I recently met with Tobias Mayer, an engineer from EMEA with Cisco. He has a particular expertise in Websecurity Technology. The Cisco Munich Data Center has a great Splunk deployment and Tobias works closely with organizations in EMEA to solve their daily problems.
One common claim from End-Users in IT is „Our internet is slow“….and then the troubleshooting begins…
There are various components within enterprise IT that could be the reason why: „the internet is slow“.
It could be:
- The Proxy Server is running on max load (CPU, Memory, Concurrent Connections)
- The network connection from the client to the proxy within the internal network is slow
- The Active Directory / Authentication Service for the proxy response is slow
- The DNS Server for the name resolution is slow
- The threat intelligence / domain reputation validation service response is slow (Cisco Talos)
- The bandwith of the ISP is slow
- The website the user is trying to access is slow to respond
Troubleshooting all these different components is very time consuming.
Cisco’s Web Security Appliance allows customers to customize the access log to include the response times from each of the components that make up the internet-service for end-users. New data fields can be easily displayed on Splunk Dashboards for continuous monitoring or quick ad-hoc troubleshooting tasks.
Here you can see a 30 day chart about the average response and latency times of the DNS Server, the Reputation Service and how long it takes until the first byte is recieved from the internet (ISP Bandwith).
This results in great operational insight, allows proactive monitoring and ensures investment is made into the right components to improve the overall service if required.
Cisco WSA User Guide – Kapitel 21, Page 375 and following explains all possible Variables for the custom log. You might also look at Scan engine response times etc. – be creative!
Splunk Add-on for Cisco WSA on Splunkbase
Cisco Security Suite on Splunkbase