Friday, 4 January 2019

Hybrid Chat for Cisco Journey Solutions


Cisco Customer Care, now Cisco Customer Journey Solutions (CJS), is by definition the best architecture to ride and support the current highest priority in large enterprises – Customer Experience sales innovation, the #1 priority for 71% of the business leaders (2017 Global CX Benchmarking Report).  CJS, very often considered a cost center in the past, is now seen by enterprises as a driver of revenue, able to increase customer loyalty, retention rate, and important financial metrics such as the Annual Renewal Rate (ARR).

Today, 65% of customers prefer Chats versus traditional voice calls to customer care (BT Global services-Cisco-Davies Hickman Partners 2017). Thus, to consider these changes of users habit, a modern CJS has to offer a selection of contact methods, called Omnichannel, and at the same time offer the possibility to move seamlessly between interaction channels bringing the context along.

Conversational self service powered by artificial intelligence


Customers also expect a near instant response time and quick resolution of their needs – both being key business metrics proven to drive customer retention and loyalty. One third of the time it needs two or more interactions to resolve the issue, causing customer dissatisfaction and 40% of them eventually leaving to find a new provider (ICMI, 451 Research). This business ask is setting another mandatory need for a modern CJS: it has to offer Conversational Self Service solutions powered by Artificial Intelligence that are efficient, productive and cost effective.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material
The four major business needs addressed by the “Hybrid Chat, Artificial Intelligence solution for Cisco CCE/CCX/HCS”

The next picture describes the architecture of the solution developed by Bucher & Suter and Expertflow, a Cisco Ecosystem partner. The architecture is constituted of several building blocks able to interact, dialogue, and orchestrate through OPEN API’s to allow easy customization of the end customer solution:

◈ DIGITAL TOOLS (any sort of present and future type of CHAT tools used by end users)
◈ ARTIFICIAL INTELLIGENCE services and vendors
◈ Cisco CJS architecture: CCX, CCE, PCCE, HCS and CJP
◈ A CONVERSATIONAL ENGINE developed by the ECOSYSTEM partner, being the broker, the orchestrator between digital tools, CJS APIs, AI vendors and NLP services, and offering the integration of both end users and agents front ends.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material

Let’s see the way it works, beginning with a description of its hybrid approach

When implementing a chat bot in a digital CJS you always need a hand-off strategy for all those cases where the BOT isn’t confident enough to answer and thus needs a human agent. This means that in a standard solution a chat is always managed either by a BOT or by an agent, which very often results in very low productivity of the CJS, especially if the chat bot is not powered with AI.

The solution presented in this article features a different innovative approach where the agent, the BOT, and the user are always engaged in a Continuous Chat Conference, and the agent can monitor multiple chats and leverage the BOT during the entire conversation, thereby reducing the workload and response time. After a hand-off to an agent, the BOT remains in the conversation and works as an agent assistant so upon every customer utterance query, the Hybrid Chat presents the most appropriate answers identified by the BOT to the agent.

A colored icon signals the agent which chats demand an intervention (RED), the conversations where the BOT can run independently (GREEN), and those where the BOT has multiple options (including a “strike probability view”) but it is not 100% sure so best would be having the agent picking the right one or overwriting (YELLOW). The agent can let the BOT auto-answer with the highest-scoring answer, intervene and select one among those that the BOT suggests, or even draft a new response to the customer.

A timer displayed with a colored circle around the chat icons indicates timeouts upon which certain configurable actions are taken.

The BOT uses a model created with Machine Learning powered by Google Dialogflow to answers chats, but the solution is quite innovative also because the messages tagged and validated by the agents can be used as new training data to the BOT in order to improve future recognition rates (Natural Language Understanding) and answers (Dialogue Engine).

The chatbot is constantly learning through conversations from person-to-person (clients and agents) making the whole solution self-tuning on the job, where the performances of the BOT are continuously improving in a specific contest further reducing engagement of the agents and therefore raising productivity and lowering costs. The interplay between customer, agents, and the BOT also reduces the response time, increasing the quality of the service delivered and enabling higher customer satisfaction and loyalty.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material

Let’s now analyze the way this solution interacts and integrates with a Cisco CCX/CCE or HCS CJS.

Cisco Tutorial and Material, Cisco Guides, Cisco Learning, Cisco Study Material

edia (SMS is slower than FB Chat). Based on such analysis, it assigns multiple chats in parallel to agents interacting with Cisco CJS through Open APIs (CTI and UQ API), ensuring that each agent has the same work volume. If an agent is fully charged, the Conversational engine makes a new synchronous media routing request to the CJS to reserve the next full-time agent. Conversely, if a chat session requires a full-time collaboration session (escalation to audio and/or video and screen sharing), all other ongoing chats are given back to the general chat pool and distributed to other agents and that agent is reserved for the full-time session.

The solution presented in this article is showing the incredible potential of combining together the Cisco architectures with Google artificial intelligence to design custom solutions targeting the modern business needs of large, medium, and small enterprises: Customer Experience, customer loyalty, customer retention, increased renewal revenue, decreased costs.

Wednesday, 2 January 2019

Cognitive Intelligence: Empowering Security Analysts, Defeating Polymorphic Malware

In psychology, the term “cognition” refers to a human function that is involved in gaining knowledge and intelligence. It helps describe how people process information and how the treatment of this information may lead to various decisions and actions. Individuals use cognition every day. Examples as simple as the formation of concepts, reasoning through logic, making judgments, problem-solving, and achieving goals all fall under the purview of this term.

In cybersecurity, applying the principles of cognition helps us turn individual observed threat events into actionable alerts full of rich investigative detail. This process improves over time through continuous learning. The goal is to boost discovery of novel or morphing threats and streamlining of the cybersecurity incident response. The work of the security operations teams can be vastly optimized by delivering prioritized actionable alerts with rich investigative context.

Enhancing Incident Response


Let’s take a moment to think of the tasks that a security team performs on a day-to-day basis:

◈ Looking through ever-increasing numbers of suspicious events coming from a myriad of security tools.
◈ Conducting initial assessments to determine whether each particular anomaly requires more investigation time or should be ignored.
◈ Triaging and assigning priorities.

All of these actions are based on the processes, technology, and knowledge of any particular security team. This initial decision-making process by itself is crucial. If a mistake is made, a valid security event could be ignored. Or, too much time could be spent to investigate what ends up being a false positive. These challenges, coupled with the limited resources that organizations typically have, as well as complexities associated with attack attribution, may be daunting.

That’s why security teams should embrace automation. At Cisco, we’re committed to helping organizations step up their game through the use of our Cognitive Intelligence. This technology allows correlating telemetry from various sources (Cisco and 3rdparty web proxy logs, Netflow telemetry, SHA256 hash values and file behaviors from AMP and Threat Grid) to produce accurate context-rich threat knowledge specific to a particular organization. This data, combined with the Global Risk Map of domains on the Internet, allows organizations to confidently identify variants of memory-resident malware, polymorphic malware with diversified binaries, and in general any innovative malware, that attempts to avoid detection by an in-line blocking engine.

As a result of automation like this, less time needs to be spent on detailed threat investigations to confirm the presence of a breach, identify the scope and begin triage. And that will in turn dramatically help mitigate the shortage of skilled security personnel by increasing the effectiveness of each analyst.

Cisco Tutorial and Material, Cisco Certification, Cisco Learning, Cisco Study Materials, Cisco Malware, Cisco Security
Example of a Confirmed Threat Campaign

In a sense, Cognitive Intelligence algorithms mimic the threat hunting process for observed suspicious events. It identifies combinations of features that are indicative of malware activity, in a similar fashion that an incident responder would do, starting with relatively strong indicators from one dataset and pivoting through the other datasets at its disposal. The pivot point may lead to more evidence, such as behavioral anomalies that help reinforce the infection hypothesis. Alternatively, the breach presumption may fade away and can either be terminated very quickly or re-started when new data becomes available. These algorithms are similar to incident response playbooks used by Cisco CSIRT and other incident response teams, but operate on a much larger scale.

What’s New in 2018: Probabilistic Threat Propagation


One of the example algorithms that we call Probabilistic Threat Propagation (PTP) is designed to scale up the number of retrospectively convicted malware samples (threat actor weapon), as well as the number of malicious domains (threat actor infrastructure) across the Cisco AMP, Threat Grid, and Cognitive knowledge bases.

Cisco Tutorial and Material, Cisco Certification, Cisco Learning, Cisco Study Materials, Cisco Malware, Cisco Security
Probabilistic Threat Propagation in a Nutshell

PTP algorithm monitors network communications from individual hashes to hosts on the Internet and constructs a graph based on the observed connections. The goal is to accurately identify polymorphic malware families and yet unknown malicious domains, based on the partial knowledge of some of the already convicted hashes and domains. The key here is that malware authors often reuse the same command-and-control (C2) infrastructure. Hence the C2 domains often remain the same across polymorphic malware variants. At the same time, these domains are usually not accessed for benign purposes.

For example, if an unknown file connects to a confirmed malicious domain, there’s a certain probability that this sample is malicious. Likewise, if a malicious file establishes a connection to an unknown domain, there’s a probability for this domain to be harmful. To confirm such assumptions, Cisco leverages statistical data surrounding the domain to determine how frequently it’s accessed, by which files and so on.

Cisco Tutorial and Material, Cisco Certification, Cisco Learning, Cisco Study Materials, Cisco Malware, Cisco Security
Graph built by Probabilistic Threat Propagation Algorithm

The capability that we have introduced helps security analysts track and detect new versions of malware, including polymorphic and memory-resident malware, given the fact that C2 infrastructure remains intact. Similarly, this method is capable of tracking migrations of attacker’s C2 infrastructure, given the knowledge of malicious binaries which belong to the same malicious family. Cognitive Intelligence helps leverage specific telemetry from a stack of security products (file hashes from AMP, file behaviours from Threat Grid, anomalous traffic statistics and threat campaigns from Cognitive). That allows Cisco to model threat actor behaviors across both the endpoint and the network to be able to better protect its customers.

Probabilistic Threat Propagation algorithm also provides additional sensitivity to file-less malware (that doesn’t have file footprint on the disk of the system) and process injections. Such infections can be detected when a legitimate process or a business application starts communicating with domains associated with C2 infrastructure, that other malicious binaries predominantly contacted.

The beauty of this capability is that it runs offline in the Cisco cloud infrastructure, and therefore does not require any additional computational resources from customers’ endpoints or infrastructure. It simply works to provide better protection and the increased count of retrospective detections for novel variants of known malware.

Measuring Results


This blog entry wouldn’t be complete if we didn’t speak about the initial results, that just this single algorithm delivers. From a single malicious binary, Probabilistic Threat Propagation algorithm is able to identify tens if not hundreds of additional binaries that are a part of the same threat family and that also get convicted as a part of this analysis. Similarly, with this new mechanism of tackling polymorphism, we will generally be able to identify tens of additional infected hosts affected by a polymorphic variant of a particular threat. That is especially rewarding when it comes to measuring the positive impact on Cisco customers.

Cisco Tutorial and Material, Cisco Certification, Cisco Learning, Cisco Study Materials, Cisco Malware, Cisco Security
Scaling threat detection efficacy with Probabilistic Threat Propagation

Cisco AMP for Endpoints and other AMP-enabled integrations (AMP for Email Security, AMP for WSA, AMP for Networks, AMP for Umbrella) leverage AMP cloud intelligence to provide improved threat detection capabilities boosted by the PTP algorithm.

Sunday, 30 December 2018

A Hybrid Cloud Solution to Improve Service Provider Revenue

Media and Telecom service providers serve millions of customers, and it is a challenge to monitor and assure that customers have a satisfactory experience with the services. Service providers incur high operation costs through customer support and truck rolls. Reactive customer support often causes customer dissatisfaction resulting in churn and revenue loss. Large volume and variety of data (network, CPE, billing, customer issues etc.) is maintained across multiple systems but is underutilized to add value to business. Different business units work in silos and non-availability of integrated customer profile leads to half-matured marketing efforts, unsatisfactory customer experience and loss of business opportunities. Common roadblocks for business improvement include:

◈ Lack of consolidated data & accurate insights
◈ Extended cycle time to process data and delay in access to insights
◈ Dependency on legacy systems to process data

Cisco Study Materials, Cisco Tutorial and Material, Cisco Guides, Cisco Learning
Barriers to business improvement

A container-based, hybrid cloud solution


A container-based hybrid cloud analytics solution that will help service providers to understand their customers better. It will provide a unified view about end customers and help improve the services and grow their business.

Cisco Study Materials, Cisco Tutorial and Material, Cisco Guides, Cisco Learning
Inputs to gain customer insights

POC scope


Customer churn analysis and prediction

Aggregate data from different data sources (billing, customer support, service usage, CPE telemetry etc.), create an integrated view of customer data and analyze churn
Implement a simple churn prediction model using hybrid cloud service

Tools and services used

Cisco Container Platform for CI/CD and management of micro services
GCP Pub/Sub for data aggregation
GCP Datalab for data exploration
GCP Dataflow for stream and batch processing of data
GCP BigQuery for analysis and BigQuery ML for churn prediction

Solutions architecture

Cisco Study Materials, Cisco Tutorial and Material, Cisco Guides, Cisco Learning
Solution diagram

Model training and serving with Google Cloud Platform:

Cisco Study Materials, Cisco Tutorial and Material, Cisco Guides, Cisco Learning
Model Prediction Data Flow

Overview of steps involved to develop the POC


1. Preliminary analysis on data consolidated across all (US) regions is performed, for example, Customer Sentiment analysis. Once this data is ready with all the feature labeling, etc, Cisco Container Platform (CCP) and Google Cloud Platform (GCP) are leveraged for gaining meaningful insights about this data.

2. Service catalogue is installed on the master node of the CCP cluster. It will provision and bind service instances using registered service broker. Custom application will leverage these service bindings and enable true hybrid cloud use cases.

3. In the CCP platform, using the Pub/Sub application, Media telecom customer data gets posted to GCP Pub/Sub.

4. Once data gets published to GCP Pub/Sub topics from periodical batch program, published data object will be consumed through Cloud data flow Job

5. Cloud Dataflow allows user to create and run a job by choosing google predefined dynamic template Pub/Sub to big query dynamic templates which initialize pipeline implicitly to consume data from topics and ingest into appropriate Big Query data set configured while creating Dataflow.

6. Once Dataflow predefined template Job gets started, it begins consumption of data object from input topics which get ingested into BigQuery table dynamically as a pipeline. This table data is then explored using Datalab, and required data pre-processing steps — such as removing null values, scaling features, finding correlation among features, and so on — are performed (please see the Model prediction data flow diagram above). This data is then returned back to BigQuery for ML modeling.

7. ML model built using BigQuery will be used for prediction of Customer churn for subsequent data received.

8. This processed churn data is retrieved using service broker to CCP and later consumed by UI

Dashboard

1. From the Solution dashboard (see sample screen shot shown below) service providers can view the forecasted churn based on region, service, and reason. Customer reported issues, and the services currently being used by the customers can also be visualized.

2. Solution dashboard allows service providers to take quick action. For instance, improving the wireless service or 4K streaming service, thereby preventing customer churn.

Cisco Study Materials, Cisco Tutorial and Material, Cisco Guides, Cisco Learning
Customer Insights Dashboard

Solution Demo Video

Friday, 28 December 2018

Transforming Enterprise Applications with 25G Ethernet SMF

Bandwidth Drivers for 25G


Bandwidth requirements in today’s Enterprise networks are now being driven by dramatic increases in video conferencing by such systems as Cisco’s Telepresence and other real-time applications such as Augmented Reality, Mixed Reality and Virtual Reality. These are taxing the limits of traditional 10G infrastructure. Whether it’s IEEE802.1ax WiFi Access Points or direct wired equipment with copper/fiber ports that require 1G/2.5G/5G/10G backhaul interfaces, new enterprisenetworks are being built with high speed equipment that now requires 25G ethernet interfaces.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Figure 1. Cisco Telepresence and new applications demanding high bandwidth.

Cisco’s new SFP-10/25G-LR-S transceiver provides Single Mode Fiber (SMF) interfacing for Cisco’s newest platforms with 25G interfaces, including the new Catalyst 9500/9400/9300/9200’s, other new switches, new routers, and new servers / NICs (Network Interface Cards).

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Figure 2. Cisco’s SFP-10/25G-LR-S transceiver .

What is “LR”?


For SFP (Small form Factor Pluggable) transceiver technology “LR” stands for Long Reach that traditionally refers to a reach of 10km. The 25G SFP form factor, called SFP28 (28 Gb/s to account for encoding overhead) has been standardized and the LR specifications are available in IEEE P802.3cc™ – 2017 Amendment 11: Physical Layer and Management Parameters for Serial 25 Gb/s Ethernet Operation Over Single-Mode Fiber.

The 25G transceiver is similar to the 10G transceiver in that it uses a simple NRZ (Non-Return-to-Zero) modulation but it has higher bandwidth transmitter and receiver for 25G communication. It also includes a CDR (Clock Data Recovery) circuit to clean up the signals. The 25G transceiver also requires that the host ports support RS-FEC (Reed Solomon – Forward Error Correction), which is not required for 10G.

Cisco’s newest 25G products, including the Catalyst Enterprise switches 9500/9400/9300/9200’s, have advanced ASICs that implement RS-FEC for 25G communication so that transmission error rate can be improved from a BER (Bit Error Rate) of 5×10-5 to 1×10-12. A BER of 1×10-12 is traditionally considered to be “error free” and is associated with other ethernet rates where upper layer protocols can deal with infrequent transmission errors.

Inter-building and Intra-building applications for SFP-10/25G-LR


Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Figure 3. Inter-building and Intra-building applications for 25G.

25G-LR SMF transceivers are now being used for both inter-building and intra-building campus applications to provide high speed connectivity.

Inter-building applications: In large campus environments 25G is used to connect from the building’s distribution switches to a core switch(es) in another campus building. Because of the 25G-LR’s reach of 10km (~6.2 miles) the transceiver provides an excellent low-cost solution for relatively large campus environments such as hospitals, medical offices, college campuses, and business parks. The core switch typically connects to the service provider’s metro/core network with 40/100G links, but those links may also use 25G LR technology.

Intra-building applications: In many situations SMF is used (or has been used) to connect wiring closet switches for distribution. In these applications, network builders and architects go beyond the limits of the traditional 300m over OM3 (or 400m over OM4) MMF (Multi Mode Fiber) by using SMF for large spans found in mega shopping malls, huge airports, and large manufacturing buildings. Now with Cisco’s SFP-10/25G-LR, networks can communicate at 25G without changing the SMF fiber infrastructure.

Migration from 10G to 25G


The new SFP-10/25G-LR transceiver has dual-rate capability that enables interoperability with 10G-LR SMF transceivers. This allows the network to be incrementally upgraded at either the end of the fiber. For example, Figure 4 shows how a Catalyst distribution switch is replaced with a new switch equipped with a SFP-10/25G-LR, but still communicates with the legacy 10G Catalyst wiring closet switch using 10G. Then when the wiring closet switch is replaced with a new 25G Catalyst switch, it communicates with the distribution switch at 25G without changing the transceiver at the latter end.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Figure 4. Migration to 10G from 25G.

Interoperability with 40G and 100G


In some circumstances, the distribution switch (or far end switch) may only have QSFP interfaces. The new SFP-10/25G-LR it can interoperate with Cisco’s QSFP-100G-PSM-S transceiver or with Cisco’s QSFP-4X10G-LR-S transceiver via fiber breakout cables or cassettes, thereby connecting QSFP ports with SFP ports. 25G mode requires the use of RS-FEC (Forward Error Correction) on both hosts, which is available on Cisco 100G and 25G ports.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Figure 5. SFP-10/25G interoperates with 25G and 10G.

Wednesday, 26 December 2018

Cisco Complete Visual Network Index (VNI) Forecast and what it means for Service Providers in Asia Pacific

This quarter, I’m excited to announce we released our annual Cisco Complete Visual Network Index (VNI) Forecast, which covers global, regional, and country-level projections and trends associated with fixed and mobile networks. It’s a must-read for every Asia Pacific service provider seeking to optimize network investments and performance. The report is a treasure trove of insightful findings covering everything from devices/connections growth, Internet of Things (IoT) advances by industry verticals, IPv6 adoption, traffic growth by application (video, AR/VR, gaming, etc.), traffic patterns (peak vs. average), network transformation at the edge, cord cutting implications, a 5G mobile preview, Wi-Fi hotspots and broadband network performance to security issues.

Cisco Study Materials, Cisco Tutorial and Materials, Cisco Guides, Cisco Learning

But what does this mean for a service provider in the Asia Pacific region? We’ve distilled the latest VNI report data through this lens, and came up with four key regional trends for the next five years.

Trend 1: Adapt to shifts in device usage


Devices and connections are growing faster than the population and internet users. According to the latest Cisco Complete VNI Forecast, there will be an increase in devices and connections from 8.6 billion in 2017 to 13.1 billion in 2022. 86% of Asia Pacific IP traffic will be due to non-PC devices like smartphones and tablets. In comparison, PCs will account for 14% of Internet traffic in 2022, down from 45% in 2017. On top of that, video devices will have a multiplier effect on traffic. By 2022, nearly two-thirds (62%) of connected flat panel TVs will support 4K, and Ultra high-definition (UHD) IP video will account for 19% of Asia Pacific IP video traffic by 2022.

Cisco Study Materials, Cisco Tutorial and Materials, Cisco Guides, Cisco Learning

Due to the proliferation of smart mobile devices and connections, the surge in traffic will exert tremendous pressure on service providers to maintain an optimal user experience on their networks.  Moving forward, service providers will need to ensure their systems are ready to handle traffic growth and support new and emerging technologies. Failure to do so could have dire consequences.

Trend 2: A future-ready network is key to growth


The IoT is no longer a phenomenon and will shortly become mainstream as more people, processes, data and things connect to IoT. By 2022, M2M connections will be nearly half of total connections in Asia Pacific. Connected homes will represent the largest amount of M2M connections, and connected cars will experience the fastest growth.

Cisco Study Materials, Cisco Tutorial and Materials, Cisco Guides, Cisco Learning

With content providers moving towards IPv6 adoption and enablement in the Asia Pacific region, this will allow for more unique TCP/IP address identities to be created, enabling IoT connectivity. And service providers that are able to not only enable IoT connectivity, but also manage and secure IoT traffic, will be in a solid position to unlock more opportunities to drive new customer experiences, revenue streams and a competitive advantage.

Trend 3: Meet the increasing demand for video


Building on the “cord cutting” phenomenon, more families today are turning towards internet video, with cord-cutting households generating 141GB per month in 2017 as compared to 82 GB generated by an average household.

Not only that, we are seeing a trend in which the growth in digital television service that denotes television viewing across all digital platforms (cable, IPTV, satellite, etc.) is growing much more slowly relative to mobile video. Also, mobile video growth rates are even higher in emerging regions because these areas are bypassing fixed connectivity.

This will mean increase in internet traffic per user and average household. Average traffic per user per month will increase from 20GB in 2017 to 69 GB in 2022, as well as average traffic per household per month from 60GB in 2017 to 205GB in 2022. There’ll also be a huge opportunity for content delivery networks, which is set to deliver 72% of Internet traffic by 2022 globally.

Cisco Study Materials, Cisco Tutorial and Materials, Cisco Guides, Cisco Learning

Content is and will continue to be king. And with a bulk of mobile network traffic coming from video content over the next five years, the question is whether you’ll be able to meet this demand.

Trend 4: Make security a priority


The last several years have certainly been the most eventful from a security threat perspective, with breaches like WannaCry and NotPetya making headlines around the world.

Cisco Study Materials, Cisco Tutorial and Materials, Cisco Guides, Cisco Learning

Peak attack size increased 174% Y/Y. In fact, Distributed-Denial-of-Service (DDoS) attacks can represent up to 25% of a country’s total Internet traffic while they are occurring. Average DDoS attack size between 1-2 Gbps increased 37% Y/Y which is faster than Internet traffic at 33% Y/Y. Also, across industries, 864 total breaches were observed, and 34.2 million records were exposed, with an average of 39,554 records exposed per breach. And the bad news is that security threats are only going to accelerate as 5G networks become a reality.

Based on the latest projections, attacks will double to 14.5 million by 2022 globally. That said, cybersecurity can longer be treated as a mere IT issue, but a top business priority. In the coming years, users will be looking for service providers who can improve their organization’s security posture.

Wednesday, 19 December 2018

How Stealthwatch Cloud protects against the most critical Kubernetes vulnerability to-date, CVE-2018-1002105

The increasing popularity of traditional cloud computing technologies such as server-less, on-demand compute and containerized environments has made technologies like Kubernetes part of our daily vernacular as it relates to running our applications and workloads.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Kubernetes solves many of the problems with managing containers at-scale. Automation, orchestration, elasticity are a few of the major draws for organizations to leverage Kubernetes, either in the cloud, on premises, or hybrid. Kubernetes creates a network abstraction layer around the siloed containers that allows for this facilitation. Think of it as a wide open highway that allows you to route throughout the many containers that are actually performing your workloads.  From web servers to database servers, these containers are the flexible, scalable workhorses for an organization.

With great accessibility comes a drawback, however. Should an attacker gain access to a pod, a node or an internal Kubernetes service, then part or all of that cluster is at risk of compromise. Couple that with the fact that in many instances Docker containers are actually running scaled down Linux operating systems like CoreOS or Alpine Linux. Should one of those containers become exposed to the Internet (and many workloads require access to the Internet), you now have an exposed attack surface that expands along with the exposed workloads themselves.

Last week the most severe Kubernetes vulnerability discovered to-date was announced, CVE-2018-1002105. It scored a 9.8 out of a possible 10.0 on the CVSS severity score…which is unprecedented.  In a nutshell this vulnerability allows an attacker to send an unauthenticated API request to the Kubernetes API service. Despite being unauthenticated, the access request leaves a remaining TCP connection open for the API backend server. This connection then allows an attacker to exploit the connection to run commands that would grant them complete access to do anything they desire on the cluster.  Scary stuff!

This vulnerability underscores the fact that organizations need to have both the visibility to see such traffic and also the analytics to know if the traffic represents a risk or compromise. Suppose you unknowingly expose a group of Apache Kubernetes pods to the Internet to perform their intended web services and a new vulnerability is exploited on that pod, like Struts. The attacker would then have root access on the pod to perform recon, install necessary tools and pivot around the cluster. And, if they are aware of the API vulnerability, then it’s a walk in the park for them to take full control of your cluster in a matter of minutes.

Not a good day for an organization if – and more likely when – this occurs. Data theft, compute theft, skyrocketing bills….just to name a few, are immediate side effects to a takeover of this magnitude.  So how can Stealthwatch Cloud help in this scenario and similar potential exploits?

How Stealthwatch Cloud Protects Kubernetes Environments 


Stealthwatch Cloud deploys into a Kubernetes cluster via an agentless sensor that leverages Kubernetes itself to automatically deploy, expand and contract across a cluster. No user interaction is required. The solution deploys instantly to every node in a cluster and exposes every pod and the communication with those pods between internal nodes and clusters, as well as externally. This allows for an unprecedented level of visibility into everything a cluster is doing, from pods communicating to the internet to worker nodes communicating internally with the master node. We then add entity modeling which compares new behavior to previous behavior and machine learning based anomaly detection to alert on IOC’s throughout the Kill Chain to alert on over 60 indicators of suspicious activity across a cluster.

Cisco Study Materials, Cisco Guides, Cisco Learning, Cisco Tutorial and Material

Hypothetically speaking, if one of your Kubernetes clusters were compromised, Stealthwatch Cloud would send alerts in real-time on various aforementioned activities. The tool would alert on the initial pod reconnaissance, and on connection activity once the pod was exploited. If the attacker moved towards the API server, Stealthwatch Cloud would alert on internal reconnaissance, suspicious connections to the API server itself, further data staging, data exfiltration and a variety of other alerts that would indicate a change from known good behavior across every component of a Kubernetes cluster…all in an agentless, automated, scalable solution.

Sunday, 16 December 2018

Planning a Cloud Communications Migration: Navigating IT Priorities & LAN/WAN Management

In this post, we take on another common challenge in migrating business communications to the cloud – the increased demands on IP access connectivity – both from a technical and commercial perspective. From a technical standpoint, hosted voice and video communications are some of the most sensitive traffic to circuit quality and bandwidth limitations. From a commercial standpoint, IP access service contracts typically bring extended terms, multiple planning horizons, and a broad set of stakeholders and priorities.

The substance of this topic has led us to split the fourth installment of this series into three parts. These parts align to key steps common in IP access service procurement: 1) situation analysis; 2) requirements definition; and 3) options review and selection.

Part 1: Background and communications delivery model comparison
Part 2: Key methodologies for delivering service assurance
Part 3: Key elements in the “stack” of IP access service connectivity

Background and Communications Delivery Model Comparison


We start by looking at the breadth of challenges for IT managers and the CSPs when it comes to IP Access and WAN procurement. IT managers have a wide and growing list of priorities outside of communications. In fact, communications often sits at the bottom of the queue unless there is a problem that requires urgent attention. We see evidence of this through a review of the 2018 Tech Target Survey of IT Priorities which tracked the responses of more than 1,300 enterprise IT professionals.

The results of the survey (see figure 1 below) show an array of disparate priorities – from wireless networking and network automation to WAN optimization. Note that these priorities are tracked separately from “security,” which is covered in a separate survey question. Security cuts across all enterprise networking initiatives and typically sits at first or second overall. Back to the results shown in figure 1 – look at the position of UC applications and platforms. It actually rates at the bottom of the list at 14%. This is not surprising, especially as this equates roughly to the number of businesses at any one time that are in the midst of a communications networking project. This finding also suggests that most IT managers take a somewhat “reactive” stance to communications networking – which comes back to the entire point of this blog series – helping IT managers get ahead of communications issues by taking a more proactive and structured approach to their communications.

In addition, this survey result shows the number of competing priorities IT faces when the time comes to move communications to the cloud. They see 11 or more enterprise networking priorities, most of which are impact communications networking. Facing these obstacles, no wonder many businesses extend the operation of their PBXs five and 10 years beyond their planned end-of-life.

Cisco Certifications, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials, Cisco Live

Figure 1: Tech Target Top Enterprise Network Initiatives Survey Results for 2018

Add to this mix of priorities the available options for access IP. For IT managers evaluating connectivity, they still see a “mixed bag” of circuit types – various types of fiber, copper, and wireless services. Consider the April 2018 report from Vertical Systems Group that only 54.8% of US businesses even have access to fiber-based connectivity. Yes, this is an advance over 39.3% availability in the US in 2013. With most countries still near or below 50% fiber availability, it means that IT planners need to work with a variety of non-fiber based connectivity options. This should not halt cloud communications migrations. In fact, there are plenty of excellent non-fiber based options in the market today with new solutions on the horizon, including new 5G point-to-point technologies.

To help IT planners, we will do a round-up of common types of IP access connectivity suitable for supporting cloud communications. We will also look at service assurance mechanisms and CSP managed services typically delivered as part of network connectivity. We will outline how these mechanisms and managed services support QoS and can help IT managers move forward with confidence.

PBX-Based Communications


In a PBX-based communications architecture, the PBX or private branch exchange is typically located at the businesses site location. The PBX serves as a local registration point for communications devices and manages inbound and outbound communications traffic. The PBX together with the site’s access device enable businesses to separate their network architecture, both physically and from a management standpoint, into a “local area” and a “wide area.”

The local area network (LAN) is often managed by the business’s site IT team or can be outsourced to a 3rd party IT firm. The LAN typically serves applications that vary from business systems (ERP, CRM), security systems (entry/exit, surveillance), communications (voice, video, paging), and IT device management (printers, copiers).

If the business still operates a TDM PBX or analog lines, then the LAN may represent multiple local networks – one dedicated physical plant for voice traffic and a separate network for the broader set of IT applications.

For calls and communications that originate or terminate outside the business’s site, the calls need an outside connection. Businesses typically procure access connectivity from their communications service provider (CSP). For larger businesses that might need to manage site-to-site services, the business would procure wide area network (WAN) services from their CSP to provide PSTN access, internet access, and specialized connectivity (e.g., private lines) across sites.

As the PBX came to dominate the business communications landscape, the importance of this distinction between LAN and WAN grew. The interconnect point between the LAN and WAN became known as a “demarcation” point which represented the physical, logical, and contractual hand-off point between CSP-managed WAN traffic and IT-managed LAN traffic. In the case of PSTN services, the CSP provides voice “trunking” which might be sold a set of simultaneous call paths, minutes of use (MOU), and regulatory services such as 911.

Cisco Certifications, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials, Cisco Live

Figure 2. Common PBX deployment with Site 1 operating a TDM PBX and Site 2 an IP PBX

Cloud-Based Communications


In a cloud communications solution, PBX functionality such as device registration, call processing, and media mixing are moved into the cloud and delivered by the CSP. The preferred way to deliver cloud-based communications is through voice-over-IP protocols and requires an end-to-end IP connection between CSP systems and user endpoints, including handsets, soft clients, conference room video systems, and more. With the call processing moving to the cloud, the nature of the LAN to WAN boundary changes. Now, the CSP directly manages endpoints and services that sit within the customer’s LAN.

This seemingly subtle change in how cloud communications services are delivered creates a significant shake-up in telecom and communications services procurement – breaking the long-established demarcation point between CSP and IT department service responsibilities. Ideally, the CSP owns “end-to-end” responsibility for the service. In reality, the IT department owns some measure of responsibility given that LAN management is outside the control of the CSP.

This shake-up in responsibilities is compounded by the opportunities to consolidate more and more services and applications in the cloud and on IP networks. WAN links will carry a lot more traffic when ERP, CRM, HR, and other apps move to the cloud. And where a business might have procured a combination of IP access, TDM, and analog circuits for resilience and legacy application needs, businesses are increasingly able to procure a single, high-quality fiber-based IP connection that can handle all or most applications requirements. While more efficient and cost-effective, this “shared services” environment also sets the stage for more questions around CSP vs. IT responsibilities for issue-resolution, SLAs, and performance optimization.

To help CSPs and IT departments address these challenges, we return to the overall theme of this blog series – reducing migration risk, building a working partnership between CSP and IT departments, and taking a more staged and structured migration approach.

To these ends, one of the areas where CSPs and IT managers need to partner is in the assessment of access network connectivity options available for each site. A business’s preferred CSP for hosted voice services may not offer bundled access connectivity with service assurance at any or most of the sites targeted for migration. In some cases, the CSP may partner with 3rd party access connectivity providers who offer access solutions with service assurance options for communications traffic. In other cases, the only option will be to carry media traffic “over the top” (OTT) on unmanaged IP connectivity.

IT managers should understand the key characteristics of access network connectivity and how these characteristics impact communications application performance. These characteristics can be broken into two areas:

◈ Layer 1 and 2 connectivity type
◈ Network services to support access layer service quality

Cisco Certifications, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials, Cisco Live

Figure 3.  Common Hosted UC Deployment Supporting Services Across Site 1, Site 2, and Mobile Users