Scaling to PB within Minutes – The Road to Full Automation for Scale-Out Storage with Cisco UCS

Building Scale-Out Storage solutions can be now fully automated to reduce the overall amount of work and to easily scale software-defined storage environments within minutes. Partners and customers can begin to leverage this capability using Ansible modules and playbooks for UCS Manager.

I have to admit that working in a Business Unit can be sometimes very challenging and fast and then there is no time to reflect and see the big picture, no matter which company you are working for. But sometimes projects are crystal clear, you can’t wait to see the result. One of those projects is Automation for scale-out storage.

Big Picture

In the 1990’s, where I started working in the storage industry, we handled GB of data and managed it by doing a lot of manual steps. Initial configuration and installation took a long time, sometimes days. In the 2000’s, storage arrays and disks got larger and we handled then TB of data but with the same problems as in the 1990’s. Now in the 2010’s the situation hasn’t changed that much. We’re now talking about PB of data, even EB but the initial work in the beginning is still the same and challenging.

There are exceptions but as soon as you come to a project where you need multi-PB, you run into an issue of scaling your work of configuration and installation.

Problem #1:

People might think of traditional storage systems solving their problem but they are limited in their ability to easily and cost-effectively scale to support large amounts of unstructured data. With now about 80 percent of data being unstructured, x86 servers are proving to be more cost effective, providing storage that can be expanded as easily as your data grows. Software-defined storage is a scalable and cost-effective approach for handling large amounts of data. Sounds good?

Problem #2

When scale-out storage grows, it can get complex in configuring and installing. This is one of the major obstacles when it comes to enterprise-readiness for software-defined storage. Touching each server and configuring network ports, disk for storage, or even the install media can take a long time and is mostly error-prone. And it’s a difference to prepare 5 servers or 50 servers.

Solution

But there are two ways out of the dilemma that can help a lot and reduce the overall amount of work to a minimum. Even large environments don’t take longer than smaller environments when it comes to the configuration and installation of the scale-out storage hardware.

◈ Cisco UCS Manager: Creating policies and profiles and associating them to servers simplifies scale-out storage solutions a lot. There is no need to repeat specific configurations for each server. Just assign the previously created Service Profile and you’re done. Cisco is doing it now for almost 9 years very successful.

◈ UCS Manager Ansible Modules: Sometimes it doesn’t make sense to create everything via the UCS Manager GUI and you want to further simplify the whole process for configuring and installing servers. Then Ansible for UCS Manager is the right way to move forward. You run a complete Ansible Playbook with all variables you need and within less than 2 minutes your UCS Manager Service Profiles get associated.

There are many ways to do it but we’ve seen a very good adoption of using Ansible for automation in data centers.

We have now published all Ansible Modules for UCS Manager to configure a complete scale-out storage solution. A couple of options for you to run a scale-out storage Ansible Playbook for UCS Manager:

◈ Ansible Role: You can use the Ansible Role

◈ Playbook:You could either use a hardcoded playbook or a playbook with variables and a JSON file.

I did a quick test of configuring and installing 2 x S3260 Dual Node Chassis. You could use much more hardware – the time would be around the same as the process of association works in parallel. Take a look at the 2 minute video.

That gives us now a couple of advantages:

◈ As much as I like the simplicity of UCS Manager GUI – when it comes to scaling and automation then Ansible for UCS Manager can do it in a much shorter time.

◈ You can run the playbooks as often as you want, even if you only want to change a small thing like MTU size for the storage network.

◈ The story gets even better when you integrate the northbound Cisco Nexus switches in Ansible.

Outlook:

The project won’t stop here. Our next steps for scale-out storage automation are:

◈ The full story obviously comes with the integration of scale-out storage vendors. Stay tuned for the first end-to-end Ansible full automation in the industry, from network to compute to storage to software.

◈ The big picture for the Cisco UCS team is certainly Cisco Intersight. Mid-term, we want to integrate the scale-out automation into Cisco Intersight to make it easy for customers and partners to use from a central user interface.

Continue reading

The Factory: A Living Organism for Wireless and Mobility

We live in a wireless world. We almost never plug our computers into a network. Our mobile phones and tablets provide constant connectivity. Some of us wear health tracking devices like Apple Watches, Fitbits, and Garmins. These devices count our steps, measure our heart rates, and log the number of hours we sleep. In doing so, health tracking devices create incredible volumes of data we use to monitor our personal health and improve the quality of our lives. When we don’t feel well, we can look back at hours slept and pulse rate to understand the cause and effect of our bodies’ inputs and outputs.

In many ways, our bodies are like machines requiring inputs like food for fueling, sleep for recovery, and exercise for maintaining optimal performance. When we take care of our bodies, we are rewarded with optimal outputs including increased awareness and productivity.

The same is true for machines on the factory floor. They require electricity for fuel and raw materials to manufacture products. Historically, machinists and engineers were the experts in operating their tooling. They learned through years of experience. Over time, sensors connected to the equipment and computers collected data used to monitor and improve visibility into operating characteristics. Sensors measure equipment performance like vibration, current draw, and lubricant temperatures assisted equipment operators in gaining maximum productivity from their equipment.

Initially many of these sensors and computers were wired and tethered. Over time, sensors became wireless and hard-wired computers morphed into wireless laptops, tablets, and mobile devices. And with wireless becoming pervasive, manufacturers gained considerable flexibility to monitor and manage the health of their factory equipment.

The shift to mobility

Previously, we described networks as being wireless. Over-time, we shifted from wireless to mobile and mobility. With mobility, we can drive the business benefits associated with the wireless features.

Building a mobile manufacturing network creates many challenges. The fundamental challenge is to ensure the wireless capabilities are built on a solid foundation. The foundation requires robust security and a common network infrastructure. Historically, the factory network operated independently of the enterprise network. However, today, it’s possible to secure and converge both the factory and enterprise networks with Cisco’s standard platform.

Once the foundation has been established, the mobile environment must be configured for the three foundational use cases.  These use cases enable data, communications, and video capabilities.

Although it sounds obvious, data drives everything.  Sensors enable access to data.  The simplest type of IoT sensors- vibration, current, particle, temperature, humidity, etc. connects wirelessly. These sensors then communicate with our networks where we secure, move, and reduce data we want to persist or keep, as well as discard the data when it’s perishable.

When we move to communication, the most tangible and relatable mobility use case, we typically think about providing workers with mobile devices like tablets and phones. Mobile communications enable workforces to do their jobs at the place of work. Wi-Fi enabled voice, makes it possible to replace licensed use of hand-held paid spectrum and cellular fees by shifting to Wi-Fi enabled communicators.

Of course, with Wi-Fi mobile communicators, everyone on the factory floor gains immediate access to factory floor personnel as well as receive real-time notifications, pages, and safety alert messages.

Wireless video has become part of our daily lives, typically through applications like Cisco WebEx, Facetime, and many others. On the shop floor or in a warehouse, the video capabilities take communications to the next level. Video on the shop floor, whether enabled by a mobile phone or tablet, immediately takes away the mystery of trying to imagine what is happening or what has happened.

The business benefits of mobility

Because every dollar spent in manufacturing is tied to a return on investment, it’s crucial to map mobility capabilities to business needs and benefits.

Ultimately, factory wireless solutions enable essential business benefits like less downtime, fewer line stoppages, improved worker efficiency, increased cycle time and higher OEE, which means better productivity, availability, and quality.

The Cisco Factory wireless platform includes our products, services, partners and solution implementation plans. Together, all of these components provide what’s necessary for customers to deploy and scale their wireless capabilities.

A manufacturing plant is like a living organism – requiring care and feeding in all areas. Every organism must be part of a connected ecosystem, sensing and sharing information across all parts to ensure not just survival, but growth as well.

While we wouldn’t attach a Fitbit to a piece of manufacturing equipment, we will deploy wireless and mobility capabilities in our factories to monitor and connect our equipment, resulting in operational benefits with improved cost, quality, and delivery.

Continue reading

5 Things You Need to Know about Webex Meetings

Webex has come a long way. We recently unpacked a lot of great innovation in the new meetings experience. The great thing about Webex Meetings is that it’s a full video and content-sharing cloud solution that you can join via desktop, mobile, browser, and video devices. Webex Meetings is more powerful than ever before. Bring meetings to the way you work, not the other way around.

We recently announced a whole new level of collaboration, bringing meetings and team collaboration together on a single platform. Now, everyone who uses Webex Meetings also has access to Cisco Webex Teams (formerly Cisco Spark), helping everyone collaborate, even after the meeting ends.

We’ve integrated the latest artificial intelligence (AI) and machine-learning technologies into the meetings experience to keep participants engaged. Webex Meetings can automatically detect background noise to remove distractions. The video delivers optimal views of people and content. Core functionality like start/join a meeting, attendee rosters, and more are at your fingertips no matter how you join.

Simple to join on any platform

I appreciate being able to join a scheduled meeting simply by pressing the big green button on my desktop, mobile device, or Cisco video device. Cisco is the only vendor to offer a single, consistent one-button join across devices and apps. We’ve simplified things. You don’t have to figure out how to join — the green join button comes to you.

Webex has the most comprehensive, browser-based meeting experience on the market today. If you are invited to a Webex meeting, all you need to do is click the big green button in the invitation and it takes you right in. This is especially important for first-time users. There’s nothing to install, plug in, or download to join from Chrome, Internet Explorer, Firefox, or Safari browsers. And joining from a browser doesn’t mean you have to compromise on features. Hosts and participants get the rich video and application screen-sharing of the desktop version. You have full control and can see everyone participating.

Plays well with others

We’ve also made sure that Webex works with your preferred collaboration tools. Webex not only works across our own hardware and software but also with third-party solutions. You can join or a start a meeting from Webex or do it from  Slack, Microsoft Teams, and Workplace by Facebook. It also works with calendars like Google Calendar. Support for Microsoft Office 365 is right around the corner. These integrations mean you do less switching between apps and have a more efficient workflow. You get the trusted, seamless, and reliable Webex features in the environment that you choose.

The best mobile meeting experience

Several enhancements make it easier be more productive and engaged – even on the road. For a long time, it was hard to see the other people in a meeting if you joined from a mobile device. Likewise, functionality like content sharing and scheduling weren’t options. We’ve turned the experience around and used the latest technologies to make significant improvements that help mobile users get an equal seat at the meeting table.

We’ve optimized the interface for better viewing. Pinch-and-zoom technology makes it easier to see who’s in the meeting and what they’re sharing. You’ll get native screen sharing and the easiest scheduling on the market. If you are an Apple user, you can now use voice commands, Touch ID, and Face ID.

Unparalleled speed and bandwidth

All Webex products use the Cisco network backbone, regardless of how attendees join. It’s a trusted, worldwide IP network built over the last 10 years with interconnects around the world. No other company can do this. Webex connects with both public cloud providers and our own data centers. Regardless of how you join, traffic hops off the Internet as soon as possible and enters the Webex backbone, minimizing latency, bandwidth, jitter, and packet-loss issues that happen so often on the public Web.

Grows with your business needs

Several options for using Webex let you mix and match between services as your business evolves. In addition to a free trial, there are several Webex Meetings subscription models for individuals, teams, departments, and, of course, companies. The offers are competitively priced and flexible so that you can choose a buying model based on your current requirements. Market-leading, secure, innovative Webex Meetings, plus team collaboration, unlimited VoIP, global PSTN audio services, technical support, customer success, and even analytics are all included so you always get the best features and services Webex has to offer.

Continue reading

BMC Remedy ITSM – Cisco ACI joint solution delivers robust and agile IT operations

Introduction

As companies strive to become digital enterprises, they need to make the best use of their existing assets and infrastructure, while introducing new technology and tools that drive the business forward. ITSM is one of the key digital accelerators that deliver improved performance, higher availability, and reduced risk, all while optimizing IT costs. Modern IT operations have to function in a continuous dev-ops model, manage numerous tools, and make sense of all the noise in an environment that lack any decipherable data and analytics to deliver modern applications that have a complex web of interdependencies across a distributed environment.

At Cisco, we observed the growing customer interest in ITSM/ITOM space since the announcement of ACI and quickly forged relationships with leading ITSM vendors like ServiceNow, Cherwell and brought to market joint solutions to automate and streamline incident management, health monitoring use-cases while simultaneously building a growing pipeline of customer deployments.

Today, we are proud to add BMC Remedy solution for Cisco ACI to this significant ITSM technology partner ecosystem portfolio. This blog captures the essence of the solution and how it enables intuitive service management for the digital enterprise, on-premises or in the cloud.

Solution overview

BMC Remedy ITSM suite provides out of box ITIL service support functionality, from architecture to integration and implementation to support. BMC Remedy ITSM has fast established itself as one of the market leaders addressing IT transparency, flexible and agile services, and effective collaboration and reporting, aided by a single, central shared data model. Cisco ACI, an SDN based networking architecture, enhances business agility, reduces TCO, automates IT tasks, and accelerates data center application deployments.

Organizations are increasingly looking to cut costs and find ways to optimize their IT investments. Tight integration of the ITSM layers with underlying IT infrastructure helps organizations to not only optimize their IT infrastructure but also helps them to streamline day to day IT operations.

BMC Remedy ITSM solution for Cisco ACI is a fully-automated policy-based enterprise service management solution that provides single console visibility into your data center and delivers business-aware IT operations.

Cisco ACI’s open API seamlessly integrates with BMC Remedy’s REST API and forms the foundation for the integration. The key solution component is the BMC ITSM App for Cisco ACI.  The APIC facing interface of the App pulls necessary information from the APIC object database and passes it to BMC instance.

Figure: Architecture and Use Cases of BMC Remedy ITSM – ACI solution

Major use cases covered as part of the ACI-BMC Remedy joint solution include CMDB enrichment, health and fault monitoring, and proactive incident management. With these ACI-BMC ITSM solution use cases, customers get unprecedented automation, visibility, and efficiency in their IT service management.

The solution brings a lot of value to the customer, including:

Single console visibility: The solution keeps track of the entire ACI fabric and passes that information periodically to BMC Remedy CMDB thus providing an accurate and up to date picture of the underlying infrastructure. This in-depth visibility allows admins to make more informed decisions and manage the data center infrastructure efficiently.

Healthy Data Center: Faults and dip in health scores in the ACI fabric triggers automatic ticketing workflows in BMC Remedy and further provides admins with the all the relevant information needed for troubleshooting. With all the workflows happening in near real-time, IT teams can quickly identify the root-cause and remedial solutions leading to a drastically reduced MTTR.

Proactive Incident Management: With Cisco ACI keeping an up-to-date view of service-aware infrastructure and informing BMC Remedy ITSM suite about any disruptions and outages, IT operations teams respond more proactively to incidents. Further, the user can use BMC Remedy Problem management workflows and record recurring problems and associated solutions in the Known Error DB (KEDB) building a rich repository of past incidents and actions thus creating a proactive incident management system.

As customer adoption of ACI-BMC Remedy ITSM suite becomes widespread, we will continue to explore newer use-cases to address IT operational pain-points.

Continue reading

Cisco Stealthwatch and DNA Center bridge the SecOps – NetOps divide

By sheer necessity, there is an increasingly interdependent role between NetOps and SecOps in many enterprises. Cisco has been monitoring three trends:

1. Networks are connecting ever more devices, locations and users. The complexity of managing them is creating openings for new threats.

2. As advanced threats multiply, organizations need to control the cost of containment by automating and extending visibility across different functions.

3. And as threats become more advanced, they are becoming an inhibitor to network assurance. For example, instead of breaking in, attackers simply hide in encrypted traffic to gain access to the network.

In short, SecOps needs immediate access to security telemetry to get visibility from all the new endpoints being added to the network, and NetOps needs to know about threats that could impact uptime, particularly encrypted threats.

These are some of the challenges that led to the integration of Cisco DNA Center and Cisco Stealthwatch.

Better IT workflow for faster threat resolution

Cisco Stealthwatch extends threat detection and containment to the DNA Center, the one-stop NetOps management for distributed enterprises.  DNA Center now automates enabling threat telemetry, including enhanced telemetry from encrypted traffic (Encrypted Traffic Analytics or ETA), to be sent to Stealthwatch. The critical threats from Stealthwatch, in turn, can now be monitored from the DNA Center, which provides a platform for custom resolution services such as opening a ticket for automated threat containment.

In the past, these workflows have never been integrated seamlessly. But now we have the ability to streamline them with the new, open DNA Center Platform. Highlighting the power of the DNA Center open platform approach, combined with the expertise of Cisco Advanced Services engineers – the application development and integration required for this workflow was completed in just 3 weeks

Step 0

Automatically find and turn-on threat telemetry from your network devices, including Encrypted Traffic Analytics. Today, customers can take weeks to months to identify and turn on necessary telemetry for security visibility.  We can do it in minutes.

Step 1

Stealthwatch applies advanced security analytics in the form of behavioral modeling, machine learning and global threat intelligence to pinpoint critical threats with high confidence, including where they are originating from. This info now appears in the 360 dashboard for every client on the network.

Step 2

DNA Center instantly communicates with the ITSM (IT Service Management) to generate a ticket related to this incident. And also communicates the incident to customer-specific Security Operations app (developed by Cisco Advanced Services) used by SecOps team to contain the threat.

Step 3

SecOps informs DNA Center to quarantine the user using the Security Operations App, and DNA Center isolates the user.

Step 4

DNA Center confirms containment and informs  SecOps that the user has been quarantined.

Step 5

SecOps uses the Security Operations app to update the ticket in the ITSM.

This workflow can be simpler or more complex depending on the type of threat, but the key is that it is seamless and intuitive between NetOps and SecOps.

Security is everyone’s problem now and containing threats quickly while maintaining network performance requires cooperation, automation, and visibility across IT, Network and Security Operations.

If you are attending Cisco Live Orlando this week, come and see the solution in action at the DNA Center Platform demo stand in the World of Solutions!

Continue reading

Solving Security and Compliance Problems with Cisco Business Critical Services

Organizations today need to be both nimble and secure. They’re adopting Cloud, IoT, and machine learning at increasingly quickening speed as well as evolving their applications and endpoints as well as campus, data center, and WAN networking to adapt to their digital business as well as address security risks. At the same time that compliance regimes are a moving target putting increasing pressure on organizations.

In this ever changing world, many organizations struggle with maintaining good security and compliance hygiene. Year over year, IT departments attempt to manage through compliance drift as networks evolve, new systems are added, configuration changes are made, and knowledgeable individuals leave their teams. Poor audit management practices increase audit fatigue and risk even higher rates of attrition. Add requirements for risk assessments, penetration tests, privacy impact assessments, and robust processes; not to mention the pressures of being able to identify and respond to an evolving security threat landscape and the operational pressures, including OpEx spending, can be immense.

About Business Critical Services 

Business Critical Services is the next generation of subscription based advanced services. By leveraging our expert guidance, analytics, and automation solutions, we can not only address resilience, flexibility, and support concerns, but can craft ongoing services to help manage security threats and reduce compliance overhead while decreasing OpEx, allowing customers to focus on activities that most contribute to the growth of their businesses.

Solving Compliance Problems with Business Critical Services

Business Critical Services includes a wealth of offers, or deliverables, which help customers reduce compliance drift, decrease operational churn, and drive increased compliance fidelity regardless of the compliance requirement. From automated compliance hygiene to Privacy Impact Analysis, Business Critical Services enables customers to right size a solution that meets most compliance requirements they face. For example, a customer that must be compliant to the Payment Card Industry – Data Security Standard (PCI-DSS) may choose to take advantage of the following Business Critical Services:

◈ Automated Software Compliance and Remediation, Configuration Compliance and Remediation, and Regulatory Compliance & Remediation form the core of our compliance offerings. These services automate the tasks of identifying and remediating compliance drift by validating that software versions are up to date, vulnerabilities are identified and remediated, and configurations are compliant to both regulatory requirements as well as defined gold standards.  All of this is central to several PCI-DSS requirements.  These services alone provide much needed operational relief from maintaining compliance and provide evidence for your auditors to review.

◈ Security Compliance Assessment augments our automated capabilities using Cisco compliance experts to validate policy, processes, and technical requirements where assessment cannot be automated. When combined with our automated compliance capabilities, this provides a comprehensive view of audit readiness and both tactical and strategic remediation requirements. For PCI-DSS, we review the complete set of requirements, enabling customers to make audit outcomes more predictable and eliminate last minute remediation scrambles.
Network and Application Penetration Testing within Business Critical Services can be used to meet the PCI-DSS requirements to perform these tasks regularly.

◈ Enterprise Security Advisor provides a strategic resource to help drive security and compliance. The best use of this service for Compliance is to engage Cisco as a program manager to collect, collate, and present evidence to your auditor while managing your IT compliance processes, reducing audit fatigue on your staff and freeing up individuals to focus on business growth and digital transformation.

Solving Security Problems with Business Critical Services

In addition, Business Critical Services, can be used to solve operational and ongoing security issues, helping reduce the attack surface of our customers while identifying and helping to remediate vulnerabilities, ensuring the upkeep of security infrastructure, planning and accelerating security architecture transformation, and managing to security threats and incidents. This includes:

◈ An Incident Response Retainer providing both proactive and reactive threat management activities to our customers. We offer one of the most robust and flexible retainers in the business.

◈ Our automated compliance offerings also support good security hygiene, evaluating and remediating configuration and software exposures that expose up attack surface

◈ Health checks and optimization services to facilitate proper maintenance and management of security systems, protecting and enhancing the return on investment for Cisco security architecture.

◈ A Technical Knowledge Library including guides and best practices for security infrastructure to help customer staff manage their security controls

◈ Network Device Security Assessment to analyze security device configurations and firewall rules to identify gaps and recommend remediation

◈ Collaboration Security Assessment to protect against threats to Cisco Unified Communications, video collaboration, and contact center solutions.

◈ Security Metrics Program support to design and manage KPIs to communicate control effectiveness and levels of risk to management

◈ Cyber Range Workshops to provide security operations training to SOC staff

◈ A robust set of security assessments to identify and recommend remediation to security vulnerabilities including Network, Wireless, Application, Social Engineering, and Physical

◈ Penetration Tests as well as Security Risk Assessment, Network Architecture Assessment, and third party risk management program support.

◈ Security Program Assessment and Security Strategy Planning Support to help support not just your strategic security initiatives, but also help review and improve your critical security practices and establish an enterprise security strategic roadmap

◈ Cloud Security Strategy support to help recommend security operations and technology improvements to support Cloud transformation

◈ Security Segmentation Architecture Design to help develop a roadmap to accelerate and transform the network security at our customers organization

◈ Finally, a flexible Enterprise Security Advisor service to provide program management, expert advice, and otherwise support security evolution as well as an Architecture Management Office to help drive technical change throughout customer organizations

Taken together, this robust set of subscription based offers within Business Critical Services can help customers address both the most mundane and repetitive, but critical, security tasks, drive security improvement through assessments and training, and both set and help execute strategic security direction at our customers. I can’t think of any other security company on the planet that can match this comprehensive set of security and threat management services and deliver them under an annual subscription besides Cisco.

Continue reading

5G Security Innovation with Cisco

We have been working with Service Providers and various colleagues across the world to develop the threat surface and use cases to properly apply 5G today and in applications coming tomorrow.  We call your attention to our white paper and to our session on this topic at Cisco Live US in Orlando.  The title of the session is BRKSPM-2010 (Security for Mobile Service Providers).

5G touches almost every aspect of the way we live our lives. It’s not just about faster, bigger or better, it’s about utilizing 5G as an enabler to a series of services that we all will consume in every aspect of our lives. The time is NOW to consider the security implications and cyber risk profile that come with 5G. The business operational risk, legal risk and reputational risk of not only the companies who provide 5G transport, but allcompanies, nation states and individuals who provide the services that will utilize 5G. The time is now to evaluate the cyber risk posture and apply innovative thoughts to how we can approach these challenges today and build for what’s to come tomorrow. Many IoT(Internet of Things) services will utilize 5G services. The intersection of 5G and IoT brings an extension of the existing threat surface that requires careful consideration from a cyber risk perspective. This white paper highlights innovative thoughts which enable you to take action and meet the challenges creating a security safety net for the successful deployment and consumption of 5G based services.

5G is as much the application of new architectural concepts to traditional mobile networks as it is about the introduction of a new air interface. The 5G mobile network intentionally sets out to be a variable bandwidth heterogeneous access network, as well as a network intended for flexible deployment. Aside from the usual reasons of generational shifts in mobile networks, i.e. those concerned with the introduction of networking technologies on lower cost curves, the 5th generation of mobile networks has to be able to allow the mobile service providers to evolve towards new business models that may result in future modes of operation that are very different from those of today. This presents a problem from the view point of securing such a network. The need to be flexible increases the threat surface of the network.

Security provides the foundation of service assurance. Adversaries and the threats that they impose against the networks used to deliver critical services continue to get smarter, more agile, and more destructive.

Networks used to deliver applications continue to converge, making it more important to properly segment threats and vulnerabilities by domain, while examining the aggregate threat landscape at the same time.

Examples of this include the evolved packet core where traditional and mobile services share an infrastructure leveraging the carrier data center and cloud for operational efficiency and also for service delivery. Cisco’s architectural innovations and evolution of existing networks to meet the needs of new service models like IoT services pushing technology evolution such as mobile edge compute and widely distributed secured data centers introducing a new set of visibility and control elements to handle the evolved threats.  In order to properly secure the “full stack” that delivers a connected application, two fundamental elements are applied: visibility and control. Visibility refers to the ability to see and correlate information from the carrier cloud to baseline proper behavior and then to measure deviation from that norm. Simply said, “If you can’t measure it, you can’t manage it.” Sources of visibility come from traditional network measurements (netflow, open flow, etc.), but the need to measure all aspects of a flow, from all elements of the carrier cloud to the application to the end customer, has changed what data is collected and where we get it. An example of the new visibility includes the use of application level probes that are synthetically generated and travel through the network to get a clear picture of how an application is behaving. Another example is where the Path Computation Element, which has a near real time database representing the network topology, is queried programmatically to determine the impact of a potential mitigation action on critical service classes for DDoS. Once all of the telemetry is gathered, a security controller and workflow will analyze it and determine, based on policy, suggested mitigation and controls to be applied. Of course, we have an iterative loop of constant learning. The Cisco Talos research team keeps our customers ahead of the game by its threat research and deployment of mitigation rules into our full portfolio of products, removing that burden from the Service Provider allowing them to focus on their core competencies.  Control refers to the actions taken to mitigate an attack. Some controls are taken proactively while others are applied after an attack takes place. There are two types of attacks. Day zero attacks are threats that we don’t previously have a fingerprint for. Typically deviations in known good behavior of the carrier cloud and applications that request service and state from it, are identified by the security controller and some action is then taken to mitigate the attack or to get additional visibility, an action sometimes taken to properly identify the adversary. Day one attacks are threats that we have a signature or fingerprint for and, quite often, a mitigation strategy exists in advance to handle the attack. Controls take the form of modifications to the carrier cloud to apply quality of service changes in per hop behavior to minimize the impact of an attack and also take the form of physical and virtual security assets applied as close to the source of the threat as possible in order to minimize collateral damage.

The information that the operator has that delivers the application is vast. Innovation in the way that we apply the information we have, in a close loop iterative process, is a recent innovation in threat visibility and mitigation. This is where automation, orchestration and NFV meets security to solve today and tomorrow’s security needs. The three elements of the closed loop iterative process are: policy, analytics, and the application delivery cloud (the whole transaction from the application to the networks used to serve it).  Operators can now apply innovative methods to correlate geo-location information to behavioral analytics, compare those against policy in the context of a threat to the carrier cloud, and ascertain the nature of that threat and what to do about it with far greater clarity. Visibility and control properly applied to the advanced threats of today offer the carrier cloud a level of protection. We must continue to evolve, grow and get smarter to keep our networks safe and resilient in the time of attack.

Continue reading