Improving Operational Efficiencies and Providing Tighter Integrations with Cisco Security Products


The recent CrowdStrike outage illustrated the importance of resilience across our organizations.  While that case was specifically related to operating system and application resilience, network resilience is just as critical to today’s business systems.  The 2023 Cisco Security Outcomes Report found that 61% of respondents had experienced a breach that impacted the resilience of the business.  Cisco Secure Network Analytics (SNA) helps bolster the network’s resilience by providing early detection and response to issues that could impact connectivity.

Secure Network Analytics announced GA of its version 7.5.1 on August 19th, 2024.  This release is packed full of both innovations and improvements to the platform that address many challenges our customers have been asking us to solve.  While this release may not have a single, big flashy feature, what customers will immediately notice is the overhaul of the UI with our Magnetic framework, which helps drive consistency across Cisco products and gives analysts a more consistent look and feel.  There are many other important features packed into this release, providing customers with greater operational efficiencies and tighter integration with several products in the Cisco security portfolio.  All current customers are eligible to upgrade and should read the release notes (found here) to better understand the upgrade process and any caveats you should consider.

SNA is Cisco’s on-premises NDR solution.  SNA provides enterprise-wide network visibility to detect and respond to threats in real time. The solution continuously analyzes network activities to create a baseline of normal network behavior. It then uses this baseline, along with non-signature-based advanced analytics that include behavioral modeling and machine learning algorithms, as well as global threat intelligence, to identify anomalies and to detect and respond to threats in real time. Secure Network Analytics can quickly and with high confidence detect threats such as Command-and-Control (C&C) attacks, ransomware, Distributed-Denial-of-Service (DDoS) attacks, unknown malware, and insider threats (data exfiltration).  With an agentless solution, you get comprehensive threat monitoring across all network traffic, even if it is encrypted.

7.5.1 continues the path of SNA from being a standalone NDR solution to a solution that truly powers the SOC by giving analysts the detection, investigation, and response actions needed to be successful.

More Detailed, Customizable, and Schedulable Reporting Dashboards

A key element of powering the SOC is giving analysts the details they need, how they need it, and when they need it.  One of the key features of 7.5.1 is the addition of the Network Insights Dashboard in Report Builder.

The Network Insights dashboard is a customizable dashboard template that contains several reports by default, including the Firewall Log Collection Trend Report, Flow Collection Trend by Flow Collector Report, Flow Collection Trend by Exporter Report, Host Group Application Traffic Report, Host Group Flow Traffic Report, Network and Server Performance Report, and NVM Collection Trend Report.

Figure 1 – A Sample Network Insights Report

Other custom dashboards can be created to combine multiple data sets into one page and to customize the widgets on a page based on your needs.  This allows analysts to visualize multiple data types on a single page to easily correlate and to view the complete workflow: from a bird’s eye view down to single flows, pivoting to a deep dive based on current context, and filtering and sorting on any data type (e.g. filter by host group, flow collector, or application).

Additionally, SNA 7.5.1 gives analysts the ability to schedule customized reports and send them as needed.  You can set up report scheduling for Report Builder reports in v7.5.1. If your report supports scheduling, you can designate a custom schedule and email delivery list to ensure the .csv file gets delivered to the desired recipients at the preferred time. Some of the reports that support scheduling include Alarms, DSCP Status, Security Events, and many more.

Figure 2 – Customizable Reports and Dashboards are a Key Feature in 7.5.1

Expanded Firewall Log Ingest

SNA continues to expand the breadth of Cisco Firewall log fields it can ingest, and this release adds the Encrypted Visibility Engine (EVE) fields.  Users are not penalized for this integration either: Firewall logs do not count against flows per second.

No Separate Endpoint License Needed for Network Visibility Module (NVM) ingestion

The Network Visibility Module (NVM) collects rich flow context from an endpoint on or off premises and provides visibility into network-connected devices and user behaviors when coupled with a Cisco solution such as SNA, or a third-party solution such as Splunk. The enterprise administrator can then do capacity and service planning, auditing, compliance, and security analytics.  The NVM collects the endpoint telemetry for better visibility into the device, the user, the application, the location, and the destination.

Figure 3 – Network Visibility Module Imports Directly into SNA

You no longer need to purchase an Endpoint license for NVM. NVM traffic is now included along with NetFlow when calculating Flow Rate (FPS) licensing requirements.

ISE Response Actions

SNA has a long history of integration with Cisco ISE and this release adds to that integration with the addition of Adaptive Network Control (ANC) response policies directly in SNA.  ANC is a service that runs on the Cisco ISE Policy Administration Node (PAN) that you can use to monitor and control network access for endpoints. ANC supports wired and wireless deployments.

Figure 4 – 7.5.1 Provides Tighter SNA and ISE Integration

Better Administrative and User Experience

With every release we try to ensure that we are always improving the user experience and addressing the requirements of our customers.  Some of the administrative improvements in this release include the ability to deliver Software Downloads for updates, the direct upload of Diag Packs or files to TAC from the Appliance Console (SystemConfig), and Multi-Factor Authentication to meet US Federal requirements.

Please see the release notes for 7.5.1 for a detailed list of features and changes to this release.
