In This Article

As part of Cisco Live 2020, Meraki sponsored a Virtual Hackathon to showcase its open and extensible API services that empower developers to build custom solutions and integrations atop Meraki technologies.

The Meraki developer community was invited to submit solutions tackling one of several customer challenges across retail and hospitality, smart spaces, healthcare and manufacturing, and IT operations. Development teams had 48 hours to build a custom app, API or tool that transformed how customers solved a particular challenge by integrating with at least one of Cisco's Duo, Stealthwatch, Umbrella, Webex Teams or AppDynamics platforms.

WWT is pleased to announce that our team of Thelios developers took home first place in the IT Operations category for their custom solution, NORRIS, built to integrate with Cisco Stealthwatch for Meraki networks as a way to better fight malware and ransomware.

The WWT developers who partook in the Virtual Hackathon included Scott Nesham, Joseph Still, Robert Hager, Vandana Koul and Michael Petter.

The team's NORRIS submission allows network administrators to visually identify the extent of an infection across all clients, then quarantine malicious devices using APIs to automate the changing of VLANS plus firewall rules to isolate infected clients from the network until a technician can fix the issue.

Read on to learn how our development team came up with NORRIS, playfully named after everyone's favorite Chuck.

The birth of NORRIS

WWT has been building our Thelios Platform capabilities since 2018. Thelios integrates with and accelerates the creation of Cisco Meraki networks through enhanced automation, visualization, reporting and usability. It gives network operators a simple, intuitive way to quickly assess how all networks in their organization are performing.

With a strong working knowledge of Meraki's APIs and dashboard, the software developers who support Thelios saw the Virtual Hackathon as an opportunity to apply their experience by creating a unique integration that would provide high business value and ease administrative burdens.

They chose to focus their efforts on the hackathon's IT Operations category.

The team's inspiration sprung from the fact that malware and ransomware have become all too common. They've seen how such threats, if left unchecked, can devastate corporate networks (e.g., what happened to Maersk when the NotPetya attack was unleashed against Ukraine).

While existing tools like Cisco Stealthwatch can help identify which network systems have been compromised, the team identified a gap between identifying affected clients and taking swift action to prevent further spread.

IT Operations 

Within 48 hours, the WWT Thelios team built a web application (i.e., NORRIS) to query Stealthwatch APIs in order to identify rogue or compromised clients on the network. 

NORRIS visualizes the location and threat assessment of wired and wireless clients on a map, making it easy for operators to see which devices are compromised. The application enables these operators to quickly identify and quarantine compromised devices with the push of a button. Once quarantine is initiated, NORRIS' integration feature triggers the Meraki API to adjust Meraki MX or MR firewall rules so rogue devices are enclaved from non-compromised devices on the network.

Why would organizations find this innovation useful?

NORRIS speeds time to quarantine, minimizing the length of network exposure. Specifically, the solution eliminates the need for network operators to multitask by monitoring Stealthwatch for rogue clients on one screen and reacting to Stealthwatch alerts via Meraki on a separate screen. NORRIS effectively reduces operators' response time and, ultimately, allows them to automate quarantine protocols based on business rules or analytics through Meraki firewall APIs.


To realize their solution, WWT's developer team built a containerized application stack with a React frontend and Express backend. 

In the frontend, they used Google Maps to overlay building floor plans and position network clients, which they subsequently color coded and provided "quarantine" and "release" actions for suspicious devices.

For the backend, they created collectors that fetched Meraki API data about network clients and firewall rules, listened to the Meraki Scanning API for device locations, and then interrogated StealthWatch for devices that were behaving suspiciously.

The developers then correlated that data to tag the devices with an appropriate risk level in the user interface. When an admin or operator "quarantines" a device on the frontend, the backend uses the Meraki API to apply firewall rules to isolate the device.

Other components of the team's NORRIS solution include Docker, Node.js, PostgreSQL, Recoil, RxJS and TimescaleDB.

Biggest challenge

The biggest challenge our developers faced in developing NORRIS within 48 hours was the lack of data in the lab environment. According to one developer, "We were quite surprised to find that the lab networks had no clients of any kind, nor was a suitable StealthWatch instance available."

As a workaround, the team chose to leverage WWT's in-house CMNA stack to provide the Meraki data. And, thanks to WWT's ATC lab environment, the team was able to spin up access to a StealthWatch instance -- one of the significant perks of being part of the WWT ecosystem.


After all submissions were reviewed, judges at Meraki and Cisco selected WWT's NORRIS as the winner of the Virtual Hackathon's IT Operations category. In under 48 hours, our team had proved how Stealthwatch can work seamlessly with Meraki networks to provide operators with network traffic data that otherwise would have been unavailable.

What's next for NORRIS and WWT's crack team Thelios developers, you ask?

The team will continue to build new features and functionalities for our Thelios product, available to customers today for provisioning and monitoring Meraki networks. And given NORRIS' positive reception at Cisco Live 2020, WWT customers can expect our NORRIS Stealthwatch integration to be introduced in the near future.

What do you think?

If you're a network operator or have familiarity with network security challenges, we invite your feedback in the comments below. 

  • How do you go about quarantining rogue devices on your network?
  • Similar to how WWT created NORRIS, what products, platforms or technology have you used or developed to automate the sustainment of network security?
  • What kind of alerts, analytics and access would be most helpful to maintaining a secure and reliable network for your users?

Members of the WWT Thelios team are always seeking to learn more about new network security challenges to solve as they continue to enhance Thelios for network automation and visualization. Let us know if you have any ideas for where the team should focus next.