April 01, 2003
- Ease of Use:
- Value for Money:
- Overall Rating:
No need to maintain a signature database.
Takes time to profile your network and then needs manual tuning before it is ready to go.
This offers an innovative approach with the advantage of being able to identify unknown attacks.
StealthWatch employs a completely different approach to traditional IDS, based on signature recognition. Instead of looking for signatures, it 'learns' what kind of activity is normal on your network and looks for abnormal events. Behavior-based IDS has some advantages over signature-based IDS, because less processing power is required and previously unknown attacks can be detected.
StealthWatch monitors the data flows between hosts and builds a database of statistics. When installed, you need to wait at least 24 hours to collect statistics on your network traffic. Then, you can examine the database to confirm manually that the activity seen was normal. This takes quite a bit of time and effort, but you only do this at the beginning. Then you can manually fine-tune if some abnormal activity is acceptable between certain hosts but not others.
Once you are certain that the activity seen is normal, you can lock down StealthWatch on this sample of normal traffic flows. After that, alerts are generated when anything out of line with this baseline activity is seen. If traffic patterns change at a later date, re-tuning the baseline usually takes much less time than it did initially.
StealthWatch uses a number of parameters to determine what is normal - for example, per-host traffic levels - and then comes up an alert based on a Concern Index, which indicates how serious StealthWatch considers the suspicious activity. The Concern Index is based on statistical comparison of network traffic with what has been established as baseline normal activity.
Instead of alarming system managers with every probe, port scan or ping, StealthWatch builds a profile of each suspicious host before assessing its threat by calculating the Concern Index. As soon as the Concern Index exceeds a predetermined value, StealthWatch generates alerts by email, pager, SNMP traps, etc.
StealthWatch is supplied as an appliance based on a standard rack-mounted Intel PC platform running a hardened version of Linux. This can be supplied with various NIC configurations, with the top of the range having two separate gigabit monitoring interfaces and one 10/100Mbits/sec administration interface.
Initial configuration is performed by connecting a monitor and keyboard directly to the StealthWatch hardware. After that, StealthWatch is managed through a web-browser interface from any workstation. Communications with the management interface are secured using SSL.
The reporting facilities are excellent. There is a very graphical approach to reporting, with timeline-based graphs of activity, and adequate information is available for subsequent forensic analysis. The flow data is archived to a log file and kept for up to 30 days.
Sign up to our newsletters
SC Magazine Articles
- CISO salaries and demand for cyber-skills skyrockets, surprising no-one
- Skype targeted by T9000 backdoor trojan
- Student SSNs exposed in University of Central Florida breach
- Malwarebytes says sorry for multiple AV bugs, still unpatched
- Ransomware and POS attackers to zero in on small businesses, retailers
- Obama goes hard on cybersecurity, new CNAP commits funds, resources
- NSA reorg could strengthen defense ops
- Pro-Palestine hacktivist makes good on threat, posts data on FBI and DHS personnel
- Microsoft's February Patch Tuesday: 13 bulletins addressing 36 vulnerabilities
- Draft Investigatory Powers Bill draws fire from Parliamentary committee