Cisco Security DNA
•
5 likes•1,997 views
Cisco Digital Network Architecture is based on these pillars 1) Service Virtualisation (eNFV and 3th party hosting) 2) Automation/SDN/Policy based networking 3) Analytics 4) Orchestration 5) Hybrid 6) Open and Programmable 7) Physical and Virtual 8) Software Driven Analytics are key to implement NaaS (Network as a Sensor) and NeeE (Network as Enforcer) https://masimatteo.wordpress.com/2016/06/21/from-we-must-have-a-network-cheap-to-ask-the-network-how-to-reinvent-the-business/
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to Cisco Security DNA
Similar to Cisco Security DNA (20)
More from Matteo Masi
More from Matteo Masi (10)
Recently uploaded
Recently uploaded (20)
Cisco Security DNA
- 1. University of Milan The Future of Network & Security Security IN the Network 28 Apr 2016 Matteo Masi Sales Specialist Enterprise Networks & Software @masimatteo
- 2. Cisco Confidential 2© 2014 Cisco and/or its affiliates. All rights reserved.
- 3. The Network Enables Digital Business Zorawar Biri Singh (CTO) “What we have done, what we do, what we’ll do has been, is, will be tied to the Network. Our center of gravity”
- 4. Cisco Confidential 4C97-731192-02 © 2015 Cisco and/or its affiliates. All rights reserved. from 2010 to 2020, the digital universe will grow Source: IDC Digital Universe in 2020 Report The Digital Vortex
- 5. Cisco Confidential 5C97-731192-02 © 2015 Cisco and/or its affiliates. All rights reserved. Process Internet of Things DataPeople
- 6. Reimagine Digital Retail 66% Switched brands due to poor customer service * 80% Retail purchases in physical stores *** 86% will pay more for a better customer experience **** 55% of US consumers look up product information on mobile ** * Accenture Consumer Pulse Survey ** Forrester Retail Report *** McKinsey Future of Retail Article **** Oracle Customer Impact Report People Centric Digitization 3D Virtual Reality Concierge Assistance Store Experience at Home Amazon Dash Button, Echo, HoloLens – Augmented Reality Automated Retail Fulfillment Real-Time Individualized Manufacturing and Delivery
- 7. Consumer as Creators Additive Manufacturing: From Prototypes to Production Robotics in Logistics Human-Less Factories Reimagine Digital Manufacturing 50% of Manufacturers will use robotic fulfillment by 2019 * 3D printer market will grow at 103.1%CAGR from 2015 to 2018 ** * Forrester Retail Report ** Gartner Machine Centric Digitization
- 8. Network has to Change, IT has to change Cisco VNI 2019 Italy 3 devices/person 13,5M Wereable Cloud App > 90% Mobile traffic DC Traffic from Mobile CAGR 50% IoTMobilityMobile traffic will Exceed wired traffic by 2017 50B devices in 2020
- 9. Digital Transformation Is Moving IT to the Boardroom Accelerate Business Processes, Introduce New Innovative Offerings UPS Tracking Data Driven Business Intelligence Mobile Point of Sale Starbucks Apps Philips Connected Lighting Nike Digital Sport Outperform Your Competition by Mastering Digital Profit 26% Revenue 9%
- 10. Insights & Experiences Drive Business Innovations Empower Workforce Personalize Experience Increase Loyalty Security & Compliance Real-time and Dynamic Threat Defense Automation & Assurance Speed, Simplicity & Visibility Faster services rollout and time to market The Network Enables Digital Business Network Requirements for the Digital Organization Faster Innovation Reduce Cost & Complexity Lower Risk & Meet Compliance
- 11. Delivering Digital Capabilities with Cisco DNA Workforce Experience Customer Experience Branch Agility Security Business Needs Virtualization Automation Analytics Cloud Network Requirements Faster Innovation | Reduced Cost and Complexity | Lower Risk DNA Technologies Partner Ecosystem Services
- 12. Cisco Digital Network Architecture Automation Abstraction & Policy Control from Core to Edge Open & Programmable | Standards-Based Open APIs | Developers Environment Cloud Service Management Policy | Orchestration Virtualization Physical & Virtual Infrastructure | App Hosting Analytics Network Data, Contextual Insights Insights & Experiences Automation & Assurance Security & Compliance Network-enabled Applications Cloud-enabled | Software-delivered Principles
- 13. The Future of Enterprise Networking Mobility Collaboration Security Endpoints APIC EM Branch Business Agility Automated Enterprise Consistent Policy Investment Protection APIC-EM Core of Automation Application Policy Infrastructure Controller – Enterprise Network FREE
- 14. Automation & Analytics of QOS Policy Client A calls client B1. 2. 3. Calls end1. 2. 3. Optimal Experience Dynamic QoS in 250 ms Reduce voice jitter by 300% 50% improvement for video traffic RESTAPIRESTAPI Cisco® UCM calls APIC- EM to set up policy Cisco UCM calls APIC- EM to set up policy QoS policy enabled on network device QoS policy enabled on network device
- 15. NETWORK ITTrouble Ticket Path VisualizationUser Simple Workflow SDN Open ArchitectureApplication Path Monitoring Automation & Analytics for Troubleshooting APIC-EM Path Trace Application Easy visual discovery of trouble spots in communication path based on 5-Tuple OPEX for ticket processing decreased by 98% From 1.4 hours to 1 minute
- 16. Analytics for Location Based Services CMX (Connected Mobile Experiences) Presence Analytics Heat Maps Correlation Visitors vs. Passerbys Repeat vs. New Visitors Dwell Time Busiest Hour, Day Visitor Sentiment Conversion Rate Building/Floor Where do visitors spend time? Which paths did visitors take? Timeframe Parameters Heat Map
- 18. Security Challenges Growing Attack Surface Dynamic Threat Landscape Complexity and Fragmentation
- 19. How Data Breach Happens Reconnaissance Victim clicks phishing email link Malware dropped via backdoor Lateral Movement to find Admin Escalate Privilege to become Admin Data Exfiltration using Admin privilege Information monetized after breach
- 20. Motivated Threat Actors Behind Breaches: Social Security $1 Medical Record >$50 DDOS as a Service ~$7/hour Credit Card Data $0.25-$60 Bank Account Info >$1000 depending on account type and balance Exploits $1000-$300K Facebook Account $1 for an account with 15 friends Spam $50/500K emails Malware Development $2500 (commercial malware) Global Cybercrime Market: $450B-$1T Mobile Malware $150 SSN DDoS
- 21. You Can Not Protect What You Don’t See 60% of data is stolen in HOURS 85% of point-of-sale intrusions aren’t discovered for WEEKS 54% of breaches remain undiscovered for MONTHS 51% increase of companies reporting a $10M loss or more in the last 3 YEARS A community that hides in plain sight avoids detection and attacks swiftly
- 22. The Threat: For the last couple of years I have used this “Organisations” slide to illustrate “The Threat” Now I am more inclined to just agree with JC below Enterprise Security is still a Growing Concern. Threats get more Sophisticated– the results more devastating The Security Challenge is NOT going away!
- 23. Network Without Visibility 192.168.19.3 10.85.232.4 10.4.51.5 192.168.132.99 10.43.223.221 10.200.21.110 10.51.51.0/24 10.51.52.0/24 10.51.53.0/24 Internet Cryptic network addresses that may change constantly Difficult to manage policy without any context
- 24. A Threat-Centric Security Model Before Discover Enforce Harden After Assess Contain Remediate Attack Continuum Detect Block Defend During Network as an Enforcer Network as a Sensor
- 25. Network with Visibility and Control NaaS (Network as a Sensor) Employee Employee Supplier Quarantine Shared Server Server High Risk Segment Internet Network Fabric Clear understanding of traffic flow with context Easier to create & apply policy based on such context Allowed Traffic Denied Traffic
- 26. Building Complex Security Policy Very Simply deny icmp deny udp employee employee eq domain deny tcp employee employee eq 3389 deny tcp employee employee eq 1433 deny tcp employee employee eq 1521 deny tcp employee employee eq 445 deny tcp employee employee eq 137 deny tcp employee employee eq 138 deny tcp employee employee eq 139 deny udp employee employee eq snmp deny tcp employee employee eq telnet deny tcp employee employee eq www deny tcp employee employee eq 443 deny tcp employee employee eq 22 deny tcp employee employee eq pop3 deny tcp employee employee eq 123 Network Fabric Employee Employee Supplier Quarantine Shared Server Server High Risk Segment Internet Block Lateral Movement & Privilege Escalation
- 27. NaaS: Visibility and Enforcement with Cisco Identity Services Engine (ISE) PARTNER CONTEXT DATA NETWORK / USER CONTEXT How WhatWho WhereWhen CONSISTENT SECURE ACCESS POLICY ACROSS WIRED, WIRELESS and VPN Policy pxGrid
- 28. NaaS: Lancope StealthWatch pxGrid Real-time visibility at all network layers • Data Intelligence throughout network • Assets discovery • Network profile • Security policy monitoring • Anomaly detection • Accelerated incident response Cisco ISE Mitigation Action Context Information NetFlow
- 29. access-list 102 permit tcp 37.85.170.24 0.0.0.127 lt 3146 77.26.232.98 0.0.0.127 gt 1462 access-list 102 permit tcp 155.237.22.232 0.0.0.127 gt 1843 239.16.35.19 0.0.1.255 lt 4384 access-list 102 permit icmp 136.237.66.158 255.255.255.255 eq 946 119.186.148.222 0.255.255.255 eq 878 access-list 102 permit ip 129.100.41.114 255.255.255.255 gt 3972 47.135.28.103 0.0.0.255 eq 467 Network as an Enforcer (NaaE) with TrustSec Traditional Security Policy TrustSec Security Policy Security Control Automation Simplified Access Management Improved Security Efficacy Network Fabric Switch Router DC FW DC SwitchWireless Flexible and Scalable Policy Enforcement segmentation software defined
- 30. Integrated Threat Defense (Detection & Containment) NaaS + NaaE Employee Employee Supplier Quarantine Shared Server Server High Risk Segment Internet Lancope StealthWatch Event: TCP SYN Scan Source IP: 10.4.51.5 Role: Supplier Response: Quarantine ISE Change Authorization Quarantine Network Fabric
- 31. Architecting a Secure Network Combining Network as a Sensor / Network as an Enforcer Network Sensor (Lancope) Campus/DC Switches/WLC Cisco Routers / 3rd Vendor Devices Threat PxGRID Network Sensors Network EnforcersPolicy & Context Sharing Cisco Collective Security Intelligence Confidential Data NGIPS PxGRID ISE NGFW TrustSec Software-Defined Segmentation
- 32. Protect EMR; Protect medical equipment from malware Healthcare Scope reduction for PCI compliance; Protect sensitive information from other connected devices Retail Security controls for IoE, Simplified segmentation for manufacturing zones, Supply- chain partner security Manufacturing Control access to regulated apps; Simplify audit & compliance; Accelerate security policy provisioning for new server Financial Control student access to classroom media, Scalable access control policy for students and faculty Education Policy across campus, branch & DC for ACI & non-ACI Consistent Policy Differentiated access for contractors & partners Secure Remote Access Threat Mitigation Mitigate malware scanning and propagation with actionable intelligence to find needle in haystack Secure BYOD Maximizing BYOD investment while protecting sensitive information Simplified Firewall Rule Management Faster data center service / application provisioning Network as a Sensor / Enforcer Use Cases
- 33. Network as a Sensor and Enforcer Summary TrustSec provides software defined (micro) segmentation NetFlow and Lancope StealthWatch provides visibility and intelligence The network is a key asset for threat detection and control
- 34. Integrating Security IN the Network Discover and Classify Assets Understand Behavior Enforce Policy Active Monitoring Network Segmentation Design and Model Policy
- 35. 28 Apr 2016 Matteo Masi Sales Specialist Enterprise Networks & Software @masimatteo
Editor's Notes
- I recently met with the Head of Infrastructure of one of the largest European bank. As we were discussing the future requirements of his infrastructure , he shared how much he currently struggles to operate at the digital speed its Business Units require. Those BUs are used to the kind of SLA we now see in Data Centers (in terms of instantiating VM and Infrastructure through ACI for instance), and are expecting the same to happen in their networks (Branch, Campus, Security, ..). And he added: "I just do not know how!" What I am discussing in this 30 mins video is how we can now help our customers operate at digital speed! Cisco is introducing DNA, which is the biggest evolution of our enterprise network architecture and messaging in years. And which will differentiate us further from our competitors, but above all , represents a fantastic opportunity to help our customers on that journey to Digital while giving them a compelling reason to refresh their installed base
- (30 seconds max) In fact, IDC projects that by 2020 the digital universe will reach 40 zettabytes (ZB), which is 40 trillion GB of data, or 5,200 GB of data for every person on Earth. This amount exceeds previous forecasts by 5 ZBs, resulting in a 50-fold growth from the beginning of 2010.
- Now let’s look at the future Retail 3D VR Shopping: What if you have an endless aisle in your store and you have a personal shopper who is ready to answer every question? At the NYC Rebecca Minkoff store, customers can select products from racks or a digital fashion wall and head to the dressing room, where they meet their personal fashion consultant. Once in the dressing room, a digital mirror displays all the products and sizes the customer has in the room. The customer can easily request a new size by selecting it on the mirror. The consultant delivers the new sizes to the dressing room without the customer having to redress or wander the store half-undressed. In the fitting rooms, an antenna in the light fixture reads RFID tags in merchandise brought to the room, and images automatically appear on the mirror, which doubles as a touch screen. It suggests other clothes or accessories that pair well with what the customer is trying on. The connected fitting room tells the store not only what shoppers bought, but also what they left behind. "The fitting room has come to life for the consumer as she walks in," Minkoff says. "She can change the lighting. We have four options, so she can see how the outfit will look in bright sunshine, for example. If she is looking at a dress for a cocktail party, she can see how she will look in it in more dim, evening light." The Impact - Customers quickly find more products that satisfy their desires. The Result - Richer shopping experiences = increased brand loyalty, increased avg. basket size, increased customer lifetime value Source - Forrester, https://www.forrester.com/The+Future+Of+The+Retail+Experience/fulltext/-/E-RES122102 http://www.wsj.com/articles/designer-rebecca-minkoffs-new-stores-have-touch-screens-for-an-online-shopping-experience-1415748733 http://www.rfidjournal.com/articles/view?13985 http://www.fastcompany.com/3044831/the-science-behind-how-pepsico-gives-customers-exactly-the-flavors-they-want In Home Augmented Reality: Now what if you could bring this experience home and never negotiate traffic and rush through the aisles to set foot in a store. What if the store came to you? HoloLens brings augmented reality to in-home shopping experiences that will allow digital retailers like Amazon to compete more effectively with the physical in-store experience. At the same time, augmented reality will also give omnichannel retailers an in-home extension of their physical store. The AR shopping experience has the potential to reduce online shopping return rates while also increasing online purchases of products where customers prefer to experience the product. Source - https://www.forrester.com/The+Future+Of+The+Retail+Experience/fulltext/-/E-RES122102 Automated Retail Fulfillment: What if robots ran a warehouse? Source - http://www.zoomsystems.com/what-we-do Real-Time Individualized Manufacturing and Stocking: Now what if we apply this to just in time retailing and manufacturing Integration of real-time individual consumer context and analytics with existing fulfillment capabilities gives rise to “Omnichannel fulfillment capabilities — that is, the ability to offer the customer cross-channel visibility and ordering options — have become the standard for leading traditional retailers. Order online for in-store pickup, Ship-to-store, Endless aisle, and even reserve online/pickup in store — all of which could utilize in-store pickup.” – Forrester https://www.forrester.com/Omnichannel+Mastery+Optimize+InStore+Pickup/fulltext/-/E-RES116388 Sources: 66% of Consumers Switched Brands Due to Poor Customer Service. https://www.accenture.com/t20150523T052453__w__/us-en/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Strategy_3/Accenture-Global-Consumer-Pulse-Research-Study-2013-Key-Findings.pdf 55% of US consumers now prefer to use a device to look up product information. https://www.forrester.com/Its+Time+For+Retail+Stores+To+Open+Their+Doors+To+The+Digital+Org/fulltext/-/E-RES129314 80% of Retail Purchases are Still Made in a Brick and Mortar Store. http://www.mckinseyonmarketingandsales.com/sites/default/files/pdf/CSI_Bricks_Click.pdf 86% of consumers will pay more for a better customer experience. http://www.oracle.com/us/products/applications/cust-exp-impact-report-epss-1560493.pdf
- We are living in the digital age. Digital capabilities are moving IT to the boardroom. Because IT has to accelerate business processes and introduce new services. These IT shops are digital masters. Digital Masters excel at two essential capabilities. They build digital capabilities by rethinking and improving their business processes, their customer engagements, and their business models. They also build strong leadership capabilities to envision and drive transformation. Westerman, George; Bonnet, Didier; McAfee, Andrew (2014-09-23). Leading Digital: Turning Technology into Business Transformation (Kindle Locations 155-157). Harvard Business Review Press. Kindle Edition. Processes based Innovation You no longer have to turn on your light switch. Proactive alerts to maintenance / cost savings You no longer need your credit card, you just use your phone You no longer watch a “channel” you get on demand. You no longer physical CD, you stream on demand. UPS: (Data from Leading Digital book) Challenge: For decades, UPS has been a leader at optimizing its processes. By standardizing its processes, even to the extent of telling drivers how to step off the truck, UPS continually improves efficiency, safety, and quality. UPS controls a complex logistical web with millions of possible permutations in service options and delivery routes. Route Optimization is a key opportunity and complex challenge, every driver at UPS has trillions of ways to run their delivery routes. Solution: UPS used advanced algorithms to shave millions of miles from delivery routes. The project crunches business rules, map data, customer information, and employee work rules, among other factors, to optimize package delivery routes within six to eight seconds. Results: Analytics has helped UPS to reduce eighty-five million miles driven per year. The reduction equates to over eight million fewer gallons of fuel used. Boeing: (Data from Manufacturing EBC deck) Challenge Avoid misplacing toolkits, machinery, parts and WIP (Work in Progress) inventory which cost as much as $1 million per incident Solution Cisco’s Unified Wireless LAN Infrastructure Location capabilities and Wi-Fi asset tags Results Locates tagged assets instantly Reduces delays in the production Reduces government fines “In the factory, the ability to locate major parts and tooling on a timely basis is critical... [Wi-Fi-based Active RFID] will streamline our production environment and make it more efficient time-wise and dollar-wise, by not having to replicate tooling and pieces of gear.” Jim Farrecker, Chief Network Engineer, Boeing Stanley: (Data from Manufacturing EBC deck) Challenge Get better transparency of real-time production to schedule Dissect why actual labor costs exceeds standard costs Need to understand effects of shift changes Gain better visibility to real-time OEE Solution Leverage Cisco Connected Factory Wireless in the plant Combine with AeroScout RFID tags Integrate RFID Tags to PLC and Quality Control scales Results 24% in OEE improvement in router line Reduced labeling error rate by 16% Improved labor utilization from 80 to 92% Reduced inventory holding costs by 10% “With the help of the Cisco and AeroScout Industrial solution, we are on our way toward realizing our vision of a virtual warehouse and fully connected factory, with complete visibility and traceability.” Gary Frederick, CIO Industrial Division, Stanley Starbucks: (Data from Leading Digital book) Challenge Following a rapid expansion, Starbucks faced declining same-store sales in 2008, and its share price had been cut nearly in half over the prior two years. Senior leaders, under the helm of CEO Howard Schultz, took a number of strategic actions, key among them using digital technologies to engage customers in new ways. “Digital for Starbucks was not just about a website or a point-of-sales system, but about an ability to connect with customers and transform their experience and drive the company.” (Adam Brotman, Chief Digital Officer) Solution The first Starbucks foray into mobile was the company’s myStarbucks app, released in 2009. In January 2011, Starbucks took its loyalty program digital with the introduction of its Starbucks Card mobile app. Starbucks has continued to expand its mobile payment capabilities. In 2012, it announced that customers would be able to make payments at the register via Square— an app-based mobile payment system— following a $ 25 million investment in the service. Results Mobile payments at Starbucks have been a success for customer convenience, but they are proving to have financial benefits as well. With over three million mobile payment transactions per week in 2012, the mobile-payments introduction has significantly reduced transaction fees. “Everything we are doing in digital is about enhancing and strengthening those connections [with our customers] in only the way that digital can and only the way that Starbucks can.” (Brotman, CDFO) Philips Connected Lighting: For Cisco, Major Partners On-Board: Phillips (vertically integrated), Cree (LEDs), Microchip (controller). Gap: Lighting Management Application (just started discussions with a startup – Enlighted) Challenge: Imagine . . .a world of beautifully illuminated indoor and outdoor spaces . . . where every light point is connected to an intelligent system that delivers high-quality, reliable illumination . . . and that serves as a pathway for information and services . . . to deliver extraordinary value beyond illumination to the users and managers of spaces. (From Philips Website) Solution: Connected Lighting– IoT for the carpeted area. Results: For Manufacturers: Big Market: Lighting market will be € 100B by 2020 (McKinsey). LEDs will be 54% of this market For Customers: Save energy Up to 80% savings over conventional lighting (Philips website) Digital Disruption quotation – from John Chambers at Cisco Partner Summit 2015.
- There are three major IT priorities for IT to lead digital transformation in their respective organizations Faster Innovation – digital demands businesses to differentiate customer experience and re-define models quickly. Yet only 30% of digital projects will succeed [Cisco study]. This is partly because IT processes are slow and costly and new technologies are being developed faster than they can be adopted. Reduce Cost and complexity – over time the network has grown complex and our customers are spending 2-3 times more on OpEx than CapEx which is unsustainable in a digital world where there growing numbers of devices, apps, users, threats and static IT budgets. Lower Risk and Meet Compliance – mobility and cloud by definition increase the attack surface of business, there is no perimeter … and it take 80 days to detect threats and even longer to remediate while 60% of data is stolen in the first few hours. All this while strict new regulations like the European Data Protection and Affordable Care Acts are being introduced. How does the network need to evolve to enable growing business needs? As we said before, the network connects all things digital. But let’s discuss how it needs to evolve to address IT priorities for digital. The network needs to enable faster innovation by delivering Deep Insights on users behaviors, application performance, and threats, so the business can take Immediate Action to optimize factors like employee productivity, customer experience, and daily processes -- all around BUSINESS innovations and new differentiating or disrupting models. For example, in order to Personalize Experiences it needs to deliver context relevant information like what users and devices are on the network and where. And this is possible when the network has visibility and can deliver the analytics, helping businesses make better decisions faster. The network can tell a bank a VIP client has entered a store or what promotions are driving store front conversion or how well expensive real-estate is being utilized (CMX and CMX Cloud, available now). Or the network can see no users are on premises, and lower energy usage of lighting, HVAC, etc. (Digital Ceiling, available Feb 2016). As IoT solutions becoming more pervasive, we’ll see the network share information with applications to drive decisions. Example, Schindler Elevators are running their IoT app over the network to capture analytics on service elevators so they can proactively determine when to send technicians on site. (Non-pubic use case). Today we collect data through devices using CMX, Prime, Lancope; by end of CY16, we will have a Network Data Platform based in the Cloud that will collect rich network data and provide in a structured database with open APIs that customers and partners can tap into for supporting business decisions. To sustain the increasing devices, apps and services, while reducing cost and complexity the network needs to deliver automation and service assurance. This will allow IT to get a branch office running quickly, or roll out new services and applications faster with efficiency and optimal experience. The focus here is IT agility, providing capabilities that allow speed at the lower costs. Cisco provides deep visibility into users and applications, and with controller innovations, we are fully abstracting the network and providing simple workflows following Cisco best practices, so IT can focus on business intent, and allow the controller enforce the policies dynamically. Security continues to be a top priority for business and IT leaders! We know 69 percent of customers are less likely to do business with a breached organization. Also, maintaining compliance is difficult to sustain and less than 1/3 of companies remain compliant more than a year [Verizon PCI Compliance; 2012], opening themselves up to fines and legal procedures. The network needs to contain risk through integrated security services that rapidly detect and mitigate threats. Here the network – touching all things digital – can provide Security Everywhere and Consistently Enforce Compliance so that it acts as both a sensor and enforcer all the way from the clients to the cloud. We all can agree, all these network requirements are very critical to supporting a Digital Organizations, and are the objectives of the Digital Network Architecture, that moves the network beyond a platform of connectivity to a platform for insights, automation and security. However, while business leaders fully acknowledge the importance of the network in enabling digital, less than 10% of enterprises implementing digital business have very clear integration between their network and digital business strategies. (Source: Gartner). Let’s discuss why this is the case. (go to evolution of networking software)
- In short, the objectives of the Digital Network Architecture, is that it moves the network beyond a platform of connectivity to a platform for insights, automation and security. Lets look at FOUR digital capabilities that are all top of mind with many customers. Making the Network Secure Improving Workforce Productivity Extending Services to Branch Enhancing Customer Engagement Depending on verticals, they could be obviously different : asset tracking, data protection, faster time to market, supply chain visibility, etc It is critical to have the right network in place to support these initiatives. the network needs to be built on the principles of Virtualization, Automation, Analytics and Cloud. And all of these capabilities are delivered through on premise or cloud managed solutions. Let’s now look at the DNA architecture and the new capabilities we are introducing
- Cisco DNA is an open and extensible, software-driven architecture built on a set of design principles with the objective of providing outcomes: Insights & Actions, Automaton & Assurance, Security & Compliance as we saw earlier. What are the key principles of the architecture? Virtualized everything to give organizations freedom of choice to run services and applications on any platform. Design for automation leveraging controllers to simplify the complexity of the network and speed up deployment. Deliver pervasive analytics giving business information – workers, customers, applications, devices, threats – they cannot get from anywhere else. Offer cloud service management providing a unified interface for customers and partner ecosystem to support network-enabled applications. Enable openness and extensibility at every layer – Cisco and 3rd party hardware, open API’s, developers platform, all supporting network-enabled applications. DNA is delivered across three layers 1.) Layer 1 – is the network element layer. Here we have physical and virtual devices the bring together the network. A core principle at Network Layer is Virtualization. We are taking 30 years of networking innovations and virtualizing functions so customers can easily run any service anywhere. We are now introducing Enterprise Network Function Virtualization, that build the full software stack from the infrastructure software that can reside on servers, to virtualized network functions like routing, firewalls, to the orchestration tools to support E-NFV on physical and virtual devices. We are also modernizing our operating system with evolved IOS XE that is much more open and programmable through APIs. 2.) Layer 2 – is the platform layer. Here we leverage controllers to fully abstract the network and automate all day 0, 1, 2 functions. Also at this level this is where we can gather rich data analytics. Today, we do this through Prime, CMX, Lancope, but you can expect by end of CY16 a single analytics platform providing structured data and open APIs that both Cisco and third parties contextual insights 3.) Layer 3 – are the network enabled application that support key business services like collaboration, mobility & IoT. As we build to the design principles, we’ll leverage the cloud for: - Cloud managed – using the cloud to securely manage all elements in the network through a single pane view - Cloud edge – providing critical network functions at the edge to support business moving their operations to the cloud (like AWS, Azure) - Cloud delivered – enabling flexible subscription models where possible (statring with CMX) And of course, DNA will support the critical north and southbound APIs to enable the broadest ecosystem to be supported.
- Only the network has access to users, devices, location, applications and even threats. Today we offer contextual data through a number of services like CMX, Prime and StealthWatch, and we’ll continue to exposure more information overtime in a structured way so Business and IT can gain more value from the network to drive business decisions as well as troubleshoot efficiently.
- Cisco Plug and Play Day-zero automation Simplifies and speeds up day-zero provisioning securely through zero touch and removing steps like centralized staging and truck rolls. Provides dramatic reduction in operating expense: customer data indicates up to 79 percent reduction in device installation costs. Available now SWM, an EFT customer for PnP, spends around $100 per 2960C for installation via a partner – Low end Access Rolls Royce Engines pays $6000 per access switch installation and deployment through their partner British Telecom – 3850 Access Kaiser Permanente spends $$ > cost of switch for day0 installation & configuration - 3850 Access Per customer conversations, access device installation cost varies, based on switch, router, AP, partner’s involvement, etc. Range is $200 - $2000
- Dealing with application-centric designs and policies requires visibility into the current topology as a prerequisite. This may sound trivial - but accurate, real-time and application-specific path information is typically not available to network operators and system integrators today. The dynamic nature of networks makes it virtually impossible to maintain exact and complete external topology databases. Path information between specific application endpoints however, can be discovered at any point in time within the network. However, due to the variety of protocols and abstractions involved at layers 1, 2 and 3 this is still a non-trivial task. APIC-EM's Path Visualization application provides simple interfaces for human operators (graphical) and software applications (REST) to specify a query and obtain current path information within seconds: Obtaining accurate 5-tuple path information is both: a low risk read-only first step towards the possibilities of software-defined, providing operational benefits on a daily basis with minimal effort a building block towards more sophisticated software-defined architectures
- Cisco Aironet 2800 and 3800 Access points can provide deep packet visibility <<Click>> This allows organizations to visibility into the network, monitor the critical applications that drive success and prioritize applications as they make sense to align to goals. This is all done without any impact to the how the access point serves the end user devices.
- I recently met with the Head of Infrastructure of one of the largest European bank. As we were discussing the future requirements of his infrastructure , he shared how much he currently struggles to operate at the digital speed its Business Units require. Those BUs are used to the kind of SLA we now see in Data Centers (in terms of instantiating VM and Infrastructure through ACI for instance), and are expecting the same to happen in their networks (Branch, Campus, Security, ..). And he added: "I just do not know how!" What I am discussing in this 30 mins video is how we can now help our customers operate at digital speed! Cisco is introducing DNA, which is the biggest evolution of our enterprise network architecture and messaging in years. And which will differentiate us further from our competitors, but above all , represents a fantastic opportunity to help our customers on that journey to Digital while giving them a compelling reason to refresh their installed base
- Talking points Growing Attack Surface Does your customer have full handle on the personal devices brought into their premise? If they do, they are doing great job! If they don’t know, that’s no surprise. It is hard to track and manage all of those devices touching corporate network. We are seeing about 90% of organizations not fully aware of all network devices coming in. Those devices are meant to increase your productivity but at same time, we are not sure whether those devices can be trusted or malicious. Now you can use all of those cloud services using such devices and also from corporate managed asset like laptop. (http://lerablog.org/business/it/emerging-trends-for-byod-in-2014/) More Cloud based application used: 5 – 10 times more cloud services are being used than known by IT (http://blogs.cisco.com/security/beyond-data-securityfive-biggest-risks-of-shadow-cloud-it-services/) Virtualized service: Virtualization has surpassed 50% of all server workloads—and will reach 86% by 2016 (http://www.cioinsight.com/it-strategy/cloud-virtualization/slideshows/useful-virtualization-stats-trends-and-practices.html#sthash.Ptkluq2i.dpuf) Social Media: 14% of organizations had malware enter the corporate network through social media/web apps (between November 2012-November 2013) http://solutions.webtitan.com/blog/bid/157457/New-Research-on-the-Risks-posed-by-Social-Media-in-your-Business-Network-Security http://www.ostermanresearch.com/whitepapers/orwp_or_201204a.pdf Dynamic Threat Landscape More sophisticated attack and motivated threat actors IOT devices everywhere increasing attacking surface Complexity and Fragmentation 50+ security vendors for some customers (too many silo technology) 500 security vendors at RSA (many working on same business / security issues) 12x demand for security talent (shortage in security operation) More compliance requirements that require security professionals
- I think when you talk about Security you should always start with the threat
- Now if you connect the dots together, Network as a sensor and enforcer brings tremendous value to your customer. It will increase visibility inside their network and they can use this visibility to detect anomaly going on in the environment. ISE can translate this “visibility” and “detection” to something more actionable feedback to the network, which could be the proper segmentation or even remediation of the threat. Since Security Group used in TrustSec becomes the common classifier that network devices such as switches, routers, wireless controller, ASA Firewall, Web Security Appliances, data center switches, and hypervisor switches, customer can leverage their investment to simplify security operation, automate remediation based on detection, and secure their environment in depth. Now this wraps up the intro section, but you will learn Network as a Sensor and Enforcer in depth, in the following section this morning and afternoon.
- I recently met with the Head of Infrastructure of one of the largest European bank. As we were discussing the future requirements of his infrastructure , he shared how much he currently struggles to operate at the digital speed its Business Units require. Those BUs are used to the kind of SLA we now see in Data Centers (in terms of instantiating VM and Infrastructure through ACI for instance), and are expecting the same to happen in their networks (Branch, Campus, Security, ..). And he added: "I just do not know how!" What I am discussing in this 30 mins video is how we can now help our customers operate at digital speed! Cisco is introducing DNA, which is the biggest evolution of our enterprise network architecture and messaging in years. And which will differentiate us further from our competitors, but above all , represents a fantastic opportunity to help our customers on that journey to Digital while giving them a compelling reason to refresh their installed base