April 01, 2003
- Ease of Use:
- Value for Money:
- Overall Rating:
No need to maintain a signature database.
Takes time to profile your network and then needs manual tuning before it is ready to go.
This offers an innovative approach with the advantage of being able to identify unknown attacks.
StealthWatch employs a completely different approach from traditional IDS, which is based on signature recognition. Instead of looking for signatures, it 'learns' what kind of activity is normal on your network and looks for abnormal events. Behavior-based IDS has some advantages over signature-based IDS, because less processing power is required and previously unknown attacks can be detected.
StealthWatch monitors the data flows between hosts and builds a database of statistics. When installed, you need to wait at least 24 hours to collect statistics on your network traffic. Then, you can examine the database to confirm manually that the activity seen was normal. This takes quite a bit of time and effort, but you only do this at the beginning. Then you can manually fine-tune if some abnormal activity is acceptable between certain hosts but not others.
Once you are certain that the activity seen is normal, you can lock down StealthWatch on this sample of normal traffic flows. After that, alerts are generated when anything out of line with this baseline activity is seen. If traffic patterns change at a later date, re-tuning the baseline usually takes much less time than it did initially.
StealthWatch uses a number of parameters to determine what is normal, for example per-host traffic levels, and then raises an alert based on a Concern Index, which indicates how serious StealthWatch considers the suspicious activity. The Concern Index is based on statistical comparison of network traffic with what has been established as baseline normal activity.
Instead of alarming system managers with every probe, port scan or ping, StealthWatch builds a profile of each suspicious host before assessing its threat by calculating the Concern Index. As soon as the Concern Index exceeds a predetermined value, StealthWatch generates alerts by email, pager, SNMP traps, etc.
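The workflow the review describes (profile the network, lock down a baseline, tune accepted exceptions, then accumulate a per-host Concern Index until it crosses a threshold) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not StealthWatch's code, and the scoring weights, threshold, host names and flow records are all constructed assumptions, not the product's actual algorithm or data.

```python
"""Toy behaviour-based flow scorer, written as an added illustration of the
workflow the review describes (baseline, lock-down, tuning, Concern Index).
Constructed example; not StealthWatch's actual algorithm or data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed "normal" flows collected during the profiling period.
# Each record: (source_host, dest_host, dest_port, bytes_sent)
BASELINE_FLOWS = [
    ("ws-01", "fileserver", 445, 50_000),
    ("ws-01", "fileserver", 445, 52_000),
    ("ws-01", "fileserver", 445, 48_000),
    ("ws-01", "fileserver", 445, 50_000),
    ("ws-02", "web-proxy", 8080, 1_500),
    ("ws-02", "web-proxy", 8080, 1_700),
    ("ws-02", "web-proxy", 8080, 1_600),
    ("ws-02", "web-proxy", 8080, 1_600),
]

# Manual tuning step: a conversation an analyst reviewed and accepted even
# though it did not appear in the baseline (constructed).
ACCEPTED_EXCEPTIONS = {("ws-02", "fileserver", 445)}

# Hypothetical scoring weights and alert threshold (assumptions).
NEW_HOST_POINTS = 25   # a source host never seen during profiling
NEW_PEER_POINTS = 5    # a known host talking to a new (dest, port) pair
VOLUME_POINTS = 10     # a single flow far above the host's usual size
ALERT_THRESHOLD = 30


def build_baseline(flows):
    """Profile each source host: its peer set and per-flow byte statistics.
    The returned dict is the 'locked down' baseline and is never mutated."""
    sizes = defaultdict(list)
    peers = defaultdict(set)
    for src, dst, port, nbytes in flows:
        sizes[src].append(nbytes)
        peers[src].add((dst, port))
    return {
        host: {
            "mean": mean(sizes[host]),
            # floor of 1 byte so a host with constant flow sizes still has a band
            "stdev": max(pstdev(sizes[host]), 1.0),
            "peers": frozenset(peers[host]),
        }
        for host in sizes
    }


def score_flows(baseline, flows, exceptions=frozenset()):
    """Accumulate a Concern Index per source host over a batch of new flows.

    A single probe adds only a few points; a host is worth alerting on only
    when several suspicious events add up, as the review describes.
    """
    concern = defaultdict(lambda: {"ci": 0, "reasons": []})
    for src, dst, port, nbytes in flows:
        entry = concern[src]
        profile = baseline.get(src)
        if profile is None:
            # Unprofiled host: no baseline to compare against, so every flow counts
            entry["ci"] += NEW_HOST_POINTS
            entry["reasons"].append(f"unprofiled host -> {dst}:{port}")
            continue
        if (dst, port) not in profile["peers"] and (src, dst, port) not in exceptions:
            entry["ci"] += NEW_PEER_POINTS
            entry["reasons"].append(f"new peer {dst}:{port}")
        if nbytes > profile["mean"] + 3 * profile["stdev"]:
            entry["ci"] += VOLUME_POINTS
            entry["reasons"].append(f"{nbytes} bytes to {dst}:{port} exceeds baseline band")
    return dict(concern)


def hosts_to_alert(concern, threshold=ALERT_THRESHOLD):
    """Hosts whose Concern Index has reached the configured threshold."""
    return sorted(h for h, e in concern.items() if e["ci"] >= threshold)


# Constructed flows observed after the baseline was locked down.
NEW_FLOWS = [
    ("ws-01", "fileserver", 445, 51_000),   # within ws-01's normal band
    ("ws-02", "web-proxy", 8080, 1_650),    # within ws-02's normal band
    ("ws-02", "fileserver", 445, 1_500),    # new peer, but an accepted exception
    ("ws-02", "fileserver", 22, 1_500),     # new peer
    ("ws-02", "fileserver", 3389, 1_500),   # new peer
    ("ws-02", "db-01", 1433, 1_500),        # new peer
    ("ws-02", "db-01", 3306, 1_500),        # new peer
    ("ws-02", "db-01", 1433, 900_000),      # new peer and a volume outlier
    ("rogue-07", "db-01", 1433, 2_000),     # host never profiled
]

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_FLOWS)
    concern = score_flows(baseline, NEW_FLOWS, ACCEPTED_EXCEPTIONS)
    for host, entry in concern.items():
        print(host, entry["ci"], entry["reasons"])
    print("alert:", hosts_to_alert(concern))
```

Run as written, ws-02 accumulates 35 points from a run of new peers plus one outsized flow and crosses the threshold, while the single unprofiled host and the normal workstation stay below it; removing the accepted exception from the tuning set adds 5 more points to ws-02, which is the kind of adjustment the review's "fine-tune" step is about.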
StealthWatch is supplied as an appliance based on a standard rack-mounted Intel PC platform running a hardened version of Linux. This can be supplied with various NIC configurations, with the top of the range having two separate gigabit monitoring interfaces and one 10/100 Mbit/s administration interface.
Initial configuration is performed by connecting a monitor and keyboard directly to the StealthWatch hardware. After that, StealthWatch is managed through a web-browser interface from any workstation. Communications with the management interface are secured using SSL.
The reporting facilities are excellent. There is a very graphical approach to reporting, with timeline-based graphs of activity, and adequate information is available for subsequent forensic analysis. The flow data is archived to a log file and kept for up to 30 days.