
Pros and Cons: Do-It-Yourself Approaches to Monitoring Shadow IT & Cloud Services

Shadow IT is estimated to be 20-40 percent beyond the traditional IT budget. The ease by which organizations can purchase apps and services from cloud service providers (CSP) contributes significantly to this spending. This is an eye-catching number worthy of investigation—not only to identify and reduce costs, but to discover business risks. So, it is no surprise that CIOs and CFOs have started projects to identify and monitor unknown CSPs.

I often get questions from customers asking if it is possible for IT to monitor cloud service usage and discover shadow IT using existing technologies, and what the pros and cons would be.

The first CSP monitoring approach I am asked about is the use of secure web gateways. A gateway captures and categorizes incoming web traffic and blocks malware. The benefit of this approach is that the gateways are typically already in place. However, there are several limitations to relying exclusively on it. Gateways cannot differentiate between a traditional website and a CSP that might be housing business data. They also have no way of discerning whether a given CSP poses a compliance or business risk. Most importantly, to use gateways to track CSPs, IT would need to create and maintain a database of thousands of CSPs and build a risk profile for each one in order to truly understand the specific service being consumed.

The second approach I get asked about is whether organizations can use NetFlow traffic to monitor CSPs. Many customers feel that they can build scripts in a short amount of time to capture usage. The simple answer is yes, this can be done. But organizations would face a challenge similar to the one with web gateways. To capture CSP traffic using NetFlow, IT would need to develop scripts to capture every CSP (numbering in the tens of thousands), then identify how each CSP is being used, the risk profile it poses to the organization, and how much it costs in order to project overall spend. This is just the beginning. An IT department would then need to build reporting capabilities to access the information, continually maintain the database, and apply resources to this undertaking on a monthly basis to ensure the database stays current.

The good news: Cisco has done this work for our customers! We have developed Cloud Consumption Services to help organizations identify and reduce shadow IT. Using collection tools in the network, we can discover what cloud services are being used by employees across an entire organization. Cloud Consumption includes a rich database of CSPs and can help customers identify the risk profile of each CSP being accessed, and identify an organization’s overall cloud spend.

Cisco has helped many IT organizations discover their shadow IT. For example, we worked with a large public sector customer in North America who was struggling to embrace the cloud because it was concerned about business risks. Employees were pushing for cloud services to improve productivity even though 90% of Internet traffic was blocked by the organization’s policy. Despite these restrictions, 220 cloud providers were already being used, and less than 1% of them were authorized by IT. Leveraging Cloud Consumption Services, the customer was not only able to manage risk, but also to authorize future cloud services based on employee needs in a controlled manner.

It is a good practice for every IT organization to understand how employees are using cloud services and to monitor usage on an ongoing basis. I encourage our customers to determine which approach would work best for their organization; otherwise they may face unknown business risks and costs.

To learn more about avoiding the pitfalls of shadow IT and how you manage cloud services, please register to attend an upcoming webinar on Dec 11, 2014 at 9:00 a.m. PT.


Step-by-Step Setup of ELK for NetFlow Analytics


Intro


The ELK stack is a set of analytics tools. Its initials represent Elasticsearch, Logstash and Kibana. Elasticsearch is a flexible and powerful open source, distributed, real-time search and analytics engine. Logstash is a tool for receiving, processing and outputting logs, like system logs, webserver logs, error logs, application logs and many more. Kibana is an open source (Apache-licensed), browser-based analytics and search dashboard for Elasticsearch.

ELK is an open source, useful and efficient analytics platform, and we wanted to use it to consume flow analytics from a network. We chose ELK because it can efficiently handle large volumes of data, it is open source, and it is highly customizable to the user’s needs. The flows were exported by various hardware and virtual infrastructure devices in NetFlow v5 format. Logstash was then responsible for processing them and storing them in Elasticsearch, and Kibana, in turn, was responsible for reporting on the data. Given that there were no complete guides on how to use NetFlow with ELK, below we present a step-by-step guide on how to set up ELK from scratch and enable it to consume and display NetFlow v5 information. Readers should note that ELK includes more tools, like Shield and Marvel, which are used for security and Elasticsearch monitoring, but their use falls outside the scope of this guide.

In our setup, we used:

  • Elasticsearch 1.3.4
  • Logstash 1.4.2
  • Kibana 3.1.1

For our example purposes, we deployed only one node, responsible for both collecting and indexing data; we did not use multiple nodes in our Elasticsearch cluster, so it was a single-node cluster. Experienced users could leverage Kibana to consume data from multiple Elasticsearch nodes. Elasticsearch, Logstash and Kibana were all running on our Ubuntu 14.04 server with IP address 10.0.1.33. For more information on clusters, nodes and shards, refer to the Elasticsearch guide.


Creating a More Secure Internet

Trust is a fundamental requirement for people to use the Internet with confidence, and Cisco continues to find opportunities to make the Internet even more secure.

I am happy to share that we are a founding sponsor of a new public benefit consortium called the Internet Security Research Group (ISRG). The goal of the ISRG is to advocate the use of SSL/TLS technologies by promoting the installation, use and maintenance of digital certificates for Internet services such as Web servers.

Digital certificates provide the anchor for secure communication, and more certificates enable more trusted network traffic. This initiative will significantly reduce the total surface area of exposure by preventing untrusted traffic from becoming bigger attacks.

Currently, deploying secure Internet services requires an intricate series of administrative steps. The ISRG is developing a set of open, standardized APIs for managing certificates and an initial Certificate Authority (CA) that implements these APIs. The vision is that all Internet services will seamlessly acquire and renew certificates during the normal server installation and maintenance processes. Over time, this frictionless approach should greatly expand the number of Internet services that are more rigorously secured.

The ISRG is launching with a diverse set of commercial and non-commercial sponsors. One of the reasons Cisco supports the ISRG approach is their commitment to the open community – its protocols and APIs will be open standards. The ISRG will develop them using a collaborative process, and as much of the software as possible will be open source. The CA it operates will make all records of issuance and revocation available for public inspection, for complete transparency.

Learn more about our involvement with the ISRG and how we collectively plan to support the ubiquitous use of encryption to keep our Internet safe.


Insights for Remote Mobility

November 21, 2014 at 10:37 am PST

Your mobile strategy needs to consider the user’s point of view and the highly dynamic nature of the mobile threat landscape. Weighing the threat risk includes evaluating the cost of insecure mobile devices.

User Point of View

The Cisco 2014 Connected World Technology Research tracked users’ outlooks on the evolving work environment. Being mobile and off premise with your device was well noted:

• Most believe a flexible, mobile and remote work model is competitive.
• Over 25% work for organizations that allow working from home (WFH).
• Over 50% consider themselves available 24 hours a day, 7 days a week.
• Most believe the most connected device for work will be the smartphone in 2020.

The trend toward mobile remote work environments cannot be disputed, but the mobile device threat vector expands to a broader range of access points. This puts your corporate resources at risk of being corrupted or stolen. Let’s consider the cost of an insecure mobile environment.


Endpoint Protection and Least Prevalence

Let’s face it, malware is everywhere now, and it’s here to stay. The statistics are staggering. According to the 2014 Cisco Annual Security Report, “100 percent of the business networks analyzed by Cisco had traffic going to websites that host malware” and 96 percent of the business networks analyzed had connections to known hijacked infrastructure or compromised sites. It’s a pretty scary reality for organizations and the security teams that are tasked with protecting these organizations from threats.

Not only is malware abundant and pervasive, but it comes in all shapes and sizes, including trojans, adware, worms, downloaders, droppers, ransomware, and polymorphic malware to name a few. Furthermore, it’s attacking us on all fronts, regardless of the device or operating system that we are using.
