Cisco Endpoint Security Analytics (CESA) Built on Splunk Quickstart POV Kit & Deployment Guide
The latest version of the CESA app and TA (September 2021 v4.0.1)
POV Kit Data (attached at the bottom of the page) - Sep 2021 - contains the avgupd process name for Linux running once a day for a period of time (1st to 10th of the month) and then stopping. This is for the security evasion use case (lab guide attached at the bottom and also at http://cs.co/cesa-guide).
This guide outlines:
● 10-Minute CESA POV Kit – If all you want is the POV Kit, just download the file at the bottom of this community page. Within that .zip file is everything you need for a POV, including instructions on how to use the Kit.
Note: if you're only going to work quickly with the sample data, you don't need a full version of Splunk; you can install one quickly on your own laptop. If you intend to move on to a POV with real data, you will need the collector, which won't run on Windows. If you want something full featured, move right into Splunk Enterprise on Linux (more information below).
● Full Customer Pilot POV – This is for customers who want to configure their own AnyConnect clients to generate NVM telemetry for their POV or pilot instead of using the pre-populated NVM data set in the 10-Minute POV Kit. Read this document for guidance on a full POV/pilot. This will require the configuration of the collector on the Splunk instance. For more details read the AnyConnect NVM collector info and Install and Configure AnyConnect NVM 4.7.x or Later and Related Splunk Enterprise Components for CESA.
● Production Deployment – Read this document for guidance on full CESA deployment.
This quickstart deployment guide is designed to direct users of Cisco® Endpoint Security Analytics (CESA) Built on Splunk to detailed documentation on how to set up a proof of value or production deployment. This guide will help you to:
● Understand the deployment architecture of CESA Built on Splunk
● Locate detailed documentation regarding how to set up each component of a CESA deployment
This guide is intended for any user seeking to set up a proof of value or production deployment of CESA Built on Splunk.
The quickstart guide provides a brief overview of the solution components and where to find detailed deployment documentation for each of those components.
Cisco Endpoint Security Analytics Built on Splunk analyzes endpoint telemetry generated by the Network Visibility Module (NVM) built into the Cisco AnyConnect Secure Mobility Client. CESA Built on Splunk is Splunk Enterprise software that is tuned to analyze NVM telemetry produced by endpoints to detect a variety of endpoint-specific security risks and breaches, such as:
CESA Built on Splunk is sized on a per-endpoint basis for 1 and 3 year terms that can be deployed as:
1) a standalone AnyConnect NVM analytics platform or,
2) a feature license combined with an existing Splunk deployment, adding per-endpoint priced analytics specifically for AnyConnect NVM telemetry. In this feature license scenario, AnyConnect NVM telemetry does not count against the data volume license used on the broader Splunk deployment, but is instead counted on a per-endpoint basis against the CESA Built on Splunk endpoint capacity purchased.
Cisco Endpoint Security Analytics Built on Splunk requires two product components to be a functional solution:
1. Cisco AnyConnect Apex license:
This is a term feature license on the AnyConnect client that enables the NVM telemetry to be produced by endpoints. It is this telemetry that is ingested to CESA Built on Splunk and analyzed for security threats and endpoint visibility. Without NVM telemetry, CESA Built on Splunk will not function because it will not have any endpoint telemetry to analyze. The AnyConnect Apex license is purchased separately under SKU L-AC-APX-LIC=. Learn more about AnyConnect Apex licenses at https://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf.
If you don't already have AnyConnect Apex licenses, you are able to run up to 5 clients for free to try it out.
2. Cisco Endpoint Security Analytics Built on Splunk:
This is the product described in this ordering guide. It ingests the AnyConnect NVM telemetry from endpoints and performs analytics that detect security threats and provides visibility for those endpoints. NVM data is essentially useless without CESA to analyze the data.
The primary subscription SKU is CESA-SPLUNK-SUB, which has three configurable SKU options under it:
1) CESA-SPLUNK-LIC includes a Splunk on-prem capacity license for NVM telemetry and is for initial orders of CESA with Splunk capacity and any subsequent orders adding 2500 or more endpoints;
2) CESA-SPLUNK-UPG, which is for adding fewer than 2500 endpoints to an existing CESA-SPLUNK-LIC on-prem deployment;
3) CESA-BYOC-LIC (“Bring Your Own Capacity”), a third license that differs from the previous two in that it DOES NOT include Splunk capacity. It is a license solely for the Cisco components of Cisco Endpoint Security Analytics (CESA) on Splunk (event analytics/dashboard and endpoint NVM data collector), AnyConnect NVM Add-On for CESA (data normalization and translator) and Cisco TAC support. This license may be purchased with no minimum endpoint quantity but must match the number of AnyConnect endpoints being supported in the CESA deployment. This SKU is designed as an alternative to CESA-SPLUNK-xxx SKUs for customers who: a) already have sufficient Splunk capacity to accommodate the 10MB per endpoint per day of NVM telemetry that endpoints generate, or b) have fewer than 1500 endpoints in their deployment, in which case it is often less expensive to purchase Splunk capacity from Splunk vs. purchasing the CESA-SPLUNK-LIC that starts at 2500 endpoints.
Support and CESA software upgrades are included with the CESA Built on Splunk product. Since CESA and AnyConnect NVM are a joint solution with components sold separately, they each have distinct support offerings as outlined below. Note that Splunk support, in addition to Cisco TAC support, is included with CESA-SPLUNK-xxx SKUs. Cisco TAC will support installation, troubleshooting and issue resolution up to the point of confirming proper operation of AnyConnect NVM and Cisco components of CESA. When it becomes clear that the issue is with the underlying Splunk deployment and not CESA/NVM, the customer will be referred to Splunk support.
Cisco Endpoint Security Analytics Built on Splunk:
“Standard” support is provided by Splunk (CESA-SPLUNK-xxx SKUs only) and by Cisco TAC as part of the product purchased from Cisco. Standard support includes 24x7 for P1 cases. Upgraded “Premium” support for Splunk may be purchased directly from Splunk and offers 24x7 for P1/P2 cases, access to the “Advance Support Team”, as well as expedited response times. “Premium” support is not available for purchase from Cisco. Learn more about support packages and terms at:
Cisco AnyConnect NVM support is provided by Cisco and the TAC as part of normal AnyConnect support.
From a CESA deployment perspective there are the following components:
Cisco Endpoint Security Analytics (CESA)
This App (download at https://splunkbase.splunk.com/app/2992/) provides two functions:
- Provides pre-designed analytics dashboards to visualize, view and set alerts on the data. This component enables immediate visibility into endpoints and user activities, but can also be endlessly customized or even completely replaced with a custom developed deployment-specific CESA console using standard Splunk query and visualization capabilities.
Deployment documentation for the AnyConnect NVM App for Splunk can be found on Splunkbase at: https://splunkbase.splunk.com/app/2992/#/details.
Cisco Endpoint Security Analytics Add-On for Splunk
This “technology add-on” (aka “TA” in Splunk nomenclature – downloadable at https://splunkbase.splunk.com/app/4221/) provides NVM data indexing and formatting inside CESA Built on Splunk. It takes NVM data from the endpoint “collector” and translates the NVM flow data into syslog that can be processed and analyzed by CESA Built on Splunk. Like any Splunk TA, it is installed within the Splunk Enterprise instance of CESA Built on Splunk. Deployment documentation for the AnyConnect NVM App for Splunk can be found on Splunkbase at: https://splunkbase.splunk.com/app/4221/#/details.
Note: for a simulated-data POV, only a cloud instance of Splunk is needed, with the CESA dashboard and TA Add-on Apps.
What about load balancing traffic from AnyConnect NVM to multiple collectors or destinations?
For example: for high availability or using with Stealthwatch. Note we don't support setup or design of these systems. It all depends on customer needs in their environment.
There are two types of POV available for CESA:
1) The 10-Minute CESA POV Kit enables existing Splunk customers to load all CESA components and a sample NVM data set into their existing Splunk environment. This is the simplest and fastest way for a customer to get a feel for CESA, as it does not require any AnyConnect configuration. As the name indicates, an experienced Splunk customer can get a CESA POV running in 10 minutes with this kit. Anyone may download the kit data (attached to the bottom of this page; note this was last updated in July, so you can't use the last 30 days). All documentation needed for this kit is contained on this page and in the kit.
2) A Full Customer Pilot POV is for customers who do not already have Splunk or want to generate NVM telemetry for the POV/pilot from their own AnyConnect clients. Procedure for this approach is detailed directly below.
All the components needed to set up a full customer pilot or proof of value deployment for CESA can be downloaded for trial and run on a single server, as follows:
This document provides simple step-by-step instructions to run the Cisco Endpoint Security Analytics Built on Splunk (CESA) proof of value (POV) kit in your existing Splunk environment. You can follow the instructions below or you can just watch the installation video contained at the end of the instructions.
What this POV Kit Does:
Enables you to try out CESA in your existing Splunk environment without having to generate your own AnyConnect NVM telemetry from your organization's AnyConnect endpoints (if you want to use real clients, continue with the installation of the apps but skip the section on working with the sample data). Instead, you can import the AnyConnect NVM data set provided in this kit into your Splunk instance, install the Splunk App and Add-On noted below, and you’re ready to work with CESA.
Note: If you're not interested in working with this sample data and want to use real clients instead, please continue on to the POV with real clients.
It is important that each file imported into Splunk is mapped to the appropriate sourcetype. The searches and dashboards depend on this step.
The PoV kit will be periodically updated, so it is best to delete any prior data imported for these sourcetypes from an older PoV kit. In the global search, select a time range (far right) of "Year to date" and then run the following command for each sourcetype.
If your account does not have sufficient rights, go to Settings->Users and select your user, then select 'edit' and in 'Assign roles' add 'can_delete' to your account.
After completing this task, you can now import the .txt files, mapping each one to the associated sourcetype.
Repeat the steps above for ifdata.txt (choosing sourcetype="cisco:nvm:ifdata" for mapping).
Repeat the steps above for sysdata.txt (choosing sourcetype="cisco:nvm:sysdata" for mapping).
Once you have imported all 3 data types, you can then explore the data.
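The kit's security-evasion data has avgupd reporting once a day from the 1st to the 10th of the month and then stopping. The following added example (not part of the kit or the CESA app) shows the detection logic for that pattern over constructed records; the tuple layout, host names and thresholds are assumptions for illustration, not the NVM field schema.

```python
from collections import defaultdict
from datetime import date, timedelta

# Tuple layout (day, host, process) is an assumption for this example,
# not the NVM/TA field schema. All records below are constructed.
def build_sample():
    rows = []
    for d in range(1, 31):
        day = date(2021, 9, d)
        rows.append((day, "linux-01", "sshd"))        # reports all month
        rows.append((day, "linux-02", "avgupd"))      # healthy host, never stops
        if d <= 10:
            rows.append((day, "linux-01", "avgupd"))  # stops after the 10th
        if d in (3, 17):
            rows.append((day, "linux-01", "curl"))    # sporadic, no daily rhythm
    return rows

def find_stopped_processes(rows, window_end, min_streak=5, min_silence=3):
    """Flag (host, process) pairs that reported on at least `min_streak`
    consecutive days and have been silent for `min_silence`+ days since."""
    seen = defaultdict(set)
    for day, host, proc in rows:
        seen[(host, proc)].add(day)
    findings = {}
    for key, days in seen.items():
        last = max(days)
        streak = 1  # length of the daily run ending at the last sighting
        while last - timedelta(days=streak) in days:
            streak += 1
        silent = (window_end - last).days
        if streak >= min_streak and silent >= min_silence:
            findings[key] = {"last_seen": last, "streak": streak,
                             "silent_days": silent}
    return findings

if __name__ == "__main__":
    hits = find_stopped_processes(build_sample(), date(2021, 9, 30))
    for (host, proc), f in hits.items():
        print(f"{host} {proc}: last seen {f['last_seen']}, "
              f"silent {f['silent_days']} days after a {f['streak']}-day run")
```

Keying on the host and process pair is what separates the one endpoint where the agent went quiet from the endpoints where it is still reporting.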
This section covers the options available for running your own POV without the sample data from the 10-minute kit.
**Easiest** - For complete cookie-cutter simplicity we recommend the following for a POV:
If your customer really wants more than 50 clients for the POV, you can request a 90-day CESA demo license at firstname.lastname@example.org. But if you get beyond 1000, you’ll need to start sizing server resources (see server sizing information below).
If the above POV setup does not work for the customer, here are some other options, ordered by ease of deployment.
Run POV in production Splunk environment running on Linux:
Run POV in production Splunk environment running on non-Linux OS:
Use this information when sizing a Real Client POV (not the 10-minute kit with sample data).
Option 1: CESA as part of existing Splunk production environment
If you have an existing setup with plenty of resources, then you may run all the components for a limited POV and only see your resource utilization increase by 5-10% for 50-500 endpoints (small POV). You will still need to account for the increase in disk space (10 MB per endpoint per day).
For example, you can run a POV on a single server/VM if the Splunk instance is running on Linux. Budget 10 MB per endpoint per day for storage, multiplied by the number of days you want to store the data, plus XXGB for Splunk. For example, 50 clients for 90 days would use 45 GB of data. You can follow the server sizing above.
If POV will not be done on a Docker or other server environment where server resourcing is generally self-managing, below are guidelines for server sizing.
Option 2: Standalone CESA POV (not part of production Splunk environment), running Splunk and all CESA components on a single server running 64-bit Linux (CentOS 8). This allows a customer to set up a completely isolated environment that is easy to install and has all the components needed.
Collector multi-process mode (recommended and on by default, see collector info) - disable only if you run into issues
Large 5000-10,000 endpoints
If you run NVM Collector on a separate Linux box:
For general scaling, support up to 35-40k endpoints per box. After that, separate into a collector/forwarder distributed deployment (per Splunk).
20k endpoints guidance example
Please follow the attached document (CESA-Splunk-Centos-install.docx) on installing Splunk and the necessary apps for CESA for Splunk.
Also for a complete solution setup (not including the CentOS box) use the Cisco Endpoint Security Analytics (CESA) Built on Splunk Quickstart POV Kit & Deployment Guide
We have incorporated a lab guide - also copied to the bottom of the page - for you to get some hands-on experience with some of the use cases. This is open to Cisco employees and partners utilizing the following dCloud demos:
ISE 3.x Enterprise & Security (preferred) or the Cyber Defense Clinic (Cyber Threat Response Clinic)
Please use the associated lab guide or http://cs.co/cesa-guide with your own laptop.
ISE Enterprise & Security Demo - includes real VPN VM or BYO VPN/Wireless AP
Find on https://cs.co/selling-ise-demos
Some great posts by @vparla
IPFIX (nvzFlow) protocol - intended integration point for 3rd party SIEMs.