Showing results for 
Search instead for 
Did you mean: 
Cisco Employee


Hi Experts,

I got a question !

If we have sltealthwatch configured with CTA which can get us C&C flow. Now do we really require SLIC feature?





Re: SLIC and CTA on SMC

I just did my implementation so I may be wrong, but I think it may be a matter of timing...
SlIc is going to allow you to know sooner about communication with a known bad Ip.

Cognitive thinks about all of the connections as a whole and tries to infer more about what's going on. Which takes longer...
Cisco Employee

Re: SLIC and CTA on SMC

It's important to understand the differences in the two approaches; threat intel feed and cloud based data analysis. 


The Stealthwatch Threat Intelligence Feed (formerly known as SLIC or Stealthwatch Labs Intelligence Connection) is a IP list that is updated sometimes several times per day based on data from a variety of sources with Cisco and the security industry.  That list resides locally on the Stealthwatch Management Console (SMC).  When an external IP address in a connection matches an IP on that list an alarm is generated.  The process of getting that list from the Internet to the SMC is a download from Cisco.  No local SMC data other than the SMC serial number for identification is shared with Cisco.


Stealthwatch Cognitive integration uses both the Flow Collector and the SMC.  The Flow Collector identifies connections in it's database that cross the trust boundary defined by Internet gateway.  The Flow Collector sends data about connections that cross that trust boundary to Cognitive via an HTTPS tunnel.  At Cognitive additional account specific baselines on submitted data are established and the data is used analyzed using a multi layer framework of classifier algorithms.  The results are that for each submitted connection a risk score is computed and then sent back to the SMC.


Cognitive holds some processed data and as the classifiers are updated it runs that data through now updated classifiers to determine if the risk score has changed.  If it has that info is sent to the SMC.


The Threat Intel feed does not expose any of the customer network and matches very fast.


Stealthwatch with CTA uses cloud based analytics and processing to greatly extend the analysis of customer Internet connection data.


I hope this helps.


Everyone's tags (3)