The Learning Network License system is a hyper-distributed analytics architecture that inspects your network traffic and applies machine learning algorithms to perform a behavioral analysis. As a result, the system can identify anomalous behavior, such as malware, distributed botnets, data exfiltration, and more.

You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real-time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.

You can also configure mitigations based on anomaly properties, such as hosts involved and application traffic transferred. These mitigations reduce or eliminate the impact of detected anomalies now and in the future. The combination of behavioral analysis, user feedback, and traffic mitigation customizes the system to address the threats specific to your network and better protect your users.

Figure 1 illustrates an example security deployment within an enterprise network.

Figure 1. Example Security Deployment

To install the Cisco Stealthwatch Learning Network License system, the organization deploys:

• an ESXi host running a controller in the network core

• a Cisco ISR running an agent in each branch, between the hosts and the internet

The organization also deploys an optional Cisco SNS-3415 to collect ISE user identity data. Though not required for Learning Network License, the user identity data provides additional context to anomalies.

Though a Learning Network License controller can manage up to 1000 agents, the diagram only shows a controller managing two agents.

Figure 1 illustrates the Learning Network License system, focusing on the interaction among Learning Network License components.

Figure 2. Example Learning Network License Deployment

Both agents transfer management traffic, including anomaly data, over a TCP connection to the controller. The controller transfers management traffic, including mitigations, back to the agents over the same connection.

The controller integrates with other systems. It consumes threat intelligence from Talos to better identify traffic anomalies and malicious behavior, as well as user identity information from ISE to provide details about hosts involved in anomalies.

The controller implements a northbound RESTful API for mitigations. Other authorized security appliances can use this API to take mitigation actions on traffic in the network.

It is not possible to accurately predict throughput and processing capacity for controller and agent virtual appliances. A number of factors heavily influence performance, such as the:

• amount of memory and CPU capacity of the ESXi host and router running the virtual service

• number of total virtual machines running on the ESXi host and router

• number of sensing interfaces, network performance, and interface speed

• amount of resources assigned to each virtual machine

• level of activity of other virtual appliances sharing the ESXi host and router

• complexity of mitigation policies applied to an agent

Note

VMware provides a number of performance measurement and resource allocation tools. Use these tools on the ESXi host while you run your virtual appliance to monitor traffic and determine throughput. If the throughput is not satisfactory, adjust the resources assigned to the virtual appliances that share the ESXi host. You can enable VMware tools to improve the performance and management of your virtual appliances. Alternatively, you can install tools (such as esxtop or VMware/third-part add-ons) on the host or in the virtualization management layer (not the guest layer) on the ESXi host to examine virtual performance.

Management traffic sent from the agent to the controller includes health checks and anomaly data. The bandwidth required varies based on multiple factors, including the nature of your network traffic and how the system learns and prioritizes detected anomalies. However, the system rate-limits the total amount of anomaly data sent by an agent per day, ensuring that they do not overwhelm your network by sending extraneous anomalies. The agent only reports anomalies of interest, based on user feedback and the machine learning algorithms.

Encrypted management traffic sent from the controller to the agent includes:

• health check requests

• mitigations

• requests for anomaly-related PCAP files if packet buffer capture (PBC) is enabled

• startup files when managed agents restart and do not have certain local files

Each mitigation is relatively small, measured in kilobytes.

• Fine-tune your configuration, inspect anomalies, and mitigate anomalous traffic, as described in Next Steps.

• Optionally, enable audit and event logging on the controller. See Logging Configuration Overview for more information.

• Optionally, integrate your deployment with ISE by configuring pxGrid. See Integrating pxGrid for more information.

• Optionally, configure a pxGrid integration demo to populate anomalies with sample user identity data. You do not need to have ISE deployed to your environment for the pxGrid integration demo. See ISE pxGrid Demo for more information.