
Rolling Review: StealthWatch System For Network Behavior Analysis

Lancope appliances provide deep threat analysis that's easy to see.

The Lancope StealthWatch System shines as a security tool, but network operations staff benefit, too. The StealthWatch network behavior analysis appliances let users easily monitor 10-Gb networks without relying on signatures to detect attacks.

The StealthWatch appliances, like rivals in this market, aren't cheap--the four we tested list for a total of $189,900--but their performance and features make clear why Lancope is a front-runner in network behavior analysis and set a formidable standard for the competition in this Rolling Review. The appliances let us baseline clients and servers, detect anomalous behavior, and monitor application and network performance, while letting users work in a rich, Java-based interface.

Essential to the system is the StealthWatch Management Console appliance, which correlates data from all the other appliances, handles users' Java clients, and generates reports. The StealthWatch NC performs direct packet capture, the StealthWatch Xe handles flow data, and the StealthWatch ID-1000 interfaces with directory services to provide user information to the Management Console. Most enterprises wouldn't need more than one Management Console and one ID-1000, but they might want several NC or Xe appliances, depending on the size and complexity of the networks to be analyzed.

Go With The Flow
Like competing tools from Arbor Networks and Riverbed Technology, the StealthWatch system leverages network flow data exported from network devices such as switches and routers as its major source for data analysis. It supports all flow data formats collected by the StealthWatch Xe appliance, including NetFlow, IPFIX, sFlow, and cflow.

Rolling Review: Network Behavior Analysis Tools
Business value: This Rolling Review examines the ability of network behavior analysis tools to protect enterprise systems from attacks and integrate with installed systems for intrusion detection and prevention.
Reviewed so far: Lancope StealthWatch System. Appliances offer feature flexibility and an impressive visual interface.
Still to come: Arbor Networks, Riverbed Technology, Tenable Network Security
Organizations that want the visibility provided by network behavior analysis but can't export flow data aren't left in the dark. The NC appliance can generate flow data by analyzing network traffic through a switch monitoring port or network tap.

In tests, StealthWatch Management Console and ID-1000 configuration and setup took only about an hour using the included quick setup guides. The system creates a baseline profile for every host on the network, including information such as ports used, regular bandwidth usage, and communication with other hosts.

When hosts exhibit behavior outside their baselines, StealthWatch quantifies that information and reports it via alarms, alerts, and probes that feed into three major indexes: the Target Index, the host being attacked; the File Sharing Index, which indicates if there is peer-to-peer activity; and the Concern Index, which determines potential risk by issuing a cumulative score. The higher the Concern Index score, the greater the likelihood there's a serious problem with the host device.
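To make the baseline-and-score idea concrete, here is an added example (not Lancope's code or scoring algorithm) that profiles each host from constructed flow records, then accumulates a Concern-Index-style score as hosts deviate from their profiles; the point values, thresholds and IP addresses are assumptions for illustration.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port, bytes) for this example; not real captures.
BASELINE_FLOWS = [
    ("10.0.0.5", "10.0.0.1", 53, 500),
    ("10.0.0.5", "10.0.0.20", 443, 4500),
    ("10.0.0.7", "10.0.0.20", 443, 2000),
]
NEW_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 443, 1200),   # normal for this host
    ("10.0.0.5", "10.0.0.20", 443, 20000),  # large transfer, about 4x its baseline volume
    ("10.0.0.9", "10.0.0.1", 53, 100),      # host with no baseline profile at all
] + [("10.0.0.7", "10.0.0.30", p, 100) for p in range(21, 33)]  # 12 new ports on a new peer

def build_baseline(flows):
    """Profile each source host by the ports it uses, the peers it contacts and bytes sent."""
    profile = defaultdict(lambda: {"ports": set(), "peers": set(), "bytes": 0})
    for src, dst, port, nbytes in flows:
        profile[src]["ports"].add(port)
        profile[src]["peers"].add(dst)
        profile[src]["bytes"] += nbytes
    return dict(profile)

def concern_index(baseline, flows, scan_threshold=10, volume_factor=3):
    """Cumulative per-host score: each deviation from the host's own baseline adds points."""
    score = defaultdict(int)
    new_targets = defaultdict(set)  # (peer, port) pairs never seen in the baseline
    sent = defaultdict(int)
    for src, dst, port, nbytes in flows:
        sent[src] += nbytes
        base = baseline.get(src)
        if base is None:
            score[src] += 50          # unprofiled host: nothing to compare against
            continue
        if dst not in base["peers"]:
            score[src] += 5           # talking to an unfamiliar peer
        if port not in base["ports"]:
            score[src] += 2           # using a port outside its profile
            new_targets[src].add((dst, port))
    for host, targets in new_targets.items():
        if len(targets) >= scan_threshold:
            score[host] += 100        # many new (peer, port) pairs: scan-like behavior
    for host, nbytes in sent.items():
        if host in baseline and nbytes > volume_factor * baseline[host]["bytes"]:
            score[host] += 40         # volume far above the host's normal
    return dict(score)

if __name__ == "__main__":
    for host, s in sorted(concern_index(build_baseline(BASELINE_FLOWS), NEW_FLOWS).items(), key=lambda kv: -kv[1]):
        print(f"{host}: concern {s}")
```

The highest score goes to the host that fanned out across a dozen new ports on a new peer, ahead of the one that merely moved an unusually large volume, which is the ordering an analyst would want when triaging alarms.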

Lancope's impressive user interface makes heavy use of graphs and charts of network traffic, protocols, TCP flags, active flows, and much more. Graphs make it easy to spot trends over time, port scans, and large data transfers that could otherwise easily be overlooked. Groups looking to implement StealthWatch quickly will find the included dashboards a good starting point, with some focused on security and others on network stats. Custom dashboards are easy to design.

Reporting was straightforward, and enterprises that have security event managers such as ArcSight can feed StealthWatch into those systems for unified monitoring and mitigation, or use the exposed SOAP-based Web service to pull information into other commercial or custom-built security event managers.

John H. Sawyer is a senior security engineer with the University of Florida. Write to us at [email protected].

Our Take
LANCOPE STEALTHWATCH SYSTEM
StealthWatch's impressive user interface makes it easy to pinpoint issues and trends quickly, and compensates for the appliances' somewhat quirky terminology.
Expensive network taps and load balancers aren't needed. StealthWatch leverages network flow data exported from existing network devices.
The StealthWatch NC appliance uses deep packet inspection to perform application layer analysis, OS fingerprinting, and attack detection.
