07-19-2022 09:53 AM
Hey everyone!
I am working on coming up with a Managed Security offering for the company I work for. Cisco SecureX and the Cisco Security suite offer amazing visibility and one pane of glass to manage Security and Incident Response, but there are some logs that I don't think Cisco will ever collect (i.e. Windows Event Logs or application logs). I assumed I would use Splunk, LogRhythm, or another SIEM to collect and search these logs. The problem I run into is now I have two "centralized logs".
Is there a way to get the information from SecureX to a SIEM, or from a SIEM to SecureX? Can a SIEM be a data source for SecureX or the other way around? Am I just doing this wrong?
Thank you in advance for any advice!
DevLop
07-20-2022 08:31 AM
Hi DevLoop,
I haven't worked with the Splunk module, but I'm going to assume that it works the same as the others, and essentially just displays some pretty graphs and charts in the GUI based on "alerts" that Splunk has generated.
In regards to the SecureX->Splunk element, that is going to be for CTR, Cisco Threat Response, into which you can input an IP or domain etc., and then it will search for instances of that within your Splunk environment.
I suppose the main question is what are your requirements for logging. If you have no actual requirements to be able to do searches on log data, or data retention, then you could just use SecureX. If you have more traditional SIEM-style requirements, then SecureX isn't going to cut it.
There is a SecureX Partner Support WebEx Teams space that you can join by requesting access through this form - https://cs.co/9001Guw6S
I am also from an MSP/Cisco Partner, but this is a good partner space for discussing options for your style of issue.
07-19-2022 03:19 PM
Hi DevLoop,
What kinds of logs are you wanting to send to your SIEM? What Cisco security products do you utilise?
I think pretty much all have the ability to send logs to a SIEM, so you could send to your SIEM and to SecureX.
SecureX is not a log collection platform realistically. It can consume some logs from things like FirePower to show some statistics, but it doesn't have a lot of the features that a SIEM would provide.
Can you expand a little more on what you want to achieve?
07-20-2022 08:05 AM - edited 07-20-2022 08:12 AM
Hey Ross!
I work for an MSP, so to answer your questions I would need to be pretty agnostic on the types of logs it would take and we use all of the Cisco Security products since we are a reseller. Most of our customers have Secure Endpoint, Umbrella, and Firepower going to SecureX, and some have Secure Analytics or Secure Web Appliances that feed into it (really tired of typing the word Secure). And again, as far as logs it would have to be pretty agnostic. We work with hospitals, manufacturing, and schools, all of which have their own logging requirements that we may have to ingest. They might have healthcare application logs or the logs from a giant manufacturing machine. This is in addition to normal Windows, Linux, and Syslog.
I assumed that SecureX would not be able to ingest these, but there are integrations. To quote a Splunk integration "This Relay App enables the collection of Sightings from Splunk to allow it to be a data source in Cisco SecureX threat response." If I send all the logs from Secure Endpoint, Umbrella, and Firepower to a SIEM I have to pay for that data in my SIEM license. If I use the SIEM as a data source for SecureX I don't have to pay for more SIEM licensing.
The odd thing is though (and I'm just going to focus on Splunk since it's a big name) they also have a module that seems to go the other direction. "Cisco SecureX threat response Add-On for Splunk provides a custom search command allowing users to query Cisco SecureX threat response for targets and verdicts from observables within a Splunk instance." So that sounds like Splunk can search in SecureX, without having to send the data to the SIEM and pay for it.
Hopefully, that helps you understand the background. So do you have any ideas on how to architect this efficiently?
DevLop
07-20-2022 09:15 AM
Ross,
Thanks for the info! That first paragraph was the exact info I needed. If I can use Cisco Threat Response to search SecureX and Splunk (or some other SIEM), I think that is what we need.
I would be using the SIEM for centralized logging and data retention. SecureX and the Cisco Security stack will be our main tools for identifying incidents, and then after identifying them we can use Cisco Threat Response to perform an investigation that includes the logs from the SIEM.
Thanks a lot for the help!
DevLop
07-21-2022 01:58 AM
Hi @DevLop, just to chime in here as well on top of the great comments from @ross:
There is a Splunk module for SecureX that allows you to do enrichment in SecureX Threat Response investigations. When you search for certain observables, it will also query Splunk as an enrichment source.
Then there is indeed the Threat Response app for Splunk, which allows you to query SecureX for additional info on observables in Splunk (indeed kind of the reverse integration). I don't think this is what you need for your use case.
Both can have use cases. If your customers are mainly using Cisco products (or other products which have an integration with SecureX), and you don't have an actual use case for logging long term, you could also consider not using a SIEM, leaving the data in the products, and SecureX Threat Response would then be your relay when doing investigations (as it will then pull data from the various products directly).
Technically there is also the Private Intel Database in SecureX, which allows you to add data to it. This is not meant as a SIEM though, but it does allow you to store some information like judgements or sightings from products that are not natively integrated.
TLDR: there are various options, and you need to consider exactly what the use case is to find out what the best fit is.
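To make the enrichment direction discussed above concrete (SIEM as a data source for SecureX Threat Response, as in the Splunk Relay App quoted earlier), here is an added, self-contained Python sketch. It is not code from this thread, from Cisco, or from the Splunk relay; it models a relay module's "observe observables" handler: a list of observables comes in from an investigation, the relay searches the SIEM, and it answers with CTIM-style sightings. The SIEM is stood in for by a constructed in-memory list of log events, the log field names and the exact CTIM field set are simplifying assumptions, and the source name and id prefix are placeholders.

```python
"""Added example (not the thread's or Cisco's code): a minimal SecureX-style
relay handler that turns SIEM log hits into CTIM-style sightings.
The SIEM index below is constructed sample data; the field names and the
sighting layout are assumptions made for illustration."""
import hashlib
import json

# Constructed sample "SIEM index": the kind of events a SIEM retains long term.
SIEM_EVENTS = [
    {"_time": "2022-07-19T14:02:11Z", "host": "ws-0412", "src_ip": "10.20.30.40",
     "dest_ip": "203.0.113.7", "action": "allowed", "sourcetype": "firewall"},
    {"_time": "2022-07-19T14:05:40Z", "host": "ws-0412", "query": "example.test",
     "sourcetype": "dns"},
    {"_time": "2022-07-20T08:31:00Z", "host": "srv-db01", "src_ip": "10.20.30.41",
     "dest_ip": "203.0.113.7", "action": "blocked", "sourcetype": "firewall"},
]

# Observable types this relay supports, and which log fields each one is matched against.
FIELDS_BY_TYPE = {
    "ip": ("src_ip", "dest_ip"),
    "domain": ("query",),
}


def search_siem(observable):
    """Stand-in for a SIEM search: return the events that contain one observable."""
    fields = FIELDS_BY_TYPE.get(observable["type"], ())
    return [e for e in SIEM_EVENTS if any(e.get(f) == observable["value"] for f in fields)]


def to_sighting(observable, event):
    """Map one SIEM event to a simplified CTIM-style sighting (field set is an assumption)."""
    # Deterministic id: repeated investigations yield the same object instead of duplicates.
    digest = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()[:16]
    return {
        "type": "sighting",
        "id": f"transient:sighting-{digest}",   # placeholder id scheme
        "schema_version": "1.1.3",             # assumed CTIM schema version
        "source": "example-siem-relay",        # placeholder source name
        "confidence": "Medium",
        "count": 1,
        "observed_time": {"start_time": event["_time"]},
        "observables": [observable],
        # The host the event was seen on becomes the sighting's target.
        "targets": [{
            "type": "endpoint",
            "observables": [{"type": "hostname", "value": event["host"]}],
            "observed_time": {"start_time": event["_time"]},
        }],
        "sensor": event.get("sourcetype", "unknown"),
    }


def observe(observables):
    """Handler body for a relay's observe endpoint: observables in, sightings out.
    Observable types the relay does not support are skipped rather than raising,
    so one unknown type in an investigation does not fail the whole enrichment."""
    docs = []
    for obs in observables:
        if obs.get("type") not in FIELDS_BY_TYPE:
            continue
        docs.extend(to_sighting(obs, ev) for ev in search_siem(obs))
    return {"data": {"sightings": {"count": len(docs), "docs": docs}}}


if __name__ == "__main__":
    # Constructed request, as an investigation might send it to the relay.
    request = [
        {"type": "ip", "value": "203.0.113.7"},
        {"type": "domain", "value": "example.test"},
        {"type": "sha256", "value": "0" * 64},  # unsupported here, silently skipped
    ]
    print(json.dumps(observe(request), indent=2))
```

The point of the pattern for the thread's use case: the raw logs stay in the SIEM (where retention and licensing live), and only the small set of sightings for the observables under investigation crosses into SecureX. A production relay would replace `search_siem` with an authenticated, rate-limited query against the SIEM's search API and would bound the time window and result count per observable.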