
Pinpoint Your SolarWinds Exposure with Cisco Endpoint Security Analytics

Jan, 14, 2021 Hi-network.com

As private organizations and high-value government bodies work out the blast radius of the recent state-sponsored SolarWinds attack, Cisco Endpoint Security Analytics (CESA) lets you assess your own exposure quickly, as the CESA customer quoted below did.

CESA brings together the unparalleled endpoint behavioral visibility of Cisco's AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform to help address the endpoint visibility gap left behind by traditional EDR/EPP solutions and network security analytics platforms.

So how does CESA accomplish this for the SolarWinds breach?  Well, it's actually in its wheelhouse.

CESA's ability to associate which endpoint accessed which domain, and which software process and protocol it used, gives immediate visibility into which endpoints are exposed, both on-net and off-net, within minutes.  How do we know?  Our CESA users have told us.

Here's an excerpt from a customer email we received:

"(IR analyst) brought up a great point today while digging out of this SolarWinds mess. We were able to connect local Windows processes to domains that were reported in the IOC lists.
With this information we could quickly understand what our endpoint exposure was for all managed hosts from their NVM logs. It also gave us a view into other domains that might have been associated with this attack, but not yet publicly published.

We likely never would have seen this data and could not explain our exposure to this severe threat.  (AnyConnect) NVM logs in Splunk once again helped to save the day."

If you want to go deeper, below is the CESA Splunk query the customer used for this scenario to surface stage-2 command-and-control (C2) traffic from the SolarWinds compromise that their anti-malware product had missed. It is a plain keyword search over the anyconnect index for the registrable-domain labels of the published IOC domains, so a hit can come from any field of an NVM record and should be confirmed against the destination-host and process fields before being treated as exposure.

CESA Splunk query:

earliest=-365d index=anyconnect (avsvmcloud OR digitalcollege OR freescanonline OR deftsecurity OR thedoccloud OR virtualdataserver OR websitetheme OR panhardware OR zupertech.com OR highdatabase OR incomeupdate OR databasegalore) | fields *

Below is an actual sample result from this simple query, showing the details of an exposed endpoint:

pr="6
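The same correlation the customer describes, written out as an added example rather than Cisco's or the CESA app's code: it takes endpoint flow records that carry device, user, process and destination hostname, flags the records whose destination matches one of the IOC terms from the query above, and then pivots on each flagged device/process pair to list the other destinations it contacted, which is how the customer spotted domains not yet on a public list. The records are constructed here in a simplified key="value" layout; only the pr field appears on the page, and the names dev, liuid, pn, dh, da and dp are assumptions standing in for whatever the NVM add-on actually emits. Bare IOC terms are matched against the registrable-domain label, which mirrors how the Splunk keyword search tokenizes a hostname while avoiding the substring false positive shown in the last sample record.

```python
"""Match endpoint flow records against a domain IOC list and pivot on hits.

Added example, not Cisco's code. Records are constructed in a simplified
key="value" form; field names other than pr are assumed, not taken from
the NVM add-on's schema.
"""
import re
from collections import defaultdict

# IOC terms copied from the page's Splunk query. A bare term (no dot) must
# equal the registrable-domain label exactly; a term with a dot must equal
# the hostname or be a parent domain of it.
IOC_TERMS = [
    "avsvmcloud", "digitalcollege", "freescanonline", "deftsecurity",
    "thedoccloud", "virtualdataserver", "websitetheme", "panhardware",
    "zupertech.com", "highdatabase", "incomeupdate", "databasegalore",
]

# Constructed sample records. dev = device, liuid = logged-in user,
# pn = process name, dh/da/dp = destination host/IP/port, pr = IP protocol.
SAMPLE_RECORDS = [
    'ts="2020-12-14T03:12:41Z" dev="LAPTOP-0417" liuid="acme\\jdoe" '
    'pn="SolarWinds.BusinessLayerHost.exe" '
    'dh="k3hn2p1q.appsync-api.eu-west-1.avsvmcloud.com" da="203.0.113.10" dp="443" pr="6"',
    'ts="2020-12-14T03:13:05Z" dev="LAPTOP-0417" liuid="acme\\jdoe" '
    'pn="SolarWinds.BusinessLayerHost.exe" '
    'dh="cdn.example-updates.net" da="203.0.113.22" dp="443" pr="6"',
    'ts="2020-12-14T03:14:10Z" dev="LAPTOP-0417" liuid="acme\\jdoe" '
    'pn="chrome.exe" dh="www.example.org" da="198.51.100.7" dp="443" pr="6"',
    'ts="2020-12-15T11:02:33Z" dev="SRV-ORION-01" liuid="acme\\svc_orion" '
    'pn="SolarWinds.BusinessLayerHost.exe" dh="zupertech.com" da="203.0.113.40" dp="443" pr="6"',
    'ts="2020-12-15T11:03:00Z" dev="SRV-ORION-01" liuid="acme\\svc_orion" '
    'pn="svchost.exe" dh="time.example.net" da="198.51.100.9" dp="123" pr="17"',
    # Lookalike: a raw substring search would flag it, a label match will not.
    'ts="2020-12-15T12:00:00Z" dev="WS-0099" liuid="acme\\asmith" '
    'pn="outlook.exe" dh="notavsvmcloud.example.com" da="198.51.100.12" dp="443" pr="6"',
]

KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line: str) -> dict:
    """Split one key="value" record into a dict."""
    return dict(KV_RE.findall(line))


def match_ioc(hostname: str, terms=IOC_TERMS):
    """Return the IOC term a destination hostname matches, or None."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    for term in terms:
        term = term.lower()
        if "." in term:
            if host == term or host.endswith("." + term):
                return term
        elif sld == term:
            return term
    return None


def find_exposure(lines, terms=IOC_TERMS):
    """Return parsed records whose destination host hits an IOC term,
    each annotated with the term that matched."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        term = match_ioc(rec.get("dh", ""), terms)
        if term:
            hits.append({**rec, "ioc": term})
    return hits


def pivot_on_hits(lines, hits):
    """For each (device, process) that hit an IOC, collect the other
    destinations that same process on that device contacted. These are
    candidates to review, not confirmed indicators."""
    flagged = {(h["dev"], h["pn"]) for h in hits}
    hit_hosts = {h["dh"] for h in hits}
    candidates = defaultdict(set)
    for line in lines:
        rec = parse_record(line)
        key = (rec.get("dev"), rec.get("pn"))
        if key in flagged and rec.get("dh") not in hit_hosts:
            candidates[key].add(rec["dh"])
    return dict(candidates)


def summarize(lines=SAMPLE_RECORDS, terms=IOC_TERMS):
    """Exposure rows (device, user, process, destination, IOC) plus pivots."""
    hits = find_exposure(lines, terms)
    exposed = sorted({(h["dev"], h["liuid"], h["pn"], h["dh"], h["ioc"]) for h in hits})
    return exposed, pivot_on_hits(lines, hits)


if __name__ == "__main__":
    exposed, pivots = summarize()
    print("Exposed endpoints (device, user, process, destination, IOC):")
    for row in exposed:
        print("  ", row)
    print("Other destinations from the same device/process, to review:")
    for (dev, pn), hosts in pivots.items():
        print(f"  {dev} {pn}: {sorted(hosts)}")
```

On the constructed input this reports two exposed endpoints (the laptop and the Orion server, both via SolarWinds.BusinessLayerHost.exe) and one pivot candidate, cdn.example-updates.net, contacted by the same process on the laptop; the lookalike hostname on WS-0099 is not flagged. Feeding the script real NVM exports only requires adjusting the field names in the record parser.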

Tags: Cisco SecureX, network security monitoring, Cisco Endpoint Security Analytics, ciscosolarwindsresponse, Cisco AnyConnect Network Visibility Module

Copyright © 2014-2024 Hi-Network.com | HAILIAN TECHNOLOGY CO., LIMITED | All Rights Reserved.