Cisco StealthWatch License

  • Technical Support
  • Last updated on: 03 Jan 2020

Cisco StealthWatch

Network visibility and security analytics

Cisco Stealthwatch uses NetFlow to provide visibility across the network, data center, branch offices, and cloud. Its advanced security analytics uncover stealthy attacks on the extended network. Stealthwatch helps you use your existing network as a security sensor and enforcer to dramatically improve your threat defense.

Detect threats faster with Stealthwatch

The most dangerous threats are the ones you can’t see. Get the visibility you need to monitor your entire infrastructure and detect threats before damage is done. As part of the Cisco portfolio, Stealthwatch delivers security that is simple, open, and automated for integrated threat defense and strong protection.


Extend your network visibility

Gain unprecedented visibility into the internal network to detect attacks that get past perimeter defenses. Collect valuable security data from routers, switches, firewalls, and endpoints to increase awareness of threats.

Extend your network visibility

Speed up incident response and forensics

Quickly detect issues, including malware, insider threats, and sophisticated attacks. Store flow data for long periods of time. Use advanced security analytics to conduct better investigations.

 Speed up incident response and forensics

Secure your data center

Extend visibility and control to your data center, monitoring both north-south and east-west traffic. Add role-based monitoring and better network segmentation by using Stealthwatch with Cisco ISE and Cisco TrustSec.

Secure your data center

Protect branch networks

Extend advanced network protection to the branch with the Stealthwatch Learning Network License. Turn your router into a security device to obtain deep visibility across your branches and respond faster to threats.

Protect branch networks

See through the clouds

Secure your cloud environment as well as your physical network with the Stealthwatch Cloud License. Extend your network as a sensor to the cloud and enhance security across your entire infrastructure.

The Cisco Stealthwatch system provides industry-leading network visibility and security intelligence for faster, more precise threat detection, incident response, and forensic analysis.

Cisco Stealthwatch’s ability to provide extended visibility helps you gain better insight into activities occurring within your network. You can scale this visibility into the cloud, across the network, at branch locations, in the data center, and down to endpoints.

At the core of the Cisco Stealthwatch system are the Flow Collector, Flow Sensor, and Management Console. Additional licenses for added functionality are available. Please review the individual data sheets about these licenses for more detailed information.

●   Cisco Stealthwatch Cloud License: extends visibility to public, private, and hybrid cloud environments

●   Cisco Stealthwatch Endpoint License: extends visibility to the endpoint

● Cisco Stealthwatch Learning Network License: extends visibility to the branch using Cisco® Integrated Service Routers (ISRs)

●   Cisco Stealthwatch Proxy License: extends visibility to proxy servers


Through its unique view and analysis of network traffic, Cisco Stealthwatch dramatically improves:

●   Real-time threat detection

●   Incident response and forensics

●   Network segmentation

●   Network performance and capacity planning

●   Ability to satisfy regulatory requirements

Management Console

The Management Console manages, coordinates, and configures Cisco Stealthwatch appliances deployed at critical segments throughout the enterprise.

The capacity of the console determines the volume of NetFlow data that can be analyzed and presented, as well as the number of Flow Collectors that are deployed. The console is available as a hardware appliance or a virtual machine. Tables 1, 2, and 3 list the benefits, models, and specifications of the console, respectively.

Flow Sensor

The Flow Sensor component produces NetFlow data for segments of the switching and routing infrastructure that do not support NetFlow. It also works in environments where an overlay monitoring solution better fits the operations model of the IT organization. The Flow Sensor can provide Layer 7 application information for environments where Cisco Network-Based Application Recognition (NBAR) is not enabled. The Flow Sensor delivers comprehensive visibility of network and server performance metrics. It combines deep packet inspection (DPI) and behavior analysis to identify applications and protocols. The result is optimized security, network operations, and application performance.

The volume of NetFlow data generated from the network is determined by the capacity of the deployed Flow Sensors. Multiple Flow Sensors may be installed. Flow Sensors are available as hardware appliances or as software to monitor virtual machine environments. Tables 6 and 7 list the major benefits and specifications of the Flow Sensor.

UDP Director

The UDP Director simplifies the collection and distribution of network and security data across the enterprise. It helps reduce the processing power on network routers and switches by receiving essential network and security information from multiple locations and then forwarding it to a single data stream to one or more destinations. Tables 8 and 9 list the major benefits and specifications of the UDP Director.

Network visibility is essential for security

Today’s enterprise network is expanding rapidly. It connects multiple branches, mobile users, the cloud, and data centers. To meet its challenges, organizations are moving away from traditional IT infrastructures and toward a digital-ready network infrastructure. As companies move toward digitization and adopt new practices and technologies, they must maintain security. To do this, they need to see what traffic is coming in and going out of the entire network. They need to see their web traffic, applications, traffic flows, users, and devices that are known—and unknown—so they can determine whether there is anomalous behavior. Cisco offers a variety of effective security solutions that are simple, open, and automated. Now, our new Cognitive Analytics feature in Cisco® Stealthwatch provides exceptional visibility for improved threat detection into web traffic and across the entire network


• Improve threat detection with visibility and analysis of encrypted traffic.

• Accelerate and improve threat detection with machine learning to identify threats that bypass traditional security thresholds.

• Achieve greater visibility and anomaly detection with global and local traffic correlation.

• Obtain continuous analysis of command-and-control communications.

• Identify insider threats by obtaining contextual information from cloud services

Protecting your network against threats—from the inside and out

The Internet is a haven for malicious activity. And any user can accidently interact with threats that affect the network. Stealthwatch can identify a wide range of attacks, including malware, zero-day attacks, distributed denial-of-service (DDoS) attempts, advanced persistent threats (APTs), and insider data theft. Stealthwatch monitors flow traffic across hundreds of network segments simultaneously, so you can spot suspicious behavior. It ingests proxy records and associates them with flow records, delivering the user application and URL information for each flow, to increase contextual awareness. Cognitive Analytics extends this approach on a global scale. In addition, the identified threat is categorized and, in a majority of cases, associated with a particular threat actor. This process enhances your ability to pinpoint threats and decreases your time to detection (TTD).

Insider data theft

Stealthwatch with Cognitive Analytics monitors popular cloud services such as, Dropbox, Google, and Box along with internal corporate assets such as enterprise resource planning (ERP) systems. It identifies any anomalous usage of these services and determines whether they are being used legitimately. For example, you can see if a host or user is:

• Interacting with a known command-and-control site

• Accessing applications that it doesn’t typically access

• Increasing traffic to a particular site Having visibility into both external and internal traffic in conjunction with anomaly detection helps you identify insider and advanced threats more easily.

Analyzing encrypted traffic for improved security

Encryption is important in security. But although you may use encryption to protect data and privacy, attackers use it to conceal malware and evade detection by network security products. With Stealthwatch and its enhanced analytics capabilities, you can better understand whether encrypted traffic on the network is malicious. Stealthwatch applies machine learning and statistical modeling for encrypted traffic analytics to enhance NetFlow analysis. Cognitive Analytics can learn from what it sees and adapt to changing network behavior over time.

The network telemetry is collected through the Flow Collector and is sent to Cognitive Analytics for further analysis. Stealthwatch with Cognitive Analytics improves visibility into traffic flows by centralizing the management of network and web traffic within the Management Console. Rather than decrypt the traffic, Stealthwatch with Cognitive Analytics pinpoints malicious patterns in encrypted traffic to identify threats and accelerate the appropriate response.

Leveraging security analytics for actionable intelligence

Cisco Stealthwatch provides continuous realtime monitoring of, and pervasive views into, all network traffic. It dramatically improves visibility, security, and response times to questionable incidents. It creates a baseline of normal web and network activity for a user or host, and it applies context-aware analysis to automatically detect anomalous behaviors. As a critical, part of our Network as a Sensor and Network as an Enforcer initiatives, Stealthwatch uses NetFlow data to turn your network into a security sensor. And with Cognitive Analytics, a cloud-based threat detection and analytics capability, you can get deep visibility into both web and network traffic. This additional contextual information helps you identify and prioritize new and emerging threats across the extended network.

Network Visibility and Control in Healthcare

Healthcare organizations deliver critical, life-saving treatment that depends heavily on electronic patient records. When electronic records are not available due to network or security issues, the quality of care declines. Further complicating matters is the need to keep patient records secure and confidential to comply with Health Insurance Portability and Accountability Act (HIPAA) regulations. As in other industries, traditional security efforts for healthcare organizations demand vast amounts of time and resources. IT teams must manually comb through logs, manage a multitude of host agents, and perform frequent signature updates. Healthcare organizations frequently operate complex networks that must accommodate the needs of care providers, staff, patients, and specialized medical devices. This complexity creates a chaotic environment. Security personnel often find it difficult to identify devices connected to the network and enforce proper access policies. Additionally, the FDA has strict guidelines for making changes to any system that is used in patient care. It is therefore more difficult to patch infected systems in healthcare organizations than it is in other industries. To properly secure their complex networks, healthcare organizations need comprehensive network visibility and secure network access.

End-to-End Network Visibility with Stealthwatch

Cisco® Stealthwatch unifies flow-based security to streamline workflows and provide comprehensive network visibility. It analyzes NetFlow and other sources of telemetry data from your existing network infrastructure devices. It then provides the insight you need to troubleshoot a wide range of security issues across the entire network. The time to detect and respond to a threat or security incident is dramatically reduced. Stealthwatch uses the telemetry to transform the network itself into a powerful security sensor, capable of monitoring every device on the network and detecting behavior that is anomalous, malicious, or in violation of organization policy. For example, a specialized medical device that should communicate only with specific hosts on the network begins transmitting data to an external host. This could be a sign of a compromised machine engaging in command-and-control activity. Stealthwatch can detect this and many other suspicious behaviors in real time. Stealthwatch is scalable to meet the needs of even the largest networks. It can monitor virtual networks, public cloud environments, data centers, and branch networks. This visibility will enable you to embrace innovative IT trends such cloud computing while still maintaining control over security.

Secure Access with Cisco ISE

The Cisco Identity Services Engine (ISE) provides highly secure nextgeneration network access and endpoint awareness. When a device connects to the network, ISE can determine the device type, who is responsible for it, and whether it is compliant. ISE can then grant the appropriate access privileges according to the organization’s policies. ISE also assists with device discovery, helping security operators ensure that there are no unknown devices operating on the network. The information from ISE is shared with Stealthwatch, so investigators can associate flow activity with user and device information and respond to incidents quickly. Additionally, hosts can be quarantined by ISE from both the Stealthwatch and ISE user interfaces. With Cisco TrustSec® technology, ISE can also provide software-defined network segmentation. ISE can assign security group tags (SGTs) to endpoints. Cisco TrustSec uses these tags to enforce segmentation policies across the network. Network segmentation is dynamic, centrally managed, and independent of network topology. With Cisco ISE and Cisco TrustSec, healthcare organizations can more easily manage the network access of staff, patients, and medical devices. At the same time, they can make sure that each endpoint is able to access only the appropriate network resources.

Cisco Security Stealthwatch Deployment Service


• Bring Cisco Stealthwatch online much quicker through an accelerated and error-free deployment to increase your return on investment.

• Learn from highly skilled Cisco® Stealthwatch experts in a half-day knowledge-transfer session customized expressly for your technical team, so they are ready to manage Stealthwatch the day it’s installed.

• Implement and configure alarms precisely to your specifications and needs to eliminate bothersome false-positive alarms. This includes the creation of customized reports that detail alarm activity so you have an audit trail of alarm activity.

The Deployment Service for Stealthwatch allows network and security teams to closely align Stealthwatch with your overall security strategy and business objectives. The service will install and integrate Stealthwatch into your network infrastructure. The service provides for the initial configuration, tuning, and report configuration. The initial configuration service gets your host group settings established so you can begin grouping users by work function, geography, similar projects, or however your organization chooses to create logical groupings. This creates a natural path for creating and enforcing security policies. Initial tuning dials in alarms, reducing false positives, so when alarms do fire you have a high degree of confidence they require attention. Report generation is one of the hallmarks of Stealthwatch. Configuring reports, such as top-talker reports, can include top communication by amount of data, frequency of visits to a destination, or the number of conversations by a host. This data can be extremely valuable for the contextual orientation of what’s occurring on your network.

Get Stealthwatch Up and Running in No Time

No one is more qualified than a Stealthwatch engineer to execute your Stealthwatch deployment. Our professional services team will ascertain what your primary security goals are – whether policy management and enforcement, segmentation, lateral data movement, or any other areas of concern – and determine how best to design Stealthwatch so that it seamlessly integrates with your existing network design. You enjoy: • Conservation of internal resources, reduced deployment time, and fine-tuning of your system. • Successful deployment of Stealthwatch, including configurations that suit your specific needs. Examples include setting of alarms and thresholds to recommended values such as Concern Index for alarm thresholds, preliminary host group structure, or number and type of alarm categories to implement. • Customized training of your team on how to succeed with Stealthwatch. Training can include host group creation and configuration, alarm configuration, report creation, contextual map creation, and many other areas where Stealthwatch can be fine tuned.

Success is often determined at the very beginning of a project. By taking advantage of our deployment service you can set yourself up for success. Within a few hours of working alongside your Cisco Professional Services expert, you’ll have the needed tuning and configurations in place to get Stealthwatch operational quickly. The benefits to you will be greater internal network visibility and threat detection capabilities, and a faster return on your investment.

The Cisco Stealthwatch Learning Network License improves protection against branch threats.

The solution is part of the Cisco Stealthwatch family of products. Together they enhance visibility into advanced threats by identifying suspicious patterns of traffic within a Cisco® network.

The Learning Network License uses the Cisco Integrated Services Router (ISR) as a security sensor to monitor branch traffic through NetFlow, Network-Based Application Recognition (NBAR), intelligent sensors that use machine learning, and packet capture. It baselines traffic patterns to detect anomalies and help build effective branch security policies. You can mitigate threats directly from the branch by using the Cisco Stealthwatch manager to instruct the ISR to drop suspicious packets.

Figure 1 illustrates how we have expanded the Cisco Stealthwatch portfolio with the Learning Network License in the branch. We now offer both Cisco Stealthwatch (right) and the Learning Network License (left) to extend our “network as a sensor” and “network as an enforcer” initiatives.

With the Learning Network we add unique capabilities, including machine learning, local packet capture (PCAP) at the branch, and mitigation access control list (ACL) drop. These features are built into a Cisco IOS® container app within the Cisco 4000 Series Integrated Services Routers along with using local NetFlow and NBAR. With Cisco Stealthwatch we use NetFlow data sent to the central site, and behavioral analytics along with central detection for a full historical data. For your branch network you may want to use both solutions or only one.

Together, the two products give you:

  • Exceptional anomaly detection methods
  • The ability to spot zero-day attacks and to find trends 30, 60, and 90 days in the past
  • Broad and deep branch-level visibility

Figure 1. Features and Capabilities of the Cisco Stealthwatch Portfolio and Learning Network License

Product Overview

The Cisco Stealthwatch Learning Network License embeds security into your network infrastructure by turning your router into a security device. It brings you deeper visibility across the branch network and between branches. It strengthens network protection and responds quickly to threats. It extends security to the branch without affecting network performance.

The Learning Network is made up of two components:

  1. Distributed learning agents are placed at the edges of your network in your ISR branch routers. An agent can be implemented as a software agent with Cisco IOS XE Software and the Container feature. Optionally it can also be installed with the Cisco UCS® blade on the ISR.
  2. The agent is managed by a central monitoring agent. The manager is installed on any virtual machine server. Each agent becomes uniquely customized to its environment, using machine-learning algorithms and techniques to learn what is normal (baseline) and to consequently detect anomalies. Each agent autonomously models traffic characteristics thanks to various data feeds such as NetFlow records, deep packet inspection of raw packets (for example, DNS packets), and even the local state available on the branch router or switch.

The agent builds its own models and avoids forwarding heavy traffic over the WAN for centralized analysis. It is designed to be lightweight in terms of memory and CPU consumption.

The manager is the user’s point of entry to the Learning Network License solution. It is a highly scalable application running in the data center. It “orchestrates” the agents. It aggregates and stores the information they provide and amplifies their context with information from different sources. (These can include threat intelligence from Cisco pxGrid and the Cisco Identity Services Engine, intelligence from Talos, DNS transaction details, and so on.) The manager provides a way to retrieve all information for analysis and gives the user the ability to control and provide feedback to the system.

Use Case: Split Tunnel VPN Branch (IWAN)

Figure 2 shows a typical branch use with a split tunnel, direct Internet access, and a VPN link to headquarters. In this case the user is attempting to load a new application at the branch, and the application is attempting to send data to a suspected Internet site. The machine learning agent at the router identifies the suspicious traffic. The Learning Network Centralized Agent Manager (SCA) mitigates the event by applying an access control list to drop the connection.

Platform Support

The Stealthwatch Learning Network License is specifically designed to take advantage of the new Cisco 4000 Series Integrated Services Routers and their Cisco IOS XE module architecture. It allows the agent to be installed as a software agent in Cisco IOS XE containers. The agent can also be installed on a Cisco UCS E-Series blade.

You can add the Stealthwatch Learning Network License to any 4451, 4431, 4351, or 4331 ISR. (The 4321 and 4221 ISRs are being qualified now. Please contact Cisco for the latest support.) We recommend that you order the 4000 Series AX, AXV, or Cisco ONE 4000 Series ISR bundle. These come with the AppX license that the Stealthwatch Learning Network License requires and that all our security features, including Intelligent WAN, support. Please see the bundle ordering guide (Cisco 4000 Series Integrated Services Router Family Ordering Guide). In addition, please see the Cisco ONE WAN bundles C1-CISCO4431/K9, C1-CISCO4451/K9, C1-CISCO 4351, and C1-CISCO 4321. These also support SLN and include an 8 GB memory upgrade that the SLN requires.

LicensingThe Cisco Stealthwatch Learning Network License is a Smart Software licensing enabled product. The agent is sold under 1-year and 3-year term licenses. The manager has a perpetual license. If you do not already have a Smart License account, please see your Cisco representative to set one up.

System Requirements

Agent in Cisco IOS XE SoftwareWhen the agent is run in Cisco IOS XE containers, it requires at least 8 MB RAM.When packet capture is to be used, it is limited to 500 MB with flash. If you intend to use packet capture for higher usage, you need to add storage to your ISR with the NIM carrier card for solid-state drives.
Agent on Cisco UCS E-Series ServerThe Cisco UCS E-Series Open Virtualization Archive (OVA) is configured to use a 155-GB disk, 5 GB of memory, 4 vCPUs, and ESXi 5.5.
ManagerThe manager requires ESXi 5.5 or later with 4 vCPUs, 24 GB RAM, and 200 GB storage. The manager can support up to 1000 agents. For installation of more than 50 agents the recommendation is 64 GB of memory, 16 vCPUs, and 4 TB of storage.


Summary: Learning Networks Deployment

Description: Y:\Production\Cisco Projects\C78 Data Sheet\C78-737494-02\v1a 221116 2206 Shafeeque\C78-737494-02_Cisco Stealthwatch Learning Network License\Links\C78-737494-02_Figure 03.jpg


Cisco Stealthwatch Endpoint License 1 Data Sheet With the Cisco Stealthwatch™ Endpoint License you can conduct in-depth, context-rich investigations into endpoints that exhibit suspicious behavior.

In our connected world, mobility is king. More users are connecting to corporate networks with more devices, from more places than ever before. The average worker uses three personal devices for work purposes. That’s more than 15 billion mobile devices worldwide with access to enterprise networks. And the reality is that many of those devices could already be compromised. Security professionals need to see into the applications and processes that occur at the network edge, down to remote devices. The Cisco Stealthwatch endpoint solution permits security professionals to conduct more efficient, context-rich investigations into user machines that are exhibiting suspicious behavior. Tightly integrated with the Cisco AnyConnect® Network Visibility Module, the Stealthwatch Endpoint solution provides greater network visibility while enhancing the investigation of endpoints. It offers easy access to endpoint applications and information that security analysts need to speed incident response and remediate policy violations.

How It Works

The Endpoint License delivers support for the Cisco® Network Visibility Flow (nvzFlow) protocol introduced with the Cisco AnyConnect 4.2 Network Visibility Module (NVM). The AnyConnect NVM collects high-value endpoint contextual data. It exports that telemetry using the nvzFlow protocol, an extension of the standards-based IP Flow Information Export (IPFIX) protocol, to the Endpoint Concentrator. The Endpoint Concentrator collects this telemetry from multiple endpoints and forwards it to the Flow Collector. There, through a process of stitching and deduplication, the endpoint-specific fields are inserted into the conversational flow records maintained in the Flow Collector database. The endpoint data is then analyzed and displayed in the Stealthwatch console for a single view into activity across the network. Generating telemetry from the endpoint provides context and awareness. It is a critical step in gaining the visibility needed to secure the endpoint.


Endpoint License: The Endpoint License allows telemetry data to be captured from endpoint devices that connect to your network, such as desktop computers, laptops, smartphones, and tablets. The license permits the high-value endpoint contextual data collected by the AnyConnect NVM to be exported to the Endpoint Concentrator for further analysis in the Management Console.

Endpoint Concentrator: The Endpoint Concentrator collects IPFIX data from the Cisco AnyConnect Network Visibility Module. Data is collected from all endpoint devices and is passed through the Endpoint Concentrator to the Flow Collector. A Flow Collector is required for an Endpoint solution deployment.

Stealthwatch Flow Collector: The Flow Collector provides network visibility and security intelligence across physical and virtual environments to help improve incident response. The volume of NetFlow telemetry collected from the network is determined by the capacity of the deployed Flow Collectors. Multiple Flow Collectors may be installed. Flow Collectors are available as hardware appliances or as virtual machines. The capacity of the Flow Collector must be taken into consideration for the deployment of the Endpoint solution. Table 4 outlines the Flow Collector’s benefits.

The Flow Collector should be used as a guide when determining the number of supported hosts for the Endpoint License, because the Flow Collector will experience degradation before the Endpoint Concentrator. The maximum endpoint traffic impact on Flow Collectors is 50,000 fps; standard performance considerations for flows per second (fps) still apply.

Management Console: The Management Console manages, coordinates, and configures Cisco Stealthwatch appliances deployed at critical segments throughout the enterprise. With the Management Console, administrators can easily view, understand, and act upon a plethora of network and security data, all through a single interface. Snapshot views and sophisticated drill-down capabilities provide the exact level of information you need exactly when you need it. Advanced graphics and customizable views of network activity deliver unique insight to help network and security teams understand traffic patterns and identify deviations from normal network behavior. Administrators can view high-level details, or choose to drill down into alarms, security event details, host-level views, and more for fast, efficient troubleshooting and root cause analysis. Dynamic querying, customized reports, and intuitive visualizations of network data help to decrease the time between problem onset and resolution. Major benefits of the Management Console are shown in Table 5. Specifications of the various models are given in Tables 6 and 7.

Click Here for Ordering Information