(844) 773-7734 mk@mkss.us

Secure Network Analytics (Stealthwatch) Then, Now and Beyond – Part 3: Into the Future

(2020 – Future)

Welcome to the third and final installment in our series looking at the past, present and future of Secure Network Analytics (formerly Stealthwatch). Today, we get to talk about the future.  In parts one and two of this series, we covered Secure Network Analytics’ entry into the market in 2001, its evolution as a product and a company, and how that led to Cisco acquiring Lancope in 2016. Now, it’s time for us to look forward to what the solution will become next. To do this, we need to point out some trends that we think will shape the future of Network Detection and Response (NDR).

2020 has been a hell of a year and I believe these particular trends will remain prominent for the next 5 to 10 years:

  • Customers want to pay for outcomes, not everything that leads up to that outcome
  • Infrastructure as Code
  • Security moves from human-scale to machine-scale

All three of these are deeply interconnected, but let’s address them one by one.


All security products and services have an outcome that is valued. In the end, this is what matters the most no matter how it went about delivering that outcome.  Outcomes also don’t change over time. We are looking to detect and respond to threats on the network but how we go about delivering that outcome has had to change over the years and will continue to change as “what we protect” is constantly evolving and changing. What began as a company called Lancope, delivering a product called Stealthwatch, has now become Cisco Secure Network Analytics and it will largely be delivered as Security as a Service (SaaS).

Why? Because in the SaaS world, you are much closer to just paying for the outcomes. I had a customer once tell me “We are trying to get out of the business of caring and feeding for technology – we are interested in outcomes.”  I hear you loud and clear as this megatrend has swept through all industries (transportation, hotels, dining, etc). We are in an outcome-based economy now and the closer we can get our customers to paying for the outcomes, the better. Cisco Secure Network Analytics will get you closer to the outcome of detection and response with the least amount of care and feeding.

Infrastructure as Code

Network as code, storage as code, the “as code’ mental model is another trend sweeping across numerous fields. In the industrial age, the human body was seen as mechanical and now in the information age, the human body can be seen as code. Following that mindset, we come to “Infrastructure as Code”. The systems that were once managed manually in isolation are now part of the larger programmable mesh and Secure Network Analytics will have a role to play as part of that mesh.  “As Code” inherently means that systems are programmable, testable, and operate at machine-scale. This level of automation is desirable, but we will have to ensure that just like the code we write for a simple application, it does not have vulnerabilities that can be exploited. If we are to automate security to this degree, we must ensure that we are securing the automation process. The good news is that we have best practices on securing code, so they will just need to be applied to the infrastructure automation. Being able to test the automation, being able to perform threat modeling – all these practices help us ensure that our automation is working on behalf of the business and not on behalf of threat actors.

Human-Scale and Machine-Scale

The fact of the matter is that we can no longer defend our networks at human-scale. I cannot emphasize this enough because in our field, we are not just planning for something to fail, we are actively defending against a threat that is innovating and adapting. To move to machine-scale, we must find ways to automate our craft. It is no longer enough for a detection engine of any type to just hand you a list of things you need to go and fix. It is also just as irresponsible for an automated response to assume it can just take input from any source. When we think of detection, we must also think of response and vice versa. While not all detection requires a response, those that do need to be carefully qualified to ensure that they are acting with the intent of the business. The future of Secure Network Analytics is to ensure that it is driving as much automated response as it can, but not to go near automation when the detection is too risky to pursue or if the attacker can exhibit traffic to trigger that automation. It is a tricky matter but that is what got us interested in this subject matter back in 2001! We have lately introduced many capabilities related to response that are enabled natively within the product as well as through the SecureX platform.

To keep up with the current and future innovations for Cisco Secure Network Analytics, visit us at https://www.cisco.com/go/secure-network-analytics.