Cisco Tetration Analytics
Enhanced security and operations with real-time analytics
John Joo, Tetration Business Unit, Cisco Systems
Security Challenges in Modern Data Centers
Securing applications has become complex:
- Rapid application deployment
- Continuous development
- Application mobility
- Microservices
- Policy enforcement
- Heterogeneous network
- Zero-trust security
- Policy compliance
Applications are driving modern data center infrastructure.
NSA TAO* Chief on Disrupting Nation State Hackers
(https://www.youtube.com/watch?v=bdjb8wojyda)
Intrusion phases: Reconnaissance, Initial Exploitation, Establish Persistence, Install Tools, Move Laterally, Collect, Exfil, and Exploit
Approaches to defense:
- Segment the network
- Whitelist applications
- Figure out what's routine in your infrastructure (and what's not)
- Figure out what you need to protect and segment that off
- Lock down at the host level
* Tailored Access Operations
Introducing Tetration
Software and network sensors: see everything
- OS sensor: Windows, Linux, mid-range, Universal
- Network sensor: Cisco Nexus 9000 (cloud-scale)
Data analytics and machine learning engine
- Analytics cluster, appliance model, on-premise or cloud
- Billions of events; metadata generated from every packet
- Ingest, store, analyse, learn, simulate, act
Open access
- Web UI, REST API, event bus, lab
Use cases: application insight; flow search and forensics; segmentation and compliance
Cisco Tetration Use Cases (security and operations)
- Visibility and forensics
- Policy
- Application insight
- Policy simulation
- Neighborhood graphs and cloud migration
- Application segmentation
- Process inventory
- Compliance
Use Cases
- Accelerate business transformation
- Accelerate technology transformation
- Secure cloud and data centre
- Operational excellence
Pillars: application insight; flow search and forensics; segmentation and compliance
Cisco Tetration Analytics Architecture Overview
Data collection:
- VM and host sensors (Tetration telemetry)
- Network sensors: Cisco Nexus 92000YC-X, Cisco Nexus 93000YC-EX
- Third-party metadata sources (configuration data)
Analytics engine: Cisco Tetration Analytics Platform
Visualization and reporting: web GUI, REST API, push events
Cisco Tetration Analytics Data Sources
Software sensors (available today):
- Linux servers (virtual machine and bare metal)
- Windows servers (virtual machine and bare metal)
- Windows desktop VM (virtual desktop infrastructure only)
- Universal* (basic sensor for other OS)
Network sensors (next-generation Cisco Nexus series switches):
- Cisco Nexus 9300 EX
- Cisco Nexus 9300 FX
Third-party data sources:
- Asset tagging
- Load balancers
- IP address management
- CMDB
Main features:
- Low CPU overhead (SLA enforced)
- Low network overhead (SLA enforced)
- New: enforcement point (software agents)
- Highly secure (code signed and authenticated)
- Every flow (no sampling) and no payload
*Note: no per-packet telemetry; not an enforcement point.
Holistic Approach to Server Protection
- Advanced behavior analysis
- Policy enforcement
- Application control using whitelists
- Traffic visibility, server process baseline, and analytics
- Dynamic and heterogeneous environment
- Policy that enables application segmentation
- Break organizational silos
Get Great Identity About Endpoints
- Discovered inventory
- Uploaded inventory and metadata (32 arbitrary tags)
- Inventory tracked in real time, along with historical trends
Sources combined by the Cisco Tetration Analytics merge operation:
- Cisco Tetration Analytics sensor feed
- VMware vCenter (virtual machine attributes)
- AWS attributes (AWS tags)
- User-uploaded tags
Result: a real-time inventory merged with this information, with historical trends.
The Goal Is to Describe Intent
I want to:
- Block non-production apps talking to production apps
- Allow HR apps to use the employee database
- Block all HTTP connections that are not destined to web servers
- Allow, and notify me, when a new app requests DNS server access
- Block, and notify me, when a new app requests AD server access
How Does It Work?
Tetration automatically converts your intent into blacklist and whitelist rules.
Intent and the rules it becomes:
- Block non-production apps talking to production apps: DENY SOURCE 10.0.0.0/8 DEST 128.0.0.0/8
- Allow HR apps to use the employee database: ALLOW SOURCE 128.0.10.0/16 DEST 128.0.11.0/16
- Block all HTTP connections that are not destined to web servers: ALLOW SOURCE * DEST 128.0.100.0/16 PORT = 80; DENY SOURCE * DEST * PORT = 80
Enforcement of Policy Across Any Floor Tile
Cisco Tetration Analytics:
1. Generates unique policy per workload
2. Pushes policy to all workloads
3. Workload securely enforces policy
4. Continuously recomputes policy from identity and classification changes
Enforcement and compliance monitoring across public cloud (Google, Azure, Amazon), bare metal, virtual, Cisco ACI, and traditional network.
Policy-Related Notification
- Alerts every minute for enforcement
- Policy compliance event notifications
- Count of policy alerts until whitelisted
- Alerts when iptables or the firewall is flushed or disabled by a user
- Alerts when the enforcement sensor is disabled
- Publishes policy differences between versions
Delivery: Cisco Tetration Analytics publishes messages to a Kafka broker, which northbound consumers read.
Cisco Tetration: Server Process and Process Hash
- Computed process hash for all the processes running on the server
- Search based on: process; process ID; all servers running a particular process; details for long-running processes; user ID associated with process and process ID
- Use process hash information to search for suspicious processes against any IOCs
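The searches listed on this slide, as an added example in Python (not Cisco's code or any Tetration API): a small process inventory keyed on the SHA-256 of each executable image, with lookups by name, PID, host, run time and indicator list. The hosts, users, timestamps, image contents and the IOC set are constructed for illustration. The last function goes one step beyond the slide: it flags a process name that runs under more than one image hash across the fleet, which needs no external indicator at all.

```python
"""Process inventory search keyed on process hash. Added example; the
records, users, timestamps, image bytes and IOC list are constructed."""
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ProcessRecord:
    host: str
    pid: int
    name: str
    user: str
    sha256: str        # hash of the executable image
    started: datetime


def process_hash(image: bytes) -> str:
    """SHA-256 of an executable image; a sensor computes this per process."""
    return hashlib.sha256(image).hexdigest()


NOW = datetime(2017, 6, 1, 12, 0, 0)  # constructed reference time

# Constructed image contents; a real sensor hashes the on-disk binary.
SSHD_HASH = process_hash(b"constructed sshd image")
CRON_HASH = process_hash(b"constructed cron image")
ODD_HASH = process_hash(b"constructed unknown image")

INVENTORY: List[ProcessRecord] = [
    ProcessRecord("web-01", 1201, "sshd", "root", SSHD_HASH, NOW - timedelta(days=40)),
    ProcessRecord("web-02", 1187, "sshd", "root", SSHD_HASH, NOW - timedelta(days=39)),
    ProcessRecord("db-01", 877, "cron", "root", CRON_HASH, NOW - timedelta(days=12)),
    # Same process name as the fleet's sshd, but a different image hash.
    ProcessRecord("db-01", 4412, "sshd", "svc-backup", ODD_HASH, NOW - timedelta(hours=2)),
]

IOC_HASHES: Set[str] = {ODD_HASH}  # constructed indicator list


def by_process_name(name: str, inventory=INVENTORY) -> List[ProcessRecord]:
    return [r for r in inventory if r.name == name]


def by_pid(host: str, pid: int, inventory=INVENTORY) -> Optional[ProcessRecord]:
    return next((r for r in inventory if r.host == host and r.pid == pid), None)


def hosts_running(name: str, inventory=INVENTORY) -> List[str]:
    """All servers running a particular process."""
    return sorted({r.host for r in by_process_name(name, inventory)})


def long_running(min_days: int, now=NOW, inventory=INVENTORY) -> List[ProcessRecord]:
    """Details for long-running processes."""
    return [r for r in inventory if now - r.started >= timedelta(days=min_days)]


def match_iocs(iocs: Set[str], inventory=INVENTORY) -> List[ProcessRecord]:
    """Processes whose image hash appears in an indicator list."""
    return [r for r in inventory if r.sha256 in iocs]


def name_hash_conflicts(inventory=INVENTORY) -> Dict[str, Set[str]]:
    """Process names seen with more than one image hash across the fleet:
    a baseline check that works without any external indicator."""
    hashes: Dict[str, Set[str]] = defaultdict(set)
    for r in inventory:
        hashes[r.name].add(r.sha256)
    return {name: h for name, h in hashes.items() if len(h) > 1}


if __name__ == "__main__":
    for r in match_iocs(IOC_HASHES):
        print(f"IOC hit: {r.host} pid={r.pid} {r.name} user={r.user}")
    print("names with conflicting hashes:", sorted(name_hash_conflicts()))
```

Both the IOC match and the hash-conflict check point at the same record here (db-01, PID 4412): the indicator search finds it only because the hash is already known to be bad, while the conflict check finds it because it differs from every other `sshd` in the inventory.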
Insight-Based Notification: Neighborhood Graphs
- Find up to two-hop communication neighbors for a selected workload
- Drill down into details about communication between these neighbors
- View dashboard display using a graph database
- Determine the number of server hops between two workloads
- Get out-of-the-box and custom alerts through Kafka
Delivery: Cisco Tetration Analytics publishes messages to a Kafka broker, which northbound consumers read.
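The two neighborhood-graph queries on this slide (two-hop neighbors of a workload, and the hop count between two workloads) as an added Python example; this is not Cisco's code and does not use a graph database. The flow records are constructed; the graph is undirected because a flow in either direction makes two workloads neighbors. A bounded breadth-first search gives the neighborhood, and the same search with no bound gives the hop count.

```python
"""Two-hop neighborhood and hop-count queries over observed flows.
Added example; the flow records are constructed."""
from collections import defaultdict, deque
from typing import Dict, List, Optional, Set, Tuple

Flow = Tuple[str, str, int]  # (consumer, provider, provider port)

FLOWS: List[Flow] = [  # constructed sample
    ("web-01", "app-01", 8080),
    ("web-02", "app-01", 8080),
    ("app-01", "db-01", 5432),
    ("app-01", "cache-01", 6379),
    ("db-01", "backup-01", 22),
    ("backup-01", "storage-01", 2049),
]


def build_graph(flows: List[Flow]) -> Dict[str, Set[str]]:
    """Undirected adjacency: each flow links consumer and provider."""
    graph: Dict[str, Set[str]] = defaultdict(set)
    for consumer, provider, _ in flows:
        graph[consumer].add(provider)
        graph[provider].add(consumer)
    return graph


def neighborhood(graph: Dict[str, Set[str]], start: str,
                 max_hops: int = 2) -> Dict[str, int]:
    """Breadth-first search bounded by max_hops. Returns every reachable
    workload with its hop distance from start; start itself is excluded."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if dist[node] == max_hops:
            continue  # do not expand past the requested radius
        for nxt in graph.get(node, ()):
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
    dist.pop(start)
    return dist


def hop_count(graph: Dict[str, Set[str]], a: str, b: str) -> Optional[int]:
    """Number of server hops between two workloads, or None if unconnected."""
    if a == b:
        return 0
    # A shortest path never needs more hops than there are nodes.
    return neighborhood(graph, a, max_hops=len(graph)).get(b)


def flows_within(flows: List[Flow], workloads: Set[str]) -> List[Flow]:
    """Drill-down: the flows whose both endpoints lie inside a neighborhood."""
    return [f for f in flows if f[0] in workloads and f[1] in workloads]


if __name__ == "__main__":
    graph = build_graph(FLOWS)
    two_hop = neighborhood(graph, "web-01")
    print("two-hop neighbors of web-01:", two_hop)
    print("flows inside that neighborhood:",
          flows_within(FLOWS, set(two_hop) | {"web-01"}))
    print("hops web-01 -> storage-01:", hop_count(graph, "web-01", "storage-01"))
```

With the constructed flows, `web-01` sees `app-01` at one hop and `web-02`, `db-01` and `cache-01` at two; `backup-01` and `storage-01` are outside the two-hop radius even though they are reachable.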
Analyze Network Traffic for Cloud Migration
- Estimate usage and cost for your planned migration
- Run cost analysis on hypothetical migration scenarios, based on your actual network traffic
- Workflow: create a cloud profile > define a cloud migration scenario > add your cloud pricing tiers and data to study an application migration
- Run a hypothetical analysis to find out what it will cost to move certain workloads or full applications to the cloud
- Support for AWS, Azure, and other cloud platforms (Google, Azure, Amazon)
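The shape of the scenario analysis this slide describes, as an added Python example (not Cisco's code or its cost model): given observed flow volumes and a set of workloads to move, find the flows that would start crossing the cloud boundary and price their volume against user-supplied tiers. Flows, volumes and the tiers are constructed; the tiers are hypothetical, not any provider's price list, and billing traffic in both directions across the boundary identically is this example's simplifying assumption.

```python
"""Cloud-migration cost scenario built from observed traffic. Added
example; flows, volumes and pricing tiers are constructed."""
from typing import Dict, List, Set, Tuple

Flow = Tuple[str, str, float]  # (consumer, provider, GB per month)

FLOWS: List[Flow] = [  # constructed monthly volumes
    ("web-01", "app-01", 30.0),
    ("app-01", "db-01", 25.0),
    ("web-01", "web-02", 5.0),
    ("db-01", "backup-01", 100.0),
]

# Hypothetical tiers: (GB covered by this tier, price per GB); the last
# tier is open-ended. Assumption: traffic crossing the cloud boundary in
# either direction is billed the same way.
TIERS: List[Tuple[float, float]] = [(10.0, 0.00), (40.0, 0.09), (float("inf"), 0.05)]


def boundary_traffic(flows: List[Flow], moved: Set[str]) -> Tuple[List[Flow], float]:
    """Flows that would run between cloud and on-premises if `moved` were
    migrated: exactly one endpoint in the moved set. Returns them and their
    total volume in GB."""
    crossing = [f for f in flows if (f[0] in moved) != (f[1] in moved)]
    return crossing, sum(f[2] for f in crossing)


def tiered_cost(gb: float, tiers: List[Tuple[float, float]] = TIERS) -> float:
    """Consume the volume tier by tier, charging each tier's rate."""
    cost, remaining = 0.0, gb
    for size, price in tiers:
        if remaining <= 0:
            break
        chunk = min(remaining, size)
        cost += chunk * price
        remaining -= chunk
    return round(cost, 2)


def scenario_cost(flows: List[Flow], moved: Set[str]) -> Dict[str, object]:
    """One migration scenario: which flows cross, how much, what it costs."""
    crossing, gb = boundary_traffic(flows, moved)
    return {
        "moved": sorted(moved),
        "crossing_flows": len(crossing),
        "boundary_gb": gb,
        "monthly_cost": tiered_cost(gb),
    }


if __name__ == "__main__":
    print("move app-01 only:", scenario_cost(FLOWS, {"app-01"}))
    print("move the whole application:",
          scenario_cost(FLOWS, {"web-01", "web-02", "app-01", "db-01"}))
```

Moving only `app-01` turns two internal flows (55 GB) into boundary traffic; moving the whole four-tier application leaves a single crossing flow, the 100 GB to `backup-01`, which costs more even though fewer flows cross. That is the kind of comparison the slide's "certain workloads or full applications" wording points at.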
Virtual Desktop Infrastructure: Visualization
Main features:
- Support for Microsoft Windows Desktop 7, 8, and 10
- Per-packet, per-flow visibility
- Correlate traffic with the process on the desktop instances
- Tie VDI user traffic to the application workspace
Cisco Tetration: Bring Your Own Data
Streaming JSON telemetry from northbound consumers or the public cloud into a data sink.
Main features:
- Stream any JSON-based telemetry to a data sink
- Support up to 10 simultaneous streaming topics
- Bring up to 5 GB of data per hour per streaming topic
- Analyze and write your results through alerts or the UI
Datacenter-Wide Traffic Flow Visibility
- Detailed information about the flow
- Information about consumer, provider, and type of traffic
Tetration Application Segmentation
Cisco Tetration Analytics produces a policy recommendation for application workspaces across public cloud and private cloud.
Real-Time and Historical Policy Simulation
(Figure: bare-metal and virtual-machine workloads feeding the Cisco Tetration Analytics Platform)
- Validating policy impact assessment in real time
- Simulating policy changes over historic traffic
- View traffic outliers for quick intelligence
- Audit becomes a function of continuous machine learning
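One end-to-end illustration, added here and not Cisco's code, of three earlier slides together: intent compiled into ordered ALLOW/DENY rules ("How Does It Work?"), a per-workload subset of those rules and a diff between policy versions ("Enforcement of Policy" and "Policy-Related Notification"), and replaying historical flows against a candidate policy to surface the traffic it would cut ("Real-Time and Historical Policy Simulation"). Group names, subnets and flows are constructed; the subnets are valid CIDRs chosen for this example and differ from the slide's. First-match evaluation with a default verdict of DENY is this example's assumption, not documented product behaviour.

```python
"""Intent-to-rule compilation and policy simulation over historical flows.
Added example: groups, subnets and flows are constructed, and first-match
with a DENY default is an assumption of this example."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Net = ipaddress.IPv4Network
ANY = None  # wildcard '*' for source, destination or port

GROUPS: Dict[str, str] = {  # constructed inventory group -> subnet
    "non-production": "10.0.0.0/8",
    "production": "128.0.0.0/8",
    "hr-apps": "128.10.0.0/16",
    "employee-db": "128.11.0.0/16",
    "web-servers": "128.100.0.0/16",
}


@dataclass(frozen=True)
class Rule:
    action: str          # "ALLOW" or "DENY"
    src: Optional[Net]   # None means '*'
    dst: Optional[Net]
    port: Optional[int]

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        return ((self.src is None or s in self.src)
                and (self.dst is None or d in self.dst)
                and (self.port is None or port == self.port))

    def __str__(self) -> str:
        src, dst = (("*" if n is None else str(n)) for n in (self.src, self.dst))
        text = f"{self.action} SOURCE {src} DEST {dst}"
        return text if self.port is None else f"{text} PORT = {self.port}"


def _net(group: Optional[str]) -> Optional[Net]:
    return None if group is None else ipaddress.ip_network(GROUPS[group])


def compile_intents(intents: List[Tuple]) -> List[Rule]:
    """Intent = (kind, src_group, dst_group, port). 'block'/'allow' give one
    rule; 'allow_only' gives ALLOW to dst_group, then DENY that port elsewhere."""
    rules: List[Rule] = []
    for kind, src, dst, port in intents:
        if kind == "block":
            rules.append(Rule("DENY", _net(src), _net(dst), port))
        elif kind == "allow":
            rules.append(Rule("ALLOW", _net(src), _net(dst), port))
        elif kind == "allow_only":
            rules.append(Rule("ALLOW", _net(src), _net(dst), port))
            rules.append(Rule("DENY", _net(src), ANY, port))
        else:
            raise ValueError(f"unknown intent kind {kind!r}")
    return rules


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, port: int,
             default: str = "DENY") -> str:
    """First matching rule wins; unmatched traffic gets the default verdict."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule.action
    return default


def policy_for_workload(rules: List[Rule], ip: str) -> List[Rule]:
    """Per-workload policy: rules that can apply to this address as source
    or destination, kept in their original order."""
    a = ipaddress.ip_address(ip)
    return [r for r in rules
            if r.src is None or a in r.src or r.dst is None or a in r.dst]


def simulate(rules: List[Rule], flows: List[Tuple[str, str, int]]):
    """Replay historical flows against a candidate policy: verdict counts
    plus the flows the policy would cut, i.e. the outliers to review."""
    counts, denied = {"ALLOW": 0, "DENY": 0}, []
    for src, dst, port in flows:
        verdict = evaluate(rules, src, dst, port)
        counts[verdict] += 1
        if verdict == "DENY":
            denied.append((src, dst, port))
    return counts, denied


def diff_policies(old: List[Rule], new: List[Rule]) -> Tuple[List[str], List[str]]:
    """Rules added and removed between two policy versions."""
    o, n = {str(r) for r in old}, {str(r) for r in new}
    return sorted(n - o), sorted(o - n)


INTENTS = [  # the three intents from the 'How Does It Work?' slide
    ("block", "non-production", "production", None),
    ("allow", "hr-apps", "employee-db", None),
    ("allow_only", None, "web-servers", 80),
]
HISTORICAL_FLOWS = [  # constructed (src, dst, dst port)
    ("10.1.2.3", "128.5.5.5", 443),      # non-prod -> prod
    ("128.10.1.1", "128.11.2.2", 3306),  # HR -> employee DB
    ("128.50.1.1", "128.100.1.1", 80),   # HTTP to a web server
    ("128.50.1.1", "128.60.1.1", 80),    # HTTP to something else
]
```

Running `simulate(compile_intents(INTENTS), HISTORICAL_FLOWS)` gives two ALLOW and two DENY verdicts; the two denied flows are exactly the ones a reviewer should look at before enforcing, which is the "traffic outliers" view in practice. `policy_for_workload` shows why the platform can push a different, smaller rule set to each workload: the non-production host never needs the HR rule.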
Tetration Analytics: Open Access
- Programmatic interface: REST API (Tetration flow search, sensor management)
- Push notification: message publish through a Kafka broker to northbound consumers (out-of-box events, user-defined events)
- Tetration Apps: access to the data lake; write your own application
Cisco Tetration Analytics: Ecosystem
- Service visibility
- Layer 4-7 services integration
- Security orchestration
- Service assurance
- Insight exchange
Insight Exchange
Telemetry data ingestion pipeline: workload > Tetration > annotations > Insight Exchange (or connect your own)
Cisco Tetration Analytics: Deployment Options
On-premises options:
- Cisco Tetration Platform (large form factor): suitable for deployments of more than 5,000 workloads; built-in redundancy; scales to up to 25,000 workloads; includes 36 x Cisco UCS C220 servers and 3 x Cisco Nexus 9300 platform switches
- Cisco Tetration-M (small form factor): suitable for deployments of fewer than 5,000 workloads; includes 6 x Cisco UCS C220 servers and 2 x Cisco Nexus 9300 platform switches
Public cloud:
- Cisco Tetration Cloud: software deployed in AWS (Amazon Web Services); suitable for deployments of fewer than 1,000 workloads; AWS instance owned by the customer
Huntington Bank: Business Value Snapshot
Cisco Tetration enabling Huntington National Bank to execute a major IT initiative faster and more efficiently.
- 80-90% less staff time to carry out application mapping
- 60-65% faster expected execution of a significant IT initiative
- 98% less time spent by application owners on application mapping
"We needed up to a month to map a complex application, and Cisco Tetration allows us to do this in days or less. This will help us complete a significant IT initiative with major cost implications in far less time." - Patrick Drew, Assistant Vice President, Network Infrastructure Manager, The Huntington National Bank
"The big ROI for us of using Cisco Tetration is not having to do application mapping again; the dynamic mapping means that we don't have to go through the exercise again for future initiatives." - Patrick Drew, Assistant Vice President, Network Infrastructure Manager, The Huntington National Bank
Source: IDC, "Analyze the future", 2017 IDC, www.idc.com
Cisco IT: Business Value
Traditional approach (US$1M-$5M project; several months):
1. Hire a consultant
2. Collect logs, interview teams
3. Identify application dependencies
4. Verify with every group
5. Static map, change requests
6. Implement policy, apps break
Cisco Tetration platform:
- 70% reduction in cost and time
- 3600 person-hours of skilled staff time saved for every 100 applications
- 20-40% reduction in virtual machine footprint
Customer Video
Summary
Real time and scalable:
- Every packet, every flow
- Application segmentation for 1000s of applications
- Long-term data retention
Granular policy enforcement:
- Consistent policy enforcement
- Identify policy deviations in near real time
- Support for workload mobility
Easy to use:
- One-touch deployment
- Self monitoring
- Self diagnostics
Open:
- Standard web UI
- REST API (pull)
- Event notification (push)
- Tetration applications
Tetration Answers Your Critical Questions
- Who talks with whom?
- What was out of policy?
Capabilities: visibility; network DVR; application dependency; automatic policy discovery; policy enforcement; audit and compliance