Lancope, Inc., headquartered in Atlanta, Georgia, is a pioneer in the field of
network behavior analysis, and was the first to combine behavior-based anomaly
detection and network operations reporting.
Lancope is the developer of the StealthWatch System, claimed to be the most
widely used network behavior analysis and response solution for global enterprises. This
product has been deployed by hundreds of organizations, including Chick-fil-A, General
Electric, Hyundai, Johnson & Johnson, OfficeMax, the National Security Agency,
Stanford University, and the Weather Channel. Lancope also partners with fellow solution
providers through its Technology Alliance Program, which includes Cisco Systems, Check
Point, Foundry Networks, and IBM Tivoli.
Lancope was founded in 2000, and is a private, venture-funded company, with
approximately 60 employees.
Lancope identified a specific networking challenge: In many organizations, no single
group has continuous visibility-from the network infrastructure through to the host
information-that allows them to clearly identify negative impacts on the network, be
those network performance or security-related issues.
To address this deficiency, Lancope’s StealthWatch System meets the needs of both
security and network administrators with an integrated platform that leverages network
intelligence for both parties. It optimizes security and network operations by
streamlining security and network monitoring into a single data set, reducing the time
and resources necessary to identify and then respond to network performance and security
issues, and reducing the cost and complexity associated with non-integrated,
single-function management solutions.
The StealthWatch architecture encompasses six critical network management functions:
Monitor, Baseline, Secure, Respond, Optimize and Report.
The Monitor function leverages the network infrastructure to actively monitor
the flow of data and other network communications, as well as to detect network problems,
security threats, and internal employee misuse in real time.
The Baseline operation discovers assets and inventory, and establishes a
baseline for normal network traffic versus anomalous traffic, to establish policy and
analyze current network behavior.
The Secure function detects and prioritizes network faults and performance
issues, policy violations, insider misuse, and network threats that impact network health
and host integrity.
The Respond operation enables automatic mitigation to stop malicious activity,
remove or quarantine malicious hosts and users, and fix network problems to streamline
network optimization and security operations.
The Optimize function fine-tunes network performance, deals with traffic
engineering and capacity planning, provides root cause determination, and closes the loop
on network and security processes.
Finally, the Report capabilities provide audits and reports of all network
communications, host configurations, user identity and behavior, to meet policy and
The StealthWatch product family includes six key components. The StealthWatch
Management Console manages, coordinates and configures all StealthWatch appliances to
correlate security and network intelligence across the enterprise (Figure
The StealthWatch Identity 1000 automatically connects any unexpected event
within the enterprise network with the user or users who caused the event. Administrators
simply request the username(s) and IP address associated with an event from the
StealthWatch Management Console, and the system returns the appropriate information in
Connecting to the management console and identity system are three traffic flow
monitors: the StealthWatch NC which defeats threats from external and internal
sources; the StealthWatch Xe for NetFlow, which leverages Cisco NetFlow traffic
accounting technology to monitor router traffic across the enterprise; andStealthWatch
Xe for sFlow, which uses traffic information available from Foundry, HP ProCurve and
Extreme network switches (Figure 2). As an example, a Security Worm Tracker can
visualize an outbreak as it propagates through the network (Figure
Finally, the StealthWatch Flow Replicator improves enterprise network
performance by aggregating the flow data from these diverse sources into a single
appliance, and forwards that information to one or more StealthWatch collectors.
StealthWatch 5.7 offers the addition of Quality of Service (QoS) reporting and
trending, which provides the critical visibility needed to ensure actual traffic passing
through individual interfaces matches configured or desired traffic levels for each
service, an issue of great importance for voice and video traffic operations.
StealthWatch also offers unique geographic baselining capabilities that automatically
associate external devices with their country of origin, categorizing into region and
country-specific zones. Administrators can easily and quickly report on top-talkers and
zone locking as well as query for alarms, flows, probes, and host information, filtered
by country. StealthWatch segments Top Ten statistics by hosts, flows, and services to
provide an additional layer of intelligence for investigating network slowdowns or
Further details on the Lancope architecture and products can be found at www.lancope.com. Our next
tutorial will continue our examination of vendors’ network management architectures.