
Cisco Tetration Analytics: Enhanced security and operations with real-time analytics

John Joo, Tetration Business Unit, Cisco Systems

© 2018 Cisco and/or its affiliates. All rights reserved.

Security Challenges in Modern Data Centers

Applications are driving modern data center infrastructure:

• Rapid application deployment
• Continuous development
• Application mobility
• Microservices

Securing applications has become complex:

• Policy enforcement
• Heterogeneous network
• Zero-trust security
• Policy compliance

NSA TAO* Chief on Disrupting Nation State Hackers

Intrusion phases:

• Reconnaissance
• Initial Exploitation
• Establish Persistence
• Install Tools
• Move Laterally
• Collect, Exfil, and Exploit

Approaches to defense:

• Segment the network
• Whitelist applications
• Figure out what’s routine in your infrastructure (and what’s not)
• Figure out what you need to protect and segment that off
• Lock down at the host level

https://www.youtube.com/watch?v=bDJb8WOJYdA

* Tailored Access Operations

Introducing Tetration

Three pillars: application insight; flow search & forensics; segmentation & compliance

Open access: Web, REST API, Event Bus, Lab

Billions of events: metadata generated from every packet

Software & network sensors: see everything

• OS sensor: Windows, Linux, Mid-Range, Universal
• Network sensor: Cloud-Scale Nexus, Nexus 9000 ‘X’

Data analytics & machine learning engine

• Analytics cluster, appliance model, on-premise or cloud
• ▸ Ingest ▸ Store ▸ Analyse ▸ Learn ▸ Simulate ▸ Act

Cisco Tetration™ use cases: Security and Operations

• Visibility and forensics
• Application insight
• Policy
• Neighborhood graphs
• Cloud migration
• Application segmentation
• Compliance
• Policy simulation
• Process inventory

Use Cases

Application insight, flow search & forensics, segmentation & compliance

• Accelerate business transformation
• Accelerate technology transformation
• Secure cloud & data centre
• Operational excellence

Cisco Tetration Analytics Architecture: Overview

Cisco Tetration Analytics™ Platform: analytics engine

Visualization and reporting:

• Web GUI
• REST API
• Push events

Data collection (Tetration telemetry and configuration data):

• Host sensors (VM)
• Network sensors (Cisco Nexus® 92000YC-X, Cisco Nexus 93000YC-EX)
• Third-party metadata sources

Cisco Tetration Analytics Data Sources

Software sensors:

• Linux servers (virtual machine and bare metal)
• Windows servers (virtual machines and bare metal)
• Windows Desktop VM (virtual desktop infrastructure only)
• Universal* (basic sensor for other OS)

Main features: low CPU overhead (SLA enforced); low network overhead (SLA enforced); new enforcement point (software agents); highly secure (code signed and authenticated); every flow (no sampling) and no payload.

*Note: No per-packet telemetry; not an enforcement point

Network sensors:

• Cisco Nexus 9300 EX
• Cisco Nexus 9300 FX
• Next-generation Cisco Nexus® Series Switches

Third-party data sources (available today):

• Asset tagging
• Load balancers
• IP address management
• CMDB

Holistic Approach to Server Protection

• Dynamic and heterogeneous environment
• Traffic visibility, server process baseline, and analytics
• Policy that enables application segmentation
• Policy enforcement
• Application control using whitelists
• Advanced behavior analysis
• Break organizational silos

Get Great Identity About Endpoints

• Discovered inventory
• Uploaded inventory and metadata (32 arbitrary tags)
• Inventory tracked in real time, along with historical trends

Cisco Tetration Analytics™ merge operation: real-time inventory from the sensor feed is merged with user-uploaded tags and external attributes (VMware vCenter virtual machine attributes, AWS tags), along with historical trends.

The Goal Is to Describe Intent

I want to…

• Block non-production apps talking to production apps
• Allow HR apps to use the employee database
• Block all HTTP connections that are not destined to web servers
• Allow and notify me when a new app requests DNS server access
• Block and notify me when a new app requests AD server access

How Does It Work?

Tetration automatically converts your intent into blacklist and whitelist rules.

Intent: Block non-production apps talking to production apps
Rules: DENY SOURCE 10.0.0.0/8 DEST 128.0.0.0/8

Intent: Allow HR apps to use the employee database
Rules: ALLOW SOURCE 128.0.10.0/16 DEST 128.0.11.0/16

Intent: Block all HTTP connections that are not destined to web servers
Rules: ALLOW SOURCE * DEST 128.0.100.0/16 PORT = 80
       DENY SOURCE * DEST * PORT = 80

Enforcement of Policy Across Any Floor Tile

Cisco Tetration Analytics™:

1. Generates unique policy per workload
2. Pushes policy to all workloads
3. Workload securely enforces policy
4. Continuously recomputes policy from identity and classification changes

Enforcement and compliance monitoring across virtual, bare metal, Cisco ACI™, public cloud (Azure, Amazon, Google), and traditional network.

Policy-Related Notification

Cisco Tetration Analytics™ publishes messages to a Kafka broker; northbound consumers subscribe.

• Alerts every minute for enforcement
• Policy compliance event notifications
• Count of policy alerts until whitelisted
• Alerts when iptables or firewall is flushed or disabled by user
• Alerts when enforcement sensor is disabled
• Publishes policy differences between versions

Cisco Tetration: Server Process and Process Hash

• Computed process hash for all the processes running on the server
• Search based on:
  • Process
  • Process ID
  • All servers running a particular process
  • Details for long-running processes
  • User ID associated with process and process ID
• Use process hash information to search for suspicious processes against any IOCs

Insight-Based Notification: Neighborhood Graphs

Cisco Tetration Analytics™ publishes messages to a Kafka broker; northbound consumers subscribe.

Neighborhood graphs:

• Find up to two-hop communication neighbors for a selected workload
• Drill down into details about communication between these neighbors
• View dashboard display using graph database
• Determine the number of server hops between two workloads
• Get out-of-the-box and custom alerts through Kafka

Analyze Network Traffic for Cloud Migration

• Estimate usage and cost for your planned migration
• Run cost analysis on hypothetical migration scenarios, based on your actual network traffic
• Create a cloud profile > Define cloud migration scenario > Add your cloud pricing tiers and data to study an application migration
• Run hypothetical analysis to find out what it will cost to move certain workloads or full applications to cloud
• Support for AWS, Azure, and other cloud platforms (Azure, Amazon and Google shown)

Virtual Desktop Infrastructure: Visualization

Main features:

• Supports Microsoft Windows Desktop 7, 8, and 10
• Get per-packet, per-flow visibility from VDI instances
• Correlate traffic with process on the desktop instances
• Tie VDI user traffic to application workspace

Cisco Tetration: Bring Your Own Data

Main features:

• Stream any JSON-based telemetry to a data sink
• Support up to 10 simultaneous streaming topics
• Bring up to 5 GB of data per hour per streaming topic
• Analyze and write your results through alerts or UI

Diagram: streaming JSON telemetry from public cloud into the data sink; results reach northbound consumers.

Datacenter Wide Traffic Flow Visibility

Information about consumer, provider and type of traffic; detail information about the flow.

Tetration Application Segmentation Policy Recommendation

Cisco Tetration Analytics™ application workspaces produce application segmentation policy spanning public cloud and private cloud.

Real-Time and Historical Policy Simulation

• Validate policy impact assessment in real time
• Simulate policy changes over historic traffic
• View traffic “outliers” for quick intelligence
• Audit becomes a function of continuous machine learning

Cisco Tetration Analytics™ Platform (VM and BM workloads)
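As an added example (not Tetration code, nothing from the deck) serving both the intent-to-rules slide and this simulation slide: the slide's ALLOW/DENY rules evaluated first-match over constructed historical flows, so the flows a candidate policy would deny surface as "outliers" before anything is enforced; the Rule shape, the (src, dst, port) flow tuples, the sample addresses and the deny-by-default whitelist model are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Flow = Tuple[str, str, int]  # (source IP, destination IP, destination port)

@dataclass
class Rule:
    action: str                 # "ALLOW" or "DENY"
    src: str                    # CIDR or "*" (any)
    dst: str
    port: Optional[int] = None  # None = any port

def _in_net(cidr: str, ip: str) -> bool:
    # strict=False: the slide's prefixes (e.g. 128.0.10.0/16) have host bits set,
    # so they are masked to their network (128.0.0.0/16) instead of being rejected.
    return cidr == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def matches(rule: Rule, flow: Flow) -> bool:
    src, dst, port = flow
    return _in_net(rule.src, src) and _in_net(rule.dst, dst) and rule.port in (None, port)

def decide(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow no rule covers is denied (whitelist model)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "DENY"

# The slide's rules, ordered so the web-server ALLOW is seen before the blanket HTTP DENY.
POLICY = [
    Rule("DENY", "10.0.0.0/8", "128.0.0.0/8"),        # non-production -> production
    Rule("ALLOW", "128.0.10.0/16", "128.0.11.0/16"),  # HR apps -> employee database
    Rule("ALLOW", "*", "128.0.100.0/16", 80),         # HTTP only to web servers...
    Rule("DENY", "*", "*", 80),                       # ...and nowhere else
]

# Constructed historical flows standing in for sensor telemetry.
HISTORY: List[Flow] = [
    ("10.1.2.3", "128.0.11.5", 5432),      # non-prod host reaching the production DB
    ("128.0.10.7", "128.0.11.5", 5432),    # HR app to employee DB
    ("192.168.5.9", "128.0.100.20", 80),   # browser to a web server
    ("192.168.5.9", "192.168.7.1", 80),    # HTTP to something that is not a web server
    ("192.168.5.9", "192.168.7.1", 443),   # covered by no rule at all
]

def simulate(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Replay history against a candidate policy; denied flows are the outliers to review."""
    return [f for f in flows if decide(rules, f) == "DENY"]
```

Swapping the order of the last two rules makes the web-server ALLOW unreachable, and the replay shows it immediately: every port-80 flow in the history lands in the outlier list.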

Tetration Analytics: Open Access

Cisco Tetration Analytics Platform serves northbound applications and northbound consumers through:

• REST API (programmatic interface): Tetration flow search; sensor management
• Push notification (Kafka broker, message publish): out-of-box events; user-defined events
• Tetration Apps: access to data lake; write your own application

Cisco Tetration Analytics: Ecosystem

• Service visibility
• Layer 4-7 services integration
• Security orchestration
• Service assurance
• Insight exchange

Insight Exchange

Workload telemetry data enters the ingestion pipeline; Insight Exchange supplies Tetration annotations (or connect your own).

Cisco Tetration Analytics: Deployment options

On-premises options:

Cisco Tetration™ Platform (large form factor)
• Suitable for deployments of more than 5,000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
• Includes: 36 x Cisco UCS® C220 servers; 3 x Cisco Nexus® 9300 platform switches

Cisco Tetration-M (small form factor)
• Suitable for deployments of less than 5,000 workloads
• Includes: 6 x Cisco UCS C220 servers; 2 x Cisco Nexus 9300 platform switches

Public cloud:

Cisco Tetration™ Cloud (Amazon Web Services)
• Software deployed in AWS
• Suitable for deployments of less than 1000 workloads
• AWS instance owned by customer

Huntington Bank – Business value snapshot

Cisco Tetration enabling Huntington National Bank to execute major IT initiative faster and more efficiently

• 98% less time spent by application owners for application mapping
• 80-90% less staff time to carry out application mapping
• 60-65% faster expected execution of significant IT initiative

“We needed up to a month to map a complex application, and Cisco Tetration allows us to do this in days or less. This will help us complete a significant IT initiative with major cost implications in far less time.”
- Patrick Drew, Assistant Vice President, Network Infrastructure Manager, The Huntington National Bank

“The big ROI for us of using Cisco Tetration is not having to do application mapping again; the dynamic mapping means that we don’t have to go through the exercise again for future initiatives.”
- Patrick Drew, Assistant Vice President, Network Infrastructure Manager, The Huntington National Bank

Source: IDC (Analyze the future), © 2017 IDC. www.idc.com

Cisco IT: Business value

Traditional approach:

1. Hire a consultant
2. Collect logs, interview teams…
3. Identify application dependencies
4. Verify with every group
5. Static map, change requests
6. Implement policy, apps break

US$1M-$5M project; several months

Cisco Tetration™ platform:

• 70% reduction in cost and time
• 3600 person hours of skilled staff time saved for every 100 applications
• 20-40% reduction in virtual machine footprint

Customer Video


Summary

Real time and scalable:
• Every packet, every flow
• Application segmentation for 1000s of applications
• Long term data retention

Granular policy enforcement:
• Consistent policy enforcement
• Identify policy deviations in near real-time
• Support for workload mobility

Easy to use:
• One touch deployment
• Self monitoring
• Self diagnostics

Open:
• Standard web UI
• REST API (pull)
• Event notification (push)
• Tetration applications

Tetration answers your Critical Questions

• What was out of policy? Audit & compliance
• Network DVR visibility
• Automatic policy discovery
• Policy enforcement
• Application dependency: who talks with whom?