Lancope, Inc., headquartered in Atlanta, Georgia, is a pioneer in the field of network behavior analysis, and was the first to combine behavior-based anomaly detection and network operations reporting.
Lancope is the developer of the StealthWatch System, claimed to be the most widely used network behavior analysis and response solution for global enterprises. This product has been deployed by hundreds of organizations, including Chick-fil-A, General Electric, Hyundai, Johnson & Johnson, OfficeMax, the National Security Agency, Stanford University, and the Weather Channel. Lancope also partners with fellow solution providers through its Technology Alliance Program, which includes Cisco Systems, Check Point, Foundry Networks, and IBM Tivoli.
Lancope was founded in 2000, and is a private, venture-funded company, with approximately 60 employees.
Lancope identified a specific networking challenge: In many organizations, no single group has continuous visibility—from the network infrastructure through to the host information—that allows them to clearly identify negative impacts on the network, be those network performance or security-related issues.
To address this deficiency, Lancope’s StealthWatch System meets the needs of both security and network administrators with an integrated platform that leverages network intelligence for both parties. It optimizes security and network operations by consolidating security and network monitoring into a single data set. This reduces the time and resources needed to identify and then respond to network performance and security issues, and it reduces the cost and complexity associated with non-integrated, single-function management solutions.
The StealthWatch architecture encompasses six critical network management functions: Monitor, Baseline, Secure, Respond, Optimize and Report.
The Monitor function leverages the network infrastructure to actively monitor the flow of data and other network communications, as well as to detect network problems, security threats, and internal employee misuse in real time.
The Baseline operation discovers assets and inventory, and establishes a baseline for normal network traffic versus anomalous traffic, to establish policy and analyze current network behavior.
The Secure function detects and prioritizes network faults and performance issues, policy violations, insider misuse, and network threats that impact network health and host integrity.
The Respond operation enables automatic mitigation to stop malicious activity, remove or quarantine malicious hosts and users, and fix network problems to streamline network optimization and security operations.
The Optimize function fine-tunes network performance, deals with traffic engineering and capacity planning, provides root cause determination, and closes the loop on network and security processes.
Finally, the Report capabilities provide audits and reports of all network communications, host configurations, user identity and behavior, to meet policy and regulatory compliance.
The StealthWatch product family includes six key components. The StealthWatch Management Console manages, coordinates and configures all StealthWatch appliances to correlate security and network intelligence across the enterprise (Figure 1).
The StealthWatch Identity 1000 automatically connects any unexpected event within the enterprise network with the user or users who caused the event. Administrators simply request the username(s) and IP address associated with an event from the StealthWatch Management Console, and the system returns the appropriate information in real time.
Connecting to the management console and identity system are three traffic flow monitors: the StealthWatch NC, which defeats threats from external and internal sources; the StealthWatch Xe for NetFlow, which leverages Cisco NetFlow traffic accounting technology to monitor router traffic across the enterprise; and the StealthWatch Xe for sFlow, which uses traffic information available from Foundry, HP ProCurve and Extreme network switches (Figure 2). As an example, a Security Worm Tracker can visualize an outbreak as it propagates through the network (Figure 3).
Finally, the StealthWatch Flow Replicator improves enterprise network performance by aggregating the flow data from these diverse sources into a single appliance, and forwards that information to one or more StealthWatch collectors.
StealthWatch 5.7 offers the addition of Quality of Service (QoS) reporting and trending, which provides the critical visibility needed to ensure actual traffic passing through individual interfaces matches configured or desired traffic levels for each service, an issue of great importance for voice and video traffic operations.
StealthWatch also offers unique geographic baselining capabilities that automatically associate external devices with their country of origin, categorizing them into region- and country-specific zones. Administrators can easily and quickly report on top talkers and zone locking, as well as query for alarms, flows, probes, and host information, filtered by country. StealthWatch segments Top Ten statistics by hosts, flows, and services to provide an additional layer of intelligence for investigating network slowdowns or traffic spikes.
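As an added illustration of the two ideas above (learning a per-host traffic baseline and reporting top talkers filtered by country zone), the following is example code written for this tutorial, not Lancope's StealthWatch code: the flow records, the three-standard-deviation threshold, the byte floor and the zone labels are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not real traffic): (src_host, dst_host, bytes, src_country).
# Each inner list is one past interval used to learn the per-host baseline.
BASELINE_WINDOWS = [
    [("10.0.0.5", "10.0.1.20", 1200, "internal"), ("10.0.0.9", "10.0.1.20", 500, "internal")],
    [("10.0.0.5", "10.0.1.21", 1300, "internal"), ("10.0.0.9", "10.0.1.21", 450, "internal")],
    [("10.0.0.5", "10.0.1.22", 1100, "internal"), ("10.0.0.9", "10.0.1.22", 550, "internal")],
    [("10.0.0.5", "10.0.1.23", 1250, "internal"), ("10.0.0.9", "10.0.1.23", 500, "internal")],
]
# Current interval: 10.0.0.9 suddenly sends far more than it ever did before.
CURRENT_WINDOW = [
    ("10.0.0.5", "10.0.1.20", 1200, "internal"),
    ("10.0.0.9", "203.0.113.7", 9_000_000, "internal"),
    ("198.51.100.4", "10.0.0.9", 20000, "CN"),
    ("198.51.100.8", "10.0.0.5", 5000, "CN"),
    ("192.0.2.77", "10.0.0.5", 800, "DE"),
]

def bytes_per_host(flows, zone=None):
    """Total bytes sent per source host, optionally limited to one country zone."""
    totals = defaultdict(int)
    for src, _dst, nbytes, country in flows:
        if zone is None or country == zone:
            totals[src] += nbytes
    return totals

def learn_baseline(windows):
    """Per-host (mean, population stddev) of bytes sent per interval; a host
    absent from an interval contributes 0 for that interval."""
    hosts = {src for w in windows for src, *_ in w}
    series = {h: [bytes_per_host(w).get(h, 0) for w in windows] for h in hosts}
    return {h: (mean(v), pstdev(v)) for h, v in series.items()}

def detect_anomalies(baseline, flows, k=3.0, min_bytes=1000):
    """Return (anomalies, new_hosts): anomalies exceed mean + k*stddev; new hosts have no baseline."""
    anomalies, new_hosts = [], []
    for host, total in bytes_per_host(flows).items():
        if host not in baseline:
            new_hosts.append(host)  # unknown host: review it, do not alarm on a missing baseline
            continue
        mu, sigma = baseline[host]
        threshold = max(mu + k * sigma, min_bytes)  # byte floor keeps idle hosts from alarming on noise
        if total > threshold:
            anomalies.append((host, total, round(threshold)))
    return anomalies, sorted(new_hosts)

def top_talkers(flows, zone=None, n=10):
    """Top-N source hosts by bytes sent, filtered by country zone when one is given."""
    totals = bytes_per_host(flows, zone)
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
```

Hosts the baseline has never seen are returned separately rather than alarmed on, since a missing baseline says nothing about whether their traffic is normal.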
Further details on the Lancope architecture and products can be found at www.lancope.com. Our next tutorial will continue our examination of vendors’ network management architectures.
Copyright Acknowledgement: © 2008 DigiNet Corporation ®, All Rights Reserved
Mark A. Miller, P.E., is President of DigiNet Corporation®, a Denver-based consulting engineering firm. He is the author of many books on networking technologies, including Voice over IP Technologies, and Internet Technologies Handbook, both published by John Wiley & Sons.