Endpoints, that is. After all, defense breaches, malware introduction, and security risks often arise from exploitation of endpoints such as user devices and smart things (IoT) connected to the network. And as organizations are going digital, their users are bringing in ever more devices, and their operations are adding IoT devices in record numbers, threats are likely only to increase.

Network administrators should take note. Some of these endpoints may have been added in an ad-hoc manner outside IT’s controlled environment with minimal security provisions, or added years ago from vendors who do not scrupulously keep their software updated. And there is growing evidence that bad actors are taking advantage of these weaknesses. Cyberattacks on IoT devices surged by over 300% in 2019[1], and over 75% of vulnerabilities discovered in 2019 were from IoT devices[2]. It is clear therefore, that administrators need to increase visibility into, and better monitor all devices that are connecting to their networks.

You can’t secure what you can’t see

The first step in securing yourself is knowing what devices are on your network. A recent enhancement in Cisco DNA Center, called AI endpoint analytics, provides a way to identify and profile IoT devices, and by uncovering spoofed devices, detect and contain potential threats.


Figure 1. AI endpoint analytics aggregates network data to identify unknown endpoints.

To achieve its objectives, AI endpoint analytics aggregates data from a variety of sources in the network, collates and analyzes it to build a detailed endpoint profile, and clusters like endpoints into groups by applying artificial intelligence and machine learning (AI/ML) techniques.

Data collection and analysis provides insights

Figure 2. Cisco Catalyst 9000 access switches analyze endpoint traffic and send data to Cisco DNA Center.

Effective analysis needs rich data. To get the widest range of data, AI endpoint analytics obtains it from many different angles. One of the key sources of insights comes by analyzing data gathered via deep-packet inspection (DPI) of endpoint communications by applying techniques such as Network Based Application Recognition (NBAR) and Software-Defined Application Visibility and Control (SD-AVC), available in Cisco Catalyst 9000 series access switches. These techniques can identify more than 1400 protocols used across different environments such as healthcare, enterprise IoT, building automation, etc., and provide clues to the nature of the endpoint. Other data points for AI endpoint analytics include telemetry from network devices, asset information from configuration management databases (CMDB), and any input from administrators themselves. With all these put together, endpoints’ profiles begin to emerge.

Custom appliance when you need it

Figure 3. Cisco DNA Traffic Telemetry Appliance analyzes endpoint data when access switches can not.

If you run a network that has few Cisco Catalyst 9000 series access switches and are not able to take advantage of running NBAR and SD-AVC analytics on them, you can still benefit from these technologies by using an appliance customized for the purpose. The Cisco DNA Traffic Telemetry Appliance, different from the Cisco DNA Center appliance, runs NBAR and SD-AVC on traffic that it collects from spanned ports from distribution layer switches and provides the required analytics.

Behavioral analysis detects spoofs

AI endpoint analytics analyzes each endpoint’s behavior and assigns a score based on its trustworthiness.

A common security exploitation involves changing or spoofing the MAC address of an endpoint to make it impersonate another device. For example, a rogue device may be spoofed to appear as a harmless printer. By comparing AI generated behavioral models to that of actual endpoint behavior, AI Endpoint Analytics can easily flag the inconsistency of what it expects to see and what it observes.

Group-based policies make segmentation easier

Security constructs like network segmentation can be vastly simplified if we can group similar endpoints together. Network segmentation typically works by appropriately tagging all endpoints’ traffic so that the proper access policy can be applied. Assigning the same tags to similar endpoints reduces the sheer number of tags and consequently, the number of rules you need to define. AI endpoint analytics groups like endpoints together that can form the basis of group-based access policies.

Watch a video how AI endpoint analytics helps definition and enforcements of advanced security policies and network segmentation:


AI endpoint analytics is the essential first step in securing your network and organization. The crucial and comprehensive visibility it provides paves the way to apply advanced policies to segment the network based on groups and roles.

AI endpoint analytics is available on Cisco DNA Center release and higher with the Cisco DNA Advantage software subscription license. Cisco DNA software licenses allow you to adopt new features and functionality on Cisco DNA Center as quickly as they are released without a lengthy and cumbersome process, unlocking your network’s full potential.

Get more information on AI endpoint analytics and the security solutions it enables in these resources.


[1] Melissa Michael, Attack Landscape H1 2019: IoT, SMB traffic abounds, Blog at F-Secure.com, December 2019

[2] Martin Zeisser, Talos Vulnerability Discovery Year in Review — 2019, December 2019