1.1 Purpose, Audience, and Scope
Purpose: This document describes the offer structure, required components, and the procedure to order Cisco® Security Analytics and Logging (SAL).
Audience: Cisco sales teams and Cisco Security Specialized Partners.
Scope: This ordering guide covers the following:
● Cisco Security Analytics and Logging Overview
● Cisco Security Analytics and Logging Licensing Structure
● Ordering Security Analytics and Logging via Cisco Commerce Workspace (CCW)
● Security Analytics and Logging Software Support
1.2 Cisco Security Analytics and Logging Overview
Cisco Security Analytics and Logging (SAL) is a Software-as-a-Service (SaaS) offering that provides enhanced visibility into advanced threats by identifying suspicious traffic patterns within customer network environments, using metadata generated from traffic traversing the network. Supported sources currently include event logs from Cisco Firewalls, which can be combined with flow logs from private network elements and from public cloud infrastructure for end-to-end visibility. The service therefore provides correlated analysis of, and visibility into, the perimeter, the internal network, and the public cloud. Additional contextual information supplements these suspicious patterns to improve the overall assessment and to assign specific threat levels to observed activities and traffic flows. This process is referred to as “behavioral threat detection.”
Behavioral threat detection algorithms use traffic metadata rather than packet contents to alert users to indicators of compromise. In this way SAL can detect anomalous behaviors symptomatic of threats that have bypassed perimeter and signature-based defenses. Typical examples include, but are not limited to, unknown (zero-day) malware, insider threats arising from stolen credentials or malicious users, and any traffic pattern that does not conform to an entity’s normal behavior. Because the analysis does not depend on payload inspection, threats that have breached perimeter defenses using an encrypted payload can also be exposed.
Cisco Security Analytics and Logging is a SaaS offering. The Analytics engine for the service is powered by Cisco Stealthwatch® Cloud, and at launch the service is offered through a tight integration between Stealthwatch Cloud (SWC) and Cisco Defense Orchestrator (CDO). Security Analytics and Logging leverages both SWC and CDO products’ technology stacks and User Interfaces (UIs) to present its outcomes.
Cisco SAL ingests Cisco Firewall Event Logs, as well as aggregates and normalizes large volumes of network telemetry from on-premises and cloud network elements. It then provides an Event Viewer within the CDO UI for viewing Firewall Event Logs, and also applies advanced security analytics to detect suspicious or malicious traffic patterns from those logs. Results of the analytics outcomes are visible in the Stealthwatch Cloud Portal, enabled through a cross-launch from CDO using Cisco’s Secure Sign-On (SSO). Access to Cisco’s Stealthwatch Cloud portal is part of the solution, and a separate Stealthwatch Cloud license is not necessary to view SAL outcomes in that environment.
Note: Currently only Cisco NGFWs running Cisco Firepower® software/services can send logs to SAL; support for logs generated by the Adaptive Security Appliance (ASA) platform is planned for summer 2020.
1.2.1 Required components and setup to run Cisco Security Analytics and Logging:
● Cisco Defense Orchestrator: Cisco SAL supports only Cisco Defense Orchestrator (CDO)-managed Firewalls today, with a plan to support all Cisco Firewall configurations in the future.
Note: A CDO account is mandatory to apply the Security Analytics and Logging licenses onto Firewall tenants, which have been set up and are being managed using that CDO account. The CDO ordering guide details the process to trial and order a CDO subscription. While CDO is mandatory today, the requirement for managing devices using CDO will be relaxed soon.
● Secure Event Connector: To capture Firewall Event Logs from on-premises deployments, a Secure Event Connector (SEC) is needed. The SEC is a containerized application that is installed on an on-premises Secure Device Connector (SDC) that receives events from Firepower Threat Defense (FTD) devices and Adaptive Security Appliance (ASA) devices and forwards them to Cisco SAL Cloud. Installation instructions can be found here. While SEC remains the most scalable route to send logs to SAL, with Cisco Firepower 6.5 and later versions, events can be sent directly from the FTD device to SAL. This capability has been found to support sustained peak rates of up to 8500 events per second (eps) without losses.
● Stealthwatch Cloud virtual connector: To capture Private Network Monitor (PNM) telemetry from on premises, a Stealthwatch Cloud virtual appliance is needed to collect network flow data from network elements and send them to Stealthwatch Cloud. The Virtual Appliance (VA) is available as an ISO file, which contains the necessary Stealthwatch Cloud packages as part of an Ubuntu Linux image. A separate email is sent to the customer after provisioning with instructions on how to get the sensor software. There is no additional charge for this sensor agent. This Stealthwatch Cloud reference guide covers additional options for installing and configuring the VA. The details of the installation can be found here.
Note: The SWC virtual connector is needed only for the highest license tier, Total Network Analytics and Monitoring (TA).
● Security Analytics and Logging Licenses: A Cisco Security Analytics and Logging license needs to be purchased and applied to the CDO Firewall tenant for which logging and analytics are needed. Licenses are applied per tenant and are available in three classes or tiers, metered by the daily volume of data (GB/day) sent to the cloud. The three tiers follow a nested structure, detailed in Section 2.
1.3 Estimating Daily Volume (GB/day) Required
A daily volume estimator (GB/day) has been designed to help customers estimate the daily volume requirements for their Firewall logs. The estimator calculates logging data volume and load for an average deployment, based on the most common traffic mixes and network conditions, taking known events-per-second (eps) rates or firewall models as input. Actual logging volumes may vary materially from the tool’s output depending on actual traffic composition, protocols used, and other factors.
Another important consideration is that logging relies on the syslog protocol over UDP, which by design does not guarantee delivery. The average throughput calculated is the minimum upload bandwidth to the cloud needed for lossless log transmission. It is recommended to purchase a daily volume slightly above the average throughput to account for peak traffic.
Note: The Firewall logging estimator tool reports logging volume in GB/day after the Firewall logs have been compressed in the SAL pipeline. The volume recommended by the estimator may therefore be materially lower than the volume needed to store the same logs uncompressed, for example on a generic syslog server. The best way to estimate log volume therefore remains the no-commitment 30-day free trial for SAL, which can run concurrently with the 30-day CDO trial.
Example of a Cisco Security Analytics and Logging billing PID (Product Identifier)
2.1 Security Analytics and Logging Licenses
The Cisco Security Analytics and Logging licenses are available in three tiers and follow a nested model in which a given license contains all features of the lower-level licenses. This means that the mid-level license contains the features of the lowest-level license, and the highest-level license contains the features of both licenses below it. Each license PID has a volume of 1 GB/day, with the desired quantity purchased for a 1-, 3-, or 5-year term. The licenses include 90 days of rolling cloud storage by default. For example, a 10 GB/day volume comes with 900 GB of 90-day rolling storage, which means that on the 91st day the first day’s logs are replaced by the 91st day’s logs, and so on. The log retention period can optionally be extended to 1, 2, or 3 years for an additional charge. Data received above the daily volume is not throttled; instead it may produce an overage bill if the daily average is exceeded over a full calendar month. Only one license tier can be applied to a tenant, since the tiers are nested, but licenses from the same subscription may be applied to multiple tenants.
2.1.1 License Logging and Troubleshooting
The Logging and Troubleshooting License provides 90 days of rolling cloud storage based on the ingest rate for logs, which today supports Firewall Event Logs (FTD only, with ASA support coming soon). This license allows troubleshooting using the basic search and filter capabilities of the viewer. It presents its outcomes through the Event Logging tab nested under the Monitoring tab of the CDO UI, with an SWC-native event viewer for non-CDO-managed devices being made available in early FY 2021. This and all subsequent licenses use the Secure Event Connector (SEC) covered in section 1.2.1 to send Firewall logs to the cloud, although devices running Firepower 6.5 and later can send events directly to the cloud without an SEC. The expansion Product Identifier (PID) of this license is SAL-CL-LT-1GB, with volume discounts built in for higher quantities, and the associated overage PID is SAL-CL-LT-OVRG.
2.1.2 License Logging Analytics and Detection
Provides Stealthwatch Cloud’s best-in-class behavioral threat detections, applied to the logs ingested under the previous license. This license presents its outcomes through the Security Analytics tab nested under the Monitoring tab of the CDO UI, by cross-launching the user into an instance of Stealthwatch Cloud, access to which is included at no extra charge with this license. Alternatively, users can log in directly to the SWC instance/tenant associated with their license. The expansion PID of this license is SAL-CL-LA-1GB, with volume discounts built in for higher quantities, and the associated overage PID is SAL-CL-LA-OVRG.
2.1.3 License Total Network Analytics and Detection
Provides Stealthwatch Cloud’s best-in-class behavioral detections, applied to both log data and Private Network telemetry. This license presents its outcomes through the Security Analytics tab nested under the Monitoring tab of the CDO UI, by cross-launching the user into an instance of Stealthwatch Cloud, access to which is included at no extra charge with this license. In addition, this license analyzes network telemetry from up to 50 endpoints per GB/day of log volume purchased. For example, a 10 GB/day volume includes a daily volume of 10 GB of logs, plus 10 GB/day × 50 = 500 endpoints of Private Network Telemetry support. Storage used by the private network telemetry is priced into this license; it does not come out of the purchased log storage and does not contribute toward the daily volume, storage used, or overage calculation. The network telemetry is sent to the cloud through the Stealthwatch Cloud Virtual Connector, in addition to the SEC used for Firewall log data. The expansion PID of this license is SAL-CL-TA-1GB, with volume discounts built in for higher quantities, and the associated overage PID is SAL-CL-TA-OVRG.
The daily ingest rate purchased for any license does not throttle the logging or analytics functions when the limit is reached; instead the overage may trigger a single monthly bill in arrears, even if the subscription was applied across multiple tenants. The overage is aggregated over the entire calendar month so that daily peaks are averaged out. For example, a 10 GB/day daily volume entitles the license holder to 300 GB of logs in a 30-day month. If 330 GB of data was sent during that month, an overage bill of 1 GB/day [(330 GB - 300 GB) / 30 days] may be produced for the month. To help estimate the daily volume for various configurations, an estimator tool based on average event emission rates is provided, as well as a 30-day trial that can be used to assess requirements.
Note: The daily volume for SAL licenses is based on the compressed data volume stored in the cloud, not on the volume of data emitted by the sensor. For example, 5 GB/day of logs emitted by a Firewall may (in some cases) compress to 1 GB/day of cloud data, in which case only 1 GB/day of license needs to be purchased.
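As an added example (not Cisco code, and not part of the original guide), the following Python puts the sizing arithmetic from sections 1.3 and 2.1 into one place: converting a sustained events-per-second rate into emitted and then compressed GB/day, the 90-day rolling storage and TA endpoint entitlements, and the calendar-month overage aggregated across every tenant sharing a subscription. The guide does not publish the estimator’s internals, so the per-event size (400 bytes) and the 5:1 compression ratio are assumptions chosen to match the guide’s own “5 GB emitted, 1 GB stored” illustration; month lengths come from the calendar so 28-, 29-, 30- and 31-day months are all handled, and the function refuses a usage series that does not cover the whole month.

```python
"""Worked example of the SAL volume, retention and overage arithmetic
described in sections 1.3 and 2.1 of the ordering guide.

Added example only; this is not Cisco code. The estimator's real per-event
sizes and compression ratios are not published in the guide, so every
numeric constant marked ASSUMPTION below is for illustration.
"""
from __future__ import annotations

import math
from calendar import monthrange
from typing import Dict, List

GB = 1_000_000_000            # the guide quotes volumes in (decimal) GB
SECONDS_PER_DAY = 86_400
DEFAULT_RETENTION_DAYS = 90   # included with every tier (section 2.1)
TA_ENDPOINTS_PER_GB_DAY = 50  # Total Network Analytics entitlement (2.1.3)

# ASSUMPTION: average size of one firewall syslog event on the wire.
ASSUMED_EVENT_BYTES = 400
# ASSUMPTION: compression achieved in the SAL pipeline. The guide's note
# gives 5 GB/day emitted -> 1 GB/day stored as one possible case.
ASSUMED_COMPRESSION_RATIO = 5.0


def emitted_gb_per_day(eps: float, event_bytes: int = ASSUMED_EVENT_BYTES) -> float:
    """Uncompressed log volume per day for a sustained events-per-second rate."""
    return eps * event_bytes * SECONDS_PER_DAY / GB


def licensed_gb_per_day(emitted_gb: float,
                        ratio: float = ASSUMED_COMPRESSION_RATIO,
                        headroom: float = 0.10) -> int:
    """Whole GB/day to order: stored (compressed) volume plus peak headroom,
    rounded up, because CCW only accepts an integer greater than zero."""
    stored = emitted_gb / ratio
    return max(1, math.ceil(stored * (1.0 + headroom)))


def rolling_storage_gb(gb_per_day: int,
                       retention_days: int = DEFAULT_RETENTION_DAYS) -> int:
    """Rolling cloud storage that comes with the licensed daily volume."""
    return gb_per_day * retention_days


def ta_endpoints(gb_per_day: int) -> int:
    """Private network endpoints covered by a Total Network Analytics license."""
    return gb_per_day * TA_ENDPOINTS_PER_GB_DAY


def monthly_overage_gb_per_day(year: int, month: int, gb_per_day: int,
                               stored_by_tenant: Dict[str, List[float]]) -> float:
    """Overage (GB/day) for one calendar month.

    stored_by_tenant maps each tenant sharing the subscription to the
    compressed GB stored on each day of the month. Usage is summed across
    tenants and across the whole month, so a peak day is offset by quiet
    days, and only the amount above (licensed volume x days in month)
    counts. Returns 0.0 when the entitlement is not exceeded.
    """
    days_in_month = monthrange(year, month)[1]
    for tenant, series in stored_by_tenant.items():
        if len(series) != days_in_month:
            raise ValueError(
                f"{tenant}: expected {days_in_month} daily values, got {len(series)}")
    total_stored = sum(sum(series) for series in stored_by_tenant.values())
    entitlement = gb_per_day * days_in_month
    return max(0.0, (total_stored - entitlement) / days_in_month)


if __name__ == "__main__":
    # Sizing for a sustained 1000 eps firewall (constructed figure).
    emitted = emitted_gb_per_day(1000)
    order = licensed_gb_per_day(emitted)
    print(f"1000 eps -> {emitted:.2f} GB/day emitted, order {order} GB/day")
    print(f"{order} GB/day includes {rolling_storage_gb(order)} GB rolling storage "
          f"and {ta_endpoints(order)} TA endpoints")

    # Overage: the guide's 330 GB vs 300 GB example, split across two tenants
    # in a 30-day month (April 2020). Daily values are constructed.
    usage = {"tenant-a": [8.0] * 30, "tenant-b": [3.0] * 30}
    print("overage:", monthly_overage_gb_per_day(2020, 4, 10, usage), "GB/day")
```

Running it reproduces the guide’s 1 GB/day overage for 330 GB sent against a 10 GB/day license in a 30-day month, and shows why the same 10 GB/day license yields only a 290 GB entitlement in February: the entitlement is the licensed volume multiplied by the actual number of days, not a fixed monthly figure.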
2.1.5 Extended Log Retention
Storage does not need to be purchased separately: 90 days of storage at the licensed daily volume is included by default at no additional cost. This means that a 10 GB/day daily volume comes with 90 × 10 GB/day = 900 GB of rolling storage for logs. On the 91st day the first day’s logs are purged, and so on for the term of the license. In addition to the 90-day default, an option is provided to extend the log retention period to 1, 2, or 3 years. Customers who choose this option retain their logs for the desired duration for an extra charge. The extended-retention data set will also be available for download, a feature that is being enabled shortly.
2.1.6 Stealthwatch Cloud Add-on Licenses (Optional)
Since Log and Endpoint Analytics for SAL are provided by Stealthwatch Cloud, customers can order additional endpoint licenses, or include public cloud licenses within the same instance of the SAL tenant in SWC. This add-on option thus provides ease of monitoring of additional endpoints and effective mega flows of Stealthwatch Cloud within SAL tenants. Refer to Sec 2.3 of the Stealthwatch Cloud Ordering Guide for Stealthwatch Cloud license details.
SAL is available for order through Cisco Commerce using the appropriate subscription part number.
1. Begin by searching for the Security Analytics and Logging Product ID: SAL-SUB
2. From the subscription configuration:
a. Select the requested start date for the term.
b. Select the desired term length. The default selection is 36 months; 1-, 12-, 24-, and 60-month terms are also available.
i. For month-to-month subscriptions, a 1-month initial term must be selected.
c. Select the desired auto-renewal term. The default selection is 12 months; 36 months, 60 months, and “Do Not Auto Renew” options are also available.
3. Currently Cloud Data Store is selected by default, which indicates that logs are stored in the cloud. This is in contrast to On-premises Store, which is not yet available at the time of publication. The screen presented to the user allows for selecting any one of three licenses, as shown below.
4. After selecting the license type, the user selects the desired daily volume in GB/day, an integer greater than zero.
5. Choosing a daily volume automatically populates the configuration summary to the left and adds an overage PID. The overage PID is used to produce an overage bill at the end of each calendar month whenever the daily volume is exceeded in aggregate over that month. The expansion PIDs for the SAL licenses are:
(a) SAL-CL-LT-1GB: License Logging and Troubleshooting for 1GB/day.
(b) SAL-CL-LA-1GB: License Logging Analytics and Monitoring for 1GB/day.
(c) SAL-CL-TA-1GB: License Total Network Analytics and Monitoring for 1GB/day.
(d) SAL-CL-LT-OVRG: Usage-based overage PID for License Logging and Troubleshooting, which is not charged at time of placing order but is used to calculate overage charges if entitlement is exceeded.
(e) SAL-CL-LA-OVRG: Overage PID for License Logging Analytics and Detection, which is not charged at time of placing order but is used to calculate overage charges if entitlement is exceeded.
(f) SAL-CL-TA-OVRG: Overage PID for License Total Network Analytics and Monitoring, which is not charged at time of placing order but is used to calculate overage charges if entitlement is exceeded.
6. On choosing the license type and quantity, the selection for logs retention is presented, with a 90-day default available for no extra charge, while the 1-, 2-, and 3-year retention PIDs expanded below are chargeable.
(a) SAL-CL-1GB-1Y-EXTN: 1 year of logs retention (up from default of 90 days).
(b) SAL-CL-1GB-2Y-EXTN: 2 years of Logs retention (up from default of 90 days).
(c) SAL-CL-1GB-3Y-EXTN: 3 years of Logs retention (up from default of 90 days).
7. The last step for order completion is to indicate the desired Stealthwatch Cloud Public Cloud Monitoring (PCM) or Private Network Monitoring (PNM) licenses needed. This allows provisioning of the SWC tenant to be the same as the SAL tenant. The PIDs for Stealthwatch Cloud are:
(a) ST-CL-PCM: Stealthwatch Cloud’s Public Cloud Monitoring License, sold per efm (effective mega flows).
(b) ST-CL-PNM: Stealthwatch Cloud’s Private Network Monitoring License, sold per endpoint monitored.
8. When the order configuration is complete, select the Done button at the bottom.
3.1 Security Buying Programs
The offer is intended to be made available through the various Security buying programs, such as Enterprise Agreements (EAs), the Software Volume Program (SVP), and Master Service Level Agreements (MSLAs). At the time of this publication, however, Security Analytics and Logging is not available through any security buying program.
For the most up-to-date information regarding product inclusion and ordering processes, please visit https://www.cisco.com/c/en/us/products/security/security-analytics-logging/index.html.
4.1 Cisco Software Support for Security Analytics and Logging
The basic online support option of Cisco Software Support for Security is available for Cisco Security Analytics and Logging subscriptions. Basic online support provides foundational support for the full term of the purchased software subscription, including access to support through online tools or email. Cisco will respond to a submitted case no later than the next business day during standard business hours. Telephone access is not provided.
When a Cisco Security Analytics and Logging subscription is ordered, basic online support is embedded as part of that subscription. It is not a separate orderable service. Therefore, when a subscription is renewed, basic online support will also renew with the same term. No additional products or fees are required to receive this support with an SaaS subscription.
For more information about Cisco Software Support for Security, refer to the service description.
Table 1. PIDs for Basic Services–Transaction
Basic software support
The significant benefits offered by Cisco Security Analytics and Logging make it the natural choice for network security. As with any technology investment, the question is its affordability. The answer is Cisco Capital® financing. Whether through flexible repayments to match expenditure to benefit and help mitigate cash flow issues, or an operating lease to help negate capital expenditure, we can provide the financing solution that works best for your customers.
Cisco Capital can help remove or reduce the barriers preventing organizations from obtaining the technology they need. Total solution financing programs help our customers and partners:
● Achieve business objectives
● Accelerate growth
● Acquire technology to match current strategies and future needs
● Remain competitive
Cisco Capital also helps your customers achieve financial goals such as optimizing investment dollars. It serves more than 100 countries, so that regardless of location, customers and partners have access to a trusted means of securing Cisco products and services. Learn more.