We use this solution primarily for the TLS audit in our on-premise environment, and to assist our customers.
Technical Consultant at a tech services company with 501-1,000 employees
Improves security through better lateral visibility, but better integration with Firepower is needed
Pros and Cons
- "The most valuable features are encrypted threat analysis and the ability to run jobs on entire flows."
- "It would be better to let people know, up front, that it doesn't give you nice, clear information, as seen in the demos, without Cisco ISE installed."
What is our primary use case?
How has it helped my organization?
We are a reseller, and we are able to show demos of this solution pretty quickly. It gets people really excited.
The network visibility has vastly improved for the organizations that I assist with their services. Generally, they do not have lateral visibility into their network. We come in and deploy Cisco ISE, which helps them segment, but they still can’t prove what is going on. Now, with this solution, they have the ability to not only show what a user has tried to do, but they can show where inside of the network it was stopped. From that point, they have verification and can take action.
Our customers are happy with the threat detection rate. I would estimate that it has increased by eighteen to fifty-two percent. This solution definitely improves the incident response time. We always try to help our customers understand this advantage.
It has reduced the amount of time it takes to detect and remediate threats. I’d imagine that it makes it faster for most of our customers. A lot of them spin their wheels trying to get this information out of there, but they don’t actually see the value until they realize that the right search will show the flow immediately. It gets those answers to them quickly.
It helps with the administration. When it comes to creating documentation, you can export those things and paste them onto the back of the report.
I would say that the time to value is approximately a week. It takes this long because the machine learning component has to learn your network first.
What is most valuable?
The most valuable features are encrypted threat analysis and the ability to run jobs on entire flows.
The reporting feature is helpful for creating documentation because you can export relevant information and paste it into the back of the report.
I’ve found that the solution's analytics and threat detection capabilities are very useful. I would like it to be able to better integrate with Firepower, but it meets the needs that it was promising from the beginning.
What needs improvement?
I would like this product to have better integration with Cisco Firepower. That is the easiest way to pair.
Eliminating Java from the SMC would improve this solution.
It would be better to let people know, upfront, that it doesn't give you nice, clear information, as seen in the demos, without Cisco ISE installed. Most of my customers are ISE-based so it doesn't matter, but I have to break the news to the ones who are not.
Buyer's Guide
Cisco Secure Network Analytics
May 2025

Learn what your peers think about Cisco Secure Network Analytics. Get advice and tips from experienced pros sharing their opinions. Updated: May 2025.
851,604 professionals have used our research since 2012.
What do I think about the stability of the solution?
This solution is pretty stable for the most part. I don't like Java, so that's the thing that needs to go, but for the most part, it is a great solution.
What do I think about the scalability of the solution?
This is a really scalable solution. We have done some pretty large deployments, and I have seen the scalability.
How are customer service and support?
I haven't needed to contact technical support for this solution.
Which solution did I use previously and why did I switch?
We did not use another solution prior to this one. It was like the wild wild west. We set this up in our lab because the internal IT couldn't figure out what everybody was doing. They now have insight into who did what, which is important because we have a lot of intellectual property to protect.
How was the initial setup?
The initial setup is straightforward for me, so when I work with our customers the setup is straightforward for them.
It is a basic, three-tier model that includes flow sensors, flow collectors, and the SMC (Stealthwatch Management Control). These are all named appropriately, so people can understand what is being talked about when they hear it.
After the installation is complete, it takes about a week for the machine learning component to learn your network.
What about the implementation team?
We implement this solution for our customers.
What's my experience with pricing, setup cost, and licensing?
This solution is expensive. Our fees are approximately $3,000 USD.
Which other solutions did I evaluate?
We did not evaluate other options before choosing this one.
What other advice do I have?
If I knew somebody who was researching this solution I would ask them: "How can you prove that when you set a policy, a person can't access this system?" This solution allows you to see any way that they've jumped through the network to try and get to that point. It is a pretty solid solution for this.
The biggest lesson that I have learned is how poorly implemented campus networks are. They’re just poor.
Many people do not understand the Encrypted Traffic Analysis, but it improves the ability to analyze the traffic so it is a valuable feature.
This is a good solution, but Java is still in the SMC, the Firepower integration is not really there, and I would really appreciate people being told about the necessity of ISE beforehand.
I would rate this solution a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.

Senior Consultant at a manufacturing company with 10,001+ employees
Integrates well, but the user interface needs refinement
Pros and Cons
- "The most valuable feature is integration."
- "I would like to see a hybrid solution that can work without being connected directly to the internet for those destinations."
What is our primary use case?
Our primary use case for this solution is security.
How has it helped my organization?
We are currently adding test cases for the solution and it is not yet in a live production environment.
What is most valuable?
The most valuable feature is integration.
What needs improvement?
I would like to see a hybrid solution that can work without being connected directly to the internet for those destinations. A business case would be manufacturing floors that are not, or still not, connected to the internet permanently.
In terms of the user interface, navigating through the drill down windows needs to be improved.
For how long have I used the solution?
Still implementing and testing.
What do I think about the stability of the solution?
This solution seems to be stable.
What do I think about the scalability of the solution?
This is a cloud-based solution, so it is very scalable.
How are customer service and technical support?
We have not used technical support.
Which solution did I use previously and why did I switch?
We did not use another solution prior to this one.
How was the initial setup?
The initial setup for this solution is complex, at least in the beginning.
It is a really hard step from being a networking engineer and moving to that software component. You have to understand the software because the dependency on the actual programming is very important. That has been a learning curve.
What was our ROI?
We are still in beta testing.
What's my experience with pricing, setup cost, and licensing?
Because we are still testing, we do not yet know what our licensing fees will be.
Which other solutions did I evaluate?
We did not evaluate other options.
What other advice do I have?
My advice to anybody implementing this solution is to start with the DevOps, as soon as possible.
I would rate this solution a seven out of ten.
Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
Network Engineer at a government with 1,001-5,000 employees
Makes it easy to pinpoint any network anomalies or any type of suspicious behavior
Pros and Cons
- "The search options on Cisco Stealthwatch are the most valuable. You can get very granular with it, down to the kilobits or the seconds if you want. The product supports any time frame that you need, so that is nice."
- "I would like the search page available with Cisco Stealthwatch to be more intuitive. The previous release was better than the current one for the UI."
What is our primary use case?
We use Cisco Stealthwatch as our primary NetFlow collector. We use it for data analysis and for any issues that arise that require NetFlow data.
How has it helped my organization?
We recently got a security team. They've been more hands-on. They are not intuitive to networks.
Cisco Stealthwatch is good at bridging the gap between what they're capable of doing and the knowledge that they need. That generally comes from the networking side.
What is most valuable?
The search options on Cisco Stealthwatch are the most valuable. You can get very granular with it, down to the kilobits or the seconds if you want. The product supports any time frame that you need, so that is nice.
The solution affects network visibility in our company across all of our data, including our data center. All data transfers pass through our NetFlow collector.
It's very easy to pinpoint any network anomalies or any type of suspicious behavior. NetFlow is very good at detecting those spikes and traffic.
What needs improvement?
We don't use Cisco Stealthwatch for threat detection. We use it more for information gathering. We use better options for threat detection, i.e. Palo Alto firewalls for our security.
I would like the search page available with Cisco Stealthwatch to be more intuitive. The previous release was better than the current one for the UI.
We moved to the latest UI a couple of months ago, maybe like six months ago. I'm not a fan. I wish the search options were easier.
What do I think about the stability of the solution?
As far as stability, we've never had a problem with Cisco Stealthwatch. We've had it for probably three years. It's time for an upgrade.
What do I think about the scalability of the solution?
We're doing scalability with Cisco Stealthwatch now. We have a 1 GB collector. We need a 10 GB collector. We're looking at upgrading.
Cisco Stealthwatch has been good for us in the last couple of years. We had to purchase a whole new appliance for the 10 GB collector.
As far as scalability for the one that we purchased, it was not that great.
How are customer service and technical support?
I haven't had to use their technical support services.
Which solution did I use previously and why did I switch?
We're a Cisco running shop primarily. We purchased DNA Center and Stealthwatch all as part of that package. We're trying to get the whole suite of software packages. Stealthwatch is part of it.
How was the initial setup?
Our previous manager implemented our initial setup. I'm just a user. I can imagine it was difficult.
Which other solutions did I evaluate?
Stealthwatch has almost everything we need. There's no reason to evaluate anyone else.
We also have a WildPackets and a LiveAction engine. We use that for remote packet captures and not NetFlow data analytics.
What other advice do I have?
The solution has not increased our threat detection rate. It has reduced our incident response times by at least 50%. It also reduced the amount of time it takes to detect and remediate threats by around 50%. We use other tools for reducing false positives.
The solution saves us time. There's a learning curve for it. Once you get the hang of it, you can get the information you need within a couple of minutes.
As opposed to having to set up a sniper and figure out where to put everything, it greatly increases the amount of time that I can take to find what I need.
It took me a couple of weeks to get the hang of it. I didn't use any training material, just learned on my own. I'm sure if I would have had some training, it would have been easier.
Cisco Stealthwatch is one of the tools that I tell anyone that comes to the networking group to learn first. Because you can get a lot of relevant information fairly quickly.
I give Cisco Stealthwatch an eight out of ten. Not a ten because of the UI. I'm just not a fan of it.
Other than that, availability, uptime, and maintenance on it are all great. It does what I need it to do, but the UI is the deal breaker for me.
The biggest lesson I've learned using the solution is the importance of NetFlow. We're using NetFlow 9. I'd like to move towards NetFlow 12.
I appreciate the historical data that NetFlow can provide in my environment. I would recommend Stealthwatch because it's invaluable to troubleshooting.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Architect at Atea A/S
Provides important visibility needed to detect and take precautions against threats
Pros and Cons
- "The most valuable features provided by this solution are visibility and information."
- "Some of our customers find this solution to be a little bit tough because they don't understand how to configure and use it."
What is our primary use case?
We provide this solution to our customers to give them visibility into their network.
How has it helped my organization?
This solution gives our customers better visibility. They have a large infrastructure and they don't know what is going on in the individual locations, so we're using Stealthwatch for that.
It has reduced our incident response time by around forty percent.
It saves time, money and administrative work for our customers.
What is most valuable?
The most valuable features provided by this solution are visibility and information.
The solution's analytics and threat detection capabilities are good. Network visibility is also really good.
The encrypted traffic analytics work well, I don't see any problem with it.
The time to value is very good, and it is based on visibility. For example, one of our customers was locked by Ransomware and it cost them two million Danish Krones (approximately $300,000 USD). The shipper was not able to send anything until we got everything working.
It has reduced the amount of time it takes to detect and remediate threats, although it is hard to tell by how much. If you’re under attack and you get visibility then you know it, and you can take precautions as fast as possible.
What needs improvement?
Some of our customers find this solution to be a little bit tough because they don't understand how to configure and use it. It may have to do with a need for more education when installing the product.
Speed is an issue because the faster you have visibility, the better the solution.
What do I think about the stability of the solution?
I would say that the stability of this solution could be better.
What do I think about the scalability of the solution?
The scalability is okay.
How are customer service and technical support?
Technical support for this solution could be better. It's ok. It is sometimes a case of having to find the right tech engineer before you get the real answers. Not everybody knows Stealthwatch, which is the problem.
Which solution did I use previously and why did I switch?
Previously, my customer had a large router and switching network with a lot of perimeter security, but they didn't have any security or visibility on their internal network. That is why they are using Stealthwatch now.
How was the initial setup?
The initial setup of this solution is complex. The most important thing is that the customer has good guidelines.
What about the implementation team?
I performed the deployment myself.
Which other solutions did I evaluate?
We did not evaluate other options before choosing this solution.
What other advice do I have?
In summary, this product provides good visibility into the internal network, but it is difficult for some people to install and configure.
I would rate this solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Senior Cyber Scientist at a government with 10,001+ employees
Improved our organization greatly but greater customizability would be beneficial
Pros and Cons
- "The solution allowed us to not only gain insight but also start collaborating with other tools."
- "The customizability of the UI should improve."
What is our primary use case?
We have a number of users that deployed both fixed hubs and satellite sites. Cisco Secure Network Analytics enables us to get full visibility and detect general threats on both types of sites. Regardless of whether a site is deployed overseas or back home, we want one single solution to be able to collect the telemetry, make a decision on it, and report it in a meaningful way. We also want the solution to be able to pipe it to tools that we can use to fight threats.
How has it helped my organization?
I think Cisco Secure Network Analytics improved our organization quite a lot. Prior to deploying it, we did not use anything, so, with it, we have gone from nothing to something. This has been a humongous leap in a way. The solution allowed us to not only gain insight but also start collaborating with other tools.
Cisco Secure Network Analytics helped our organization save time. I think having things like our automated analysis built into our network means we don't have to do as much threat-hunting. We still need to do a bit of threat hunting, but as long as we got the automated tools, if an alert comes in, then we can focus our activity on it. We would verify it as a false positive or true positive and then do the remediation steps from there. Rather than having to continuously look through just raw data and make the decision ourselves.
What is most valuable?
We deal with TLS and other forms of encrypted tunnels. The kind of encrypted traffic analysis we receive from Cisco Secure Network Analytics gives us behavior analytics or anomaly detection on those tunnels, which is really insightful. These analytics are particularly important when we can't man in the middle and decrypt to do a deep packet inspection.
What needs improvement?
The customizability of the UI should improve. With Splunk and other SIEM tools, you have the ability to create custom dashboards and manipulate the data in a way that works for you. Cisco gives you some creative ability, but you are very much locked into their train of thought. It would be helpful if they went more down the Splunk and Elastic route.
We found flaws in Stealthwatch, but thankfully it has the ability to interconnect with Splunk and other such tools. This enabled us to plug the information over where it falls flat and then start working on other platforms. The solution falls down but tries to make up for it.
I would also like to have greater insight into how it works under the hood. I appreciate that that might not be possible due to commercial confidentiality. However, having that greater insight would allow us to convey a level of trust to the people who use it.
For how long have I used the solution?
I have been using this solution for about two years now.
What do I think about the stability of the solution?
The solution's stability is hard to fault. It sits there and runs without fault. We have had a fair amount of power outages and we get some very dirty power to our site. So there are brownouts and things like that and they cut off at a moment's notice and then come back and there are no configuration issues typically. We are generally quite happy with the stability that we get from the solution.
What do I think about the scalability of the solution?
Cisco Secure Network Analytics is designed to scale well, especially in your SD-WAN solution that is designed specifically for scale. It makes sense that it scales because it is a security product for SD-WAN solutions. I have had no problems scaling. It has been pretty easy for us to scale.
How are customer service and support?
I have not personally had to use Cisco's tech support.
Which solution did I use previously and why did I switch?
We did not previously use a different solution.
How was the initial setup?
I think generally it was quite easy to deploy. It's a virtualized device, so I just put it on the hypervisor and the documentation is good. I think the research environment that we placed it in was an SD-WAN. We had physical IR1001s and they were a little bit more difficult to figure out. The documentation was a little bit all over the place for that specifically. We had to do a lot of cross-referencing.
What about the implementation team?
We deployed the solution in-house.
What was our ROI?
I think we will get a return on investment from this solution.
What's my experience with pricing, setup cost, and licensing?
From what I've seen when using the Cisco ecosystem, you can get some good value from the licensing. But there are products out there like Cisco Firepower, for which the license is expensive. We are very much trying to move away from Firepower specifically because of the pricing. It's just not good value for us.
Which other solutions did I evaluate?
When choosing Cisco, we didn't not consider other solutions, but the expertise that we had in-house was central to our decision. We're very much brought into the CCNA and CCMP learning path and therefore we have expertise in Cisco equipment. To buy into the ecosystem of a Cisco competitor like Juniper would be more trouble and costly for us in the long run. Plus, Cisco does a good job.
I've had not necessarily bad experiences with other products, but when it comes to configuring them, I find them a bit more time-consuming than Cisco. Junos, for example, I typically find the commands I have to type in a bit more convoluted and have to look at documentation over and over again because they're very non-logical. Cisco does have a little bit of backwardness in a CLI, but it's much more intuitive. It's easier for me to go to Cisco and do the CLI and configure everything that I need rather than going to Junos.
What other advice do I have?
The key integration we use with Cisco Secure Network Analytics is Splunk outside of the Cisco ecosystem. We have had an internal push to get further into the Cisco ecosystem because Stealthwatch is just detection and has no way of doing your security orchestration but other Cisco solutions do. The idea going forward is that we will be able to buy in a bit further and exploit that integration to do more machine time response.
I think Cisco Secure Network Analytics is quite good when it comes to securing the infrastructure from end to end. This is particularly the case when you are deploying something like the Cisco SD-WAN solution where you've got your controlling data plane. Cisco has thought about this, going back to the encrypted traffic analysis, your Cisco controlling data plane won't stand up unless they're encrypted. Unless I want a man-in-the-middle, which causes other issues, I deploy Stealthwatch. Stealthwatch has that encrypted traffic analysis. I think it's really well thought through.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Enterprise Information Security Architect at a agriculture with 5,001-10,000 employees
Provides valuable security knowledge and helps us improve network performance
Pros and Cons
- "It has definitely helped us improve our mean time to resolution on network issues."
- "Many of these tools require extensive on-premises hardware to run."
What is our primary use case?
From a security perspective, we are watching for behind the scenes data exfiltration, or tubulous, or malicious network traffic, that our other tools may not be detecting at a basic network layer.
We are also using it for performance issues in trying to figure out if a site is experiencing issues with slowness. Also, we try to determine things like whether we are exceeding the bandwidth of the link or whether there is a bottleneck or something that's not negotiating correctly on the network.
Also, we use it for TAP to try and do inline network traffic analysis from a security perspective or from a performance perspective as well.
How has it helped my organization?
It has definitely helped us improve our mean time to resolution on network issues.
From a security perspective, I think they've been good as far as giving us knowledge.
I wouldn't say it's really transformed what we do. It's just another tool that gives us the information we need or helps alarms for us. But it only alarms on a handful of things. I think there are six or eight alerts that we've deemed critical.
Beyond that, it's just mostly the performance where I think it helps out. But that's like any NetFlow performance tool. Having insight into what's going across your network is critical for any huge network to function correctly.
What is most valuable?
The most valuable feature of this solution is the ability to do TAPs because we have a distributed network.
The ability to set up one tool to stream that data over to us has been helpful because that way, we don't have to have other infrastructure and be really close to where the activity is.
The security features have been good for helping create some correlation. For example, when you tap in, what else happens from the network perspective.
Otherwise, just the general network performance monitoring is probably the number one thing that gets used. If we're having slowness issues then it can tell us what the bandwidth and usage are. We can find things like what is using up all the bandwidth and then find out how can we break that apart or route that differently, through a different WAN connection or internet connection.
What needs improvement?
An issue that we are having is that people have tools to do a security analysis of network traffic and people have tools that do NetFlow analysis, but typically the security tools do the NetFlow as well. We need the security piece and there are many good NetFlow tools out there, but they don't have that. I feel like they didn't segregate the product classes enough.
When you're doing research, you are looking for network traffic analysis, not NetFlow tools or network performance monitoring. This is the type of thing that I have been running into. You have to search for something that sounds very much like the other things, but it's not.
Many of these tools require extensive on-premises hardware to run. It is for their own performance and to support their own tools, including machine learning. It's as though you have to buy this hardware stack, and I feel that contributes to the price. This is versus having my collected data and then feeding it up into the cloud. I feel like a lot of monitoring tools or a lot of analysis tools are going that route. I don't think that StealthWatch is there, yet. It isn't good when you get to the point where you need to buy a huge stack of hardware. Instead, I just pay a license for how much data I send to the cloud. It is maintained there and that way, year after year I don't have to buy new hardware when it goes end-of-life.
For how long have I used the solution?
The company has been using Cisco Stealthwatch for a couple of years, but I have only been with the company for less than one year.
What do I think about the stability of the solution?
I have not been made aware of any stability issues with the tool.
What do I think about the scalability of the solution?
My understanding is that it has been easy to scale, although I was not around for it. We have not had astronomical growth, but it sounds like it runs stable and there haven't been any performance issues with it.
We have 10 to 20 threat prevention engineers and network engineers of various levels who use it.
How are customer service and technical support?
I have not been in contact with technical support.
Which solution did I use previously and why did I switch?
I have not used another similar solution in the past. I think the only thing that would even come close was using Azure Advanced Threat Analytics, but that only really analyzes network traffic coming to the domain. It checks, for example, if there is sketchy network traffic hitting your domain controllers.
In my previous jobs, I used network performance tools, but nothing that was the same as StealthWatch where it combines that performance and security analysis together.
What's my experience with pricing, setup cost, and licensing?
This is an expensive product. We have quit paying for support because we don't want to have to upgrade it and keep paying for it.
Which other solutions did I evaluate?
I looked at the capabilities of SolarWinds NetFlow and realized that it can't replace our Cisco StealthWatch.
What other advice do I have?
We are using the previous version.
Our situation was that it was really expensive to keep up maintenance and the hardware was about to go end of life, which meant that we had to purchase a new hardware stack. Also, we were trying to get out of the data center business, so keeping StealthWatch is not really an option.
It doesn't fit where our company wants to go, but at the same time, it's one of three products out there that actually does what it does. Otherwise, you have to start linking NetFlow into the UEBA space.
My advice for anybody who is considering StealthWatch is that if you're going to maintain an on-prem network, I think it's a good solution. That is if you want to feed the bill and have something that is top of the line. But if you have a cloud journey underway and you're trying to downsize your data centers, it's going to add a big hardware footprint. This is just something to consider.
Overall, this is a good product but it would be better if it were cheaper and it fit our future plans better. Everybody had been happy with it, and the major reasons we're getting away from it are the footprint and the costs.
I would rate this solution an eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Director of Operations at a manufacturing company with 1,001-5,000 employees
Has significantly increased our network visibility and threat detection rate
Pros and Cons
- "The most valuable features of this solution are the logging, keeping threats under control, and keeping our data and environment secure."
- "It is time-consuming to set it up and understand how the tool works."
What is our primary use case?
Our primary uses for this solution are threat management and traffic management.
How has it helped my organization?
Our network visibility is pretty significant right now, where we use it within our data centers and even on the OT side of the house. It’s given us pretty good visibility.
This solution has increased our threat detection rate by forty to sixty percent.
Using this solution has helped us to improve threat-remediation timeframe.
It has reduced your incident response time. We use the solution's encrypted traffic analytics. It has significantly improved our capabilities.
What is most valuable?
The most valuable features of this solution are the logging, keeping threats under control, and keeping our data and environment secure.
What needs improvement?
It is time-consuming to set it up and understand how the tool works.
For how long have I used the solution?
Still implementing.
What do I think about the stability of the solution?
In our environment, the way we've implemented in phases, the stability is good.
What do I think about the scalability of the solution?
We're going to be looking at this, and I'm hoping that it is scalable across our environment.
How are customer service and technical support?
I would rate the technical support for this solution extremely highly. The professional services have been really good for us.
Which solution did I use previously and why did I switch?
We did not use another solution prior to this one, and we chose this solution based on Cisco's recommendation after they reviewed our requirements.
How was the initial setup?
The initial setup of this solution is complex. It wasn't necessarily the tool that was complex, but the environment. It had to do with the way our network is and the requirements that we needed to be implemented. This is where the complexity came from.
What about the implementation team?
We had a partner to assist us with the deployment.
Which other solutions did I evaluate?
Cisco was the only vendor that we considered for this solution.
What other advice do I have?
My advice for anybody who is implementing this solution is to have your requirements identified very clearly before you start.
The analytics and threat detection capabilities are pretty extensive. We still need to use other tools and mechanisms to analyze data, but it does the job that we’re looking for.
I would rate this solution an eight out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Network Operations Manager at a tech company with 10,001+ employees
Improved network visibility has saved us money and facilitates executive reporting
Pros and Cons
- "This product alleviates the day-to-day headaches for us, in regards to metrics."
- "The reporting of day-to-day metrics still has room for improvement."
What is our primary use case?
Our primary use for this solution is to provide operational metrics. In terms of the analytics and threat detection capabilities, it basically cures our day-to-day for everything that we do. It helps us out tremendously.
How has it helped my organization?
This product alleviates the day-to-day headaches for us, in regards to metrics. In terms of network visibility, the way we were looking at it before was kind of archaic. This solution has definitely opened up the metrics, as far as reporting is concerned.
The savings brought about by implementing this solution have allowed us to cut one position.
It has increased our threat detection rate and it has reduced our incident response time by ten to fifteen percent.
What is most valuable?
The most valuable feature of this solution is the reporting, in terms of operational metrics and what I can show to the execs.
What needs improvement?
There is room for this solution to mature because there are still things that we want to see.
The reporting of day-to-day metrics still has room for improvement.
What do I think about the stability of the solution?
This solution is very stable.
What do I think about the scalability of the solution?
We're kind of immature, right now, in our implementation, but I see it growing.
How are customer service and technical support?
We have not used technical support at this point.
Which solution did I use previously and why did I switch?
We were archaic in terms of reporting.
How was the initial setup?
I wouldn't say that the initial setup was complex. It took us approximately one week, which included two days of off-screening and two days of prep.
It was more a case of red tape on our end in regards to getting it into production than anything else. It wasn't complicated at all.
What about the implementation team?
We handled the deployment in-house.
What was our ROI?
The ROI was immediate for us, in regard to how we implemented it. The implementation was super quick, and we saw returns right from the get-go.
What's my experience with pricing, setup cost, and licensing?
The pricing for this solution is good.
Which other solutions did I evaluate?
We evaluated Darktrace, but I didn’t have a good, happy experience with their Account Manager.
What other advice do I have?
My advice to anybody researching this type of solution is to put Cisco Stealthwatch on the shortlist. It is not complicated to install. The feature set is good, as well as the pricing.
The biggest lesson for us is that we needed improvement, compared to what we had before. We ran around naked for the previous four years that I have been with the company. We made a good decision.
This is a good product, but there are still things that we would like to see.
I would rate this solution a nine out of ten.
Disclosure: I am a real user, and this review is based on my own experience and opinions.

Updated: May 2025