As recently announced, Cisco AnyConnect 4.2 extends visibility to the endpoint with the Network Visibility Module (NVM). Users are one of the most vulnerable parts of any security strategy, with 78% of organizations saying in a recent survey that a malicious or negligent employee had been the cause of a breach. However, until now, IT Administrators had been blind to user behavior on their devices. NVM allows you to monitor and analyze this rich data to help you defend against potential security threats like data exfiltration and shadow IT, as well as address network operations challenges like application capacity planning and troubleshooting.
AnyConnect NVM supports the Cisco Network Visibility Flow protocol or nvzFlow for short
(pronounced: en-vizzy-flow). The protocol is designed to provide greater network visibility of endpoints in a lightweight manner by extending standard IPFIX with a small set of high-value endpoint context data. Leading IPFIX vendors have begun implementing the new protocol to provide customers with an unprecedented level of visibility.
You can lock every window and bolt every door to keep out intruders, but it won’t be of much use if the attacker is already inside; if the attacker is an insider. Most security reports and headlines highlight stories of organizations that are attacked by an external party, but incident statistics highlight a growing number of attacks from insiders and partners. These incidents are real, and threaten your most sensitive information. How do you know when an insider is exfiltrating data from your organization? Cisco Managed Threat Defense (MTD) monitors for advanced network security intrusions using expert staff and OpenSOC, which Pablo Salazar introduced last month. Our staff has a decade of experience investigating security attacks and resolving benign anomalies. In my twelve years as an InfoSec professional, I’ve seen cases where employees conceal their activity for a variety of reasons. In one particularly interesting incident, it was discovered an employee was encrypting and obfuscating outbound traffic from his laptop over a period of several weeks, using for-purchase VPN software called Private Internet Access.
Banner image for Private Internet Access, which was used by the employee on the corporate network.
The ELK stack is a set of analytics tools. Its initials represent Elasticsearch, Logstash and Kibana. Elasticsearch is a flexible and powerful open source, distributed, real-time search and analytics engine. Logstash is a tool for receiving, processing and outputting logs, like system logs, webserver logs, error logs, application logs and many more. Kibana is an open source (Apache-licensed), browser-based analytics and search dashboard for Elasticsearch.
ELK is a very open source, useful and efficient analytics platform, and we wanted to use it to consume flow analytics from a network. The reason we chose to go with ELK is that it can efficiently handle lots of data and it is open source and highly customizable for the user’s needs. The flows were exported by various hardware and virtual infrastructure devices in NetFlow v5 format. Then Logstash was responsible for processing and storing them in Elasticsearch. Kibana, in turn, was responsible for reporting on the data. Given that there were no complete guides on how to use NetFlow with ELK, below we present a step-by-step guide on how to set up ELK from scratch and enabled it to consume and display NetFlow v5 information. Readers should note that ELK includes more tools, like Shield and Marvel, that are used for security and Elasticsearch monitoring, but their use falls outside the scope of this guide.
In our setup, we used
For our example purposes, we only deployed one node responsible for collecting and indexing data. We did not use multiple nodes in our Elasticsearch cluster. We used a single-node cluster. Experienced users could leverage Kibana to consume data from multiple Elasticsearch nodes. Elasticsearch, Logstash and Kibana were all running in our Ubuntu 14.04 server with IP address 10.0.1.33. For more information on clusters, nodes and shard refer to the Elasticsearch guide.
One of the best times I always have at Cisco Live involves getting to play ‘TV Anchor’ for the various live shows we stream. Well the Cisco TV team lets us use their equipment to do a live version of TechWiseTV each afternoon as well. Now honestly, I do plan these out…a little. But our day three show is generally a ‘hey…what do we WANT to do” kind of show. Planning for day 3 simply involved asking Jimmy Ray and Tina what they wanted. We had TWO wireless cameras this year to play with so it felt like we could do a little more. As for me (with input from the hillbilly of course), we wanted to take advantage of Wireless Stew’s presence and get him up to tell his story…so that is how we started.
Stewart Gouman’s is a fantastic fan of the show, running his wireless consultancy and very informative blog from the Great White North. He has sought us out in just a few visits over the years stopping by the studio in San Jose or catching us while at Cisco Live when we all end up in the same place. Watch the show and get his career and community advice.
Founded in 2007, RetailMeNot.com is the largest digital coupon site in the US. They help hundreds of thousands of customers save money when shopping online. They are headquartered in Austin Texas, in the hip “Live Music Capital of the World”. Since the company went public in 2013, the company has doubled the number of employees from 250 to over 500.
In previous blogs, I have covered what is AVC, SuccessEHS and how Plixer’s Scrutinizer accepts Netflow, sFlow and IPFIX exports. This post will cover how these key products are combined by RetailMeNot in their WLAN deployments to optimize and support this fast growing company.
Recently Michael Patterson, the Founder and Product Manager at Plixer, Matthew St. Jean the Marketing Manager at Plixer and I had an opportunity to talk to Tim Tyndall, the Lead Network Engineer at RetailMeNot. Tim shared with us the highlights of the wireless LAN deployment and explained how they use Cisco Application Visibility and Control and Plixer’s Scrutinizer to stay in control of how their WLAN is being utilized.
Tim described the environment and culture that has become a huge part of the company’s success. RetailMeNot provides hip new offices for its employees with open work spaces and other awesome perks.
The Cisco powered wireless network supports this initiative. In fact, nearly all network connectivity is wireless. He said that employees are issued a laptop by the company and many carry in their own smartphones and tablets as well; Most of those devices being from Apple.
Employees can roam freely with reliable service that spans the company’s five floors. Even during large meetings where access density increases dramatically, service continues without any interruptions and the performance metrics they can obtain using NetFlow is exceptional and reinforce that the traffic is optimized. Read More »