STEALTHWATCH MANAGEMENT CONSOLE The System by Lancope is a leading solution for network visibility and security intelligence across physical and virtual environments. With the System, network operations and security teams obtain actionable insight into who is using the network, what applications and services are in use and how well they are performing. The System delivers total, unified network visibility from a single, integrated platform to improve threat detection and incident response while increasing network availability and reducing enterprise risk. The Management Console (SMC) provides the single vantage point for disparate IT groups to see contextual information about all activity across the network and to investigate accordingly. It is available as either a physical or virtual appliance. Solve Issues in Minutes, Not Days with Pervasive Network Visibility With the SMC, gone are the days when different IT departments spent hours and even days trying to isolate the root cause of an issue before finally being able to deploy the appropriate personnel to take corrective action. By simply glancing at the SMC s user-friendly graphical interface, operators can immediately spot and zoom in on any unusual behavior. Using the SMC s unique drilldown features, IT personnel can go from identifying the issue to isolating the root cause within minutes, identifying affected applications and users along the way, thereby reducing Mean Time To Know (MTTK), enhancing operational efficiency and decreasing costs. Administrators can rapidly detect and prioritize security threats, pinpoint network misuse and suboptimal performance and manage event response across the enterprise all from a single control center. Armed with The SMC is a centralized control center with customizable views and powerful drill-down capabilities. graphical representations of network traffic, customized summary reports and integrated security and network intelligence, operators can easily identify internal and external attacks, network exposures and policy violations. The SMC also enhances network management through trend analysis, firewall and capacity planning, and performance monitoring. Visualize and Troubleshoot APTs, Malware and Insider Threats The SMC empowers the security team to proactively identify threats on the network that could lead to data breaches or performance issues. From worms, viruses and other malware to targeted attacks, DDoS, insider threats and APTs, the System provides the in-depth visibility and security context needed to thwart evolving threats. The System quickly zooms in on any unusual behavior, immediately sending an alarm to the SMC with the contextual information necessary for security personnel to take quick, decisive action to mitigate any potential damage. 1
By collecting, analyzing and storing large amounts of NetFlow, IPFIX and other types of flow data for extended periods of time, the System also provides a full audit trail of all network transactions for more effective forensic investigations. Comprehensive network intelligence eliminates the time-consuming and resourceintensive manual investigation associated with other solutions. Gain More Insight into Evolving Threats with the New SLIC Threat Feed The Labs Intelligence Center (SLIC) is Lancope s research initiative through which global intelligence on the Internet s top threats is delivered to customers and the public. Lancope s research group, Labs, conducts both in-house research and taps into a broad community of third-party experts and partners to aggregate emerging threat information from around the world. Through the SLIC Threat Feed, Lancope correlates real-time intelligence on global threats with suspicious network activity to alert on hosts infected with advanced malware, including botnet activity. The SMC s sophisticated flow visualization enables operators to immediately understand attack activity, propagation and impact, quickly identifying points of entry to expedite incident response and fortify defenses. Continuously monitoring customer networks for thousands of known command-and-control servers, the threat feed further enhances Lancope s early threat detection capabilities, preventing cyber-attacks from wreaking havoc on corporate and government networks. Accelerate Problem Resolution with Customizable Relational Flow Mapping With real-time, customizable relational flow maps, the SMC provides network operations and security teams with graphical views of the current state of the organization s traffic. Within seconds, these teams can see exactly where to focus their attention. The SMC allows administrators to easily construct maps of their network based on any criteria, such as location, function or virtual environment. By creating a connection between two groups of hosts, operators can quickly analyze the traffic traveling between them. Then, simply by selecting a data point in question, they can drill down to gain even deeper insight into what is happening at any point in time. With the SLIC Threat Feed, data on known botnets is automatically incorporated into the System. 2
Shedding Light on the NAT Blind Spot with NAT Stitching Relational flow maps enable network and security personnel to quickly investigate areas that need attention. Using data from select devices, the System can unify NAT information from inside the firewall with information from outside the firewall to pinpoint which IPs and users inside the network are responsible for a particular action. Access to this unique information prevents would-be hackers and other bad actors from hiding behind NAT. With NAT stitching, organizations can quickly identify the source of any possible outbound attack or copyright violation notice. Analyze Network Traffic Down to the Application and User Level With the advent of Web 2.0, as much as 85% of all network traffic is now going through port 80. As a result, distinguishing between individual applications has become increasingly difficult. Both network operations and security teams need to know what, when and how applications are in use across the enterprise to optimize performance and secure the network. The SMC brings true Layer 7 application visibility to network and security teams by gathering application information and packet-level metrics and displaying them in easily understood pie charts, graphs and tables. In addition, administrators can use the SMC to define their own custom applications based on IP addresses. For example, one group of IP addresses can represent all of the Exchange servers in the organization. Another group of IP addresses can represent all of the DNS servers and so on. Real-time visualization helps network and security teams identify risky user behaviors such as P2P file sharing. How It Works The System stitches NAT communications together to enhance visibility at the network edge. The SMC configures, coordinates and manages the System appliances, including FlowCollector, FlowSensor, and IDentity appliances. As these devices gather intelligence from critical segments throughout the enterprise, they feed it to the SMC. The SMC in turn correlates this information in real time and displays it in an easily understood graphical format. Along with flow export technologies, the System can collect data from other types of technologies, such as firewalls, Web proxies, intrusion detection devices (IDS), intrusion prevention systems (IPS) and network admission control (NAC) systems. The SMC associates this data with behavior-based, flow-driven events, displays it graphically and stores it in the database for further analysis. In addition, the flexible SOAP-compliant Web API provides programmable access to System data from within enterprise applications, such as SIEMs, network managers, trouble-ticketing systems and third-party reporting systems. 3
Management Console or VE FAILOVER Management Console Virtual Edition (VE) Syslog, SNMP NetFlow/sFlow FC or ID FlowReplicator FlowCollector FlowCollector Virtual Edition (VE) Cisco ISE IDentity NetFlow/sFlow + Application Information + Packet-Level Metrics Legacy Traffic Analysis Software NetFlow, Syslog, SNMP NetFlow-enabled Routers, Switches, Firewalls FlowSensor vsphere with FlowSensor VE User and Device Information Feeds of emerging threat information The SMC provides centralized management, configuration and reporting for all System devices. Management Console Features Matrix *Limited functionality with sflow Features Network Security User identity tracking Flexible deployment options, including virtual Quick root-cause analysis, troubleshooting Relational flow maps NAT stitching Custom dashboards Custom reports Automated blocking, remediation or rate limiting Top N reports for applications, services, ports, protocols, hosts, peers and conversations Traffic composition breakdown Customizable user interface based on Point-of-View TM technology Support for multi-gigabit and large-scale MPLS network environments Advanced flow visualization Massive scalability Combined internal and external monitoring Capacity planning and historical traffic trending WAN optimization reporting* DSCP bandwidth utilization Worm propagation visualization Internal security for high-speed networks 4
Management Console Specifications SMC 500 and 1000* SMC 2000* Network Management Port 1; 10/100/1000 Copper Database Capacity 1 TB (RAID-6 Redundant) 2 TB (RAID-6 Redundant) Hardware Platform Hardware Generation Rack Units (Mountable) Power Heat Dissipation Dimensions Weight Rails Regulatory * System v6.5 specifications FCC (U.S. only) Class A DOC (Canada) Class A CE Mark (EN55022 Class A, EN55024, EN61000-3-2, EN 61000-3-3, EN60950) R620 12G 1U Redundant 750W AC, 50/60 Hz Auto Ranging (100V to 240V) 2,891 BTU per hour maximum Height: 1.68 in. (4.3 cm) Width: 17.08 in. (43.4 cm) Depth: 27.25 in. (69.2 cm) 41 lb (18.6 kg) Sliding Ready Rails with Cable Management Arm VCCI Class A UL 1950 CSA 950 Please contact sales@lancope.com for a complete list. SMC Virtual Edition (VE) The SMC Virtual Edition (VE) is designed to perform the same function as the appliance edition, but in a VMware environment. The SMC VE Minimum Resource Requirements table shows the minimum resource requirements for the SMC VE to operate based on the number of FlowCollectors sending it data. However, the SMC VE scales dynamically according to the resources allocated to it. Therefore, for the SMC VE to operate effectively, be sure to allocate resources so that they are reserved for the SMC VE and not shared with any other virtual machine. SMC VE Minimum Resource Requirements FlowCollectors Concurrent Users Reserved Memory Storage 1 Up to 2 4 GB 2 Up to 3 Up to 5 8 GB 3 Up to 5 Up to 10 16 GB 4 Note: If the External Event processing (Syslog) feature is used, then more memory and processing resources will be required. 2014 Lancope, Inc. All rights reserved. Lancope,, and other trademarks are registered or unregistered trademarks of Lancope, Inc. All other trademarks are properties of their respective owners. DSV3-r001-03262014 STEALTHWATCH MANAGEMENT CONSOLE 6.5 DATA SHEET www.lancope.com 5