Splunk for Cisco Security Suite (US Format)
FACT SHEET

Splunk for Cisco Security Suite
Using Splunk for Real-time Monitoring and Management of Cisco-centric Security Environments

The Challenges

Every Cisco router, switch, firewall, IPS, web proxy or other hardware or software-based solution has a story to tell about the confidentiality, integrity and availability of your environment. Relevant data from across these systems is critical to investigations and to the continuous monitoring that provides situational awareness.

However, the real ROI for security solutions lies in making them work together to provide a comprehensive view of the enterprise security posture. This combined, chronological view of all security-relevant data enables the security team to prioritize events and responses and to engage effectively with IT operations and other areas of the business.

It is nearly impossible to make effective business decisions using a product-by-product view of reports. Organizations that attempt this end up with an amalgamation of CSV-to-spreadsheet conversions that only provide a report-based view, delivered quarterly at best.

Traditional security information and event management (SIEM) solutions provide an alternative to these highly manual processes, but they typically require that you eliminate or exclude data sources that do not fit into a schema, or that simply cannot be collected due to scalability issues. Leaving out specific data sources because they do not appear on a list of supported products means forensic investigations are limited before they have begun. Forensic investigations need to be assessed quickly and turned into actionable intelligence so that a specific set of activities can be prevented from happening again.

Splunk Enterprise, with its ability to scale to collect, index and report on terabytes of any machine-generated data, is well suited to meet these challenges. Expanding on a successful collaboration with Cisco/Ironport, Splunk and Cisco continue to work together to provide content for other Cisco security offerings. The Splunk Cisco Security Suite provides saved searches, reports and dashboards that help security teams take full advantage of the information collected across their Cisco security devices. Combined with the core Splunk ability to index, search and report on data from any other security vendor's technology, the Splunk Cisco Security Suite enables a single, comprehensive view for complete situational awareness.

Apps and Add-ons for Cisco Security

Splunk for Cisco Security Solution

Our Cisco Security Suite includes multiple apps and add-ons that combine to create one solution running on the Splunk engine. The solution builds on the core Splunk capabilities, giving the security team the ability to search machine-generated data, perform root cause analysis and apply statistical analysis to measure adherence to key performance indicators (KPIs). The apps and add-ons within the Splunk for Cisco Security Suite support specific Cisco point solutions with out-of-the-box content, searches and reports, all within a single UI.

Splunk Add-on for Cisco Firewall

The Cisco Adaptive Security Appliance (ASA) represents an evolution that began with the Cisco PIX, first released in 1994. As threats have evolved, so has the Cisco perimeter firewall, which in addition to firewall capabilities now includes IPS, VPN and content security functionality. In the firewall add-on, firewall and IPS log data are collected and classified using tags, field extractions and saved searches. Connections accepted and denied by port are just a small sample of the information available via the add-on, which also supports firewall data from Cisco PIX and FWSM.

Splunk App for Ironport Email Security Appliance (ESA)

Approximately 90% of email activity is invalid (spam, viruses, etc.). To reduce invalid mail and protect against viruses and other malware, the security team must provide appropriate protection against email-borne threats. The Splunk App for ESA makes email transaction tracing simple with a form-search dashboard: enter what you know about the transaction, the sender, the recipient and the attachments, and mine the ESA logs for any matching email transaction. Splunk provides scalable, out-of-the-box reporting and saved searches that represent the most requested searches and analytics.

Splunk App for Ironport Web Security Appliance (WSA)

The number of web-borne security threats has reached record proportions. It is easy for an employee to click on a link that results in the installation of a keylogger, rootkit or some other form of malware. Surfing to certain destinations can violate "appropriate use" policies. According to a recent survey, a rapid escalation in employee web surfing can be an indication of an employee looking to leave and perhaps take proprietary information with them. Splunk helps track and report on web surfing as logged by the WSA appliance. The Splunk App for WSA provides reports that support the HR professional's perspective when analyzing data from WSA, and supports security teams that need to fulfill requests for evidence in HR actions.

Splunk Add-on for Cisco IPS - SDEE

Cisco IPS devices and modules use the Security Device Event Exchange (SDEE) message format and protocol to communicate events. Cisco routers, the ASA appliance, or the stand-alone
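The firewall add-on paragraph above describes field extraction and a "connections accepted and denied by port" view over ASA logs without showing how those fields come out of a raw syslog line. The following is an added example, not code from the fact sheet or from Splunk's add-on: it extracts the same kind of fields from constructed sample lines written in the layout of two ASA syslog messages (302013, connection built; 106023, packet denied by an access list), tallies accepted and denied connections by destination port, and runs one saved-search-style check for a source that is denied on several ports. The log lines, host name, addresses and the threshold in deny_fanout are assumptions chosen for the example; the add-on's own extraction names are not shown on the page and are not reproduced here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the shape of Cisco ASA syslog messages.
# They are not captured from a real device. 302013 = connection built,
# 106023 = packet denied by an access-group, 302014 = connection torn down.
SAMPLE_LOGS = """\
Oct 23 2014 10:01:02 asa1 : %ASA-6-302013: Built inbound TCP connection 1001 for outside:203.0.113.5/52100 (203.0.113.5/52100) to inside:10.0.0.5/443 (192.0.2.10/443)
Oct 23 2014 10:01:03 asa1 : %ASA-6-302013: Built inbound TCP connection 1002 for outside:203.0.113.6/52101 (203.0.113.6/52101) to inside:10.0.0.5/443 (192.0.2.10/443)
Oct 23 2014 10:01:04 asa1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40000 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
Oct 23 2014 10:01:05 asa1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40001 dst inside:10.0.0.5/22 by access-group "outside_in" [0x0, 0x0]
Oct 23 2014 10:01:06 asa1 : %ASA-4-106023: Deny tcp src outside:198.51.100.7/40002 dst inside:10.0.0.5/3389 by access-group "outside_in" [0x0, 0x0]
Oct 23 2014 10:01:07 asa1 : %ASA-6-302013: Built outbound TCP connection 1003 for outside:93.184.216.34/80 (93.184.216.34/80) to inside:10.0.0.20/51000 (192.0.2.10/51000)
Oct 23 2014 10:01:08 asa1 : %ASA-6-302014: Teardown TCP connection 1001 for outside:203.0.113.5/52100 to inside:10.0.0.5/443 duration 0:00:06 bytes 4321 TCP FINs
"""

# Field extractions. 302013 names the two endpoints as "for <if>:<ip>/<port> (...)"
# and "to <if>:<ip>/<port> (...)"; the parenthesised mapped (NAT) addresses are skipped.
BUILT_RE = re.compile(
    r"%ASA-\d-302013: Built (?P<dir>inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<for_if>\w+):(?P<for_ip>[\d.]+)/(?P<for_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<to_if>\w+):(?P<to_ip>[\d.]+)/(?P<to_port>\d+) \([\d.]+/\d+\)"
)
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r'dst (?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) by access-group "(?P<acl>[^"]+)"'
)


def parse_line(line):
    """Classify one syslog line as an accepted or denied connection event.

    Returns a dict with action, proto, src, dest and dest_port, or None for
    lines this example does not classify (teardowns, other message IDs).
    """
    m = BUILT_RE.search(line)
    if m:
        # Direction rule for 302013: on an inbound connection the "for" side is
        # the initiator and "to" is the server; on an outbound connection the
        # "for" side is the server (outside) and "to" is the inside initiator.
        if m["dir"] == "inbound":
            client, server, port = m["for_ip"], m["to_ip"], int(m["to_port"])
        else:
            client, server, port = m["to_ip"], m["for_ip"], int(m["for_port"])
        return {"action": "accepted", "proto": m["proto"].lower(),
                "src": client, "dest": server, "dest_port": port}
    m = DENY_RE.search(line)
    if m:
        return {"action": "denied", "proto": m["proto"].lower(),
                "src": m["src_ip"], "dest": m["dst_ip"],
                "dest_port": int(m["dst_port"]), "acl": m["acl"]}
    return None


def connections_by_port(text):
    """Count events by (action, protocol, destination port), the same roll-up
    the add-on's 'accepted and denied by port' view presents."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[(ev["action"], ev["proto"], ev["dest_port"])] += 1
    return counts


def deny_fanout(text, min_ports=2):
    """Saved-search style check: sources denied on at least min_ports distinct
    destination ports, a cheap indicator of port probing against the perimeter.
    The threshold is an assumption for this example; tune it to your traffic."""
    ports_by_src = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev and ev["action"] == "denied":
            ports_by_src[ev["src"]].add(ev["dest_port"])
    return {src: ports for src, ports in ports_by_src.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    for (action, proto, port), n in sorted(connections_by_port(SAMPLE_LOGS).items()):
        print(f"{action:9} {proto} dest_port={port:<5} count={n}")
    for src, ports in deny_fanout(SAMPLE_LOGS).items():
        print(f"ALERT: {src} denied on {len(ports)} ports: {sorted(ports)}")
```

The teardown line (302014) is deliberately left unclassified so that each connection is counted once, from its 302013 event; a production extraction would also carry the interface names and the ACL name through to the output, which this example only captures.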