Unlocking the Power of Network Telemetry for the US Public Sector

Co-authors: Lou Norman and Erich Stokes
A golden nugget can be seen as a valuable piece of information that significantly enhances security measures. In cybersecurity, identifying and leveraging such golden nuggets can be crucial for maintaining robust security postures and preventing breaches.
Unlocking the Power of Network Telemetry
Network telemetry is a transformative tool for the US Public Sector, acting as a ‘Golden Nugget’ within Cisco network and other vendor hardware. It provides a wealth of insights that can significantly enhance network management and security strategies. By effectively harnessing telemetry data, public sector organizations can gain a comprehensive understanding of network performance, detect anomalies, and optimize resource allocation.
This capability not only improves operational efficiency but also strengthens security measures, ensuring that networks remain robust and resilient against potential threats. Cisco’s network telemetry solutions empower public sector entities to unlock the full potential of their network infrastructure, driving innovation and efficiency in their operations. Yet, many organizations are not fully utilizing this powerful feature.
This blog is structured into a three-part series to facilitate a deeper understanding of network telemetry.
In Part 1, “Defining Network Telemetry”, we will define network telemetry, providing a solid foundation for readers new to the topic.
In Part 2, “A Deeper Dive Understanding Network Telemetry”, we will explore a more comprehensive understanding of network telemetry.
In Part 3, “Applications and Benefits of Network Telemetry”, we will shift the focus to the practical side, discussing the benefits of network telemetry and how Cisco can help the US Public Sector unlock its potential.
Part 1: Defining Network Telemetry
As noted, network telemetry is a transformative tool for the US Public Sector. It is a technology used to gain network insight and covers various techniques for remote data generation, collection, correlation, and consumption.
According to the Internet Engineering Task Force (IETF), network telemetry is a technology for gaining network insight and facilitating efficient and automated network management.
Any information that can be extracted from networks and used to gain visibility or as a basis for actions is considered network telemetry. Telemetry data can include statistics, event records, logs, snapshots of state, and configuration data. It can come from routers, switches, and firewalls, and even from the logs of public cloud providers like AWS, Google, and Azure.
Network Telemetry Visibility Security Benefits
Network telemetry visibility significantly enhances security by providing organizations with the ability to identify every entity and monitor all communications within their network. This capability allows organizations to establish a baseline of normal behavior for each user or host by understanding who accesses what information at any time. This baseline is essential for detecting anomalies and potential threats, as it enables immediate alerts when deviations from normal behavior occur. Such comprehensive visibility ensures that businesses can swiftly respond to threats, thereby minimizing their impact on critical information.
By leveraging rich telemetry data, organizations can conduct forensic investigations, understand the source and spread of threats, and ensure compliance with security policies. This capability is essential for maintaining a robust security posture and supporting efficient network management.
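As an added illustration of the per-host baseline this section describes (example code, not from the original post), the following Python learns which destinations each host normally reaches from a constructed set of flow records, then flags flows that deviate from that baseline. The record fields and thresholds are assumptions for the sample.

```python
from collections import defaultdict

# Constructed sample flow records (source host, destination, port, protocol, bytes),
# shaped like the fields a NetFlow/IPFIX collector would hand to an analytics tier.
BASELINE_FLOWS = [
    {"src": "10.1.1.5", "dst": "10.1.2.20", "dport": 445, "proto": 6, "bytes": 120_000},
    {"src": "10.1.1.5", "dst": "192.0.2.10", "dport": 443, "proto": 6, "bytes": 40_000},
    {"src": "10.1.1.5", "dst": "10.1.2.53", "dport": 53, "proto": 17, "bytes": 300},
    {"src": "10.1.1.7", "dst": "192.0.2.10", "dport": 443, "proto": 6, "bytes": 25_000},
    {"src": "10.1.1.7", "dst": "10.1.2.53", "dport": 53, "proto": 17, "bytes": 250},
]
NEW_FLOWS = [
    {"src": "10.1.1.5", "dst": "192.0.2.10", "dport": 443, "proto": 6, "bytes": 50_000},    # normal
    {"src": "10.1.1.7", "dst": "10.1.2.20", "dport": 445, "proto": 6, "bytes": 2_000},      # never used SMB before
    {"src": "10.1.1.5", "dst": "10.1.2.20", "dport": 445, "proto": 6, "bytes": 9_000_000},  # known peer, huge volume
    {"src": "10.1.1.9", "dst": "10.1.2.53", "dport": 53, "proto": 17, "bytes": 200},        # host absent from baseline
]

def build_baseline(flows):
    """Per source host: the set of (dst, dport, proto) it normally reaches and the largest flow seen."""
    peers, max_bytes = defaultdict(set), defaultdict(int)
    for f in flows:
        peers[f["src"]].add((f["dst"], f["dport"], f["proto"]))
        max_bytes[f["src"]] = max(max_bytes[f["src"]], f["bytes"])
    return {"peers": peers, "max_bytes": max_bytes}

def detect_deviations(baseline, flows, volume_factor=10):
    """Return (reason, flow) pairs for flows that deviate from the learned baseline."""
    alerts = []
    for f in flows:
        src, key = f["src"], (f["dst"], f["dport"], f["proto"])
        if src not in baseline["peers"]:
            alerts.append(("unknown-host", f))
        elif key not in baseline["peers"][src]:
            alerts.append(("new-destination", f))
        elif f["bytes"] > volume_factor * baseline["max_bytes"][src]:
            alerts.append(("volume-spike", f))
    return alerts

if __name__ == "__main__":
    for reason, flow in detect_deviations(build_baseline(BASELINE_FLOWS), NEW_FLOWS):
        print(reason, flow)
```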
Definitions
Let’s define the following types of network telemetry:
NetFlow
NetFlow is a Cisco technology that provides statistics on packets flowing through devices. It is the standard for acquiring operational data from IP networks, provides data to enable network and security monitoring, network planning, traffic analysis, and IP accounting, and is supported by many vendors.
IPFIX
Internet Protocol Flow Information Export (IPFIX) is an IETF standard export protocol for sending NetFlow packets. It is based on NetFlow version 9 and is used for exporting IP flow information for purposes such as accounting, auditing, and security. IPFIX formats NetFlow data and transfers the information from an exporter to a collector using UDP as the transport protocol. IPFIX is also supported by many vendors.
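To show what the exporter-to-collector transfer looks like on the wire, here is an added Python example (not from the original post) that decodes one IPFIX (RFC 7011) datagram: it learns the record layout from the template set, then decodes the data set that follows. The datagram, template ID and Information Element subset are constructed for the sample; a real collector would receive the bytes over UDP.

```python
import socket
import struct

# IANA IPFIX Information Element IDs used by the constructed sample (assumed subset).
IE_NAMES = {1: "octetDeltaCount", 4: "protocolIdentifier", 7: "sourceTransportPort",
            8: "sourceIPv4Address", 11: "destinationTransportPort", 12: "destinationIPv4Address"}

def decode_field(ie_id, raw):
    """IPv4 address IEs render as dotted quads; every other IE as a big-endian integer."""
    return socket.inet_ntoa(raw) if ie_id in (8, 12) else int.from_bytes(raw, "big")

def parse_ipfix(datagram, templates=None):
    """Decode one IPFIX message; `templates` persists layouts across datagrams per (domain, template ID)."""
    templates = {} if templates is None else templates
    version, length, _export_time, _seq, domain = struct.unpack("!HHIII", datagram[:16])
    if version != 10:
        raise ValueError(f"not an IPFIX message: version {version}")
    records, off = [], 16
    while off + 4 <= length:  # walk the sets; each set header is ID + length
        set_id, set_len = struct.unpack("!HH", datagram[off:off + 4])
        p, end = off + 4, off + set_len
        if set_id == 2:  # template set: learn record layouts
            while p + 4 <= end:  # trailing bytes shorter than a header are padding
                tid, count = struct.unpack("!HH", datagram[p:p + 4]); p += 4
                fields = []
                for _ in range(count):
                    ie_id, flen = struct.unpack("!HH", datagram[p:p + 4]); p += 4
                    if ie_id & 0x8000:  # enterprise-specific IE: a 4-byte enterprise number follows
                        ie_id &= 0x7FFF; p += 4
                    fields.append((ie_id, flen))
                templates[(domain, tid)] = fields
        elif set_id >= 256 and (domain, set_id) in templates:  # data set with a known template
            fields = templates[(domain, set_id)]
            rec_len = sum(flen for _, flen in fields)
            while p + rec_len <= end:  # stops before any trailing padding
                rec = {}
                for ie_id, flen in fields:
                    rec[IE_NAMES.get(ie_id, f"ie{ie_id}")] = decode_field(ie_id, datagram[p:p + flen])
                    p += flen
                records.append(rec)
        off = end  # options templates (ID 3) and data sets with unknown templates are skipped
    return records

def build_sample_datagram():
    """Constructed sample datagram (not captured traffic): template 256 plus one flow record."""
    fields = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 8)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", i, n) for i, n in fields)
    rec = socket.inet_aton("10.1.1.5") + socket.inet_aton("192.0.2.10") + struct.pack("!HHBQ", 51234, 443, 6, 8192)
    body = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIII", 10, 16 + len(body), 0, 1, 7) + body
```

Because data records carry no field names, a collector that has not yet seen the template for a given observation domain cannot decode them, which is why the function keeps `templates` across calls.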
NSEL
NetFlow Secure Event Logging (NSEL) is a network telemetry type supported by Cisco firewalls that provides a stateful IP flow tracking method. It exports records indicating significant events in a flow, such as flow-create, flow-teardown, flow-denied, and flow-update. It can also report NAT and PAT translations for connections through the firewall.
NSEL generates periodic flow-update events to provide byte counters over the duration of the flow, similar to traditional NetFlow. These events are triggered by state changes in the flow and are used to export data about flow status.
Encrypted Traffic Analytics (ETA)
ETA, a Cisco-patented technology, is a type of network telemetry that leverages Flexible NetFlow (FNF) technology to export useful information about network flows to collectors, providing visibility into the network. ETA is used for enhanced telemetry-based threat analytics and for identifying malware, even in encrypted traffic, without the need for decryption.
Encrypted Visibility Engine (EVE)
EVE is a technology used by Cisco to inspect the Client Hello portion of the TLS handshake to identify client processes. EVE also does a similar function with the Quick UDP Internet Connections (QUIC) protocol. QUIC is faster than TLS and is rapidly becoming the protocol of choice over TLS for many applications. This initial data packet sent to the server helps in identifying the client process on the host. EVE uses this fingerprint, along with other data like destination IP address, to identify applications and take appropriate actions such as allowing or blocking them. It can identify over 5,000 client processes and map them to client applications for access control rules without enabling decryption.
EVE also uses machine learning to process TLS fingerprints and malware samples daily, updating its fingerprints through the Cisco Vulnerability Database package. It can block encrypted malicious traffic without outbound decryption and allows for the creation of exception rules to bypass its block verdict for trusted networks or internal testing activities.
NVM
The Network Visibility Module (NVM) is a technology that provides endpoint telemetry by continuously generating enhanced IP Flow Information Export (IPFIX) data. It offers rich user behavioral data, allowing visibility into user traffic direction and volume, the destination of that traffic, the software processes and applications present on the endpoint, and details about the device.
NVM telemetry is used to analyze endpoint-specific security risks and breaches, and it can be integrated with other security solutions for comprehensive endpoint visibility.
Network telemetry refers to the collection and analysis of data from network devices to gain insights into network performance, security, and usage patterns. Cisco’s network hardware is equipped with the capability to generate various types of telemetry data.
Conclusion
In conclusion, network telemetry serves as a transformative tool for the US Public Sector by providing comprehensive insights into network performance, security, and usage patterns. In Part 1 of this blog series, we defined network telemetry. In Part 2, we will take a deeper dive into network telemetry and discuss how Cisco’s network hardware, equipped with advanced telemetry capabilities, enables organizations to harness data effectively, thereby enhancing decision-making processes and operational efficiency.
By leveraging telemetry data, public sector entities can proactively address potential threats, optimize resource allocation, and ensure compliance with security policies. This capability not only strengthens security postures but also supports the efficient management of complex network environments, ultimately contributing to improved service delivery and public sector resilience.
Resources
Cisco Telemetry Architecture Guide
Cisco Secure Network Analytics + Splunk