Cisco Stealthwatch Enterprise Data Sheet

Data Sheet

Updated:18 April 2018


For UCS Hardware

Stealthwatch Enterprise is the industry-leading visibility and security analytics solution that leverages enterprise telemetry from the existing network infrastructure. It provides advanced threat detection, accelerated threat response and simplified network segmentation using multi-layer machine learning and advanced behavioral modeling, all across the extended network.

With Stealthwatch Enterprise, you get real-time visibility that helps you gain better insight into activities occurring within your network. You can scale this visibility into the cloud, across the network, at branch locations, in the data center, and down to endpoints.

At the core of Stealthwatch Enterprise are the Flow Rate License, the Flow Collector, the Management Console and the Flow Sensor. For added functionality, please refer to the individual data sheets for the offerings below:

   Cisco Stealthwatch Endpoint License - Available as a license add-on to extend visibility to end-user devices.

   Cisco Stealthwatch Cloud - Available as a product offer to provide visibility and threat detection within public cloud infrastructures such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform.

   Threat Intelligence License - A global threat intelligence feed powered by the industry-leading threat intelligence group, Cisco Talos, provides an additional layer of protection against botnets and other sophisticated attacks. It correlates suspicious activity in the local network environment with data on thousands of known command-and-control servers and campaigns to provide high-fidelity detection and faster threat response. Cisco Talos sees 1.5 million unique malware samples and blocks 20 billion threats per day.

System Benefits

Through its unique view and analysis of network traffic, Stealthwatch Enterprise dramatically improves:

   Real-time threat detection

   Incident response and forensics

   Network segmentation

   Network performance and capacity planning

   Ability to satisfy regulatory requirements

Required Components of the System

Flow Rate License

The Flow Rate License is required for the collection, management, and analysis of flow telemetry and aggregates flows at the Management Console. The Flow Rate License also defines the volume of flows that may be collected and is licensed on the basis of flows per second (fps). Licenses may be combined in any permutation to achieve the desired level of flow capacity.

Flow Collector

The Flow Collector leverages enterprise telemetry such as NetFlow, IPFIX and other types of flow data from existing infrastructure such as routers, switches, firewalls, endpoints and other network infrastructure devices. The Flow Collector can also receive and collect telemetry from proxy data sources, which can be analyzed by Global Threat Analytics (formerly Cognitive Threat Analytics), the multilayered machine learning engine, for deep visibility into both web and network traffic. In addition, Stealthwatch Enterprise can use Encrypted Traffic Analytics to pinpoint malicious patterns in encrypted traffic, without decrypting it, to identify threats and accelerate response. Although this feature is built into the system at no extra cost, it must be enabled upon deployment.

The telemetry data is analyzed to provide a complete picture of network activity. Months or even years of data can be stored, creating an audit trail that can be used to improve forensic investigations and compliance initiatives. The volume of telemetry collected from the network is determined by the capacity of the deployed Flow Collectors. Multiple Flow Collectors may be installed. Flow Collectors are available as hardware appliances or as virtual machines. Table 1 outlines the Flow Collector's benefits.

Table 1.       Major Benefits of the Flow Collector

Threat detection: Ingests proxy records and associates them with flow records, delivering the user, application and URL information for each flow, to increase contextual awareness. This process enhances your organization's ability to pinpoint threats and shortens your Mean Time To Know (MTTK).

Flow-traffic monitoring: Monitors flow traffic across hundreds of network segments simultaneously, so you can spot suspicious network behavior. This capability is especially valuable at the enterprise level.

Extended data retention: Allows organizations and agencies to retain large amounts of data for long periods.

Scalability: Performs well in extremely high-speed environments and can protect every part of the network that is IP reachable, regardless of size.

Deduplication and stitching: Performs deduplication so that any flows that might have traversed more than one router are counted only once. It then stitches the flow information together for full visibility of a network transaction.

Choice of delivery methods: You can order the Appliance Edition, a scalable device suitable for any size organization. Or you can order the Virtual Edition, designed to perform the same functions as the Appliance Edition, but in a VMware environment. This solution scales dynamically according to the resources allocated to it.

* The maximum number of flows per second can change, depending on network conditions.
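To make the deduplication and stitching row concrete, here is an added, simplified model of that step (example code, not Cisco's implementation): unidirectional NetFlow-style records from two routers on the same path are collapsed to one copy each, then paired into bidirectional conversations. The record layout, the exporter names and the "higher port is the client" heuristic are assumptions for the example.

```python
# Constructed sample of unidirectional NetFlow-style records:
# (exporter, src, sport, dst, dport, proto, start, end, pkts, bytes)
SAMPLE_FLOWS = [
    # One HTTPS transaction seen by two routers on the same path (r1, r2),
    # so each direction is exported twice.
    ("r1", "10.1.1.5", 51234, "10.2.2.8", 443, 6, 100, 104, 12, 1800),
    ("r2", "10.1.1.5", 51234, "10.2.2.8", 443, 6, 100, 104, 12, 1800),
    ("r1", "10.2.2.8", 443, "10.1.1.5", 51234, 6, 100, 104, 10, 9500),
    ("r2", "10.2.2.8", 443, "10.1.1.5", 51234, 6, 100, 104, 10, 9500),
    # A DNS query seen by one router only, with no reply observed.
    ("r1", "10.1.1.9", 40000, "10.3.3.3", 53, 17, 200, 200, 1, 70),
]


def deduplicate(flows):
    """Keep one record per (5-tuple, start time), whichever exporter sent it.

    Routers on the same path report the same packets; counting every copy
    would inflate byte and packet totals and skew the behavioral baselines."""
    seen = {}
    for rec in flows:
        _exp, src, sport, dst, dport, proto, start, _end, _pkts, _bytes = rec
        seen.setdefault((src, sport, dst, dport, proto, start), rec)
    return list(seen.values())


def stitch(flows):
    """Fold unidirectional records into bidirectional conversations.

    Heuristic assumed here: the endpoint with the higher (ephemeral) port is
    the client; a real collector would also use TCP flags and first-seen order."""
    convs = {}
    for _exp, src, sport, dst, dport, proto, start, end, pkts, nbytes in flows:
        if sport > dport:
            key, side = (src, sport, dst, dport, proto), "client"
        else:
            key, side = (dst, dport, src, sport, proto), "server"
        c = convs.setdefault(key, {"start": start, "end": end,
                                   "client_pkts": 0, "client_bytes": 0,
                                   "server_pkts": 0, "server_bytes": 0})
        c["start"], c["end"] = min(c["start"], start), max(c["end"], end)
        c[side + "_pkts"] += pkts
        c[side + "_bytes"] += nbytes
    return convs


def conversations(flows):
    """Deduplicate first, then stitch; skipping the first step doubles the totals."""
    return stitch(deduplicate(flows))
```

Running stitch() on the raw records instead of on the deduplicated ones reports 3600 client bytes for the HTTPS conversation instead of 1800, which is exactly the inflation the deduplication step exists to prevent.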

Flow Collector Specifications

   Stealthwatch Flow Collector 4200 - Part number: ST-FC4200-K9

   Stealthwatch Flow Collector 5200 - Part number: ST-FC5200-K9

   Stealthwatch Flow Collector Virtual Edition can be configured as either FCVE-1000, FCVE-2000, or FCVE-4000 - Part number: L-ST-FC-VE-K9

Note:    These specifications apply to the Stealthwatch system version 6.9.1 and newer

Management Console

The Stealthwatch Management Console aggregates, organizes, and presents analysis from up to 25 Flow Collectors, the Cisco Identity Services Engine, and other sources. It uses graphical representations of network traffic, identity information, customized summary reports, and integrated security and network intelligence for comprehensive analysis.

The capacity of the console determines the volume of telemetry data that can be analyzed and presented, as well as the number of Flow Collectors that can be deployed. The console is available as a hardware appliance or a virtual machine. Table 2 lists the benefits of the console.

Table 2.       Major Benefits of the Management Console

Real-time up-to-the-minute data: Delivers data flow for monitoring traffic across hundreds of network segments simultaneously, so you can spot suspicious network behavior. This capability is especially valuable at the enterprise level.

Capability to detect and prioritize security threats: Rapidly detects and prioritizes security threats, pinpoints network misuse and suboptimal performance, and manages event response across the enterprise, all from a single control center.

Management of appliances: Configures, coordinates, and manages Cisco Stealthwatch appliances, including the Flow Collector, Flow Sensor, and UDP Director.

Use of multiple types of flow data: Consumes multiple types of flow data, including NetFlow, Internet Protocol Flow Information Export (IPFIX), and sFlow. The result: cost-effective, behavior-based network protection.

Scalability: Supports even the largest of network demands. Performs well in extremely high-speed environments and can protect every part of the network that is IP reachable, regardless of size.

Audit trails for network transactions: Provides a full audit trail of all network transactions for more effective forensic investigations.

Real-time, customizable relational flow maps: Provides graphical views of the current state of the organization's traffic. Administrators can easily construct maps of their network based on any criteria, such as location, function, or virtual environment. By creating a connection between two groups of hosts, operators can quickly analyze the traffic traveling between them. Then, simply by selecting a data point in question, they can gain even deeper insight into what is happening at any point in time.

Flexible delivery options: You can order the Physical Appliance, a scalable device suitable for any size organization; or you can order the Virtual Edition, designed to perform the same functions as the appliance edition, but in a VMware environment.

Management Console Specifications

   Stealthwatch Management Console 2200 - Part number: ST-SMC2200-K9

   Stealthwatch Management Console Virtual Edition can be configured as either SMC VE or SMC VE 2000 - Part number: L-ST-SMC-VE-K9

Note:    These specifications apply to the Stealthwatch system version 6.9.1 and newer

Optional Components of the System

Flow Sensor

The Flow Sensor is an optional component of Stealthwatch Enterprise that produces telemetry for segments of the switching and routing infrastructure that can't generate NetFlow natively. It also provides visibility into application-layer data. In addition to all the telemetry collected by Stealthwatch, the Flow Sensor provides additional security context to enhance the Stealthwatch security analytics. Advanced behavioral modeling and cloud-based multilayered machine learning are applied to this dataset to detect advanced threats and perform faster investigations.

The Flow Sensor is installed on a mirroring port or network tap and generates telemetry based on the observed traffic. The volume of telemetry generated from the network is determined by the capacity of the deployed Flow Sensors. Multiple Flow Sensors may be installed. Flow Sensors are available as hardware appliances or as virtual appliances to monitor virtual machine environments. The Flow Sensor also works in environments where an overlay monitoring solution that supplies additional security context better fits the operations model of the IT organization.

Table 3 lists the major benefits of the Flow Sensor.

Table 3.       Major Benefits of the Flow Sensor

Layer 7 application visibility: Provides true Layer 7 application visibility by gathering application information along with ad-hoc on-demand packet capture (PCAP). This includes data features like RTT (Round Trip Time), SRT (Server Response Time) and retransmissions.

Packet-level performance and analysis: Provides true Layer 7 application visibility by gathering application information along with ad-hoc on-demand packet capture (PCAP). This includes data features like RTT (Round Trip Time), SRT (Server Response Time) and retransmissions.

Alerts on network anomalies: Additional telemetry from the Flow Sensor, such as URL information for web traffic and TCP flag detail, helps generate alarms with contextual intelligence so that security personnel can take quick action and mitigate damage.

Lower costs: Enhances operational efficiency and reduces costs by identifying and isolating the root cause of an issue or incident within seconds.

Choice of delivery methods: You can order the Appliance Edition, a scalable device suitable for any size organization. Or you can order the Virtual Edition, designed to perform the same function as the Appliance Edition, but in a VMware or KVM hypervisor environment.

* These numbers are generated in our test environments using average customer data.

Flow Sensor Specifications

   Stealthwatch Flow Sensor 1200 - Part number: ST-FS1200-K9

   Stealthwatch Flow Sensor 2200 - Part number: ST-FS2200-K9

   Stealthwatch Flow Sensor 3200 - Part number: ST-FS3200-K9

   Stealthwatch Flow Sensor 4200 - Part number: ST-FS4200-K9

   Stealthwatch Flow Sensor Virtual Edition - Part number: L-ST-FS-VE-K9

Note:    These specifications apply to Cisco Stealthwatch 6.9.1 and newer

UDP Director

The UDP Director simplifies the collection and distribution of network and security data across the enterprise. It helps reduce the processing load on network routers and switches by receiving essential network and security information from multiple locations and then forwarding it as a single data stream to one or more destinations.

Table 4 lists the major benefits of the UDP Director.

Table 4.       Major Benefits of the UDP Director

Reduces unplanned downtime and service disruption: UDP Director high availability is available on the UDP Director 2200 appliance.

Simplifies network security and monitoring: UDP Director aggregates and provides a single standardized destination for NetFlow, sFlow, syslog, and Simple Network Management Protocol (SNMP) information. UDP Director appliances can receive data from any connectionless UDP application, and then retransmit it to multiple destinations, duplicating the data if required.

Can direct UDP data from any source to any destination: Receives data from any connectionless UDP application, and then retransmits it to multiple destinations, duplicating the data if required.

Removes the need to reconfigure infrastructure: Directs point log data (NetFlow, sFlow, syslog, SNMP) to a single destination without the need to reconfigure the infrastructure when new tools are added or removed.

UDP Director Specifications

   Stealthwatch UDP Director 2200 - Part number: ST-UDP2200-K9

   Cisco Stealthwatch UDP Director Virtual Edition - Part number: L-ST-UDP-VE-K9

Ordering Information

The Cisco Stealthwatch System ordering guide will help you understand the system’s models, components, and licensing types. To place an order, contact your account representative.

Service and Support

A number of service programs are available for the Cisco Stealthwatch system. These services help you protect your network investment, optimize network operations, and prepare your network for new applications to extend network intelligence and the power of your business. For more information about Professional Services, see the Technical Support homepage.

Cisco Capital

Cisco Capital® financing can help you acquire the technology you need to achieve your objectives and stay competitive. We can help you reduce CapEx. Accelerate your growth. Optimize your investment dollars and ROI. Cisco Capital financing gives you flexibility in acquiring hardware, software, services, and complementary third-party equipment. And there’s just one predictable payment. Cisco Capital is available in more than 100 countries. Learn more.

For More Information

For more information about Cisco Stealthwatch, visit https://www.cisco.com/go/stealthwatch or contact your Cisco Security account representative to learn how your organization can gain visibility across your extended network by participating in a complimentary Stealthwatch Visibility Assessment.
