Introducing continuous remote employee visibility and expanded information collection with Protected Network Analytics Release 7.3.2

We are extremely excited to announce new Secure System Analytics functions! With release 7.3.2, we’ve furthered our initiatives to increase the zero-trust workplace to anywhere on any device through significant enhancements to Secure Network Analytics’ capability to provide complete and continuous remote control worker visibility and also have also expanded data selection from integrated Cisco Secure answers to provide extended visibility beyond the parameters of the original network, and more!

Preamble: The fantastic system visibility blackout of 2020


It’s no key that last year’s abrupt exodus from corporate offices presented institutions with novel challenges linked to monitoring and securing their newly remote workforce. To briefly level-set, let’s have a quick step back in its history – in the past to 2019 prior to the “home based (WFH) era” had started to illustrate the gravity of the paradigm shift that happened in the last two years and its own security implications. Companies had always historically skilled visibility gaps into employee routines whenever their users had been off-VPN while functioning remotely. However, then back, although these occasional gaps in visibility did bring about minor and temporary improved organizational risks naturally, the overall level of non-VPN-connected remote function that occurred was therefore low and infrequent that it had been regarded as negligible and ignored.

Then, fast-ahead to March 2020, where practically every organization has been hit with a whole and prolonged employee activity visibility blackout. This “visibility blackout” resulted in an explosion in dependence on remote access from anywhere and on anything, exponentially expanding threat surfaces and increasing opportunities for attackers successfully. In summary, visibility evaporated, and meanwhile, organizational risk levels spiked parabolically.

SecOps teams were left within the discovered and dark themselves asking questions like, have some of our users visited malicious URLs? Has anyone “long gone rogue”? Are usually employees exfiltrating sensitive proprietary data? Possess users’ devices already been unintentionally compromised and so are now demonstrating order and manage (C&C) exercise? Are we dealing with compliance-associated and broader organizational risks because of employees operating outdated and vulnerable os’s that need patching?

Complete. Blackout.

Complete and continuous remote worker visibility


Cisco Secure System Analytics begun to address this whole “WFH visibility blackout conundrum” with Release 7.3.1 by introducing endpoint Network Visibility Module (NVM) data as a major telemetry source to supply businesses with continuity in remote worker monitoring and visibility without requiring NetFlow telemetry to be there. This simplified deployments and enabled customers to obtain additional visibility greatly. Starting today, with Discharge 7.3.2, we’re further extending this ability with the Data Shop now supporting all NVM telemetry record selection to provide 100%-complete and continuous remote worker visibility. Therefore now, every time a user functions either on-system or remotely – end up being it in the home or a nearby coffee shop – and therefore off-network, without tunneling by way of a VPN, are usually optimizing their remote function encounter with split tunneling, almost all their action will locally be saved. When workers turn their AnyConnect VPNs back again on eventually, the System Visibility Module will telephone home and deliver logs of most their user actions back again to Secure Network Analytics.

Lights on back! 


Thus giving security practitioners the continuity in visibility they need by permitting them to monitor remote worker telemetry through the collection and storage NVM endpoint records with no need for NetFlow to get user and gadget context. Safety teams can gain visibility into activities they had been previously blind to today, such as:

Additionally, with Release 7.3.2, customers which are making use of NVM data plus a Data Shop deployment may also be gaining the next benefits:

    • NVM telemetry records could be collected, kept, and queried in the info Store


    • New NVM reports that are offered in the Record Builder software


    • The opportunity to define customized safety events predicated on NVM data-particular criteria


    • All Endpoint Concentrator functions are completely maintained by the Flow Collector

at this point


Figure 1. A Secure System Analytics deployment allowed with both AnyConnect Protected Mobility Client and the info Shop. User endpoints generate NVM data with rich and granular device context – such as for example IP addresses, user and host names, machine models and types, which os’s and versions are working, the procedures that launched system connectivity, MAC addresses, hash information, and much more – that’s all stored and gathered in the info Store.


Extended data collection to supply further prolonged visibility and enhanced context 


Additionally, simply by leveraging other Cisco Secure offerings, Secure Network Analytics right now offers expanded visibility and enhanced context beyond the parameters of both traditional on-premises network, in addition to public and private cloud network environments. Along with NVM data, further extended visibility and extra context can be achieved by gathering Cisco Firewall logs from Cisco’s Protection Analytics and Logging providing to increase visibility to the system perimeter, and also through the Cisco Telemetry Agent , which is with the capacity of brokering, filtering, and transforming multiple data formats into IPFIX records along with other Secure System Analytics-compatible data formats.

Introducing Safety Logging and Analytics On-premises 

Protection Analytics and Logging (SAL) is currently supported being an on-premises, enterprise-class storage remedy for large-scale firewall deployments. SAL provides main log administration to streamline IT functions.

The SAL On-premises solution can be an improved architecture appropriate for most of Cisco’s ASA and FTD firewall devices, and with the capacity of storing all firewall connection and security events on-premises with the info Store to provide drastically improved log ingest capacity and extended log retention periods. SAL On-premises furthermore supports a fully certified remote query API that allows the Cisco Safe Firewall Administration Console (FMC) to populate its occasion viewers and dashboards and assistance its reporting and analysis abilities. As a total result, SAL On-premises provides significantly enhanced firewall log administration scalability by providing the following benefits:

    • Cross launch capacity from the FMC with context in to the Safety and Logging Analytics Dashboard


    • Data open to the FMC to aid remote queries


    • Improved log ingest capacity by way of a 5x magnitude of 100K activities per second (EPS)


    • Significantly longer-term log storage space periods increased by way of a 50x magnitude of 1 month at 100K EPS



Also to summarize the implications of the aforementioned two bullets, with the retention period of 1 month at 100K EPS, SAL On-premises supplies a literal 300x – or perhaps a whopping 30 effectively,000% – upsurge in firewall log storage space capacity!

Lastly, since this brand new capability was built upon the Secure Network Analytics platform natively, it could seamlessly correlate both firewall and network logs and provide expanded visibility and enhanced context that extends from internal on-premises traffic to the network perimeter.


Figure 2. A graphical depiction of the Protection Logging and Analytics On-premises Architecture.



The Cisco Telemetry Agent 

The Cisco Telemetry Agent (CTB) further expands Secure System Analytics’ data collection features by ingesting system telemetry from different sources, transforming the info format into IPFIX records, and forwarding that telemetry to Secure System Analytics then. For instance, CTB can ingest on-premises system telemetry, which includes NetFlow, Syslog, IPFIX, and cloud-centered telemetry sources, such as for example AWS VPC Flow Logs, and transform them into IPFIX records or other Secure System Analytics-compatible telemetry sources.

Figure 3. The Cisco Telemetry Agent can convert VPC Flow Logs from AWS S3 buckets into IPFIX records and forwards them to Secure System Analytics.

As illustrated within Figure 3, the Cisco Telemetry Agent can enable users to get complete visibility across their hybrid-cloud environments and monitor them with Secure Network Analytics.



Today’s network environments are complex and vast – spanning from traditional on-premises offices to hybrid-cloud environments, in addition to to remote workers’ house networks. Likewise, today’s companies need system detection and response options (NDR) to achieve comprehensive and continuous visibility and threat detections across their expanse system environments. Unfortunately, however, not absolutely all NDR tools are manufactured equal. Selecting the most appropriate one is crucial to making sure that your company stays a step ahead in the arms competition that’s network security.

Only Protected Network Analytics rises to the challenge by offering probably the most comprehensive and context-rich visibility – that spans throughout all of your network environments and extends even more out, throughout your broader environment -paired using its world-class and time-tested analytics to provide the broadest & most high-fidelity behavioral-based detection capabilities.

Don’t accept anything less. Find out more about Secure System Analytics or try the answer out on your own today with a free visibility assessment .

To learn more concerning this release, browse the Release 7.3.2 Release Notes .



%d bloggers like this: