Cisco AI Network Analytics: Making Networks Smarter and Simpler to Manage

Enterprise networks generate a lot of data. A lot. Imagine a network with 6000+ access points, 10 wireless controllers, a data center, dozens of branch offices, and over 10,000 roaming wireless devices covering an area the size of a small city. Every AP collects telemetry on its operating environment, radio performance, interference statistics, and the identities of devices that are connecting to them. The SD-WAN fabric connects distributed branch offices and remote workers to cloud applications and data center resources, managing thousands of connections and traffic flows over the course of a work day.

Trying to manually analyze and troubleshoot the traffic flowing through thousands of APs, switches, and routers is a near impossible task, even for the most sophisticated NetOps team. In a wireless environment, onboarding and interference errors can crop up randomly and intermittently, making it even more difficult to determine probable causes. How long does it take for devices to onboard as they are carried from segment to segment? Is taking 5 seconds to connect to an AP satisfactory or unacceptable performance? Is onboarding time consistent regardless of device density or does it vary unpredictably? How do you measure and compare application performance from SaaS providers to distributed branch offices and remote workers?

The irony of having mountains of telemetry and activity logs awaiting analysis by overworked IT teams is that there is too much noise from too much data for humans to deal with in a timely manner. Machine learning (ML) and applied artificial intelligence (AI) automates the analysis of trillions of bytes of telemetry, radio fingerprints, and network access points to uncover patterns in the chaos, and turn the findings into actionable insights or automated mitigation actions. Where is the nexus of AI/ML for enterprise network analytics? In the Cisco DNA Center and the Cloud.

Cisco AI Network Analytics in the Cloud

For years now, Cisco has been integrating AI/ML into many operational and security components, with Cisco DNA Center the focal point for insights and actions. Now we are adding new capabilities with Cisco AI Network Analytics in the Cloud. AI Network Analytics collects massive amounts of network data from Cisco DNA Centers at participating customer sites, encrypts and anonymizes the data to ensure privacy, and collates all of it into the Cisco Worldwide Data Platform. In this cloud, the aggregated data is analyzed with deep machine learning to reveal patterns and anomalies such as:

◈ Highly personalized network baselines with multiple levels of granularity that define “normal” for a given network, site, building, and SSID

◈ Sudden changes in onboarding times for Wi-Fi devices, by individual APs, floor, building, campus, and branch

◈ Simultaneous connectivity failures with numerous clients at a specific location

◈ Changes in SaaS and Cloud application performance via SD-WAN direct internet connections or Cloud OnRamps

The Worldwide Data Platform leverages a growing knowledgebase of over 35 years of Cisco engineering problem resolutions and AI-derived insights. As patterns are discovered and anomalies uncovered in the diverse ocean of data, alerts with correlated information—such as physical locations, histories, possible causes, and potential remedies—are sent to the corresponding Cisco DNA Centers for evaluation and action by NetOps.

AI Analytics Provides Visibility, Insight, and Action

The AI processes in the cloud perform the logical troubleshooting steps that a network engineer executes to resolve problems, but much faster and against a much larger data set than humans’ can handle. In large campus networks and remote branch offices, the number of alerts and false-positives for minor to major issues can come fast and furious at times, making triage the first step for NetOps teams. The AI processing helps triage issues by categorizing them according to severity, location, number of affected devices, and the ability to automatically remedy a subset of issues. As a result, NetOps can focus on high-priority alerts instead of hunting through a blizzard of data for disruptive problems. Cisco AI Network Analytics and DNA Assurance provides visibility, insight, and action for resolving network issues and improving performance.

Visibility into Personalized Baseline Behavior

Using machine learning to determine a baseline range for network activity—error rates, onboarding times, application performance, for example—helps spotlight relevant deviations in behavior that impact network availability. Once a personalized baseline is established, NetOps can measure performance over periods of time to determine the effects of network design changes, adding devices, changing segmentation, and adding SaaS application connections to distributed branches. A baseline enables NetOps to focus on significant anomalies rather than the noise of minute-to-minute deviations, saving time and resources for IT projects that add value.

Insights Gathered From Around the World

With a baseline of normal network operations established, Cisco AI Network Analytics examines abnormal behaviors to pinpoint specific issues and their root causes. A knowledgebase of engineering experience—accumulated by Cisco over decades of network monitoring and troubleshooting—works with the patterns and anomalies uncovered by ML in the Worldwide Data Platform to prescribe actions to fix issues. Workers in a remote branch office that are taking longer than the normal baseline to onboard, for example, trigger an alert in Cisco DNA Assurance, along with potential remedies, enabling NetOps to take proactive remediation steps before the delays impact productivity and customer experience.

In IP networks, a problematic event is often preceded by a benign event or series of events. Using the Proactive Exploration features of AI Network Analytics, NetOps can, for example, be forewarned of increases in Wi-Fi interference, network congestion, and office traffic loads. By learning how a series of events are correlated to one another, system-generated insights can help foresee future events before they happen and alert IT staff with suggestions for corrective actions. These insights can recommend changes to Wi-Fi, switch, or application configurations that will improve system performance and user experience, improve issue relevancy, and accurately identify trends and root causes.

AI Network Analytics can also compare activity and patterns among, for example, branch offices, to determine “normal” activity and pinpoint performance issues pertaining to individual sites. Since all the data in Worldwide Data Platform is anonymized, Cisco AI Network Analytics can securely compare a campus network’s performance against other sites of similar size and configuration, helping to identify opportunities for network upgrades while optimizing IT spending.

Action and Guided Remediation from Expert Knowledgebase

Insights lead to action with guided remediation suggestions resulting from the fusion of machine pattern recognition and AI-derived workflows from the engineering knowledgebase. Events similar to those that have occurred in other enterprise sites provide possible solutions that have previously resolved analogous issues. This demonstrates the value of leveraging the Worldwide Data Platform and ML to capture issues that crop up sporadically in networks all over the world and resolve them quickly and efficiently.

Note that participating in the Worldwide Data Platform is optional when using Cisco DNA Center, but will result in more limited capabilities. Even though all data received from customer DNA Centers is anonymized, and each customer has a unique private key for decryption, not participating in the Worldwide Data Platform is an option for organizations that have privacy and compliance issues that limit data sharing.In

Intent-based Networking is Smarter and Simpler to Manage with AI Network Analytics

Cisco AI Network Analytics, within Cisco DNA Center, adds another layer of intelligence to Intent-Based Networking, making networks even smarter, simpler to manage, and more secure. Integrating decades of Cisco network engineering experience into the AI Network Analytics platform to continuously analyze network operations and deviations leads to faster problem resolution and thus greater IT efficiency. By identifying the most relevant optimization opportunities for each customer’s unique configuration and usage patterns, IT resources can be allocated to high priority projects providing the most benefit instead of chasing minor fluctuations in network performance.

Cisco will continue to add AI and machine learning to bring simplicity and security to enterprise networks of all sizes and shades of complexity. The more telemetry, operational statistics, and security threat indicators flow into the Cisco Worldwide Data Platform, the more value enterprises using Cisco DNA Center will gain.

Continue reading

F5 ACI ServiceCenter App Pushes the Envelope in DC Networking Automation

Introduction

In tune with changing technology trends, our data center customers are increasingly adopting a solution-focused approach, instead of a point product one, for managing and monitoring their Data Center operations. This trend is very much pronounced with intent-based networking technologies, such as ACI, that provide customers a cloud-like experience with their on-prem infrastructure. A very understandably popular request from our customers – and this was heard loud and clear in our most recent Cisco Live EMEA – is to consume networking and application-delivery services together as a cohesive solution. With the goal to enable customers to do just that, Cisco and F5 have collaborated on a F5 App for the Cisco ACI App Center.

Today, I am pleased to share with you my thoughts on this newly designed F5 ACI ServiceCenter App, a multi-function and operations focused solution, covering its key L2-L7 operational use-cases. You’ll be able to see how customers can leverage its capabilities combined with the speed and flexibility of its host, the ACI App Center.

What does this mean?

Customers want a native ACI solution and a single point of automation and visibility for L2-L7 infrastructures. The F5-ACI App represents a strategic and new directional transference from the erstwhile device-package based integration approach. Centered around ease-of-use and customer experience, this App is quick to install and intuitive in its design flow for the end user. This forms the basis for the design innovation of the F5-ACI App addressing flexibility without compromising features, domain expertise, or ease of use.

F5 ACI App – Key Use Cases and Value Proposition

F5-ACI App – Use Cases

1. Enhanced Visibility across Cisco ACI and F5 BIG-IP
(correlation of APIC components and BIG-IP configurations)
2. Configure network connectivity between ACI and BIG-IP
(deploy ACI-to-BIGIP L2-L3 connectivity)
3. Provision application services on BIG-IP from App UI
(use pre-defined json files to push custom configuration from App-to-BIGIP)
.

F5-ACI App – Key Benefits

1. Native and easy deployment from ACI App center
2. Operational model alignment with ACI and F5 users
3. Applicability to “Brownfield/Greenfield” user deployments
4. Consistent with F5’s overall approach towards automation leveraging a declarative automation approach through AS3 from the F5 Automation Toolchain

We are committed to a robust roadmap evolving the App to address the strong demand of this integration by our customers. This is a phenomenal milestone – two industry leaders collaborating to enable our customers with success and cutting edge, yet simple, technology.

Continue reading

Security Analytics and Logging: Supercharging FirePower with Stealthwatch

When we consider network threat detection, most of us immediately think of signature and rule-based intrusion detection and prevention systems (IDPSs). However, it is a little discussed fact that the very first intrusion detection systems, built back in the ‘80s, were actually based on anomaly detection!

Those pioneers understood that with the presence of zero-days and the lack of exhaustive black-lists, we needed to use the full range of analytical techniques at our disposal to be effective.

Those anomaly detection roots may not be so evident in today’s IDPSs however they were not totally lost. In fact, a whole new branch of network threat detection systems were developed that used those very same anomaly detection techniques. That heritage manifests itself, today in so-called Network Traffic Analysis (NTA) tools.

While IDPSs have made detecting the initial intrusion in the packet stream their relentless focus, NTA systems take a very different approach. They generally work on metadata generated from the network, often called network flows, so they can expand our scope of analysis in both time and space to become essential in post-breach analysis, incident response, and even threat hunting situations.

Well Cisco has arranged a family reunion!

We are proud to announce the combination of our best-in-class IDPS and NTA products, Cisco Firepower and Cisco Stealthwatch. The Security Analytics and Logging (SAL) solution brings the best of perimeter-based protection and detection with the power of visibility and security analytics over the entire network. We believe we have created the most comprehensive network-centric threat protection, detection, and response solution – something that only Cisco is in the position to achieve.

Raising the bar on Network Security

It is very well understood how IDPSs are effective in security protection: blocking activity that can be identified as a threat or violates some policy. However, we accept that threats still get through and that is why IDPS have robust rules-based detection engines based on content-inspection.

But what do we do with all these detections? What if the traffic cannot be inspected? What if decryption is not an option? What if the threat is spreading internally?

Security Analytics and Logging service is specifically designed to augment your Cisco Firepower deployment with security analytics, from the Stealthwatch Cloud platform, to drive improved threat detections and provide the insight needed for more effective protection.

It All Starts with Visibility

The foundation of the solution is the aggregation of the connection and detection logs from Cisco Firepower with the network flows that the Stealthwatch platform collects. Just think about that. A dataset that gives us unprecedented visibility into the entire breadth of your network from perimeter to access, from campus to branch. But that’s not all! That “general ledger” not only contains all the header-based metadata, but now also includes all the metadata and inferences derived from all the deep content-inspection the Cisco Firepower engine provides.

Now you might be thinking to yourself, “there are plenty of tools I can use to gain this type of visibility.” However, in practice the sheer volume, velocity, and variety of the data can lead to staggering costs. The Stealthwatch team has made working at these scales our speciality and because our back ends are optimally engineered for the security outcomes we desire, we can offer this visibility in a much more cost-effective manner.

Security Analytics Driving Rapid Response

With all that visibility comes the opportunity to apply security analytics that can detect breaches that have bypassed the content-inspection based rules at the perimeter.

The security analytics powered by Stealthwatch can achieve this by baselining normal behavior of endpoints on the network in a process we call entity modelling. These models are then used to detect malicious activity based on any changes in behavior and indicators of compromise. The Stealthwatch engine can then combine these observations with others that may come from other parts of the network or even the detection engine in Cisco Firepower to create reliable and useful alerts.

Through this, you get detection of internal and external threats based on the analysis of network telemetry and IDPS logs, all from within Cisco Defense Orchestrator (CDO) and from that same interface, you can modify your network-wide policy to immediately deploy a remediation strategy. In addition, CDO is fully integrated with Cisco Threat Response which allows you to build incident casebooks and drive response actions across the whole of the Cisco security portfolio.

Closing the Loop: Improving Protection through Policy Tuning

Up until now, I have discussed the during and after phases of an attack but with SAL we can close the loop and reason more effectively about the before phase. In this phase we, as security practitioners, try to understand what is actually on our networks and what activity is to be allowed or blocked.

We express this intent through policies that enshrine both threat defense and compliance considerations. But designing and managing these policies across an increasingly complex digital business has historically been a major challenge and can leave many organizations vulnerable to attack.

The insight that it brings to the game drastically improves the way you can make policy decisions from within CDO. Through this capability you can query the logs collected from Cisco Firepower devices to play out what-if scenarios and validate the correct behavior of the policy at the enforcement point. In addition, the extended visibility of the rest of the network that the Stealthwatch platform provides can even allow you to determine if traffic is bypassing your enforcement points.

You can then turn around and deploy these highly tuned policies across the entire portfolio of security products right from within CDO! This is an entirely new paradigm that is required to not only scale with your growing network but also help you seamlessly manage policies across your environment powered by intelligence and insight.

Through this, you get detection of internal and external threats based on the analysis of network telemetry and IDPS logs all from within Cisco Defense Orchestrator (CDO) and from that same interface you can modify your network-wide policy to immediately deploy a remediation strategy.

Continue reading

20 Years of Wireless with the Wi-Fi Alliance

In 1999, the idea of connecting to a network wirelessly was mostly a dream. The only device one might want to connect was a laptop, and they were generally expensive and often restricted to the executive suite in larger enterprises. But 1999 was also the year that the IEEE 802.11 Working Group approved the IEEE 802.11b standard, the technological base of Wi-Fi.

However, the mere existence of a standard written by a bunch of smart engineers is rarely sufficient to ignite a revolution. Wireless technology needed a savvy champion, an industry organization to market the technology to the world and ensure it really works in the hands of users. Aironet (acquired by Cisco in 1999) was one of six companies to recognise this need and co-founded the Wireless Ethernet Compatibility Alliance (WECA), also in 1999.

The WECA took on two vital tasks immediately: to ensure the technology really worked in a multi-vendor environment, and to find a better name, one that would resonate around the world. It succeeded in both.

In 2000, WECA changed the name of its technology from Wireless Ethernet to Wi-Fi. Today, the Wi-Fi label is recognized across the globe and Wi-Fi is so valued that, according to at least one survey, people would rather give up beer or their morning coffee than their Wi-Fi.

Technical diligence

In 2000, the newly renamed Wi-Fi Alliance issued its first interoperability certification for an IEEE 802.11b product, operating at 11Mb/s. This certification was the first of over 45,000 product certifications over the next twenty years. As Wi-Fi technology has expanded, Wi-Fi Alliance certifications have kept users confident that their devices will work with products from other vendors. In 2019, users can be sure of interoperable, reliable and secure Wi-Fi access using the latest IEEE 802.11ax standard (now branded Wi-Fi 6) at rates of up to 5 Gb/s.

In the early years of the Wi-Fi Alliance, it was not always clear that Wi-Fi was going to become the dominant wireless access technology. It certainly was not pervasive. I recall IEEE 802.11 Working Group meetings in 2001, where most engineers designing standards for the next generation of Wi-Fi did not even have Wi-Fi access on their laptops; during Working Group meetings we often had to borrow Wi-Fi cards from a big box at the front of the room.

Today, the idea of a laptop not having perfectly-working Wi-Fi connectivity built-in is alien. Every laptop has Wi-Fi, as does just about any device that generates or uses data. Over 30 billion devices have been made with Wi-Fi, from security cameras in homes to badge readers in enterprises to entertainment systems in cars, industrial sensors, and, of course, mobile phones. There are so many devices using Wi-Fi that by 2022, Cisco’s Visual Networking Index forecasts more than half of all global IP traffic will access the network using Wi-Fi. Unfortunately, this traffic includes my Wi-Fi enabled bathroom scale, telling the cloud each morning that I really should do more exercise.

Challenges along the way

Wi-Fi is not perfect and never will be, but the Wi-Fi Alliance has provided a forum for ongoing development and improvement. For example, a flaw in Wi-Fi security was revealed in 2001 in the form of the WEP Debacle, in which it was shown WEP actually provided very poor security. It was almost a death sentence, because Wi-Fi without security is close to useless. Fortunately, the whole Wi-Fi ecosystem, led by the Wi-Fi Alliance, quickly pulled together and defined WPA (as a temporary solution) and then WPA2 (as a solution that has lasted more than 15 years) to ensure Wi-Fi had appropriate security to meet users’ needs. Of course, you can never take your eye off the ball with security. The Wi-Fi Alliance has continued to promote improvement, most recently with the release of WPA3 (with significant leadership from my Cisco colleague, Stephen Orr).

The Wi-Fi Alliance does not always get it right in its certification programs either, but every experience improves the process, and some “failures” hold the keys to future success. The Wi-Fi Direct certification for peer-to-peer communications was technically successful, in terms of the number of certifications, but the technology didn’t see widespread use. The Wi-Fi Alliance has not given up on peer-to-peer communications, though. Instead, it has learned from the experience;  there are great hopes that the recently introduced Wi-Fi Aware certification will better meet user’s needs.

The WiGig program for 60GHz access is another example where the Wi-Fi Alliance continues to persevere. This activity started in the Wi-Fi Alliance back in 2010. WiGig is still not yet successful, but it represents a significant opportunity for new spectrum and new use cases. The Wi-Fi Alliance’s ongoing work and perseverance means it is an opportunity that still has an excellent chance of being fulfilled in the near future.

Despite the Wi-Fi Alliance’s “learning experiences” over the years, the key point is that Wi-Fi has been successful because it has always fulfilled a promise to enable anyone, anytime, anyplace to construct a cost effective solution to solve real user’s problems. And the problems Wi-Fi solves are evolving. In 2000, the problem was connecting a laptop. Today, it is connecting anything to everything in homes, enterprises, factories, transport and public spaces.

The key to fulfilling this promise has been the Wi-Fi Alliance members’ cooperation across the Wi-Fi ecosystem. The Alliance is a forum for making sense of the alphabet soup of standards from the IEEE 802.11 Working Group, and for developing additional specifications as necessary. It’s also the primary forum for bringing vendors together to ensure interoperability of basic Wi-Fi technology as it continues to develop.

Proud to lend a hand

Cisco is proud to have played a role in the Wi-Fi Alliance since 1999. The company has been a driving force in the Wi-Fi Alliance from the very beginning, as a Sponsor member influencing its strategic direction and as a participant in Task Groups and Interoperability Test Beds. The Wi-Fi Alliance has a provided a basic interoperable Wi-Fi platform for Cisco to provide innovative features that meet the particular needs of our customers; features including Cisco Compatible eXtensions (CCX), controllers with coordinated Access Points, Cisco CleanAir® interference detection and mitigation, location based solutions such as Cisco DNA Spaces, Application Visibility & Control, Hyperlocation, Flexible Radio Assignment (FRA) of dual 5 GHz radios, Software Defined Access, and Intelligent Capture and real-time telemetry. In many cases, Cisco has contributed our proven features back into the Wi-Fi ecosystem, ultimately with certification by the Wi-Fi Alliance.

After twenty years, the global economic value of Wi-Fi is almost $2 trillion per annum (as of 2018). However, it is not the only globally-used wireless data network. Many claim that cellular data, in particular 5G, will take over from Wi-Fi in several key market segments. But Cisco don’t see this as a game with only one winner.

Cisco project that both Wi-Fi and 5G will succeed, and in fact strengthen each other’s success. Wi-Fi will continue to grow to meet the needs of the local area (in unlicensed spectrum), and 5G will meet the needs of outdoor, high speed needs (mostly in licensed spectrum). They will be better together – especially if users can move between the systems smoothly.

To help bring that vision to life, Cisco recently introduced OpenRoaming, building on the Wi-Fi Alliance’s Passpoint certification, which will allow users easy and secure access to Wi-Fi networks globally via a cloud-based federation of access networks and identity providers – including mobile carriers.

I am proud to have been personally involved with the Wi-Fi Alliance since 2003, most of that time on the Board of Directors, including as Chair of the Board from 2006 to 2011. I participated in its 10 year and 15 year anniversary celebrations, and now its 20 year anniversary. I look forward to watching Wi-Fi continue grow and develop in the future under the guidance of the Wi-Fi Alliance.

Continue reading

Driving Simplicity and Convenience for our Customers and Partners

At Cisco, one of our guiding principles is simplicity and convenience for our customers and partners. We believe that seeking and ingraining feedback in the future design and roadmap is a key factor which enables us to continually improve our products and solutions to solve real customer issues. In that vein, we received important customer feedback in three critical areas.  Here is what you told us:

1. You want to see all of your purchases in a single view. Without full visibility into what you own and what you are using, your organization could fall prey to significant legal, financial and operational issues. Legal issues like software compliance and audits.  Financial issues such as over or under purchasing or ineffective contract negotiations. And operational issues such as poor utilization of hardware and entitlements or expired service and support contracts.  It is difficult, if not impossible, to properly manage what you can’t see.

2. You need to be able to easily view and control who has access to service transactions and data. IT Administrators need to be able see and manage who has access to what, at any given time. Roles change, people move in and out of an organization, projects start and stop. Admins need instant access and control to generate or re-host licenses, manage user roles, and be able to quickly turn off access to critical network assets and entitlements when needed.

3. There are too many tools and processes, along with multiple, uncoordinated touch points.  Network infrastructures are getting more and more complex every day. With more tools, more portals, more subscriptions, more services, you need a solution that will consolidate all of the touch points and connect the dots for you.

Your feedback drove a new solution

My Cisco Entitlements (MCE) is a new, secure, user-friendly solution to manage assets and entitlements including technical support, software upgrades and downloads – all in one place, on one platform. MCE provides complete end-to-end IT infrastructure transparency. Building on the power of Cisco Smart Accounts, it brings visibility and control together on one platform that provides access to all Cisco services, subscriptions, licenses, and devices throughout their lifecycle.

No more portal hopping

With MCE you can now view everything in one place, instead of many. Real-time insights provide a forward view into products and services along with activation and utilization metrics.

A streamlined dashboard provides a customized view based on pre-selected filter choices. You can instantly obtain status on your systems and equipment, location of components, asset warranty, expiration dates, and more.

The flexible MCE platform provides the ability to:

◈ Filter, sort, export, tag and organize assets and entitlements
◈ Assign assets to Smart Accounts/Virtual Accounts
◈ Open a new support case
◈ Request software version upgrades on the fly

Providing insight into critical IT questions

IT managers and network administrators are confronted daily with questions that directly impact their organization’s investments. Questions like:

◈ Are we fully optimizing the utilization of our existing assets and entitlements?
◈ Do we need additional or fewer services, subscriptions, licenses, or devices?
◈ What is nearing expiration or approaching end of support?

MCE provides valuable and actionable insights and answers to these important questions. For instance, MCE can proactively identify what’s at risk and the changes required to optimize an organization’s investment to its maximum potential. Dashboards and filters show usage metrics as well as service and support contracts that are near expiration.  Additionally, an organization’s investments are protected with secure and consolidated user access management using MCE.

We’re not done yet.

In the future, MCE will offer self-service MACD (Moves, Adds, Changes, and Deletes) on assets and entitlements. It will be the unified entry point to access all of your Cisco products and services entitlements such as rehosting licenses, requesting an RMA, and registering products and services. Features such as device management APIs, customizable and actionable notifications and alerts, and legacy licensing capabilities will all be standard.

While this is a giant leap in the right direction, we are not done yet. We will continually strive to build upon the platform and deliver more value, insights and capabilities for our users. We appreciate the partnership and the straight talk with our customers and partners, which has enabled us to bring together this unique platform.

MCE delivers on our simplicity and convenience for customers and partners ethos and I look forward to sharing more in the future.

Continue reading

MUD is officially approved by IETF as an Internet Standard, and Cisco is launching MUD1.0 to protect your IoT devices

With over 8 billion “things” being connected today, IoT security has undoubtedly evolved from a mysterious buzzword to one of the biggest real threats to our network today. According to Gartner, over 51% of survey respondents believe that cybersecurity is the number one technology-related challenge for IoT deployment.

Overwhelmed by the countless number of IoT security comments and stories, let’s try to demystify this seemingly complex concept. To begin, let me ask you three simple questions: What types of IoT devices are connected to your network? What behaviors are appropriate for these IoT devices? Is there an industry standard to follow while connecting these IoT devices? If you don’t know the answers to these questions yet, that’s when we say the IoT security risks are probably right around the corner staring at you.

What is MUD?

To answer the above three questions, Cisco has been working on a solution known as Manufacturer Usage Description (MUD) to arm IoT security with you.

The key idea of MUD is to facilitate device visibility and segmentation by allowing your network administrators to effortlessly identify the type of IoT device and define the corresponding appropriate behaviors for that device. To do this accurately, we are introducing a participant to the conversation: the manufacturer. IoT manufacturers are able to disclose to us what their devices are, and what network policies they need for the devices to correctly function.  This whitelist statement is something that customers can use to deploy access policies in their own networks without any guesswork.

As shown in Figure 1, an IoT device first sends out a pre-embedded MUD-URL to the network devices (e.g. switch & AAA server), through which the MUD-URL will be received by the MUD controller (software). According to the specific MUD-URL, a matching MUD file will be provided from the MUD file server and translated into policy format through the MUD controller, to then enforce the access control list to the device.

Clear benefits to both customers and device manufacturers brought by MUD

If you get the overall idea of MUD so far, you may see that IoT device manufacturers and customers are two key stakeholders in the MUD ecosystem. MUD offers distinct benefits for customers and manufactures:

Benefits to customers:

◈ Automate IoT device type identification thus reducing operational costs

◈ Simplify and scale IoT device access management by automating policy enforcement process

◈ Reduce threat surface of exploding number of IoT devices by regulating traffic and thus avoiding lateral infections

◈ Secure enterprise network through standard-based approach

Benefits to manufacturers:

◈ Improve customer satisfaction and adoption due to reduced operational costs and security risks

◈ Enhance device security through standard-based onboarding procedure

◈ Differentiate device offerings with embedded network-based device security feature

◈ Reduce product support costs to customers by following an easy-to-implement process

In addition to these benefits, we’ve received positive feedback from our partners:

“MUD technology is valuable for Innovative Lighting. MUD technology will enhance our commissioning process by identifying our devices on the network. Furthermore, MUD technology will provide the appropriate access control policy promoting a more secure system. We look forward to working more with Cisco and the MUD technology.”

-Harry Aller, CTO at Innovative Lighting

 “MUD was selected to protect Molex IoT solution against malicious parties. MUD is a relatively simple solution to implement at the device level, light on constrained IoT devices but takes advantage of strong network infrastructure including network switches and authorization server. Our goal to reduce exposure footprint and the overall solution allows us to provide a level of security to our customers that is scalable and flexible at the same time. The ability to whitelist specific devices in the field allows us to lock down the network but also to respond quickly to events that may take place post deployment.”

-Mo Alhroub, Manager of Software Engineering at Molex

MUD is approved as an Internet Standard and released as RFC8520 by IETF

I am delighted to announce that MUD has been officially approved as an Internet Standard by the Internet Engineering Task Force (IETF) and is now released as RFC 8520. Meanwhile, MUD is also part of the NIST Mitigating IoT-Based DDoS project, and an optional component of the Open Connectivity Foundation’s framework now.

MUD 1.0 is ready

Besides the IETF approval, I am also thrilled to announce that we are launching MUD1.0, the first phase of the entire MUD solution. While MUD itself is an open standard, Cisco is pioneering our unique version by leveraging Cisco switch and ISE (Identity Service Engine, a AAA server) as the network devices shown in Figure 1.

In this Cisco MUD1.0 release, we focus on providing device visibility by enabling the IoT device identification inside the enterprise network. As shown in Figure 2, the IoT device sends out the MUD-URL to the switch and then passes it to ISE. The administrators will see the device specific information on ISE UI including the device model, manufacturer, etc. Specifically, MUD1.0 supports profiling IoT devices, creating profiling policies dynamically, and automating the entire process of creating policies and Endpoint Identity Groups. Furthermore, administrators can leverage these profiling policies to create Authorization Policies and Profiles manually for securely on-boarding IoT devices.

To make the sophisticated story simple, through MUD1.0, you would know exactly what devices are coming to your network the minute they are connected. Even more, you can define policies for these IoT devices. Isn’t that amazing?!

With MUD1.0 released, future releases will more fully automate the policy control part. On top of MUD1.0 when ISE receives the MUD-URL to extract the visibility information, the MUD-URL will be passed to the MUD controller (software) which will then go out to the MUD server to get the MUD file and translate the content into policy (as shown in Figure 1). The network devices will then enforce the appropriate policy onto the devices. The whole process will be fully automated. Want more flexibility as well? No worries, we’ve got you covered! Before the automation process, you get the choice to edit the recommended policy as needed.

Continue reading

Data Evangelism: Oxymoron, Fluff, or Business Driver?

At first pass, data evangelism may sound more like an oxymoron than a corporate function. Most of us (and our dictionaries) associate evangelism with faith, while data & analytics is core to the scientific method. Evangelism is predominantly qualitative while data & analytics is the definition of quantitative.

In practice, data evangelism has become synonymous with spreading the good word of data.  Need to inspire your team to balance their gut-based approach to problem solving with data-driven insights? Call in a Data Evangelist.

However, if we delve beneath the surface, data + evangelism reveals a richer value proposition. Evangelism teaches us to practice what we preach. Lead by example. Be the change we want to see in the world. Data & analytics teaches us to measure what matters. Hypothesize, test, minimize our biases, refine, and always let our data be our guide.

-----------------------------------------------------------------------------------------------------------------------
If we marry the tenets of data + evangelism, the result is:  Practicing the data & analytical methods we preach. Leading others to leverage data as an asset via a data-driven approach. Challenge ourselves as data evangelists to be at the forefront of data-driven models and insights, especially in the most qualitative domains.
----------------------------------------------------------------------------------------------------------------------

Data Evangelism Needs a Model

In data science, once you understand the data and its significance to the business, the next step is to create, stress test and refine a model which presents a simplified version of the business problem or opportunity you’re seeking to address. This model is a first attempt to explain the workforce’s relationship to data and provide actionable insights into creating (or maintaining) a data-driven enterprise.

The Axes:

◈ Data IQ — The level to which a person is capable of leveraging data & analytics relative on his or her role and goal. For example, a food coordinator who is data literate and comfortable using a simple forecasting model will have a high Data IQ. If, however, s/he wants to lead an engineering team responsible for a machine learning-based technology, a Master’s or PhD in AI will be the new standard for a high Data IQ.

◈ Data Enablement — The level to which a person is enabled (or unable) to leverage data & analytics relative to his or her role and goal. For example, a people manager in HR may be fully Data Enabled via: data literacy, foundational data science for leaders, a dashboard which provides him/her the relevant people analytics and insights about their team, access to data & analytical talent on a project-by-project basis, and a steady stream of curated content including training, best practice sharing, and success stories. However, someone managing a data science team would need all of that and much more, including tools and platforms which allow for reusable asset (i.e. models and code) sharing, to be Data Enabled.

The Quadrants:

◈ Enthusiasts — Low Data IQ; Data Enabled: Well connected to their data & analytics community, fluent in its success stories but unsure how to begin leveraging data. Example: A marketing new hire with a degree in literature who marvels at chatbots.

◈ Data Illiterate — Low Data IQ; Data Unable: Lack of understanding regarding the value of leveraging data & analytics as well as how to do so. Example: An experienced technical writer who leans into his/her qualitative strengths.

◈ Siloed High Performers — High Data IQ; Data Unable: Limited by their isolation. Typically start from scratch instead of having a library of assets at their fingertips and peers with whom to collaborate. Example: a data scientist working on a non-data science team without access to mentorship, peers, enterprise tools, platforms and data products/services.

◈ Data-Driven — High Data IQ; Data Enabled: Individuals have the platforms, infrastructure, tools, services, and knowledge to leverage data & analytics in their role. Connections into the larger community provide them with a constant stream of ideas, best practices, and opportunities to collaborate as well as share their work. This is the target state.

-----------------------------------------------------------------------------------------------------------------------
Data-driven workforces, whose employees have High Data IQs and are Data Enabled, power the most digitally disruptive companies in the world.

Should we start looking to data evangelism as a business driver?
-----------------------------------------------------------------------------------------------------------------------

Data-Driven by an Evangelism Engine

How does this play out? Let’s say a Customer Success Executive leverages data that is 22% more accurate than previously possible to enable 96% adoption of the collaboration tools his/her customer purchased. The customer wins by realizing a high ROI; Because the customer wins, the Customer Success Executive wins. Evangelism’s “win” is in enabling the person or team behind the 22% increase in data accuracy and the Customer Success Executive to leverage said data to achieve (and know s/he achieved) 96% adoption.

Our Approach

Our efforts to influence Data IQs take the form of a multi-pronged (and evolving) strategy of recruiting, learning & development, and continuous education.

We approach Data Enablement more broadly. Success in this domain doesn’t just take a village, but rather the support of the entire Data & Analytics business unit in addition to strong cross-functional partnerships. Data Enablement encompasses building, buying, supporting and/or co-creating the data products and services needed to enable each role- as well as those products’ and services’ adoption.

While far from an exhaustive list, Data Enablement includes global virtual and live events, Kaggle-style data science competitions, collaboration platforms for technical and non-technical best (and worst) practice sharing, an enterprise data science platform with reusable asset libraries, and democratized trustworthy datasets… and as data & analytics (and data evangelism) matures, who knows?

Continue reading