Splunk for Cisco Security Suite

FACT SHEET

Splunk for Cisco Security Suite Using Splunk or Real-time Monitoring and Management o Cisco-centric Security Environments

The Challenges

Apps and Add-ons for Cisco Security

Every Cisco router, switch, rewall, IPS, web p roxy or other hardware or sotware-based solution has a story to tell abo ut the condentiality, integrity and the availability o your environment. Relevant data rom across these systems is critical to investigations and continuous monitoring or situational awareness.

Splunk for Cisco Security Solution

However, However, the real ROI or security sol utions lies in making them work together to provide a comprehensive view o the enterprise security posture. This combined, chronological view o all security-relevant data enables the security team to prioritize events and responses and eectively engage with IT operations and other areas o the business. It’s nearly impossible to make eective business decisions using a product-by-product view o reports. Organizations that attempt this end up with an amalgamation o CS V-tospreadsheet conversions that only provide a repor t-based view, delivered quarterly at best . Traditional security inormation and event management (SIEM) solutions provide an alternative to these highly manual processes but typic ally require that you eliminate or exclude data sources that don’t t into a schema, or simply can’t be collected due to scalabilit y issues. Leaving out specic data sources that don’t appear on a list o supported products means orensic investigations are limited beore they have begun. Forensic investigations need to be quickly assessed and turned into actionable intelligence to prevent a specic set o activities rom happening in the uture.

Our Cisco Security Suite include s multiple apps and add-ons that combine to create one solution running on the Splunk engine. The solution builds on the core Splunk capabilitie s, giving the security team the ability to search machine-generated data, perorm root cause analysis and apply statistical analysis to measure adherence to key peror mance indicators (KPIs). The apps and add-ons within the Splunk or Cisco Securi ty Suite support specic Cisco point solutions with out-o-the-box content, searches and reports all within a single UI .

Splunk Add-on for Cisco Firewall The Cisco Adaptive Security Appliance (ASA) represents an evolution that began with the Cisco PIX rst released in 1994. A s threats have evolved so has the Cisco perimeter rewall, which in addition to rewall capabilities, includes IP S, VPN and content security unctionality. In the rewall add-on, rewall and IPS log data are collected and classied using tags, eld ex tractions and saved searches. Connections accepted and denied by port are  just a sm all sample sa mple o  the i norm ation avai lable via the add-on add-o n that also supports rewall data rom Cisco PIX and FWSM.

Splunk App for Ironport Email Security Appliance (ESA) Approximately 90% o email activity is invalid (spam, viruses, etc.). To reduce invalid mail and protect against viruses and other malware, the security team must provide appropr iate protection against email-borne threats. The Splunk App or ESA makes email transaction tracing simple with a orm -search dashboard that allows you to enter inormation about the transaction, the sender, recipient and attachments and mine or any email transaction nested in the ESA logs. Splunk provides scalable, out-o-the-box reporting and saved searches that represent the most requested searches and analytics.

Splunk App for Ironport Web Security Appliance (WSA)

Splunk Enterprise, with its ability to scale to colle ct, index and report on terabytes o any machine-gene rated data, is ideally suited to meet these challenges. Expanding on a successul collaboration with Cisco/Ironport, Splunk and Cisco continue to work together to provide content or their other Cisco security oerings. The Splunk Cisco Securi ty Suite provides saved searches, reports and dashboards to hel p security teams take ull advantage o the inormation collected across their Cisco security devices. When combined with the core Splunk abi lity to index, search and report on data rom any other securi ty vendor technologies, the Splunk Cisco Security Suite enables a single, comprehensive view or complete situational awareness.

The number o web-born security threats has reached record proportions. It ’s easy or employees to click on a link that might result in the install ation o a key-logger, root-kit or some other orm o malware. Surng to certain d estinations can violate “appropriate use” policies. According to a recent survey, a rapid escalation in employee web surng can be an in dication o an employee looking to leave and perhaps take proprietary inormation with them. Splunk helps track and repor t on web surng as logged by the WSA appliance. The Sp lunk App or WSA provides reports that suppor t the HR proessional’s perspective when analyzing data rom WSA and supports security teams that need to ulll req uests or evidence in HR actions.

Splunk Add-on for Cisco IPS - SDEE Cisco IPS devices and modules use the Securi ty Device Event Exchange (SDEE) message ormat and protocol to communicate events. Cisco routers, the ASA appliance, or the stand-alone

FA AC CT T S SH HE EE ET T

Cisco 4200 series can include an IPS module that produces SDEE log data. SDEE provides a rich level o reporting whe rever the module is implemented or installed. The SDEE support extends to include Cisco global threat correlation, i IPS 7.0 is installed.

The security picture is not compl ete without visibility into virtually “all the data,” including applications. I a successul attack occurs, the security team should know the ull extent, i any, o the data loss.

Splunk Add-on for Cisco Security Agent (CSA)

Cisco Data and Beyond

Cisco Security Agent (CSA) was the rst endpoint security solution that combined zero-update attack deense, policydriven data loss prevention and signature-based antivirus detection in a single agent. Through the Splunk Add-on or Cisco CSA, users gain additional insight and enhanced support or the CSA data that allows or historical and real-time views o host events as registered by CSA.

Sample scenarios and use cases: •

•

•

•

•

•

•

Correlation o Inected Host with Data Loss — Correlate an identied inected host (via IPS, ASA or WSA) with the loss o data via email or the web

The Splunk or Cisco Securit y Suite leverages the native capabilities o the core Splunk engine. Spl unk’s core sotware provides the ability to search report, mo nitor and analyze realtime streaming and historical machine- generated data - physical or virtual. Splunk works across vendor environments, all rom a single interace, and combines the view o security logs with application data on the same timeline. To download the Cisco Security Suite, or the individual Cisco apps and add-ons please visit www.splunkbase.com where you can also nd dozens o other apps and add-ons that run on top o Splunk.

Threat Mapping with Reputation — Geo-locate the call home IP address o botnet trafc rom Cisco ASA and Cisco WSA Botnet Events — Provide botnet activity based upon severity, category, website, source IP, geo-location and event type Security Change Audit — Se e real-time and historical changes by user, applied to security rules on all security appliances

Free Download Download Splunk or ree. You’ll get a Splunk Enterprise license or 60 days and you can index up to 5 00 megabytes o data per day. Ater 60 days, or anytime beore then, you can convert to a perpetual Free license or purchase an Enterprise license by contacting [email protected].

Personnel Access — Determine where a person was when any device using that person’s credentials was involved in a security issue (e.g., an email containing spam, a botnet hosted by the person’s computer) in real time Reputation with Global Correlation — Ratio o events or a period o time that were actionable using traditional IPS inspection vs. ones that incorporate reputation inormation (reputation ltering and reputation inspection) Ability to Import CS-MAR S Archive Files into Splunk — Puts you in control over what log data rom the security architecture you wish to have remain in MARS and what you want to view long-term in Splunk. Automatically pulls MARS data into Splunk or long-term historic trending

Visibility into Custom Application Logs For comprehensive investigations and eective root-cause analysis, a review o data rom traditional security sources typically isn’t enough. Security events and their eect on mission critical applications need to be reviewed as part o the attack timeline. Splunk’s ability to accept multi-line application logs, its reeorm search language and interactive interace let you see the complex characteristics o an incident. For example , Splunk can let you know that an attacker gained access to the network but was blocked at the application-level (avoiding urther expl oit).

250 Brannan St, San Francisco, CA, 94107

in[email protected] | [email protected]

listen to your data Copyright © 2012 Splunk Inc. All rights reserved. Splunk Enterprise is protected by U.S. and international copyright and intellectual property laws. Splunk is a registered trademark or trademark of Splunk Inc. in the United States and/or other jurisdictions. All other marks and names mentioned

866-438-7758 | 415-848-8400

www. splunkbase.com

www.splunk.com