There are many aspects to securing an endpoint beyond finding the malware on it.  What do you know about the behavior of your endpoints? Can you track anomalous traffic? Can you tell what the applications and other software processes are up to?  What is happening when the device is off the corporate network? Has a user or device evaded endpoint security measures? With insight to such issues, you can generate visibility that not only follows endpoints on and off network, but also finds threats often not addressed by anti-malware solutions.


With this in mind, Cisco has created a solution unlike anything available in the industry today — Cisco Endpoint Security Analytics (CESA) Built on Splunk. This new solution brings together the unparalleled endpoint behavioral visibility of Cisco’s AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform. The result is an added layer of deep endpoint visibility that transforms endpoint-centric data into insights to proactively detect and mitigate network threats.

If you already use AnyConnect NVM, you know it creates a lot of detailed, endpoint-specific data. But by building and productizing CESA on top of Splunk, we’ve paired that data with an equally comprehensive and cost-effective analytics tool. CESA addresses endpoint security use cases such as:

  • Unapproved applications and SaaS visibility
  • Endpoint security evasion
  • Attribution of user to device to application to traffic and destination
  • Zero-trust monitoring
  • Data loss detection
  • Day-zero malware and threat hunting
  • Asset inventory

The behavioral data produced by NVM complements anti-malware agents like Cisco Advanced Malware Protection (AMP) for Endpoints that primarily focus on file analysis to detect malware on endpoints, which identifies known issues. But because CESA analyzes user and device behavior and identifies changes and anomalies, it enables threat hunters and analysts to discover malicious or suspicious endpoint activity, often without an additional endpoint agent. Where antivirus and other endpoint solutions would miss these threats, CESA provides early detection that increases security posture. CESA endpoint analytics also complements the broad network visbility provided by Cisco Stealthwatch by following endpoints on and off network, as well as enabling deep endpoint insight into down to the user account, device details and network interface levels of the endpoint.  Together CESA and Stealthwatch cover every aspect of network and endpoint behavior leaving no blind spot unchecked.  

How we address endpoint blindness

Even as security products continue to integrate, endpoint blindness is a persistent problem. Information security (infosec) teams need to know more about what is happening on the endpoints to anticipate where attacks are more likely to occur.

By leveraging the NVM telemetry that endpoints provide, we gain a better understanding of users’ network behaviors and where threats are going to happen. These insights can raise potential red flags like:

  • Are my endpoints suddenly communicating with domains we’ve not seen in our environment before?
  • Has a user changed behavior suddenly, using applications and visiting hosts they don’t usually access?
  • Does an endpoint have unusual traffic patterns? Is it uploading or downloading more than usual? Is someone hoarding or exfiltrating data?
  • Are any machines using unapproved applications or SaaS services?
  • Has security been disabled on an endpoint?
  • Which endpoints have known bad files or applications?
  • What are my users doing when they are not connected to my network?
  • Which devices and operating systems are in use in my endpoint environment?
  • Who is using each device and what are they doing with it?

It’s important to note that CESA is integrated into the Cisco Security infrastructure. CESA works together with network visibility from Cisco Stealthwatch and endpoint control from Cisco AMP for Endpoints. Additionally, Cisco Identity Services Engine (ISE) is used to quarantine users when identified as suspicious. These integrations serve to further increase the security posture of the network.

Cisco’s CSIRT team uses CESA

Many of our case studies come from our partners and customers, but this time our Cisco infosec team put together a case study as they leveraged CESA within the Cisco organization. They used the solution to collect and analyze the data generated by NVM across approximately 96,000 endpoints, and extract context such as user, device, application, location, and destination. The analysis of this data, from when the user is both on- and off-prem, helped Cisco infosec reduce incident investigation time from days to hours, while filling gaps in endpoint visibility.

“Splunk makes accessing the data from NVM, writing queries, and analyzing the data very easy,” said Cisco CSIRT’s Imran Islam.

Before CESA, the infosec team would struggle to determine which user is associated with what machine. And drilling down further was difficult if not impossible – from identifying machine to traffic; from traffic to the application or software process producing it; and then the traffic’s destination, whether inbound or outbound. It was reported by the Cisco infosec team that 80% of CESA use cases could not have been addressed by other technology.

Partnering to create a more secure network

At Cisco, we’re leading the industry in multi-vendor partnering solutions because we understand that collaboration is key to our customers having effective and efficient security across their networks — from endpoint to data center and cloud to campus. In fact, the Internet Engineering Task Force (IETF) recently standardized the XMPP-Grid security data exchange framework – based on Cisco Platform Exchange Grid (pxGrid) – which enables seamless collaboration and the sharing of information between security platforms from multiple vendors.

While no one product can achieve absolute security, no security solution exists in complete isolation. As security products become more interconnected, share context for threats, and participate in incident response, the risk of data breaches and security incidents is increasingly mitigated. This is why we believe in working so closely with our partners like Splunk through the Cisco Security Technical Alliance to integrate solutions that protect against emerging threats and improve customer security.

Splunk’s analytics-driven security solutions continue to serve as a perfect complement to Cisco Security. And we’re excited to see CESA deliver endpoint visibility and advanced threat detection for our customers. Cisco AnyConnect (Cisco’s VPN Client) is already deployed by over 150 million endpoints, and many customers are already running the Splunk console, which makes CESA a simple addition that will bring immense value for infosec’s ability to anticipate and stop endpoint threats before they manifest on the network.

If you don’t yet have these products, learn more about CESA and how you can add Cisco AnyConnect NVM and Splunk here. Stay tuned in the coming weeks for added CESA integration with Cisco Umbrella to enable enforcement at the domain level.

You can learn more about how Cisco infosec utilized CESA in this case study. 

Want to get started with CESA today? If you already have Splunk and AnyConnect, download and install the Cisco AnyConnect NVM App for Splunk from Splunkbase to create dashboards. Then, download and install the Cisco NVM Technology Add-On for Splunk from Splunkbase to bring NVM data into Splunk. Finally, turn on NVM telemetry in your AnyConnect environment as outlined in these tech docs.

Finally, be sure to follow me on Twitter and LinkedIn for the latest announcements from Cisco Security.


Jeff Reed

SVP/GM of Cloud and Network Security

Security Business Group