By Michael Cooney, Senior Editor

Cisco amps up security analytics software

News Analysis
Jul 12, 2023 | 5 min read
Topics: Cisco Systems, Network Management Software, Network Security

Cisco’s updated Secure Network Analytics platform has higher capacity, supports more data flows, and generates more detailed security alerts.


Cisco unveiled a new version of its Secure Network Analytics (SNA) software aimed at making it easier to track more data flows and act faster on relevant security alerts. Enhancements in SNA release 7.4.2 include the ability to more efficiently gather, process and store data; advanced detection capabilities; improved telemetry support; and the ability to run on Cisco’s high-performance UCS M6 hardware.

Cisco’s network analytics software is designed to help organizations detect and respond to security threats by harnessing telemetry data from multiple sources and providing insights into network behavior to proactively identify risks, according to a blog post by Jay Bethea, product marketing manager with Cisco’s secure email group.

SNA release 7.4.2 has tremendous scale and performance, easily processing 3 million flows per second and improving reporting and query performance by 94%, said Crystal Storar, director of product management with Cisco Security. That’s more than double the previous rate, according to Cisco.

The new package continues to add to the centralized data storage capabilities first implemented in SNA release 7.3. With a centralized storage system, rather than having telemetry data stored on individual, distributed Flow Collectors (the appliances that ingest network traffic telemetry), a central database now processes the flows coming from those devices. By centralizing the data store, Cisco says the system can process large amounts of data very quickly, which means that Cisco Analytics queries can be answered faster than they would be if the data were stored on individual Flow Collectors.

The new software also lets data from the Flow Collectors be retained for periods of a year or more, improving trendspotting and historical analysis, Cisco said.

Other key features of SNA 7.4 target areas such as on-premises delivery options, expanded telemetry support, and enhancements to its threat detection engine.

“With [SNA 7.4] we’ve packaged our new MITRE-mapped detections, entity modeling and automatic role-based classification from our cloud-first delivery model back into our on-premises software releases,” Storar said.

Secure Network Analytics has also added new data sources to power its network detection and response outcomes: AWS & Azure flow logs for coverage of public cloud infrastructure, Cisco Secure Client Network Visibility logs for endpoint and remote worker coverage, and Cisco Next Generation Firewall logs for a deeper view into the network traffic, Storar said.

The SNA architecture allows for a scalable telemetry ingestion mechanism; it currently supports NetFlow, NVM, FTD, and ASA firewall telemetry and will support other types in the future, Cisco said.

For example, Cisco and others are working to develop and implement the OpenTelemetry system. OpenTelemetry is a collection of tools, APIs, and SDKs used to instrument, generate, collect, and export telemetry data to analyze software performance and behavior. OpenTelemetry is being developed under the Cloud Native Foundation by contributors from AWS, Azure, Cisco, F5, Google Cloud, and VMware, among others. Storar said that OpenTelemetry is “under investigation for a future release.”

Cisco already supports OpenTelemetry in its Full-Stack Observability Platform, which is designed to collect and correlate data from application, networking, infrastructure, security, and cloud domains to provide a clear view of what’s going on across the enterprise and make it easier for enterprises to spot anomalies, preempt and address performance problems, and improve threat mitigation.

The new SNA software also brings support for a more efficient threat detection engine, and centralized database information is used to create reliable, relevant alerts, according to a blog from Claudio Lener, a product manager for Cisco Secure Analytics.

“Compared to the original SNA alarms, these are drastically quieter – and more in-tune with what’s happening now – delivering context based on the network and advanced behavioral analytics,” Lener wrote. “In other words, SNA creates an instant baseline, learns what behavior is considered ‘normal’ over time, and only triggers an alert if a user fails to follow that trend.”
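As an added illustration of the baseline-then-deviate approach Lener describes (this is constructed example code, not Cisco's or SNA's actual detection logic), the block below learns a per-host baseline from a week of constructed daily egress totals and alerts only on a day that departs sharply from that host's own history:

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily egress totals per host: (day, host, bytes).
# Days 1-7 form the learning window; day 8 is the day being evaluated.
FLOWS = [
    (d, "10.0.0.5", 50_000_000 + (d % 3) * 1_000_000) for d in range(1, 9)
] + [
    (d, "10.0.0.9", 2_000_000 + (d % 2) * 100_000) for d in range(1, 8)
] + [(8, "10.0.0.9", 900_000_000)]  # constructed spike far above baseline


def build_baseline(flows, learn_days):
    """Per-host mean and population std-dev of daily bytes over the learning window."""
    per_host = defaultdict(list)
    for day, host, nbytes in flows:
        if day in learn_days:
            per_host[host].append(nbytes)
    # A host needs at least two observations before it has a usable baseline.
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items() if len(v) >= 2}


def detect(flows, baseline, eval_day, z_threshold=3.0, min_ratio=2.0):
    """Alert when a host's daily total is both z_threshold std-devs above its mean
    AND at least min_ratio times the mean. The ratio guard keeps a host with a
    near-constant history (tiny sigma) from alerting on trivial absolute changes."""
    alerts = []
    for day, host, nbytes in flows:
        if day != eval_day or host not in baseline:
            continue
        mu, sigma = baseline[host]
        z = (nbytes - mu) / sigma if sigma else float("inf")
        if nbytes >= min_ratio * mu and z >= z_threshold:
            alerts.append({"host": host, "bytes": nbytes,
                           "baseline_mean": round(mu), "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    base = build_baseline(FLOWS, range(1, 8))
    for alert in detect(FLOWS, base, eval_day=8):
        print(alert)
```

Host 10.0.0.5 varies within its normal band on day 8 and stays quiet; only 10.0.0.9, whose constructed day-8 total is hundreds of times its learned mean, produces an alert.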

SNA also now integrates with the latest M6 hardware appliance. This yields better Flow Collector ingestion rates, faster flow search queries, and an overall increase in the throughput for the Flow Sensors, Lener wrote.

Another key issue for enterprise customers is the system’s support for third-party products. “We have an extensive ecosystem of partners ready to assist in implementing, integrating and managing the solution on behalf of our customers,” Storar said.

“We collaborate with a wide range of technical alliance partners who serve as both data source providers – such as Barracuda, Check Point, Gigamon, IXIA, Palo Alto, Tripwire, and more – and destinations for our findings, seamlessly integrating with our customers’ existing workflows. Notable examples of these destinations include Splunk, QRadar, ArcSight, ServiceNow, and many others,” Storar said.

In a recent network analysis and visibility report from Forrester that looked at a variety of systems, including SNA 7.4, the analyst firm stated:

“The Cisco ecosystem provides an impressive amount of telemetry data across all aspects of the network, from end users to the cloud and everywhere in between, provided that the organization is a heavy Cisco shop. Secure Network Analytics (SNA) is a powerful tool for threat hunting that provides comprehensive insights into network activity through recorded communications and deduplicated records. Its user-friendly interface enables quick access to critical information for enhanced incident response and network security operations.”

SNA 7.4.2 is available and can be deployed on virtual machines, such as VMware and KVM, or dedicated Cisco UCS appliances.