Lancope this week is set to announce an updated version of its flagship product suite that it says can now more deeply inspect application and Cisco router traffic for potential worms, viruses and malicious behavior on internal networks.

The company's StealthWatch suite of traffic analysis appliances have been upgraded to manage more security devices, to process NetFlow data from Cisco routers, and inspect traffic for application-specific policies such as port usage. By monitoring traffic flows and inspecting packets across a network, this type of network-anomaly behavior detection tool from Lancope, Arbor Networks and Q1 Labs attempts to provide an early warning to network and security managers.

Burton Group analyst Trent Henry says Lancope's product provides additional insight into security issues that could have sneaked by perimeter tools such as firewalls and intrusion-detection systems (IDS) or intrusion-prevention systems (IPS). According to a Forrester Research survey of 190 IT shops, 58% of companies this year will invest in network firewalls, 43% will invest in gateway anti-virus, and 35% will invest in network-based IDS or IPS. The same survey also found IT managers more concerned over internal security problems.

Henry says Lancope and its competitors could gain traction among enterprise network and security managers looking to more quickly lock down internal threats.

"Network-anomaly detection is used to some extent by IDS and IPS systems for known vulnerabilities, but Lancope goes a bit further by providing visualization across the entire network," he says. "Anomaly-detection tools monitor normal vs. potential bad behavior, but they are also like [security information management] products in that they provide event management and correlation to other systems to more quickly pinpoint the problem."

Lancope packages its StealthWatch 5 software on appliances that are distributed across a network, near a core switch or data center router. Upon installation, it performs a benchmark of normal traffic behavior and continuously monitors for changes. The product does not sit in line of network traffic, but passively monitors conversations between hosts and clients. Administrators can tap into the appliances via a Web-based interface or use the management console to configure, monitor and generate reports from multiple distributed appliances.