Cisco’s network is a massively complex environment that requires extensive monitoring and remediation. In today’s world of advanced threats and attacks, the company that possesses and positions its tools to preemptively identify and mitigate threats is the one left standing when the dust settles.

Cisco leverages its Computer Security Incident Response Team (CSIRT), a global organization comprised of information security professionals, to monitor, investigate, and respond to cyber security incidents 24×7. The Cisco CSIRT team forms part of the investigative branch of Cisco’s Information Security organization, protecting Cisco from security threats and the loss of its intellectual assets.

With a variety of security tools, CSIRT is able to detect and analyze malicious traffic throughout the network, including virus propagation, targeted attacks, and commonplace exploits. Because CSIRT continually identifies new security threats, the team needs some historical look-back at what occurred on the network. They also need a solution that can dissect the finer details of security incidents while facing the ever-present restrictions with data storage. StealthWatch, a NetFlow monitoring solution from Cisco partner Lancope, contains unique storage, interactivity, and parsing capabilities, to provide a more concise set of data for analysis.

Since integrating StealthWatch, we have realized impressive benefits with respect to network latency and intelligence. With the ability to store and analyze higher quantities of data, CSIRT has a better understanding of relevant activity on the network. However, the deployment and integration of StealthWatch presented several challenges. Because Cisco has a vast and diverse network with a range of activity, the out-of-the-box alarms available in StealthWatch required tuning. After collaboration with Lancope engineers, improved rules and exceptions now better align with Cisco’s business requirements.

The unique alerts inherent in this network security strategy have meant greater visibility into the network, allowing us to ask better questions:

  • What malicious activity is going on at this very moment?
  • Where exactly is it coming from?

It’s one thing to be able to identify a known threat, but it is a game changer when you can trace where the attacks are originating and accurately analyze the affected networks in real time.

Read a case study about the deployment here: http://www.cisco.com/en/US/solutions/collateral/ns340/ns1176/borderless-networks/Cisco_IT_Case_Study_CSIRT_Lancope_Stealthwatch.html


Paul Eckstein

Information Security Manager