Stealthwatch is a network monitoring tool developed by Cisco that provides complete network visibility. It monitors all network traffic and host behavior, storing data for months. It detects anomalies like unauthorized data downloads or performance issues. Stealthwatch works by collecting IP flow data from network devices using the IPFIX protocol. It has several components, including the Stealthwatch Management Console for managing and viewing network data, FlowCollectors for aggregating flow data, and optional FlowSensors and UDP Directors to enhance data collection and routing. The tool detects threats by correlating local network data with external threat intelligence feeds.

1. Stealthwatch
Defined ,Explained and Explored
Presented By:
Rayudu Babu ,
Security Analyst,
CEH V-10

2. Contents:
What is stealthwatch
What it does
How it works
Stealthwatch architecture
Components of stealthwatch
Use cases

3. What is stealthwatch:
Stealthwatch is a network monitoring tool ,developed by
cisco lancope.It provides complete network visibility and
integrated network intelligence across the organization. It
has the ability to know every host, records every
conversation, baseline the behavior of hosts, store data for
months and alert an administrator to any changes.

4. What it does:
 If someone run a ping sweep scan across hosts on the same subnet, how are you going to detect it?
 If a user starts DDoSing something in your network with what looks like legitimate traffic, will
you be able to quickly detect it and be alerted on it?
 If a user is authorized to download data off a server with proprietary information and they usually
only download about 10Mbps a day and suddenly download 100Gbps in one day, how will you be
alerted that this host is behaving outside of the norm? How do you currently detect or investigate
data leaks?
 How do you investigate network performance on an endpoint if you only have the user's name?
 How do you currently detect or investigate insider threats?
We can find solutions for above all questions using stealthwatch. To find any attack
we need to integrate all network security tools like Firewall/IPS/ACLs /NAC/Anti-
virus/Anti Malware /SIEM,but stealthwatch act as integrated security intelligence
tool.

5. How it works:
It works based on IPFIX( IP Flow Information Export) protocol. IPFIX is very
similar to Netflow, it is also called as Netflow version10(V10) protocol.
Working procedure also same as netflow it allows for network engineers and
administrators to collect flow information from Switches, Routers and any other
network devices that support the protocol and analyze the Traffic Flow
information that is being sent by processing it through a Network/Netflow
Analyzer.

6. Stealthwatch architecture:

7. Components of stealthwatch:
The minimum requirements for the StealthWatch System is a StealthWatch Management
Console (SMC) and at least one FlowCollector. but there are additional products that might
be of assistance.
 StealthWatch Management Console (SMC)
 FlowCollector(FC)
 FlowSensor (FS)
 UDP Director
 StealthWatch Labs Intelligence Center (SLIC) Threat Feed

8. StealthWatch Management Console (SMC)
The SMC allows administrators to view and act on network and security
data through a single interface. Centralized location for policy management
and data collection. It translates raw data into sophisticated reports and
graphical representations.
What does it do?
 Manages data
 Coordinates data
 Configures data
 Organizes data for all StealthWatch appliances
 Drills down on unusual behavior in flow records

9. FlowCollector(FC)
The FlowCollector aggregates flow data from multiple networks or network segments .Collects
and analyzes data to provide the complete picture of everything happening in the environment.
Some of the features :
 Baselining of all IP traffic
 Anomaly detection in traffic/host behavior
 Layer 7 anomaly detection
 NAT stitching
 P2P file sharing detection
 Host and service profiling
 Host Group tracking and reporting
 Router interface tracking and reporting
 Bandwidth accounting and reporting

10. FlowSensor (FS):
The Flowsensor creates flow data in environments where NetFlow is not enabled.Also
delivers performance analysis and deep packet inspection like application ID, packet
header, URL data, network/server response time detail.Flowsensors are optional but very
useful.
What does it do:
 Provides layer 7 application visibility regards of whether they are:
 Plain text
 Advanced encryption
 Obfuscation techniques
 Provides application including SRT, RTT, MTTK
 Packet-level metrics such as HTTP/HTTPS Header Data and packet payload
 Able to create Netflow data in environments where it is not enabled

11. UDP Director:
The UDP Director is a high-performance appliance that receives flows and logging
information from multiple locations and forwards it in a single data stream to one or
more destinations
 It simplifies the management of UDP data streams from netflow,sflow,syslog and
snmp traffic.
 Forwards data from multiple network locations in a single data stream to network
devices including the flow collector
 Aggregates and provides a single destination for UDP data and allows distribution of it
across the organization

12. StealthWatch Labs Intelligence Center (SLIC) Threat Feed
 The SLIC provides global threat intelligence feeds form various experts
like talos and correlates it with data from stealthwatch system to
provide security.
 It adds an additional layer of protection from botnet command and
control centers and other sophisticated attacks.

13. Questions?

14. Thank You