How to Create a Threat Response System Using Cisco Tetration

Standard industry plug-ins for Kafka, Splunk and Phantom Cyber can turn Cisco Tetration into a cybersecurity powerhouse.

Threat response is a key capability for securing today's data center. It consists of monitoring the network for attacks, issuing a notification when an attack has occurred and establishing a workflow that automates the response.

I hear a lot of pain points from customers on this very topic. As an experiment, a few colleagues and I wanted to determine the feasibility of creating a threat response system with Cisco Tetration using standard industry plug-ins for Kafka, Splunk and Phantom Cyber.

Cisco Tetration is a large-scale big data analytics platform that provides pervasive visibility into the data center. Using host-based sensors to gather telemetry, it applies unsupervised machine learning to understand application flows over extended periods of time.

This application insight can be used to develop extensive security policies for the data center, and when coupled with application programming interfaces (APIs) a user can create a system that monitors, notifies and responds to data center security threats.

Hurdles to integration

Setting out to prototype an architecture, we saw two challenges with developing such a system.

The first hurdle to overcome would be communicating between the software components of the system. Given the challenges in maintaining and coordinating software between various products, we wanted to minimize the writing of custom code for the system. Employing standard APIs provides the interoperability of disparate systems while greatly reducing the need for custom code. This approach translates to a quicker deployment time and reduced costs in developing this type of system.

The second challenge would be assembling the knowledge needed to build this system. A threat response system requires expertise in the domains of data center analytics, cybersecurity and automation. This type of knowledge and experience is not typically found in one individual.

We found that using an API-based approach, which provided distinct lines of responsibility, enabled experts from distinct disciplines to work effectively as a team in constructing the system.

For most, building out a threat detection prototype with various platforms integrated would be impossible. But because we have access to our Advanced Technology Center (ATC), we were able to house the system in this lab space and run simulations to prove it out.

Creating a prototype for threat detection and response

In assembling our threat detection system, we knew it needed to have five key functional areas:

  • Monitoring: monitor all data center traffic for policy violations by servers
  • Isolation: isolate the offending server for observation and remediation
  • Notification: issue policy violation messages
  • Message consolidation: store policy violation messages for reporting and auditing
  • Response automation: notify personnel and respond to the policy violation

We assembled the threat response system using Cisco Tetration, Kafka messaging, Splunk, Phantom Cyber and ServiceNow as the components.

Cisco Tetration provides pervasive monitoring of, and visibility into, all network flows in the data center and can isolate the affected server when a policy violation is detected. It can also stream large volumes of data through its Kafka interface; the Kafka message server is used to transmit the notifications.

Splunk handles message consolidation and provides queries and summary alerts, while Phantom Cyber provides the security operations and automation point of control where alerts are processed.

Threat detection and remediation process

Once we had all the software components communicating with one another, we devised a seven-step detection and remediation process.

Cisco Tetration monitors all flows in the data center for security policy violations. Flow information is gathered by lightweight agents, called sensors, installed in the operating system of the data center servers, and is stored in the Hadoop file system for monitoring and analysis. Each flow record carries multiple data points, including source and destination IP addresses, TCP and UDP port information and process information.

Cisco Tetration analyzes the flow information to determine the “normal” communication patterns of the servers. Once those patterns have been validated by humans, those flow patterns form a policy that can be monitored. This policy can also be used by Cisco Tetration for enforcement purposes.

As a platform, Cisco Tetration can host applications for monitoring purposes. One of those hosted applications, the compliance application, examines the flows of a specific application container (called a scope) for policy violations. When it observes a violation, it sends a message to an external Kafka server.
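The compliance check described above, as an added Python example that is not Cisco Tetration's compliance application and not code from the prototype: a whitelist policy of validated consumer-to-provider communications (constructed here for a hypothetical "web" scope) is applied to a set of constructed flow records, and every flow the policy does not cover becomes a violation record carrying the data points the sensors collect, serialized as the JSON string a Kafka producer would publish. The scope, CIDRs, ports and process names are assumptions for illustration.

```python
import ipaddress
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allowed communication: consumer CIDR -> provider CIDR on proto/port."""
    consumer: str
    provider: str
    proto: str
    port: int


# Constructed whitelist for a hypothetical "web" scope (an assumption, not a
# Tetration-generated policy): the web tier may reach the DB tier on 3306/TCP
# and every host may reach the resolver on 53/UDP. Anything else is a violation.
POLICY = (
    Rule("10.1.1.0/24", "10.1.2.0/24", "TCP", 3306),
    Rule("10.1.0.0/16", "10.1.9.53/32", "UDP", 53),
)


def allowed(flow, policy=POLICY):
    """True if some rule permits this consumer->provider flow (default deny)."""
    src = ipaddress.ip_address(flow["src_ip"])
    dst = ipaddress.ip_address(flow["dst_ip"])
    return any(
        src in ipaddress.ip_network(r.consumer)
        and dst in ipaddress.ip_network(r.provider)
        and flow["proto"] == r.proto
        and flow["dst_port"] == r.port
        for r in policy
    )


def check_flows(flows, scope, policy=POLICY):
    """Return one violation record per non-compliant flow, carrying the data
    points the sensors collect (addresses, port, protocol, process)."""
    return [
        {
            "scope": scope,
            "violating_host": f["src_ip"],
            "src_ip": f["src_ip"],
            "dst_ip": f["dst_ip"],
            "proto": f["proto"],
            "dst_port": f["dst_port"],
            "process": f.get("process", ""),
            "ts": f["ts"],
        }
        for f in flows
        if not allowed(f, policy)
    ]


def to_kafka_messages(flows, scope):
    """Serialize violations as the JSON strings a Kafka producer would publish."""
    return [json.dumps(v, sort_keys=True) for v in check_flows(flows, scope)]


# Constructed sample flows, already normalised to consumer->provider direction.
# A real compliance check must do that normalisation first, because a sensor
# sees both directions of every connection and only the provider port matters.
SAMPLE_FLOWS = [
    {"ts": "2019-01-01T00:00:01Z", "src_ip": "10.1.1.10", "dst_ip": "10.1.2.20",
     "proto": "TCP", "dst_port": 3306, "process": "httpd"},
    {"ts": "2019-01-01T00:00:02Z", "src_ip": "10.1.1.10", "dst_ip": "10.1.9.53",
     "proto": "UDP", "dst_port": 53, "process": "httpd"},
    # web host opening SSH to the DB tier: not in the validated policy
    {"ts": "2019-01-01T00:00:03Z", "src_ip": "10.1.1.10", "dst_ip": "10.1.2.20",
     "proto": "TCP", "dst_port": 22, "process": "ssh"},
    # DB host reaching out to the Internet: not in the validated policy
    {"ts": "2019-01-01T00:00:04Z", "src_ip": "10.1.2.20", "dst_ip": "203.0.113.7",
     "proto": "TCP", "dst_port": 443, "process": "curl"},
]

if __name__ == "__main__":
    for msg in to_kafka_messages(SAMPLE_FLOWS, "web"):
        print(msg)
```

The point to notice is the default-deny semantics: the policy is a positive list of what was observed and validated, so any new legitimate communication (a freshly deployed service, a changed port) shows up as a violation until the policy is updated. That is why the later response steps put a human approval in front of isolation.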

Splunk subscribes to the Kafka topic; its Kafka plug-in parses each policy violation message and stores it for further analysis in Splunk. The Splunk plug-in for Phantom Cyber then forwards the message to Phantom Cyber for response.

When an alert arrives at Phantom Cyber (from Splunk), multiple actions occur.

First, an authorization request is pushed to the smartphone of a security analyst through DUO. Once the analyst approves the action, Phantom Cyber issues an API request to Cisco Tetration to isolate the impacted server. Phantom Cyber then issues an API call to ServiceNow to create a ticket to document and track the resolution. Ticket creation also raises an alert on the analyst's smartphone and sends an email to the appropriate personnel.
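The response chain above (alert from Splunk, DUO approval, Tetration isolation, ServiceNow ticket), as an added Python example that is not the prototype's own custom code and not Phantom's playbook API. The DUO push, the Tetration call and the ServiceNow call are injected callables so the decision logic runs offline; `ISOLATE_PATH` is a placeholder because the page does not name the Tetration endpoint the prototype used; the signing scheme in `tetration_headers` is my reading of Cisco's open-source tetpyclient and must be checked against the cluster's API documentation; and the `never_isolate` guard is an addition the page does not describe.

```python
import base64
import hashlib
import hmac
import json

# Assumption: placeholder path. The page does not name the Tetration endpoint
# the prototype called for isolation; substitute the one your cluster exposes.
ISOLATE_PATH = "/openapi/v1/quarantine"


def tetration_headers(method, path, body, api_key, api_secret, timestamp,
                      content_type="application/json"):
    """Authentication headers for a Tetration OpenAPI request.

    Assumption: mirrors the HMAC-SHA256 scheme in Cisco's open-source
    tetpyclient (method, URI, SHA-256 body checksum, content type and
    timestamp, newline-joined, signed with the API secret). Verify against
    your cluster's API documentation before relying on it.
    """
    cksum = hashlib.sha256(body.encode()).hexdigest()
    msg = "\n".join([method, path, cksum, content_type, timestamp]) + "\n"
    sig = hmac.new(api_secret.encode(), msg.encode(), hashlib.sha256).digest()
    return {
        "Id": api_key,
        "Timestamp": timestamp,
        "Content-Type": content_type,
        "X-Tetration-Cksum": cksum,
        "Authorization": base64.b64encode(sig).decode(),
    }


def build_isolation_request(host_ip, api_key, api_secret, timestamp):
    """Return (method, path, headers, body) for the isolation call."""
    body = json.dumps({"ip": host_ip, "action": "quarantine"}, sort_keys=True)
    headers = tetration_headers("POST", ISOLATE_PATH, body, api_key, api_secret, timestamp)
    return "POST", ISOLATE_PATH, headers, body


def respond(alert, approve, tetration_send, create_ticket, api_key, api_secret,
            timestamp, never_isolate=frozenset()):
    """Approval-gated response for one policy-violation alert from Splunk.

    approve(host, alert) -> bool                stands in for the DUO push
    tetration_send(method, path, headers, body) -> dict   performs the API call
    create_ticket(fields) -> str                stands in for ServiceNow
    never_isolate: hosts an automated action must never cut off (the Tetration
    cluster itself, DNS, jump hosts). They still get a ticket for manual review.
    """
    host = alert["violating_host"]
    summary = (f"Tetration policy violation in scope {alert['scope']}: "
               f"{alert['src_ip']} -> {alert['dst_ip']}:{alert['dst_port']}/{alert['proto']}")

    if host in never_isolate:
        ticket = create_ticket({"short_description": summary + " (protected host, manual review)",
                                "urgency": "1"})
        return {"host": host, "isolated": False, "reason": "protected", "ticket": ticket}

    if not approve(host, alert):
        ticket = create_ticket({"short_description": summary + " (isolation declined by analyst)",
                                "urgency": "2"})
        return {"host": host, "isolated": False, "reason": "declined", "ticket": ticket}

    method, path, headers, body = build_isolation_request(host, api_key, api_secret, timestamp)
    result = tetration_send(method, path, headers, body)
    ticket = create_ticket({"short_description": summary + " (host isolated)",
                            "urgency": "1",
                            "description": json.dumps({"alert": alert, "tetration": result})})
    return {"host": host, "isolated": True, "reason": "approved", "ticket": ticket}


# Constructed sample alert (not real Kafka or Splunk output).
SAMPLE_ALERT = {"scope": "web", "violating_host": "10.1.1.10", "src_ip": "10.1.1.10",
                "dst_ip": "10.1.2.20", "proto": "TCP", "dst_port": 22, "process": "ssh"}

if __name__ == "__main__":
    calls = []
    out = respond(SAMPLE_ALERT, approve=lambda h, a: True,
                  tetration_send=lambda m, p, h, b: calls.append((m, p, h, b)) or {"status": "ok"},
                  create_ticket=lambda f: "INC0010001",
                  api_key="KEY", api_secret="SECRET", timestamp="2019-01-01T00:00:00+0000")
    print(out)
    print(calls[0][2])
```

Two design choices worth keeping when this is rebuilt on a real SOAR platform: the isolation call is only reachable after the approval returns true, so a declined or timed-out push can never isolate anything, and every branch still creates a ticket, so a declined isolation leaves the same audit trail as an approved one. Repeated alerts for the same host should also be deduplicated against open tickets before the push is sent, which this example does not do.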

Prototype takeaways

The API approach we employed significantly reduced the number of resources and time needed to construct the system.

The only custom code written was the Phantom Cyber call to the Tetration API that isolates the server. All other interactions were handled by the existing APIs of Tetration, Kafka, Splunk, Phantom Cyber, DUO and ServiceNow.

This approach also made it possible for subject matter experts from analytics, cybersecurity and network automation to effectively work together to improve threat response in the data center through their combined knowledge and experience.