Cisco Endpoint Security Analytics (CESA) Built on Splunk Quickstart POV Kit & Deployment Guide

The latest version of the CESA app and TA (September 2021 v4.0.1)
POV Kit Data (attached bottom of page) - Sep 2021 - contains avgupd process name for linux running once a day for a period of time (1st to 10th of the month) then stopping, this is for the security evasion use case (lab guide attached at the bottom and also http://cs.co/cesa-guide). 

For an offline or printed copy of this document, simply choose ⋮ Options > Printer Friendly Page. You may then Print, Print to PDF or copy and paste to any other document format you like.

1. Quick Reference – README & SAVE TIME

This guide outlines:

● 10-Minute CESA POV Kit – If all you want is the POV Kit, just download the file at bottom of this community page.  Within that .zip file is everything you need for POV, including instructions on how to use the Kit.

Internal Video of 10 min POV 

Note: if you're going to quickly work with the sample data then you don't need a full version of Splunk. You can install one quickly on your own laptop. If you intend to move into real data POV then you will need the collector which won't run on windows, if you want something full featured move right into Splunk Enterprise on Linux (more information below)

● Full Customer Pilot POV – This is for customers who want to configure their own AnyConnect clients to generate NVM telemetry for their POV or pilot instead of using the pre-populated NVM data set in the 10-Minute POV Kit. Read this document for guidance on a full POV/pilot. This will require the configuration of the collector on the splunk instance. For more details read the Anyconnect NVM collector info and Install and Configure AnyConnect NVM 4.7.x or Later and Related Splunk Enterprise Components for CESA 

● Production Deployment – Read this document for guidance on full CESA deployment.

AnyConnect 4.x Network Visibility Module (NVM) Demo

Introduction

This quickstart deployment guide is designed to direct users of Cisco® Endpoint Security Analytics (CESA) Built on Splunk to detailed documentation on how to setup a proof of value or production deployment. This guide will help you to:

● Understand the deployment architecture of CESA Built on Splunk

● Locate detailed documentation regarding how to setup each component of a CESA deployment

Audience

This guide is intended for any user seeking to setup a proof of value or production deployment of CESA Built on Splunk.

Scope

The quickstart guide provides a brief overview of the solution components and where to find detailed deployment documentation for each of those components. 

2. Understanding the Products

Product Overview

Cisco Endpoint Security Analytics Built on Splunk analyzes endpoint telemetry generated by the Network Visibility Module (NVM) built into the Cisco AnyConnect Secure Mobility Client. CESA Built on Splunk is Splunk Enterprise software that is tuned to analyze NVM telemetry produced by endpoints to detect a variety of endpoint-specific security risks and breaches, such as:

• Finding unapproved or blacklisted SaaS and client applications
• Detecting data theft and data loss
• Discovering day-zero malware and conduct threat hunting
• Identifying endpoints trying to evade security scanning or disable client-side security software
• Monitoring pertinent activity and behavior of endpoints when they are not attached to the network, such as in zero-trust deployments
• Creating endpoint software application and process whitelists
• Performing endpoint asset inventory or OS’s, user accounts, device manufacturers/model and software under IT management on the network

CESA Built on Splunk is sized on a per-endpoint basis for 1 and 3 year terms that can be deployed as:

1) a standalone AnyConnect NVM analytics platform or,

2) may be combined with an existing Splunk deployment as a feature license to add per-endpoint priced analytics specifically for AnyConnect NVM telemetry. In this feature license scenario, AnyConnect NVM telemetry does not count against the data volume license used on the broader Splunk deployment, but is instead counted on a per-endpoint basis based on the capacity of the CESA Built on Splunk endpoint capacity purchased.

Product Packaging

Cisco Endpoint Security Analytics Built on Splunk requires two product components to be a functional solution:

1. Cisco AnyConnect Apex license:

This is a term feature license on the AnyConnect client that enables the NVM telemetry to be produced by endpoints. It is this telemetry that is ingested to CESA Built on Splunk and analyzed for security threats and endpoint visibility. Without NVM telemetry, CESA Built on Splunk will not function because it will not have any endpoint telemetry to analyze. The AnyConnect Apex license is purchased separately under SKU L-AC-APX-LIC=. Learn more about AnyConnect Apex licenses at https://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf.

If you don't already have Anyconnect APEX licenses you are able to run up to 5 clients for free to try it out.

2. Cisco Endpoint Security Analytics Built on Splunk:

This is the product described in this ordering guide. It ingests the AnyConnect NVM telemetry from endpoints and performs analytics that detect security threats and provides visibility for those endpoints. NVM data is essentially useless without CESA to analyze the data.  

The primary subscription SKU is CESA-SPLUNK-SUB, which has three configurable SKU options under it:

1) CESA-SPLUNK-LIC includes a Splunk on-prem capacity license for NVM telemetry and is for initial orders of CESA with Splunk capacity and any subsequent orders adding 2500 or more endpoints;

2) CESA-SPLUNK-UPG which is for adding less than 2500 endpoints to an existing CESA-SPLUNK-LIC on-prem deployment.

3) This 3^rd CESA-BYOC-LIC (“Bring Your Own Capacity”) license differs from the previous two in that it DOES NOT include Splunk capacity.  It is a license solely for the Cisco components of Cisco Endpoint Security Analytics (CESA)  on Splunk (event analytics/dashboard and endpoint NVM data collector), AnyConnect NVM Add-On for CESA (data normalization and translator) and Cisco TAC support.  This license may be purchased with no minimum endpoint quantity but must match the number of AnyConnect endpoints being supported in the CESA deployment. This SKU is designed as an alternative to CESA-SPLUNK-xxx SKUs for customers who: a)  already have sufficient Splunk capacity to accommodate the 10MB per endpoint per day of NVM telemetry that endpoints generate, or b) have fewer than 1500 endpoints in their deployment, in which case it is often less expensive to purchase Splunk capacity from Splunk vs. purchasing the CESA-SPLUNK-LIC that starts at 2500 endpoints.

• For cisco/partners, learn more about CESA Built on Splunk licenses and more at sales connect
• For customers please reach out to your account team.

Product Packaging: Support

Support and CESA software upgrades are included with the CESA Built on Splunk product. Since CESA and AnyConnect NVM are a joint solution with components sold separately, they each have distinct support offerings as outlined below. Note that Splunk support, in addition to Cisco TAC support, is included with CESA-SPLUNK-xxx SKUs. Cisco TAC will support installation, troubleshooting and issue resolution up to the point of confirming proper operation of AnyConnect NVM and Cisco components of CESA. When it becomes clear that the issue is with the underlying Splunk deployment and not CESA/NVM, customer will be referred to Splunk support.

Cisco Endpoint Security Analytics Built on Splunk: 

“Standard” support is provided by Splunk (CESA-SPLUNK-xxx SKUs only) and by Cisco TAC as part of the product purchased from Cisco. Standard support includes 24x7 for P1 cases. Upgraded “Premium” support for Splunk may be purchased directly from Splunk and offers 24x7 for P1/P2 cases, access to the “Advance Support Team”, as well as expedited response times. “Premium” support is not available for purchase from Cisco. Learn more at about support packages and terms at:

https://www.splunk.com/en_us/support-and-services/support-programs.html.

Cisco AnyConnect NVM support is provided by Cisco and the TAC as part of normal AnyConnect support.

3. Understanding the CESA Architecture & Where to Find Deployment Documentation

Components Overview & Documentation

From a CESA deployment perspective there are the following components:

• Cisco AnyConnect Secure Mobility Client: AnyConnect generates the Network Visibility Module (NVM) endpoint telemetry that is analyzed to serve the variety of use-cases CESA Built on Splunk performs. NVM telemetry is endpoint customized IPFIX flow data.
  Deployment documentation for AnyConnect NVM:
  
  • Install and Configure AnyConnect NVM 4.7.x or Later and Related Splunk Enterprise Components for CESA (internal - techzone)
  • Cisco AnyConnect NVM Product Documentation
  • How to Deploy AnyConnect NVM
  • AnyConnect NVM demo/configuration video
  • Management tunnel info - allows to send traffic without having a traffic tunnel up

• Cisco Endpoint Analytics Built on Splunk: CESA is the NVM-customized Splunk Enterprise platform that performs security analytics on AnyConnect NVM telemetry produced by endpoints. In addition to the base Splunk Enterprise software included in CESA, there are two NVM-specific components:

  • Cisco Endpoint Security Analytics (CESA) 

    This App (download at https://splunkbase.splunk.com/app/2992/) provides two functions:
    - Provides pre-designed analytics dashboards to visualize, view and set alerts on the data. This component enables immediate visibility into endpoints and user activities, but can also be endlessly customized or even completely replaced with a custom developed deployment-specific CESA console using standard Splunk query and visualization capabilities.

    Deployment documentation for the AnyConnect NVM App for Splunk can be found on

    Splunkbase at: https://splunkbase.splunk.com/app/2992/#/details.

  • Cisco Endpoint Security Analytics Add-On for Splunk - 

    This “technology add-on” (aka “TA” in Splunk nomenclature – downloadable at https://splunkbase.splunk.com/app/4221/) provides NVM data indexing and formatting inside CESA Built on Splunk. It takes NVM data from the endpoint “collector” translates the NVM flow data into syslog that can be processed and analyzed by CESA Built on Splunk. Like any Splunk TA, it is installed within the Splunk Enterprise instance of CESA Built on Splunk. Deployment documentation for the AnyConnect NVM App for Splunk can be found on Splunkbase at: https://splunkbase.splunk.com/app/4221/#/details.

  • The package also contains the “collector” for NVM flows coming from endpoints; this collector component may be installed directly on a Splunk forwarder in the CESA Built on Splunk instance or on a separate Linux-based server (or docker). For demo environments the solution can also be run on a single 64-bit Linux system that includes both the NVM collector and Splunk Enterprise components for demonstration purposes. (You can see the install information under details)

What is needed for a real-client cloud deployment?

Note: for simulated data POV only a cloud instance of Splunk is needed with the CESA dashboard  and TA Add-on Apps

• Splunk Cloud with apps for NVM dashboard and TA Add-on
• Forwarder (on-site) with TA Add-on App
• Collector (either on forwarder or separate linux/docker)  

What about load balancing traffic from Anyconnect NVM to multiple collectors or destinations

For example: for high availability or using with Stealthwatch. Note we don't support setup or design of these systems. It all depends on customer needs in their environment.

•  Cisco Telemetry Broker to send data to the NVM collector and Stealthwatch at same time. 
  • does not support DTLS. It will support non-DTLS use cases for NVM.
• AWS UDP Loadbalancer supports stickiness:
  https://aws.amazon.com/elasticloadbalancing/features/
• DTLS Support
  • Any UDP loadbalancer can be used for that purpose as long as it supports stick-load-balancing when DTLS is being used.

4. Components for a Proof of Value

There are two types of POV available for CESA:

1) The 10-Minute CESA POV Kit enables an existing Splunk customers to use this kit to load all CESA components and a sample NVM data set into their existing Splunk environment. This is the simplest and fastest way for a customer to get a feel for CESA as it does not require any AnyConnect configuration. As the name indicates, an experienced Splunk customer can get a CESA POV running in 10 minutes with this kit. Anyone may download the kit data (attached to the bottom of this page, note this was last updated in July so you can't use the last 30 days). All documentation needed for this kit is contained on this page and in the kit.

2) A Full Customer Pilot POV is for customers who do not already have Splunk or want to generate NVM telemetry for the POV/pilot from their own AnyConnect clients. Procedure for this approach is detailed directly below.

All the components needed to setup a full customer pilot or proof of value deployment for CESA can be downloaded for trial and run on a single server, as follows:

• Splunk Enterprise from https://www.splunk.com/en_us/download/splunk-enterprise.html.  A free version is available (after registration) with a limited feature set and daily data volume, but it is sufficient for testing or POC.  The main feature missing is event alerting, but all other functions needed to run CESA Built on Splunk are present.
• Both the NVM App for Splunk and the NVM Add-On for Splunk can be downloaded for free from www.splunkbase.com after registering on splunk.com.  Once your Splunk Enterprise software is setup, install this App and Add-On per the documentation above.
• Install the collector with information from the details at Anyconnect NVM
• If AnyConnect is already available in the environment, you may run NVM on up to 5 clients without an AnyConnect Apex license for testing purposes.  If AnyConnect is not already present in the test environment, trial licenses may be downloaded at cisco.com.  

This document provides simple step-by-step instructions to run the Cisco Endpoint Security Analytics Built on Splunk (CESA) proof of value (POV) kit in your existing Splunk environment.  You can follow the instructions below or you can just watch the installation video contained at then end of the instructions.

5. POV KIT INSTRUCTIONS

What this POV Kit Does:

Enables you to try out CESA in your existing Splunk environment without having to generate your own AnyConnect NVM telemetry from your organizations AnyConnect endpoints (if you're wanting to use real clients continue with the installation of the apps but skip the section working with the sample data).  Instead you can import the AnyConnect NVM data set provided in this kit into your Splunk instance, install the Splunk App and Add-On noted below and you’re ready to work with CESA.

Installing Cisco NVM Apps:

• Login to your Splunk Instance.
• Download and install Cisco AnyConnect Network Visibility Module (NVM) App for Splunk
• Download and install Cisco NVM Technology Add-On for Splunk 
• After downloading the apps, select “Manage Apps” from Splunk.
• Select “Install App from file”
• Select Choose file and select the downloaded file “Cisco AnyConnect Network Visibility Module (NVM) App for Splunk”
• Select “Upgrade app”.  Checking this will overwrite the app if it already exists.
• Select “Upload”
• Repeat the same process for installing the “Cisco NVM Technology Add-On for Splunk” File.
• After installing both files, we should see 2 new applications under “Apps” Section.

Steps to Add Sample CESA/NVM Data:

Note: If you're not interested in working with this sample data and instead real clients, then please continue on to the POV with real clients

It is important that each file imported into Splunk is mapped to the appropriate sourcetype. The searches and dashboards depend on this step.

• CESA_ifdata.txt maps to sourcetype cisco:nvm:ifdata
• CESA_flowdata.txt maps to sourcetype cisco:nvm:flowdata
• CESA_sysdata.txt maps to sourcetype cisco:nvm:sysdata

The PoV kit will be periodically updated, it is best to delete any prior data imported for these sourcetypes from an older PoV kit. In the global search, select a time range (far right) of "Year to date" and then run the following command for each sourcetype.

• sourcetype="cisco:nvm:flowdata" |delete
• sourcetype="cisco:nvm:ifdata" |delete
• sourcetype="cisco:nvm:sysdata" |delete

If your account does not have sufficient rights, go to Settings->Users and select your user, then select 'edit' and in 'Assign roles' add 'can_delete' to your account.

After completing this task, you can now import the .txt files, mapping each one to the associated sourcetype.

• Select Settings
• Select Add Data
• Select “Upload files from My Computer”
• Now Select the Source File
  1. Now Upload “CESA_flowdata.txt” File
  2. Select Next
  3. Now Select the Source Type, by default we will see “default”
  4. Select the Drop Down Icon and go to Network & Security and Select “cisco:nvm:flowdata”
  5. Select Next
  6. Select Review
  7. Select “Submit”
• Now Select “Add more Data”

• Repeat the steps above for ifdata.txt (choosing sourcetype="cisco:nvm:ifdata" for mapping)

• Repeat the steps above for sysdata.txt (choosing sourcetype="cisco:nvm"sysdata" for mapping)

Once you have imported all 3 data types, you can then explore the data.

• To Select the Dashboard, “Select Cisco NVM Dashboard” and Select “NVM Analytics Dashboards”
• Select “All Categories Top 15 View”
• By Default we will not see any events in the Dashboard
• Under the “Last 24 Hours” Drop down, select last year (data was last generated in July), if this doesn't work adjust accordingly to the dataset
• Now you see the events getting populated in the Dashboard.
• Same way you can select all the types of Dashboard Events.

6. Real client POV

This sections covers the options available for picking your own POV not using the example sample data from the 10-min kit

**Easiest** - For complete cookie-cutter simplicity we recommend the following for a POV:

• For those that don’t want to run CESA in a production Splunk environment.  Install a separate Splunk system by downloading Splunk Enterprise from splunk.com
• Run a representative mix (e.g. Windows, Mac, Linux) of 50 AnyConnect clients or fewer so you don’t exceed the free license capacity of Free Splunk and don’t have to worry about server sizing. 
  • Easiest way to have a small subset of AnyConnect users generate NVM for the POV (vs. changing AnyConnect config for all the users at a customer site) is to:  setup a group in ASDM, have customer push config changes from their endpoint management system, or identify a group in ISE
• Run all CESA components, including Splunk, on a 64bit-Linux system
  This enables you to use the easy install scripts for the NVM Collector that is included in the AnyConnect NVM App for CESA.  Not to mention it only requires one server instance to run the POV.
• If you are already running Splunk on Windows, you can just install the NVM Collector component on a 64-bit Linux system (or Docker container).

• If your customer really wants more than 50 clients for the POV, you can request a 90-day CESA demo license at ask-cesa-pm@cisco.com. But if you get beyond 1000, you’ll need to start sizing server resources (see server sizing information below).

If above POV setup does not work for the customer, here are some other options ordered by ease of deployment.

Run POV in production Splunk environment running on Linux:  

• Install the NVM Collector (packaged in the TA Add-on for CESA) on existing Splunk forwarder or separate linux/docker
• Install the AnyConnect NVM App for CESA and Add-On into the Splunk console
• Run 50 AnyConnect clients or less per above so that you don’t run out of Splunk license capacity on the production system.

Run POV in production Splunk environment running on non-Linux OS:  

• You will still need Linux/Docker for the NVM Collector
• Install the AnyConnect App for NVM/CESA and Add-On into the Splunk console
• Run 50 AnyConnect clients or less per above so that you don’t run out of Splunk license capacity on the production system.

7. Real Client POV Server Sizing

Use this information when sizing out a Real Client POV (not the 10-min with sample data)

Option 1:  CESA as part of existing Splunk production environment

If you have an existing setup with plenty of resources then you may run all the components for a limited POV and only see your resource utilization increase by 5-10% for 50-500 endpoints (small POV).  You will still need to account for the increase in disk space (10mb per endpoint per day).

Example, you can run a POV on a single server/VM if the Splunk instance is running on Linux...budget 10MB per endpoint/day for storage X # of days you want to store the data + XXGB for Splunk.  Example 50 clients for 90 days would use 45 gig of data.  You can follow the server sizing above. 

If POV will not be done on a Docker or other server environment where server resourcing is generally self-managing, below are guidelines for server sizing.

Option 2:  Standalone CESA POV (not part of production Splunk environment), running Splunk and all CESA components on a single Linux server running 64-bit Linux (CentOS 8). This allows a customer to setup an environment completely isolated, easy to install, and with all the components needed

Collector multi-process mode (recommended and on by default, see collector info) - only disable if issues

Small 1-1000

• CPU cores: 12 cores / 2.2 GHz    (x86 64-bit) 
• RAM size:  16 GB
• Disk sub-system: 
• Disk type: HDD 10k RPM (Serial SCSI) 
• Combined IOPS: 800 average IOPS
• Total Disk Capacity: 600 GB (500 clients ~ 90 days = 450gig of data)

Medium 1000-5000

• CPU cores: 16 cores / 2.4 GHz    (x86 64-bit) 
• RAM size:  32 GB
• Disk sub-system: 
• Disk type: HDD 10k RPM (Serial SCSI) 
• Combined IOPS: 1000 average IOPS
• Total Disk Capacity: 600 GB (5000 clients ~ 30 days = 2.5 terabytes for data)

Large 5000-10,000 endpoints 

• CPU cores: 24 cores / 2.6 GHz    (x86 64-bit) 
• RAM size:  48 GB
• Disk sub-system: 
• Disk type: combination of SSD drives and HDD drives ( 15k RPM for HDD)
• Combined IOPS: 1200 average IOPS
• Total Disk Capacity: 1 TB

If you run NVM Collector on a separate Linux box:

For general scaling, support up to 35-40k endpoints per box - after that separate into collector/forwarder distributed deployment (per splunk).

• Cut CPU/Memory sizing in half from above specs
• Disk IO (not applicable - since all it does is logging for the collector and Linux OS)
• 50GB of disk space to run the OS and collector components

• 20k endpoints guidance example

  • CPU cores: 24 cores / 2.6 GHz    (x86 64-bit) 
  • RAM size:  48 GB
  • 64-bit Linux

8. What is needed for the real-client POV

Please follow the attached document (CESA-Splunk-Centos-install.docx) on installing Splunk and the necessary apps for CESA for Splunk.

Also for a complete solution setup (not including the CentOS box) use the Cisco Endpoint Security Analytics (CESA) Built on Splunk Quickstart POV Kit & Deployment Guide

Associated dCloud Lab & demo (hands on)

We have incorporated a lab guide - also copied to bottom of page - for you to use to get some hands-on with some of the use cases. This is open to cisco employees and partners utilizing the following dCloud demos

CESA on Splunk Instant demo using cs.co/cesa-guide with the  cs.co/cesa-instant-demo

• quick instant always on system loaded with the POV kit data all ready to go. Note: no real clients can be used with this offering

Please use the associated lab guide or cs.co/cesa-guide with your own laptop or anyone of the demos listed below.

Cyber Defense Clinic (Cyber Threat Response Clinic)

ISE Enterprise & Security Demo - includes real VPN VM or BYO VPN/Wireless AP

Find on cs.co/selling-ise-demos

• Use real wireless clients or remote VPN clients to generate real traffic to send via NVM
• Virtual VPN client to test scenarios
• Splunk with CESA already installed
• import POV kit data and play with the UIs.

• Scenario 1. NVM Analytics Dashboard Overview
• Scenario 2. Possible Data Exfiltration
• Scenario 3. Untrusted Source Network Domains
• Scenario 4. Anyconnect NVM Configuration

Support

• For first time engagement and for POV/Trial please reach out to your account team before installation to make sure you understand and are engaged. 
• For first-line technical support on the CESA solution (Anyconnect, NVM module, NVM collector and CESA dashboard), please reach out to Cisco TAC and/or Cisco Account team. If the account team is new to the product, they are able to reach out to the TAC to help with deployment and escalation to cesa-pov@cisco.com where needed
• If there are specific questions about CESA specifically (for account teams) please email - cesa-pov@cisco.com.
• For specific questions around the collector, design enhancements and technical details please reach out to  nvzFlow@cisco.com.

Additional information from our experts

Cisco Endpoint Security Analytics (CESA) dashboard overview and faq

Pinpoint Your SolarWinds Exposure with Cisco Endpoint Security Analytics

Some great posts by @vparla 

Linked In - Monitor Split Tunneling With CESA & AnyConnect NVM

Cisco Blog - Using CESA to Solve Endpoint Blindness for a World Class InfoSec Team

Cisco Community - Using CESA to Solve Endpoint Blindness for a World Class InfoSec Team

Cisco, others, shine a light on VPN split-tunneling

IPFIX (nvzFlow) protocol - intended integration point for 3^rd party SIEMs.