News & Events

An Introduction To Cisco Stealthwatch

  • 11 August, 2020

Article, Cisco, Cloud, Security

Stealthwatch is now called Cisco Secure Network Analytics. See here.

To read about the new features that come with Stealthwatch 7.0, please click here.

If you are reading this, the chances are that you’ve been hearing the name Cisco Stealthwatch being mentioned everywhere and want it explained in a more simple way. This article aims to assist you in understanding what Stealthwatch does, how it works, and its immense value to your network and business.

Learn about our Network Security Visibility Assessment.

What is Stealthwatch?

In essence, Cisco Stealthwatch drastically enhances threat defence by giving detailed network visibility and security analytics. It helps you know every host, record every conversation, understand what is normal, it alerts you to change, and enables you to respond to threats quickly. Stealthwatch applies machine learning and statistical modeling to the network telemetry collected from all across the extended network, including data center, branch, endpoints and cloud .

Stealthwatch collects telemetry from every part of the network and applies advanced security analytics to the data. It creates a baseline of normal web and network activity for a network host, and applies context-aware analysis to automatically detect anomalous behaviors. Stealthwatch can identify a wide range of attacks, including malware, zero-day attacks, distributed denial-of-service (DDoS) attempts, advanced persistent threats (APTs), and insider threats.

Stealthwatch is also integrated with a cloud-based threat detection and analytics platform that applies a combination of supervised and unsupervised machine learning to learn from what it sees and adapt to changing network behavior over time. It really is a win-win.

stealthwatch diagram

So, Cisco Stealthwatch can get additional contextual information to identify and prioritize new and emerging threats across the extended network. The advanced security analytics allow you to have deep visibility into both web and network traffic. This contextual information provides visibility and analytics giving you the ability to identify and prioritise emerging threats across the extended network. Now, you can detect threats that have bypassed existing security controls and identify data exfiltration to legitimate cloud services.

Stealthwatch uses several different techniques to uncover any undesired files or malware with some being relatively simple. One way it can uncover shady files is by reviewing unencrypted handshake patterns for known undesirable destinations. Handshaking in technology is similar to what you might guess it is. When a computer communicates with another foreign device such as a modem, a handshaking process will take place in order to establish rules for the communication. By reviewing this information, Stealthwatch can make decisions on a file based on its destination or origin.

It also searches for things such as self-signed certificates and other signs of sloppiness or bad intention. A self-signed certificate is an identity certificate that is signed by the same entity whose identity it certifies which can obviously be a security issue. In the past, hackers have used crafted self-signed certificates that use the names of legitimate businesses or individuals in an effort to obscure the nature of the malicious traffic. Stealthwatch prevents this from happening.

Below is a video which explains how Stealthwatch Enterprise works.

Cisco security cheat sheet free

How does Stealthwatch work?

In 2016, Cisco researchers discovered that malware leaves recognisable traces even in encrypted traffic. Now they are using this discovery to release a new technology known as Encrypted Traffic Analytics (ETA). Encryption is important in security. But although you may use encryption to protect data and privacy, attackers use it to conceal malware and evade detection by network security products.

Currently, around 55% of traffic through networks is encrypted, this is expected to rise to around 75% by 2019 (NSS). 70% of cyber attacks will use encryption in 2019 according to Gartner. Clearly a tool to monitor all this traffic is vital as the volume of cybercrime every year is increasing exponentially.

With Cisco Stealthwatch and its enhanced analytics capabilities, you can better understand whether encrypted traffic on the network is malicious. The enhanced network telemetry from the latest Cisco routers and switches is collected by Cisco Stealthwatch Enterprise. It uses advanced entity modelling and multilayered machine learning, constantly identifying who is on the network and what they are doing, and can detect anomalous behaviour in real-time to identify threats.

It also uses a global threat map to identify and correlate known global threats to the local environment. This considerably improves the fidelity of malware detection in encrypted traffic, and at the same time provides end-to-end confidentiality and maintains channel integrity because there is no decryption—an industry first.

Here is a short video that explains ETA.

What are the benefits of using Stealthwatch?

Where Stealthwatch beats many other security services is the visibility it gives the user. When Stealthwatch is activated you can attain an extremely high level of visibility into network and cloud traffic in a matter of minutes. This is an invaluable tool to keeping your organisation secure from threats because as time goes on, more and more devices will be connecting to your cloud; 63 million new devices will be attaching to enterprise networks every second by 2020 (Gartner). It’s impossible to know which devices are infected with malware without security like this in place. Stealthwatch leverages network telemetry to increase visibility and context into all of your users, a feature that no other security service performs as efficiently.

Because it uses entity modelling you can confidently detect threats, data exfiltration (unauthorised transfer of data) and much more. Traffic is monitored automatically so when questionable behaviour occurs you know about it immediately and you have all the information needed to solve the problem. Knowing that you have a top of the range security system constantly working across your extended network can give you real peace of mind as the constant threat of an attack can be extremely stressful.

Here are a few more of the many benefits you will gain when you implement Cisco Stealthwatch.


Gain visibility across all network conversations, including east-west and north-south traffic, to detect both internal and external threats


Drastically simplify your network segmentation, performance monitoring, and your capacity planning


Conduct advanced security analytics and obtain in-depth context to detect a wide range of anomalous behaviors that may signify an attack


Ensure enterprise compliance by identifying the extent as well as the quality of encryption in the network


Accelerate and improve threat detection, forensics, and incident response across your entire network, including encrypted traffic


Achieve far greater visibility and and anomaly detection with advanced and accurate global and local traffic correlation


Enable deeper forensic investigations with audit histories of network activity


Identify insider threats by obtaining contextual information from cloud services

Free Cisco Licensing Cheat Sheet

Stealthwatch Cloud vs. Stealthwatch Enterprise?


To conclude, there is no doubt Cisco Stealthwatch is a revolutionary service. Encrypted malware is becoming a new favourite method of attack for hackers and the fact that Stealthwatch can prevent it is priceless for any organisation. Although the intricacies of how it works can be confusing, hopefully this article has helped you understand it slightly more.

Learn about our Network Security Visibility Assessment.

To read about the new features that come with Stealthwatch 7.0, please click here.


Tesrex also provide a full range of services centred around Cyber-Security. Contact us to arrange a consultation and to find out more about how we can help you understand where you are and how to get to where you want to be.

Talk to Tesrex

Ask an expert some questions or see a demo. We’d love to help you!