An early warning solution would be an asset, especially to a global enterprise with thousands of network devices serving millions of customers. Fortunately, such "security alarms" are now available. Our experts recommended the leading brands, along with strategies on how they can be deployed most effectively.
Consider flow-based detection with zone-based policies
"Initially an intrusion-detection appliance, StealthWatch is designed to identify zero-day, unknown, and undocumented attacks by alerting network teams about 'not normal' network traffic," according to Chris Hovis, VP of marketing and business development at Lancope.
StealthWatch is a standard, rack-mount PC running a hardened Linux operating system that passively watches traffic on the network and rates the suspiciousness of new traffic by comparing it to recognised traffic. It can tell what is normal by gathering baseline statistics, then uses complex algorithms and network heuristics to rate suspicious events according to a concern index that shows how unusual or serious the event might be.
Hovis gave an example: "Say you have a Web server that you do not use for FTP, and one day that server starts to service FTP requests. StealthWatch will send an alarm to the administrator with a notice of an important change. In this example, the administrator may find that a hacker has compromised the server and is using it to distribute pirated software or music."
StealthWatch categorises network traffic into "flows" to profile activity and detect nefarious behavior. It quickly identifies known or unknown attacks, internal misuse, or misconfigured network devices, regardless of packet encryption or fragmentation.
Along with flow-based network anomaly detection, StealthWatch offers zone-based security policies. Network administrators can configure groups of hosts, adapting them to the logical or hierarchical security structures and methodologies of the organisation.
