This might be a very existential question… a bit like Plato’s Allegory of the Cave. “How do I know what is reality?” Well, I have the answer for this: Cisco ThousandEyes can help with this! It might not be able to help distinguish between shadows on a wall and the real world behind it, but it can help with verifying your policy enforcement. In this blog post I will tell you all about it, and how to get started!
Now you might ask yourself, “why would you want to verify your policy enforcement?” Let me give you an example: Say you are an analyst in a Security Operations Center (SOC) and you are investigating a malware infection. You can see that the command-and-control server used by the adversary was internetbadguys[.]com. You probably want to know two things at that point: 1) why wasn’t this blocked in the first place? and 2) is this reachable from other devices in my organization? Well, to answer these questions we can actually use Cisco ThousandEyes!
Set up tests with ThousandEyes
ThousandEyes lets you leverage vantage points across the Internet, inside your corporate network, and on employee endpoints to set up tests. These vantage points, or sensors, can test reachability to destinations and troubleshoot network outages quickly. They provide path and route visualizations that highlight faulty interfaces and links in any network and get you to root cause faster.
We can also use these sensors to verify that certain policies are actually being enforced, such as the blocking of a specific domain. For this we use so-called HTTP instant tests. ThousandEyes supports both scheduled and instant tests; the Instant Test feature lets you troubleshoot a problem without waiting for the next scheduled run, or validate a new test’s configuration.
Below are two examples of automations with ThousandEyes that will make the life of the aforementioned hypothetical analyst a lot easier.
Umbrella and ThousandEyes
This Python script first blocks a domain (e.g. internetbadguys[.]com) in Cisco Umbrella. It then creates an HTTP instant endpoint test for selected sensors (you can query Group IDs for ease of use) to verify whether the domain is reachable. You can configure how often to rerun the test and the amount of time in between, because a policy may not be enforced immediately but only after two minutes or so; rerunning gives you visibility into this. The script then retrieves and parses the test results automatically. If the domain/URL is reachable, it sends a Webex Teams notification to warn that the policy is not enforced. Vice versa, if the domain/URL is not reachable, it sends a confirmation via Webex Teams that the policy is enforced.
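As an added example (not the blog’s own script), the core of that workflow: classify per-agent results of an HTTP instant test, rerun the test until the block is seen everywhere or the rerun budget is spent, and build the Webex message body. The result field names (`agentName`, `responseCode`, `errorType`), the `run_test` callable that wraps the ThousandEyes API call, and the sample results are assumptions constructed for this example.

```python
import time
from typing import Callable, Dict, List

def classify_agents(results: List[Dict]) -> Dict[str, List[str]]:
    """Split agent results into 'reachable' (policy NOT enforced) and 'blocked'.
    An agent counts as reachable only if it got an HTTP response; a DNS or
    connect error means the block is working for that agent."""
    reachable, blocked = [], []
    for r in results:  # assumed field names, modelled on typical test output
        name = r.get("agentName", str(r.get("agentId")))
        if r.get("errorType") in (None, "None") and r.get("responseCode"):
            reachable.append(name)
        else:
            blocked.append(name)
    return {"reachable": reachable, "blocked": blocked}

def verify_block(domain: str, run_test: Callable[[], List[Dict]],
                 reruns: int = 3, interval_s: float = 120) -> Dict:
    """Rerun the instant test until no agent can reach the domain or the
    rerun budget is used up (a policy may take minutes to propagate)."""
    verdict: Dict = {}
    for attempt in range(1, reruns + 1):
        verdict = classify_agents(run_test())  # run_test: hypothetical API wrapper
        verdict["attempt"] = attempt
        if not verdict["reachable"]:
            break
        if attempt < reruns:
            time.sleep(interval_s)
    return verdict

def webex_message(domain: str, verdict: Dict) -> Dict:
    """Body for POST https://webexapis.com/v1/messages (roomId is a placeholder)."""
    if verdict["reachable"]:
        text = (f"**Policy NOT enforced** for `{domain}`: still reachable from "
                f"{', '.join(verdict['reachable'])} after {verdict['attempt']} run(s).")
    else:
        text = (f"Policy enforced for `{domain}`: blocked on all "
                f"{len(verdict['blocked'])} agents (run {verdict['attempt']}).")
    return {"roomId": "<WEBEX_ROOM_ID>", "markdown": text}

# Constructed sample: on the first run one laptop still reaches the domain,
# on the second run the block has propagated to every endpoint agent.
SAMPLE_RUNS = [
    [{"agentName": "laptop-1", "responseCode": 200},
     {"agentName": "laptop-2", "errorType": "DNS"}],
    [{"agentName": "laptop-1", "errorType": "DNS"},
     {"agentName": "laptop-2", "errorType": "DNS"}],
]

def demo() -> Dict:
    runs = iter(SAMPLE_RUNS)
    verdict = verify_block("internetbadguys[.]com", lambda: next(runs), reruns=3, interval_s=0)
    return webex_message("internetbadguys[.]com", verdict)
```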
SecureX and ThousandEyes
This SecureX response workflow lets users right-click a domain or URL observable in Cisco SecureX threat response and check whether it is reachable from Cisco ThousandEyes endpoint sensors. This is important for multiple reasons. First of all, an analyst can check whether a potentially harmful destination (e.g. a command-and-control server) is reachable and can therefore pose a threat. Second, it can also be used to verify policy enforcement across your organization: Cisco ThousandEyes can, for example, verify a domain block in Cisco Umbrella, which makes for a good SASE use case. Obviously, there are many more use cases for which this is useful.
Video demo: ThousandEyes instant HTTP test with SecureX. Ep.19
Learn more about ThousandEyes, Umbrella, and SASE
If you want to learn more about ThousandEyes, Umbrella, and other components of the Cisco Secure Access Service Edge (SASE) platform, then you should check out this new learning track.
Want more information on cool SASE use cases? Hop on over to the Cisco SASE dev center.