1. Cisco and Splunk
Innovation through the Power of Innovation
Douglas Hurd | Cisco Security Technical Alliances PM
Colin Lowenberg | Cisco Meraki Platform Partnerships PM
Karthik Karupasamy | Cisco UCS Technical Marketing Engineer
Robert Novak | Cisco Big Data Technical Solutions Architect
September 28, 2017 | Washington, DC
4. Why Does Hardware Still Matter?
▶ Splunk will run on almost anything (even my laptop)
▶ Standalone servers have lower admin overhead
▶ Build up your clusters and you have to keep them consistent
▶ Grow your data sources (and uses) and you have to add servers
▶ Cluster constipation is bad, mmmkay?
5. Why Does Hardware Still Matter?
▶ Cisco customer big data pools tend to grow 2-3x/year
▶ Cisco customer IT staff doesn't grow as fast
▶ The Cisco Unified Computing System (UCS) provides scalable, repeatable, predictable, and manageable deployments across dozens to thousands of servers for any application deployment
▶ Pallet to production in hours, not days or weeks
▶ Deep engineering integration between Cisco and Splunk with tested and proven configurations
More on this later…
6. Big Data at a Big Customer: Cisco
▶ 10s of thousands of employees, contractors, devices
▶ 100s of offices, business apps, audiences
▶ Lots of data in lots of places
▶ No one tool (not even Splunk) can do everything for everyone all the time
▶ High volume, low value, low shelf life
• Stealthwatch (formerly Lancope) and Hadoop feed into Splunk
▶ Low to moderate volume, high value, (any) shelf life
• Splunk on its own, sometimes with fronting dashboards
▶ Additional visualizations with Platfora, Tableau, etc.
7. A closer look at Splunk within Cisco
▶ Customer for 8+ years, strategic partner for 4+ years
▶ Geographically disparate data collection and analysis
▶ Over 70 business applications/use cases across the company
• Around 20 teams using Splunk, including Cisco IT and CSIRT
▶ Nearly 10x growth in search volume from 2014-2016
8. Dozens Of Apps And Add-ons At Splunkbase
Always more being added and updated, by Cisco, Splunk, partners, third party developers, and end users!
9. Splunk and Cisco API-based Integrations
Programmable Operational Analytics at Scale
Categories: Security, Collaboration, Business Analytics, Infrastructure
Integrations: Identity Services (ISE/pxGrid); FirePOWER Next Gen Firewall; Umbrella (DNS); CloudLock; ThreatGrid*; Cisco UCS; ACI / APIC; Nexus 9k; Wireless / CMX; Call Manager; Spark
…and many more here: https://splunkbase.splunk.com/apps/#/search/Cisco/
11. Splunk & Cisco Security – "Better Together"
Cisco brings security breadth, customer reach, and infrastructure for automation:
• Largest security footprint in the industry
• Produces a broad range of security telemetry across most security technologies
• Ubiquitous network footprint enables bi-directional integration for executing security automation
• High investment in Splunk apps for serving joint customers
Splunk brings analytics efficacy, the ability to automate, and committed customers:
• Voluminous, context-rich Cisco data sources drive license volumes while enabling improved security & compliance, more effective SIEM use cases and new use cases beyond security
• Automated actions in Cisco network environs
• Proven, supported integrations accelerate time to value
12. Cisco Splunk Integrations
✓ CVD: Cisco UCS Integrated Infrastructure for Splunk Enterprise (Distributed Deployment, High Capacity) (link)
✓ CVD: Cisco Application Centric Infrastructure with Splunk (link)
✓ Splunk on UCS Reference Architecture (link)
✓ Cisco Cloud Security for VMDC 1.0 Design Guide (link)
Security: IPS; Identity Services Engine/pxGrid; FireSIGHT (including AMP); ASA/PIX/FWSM Firewalls; Web Security Appliance (WSA); Email Security Appliance (ESA); Stealthwatch; Umbrella Investigate; Cloud Web Security (CWS); AnyConnect; CloudLock; ThreatGrid
Data Center / ACI: Cisco UCS; UCS Director Express for Big Data; Application Centric Infrastructure (ACI - APIC); Nexus 9K; Tetration (planned)
Enterprise Networking: Nexus and Catalyst Switches; Nexus 1000V; NGN Routers (CRS, ASR, ISR); Meraki Wireless; Open SDN Network Controller; CMX Wireless; Network Data Platform (planned)
Collaboration: Call Manager; Spark; AppDynamics
Apps: Cisco Security Suite App; Cisco Networks App
✓ Inaugural SIEM & Threat Defense Partner
✓ Inaugural pxGrid partner
✓ Inaugural member of Cisco Security Tech Alliances program
✓ Inaugural ACI Partner
✓ Inaugural Data Analytics Partner
16. Threat Defense Security
BEFORE: Discover, Enforce, Harden
DURING: Detect, Block, Defend
AFTER: Scope, Contain, Remediate
Portfolio categories: Unified Threat Management; Secure Access & Identity; Next Generation Firewall; Next Generation IPS; Email Security; Web Security; Advanced Malware Protection; Sandboxing & Threat Analysis; Network Anomaly Detection; Threat Intelligence
Products: FirePOWER Services; FirePOWER Appliances; AMP for Endpoints; AMP for Networks; Meraki Appliances Wired & Wi-Fi; Meraki Cloud Management; Email Security Appliance; Cloud Email Security; AMP ThreatGRID Cloud & Appliance; OpenDNS Investigate; Identity Services Engine (ISE); TrustSec, AnyConnect VPN; OpenDNS Umbrella; Cloud Web Security, Web Security Appliance; CloudLock; StealthWatch; Cognitive Threat Analytics
17. Background on Firepower and Splunk
▶ Firepower-Splunk mutual customer base expanding
• ASA to Firepower Threat Defense – More FMCs
▶ Add-Ons for Firepower available on Splunkbase
▶ Cisco's Firepower TA & App built in 2014, based on v5.4
• Over 6000 downloads
• Not recommended with FMC v6.x
▶ 'Community Supported' model facing challenges
▶ Focused on new business model for this critical integration
▶ Resources directed at Firepower 6.x customers
19. Data Consumption – Eat In or Delivery?
Expectations and User Roles are Changing
21. New Cisco eStreamer 'eNcore' for Splunk
▶ Scalable app with major improvements
▶ TAC Support option will be offered
• Free for customers that do not want TAC support
• Chargeable for customers that want TAC support
▶ Official GA Release: End of June
▶ Beta II underway during May through June 2017
▶ PID: FP-SPLUNK-SW-K9
▶ Description: "Cisco eStreamer eNcore for Splunk"
• Software downloads: software.cisco.com

                     Free Version   Pay Version
App Cost             Free           $$$
Community Support    Yes            Yes
TAC Support          No             Yes
App Updates          Yes            Yes
22. Improvements and Enhancements
Feature                          Benefit
Built from scratch in Python     • No Perl dependencies
                                 • Python very popular
                                 • Completely up to date with entire 6.2 API schema
Multi-process                    • Highly scalable
Multi-FMC Support                • Connect multiple FMCs to one instance
                                 • Reduce complexity
Fully Qualified Event Output     • Encoded event info is written out in text
Event de-duplication (Future)    • Avoid paying Splunk for redundant event data
                                 • Gives Firepower HA configurations more flexibility
TAC Supported option available   • End to end support for Firepower Splunk customers
Forward Compatible               • Ongoing maintenance to support new eStreamer API versions
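What "event de-duplication" across FMCs amounts to, as an added example (this is not eNcore's code): a bounded cache keyed on the sensor-side identity of an event, so the copy relayed by the second FMC of an HA pair is dropped before it is indexed and counted against the Splunk license. The field names, the event records and the HA scenario are assumptions constructed for the example; the only real design point is that the relaying FMC is excluded from the key while the originating sensor is part of it.

```python
"""Event de-duplication for Firepower events arriving from more than one FMC.

Added example, not eNcore's code. Assumptions (constructed): events are dicts
with the fields used below; a Firepower HA pair is modelled as two FMC sources
(fmc-a, fmc-b) that both relay every event from the same managed sensors.
"""
from collections import OrderedDict
from typing import Dict, Iterable, List, Tuple

# Identity of an event as the sensor that produced it sees it. The FMC that
# relayed it is deliberately NOT part of the key: both FMCs of an HA pair relay
# the same sensor events, and that is exactly the duplication we want to drop.
DedupKey = Tuple[str, int, int, int]  # (event_type, sensor_id, event_id, event_second)


def event_key(ev: Dict) -> DedupKey:
    return (ev["event_type"], int(ev["sensor_id"]), int(ev["event_id"]), int(ev["event_second"]))


class EventDeduplicator:
    """Bounded, insertion-ordered cache of recently seen event keys.

    Bounding the cache keeps memory flat on a long-running collector; size
    `max_keys` to exceed how far the slower FMC can lag behind the faster one.
    """

    def __init__(self, max_keys: int = 100_000) -> None:
        self.max_keys = max_keys
        self._seen: "OrderedDict[DedupKey, None]" = OrderedDict()
        self.dropped = 0

    def is_duplicate(self, ev: Dict) -> bool:
        key = event_key(ev)
        if key in self._seen:
            self.dropped += 1
            return True
        self._seen[key] = None
        if len(self._seen) > self.max_keys:
            self._seen.popitem(last=False)  # evict the oldest key
        return False

    def filter(self, events: Iterable[Dict]) -> List[Dict]:
        """Return the events that were seen for the first time, in arrival order."""
        return [ev for ev in events if not self.is_duplicate(ev)]


# Constructed sample stream: fmc-a and fmc-b both relay sensor 1001's events;
# sensor 1002 independently reports its own event 42 (same event_id, different
# sensor, so it is NOT a duplicate).
SAMPLE_EVENTS = [
    {"fmc": "fmc-a", "event_type": "intrusion", "sensor_id": 1001, "event_id": 42, "event_second": 1506600000, "sid": "1:2019401", "src": "10.1.1.5"},
    {"fmc": "fmc-b", "event_type": "intrusion", "sensor_id": 1001, "event_id": 42, "event_second": 1506600000, "sid": "1:2019401", "src": "10.1.1.5"},
    {"fmc": "fmc-a", "event_type": "intrusion", "sensor_id": 1002, "event_id": 42, "event_second": 1506600000, "sid": "1:2019401", "src": "10.2.2.9"},
    {"fmc": "fmc-a", "event_type": "connection", "sensor_id": 1001, "event_id": 43, "event_second": 1506600001, "src": "10.1.1.7"},
    {"fmc": "fmc-b", "event_type": "connection", "sensor_id": 1001, "event_id": 43, "event_second": 1506600001, "src": "10.1.1.7"},
    {"fmc": "fmc-b", "event_type": "intrusion", "sensor_id": 1001, "event_id": 44, "event_second": 1506600002, "sid": "1:2019401", "src": "10.1.1.5"},
]


def dedup_sample() -> Tuple[List[Dict], int]:
    """Run the constructed stream through a deduplicator; returns (kept, dropped)."""
    d = EventDeduplicator(max_keys=1000)
    kept = d.filter(SAMPLE_EVENTS)
    return kept, d.dropped


if __name__ == "__main__":
    kept, dropped = dedup_sample()
    for ev in kept:
        print(ev["fmc"], ev["event_type"], ev["sensor_id"], ev["event_id"])
    print("dropped", dropped)
```

Two copies (event 42 and event 43 from sensor 1001 via fmc-b) are dropped; event 44, which only fmc-b happened to deliver first, is kept, which is the flexibility an HA pair gains: either FMC may be the one that gets an event through. Note the cache is only correct for FMCs that manage the same sensors; two independent FMCs with disjoint sensors never collide on this key.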
25. Cisco Cloud Security
▶ Umbrella: secure access to the internet
▶ Cloudlock: secure usage of cloud apps
▶ Investigate: threat intelligence
Covers branch office, HQ and roaming users.
26. Splunk Add-on for Cisco Umbrella Investigate
Investigate API: automatically enrich security alerts inside Splunk, allowing analysts to discover the connections between the domains, IPs, ASNs, and file hashes in an attacker's infrastructure.
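Before an alert can be enriched, the indicators have to be pulled out of it and normalised, otherwise the same domain is looked up (and paid for) under several spellings and internal addresses are sent to an external service for nothing. The following added example shows that preparation step; it is not the Umbrella Investigate add-on's code, and the Investigate lookup itself (a network call) is left out. The alert lines, the file-extension heuristic and the internal-network list are constructed assumptions.

```python
"""Pull indicators out of alert text and normalise them before enrichment.

Added example; not the Umbrella Investigate add-on's code. Extracts domains,
IPv4 addresses and file hashes from alert events, undoes analyst "defanging",
drops internal addresses and collapses duplicates so each indicator is looked
up once. The alert lines below are constructed.
"""
import ipaddress
import re
from typing import Dict, List, Set

# Undo common defanging (hxxp, [.], (dot), [at]) so the patterns below see real values.
_REFANG = [
    (re.compile(r"hxxp(s?)://", re.I), r"http\1://"),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]|\(dot\)", re.I), "."),
    (re.compile(r"\[@\]|\[at\]", re.I), "@"),
]
_IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
_SHA256 = re.compile(r"\b[0-9a-f]{64}\b", re.I)
_MD5 = re.compile(r"\b[0-9a-f]{32}\b", re.I)
# One or more hyphen-safe labels followed by an alphabetic TLD.
_DOMAIN = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\b", re.I)

# Heuristic (assumption): "payload.exe" fits the domain pattern but is a file name.
_FILE_EXTENSIONS = {"exe", "dll", "pdf", "doc", "docx", "xls", "xlsx", "js", "ps1", "txt", "log"}
# Addresses that never need external enrichment (RFC1918, loopback, link-local).
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def refang(text: str) -> str:
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def extract_indicators(text: str) -> Dict[str, Set[str]]:
    """Return {'domain', 'ip', 'sha256', 'md5'} -> set of normalised indicators."""
    text = refang(text)
    found: Dict[str, Set[str]] = {"domain": set(), "ip": set(), "sha256": set(), "md5": set()}

    for candidate in _IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:  # e.g. 999.1.1.1 fits the regex but is not an address
            continue
        if not any(ip in net for net in _INTERNAL):
            found["ip"].add(str(ip))

    # \b on both sides means a 32-hex run inside a 64-hex SHA-256 is not taken as an MD5.
    found["sha256"] = {h.lower() for h in _SHA256.findall(text)}
    found["md5"] = {h.lower() for h in _MD5.findall(text)}

    for domain in _DOMAIN.findall(text):
        domain = domain.lower()
        if domain.rsplit(".", 1)[-1] in _FILE_EXTENSIONS:
            continue
        found["domain"].add(domain)
    return found


def unique_lookup_set(events: List[str]) -> Dict[str, List[str]]:
    """Merge indicators across events so each one is sent to enrichment once."""
    merged: Dict[str, Set[str]] = {"domain": set(), "ip": set(), "sha256": set(), "md5": set()}
    for event in events:
        for kind, values in extract_indicators(event).items():
            merged[kind] |= values
    return {kind: sorted(values) for kind, values in merged.items()}


# Constructed alert text in the style of Splunk events from several Cisco sources.
SAMPLE_ALERTS = [
    "Umbrella blocked hxxp://cdn[.]bad-updates[.]example/payload.exe from 10.20.30.40 (malware category)",
    "AMP quarantined payload.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 on host WS-0451",
    "Firepower intrusion: 198.51.100.23 -> 10.20.30.40, dns query for cdn.bad-updates.example, md5 D41D8CD98F00B204E9800998ECF8427E",
    "Outbound connection to 203.0.113.77 by beacon.exe, resolves to c2.bad-updates.example",
]

if __name__ == "__main__":
    for kind, values in unique_lookup_set(SAMPLE_ALERTS).items():
        print(kind, values)
```

Four alerts collapse to two domains, two external addresses and two hashes; the internal 10.20.30.40 and the file names never leave the SIEM. The result is what you would hand to the Investigate API for the domain/IP/hash pivots the add-on surfaces.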
27. Splunk App for Cisco Cloudlock
▶ Manage Cloud Security incidents within Splunk
▶ Seamlessly extend Security Operations to cloud environments while maintaining existing workflows
▶ Leverage Splunk's rich data visualization, alerting and reporting functionality
▶ Two leaders - Partnership Strength
28. Shadow IT for Cisco FP and Splunk Customers
Diagram: logs from Cisco Web Security, Cisco NGFW / FirePOWER and 3rd party security appliances feed the Cloudlock Shadow IT engine, which feeds the SIEM (Splunk).
29. Correlating Network And Infrastructure Data Around The World
Using open APIs to monitor and manage connectivity and security for the largest Latin American country
Colin Lowenberg
31. Cisco Meraki + Splunk
México Conectado connects all Mexican government buildings using Meraki
▶ Managed WiFi in all Mexican Gov't buildings: libraries, health centers, community buildings, etc.
▶ Indoor and outdoor APs for gov't and public use
▶ 22K+ sites across Mexico
33. Your Splunk Environment: Better on Cisco UCS
Automate deployment, correlate with your entire datacenter, and optimize for management and scalability
With Karthik Karupasamy
35. Splunk Add-On for Cisco UCS
▶ Splunk-built rewrite of original UCS add-on
▶ Aggregates, monitors, trends and analyzes all relevant data from Cisco UCS Manager instances
▶ Enables proactive capacity and performance monitoring/management, fault trending, power and cooling, and more
▶ Works with other Splunk add-ons and data sources (including Enterprise Security and PCI Compliance add-ons) to aggregate and correlate data across your enterprise
Diagram: stack of Applications, Operating Systems, Hypervisors, and UCS server, storage and network
37. Cisco Unified Computing System
A differentiated, revolutionary approach
Unified Management
▶ Faster deploy/provision
▶ Unification leads to reduced complexity
▶ Management via a single interface
Simplified Architecture
▶ Networking with fewer components
▶ Lower cost and easier scaling
▶ Fewer management touch points
▶ Stateless: any resource, any time
▶ Better TCO/ROI
Scale
▶ Ultimate scalability, enhanced design capability
▶ Designed for the future, today
Higher Performance
▶ Brings out the best of x86 architecture
▶ Optimized resource utilization for compute, networking, and management
38. Cisco UCS Integrated Infrastructure for Big Data Topology
SingleConnect: LAN, SAN and Management
▶ UCS 6200 and 6300 Series Fabric Interconnects, installed in pairs, active-active. UCS Manager is embedded.
▶ Pre-tested and pre-validated configuration
▶ Fabric-based infrastructure integrates computing, networking, and storage resources
▶ Designed for high performance and availability
▶ Support for direct connectivity to Fabric Interconnects
Lifecycle: Provisioning, Monitoring, Maintenance, Growth
40. UCS Director Express for Big Data
Deploy your Splunk Enterprise Cluster in hours – not in days or weeks
Features:
▶ Complete automation of industry-leading validated solution for Splunk Enterprise
▶ Indexer clustering – customizable Replication and Search Factors
▶ Search Head clustering
▶ Shared License Master, Deployer for SHC
▶ Ability to grow the Search Head and Indexer clusters
▶ Monitoring console
41. UCSD Express For Big Data – Two Ways to Create
Unified Management Platform for Highly Available Distributed Splunk Clusters
▶ Use bundled templates (instant), or create your own custom template
▶ Select size, Splunk version, OS, and IP address binding
▶ Result: a ready-to-use Splunk cluster
42. Instant Splunk Cluster Under One Management
Diagram: the IT team uses UCSD Express to provision a separate Splunk cluster per line of business (Marketing, Supply Chain, Sales); each LOB gets its decisions and insights without a shadow IT team for big data.
• Faster Turnaround Time
• No Shadow IT team
• No Growing Pains
• Scalable performance and Enterprise Grade system
• Unified Data Center Management
• Optimal Resource Utilization
• Simplified Compliance and Governance
43. Unified Management with UCS Director Express for Big Data
Programmability, Scalability and Automation
Components: UCSD Express; UCS 6200/6300 Series Fabric Interconnect; UCS Manager; UCS C220/C240 M4/M5 Series Rack Servers; UCS S3260 Storage Server; Splunk Enterprise
Cisco UCS Service Profile contents: NIC MACs; HBA WWNs; Server UUID; VLAN Assignments; VLAN Tagging; FC Fabrics Assignments; FC Boot Parameters; Number of vNICs; Boot order; PXE settings; IPMI Settings; Number of vHBAs; QoS; Call Home; Template Association; Org & Sub Org Assoc.; Server Pool Association; Statistic Thresholds; BIOS scrub actions; Disk scrub actions; BIOS firmware; Adapter firmware; BMC firmware; RAID settings; Advanced NIC settings; Serial over LAN settings; BIOS Settings
44. UCS Management Software provides: Provisioning, Monitoring, Maintenance, Growth
Programmable Infrastructure; Policy based Management
UCS Manager
• Industry leading tool to provision, manage and monitor all software and hardware components
• Policy and model-based management, with service profiles, that improves agility and reduces risk
• Utilizes auto-discovery to detect, inventory, manage, and provision system components
• Offers a comprehensive open XML API, which facilitates integration with third-party management tools
UCS Central
• Manages multiple, globally distributed Cisco UCS domains with thousands of servers from a single pane
• Provides global configuration capabilities for pools, policies, and firmware
UCS Director
• Delivers a unified converged infrastructure management solution
• Provides programmable application containers across computing, networking, and storage resources and extends automation benefits to the entire infrastructure stack
UCS Director Express for Big Data
• Delivers scalable and reliable Hadoop deployment on UCS Big Data clusters
• Offers centralized visibility across Hadoop and physical infrastructure
• Provides greater IT agility resulting in increased IT impact on business
Abstraction of all configuration and identity information into a service profile speeds deployment, reduces errors, lowers costs
Benefits: Speed; Ease of experimentation; Consistency; Simplicity; Visibility
45. UCS Director Express for Big Data
End-to-end provisioning, deployment and management
1. Subject Matter Experts define policies (Create Infrastructure Profile, Create Hadoop Profile, Create Hadoop Application Profile)
• Network SME: uplink and server port configuration; network interface card (NIC) configuration: MAC address, VLAN, and QoS settings; worldwide names (WWNs) and bandwidth constraints; firmware revisions
• Server SME: server unique identifier (UUID), firmware revisions, and RAID controller settings; service profile assigned to server, chassis slot, or pool
• Storage SME
• Hadoop SME: namenode and data node configuration; configure Hadoop services; set up heap size and memory buffers; HDFS and MapReduce configuration; set up other Hadoop services
2. Policies are used to create Hadoop and infrastructure service profile templates
3. Service profile templates create service profiles
4. Associate Hadoop and infrastructure profiles to create Hadoop clusters
47. Splunk Cluster customizations
▶ Optionally add another NIC for replication traffic
▶ Select a custom RAID policy for each role
▶ Customize storage tiers
▶ Select physical infrastructure options
48. Creating a Splunk cluster
▶ Cluster Name
▶ OS (RHEL)
▶ Splunk version
▶ UCS Manager
▶ Organization
49. Creating a Splunk Cluster
▶ Server pools (per role)
▶ Networking: PXE VLAN; map vNIC to IP pools
• Mgmt (and ingest)
• Data1 for replication (optional)
▶ Replication Factor, Search Factor
▶ Click Submit
50. Creating a Splunk Cluster -- Server Pool Selection
▶ Server pools, server count, hostname prefix
51. Creating a Splunk Cluster -- vNIC configuration
▶ Map vNIC to IP pools. NOTE: eth0 → MGMT pool binding shown.
▶ Click Submit
52. Flexible RAID config via UCS HW Profiles
▶ Splunk cluster is powered by the underlying UCS HW template
▶ Splunk's UCS HW template comes with a flexible RAID policy
▶ RAID policies supported:
• RAID1, RAID0
• RAID5, RAID6
• RAID10 (default)
• Future: RAID50, RAID60
▶ Separate RAID policies for HOT/WARM, COLD and Frozen
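The values collected across these screens (replication factor, search factor, server pools per role, a separate replication vNIC) map directly onto Splunk's server.conf, and a wrong combination is only reported after the cluster is built. The following added example (not UCS Director Express' own workflow code) takes a spec in that shape, checks the constraints Splunk enforces (1 ≤ search factor ≤ replication factor ≤ number of indexers) plus two a security reviewer would add (a non-default cluster secret, and replication pinned to the dedicated Data1 network rather than the management NIC), then emits the stanzas for the cluster master, each indexer and the search head. Every host name, address, the replication subnet and the secret are constructed placeholders.

```python
"""Validate a Splunk indexer-cluster spec and emit the server.conf stanzas.

Added example, not UCS Director Express' workflow code. All host names,
addresses, the replication subnet and the cluster secret are constructed.
"""
import ipaddress
from typing import Dict, List

SPEC = {
    "cluster_name": "splunk-prod",
    "replication_factor": 3,
    "search_factor": 2,
    "replication_port": 9887,
    "replication_network": "10.10.2.0/24",  # subnet of the "Data1" replication vNIC
    "pass4SymmKey": "k3y-from-your-secret-store",  # placeholder: load from a secret store
    "roles": {
        "cluster_master": [{"host": "cm-01", "mgmt_ip": "10.10.1.10"}],
        "indexer": [
            {"host": "idx-01", "mgmt_ip": "10.10.1.21", "repl_ip": "10.10.2.21"},
            {"host": "idx-02", "mgmt_ip": "10.10.1.22", "repl_ip": "10.10.2.22"},
            {"host": "idx-03", "mgmt_ip": "10.10.1.23", "repl_ip": "10.10.2.23"},
            {"host": "idx-04", "mgmt_ip": "10.10.1.24", "repl_ip": "10.10.2.24"},
        ],
        "search_head": [{"host": "sh-01", "mgmt_ip": "10.10.1.31"}],
    },
}


def validate(spec: Dict) -> List[str]:
    """Return the list of problems; an empty list means the spec is deployable."""
    problems: List[str] = []
    rf, sf = spec["replication_factor"], spec["search_factor"]
    indexers = spec["roles"].get("indexer", [])
    repl_net = ipaddress.ip_network(spec["replication_network"])
    if len(spec["roles"].get("cluster_master", [])) != 1:
        problems.append("exactly one cluster master is required")
    if sf < 1 or rf < sf:
        # Splunk requires 1 <= search_factor <= replication_factor
        problems.append(f"search_factor {sf} must be between 1 and replication_factor {rf}")
    if rf > len(indexers):
        # the cluster can never become complete with fewer peers than copies
        problems.append(f"replication_factor {rf} exceeds indexer count {len(indexers)}")
    if spec.get("pass4SymmKey", "changeme") in ("", "changeme"):
        # 'changeme' is the shipped default; this key is the cluster's trust root
        problems.append("pass4SymmKey must be a non-default secret")
    for idx in indexers:
        repl_ip = idx.get("repl_ip")
        if not repl_ip or repl_ip == idx["mgmt_ip"] or ipaddress.ip_address(repl_ip) not in repl_net:
            problems.append(f"{idx['host']}: replication address must be a dedicated address in {repl_net}")
    return problems


def render_master(spec: Dict) -> str:
    return "\n".join([
        "[clustering]",
        "mode = master",  # Splunk 6.x/7.x keyword; newer releases also accept 'manager'
        f"replication_factor = {spec['replication_factor']}",
        f"search_factor = {spec['search_factor']}",
        f"pass4SymmKey = {spec['pass4SymmKey']}",
        f"cluster_label = {spec['cluster_name']}",
    ])


def render_peer(spec: Dict, idx: Dict) -> str:
    master = spec["roles"]["cluster_master"][0]["mgmt_ip"]
    return "\n".join([
        f"[replication_port://{spec['replication_port']}]",
        f"acceptFrom = {spec['replication_network']}",  # only the replication subnet may connect
        "",
        "[clustering]",
        "mode = slave",  # Splunk 6.x/7.x keyword; newer releases also accept 'peer'
        f"master_uri = https://{master}:8089",
        f"pass4SymmKey = {spec['pass4SymmKey']}",
        f"register_replication_address = {idx['repl_ip']}",  # peers replicate over Data1
    ])


def render_search_head(spec: Dict) -> str:
    master = spec["roles"]["cluster_master"][0]["mgmt_ip"]
    return "\n".join([
        "[clustering]",
        "mode = searchhead",
        f"master_uri = https://{master}:8089",
        f"pass4SymmKey = {spec['pass4SymmKey']}",
    ])


def render_all(spec: Dict) -> Dict[str, str]:
    """Map host -> server.conf body; raises ValueError if the spec fails validation."""
    problems = validate(spec)
    if problems:
        raise ValueError("; ".join(problems))
    out = {spec["roles"]["cluster_master"][0]["host"]: render_master(spec)}
    for idx in spec["roles"]["indexer"]:
        out[idx["host"]] = render_peer(spec, idx)
    for sh in spec["roles"]["search_head"]:
        out[sh["host"]] = render_search_head(spec)
    return out


if __name__ == "__main__":
    for host, body in render_all(SPEC).items():
        print(f"# {host}\n{body}\n")
```

The replication port is reachable only from the replication subnet (acceptFrom) and each peer registers its Data1 address, so bucket copies never cross the management network; port 8089 on the master still needs the same treatment at the UCS/ACI layer, since the cluster secret alone is what authenticates peers to it.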
58. ACI App Center
ACI-Splunk: What Is New?
Cisco ACI App & Add-on for Splunk Enterprise version 4.0 – Splunk Certified
▶ Multi-Pod visibility
▶ Micro-Segmentation support
▶ Multiple APIC monitoring
▶ Enhanced user interface with drill down capabilities
▶ ACI App Center integration
Supported on APIC 1.3 and higher. Compatible with Splunk 6.4 & above. Available on Splunkbase.
59. Tetration Analytics App for Splunk
Cisco Tetration App & Add-on for Splunk Enterprise version 1.0
▶ Central proactive monitoring
▶ Operational analytics
▶ Cross-tier visibility
▶ Real-time application monitoring
▶ Accelerated RCA & deeper visibility
▶ Policy enforcement
Data flow between Cisco Tetration Analytics and the Tetration App for Splunk v1.0:
• Use Tetration APIs to receive ADM, endpoint and inventory data
• Send configuration data, health & performance metrics, syslog and fault information
• Enforce policies using Tetration sensors
60. Why You Never See Tacos Mounted On Drones In The Real World
Wrapping up the Cisco and Splunk innovation story
With Robert Novak
63. Cisco Technology – Description – SplunkBase URL
Cisco Security Suite: The Cisco Security Suite provides a single pane of glass interface into Cisco security data. https://splunkbase.splunk.com/app/525/
Cisco Firepower™ Management Center: Splunk Add-on for Cisco FirePower Management Center leverages data collected via Cisco eStreamer to allow a Splunk Admin to analyze and correlate reports from Cisco through the Splunk Common Information Model. https://splunkbase.splunk.com/app/1808
Cisco eNcore for Splunk: Comprehensive eStreamer 'Client' or Splunk 'TA' that collects all ten event types in their entirety from Firepower Management Center 6.x. https://splunkbase.splunk.com/app/3662/
Cisco Umbrella: Automatically enrich security alerts inside Splunk, allowing analysts to discover the connections between the domains, IPs, and file hashes in an attacker's infrastructure. https://splunkbase.splunk.com/app/3324/
Cisco ISE: Splunk App for Cisco ISE. Collects data from ISE via Syslog and provides Adaptive Network Control (ANC) Mitigation Actions via pxGrid. https://splunkbase.splunk.com/app/1589/ and https://splunkbase.splunk.com/app/1915/
Cisco CloudLock: The CloudLock Cloud Access Security Broker harnesses crowd-sourced, actionable cybersecurity intelligence to enable enterprises to securely leverage the cloud. https://splunkbase.splunk.com/app/3043/ and https://www.cloudlock.com/blog/tag/cloudlock-for-splunk/
Cisco eStreamer: eStreamer log collection and comprehensive selection of dashboards optimized for Sourcefire System 5.2+ and Splunk 6. https://splunkbase.splunk.com/app/1629/
Cisco IPS: The Splunk Add-on for Cisco IPS allows a Splunk software administrator to consume, analyze, and report on Cisco IPS data that conforms to the Security Device Event Exchange (SDEE) standard. https://splunkbase.splunk.com/app/1903
Cisco CWS: The Cisco Cloud Web Security (CWS) Add-on for Splunk allows a Splunk administrator to analyze and correlate Cisco Cloud Web Security (CWS) log data through the Common Information Model in Splunk Enterprise. https://splunkbase.splunk.com/app/2791
Cisco ESA: The Splunk Add-on for Cisco ESA allows the Splunk software administrator to leverage Textmail, HTTP, and Authentication logs of Cisco ESA. https://splunkbase.splunk.com/app/1761
Cisco AnyConnect: The Cisco AnyConnect Network Visibility (NVM) App for Splunk allows IT administrators to analyze and correlate user and endpoint behavior in Splunk Enterprise. https://splunkbase.splunk.com/app/2992/
Cisco ASA: The Splunk Add-on for Cisco ASA allows a Splunk software administrator to map Cisco ASA devices, Cisco PIX, and Cisco FWSM events to the Splunk CIM. https://splunkbase.splunk.com/app/1620