If someone were to ask you whether your network is secure, could you confidently say "yes"? Saying yes means you have a way to know whether there has been an APT (Advanced Persistent Threat) attack, whether attackers have stolen credentials and gained access, or even whether an employee is accessing critical data with malicious intent. Granted, being "secure" is by definition a point-in-time statement; what the question really asks is whether you can attest with reasonable certainty that no threats are lurking inside the network.
Many organizations lack the visibility and security analytics to know what is going on across their extended network. They don't know who is accessing servers, who is communicating with whom, and which hosts are on their network. And you can't detect what you can't see. To stay ahead of constantly evolving attacks, you need security that is constantly observing, always learning, can detect anomalies, and can tie them to critical threats with a high degree of confidence. That is the advantage of Cisco Stealthwatch Enterprise, which collects telemetry from every part of the network and applies advanced security analytics, powered by behavioral modeling and multilayered machine learning. Stealthwatch Enterprise is positioned to detect and respond to sophisticated attacks such as insider threats, and even threats hiding in encrypted traffic. As one of my colleagues says, "We're going to show you things you might not want to see."
Comprehensive visibility is definitely important, but security professionals can’t do much without context. Resource-strapped security teams are usually overwhelmed by the large number of alerts they receive on a typical day. According to the Cisco 2018 Annual Cybersecurity Report, 44% of alerts that an organization receives daily aren’t investigated. And of those that are, nearly half aren’t remediated.
Stealthwatch collects telemetry from across the extended network, including the data center, branch, endpoint and cloud. It then applies roughly 100 heuristics, called Security Events, to this data to detect anomalies. The anomalies are further analyzed by a combination of supervised and unsupervised machine learning techniques, and are correlated with attacks seen around the world using Global Threat Intelligence powered by Cisco Talos. The result is a high-fidelity detection that is also tied to a particular device on the network. You can not only see an alarm being triggered in the dashboard, but also investigate it by viewing where it originated, the traffic associated with it, and where else the threat has propagated within the network. You can then take mitigation steps appropriate to how your business environment is set up. This is how Stealthwatch reduces the noise and pinpoints critical threats, along with the information needed for faster investigation and remediation.
Attackers are constantly innovating to find new ways to compromise your digital business, favoring methods that require the least time and resources and generate the maximum return.
At the same time, we continue to strive to give you more visibility and better analytics for enhanced threat detection, investigation and response. And today, we are excited to announce the new features and enhancements in Stealthwatch Enterprise:
Updates to the web interface design and experience:
- Investigate incidents faster with optimized, more granular telemetry search and contextual results management – More search parameters, organized logically, enable granular investigations and return comprehensive results. Users can also filter search results in place, without running a new query, to narrow down an issue quickly. As you might know, Stealthwatch Enterprise is the only solution that can analyze encrypted traffic without decryption, using Encrypted Traffic Analytics. Now you can also perform advanced searches on encryption parameters such as the key exchange, cipher, key length, TLS/SSL version, and more, to help ensure cryptographic compliance (Figure 1).
Figure 1. Stealthwatch Enterprise is the only solution that uses the network to help ensure policy compliance without the need for additional tools
- Prioritize risks and respond to threats in real time with access to top security events – The new "Top Security Events" widget provides a quick view of the alarms triggered by a specific host, together with their details. With a single click, you can drill down into the telemetry associated with the security event. You can also visualize traffic destinations from specific host groups using the "Top Host Groups by Traffic" widget (Figure 2).
Figure 2. Top security events widget in host report
- Get deeper visibility into the traffic and application patterns within the digital business – Monitor traffic passing through all the exporters in the network and view their current and maximum utilization, bandwidth, speed, etc., using the Interface
- Better user experience through enhancements for more intuitive workflows
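The cryptographic-compliance search described above, and the "rule applied to telemetry, then attributed to a host" pattern behind Security Events, can be illustrated with a few lines of Python. This is an added example, not Stealthwatch code and not its actual policy engine: it applies a hypothetical crypto policy to constructed flow records that carry only the handshake metadata visible without decryption (negotiated version, key exchange, cipher, key length), filters them in place the way a search narrows results, and counts violations per source host so the finding is attached to a device. The `TlsFlow` fields, `POLICY` thresholds and sample addresses are all assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class TlsFlow:
    """Flow record with TLS handshake metadata (hypothetical schema for this example)."""
    src: str
    dst: str
    dst_port: int
    tls_version: str   # negotiated protocol version, e.g. "TLSv1.2"
    key_exchange: str  # key exchange from the negotiated suite, e.g. "ECDHE"
    cipher: str        # bulk cipher name, e.g. "AES-256-GCM"
    key_length: int    # bulk cipher key length in bits


# Constructed sample telemetry (documentation-range addresses, not real traffic).
FLOWS = [
    TlsFlow("10.1.1.10", "203.0.113.5", 443, "TLSv1.2", "ECDHE", "AES-128-GCM", 128),
    TlsFlow("10.1.1.10", "203.0.113.9", 443, "TLSv1.0", "RSA", "AES-128-CBC", 128),
    TlsFlow("10.1.1.23", "198.51.100.7", 8443, "TLSv1.2", "ECDHE", "AES-256-GCM", 256),
    TlsFlow("10.1.1.23", "198.51.100.8", 443, "TLSv1.1", "RSA", "RC4-128", 128),
    TlsFlow("10.1.1.23", "198.51.100.9", 443, "SSLv3", "RSA", "3DES-EDE-CBC", 168),
    TlsFlow("10.1.1.40", "203.0.113.5", 443, "TLSv1.3", "ECDHE", "AES-256-GCM", 256),
]

# Hypothetical policy: TLS 1.2+, forward-secret key exchange, no legacy ciphers, 128-bit keys.
POLICY = {
    "min_version": "TLSv1.2",
    "allowed_key_exchange": {"ECDHE", "DHE"},
    "banned_ciphers": {"RC4", "3DES", "DES", "NULL", "EXPORT"},
    "min_key_length": 128,
}

# Ordering of protocol versions so "below minimum" can be compared numerically.
VERSION_RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1.0": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}


def violations(flow, policy=POLICY):
    """Return the list of policy rules this flow breaks (empty list means compliant)."""
    reasons = []
    if VERSION_RANK.get(flow.tls_version, -1) < VERSION_RANK[policy["min_version"]]:
        reasons.append(f"version {flow.tls_version} below {policy['min_version']}")
    if flow.key_exchange not in policy["allowed_key_exchange"]:
        reasons.append(f"key exchange {flow.key_exchange} lacks forward secrecy")
    cipher_family = flow.cipher.split("-")[0]  # "RC4-128" -> "RC4", "3DES-EDE-CBC" -> "3DES"
    if cipher_family in policy["banned_ciphers"]:
        reasons.append(f"cipher {flow.cipher} is banned")
    if flow.key_length < policy["min_key_length"]:
        reasons.append(f"key length {flow.key_length} below {policy['min_key_length']}")
    return reasons


def search(flows, **filters):
    """Narrow an existing result set in place, e.g. search(FLOWS, src="10.1.1.23", dst_port=443)."""
    return [f for f in flows if all(getattr(f, name) == value for name, value in filters.items())]


def noncompliant(flows, policy=POLICY):
    """Pair every violating flow with the reasons it failed, for the investigation view."""
    return [(f, violations(f, policy)) for f in flows if violations(f, policy)]


def top_offenders(flows, policy=POLICY):
    """Attribute violations to a source host, most violations first (the 'top events' view)."""
    return Counter(f.src for f, _ in noncompliant(flows, policy)).most_common()


if __name__ == "__main__":
    for flow, reasons in noncompliant(FLOWS):
        print(f"{flow.src} -> {flow.dst}:{flow.dst_port}: {'; '.join(reasons)}")
    print("per-host violation counts:", top_offenders(FLOWS))
```

One caveat a practitioner should keep in mind: with TLS 1.3 the negotiated version lives in the `supported_versions` extension rather than the record-layer version field, and the cipher suite no longer encodes the key exchange (it is always (EC)DHE), so any collector that feeds a check like this has to normalize those fields before the policy is applied.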
For more details on the web interface enhancements, watch this demo video:
Easily extend visibility to the cloud
Cisco Stealthwatch Cloud is a SaaS-based solution that provides visibility and threat detection in your Amazon Web Services (AWS), Google Cloud Platform, and Microsoft Azure environments. Now users can sign up for and perform public cloud monitoring with Stealthwatch Cloud from within Stealthwatch Enterprise, and the integration comes with a free, no-risk, 60-day trial (Figure 3).
Figure 3. Stealthwatch Cloud dashboard
Simplified management, with improved support and compliance
Stealthwatch Enterprise is a highly mature solution built to scale with your growing business. It is well integrated with other security products and supports compliance with major industry standards such as PCI and HIPAA. We are happy to announce that Stealthwatch Enterprise is now FIPS 140-2 certified; FIPS 140-2 is the U.S. federal standard for cryptographic modules and a key requirement for federal deployments. There are also enhancements that make it easier to update the product, along with added support for KVM hypervisor environments and load balancers.
Enhanced security analytics
Stealthwatch Enterprise is integrated with a cloud-based threat detection and analytics capability called Global Threat Analytics (formerly Cognitive Threat Analytics). It uses multilayered machine learning and global threat intelligence to detect advanced threats. Attacks are getting smarter, and security analytics techniques need to adapt to detect them. The cloud engine updates include improved classifiers that more effectively detect advanced threats such as Command and Control communication, Domain Generation Algorithm (DGA) and data tunneling, malicious Server Message Block (SMB) service discovery, and BitTorrent clients. Illicit cryptomining has emerged as a critical threat in which attackers exploit victims' computational resources for mining without their consent or knowledge. With new machine learning classifiers, Stealthwatch Enterprise can detect cryptomining activity whether it is purely browser-based or carried over encrypted connections.
And finally, we are excited to share that Encrypted Traffic Analytics has received the “Miercom Performance Verified” certification with astounding results!
For further details about these updates, please go here. Learn more about Stealthwatch Enterprise at https://cisco.com/go/stealthwatchenterprise and Stealthwatch Cloud at https://cisco.com/go/stealthwatch-cloud