Lancope stealthwatch

Had a nice meeting yesterday with Cisco and some guys from Lanecope. Must say that stealthwatch seems like a really great product. What their product does is that is collects all flows (and more). Sums it up so you can drill down via connections.

Basically it does something like this on your netflow data

    ~$ nfdump -R /var/cache/nfdump/data/asr0/nfcapd.201302281130:asr1/nfcapd.201302281133 -o long  'dst host 77.66.32.1'|head -10
    Date flow start          Duration Proto      Src IP Addr:Port          Dst IP Addr:Port   Flags Tos  Packets    Bytes Flows
    2013-02-28 11:29:58.616     0.000 TCP      198.89.107.36:41257 ->      77.66.32.1:80    ....S.   0        8      384     1
    2013-02-28 11:29:58.612     0.000 TCP       181.3.74.102:23628 ->      77.66.32.1:80    ....S.   0        8      384     1
    2013-02-28 11:29:58.612     0.000 TCP      122.149.174.9:25733 ->      77.66.32.1:80    ....S.   0        8      384     1
    2013-02-28 11:29:58.612     0.000 TCP     175.217.179.22:27301 ->      77.66.32.1:80    ....S.   0        8      384     1
    2013-02-28 11:29:58.613     0.000 TCP     141.149.190.34:56307 ->      77.66.32.1:80    ....S.   0        8      384     1
    2013-02-28 11:29:58.613     0.000 TCP       70.248.23.39:10543 ->      77.66.32.1:80    ....S.   0        8      384     1
    2013-02-28 11:29:58.613     0.000 TCP      96.45.178.104:62559 ->      77.66.32.1:80    ....S.   0        8      384     1
    2013-02-28 11:29:58.613     0.000 TCP      218.92.100.34:56154 ->      77.66.32.1:80    ....S.   0        8      384     1
    2013-02-28 11:29:58.613     0.000 TCP      59.37.156.114:34888 ->      77.66.32.1:80    ....S.   0        8      384     1

Stores it in a database for billing, security audits but also for network analysis. The network analysis is based on policies and known patterns (Beacons, traffic patterns/ports/flags, roundtrip etc). Then lets you drill down on a specific hostgroup or target to see who, when and that it talked to. It also integres ICE and logs from DHCP.

Based on this is can alert you if your are under DDOS or if someone just just stole your files (Requires some configuration) or if some of your hosts is part of a botnet. Really nice but properly also quite expensive.