Focus on HyperFlex: Sizing A New Cluster Using the Sizer and Profiler Tools

In this ‘Focus on HyperFlex’ blog, we’ll zero-in on different aspects of the Cisco HyperFlex (‘HX’) hyperconverged system and ways to make HX work best for you and your organization. This edition will illustrate on how to size a cluster when you might not have all the details of the workload worked out. In this situation, HyperFlex Profiler is the right approach to learn more about the workloads.

During my time in sales, teams often asked me to size a HyperFlex cluster and provide a customer quote. It was customary to have many more questions than the team or customer could answer about the application. Normally, they would provide me with an Excel sheet with some CPU and memory values. That is a great start, and it gave me deep insight into the customer’s application. However, an application profile is not only about averages of CPU and memory.  There are several more parameters needed, including the performance and latency peaks. With the customer’s permission, I would run a HyperFlex Profiler in their environment to gain more information about their application. Before installing the OVA on their vCenter, I would explain what HyperFlex Profiler is and how it helps with sizing their new HyperFlex environment. 

HyperFlex Profiler 

If there is no historical insight into the potential clustered application environment, then start with HyperFlex Profiler. HyperFlex Profiler will gather data on the vCenter environment and consolidate that mass of data to a single, easily digestible file. This file will quickly size the cluster after importing it into the HyperFlex Sizer tool and paint a clearer picture of the environment and workloads. 

However, profiling the environment is not a quick hit in a short period of time. The best approach is to run the HyperFlex Profiler for at least seven days or, preferably, 30 days. A longer measuring period ensures you capture data when “end of the month reports” are run. Of course, don’t just measure the environment during a weekend when there is little traffic! Be sure to capture at least one logical business cycle for that application. 

The HyperFlex Profiler is an OVA installed on a VMware environment. The only configuration is to provide (read-only) access to the vCenter environment and define which servers the HyperFlex Profiler will monitor. Multiple servers and/or clusters can be selected. For environments running different types of workloads, it is recommended to isolate them by selecting the servers in their environments – for instance, the VDI or the SQL environment. Of course, selecting all servers and workloads is also an option. Keep in mind that you will have more overhead this way. 

When it is monitoring the environment, you will see the following: 

More details about the environment can be shown in other tables and graphics, that can be exported in pdf format. 

It is essential to see the peaks of the environment. This way, you can make sure the new HyperFlex designed cluster can handle the workload, and ensure there is room for expansion. 

There are different graphs in the HyperFlex Profiler. Here you can see the metrics of the storage reads. Here, you have more insight into the frequently used block-size of the environment. This is one of them:

The next step is to use the power of the HyperFlex ProFiler to create a bill of material out of all the information from vCenter.  The data of the HyperFlex Profiler can be manually or automatically downloaded and uploaded to the HyperFlex Sizer. 

HyperFlex Sizer 

The HyperFlex Sizer is an online tool (https://hyperflexsizer.cloudapps.cisco.com/) accessible to both partners and customers. With this tool, you can add your personal, most commonly used workloads to a HyperFlex cluster and have the sizing tool decide the best option. HyperFlex Sizer takes the HyperFlex best practices into account when calculating the optimal solution. 

Furthermore, you can customize the sizing tool, using only the preferred components the customer wishes to see in the new HyperFlex environment. Different elements, like CPU, memory, types and sizes of drives, and more, can be customized. 

Uploading the data of the HX Profiler to the HX Sizer is entirely straightforward. After claiming the HX Profile into the HX Sizer, the tool will produce a practical Bill of Materials that can be the baseline of a  discussion with your partner about the best solution for your applications. 

Here is a screenshot of the HyperFlex Sizer where a HyperFlex cluster is calculated with the requested workload:

A variation of HyperFlex clusters may be advised. This is possible when you want to have different workloads, each with their characteristics. 

It shows the amount of HyperFlex or compute nodes, what type of nodes and  includes all the parts that are needed to create the solution. This way, you don’t have to configure everything manually, eliminating human errors.  

Create an estimate

Once you know the total size of the new HyperFlex cluster, partners or Cisco experts can easily upload the Bill of Material to Cisco Commerce Workspace (CCW) and estimate the HyperFlex cluster.

In CCW, the estimate can be converted to an order.

Source: cisco.com

Continue reading

EIS in Transition: Impacts on Digital Transformation for Federal Networks

For Federal agencies, Enterprise Infrastructure Solutions (EIS) has provided a comprehensive, solution-based method to address their IT telecommunications and infrastructure needs. Over the years, EIS has seen many changes that directly impact stakeholders. But its primary purpose as a key driver for the digital transformation of enterprise telecommunications and networking solutions remains unchanged. Yet many agencies, such as Networx and WITs, face contract expirations on May 31, 2023. To maintain momentum for digitization, Federal agencies must begin the transition now by strategically mapping how and where it should start.

What’s next for Federal Digital Transformation?

For decades, Cisco has built a strong relationship with the U.S. Federal Government. Our portfolio of products, solutions, and services provide Federal agencies with the critical technology and support they need to enable the transformation of their networks within the EIS contract.

By leveraging these existing contracts, agencies are reducing costs and acquisition time. They’ve been able to digitize aging systems and catch-up to the private sector in capabilities. But now what? Which direction should Federal agencies go as they transition contracts within EIS? The simple answer: Cisco SD-WAN.

Beyond EIS with SD-WAN

Cisco SD-WAN is the premier choice for replacing expensive and aging legacy WAN. Federal agency networks leveraging Cisco’s SD-WAN solution can benefit from:

◉ Enhanced user experience

◉ Reduced costs

◉ Simplified operations

◉ Improved performance

◉ And robust security.

Cisco SD-WAN enables more efficient bandwidth allocation, powering critical applications to faster, smoother performance. This capability is now a necessity as Federal agencies move to cloud services and witness an explosion of app-wielding users connecting remotely.

Wi-Fi6 for the Federal Government

The transition in EIS contracts also provides Federal agencies with the opportunity to rethink their adoption of new and emerging technologies. One example is Wi-Fi 6. It builds on earlier Wi-Fi standards to provide Gigabit Ethernet Access – but with the reliability and predictability that comes from a licensed radio.

Cisco Wi-Fi 6 Solutions let users of modern, more agile networks benefit from new capabilities while connecting wirelessly. Cisco’s Wi-Fi 6 gives access points the power to support more clients in dense environments, plus it provides a better experience for users of typical wireless LAN networks.

Partnering for the future of EIS

In late 2021, the General Services Administration (GSA) issued a Request For Information (RFI) seeking comments to modify the EIS contract so that agencies can more quickly obtain mobility-as-a-service (MaaS) offerings (starting in late 2022). This expansion of EIS would allow for the use of 5G and bring the benefits of edge compute to the government workforce.

At Cisco, we’re also planning to provide additional capabilities to the U.S. Government, including 5GaaS capabilities. This could be a game-changer, enabling the U.S. Government to take advantage of mobility services.

For Federal agencies, the transition in EIS contracts provides a unique opportunity to leverage innovative technologies that can maximize network agility and security while enhancing workforce productivity.

At Cisco, we understand this and are helping shape the future of government with products, solutions, and services that empower agile networks, enhanced collaboration, and a holistic security approach. By preparing now, your agency can leverage the upcoming EIS transition to help shape that future.

Source: cisco.com

Continue reading

Cisco 300-435 ENAUTO | Syllabus | Exam Overview | Questions | Study Guide

 

Cisco ENAUTO Exam Description:

The Automating and Programming Cisco Enterprise Solutions v1.0 (ENAUTO 300-435) exam is a 90-minute exam associated with the CCNP Enterprise, Cisco Certified DevNet Professional, and Cisco Certified DevNet Specialist - Enterprise Automation and Programmability certifications. This exam tests a candidate's knowledge of implementing Enterprise automated solutions, including programming concepts, Python programming, APIs, controllers and automation tools. The course, Implementing Cisco Enterprise Automation Solutions, helps candidates to prepare for this exam.

Cisco 300-435 Exam Overview:

• Exam Name- Automating and Programming Cisco Enterprise Solutions
• Exam Number- 300-435 ENAUTO
• Exam Price- $300 USD
• Duration- 90 minutes
• Number of Questions- 55-65
• Passing Score- Variable (750-850 / 1000 Approx.)
• Recommended Training- Implementing Automation for Cisco Enterprise Solutions (ENAUI)
• Exam Registration- PEARSON VUE
• Sample Question- Cisco 300-435 Sample Questions
• Practice Exam- Cisco Certified DevNet Specialist Enterprise Automation and Programmability Practice Test

Related Study Guide:-

300-435 Exam: Passing Strategies to Earn Cisco Certified DevNet Specialist Enterprise Automation and Programmability Certification

Continue reading

Public Sector: Five Steps to Accelerate Digital Transformation Towards eGovernment

If the past two years have taught us anything, it’s if, given the chance, we’ll choose the ease of clicking a button or an automated service over waiting in line any day. Renew my driver’s license online instead of going to the Department of Motor Vehicles? Yes please! I can opt to have my local government agency call me back when it’s my turn in the call queue instead of waiting on hold for hours? Sign me up!

Yes, delighting customers goes beyond traditional customer service industries. It also applies to the superior digital experiences public sector citizens expect from their local and federal municipalities and government agencies. A 2021 study of U.S. state CIOs showed that 90 percent felt the pandemic increased demand for digital government services, with 75 percent stating that the biggest driver behind expanding digital services was to provide a “better online experience for citizens.” And globally, it’s estimated that more than 60 percent of governments will triple citizen digital services by 2023, and half of all digital government key performance indicators will include a citizen/customer experience metric to ensure that services delivered are citizen-centric.

Accelerating digital transformation

Public Sector’s ability to digitally transform and adopt new technologies is key to providing a superior digital experience. But in an industry known for dealing with legacy-driven infrastructures and siloed strategies and resources, this transformation can be a bit of a challenge. Below are five key strategies which should be of keen focus.

1. Empower hybrid work

Now that hybrid work has proven to be technically viable, government needs to create better online experiences for citizens and employees. Empower employees to work from wherever they are – at home or in the field. Expand work-from-home options to include work from anywhere. The key is to enable secure and wireless connections combined with various multi-faceted collaboration tools. This effort allows employees to work, maintain productivity, enhance civic life, and stay mobile.

2. Unify and secure network connectivity

This powers hybrid work and enables employees to work from anywhere. There’s a need to invest in the unifying and hardening of networks. Now more than ever is the need to identify and resolve events faster and keep vigilant for threats. As a government agency, it is imperative to offer encryption and security for work-at-home devices and expand your identity and access management (IAM) solution to employees and your citizen users. A must-have is a zero-trust secure network and sturdy endpoint detection to accompany that expansion. Proactively stopping breaches and automating updates with an expanded unified network and security solution vs. chasing threats and risking vulnerabilities is now a reality.

3. Accelerate cloud migration

One thing we learned from recent events – It’s now time to “Go to the Cloud”. Digital transformation means a better online experience for citizens as well as employees. It also represents productivity increases and cost savings. If you don’t have a cloud smart strategy in place now, you should be working on it. Most public sector agencies see the benefit of modernizing by moving applications to the cloud where feasible. Whether via infrastructure-as-a-service or a hybrid model with a state-owned data center for many legacy applications. Low code intuitive and friendly apps are replacing web-based forms. These and the new breed of cloud-based applications enable instant flexibility, scalability, and accessibility. Combined with low development and start-up cost via SaaS vendor models enables testing, refinement, and ability to scale as needed. Pilot early, pilot often. Migrate what you can and combine a solid external identity and access management (IAM) cloud security solution, your team can be twice as productive with lower cost.

4. Leverage built-in data analytics

Speaking of budget. Forward-thinking agencies also leverage the innovation built into cloud platforms to leap their public services ahead. With big data and predictive analytics tools, they can purchase and use only what they need, when they need it. The ability to stand up new services and enhance existing ones by processing massive amounts of transactional data enables giant leaps of civic lifestyle, from wait times in lines to stoplight optimization, even public health emergencies. The ability to leverage data analytics is a game-changer for understanding public data.

5. Power automation with AI/Machine Learning 

There is no greater game-changer than the ability to use Artificial Intelligence and Machine Learning. AI and ML are now available for even the smallest agencies with limited budgets to make life better for their citizens. Small agencies now can run license plate cameras at heavy thoroughfares; police agencies can process massive amounts of audio/video from stoplights and drone cameras. These smaller agencies can run valuable lifesaving and revenue-producing public services with little to no staff with simple automation.

Make public sector digital transformation a reality

Adoption of these strategies and new technologies shines a light on the widening skills gap in public sector.  Case in point, a recent study of European health, government, and education organizations showed that 63 percent said lack of skills and experience is a barrier to their cloud migrations.

Cisco Business Critical Services provides expert, analytics-driven guidance throughout the entire lifecycle to create transformative, adaptive, and resilient IT to improve digital experience for public sector citizens. Steeped in 35 years of experience, Business Critical Services expertise transcends architectures and provides in-country experts to ensure data sovereignty and security clearance needs are met in over 20 countries.

Reach out to your Cisco sales representative or partner today and accelerate your digital transformation journey today.

Source: cisco.com

Continue reading

Cisco stands on guard with our customers in Ukraine

Summary

◉ As the Russia-led invasion intensifies, Ukraine is being attacked by bombs and bytes. Cisco is working around the clock on a global, company-wide effort to protect our customers there and ensure that nothing goes dark.

◉ Cisco Talos has taken the extraordinary step of directly operating security products 24/7 for critical customers in Ukraine while over 500 employees across Cisco have come together to assist in collecting open-source (public) intelligence.

◉ In critical Ukrainian networks, we are taking advantage of advanced product features to create Ukraine-specific protections based on intelligence we have received.

◉ We are closely monitoring telemetry and aggressively convicting threats to protect both our Ukrainian and global customers.

◉ Customers with a mature security model should design their intelligence programs to drive changes in the organization’s defensive posture based on their findings.

◉ We have been successful in our work in Ukraine up to this point and will continue to support our partners there

Introduction

You may not have noticed, but Cisco has been a different place in the past month. The unjust invasion of Ukraine, and the sense of helplessness we all have felt, has created a motivated collection of Cisco employees working to make life just a little safer and easier in a part of the world many have never been. Teams have set aside their normal tasks and now watch over Ukranian networks, some have focused on caring for and protecting refugees and others have turned their obsession with social media into a critical component of our open-source intelligence work. The plans have been creative and, while many would have been unthinkable just a week ago, approvals have come fast and everyone has been stretching far beyond their normal workload.

In today’s situation in Ukraine, lives and livelihoods depend on the up-time of systems. Trains need to run, people need to buy gas and groceries, the government needs to get messages out to civilians for morale and for safety. Cybersecurity can be invisible behind all of this. In this blog we talk about a small part of Cisco’s response to this crisis. It is just one of many stories about how the people that make Cisco what it is have responded to an unprecedented crisis. There are lessons here for the defender as well, on what a world-class intelligence team can do when handed a network to defend and a capable set of security tools. But mostly this is a story about the people – from the cubicle to the C-Suite – who would do what little they could.

Calm Before the Storm

This effort has extended through all parts of Cisco and started with Talos – Cisco’s threat intelligence arm – more than a month ago, when we initiated an internal process to manage large-scale events. We began by increasing monitoring in Ukraine as the Russian troop buildup continued. Telemetry from Ukraine customers was closely scrutinized by intelligence analysts and our SecureX Hunting team. At that point, we were not working with customers directly, just quietly watching over them.

As it became clear that there was a real possibility that Russia would invade, our intelligence team began its quiet work. We do not talk about this a lot, but speaking broadly, any major event will have many small groups of researchers who have grown to trust each other cooperating and sharing information that is not publicly available. Most of these groups are informal, but one of the newer ones, the Joint Cyber Defense Collaborative (JCDC), which works out of the Cybersecurity and Infrastructure Security Agency (CISA), has been public that it is serving as a platform for collaboration between public and private sector partners. Whether organized or informal, public or private, all these groups have been eager to work together to protect Ukraine and the world from Russian aggression online.

When both the website defacements and the first WhisperGate malware deployments occurred in mid-January, we were contacted by three Ukrainian government agencies we have worked with in the past. From that point on, we have continued to support the State Special Communications Service of Ukraine (SSSCIP), the Cyberpolice Department of the National Police of Ukraine and the National Coordination Center for Cybersecurity (NCCC at the NSDC of Ukraine). This support has largely taken the form of incident response, and we have turned the lessons learned in those responses into protections for all our customers.

Our investigations with our government partners in Ukraine led to additional protections for our customers globally as well as a blog post to inform the world of the threats we were aware of and our perspective on those threats. This is a common cycle that has been repeated both before and after the WhisperGate deployments: Ukraine experiences an event, we help investigate, we publish new protections based on what we learned and share our understanding of what happened.

A Growing Threat

As the invasion approached, there were other minor events, but none that had any appreciable impact. These were distributed denial-of-service (DDoS) or unsuccessful wiper attacks and an unconfirmed manipulation of Border Gateway Protocol (BGP) routing. Our assessment is that the best of Russia’s cyber capability was focused elsewhere, likely in espionage activities trying to understand the global response to Russia’s invasion. Regardless of the reason, there were no major cyber incidents against Ukraine in the days leading up to the invasion.

Once the invasion began, things moved very quickly. The amount of information to be processed about what was happening in Ukraine exploded. Talos would like to thank the over 500 Cisco employees from a variety of backgrounds and with many different skillsets who have joined a space dedicated to sharing open-source intelligence about Ukraine to ensure that the intelligence team didn’t miss anything.

Early on, we deployed Secure Endpoint in some new environments under a demo license that was set to expire. When we went to the business to extend it, the decision was made to extend all security licenses for all Cisco customers in Ukraine. During this chaotic period, no customer would lose protection because they were dealing with more important matters than license renewals.

Defending Critical Networks

Additionally, we extended a new offer to critical organizations in Ukraine: Talos would monitor their Secure Endpoint configurations, modify them based on our intelligence and aggressively hunt in their environments for threats at no cost. For each organization that accepted this offer, we assigned a set of engineers to manage the protections and configurations and two hunters from Talos to work with that specific data set.

One of our frequent recommendations to mature organizations is to have an intelligence operation that drives material protections into their defensive tools. Here is an example of why we make this recommendation: In reviewing several pieces of malware, we found multiple command and control (C2) servers in a certain network. Typically, we would block those IPs and move on. But within the context of a nation under an existential threat, for Secure Endpoint installations we control we blocked the entire network so that if additional C2s opened, they were already blocked. This isn’t appropriate globally – we have no idea what the connectivity needs are for all our customers – but when tasked only with making decisions for Ukranian critical infrastructure, it’s an easy call.

Another example is the case of HermeticWiper. As part of its activity, the malware drops one of several drivers to support its wiper actions. In Ukraine, for networks we’re actively protecting, we chose to block all of these drivers. Again, globally, we can’t do that – some of our customers may well be using the software that those drivers were stolen from. But when we are looking only from Ukraine’s perspective, we can check the network quickly to confirm those hashes aren’t in use and block them.

In both cases, we are building our defense in depth. Ideally, we block HermeticWiper or a variant when it drops – but if we don’t, then the drivers are blocked. Hopefully, we block any trojan that uses the network we described above when it is dropped by a loader, but if we don’t, then the C2 communications themselves will be blocked. We are always looking for ways to layer defenses so if the adversary out-maneuvers us in one area, we have protections waiting for them.

So far, this activity has been successful in protecting our customers, including blocking what we assess to be wiper attacks very early in the attack chain. The work of our intelligence group – and let me be clear that this includes our cooperation with organizations and individuals outside of Cisco – has allowed us to have insight into several different attack chains. While we can’t publish this information because of information-sharing restrictions (mainly to protect operational security), we can leverage that information in specific networks, blocking certain things or writing advanced content signatures that look for certain patterns. This intelligence work has led directly to successful defense in Ukraine. For that, we thank all the unnamed partners – corporations and individuals – who have quietly worked with us.

Guidance for Customers

Now is not the time to tell every story, but we shared these examples because of the risk that this conflict will extend beyond the borders of Ukraine. Organizations globally should look at their intelligence teams and work to ensure they are directly driving the defensive posture of the organization. Organizations should consider how their tolerance for false positives has changed given the current threat environment and allow their teams to move more aggressively if possible.

The world right now is more dangerous than it has been in decades, and organizations need to be creative in how they restructure their defenses. We often say that in the end, humans are the most critical part of your defense. This is the kind of threat we have in mind when we make that statement.

Source: cisco.com

Continue reading

How Diverse Experience and Simplicity Drive Innovation

I’ve found that there are many ways to innovate. In my current role in Cisco’s Customer Partner Experience Chief Technology Office, I generate and collect insights that shape our strategy, interface with our teams around the globe and mentor innovators from ideation to iteration to execution. In my 40 years of experience in networking and related fields, including 22 years at Cisco and 17 years as a Distinguished Engineer, I’ve seen innovation work best through the following general process:

1. First, you’ve got to Think of an idea.

2. Then, you need to make that idea real: Create a prototype.

3. Your idea has to have some Value that others want. Now, this value can either be a standalone invention or something that is innovative but part of a bigger system.

4. A natural next step after thinking about your idea’s value is whether it will sell in the marketplace. I’ve put value in the 3rd spot, but it could equally be after the thinking step. But you need to be careful not to stifle your creativity by fixating too much on whether your idea will sell, lest you get so distracted you lose your innovation-mojo (Innomojo).

5. The ultimate aim of innovation is to create better outcomes for people, so once you have your gizmo, hopefully you have created something that people will want/Use.

Figure 1: There’s More To Thinking

In this blog, I’ll go into more detail into the “Think” step (Figure 2). Thinking requires some knowledge of the subject, a bit of know how or practical experience in making similar items — those nuances learnt over time of what and what not to do — and, of course, imagination! (I, for one, think you need a lot of this last ingredient).

Figure 2: There’s More To Thinking

How Diverse Experience Leads to Minimal Bias

Now sometimes you can have too much knowledge or overthink things to the point where your biases and preconceived notions of what to create start to kick in, which may be more of a hindrance. You start to go down the path of pessimism, saying things like, “This is why we shouldn’t,” or “This is why it can’t be done,” or “It’s too hard” and so on. You then need to introduce diverse experiences and opinions into the innovation process to give you a more balanced approach.

Diversity comes in many forms: gender, race, age, skills, experience level (such as novice to expert), location, culture, and so on. By seeking different points of view for an idea, you are more likely to end up with a more solid innovation proposal.

Figure 3 shows an example of what can happen when you have minimal bias and experience. Back in the mid-1980s a young student by the name of Rob Newman at the University of Western Australia came up with a new way of providing high speed connections across an urban city area (referred to as a Metropolitan Area Network). Ethernet in those days was still confined to the local area — i.e., buildings and floors — so there needed to be a way to connect those buildings across a cityscape. His invention, which was called QPSX, went on to become the global Metropolitan Area Network standard called IEEE 802.6.

The interesting part to this story was that Rob had no practical experience in running WAN/LAN networks, only theoretical experience, and had no preconceived ideas!

Figure 3: An Example Of No Bias

A great example (Figure 4) of how innovation can come from viewing at a problem through a different lens is how what3words.com made GPS coordinates easier to use and remember. By statically assigning every 3 sq meters on earth with a unique combination of three words, you can now find, share and navigate to precise locations using three simple words. For example it is possible to enter a phrase like “warns.booed.snoring”  to describe your location instead of making you deal with confusing number co-ordinates like 250 20‘22.3.

Figure 4: what3words are you?

The Power of Simplicity

Not all innovation needs to be complex. Some of the best ideas might come from complex minds, but they still can be simple in nature. In some cases, to execute a simple idea is usually complex behind the scenes, but from the layman’s point of view, they seem straightforward. Take, for instance, the flush system in a toilet. Simple? Sure, but wait until you have to replace a washer!

An example of a patent that was simple, novel, and at the time, not obvious is one that was thought up by two of the top inventors at Cisco, Pascal Thubert and Eric Levy-Abegnoli, when they were at IBM 20+ years ago. It was called CAPTCHA; Implementing a robot-proof website.

You most certainly have come across the “I am not a robot” box on websites. This is the essence of CAPTCHA. It’s a simple, yet ingenious invention. As simple as it may be, has protected websites from malicious actors for many years now.

Figure 5: CAPTCHA A Robot Proof Website

To Innovate, Embrace Diversity and Simplicity

The process of thinking up the next new big idea can be daunting, but you can help the process along by employing diverse and even seemingly irrelevant perspectives and backgrounds. Part of the art of innovation is being able to view the same problem, mechanism, or process through a different lens — or, thinking outside of the box, if you will. The quote below from Dr. Szent-Györgyi remains relevant for eternity.

“Innovation is seeing what everybody has seen and thinking what nobody has thought.”

Combining such cognitive diversity with the drive to make using an invention as simple as possible can result in innovation magic.

Source: cisco.com

Continue reading

Cyber Asset Attack Surface Management with Cisco Secure Cloud Insights: Beyond CSPM

In today’s digital-first world having enterprise grade information, services, and workloads in the cloud is becoming increasingly important for success. Nonetheless the lack of asset visibility that haunted private networks has not disappeared in the cloud era; it has been transferred, or some may say even aggravated.

In its Hype Cycle for Security Operations, Gartner has defined Cyber Assets Attack Surface Management (CAASM) as “an emerging technology focused on enabling security teams to solve persistent asset visibility and vulnerability challenges”. This tackles our lack of visibility concerns. However, it extended CAASM’s definition to include “enables organizations to see all assets (both internal and external) through API integrations with existing tools, query against the consolidated data, identify the scope of vulnerabilities and gaps in security controls, and remediate issues.”  This highlights the fact that while there is no lack of data, processing and assessing remains challenging due to silos. This is where Secure Cloud Insights (SCI) steps in.

Secure Cloud Insights (SCI) is a technology that delivers multiple CAASM’s benefits:

◉ Ease of provisioning: Native API integrations make provisioning and deploying SCI a simple task. A wide range of integration types are supported such as cloud providers, vulnerability assessment tools, code repositories, identity sources, endpoint solutions, workflow

◉ Cyber asset visibility and classifications: Numerous pre-defined integrations feeds SCI with diverse assets and asset types and their associated “state” or “configuration” that defer from one integration to the other. The graph database and the classification engine play a big role in grouping assets by their class and type. For example a data store class contains asset types such as an S3 bucket, EFS, google storage bucket, etc.

Mapping asset relationships: SCI maps asset based on their relationships as shown below: A security group ‘Allows’ access to the internet and ‘Protects’ an EC2 instance (Figure 1).

Figure 1

This Instance ‘Uses’ a specific role (Figure 2)

Figure 2

This role is ‘Assigned’ a policy that ‘Allows’ full control to an S3 bucket(Figure 3)

Figure 3

This graph not only reveals the connected asset types with various relationships but also expands to disclosing the risk of having the publicly accessible instance compromised, which leads to the exposure of data in the private S3 bucket to leakage or destruction.

◉ Flexible asset querying: SCI’s simple query language and relationship graph database structure make it easy to query the data to answer questions that are the bread-and-butter of security teams, such as:

    ◉ Which hosts are vulnerable in my environment?

    ◉ Who has not completed the required security training?

    ◉ Are my data stores encrypted at rest?

    ◉ …

◉ Expansive Question Library: The querying language is expanded in SCI with a built-in library of more than 650 security questions that makes it easier to answer challenging enquiries with simple spoken language without having to learn the technicalities of the underlining querying language.

◉ Compliance reporting and configuration drifts detections: SCI supports pre-built security compliance frameworks including SOC2, HIPAA, FedRAMP, CIS benchmarks etc. SCI simplifies configuration drift detection with always-on compliance and gap analysis that does not wait for auditors to knock asking for reports. Moreover, SCI eliminates another layer of time-consuming processes by removing the need to contact system owners for evidence collection by automating it where applicable.

Secure Cloud Insights ticks all the boxes for a CAASM solution and goes beyond by offering simplicity and flexibility in operation with built-in customizable question library and reporting features that focus on security gaps and compliance drifts.

In fact, every feature is built on top of graph relationship database and the simple querying language that makes any piece of data accessible and visible with a simple modification of the query as per the user needs. SCI emerges from the realm of CAASM and CSPM by turning into a framework that answers security team challenges around visibility, compliance, threat risk, incident impact investigation, threat blast-radius and many others with simple few clicks.

Source: cisco.com

Continue reading