All Eyes on the Endpoint with Cisco and Splunk

Securing the endpoint is a constant challenge for security teams. Why? The endpoint is where data lives, so it will always be a target for attackers. So much information flows “to, through, and from” the endpoint, over such a diverse set of applications and protocols, that monitoring for malicious behavior is a never-ending challenge. Endpoints also travel – from the office to your home, coffee shops and airports, hopping from one Wi-Fi network to the next. This movement makes the endpoint even more susceptible to attack, which increases the need for extra control mechanisms (like VPN, MDM or MFA). And don’t forget the weakest link – people – who through negligent security practices may inadvertently open phishing emails or click on malicious links.

With so many threats and such a broad attack surface, it’s no wonder that it’s difficult for security teams to achieve comprehensive visibility across all of their devices. So what do security teams do? Most deploy a small army of different endpoint security products, with unique views into different threat vectors, to solve the problem. It’s not uncommon to find anti-virus, application control, endpoint detection and response (EDR) products, and even endpoint protection platforms (EPP) concurrently deployed. Is this an optimal approach? Of course not. The more security tools you add into the mix, the more complex it is to manage all of them. 

So what if you could get an extra layer of endpoint visibility and protection by leveraging the existing tools you already have? If you’re one of 80,000 Cisco AnyConnect VPN customers, that means you! 

I’m happy to introduce Cisco Endpoint Security Analytics (CESA) Built on Splunk. CESA Built on Splunk brings together the endpoint behavioral visibility of Cisco’s AnyConnect Network Visibility Module (NVM) and the data transformation power of Splunk Enterprise. The result is an added layer of visibility that transforms endpoint data into insights to proactively detect and mitigate network threats. And guess what? There’s no additional agent required – your desktop applications team will love you.

Cisco AnyConnect NVM is a module that’s already part of the Cisco AnyConnect agent (version 4.2 or later). NVM uses IETF-standard IPFIX (IP Flow Information Export) to capture, format, and transport telemetry from endpoint devices to flow collectors whenever the endpoint is in use, on or off network. It then forwards that telemetry to CESA Built on Splunk where it is ingested, correlated, and analyzed to provide instant endpoint security insights. Threat hunters and security analysts can uncover suspicious device behavior, identify anomalies, and answer critical security questions using device telemetry data they can’t get from any other security agent.

CESA Built on Splunk can help you address endpoint security use cases such as:  

  • Data loss detection – see data hoarding activity or exfiltration of data to external domains
  • Threat hunting and detection – see unusual app/process behavior, detect command and control activity, correlate application process to host domain
  • Zero-trust monitoring – see connections to untrusted networks and get off-net device monitoring
  • Untrusted apps and SaaS visibility – track SaaS behavior, scrutinize apps and processes running on devices
  • Security evasion and user attribution – detect if endpoint security applications or other security measures are disabled or not installed
  • Asset inventory – identify devices and OS across all endpoints, remove personal data from devices

Cisco’s own Computer Security Incident Response Team (CSIRT) is already using CESA Built on Splunk to collect and analyze the data generated across approximately 96,000 company endpoints. Cisco CSIRT reports that the analysis of this data has already reduced their incident investigation time from days to hours, while filling gaps in endpoint visibility. The team found that 80% of the CESA Built on Splunk use cases listed above could not have been addressed by another technology. 

Enterprise Security is a team sport! You win by partnering with other innovators in security to drive the best possible outcomes. Cisco is bringing best-of-breed endpoint security technology, while Splunk is providing the engine that can analyze all of that endpoint data to drive informed security decision-making and rapid response.

If you already have Cisco AnyConnect deployed and are also running Splunk, then there’s no reason to wait. Also, CESA Built on Splunk is currently available for purchase via Cisco’s vast distribution network. So, deploy CESA Built on Splunk to help you prevent, detect, and respond to threats on your endpoints. You can learn more here, or if you’re ready to get started, download and install the Cisco AnyConnect NVM App for Splunk from Splunkbase to create dashboards. Then, download and install the Cisco NVM Technology Add-On for Splunk from Splunkbase to bring NVM data into Splunk. The technical documentation here can help you get set up.

Also, if you’re attending .conf19, October 21-24, please be sure to stop by Cisco’s booth #124 for a live demo of the CESA Built on Splunk solution!

Happy endpoint threat hunting.

Oliver Friedrichs
