Compare Security Analytics Solutions

Learn how Cisco Stealthwatch compares with other security analytics products. This solution scales easily, giving you visibility across the entire network. Stealthwatch can detect and respond to advanced threats in real time using machine learning and entity modeling.

Detection

Malware analysis in encrypted traffic
  Cisco Stealthwatch: Uses Encrypted Traffic Analytics.

Data hoarding
  Cisco Stealthwatch: Events accumulate in the Data Hoarding Index, which is metered either by an absolute limit or by the learned behavior of the host or host groups.
  Other product: Can detect an anomaly but not a specific data hoarding event.

Lateral movement
  Cisco Stealthwatch: Provides worm and visual tracking of malware across the network.
  Other product: May detect an anomaly but has no published ability to specifically call out lateral movement.

Complete network audit trail
  Cisco Stealthwatch: Can log every conversation on the network using Flow Collectors and Flow Sensors.
  Other product: Uses sensors only, so is likely to miss some traffic.
  Other product: Flow traffic stored on box.

Reconnaissance
  Cisco Stealthwatch: Can detect fast and slow scanning using a unique algorithm that is highly sensitive to very low scan-rate events.
  Other product: Can detect reconnaissance, but not likely to be as sensitive as Stealthwatch's unique scan algorithm.
  Other product: With optional Flow Analytics.

Machine learning
  Cisco Stealthwatch: Uses multilayer machine learning to provide high-fidelity
  Other product: Has limited baselining capabilities based on broad traffic counts.

Detection (continued)

Exfiltration
  Cisco Stealthwatch: Generates a suspect data loss alarm for hosts exfiltrating more data (including encrypted data) than normal.

Command-and-control
  Cisco Stealthwatch: Can detect multiple security events using analytics and threat intelligence to detect C&C peers.
  Other product: No specific algorithms for C&C.

Anomaly
  Cisco Stealthwatch: Has a mature and proven anomaly system with more than 150 algorithms.
  Other product: With optional Flow Analytics.

Malware
  Cisco Stealthwatch: Can provide zero-day exploit
  Other product: With optional Flow Analytics.

Deployment

Scalability
  Cisco Stealthwatch: Can scale to 6 million flows per second, handle 100 Mbps to 10 Gbps interface connections and spikes in traffic above rated levels, and can collect telemetry from thousands of sensors.
  Other product: Significant configuration and customization is required to support consolidated reporting and flow maps across multiple collectors.

Data storage
  Cisco Stealthwatch: On average, the system can store 30-45 days' worth of flow data, and often much more, for deeper forensic investigation.
  Other product: No reported data to confirm storage capabilities.

Zero-day exploit
  Cisco Stealthwatch: Can detect new or unique malware for which signatures do not yet exist using a behavioral method with more than 90 parameters.
  Other product: Has limited baselining capabilities based on broad traffic counts.

Deployment (continued)

Data compression
  Cisco Stealthwatch: As flows are received by the collector, they are synthesized into bidirectional, memory-resident flows. This reduces false positives and allows efficient data storage and accurate host-level reporting.
  Other product: Not applicable.
  Other product: Some information is discarded.

Deployment model
  Cisco Stealthwatch: Does not require deployment of sensors or expensive probes. Telemetry can simply be turned on from network devices to analyze the network traffic.
  Other product: Customers must purchase sensors and choose links to monitor rather than simply enabling telemetry from network devices and getting all conversations; the model is expensive and difficult to scale.
  Other product: Can consume most flow-based telemetry sources.

Endpoint visibility
  Cisco Stealthwatch: With Cisco AnyConnect 4.2 and later, the Endpoint Data License collects endpoint telemetry using the Cisco Network Visibility Flow (nvzflow) protocol.
  Other product: Lacks features such as enable password, configuration presets for NAD types, and TACACS+ proxy.

Cloud visibility
  Cisco Stealthwatch: Can monitor the public cloud through the SaaS-based Stealthwatch Cloud solution.
  Other product: Uses sensors to monitor the private cloud network and a Cloud Connector for particular apps.
  Other product: Consumes Amazon AWS logs, which are similar to flows and include permit and deny actions.

Data export
  Cisco Stealthwatch: Has integrations with security information systems and offers APIs for custom integration; also supports SOAP and REST APIs.
  Other product: Has a Splunk connector that takes JSON syslog input from an appliance and displays security incidents on Splunk; also links them to reports on the Threat Visualizer.
  Other product: Supports REST API and log outputs.

Alarm notifications
  Cisco Stealthwatch: Provides email or syslog export to the SIEM system, Netcool, Remedy ticketing system, etc., with email, SNMP, and syslog notifications.
  Other product: Provides formatted syslog output.
  Other product: Provides outbound logging and alerting.

Investigation

Full-scope investigative workflows
  Cisco Stealthwatch: Can investigate long-running security events. Generates context-based and custom alarms, ties username to IP address, monitors interface use, performs deep packet inspection, and logs every network conversation.
  Other product: Classifies the threat it detects and visualizes it on the Threat Visualizer interface.
  Other product: Lacks customizable interfaces, rapid historical trending, automated remediation capabilities, and root cause analysis tools.

Effectiveness for enterprise customers
  Cisco Stealthwatch: Simplifies segmentation by logical host-group modeling to organize users by location, IP address, function, etc.; provides customized notification details and formats with alarm acknowledgment.
  Other product: so scaling to enterprises is difficult
  Other product: Significant configuration and customization is required to support consolidated reporting and flow maps across multiple collectors.

Flexible query and filtering system
  Cisco Stealthwatch: Can query on all captured fields. Advanced search is available for encrypted traffic, covering the encryption key exchange, encryption algorithm, key length, TLS/SSL version, etc.
  Other product: Not applicable.
  Other product: No comparison information available in published materials.

Cyberthreats dashboard
  Cisco Stealthwatch: Provides pertinent information for SecOps personnel, such as which indexes are populated with alerts, which alarms are active, which hosts have the most alarms associated with them, etc. Also provides the ability to obtain more details and associated telemetry.
  Other product: Primarily a security tool, and the workspace is focused on SecOps.
  Other product: Dashboard-based for security and network monitoring.

Visualization and mapping
  Cisco Stealthwatch: Generates automatic maps such as worm propagation paths and custom relationship maps, allowing the visualization of any set of hosts and how they communicate with any other set.
  Other product: Heavily graphics oriented.
  Other product: Simple graphs and charts.

Incident investigation
  Cisco Stealthwatch: The UI is organized around persona-based workflows, leading administrators immediately to the root causes and supporting information.
  Other product: Has a Threat Visualizer that enables visibility and the handling of threats.
  Other product: Investigative workflows are provided.

Context

Contextual data richness
  Cisco Stealthwatch: Integrated with Cisco Identity Services Engine (ISE). Enables host information look-up such as user ID, MAC address, device type, and switch port information; does not require a separate query to look up the associated user because user ID can be written
  Other product: Integrated with Active Directory for user data.
  Other product: Offers sensors focused on a variety of data, including app performance and DNS deep dives.

Identity data
  Cisco Stealthwatch: Integrated with Cisco ISE, Cisco ASA products (NSEL), DHCP/RADIUS servers, and Active Directory authentication servers for identity-to-telemetry correlation.
  Other product: Integrated with Active Directory for user data.
  Other product: Integrated with Active Directory.

Routing and switching vendor integration
  Cisco Stealthwatch: Routers, switches, firewalls, and wireless controllers are the primary data source. Can natively parse many versions of telemetry and NetFlow from multiple vendors, such as IPFIX and sFlow, plus other Layer 7 protocols.
  Other product: Requires SPAN or TAP for each monitored link and is limited to what's on the link.

URL data capture
  Cisco Stealthwatch: Flow Sensors can extract URL data used by the Flow Collectors and Management Center. URL data can be queried based on operators. Also integrated with Cisco Security Packet Analyzer, which can download the exact datagrams that the flow represents in PCAP format.
  Other product: Completely sensor-based and has visibility into packet data.
  Other product: Can capture URL data using sensors.

Context (continued)

NetFlow generation for VMware environments
  Cisco Stealthwatch: Uses the virtual switch NetFlow export feature or virtual flow sensor.
  Other product: Not applicable.
  Other product: Not applicable because it uses sensors to log traffic.
  Other product: Can consume NetFlow telemetry from VMware.

Collection of application and L7 flow data
  Cisco Stealthwatch: Maintains flow state (active, inactive, or ongoing); generates NetFlow based on SPAN port monitoring or TAPs; has proxy integration; provides application identity for multiple vendors such as Palo Alto Networks and L7 Defense; and uses NBAR and NBAR2 with the Flow Sensor.
  Other product: Uses probes that parse this data directly from raw packets.
  Other product: Can receive firewall data, flow from a SPAN with a sensor, and app ID from a sensor or firewall. No NBAR support or proxy integration.

Full packet capture
  Cisco Stealthwatch: Integrated with the Cisco Security Packet Analyzer, a tool installed on a SPAN or TAP that maintains a rolling buffer of datagrams on a segment and provides the ability to download the exact datagrams that the telemetry represents in PCAP format, and even the files contained within the PCAP. It can also launch the packet decoding instead of downloading another app.
  Other product: Unknown.
  Other product: No comparison information available in published materials.
  Other product: No ability for full packet capture.

Encrypted traffic analysis
  Cisco Stealthwatch: Uses Encrypted Traffic Analytics or enhanced telemetry from the Cisco network to detect malware and to help ensure crypto compliance. Stealthwatch analyzes encrypted traffic using advanced machine learning and global threat intelligence.
  Other product: Might be able to detect some anomalous behavior in encrypted traffic.
  Other product: No ability to analyze encrypted traffic.

wide reputation scoring
  Cisco Stealthwatch: Creates index-based scoring for every host that tallies unusual activity by the host.
  Other product: Unknown.
  Other product: Anomaly model might be using a global scoring mechanism.
  Other product: No concept of security indexes; triggers only raw alerts and alarms.

Threat Intelligence

Threat intelligence feed
  Cisco Stealthwatch: The Stealthwatch Threat Intelligence License and Global Risk Map, powered by Talos, is a threat feed from a number of sources, updated at least once an hour. It aims to provide a zero-false-positive information set.
  Other product: A threat feed that has a list of known malicious sites is available.
  Other product: None, although it has a DNS-focused appliance for detecting DNS issues.

Exploitation
  Cisco Stealthwatch: Can detect insider threats like data exfiltration and command-and-control communications, plus long and slow attacks. Security events feed the indexes to trigger alarms by means of behavioral algorithms and absolute limits that can be set by the operator.
  Other product: Detection of a number of exploits is called out, but the scope is unknown.

Threat intelligence sharing
  Cisco Stealthwatch: Stealthwatch Threat Intelligence data is used by Cisco Talos, and vice versa. Cisco shares data with hundreds of partners, customers, and providers through the Aegis, Crete, and Aspis programs, and is a founding member of the Cyber Threat Alliance.

2018 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.