Introducing Stealthwatch product updates for enhanced network detection and response

We are very excited to announce new features of Cisco Stealthwatch! Release 7.3.0 brings significant enhancements that help the Stealthwatch Administrator and the Security Analyst detect and respond to threats faster and manage the tool more efficiently.

Automated Response updates

Release 7.3 introduces automated response capabilities to Stealthwatch, giving you new methods to share and respond to alarms through improvements to the Response Management module and through SecureX threat response integration enhancements.

New methods for sharing and responding to alarms

Stealthwatch’s Response Management module has been moved to the web-based UI and modernized to facilitate data-sharing with third-party event gathering and ticketing systems. A range of customizable action and rule options gives you new ways to share and respond to alarms, streamlining remediation and accelerating containment. New response actions include:

  • Webhooks for sharing alarm data with third-party tools, adding flexibility to response management and saving time
  • The ability to specify which malware detections are sent to SecureX threat response, and which response actions accompany them, to accelerate incident investigation and remediation
  • The ability to automatically restrict a compromised device’s network access when a detection occurs, through customizable quarantine policies that leverage Cisco Identity Services Engine (ISE) and Adaptive Network Control (ANC)
Figure 1. Modernized Response Management module with new response action options

SecureX threat response integration enhancements

Get granular and be specific with flexible rule configurations that provide the ability to:

  • Define which alarms from Stealthwatch are shared with SecureX threat response
  • Select shared alarms on multiple parameters, such as alarm severity, alarm type, and host group
  • Share alarms from mission-critical services, with the ability to define incident confidence levels, how target objects are formed, and rule conditions based on targets created for internal or external hosts
Figure 2. Customize which alarms are sent to SecureX threat response by severity
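To make the rule options above concrete, here is an added Python sketch of how alarm-forwarding rules of this kind can be evaluated. It is example code written for this post, not Cisco's code, and it does not use the Stealthwatch or SecureX payload formats, which this page does not document: the alarm fields, the rule schema, the internal address ranges, the `RULES` list and the sample alarms are all assumptions for the illustration. It does show one check a practitioner would want: an ISE ANC quarantine only makes sense for an endpoint ISE has a session for, so the evaluator never emits a quarantine action for an external target.

```python
import ipaddress
from dataclasses import dataclass

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Address space treated as "inside" when forming targets (an assumption for the example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Alarm:
    """Hypothetical alarm record; these field names are not Stealthwatch's schema."""
    alarm_type: str
    severity: str
    source_ip: str
    target_ip: str
    host_group: str


@dataclass(frozen=True)
class Rule:
    """One forwarding rule; an empty alarm_types or host_groups set means 'match any'."""
    name: str
    min_severity: str
    alarm_types: frozenset
    host_groups: frozenset
    confidence: str   # confidence level attached to the incident the rule creates
    actions: tuple    # subset of ("securex", "webhook", "quarantine")


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_target(alarm: Alarm) -> dict:
    """Form the target object: internal hosts carry their host group, external hosts only their address."""
    if is_internal(alarm.target_ip):
        return {"ip": alarm.target_ip, "scope": "internal", "host_group": alarm.host_group}
    return {"ip": alarm.target_ip, "scope": "external"}


def matches(rule: Rule, alarm: Alarm) -> bool:
    """Rule conditions: minimum severity, optional alarm-type filter, optional host-group filter."""
    if SEVERITY_RANK[alarm.severity] < SEVERITY_RANK[rule.min_severity]:
        return False
    if rule.alarm_types and alarm.alarm_type not in rule.alarm_types:
        return False
    if rule.host_groups and alarm.host_group not in rule.host_groups:
        return False
    return True


def evaluate(rules, alarm: Alarm) -> list:
    """Return the actions triggered by one alarm as (rule name, action, incident) tuples.

    Quarantine is emitted only for internal targets: an ANC policy can only be applied to an
    endpoint ISE knows about, so an external address is never sent for quarantine.
    """
    target = build_target(alarm)
    triggered = []
    for rule in rules:
        if not matches(rule, alarm):
            continue
        incident = {
            "type": alarm.alarm_type,
            "severity": alarm.severity,
            "confidence": rule.confidence,
            "source": alarm.source_ip,
            "target": target,
        }
        for action in rule.actions:
            if action == "quarantine" and target["scope"] != "internal":
                continue
            triggered.append((rule.name, action, incident))
    return triggered


# Constructed rule set and alarms for the example (not real detections or real hosts).
RULES = (
    Rule("high-to-securex", "high", frozenset(), frozenset(), "High", ("securex", "webhook")),
    Rule("quarantine-servers", "medium", frozenset({"Remote Access Trojan", "Emotet"}),
         frozenset({"Servers"}), "Medium", ("quarantine",)),
)

SAMPLE_ALARMS = (
    Alarm("Emotet", "high", "203.0.113.7", "10.20.30.40", "Servers"),     # internal target
    Alarm("Emotet", "high", "10.20.30.40", "203.0.113.7", "Servers"),     # external target
    Alarm("Data Hoarding", "low", "10.1.1.1", "10.2.2.2", "Workstations"),  # below every threshold
)

if __name__ == "__main__":
    for alarm in SAMPLE_ALARMS:
        for name, action, incident in evaluate(RULES, alarm):
            print(f"{name}: {action} -> {incident['target']}")
```

The first sample alarm triggers all three actions, the second is forwarded to SecureX and the webhook but is not quarantined because its target is external, and the third matches no rule at all.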

SecureX platform integration enhancements

Cisco’s SecureX platform unifies visibility, centralizes alerts, and enables automation across your entire security infrastructure on a single dashboard. Maximize operational efficiency, eliminate repetitive tasks, simplify business processes, and reduce human errors by:

  1. Automating responses with pre-built workflows through SecureX’s orchestration capabilities
  2. Creating playbooks with all your integrated security tools through SecureX’s intuitive interface
Figure 3. SecureX’s pre-built workflows and customizable playbooks

Enhanced security analytics

As threats continue to evolve, so do the analytical capabilities of Stealthwatch to deliver fast and high-fidelity threat detections. The cloud-based machine learning engine (Cognitive Intelligence) has been updated to include:

  • New confirmed detections
  • New machine learning classifiers for anomalous TLS fingerprint, URL superforest, and content spoofing detections
  • Smart alert fusion in the new user interface (currently available in beta)
  • New Stealthwatch use cases including Remote Access Trojan and Emotet malware detections
Figure 4. An example of the new content spoofing detector classifier in action.
Figure 5. Stealthwatch’s new GUI with smart alert fusion.

Easier management

Web UI improvements

Don’t let the setup process slow you down! Web UI enhancements reduce deployment time by supporting full configuration of both the appliance and its vital services before the first reboot.

Flow Sensor versatility and visibility enhancements

Get visibility into more places than ever before through ERSPAN (Encapsulated Remote Switched Port Analyzer) support, now added to Flow Sensors. Benefits include:

  • Visibility into traffic inside VMware NSX-T data centers, simplifying Flow Sensor deployment and network configuration
  • No requirement for direct physical connectivity between the Flow Sensor and the monitored traffic source
  • ACI traffic monitoring from spine and leaf nodes

Coming soon

Introducing the Stealthwatch Data Store!

The Data Store will be supported by version 7.3 and above and offers a new database architecture for Stealthwatch that enables new, more efficient ways of storing and interacting with data. Each Data Store deployment will consist of a 3-node database cluster, with flow ingest by Flow Collectors decoupled from data storage, to offer the following benefits:

  • Query performance improved by roughly 10x
  • Scalable and long-term telemetry storage capabilities with no need for additional Flow Collectors
  • Enterprise-class data resiliency to allow for seamless data availability during single node failures
  • Scalable ingest: Data Stores can be combined to create a single cluster that is capable of monitoring over 3 million flows per second

Note: The Stealthwatch Data Store will be orderable by the end of calendar year 2020.

Improved reporting with the new Report Builder Application

The Report Builder Application will provide a framework for visualizing trends and anomalies in stored data through the ability to build highly customizable reports and configure their layouts in numerous formats and chart types to optimize how they are displayed.

To learn more about this release, check out the Release 7.3.0 At-a-Glance and the Release Notes.

Don’t have Stealthwatch? Learn more by visiting https://www.cisco.com/go/stealthwatch or try the solution out for yourself today with a free visibility assessment.