Cisco Secure Network Analytics Reviews

Our primary use case for this solution is security.

We are currently adding test cases for the solution and it is not yet in a live production environment.

The most valuable feature is integration.

I would like to see a hybrid solution that can work without being connected directly to the internet for those destinations. A business case would be manufacturing floors that are not, or still not, connected to the internet permanently.

In terms of the user interface, navigating through the drill down windows needs to be improved.

This solution seems to be stable.

This is a cloud-based solution, so it is very scalable.

We have not used technical support.

We did not use another solution prior to this one.

The initial setup for this solution is complex, at least in the beginning.

It is a really hard step from being a networking engineer and moving to that software component. You have to understand the software because the dependency on the actual programming is very important. That has been a learning curve.

We are still in beta testing.

Because we are still testing, we do not yet know what our licensing fees will be.

We did not evaluate other options.

My advice to anybody implementing this solution is to start with the DevOps, as soon as possible.

I would rate this solution a seven out of ten.

This is a security solution for us and our customers. We use it for port monitoring aggregation and doing captures.

We had some trouble with the installation as we migrated from our previous solution.

It has been pretty stable since we deployed it, and everything seems to be working fine.

That scalability seems to be ok, although we did have some concerns. Potentially, we are going to be looking at 100-gigabit links, and the version of the solution that we deployed does not support that. That is a long-term concern, rather than an immediate one.

We had some technical questions when we were doing the initial deployment, and they were very good in helping us with that.

Prior to this solution, we used an ad-hoc, internal system. We knew that it had to be replaced because it was not passing the audit as per our set standards. Ultimately, that drove us to look for a more standardized solution.

The initial setup for this solution was fairly complex. This was, in part, because of where we placed it in our network and the removal of our old system. It involved mapping it from the old to new so that it will be able to maintain the same functionality in our network.

We used an integrator to assist with the implementation.

Cisco is our biggest primary vendor, so it was an easy go-to for this solution.

My advice for anybody who is implementing this solution is to engage with an integrator or somebody who is familiar with it, or deploying it. This will make everything easier in terms of setting it up.

This solution is doing everything that we want, and my only complaint is in regards to the quirks during installation.

I would rate this solution an eight out of ten.

We use Cisco Stealthwatch for device compliance and device auditing. It's part of our overall strategy. We have been consolidating down. Our security team is over-packed. We're trying to leverage what we have and move the blame away from us on the network side.

The solution's analytics and thrust detection capabilities are good. We're still adjusting it. It's a little hypersensitive, but it is working right now.

We use cloud threat analytics. We don't use the cloud engine. Intrusion detection and analytics have been good so far. We haven't caught anything crazy yet. We're still eyeing it.

The most valuable feature is the level of visibility and the automation behind it. We don't have to go chasing things down.

Cisco Stealthwatch needs more integration with device discovery. We have to do a lot of hard work to figure out what things are. Better service integration is required.

Stability is what we're looking for in production. Stability is everything.

The stability of the solution seems fine. It hasn't crashed yet.

Scaling with Cisco Stealthwatch is a little bit difficult. At our scale, we need a lot of boxes to make it work. The hardware is something else. Some of the devices seem a little bit outdated in how they're built.

For the scalability, other than some of the interesting things like the blow sensors, the actual analytics engine is solid so far.

The customer service has been fine, normal. It meets our expectations.

We did not have a different solution in this specific use case. We had some solutions that would cover pieces of it but nothing ever did the whole job.

We deployed it ourselves. It was easy enough. The instructions were clear enough for us to be able to roll it out straightforward.

We were looking at NetScout and ThousandEyes, plus a couple of other similar solutions. We have a lot of NetScout products. We're trying to get into that space but we're not there yet. We're still too early. 

There are not a lot of products currently available for that specific function. There are a lot of half-solutions on the market.

Cisco Stealthwatch has not reduced our response times yet, it probably will though. The solution is perfect in traffic analytics. We've started that roll out. The new sites that we have will be doing that.

Right now we have a lot of false positives, but that's just Cisco Stealthwatch still in its adjusting phase.

The solution saves us time, money, and administrative work. It is a lot of administrative work on its own but it's going to help out other teams.

In the long run, it's going to help save money. For the time to value, it's going to take a long time. It's probably a year or two-year process.

On a scale of one to ten, I would rate Cisco Stealthwatch with a seven. It's a solid product. It's very useful, but it takes an incredibly long time. There's a lot of hard work. 

A lot more integration of automation tools like inventory systems would be helpful, i.e. where we can pull the data instead of having to look ourselves.

Cisco Stealthwatch is part of our narrow transformation. We're looking at campus fabric, DNA centers, etc. It helps that we can see what's going on.

Deploying the virtual machines made our storage have artifacts. But that was expected. 
Make sure you resource it correctly because it's going to use more than you expect.

We use Stealthwatch to identify any risk or vulnerabilities in the environment.

Stealthwatch increased our threat detection rate a little bit, as well as our incident response time. It also reduced the amount of time it takes us to detect and remediate threats.

The cognitive analytics really helps us analyze the traffic.

The most valuable feature is its alerts and dashboard.

The solution's analytics and threat detection capabilities are also pretty reasonable.

It's too complicated to install when starting out.

Also, we have actually seen an increase in false positives with Stealthwatch. A few of the false positives were too early to detect.

Availability is another issue. You need a couple of days to get it to work.

It was pretty stable. The only thing is the whole infrastructure is pretty complex with a lot of sensors and the like. With that level of complexity in mind, I would say it is very stable.

Their technical support is very good.

The initial setup was complex. Sensor and controller installation was especially complex.

I would rate Stealthwatch as six out of ten. It is a good product but it needs a lot of work to complete the dot trace and other parts. It's not as competitive as others on the market.

We use Cisco Stealthwatch to do NetFlow across our enterprise network. Cisco Stealthwatch helps our cybersecurity guys detect threats across the network.

We're still deploying it across our enterprise. A lot of our data analytics are still in the making.

The solution has probably increased our incident response rate a little bit. We're seeing extra traffic on the network as opposed to before.

Cisco Stealthwatch has reduced the amount of time to detect an immediate threat.

We're still gathering numbers about our increased threat detection rate. Anything we can improve with security patches to the network greatly improves the product.

There's a lot of traffic on our network that we don't see sometimes.

The product is stable. We have not had any downtime with it.

Scalability is where we're still finetuning the product. Initially, when we implemented Stealthwatch, we did a serious overkill on our flows per second. Now we're trying to correct that and then spread those appliances. 

We would like to license the product across all of the different hardware we have.

Our tech support goes through LAN Help. I was just trying to get to the right person to understand the way we get things set up. It does take time trying to explain what we're doing or trying to do. 

Because we purchase some products through second or third parties, we have difficulty making sure they know that we're the end user.

We're playing with several different products across my teams. All of the teams are rather small. As they get time, they work on other things. 

We've got Cisco guys onsite and we talk with those guys all the time.

Stealthwatch is just set up on a single network that we have. We're pulling primary data from anything that pops up out of the norm. We'll forward that information on to our cybersecurity guys and they'll track it down.

The initial setup is straightforward, but we're starting to fine-tune. We're getting more detailed information on the practical use of the product.

We try to find ROI but sometimes, but it's just not there. It's all about the security posture.

We pay a yearly license.

Our enterprise is primarily dedicated to Cisco solutions. Stealthwatch is a Cisco product. We went with that originally.

Cisco Stealthwatch has increased the administrative time required just to get everything up and running smoothly. In six months, we should have it fine-tuned where it is hopefully saving us some time and manpower.

I would rate Cisco Stealthwatch with a nine out of ten until we get our people fully tuned in to the application. We need more time and more network engineers to work on it.

Use of the product should be based upon how each enterprise is set up if the solution is a good fit for what you need. Each network is different. It just depends on what the requirements are and what you need to do.

We implemented Stealthwatch Cloud in order to provide our analysts with an additional tool for security monitoring.

This tool provides another method for security analysts to triage security alerts. The artifacts available in the tool provide better information for analyzing network traffic. 

It enables a holistic view of network traffic and general packet analysis. It's easy to identify anomalies without the use of signatures. The way in which we implemented Stealthwatch Cloud has enabled my team to analyze traffic behind proxies.

I have nothing negative to say about the product. I've become very familiar with it, it is intuitive and easy to learn. I'm happy that the deployment worked well.

If there was one improvement I’d suggest it would be that it detect traffic through an intranet. The product requires that traffic flow through a managed network device. The product is designed mostly for enterprise environments and not smaller environments or businesses.

No issues with stability.

No issues with scalability. Collecting NetFlow data is not hard, however, there is a chance you’ll end up with a huge amount of data that needs investigating. It might be a good idea to deploy gradually, by network segment.

Technical support has been excellent. I would not hesitate to work with them again. The engineer I worked with was knowledgeable.

No previous solution.

The deployment was a breeze. It is a very innovative and robust platform that allows us to bi-directionally stitch together data elements from NetFlow-enabled devices to provide a context for network utilization.

One thing to keep in mind is that pricing is based on flow. If your environment is a Cisco shop, there should be an option to bundle it with certain purchases.

I do not use this product on AWS but I would be interested in doing so. AWS continues to be an expanding initiative.

Stealthwatch is a great product. It's a paid product with a need for licensing but does DDoS detection, compromised machines, NetFlow collection, and integrates with Cisco Identity Services Engine and Firepower. I rate it a 10 out of 10 due to the great technical support received, ease of deployment, and ease of integration.

I suggest reviewing other products just to get an idea of what’s available on the market. Some that come to mind are Splunk, Sourcefire, Kentik, NfSen, Plixer Scrutinizer, FireEye, and Darktrace. It really depends on if your company is looking for a primary NetFlow tool or a tool that is a mixture of cyber security and NetFlow.

Another thing to keep in mind is that it will be easy to end up with more data than you need when first deploying. The product has the ability to categorize traffic based on severity level (yellow, red). When you deploy, it might be best to take a smaller, manageable approach to investigate traffic on a network. This way you won’t be overwhelmed with the amount of data you get.

• Monitoring
• Security

It is a monitoring solution and network, because many times what we see is circuit oversaturation. Then, we want to know why and where it is coming from.

We were using Stealthwatch before the upgrade, since it came out. We have a good partnership with Cisco. We have NAS engineers. We have a quarterly meeting with Cisco. Generally, when they come out with a new solution, like when Stopwatch first came out, we jump on board. Therefore, we have been with it for awhile.

Our company is global and has various manufacturing plants over the globe along with branches. What we have found from a productivity policing perspective is we have had some of these locations abuse their on-net circuit. They will put it on Netflix and go watch movies when they are not supposed to, and we could not stop it. Unfortunately, we did not know what was going on. In the past, what we used to do was live and work with it. Thus, the company increased the circuit, and we were spending more, not knowing why. 

When Stealthwatch finally came in, we were able to look into that pocket and  flow, saying, "They are going to Facebook. They are going to YouTube. They are going to Netflix." 

Based on other solutions that we had in place (Sourcefire, etc.), we were able to block the center accessing these type of features and apps. This brought down the circuit utilization significantly, then we were able to recoup costs. It saved a lot of money bringing down the circuit. Now, it is not abused anymore.

Visibility. The ability to look East and West. To see what is passing through your circuits, where it is coming from, and how big it is. This is pretty key for us. It is the network. 

From a security standpoint, it is seeing pockets as well. Visibility is very key for us.

In the last year or two, we have been working with our Cisco NAS engineers to improve our security posturing. It is more our being proactive rather than reactive. While Stealthwatch and Lancope have this ability to look inside and give you visibility (a great feature), follow-up is the rule. We would like filters that you can put into place to tap onto certain types of behaviors, alerts out, and/or hopefully a block. This is sort of what we are looking for. 

I might be speaking too early, because we are not down this path yet. We know the feature set is there, we just do not know yet how to achieve it. That is proactive rather than more reactive.

For Lancope Stealthwatch, we would like to see it more on the ASA Firewall platform. While this might already be available, this is more a failing of Cisco to inform us if it is there. For example:

• Are we on the right or wrong version of the code? 
• What does the code look like? 
• Are we are really looking at firewalls? Or is it more about the foundation and route switches that we are seeing?

It is about visibility.

It has been pretty stable. The deployment is the SNC which is located in our headquarters. Then, you have collectors and sensors which are sitting out there in our various eye pop points: East and West points out the door. The sensor sits on the standpoint, therefore it sees everything. The collector, you point to it, and it has been pretty stable in that regard. 

Previously, the one thing which drove us crazy about the product was it seemed to be pretty locked on certain versions of Java. Now, it appears to have been improved. Thus, we are very happy with that.

In terms of improvement overall, we would like to see less reliance on Java and possibly a self-contained REST API package, either client or web-based would be nice rather than locally in Java. This would be a nice feature set.

Integration would be nice too. We are a pretty big Cisco shop. From ICE to our WCs. We are growing while we are looking at other products and solutions out there. Those solutions being FireEye or Palo Alto. Is there an integration where maybe East-West Lancope can see this type of traffic, then send updates and work lists with other products to say, "Block this as this is bad," other than the blocking point being Stealthwatch?

I understand Cisco has AMP Threat Grid. This is their ecosystem, and it is supposed to coordinate and work together in making the setup easy. 

Self-pushes to the cloud, as long as your Cisco-based products report to the same cloud point, then you are all sharing data that way. That is still very Cisco-centric. It would be nice to see a little bit more integration with Palo Alto, FireEye, and VScanner, therefore not all being Cisco-based.

For scalability, we probably want to see more NetFlow availability in other infrastructure products. We know it is there in routers, switches, and foundation. We know we can send it to the box. These are our current questions about NetFlow expansion:

• What about firewalls? Where does Cisco stands today on NetFlow or in the future for firewalls? 
• Is there NetFlow on SPD? I don't know. 
• Are we doing NetFlow on ASA today? Our company is not.  

I do not think it is ready yet, or stable, and expanding NetFlow would be huge.

Generally, when we do something with Lancope or Stealthwatch, either we play with the interface ourselves or we use our NAS engineer. I do not think there has been a situation where we looked for support on a tech case unless there is something really wrong. We have possibly had to contact them one time because of a bad disc. 

We used Riverbed, and it is probably still around as some people can't let go of their old tools.

When we saw what Lancope can do, not just from a visibility perspective, but from a network and security perspective, we jumped on board. Having security tied to the product is what really made it win out. We jumped in all the way. We spent close to a million, because there was a shared infrastructure between two companies. Every eye pop that we bring up or upgrade, Stealthwatch is there. We ensure it is there.

It was pretty straightforward. Once you get the template down, you get to the eye pop or an egress point, then you need one sensor. Deployment is easy.

Today, the company is part of the big Cisco ELA, and it is a la carte. We can get orders for whatever we want. At the end of the day, we have to pay for it in one big expense, but that is fine. We are okay with that.

One of the things which bugs me about Lancope is the licensing. We understand how its licensing works. Our problem is when we bought and purchased most of these Lancope devices, we did so with our sister company. We bought a ton of product. Somewhere within the purchase and distribution, licensing got mixed up. This is all on Cisco, and it is their responsibility. They allotted some of our sister company's equipment to us, and some of ours to them. To date, they have never been able to fix it. We still see this license issue pop up on our screen.

NetFlow is very expensive. 

The only other option was the one we were using at the time, which may not even be comparable because of visibility, and that was Riverbed. Riverbed was extremely expensive. 

Stealthwatch came out, and we jumped on board. It was not only cost alone that made us go with it. It was security which pushed us over the edge. The possibility of seeing in the packet these potentially proactive measures; things you can do to see patterns. The features were what won out.

Come up with a template, then choose a center, choose a region, choose a plant, etc. Figure out how you want the deployment to go, then replicate it. Turn it into some sort of kit. As you stand up more places, or you deploy to other places, it will follow that template, then you are set and done.

This also extends to the config file, which is a bit more problematic. Depending on how large you are (we are very large), you do not always have the same model number of router. For example, we could have 1002X, 1001, and 1002X. They do not always align in terms of what that NetFlow configuration looks like. Some people put NetFlow on a switch. 

Make sure that you are aware of that and you have the best template you can. Get your ducks in a row before you deploy, or else it is going to extend your deployment.

Pros:

• Visibility is key. 
• Security is also key. 
• Being able to drill down into a center's utilization, then create reports based on it.
• Ease of deployment, once you get your ducks in a row.

Con: Reliance on Java. Get away from that.

If they can make this product more web-based, that would be amazing. I do not know the feasibility of that, but it seems like everything is going towards that direction anyway. The sooner Cisco can make use of the app rather than Java, the better.

• ID managers
• Flow replicators
• Flow sensors
• Thick client

Provides easily identifiable anomalies that you can't see with signature detections. 

NetFlow: The beginning of any security investigation starts with NetFlow data. 

One update that I would like to see is an agent-based client. Currently, Stealthwatch is network-based. A local agent could help manage endpoints. 

No issues.

No issues.

I have known these guys for a long time. They are completely familiar with their product.

We did not have a previous solution.

The initial setup is very straightforward. 

The vendor helped in every step of the installation. 

Licensing is done by flows per second, not including outside (in traffic). 

I have tried the Sourcefire solution, but Stealthwatch won out through its ease of use. 

There is nothing like it. It is a dream to operate. It is very intuitive. Go for it.

Also, it is great for a network segmentation project.