April 01, 2003
No need to maintain a signature database.
Takes time to profile your network and then needs manual tuning before it is ready to go.
This offers an innovative approach with the advantage of being able to identify unknown attacks.
StealthWatch takes a completely different approach from traditional, signature-based IDS. Instead of matching traffic against a library of known attack signatures, it 'learns' what kind of activity is normal on your network and looks for deviations from that norm. Behaviour-based IDS has some advantages over signature-based IDS: there is no per-packet signature matching, so less processing power is required, and previously unknown attacks can be detected because they show up as abnormal activity rather than as a missing signature.
StealthWatch monitors the data flows between hosts and builds a database of statistics. When installed, you need to wait at least 24 hours to collect statistics on your network traffic. Then you examine the database to confirm manually that the activity seen was in fact normal (a baseline learned while an intruder was already active would treat that intruder's traffic as normal). This takes quite a bit of time and effort, but you only do it at the beginning. Then you can fine-tune manually where activity that would otherwise be flagged is acceptable between certain hosts but not others.
Once you are certain that the activity seen is normal, you can lock down StealthWatch on this sample of normal traffic flows. After that, alerts are generated when anything out of line with this baseline activity is seen. If traffic patterns change at a later date, re-tuning the baseline usually takes much less time than it did initially.
StealthWatch uses a number of parameters to determine what is normal - for example, per-host traffic levels - and then raises an alert based on a Concern Index, which indicates how serious StealthWatch considers the suspicious activity. The Concern Index is based on a statistical comparison of observed network traffic with what has been established as baseline normal activity.
Instead of alarming system managers with every probe, port scan or ping, StealthWatch builds a profile of each suspicious host before assessing its threat by calculating the Concern Index. As soon as the Concern Index exceeds a predetermined value, StealthWatch generates alerts by email, pager, SNMP traps, etc.
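The learning, manual-tuning and Concern Index stages described above can be sketched in a few dozen lines. The following is an added illustration of the general technique, not Lancope's code and not StealthWatch's actual scoring formula: it baselines per-host flow statistics (bytes per flow, ports used, peers contacted) from a learning-period sample, lets an operator declare specific host/port combinations acceptable, then scores later flows by deviation from the baseline and accumulates a per-host concern index that fires a single alert once it crosses a threshold. All flow records, the point values and the threshold are constructed assumptions for the example.

```python
"""Toy behaviour-based flow monitor (added example, not vendor code).

Baseline per-host flow statistics from a learning period, then score later
flows by deviation from that baseline and accumulate a per-host concern
index that triggers an alert once it crosses a threshold. All flow records,
point values and thresholds are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str          # source host
    dst: str          # destination host
    dport: int        # destination port
    byte_count: int   # bytes carried by the flow


class FlowBaseline:
    """Learns what is 'normal' per source host from a sample of flows."""

    def __init__(self, flows):
        by_src = defaultdict(list)
        for f in flows:
            by_src[f.src].append(f)
        # per host: mean/stdev of bytes per flow, plus the ports and peers normally used
        self.stats = {}
        for src, fl in by_src.items():
            sizes = [f.byte_count for f in fl]
            self.stats[src] = {
                "mean": mean(sizes),
                "stdev": pstdev(sizes) or 1.0,   # constant traffic: avoid division by zero
                "ports": {f.dport for f in fl},
                "peers": {f.dst for f in fl},
            }
        # manual tuning: (src, dst, dport) triples an operator has declared acceptable
        self.exceptions = set()

    def allow(self, src, dst, dport):
        self.exceptions.add((src, dst, dport))

    def score(self, f):
        """Concern points for one flow; 0 means consistent with the baseline."""
        if (f.src, f.dst, f.dport) in self.exceptions:
            return 0
        st = self.stats.get(f.src)
        if st is None:
            return 5                          # host never seen in learning: moderately concerning
        points = 0
        z = abs(f.byte_count - st["mean"]) / st["stdev"]
        if z > 3:
            points += 3                       # volume far outside this host's norm
        if f.dport not in st["ports"]:
            points += 2                       # service port this host never used before
        if f.dst not in st["peers"]:
            points += 1                       # peer this host never talked to before
        return points


class ConcernMonitor:
    """Accumulates concern per source host and alerts once a threshold is crossed."""

    def __init__(self, baseline, threshold=10):
        self.baseline = baseline
        self.threshold = threshold
        self.concern = defaultdict(int)
        self.alerted = set()

    def observe(self, f):
        self.concern[f.src] += self.baseline.score(f)
        if self.concern[f.src] >= self.threshold and f.src not in self.alerted:
            self.alerted.add(f.src)           # alert once per host, not once per flow
            return f"ALERT {f.src} concern={self.concern[f.src]}"
        return None


# constructed 'learning period' sample: two hosts with steady, unremarkable traffic
LEARNING = [Flow("10.0.0.5", "10.0.0.10", 80, n) for n in (1000, 1100, 900, 1050, 950)]
LEARNING += [Flow("10.0.0.6", "10.0.0.11", 443, n) for n in (5000, 5200, 4900, 5100, 5000)]

# constructed 'monitoring' sample: one normal flow, then host .5 probes new ports on a new peer
MONITOR = [Flow("10.0.0.5", "10.0.0.10", 80, 1020)] + \
          [Flow("10.0.0.5", "10.0.0.12", p, 60) for p in (21, 22, 23, 25, 135)]


def run(flows_learn=LEARNING, flows_mon=MONITOR, threshold=10):
    """Baseline on flows_learn, monitor flows_mon; return (alerts, final concern per host)."""
    base = FlowBaseline(flows_learn)
    mon = ConcernMonitor(base, threshold)
    alerts = [a for a in (mon.observe(f) for f in flows_mon) if a]
    return alerts, dict(mon.concern)


if __name__ == "__main__":
    for a in run()[0]:
        print(a)
```

Note what the example does and does not reproduce from the review: the normal-looking first flow scores nothing, each probe adds a few points, and the alert fires only once the accumulated index passes the threshold, so a single stray ping never alerts on its own. The `allow()` method is the "acceptable between certain hosts but not others" tuning step; with it, the same probe to a host the operator has approved scores zero.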
StealthWatch is supplied as an appliance based on a standard rack-mounted Intel PC platform running a hardened version of Linux. This can be supplied with various NIC configurations, with the top of the range having two separate gigabit monitoring interfaces and one 10/100Mbits/sec administration interface.
Initial configuration is performed by connecting a monitor and keyboard directly to the StealthWatch hardware. After that, StealthWatch is managed through a web-browser interface from any workstation. Communications with the management interface are secured using SSL.
The reporting facilities are excellent. There is a very graphical approach to reporting, with timeline-based graphs of activity, and adequate information is available for subsequent forensic analysis. The flow data is archived to a log file and kept for up to 30 days.