
BRKACI-2060

Cisco Tetration:
Data Center Analytics
Deployment and Use Cases

Remi Philippe
Tim Garner
What You Signed Up For
• It begins with visibility. Streaming telemetry of flow, network state, and
process events, combined with flexible identity sources yields Tetration an
unparalleled view of the data center landscape. From this vantage point
powerful analytics lead to effective segmentation and threat protection. In
this session, we will overview the solution architecture, explore sensor
options and work through a use case where we will breach our own
application and then journey to a more secure data center through policy
discovery, validation, multi-level segmentation (network and host), and
compliance. Once all the workloads in our environment are segmented, we
will explore threat protection through integrations and deep system signals.

BRKACI-2060 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• What is Workload Protection?
• What can we do to help?
• Where do I start?
• What about the Operating System?
• And Operations?
• How did we do that?

What is Workload Protection?
Is this secure?
And this?
What about this?
Feeling Secure?
• Attacks are mainly driven by application vulnerabilities, not network
• In most cases the port will be legitimately open
• Apache Struts?
• What about attacks coming from other workloads on the same hypervisor
• Spectre / Meltdown?
• Let’s see an example

Topology
Topology diagram: db server, struts server, db server, struts server, file server, and a security group.
Demo
What Happened?
• Firewall Configuration was good
• I accessed a public (or intranet) facing website

• But…
• His Application had a security flaw (CVE-2017-5638)
• https://nvd.nist.gov/vuln/detail/CVE-2017-5638
• Traffic "looked" legit
• He did not implement Segmentation, so it was not contained
What can we do?
The best way to secure a workload?

More Realistically
• Australian Signals Directorate TOP4
• https://www.asd.gov.au/publications/protect/top_4_mitigations.htm
• Application Whitelisting
• Patching Systems
• Restricting Administrative Privileges
• Creating a Defense in Depth System

• Let’s look at our options
Protecting server workloads in hybrid cloud
• Breadth: Containers, VM, Bare Metal; On premises, public cloud, legacy apps, appliances …
• Depth: Micro segmentation, Vulnerability management, Integrity monitoring, Exploit prevention, Data leakage prevention, Application control, Encryption
• Scale: Tens of thousands of workloads
• Speed: Real time detection and response; Address ephemeral workloads
Where do I start?
Applications
• First we need to baseline what is going on in our environment
• Which Applications are running?
• On which servers are they running?
• How are they interacting with each other?
• To do this… We need to rely on facts, not humans

Dynamic Application Mapping
• Discover Application Clusters
• Creates Clusters based on annotations
• Enable auto-scale based on scope and annotations

Diagram: Host A and Host B (Role = Web, Scope = App1) form Cluster Web (Role=Web and Scope = App1); Host C and Host D (Role = App, Scope = App1) form Cluster App (Role=App and Scope = App1); Host E and Host F (Role = DB, Scope = App1) form Cluster DB (Role=DB and Scope = App1).
Segmentation Policy
Express Policies in Human Language
Development can’t talk to production
• Cisco Tetration knows who is production
• Cisco Tetration knows who is development
• Policies are continuously updated as applications change
Allow computers to perform the heavy lifting
Tetration automatically converts your intent into blacklist and whitelist rules

Intent                                                             Rules
Block nonproduction applications from talking to production apps   SOURCE 10.0.0.0/8  DEST 128.0.0.0/8
Allow HR applications to use the employee database                 SOURCE 128.0.10.0/24  DEST 128.0.11.0/24
Block all HTTP connections that are not destined for web servers   SOURCE *  DEST 128.0.100.0/24  PORT = 80
                                                                   SOURCE *  DEST *  PORT = 80
Enforcement of policy across any floor tile
1. Generates unique policy per workload
2. Pushes policy to all workloads
3. Workload securely enforces policy
4. Continuously computes policy from identity and classification changes

Diagram: Cisco Tetration Analytics pushes enforcement to Google, Azure and Amazon; enforcement points are Public cloud, Bare metal, Virtual, Cisco ACI and Traditional network.
Demo
How are policies enforced within a workspace?
Diagram (server1 talking to server2 on port 80):
  server1 OUTPUT: dport 80, NEW, ESTAB     server2 INPUT: dport 80, NEW, ESTAB
  server1 INPUT: sport 80, ESTAB           server2 OUTPUT: sport 80, ESTAB

How are policies enforced between workspaces?
Diagram (server1 enforced; server2 in another workspace, no INPUT/OUTPUT rules shown):
  server1 OUTPUT: dport 80, NEW, ESTAB     server2 INPUT: (none shown)
  server1 INPUT: sport 80, ESTAB           server2 OUTPUT: (none shown)

How are policies enforced between workspaces?
Diagram (rules now present on both servers):
  server1 OUTPUT: dport 80, NEW, ESTAB     server2 INPUT: dport 80, NEW, ESTAB
  server1 INPUT: sport 80, ESTAB           server2 OUTPUT: sport 80, ESTAB

Up to date with Immunizations?
OUTPUT policies protect workloads by preventing traffic from getting out…
…And INPUT protects other workloads in case of breach (of workload or process)!
Back to our example
• How does the application segmentation help in our case?
• What do you think?
• Let’s punch through the application again, shall we?
Demo
What Happened?
• Tim didn’t prevent the attack
• Application Segmentations didn’t help?

Or did it?
• This time I got in, but I couldn’t do anything more
• I was contained to the breached server

Did we help?
1. Application Whitelisting
• We set the scene by segmenting application tiers
2. Patching Systems
3. Restricting Administrative Privileges
4. Creating a Defense in Depth System
• We’ve set up the first stages of our defense in depth approach with multi-level segmentation

Let’s see if we can do more
What about the Operating System
It’s not only about the network
• We can continue creating policies
• This will not prevent or identify this kind of attack
• Payload parsing? What about encrypted traffic with forward secrecy?
• How about tracing a security event?
• How / Where did it start?
• What happened?
• The protection needs to be elevated to the Operating System
• Get CVE and patching information?
• Detect Side Channel Attacks?
• Identify Privilege escalations?
CVE
• Common Vulnerabilities and Exposures (CVE) is a centralized repository of
publicly known vulnerabilities
• https://nvd.nist.gov/ for example
• CVE exposes:
• Vulnerability details
• Impacted versions

Understanding Exposure
• Tetration stores all CVE information since 1999
• And collects the list of installed packages in order to detect known
vulnerabilities
And Taking Action!
• As Tetration is Tag and Metadata driven we can easily segment based on
CVE

• Or Installed packages

• And implement across the datacenter
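The "Understanding Exposure" and "Taking Action" slides above, as an added Python example (not Tetration's code): an installed-package inventory collected from each workload is matched against a CVE feed, and the resulting CVE tag drives a quarantine intent. The feed entries, inventories and the `mgmt` scope are constructed sample data; the CVE id is the one the deck references, but the version range attached to it here is an illustrative assumption rather than a copy of the NVD record, and the second feed entry is an obvious placeholder.

```python
"""Added example (not Tetration code): match installed packages against a
CVE feed and tag exposed hosts so segmentation policy can key on the tag.
Feed, inventories and scope names are constructed sample data."""
import re

def parse_version(v):
    """'2.3.31' -> (2, 3, 31); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))

# Constructed feed: (cve id, package, lower bound inclusive, upper bound exclusive).
# The range for CVE-2017-5638 is illustrative, not an authoritative NVD copy.
CVE_FEED = [
    ("CVE-2017-5638", "struts2-core", "2.3.5", "2.3.32"),
    ("CVE-2017-5638", "struts2-core", "2.5", "2.5.10.1"),
    ("CVE-PLACEHOLDER-0001", "openssl", "1.0.0", "1.0.2"),  # constructed placeholder
]

# Constructed per-workload inventories, as a sensor would collect them.
INVENTORY = {
    "struts-1": {"struts2-core": "2.3.31", "openssl": "1.0.2"},
    "struts-2": {"struts2-core": "2.5.10.1", "openssl": "1.0.2"},
    "db-1":     {"mysql-server": "5.7.25", "openssl": "1.0.1"},
}

def affected(version, low, high):
    """True when low <= version < high under tuple comparison."""
    v = parse_version(version)
    return parse_version(low) <= v < parse_version(high)

def exposure(inventory, feed):
    """Return {host: sorted CVE ids} for every host carrying a vulnerable package."""
    out = {}
    for host, pkgs in inventory.items():
        hits = {cve for cve, pkg, low, high in feed
                if pkg in pkgs and affected(pkgs[pkg], low, high)}
        if hits:
            out[host] = sorted(hits)
    return out

def quarantine_policy(exposed, cve):
    """Tag-driven intent: each host tagged with `cve` is quarantined, reachable
    only from the (constructed) management scope until the owner patches it."""
    return [{"scope": host, "tag": cve, "action": "QUARANTINE", "allow_from": ["mgmt"]}
            for host, cves in sorted(exposed.items()) if cve in cves]

if __name__ == "__main__":
    exposed = exposure(INVENTORY, CVE_FEED)
    print(exposed)
    print(quarantine_policy(exposed, "CVE-2017-5638"))
```

Because the policy references the CVE tag rather than an address list, a host that is patched (its package version leaving the affected range on the next inventory pass) drops out of the quarantine scope without anyone editing a rule, which is the "tag and metadata driven" point the slide makes.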

Process Based Anomalies
• Arm and detect security events
• Understand what happened after the
event was fired
• Just like a step by step debugger!

Back to our example
• Will process level metrics help us detect this event?
• What do you think?
• Can we easily secure this once CVE is identified?
• Let’s punch through the application again, shall we?

Demo
What Happened?
• We got alerted immediately on attack, and on privilege escalation
• We identified our vulnerable struts servers and quarantined them until the
owner patches them
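The "Process Based Anomalies" slide and the demo outcome above, as an added Python example (not Tetration's code): a stream of process events is replayed, an alert is raised when a process gains root from a non-root parent that is not a sanctioned setuid helper, a second detector flags a shell spawned by a service process, and the ancestry is walked back to init so the analyst can see where it started, the "step by step debugger" view. The event lines, field names and binary allowlists are constructed assumptions of this example, not a Tetration sensor format.

```python
"""Added example (not Tetration code): detect privilege escalation and
service-spawned shells in a process event stream and reconstruct lineage.
Events, field layout and allowlists are constructed sample data."""
import json

EVENTS = [  # constructed: one JSON object per line, as a sensor might stream them
    '{"ts": 100, "pid": 1,   "ppid": 0,   "uid": 0,    "exe": "/sbin/init"}',
    '{"ts": 101, "pid": 800, "ppid": 1,   "uid": 1001, "exe": "/usr/bin/java"}',
    '{"ts": 150, "pid": 812, "ppid": 800, "uid": 1001, "exe": "/bin/sh"}',
    '{"ts": 151, "pid": 813, "ppid": 812, "uid": 0,    "exe": "/usr/bin/id"}',
    '{"ts": 160, "pid": 900, "ppid": 1,   "uid": 1002, "exe": "/usr/bin/sudo"}',
    '{"ts": 161, "pid": 901, "ppid": 900, "uid": 0,    "exe": "/usr/bin/apt"}',
]

# Binaries that legitimately change uid; a root child of these is expected.
SANCTIONED_ESCALATORS = {"/usr/bin/sudo", "/usr/bin/su", "/usr/bin/pkexec"}
# Service binaries that should never spawn an interactive shell (constructed).
SERVICE_BINARIES = {"/usr/bin/java", "/usr/sbin/httpd", "/usr/sbin/nginx"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}

def load(lines):
    """Index events by pid so parents can be looked up."""
    procs = {}
    for line in lines:
        ev = json.loads(line)
        procs[ev["pid"]] = ev
    return procs

def lineage(procs, pid):
    """Ancestry from pid back to init: the 'how / where did it start' trail."""
    chain = []
    while pid in procs:
        ev = procs[pid]
        chain.append(f'{ev["exe"]}[pid={ev["pid"]} uid={ev["uid"]}]')
        pid = ev["ppid"]
    return " <- ".join(chain)

def detect_escalation(procs):
    """Alert when a root process was spawned by a non-root parent that is not
    a sanctioned setuid helper."""
    alerts = []
    for ev in sorted(procs.values(), key=lambda e: e["ts"]):
        parent = procs.get(ev["ppid"])
        if parent is None or ev["uid"] != 0 or parent["uid"] == 0:
            continue
        if parent["exe"] in SANCTIONED_ESCALATORS:
            continue
        alerts.append({"ts": ev["ts"], "pid": ev["pid"], "exe": ev["exe"],
                       "reason": "root child of non-root parent",
                       "lineage": lineage(procs, ev["pid"])})
    return alerts

def detect_shell_from_service(procs):
    """Alert when a service process spawns a shell: the first visible sign
    that an application flaw is being used, before any escalation."""
    alerts = []
    for ev in sorted(procs.values(), key=lambda e: e["ts"]):
        parent = procs.get(ev["ppid"])
        if parent and ev["exe"] in SHELLS and parent["exe"] in SERVICE_BINARIES:
            alerts.append({"ts": ev["ts"], "pid": ev["pid"], "exe": ev["exe"],
                           "reason": f'shell spawned by {parent["exe"]}',
                           "lineage": lineage(procs, ev["pid"])})
    return alerts

if __name__ == "__main__":
    procs = load(EVENTS)
    for alert in detect_shell_from_service(procs) + detect_escalation(procs):
        print(alert)
```

The sudo branch in the sample stream is the negative case: pid 901 runs as root under a non-root parent but is not alerted because the parent is a sanctioned escalator, whereas pid 813 is, and its lineage leads straight back to the java service that spawned the shell.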

Did we help?
1. Application Whitelisting
• We set the scene by segmenting application tiers
2. Patching Systems
• We identified Vulnerable systems and were able to take action on them
3. Restricting Administrative Privileges
• We identified and alarmed on privilege escalation
4. Creating a Defense in Depth System
• We’ve set up the first stages of our defense in depth approach with multi-level segmentation
Closing Thoughts
What did we do?
• We Implemented a Defense in Depth Strategy through
• Application Discovery
• Policy Generation
• Segmentation
• Then we enhanced our security posture starting from the Operating
System
• Alarming of Process Anomalies
• Taking Actions on CVE
• And finally we made sure this was an “operable solution”
• Segmentation Visibility

What about a… Dashboard?

Cisco Webex Teams

Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session

How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

cs.co/ciscolivebot#BRKACI-2060

Complete your online
session survey
• Please complete your Online Session
Survey after each session
• Complete 4 Session Surveys & the Overall
Conference Survey (available from
Thursday) to receive your Cisco Live T-
shirt
• All surveys can be completed via the Cisco
Events Mobile App or the Communication
Stations

Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com
Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions
Thank you
