The threat environment faced by organization deploying branch networks continues to evolve. It’s time for a disruptive approach to handling network security across many distributed branch sites. Automation is becoming a requirement, because the growing volume and complexity of the threats to data security have made it impossible to keep up with them manually. Cisco is addressing the complexity of network security with a new self-learning, router-based solution called the Stealthwatch Learning Network License. The Learning Network works within a Cisco router in order to discover and learn about your network and adapt as the network and evolving threats to the network are encountered.

Stealthwatch Learning Network License uses a wide range of machine learning algorithms on premise (router) to model normal behaviors and detect anomalies in the network. This application of machine learning represents a disruptive approach to several of the common problems of network security and anomaly detection. Unlike security mechanisms of the past, this approach requires no special configuration and programming of rules, access control lists, and signature libraries;   instead, the learning agent equipped router constantly learns about network behavior and traffic patterns and using advanced analytics identifies anomalous traffic. Furthermore novel and advanced techniques are used to dramatically reduce the identification of benign anomalies through a simple user feedback (Like/Dislike) mechanism, alleviating one of the main challenges with anomaly detection.  The Stealthwatch Learning Network License is capable of quickly learning the environment it is deployed in and identifying relevant anomalies with unprecedented precision.

This Learning Network is the only solution available that combines machine learning with network content analysis and packet-capture deployed in a router to automate branch traffic visibility, protection, and remediation. The Learning Network is software that is sold as a smart license to the Cisco Integrated Service Router (ISR) 4000 branch-office router. It adds an adaptive component to your security efforts, which are no longer dependent on looking for threats that are already known. Instead, the learning network focuses on the relevance of anomalies; and being able to quickly respond to today’s threat environment and Zero-Day Attacks.

Learning Network components are a learning manager and one or more router deployed learning agents deployed at the edge of then network. A Learning Agent is virtual machine deployed into a Linux Container running in memory on a Cisco ISR 4000 series router. These agents inspect traffic, build models, and report anomalies in real time to the centralized Learning Manager. You may deploy at most one agent per router, and up to 1000 agents that communicate with a single manager in your network. At launch the ISR 4451 and ISR 4431 routers are supported, with other platforms to be supported in a near future.

The view of a suspected anomaly from the learning manager
The view of a suspected anomaly from the Learning Manager

The Learning Agent equipped router enforces security in the branch network router, operating as close as possible to the devices that generate the anomalies that pose risk.   It does so by monitoring traffic within and in between branch sites and data resources across multiple access network types. It learns traffic patterns and adapts policies accordingly.

The Learning Agent uses NetFlow but also Deep Packet Inspection (DPI), and Network Based Application Recognition (NBAR); capabilities that are already in Cisco branch routers, to collect, correlate, and analyze security information to perform advanced anomaly and zero-day attack detection. There is a defined Flexible NetFlow record in the router setup that sends that data to the agent running in router memory.

Screen Shot 2016-07-22 at 4.48.20 PM

A key Learning Network differentiator is the solution’s ability to adapt; to identify brand-new anomalies and working with an operator do something about them on the spot by identifying the anomalous characteristics and creating and applying mitigations for situations as they arise. This level of automation is really needed because of how complex and voluminous traffic streams and flows are becoming.

Traditional anomaly and intrusion detection and prevention are strong at catching threats that are already known and identifiable. They’re less able to discover new risks because, they rely on what they’ve been programmed to know and not what they learn as events unfold.

Another advantage of the Learning Network over traditional security solutions is its level of precision. Historically, anomaly detection systems have been rated based on the number of potential security events they’re able to detect. Given that many of these events turn out to be non-risk based or irrelevant traditional systems require tuning or else generate large volumes of unnecessary alerts and activity.

Stealthwatch Learning Network focuses on keeping its identifications precise and only alerting and acting upon events that pose real threats as confirmed by an operator, with a simple Like/Dislike feedback, allowing the Learning Network to identify only relevant anomalies.

It’s important to note that the learning manager operates separately from the Cisco Prime network management application. As a result, it lets you separate your security operations from networking operations, which can come in handy, depending on how your organization is set up.

The Learning Network extends the capabilities of Cisco’s market leading Stealthwatch Network Anomaly Detection (NBAD) and Visibility solution and both can be deployed in the same ISR.

The Learning Network can integrate data from the Cisco Identity Services Engine or access to a Cisco Talos Threat intelligence feeds to provide an operator with additional information and more granular visibility.

The Stealthwatch Learning Network license turns your ISR routers into security devices.  Learning network is not dependent on constantly updating signatures or rules and lists. It learns what’s normal and what’s not by getting to know everyday traffic patterns. This gives you a much more dynamic, always up-to-date approach to branch-office security.



Brian Ford

Technical Marketing Engineer

Security Business Group