
Learn how Cisco Stealthwatch Enterprise compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch Enterprise can detect and respond to advanced threats in real time using machine learning and entity modeling.

Products compared: Cisco Stealthwatch Enterprise, Darktrace, and Plixer. Ratings (Limited, Not applicable, Unknown, See note) appear in parentheses after the product name.

Detection

Malware analysis and detection in encrypted traffic
  Stealthwatch Enterprise: Uses Encrypted Traffic Analytics
  Darktrace: (no entry)
  Plixer: (no entry)

Data hoarding detection
  Stealthwatch Enterprise: Events accumulate in the Data Hoarding Index, which is metered either by an absolute limit or by learned behavior of the host or groups.
  Darktrace or Plixer (Limited; column not identified on the page): Can detect an anomaly but not a specific data hoarding event

Lateral movement detection
  Stealthwatch Enterprise: Provides worm detection and visual tracking of malware across the network
  Darktrace or Plixer (Limited; column not identified on the page): May detect an anomaly but has no published ability to specifically call out lateral movement

Complete network audit trail
  Stealthwatch Enterprise: Can log every conversation on the network using Flow Collectors and Flow Sensors
  Darktrace (Limited): Uses sensors only, so is likely to miss some traffic
  Plixer: Flow traffic stored on box

Reconnaissance detection
  Stealthwatch Enterprise: Can detect fast and slow scanning using a unique algorithm that is highly sensitive to very low scan-rate events
  Darktrace (Limited): Can detect reconnaissance, but not likely to be as sensitive as Stealthwatch Enterprise's unique scan algorithm
  Plixer: With optional Flow Analytics

Machine learning
  Stealthwatch Enterprise: Uses multilayer machine learning to provide high-fidelity detection
  Darktrace: (no entry)
  Plixer (Limited): Has limited baselining capabilities based on broad traffic counts

Exfiltration detection
  Stealthwatch Enterprise: Generates a "suspect data loss" alarm for hosts exfiltrating more data (including encrypted data) than normal
  Darktrace (Limited): Uses only sensors rather than telemetry from network hardware, and detection is limited to sensor-placement locations
  Plixer: (no entry)

Command-and-control detection
  Stealthwatch Enterprise: Can detect multiple security events using analytics and threat intelligence to detect C&C peers
  Darktrace (Limited): Uses only sensors rather than telemetry from the network, and detection is limited to sensor-placement locations
  Plixer (Limited): No specific algorithms for C&C

Anomaly detection
  Stealthwatch Enterprise: Has a mature and proven anomaly detection system with more than 150 algorithms
  Darktrace (Limited): Uses only sensors rather than telemetry from the network, and detection is limited to sensor-placement locations
  Plixer (Limited): With optional Flow Analytics

Malware detection
  Stealthwatch Enterprise: Can provide zero-day exploit detection
  Darktrace (Limited): Uses only sensors rather than telemetry from the network, and detection is limited to sensor-placement locations
  Plixer (Limited): With optional Flow Analytics

Deployment

Scalability
  Stealthwatch Enterprise: Can scale to 6 million flows per second, handle 100 Mbps to 10 Gbps interface connections and spikes in traffic above rated levels, and can collect telemetry from thousands of sensors
  Darktrace (Limited): Uses only sensors rather than telemetry from the network
  Plixer (Limited): Significant configuration and customization is required to support consolidated reporting and flow maps across multiple Plixer collectors.

Data storage
  Stealthwatch Enterprise: On average, the system can store 30-45 days' worth of flow data, and often much more, for deeper forensic investigation.
  Darktrace or Plixer (Limited; column not identified on the page): No reported data to confirm storage capabilities

Zero-day exploit detection
  Stealthwatch Enterprise: Can detect new or unique malware for which signatures do not yet exist, using a behavioral method with more than 90 parameters
  Darktrace: Uses only sensors rather than telemetry from the network, and detection is limited to sensor-placement locations
  Plixer (Limited): Has limited baselining capabilities based on broad traffic counts

Data compression
  Stealthwatch Enterprise: As flows are received by the collector, they are synthesized into bidirectional, memory-resident flows. This reduces false positives and allows efficient data storage and accurate host-level reporting.
  Darktrace (Not applicable): Uses only sensors rather than telemetry from the network.
  Plixer (Limited): Some information is discarded

Deployment model
  Stealthwatch Enterprise (See note): Does not require deployment of sensors or expensive probes. Telemetry can simply be turned on from network devices to analyze the network traffic.
  Darktrace (See note): Customers must purchase sensors and choose links to monitor rather than simply enabling telemetry from network devices and getting all conversations; the model is expensive and difficult to scale.
  Plixer (See note): Can consume most flow-based telemetry sources

Endpoint visibility
  Stealthwatch Enterprise: With Cisco AnyConnect 4.2 and later, the Endpoint Data License collects endpoint telemetry using the Cisco Network Visibility Flow (nvzFlow) protocol.
  Darktrace or Plixer (column not identified on the page): Lacks features such as enable password, configuration presets for NAD types, and TACACS+ proxy

Cloud visibility
  Stealthwatch Enterprise: Can monitor the public cloud through the SaaS-based Stealthwatch Cloud solution
  Darktrace (Limited): Uses sensors to monitor the private cloud network and a Cloud Connector for particular apps
  Plixer (Limited): Consumes Amazon AWS logs, which are similar to flows and include permit and deny actions

Data export
  Stealthwatch Enterprise (See note): Has integrations with security information systems and offers APIs for custom integration; also supports SOAP and REST APIs
  Darktrace (See note): Has a Splunk connector that takes JSON syslog input from a Darktrace appliance and displays security incidents in Splunk; also links them to reports on the Darktrace Threat Visualizer
  Plixer (See note): Supports REST API and log outputs

Alarm notifications
  Stealthwatch Enterprise (See note): Provides email or syslog export to the SIEM system, Netcool, Remedy ticketing system, etc., with email, SNMP, and syslog notifications
  Darktrace (See note): Provides formatted syslog output
  Plixer (See note): Provides outbound logging and alerting

Investigation

Full-scope investigative workflows
  Stealthwatch Enterprise: Can investigate long-running security events. Generates context-based and custom alarms, ties username to IP address, monitors interface use, performs deep packet inspection, and logs every network conversation.
  Darktrace (Limited): Classifies the threat it detects and visualizes it on the Threat Visualizer interface
  Plixer (Limited): Lacks customizable interfaces, rapid historical trending, automated remediation capabilities, and root cause analysis tools

Effectiveness for enterprise customers
  Stealthwatch Enterprise: Simplifies segmentation by logical host-group modeling to organize users by location, IP address, function, etc.; provides customized notification details and formats with alarm acknowledgment
  Darktrace (Limited): Uses only sensors rather than telemetry from the network, so scaling to enterprises is difficult
  Plixer (Limited): Significant configuration and customization is required to support consolidated reporting and flow maps across multiple Plixer collectors.

Flexible query and filtering system
  Stealthwatch Enterprise: Can query on all captured fields. Advanced search is available for encrypted traffic on encryption key exchange, encryption algorithm, key length, TLS/SSL version, etc.
  Darktrace (Not applicable): No comparison information available in published materials
  Plixer (Limited): Lacks customizable interfaces, rapid historical trending, automated remediation capabilities, and root cause analysis tools.

Cyberthreats dashboard
  Stealthwatch Enterprise (See note): Provides pertinent information for SecOps personnel, such as which indexes are populated with alerts, which alarms are active, which hosts have the most alarms associated with them, etc. Also provides the ability to obtain more details and associated telemetry.
  Darktrace (See note): Primarily a security tool, and the workspace is focused on SecOps
  Plixer (See note): Dashboard-based for security and network monitoring

Visualization and mapping
  Stealthwatch Enterprise (See note): Generates automatic maps such as worm propagation paths and custom relationship maps, allowing the visualization of any set of hosts and how they communicate with any other set
  Darktrace (See note): Heavily graphics oriented
  Plixer (See note): Simple graphs and charts

Incident investigation
  Stealthwatch Enterprise (See note): The UI is organized around persona-based workflows, leading administrators immediately to the root causes and supporting information.
  Darktrace (See note): Has a Threat Visualizer that enables visibility and the handling of threats
  Plixer (See note): Investigative workflows are provided.

Context

Contextual data richness
  Stealthwatch Enterprise: Integrated with Cisco Identity Services Engine (ISE). Enables host information look-up such as user ID, MAC address, device type, and switch port information; does not require a separate query to look up the associated user because user ID can be written
  Darktrace (Limited): Integrated with Active Directory for user data
  Plixer (Limited): Offers sensors focused on a variety of data, including app performance and DNS deep dives

Identity data
  Stealthwatch Enterprise: Integrated with Cisco ISE, Cisco ASA products (NSEL), DHCP/RADIUS servers, and Active Directory authentication servers for identity-to-telemetry correlation
  Darktrace (Limited): Integrated with Active Directory for user data
  Plixer (Limited): Integrated with Active Directory

Routing and switching vendor integration
  Stealthwatch Enterprise: Routers, switches, firewalls, and wireless controllers are the primary data source. Can natively parse many versions of telemetry and NetFlow from multiple vendors, such as IPFIX and sFlow, plus other Layer 7 protocols.
  Darktrace: Uses only sensors rather than telemetry from the network. Requires SPAN or TAP for each monitored link and is limited to what's on the link.
  Plixer: (no entry)

URL data capture
  Stealthwatch Enterprise (See note): Flow Sensors can extract URL data used by the Flow Collectors and Management Center. URL data can be queried based on operators. Also integrated with Cisco Security Packet Analyzer, which can download the exact datagrams that the flow represents in PCAP format.
  Darktrace (See note): Completely sensor-based and has visibility into packet data
  Plixer (See note): Can capture URL data using sensors

NetFlow generation for VMware environments
  Stealthwatch Enterprise: Uses the virtual switch NetFlow export feature or a virtual flow sensor
  Darktrace (Not applicable): Not applicable because it uses sensors to log traffic
  Plixer: Can consume NetFlow telemetry from VMware

Collection of application and L7 flow data
  Stealthwatch Enterprise: Maintains flow state (active, inactive, or ongoing); generates NetFlow based on SPAN port monitoring or TAPs; has proxy integration; provides application identity for multiple vendors such as Palo Alto Networks and L7 Defense; and uses NBAR and NBAR2 with the Flow Sensor
  Darktrace: Uses probes that parse this data directly from raw packets
  Plixer (Limited): Can receive firewall data, flow from a SPAN with a sensor, and app ID from a sensor or firewall. No NBAR support or proxy integration.

Full packet capture
  Stealthwatch Enterprise: Integrated with the Cisco Security Packet Analyzer, a tool installed on a SPAN or TAP that maintains a rolling buffer of datagrams on a segment and provides the ability to download the exact datagrams that the telemetry represents in PCAP format, and even the files contained within the PCAP. It can also launch the packet decoding instead of downloading another app.
  Darktrace (Unknown): No comparison information available in published materials
  Plixer: No ability for full packet capture

Encrypted traffic analysis
  Stealthwatch Enterprise: Uses Encrypted Traffic Analytics or enhanced telemetry from the Cisco network to detect malware and to help ensure crypto compliance. Stealthwatch analyzes encrypted traffic using advanced machine learning and global threat intelligence.
  Darktrace (Limited): Might be able to detect some anomalous behavior in encrypted traffic
  Plixer: No ability to analyze encrypted traffic

Enterprisewide reputation scoring
  Stealthwatch Enterprise: Creates index-based scoring for every host that tallies unusual activity by that host
  Darktrace (Unknown): Anomaly detection model might be using a global scoring mechanism
  Plixer: No concept of security indexes; triggers only raw alerts and alarms

Threat Intelligence

Threat intelligence feed
  Stealthwatch Enterprise: The Stealthwatch Threat Intelligence License and Global Risk Map, powered by Talos, is a threat feed from a number of sources, updated at least once an hour. It aims to provide a zero false-positive information set.
  Darktrace: A threat feed that has a list of known malicious sites is available.
  Plixer: None, although Plixer has a DNS-focused appliance for detecting DNS issues

Exploitation detection
  Stealthwatch Enterprise: Can detect insider threats like data exfiltration and command-and-control communications, plus long and slow attacks. Security events feed the indexes to trigger alarms by means of behavioral algorithms and absolute limits that can be set by the operator.
  Darktrace or Plixer (column not identified on the page): Detection of a number of exploits is called out, but the scope is unknown.

Threat intelligence sharing
  Stealthwatch Enterprise: Stealthwatch Threat Intelligence data is used by Cisco Talos, and vice versa. Cisco shares data with hundreds of partners, customers, and providers through the Aegis, Crete, and Aspis programs, and is a founding member of the Cyber Threat Alliance.
  Darktrace: (no entry)
  Plixer: (no entry)