Your applications are on the move – how do you secure them everywhere?

The applications we need to do business are no longer just residing in a single, physical data center. Sure, there are some applications running in your on-premises data center. But some are also running in offsite data centers. Or in your private cloud. Or on Amazon Web Services. Many are likely moving in between these various platforms on a regular basis – for example, from on-prem to cloud, and back.

Recent research conducted as part of our CISO Benchmark Survey indicates that organizations are deploying roughly a third of their new technology via physical infrastructure, a third virtually, and another third in the cloud. So how do we effectively control and secure this new, dynamic environment without hindering productivity and user experience?

Moving Security Closer to the Application

Due to the shifts in the way organizations deploy and access applications, the concept of application security must expand. It’s no longer just about testing for software vulnerabilities (though, that is of course part of it). Today’s application security must be multi-faceted, taking into account concepts including visibility, segmentation, access control, performance monitoring, and more. Many of the security concepts already applied to the network must now also be applied directly to the applications themselves.

This week at Cisco Live, we are unveiling our new approach to this challenge, called Cisco Application-First Security.

Cisco Application-First Security for 360° Application Protection

Cisco Application-First Security is designed to leave no stone unturned when it comes to protecting an application. It combines several of our security products into one holistic solution for making sure applications are protected no matter where they go and how they are used. Application-First Security allows organizations to:

  1. See which applications are running and what they are doing – regardless of where they are – to baseline behaviors and uncover any software vulnerabilities or suspicious processes.
  2. Enable automated microsegmentation and application whitelisting to minimize the spread of attacks laterally throughout the data center and network.
  3. Enforce security policies at scale, for thousands of applications, and across hybrid, multi-cloud data centers – without impacting reliability and performance.

Cisco Application-First Security helps you secure your applications running anywhere at the speed of your business with protection that is continuous, adaptive, and closer to the applications. This Application-First Security model allows you to confidently move your business in any direction you demand with security being an enabler for your development teams. With greater insight and control over your applications, you are able to make intelligent decisions, achieve compliance, and reduce risk.

Our new Application-First Security solution consists of the following products:

Cisco Tetration

Cisco Tetration provides holistic workload protection for multi-cloud data centers. It automatically discovers and baselines application behaviors and dependencies, then generates policy for microsegmentation. Policies are enforced at scale, consistently across workloads. Tetration can also track behavior changes to keep the policy up to date as applications move and evolve.

The Tetration platform can also detect issues such as software vulnerabilities, process behavior anomalies, and malware. If issues are identified, it can proactively quarantine servers and block communication. Tetration enforces policy across thousands of applications and hundreds of millions of policy rules – and across bare metal servers, virtual machines, and containers.

Cisco Stealthwatch Cloud

Visibility into the rest of the network is just as critical as application visibility. Cisco Stealthwatch Cloud is a SaaS service that provides complete visibility into network and cloud traffic. It collects telemetry data across the entire network to automatically monitor traffic and identify anomalies that could signify risk – even in encrypted communications.

Stealthwatch can uncover both known and unknown, internal and external threats, improving incident detection and response. In addition to monitoring on-premises infrastructure and private clouds, Stealthwatch can monitor all public cloud environments including Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

Duo Beyond

Duo Beyond from Duo Security (now a part of Cisco) allows you to: 1) identify corporate versus personal devices trying to connect to your environment, 2) block untrusted endpoints, and 3) give your users secure access to internal applications without using VPNs. Duo Beyond expands secure access past traditional, perimeter-based network security with the power to grant access to any application, to any user, from any device, while maintaining security.

With Duo Beyond, you can:

  • Differentiate between corporate and personal devices.
  • Limit sensitive data access to only corporate devices.
  • Limit remote access to specific applications without exposing the network.

AppDynamics

Security and performance go hand in hand. It’s crucial to verify that thorough security measures do not result in a slower network. That’s why our Application-First Security solution includes powerful application performance monitoring from AppDynamics, now a part of Cisco. AppDynamics provides details needed to quickly resolve issues, make user experience improvements, and ensure that applications are always meeting performance expectations – even in the most complex, multi-cloud environments.

Get Started

In today’s threat environment, no one solution can protect corporate infrastructure. Together, the above products provide the visibility and control needed to quickly identify and remediate attack attempts or other risks to application security. Application-First Security also works in conjunction with the rest of Cisco’s comprehensive security portfolio.

Get started on the path to effective, application-first security. And find out how South Africa’s oldest bank powers and protects its data center and applications with Cisco – decreasing problem resolution time from tens of hours to just minutes.

“In addition to security, visibility, and availability, Cisco technologies give all of us the ability to sleep at night.” – First National Bank, South Africa

Subscribe to our Cisco Live blog series to stay updated on all of our Cisco Live 2019 announcements.

The post Your applications are on the move – how do you secure them everywhere? appeared first on Cisco Blog.

Security Analytics and Logging: Supercharging FirePower with Stealthwatch

When we consider network threat detection, most of us immediately think of signature and rule-based intrusion detection and prevention systems (IDPSs). However, it is a little discussed fact that the very first intrusion detection systems, built back in the ‘80s, were actually based on anomaly detection!

Those pioneers understood that with the presence of zero-days and the lack of exhaustive black-lists, we needed to use the full range of analytical techniques at our disposal to be effective.

Those anomaly detection roots may not be so evident in today’s IDPSs; however, they were not totally lost. In fact, a whole new branch of network threat detection systems was developed that used those very same anomaly detection techniques. That heritage manifests itself today in so-called Network Traffic Analysis (NTA) tools.

While IDPSs have made detecting the initial intrusion in the packet stream their relentless focus, NTA systems take a very different approach. They generally work on metadata generated from the network, often called network flows, so they can expand our scope of analysis in both time and space to become essential in post-breach analysis, incident response, and even threat hunting situations.

Well Cisco has arranged a family reunion!

We are proud to announce the combination of our best-in-class IDPS and NTA products, Cisco Firepower and Cisco Stealthwatch. The Security Analytics and Logging (SAL) solution brings the best of perimeter-based protection and detection with the power of visibility and security analytics over the entire network. We believe we have created the most comprehensive network-centric threat protection, detection, and response solution – something that only Cisco is in the position to achieve.

Raising the bar on Network Security

It is very well understood how IDPSs are effective in security protection: blocking activity that can be identified as a threat or that violates some policy. However, we accept that threats still get through, and that is why IDPSs have robust rules-based detection engines built on content inspection.

But what do we do with all these detections? What if the traffic cannot be inspected? What if decryption is not an option? What if the threat is spreading internally?

Security Analytics and Logging service is specifically designed to augment your Cisco Firepower deployment with security analytics, from the Stealthwatch Cloud platform, to drive improved threat detections and provide the insight needed for more effective protection.

It All Starts with Visibility

The foundation of the solution is the aggregation of the connection and detection logs from Cisco Firepower with the network flows that the Stealthwatch platform collects. Just think about that. A dataset that gives us unprecedented visibility into the entire breadth of your network from perimeter to access, from campus to branch. But that’s not all! That “general ledger” not only contains all the header-based metadata, but now also includes all the metadata and inferences derived from all the deep content-inspection the Cisco Firepower engine provides.

Now you might be thinking to yourself, “there are plenty of tools I can use to gain this type of visibility.” However, in practice the sheer volume, velocity, and variety of the data can lead to staggering costs. The Stealthwatch team has made working at these scales our speciality and because our back ends are optimally engineered for the security outcomes we desire, we can offer this visibility in a much more cost-effective manner.

Security Analytics Driving Rapid Response

With all that visibility comes the opportunity to apply security analytics that can detect breaches that have bypassed the content-inspection based rules at the perimeter.

The security analytics powered by Stealthwatch can achieve this by baselining normal behavior of endpoints on the network in a process we call entity modelling. These models are then used to detect malicious activity based on any changes in behavior and indicators of compromise. The Stealthwatch engine can then combine these observations with others that may come from other parts of the network or even the detection engine in Cisco Firepower to create reliable and useful alerts.
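As an added illustration of the baselining idea described above (this is not Stealthwatch code; the flow records, the z-score threshold, the observation tags and the IDPS event names are all constructed for the example), the Python sketch below builds a per-host behaviour model from a baseline window of flows, scores new flows for deviations from that model, and raises an alert only when several independent observations, including an IDPS detection, line up for the same entity:

```python
"""Entity modelling sketch: baseline per-host flow behaviour, score new
flows against it, and correlate the results with IDPS events.
Added illustration only; all records and thresholds are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: (src_ip, dst_ip, dst_port, bytes_out)
BASELINE_FLOWS = [
    ("10.1.1.5", "10.1.2.10", 443, 12000),
    ("10.1.1.5", "10.1.2.10", 443, 15000),
    ("10.1.1.5", "10.1.2.11", 53, 300),
    ("10.1.1.5", "10.1.2.10", 443, 13000),
    ("10.1.1.5", "10.1.2.11", 53, 250),
    ("10.1.1.5", "10.1.2.10", 443, 14000),
    ("10.1.1.6", "10.1.2.10", 443, 8000),
    ("10.1.1.6", "10.1.2.20", 22, 5000),
    ("10.1.1.6", "10.1.2.20", 22, 4500),
    ("10.1.1.6", "10.1.2.10", 443, 9000),
]

# Constructed "new" observation window plus one constructed IDPS event.
NEW_FLOWS = [
    ("10.1.1.6", "10.1.2.10", 443, 8500),          # ordinary for this host
    ("10.1.1.5", "203.0.113.7", 4444, 50_000_000),  # new peer, new port, huge volume
    ("10.1.1.7", "10.1.2.10", 443, 1000),           # host never seen in baseline
]
IDPS_EVENTS = [("10.1.1.5", "example-signature-hit")]  # (host, signature name), constructed


def build_models(flows):
    """Per source entity: ports and peers seen, plus bytes-per-flow statistics."""
    models = defaultdict(lambda: {"ports": set(), "peers": set(), "bytes": []})
    for src, dst, port, nbytes in flows:
        m = models[src]
        m["ports"].add(port)
        m["peers"].add(dst)
        m["bytes"].append(nbytes)
    for m in models.values():
        m["mean"] = mean(m["bytes"])
        m["std"] = pstdev(m["bytes"]) or 1.0  # avoid division by zero on flat baselines
    return dict(models)


def score_flow(models, flow, z_threshold=3.0):
    """Return the list of observation tags a single new flow triggers."""
    src, dst, port, nbytes = flow
    m = models.get(src)
    if m is None:
        return ["new_entity"]
    obs = []
    if port not in m["ports"]:
        obs.append("new_port")
    if dst not in m["peers"]:
        obs.append("new_peer")
    if (nbytes - m["mean"]) / m["std"] > z_threshold:
        obs.append("volume_spike")
    return obs


def correlate(models, flows, idps_events, min_signals=2):
    """Merge behaviour observations with IDPS events per host; alert when
    at least min_signals distinct signals agree on the same entity."""
    signals = defaultdict(set)
    for f in flows:
        for o in score_flow(models, f):
            signals[f[0]].add(o)
    for host, sig in idps_events:
        signals[host].add("idps:" + sig)
    return {h: sorted(s) for h, s in signals.items() if len(s) >= min_signals}


if __name__ == "__main__":
    models = build_models(BASELINE_FLOWS)
    for host, sigs in correlate(models, NEW_FLOWS, IDPS_EVENTS).items():
        print(host, sigs)
```

The single-host-never-seen case (`10.1.1.7`) produces only one signal and so does not alert on its own; the point of the correlation step is that a new peer, a new port, a volume spike and an IDPS hit on the same host together make a far more reliable alert than any of them alone.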

Through this, you get detection of internal and external threats based on the analysis of network telemetry and IDPS logs, all from within Cisco Defense Orchestrator (CDO) and from that same interface, you can modify your network-wide policy to immediately deploy a remediation strategy. In addition, CDO is fully integrated with Cisco Threat Response which allows you to build incident casebooks and drive response actions across the whole of the Cisco security portfolio.

Closing the Loop: Improving Protection through Policy Tuning

Up until now, I have discussed the during and after phases of an attack, but with SAL we can close the loop and reason more effectively about the before phase. In this phase we, as security practitioners, try to understand what is actually on our networks and what activity is to be allowed or blocked.

We express this intent through policies that enshrine both threat defense and compliance considerations. But designing and managing these policies across an increasingly complex digital business has historically been a major challenge and can leave many organizations vulnerable to attack.

The insight that SAL brings to the game drastically improves the way you can make policy decisions from within CDO. Through this capability you can query the logs collected from Cisco Firepower devices to play out what-if scenarios and validate the correct behavior of the policy at the enforcement point. In addition, the extended visibility of the rest of the network that the Stealthwatch platform provides can even allow you to determine if traffic is bypassing your enforcement points.
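The two checks just described, replaying logged connections against a candidate policy and spotting traffic that never reached the enforcement point, can be sketched in a few lines of Python. This is an added illustration, not CDO or Firepower code: the rule format, the connection-log fields, the flow records and the address ranges are all constructed for the example.

```python
"""What-if policy replay over connection logs, plus an enforcement-bypass
check that compares network-telemetry flows against what the firewall logged.
Added illustration only; policy format, log fields and flows are constructed."""
from ipaddress import ip_address, ip_network

# Constructed candidate policy: first matching rule wins, default deny.
CANDIDATE_POLICY = [
    {"name": "allow-web", "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "ports": {80, 443}, "action": "allow"},
    {"name": "allow-dns", "src": "10.1.0.0/16", "dst": "10.1.2.11/32", "ports": {53}, "action": "allow"},
    {"name": "deny-smb-out", "src": "10.1.0.0/16", "dst": "0.0.0.0/0", "ports": {445}, "action": "block"},
]

# Constructed connection-log entries; "logged" is the verdict the enforcement
# point recorded under the policy that was in force at the time.
CONNECTION_LOG = [
    {"src": "10.1.1.5", "dst": "198.51.100.8", "port": 443, "logged": "allow"},
    {"src": "10.1.1.5", "dst": "10.1.2.11", "port": 53, "logged": "allow"},
    {"src": "10.1.1.9", "dst": "198.51.100.9", "port": 445, "logged": "allow"},
    {"src": "10.1.1.9", "dst": "198.51.100.9", "port": 8080, "logged": "block"},
]

INSIDE = ip_network("10.1.0.0/16")  # constructed internal range

# Constructed flows seen by network telemetry rather than by the firewall.
NETWORK_FLOWS = [
    ("10.1.1.5", "198.51.100.8", 443),
    ("10.1.1.9", "198.51.100.9", 445),
    ("10.1.1.12", "203.0.113.40", 22),  # leaves the site but has no firewall log
    ("10.1.1.5", "10.1.2.11", 53),      # internal, never crosses the enforcement point
]


def evaluate(policy, conn):
    """First-match evaluation; returns (verdict, rule name)."""
    s, d = ip_address(conn["src"]), ip_address(conn["dst"])
    for rule in policy:
        if s in ip_network(rule["src"]) and d in ip_network(rule["dst"]) and conn["port"] in rule["ports"]:
            return rule["action"], rule["name"]
    return "block", "default-deny"


def what_if(policy, log):
    """Replay every logged connection against the candidate policy and
    report each one whose verdict would change, with the rule responsible."""
    changes = []
    for conn in log:
        verdict, rule = evaluate(policy, conn)
        if verdict != conn["logged"]:
            changes.append({**conn, "candidate": verdict, "rule": rule})
    return changes


def find_bypass(flows, log):
    """Flows that leave the internal range but have no matching connection-log
    entry: traffic the enforcement point never saw."""
    seen = {(c["src"], c["dst"], c["port"]) for c in log}
    return [
        f for f in flows
        if ip_address(f[0]) in INSIDE and ip_address(f[1]) not in INSIDE and f not in seen
    ]


if __name__ == "__main__":
    for change in what_if(CANDIDATE_POLICY, CONNECTION_LOG):
        print("verdict would change:", change)
    for flow in find_bypass(NETWORK_FLOWS, CONNECTION_LOG):
        print("bypassed enforcement point:", flow)
```

Replaying the log before pushing a policy change shows exactly which past connections the new rule set would have treated differently, which is the what-if validation the text refers to; the bypass check is only possible because the flow dataset is wider than the firewall's own view.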

You can then turn around and deploy these highly tuned policies across the entire portfolio of security products right from within CDO! This is an entirely new paradigm that is required to not only scale with your growing network but also help you seamlessly manage policies across your environment powered by intelligence and insight.

I have been in and around security analytics and threat detection for almost 16 years and have seen many cool improvements and integrations, but this one excites me in a way that I have not been before.

This is truly a case where one plus one is more than two. We have taken two pillars of network security and turned them into one comprehensive, network-centric threat detection, protection, and response system. In addition, this solution will grow with you as we look to extend the visibility to every corner of the digital business, including the public cloud and the software-defined network, as well as allowing you to benefit from the on-going R&D that delivers new threat detection at the speed of SaaS.

This may be just the start of this particular journey, but we are starting with all of the accumulated wisdom of those pioneers from back in the ‘80s, and all those that have followed in their footsteps.

To learn more about Cisco’s Security Analytics and Logging, a cloud-delivered security platform that leverages Cisco Defense Orchestrator, Cisco Firepower Next-Generation Firewalls and Stealthwatch Cloud to help you simplify security policy management, please visit or contact to get started.

The post Security Analytics and Logging: Supercharging FirePower with Stealthwatch appeared first on Cisco Blog.