Security teams often find themselves looking at a wall of logs, runtime events, firewall alerts, and workload signals, knowing the answer is probably in there somewhere but not having the time to examine the details.
Applications now span Kubernetes clusters, cloud workloads, data centers, and branches, while teams try to connect signals from workloads, users, agents, logs, and firewalls. Each signal can tell part of the story, but with vulnerabilities being exploited faster than ever, it's easy to lose time chasing noise instead of finding threats.
That is why Cisco is bringing richer product telemetry into Splunk, along with the detections and correlation needed to make that telemetry useful. As organizations build toward a hybrid mesh firewall architecture, Cisco provides deeper visibility from runtime workloads and advanced firewall logging, while Splunk helps turn that visibility into detection, investigation, and action.
Move from isolated alerts to a clear picture of workload risk
Because modern applications are dynamic across containers, Kubernetes workloads, and services, it's not enough to get an alert that something happened. Teams need to know which workload did it, what process caused it, and whether that behavior was expected.
Cisco Isovalent Enterprise Platform provides runtime visibility across Kubernetes and Linux workloads, including process execution, network connections, file access, and workload identity. Splunk brings that telemetry into the SOC with purpose-built detections and correlation, helping analysts understand suspicious behavior in context. Now, teams can move from manually interpreting raw runtime events to acting on correlated, high-confidence detections inside the Splunk workflows they already use.
Get detections with detailed logs as a native firewall capability
Firewall logs are a high-volume telemetry source, and security teams rarely have time to move beyond alerts and examine them for small changes, unexpected patterns, or subtle indicators of attacker behavior. Now, in its latest software release, Cisco Firewall introduces a native advanced logging capability, giving customers detailed, structured logs with richer protocol-level detail.
Splunk turns that detail into usable detections and correlation, helping teams surface meaningful patterns in DNS, HTTP, FTP, connection behavior, anomalies, and inspection events without manual sorting. With custom detections and correlation, Splunk can help analysts identify patterns that basic logs may miss, such as command-and-control behavior, DNS tunneling, suspicious downloads, beaconing, or unusual protocol activity.
Detect threats faster, before the incident escalates
Many attacks are not obvious at the point of entry, so when prevention misses something, detection speed matters. This is where the combination of Cisco telemetry and Splunk analytics becomes especially valuable.
For example, in an environment where Kubernetes egress traffic is inspected by Cisco Secure Firewall, a compromised web-service pod suddenly spawns a shell and starts reaching out over DNS. Splunk detections using Isovalent telemetry can show the pod, process, timing, and destination, while Cisco Secure Firewall advanced logging adds context such as unusual query patterns or abnormal response sizes. Together, these signals help analysts connect workload behavior to network behavior, investigate with confidence, and respond faster.
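The scenario above, reduced to its correlation logic as an added example (not Cisco's or Splunk's code): a shell spawn from workload telemetry is joined, by pod IP and time window, to firewall DNS records that look anomalous. All field names, thresholds, and the sample events are constructed assumptions, not real product schemas.

```python
# Added illustration: correlate a runtime "shell spawned in pod" event with
# anomalous DNS records seen by the firewall from the same pod IP shortly after.
from collections import Counter

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
WINDOW = 300        # seconds after the shell spawn in which DNS activity is examined
LABEL_LEN = 20      # a leftmost label longer than this looks like encoded data
RESP_BYTES = 512    # DNS answers larger than this are unusual for a web pod
MIN_HITS = 2        # require more than one anomalous query before alerting

# Constructed runtime events (Isovalent-style; fields are assumptions).
RUNTIME = [
    {"ts": 100, "pod": "web-7f9c", "pod_ip": "10.1.2.3", "binary": "/usr/bin/python3", "parent": "gunicorn"},
    {"ts": 130, "pod": "web-7f9c", "pod_ip": "10.1.2.3", "binary": "/bin/sh", "parent": "gunicorn"},
    {"ts": 140, "pod": "api-2b1a", "pod_ip": "10.1.2.4", "binary": "/bin/sh", "parent": "entrypoint.sh"},
]
# Constructed firewall DNS records: the firewall sees a source IP, not a pod name.
DNS = [
    {"ts": 135, "src_ip": "10.1.2.3", "qname": "dGhpcyBpcyBhIHRlc3QgbWVzc2FnZQ.c2.example.invalid", "resp_bytes": 900},
    {"ts": 150, "src_ip": "10.1.2.3", "qname": "aGVsbG8gd29ybGQgZm9vIGJhcg.c2.example.invalid", "resp_bytes": 880},
    {"ts": 160, "src_ip": "10.1.2.4", "qname": "registry.example.invalid", "resp_bytes": 120},
    {"ts": 900, "src_ip": "10.1.2.3", "qname": "api.example.invalid", "resp_bytes": 96},
]

def dns_reasons(rec):
    """Return why a DNS record looks anomalous (empty list if it looks normal)."""
    reasons = []
    if len(rec["qname"].split(".")[0]) > LABEL_LEN:
        reasons.append("long-label")
    if rec["resp_bytes"] > RESP_BYTES:
        reasons.append("large-response")
    return reasons

def correlate(runtime, dns):
    """Pair each shell spawn with anomalous DNS from the same pod IP inside WINDOW."""
    detections = []
    for ev in runtime:
        if ev["binary"] not in SHELLS:
            continue
        reasons, hits = Counter(), 0
        for rec in dns:
            in_window = ev["ts"] <= rec["ts"] <= ev["ts"] + WINDOW
            if rec["src_ip"] == ev["pod_ip"] and in_window:
                found = dns_reasons(rec)
                if found:
                    hits += 1
                    reasons.update(found)
        if hits >= MIN_HITS:   # only alert when the workload and network signals agree
            detections.append({"pod": ev["pod"], "process": ev["binary"], "parent": ev["parent"],
                               "ts": ev["ts"], "dns_hits": hits, "reasons": dict(reasons)})
    return detections

if __name__ == "__main__":
    for d in correlate(RUNTIME, DNS):
        print(d)
```

The api-2b1a pod also spawned a shell but produced only ordinary DNS, so it is not flagged; the detection fires only where runtime and firewall signals agree.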
Over time, this gives customers an improved ability to:
- Detect: Less manual event stitching for faster threat detection
- Investigate: Get better context to increase confidence to act
- Act: Respond faster across hybrid environments
Cisco and Splunk are making that possible by bringing deeper product telemetry and purpose-built detection together in a single security workflow. To multiply this advantage, check out advanced threat detection, investigation, and response with Cisco Firewall Promotional Splunk Capability (FTD).
We'd love to hear what you think! Ask a question and stay connected with Cisco Security on social media.