Few things are as dynamic as cybersecurity. Modern networks have become increasingly sophisticated and complex. Today’s network extends to myriad devices fueled by a mobile workforce and more organizations are shifting workloads to the cloud as they move towards a more digitized future. A diversifying and expanding network has many advantages, but it also increases points of vulnerability, while simultaneously making it more difficult to see what’s happening across the network.

Security threats have also evolved rapidly in terms of scale and sophistication. Threats may come in the form of ransomware attacks or attackers might find their way into a network via credentials compromised during a successful phishing expedition. Regardless of the attack method, attackers are successfully penetrating your network, where they often persist for weeks or even years. Organizations need security practices that pinpoint advanced threats early in the attack lifecycle, before they are able to steal valuable assets and do lasting brand damage.

Completing the Modern Active Threat Detection Equation

Network Analysis and Visibility (NAV) is a critical aspect of any security program. With better insight into what people and devices are doing on the network, organizations can answer challenging security questions, specifically those related to data access and user behavior. Bottom line: if you want to get a better understanding of your digital business and how it behaves, you first need to acquire sufficient telemetry data. Fortunately, your network, including routers, switches, and firewalls, can provide the rich telemetry you need to obtain a better understanding of all of the activity that goes on across your network. However, effective NAV is just one part of the threat detection equation.

Once you have the telemetry, you need a scalable approach to detecting abnormal activity. Because attackers use multiple methods to expand their penetration of your network, you must employ multiple analytical techniques to detect these threat behaviors early and ensure that they are eradicated completely. This is the role of security analytics tools, which detect and identify behaviors that are indicative of malicious activity. They do this by integrating a variety of telemetry sources using techniques such as behavior modeling and machine learning. All this should be supplemented by global threat intelligence that is aware of malicious campaigns and maps the suspicious behavior to an identified threat for increased fidelity of detection.

Historically, active threat hunting inside the network was only affordable only by the largest organizations and even then, relatively simple algorithms generated the human effort intensive task of following up on many false positives. By utilizing the best of NAV and modern security analytics in tandem, all organizations can adopt an active threat detection practice that seeks out malicious behavior operating inside their perimeter, so security teams large and small can focus on critical threats, and take quick and effective action.

Security Analytics and Cisco Stealthwatch

However, not all security analytics tools are created equal. Cisco Stealthwatch collects and analyzes massive volumes of data giving even the largest, most complex networks comprehensive internal visibility and protection. It then employs three core analytics approaches that work together to catch threats at the earliest point in the attacker’s activities.

  • Using behavioral analytics, Stealthwatch closely monitors the activity of every device on the network and is able to create a baseline of normal behavior. Additionally, it also has a deep understanding of known bad behaviors and can apply close to 100 different security events or heuristics that look at various types of traffic behavior.
  • Stealthwatch also applies machine learning to hunt for advanced threats and potential malicious communications. Massive amounts of data are processed in near real time to discover critical incidents, which in turn, provides your SOC with clear courses of action to quickly remediate key threats and better avoid false alarms.
  • A global threat intelligence feed powered by Cisco Talos correlates suspicious activity in the local network environment with data on thousands of known command-and-control servers and campaigns to provide high-fidelity detection and faster threat response.

Effective active threat detection is not achieved by applying just one technique. By utilizing NAV tools alongside comprehensive network telemetry, behavioral modeling, machine learning, and top tier global threat intelligence, you can stop threats early and ensure the overall safety and security of your organization’s assets.

Join us to learn more

To learn more about the value of security analytics, join special guest Joseph Blankenship, Principal Analyst with Forrester, on January 22, 2019 for our webinar “Using Security Analytics for Active Threat Detection.” You will learn how you can best use security analytics to seek out malicious behaviors across your enterprise as well as how you can improve your security program with active threat detection.


“Using Security Analytics for Active Threat Detection”

Date / Time: Tuesday, January 22, 2019, 2 p.m. EST

Register now!



TK Keanini


Security Business Group