Enhanced security and operations with real time analytics · Le Anh Duc Solution Architect - ASEAN...


Page 1:

Le Anh Duc

Solution Architect - ASEAN

11 Jan 2018

How to strengthen DC Security with Cisco Tetration Analytics

Enhanced Security and Operations with Real Time Analytics

Page 2:

© 2018 Cisco and/or its affiliates. All rights reserved.

• Security Landscape and Overview

• Tetration use cases demo

• ADM and Whitelisting

• Security

• Pervasive Visibility

• Q&A

Page 3:

I’ve already invested in many security vendors …

Page 4:

… But am I safe?

Reference: http://map.norsecorp.com/

Page 5:

Page 6:

How can we secure our DC?

Page 7:

National Security Agency (NSA) on securing your assets

1. When protecting your network, you have to know everything that is going on.

2. Decrease the attack surface. Lock down and disable services you are not using.

3. Identify what is routine in your infrastructure and what is not. Monitor for deviations.

4. Whitelisting is a must in today’s cyber security world.

Usenix Enigma 2016: https://www.youtube.com/watch?v=bDJb8WOJYdA

Rob Joyce, Tailored Access Operations, NSA

https://techtalk.pcpitstop.com/2016/09/07/nsa-best-practices-whitelisting/

https://www.theregister.co.uk/2016/01/28/nsas_top_hacking_boss_explains_how_to_protect_your_network_from_his_minions/

“If you really want to protect your network you have to know your network, including all the devices and technology in it,” he said. “In many cases we know networks better than the people who designed and run them.”

Page 8:

Whitelisting greatly strengthens your security posture!

1. Whitelist

2. Patch Apps

3. Patch OS

4. Restrict Admin Privileges

https://www.asd.gov.au/infosec/mitigationstrategies.htm

Page 9:

Reason #1: NWL blocks zero-day attacks (a compromised server is not allowed to talk)

Reason #2: It prevents unintended applications from communicating

Reason #3: It reduces IT support expenses

Source: http://blog.secureaplus.com/3-reasons-application-whitelisting-is-essential-for-enterprise-it

Page 10:

What if you could actually look at everything in your Data Center that has ever traversed the network?

Page 11:

Tetration with Machine Learning answers your critical questions

• What’s normal / baseline?

• What’s going on now, and 6 months ago?

• What’s an outlier?

• Who is talking to whom?

• Real-time whitelist policy?

• How to enforce policy in a heterogeneous environment?

• How to reduce MTTI?

• How to lock down unused services/VMs?

Page 12:

• Provide visibility into the traffic flow within Data Centers.

What’s next - NPMD use case

[Figure: mobile packet core topology: vEPC (S-GW, PGW, MME) on ACI as SDN fabric; Gi-LAN (LB, FW, IPS, Large Scale NAT) on ACI as Gi-LAN fabric; Service Domain; the Internet; IP backbone]

• Where are the “congested areas”? What applications (flows) are impacted?

• What applications (flows) use which links? What’s the latency through the fabric? Packet drop?

• What does the hop-by-hop path look like for this application (flow)?

Page 13:

Common Use Cases

Automated Application Dependency Mapping (ADM)

• Cloud/DC Migrations

• Operation and Troubleshooting

• Isolating Legacy Applications

• Software Defined Networks (ACI)

• Zero-Trust Security – automated whitelist policy generation

• Application Segmentation

Simulation – “Try” before you “Apply”

• Compliance

• Audits

Forensics/Troubleshooting – Single Source of Truth

• Reduce MTTI (Mean time to investigate)

• Investigate performance issues

• Identify Zombie servers/VMs

Security

• Whitelist Policy

• Reduce Attack/Breach

Cisco IT reduced its VM count by more than 40% and its ACI deployment time by 70% after adopting Tetration.
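As an added example (not from the deck and not Cisco Tetration's own code), the Python below sketches the idea behind "identify what is routine and monitor for deviations" and ADM-style automated whitelist policy generation: workloads are grouped by asset tags, a cluster-to-cluster port whitelist is derived from baseline flows, and new flows are classified as allowed or deviating. All IPs, tags, ports and flows are constructed.

```python
from collections import namedtuple

# Constructed example; none of this is Tetration code. A flow record keeps only
# the fields a whitelist rule needs (no payload, matching the "no payload" design).
Flow = namedtuple("Flow", "src dst proto dport")

# Constructed asset tags, standing in for the CMDB/IPAM "third-party sources".
ASSET_TAGS = {
    "10.1.1.10": "web", "10.1.1.11": "web",
    "10.1.2.20": "app", "10.1.3.30": "db",
}

def tag(ip):
    # Untagged endpoints fall into a catch-all cluster; no policy is derived for them.
    return ASSET_TAGS.get(ip, "unknown")

def build_whitelist(baseline, min_count=2):
    """Return {(src_cluster, dst_cluster, proto, dport): count} for pairs seen at
    least min_count times in the baseline. Rarely seen pairs stay out, so one-off
    noise observed during baselining does not become permanent policy."""
    counts = {}
    for f in baseline:
        key = (tag(f.src), tag(f.dst), f.proto, f.dport)
        if "unknown" in key[:2]:
            continue
        counts[key] = counts.get(key, 0) + 1
    return {k: c for k, c in counts.items() if c >= min_count}

def classify(flow, whitelist):
    """'allow' if the flow matches a whitelist rule, otherwise 'deviation'
    (the outlier a zero-trust policy would block and an analyst would investigate)."""
    key = (tag(flow.src), tag(flow.dst), flow.proto, flow.dport)
    return "allow" if key in whitelist else "deviation"

# Constructed baseline: the routine web -> app -> db conversation.
BASELINE = [
    Flow("10.1.1.10", "10.1.2.20", "tcp", 8080),
    Flow("10.1.1.11", "10.1.2.20", "tcp", 8080),
    Flow("10.1.2.20", "10.1.3.30", "tcp", 5432),
    Flow("10.1.2.20", "10.1.3.30", "tcp", 5432),
    Flow("10.1.1.10", "10.1.3.30", "tcp", 22),  # seen once: not promoted to policy
]

if __name__ == "__main__":
    wl = build_whitelist(BASELINE)
    for f in [Flow("10.1.1.11", "10.1.2.20", "tcp", 8080),   # routine
              Flow("10.1.1.10", "10.1.3.30", "tcp", 5432)]:  # web talking straight to db
        print(f, classify(f, wl))
```

The min_count threshold is the point to tune: too low and baseline noise becomes policy, too high and legitimate but infrequent flows (backups, month-end jobs) show up as deviations.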

Page 14:

Cisco Tetration architecture overview

Data collection layer:

• Software sensor and enforcement

• Embedded network sensors (telemetry only)

• ERSPAN sensors (telemetry only)

• Third-party sources (configuration data)

• Bring your own data (streaming telemetry)

Analytics engine

Access mechanism:

• Web GUI

• REST API

• Event notification

• Cisco Tetration apps

Page 15:

Cisco Tetration analytics data sources

Software sensors (available today):

• Linux servers (virtual machine and bare metal)

• Windows servers (virtual machines and bare metal)

• Windows Desktop VM (virtual desktop infrastructure only)

• Universal* (basic sensor for other OS)

Main features:

• Low CPU overhead (SLA enforced)

• Low network overhead

• New enforcement point (software agents)

• Highly secure (code signed and authenticated)

• Every flow (no sampling) and no payload

*Note: No per-packet telemetry; not an enforcement point

Network sensors (available today):

• Cisco Nexus 9300 EX

• Cisco Nexus 9300 FX

• Next-generation Cisco Nexus® Series Switches

Third-party data sources (available today):

• Asset tagging

• Load balancers

• IP address management

• CMDB

Page 16:

Cisco Tetration telemetry: ERSPAN option

Expanded telemetry collection option

• Augment telemetry from other parts of the network

• Useful when a software sensor or hardware sensor is not feasible

• Dedicated virtual machines on each host with 4 software sensors in each virtual machine

• Each sensor binds to a separate vNIC

• ERSPAN terminates on the virtual machine vNIC

• Each sensor terminates one ERSPAN session

• Sensor generates telemetry based on the data-plane traffic

• Horizontally scalable

[Figure: production network -> Layer 3 switch -> ERSPAN (Layer 3 connection) -> ERSPAN sensor virtual machine -> Cisco Tetration™ telemetry -> Cisco Tetration™ Platform]

Page 17:

Tetration Analytics: Deployment Options

On-Premise Options

Cisco Tetration Analytics (Large Form Factor)

• Suitable for deployments of more than 5000 workloads

• Built-in redundancy

• Scales up to 25,000 workloads

Includes:

• 36 x UCS C-220 servers

• 3 x Nexus 9300 switches

Cisco Tetration-M (Small Form Factor)

• Suitable for deployments under 5000 workloads

Includes:

• 6 x UCS C-220 servers

• 2 x Nexus 9300 switches

Public Cloud (Amazon Web Services)

Cisco Tetration Cloud

• Software deployed in AWS

• Suitable for deployments under 1000 workloads

• AWS instance owned by customer

Page 18:

Cisco Tetration Analytics: Ecosystem

[Figure: Cisco Tetration Analytics™ at the center, integrating with: service visibility; Layer 4-7 services integration; security orchestration; service assurance; insight exchange]

Page 19: