Security Archives - Morten https://www.morten.com.tr/en/category/blog/security-blog/ Mon, 03 Nov 2025 20:17:23 +0000 en-US hourly 1 https://wordpress.org/?v=6.6.2 https://www.morten.com.tr/wp-content/uploads/2024/12/cropped-Morten-Logo-Bordo-Kopya-2-32x32.png Security Archives - Morten https://www.morten.com.tr/en/category/blog/security-blog/ 32 32 Cisco Secure Workload (Formerly Tetration) https://www.morten.com.tr/en/cisco-secure-workload/?utm_source=rss&utm_medium=rss&utm_campaign=cisco-secure-workload Tue, 23 May 2023 05:19:08 +0000 https://tecnologia.vamtam.com/?p=8435 Yazar:  Emin YÖNEY | Kıdemli Çözüm Danışmanı

Cisco Secure Workload (Tetration), bir ağ güvenliği ve analiz platformudur. Bu platform, kurumsal ağlarınızda gerçek zamanlı trafik analizi yaparak, ağınızda olan herhangi bir tehdidi tespit edebilmenizi sağlar.

The post Cisco Secure Workload (Formerly Tetration) appeared first on Morten.

]]>

Author: Emin YÖNEY | Senior Solution Consultant

Cisco Secure Workload (Tetration) is a network security and analysis platform. This platform allows you to detect any threats on your network by analyzing real-time traffic on your corporate networks.

It monitors applications, processes, users, and devices on your network and helps understand their relationships so you can be alerted immediately if any threats come to your network.

It also tracks where applications on your network are running and what resources they are using, so you can identify performance issues. 

Cisco Secure Work Load (Tetration) also supports cloud-native applications, so you can monitor all applications in your enterprise network and understand the relationships between different platforms.

The main features offered by the application in network security and analysis are as follows.

  • Secure Workload’s (Tetration) automated approach helps in rapid deployment of Microsegmentation.
  • Zero Trust in the Micro Segmentation application model enables you to implement Micro Segmentation.
  • It quickly detects threats in the network by performing real-time traffic analysis.
  • Relationship mapping helps to understand the relationships between application, process, user and device.
  • It detects performance issues and optimizes resources by monitoring resource usage.
  • It is compatible with and supports applications running on popular cloud-based application services such as AWS, Microsoft Azure, and Google Cloud Platform. It also supports applications running in your own private cloud environment.
  • Monitors application performance and detects performance issues.
  • It detects malicious content by performing content inspection.
  • Provides useful information for the business by analyzing data.
  • It summarizes the data and presents it in an understandable way.
  • Automatically manages and edits policies.
  • Detects malware on your network.

To summarize, Cisco Secure Workload (Tetration) is a groundbreaking platform in network security and analytics. It monitors all applications, processes, users, and devices on your network, allowing you to detect any threats and troubleshoot performance issues.

The post Cisco Secure Workload (Formerly Tetration) appeared first on Morten.

]]> ISE 3.0 ile Gelen Yeni Özelikler https://www.morten.com.tr/en/ise-3-0-ile-gelen-yeni-ozelikler/?utm_source=rss&utm_medium=rss&utm_campaign=ise-3-0-ile-gelen-yeni-ozelikler Fri, 27 Aug 2021 13:12:17 +0000 http://10.41.150.12/?p=989942 Yazar: Fatih Ermiş | Kıdemli Çözüm Danışmanı ISE 3.0 ile beraber daha sade bir arayüz oluşturulmuş, eski arayüze nazaran daha kullanıcı dostu ve daha göz yormayan bir arayüz bizi karşılıyor. Yeni arayüzde menü öğelerinin üst satırı kaldırılırken, yerine sol üst köşeye hamburger buton eklenerek, ISE 3.0 tamamen önceki versiyonlarda olmayan yeni bir görünüm kazandırdığı çok...

The post ISE 3.0 ile Gelen Yeni Özelikler appeared first on Morten.

]]>
Author: Fatih Ermis | Senior Solution Consultant With ISE 3.0, a simpler interface has been created, more user-friendly and easier on the eyes than the old interface.

In the new interface, while the top row of menu items is removed, a hamburger button is added to the upper left corner, and it can be easily said that ISE 3.0 has a completely new look that was not in previous versions. It is worth mentioning that all configurations can be made under the menu.

It can be said that the dark mode is a different touch and gives a new image to the ISE interface, while the previous versions were all blue tones on a white background, dark colors were included with ISE 3.0. However, the “Make a Wish” feedback that we know from Meraki has not been forgotten in the menu, I think this feature, which I think Cisco will integrate into all its products from now on, especially for user / administrator feedback, is really very important for both parties.

At the same time, thanks to the search tab added to this menu, ISE 3.0 is one step ahead, both user-friendly and very fast access to the desired configuration. Shortcuts have been added to the lower left corner of the Dark Mode, so it is very easy to open or close the Menu.

In addition, it is noticeable that the switching speed between tabs in ISE 3.0 is much faster than before.

We mentioned that the Make a Wish section was added to the bottom section for both user/admin experience and easy feedback (complaints, requests or suggestions). Cisco actually says to users, ‘We listen to you, we improve our systems with your suggestions’, with this tradition we are used to from Meraki, and this gives users/admins the opportunity to be a part of these developments, I think it is a fast feedback feature that brings both the producer and the users together from the same perspective.

One of the user-friendly features that comes with ISE 3.0 is the “interactive help” feature, which can be accessed both from the Help Menu in the upper right corner and from the tab in the lower right corner.

This feature, which is not available in older versions of Cisco ISE, actually provides the user with a faster and easier use in many ways. For example, we want to configure Posture, when we click on the Posture section, it brings up all the tabs we need regarding Posture.

When we click on the Agentless Posture feature, a wizard appears before us, showing us all the necessary steps for configuration step by step. Thus, everything that needs to be done to make Agentless Posture is provided very easily, when we complete each step and click on the (Next) option, we can move on to the next step, while at the same time it provides the opportunity to define the configurations starting from the desired step.

 

All components needed throughout the configuration process are presented to you by these wizards and you are asked to complete the relevant configurations.

It is important to remember that you must have the correct licenses for the relevant configurations.

  • Agentless Posture Windows and MacOS Feature:

Agentless posture can be used with ISE 3.0 for “Microsoft and Apple” devices without installing anyconnect agents on endpoints.

  • End User Visibility and Custom Script Feature

Thanks to this feature, special scripts can be written for Windows and Mac end users, points to be considered;

o Only admins with SuperAdmin authority can run these scripts,

o   You must have Domain Admin information and/or Local admin user information,

o PowerShell for Windows machines,

o SSH access for Mac,

o   CURL 34+ for both Mac and Windows

  • ODBC Multiple Attributes Lookup Feature

Instead of specifying attributes manually, the authorization profile can be conveniently configured to use VLAN from the ODBC database based on specified entry attributes (such as MAC address, username, called-station-ID, or device location).

 

  • Certificate Fingerprinting for Multiple CA s Feature

Thanks to this feature that comes with ISE 3.0, a secure mechanism is provided for multiple certificates to support different domains, and thus the reliability of many domains will be increased by multiple certificates.

 
  • PassiveID and Windows Event API Feature

With Cisco ISE Version 3.0, the MS-Eventing API or Microsoft Remote Assistance Call (MSRPC) protocol can be used for Passive Identity. Cisco ISE uses the MSRPC protocol to establish node communication and monitor heartbeats between nodes. This option is in addition to the WMI protocol for Passive Identity service. With this feature coming with ISE 3.0, Passive Identity will significantly improve overall performance by using MS RPC APIs instead of WMI.

  • API Gateway Feature

The Cisco ISE (API Gatwey) gateway is a new feature in ISE 3.0, an API management solution that acts as a single entry point to multiple Cisco ISE Service APIs to provide better security and traffic management. API requests from external clients are routed to the API gateway in Cisco ISE, and requests are also routed to the Cisco ISE Nodes that run their APIs, providing service according to the rules configured in the API Gateway.

 
  • Device Identifier Change Feature for Windows Devices

A new device identifier based on CN/SAN certificate attributes used between ISE and MDM is used to query compliance independent of the MAC address on end-user devices. (UDID: Unique Device Identifier)

 
  • Baseline Policies Feature with Microsoft SCCM

With ISE 3.0, ISE Admins can select specific base policies and have only those policies checked for compliance.

  • Posture AV/AM Minimum Version Control Feature

There are many different Anti-virus and many different Anti-malware products, the policies created at this stage were either very general or very specific, with ISE 3.0, AV/AMs can be specified as a minimum version and be compliant on the relevant version. It should not be overlooked that OPSWAT support is mandatory here.

  • Health Check Feature

One of the most frequently used features by admins coming with ISE 3.0 will undoubtedly be the Health Check feature. ISE 3.0 offers an optional system health check option to diagnose all nodes in your distribution. Running a health check on all nodes before any operation helps identify critical issues that may cause an outage, if any. Health Check shows the operating status and health status of all dependent components. In the event of a component failure, the operation is carried out smoothly and offers troubleshooting suggestions to resolve the issue. Another innovation in ISE 3.0 is that

It is worth mentioning that it is an excellent solution for detecting and solving many problems before upgrades and for performing upgrades without any problems.

 
  • Debugging Feature in Profiles by Function

The Debug Wizard contains predefined debug templates that you can use to troubleshoot issues on ISE Nodes. You can easily configure Debug Profiles and Debug Logs from here. Another plus of this feature is that Cisco TAC can now easily enable debug logs across multiple Nodes in a Cisco ISE deployment. This feature will help in faster troubleshooting. Also, the created debug profiles can be used across multiple Nodes.

  • More functional TCP Dump Feature

With ISE 3.0, you can control the collected data by specifying the file size, number of files, processing time, on which interfaces the dump file should be created (always in raw format / TCP dump format), including connected interfaces.

 

·         ISE 3.0 Supported Platforms ( SNS 35XX series EOL )

  •           Platform Supports – Cloud

o   Amazon Vmware Cloud

o   SAML SSO Support with Azure Active Directory

Now available via the ISE web portal Azure AD SAML 2.0 MFA feature can be used with ISE 3.0. (Guest, BYOD and My Devices Portal)

ROPC using 802.1X Azure AD (Resource Owner Password Credentials)
With ISE 3.0 802.1X, users can be authenticated directly to Azure AD using OAuth ROPC.

The post ISE 3.0 ile Gelen Yeni Özelikler appeared first on Morten.

]]> Cisco Firepower NGFW / NGIPS https://www.morten.com.tr/en/cisco-firepower/?utm_source=rss&utm_medium=rss&utm_campaign=cisco-firepower Mon, 11 Jan 2021 05:10:09 +0000 https://tecnologia.vamtam.com/?p=8414 Yazar: Huzeyfe Himmetoğlu | Kıdemli Ağ ve Güvenlik Uzmanı
Cisco Firepower yalnız kurt değildir!Firepower gücünü arkasındaki TALOS istihbarat ekibi ve ona içerik sağlayan Resim-1’de de gösterilen ürün ailesinden almaktadır.

The post Cisco Firepower NGFW / NGIPS appeared first on Morten.

]]>

Author: Huzeyfe Himmetoglu | Senior Network and Security Specialist

Cisco Firepower is not a lone wolf! Firepower derives its power from the TALOS intelligence team behind it and the product family shown in Figure-1 that provides it with content. Cisco has long acquired the best companies in their fields within the framework of end-to-end security approach in Figure-1 and ensured their integration. For this reason, Cisco Firepower never has to fight against endless attack methods alone. Thanks to Network Discovery, a feature I like about Firepower, it recognizes your inventory and services and optimizes IPS signatures for relevant traffic.

 

 

Cisco's Next Generation IPS and Firewall adventure begins with the acquisition of SourceFire by Martin Roesch, founder of the 2.7 billion open source intrusion detection platform SNORT, in 2013. Regardless of the continuation of this process, we can actually date Firepower's birth year to 1998, the year Snort was released. A few years after the acquisition, Cisco combined the ASA (IOS) Firewall with the SourceFire software and ran the system within the scope of FTD (Firepower Threat Defense). The anatomy of Firepower is summarized in Figure-2.

 

Cisco's series and short descriptions for use in small/medium businesses, enterprises and ISP/Datacenters are shown in Figure-3. Firepower 4100 and 9300 devices work with the chassis operating system FXOS and you can install more than one FTD in it. If you want, you can also run them as active/active or active/passive redundant. If you have ASA Firewalls and want to replace them with Firepower NGFW, you can quickly replace your operating system with FTD with the Firepower Migration Tool without changing your devices. You can access the relevant compatibility table from the link below.

https://www.cisco.com/c/en/us/td/docs/security/firepower/compatibility/firepower-compatibility.html

Please contact us for detailed information.

Useful links:

FirePower
https://www.cisco.com/c/tr_tr/products/security/firewalls/index.html

Talos Web Address
https://talosintelligence.com/

Integration link with security manufacturers
https://www.cisco.com/c/m/en_us/products/security/technical-alliance-partners.html

The post Cisco Firepower NGFW / NGIPS appeared first on Morten.

]]> Operasyonel Teknolojilerin ( OT ) Güvenliği için Cisco Cyber Vision https://www.morten.com.tr/en/operasyonel-teknolojilerin-guvenligi-icin-cisco-cyber-vision/?utm_source=rss&utm_medium=rss&utm_campaign=operasyonel-teknolojilerin-guvenligi-icin-cisco-cyber-vision Thu, 26 Nov 2020 05:08:07 +0000 https://tecnologia.vamtam.com/?p=8408 Yazar: Fatih Ermiş | Çözüm Danışmanı

Bölüm 1: Cisco Cyber Vision Nedir?

IT için sarf edilen güvenlik katmanları artık OT güvenliği içinde günümüzde olmazsa olmazlar arasına girmiştir.

The post Operasyonel Teknolojilerin ( OT ) Güvenliği için Cisco Cyber Vision appeared first on Morten.

]]>

Author: Fatih Ermis | Senior Solution Consultant

Section 1: What is Cisco Cyber Vision?

The security layers used for IT have now become indispensable for OT security. Especially recently, most data leaks are made by infiltrating the inside through different means. It is seen that security products positioned for North-South internet traffic are not sufficient for such leaks. In addition to North-South traffic, similar data leaks can be prevented by routine anomaly/vulnerability scans on the East-West, i.e. horizontal axis.

Although most OT products work on intranet (closed circuit / closed to the internet) systems, information security gaps can occur at many points with different integrations. One of the biggest problems in OT technologies is visibility. One of the reasons for this is that there are too many devices in the structures and the structure is constantly being expanded uncontrollably by making additions. In addition, it can be added that a structure of this size cannot be intervened without any problems. Both the fact that critical services are running on it and that very serious financial losses can be experienced in the event of a problem can cause obstacles by the management in making the necessary improvements and/or security additions.

To prevent similar situations from occurring, Cisco aims to prevent such problems with its Cyber ​​Vision product, which increases the visibility of OT environments, reveals existing threats, and creates existing inventories.

Cyber ​​Vision to your institution;

  • Providing full visibility for OT environments (assets and processes)
  • Real-time monitoring of your dynamically changing inventory and network

( Dynamic Asset Management and Monitoring )

  • Providing the same information security for the OT network as for IT,
  • It will take your organization's security to the next level with comprehensive threat intelligence.

Security Assessments

Securing your OT infrastructure starts with a clear view of your asset inventory, communication models, and accurately positioned network maps (network topologies). Cyber ​​Vision automatically generates a list of your industrial assets and detailed network maps.

 

Network Segmentation

Industrial security applications (best practices) recommend that networks be moved to compatible architectures, and in order to prevent a possible attack from spreading to the entire architecture, network segmentation and the ability to create policies between these segmented networks provide great benefits to institutions in terms of information security vulnerabilities. In this area, Cisco Cyber ​​Vision product integrates with Cisco ISE (Identity Service Engine) to create asset groups and enables segmentation policies to be applied dynamically (dynamic network segmentation).

 

Standard IT cyber security solutions and methods may not always be sufficient to meet OT cyber security needs. In response to this need, Cisco has introduced its Cyber ​​Vision product for the security of OT technologies.

Chapter 2: Cyber ​​Vision Installation

To download Cyber ​​Vision Center software;

https://software.cisco.com/download/home/286325414/type

Features required for a virtual environment;

You can install and test Cyber ​​Vision Center in a virtual environment with 2 CPUs, 6G RAM and 50GB HDD.

The installation steps are as follows;

  • Cyber ​​Vision software is downloaded from Cisco's website
  • The downloaded .ova file is uploaded to the virtual environment.

  • The installed virtual machine is opened and the system is started.

  • Click “Start” to start the Cyber ​​Vision Center installation.

  • Relevant DHCP settings are made.

  • Once the configuration is complete, the necessary information is entered into the Cyber ​​Vision Center interface.

The Cyber ​​Vision Center main screen is designed very simply and the Dashboard screen includes event levels with descriptions as critical, high, medium and low.

If we need to summarize Cyber ​​Vision in 4 main features, we can summarize it as collecting all the information of the inventories by collecting meaningful information from your OT network via passive sensors using DPI technology; taking these inventories under control, generating an alarm when any possible opening/anomaly is detected and finally, providing comparative data for taking action by examining the records of past traffic movements.

There are 2 options for Cyber ​​Vision Licensing. Essential and Advantage licenses. In addition 

As with many of Cisco's security products, a 90-day Essential or Advantage trial license is available.

Cyber ​​Vision consists of 2 main components, Cyber ​​vision center (Hardware and Software) and Sensors. Cyber ​​vision center can be installed in a virtual environment.

You can monitor security activities in your OT network from the Cyber ​​Vision Center interface.

With the Network Explore feature, the map of which TAGGED or unTAGED devices are communicating with whom will increase the visibility of your network.

You can easily access reports on what type of vulnerabilities there are in your network, the score information, and the vulnerabilities that need to be closed.

The post Operasyonel Teknolojilerin ( OT ) Güvenliği için Cisco Cyber Vision appeared first on Morten.

]]> Cisco SecureX ile Tüm Güvenlik Ürünlerinizin Görünürlüğünü Arttırın! https://www.morten.com.tr/en/cisco-securex-ile-guvenlik-urunlerinizin-gorunurlugunu-arttirin/?utm_source=rss&utm_medium=rss&utm_campaign=cisco-securex-ile-guvenlik-urunlerinizin-gorunurlugunu-arttirin Wed, 08 Jul 2020 08:47:34 +0000 https://tecnologia.vamtam.com/?p=2819 Yazar:  Fatih Ermiş | Çözüm Danışmanı

Cisco SecureX platformu ağınızda bulunan tüm güvenlik ürünleri ile entegre olarak görünürlüğü arttırdığı gibi, güvenlik analizleri yapmakta,

The post Cisco SecureX ile Tüm Güvenlik Ürünlerinizin Görünürlüğünü Arttırın! appeared first on Morten.

]]>

Author: Fatih Ermiş | Solution Consultant

The Cisco SecureX platform integrates with all security products in your network to increase visibility, perform security analysis, detect threats, and automate workflows to accelerate response to these threats.

SecureX, offered as a cloud solution by Cisco, is a platform that simplifies the methods of eliminating the complexities experienced by information security managers and collects visibility at a single point. 

Cisco SecureX threat response uses an integrated security architecture that automates integrations across Cisco Security products to simplify threat investigations and responses. With Cisco SecureX threat response, you can paste these observables into the “Investigate” user interface or use an easy browser plug-in on any web page.

It brings all information from intelligence sources and security products together on a single screen and displays results in seconds. It will become indispensable for SOC teams with a single console for direct remediation, access to threat intelligence, and tools such as casebooks and incident managers. It overcomes many challenges by making threat investigations faster, simpler, and more effective. Leveraging the success of Threat Response with Security Operations teams, SecureX takes this foundation to the next level to increase collaboration between SecOps, NetOps, and ITOps. SecureX simplifies security by:

  • Integrate visibility into all solutions that make up our customers' security inventories at a single point.
  • Providing added value to your customers in a very short time through a completely cloud-based and multi-user solution.
  • Analyze activities and data across network traffic from millions of endpoints, switches, and routers.
  • Determine who/what is being targeted in your network in a short time,
  • Providing the opportunity to take rapid action against threats by feeding threat intelligence sources.
  • Bringing the power of Cisco Talos to our customers’ security operations center (SOC) instantly.

  • Automation is enabled in workflows to maximize operational efficiency by eliminating repetitive tasks and human error.

  •  To increase visibility into our customers' security products and networks while consolidating and eliminating complexity.

 

Results of Cisco SecureX;

 

  • To have a large number of security outputs in a shorter time,
  • Reduces mean time to repair (MTTR) and exposures,
  • Increases the efficiency of SOC teams,
  • Provides research and intervention functions through a single window,
  • Providing automation and orchestration capabilities
  • Provides savings;

o   It reduces personnel costs,

o It saves Operation and Development time,

o It saves analyst time,

o It saves processing time and software budget,

o   It reduces potential financial and legal exposure,

The post Cisco SecureX ile Tüm Güvenlik Ürünlerinizin Görünürlüğünü Arttırın! appeared first on Morten.

]]> Son Kullanıcı Güvenlik Görünürlüğü Bundan Sonra Sorun Olmayacak! https://www.morten.com.tr/en/son-kullanici-guvenlik-gorunurlugu-bundan-sonra-sorun-olmayacak-2/?utm_source=rss&utm_medium=rss&utm_campaign=son-kullanici-guvenlik-gorunurlugu-bundan-sonra-sorun-olmayacak-2 Wed, 10 Jun 2020 13:34:02 +0000 http://10.41.150.12/?p=989967 Yazar: Fatih ERMİŞ | Çözüm Danışmanı Cisco Endpoint Security Analytics ( CESA ) Cisco en az Network alanında olduğu kadar Güvenlik alanında çok ciddi yatırımlarda bulunmaktadır. Son yıllarda yaptığı büyük yatırımlarla birlikte network güvenliği alanında olduğu kadar uç noktaların ( son kullanıcıların ) da güvenliği için birçok çözüm sunmaktadır. Uç nokta güvenliği için geliştirilmiş olan...

The post Son Kullanıcı Güvenlik Görünürlüğü Bundan Sonra Sorun Olmayacak! appeared first on Morten.

]]>
Yazar: Fatih ERMİŞ | Çözüm Danışmanı

Cisco Endpoint Security Analytics ( CESA )

Cisco makes serious investments in the field of Security as well as in the field of Network. With the large investments it has made in recent years, it offers many solutions for the security of endpoints (end users) as well as network security. These solutions developed for endpoint security are successful products that “protect against advanced malware threats”; AMP (Advanced Malware Protection) and Cisco Umbrella (DNS Security) products. Although these products provide security against many of the threats that occur for endpoints, there were still unresolved security gaps in endpoints.

These developments in Cisco endpoint security are recently emerging to fuel the Endpoint Security Analytics (CESA) solution. CESA, along with the Cisco AnyConnect Network Visibility Module (NVM Agent), maximizes endpoint and user network visibility by collecting endpoint telemetry and integrating telemetry data with Splunk Enterprise. It is based on nvzFlow (en-vizzy-flow), the foundation of NVM technology. Cisco AnyConnect NVM supports the Cisco Network Visibility Stream protocol, or nvzFlow for short. The protocol is designed to provide endpoints with better visibility into the network by augmenting standard IPFIX with a small set of high-value endpoint binding data.

 

CESA Story

The CESA solution was developed by the Cisco Security CTO Office. Cisco Information Security Teams were not able to obtain all the endpoint data they needed to perform incident response and were experiencing many difficulties in gaining endpoint visibility. Together with Cisco Information Security Teams, they integrated Cisco AnyConnect and Splunk products to solve some of the problems. Many Cisco employees were working off-site; they had some blind spots in the endpoint security area because they were connected to both corporate and cloud resources at the same time. They needed a way to collect and store at least a year of data for incident analysis. They also needed real-time information to see what was happening on the network. CESA was developed as an answer to all this confusion.

CESA Benefits

Endpoints (End User)  provide device visibility:  It helps find endpoint threats at zero point without problems such as malware, dangerous user behavior, data leakage, etc., provides visibility into which applications or software as a service (SaaS) are in use, and provides visibility into device types and operating systems in the network for incident response.

Endpoints (End User) Allows tracking wherever they go: It ensures whether the device is connected to the network through endpoint telemetry.

Quickly and easily find searches: Leverages existing AnyConnect telemetry (no additional endpoint agents required), instantly gain insights from pre-built Splunk dashboards, and easily find the questions and answers you need through searches.

Provides predictable costs: Can be budgeted per endpoint rather than per variable volume of data transferred to Splunk.

Support for different devices: Windows, macOS, Linux and Samsung Knoxenabled devices are supported.

How Does CESA Work?

Many companies want to know what their employees and devices are doing at work, on the road, or at the coffee shop. That’s why Cisco invented the AnyConnect Network Visibility Module (NVM) to provide unprecedented endpoint behavioral visibility.

Cisco AnyConnect NVM is enabled with AnyConnect agent version 4.2 and is supported in later versions. NVM can generate IPFIX endpoint telemetry when the device is in use, even when the device is off the network. This data is streamed to stream collectors and forwarded to Splunk, where it becomes instantly available. With the “Splunk NVM” application developed by Cisco, users get ready-to-use dashboards so they can quickly understand the data and start using it to answer critical security questions (incident response).

CESA can be used as a standalone NVM analytics deployment or added to an existing Splunk Enterprise environment. Cisco Endpoint Security Analytics built on Splunk provides deep endpoint visibility. Cisco AnyConnect NVM is powered by Splunk Enterprise.

The AnyConnect Network Visibility Module provides visibility into mobile devices with rich user behavior data through IPFIX data (IP Flow Information Export), allowing employees to monitor whether they are endpoints and threatening their company’s security. The behavioral data generated by NVM is complementary to antimalware agents that primarily focus on file analysis, such as Cisco Advanced Malware Protection (AMP) for Endpoints.

NVM telemetry is captured and analyzed in CESA Built-Splunk to address endpoint security use cases such as:

Data loss detection

  •  Data accumulation activity — download and upload behavior
  •  Excessive filtering — loading external domains and network shares

Zero-day malware and threat detection

  •  Unusual application/process behavior — running on standard or non-standard ports
  •  Command and Control detection — creation of connections to new, unusual or bad domains
  •  Threat detection – hosting domain correlation

Zero trust monitoring

  •  Off-network device monitoring — user, device, traffic, application and data behavior monitoring
  •  SaaS usage behavior — Monitoring SaaS services
  •  Untrusted connections — track who connects to untrusted networks

Unapproved apps and SaaS visibility

  •  Access to SaaS domains — connections and SaaS behavior are used
  •  Application and process visibility — find applications and processes running on devices

Security evasion and user attribution

  •  Endpoint security applications — detecting if they are disabled
  •  CESA — detecting whether it is disabled
  •  Attribute user network access — user activity goes down to the network interface controller level

Asset inventory

  •  Device type and OS inventory — can be defined and reported by type
  •  Data privacy compliance

The post Son Kullanıcı Güvenlik Görünürlüğü Bundan Sonra Sorun Olmayacak! appeared first on Morten.

]]>