This content is part of the Buyer's Guide: Finding the right security analytics tools for your enterprise

Lancope's StealthWatch FlowCollector: Security analytics product overview

Expert Dan Sullivan examines the Lancope StealthWatch FlowCollector, a security analytics product that ingests large volumes of data to identify suspicious activity.

The vast majority of traffic traversing an organization's network is probably benign, but what about the small fraction of traffic that isn't? How can the organization tell benign from malicious before it's too late? This is the challenge that has driven the development of security analytics tools such as the Lancope StealthWatch FlowCollector.

Analyzing network traffic

Security analytics products are designed to collect a variety of information types, and then integrate, analyze and classify content and events to enable security and system administrators to identify potentially malicious activity. Some security analytics tools tailor their analysis to network traffic, while others incorporate diverse data from server logs and endpoint devices. The common characteristic of all security analytics products, however, is the ability to ingest large volumes of data and quickly identify suspicious activity.

Like other security analytics tools, the Lancope StealthWatch FlowCollector aims to consolidate data from devices across the network, such as routers, switches and firewalls. It uses NetFlow and IPFIX flow data collected from these devices to achieve its mission.

Data collected at routers is used to analyze traffic entering or leaving the network. Lancope's StealthWatch FlowCollector also considers traffic between devices on the network. This is especially important for detecting malicious activity that occurs within the network boundaries. For example, a disgruntled employee might make a copy of a database backup to take to a competitor using a laptop and storage device connected to the network. This kind of event may not leave any traces in inter-network traffic flows.

Scalability is always a consideration when capturing network traffic. A single StealthWatch FlowCollector is designed to support up to 4,000 devices generating as many as 240,000 flows per second. At peak scalability, a properly configured StealthWatch FlowCollector system can process up to 50,000 sources and six million flows per second. StealthWatch FlowCollector includes the ability to detect duplicate flow data as well.

One company's anomaly is another's norm

The concept of anomalous behavior on a network is fairly easy to understand: it is something out of the ordinary. The first job of an anomaly detection system is to determine the baseline for a particular network. The StealthWatch FlowCollector creates a baseline of all IP traffic, which then supports analytics for detecting anomalies in either network traffic or host behavior.

The StealthWatch FlowCollector also includes host-centric analysis, such as host and application profiling and OS fingerprinting. This is useful for detecting activity that falls outside the typical patterns of use on a host.

In addition, the analytics product provides reporting on device activity, such as host reporting, router interface tracking, and bandwidth accounting and reporting. There is also support for packet level performance metrics and quality of service reporting.

Lancope StealthWatch FlowCollector can go beyond base level network reporting to detect unauthorized hosts and web servers as well as misconfigured firewalls.

Lancope offers 24/7 customer support via phone and online portal. Enterprise premium support is also available for those organizations that want more proactive assistance with planning and deployments. A community portal offers access to documentation, knowledge base articles and training videos. For more information on pricing and licensing, contact Lancope.


Predicting malicious activity is difficult, even with large volumes of data and the most sophisticated analysis techniques. Baselines, meanwhile, change, sometimes slowly over time. This can impact the false positive rate of alerts, so care must be exercised when balancing the need to minimize false alarms with the desire to not miss a real threat because alert thresholds were too high.
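The baseline and threshold trade-off described here and under "One company's anomaly is another's norm", as an added Python example; it is not Lancope's algorithm and not code from the original article. The `detect` function, its parameters and the hourly byte counts for one internal host are constructed assumptions.

```python
import math

def detect(series, threshold, alpha=0.3, warmup=5):
    """Return indexes whose value deviates from the learned baseline by more
    than `threshold` standard deviations. alpha=0 freezes the baseline after
    warm-up; alpha>0 lets it follow slow drift (exponential weighting)."""
    seed = series[:warmup]
    mu = sum(seed) / warmup
    var = sum((x - mu) ** 2 for x in seed) / warmup
    alerts = []
    for i in range(warmup, len(series)):
        x = series[i]
        # Floor sigma at 5% of the mean so tiny jitter never looks anomalous.
        sigma = max(math.sqrt(var), 0.05 * mu)
        if abs(x - mu) / sigma > threshold:
            alerts.append(i)
            continue  # do not fold flagged samples into the baseline
        if alpha:
            d = x - mu
            mu += alpha * d
            var = (1 - alpha) * (var + alpha * d * d)
    return alerts

def sample_series():
    """Constructed data (not real traffic): KB per hour sent by one host to
    other internal hosts. Normal load drifts upward by 2 KB each hour."""
    s = [100 + 2 * h + (3 if h % 2 else -3) for h in range(40)]
    s[20] = 165   # moderate deviation, e.g. an unusual internal copy
    s[35] = 900   # bulk internal transfer
    return s

if __name__ == "__main__":
    s = sample_series()
    cases = [
        ("adaptive baseline, threshold 3", dict(threshold=3)),
        ("adaptive baseline, threshold 6", dict(threshold=6)),
        ("adaptive baseline, threshold 1.5", dict(threshold=1.5)),
        ("frozen baseline, threshold 3", dict(threshold=3, alpha=0)),
    ]
    for label, kwargs in cases:
        print(f"{label}: alert hours {detect(s, **kwargs)}")
```

On this data the frozen baseline alerts on ordinary drift, a threshold of 6 misses the moderate deviation at hour 20, and a threshold of 1.5 flags normal hours.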

If there is malicious activity on IT infrastructure, it is probably leaving a trace of some kind in network traffic, which tools like the Lancope StealthWatch FlowCollector can detect. This tool can profile a normal baseline of activity and then detect variations from that norm, and can alert administrators to potentially malicious activity.

StealthWatch FlowCollector is especially useful for network administrators and security professionals who need to monitor network-level activities across complex infrastructures.

Editor's Note: Lancope was recently acquired by Cisco. While Lancope still operates as a separate company, the acquisition could impact the Lancope StealthWatch product line, including the FlowCollector series.

This was last published in September 2016