Solution Overview

Cisco Tetration Analytics and ExtraHop: Real-Time Analytics for Security Policy Enforcement

Take fast action against threats like ransomware and brute-force login attempts by combining real-time application (Layer 7) visibility from ExtraHop with powerful Cisco Tetration Analytics security-policy enforcement.

The Cisco Tetration Analytics and ExtraHop Open Data Stream integration combines real-time application-layer visibility from ExtraHop with automated Cisco Tetration Analytics policy enforcement to simplify zero-trust implementations, detect anomalous network behavior, and automatically trigger enforcement policies. The result is a new layer of valuable context information through real-time application-level visibility that reveals the specific activities behind abnormal network traffic patterns.

This combined solution allows you to analyze and create baselines for traffic behavior so that you can solidify your security policies and microsegmentation plans. Segment your application servers from your database servers and external clients. Apply appropriate firewall policies at your endpoints immediately and automatically. And thwart major threats like ransomware with the industry's most targeted, accurate, and rapid security-policy enforcement.

Benefits

The Cisco Tetration Analytics and ExtraHop integrated solution delivers essential threat detection and security-policy enforcement from the data center to the cloud and the network edge. The combined solution gives you the power to easily and rapidly address the following scenarios, and more:

- Brute-force logins: Detect spikes in database traffic, determine whether spikes are due to brute-force login attempts, and locate attempts down to the specific table queries.
- Ransomware attacks: Examine Common Internet File System (CIFS) traffic to identify ransomware and automatically tag compromised hosts to stop the spread of the attack.
- Expired certificates: The Cisco Tetration Analytics platform helps customers identify expired certificates. ExtraHop takes this visibility one step further, identifying the specific server or servers on which the certificate has expired.
Trends and Challenges

We now live in a data-driven economy

A recent Gartner report discussing NetOps 2.0 stated, "NetOps teams must embrace practices and skill sets that include intent- and policy-driven methodologies that are proactive and business-centric, and that have a strong foundation in automation and analytics." In reality, 71 percent of network teams have difficulty balancing innovation, efficiency, and security, which is why 70 percent of projects are delivered late.[1] This leaves networking teams stuck playing catch-up, unable to focus on the strategic data necessary to achieve digital transformation and promote growth.

Data friction

Eight out of 10 IT professionals rely on users to notify them of problems, and teams spend up to 60 days per year troubleshooting performance issues. Organizations around the world face this challenge of data friction, and it's time to start talking about it. Too many obstacles are standing between IT teams and the data they need to rapidly find and fix problems.

A new approach: Rethink the network as the main data source

By combining the Cisco Tetration Analytics platform and ExtraHop, operations teams can overcome these challenges and more. Many operations teams are beginning to understand the true value of an asset they already own: the network. Using the network as a real-time data source enables these teams to address the data friction problem and run their operations with timeliness and confidence. By adding the power of Cisco Tetration Analytics traffic-flow visibility, operations teams get a view into data center clients, servers, and applications, resulting in an extensive application-dependency map. This integration of ExtraHop's analytics-first approach with Cisco Tetration Analytics analysis empowers operations teams to handle an increasing influx of data and address both tactical and strategic data challenges.

[1] 2016 State of the CIO survey conducted by CIO.com: http://www.cio.com/article/3022833/cio-role/state-of-the-cio-2016-its-complicated.html
The integration with ExtraHop and Cisco Tetration combines real-time application-layer visibility from ExtraHop with Cisco's application dependency mapping, real-time flow analysis, and automated policy enforcement delivered via Tetration.

How It Works/Key Features/Components

How the solution works

The integration of ExtraHop and the Cisco Tetration Analytics platform combines real-time application-layer visibility from ExtraHop with automated policy enforcement delivered through the Cisco platform. This integration delivers both powerful insight and the capability to detect incidents such as brute-force logins, ransomware attacks, and expired certificates. Deep analysis of packets flowing between applications helps ensure the detection of security challenges in real time. For example, the combined solution can both detect ransomware attacks and tag a compromised host. The Cisco Tetration Analytics platform can then enforce a restricted security policy on that host. This integration can be achieved by having an ExtraHop ransomware-detection trigger call the Cisco Tetration Analytics representational state transfer (REST) API to apply the custom tag.

Main features

The Cisco Tetration Analytics platform can apply security policies at endpoint sensors, the Cisco Application Centric Infrastructure (Cisco ACI) Application Policy Infrastructure Controller (APIC), or other third-party devices such as application delivery controllers (ADCs). These security policies can be enhanced with custom tagging to provide additional context. Cisco Tetration Analytics endpoint sensor device metrics (Layer 2 through Layer 4) in combination with ExtraHop Layer 7 application-layer visibility can provide much deeper context information for better custom tagging for security-policy enforcement.

Components

The ExtraHop Discover appliance provides real-time application-layer visibility to enhance security-policy enforcement. The Discover appliance can also detect security issues and then apply security tags or annotations in the Cisco Tetration Analytics platform to enforce security policies at endpoints. Additionally, ExtraHop Explore and Trace appliances can be added for security forensics. Model sizing depends on the environment, but not the integration.
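The detect-then-tag flow described above, as an added example that is not code from the brief or from either vendor: constructed CIFS rename records are scanned for a burst of renames to encrypted-looking extensions on one client, and each flagged client is shaped into the tag request a trigger would hand to the Tetration REST API. The endpoint path, request body layout, tag name and extension list are assumptions, not the real API.

```python
# Added example, not from the Cisco/ExtraHop brief: a minimal
# detection-to-tag flow modelled on the one the brief describes.
# CIFS records are constructed; TETRATION_TAG_PATH, the body layout
# and the tag name are placeholders, not the real Tetration API.
from collections import defaultdict
from datetime import datetime, timedelta
import json
import os

SUSPICIOUS_EXTS = {".locked", ".crypt", ".enc"}    # illustrative list only
TETRATION_TAG_PATH = "/PLACEHOLDER/tetration/tags"  # assumed, see lead-in

# Constructed CIFS rename operations: (client_ip, timestamp, new_name).
SAMPLE_CIFS = [
    ("10.0.0.5",  "2017-06-01T10:00:01", "q1.xlsx.locked"),
    ("10.0.0.5",  "2017-06-01T10:00:02", "q2.xlsx.locked"),
    ("10.0.0.5",  "2017-06-01T10:00:02", "plan.docx.locked"),
    ("10.0.0.5",  "2017-06-01T10:00:03", "notes.txt.locked"),
    ("10.0.0.5",  "2017-06-01T10:00:04", "budget.pdf.locked"),
    ("10.0.0.9",  "2017-06-01T10:00:05", "report.docx.locked"),  # single rename
    ("10.0.0.12", "2017-06-01T10:00:06", "final.pptx"),          # normal rename
]

def flag_hosts(records, window=timedelta(seconds=60), threshold=5):
    """Return client IPs that renamed >= threshold files to a suspicious
    extension inside any sliding window of the given length."""
    per_host = defaultdict(list)
    for ip, ts, name in records:
        if os.path.splitext(name)[1].lower() in SUSPICIOUS_EXTS:
            per_host[ip].append(datetime.fromisoformat(ts))
    flagged = set()
    for ip, times in per_host.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged

def build_tag_request(host_ip, tag="compromised"):
    """Shape the REST call that applies the custom tag so Tetration can
    enforce a restricted policy on the host. Returned, never sent here."""
    body = {"ip": host_ip, "attributes": {"status": tag}}
    return {"method": "POST", "path": TETRATION_TAG_PATH,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body, sort_keys=True)}

if __name__ == "__main__":
    for ip in sorted(flag_hosts(SAMPLE_CIFS)):
        print(json.dumps(build_tag_request(ip), indent=2))
```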
Use cases

Table 1 provides use cases for the combined Cisco Tetration Analytics and ExtraHop solution.

Table 1. Use cases

Application-level attacks (for example, ransomware)
    ExtraHop tags a compromised host. Cisco Tetration Analytics enforces a restricted security policy on that host. The ExtraHop ransomware-detection trigger calls the Cisco Tetration Analytics REST API to apply the custom tag.

Brute-force logins
    Both detect a spike in database traffic and determine whether the traffic spike is due to brute-force login attempts. See which specific tables are being queried.

Certificate audits
    Identify the specific server or servers on which the certificate has expired. Identify rogue certificates.

Cipher audits
    Identify the specific server or servers with weak cipher suites.

Network forensics
    Access detailed application transactions and packets to determine the circumstances of an incident.

[Figure: Cisco Tetration Analytics architecture. Labels: Visibility and enforcement; Analytics engine; Software agent; REST API (monitoring and enforcement); Embedded network agent (monitoring); Third-party sources (configuration data); Ecosystem; Cisco Tetration Analytics appliance; Publish events; Cisco Tetration Analytics applications]
Why Cisco?

Cisco customers can now gain the benefits of network traffic analysis for security. By adding the real-time application-layer visibility delivered by ExtraHop to Cisco Tetration Analytics behavioral analytics and machine learning, we offer the industry's most targeted, accurate, and rapid security-policy enforcement, helping customers thwart major threats like ransomware.

For more information

For more information about the Cisco Tetration Analytics and ExtraHop integration, please visit ExtraHop's Cisco partner page. To contact the ExtraHop sales team directly, email us at sales@extrahop.com.

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word "partner" does not imply a partnership relationship between Cisco and any other company. (1110R)

© 2017 ExtraHop Networks, Inc. All rights reserved. No portion of this work may be reproduced in any form or by any electronic or mechanical means, including information storage and retrieval systems, without written permission from ExtraHop Networks, Inc.

C22-739271-00 06/17