Author: Fatih ERMİŞ | Solutions Consultant
Cisco Endpoint Security Analytics ( CESA )
Cisco invests heavily in security as well as in networking. With the large investments it has made in recent years, it offers many solutions for the security of endpoints (end users) alongside network security. Among these endpoint security solutions are two established products that protect against advanced malware threats: AMP (Advanced Malware Protection) and Cisco Umbrella (DNS Security). Although these products defend against many of the threats endpoints face, visibility gaps on the endpoint remained.
The most recent of these developments in Cisco endpoint security is the Cisco Endpoint Security Analytics (CESA) solution. CESA, together with the Cisco AnyConnect Network Visibility Module (NVM agent), maximizes endpoint and user network visibility by collecting endpoint telemetry and integrating that telemetry with Splunk Enterprise. It is based on nvzFlow (pronounced "en-vizzy-flow"), the foundation of NVM technology. Cisco AnyConnect NVM supports the Cisco Network Visibility Stream protocol, nvzFlow for short. The protocol is designed to give better visibility into what endpoints do on the network by augmenting standard IPFIX with a small set of high-value endpoint binding data (for example, which process and user generated a flow).
CESA Story
The CESA solution was developed by the Cisco Security CTO Office. Cisco's information security teams were unable to obtain all the endpoint data they needed for incident response and had great difficulty gaining endpoint visibility. Working with those teams, the CTO Office integrated Cisco AnyConnect and Splunk to solve some of these problems. Many Cisco employees work off-site, and because they connect to corporate and cloud resources at the same time, there were blind spots in endpoint security. The teams needed a way to collect and store at least a year of data for incident analysis, and they also needed real-time information to see what was happening on the network. CESA was developed as the answer to all of these problems.
CESA Benefits
Device visibility for endpoints (end users): Helps find endpoint threats such as malware, risky user behavior and data leakage at their source, provides visibility into which applications or software-as-a-service (SaaS) offerings are in use, and provides visibility into the device types and operating systems on the network for incident response.
Tracks endpoints (end users) wherever they go: Endpoint telemetry is collected whether or not the device is connected to the corporate network.
Find answers quickly and easily: Leverages existing AnyConnect telemetry (no additional endpoint agent is required), gives instant insight through pre-built Splunk dashboards, and lets you find the questions and answers you need through searches.
Predictable costs: Can be budgeted per endpoint rather than per variable volume of data transferred to Splunk.
Support for different devices: Windows, macOS, Linux and Samsung Knox-enabled devices are supported.
How Does CESA Work?
Many companies want to know what their employees and devices are doing at work, on the road, or at the coffee shop. That is why Cisco created the AnyConnect Network Visibility Module (NVM) to provide unprecedented endpoint behavioral visibility.
Cisco AnyConnect NVM is available from AnyConnect agent version 4.2 onward. NVM can generate IPFIX endpoint telemetry whenever the device is in use, even when the device is off the corporate network. This data is streamed to flow collectors and forwarded to Splunk, where it becomes available immediately. With the "Splunk NVM" application developed by Cisco, users get ready-to-use dashboards so they can quickly understand the data and start using it to answer critical security questions (incident response).
CESA can be used as a standalone NVM analytics deployment or added to an existing Splunk Enterprise environment. Cisco Endpoint Security Analytics, built on Splunk, provides deep endpoint visibility; the analytics on top of Cisco AnyConnect NVM telemetry are powered by Splunk Enterprise.
The AnyConnect Network Visibility Module provides visibility into mobile devices through rich user behavior data exported as IPFIX (IP Flow Information Export), allowing an organization to monitor whether its employees' endpoints are threatening the company's security. The behavioral data generated by NVM complements anti-malware agents that focus primarily on file analysis, such as Cisco Advanced Malware Protection (AMP) for Endpoints.
NVM telemetry is captured and analyzed in CESA, built on Splunk, to address endpoint security use cases such as:
Data loss detection
- Data hoarding activity — download and upload behavior
- Excessive exfiltration — uploads to external domains and network shares
Zero-day malware and threat detection
- Unusual application/process behavior — running on standard or non-standard ports
- Command and control detection — connections to new, unusual or known-bad domains
- Threat detection — correlation with the hosting domain
Zero trust monitoring
- Off-network device monitoring — user, device, traffic, application and data behavior
- SaaS usage behavior — monitoring of SaaS services
- Untrusted connections — tracking who connects to untrusted networks
Unapproved apps and SaaS visibility
- Access to SaaS domains — connections to SaaS domains and usage behavior
- Application and process visibility — finding the applications and processes running on devices
Security evasion and user attribution
- Endpoint security applications — detecting whether they have been disabled
- CESA — detecting whether it has been disabled
- User network access attribution — user activity attributed down to the network interface controller level
Asset inventory
- Device type and OS inventory — can be defined and reported by type
- Data privacy compliance
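To make the data loss and zero-day use cases above concrete, here is an added example (not Cisco's code and not part of the original article) of simple detection logic run over constructed NVM-style endpoint flow records in Python. The field names, the upload threshold and the expected-port table are assumptions loosely modeled on the endpoint binding data nvzFlow adds to IPFIX (process, user, destination, bytes); real NVM exports differ.

```python
# Added example (not Cisco's or the article's code): toy detection logic for the
# CESA data-loss and zero-day use cases over constructed NVM-style flow records.
# Field names below are assumed, loosely modeled on nvzFlow endpoint fields.
from collections import defaultdict

# Constructed sample flows: one record per endpoint connection.
FLOWS = [
    {"user": "alice", "process": "outlook.exe", "dst": "mail.corp.example", "port": 443, "out_bytes": 2_000_000},
    {"user": "alice", "process": "python.exe", "dst": "paste.example.net", "port": 443, "out_bytes": 300_000_000},
    {"user": "bob", "process": "chrome.exe", "dst": "docs.saas.example", "port": 443, "out_bytes": 5_000_000},
    {"user": "bob", "process": "ssh.exe", "dst": "203.0.113.7", "port": 8080, "out_bytes": 1_000},
    {"user": "carol", "process": "chrome.exe", "dst": "cdn.example.org", "port": 443, "out_bytes": 10_000},
]
INTERNAL_SUFFIXES = (".corp.example",)          # assumed: destinations treated as internal
UPLOAD_THRESHOLD = 100_000_000                  # assumed policy: bytes per user/process/destination
EXPECTED_PORTS = {"ssh.exe": {22}, "chrome.exe": {80, 443}, "outlook.exe": {443, 993}}  # assumed baseline

def is_external(dst):
    """A destination is external unless it ends with an internal suffix."""
    return not dst.endswith(INTERNAL_SUFFIXES)

def detect_exfiltration(flows, threshold=UPLOAD_THRESHOLD):
    """Sum outbound bytes per (user, process, destination) to external hosts; flag large totals."""
    totals = defaultdict(int)
    for f in flows:
        if is_external(f["dst"]):
            totals[(f["user"], f["process"], f["dst"])] += f["out_bytes"]
    return sorted(key for key, total in totals.items() if total >= threshold)

def detect_nonstandard_port(flows, expected=EXPECTED_PORTS):
    """Flag processes connecting on ports outside their baseline (unbaselined processes are skipped)."""
    hits = set()
    for f in flows:
        allowed = expected.get(f["process"])
        if allowed is not None and f["port"] not in allowed:
            hits.add((f["user"], f["process"], f["dst"], f["port"]))
    return sorted(hits)

def detect_new_domains(flows, known):
    """Flag destinations never seen before: a simple unusual-domain / C2 heuristic."""
    return sorted({f["dst"] for f in flows if f["dst"] not in known})

if __name__ == "__main__":
    known = {"mail.corp.example", "docs.saas.example", "cdn.example.org"}
    print("possible exfiltration:", detect_exfiltration(FLOWS))
    print("non-standard ports:   ", detect_nonstandard_port(FLOWS))
    print("new destinations:     ", detect_new_domains(FLOWS, known))
```

In a real deployment the same per-user, per-process aggregation is what the pre-built Splunk NVM dashboards do over the IPFIX records; the threshold and port baseline would come from your own environment rather than the constants above.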