StealthWatch for Security Operations: Course Description

6.5 StealthWatch for Security Operations
Available Q1 2015
Overview
Once the StealthWatch® System is installed and its initial configuration and basic setup are
complete, customers need to begin using the system to monitor network activity.
The two-day StealthWatch for Security Operations course is designed for customers who are
new to StealthWatch and have responsibilities such as assessing security needs, creating and
enforcing security policy, security monitoring or security engineering.
The course focuses on tuning the StealthWatch system by adding policies, optimizing alarms
and managing host groups. It also covers workflows for obtaining actionable alarms and for
incident response.
Assumptions
This course has a very specific focus on security operations. It assumes the StealthWatch
System is installed, reachable and has completed initial configuration and basic setup. It
also assumes that all exporters are properly configured to send flow data to the appropriate
FlowCollector.
Course Prerequisites and Assumed Knowledge
To have a successful learning experience, the following is assumed about your knowledge and
experience:

- Basic understanding of TCP/IP and telemetry
- Working knowledge of networking technologies, including the servers, routers, hosts and IP
  networks within your organization

All students should have completed the following (minimum) prerequisites. These prerequisites
are available as eLearning courses found in the Customer Training Center (LMS) available
through Lancope’s Customer Community:

- Flow Basics
- StealthWatch Overview and Components
- StealthWatch SMC Client Interface Overview
- StealthWatch Web App Overview
Course Structure
The course can be categorized in the following major concept areas:
Course Outline
Technical Overview
- Technical Concepts
  o NetFlow and Limitations of NetFlow
     - Deduplication
     - Flow Stitching
     - NAT Stitching
     - Client / Server issue
  o What SW Does
     - Behavior Analysis
     - Anomaly based vs signature based
  o How SW Works
     - Flow & Visibility
     - Base-lining
- Using StealthWatch
  o Appliance Administration Interfaces
  o The SMC Client
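As an added illustration of the Technical Concepts items above (this is not code from the
course or from Lancope, and it does not show how StealthWatch itself does it): a small Python
pipeline that deduplicates NetFlow records exported by more than one router on the same path,
stitches the two unidirectional records of a conversation into one, and then decides which end
was the client. The record layout, the well-known-port heuristic and the sample records are
all constructed for this example.

```python
# Worked example (added here; not Lancope/StealthWatch code): what NetFlow
# deduplication, flow stitching and client/server determination have to do
# before a behaviour analysis can count a conversation exactly once. The
# record layout, heuristics and sample records are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowRecord:
    exporter: str       # router/switch that exported this record
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int          # 6 = TCP, 17 = UDP
    packets: int
    bytes: int
    first_seen: float   # exporter clock, epoch seconds


FiveTuple = Tuple[str, int, str, int, int]

# Assumed set of ports treated as the server side when only one end uses one.
WELL_KNOWN_PORTS = {22, 25, 53, 80, 443}


def _key(r: FlowRecord) -> FiveTuple:
    return (r.src_ip, r.src_port, r.dst_ip, r.dst_port, r.proto)


def dedup(records: List[FlowRecord]) -> List[FlowRecord]:
    """Keep one export per unidirectional 5-tuple. Two routers on the same
    path each export the same flow; counting both doubles packets and bytes."""
    seen: Dict[FiveTuple, FlowRecord] = {}
    for r in records:
        seen.setdefault(_key(r), r)
    return list(seen.values())


def stitch(records: List[FlowRecord]) -> List[Tuple[FlowRecord, Optional[FlowRecord]]]:
    """Pair each unidirectional record with the record for the reverse direction.
    A record with no partner stays one-sided (asymmetric routing, NAT on the
    return path, or a probe that was never answered)."""
    by_key = {_key(r): r for r in records}
    done = set()
    conversations = []
    for key, fwd in by_key.items():
        if key in done:
            continue
        rev_key = (key[2], key[3], key[0], key[1], key[4])
        done.update({key, rev_key})
        conversations.append((fwd, by_key.get(rev_key)))
    return conversations


def classify(fwd: FlowRecord, rev: Optional[FlowRecord]) -> dict:
    """NetFlow does not record which end initiated. Heuristics, in order: a
    single well-known port marks the server; else the record seen first
    came from the client; else the lower port is treated as the server."""
    a = (fwd.src_ip, fwd.src_port)
    b = (fwd.dst_ip, fwd.dst_port)
    a_known, b_known = a[1] in WELL_KNOWN_PORTS, b[1] in WELL_KNOWN_PORTS
    if a_known != b_known:
        server = a if a_known else b
    elif rev is not None and rev.first_seen != fwd.first_seen:
        server = a if rev.first_seen < fwd.first_seen else b
    else:
        server = min(a, b, key=lambda ep: ep[1])
    fwd_is_client = server == b
    client_rec = fwd if fwd_is_client else rev
    server_rec = rev if fwd_is_client else fwd
    client = a if fwd_is_client else b
    return {
        "client": client[0],
        "server": server[0],
        "server_port": server[1],
        "proto": fwd.proto,
        "client_bytes": client_rec.bytes if client_rec else 0,
        "server_bytes": server_rec.bytes if server_rec else 0,
        "bidirectional": rev is not None,
    }


def summarize(records: List[FlowRecord]) -> List[dict]:
    """Full pipeline: dedup -> stitch -> classify."""
    return [classify(f, r) for f, r in stitch(dedup(records))]


# Constructed sample: a web session exported by two routers (duplicate), a DNS
# lookup whose reply record carries an earlier timestamp (clock skew between
# exporters), and a one-sided TCP flow to a port that never answered.
SAMPLE_RECORDS = [
    FlowRecord("rtr-a", "10.1.1.5", 51234, "93.184.216.34", 443, 6, 10, 1200, 100.00),
    FlowRecord("rtr-b", "10.1.1.5", 51234, "93.184.216.34", 443, 6, 10, 1200, 100.10),
    FlowRecord("rtr-a", "93.184.216.34", 443, "10.1.1.5", 51234, 6, 8, 9000, 100.05),
    FlowRecord("rtr-a", "10.1.1.7", 40001, "10.1.1.53", 53, 17, 1, 70, 200.00),
    FlowRecord("rtr-a", "10.1.1.53", 53, "10.1.1.7", 40001, 17, 1, 130, 199.90),
    FlowRecord("rtr-a", "10.1.1.9", 45000, "10.1.1.10", 8080, 6, 5, 500, 300.00),
]

if __name__ == "__main__":
    for conv in summarize(SAMPLE_RECORDS):
        print(conv)
```

Running it turns six records into three conversations: the second router's copy of the web
session is dropped before bytes are summed (12100 raw bytes become 10900), the DNS reply is
still attributed to the server even though its timestamp is earlier (the port heuristic wins
over clock skew), and the unanswered flow to port 8080 stays one-sided, which is the kind of
record a scan leaves behind.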
Tuning the System
- Defining Host Groups
- Understanding Default Policy
- Using Host Groups By Function
- Using the Catch All Host Group
- Quieting the system
  o Suppress Alarms
  o Raising Thresholds
- Posturing the system
  o Adding Policy
  o Lowering Thresholds
  o Creating Host Rules
- Understanding / Viewing Traffic
  o Identify documents/reports/tools you use to help you identify what IP space your
    organization owns.
- Defining Services and Applications
  o What is a Service
  o Ports and Protocols
  o Defining Services
  o What is an application
  o Why Define Applications
  o Default applications
  o Host Group Application Traffic Document
  o Investigating Undefined Applications
- Viewing Traffic from Undefined Sources
- Defining the By Function Host Group
  o Need this to understand devices that naturally create a lot of noise on the
    network.
  o Reducing False Positives
- Policy Management
  o Role Policy
  o Host Policy
- How Policies are Applied
  o Inside Hosts vs Outside Hosts
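As an added illustration of the tuning items above (not StealthWatch's implementation and not
code from the course): Inside Hosts defined as the IP space the organization owns, By Function
host groups for devices that are naturally noisy, a Catch All group for owned addresses that
fit no function, and the order in which a host policy, a role (host group) policy and the
default policy decide an alarm threshold. Group names, CIDRs, the peer-count metric, every
threshold and the observed counts are constructed; treating Outside Hosts under the default
policy is also an assumption of this example.

```python
# Illustration (added here; not StealthWatch's implementation) of quieting and
# posturing a system with host groups and layered policy. Group names, CIDRs,
# the metric, thresholds and observations are constructed.
import ipaddress
from typing import Dict, List

# Inside Hosts: the IP space the organization owns. Anything else is Outside.
INSIDE_HOSTS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# By Function host groups: devices that legitimately talk to many peers.
HOST_GROUPS = {
    name: [ipaddress.ip_network(c) for c in cidrs]
    for name, cidrs in {
        "DNS Servers": ["10.1.1.53/32", "10.1.1.54/32"],
        "Proxy Servers": ["10.1.2.0/28"],
        "Workstations": ["10.20.0.0/16"],
    }.items()
}

METRIC = "max_peers_per_hour"
DEFAULT_POLICY = {METRIC: 200}          # Catch All and (assumed) Outside Hosts
ROLE_POLICY = {                         # one policy per host group
    "DNS Servers": {METRIC: 5000},      # quieting: raised threshold
    "Proxy Servers": {METRIC: 8000},
    "Workstations": {METRIC: 100},      # posturing: lowered threshold
}
HOST_POLICY = {"10.20.5.77": {METRIC: 300}}  # single-host exception


def host_group(ip_str: str) -> str:
    """Longest-prefix match into the By Function groups; otherwise Catch All
    for owned address space or Outside Hosts for everything else."""
    ip = ipaddress.ip_address(ip_str)
    best = None
    for name, nets in HOST_GROUPS.items():
        for net in nets:
            if ip in net and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    if best:
        return best[0]
    return "Catch All" if any(ip in n for n in INSIDE_HOSTS) else "Outside Hosts"


def effective_threshold(ip_str: str, metric: str = METRIC,
                        role_policy=ROLE_POLICY, host_policy=HOST_POLICY) -> int:
    """Most specific policy wins: host policy, then role policy, then default."""
    if ip_str in host_policy and metric in host_policy[ip_str]:
        return host_policy[ip_str][metric]
    group = host_group(ip_str)
    if group in role_policy and metric in role_policy[group]:
        return role_policy[group][metric]
    return DEFAULT_POLICY[metric]


def evaluate(observed: Dict[str, int], role_policy=ROLE_POLICY,
             host_policy=HOST_POLICY) -> List[dict]:
    """Raise one alarm per host whose observed value exceeds its threshold."""
    alarms = []
    for ip_str, value in observed.items():
        threshold = effective_threshold(ip_str, METRIC, role_policy, host_policy)
        if value > threshold:
            alarms.append({"host": ip_str, "group": host_group(ip_str),
                           "observed": value, "threshold": threshold})
    return alarms


# Constructed one-hour distinct-peer counts per host.
OBSERVED = {
    "10.1.1.53": 3200,   # DNS server: noisy by function
    "10.20.4.10": 150,   # workstation
    "10.20.5.77": 250,   # workstation with a host policy exception
    "10.7.7.7": 250,     # owned space, no function group -> Catch All
    "8.8.8.8": 50,       # outside host
}

if __name__ == "__main__":
    print("untuned:", [a["host"] for a in evaluate(OBSERVED, role_policy={}, host_policy={})])
    print("tuned:  ", [a["host"] for a in evaluate(OBSERVED)])
```

With only the default policy, the DNS server, the excepted workstation and the Catch All host
all alarm, and the first of those is the false positive the By Function group exists to
remove. After tuning, the DNS server is quiet, the host with its own policy is quiet, the
workstation at 150 peers now alarms under the lowered role threshold, and the Catch All host
still alarms, which is the point of keeping that group under the default policy.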
Incident Response
- Putting Together an incident response process
- Example Workflow for Incident Response
  o Working with alarms
  o Identifying False Positives
Place in the Customer Success Maturity Model
Lancope’s Customer Success model consists of four stages of enablement, as shown below, and
each stage has multiple phases. For the purposes of this introduction, the goal is to show
where in the customer success maturity model this StealthWatch for Security Operations
(SecOps) course supports enablement.
[Figure: Customer Success Maturity Model. Stages: Implementation, Visibility, Threat
Detection, System Integration. The SecOps (SSO) course is marked on the figure.]
Course Pricing
This course is available as a Virtual Instructor-Led Training (VILT) course. It can be
delivered to a customer as a 2-day private training course. Contact the Lancope sales team
for additional pricing information.
Need More Information?
Contact Lancope Learning and Development team at [email protected].