CLUS17: Security Monitoring with StealthWatch – A quick Overview and Thoughts

My Cisco live experience was focused on 80% Security and 20% Collaboration. One of the sessions I assisted last week was the one related to StealthWatch and Security Monitoring, an interesting new topic for me and one that opens my brain for more questions.

The Security portfolio from Cisco is still huge for me, but I remember saying that when I was starting on my CCIE Collaboration journey a few years back. Remember the Before During and After Attack continuum from Cisco? – Yes, I remember and made my mission to know how all the pieces fit together.


As you may notice, from the previous image, StealthWatch is part of the After phase of the Attack continuum, this is one of the tools you use to analyze traffic patterns, assess the damage and take decisions based on your findings.

I remember saying the other day when sharing with a college that StealthWatch is not more than a Netflow Collector on steroids or something like a very advanced Wireshark application. I may be a bit short with the descriptions because I’m very fresh on the Cisco Security world.

The Session

Where to find this session:
Security Monitoring with StealthWatch
Keep on monitoring this page to find the presentation and the video, for sure better quality than what I write on my blog, the speaker keeps you engaged all the way to the end of the presentation.

Right to the Point

Let’s be honest, my previous minimalistic comparison earlier is not really true, this product is an engine that if well used could be very powerful. So going minimalistic again, it is a great collection engine, which uses correlation or a nice interpretation of what is going on the Network Infrastructure. Remember this, Data, Big Data, analytics, are you familiar with that? – well, that is what this engine does best. And don’t forget that backstage you have the Smart guys from Cisco Talos, providing Global intelligence for StealthWatch traffic collection.

What you need to run StealthWatch in your Network?

First think of a couple of Virtual Machines for a minimum installation, at this point I’m still a bit confused, I remember that from the Spark room assigned to this session the Speaker mentioned the following:
At a minimum, 2 Separate VMS

– Flow Collector
– Management Console

From the Data Sheet shared by the Speaker, this time by his name, Mattew Robertson, I found that there are a few more component, I also noticed that from the session (I was paying attention!), but got a bit confused with the

– Flow Sensor
– UDP Detector

The following image left me with more question than answers when I got back to find out more about it.

the reality is that there are a couple of ingredients (VMS or Licenses?) that are missing from the Data Sheet

– Endpoint License Concentrator – Extends visibility to public, private, and hybrid cloud environments
– Cloud License Concentrator – Extends visibility to the endpoint
Learning Network License – Improves protection against branch threats
– Cisco Stealthwatch Proxy License: Extends visibility to proxy servers

Feeling dizzy yet? – well, you should

… My opinion is that the product catalog should be easier to digest, for clients and Integrators, but that is just my opinion.

Data Analysis with StealthWatch

The major components help to the determine the following:

– Discover
– Identify (IOCs) **I feel a bit smarter by knowing what it means
– Understand IOCs better


More information, New information or Enhancements to compete with other players already doing this 🙂

Netflow can now provide Encrypted Traffic Analysis –> And it has new Netflow fields Sequence of Packet Lengths and Times (SPLT), Initial Data Packet (IDP)

Host Groups, Integration with ISE, PxGrid and many more goodies were presented as part of this session. I also found that StealthWatch makes use of a Java Client and a Web Client, which intends to replace the Java client.

The Host Group Automation concepts seem to be cool and very useful, take a look at it here:
Host Group Automation

What to look forward to?

This post is not intended to be Punny or anything like it, but to help generate fundamental questions that may arise when asking yourself: is this the right solution? – How about a more simple solution, if any.
I’m looking forward to stopping writing and soon begin “labing” to give you a more deep opinion.

About the Author:

Andres Sarmiento, CCIE # 53520 (Collaboration)
With more than 13 years of experience, Andres is specialized in the Unified Communications and Collaboration technologies. Consulted for several companies in South Florida, also Financial Institutions on behalf of Cisco Systems. Andres has been involved in high-profile implementations including Cisco technologies; such as Data Center, UC & Collaboration, Contact Center Express, Routing & Switching, Security and Hosted IPT Service provider infrastructures.

You can follow Andres using Twitter, LinkedIn or Facebook

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top