Cisco Secure Network Analytics Reviews

My main use case for Cisco Secure Network Analytics has been network visibility and anomaly-based threat detection within the enterprise environment. In security operations and VAPT-related activities, it has mainly been used to monitor east-west traffic, detect unusual communication patterns, and identify suspicious behavior that traditional signature-based tools might miss. For example, during an internal security validation exercise, we used it to analyze unusual lateral movement behavior between endpoints. The platform helped identify abnormal internal traffic flows and authentication patterns that were inconsistent with normal user behavior. That visibility was useful for validation detection coverage and understanding how suspicious activity propagates across the network, especially in situations where endpoint-only visibility was not enough.

The first thing I typically check in Cisco Secure Network Analytics is the alert anomaly dashboard to quickly identify any high-priority or unusual activity. After that, I usually review abnormal traffic flows and look for unexpected east-west communication patterns, especially between internal hosts that do not normally communicate frequently. If something looks suspicious, I move into the investigation workflows, such as Flow Search, to analyze source and destination activity, traffic behavior, protocols, and time-based communication patterns in more detail. I also pay attention to high-risk hosts or devices with unusual behavior scores because they often provide early indicators of lateral movement or compromised systems.

In real-world SOC environments, the impact of Cisco Secure Network Analytics is usually very noticeable, but not always in the loud way vendors describe. It tends to show up as measurable improvements in investigation efficiency, visibility depth, and detection confidence rather than just raw alert volumes. Stronger post-incident reconstructions and better prioritization of real threats yield faster triage, better internal visibility, more reliable detection of lateral movement, reduced investigation frictions, and higher analytics confidence.

The value of Cisco Secure Network Analytics shows up in time compression, noise reduction, and investigation efficiency rather than just feature usage. Before deployment, basic network incident scoping takes thirty to ninety minutes, and complex lateral movement cases take two to six hours. After deployment, basic scoping becomes five to twenty minutes, and complex cases become one to three hours.

From a practitioner standpoint, the strongest value of Cisco Secure Network Analytics usually comes down to a few core capabilities that directly reduce investigation time and improve visibility across the network. The best features teams tend to rely on most are network-wide flow visibility. This is the foundation of the platform. Most teams lean heavily on it because it gives a near real-time map of who is talking to whom across on-premises, cloud, and hybrid environments. In practice, this replaces many packet capture first and investigate later workflows with faster flow-level triage.

Behavioral analytics and UEBA for network traffic represents another core strength. The behavioral baselining is one of the most used security features. It highlights anomalies such as unusual data transfers, lateral movement patterns, and abnormal authentication flows. SOC teams often rely on this to generate the first meaningful alert rather than hunting manually.

Lateral movement detection tends to be a high-value feature in enterprise environments. Once an endpoint is compromised, the tool is good at surfacing east-west movement that would otherwise be invisible in traditional perimeter tools. Threat detection with both built-in and custom detections is also heavily used. Teams typically use both out-of-the-box threat models and custom rules tuned for internal environments in mature SOC setups. Custom detection tuning becomes more important over time than default alerts.

Forensic search and investigation workflows are heavily used during incident response because analytics can pivot quickly. Security dashboards and high-level risk scoring support SOC shift handovers, reporting execution, and quick overnight reviews.

Several features often look very promising during evaluation or implementation but end up being used only lightly in day-to-day operations. Advanced reporting and scheduled compliance reports look very attractive for audit and compliance teams at implementation time and can generate structured reports for visibility, risk posture, and traffic summaries. In practice, many teams do not rely on it heavily because SIEM tools or GRC platforms already handle reporting better.

Built-in threat intelligence feeds represent another area where expectations do not always match usage. The platform includes threat intelligence-based detection and classifications. Initially, teams expect to depend on this heavily, but later SOC teams often prefer their own threat intelligence feeds or correlate intelligence inside SIEM instead. The built-in feeds are used but not as a primary detection source.

Automated incident summaries and guided investigation views are designed to simplify triage by automatically grouping related activity into incidents. However, teams often move away from them due to various factors affecting adoption.

I have been familiar with Cisco Secure Network Analytics for around a year through exposure to network monitoring, threat detection, and security visibility use cases in an enterprise environment.

Before we adopted Cisco Secure Network Analytics, most of the visibility work was a mix of existing SIEM-based monitoring and a fair amount of manual investigation. Primarily, we relied on our SIEM stack, mainly Splunk, for log aggregation and correlation. It worked well for known patterns and alerting, but it was heavily dependent on predefined rules and dashboards. For anything beyond that, especially lateral movement or subtle anomalies, analysts had to manually pivot across logs, firewall data, and endpoint alerts, which was time-consuming. In some cases, we also depended on basic network device logs, including firewall, proxy, DNS, and occasionally packet capturing during incident investigations. That gave us visibility, but it was not continuous or behavior-driven, and detecting low and slow attacks was a challenge.

During the evaluation phase, we looked at a few alternatives, including Darktrace for its AI-driven anomaly detection on network behavior, Vectra AI for NDR-focused threat detection and attacker behavior analytics, and we also assessed tightening our existing Splunk-based detection with additional correlation rules instead of introducing a new platform. Ultimately, Cisco Secure Network Analytics stood out because of its strong flow-based visibility, good integration with our existing Cisco infrastructure, and the ability to reduce manual hunting by surfacing behavioral anomalies more proactively. Before Cisco Secure Network Analytics, it was mostly SIEM plus manual correlations, and the evaluation process focused on whether to enhance what we had versus moving to a dedicated network detection and response layer.

Cisco Secure Network Analytics is generally part of a broader team-based security operation workflow rather than something handled completely by one person. In environments using Cisco Secure Network Analytics, multiple teams can be involved, including SOC analysts, network security teams, incident response personnel, and sometimes security engineering teams. My involvement is mainly around security monitoring, validation activities, and investigating suspicious traffic behavior, while other team members focus on areas such as infrastructure management, escalation handling, and SIEM integration. Because Cisco Secure Network Analytics touches visibility, detection, and incident response, the platform tends to work best when it is integrated into a collaborative operational process across different security functions.

Getting Cisco Secure Network Analytics operational was manageable, but the full onboarding process still required planning and coordination with network and security teams. The initial deployment and integration phase took some time because the platform relies heavily on visibility into network telemetry, flow data, and integration with existing monitoring infrastructure. In terms of usability, the core dashboard and monitoring workflows were fairly intuitive for experienced SOC or network security analysts, but teams still benefited from formal training, especially for advanced investigation workflows, tuning, and behavior analysis interpretation. The learning curve was more about understanding how to interpret network behavior effectively rather than learning basic navigation of the platform itself.

In most environments using Cisco Secure Network Analytics, the gaps are not usually missing core functionality but rather workflow acceleration and deeper context automation. Teams often say the platform is powerful but could be more opinionated and less manual in a few areas. If I had to pick just one improvement that would most noticeably change day-to-day workflow in Cisco Secure Network Analytics, it would be a true end-to-end automated incident narrative that correlates network behavior into a single guided investigation timeline. Currently, the process involves starting from an anomaly or alert, pivoting into flows, checking host communication history, reconstructing timelines manually, and correlating with SIEM or endpoint data separately.

For someone with a SOC workflow similar to what we have been discussing, SIEM-centric with some EDR and XDR coverage and a need for strong network visibility, my advice for adopting Cisco Secure Network Analytics would be practical and grounded in what actually works. First, treat it as a visibility and investigation layer, not just a detection tool. Second, plan for a real tuning phase and do not rush production trust. Third, ensure your NetFlow and IPFIX data quality is solid first. Fourth, integrate it tightly with your SIEM from day one. Fifth, train analysts on investigation workflows, not just the user interface. Sixth, define what good looks like before rollout. Seventh, do not over-rely on default detections. Invest in tuning, integration, and analyst workflow training early, and treat it as a network investigation platform rather than just an alerting tool. I would rate my overall experience with Cisco Secure Network Analytics as an eight out of ten.

Our customers mainly use Cisco Secure Network Analytics to get whole network visibility and easy troubleshooting to find actual problems and also to mitigate loopholes or findings immediately to protect their networks from external and internal issues. That is why they are mainly using Cisco Secure Network Analytics.

Mostly, our maximum clients are from the banking sector, and in this regard, we also have clients from the defense and police sectors, meaning military and police.

My customers range from medium to enterprise businesses.

The most effective features of Cisco Secure Network Analytics for threat detection include the ability to easily identify pinpoint issues and troubleshoot to secure the network consistently. If the network is affected by anything, from internal or external threats, their isolation process helps protect other networks from a specific point. Additionally, they receive good reports that are helpful for their management or superiors to understand the actual scenarios of the network.

Regarding analytics tools in the solution, it depends on the benefits based on the segmentation market segment from a business point of view. Main benefits are derived from NetFlow analytics, and they also get benefits from Cisco Works pictures and Cisco Prime, which they use for their network topology.

Every solution is gradually integrated with AI, and Cisco has already implemented AI building features in their solution. With this integrated process, customers are receiving comprehensive benefits. AI is integrated into analytics, and after implementing AI compared to previous solutions or past experiences, customers receive far more benefits. AI provides suggested common lines and protection features that help safeguard networks from various threats or unwanted situations.

In terms of improvements for Cisco Secure Network Analytics, from the implementation point of view, now that AI is in use, some other features need to be upgraded considering AI solutions. Proper management of the database is also important; it should be centralized for easier data collection from a single database. When precise manual analysis is needed, it's sometimes difficult, so having a centralized database will allow network admins to find actual scenarios more effectively, especially since some information may not be visible on the GUI.

Cisco should upgrade their hardware part to run the database, because sometimes it cannot handle the load while all features are running in the network.

The database management should indeed be centralized because while AI runs behind the systems, central management is essential. For example, in a network with 100 Cisco switches, a few routers, firewalls, and access points, all data generated should be preserved in a central database. This approach simplifies management and analysis for troubleshooting, as GUI interfaces may not always provide visible information. Centralizing the database will allow for better understanding of which information is preserved for each specific device.

My experience with Cisco security is extensive, but specifically for Cisco Secure Network Analytics, it has been five to eight years.

The deployment time for Cisco Secure Network Analytics depends on the customer environment and the nature of the product. Sometimes, in the banking sector, running operations through their private sector makes it challenging to implement networks without interrupting the existing setup. Thus, deployment needs careful planning, but new implementations are generally easier.

Stability-wise, I do not face problems frequently, but sometimes there are issues that arise from new hardware implementations or the identification of problems. Once resolved, the system works well, and overall I think it's good.

Cisco Secure Network Analytics is easy to scale up.

For technical support of Cisco, the support they provide depends on how the client procures it, and so far, it's understandable.

Some aspects of Cisco Secure Network Analytics are easy to set up for the default configuration, but there are a few points that require customization based on client requirements and their business demands. Overall, it's easier now than it was previously.

Out of 10, I rate the setup of Cisco Secure Network Analytics as an eight.

Regarding cost, for the Bangladesh context, Cisco Secure Network Analytics is a little bit high-priced because we are a developing country, making it tough to manage affordable solutions. However, considering its stability, features, protection, visibility, and easy maintenance, the solution is effective and, from that point of view, cost-effective. Cisco should consider pricing strategies for the Bangladesh market.

Mostly, our maximum clients are from the banking sector, and in this regard, we also have clients from the defense and police sectors, meaning military and police.

I give Cisco Secure Network Analytics eight out of ten.

The main recommendation for improvement in support is that it's sometimes difficult to connect with them on time, which is a major issue. Another issue is the language barrier.

I recommend using Cisco Secure Network Analytics to simplify operations, especially for network administrators or engineers. Implementing Cisco Analytics allows users to visualize everything in their networks, facilitating troubleshooting and enabling quick identification of network problems. This is crucial, as slow troubleshooting can hamper business operations.

Cisco Secure Network Analytics is used for setting up CDN technology, Content Delivery Network, for load balancing of simultaneous 10,000 live connections with the server. When I first opened Cisco Secure Network Analytics, I was conducting load balancing testing.

The best feature of Cisco Secure Network Analytics is its reliability, which I find to be the one that gets used the most.

Cisco Secure Network Analytics has changed how my team collaborates. Although there was some frustration with too many commands and routing logic, the setup, reliability, ping, and command acknowledgment helped us significantly.

Adoption of Cisco Secure Network Analytics went well, as everyone was working as a team and stayed on the same page while working together.

There were features related to routers and the setup of virtual networks that came up during implementation of Cisco Secure Network Analytics, but I am not actually using them as that was not part of my job.

I have been familiar with Cisco Secure Network Analytics for two years, specifically for network-related work and load balancing of streaming media.

The scope of the load balancing work was a team effort where we used three tools for load balancing, and it was a large scope because there was huge traffic on our website due to video streaming work.

Before I implemented Cisco Secure Network Analytics, I was doing simple Linux work that involved a master-slave combination of servers for load balancing, which was all manual work done with free sport technology.

When I first implemented Cisco Secure Network Analytics, it took three to four weeks with the team to get up and running.

My team did not need formal training on Cisco Secure Network Analytics, as they were experienced.

When evaluating options, I considered Wowza Streaming Engine, a customized tool for load balancing, along with manual work where I set up multiple servers and one master server. I decided on Cisco Secure Network Analytics specifically over those alternatives because it was the requirement of the client.

My advice for someone considering Cisco Secure Network Analytics with a similar workflow is that if they have engineers experienced with Cisco or good capturing power, they should definitely use it. I would rate Cisco Secure Network Analytics a nine out of ten.

I have procured Cisco Secure Analytics for one of my projects, however, I do not have hands-on experience with the product. We are using it internally for analytic purposes, to capture security events at the network layer using NetFlow.

The most valuable features include encrypted traffic analytics and the ability to fulfill requirements at the network level. Encrypted traffic analysis is a very good aspect of the solution.

Improvements are needed on the application layer for complete security analysis. The solution should have the ability to analyze security events not only at the network layer but also at the application and OS layers. There's a need for a more comprehensive licensing model where all necessary licenses are included by default.

We deployed Cisco Secure Network Analytics at our location around 2022 or 2023.

Cisco products are incredibly stable, boasting a 200% stability. There are no issues with reliability, whether it's routers, switches, or any other Cisco products.

I am not aware of the scalability of Cisco Secure Analytics, as it has not yet been fully put into production at our site.

Support issues were primarily related to resolution and response time, suggesting a lack of adequate local support from the Indian side.

Positive

I previously used Cisco products from 2002 to 2006, like routers and switches. After switching to HP products for a while, I returned to Cisco products around 2020 or 2021.

The initial setup was complex, taking over a month to complete installation and configuration.

One or two employees were involved in the lengthy deployment phase, facing challenges during the setup, due to inadequate support.

The organization experienced challenges with licensing as Cisco has multiple licensing factors, and there are concerns about the price. Cisco solutions are considered to be very expensive.

I mentioned considering IBM QRadar, ArcSight, RSA, Dell FortiSIEM for their capabilities on the application layer. These were proposed due to Cisco Secure Analytics not meeting all security layer requirements.

I would rate Cisco Secure Network Analytics an eight out of ten. 

Improvements are necessary in licensing and application layer analysis to meet all security requirements. AI integration could improve predictive analysis and traffic management.

I use the solution in my company just like an NDR solution so that encrypted traffic does not require to be decrypted. Users can monitor all of the encrypted traffic in the product, making it a unique USP of the solution. I think even other tools have such abilities, but Cisco has claimed it is 100 percent sure of all the encrypted traffic it captures.

The most valuable feature of the solution is that it helps you gain visibility for your application. The tool offers L7 visibility, which is good for users who can get visibility of their network communication and decide which protocols they can use in an environment and which ones they can communicate everywhere. If you need to view the L7 visibility, we need to integrate Cisco Secure Network Analytics Flow Sensor, a Cisco component. All the traffic ingested comes from Cisco Secure Network Analytics Flow Sensor and then it is all forwarded to Common Services Platform Collector (CSPC), which are all components of Cisco Secure Network Server and Cisco Secure Network Analytics.

The expensive nature of the tool is an area of concern where improvements are required.

I have experience with Cisco Secure Network Analytics.

When it comes to my company's customers, in every environment where you go to check for solutions, you need permission from the C-level executives and upper management, and it takes time.

My customers are enterprise-sized businesses. Even small businesses can use the tool, but it is expensive. Cisco solutions are used in enterprises with huge management for network visibility.

I have connected with the solution's technical support, and I feel you can ask them any knowledge questions associated with the tool. They provide proper feedback and guidelines. Based on the support offered by the tool's team for PoCs, I rate the technical support a seven to eight out of ten. Even if the tool's support team is not engaged and we need to create a ticket, I have no idea how Cisco gets engaged, but I know that if Cisco's sales team engages me. When it comes to the PoC part, it takes time for the tech team to give me the information I need.

Positive

I work with Forcepoint DLP, Kaspersky's EPP, and XDR tools. I have two years of experience in cybersecurity engineering.

I had just started the tool's PoC for our customer environment and have two months of experience.

For the setup phase, I followed all the Cisco guidelines. My customer also wants to have FortiNDR in their environment. I wanted to see the difference between Cisco and FortiNDR.

The time required to deploy the solution depends on your architecture, how you want it, and the scalability, and that's the customer's requirement. It does not depend on what you can do or the cost factor. Also, if you are using machine learning and artificial intelligence tools, you need to fine-tune the solution, which is why it takes too long to deploy it. We can deploy any solution anywhere we want, but it takes time and depends on the customer's response.

The tool is not cheaply priced. In cybersecurity, you want an extra layer of security in your organization. Some sectors want NDR solutions, so you cannot deploy such tools everywhere, as they are expensive.

In Pakistan, owing to financial reasons, people go for solutions where the set price is minimal. The customers want tools that are priced less but offer compatibility and extra features they don't get from the big solutions in the market. From a financial point of view, the customers want minimally priced products.

When it comes to the integration part, it all depends on the third-party tools for integration. For example, if you need user session details, you may need to integrate Cisco ISE integration with the tool. A complementary feature is available if you want to view the user, who the user is, and what the session time is on this in the network if you can capture off and on traffic. We need to integrate Cisco ISE to view the user's name and their details. I think Cisco wants to add features in Cisco Secure Network Analytics, so there is no need to integrate it with Cisco ISE because you cannot have it everywhere.

I am working on Kaspersky, which has no dedicated NDR solution. So, I am just working on my first NDR solution from Cisco. Cisco is a smooth tool with no bugs. In the future, the tool may add an area like the user's name and session details.

I rate the tool a seven and a half to eight out of ten.

We use Cisco Secure Network Analytics to collect network data, which we then send to our cybersecurity team for analysis. It is a basic use case that focuses on monitoring network traffic for potential security threats and providing our team with the information they need to detect and respond to issues.

The most valuable features of this solution are its reporting and mitigation capabilities.

There is room for improvement in mitigation and reporting, and better integration between Cisco Secure Network Analytics and Cisco Secure Workload would be beneficial.

I have been working with Cisco Secure Network Analytics for almost four years.

Cisco Secure Network Analytics is extremely stable. I would give it a ten out of ten for stability.

The solution is fairly scalable. Our clients are primarily enterprise-level businesses.

I would rate the technical support as a seven out of ten. We have not had any major issues with the solution and it works well.

Neutral

The initial setup is quite easy. The deployment takes around two to three hours.

I would strongly recommend this solution to others. It is user-friendly, with an excellent reporting system. Moreover, it offers seamless integration for mitigation, which is a very valuable feature. Overall, I would rate Cisco Secure Network Analytics as a ten out of ten.

We're currently using it to figure out what is happening in our network. For example, to see whether there's any incorrect traffic in our network. We are also using it to monitor traffic coming from the internet into our network.

We have about 30,000 end users and about 60,000 end devices in the network. We are located in the capital area and have 30 hospitals and 200 other sites.

Cisco Secure Network Analytics has increased the visibility of what is happening in our network, and I think that's the most important reason to use it. We can see what is really happening instead of just looking at numbers from routers or switches.

The user interface is quite good and helps us to understand what is happening.

Cisco Secure Network Analytics provides better visibility, which has helped free up our IT staff's time.

We have been able to save time as an organization in terms of trouble shooting.

I would like to see interoperability with other Cisco products because we have ThousandEyes, Cisco Prime, and others. The interaction among these is important to us.

I've been using this solution for two months.

It scales well, but the cost is a limiting factor for us.

My experience with Cisco's technical support has been good, and I would give them an eight out of ten.

Positive

I was involved with the initial setup, and it was quite straightforward to implement it into our specific environment. Because we were already using Cisco devices, we just had to configure the devices and direct the traffic to them.

We implemented it with the help of our partner's team, and they did good work.

We chose Cisco Services versus competing services because we have a lot of Cisco devices and wanted a solution that will work with them.

On a scale from one to ten, I'd rate Cisco Secure Network Analytics at eight.

Our main use case for Cisco Secure Network Analytics is its ability to monitor encrypted traffic without requiring decryption. This is a unique selling point, allowing us to analyze encrypted traffic securely. While this capability is highlighted by Cisco, it's not exclusive to their solution, as other vendors also offer similar functionalities for monitoring encrypted traffic.

Another notable feature of Cisco Secure Network Analytics is its Layer 7 visibility, which allows us to monitor and analyze network communications at the application layer. This provides insights into which protocols are being used and how they communicate within the environment. To achieve this level of visibility, we integrate a flow sensor component within the Cisco SNA solution, which gathers traffic data and forwards it to the Cisco collectors for analysis. This integration enhances our overall security posture and helps us gain deeper insights into our network traffic.

One area that could be improved in SNA is the integration with Cisco ISE for user and session details, which currently requires additional setup.

The stability of the solution has been good, with minimal downtime or issues encountered during operation.

The scalability of Cisco SNA is impressive, allowing for seamless expansion and handling of large volumes of network traffic. 

I worked with a vendor team, and their level of expertise was satisfactory. Customer service and support from Cisco have been responsive and helpful.

Positive

My experience with setting up SNA was straightforward as I followed Cisco's guidelines and instructions. Additionally, I compared SNA with FortiNDR as per my customer's request to understand the differences between the two solutions.

ROI has been positive due to improved network visibility and security incident detection.

I would rate Cisco Secure Network Analytics around eight out of 10. It provides a smooth experience with minimal bugs, yet there are some features, such as username and session details integration, that could be enhanced in future iterations.

We have a number of users that deployed both fixed hubs and satellite sites. Cisco Secure Network Analytics enables us to get full visibility and detect general threats on both types of sites. Regardless of whether a site is deployed overseas or back home, we want one single solution to be able to collect the telemetry, make a decision on it, and report it in a meaningful way. We also want the solution to be able to pipe it to tools that we can use to fight threats.

I think Cisco Secure Network Analytics improved our organization quite a lot. Prior to deploying it, we did not use anything, so, with it, we have gone from nothing to something. This has been a humongous leap in a way. The solution allowed us to not only get gain insight but also start collaborating with other tools. 

Cisco Secure Network Analytics helped our organization save time. I think having things like our automated analysis built into our network means we don't have to do as much threat-hunting. We still need to do a bit of threat hunting, but as long as we got the automated tools, if an alert comes in, then we can focus our activity on it. We would verify it as a false positive or true positive and then do the remediation steps from there. Rather than having to continuously look through just raw data and make the decision ourselves.

We deal with TLS and other forms of encrypted tunnels. The kind of encrypted traffic analysis we receive from Cisco Secure Network Analytics gives us behavior analytics or anomaly detection on those tunnels, which is really insightful. These analytics are particularly important when we can't man in the middle and decrypt to do a deep packet inspection.

The customizability of the UI should improve. With Splunk and other SIEM tools, you have the ability to create custom dashboards and manipulate the data in a way that works for you. Cisco gives you some creative ability, but you are very much locked into their train of thought. It would be helpful if they went more down the Splunk and Elastic route.

We found flaws in Stealthwatch, but thankfully it has the ability to interconnect with Splunk and other such tools. This enabled us to plug the information over where it falls flat and then start working on other platforms. The solution falls down but tries to make up for it.

I would also like to have greater insight into how it works under the hood. I appreciate that that might not be possible due to commercial confidentiality. However, having that greater insight would allow us to covey a level of trust to the people who use it. 

I have been using this solution for about two years now. 

The solution's stability is hard to fault. It sits there and runs without fault. We have had a fair amount of power outages and we get some very dirty power to our site. So there are brownouts and things like that and they cut off at a moment's notice and then come back and there are no configuration issues typically. We are generally quite happy with the stability that we get from the solution.

Cisco Secure Network Analytics is designed to scale well, especially in your SD-WAN solution that is designed specifically for scale. It makes sense that it scales because it is a security product for SD-WAN solutions. I have had no problems scaling. It has been pretty easy for us to scale.

I have not personally had to use Cisco's tech support. 

We did not previously use a different solution. 

I think generally it was quite easy to deploy. It's a virtualized device, so I just put it on the hypervisor and the documentation is good. I think the research environment that we placed it in was an SD-WAN. We had physical IR1001s and they were a little bit more difficult to figure out. The documentation was a little bit all over the place for that specifically. We had to do a lot of cross-referencing. 

We deployed he solution in-house. 

I think we will get a return on investment from this solution. 

From what I've seen when using the Cisco ecosystem, you can get some good value from the licensing. But there are products out there like Cisco Firepower, for which the license is expensive. We are very much trying to move away from Firepower specifically because of the pricing. It's just not good value for us.

When choosing Cisco, we didn't not consider other solutions, but the expertise that we had in-house was central to our decision. We're very much brought into the CCNA and CCMP learning path and therefore we have expertise in Cisco equipment. To buy into the ecosystem of a Cisco competitor like Juniper would be more trouble and costly for us in the long run. Plus, Cisco does a good job.

I've had not necessarily bad experiences with other products, but when it comes to configuring them, I find them a bit more time-consuming than Cisco. Junos, for example, I typically find the commands I have to type in a bit more convoluted and have to look at documentation over and over again because they're very non-logical. Cisco does have a little bit of backwardness in a CLI, but it's much more intuitive. It's easier for me to go to Cisco and do the CLI and configure everything that I need rather than going to Junos.

The key integration we use with Cisco Secure Network Analytics is Splunk outside of the Cisco ecosystem. We have had an internal push to get further into the Cisco ecosystem because Stealthwatch is just detection and has no way of doing your security orchestration but other Cisco solutions do. The idea going forward is that we will be able to buy in a bit further and exploit that integration to do more machine time response.

I think Cisco Secure Network Analytics is quite good when it comes to securing the infrastructure from end to end. This is particularly the case when you are deploying something like the Cisco SD-WAN solution where you've got your controlling data plane. Cisco has thought about this, going back to the encrypted traffic analysis, your Cisco controlling data plane won't stand up unless they're encrypted. Unless I want a man-in-the-middle, which causes other issues, I deploy Stealthwatch. Stealthwatch has that encrypted traffic analysis. I think it's really well thought through.

We use StealthWatch for telemetry on the cybersecurity side. It's also used for CCTV, IoT, and all the other stuff that isn't connected to the network. There is a cloud version of StealthWatch, but we use the on-prem solution.

StealthWatch lets me see the ports running in and out and the country. It has excellent reporting, telemetry, and artificial intelligence features. With the telemetry, I can set thresholds to detect sudden changes and the alarms go through the PLC parts. I can see all the ports running on that trunk.

There could be better integration on the programming side, which uses Python. StealthWatch could provide a template for Python to manage the switches. For example, it would be nice if StealthWatch bounced a port automatically it detected something anomalous.

We've been using StealthWatch for almost two years. We were the first ones to adopt it in the Philippines.

StealthWatch is a stable product. I haven't seen a technology that could match it aside from the Chinese brand Huawei. Cisco is a US brand, so I haven't seen some of these products outside of this market. 

Who knows? Tomorrow, some company may build a newer, more stable solution, more stable one, but Cisco Stealthwatch has the most stable services today.

The scalability is limited only by the license type. It's not a problem as long as you purchase enough licenses and the necessary services. We have 300 users.

We have a service agreement with Cisco, but we haven't had that many problems with StealthWatch except for a few bugs in newly released versions. Those bugs were a bottleneck for about a year and a half, but we stabilized it about three or four months ago.

We switched to StealthWatch for the orchestration features. 

Setting up StealthWatch is straightforward, but you may need some specialists to integrate it with software solutions like pxGrid, DNAC, and ISE. It took us about two weeks to deploy StealthWatch, but that includes the staffing limitations due to pandemic protocols. In total, it took two months to integrate Cisco ISE, DNAC, and all our other services.

The deployment includes about five engineers—six including me.

We used some integrators, including a consultant from Cisco.

We have a three-year contract with Cisco, including 24/7 online support. There are no additional costs. 

I rate StealthWatch eight out of 10 overall, but I would rate it six for engineers because this is a relatively new technology with a steep learning curve for in-house and third-party engineers.

Whether StealthWatch is a suitable solution depends on the use case and industry, but I recommend it for a company that wants solid telemetry on their end. 

If you're just segregating and creating a sensor firewall on the switch side, you'll save money going with Cisco instead of buying a lot of firewalls to to provide segregation. It's better to use Cisco to centrally manage everything.