The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Cisco Secure Network Analytics
This document describes the information for Cisco Secure Network Analytics (formerly Stealthwatch Enterprise). The Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud) datasheet can be reviewed here.
For more detailed information, go to: https://cs.co/sna.
Cisco Secure Network Analytics provides enterprise-wide network visibility to detect and respond to threats in real- time. The solution continuously analyzes network activities to create a baseline of normal network behavior. It then uses this baseline, along with non–signature-based advanced analytics that include behavioral modeling and machine learning algorithms, as well as global threat intelligence to identify anomalies and detect and respond to threats in real- time. Secure Network Analytics can quickly and with high confidence detect threats such as Command-and-Control (C&C) attacks, ransomware, Distributed-Denial-of-Service (DDoS) attacks, illicit cryptomining, unknown malware, and insider threats. With an agentless solution, you get comprehensive threat monitoring across the entire network traffic, even if it’s encrypted.
Organizations have already invested a lot into their IT infrastructure and security. Yet, threats continue to find ways to get through. Moreover, it often takes months or even years to detect breaches. This lack of visibility is a function of continuously growing network complexity and constantly evolving threats. Security teams with limited resources and disjointed tools can only do so much. Practically all organizations have security solutions, such as firewalls, but how do they know whether these tools are working, managed, and configured correctly? How do they know that these tools are doing the job that they need them to do?
We decided to turn the problem on its head—why not enlist your existing investment, the network, to secure your organization? The network telemetry is a rich data source that can provide valuable insights about who is connecting to the organization and what they are up to. Everything touches the network, so this visibility extends from the HQ to the branch, data center, roaming users, smart devices extending to private and public clouds. Analyzing this data can help detect threats that may have found a way to bypass your existing controls before they are able to have a major impact.
The solution is Secure Network Analytics, which enlists the network to provide end-to-end visibility of traffic, on- premises as well as in private and public clouds. This visibility includes knowing every host and seeing who is accessing which information at any given point. From there, it’s important to understand what is normal behavior for a particular user or “host” and establish a baseline from which you can be alerted to any change in the user’s behavior the instant it happens.
Secure Network Analytics offers two different deployment models — on-premises as a hardware appliance or as a virtual machine. Secure Cloud Analytics (formerly Stealthwatch Cloud) is the Software-as-a-Service (SaaS) version of Secure Network Analytics. In addition to monitoring the private network, Secure Cloud Analytics can also be deployed to detect threats and configuration issues in the public cloud.
Simply put, by providing the most comprehensive and context-rich network visibility, paired with time-tested and industry-leading security analytics, Secure Network Analytics delivers the broadest and most high-fidelity behavioral- based threat detection capabilities to dramatically improve:
● Unknown threat detection: Identify suspicious behavioral-based network activity that traditional signature- based tools miss, such as communications and malicious domains.
● Insider threat detection: Get alarmed on data hoarding, data exfiltration, and suspicious lateral movements.
● Encrypted malware detection: Leverage multilayered machine learning and extend visibility into encrypted web traffic without decryption.
● Policy violations: Ensure that security and compliance policies set in other tools are enforced.
● Incident response and forensics: Respond quickly and effectively with complete knowledge of threat activity, network audit trails for forensics, and integrations with SecureX and other Cisco Secure solutions.
Secure Network Analytics has made endpoint record telemetry data from the AnyConnect Network Visibility Module (NVM) a primary telemetry source. This enables users to capture a wide range of additional granular, endpoint-specific user and device context to effectively provide organizations with complete and continuous visibility into mobile remote worker endpoint activity, regardless of whether a user is using a single VPN session to work, optimizing their remote work experience using split tunneling or if they are disconnected from VPN entirely. This bolsters organizations’ security postures through visibility into activities that they were previously blind to, such as employees running older operating system versions with vulnerabilities that need patching, employees engaged in data hoarding or data exfiltration, and more.
Users can leverage Cisco Secure Network Analytics’ integration with Cisco Identity Services Engine to accelerate their group-based policy adoption efforts by generating group-based policy reports that provide new ways to visualize group communications. Group-based policy reports enable users to effortlessly visualize, analyze, and drill down into any inter-group communication, validate the efficacy of policies, adopt the right policies based on their environment’s needs, and streamline their policy violation investigations via insights into relevant flows and associated IPs. To learn more, reference the At-a-Glance.
The rapid rise in encrypted traffic is changing the threat landscape. While encryption is excellent for data privacy and security, it has also become an opportunity for cybercriminals to conceal malware and evade detection. Today, roughly 95% of all web traffic is encrypted, and over 70% of attacks are expected to use encryption. Traditional threat inspection with bulk decryption, analysis, and re-encryption is not always practical or feasible for performance and resource reasons. Also, it compromises privacy and data integrity. With its expertise in the network infrastructure market, Cisco has introduced a revolutionary technology to analyze encrypted traffic without any decryption. This allows organizations to 1) detect threats in encrypted traffic and 2) ensure cryptographic compliance. To learn more, go to: https://www.cisco.com/go/eta.
● No more blind spots: Secure Network Analytics is the only security analytics solution that can provide comprehensive visibility across the private network and into the public cloud without deploying sensors everywhere. It is also the first solution to detect malware in encrypted traffic without any decryption.
● Focus on incidents, not noise: By using the power of behavioral modeling, multilayered machine learning, and global threat intelligence, Secure Network Analytics significantly reduces false positives and alarms on critical threats affecting your environment.
● Catch them in the act: Secure Network Analytics constantly monitors the network to detect advanced threats in real-time. Stealthy attacks are commonly preceded by activities such as port scanning, constant pinging, and reconnaissance tactics. The solution recognizes these early warning signs and alarms on them to stop attackers early on. Once threats are identified, users can also conduct forensic investigations to pinpoint their source and determine where else it may have propagated.
● Make the most of your investment: With an agentless solution, you are using the rich telemetry generated by your existing network infrastructure to improve your security posture.
● Scale security with business growth: Now there’s no need to compromise on security as the business needs to change. Whether you are adding a new branch or a data center, moving workloads to the cloud, or simply adding more devices, any Secure Network Analytics deployment can easily provide coverage by scaling to the needs of your network. It can be deployed on-premises or in the cloud, can be consumed as a SaaS-based or license-based solution, and provides automatic role classification capabilities to automatically classify new devices as they are added to the network.
● Integrate your security ecosystem with SecureX: The solution comes with the SecureX platform built-in to offer extended threat investigation and response capabilities. Secure Network Analytics integrates with SecureX to unify visibility, simplify threat response and enable automation across every threat vector and access point.
At the core of Secure Network Analytics are the required components: the Manager, Flow Collector, and Flow Rate License. In addition, we offer optional components like the Flow Sensor, the Cisco Telemetry Broker and the Data Store, which are also available to provide a flexible and robust architecture.
Required components of the system
The Secure Network Analytics Manager aggregates, organizes, and presents analyses from up to 25 Flow Collectors, Cisco Secure Network Access (formerly Cisco Identity Services Engine), and other sources. It uses graphical representations of network traffic, identity information, customized summary reports, and integrated security and network intelligence for comprehensive analysis.
The capacity of the manager determines the volume of telemetry data that can be analyzed and presented, as well as the number of Flow Collectors that are deployed. The manager is available as a hardware appliance or a virtual machine. Table 1 lists the benefits of the manager.
Table 1. Major benefits of the Manager
| Benefit |
Description |
| Real-time, up-to-the- minute data |
Delivers data flow for monitoring traffic across hundreds of network segments simultaneously so that you can spot suspicious network behavior. This capability is especially valuable at the enterprise level. |
| Capability to detect and prioritize security threats |
Rapidly detects and prioritizes security threats, pinpoints network misuse and suboptimal performance, and manages event response across the enterprise, all from a single control center. |
| Management of appliances |
Configures, coordinates, and manages Cisco Network Analytics appliances, including the Flow Collector, Flow Sensor, and UDP Director. |
| Use of multiple types of flow data |
Consumes multiple types of flow data, including NetFlow, IPFIX, and sFlow. The result: cost-effective, behavior-based network protection. |
| Scalability |
Supports even the largest of network demands. Performs well in extremely high-speed environments and can protect every part of the network that is IP reachable, regardless of size. |
| Audit trails for network transactions |
Provides a complete audit trail of all network transactions for more effective forensic investigations. |
| Real-time, customizable relational flow maps |
Provides graphical views of the current state of the organization’s traffic. Administrators can easily construct maps of their network based on any criteria, such as location, function, or virtual environment. By creating a connection between two groups of hosts, operators can quickly analyze the traffic traveling between them. Then, simply by selecting a data point in question, they can gain even deeper insight into what is happening at any point in time. |
| Flexible delivery options |
You can order the Physical Appliance, a scalable device suitable for any size organization. Or you can order the Virtual Edition, designed to perform the same functions as the appliance edition, but in a VMware or KVM Hypervisor environment. |
● Secure Network Analytics Manager 2210 — Part number: ST-SMC2210-K9
● Secure Network Analytics Manager 2300 — Part number: ST-SMC2300-K9
● Secure Network Analytics Manager Virtual Edition — Part number: L-ST-SMC-VE-K9
The Flow Collector collects and stores enterprise telemetry types such as NetFlow, IPFIX (Internet Protocol Flow Information Export), NVM, and SYSLOG from existing infrastructure such as routers, switches, firewalls, endpoints, and other network infrastructure devices. The Flow Collector can also collect telemetry from proxy data sources, which can be analyzed by the cloud-based machine learning engine (global threat alerts).
The telemetry data is analyzed to provide a complete picture of network activity. Months or even years of data can be stored, creating an audit trail that can be used to improve forensic investigations and compliance initiatives. The volume of telemetry that can be collected from the network is determined by the total combined capacity of the deployed Flow Collectors. Multiple Flow Collectors can be installed. Flow Collectors are available as hardware appliances or as virtual machines. Table 2 outlines Flow Collector’s benefits.
Table 2. Major benefits of the Flow Collector
| Benefit |
Description |
| Threat detection |
Ingests proxy records and associates them with flow records to deliver the user application and URL information for each flow to increase contextual awareness. This process enhances your organization’s ability to pinpoint threats and shortens your Mean Time to Know (MTTK). |
| Flow traffic monitoring |
Monitors flow traffic across hundreds of network segments simultaneously so that you can spot suspicious network behavior. This capability is especially valuable at the enterprise level. |
| Extended data retention |
Allows organizations and agencies to retain large amounts of data for long periods. |
| Scalability |
Performs well in extremely high-speed environments and can protect every part of the network that is IP reachable, regardless of size. |
| Deduplication and stitching |
Performs deduplication so that any flows that might have traversed more than one router are counted only once. It then stitches the flow information together for complete visibility of a network transaction. |
| Choice of delivery methods |
You can order the Appliance Edition, a scalable device suitable for any size organization. Or you can order the Virtual Edition, designed to perform the same functions as the appliance edition, but in a VMware or KVM Hypervisor environment. This solution scales dynamically according to the resources allocated to it. |
● Secure Network Analytics Flow Collector 4210 — Part number: ST-FC4210-K9
● Secure Network Analytics Flow Collector 5210 — Part number: ST-FC5210-K9
● Secure Network Analytics Flow Collector 4300 — Part number: ST-FC4300-K9
● Secure Network Analytics Flow Collector Virtual Edition — Part number: L-ST-FC-VE-K9
The Data Store provides a solution for environments requiring high data ingest capacity levels or long-term retention times that exceed the capacity of one or more Flow Collectors. The Data Store cluster can be added between the Secure Network Analytics Manager and Flow Collectors. For these larger and more extensive networks, one or more Flow Collectors ingest and de-duplicate flow data, perform analyses, and then send the flow data and its results directly to the Data Store. This flow data is then distributed equally across a Data Store, which is comprised of a minimum of three Data Node appliances. The Data Store facilitates flow data storage and keeps all your network telemetry in one centralized location, as opposed to having it spread across multiple Flow Collectors in a distributed model. This new centralized model offers greater storage capacity, flow rate ingestion, and increased resiliency versus the distributed model.
Table 3. Major benefits of the Data Store
| Benefit |
Description |
| Increases data ingest capacity |
Data Stores can be combined to create a single cluster of data nodes capable of monitoring over 3 million flows per second (FPS) to aid in relieving ingestion bandwidth challenges for organizations with high flow volumes. |
| Enterprise-class data resiliency |
Telemetry data is stored redundantly across nodes to allow for seamless data availability during single node failures, helping to ensure against the loss of telemetry data. Deployments with two Data Stores or more can support up to 50% of data node loss and continue to operate.* The Data Store also supports redundant interconnection switches to remain fully operational during network upgrades and unplanned outages. *Depending on your hardware configuration and installation. |
| Significant query and reporting response time improvements |
The Data Store provides drastically improved query performance and reporting response times that are at least 10x faster than those offered by other standard deployment models. It can also perform an increased number of concurrent queries, whether through APIs or the Secure Network Analytics Manager web UI. These query improvements stand to deliver substantial operational efficiency gains. Through the ability to run reports and get answers more quickly, the Data Store enables practitioners to pinpoint and respond to threats more quickly to expedite triage, investigation, and remediation workflows. |
| Storage scalability |
The Data Store offers organizations with growing networks enhanced flexibility around data storage scalability through the ability to add additional database clusters. |
| Long-term data retention |
Scalable and long-term telemetry storage capabilities enable long-term flow retention of up to 1 to 2 years’ worth of data with no need to add additional Flow Collectors. This aids in satisfying regulatory requirements and reducing costs and complexity associated with purchasing and integrating third-party storage solutions or extra Flow Collectors. |
● Cisco Secure Network Analytics Data Store 6200 — Part number: ST-DS6200-K9
● Cisco Secure Network Analytics Data Store 6300 — Part number: ST-DN6300-K9
● Cisco Secure Network Analytics Virtual Data Store — Part number: L-ST-DS-VE-K9
To learn more, reference the Secure Network Analytics Data Store Solution Overview