Cisco Stealthwatch Basic Interview Questions

Stealthwatch Overview

Stealthwatch provides enterprise-wide visibility, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real-time. It continuously analyses network activities and creates a baseline of normal network behavior and then uses this baseline, along with advanced machine learning algorithms, to detect anomalies. However, not everything weird is malicious and Stealthwatch can quickly and with high confidence correlate anomalies to threats such as C&C attacks, ransomware, DDoS attacks, illicit crypto mining, unknown malware, as well as insider threats. With a single, agentless solution, you get comprehensive threat monitoring across the data center, branch, endpoint, and cloud, regardless of the presence of network encryption.

Now, if you are looking for a job which is related to the Network Security Administrator who wants to have the complete visibility of on-going activities in the network then you can implement one of the best in class enterprise- wide visibility product i.e. Stealthwatch. If you are preparing for the latest Network Security technologies then you need to understand what Stealthwatch is and related concepts around it. It is true that different product based companies have different product in all the technology space wherein each and every device has its own feature set and in this section we will  be discussing on Stealthwatch and related interview questions. Here, we have prepared the most important document which talks about Stealthwatch and related interview questions along with answers which will help you get ease your day to day activities while managing Stealthwatch and to crack the interviews with ease.

Q. What is Stealthwatch?

Stealthwatch is the industry-leading visibility and security analytics solution that leverages enterprise telemetry from the existing network infrastructure. It provides advanced threat detection, accelerated threat response and simplified network segmentation using multi-layer machine learning and advanced behavioral modeling, all across the extended network.

Q. What are all architecture of Stealthwatch?

Stealthwatch consists of below mentioned key components in its architecture.

• Stealthwatch Management Console
• Flow Collector
• Flow Sensor
• UDP Director/Flow Replicator
• Packet Analyser

Q. What are the main objectives of Stealthwatch?

Key components of Stealthwatch are as follows.

Network Visibility: Stealthwatch will have overall visibility of your Network of both North-South or East-West traffic. It even provides enterprise-wide visibility, from the private network to the public cloud, and applies advanced security analytics to detect and respond to threats in real-time

Detection: Stealthwatch continuously analyses network activities inside your network, analyses network behavior and sets a baseline, it even used advanced machine learning algorithms to detect anomalies. Stealthwatch is behavior and analytical solution.

Incident Response: Stealthwatch is capable of analyzing the Incidents which has happened in your network by going back and analyzing the behavior.

Q. What are the features of Stealthwatch?

• Stealthwatch can see each and every conversation happening in the network.
• Stealthwatch can know each and every host connected in the network.
• Stealthwatch can analyse the behavior of the network and it is capable of distinguishing between normal and abnormal behavior.
• Stealthwatch is capable of alerting to change in the behavior.
• Stealthwatch can respond to Threats quickly.
• Stealthwatch can be used to learn information from the network.

Q. How can you deploy Stealthwatch?

Stealthwatch can be either deployed on physical appliance or Virtual Machine.

Physical appliance             :             Stealthwatch can be installed on x210 Series appliance.

Virtual                                :             Stealthwatch can be installed on VMware KVM.

In Stealthwatch smallest flow collector can process 30,000 flows/second.

Q. What is Stealthwatch Management Console?

The Stealthwatch Management Console (SMC) is an enterprise-level security management system that allows network administrators to define, configure, and monitor multiple distributed Stealthwatch Flow Collectors from a single location. It uses graphical representations of network traffic, identity information, customized summary reports, and integrated security and network intelligence for comprehensive analysis.

Stealthwatch Management Console aggregates organizes and presents analysis from, the Cisco Identity Services Engine, and other sources. This system provides flow-based security, network, and application performance monitoring across physical and virtual environments. With Stealthwatch, network operations and security teams can see who is using the network, what applications and services are in use, and how well they are performing.

Q. What are the major benefits of Stealthwatch Management Console(SMC)?

• Real-time up-to-the-minute data monitoring can be done across hundreds of network segments simultaneously.
• Capability to rapidly detect and prioritize security threats.
• Configures, coordinates, and manages Cisco Stealthwatch appliances, including the Flow Collector, Flow Sensor, and UDP Director.
• Use of multiple types of flow data such as NetFlow, SFlow, IPFIX etc.
• Provides a full audit trail of all network transactions for more effective forensic investigations.
• Performs well in extremely high-speed environments and can protect every part of the network that is IP reachable, regardless of size.

Q. What is Flow Collector?

The Flow Collector leverages enterprise telemetry such as NetFlow, IPFIX and other types of flow data from existing infrastructure such as routers, switches, firewalls, endpoints, and other network infrastructure devices.

Basically, Flow Collector is the Brain of all the operations and it will store the information into the database and this can be used while Incident Response.

The Flow Collector can also receive and collect telemetry from proxy data sources, which can be analyzed by the Global Threat Analytics (formerly Cognitive Threat Analytics), the multi-layered machine learning engine, for deep visibility into both web and network traffic.

Q. What are the major benefits of Flow Collector?

• Faster Threat Detection this process enhances your organization’s ability to pinpoint threats and shortens your Mean Time To Know (MTTK)..
• Flow-traffic monitoring across hundreds of network segments simultaneously, so you can spot suspicious network behaviour.
• Extended Data retention allows organisations to retain large amount of data for longer periods which will be helpful while investigating the incidents.
• Performs deduplication so that any flows that might have traversed more than one router are counted only once. It then stitches the flow information together for full visibility of a network transaction

Q. What are the various flows which are supported in Stealthwatch?

Below mentioned are the various types of flows which are supported on Stealthwatch.

• NetFlow
• S-Flow
• I-Flow/C-Flow (Juniper)
• IP-FIX (Nortel/Palo-Alto)
• App-Flow (Citrix)
• Net-Stream (Huawei)

Q. What is a Flow Sensor?

The Flow Sensor is an optional component of Stealthwatch Enterprise and produces telemetry for segments of the switching and routing infrastructure that can’t generate NetFlow natively. It also provides visibility into the application layer data. In case if we have non-capable net-flow devices in the network then we have to connect these non-capable devices into a component called Flow Sensor.

In addition to all the telemetry collected by Stealthwatch, the Flow Sensor provides additional security context to enhance the Stealthwatch security analytics. Advanced behavioral modeling and cloud-based multi-layered machine learning is applied to this dataset to detect advanced threats and perform faster investigations.

Q. What are the major benefits of Flow Sensor?

• Provides true Layer 7 application visibility by gathering application information along with ad-hoc on-demand packet capture (PCAP)
• Alerts on network anomalies so that this helps to generate alarms with contextual intelligence so that security personnel can take quick action and mitigate damage.
• Enhances operational efficiency and reduces costs by identifying and isolating the root cause of an issue or incident within seconds.

Q. What is UDP Director/Flow Replicator?

The UDP Director simplifies the collection and distribution of network and security data across the enterprise. It helps reduce the processing power on network routers and switches by receiving essential network and security information from multiple locations and then forwarding it to a single data stream to one or more destinations.

Q. What are the major benefits of UDP Director/Flow Replicator?

• Reduces unplanned downtime and service disruption since UDP director High Availability is available.
• Simplifies network security and monitoring by aggregating and provides single standardized destination for NetFlow, sFlow, Syslog, and Simple Network Management Protocol (SNMP) information
• Receives data from any connectionless UDP application, and then retransmits it to multiple destinations, duplicating the data if required.
• Directs point log data (NetFlow, sFlow, Syslog, SNMP) to a single destination without the need to reconfigure the infrastructure when new tools are added or removed.

Q. How do we redirect the traffic from non-NetFlow supported devices? 

Flow Sensors will be deployed in order to collect the information from the non-NetFlow capable devices wherein SPAN/Copy of data packet will be collected from and then flow sensor will transform data packet to full NetFlow.

While doing full NetFlow, Flow sensor will also perform.

• Deep Packet Inspection will be done and this will be helpful in finding Top application in the network.
• Round Trip Time(RTT) and Server Response Time(SRT) which will help in network performance calculation.

Q. What is the use of integrating Stealthwatch with ISE?

Integrate Stealthwatch Management Console to ISE through pxGrid will provide the Stealthwatch system with extra contextual information about the endpoint and user on that endpoint as well as the ability to quarantine that endpoint if they are misbehaving.

Q. What are the key functionalities of ISE post integrating with Stealthwatch?

There are 2 key functionalities of ISE which can be leveraged on Stealthwatch.

• ISE adds user information into NetFlow i.e. User-ID, Device-Type and MAC address.
• Stealthwatch can send API query to ISE and take action by quarantining or providing limited access to users.

Q. What is Packet Analyzer in Cisco Stealthwatch?

The Cisco Packet Analyzer is one of the tool in Stealthwatch which will help you investigate security events and anomalous network activity in your network.

Q. What is the use case of Packet Analyzer in Cisco Stealthwatch?

Suppose Stealthwatch detects abnormal/bad behavior inside the network but as an administrator, if we want to find out what has caused the abnormal behavior, in this case, we can do deep dive inspection using Packet Analyzer.

Packet Analyzer has a 42 Terabyte of Rolling buffer which can store only 42 TB of data in Buffer.

Q. What is Cloud Component in Stealthwatch?

Most of Enterprise network will have cloud platform wherein servers and network devices are installed on cloud. In this case if we want to monitor the Cloud platform then we need to install agent on the Client.

Q. What is Data Concentrator in Cloud Component of Stealthwatch?

In the process of monitoring the devices which are on cloud we install an agent on the Client. Then the Agent will send all the information to a component called as Data Concentrator(Cloud Concentrator).

Data Concentrator will convert all the information which has received from Client(Cloud device) into NetFlow and send that information via tunnel to Flow Collector.

Q.What is Flow in Stealthwatch?

Network Flow is a Unidirectional sequence of packets that have a common characteristics.
Flow is a Stream of information exchanged between the routing protocols, routing tables as well as flow of packets from routers physical interface to routing engine.

Q. What are the characteristics of Flow?

• Flow will have complete information of who is talking to who on the network level.
• Flow will tell how a specific organisations network being used.
• Flow will have information w.r.t. source IP’s, destination IP’s, port numbers, packet count, time stamps etc.
• Flow technology was originally developed by Cisco and it was called as NetFlow.

Q. What is NetFlow?

• NetFlow was developed by Cisco in 1996.
• NetFlow is packet forwarding mechanism wherein information will be sent across in NetFlow to Flow collector.

Q. What are the different versions of NetFlow?

Various versions of NetFlow are mentioned below.

• Version-1
• Version-5
• Version-7
• Version-9
• IP-FIX

Q. What is NetFlow Exporter?

Once the Flow Record has been created then that record has to be binded/tied to a Flow Exporter. Flow Exporter configuration defines either the physical IP address or virtual Flow Collector IP Address to which NetFlow data has to be sent.

It also defines the source interface from which the Flow Exporter device will send NetFlow data, this can be a physical or logical address.

Q. What is NetFlow Generator?

The device where NetFlow is enabled is called as NetFlow Generator.

Note: Advanced questions on stealthwatch are coming soon.

ISE interview question and answer

Information Security interview questions

Cisco FirePower (FTD) Interview Questions and Answers