Connect the dots of endpoint visibility and use it as a threat and compliance early warning system

Splunk’s annual user conference, .conf18, kicks-off next week in Orlando.  Cisco will be there in a big way given the depth and breadth of our Splunk security integrations.  But I wanted to shine a light on an integration that is among the most powerful of all our Splunk integrations – Cisco AnyConnect Network Visibility Module and its associated Splunk app.

Cisco AnyConnect is best known as Cisco’s VPN client deployed to more than 130 million endpoints.  But perhaps the most interesting part of AnyConnect is its Network Visibility Module (NVM).  NVM leverages an existing AnyConnect client footprint to generate insightful endpoint security telemetry.  Because AnyConnect operates as a network connection, it sees some unique telemetry, such as unique device ID, device name, process/container names, parent processes, privilege changes, source/destination domain and DNS info, network interfaces and more. This enables NVM to produce telemetry that enables detection of data leakage, unapproved applications or SaaS services, security evasion, early malware activity.   When you bring that data into Splunk for analysis, you gain serious insight on what your endpoints are doing.  And sometimes it can be a little scary.


See the power of NVM live at Splunk’s famed “Boss of the SOC” capture the flag event at .conf18 and in “Splunking the Endpoint IV: A New Hope”, hands-on session led by Splunk security guru James Brodsky.


Here are 10 key security questions that NVM telemetry analyzed by Splunk answers:

What endpoints have known bad files, applications, or talking to bad domains?

Has user privilege escalated on any devices?

What apps/processes are running at root (but shouldn’t be)?

What SaaS services are in use?

Are endpoint processes uploading/downloading files that match against known hashes?

Why someone is connecting so many times to a destination?

Are unusual processes running on unusual ports? (eg SMTP on wrong port)

What devices and OSs are on my network?

Where is my endpoint traffic going?  Is anything evading the corporate network?

Where are the leak-paths in my network?

Is someone hoarding data to steal or share?

Who is connecting to untrusted networks?

What is making connections to LDAP?

Did any users’ behaviors change?

Can I prove that personal data was deleted after processing was done?


OK – that was more than 10.  See what I mean?  NVM is powerful.


How NVM Works 

NVM isn’t about file analysis like an endpoint protection platform (e.g. anti-malware client).  Instead it is about traffic analysis.  The two are quite complementary in fact.  If you’re familiar with what Cisco Stealthwatch does for analyzing network traffic patterns, that is essentially what NVM does for endpoints.  In fact, like Stealthwatch, NVM is based on IPFIX data (i.e. standardized Netflow).  NVM generates IPFIX data based on traffic flows and endpoint configuration data.  That data is aggregated in Splunk for analysis.

Want to Try It?

Want to get deeper on NVM?  Check out a 5-minute NVM video demo.  Want to try it out in your Splunk environment?  Check out the NVM Deployment Guide for Splunk and download the NVM app for Splunk from Splunkbase.  While NVM requires an Apex AnyConnect license, you can test it out on a limited number of clients with any AnyConnect license.

See you at .conf!  And while you’re there, check out our other Cisco + Splunk security sessions:


Scott Pope

Director, Product Management & Business Development

Security Technical Alliances Ecosystem