A Cisco & Splunk Security Integration Everyone Should Be Using

The following is a guest post from Scott Pope, Director, Product Management & Business Development, Security Technical Alliances Ecosystem at Cisco.

You can read the original version of this post on Cisco Blogs.

Splunk’s 9th annual user conference, .conf18, kicks-off next week in Orlando. Cisco will be there in a big way given the depth and breadth of our Splunk integrations, but I wanted to shine a light on an integration that is among the most powerful of all our Splunk integrations—Cisco AnyConnect Network Visibility Module and its associated Splunk app in Splunkbase.

Cisco AnyConnect is best known as Cisco’s VPN client deployed to more than 130 million endpoints. But perhaps the most interesting part of AnyConnect is its Network Visibility Module (NVM).

NVM leverages an existing AnyConnect client footprint to generate insightful endpoint security telemetry. Because AnyConnect operates as a network connection, it sees some unique telemetry, such as unique device ID, device name, process/container names, parent processes, parent processes, privilege changes, source/destination domain and DNS info, network interfaces and more. This enables NVM to produce telemetry that enables detection of data leakage, unapproved applications or SaaS services, security evasion, early malware activity. When you bring that data into Splunk for analysis, you gain serious insight on what your endpoints are doing. And sometimes it can be a little scary.


See the power of NVM live at Splunk .conf18 during the famed “Boss of the SOC” capture the flag event and “Splunking the Endpoint IV: A New Hope, a hands on session led by Splunk security guru James Brodsky.

Here are 10 key security questions that NVM telemetry analyzed by Splunk answers:

  • What endpoints have known bad files, applications, or talking to bad domains?
  • Has user privilege escalated on any devices?
  • What apps/processes are running at root (but shouldn’t be)?
  • What SaaS services are in use?
  • Are endpoint processes uploading/downloading files that match against known hashes?
  • Why someone is connecting so many times to a destination?
  • Are unusual processes running on unusual ports? (eg SMTP on wrong port)
  • What devices and OSs are on my network?
  • Where is my endpoint traffic going?  Is anything evading the corporate network?
  • Where are the leak-paths in my network?
  • Is someone hoarding data to steal or share?
  • Who is connecting to untrusted networks?
  • What is making connections to LDAP?
  • Did any users’ behaviors change?
  • Can I prove that personal data was deleted after processing was done?

Okay, that was more than 10. See what I mean? NVM is powerful.

How NVM Works

NVM isn’t about file analysis like an anti-malware client. Instead it's about traffic analysis. The two are quite complementary, in fact. If you’re familiar with what Cisco Stealthwatch does for analyzing network traffic patterns, that is essentially what NVM does for endpoints. In fact, like Stealthwatch, NVM is based on IPFIX data (i.e. standardized Netflow). NVM generates IPFIX data based on traffic flows and endpoint configuration data. That data is aggregated in Splunk for analysis.

Want to Try It?

Want to get deeper on NVM? Check out a 5-minute NVM video demo. Want to try it out in your Splunk environment? Check out the NVM Deployment Guide for Splunk and download the NVM app for Splunk from Splunkbase. While NVM requires an Apex AnyConnect license, you can test it out on a limited number of clients with any AnyConnect license.

Learn more about the value of combining Splunk and Cisco technologies in the below sessions or stop by the Cisco booth. See you at .conf!

Tuesday, Oct. 2
SECS2100: From Endpoint to Firewall – Building Effective Threat Perimeters with Cisco and Splunk
Tuesday, Oct. 2
ITS2102: Optimizing and Securing your Data Center by Integrating Cisco ACI, Network Assurance Engine, and Tetration with Splunk
Wednesday, Oct 3
SEC1835: Enabling Your Mission Through Automated Alignment With NIST’s Risk Management Framework
Wednesday, Oct 3
SEC1378: Splunking the Endpoint IV: A New Hope
Wednesday, Oct 3
IT1548: IT Services Modernization at Cisco: How Cisco Monitors 3 Million Devices Daily with Splunk


Scott Pope
Director, Product Management & Business Development
Security Technical Alliances Ecosystem

Scott Pope has held positions in network engineering, market strategy and technical product management at global service providers and networking equipment vendors covering a wide range of data and voice networking technologies. Since 1998 Scott has driven product strategy for many aspects of network security ranging from VPN and firewall to threat management for both wired and wireless networks. Scott currently concentrates his efforts on the Cisco Security technology partner ecosystem, as well other industry partnerships across the Cisco security portfolio.

Follow all the conversations coming out of #splunkconf18!

Posted by