AlgoSec Security Management Solution available on Cisco Global Price List

Today marks an important milestone for Cisco’s Data Center offerings to our customers with the unveiling of a new ACI technology ecosystem partner solution. We are pleased to announce availability of “AlgoSec Security Management Solution” on Cisco’s Global Price List.

“AlgoSec Security Management solution (ASMS)” has delivered tremendous value to our joint customers across the world, with its ability to extend ACI’s policy-driven automation to security devices in the fabric, helping them automate policy enforcement for security devices in the fabric and ensure continuous compliance across multicloud ACI environments. To make it easier for our customers to procure that solution, we onboarded AlgoSec to Cisco Global Price List through Cisco DevNet Solutions Plus Program. Now Cisco’s direct and channel sales network can offer AlgoSec’s solution together with Cisco networking products as a single package. For details on AlgoSec solution orderability, check Cisco commerce.

What makes this solution compelling for you as a Cisco customer or a partner? Rapidly changing business needs and application connectivity requirements in modern data centers pose big challenges to ensuring compliance and security. With thousands of firewall rules across many different security devices, frequent changes, limited visibility and lack of trained security personnel , managing security policies manually is now impossible. This is where ASMS (AlgoSec Security Management Solution) comes in.

ASMS automates and orchestrates network security policy management, maps and migrate application connectivity, and proactively analyze risk to applications risk –  across any cloud and on-premise networks.

AlgoSec integrates with Cisco ACI to extend ACI’s Application centric policy- based automation to AlgoSec managed security devices across their data center, on its edges and in the cloud. AlgoSec Security Management Solution for ACI enables customers to ensure continuous compliance and automate the provisioning of security policies not just across the ACI fabric but also across multi-vendor security devices connected to ACI fabric, helping customers build secure data centers. The solution is based on Cisco APIC and ASMS integration to deliver a powerful multi-tenant, policy-driven, application-centric model for network security. Read Solution brief for details.

The AlgoSec Security Management Solution comprises three key components – AlgoSec Firewall Analyzer, AlgoSec Fireflow, and AlgoSec Application Connectivity Management.

AlgoSec Firewall Analyzer (AFA) – Network Security Policy Analysis, auditing and compliance

AlgoSec Firewall Analyzer delivers visibility and analysis of complex network security policies across Cisco ACI, firewalls attached to ACI fabric and other upstream security devices. The solution automates and simplifies security operations including troubleshooting, auditing policy cleanup, risk and compliance analysis and audit preparations.

AlgoSec FireFlow (AFF) – Security Policy Change Automation

AlgoSec FireFlow helps you process security policy changes in a fraction of the time, so you can respond to business requirements with the agility they demand. FireFlow automates the entire security policy change process — from design and submission to proactive risk analysis, implementation, validation and auditing with the support for automated policy enforcement on Cisco ACI and multi-vendor security devices, including Cisco ASA & FTD, Check Point Software, Fortinet and Palo Alto Networks.

AlgoSec Application Connectivity Management: AlgoSec AppViz & AppChange

The AppViz (Application Visibility Add-On) add-on accelerates identification and mapping of all the network attributes and rules that support business-critical applications – making it easier for organizations to make changes to their applications across any on-premise and cloud platform, and to troubleshoot network and change management issues across the entire enterprise environment.

AlgoSec’s AppChange (Application Lifecycle Change Management Add-On) automatically translates and implements network security policy changes on all relevant devices across the entire network to reflect specific connectivity requirement for applications. This saves time for IT and security teams and eliminates manual errors and misconfigurations. AppChange addresses the critical issues of human error and configuration mistakes that are the biggest causes of network and application outages.

These components are offered as independent software licenses and bundles on Cisco’s Global Price List.

In summary, the AlgoSec Security Management Solution integrates with and complements Cisco ACI Anywhere, providing consistent security policy management and visibility across data centers and clouds.

Continue reading

Our focus on security in an open collaboration world

Interoperability and openness should never be a trade-off with security, and our users shouldn’t believe they need to sacrifice one over the other. Interoperability and security can and should work in unison, and this requires today’s software companies to work with some basic norms on how we collectively secure our mutual customers.

Cisco has created a rich partner, developer, and integrator ecosystem so our customers have the flexibility and choice to super-charge their tools and workflows with our collaboration technologies, seamlessly.  We are serious about interoperability with the tools you love and use every day. Some examples of the work we have done in this regard include our native integrations with Google, Apple, Microsoft, Slack and more.

This flexibility, choice, and interoperability, however, must come with zero compromises on security and data integrity.

Unsupported collaboration integrations could lead to increased customer risk. Compatibility and security can be challenging, and that is why we will only support third-party collaboration vendors who meet our security standards and who integrate with our products and services through our supported open APIs.

Zoom Connector for Cisco Issue: Interop between Zoom and Cisco Video Devices

Cisco was notified of a serious security risk with the Zoom Connector for Cisco on October 31st, 2019 and followed our well-established process to investigate the issue. We believe Zoom had also been notified on October 31 or thereabouts.  On November 18th, our CISO notified Zoom’s CISO of our findings and advised immediate action to address all security risks. I am sharing the details of this issue as we are committed to transparency and to protecting our customers in the constantly evolving security landscape.

The Zoom Connector for Cisco, owned and operated by Zoom Video Communications, connects their cloud to a customers’ internal network and specifically a Cisco Endpoint/Video Device and its management interface.

What was the issue? Regrettably, the access (through a Zoom URL) for the Zoom Connector for Cisco hosted on zoom.us was accessible without authentication.

Issue details: Cisco Webex Devices can be managed through a web interface that provides management of configuration, status, logs, security and of integrations such as in-room controls and macros. The Zoom Connector for Cisco created a device specific URL hosted on the Zoom website for each endpoint configured in the connector. This URL provided access to the device’s web interface by using Zoom’s on-premises API Connector to modify the Cisco web pages so they could be accessed from the Zoom URL outside the customer’s network. Regrettably, this Zoom URL provided from their website was accessible without authentication. In addition, Zoom provided a landing page that copied Cisco’s landing page, including Cisco’s logo and brandings, misleading customers into believing they were on a Cisco webpage with Cisco security, rather than a publicly accessible URL.

The Zoom Connector for Cisco created the following critical security risks:

1. The Zoom URL did not require credentials. Anyone with knowledge of the URL could access it from the public internet, allowing unauthenticated access to a Cisco Webex Device configured and managed through the Zoom Connector for Cisco. Once a person had the URL, they could reach the endpoint directly and control it, including creating a call from that endpoint to eavesdrop onto critical business meetings.

2. Zoom exposed Cisco Webex Devices to perpetual administrative exposure by placing itself between the user and the Cisco interface, modifying the Cisco webpage using unsupported methods through a Zoom URL, thereby bypassing all Cisco Security norms. The Zoom URL did not expire during our testing period. Even when the Zoom administrator changed their password, the Zoom URL managing the Cisco Webex Device lived on.

3. The Zoom URL link did not get revoked if the Zoom administration password was changed or upon deletion of a Zoom administrative user. Thus, an ex-employee would continue to have access to the devices through the firewall from the public internet, if they had the Zoom URL stored in their history.

On November 19th, 2019, Zoom released a “bug fix” that partially addressed the security issues and, after further communication from Cisco, provided an email with incomplete information on the security risks to their affected customers.

Our promise to our customers

At Cisco Webex, we live by secure, simple, and scalable principles. Over my decades in the software industry, I have learned that it is never acceptable to bypass security norms for the sake of convenience and simplicity. And when so much sensitive data is being shared through video conferencing, including the ability to use a device’s camera, security must be of utmost importance. That is the promise we at Cisco hold dearly for every one of our customers, and embodied by the steps we took for this issue:

1. We take every notification seriously, especially from our customers.

2. We engaged our Cisco Product Security Incident Response Team (PSIRT)and the Talos Security Intelligence and Research Group (Talos) to investigate this security risk. The Cisco PSIRT team is a dedicated, global team that manages the receipt, investigation, and public reporting of security vulnerability information related to Cisco products and networks. Talos is made up of leading threat researchers supported by sophisticated systems to create threat intelligence for Cisco products. Cisco has well established practices for investigating and reporting security issues (https://tools.cisco.com/security/center/resources/security_vulnerability_policy.html), and cooperates with industry in researching security issues.

3. As I noted previously, these findings were shared with Zoom on November 18th, 2019.

4. We all live in a heightened state of alert, ready to act proactively as and when notified. Each of us have, over the years, had our own issues and need to cooperate in the future for the sake of our mutual customers. We appreciate Zoom password-enabling these Zoom URLs starting November 19th, 2019. It is a good first step, but we need them to do more. We would like them to take additional steps to use our supported APIs and work with us to certify the solution so that we can secure our mutual customers effectively.

Call to action

If you are a customer using the Zoom Connector for Cisco, please review your administrative logs and analyze the usage to see if there was any breach as a result of the implementation described here.

At present, the Zoom Connector for Cisco is not a Cisco supported solution that meets our standards of enterprise-grade security. Our supported solutions meet the standards our customers expect out of Cisco by using our well documented open APIs.

Continue reading

Everything you love about SD-WAN on vEdge, now on the ISR

Ever wish you could take the best of Cisco SD-WAN software and combine it with the best routing platform? Well, you’ll be pleased to know we’re introducing new models, the ISR 1100-4G and ISR 1100-6G, which run Viptela OS on ISR hardware. Now you get best-in-class SD-WAN with best-in-class hardware. All the SD-WAN features you’ve loved on vEdge devices are now available with the ISR 1000 Series.

The ISR 1100-4G and 1100-6G are feature-rich platforms with Cisco SD-WAN delivering WAN, security and multi-cloud capabilities. Viptela OS and Cisco SD-WAN’s vManage provide automated, network-wide deployment, configuration, monitoring, and troubleshooting as well as transport independence, network services, and endpoint flexibility. So, if you are looking to upgrade from the vEdge 100B or vEdge 1000 the ISR 1100-4G/6G provide a powerful replacement.

Give me the specs!

◉ Up to 4 built-in 10/100/1000 Ethernet ports for WAN or LAN with SFP support

◉ 4 GB DRAM, 8 GB bulk flash

◉ Dedicated control plane for service reliability, multicore data plane for higher performance

◉ Embedded device security with high platform reliability

◉ Fanless, compact form factor perfect for branch offices

What can you accomplish with the ISR 1100-4G/6G?

◉ Create a secure automated WAN – Using Cisco SD-WAN you can automatically provision and maintain secure connections across the WAN.

◉ Optimize application performance – Provide a consistent user and application quality of experience for optimal performance across any transport, location and cloud.

◉ Provide secure Direct Internet Access – Multi-layer cloud security delivers comprehensive protection against external and internal threats and provides your users with direct internet access. With Cisco SD-WAN you’ll get cost effective and secure access over the internet and secure access to business critical applications for remote sites.

◉ Simplify management and operations – A single, centralized user interface that is open and programmable gives you the ability to easily scale to thousands of sites.

Not only do the new ISR platforms provide full SD-WAN feature parity with Cisco vEdge devices, they also offer investment protection with the ability to switch to IOS XE SD-WAN in the future.

Continue reading

Deep-dive into Cisco DNA Software Subscriptions for Switching

What is the structure?

Cisco DNA Software for Switching is divided into three tiers: Cisco DNA Essentials, Cisco DNA Advantage and Cisco DNA Premier. As you go up in tiers, the features and capabilities become more differentiated. When you attach a Cisco DNA software subscription to your switch, you will also get the bundled perpetual license: Network Essentials or Network Advantage. Network Essentials is bundled with Cisco DNA Essentials, like the name suggests. Network Advantage is bundled with Cisco DNA Advantage or Cisco DNA Premier.

Cisco DNA Essentials, the base tier, offers simplified management and base automation & monitoring, which you’d have access to on the Cisco DNA Center application. Cisco DNA Advantage offers policy-based and all other advanced automation and assurance capabilities, including SD-Access, although some of these capabilities and features do require an integration to Cisco Identity Services Engine (ISE), which is licensed by number of endpoints as well as an ISE instance (you can choose either a physical appliance or a virtual machine/VM). As a result, you can get full SD-Access capabilities in the Advantage level tier if you already have an ISE server and endpoint licenses in your network. If you do not have ISE in your network and want SD-Access, Cisco DNA Premier would offer the best value to get these ISE endpoint licenses, as well as Stealthwatch flow licenses for those who want to deploy Encrypted Traffic Analytics (ETA). With Cisco DNA Premier, all Cisco DNA use cases and required licenses are provided.

Why should I purchase a subscription for my switches?

Subscription matters because it gives you faster access to innovation with access to the latest features, and it gives you enhanced agility and better financial planning with license portability and a linear, predictable budget.

Now, with the bundled perpetual Network stack and DNA subscription licenses, you will get a lot more value for the same price. For those who were accustomed to purchasing LAN Base access switches, you can now get a next-generation Catalyst 9000 series switch with Network Essentials as well as a 3-year Cisco DNA Essentials subscription for less. For those who used to purchase IP Base or IP Services, you can get Network Advantage and a 3-year subscription to Cisco DNA Advantage for less. See the details below:

I purchased Cisco ONE, what about me?

For Cisco ONE customers, we have you covered for an easy transition to Cisco DNA Software subscriptions. When you renew your SWSS (software support service) contract, we will provide entitlement to Cisco DNA Software subscription at no additional cost. So, for the same term and price that you are paying for SWSS, we will include Cisco DNA Essentials or Cisco DNA Advantage subscription licenses. (Cisco ONE Foundation receives Cisco DNA Essentials, and Cisco ONE Advanced receives Cisco DNA Advantage).

What support do I get with the subscription?

With Cisco DNA subscription for switching, there is embedded software support that includes 24/7 TAC support, new software downloads, and knowledge base access. Please note that this support is for the Cisco DNA Subscription components only. All switches also come with E-LLW (Cisco Enhanced Limited Lifetime Warranty) which include the following:

◉ 90 days of Cisco TAC support; local business hours, 8×5

◉ Hardware replacement (next business day where available)

◉ Duration is lifespan of hardware product

For those who are looking for TAC support beyond 90 days on the network stack (Network Essentials/Advantage), you should purchase Solution Support or Smart Net Total Care on the switch, which covers both the hardware and the network stack.

Continue reading

The Rise of Cisco SD-WAN

Today, many businesses are shifting from a centralized infrastructure to decentralized applications that run in many clouds. The workload is also shifting from the corporate data center to the edge to access a multicloud environment more efficiently. When you combine the increasing number of users, devices, and locations that need access to cloud applications, you end up with overwhelming IT complexity.

Cisco SD-WAN is a wide area network (WAN) that extends the principles of software-defined networking (SDN) into the WAN. This secure, cloud-scale architecture is designed to meet the complex needs of modern wide area networks and includes:

◉ A predictable application experience that can help improve user productivity by optimizing cloud and   on-premises application performance with real-time analytics, visibility, and control.

◉ Security to help protect users, devices, and applications that quickly deploys embedded or cloud security and threat intelligence.

◉ Simplicity at enterprise scale with a single user interface to make it easy to deploy SD-WAN and security while maintaining policy across thousands of sites.

◉ End-to-end visibility with Cisco vManage, which can quickly establish an overlay fabric to connect data centers, branches, campuses, and colocation facilities.

Optional vAnalytics, which identifies connectivity and contextual issues to determine optimal paths for users to get to their destination, regardless of their connectivity.

Cisco SD-WAN includes application-aware routing and application-aware policies that allow real-time policy enforcement for cloud and on-premises solutions. A recent survey showed that many IT organizations were able to bring unplanned outages down by 82% and their software updates now take 51% less time with Cisco SD-WAN.¹

Cisco SD-WAN solutions can help you decrease costs, increase profitability, improve operational efficiencies, provide better performance and integrate security. In a single overlay that extends to data center, cloud, and branch locations, Cisco SD-WAN optimizes software-as-a-service (SaaS) performance for Office 365, Salesforce, and other cloud-based applications. It also delivers seamless connectivity to the public cloud to simplify workflows for Amazon Web Services (AWS), and Azure.

Cisco Delivers a Secure, Intelligent Platform for Multicloud Access

In a multicloud environment, access from distributed branches can lead to challenges such as network management costs and complexity. For example, to deploy or maintain solutions at each branch, you may need to dispatch technicians. Having separate solutions and services at each branch can reduce security, and the geographic distance to many cloud applications can result in suboptimal performance.

Cisco SD-WAN helps you solve these challenges by consolidating regional branch locations into a co-location facility. With the Cisco SD-WAN Cloud onRamp for Colocation solution, you can:

◉ Aggregate your network services for SD-WAN or traditional routing by connecting branch offices to key regional locations and colocations

◉ Deploy secure virtualized network services automatically in minutes, on demand, with centralized policy management

◉ Maintain SLAs and improve user experiences because of proximity to multiple clouds

◉ Reduce transport costs by connecting to multiple clouds and colocation centers

◉ Decrease the need for trained IT professionals at each branch site without sacrificing security

With Cisco SD-WAN, enterprises can choose to deploy and manage Cisco SD-WAN themselves or work with any of our service provider partners who offer Cisco SD-WAN as a managed service.

Managed SD-WAN

With a managed SD-WAN solution, the service provider monitors and maintains the SD-WAN solution for you. The biggest benefit of managed services is that instead of spending time managing the SD-WAN connectivity, your IT resources are freed to perform other important tasks. By taking the managed service approach, you can:

◉ Take advantage of the expertise the service provider has in implementing and managing the SD-WAN infrastructure

◉ Recover the time your IT staff spends on running the business, so they can spend more time implementing IT strategy

◉ Potentially shift to an OpEx model from a purely CapEx model

Continue reading

Modernizing to Oracle 19c with Hyperconverged Infrastructure

Oracle Database 19c is a long-term support release of the database, offering customers the best performance, scalability, reliability, and security for all their operational and analytical workloads. The core aim for 19c is stability, as it forms a foundation for next phase of autonomous database optimizations. These optimizations include the ability for the database to automatically create indexes, which allow for the database to self-optimize and maintain optimal configuration.

Additional optimizations in Oracle Database 19c include real-time statistics for all operations and the ability to automatically quarantine problematic sequel. It also includes key unique innovations for core enterprise capabilities. For a lot of customers who run standby databases, Oracle 19c accepts updates to those standby databases, thereby turning the standby from a read-only to a read-mostly asset. In order to deal with streaming data or to have IOT type workloads, 19c provides a new in-memory rows store and API to provide very high speed and high volume data ingest.

Below is the list of some of the new features in Oracle Database 19c:

◉ General – Flashback Standby database when primary database is flashed back
◉ Performance – SQL Quarantine
◉ RAC & Grid Infrastructure – Zero-Downtime Oracle Grid infrastructure patching
◉ Availability – Dynamically change Fast-Start Failover (FSFO) target
◉ Application Development – REST Enabled SQL Support
◉ Automatic Indexing
◉ Database IN-Memory
◉ REAL-TIME Statistics Collections
◉ High Availability

Oracle on A Hyperconverged Infrastructure

The rapidly emerging world of hyperconverged infrastructure (HCI) promises many technical and financial benefits. The marketplace has been quick to recognize and validate the advantages of HCI, which combines the main features of a three-tier architecture – compute, storage, and networking – into a single solution. Having superior, vendor-supplied software is crucial to facilitate easy and efficient management of resources. In addition to managing the essentials of compute, storage and networking layers, HCI solutions also provide features to handle DR and the ability to scale up, with additional nodes as needed.

For an Oracle customer, the benefits of HCI from a technical optimization perspective are clear. You reduce unused hardware capacity through better resource management, eliminate network devices, and scale up your Oracle deployments easily and rapidly in response to rising demand. Adding nodes and moving workloads becomes seamless.

Various considerations while choosing an HCI environment:

◉ A Simple, integrated software stack which allows to do more with less
◉ Consistent, high performance that satisfies demanding business critical applications
◉ Flexible deployment models that align IT expertise with business priorities
◉ Advanced automation capabilities that enable IT agility
◉ Hypervisors that offer confidence and lower risk

Cisco’s Hyperconverged Infrastructure

Businesses across all verticals are seeing benefits behind this tight integration with virtual technologies as well. HCI reduces complexity and fragmentation around having to manage resources sitting on heterogeneous systems; it can reduce data center footprints; and it can greatly reduce deployment risks with validated deployment architectures.

There’s clear demand in the market. Consider this: according to the latest Gartner Magic Quadrant for Integrated Systems report, “hyperconverged integrated systems will represent over 35 percent of the total integrated system market revenue by 2019.” This makes it one of the fastest-growing and most valuable technology segments in the industry today.

With a co-engineered hardware and software solution Cisco has become a Gartner Magic Quadrant leader in HCI with Cisco HyperFlex. Taking in all the considerations listed above while choosing an HCI environment, Cisco’s HyperFlex is a great solution and a great technology to consider while running oracle on. That said, there are numerous critical features that set this technology apart from any other HCI solution out there. One of those aspects revolves around the fact that HyperFlex comes with full network fabric integration. This type of integration allows administrators to create QoS policies and even manage vSwitch configurations that scale throughout the entire fabric interconnect architecture. This approach provides data reliability and fast database performance. Cisco HyperFlex integrates servers, storage systems, network resources, and storage software to provide an enterprise-scale environment for an Oracle Database deployment. This highly integrated environment provides reliability, high availability, scalability, and performance to handle large-scale transactional workloads.

Oracle Databases and Real Application Clusters (RAC) are the core of many enterprise applications, including online transaction processing (OLTP), data warehousing, business intelligence, report generation, and online analytical processing (OLAP). As the amount and types of data increase, you need flexible and scalable systems with predictable performance to address database sprawl. By deploying Cisco HyperFlex with All Flash or All NVMe nodes, you can run your Oracle Database and RAC deployments on an agile platform that delivers insight in less time and at less cost.

Cisco HyperFlex systems with Oracle Database and RAC:

◉ Closely match the needs of databases and applications
◉ Reduce Storage footprint
◉ Optimize storage costs
◉ Deliver predictable database performance
◉ Keep enterprise applications and database available

The first fully engineered hyperconverged appliance based on NVMe storage delivers more of what you need to propel mission-critical workloads:

◉ It provides 71 percent more I/O operations per second (IOPS) and 37 percent lower latency than our previous-generation all-flash node.
◉ Also provides 15% more storage efficiency due to less storage needed when using the Cisco HyperFlex Acceleration Engine.

All-NVMe solutions support the most latency-sensitive applications with the simplicity of hyperconvergence. Our solutions provide the first fully integrated platform designed to support NVMe technology with increased performance and RAS.

As mentioned above, Cisco HyperFlex systems best suites Oracle Database and RAC deployments, best performance at a cost of very low latency. To help you deploy Oracle 19c and Oracle RAC, we deployed Oracle 19c Database on a 4 node HyperFlex cluster and tested it with various configuration profiles. Below are the links to the Oracle whitepaper references containing validation results tested internally. From the test results, it’s clearly evident that Cisco HyperFlex systems can handle OLTP highly intensive workloads by delivering best performance at a very low cost and latency.

Continue reading

The Importance of the Network in Detecting Incidents in Critical Infrastructure

The network plays a key role in defending critical infrastructure and IoT. The devices that we are connecting drive our business, enabling us to make smarter decisions and gain greater efficiency through digitization. But how do we ensure those connected devices are acting as intended? From an industrial operations perspective, we need to know that plant operations are nominal, irrespective of cyber threat. The network is well positioned to assist us in detecting misbehaving devices.

Network telemetry for visibility

In order to have assurance of business operations, it is critical to have visibility and awareness into what is occurring on the network at any given time. Network telemetry offers extensive and useful detection capabilities which can be coupled with dedicated analysis systems to collect, trend and correlate observed activity. In the security world we can infer much from network telemetry, from malware behaviour and reconnaissance, to data exfiltration. It is even possible to infer to some extent what is contained in encrypted traffic. Not only can we use this traffic for detection, but also for investigation. Having a historical record of communication also assists with investigating incidents. We can see, for example, what other hosts may have talked to a command and control server, or we can look at any lateral movement from a host.

The first step is to collect Netflow, which is a unidirectional sequence of packets with some common properties that pass through a network device. These collected flows are exported to an external device, the NetFlow collector. Network flows are highly granular; for example, flow records include details such as IP addresses, packet and byte counts, timestamps, Type of Service (ToS), application ports, input and output interfaces.

Exported NetFlow data is used for a variety of purposes, including enterprise accounting and departmental chargebacks, ISP billing, data warehousing, network monitoring, capacity planning, application monitoring and profiling, user monitoring and profiling, security analysis, and data mining for marketing purposes.

For most network devices (including many ruggedized devices used in OT environments), Netflow is simply an option you can turn on sending this data to a Netflow collector. Lower-end switches may not have this option; however, a span port can send traffic to a Netflow Sensor to accomplish this task. Gathering network telemetry visibility is the first step for organisations. The next steps are to utilise tools that can analyse the traffic and look for behavioural anomalies. For more advanced use cases, Encrypted Traffic Analytics (ETA) offers insights into encrypted traffic as well.

Accelerating detection through smarter tooling

The problem of scale in IoT, is also evidenced in security incident detection and response, where we have more traffic to review, and accordingly, more events. We need tools to help us, and Machine Learning (ML) and Artificial Intelligence (AI) based tooling are important technologies, particularly when it comes to network behaviour. Devices, as opposed to humans, tend to have very defined behaviour, so leveraging ML and AI to observe and baseline this behaviour offers high fidelity alert sources.

Machine Learning in Network Security

Leveraging context for better results

To really accelerate detection and lower our median time to detect, we need all our tools to work together. We discussed network context and understanding what a device policy should be, at scale. What if we could leverage that same information to assist with detection? Understanding contextual information and what a device’s policy should be, can help increase fidelity of behavioural alerts. Investigators also benefit from having this information integrated into their tools, which helps speed investigations.

Continue reading