appliances, handles users' Java clients, and generates reports. The StealthWatch NC performs direct packet capture, the StealthWatch Xe handles flow data, and the StealthWatch ID-1000 interfaces with directory services to provide user information to the Management Console. Most enterprises wouldn't need more than one Management Console and one ID-1000, but they might want several NC or Xe appliances, depending on the size and complexity of the networks to be analyzed.

Go With The Flow
Like competing tools from Arbor Networks and Riverbed Technology, the StealthWatch system leverages network flow data exported from network devices such as switches and routers as its major source for data analysis. It supports all flow data formats collected by the StealthWatch Xe appliance, including NetFlow, IPFIX, sFlow, and cflow.

Rolling Review
NETWORK BEHAVIOR
ANALYSIS TOOLS
Business value
This Rolling Review examines the ability of network behavior analysis tools to protect enterprise systems from attacks and integrate with installed systems for intrusion detection and prevention.
Reviewed so far
Lancope StealthWatch System
Appliances offer feature flexibility and an impressive visual interface.
Still to come
Arbor Networks, Riverbed Technology, Tenable Network Security
Organizations that want the visibility provided by network behavior analysis but can't export flow data aren't left in the dark. The NC appliance can generate flow data by analyzing network traffic through a switch monitoring port or network tap.

In tests, StealthWatch Management Console and ID-1000 configuration and setup took only about an hour using the included quick setup guides. The system creates a baseline profile for every host on the network, including information such as ports used, regular bandwidth usage, and communication with other hosts.

When hosts exhibit behavior outside their baselines, StealthWatch quantifies that information and reports it via alarms, alerts, and probes that feed into three major indexes: the Target Index, the host being attacked; the File Sharing Index, which indicates if there is peer-to-peer activity; and the Concern Index, which determines potential risk by issuing a cumulative score. The higher the Concern Index score, the greater the likelihood there's a serious problem with the host device.

Lancope's impressive user interface makes heavy use of graphs and charts of network traffic, protocols, TCP flags, active flows, and much more. Graphs make it easy to spot trends over time, port scans, and large data transfers that could otherwise easily be overlooked. Groups looking to implement StealthWatch quickly will find the included dashboards a good starting point, with some focused on security and others on network stats. Custom dashboards are easy to design.

Reporting was straightforward, and enterprises that have security event managers such as ArcSight can leverage these systems for a unified monitoring and mitigation, or use the exposed SOAP-based Web service to pull information into other commercial or custom-built security event managers.

John H. Sawyer is a senior security engineer with the University of Florida. Write to us at iweekletters@techweb.com.

Our Take
LANCOPE STEALTHWATCH SYSTEM
StealthWatch's impressive user interface makes it easy to pinpoint issues and trends quickly, and compensates for the appliances' somewhat quirky terminology.
Expensive network taps and load balancers aren't needed. StealthWatch leverages network flow data exported from existing network devices.
The StealthWatch NC appliance uses deep packet inspection to perform application layer analysis, OS fingerprinting, and attack detection.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2382
Published: 2014-11-20
The DfDiskLo.sys driver in Faronics Deep Freeze Standard and Enterprise 8.10 and earlier allows local administrators to cause a denial of service (crash) and execute arbitrary code via a crafted IOCTL request that writes to arbitrary memory locations, related to the IofCallDriver function.

CVE-2014-3625
Published: 2014-11-20
Directory traversal vulnerability in Pivitol Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.

CVE-2014-7194
Published: 2014-11-20
TIBCO Managed File Transfer Internet Server before 7.2.4, Managed File Transfer Command Center before 7.2.4, Slingshot before 1.9.3, and Vault before 1.1.1 allow remote attackers to obtain sensitive information or modify data by leveraging agent access.

CVE-2014-7195
Published: 2014-11-20
Spotfire Web Player Engine in TIBCO Spotfire Web Player 6.0.x before 6.0.2 and 6.5.x before 6.5.2, Spotfire Deployment Kit 6.0.x before 6.0.2 and 6.5.x before 6.5.2, and Silver Fabric Enabler for Spotfire Web Player before 1.6.1 allows remote authenticated users to obtain sensitive information via u...

CVE-2014-8000
Published: 2014-11-20
Cisco Unified Communications Manager IM and Presence Service 9.1(1) produces different returned messages for URL requests depending on whether a username exists, which allows remote attackers to enumerate user accounts via a series of requests, aka Bug ID CSCur63497.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?