FACT SHEET
Splunk for Cisco Security Suite
Using Splunk for Real-time Monitoring and Management of Cisco-centric Security Environments
The Challenges
Apps and Add-ons for Cisco Security
Every Cisco router, switch, firewall, IPS, web proxy or other hardware or software-based solution has a story to tell about the confidentiality, integrity and the availability of your environment. Relevant data from across these systems is critical to investigations and continuous monitoring for situational awareness.
Splunk for Cisco Security Solution
However, the real ROI for security solutions lies in making them work together to provide a comprehensive view of the enterprise security posture. This combined, chronological view of all security-relevant data enables the security team to prioritize events and responses and effectively engage with IT operations and other areas of the business. It’s nearly impossible to make effective business decisions using a product-by-product view of reports. Organizations that attempt this end up with an amalgamation of CSV-to-spreadsheet conversions that only provide a report-based view, delivered quarterly at best. Traditional security information and event management (SIEM) solutions provide an alternative to these highly manual processes but typically require that you eliminate or exclude data sources that don’t fit into a schema, or simply can’t be collected due to scalability issues. Leaving out specific data sources that don’t appear on a list of supported products means forensic investigations are limited before they have begun. Forensic investigations need to be quickly assessed and turned into actionable intelligence to prevent a specific set of activities from happening in the future.
Our Cisco Security Suite includes multiple apps and add-ons that combine to create one solution running on the Splunk engine. The solution builds on the core Splunk capabilities, giving the security team the ability to search machine-generated data, perform root cause analysis and apply statistical analysis to measure adherence to key performance indicators (KPIs). The apps and add-ons within the Splunk for Cisco Security Suite support specific Cisco point solutions with out-of-the-box content, searches and reports all within a single UI.
Splunk Add-on for Cisco Firewall
The Cisco Adaptive Security Appliance (ASA) represents an evolution that began with the Cisco PIX, first released in 1994. As threats have evolved so has the Cisco perimeter firewall, which in addition to firewall capabilities, includes IPS, VPN and content security functionality. In the firewall add-on, firewall and IPS log data are collected and classified using tags, field extractions and saved searches. Connections accepted and denied by port are just a small sample of the information available via the add-on, which also supports firewall data from Cisco PIX and FWSM.
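As an added example (not from the fact sheet and not the add-on's own code), the small Python extractor below does what the add-on's field extractions do for three standard ASA syslog message types (302013 built connection, 106023 and 106015 denied) and tallies accepted versus denied connections by destination port. The log lines are constructed samples using documentation addresses.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not taken from the fact sheet). The
# message IDs 302013, 106023 and 106015 are standard ASA syslog IDs.
SAMPLE_LOGS = """\
%ASA-6-302013: Built inbound TCP connection 4711 for outside:198.51.100.7/51234 (198.51.100.7/51234) to inside:192.0.2.10/443 (192.0.2.10/443)
%ASA-6-302013: Built outbound TCP connection 4712 for inside:192.0.2.22/40000 (192.0.2.22/40000) to outside:203.0.113.5/80 (203.0.113.5/80)
%ASA-4-106023: Deny tcp src outside:198.51.100.9/60001 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-4-106023: Deny tcp src outside:198.51.100.9/60002 dst inside:192.0.2.10/22 by access-group "OUTSIDE_IN" [0x0, 0x0]
%ASA-6-106015: Deny TCP (no connection) from 198.51.100.9/60003 to 192.0.2.10/443 flags RST on interface outside
"""

# One regex per message type; each captures protocol, source, destination and destination port.
BUILT_RE = re.compile(r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ for \S+:(?P<src>[\d.]+)/\d+ \S+ to \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
DENY_ACL_RE = re.compile(r"%ASA-\d-106023: Deny (?P<proto>\w+) src \S+:(?P<src>[\d.]+)/\d+ dst \S+:(?P<dst>[\d.]+)/(?P<dport>\d+)")
DENY_NOCONN_RE = re.compile(r"%ASA-\d-106015: Deny (?P<proto>\w+) \(no connection\) from (?P<src>[\d.]+)/\d+ to (?P<dst>[\d.]+)/(?P<dport>\d+)")


def extract(line):
    """Return a dict with action/proto/src/dst/dport, or None for lines of other message types."""
    for action, rx in (("accepted", BUILT_RE), ("denied", DENY_ACL_RE), ("denied", DENY_NOCONN_RE)):
        m = rx.search(line)
        if m:
            d = m.groupdict()
            return {"action": action, "proto": d["proto"].lower(), "src": d["src"],
                    "dst": d["dst"], "dport": int(d["dport"])}
    return None


def connections_by_port(text):
    """Count accepted and denied connections per destination port, like a 'stats count by action, dest_port'."""
    counts = Counter()
    for line in text.splitlines():
        ev = extract(line)
        if ev:
            counts[(ev["action"], ev["dport"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for (action, port), n in sorted(connections_by_port(SAMPLE_LOGS).items()):
        print(f"{action:8} port {port:5} {n}")
```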
Splunk App for Ironport Email Security Appliance (ESA)
Approximately 90% of email activity is invalid (spam, viruses, etc.). To reduce invalid mail and protect against viruses and other malware, the security team must provide appropriate protection against email-borne threats. The Splunk App for ESA makes email transaction tracing simple with a form-search dashboard that allows you to enter information about the transaction, the sender, recipient and attachments and mine for any email transaction nested in the ESA logs. Splunk provides scalable, out-of-the-box reporting and saved searches that represent the most requested searches and analytics.
Splunk App for Ironport Web Security Appliance (WSA)
Splunk Enterprise, with its ability to scale to collect, index and report on terabytes of any machine-generated data, is ideally suited to meet these challenges. Expanding on a successful collaboration with Cisco/Ironport, Splunk and Cisco continue to work together to provide content for their other Cisco security offerings. The Splunk Cisco Security Suite provides saved searches, reports and dashboards to help security teams take full advantage of the information collected across their Cisco security devices. When combined with the core Splunk ability to index, search and report on data from any other security vendor technologies, the Splunk Cisco Security Suite enables a single, comprehensive view for complete situational awareness.
The number of web-borne security threats has reached record proportions. It’s easy for employees to click on a link that might result in the installation of a key-logger, root-kit or some other form of malware. Surfing to certain destinations can violate “appropriate use” policies. According to a recent survey, a rapid escalation in employee web surfing can be an indication of an employee looking to leave and perhaps take proprietary information with them. Splunk helps track and report on web surfing as logged by the WSA appliance. The Splunk App for WSA provides reports that support the HR professional’s perspective when analyzing data from WSA and supports security teams that need to fulfill requests for evidence in HR actions.
Splunk Add-on for Cisco IPS - SDEE
Cisco IPS devices and modules use the Security Device Event Exchange (SDEE) message format and protocol to communicate events. Cisco routers, the ASA appliance, or the stand-alone Cisco 4200 series can include an IPS module that produces SDEE log data. SDEE provides a rich level of reporting wherever the module is implemented or installed. The SDEE support extends to include Cisco global threat correlation, if IPS 7.0 is installed.
The security picture is not complete without visibility into virtually “all the data,” including applications. If a successful attack occurs, the security team should know the full extent, if any, of the data loss.
Splunk Add-on for Cisco Security Agent (CSA)
Cisco Security Agent (CSA) was the first endpoint security solution that combined zero-update attack defense, policy-driven data loss prevention and signature-based antivirus detection in a single agent. Through the Splunk Add-on for Cisco CSA, users gain additional insight and enhanced support for the CSA data that allows for historical and real-time views of host events as registered by CSA.
Sample scenarios and use cases:
• Correlation of Infected Host with Data Loss — Correlate an identified infected host (via IPS, ASA or WSA) with the loss of data via email or the web
• Threat Mapping with Reputation — Geo-locate the call home IP address of botnet traffic from Cisco ASA and Cisco WSA
• Botnet Events — Provide botnet activity based upon severity, category, website, source IP, geo-location and event type
• Security Change Audit — See real-time and historical changes by user, applied to security rules on all security appliances
• Personnel Access — Determine where a person was when any device using that person’s credentials was involved in a security issue (e.g., an email containing spam, a botnet hosted by the person’s computer) in real time
• Reputation with Global Correlation — Ratio of events for a period of time that were actionable using traditional IPS inspection vs. ones that incorporate reputation information (reputation filtering and reputation inspection)
• Ability to Import CS-MARS Archive Files into Splunk — Puts you in control over what log data from the security architecture you wish to have remain in MARS and what you want to view long-term in Splunk. Automatically pulls MARS data into Splunk for long-term historic trending
Cisco Data and Beyond
The Splunk for Cisco Security Suite leverages the native capabilities of the core Splunk engine. Splunk’s core software provides the ability to search, report, monitor and analyze real-time streaming and historical machine-generated data, physical or virtual. Splunk works across vendor environments, all from a single interface, and combines the view of security logs with application data on the same timeline. To download the Cisco Security Suite, or the individual Cisco apps and add-ons, please visit www.splunkbase.com where you can also find dozens of other apps and add-ons that run on top of Splunk.
Visibility into Custom Application Logs
For comprehensive investigations and effective root-cause analysis, a review of data from traditional security sources typically isn’t enough. Security events and their effect on mission-critical applications need to be reviewed as part of the attack timeline. Splunk’s ability to accept multi-line application logs, its free-form search language and interactive interface let you see the complex characteristics of an incident. For example, Splunk can let you know that an attacker gained access to the network but was blocked at the application level (avoiding further exploit).
Free Download
Download Splunk for free. You’ll get a Splunk Enterprise license for 60 days and you can index up to 500 megabytes of data per day. After 60 days, or anytime before then, you can convert to a perpetual Free license or purchase an Enterprise license by contacting [email protected].
250 Brannan St, San Francisco, CA, 94107 | 866-438-7758 | 415-848-8400
[email protected] | [email protected]
www.splunk.com | www.splunkbase.com
listen to your data
Copyright © 2012 Splunk Inc. All rights reserved. Splunk Enterprise is protected by U.S. and international copyright and intellectual property laws. Splunk is a registered trademark or trademark of Splunk Inc. in the United States and/or other jurisdictions. All other marks and names mentioned