Lancope Adds Application Awareness, Visualization Tools To Network Behavior Analysis

Lancope's StealthWatch 6.0 network behavioral analysis tool features granular application awareness, flexible grouping of network assets for reporting and analysis, and relational mapping for network visualization.

February 7, 2011



Network behavior analysis serves both the security and network operations sides of IT. It collects and analyzes flow telemetry exported by routers and switches (NetFlow, sFlow, J-Flow and similar) to identify and remediate the cause of anomalous activity, such as traffic spikes, performance degradation, and communication with unexpected IP addresses that might indicate botnet activity or data exfiltration. Flow records carry addresses, ports, byte and packet counts rather than payload, so on their own they identify who talked to whom and how much, not which application was in use.

"The same sort of instrumentation points and same sort of measurements can be used quite effectively in both realms," says Jim Frey, research director, enterprise management, for Enterprise Management Associates.

On the security side, the addition of application awareness, through deep packet inspection, helps enterprises identify potentially malicious activity as well as applications, such as peer-to-peer file sharing or social networking, that corporate policy bans or restricts. On the network side, fine-grained application awareness lets ops teams determine whether reports of "slowness" stem from the network or from an application: authorized or unauthorized video streaming, a problem with a sanctioned business application, or a malicious program that should be referred to security.

"Is it the network or the application? Everyone points fingers when users report 'slowness' in something," says Joe Yeager, Lancope product manager. "It's always the networks that are blamed, but the networks are only responsible 20 percent of the time." Understanding the cause of performance issues saves organizations from throwing bandwidth capacity at what appear to be network issues but may be related to applications or a faulty DNS server.

Another major enhancement is the ability to assign network assets to any number of "host groups for reporting and policy management," instead of inflexible zones. Previously, StealthWatch required that a device be assigned to a single zone. So, for example, a Microsoft Exchange Server could be assigned to an Exchange Server zone, a New York zone or a sales and marketing zone, but not to more than one.
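To make the two ideas above concrete (behavioral analysis over flow records, and many-to-many host groups with policy attached to some of them), here is a small added example of the technique. It is not Lancope's code and does not reproduce StealthWatch's algorithms; the flow records, host addresses, group names and port policies are all constructed for illustration. It learns a per-host bytes-per-hour baseline from a training window, then flags volume spikes, never-before-seen peers and port-policy violations in the interval under test.

```python
"""Toy network-behaviour-analysis pass over NetFlow-style records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real telemetry: (src, dst, dst_port, bytes, hour).
# Hours 0-4 form the learning window; hour 5 is the interval under test.
FLOWS = [
    # 10.1.1.10 (Exchange) relays mail to 203.0.113.5 at a steady ~5 MB/hour
    ("10.1.1.10", "203.0.113.5", 25, 5_000_000, 0),
    ("10.1.1.10", "203.0.113.5", 25, 5_200_000, 1),
    ("10.1.1.10", "203.0.113.5", 25, 4_900_000, 2),
    ("10.1.1.10", "203.0.113.5", 25, 5_100_000, 3),
    ("10.1.1.10", "203.0.113.5", 25, 5_000_000, 4),
    # 10.1.2.30 (workstation) uses OWA on the Exchange server, ~100 KB/hour
    ("10.1.2.30", "10.1.1.10", 443, 100_000, 0),
    ("10.1.2.30", "10.1.1.10", 443, 110_000, 1),
    ("10.1.2.30", "10.1.1.10", 443, 90_000, 2),
    ("10.1.2.30", "10.1.1.10", 443, 105_000, 3),
    ("10.1.2.30", "10.1.1.10", 443, 95_000, 4),
    # Hour 5: the workstation stays normal, the Exchange server does not
    ("10.1.2.30", "10.1.1.10", 443, 115_000, 5),
    ("10.1.1.10", "203.0.113.5", 25, 5_050_000, 5),
    ("10.1.1.10", "198.51.100.77", 443, 60_000_000, 5),  # unseen peer, 12x volume
    ("10.1.1.10", "10.1.2.30", 445, 30_000, 5),          # SMB toward a workstation
]
BASELINE_HOURS = 5

# Many-to-many host groups (hypothetical names): one host can sit in several.
HOST_GROUPS = {
    "10.1.1.10": {"exchange", "new-york"},
    "10.1.2.30": {"workstations", "new-york"},
}
# Allowed destination ports for flows *from* members of a group; a purely
# geographic group such as "new-york" carries no port policy at all.
GROUP_POLICY = {
    "exchange": {25, 443, 587, 993},
    "workstations": {53, 80, 443},
}


def split(flows, hours=BASELINE_HOURS):
    train = [f for f in flows if f[4] < hours]
    test = [f for f in flows if f[4] >= hours]
    return train, test


def hourly_bytes(flows):
    """Bytes sent per (src, hour)."""
    totals = defaultdict(int)
    for src, _dst, _port, nbytes, hour in flows:
        totals[(src, hour)] += nbytes
    return totals


def build_baseline(train):
    """Per-source mean and population std-dev of bytes/hour over the window."""
    per_src = defaultdict(list)
    for (src, _hour), total in hourly_bytes(train).items():
        per_src[src].append(total)
    return {src: (mean(v), pstdev(v)) for src, v in per_src.items()}


def detect_spikes(test, baseline, z_threshold=3.0):
    """Return (src, hour, bytes, z) where an hour exceeds mean + z_threshold sigma.
    The std-dev is floored at 5% of the mean (and at 1 byte) so that a host
    with a perfectly flat history neither divides by zero nor alerts on a
    trivial fluctuation."""
    hits = []
    for (src, hour), total in sorted(hourly_bytes(test).items()):
        if src not in baseline:
            continue  # no learning data for this host: skip it here
        mu, sd = baseline[src]
        sd = max(sd, 0.05 * mu, 1.0)
        z = (total - mu) / sd
        if z > z_threshold:
            hits.append((src, hour, total, round(z, 1)))
    return hits


def detect_unexpected_peers(test, train):
    """(src, dst) pairs seen under test that never appeared in the window."""
    known = {(src, dst) for src, dst, *_ in train}
    return sorted({(src, dst) for src, dst, *_ in test if (src, dst) not in known})


def policy_violations(test, groups=HOST_GROUPS, policy=GROUP_POLICY):
    """A flow violates policy if any of its source's groups has a port
    policy that does not allow the destination port."""
    bad = []
    for src, dst, port, _nbytes, hour in test:
        for group in sorted(groups.get(src, ())):
            allowed = policy.get(group)
            if allowed is not None and port not in allowed:
                bad.append((src, dst, port, group, hour))
    return bad


def analyse(flows=FLOWS):
    train, test = split(flows)
    baseline = build_baseline(train)
    return {
        "spikes": detect_spikes(test, baseline),
        "unexpected_peers": detect_unexpected_peers(test, train),
        "policy_violations": policy_violations(test),
    }


if __name__ == "__main__":
    for kind, findings in analyse().items():
        print(kind)
        for finding in findings:
            print("  ", finding)
```

On the constructed data the workstation's 15% bump stays within three standard deviations and is not reported, while the Exchange server is reported three ways: a volume spike of roughly 65 MB in hour 5, a new peer at 198.51.100.77, and an SMB flow to a workstation that the "exchange" group's port policy forbids even though the host's "new-york" group says nothing about ports. Note that a real deployment would learn the baseline per time-of-day and per peer rather than per host, and would treat hosts with no baseline as their own category rather than skipping them.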

Zones are appropriate for security analysis and reporting, says EMA's Frey, but the flexible grouping is far better for network operations. Groupings can be used to tailor reports by organizing data in a way that reflects business operations.

"With the more flexible, business-oriented grouping, data can be presented, viewed and studied in a way that is consistent with the way the organization ... is organized," he says. So, he adds, reports can be used effectively for collaboration within IT teams and to work with people in the supported end user community.

The relational mapping feature produces customizable diagrams to show network flow between assets based on network topologies, different parts of the network, groupings, and so on. Frey believes this will help network and security personnel spot problems more quickly.

"Humans are good at pattern recognition in graphical image consumption; they've never been particularly adept at processing and consuming tables of data," he says. "When you present data in a way that's visually impactful, there's a huge productivity and efficiency improvement."

Quick recognition improves time to resolution, saving money by bringing production systems back online or up to peak performance. It also gives organizations the option of putting the screens in front of their support teams. "There are big savings with first-call resolution on the help desk side."

Lancope has also improved its performance and data storage capability, replacing its database engine through an OEM agreement with Vertica. Entry-level pricing for StealthWatch starts at $55,995.

