The following is a guest post from Scott Pope, Director, Product Management & Business Development, Security Technical Alliances Ecosystem at Cisco Systems.
The post can also be viewed on Cisco Blogs.
In soccer, the name of the game is to play offensively rather than defensively. A good soccer team keeps the ball on the opponent’s side—and when it does penetrate those frontlines, the defensive players are prepared to fend off the threat.
Likewise, businesses may view security as a ‘game plan’ to avert or remediate breaches. But when it comes to network security, it is often treated as a defensive game rather than an offensive one. The past year has been filled with massive, high-profile ransomware attacks and data breaches, like WannaCry, NotPetya, and Equifax, and attacks of this magnitude are only expected to proliferate as cybercriminals become more sophisticated. According to Cisco’s 2018 Annual Cybersecurity Report, 53% of all attacks sustained by businesses in 2017 resulted in financial damages of more than $500,000. With these types of consequences, it is clear that firms need to up their offensive game.
A good game strategy here is to evolve your network perimeter security from just access control to also include effective threat control. Cisco Firepower Next-Generation Firewall (NGFW) and Splunk can help with this evolution. Together these platforms enable your business to engage in analytics-driven security across the entire attack continuum for comprehensive threat management. Based on a purpose-built integration between Firepower and Splunk, the combination bridges a critical gap left by traditional firewall security to deliver the insight needed at the perimeter in order to better position your business to address evolving threats. Instead of playing a reactive game—addressing threats as they arise—your business will be able to devise a proactive strategy for shaping security policies and responding to threats. In short: with Firepower and Splunk, you have the power to boost your offensive game. Here’s how…
Cisco Firepower NGFW Delivers Greater Visibility than a Traditional Firewall
As the saying goes, “you can’t protect what you can’t see.” And with most traditional firewalls, this is precisely the problem: there’s a lot you can’t see. A typical firewall has limited application, user and threat visibility. It sees traffic and some applications, but it only assesses whether that traffic should be permitted or denied based mostly on IP addresses, application ports and network segments. It can’t see threat behavior, detailed application information or utilize real-time threat intelligence feeds. When this limited visibility is coupled with a narrow focus on access control—which is the case for traditional firewalls—you will find that your traditional firewall is valuable before an attack, but is less effective during or after one.
With Cisco Firepower Next-Generation Firewall, you can turn your access control perimeter into a threat control perimeter. Firepower enhances perimeter security by delivering full threat control through its Next-Generation Intrusion Prevention System (NGIPS), advanced malware protection, application visibility and control, vulnerability awareness, asset value and context, Cisco and partner threat intelligence, web reputation, and URL filtering. These enhanced capabilities streamline your firm’s ability to discover threats, enforce security policies, confront attacks, and remediate breaches.
So, migrating from a traditional firewall to Cisco Firepower NGFW is about transforming your game from a defensive one to an offensive one. More specifically, it’s about transitioning from a traditional and more passive strategy (access control) into a dynamic, comprehensive, and integrated solution focused on threat control.
Security Visibility Comparison: Cisco Firepower vs. Traditional Firewalls
Splunk Analytics Enhances Insight Into Firepower Data
It’s also a common saying that knowledge is power. Splunk takes the data assembled by the Firepower Management Center and enables highly customizable analytics, including combining with other Cisco and multi-vendor data sources, to create actionable intelligence. In other words, Splunk enables firms to effectively shape their security policies and respond to future threats through the analytical insights it can bring to Firepower data.
The Splunk/Firepower integration unlocks the ability to send all Firepower Management Center events to Splunk for analysis and threat hunting. Events can be displayed and monitored in the Splunk dashboard, replete with charts, graphs, and geo-location maps to present sophisticated insights that are easily interpreted. This analytics-driven security approach gives analysts the agency to proactively investigate and respond to threats, whether that means monitoring and triage, verifying and escalating, or responding to breaches and infections.
With comprehensive support for the full spectrum of Firepower events in a Splunk environment, firms can adapt their security policies to better protect against ever-evolving perimeter threats. What’s more, Splunk centralizes collection and analysis of data, so analysts can efficiently investigate across a broader Cisco environment, as well as other technologies in multi-vendor security deployments. This capability allows you to aggregate all of your threat intelligence feeds into a single place to make them actionable. For businesses, this is crucial. It diminishes risks by reducing the time required to accurately assess and respond to threats. For you soccer fans, migrating from less advanced security solutions to the Firepower + Splunk integration is like the difference between watching an average soccer player and Ronaldo.
Firepower and Splunk Deliver Actionable Intelligence
Put simply, Firepower event data has the potential to powerfully inform security policy. Splunk helps unleash that potential.
And in comparison to a traditional firewall, the depth of the Firepower/Splunk integration showcases Firepower’s application visibility, advanced threat, identity firewall, threat intelligence, and NGIPS capabilities. The specificity generated by the Firepower/Splunk integration is the clear differentiator.
Let’s look at an example:
A traditional firewall might tell you that user “Pat” tried to access network segments and was denied. Firepower and Splunk would tell you that Pat’s system was compromised by malware, tripped Intrusion Prevention signatures, and was denied access to the network segments associated with a specific firewall security policy while using an unapproved application via an allowed URL, along with other relevant forensic information. This is the kind of specificity that enables you to spot malicious activity as well as create new controls to prevent the same activities in the future.
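The correlation described above, written out as an added example that is not part of the original post or of the Cisco/Splunk integration: it joins malware, intrusion and blocked-connection events for the same user inside a short time window, which is the kind of search an analyst would build over Firepower data in Splunk. The event records and every field name in them are constructed for this example and do not follow the real Firepower Management Center or eStreamer schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, loosely shaped like what Firepower Management
# Center forwards to Splunk. Field names are an assumption for this example.
SAMPLE_EVENTS = [
    {"ts": "2018-05-01T09:00:05", "event_type": "malware", "user": "pat",
     "src_ip": "10.1.2.3", "detail": "disposition=Malware"},
    {"ts": "2018-05-01T09:00:20", "event_type": "intrusion", "user": "pat",
     "src_ip": "10.1.2.3", "detail": "impact=1"},
    {"ts": "2018-05-01T09:01:10", "event_type": "connection", "user": "pat",
     "src_ip": "10.1.2.3", "action": "Block", "policy": "Finance-Segment",
     "app": "BitTorrent"},
    {"ts": "2018-05-01T09:02:00", "event_type": "connection", "user": "sam",
     "src_ip": "10.1.2.9", "action": "Block", "policy": "Finance-Segment",
     "app": "HTTPS"},
]

# Applications the (hypothetical) policy allows; anything else is "unapproved".
APPROVED_APPS = {"HTTPS", "DNS", "SSH"}


def correlate(events, window=timedelta(minutes=5)):
    """Return per-user findings. A blocked connection becomes 'high' severity
    when the same user also produced a malware event and an intrusion event
    inside `window` before the block; otherwise it stays 'low'."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "ts": datetime.fromisoformat(e["ts"])})

    findings = {}
    for user, evs in by_user.items():
        blocks = [e for e in evs
                  if e["event_type"] == "connection" and e["action"] == "Block"]
        for block in blocks:
            # Threat events seen for this user shortly before the denial.
            recent = {e["event_type"] for e in evs
                      if e["event_type"] != "connection"
                      and block["ts"] - window <= e["ts"] <= block["ts"]}
            f = findings.setdefault(
                user, {"severity": "low", "policies": set(), "unapproved_apps": set()})
            f["policies"].add(block["policy"])
            if block["app"] not in APPROVED_APPS:
                f["unapproved_apps"].add(block["app"])
            if {"malware", "intrusion"} <= recent:
                f["severity"] = "high"

    # Sorted lists make the output stable for dashboards and tests.
    return {u: {"severity": f["severity"], "policies": sorted(f["policies"]),
                "unapproved_apps": sorted(f["unapproved_apps"])}
            for u, f in findings.items()}
```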
Comparing threat management to a soccer game, it’s much more fun (and less stressful!) to actively keep the ball out of your zone than to be constantly deflecting shots on goal…and your goalie is more prepared to save shots if he isn’t perpetually under siege. Security can be the same way. By transforming your access control perimeter into a threat control perimeter via Firepower and Splunk, you automatically up your offensive game.
Want to learn more about how Splunk software helps organizations gain business insights from the vast amounts of data generated by Cisco’s industry-leading security, networking, wireless, datacenter and collaboration offerings?
Join Splunk at Cisco Live 2018 for live demos, deep technical conversations, and a range of sessions showcasing the power of Splunk + Cisco including…
- Inside Cisco IT: How Cisco Deployed ISE and TrustSec throughout the Enterprise [BRKCOC-2018]
- Advanced Security Integration with Cisco ISE - Tips & Tricks [BRKSEC-3557]
- Lessons and landmarks from Real-World Cisco UCS Big Data Deployments [BRKINI-2021]
- Integrating Automating Incident Response with Cisco and 3rd Party tools [TECSEC-3610]
- SOC How-to - 10 years of real-world experience leading investigations within Cisco CSIRT [TALGEN-1005]
- Cyber Threat Response: The Hunt is on. [LTRSEC-2020]
About the Author
Scott Pope has held positions in network engineering, market strategy and technical product management at global service providers and networking equipment vendors covering a wide range of data and voice networking technologies. Since 1998 Scott has driven product strategy for many aspects of network security ranging from VPN and firewall to threat management for both wired and wireless networks. Scott currently concentrates his efforts on the Cisco Security technology partner ecosystem, as well as other industry partnerships across the Cisco security portfolio.