Network security

Cisco Tool Opens Telemetry for Advanced Network and Security Analytics

Cisco is offering a new tool that it says democratizes access to key telemetry feeds, so that customers can feed analytics applications and enterprise network management systems more efficiently.

Telemetry metrics are generated from corporate resources, such as switches, routers, wireless infrastructure, and IoT systems, and used by business and technology applications to monitor trends and help IT respond to threats or react to changing network conditions.

As the use of monitoring and analysis applications increases, so does the need to collect rich, reliable telemetry data to power them.

Typically, telemetry information is dumped into a data lake or proprietary repository where its use is really limited, said TK Keanini, senior engineer in Cisco’s Security Platform & Response group. This may be acceptable if a company has a single analytics platform, but today’s customers have 20 or more systems competing for telemetry, Keanini said.

“Visibility also becomes an issue as security professionals have to work with a range of different and often proprietary protocols for their tools,” Keanini said. “Simply managing an organization’s telemetry is often a full-time job with complex spreadsheets handed over by multiple admins.”

Cisco Telemetry Broker, available now, is designed to address these issues by simplifying the consumption of telemetry data: it brokers data across hybrid cloud environments, filters out unnecessary data and transforms what remains into the customer’s preferred format, Keanini said. The idea is to put in place a telemetry infrastructure that works across corporate silos and is not tied to proprietary protocols or data formats, he said.

Cisco Telemetry Broker includes two pieces of software: a management node that runs on any industry-standard hypervisor, and a broker node that runs on the network, close to the resources from which customers wish to collect telemetry.

“If you manage hundreds or thousands of applications and devices that all send out some form of telemetry – syslog, NetFlow, SNMP, VPC flow logs, etc. – you just need to direct it to a Cisco Telemetry Broker node and you’re done. This is probably the last time you will ever need to touch this setup, because now all of those telemetry streams are becoming programmable,” Keanini said.

“On the other hand, if you are the manager of an analytics platform, whether SaaS or on premises, instead of having to ask several hundred exporters to send it to you, or worse, having to go begging another analytics platform for a copy of the data feed, you can just go to Cisco Telemetry Broker and specify the feeds and format you need,” Keanini said.
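To make the pipeline described above concrete (ingest several telemetry types, drop unwanted data at the broker, normalize, then fan each record out to whichever consumers asked for it in the format they asked for), here is a small in-memory broker in Python. It is an added illustration, not Cisco Telemetry Broker’s code: the syslog lines and VPC-style flow records are constructed, the hostnames, addresses and consumer names are hypothetical, and a real broker would receive these streams on UDP sockets and forward them over the network rather than pass Python lists around.

```python
"""Minimal telemetry broker: ingest, filter, normalize, fan out.

Added illustration, not Cisco Telemetry Broker code. All sample input is
constructed; hosts, addresses and consumer names are hypothetical.
"""
import json
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample feeds: two RFC 3164 syslog lines from a router and two
# AWS-VPC-style flow log records (version 2, space-separated fields).
SAMPLE_SYSLOG = [
    "<188>Jan  5 10:21:07 edge-rtr1 %SEC-4-INVALID_CREDENTIALS: user admin failed from 203.0.113.9",
    "<191>Jan  5 10:21:08 edge-rtr1 %SYS-7-DEBUG: keepalive ok",
]
SAMPLE_VPC_FLOW = [
    "2 123456789012 eni-0a1b2c3d 203.0.113.9 10.0.1.25 44312 22 6 3 180 1609841000 1609841060 REJECT OK",
    "2 123456789012 eni-0a1b2c3d 10.0.1.25 10.0.2.10 51000 443 6 12 2400 1609841000 1609841060 ACCEPT OK",
]

SYSLOG_RE = re.compile(r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (.*)$")


def parse_syslog(line: str) -> dict:
    """Parse an RFC 3164 line. PRI = facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable syslog line: {line!r}")
    pri = int(m.group(1))
    return {"type": "syslog", "facility": pri // 8, "severity": pri % 8,
            "timestamp": m.group(2), "host": m.group(3), "message": m.group(4)}


VPC_FIELDS = ["version", "account", "interface", "src", "dst", "srcport", "dstport",
              "protocol", "packets", "bytes", "start", "end", "action", "status"]
VPC_INT_FIELDS = ("version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end")


def parse_vpc_flow(line: str) -> dict:
    """Parse a version-2 VPC flow record into a dict with typed numeric fields."""
    parts = line.split()
    if len(parts) != len(VPC_FIELDS):
        raise ValueError(f"expected {len(VPC_FIELDS)} fields, got {len(parts)}: {line!r}")
    rec: dict = dict(zip(VPC_FIELDS, parts))
    for key in VPC_INT_FIELDS:
        rec[key] = int(rec[key])
    rec["type"] = "vpcflow"
    rec["host"] = rec["interface"]  # common key so consumers can filter uniformly
    return rec


PARSERS = {"syslog": parse_syslog, "vpcflow": parse_vpc_flow}


def to_json(rec: dict) -> str:
    return json.dumps(rec, sort_keys=True)


def to_kv(rec: dict) -> str:
    return " ".join(f"{k}={rec[k]}" for k in sorted(rec))


class TelemetryBroker:
    """Receives raw records, applies one ingest filter, then fans out per consumer."""

    def __init__(self, ingest_filter: Callable[[dict], bool]):
        self.ingest_filter = ingest_filter  # drops unneeded data before any fan-out
        self.consumers: Dict[str, Tuple[Callable[[dict], bool], Callable[[dict], str]]] = {}
        self.dropped = 0

    def subscribe(self, name: str, wants: Callable[[dict], bool], fmt: Callable[[dict], str]) -> None:
        """Each consumer states which records it wants and in which format."""
        self.consumers[name] = (wants, fmt)

    def route(self, raw: List[Tuple[str, str]]) -> Dict[str, List[str]]:
        out: Dict[str, List[str]] = {name: [] for name in self.consumers}
        for kind, line in raw:
            rec = PARSERS[kind](line)
            if not self.ingest_filter(rec):
                self.dropped += 1
                continue
            for name, (wants, fmt) in self.consumers.items():
                if wants(rec):
                    out[name].append(fmt(rec))
        return out


def demo() -> Tuple[TelemetryBroker, Dict[str, List[str]]]:
    # Ingest policy: syslog severity 7 (debug) is noise nobody pays to store.
    broker = TelemetryBroker(lambda r: not (r["type"] == "syslog" and r["severity"] == 7))
    # A SIEM wants warnings and worse plus rejected flows, as JSON.
    broker.subscribe("siem", lambda r: (r["type"] == "syslog" and r["severity"] <= 4)
                     or (r["type"] == "vpcflow" and r["action"] == "REJECT"), to_json)
    # A NetOps tool wants every flow record, as key=value text.
    broker.subscribe("netops", lambda r: r["type"] == "vpcflow", to_kv)
    raw = [("syslog", l) for l in SAMPLE_SYSLOG] + [("vpcflow", l) for l in SAMPLE_VPC_FLOW]
    return broker, broker.route(raw)


if __name__ == "__main__":
    b, routed = demo()
    print(f"dropped at ingest: {b.dropped}")
    for consumer, lines in routed.items():
        print(consumer, *lines, sep="\n  ")
```

The point to notice is that the exporters never learn who consumes their data: a new analytics platform is just another `subscribe` call with its own filter and formatter, and noise is discarded once at ingest instead of once per consumer.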

Telemetry management itself grows more complex as the network grows more complex, Keanini wrote in a recent blog post introducing the broker.

“The network is growing rapidly and the demands placed on security administrators to provide telemetry to tools are only increasing,” Keanini said. “Current telemetry and data management options can also become expensive as more sources are added to the network, forcing security teams to make tough budget choices.”

Keanini says the new broker has its roots in Lancope’s StealthWatch UDP Director, which used network telemetry to detect a wide range of security attacks and replicated UDP traffic to multiple destinations. It was introduced in 2006, and Cisco bought Lancope for $425 million in 2015.

The idea of an open and democratic telemetry broker is a positive development for users, analysts said, but there are concerns.

“Conceptually, it’s a good idea,” said Tom Nolle, president of consulting firm CIMI Corporation. “The question is whether something that is essentially a telemetry distributor is moving the ball enough to really simplify business monitoring and analysis. You still end up with the potential of disconnected monitoring applications running on unified sources; is it really better?”

“Overall, however, they don’t seem to be talking about unifying the analytics, only ensuring that telemetry sources can feed into multiple destinations, which means perpetuating separate analytics processes,” Nolle said. “For me, this dog doesn’t hunt for long.”


Copyright © 2021 IDG Communications, Inc.
