
SLIC and CTA on SMC

Jay Tiwari
Cisco Employee

Hi Experts,

I have a question!

If we have Stealthwatch configured with CTA, which can get us C&C flows, do we really still require the SLIC feature?

Regards,

Jay

3 Replies

I just did my implementation so I may be wrong, but I think it may be a matter of timing...
SLIC is going to allow you to know sooner about communication with a known bad IP.

Cognitive thinks about all of the connections as a whole and tries to infer more about what's going on, which takes longer...

brford
Cisco Employee

It's important to understand the differences in the two approaches: a threat intel feed and cloud-based data analysis.

The Stealthwatch Threat Intelligence Feed (formerly known as SLIC, or Stealthwatch Labs Intelligence Connection) is an IP list that is updated, sometimes several times per day, based on data from a variety of sources within Cisco and the security industry. That list resides locally on the Stealthwatch Management Console (SMC). When an external IP address in a connection matches an IP on that list, an alarm is generated. The process of getting that list from the Internet to the SMC is a download from Cisco. No local SMC data other than the SMC serial number, for identification, is shared with Cisco.

Stealthwatch Cognitive integration uses both the Flow Collector and the SMC. The Flow Collector identifies connections in its database that cross the trust boundary defined by the Internet gateway. The Flow Collector sends data about connections that cross that trust boundary to Cognitive via an HTTPS tunnel. At Cognitive, additional account-specific baselines on the submitted data are established, and the data is analyzed using a multi-layer framework of classifier algorithms. The result is that for each submitted connection a risk score is computed and then sent back to the SMC.

Cognitive holds some processed data, and as the classifiers are updated it runs that data through the now-updated classifiers to determine if the risk score has changed. If it has, that info is sent to the SMC.

The Threat Intel feed does not expose any of the customer network and matches very fast.

Stealthwatch with CTA uses cloud-based analytics and processing to greatly extend the analysis of customer Internet connection data.

I hope this helps.

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.
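The two mechanisms Brian describes can be sketched side by side in code. The following is an added example, not Cisco code and not the Stealthwatch or Cognitive implementation: it models a local threat-intel lookup (an exact match of the external peer against an IP list held on the appliance, firing as soon as the flow record exists) next to the cloud-side path (select only the flows that cross the trust boundary, score them, and re-score retained data when the classifier version changes). The internal networks, the feed entries (TEST-NET addresses), the flow records and the scoring rules in `classify()` are all constructed for illustration; the real classifiers, feed contents and HTTPS transport are not shown.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical trust boundary: anything outside these nets is "Internet".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed stand-in for the downloaded feed (TEST-NET addresses, not real indicators).
THREAT_FEED = {"203.0.113.7", "198.51.100.23"}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    bytes_out: int  # bytes from src to dst
    bytes_in: int   # bytes from dst to src


# Constructed sample flow records.
FLOWS = [
    Flow("10.1.2.3", "203.0.113.7", 443, 900, 12000),      # peer is on the feed
    Flow("10.1.2.3", "10.1.2.50", 445, 5000, 5000),        # internal only, never leaves
    Flow("10.1.2.4", "198.51.100.9", 8443, 2000, 150),     # crosses boundary, not on feed
    Flow("192.168.5.9", "198.51.100.9", 8443, 2100, 160),  # same peer, second host
    Flow("10.1.2.4", "203.0.113.50", 80, 40000, 300),      # large upload, crosses boundary
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_peer(flow: Flow):
    """Return the endpoint outside the trust boundary, or None if the flow never crosses it."""
    src_in, dst_in = is_internal(flow.src), is_internal(flow.dst)
    if src_in and not dst_in:
        return flow.dst
    if dst_in and not src_in:
        return flow.src
    return None


def threat_feed_alarms(flows, feed=THREAT_FEED):
    """Local set lookup per flow: no customer data leaves the box, alarm is immediate."""
    return [f for f in flows if external_peer(f) in feed]


def boundary_crossing(flows):
    """What would be shipped to the cloud: only flows that cross the Internet boundary."""
    return [f for f in flows if external_peer(f) is not None]


def classify(flow: Flow, version: int) -> int:
    """Hypothetical risk scorer (0-100). Not Cognitive's algorithm; rules exist only
    so that a newer classifier version can change an earlier score."""
    score = 0
    if flow.dport not in (80, 443):                   # unusual outbound port
        score += 30
    if flow.bytes_out > 10 * max(flow.bytes_in, 1):   # upload-heavy connection
        score += 40
    if version >= 2 and flow.dport == 8443:           # rule added in a later version
        score += 25
    return min(score, 100)


def score_all(flows, version):
    return {f: classify(f, version) for f in flows}


def rescore_changes(flows, old_version, new_version):
    """Re-run retained data through updated classifiers; return flows whose score moved,
    mapped to (old_score, new_score). Only these would be sent back to the SMC."""
    old, new = score_all(flows, old_version), score_all(flows, new_version)
    return {f: (old[f], new[f]) for f in flows if old[f] != new[f]}


if __name__ == "__main__":
    print("feed alarms:", threat_feed_alarms(FLOWS))
    shipped = boundary_crossing(FLOWS)
    print("flows sent for analysis:", len(shipped), "of", len(FLOWS))
    print("score changes after classifier update:", rescore_changes(shipped, 1, 2))
```

Note the difference in what each path sees: the feed alarm needs nothing beyond the flow record and the local list, while the cloud path only ever receives the boundary-crossing subset, and flows that stay internal (the SMB session above) are never submitted at all.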

Ed Long
Level 1

Hey Brian, can you offer any additional comments on the SLIC, CTA, ETA integrations with SNA? Especially how TALOS fits into the picture?
