Cisco Tetration Analytics: Enhanced security and operations with real-time analytics
John Joo
Tetration Business Unit
Cisco Systems
© 2018 Cisco and/or its affiliates. All rights reserved.
Security Challenges in Modern Data Centers
Securing applications has become complex
Applications are driving modern data center infrastructure:
• Rapid application deployment
• Continuous development
• Application mobility
• Microservices
• Policy enforcement
• Heterogeneous network
• Zero-trust security
• Policy compliance
NSA TAO* Chief on Disrupting Nation State Hackers
Intrusion Phases
• Reconnaissance
• Initial Exploitation
• Establish Persistence
• Install Tools
• Move Laterally
• Collect, Exfil, and Exploit
Approaches to defense
• Segment the network
• Whitelist applications
• Figure out what’s routine in your infrastructure (and what’s not)
• Figure out what you need to protect and segment that off
• Lock down at the host level
https://www.youtube.com/watch?v=bDJb8WOJYdA
* Tailored Access Operations
Introducing Tetration
Three pillars: Application Insight; Flow Search & Forensics; Segmentation & Compliance
Open Access: Web, REST API, Event Bus, Lab
Billions of events: metadata generated from every packet
Software & Network Sensors: See everything
• OS sensor: Windows, Linux, mid-range, Universal
• Network sensor: cloud-scale Nexus, Nexus 9000 ‘X’
Data Analytics & Machine Learning Engine
Analytics cluster (appliance model, on-premise or cloud):
▸ Ingest
▸ Store
▸ Analyse
▸ Learn
▸ Simulate
▸ Act
Cisco Tetration use cases (Security and Operations)
• Visibility and forensics
• Application insight
• Policy
• Neighborhood graphs & cloud migration
• Application segmentation
• Compliance
• Policy simulation
• Process inventory
Use Cases
Application Insight; Flow Search & Forensics; Segmentation & Compliance
• Accelerate Business Transformation
• Accelerate Technology Transformation
• Secure Cloud & Data Centre
• Operational Excellence
Cisco Tetration Analytics Architecture Overview
Cisco Tetration Analytics™ Platform: Analytics Engine
Visualization and Reporting: Web GUI, REST API, Push Events
Data Collection: Host Sensors, Network Sensors, Third-Party Metadata Sources
Inputs: Tetration telemetry and configuration data
Sources: Cisco Nexus® 92000YC-X, Cisco Nexus 93000YC-EX, VMs
Cisco Tetration Analytics Data Sources
Software sensors
• Linux servers (virtual machine and bare metal)
• Windows servers (virtual machines and bare metal)
• Windows Desktop VM (virtual desktop infrastructure only)
• Universal* (basic sensor for other OS)
*Note: No per-packet telemetry; not an enforcement point
Main features
• Low CPU overhead (SLA enforced)
• Low network overhead (SLA enforced)
• New enforcement point (software agents)
• Highly secure (code signed and authenticated)
• Every flow (no sampling) and no payload
Network sensors
• Next-generation Cisco Nexus® Series Switches
• Cisco Nexus 9300 EX
• Cisco Nexus 9300 FX
Third-party data sources (available today)
• Asset tagging
• Load balancers
• IP address management
• CMDB
• …
Holistic Approach to Server Protection
• Dynamic and heterogeneous environment
• Traffic visibility, server process baseline, and analytics
• Policy that enables application segmentation
• Policy enforcement
• Application control using whitelists
• Advanced behavior analysis
• Break organizational silos
Get Great Identity About Endpoints
• Discovered inventory
• Uploaded inventory and metadata (32 arbitrary tags)
• Inventory tracked in real time, along with historical trends
Inputs to the Cisco Tetration Analytics™ merge operation:
• User-uploaded tags
• Cisco Tetration Analytics™ sensor feed
• VMware vCenter (virtual machine attributes)
• AWS attributes (AWS tags)
Result: real-time inventory merged with this information, along with historical trends
The Goal Is to Describe Intent
I want to…
• Block non-production apps talking to production apps
• Allow HR apps to use the employee database
• Block all HTTP connections that are not destined to web servers
• Allow and notify me when a new app requests DNS server access
• Block and notify me when a new app requests AD server access
How Does It Work?
Tetration automatically converts your intent into blacklist and whitelist rules:
Intent: Block non-production apps talking to production apps
  DENY SOURCE 10.0.0.0/8 DEST 128.0.0.0/8
Intent: Allow HR apps to use the employee database
  ALLOW SOURCE 128.0.10.0/16 DEST 128.0.11.0/16
Intent: Block all HTTP connections that are not destined to web servers
  ALLOW SOURCE * DEST 128.0.100.0/16 PORT = 80
  DENY SOURCE * DEST * PORT = 80
Enforcement of Policy Across Any Floor Tile
Cisco Tetration Analytics™:
1. Generates unique policy per workload
2. Pushes policy to all workloads
3. Workload securely enforces policy
4. Continuously recomputes policy from identity and classification changes
Enforcement and compliance monitoring across virtual, bare metal, Cisco ACI™, public cloud (Azure, Amazon), and traditional network
Policy-Related Notification
Cisco Tetration Analytics™ → Kafka broker (message publish) → northbound consumers
• Alerts every minute for enforcement
• Policy compliance event notifications
• Count of policy alerts until whitelisted
• Alerts when iptables or firewall is flushed or disabled by user
• Alerts when enforcement sensor is disabled
• Publishes policy differences between versions
Cisco Tetration: Server Process and Process Hash
• Computed process hash for all the processes running on the server
• Search based on:
  • Process
  • Process ID
  • All servers running a particular process
  • Details for long-running processes
  • User ID associated with process and process ID
• Use process hash information to search for suspicious processes against any IOCs
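The searches listed above, as an added example that is not Cisco's code: a small process inventory (hosts, PIDs, users and executable bytes are all constructed) in which each process is identified by the SHA-256 of its image, so the same name hashing differently on two hosts, or matching a hash from an IOC list, stands out.

```python
"""Added example, not Cisco's code: process-inventory searches keyed on a
computed process hash, over a constructed inventory and IOC list."""
import hashlib
from collections import namedtuple

Proc = namedtuple("Proc", "host pid user name exe_bytes")


def process_hash(exe_bytes):
    """SHA-256 of the executable image, as a host sensor would compute it."""
    return hashlib.sha256(exe_bytes).hexdigest()


# Constructed inventory: two web hosts and a database host. The last entry
# is a binary that calls itself nginx but does not hash like the others.
INVENTORY = [
    Proc("web-01", 412, "root", "nginx", b"nginx-1.18 build A"),
    Proc("web-02", 398, "root", "nginx", b"nginx-1.18 build A"),
    Proc("db-01", 1021, "postgres", "postgres", b"postgres-12 build B"),
    Proc("web-02", 7731, "www-data", "nginx", b"not really nginx"),
]

# Constructed IOC list (stands in for a threat feed): the hash of the odd binary.
IOC_HASHES = {process_hash(b"not really nginx")}


def servers_running(name):
    """All servers running a process with the given name."""
    return sorted({p.host for p in INVENTORY if p.name == name})


def hash_groups(name):
    """Group one process name by hash: the same binary should hash the same
    everywhere, so a second hash for 'nginx' is worth investigating."""
    groups = {}
    for p in INVENTORY:
        if p.name == name:
            groups.setdefault(process_hash(p.exe_bytes), []).append(
                (p.host, p.pid, p.user))
    return groups


def match_iocs(iocs):
    """Processes whose hash is on the IOC list, with host, PID and user."""
    return [(p.host, p.pid, p.user, p.name) for p in INVENTORY
            if process_hash(p.exe_bytes) in iocs]


if __name__ == "__main__":
    print(servers_running("nginx"), hash_groups("nginx"), match_iocs(IOC_HASHES))
```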
Insight-Based Notification: Neighborhood Graphs
Cisco Tetration Analytics™ → Kafka broker (message publish) → northbound consumers
Neighborhood graphs
• Find up to two-hop communication neighbors for a selected workload
• Drill down into details about communication between these neighbors
• View dashboard display using graph database
• Determine the number of server hops between two workloads
• Get out-of-the-box and custom alerts through Kafka
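The neighborhood-graph queries above, as an added example that is not Cisco's code: flow records are constructed (consumer, provider, port, bytes), the graph is an undirected adjacency map, and the two-hop neighborhood, hop count and drill-down are plain breadth-first searches over it.

```python
"""Added example, not Cisco's code: neighborhood-graph queries (two-hop
neighbors, hop count, drill-down) over constructed flow records."""
from collections import defaultdict, deque

# Constructed flow records: (consumer, provider, provider port, bytes)
FLOWS = [("web-01", "app-01", 8080, 120_000),
         ("web-02", "app-01", 8080, 90_000),
         ("app-01", "db-01", 5432, 450_000),
         ("app-01", "cache-01", 6379, 30_000),
         ("db-01", "backup-01", 22, 2_000_000),
         ("mon-01", "web-01", 443, 5_000)]


def build_graph(flows):
    """Undirected adjacency map with one edge per consumer/provider pair."""
    adj = defaultdict(set)
    for consumer, provider, _, _ in flows:
        adj[consumer].add(provider)
        adj[provider].add(consumer)
    return adj


def neighbors_by_hop(adj, start, max_hops=2):
    """BFS from a workload: {1: first-hop set, 2: second-hop set, ...}."""
    seen, frontier, out = {start}, {start}, {}
    for hop in range(1, max_hops + 1):
        frontier = {n for w in frontier for n in adj[w]} - seen
        seen |= frontier
        out[hop] = frontier
    return out


def hop_distance(adj, a, b):
    """Fewest server hops between two workloads, None if unreachable."""
    dist, queue = {a: 0}, deque([a])
    while queue:
        w = queue.popleft()
        if w == b:
            return dist[w]
        for n in adj[w]:
            if n not in dist:
                dist[n] = dist[w] + 1
                queue.append(n)
    return None


def edges_within(flows, workloads):
    """Drill-down: flow records with both endpoints inside a neighborhood."""
    return [f for f in flows if f[0] in workloads and f[1] in workloads]


GRAPH = build_graph(FLOWS)
print(neighbors_by_hop(GRAPH, "web-01"), hop_distance(GRAPH, "web-01", "backup-01"))
```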
Analyze Network Traffic for Cloud Migration
• Estimate usage and cost for your planned migration
• Run cost analysis on hypothetical migration scenarios, based on your actual network traffic
• Create a cloud profile > Define cloud migration scenario > Add your cloud pricing tiers and data to study an application migration
• Run hypothetical analysis to find out what it will cost to move certain workloads or full applications to the cloud
• Support for AWS, Azure, and other cloud platforms
Virtual Desktop Infrastructure: Visualization
Main features
• Support Microsoft Windows Desktop 7, 8, and 10
• Get per-packet, per-flow visibility
• Correlate traffic with process on the desktop instances
• Tie VDI user traffic to application workspace
(VDI instances report to Cisco Tetration Analytics™)
Cisco Tetration: Bring Your Own Data
Main features
• Stream any JSON-based telemetry to a data sink
• Support up to 10 simultaneous streaming topics
• Bring up to 5 GB of data per hour per streaming topic
• Analyze and write your results through alerts or UI
Diagram elements: streaming JSON telemetry, public cloud, data sink, northbound consumers
Datacenter Wide Traffic Flow Visibility
• Information about consumer, provider and type of traffic
• Detail information about the flow
Tetration Application Segmentation Policy Recommendation
Cisco Tetration Analytics™ application workspaces produce application segmentation policy for public cloud and private cloud
Real-Time and Historical Policy Simulation
• Validating policy impact assessment in real time
• Simulating policy changes over historic traffic
• View traffic “outliers” for quick intelligence
• Audit becomes a function of continuous machine learning
(Cisco Tetration Analytics™ Platform simulating across VM and bare-metal workloads)
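The rule format from the "How Does It Work?" slide and the historical simulation described above, as one added example that is not Cisco's code. It assumes first-match, top-down evaluation with an implicit final DENY (a whitelist model), parses the slide's rules verbatim, and replays constructed historical flows against two policy versions to list the flows whose verdict would change; the production DNS server address and the flows are constructed.

```python
"""Added example, not Cisco's code: first-match evaluation of ordered
ALLOW/DENY rules in the slide's format, replayed over constructed history."""
from ipaddress import ip_address, ip_network


def parse_rule(text):
    """Parse 'ACTION SOURCE a DEST b [PORT = n]' into a tuple. The slide's
    prefixes (e.g. 128.0.10.0/16) have host bits set, so strict=False is
    required; be aware that it widens them to 128.0.0.0/16."""
    tok = text.split()
    action, src, dst = tok[0], tok[2], tok[4]
    port = int(tok[-1]) if "PORT" in tok else None

    def net(s):
        return None if s == "*" else ip_network(s, strict=False)
    return action, net(src), net(dst), port


def decide(rules, flow):
    """(action, rule index) of the first rule matching (src, dst, dport);
    assumed default when nothing matches is DENY (whitelist model)."""
    src, dst, dport = ip_address(flow[0]), ip_address(flow[1]), flow[2]
    for i, (action, s, d, p) in enumerate(rules):
        if ((s is None or src in s) and (d is None or dst in d)
                and (p is None or p == dport)):
            return action, i
    return "DENY", None


def simulate(old, new, flows):
    """Replay history against both policy versions and return the flows
    whose verdict changes: the impact assessment before pushing new."""
    return [(f, decide(old, f)[0], decide(new, f)[0])
            for f in flows if decide(old, f)[0] != decide(new, f)[0]]


POLICY_V1 = [parse_rule(r) for r in (
    "ALLOW SOURCE 128.0.10.0/16 DEST 128.0.11.0/16",
    "DENY SOURCE 10.0.0.0/8 DEST 128.0.0.0/8",
    "ALLOW SOURCE * DEST 128.0.100.0/16 PORT = 80",
    "DENY SOURCE * DEST * PORT = 80")]
# v2: a new non-production app may reach a constructed production DNS
# server (128.0.53.10), placed ahead of the blanket non-prod -> prod deny.
POLICY_V2 = [parse_rule(
    "ALLOW SOURCE 10.0.0.0/8 DEST 128.0.53.10/32 PORT = 53")] + POLICY_V1
# Constructed historical flows: (source, destination, destination port)
HISTORY = [("10.1.2.3", "128.0.53.10", 53),      # non-prod app -> prod DNS
           ("10.1.2.3", "128.0.11.5", 5432),     # non-prod app -> prod DB
           ("128.0.10.4", "128.0.11.5", 5432),   # HR app -> employee DB
           ("192.168.5.5", "128.0.100.7", 80),   # HTTP to a web server
           ("192.168.5.5", "192.168.9.9", 80)]   # HTTP to a non-web host
print(simulate(POLICY_V1, POLICY_V2, HISTORY))
```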
Tetration Analytics: Open Access
Cisco Tetration Analytics Platform → Kafka broker (message publish) → northbound consumers; programmatic interface → northbound application
REST API
• Tetration flow search
• Sensor management
Push notification
• Out-of-box events
• User defined events
Tetration Apps
• Access to data lake
• Write your own application
Cisco Tetration Analytics: Ecosystem
• Service visibility
• Layer 4-7 services integration
• Security orchestration
• Service assurance
• Insight exchange
Insight Exchange
Workload telemetry data → ingestion pipeline → Insight Exchange
Tetration annotations (or connect your own)
Cisco Tetration Analytics: Deployment options
On-premises options
Cisco Tetration™ Platform (large form factor)
• Suitable for deployments of more than 5,000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
Includes:
• 36 x Cisco UCS® C220 servers
• 3 x Cisco Nexus® 9300 platform switches
Cisco Tetration-M (small form factor)
• Suitable for deployments of less than 5,000 workloads
Includes:
• 6 x Cisco UCS C220 servers
• 2 x Cisco Nexus 9300 platform switches
Public cloud (Amazon Web Services)
Cisco Tetration™ Cloud
• Software deployed in AWS
• Suitable for deployments of less than 1000 workloads
• AWS instance owned by customer
Huntington bank – Business value snapshot
Cisco Tetration enabling Huntington National Bank to execute major IT initiative faster and more efficiently
• 98% less time spent by application owners for application mapping
• 80-90% less staff time to carry out application mapping
• 60-65% faster expected execution of significant IT initiative
“We needed up to a month to map a complex application, and Cisco Tetration allows us to do this in days or less. This will help us complete a significant IT initiative with major cost implications in far less time.”
– Patrick Drew, Assistant Vice President, Network Infrastructure Manager, The Huntington National Bank
“The big ROI for us of using Cisco Tetration is not having to do application mapping again; the dynamic mapping means that we don’t have to go through the exercise again for future initiatives.”
– Patrick Drew, Assistant Vice President, Network Infrastructure Manager, The Huntington National Bank
Source: IDC (Analyze the future), © 2017 IDC. www.idc.com
Cisco IT: Business value
Traditional approach:
1. Hire a consultant
2. Collect logs, interview teams…
3. Identify application dependencies
4. Verify with every group
5. Static map, change requests
6. Implement policy, apps break
US$1M-$5M project; several months
Cisco Tetration™ platform:
• 70% reduction in cost and time
• 3600 person hours of skilled staff time saved for every 100 applications
• 20-40% reduction in virtual machine footprint
Summary
Real time and scalable
• Every packet, every flow
• Application segmentation for 1000s of applications
• Long term data retention
Granular policy enforcement
• Consistent policy enforcement
• Identify policy deviations in near real-time
• Support for workload mobility
Easy to use
• One touch deployment
• Self monitoring
• Self diagnostics
Open
• Standard web UI
• REST API (pull)
• Event notification (push)
• Tetration applications
Tetration answers your Critical Questions
• What was out of policy? (Audit & compliance)
• Who talks with who? (Application dependency)
• Network DVR visibility
• Automatic policy discovery
• Policy enforcement