Secure Network Analytics (Stealthwatch) Then, Now and Beyond – Part 2: Behavioral Analytics Has its Day

(2012-2020)

In part 1 of this series, we looked at the world we defended back in 2001 and how that shaped our initial product release. While the threat landscape of yesteryear was different in so many ways from the world we defend today, our objectives remain the same. This time, we will dive into the period between 2012 and today (2020), when the strategic bets we made early on started to pay off and several mega-trends in computing helped make Cisco Secure Network Analytics (formerly Stealthwatch) mandatory for an effective security program.

In 2014, when I started as Chief Technology Officer for Lancope, the world was concerned with “insider threats.” But when you really investigate the topic, it was less about employees intentionally behaving in a malicious manner and much more about internal accounts being compromised and the entitlements of those accounts being used by external threat actors to carry out business compromise. As I said back in 2014, “Attackers are not breaking into your networks, they are simply logging in!” At last, behavioral analytics would have its day to shine!

There were still challenges, such as prospects inviting us in for a proof-of-value evaluation and handing us success criteria that any signature-based system could meet: if you see pattern x, do y. The reality is that in most, if not all, of those evaluations, it was the threat actors themselves who helped us show the value of Secure Network Analytics. In the first three to five days, the solution would find something on the network that ONLY a behavioral-based tool would find. The threat actors were effectively part of the evaluation because they were already present on these networks, and prior to deploying Secure Network Analytics, no tool could find them.

It’s now 2016, three mega-trends are developing like a huge set of waves on the north shore of Hawaii, and we are ready to ride!

  1. Software-defined networking (SDN)
  2. Dark data (everything in transit is now encrypted)
  3. Cloud-native computing

By this time, Lancope and its Secure Network Analytics product had been acquired by Cisco. The network-as-a-sensor strategy was in full swing, but with the network becoming programmable through software-defined networking (SDN), we could take it to the next level and have the network dynamically isolate and shrink the effective target surface the attackers could reach. We could have the network act as the enforcer. What we found was that customers had very flat networks where reachability was the guiding principle, and while they wanted to segment, every time they attempted it they would break some critical business function. Secure Network Analytics acted as bookends to this initiative: it modeled the segmentation for some number of weeks, gathering evidence that the planned segmentation would work; the SDN controller would then enforce these changes; and Secure Network Analytics would then monitor for violations. Once again, Secure Network Analytics was in the right place at the right time.
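One way to model a planned segmentation against flow telemetry before handing it to an SDN controller, as an added example that is not Cisco's or Secure Network Analytics' own code: the zones, policy tuples and flow records below are constructed, and the same function doubles as the post-enforcement violation check.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed example: planned zones (hypothetical ranges) for a currently flat network.
ZONES = {
    "corp-users": ip_network("10.1.0.0/16"),
    "erp-app": ip_network("10.20.0.0/24"),
    "erp-db": ip_network("10.30.0.0/24"),
}

# Planned policy: (src_zone, dst_zone, dst_port) the SDN controller would permit
# between zones; intra-zone traffic stays open, everything else would be dropped.
ALLOWED = {
    ("corp-users", "erp-app", 443),
    ("erp-app", "erp-db", 5432),
}

# Constructed flow records shaped like summarized NetFlow (src, dst, dport, flow count).
SAMPLE_FLOWS = [
    {"src": "10.1.5.7", "dst": "10.20.0.10", "dport": 443, "flows": 120},
    {"src": "10.20.0.10", "dst": "10.30.0.5", "dport": 5432, "flows": 80},
    {"src": "10.1.5.7", "dst": "10.1.6.2", "dport": 445, "flows": 15},      # same zone
    {"src": "10.1.5.7", "dst": "10.30.0.5", "dport": 5432, "flows": 2},     # user host straight to DB
    {"src": "10.1.9.3", "dst": "10.30.0.5", "dport": 5432, "flows": 1},
    {"src": "192.168.7.7", "dst": "10.20.0.10", "dport": 443, "flows": 1},  # outside every zone
]


def zone_of(ip: str) -> str:
    """Map an address to its planned zone, or 'unknown' if no zone covers it."""
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def flows_policy_would_deny(flows, allowed=ALLOWED) -> dict:
    """Aggregate inter-zone flows the planned policy does not permit.
    Run over weeks of flow data before enforcement, the result is the list of
    dependencies the plan would break; run after enforcement, it is the violation list.
    Returns {(src_zone, dst_zone, dport): total_flow_count}.
    """
    denied = defaultdict(int)
    for f in flows:
        src, dst = zone_of(f["src"]), zone_of(f["dst"])
        if src == dst:
            continue  # intra-zone traffic is not subject to the inter-zone policy
        if (src, dst, f["dport"]) not in allowed:
            denied[(src, dst, f["dport"])] += f.get("flows", 1)
    return dict(denied)
```

Anything reported before enforcement is a candidate dependency to either add to the policy or deliberately cut; the same report after enforcement is what the monitoring phase alerts on.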

Remember in part 1 when I mentioned how industry analysts would criticize Secure Network Analytics for only analyzing metadata and not directly inspecting packets with Deep Packet Inspection (DPI)? Well, every dog has its day, and it was about to be ours. Go ahead with your fancy packet captures; you still won’t be able to make sense of them because IT IS ENCRYPTED! Yes, the network traffic that was once in the clear and unsafe had become largely encrypted, and only the metadata was directly observable. The Secure Network Analytics team worked to extend the NetFlow standard with fields covering the last remaining observable items, and Cisco routers, switches, and wireless controllers would be able to export this enhanced telemetry, minimizing the need for standalone sensors to be deployed and managed. We went from ‘Network as a Sensor’ to ‘Network as the most awesome Sensor’.

As the world moved to public cloud computing, a new form of computing called cloud-native was born. For Secure Network Analytics, it was not that we needed to give up the legacy world and replace it with cloud-native; it was that customers struggled with protecting their businesses in BOTH worlds. As fortune would have it, we found a company called Observable Networks that honestly could have been Secure Network Analytics, except they were born on planet cloud while we were born on planet on-prem. We acquired them in 2017, and it was like two people who meet and feel as if they had always been lifelong partners. Secure Cloud Analytics (Stealthwatch Cloud) was born and brought with it the ability to perform all the functions of Secure Network Analytics within cloud-native environments like Kubernetes and serverless, and across AWS, Google Cloud Platform, and Azure. Secure Network Analytics was again as wide as your business, whether you protected on-premises, across multiple cloud providers, or some combination thereof.

We have now covered nearly 20 years in the market, co-developing features with our customers. For the final part of this series, let’s have some fun, place some strategic bets on where things are going, and explore some paths Secure Network Analytics will pursue to ensure that we deliver value for the next 20 years.

Learn more about Secure Network Analytics.