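"Enterprise Full-Stack Observability At Scale: Multi Domain Operational Visibility.pdf" was shared by a member and can be read online; for more material related to "Enterprise Full-Stack Observability At Scale: Multi Domain Operational Visibility.pdf (85 pages, collector's edition)", search on 三个皮匠报告.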
Enterprise Full-Stack Observability At Scale
Multi Domain Operational Visibility
Medi Jaafari, Technical Solutions Architect
BRKMER-2009
#CiscoLive
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.
https:/

Agenda
Introduction & Expectations
The Visibility Challenge
Cisco Multi Domain Observability
Troubleshooting Examples
Observability Examples
Conclusion

Day 2 & Beyond
Beyond speeds, feeds & AI/ML buzz words

A User's Journey To Any Application Traverses Multiple Domains
Multi Domain RCA Is Complex
Multi Domain Observability Challenges: Day 2 & Beyond Operations After Initial Deployment

Problem #1
Common Performance Complaints: Performance RCA*
LTE: Is it the carrier?
LAN: Is it WIFI? Wired?
WAN: Is it the router? PE or WAN link?
Security: Which security inspection? SASE? SSE?
Internet Backbone: Is it hops across SP or internet?
User Device: Is it a user device issue? (Memory/CPU)
Workload: Is it server, compute or an application issue?
*RCA: Root Cause Analysis

Problem #2
Common Policy Complaints: Policy RCA*
Policy: Was it allowed, denied, shaped, modified?
Source: Which policy? (LAN/WAN/DC/App/Sec/SASE)
*RCA: Root Cause Analysis

Problem #3
Scale of Impact: Order Magnitude Analysis
Isolated performance, security incident or widespread?

Multi Domain Observability
Why is it complex?

User & Application Experience Challenges
A Closer look

The Other Complex Problem
Encryption
Trust & Visibility Has To Move To The Edge

How Cisco Tackles This Complex Problem
Multi Domain Observability

Evolution Of Visibility
Alerts and events
Passive Sampling
Root Cause Identification
Active Telemetry
Business Context + Business Impact
Monitoring
Visibility
Full-Stack Observability

Cisco Multi Domain With Consumption Flexibility
5 Key Domains + Data Lakes + EAs

Inherently Aware
Integration automation
The 5 API keys used for all demos in this session:
Cisco Umbrella
Cisco Meraki
Cisco Secure Cloud Insights (StealthWatch Cloud)
Cisco Threat Response (CTR)
Cisco ThousandEyes

Slices of SecOps Intelligence
Security Domain Integrations
Network-as-a-Sensor + Security Effective "Composite Verdicts" + XDR*
*XDR: Extended Detection & Response

Ease Of Integrations: Umbrella
Based on Umbrella API:
1- Generate Umbrella API keys
2- Add Umbrella API keys to Meraki
3- Configure Umbrella policy on SSID
API Key Guidelines:
Consider service accounts when possible (Read/Full)
Document all keys + key passwords
Key API passwords are displayed ONCE

Security Integrations
SSID or SD-WAN + Umbrella APIs
Composite Security Automation + XDR
Cisco TALOS feeds
Cisco WBRS
Partner feeds
Custom URL block list
Requests for "RISKY" domains
Selective Proxy + SSL Decrypt (On Demand Proxy)
URL inspection
File inspection
AV Engines
Cisco AMP
Composite Verdict

Multi Domain Cloud Native Containment
Meraki System Manager EMM* & Networks + Cisco Secure Client + DUO
Meraki SM: Push + Maintain Security Sensors, Enforce Sentry Policies
A Malware Event Detected ON/Off Network
Cisco Secure Client running on the device detected malware.
Cisco Secure Client notifies DUO about the infected device.
*EMM: Enterprise Mobility Management

Endpoint Security Insights
Meraki SM + Secure Client + Umbrella Roaming + Secure Endpoint + More
Meraki SM: Push + Maintain Security Sensors & Enforce Sentry Policies

Automation With Cisco XDR (Extended Detection & Response)
Based on XDR Client API Keys:
1- Generate Cisco XDR API Client key
2- Add XDR plugin to admin browser
3- Configure XDR plugin with API key
API Key Guidelines:
Per Admin Device Keys
Document all keys + key passwords
Key passwords are ONLY displayed ONCE

Day 2 & Beyond NetOps: Is It My LAN?

Observability Needs Lots Of Data
The Largest Cloud Platforms
These are JUST the Cisco Meraki numbers
Data lakes across multiple Cisco domains
Domains: Transport + Sec + Collab + DC
Large collection of data lakes
Ability to feed RCA logic at a massive scale
OTA (over the air) push; External API monthly calls; Daily end-user devices; Daily splash pages served
4.1+ MILLION Customer networks; 12+ MILLION Meraki devices online; 190+ Countries
6+ BILLION; 195+ MILLION; 250+ MILLION

Anomaly Detection
Were there any WIFI connectivity anomalies?
Smart Thresholds detection vs. static baselines
15 min slices, 24/7 for up to 6 weeks
Related to key stages of WIFI connections: RF + Auth + DHCP + DNS

Client WIFI Roaming RCA
Client Roaming Details
Up to 1 week of client roaming details
Quick fault isolation based on roam failure type
Details for each roam (before & after)
Ping-Pong roam identification

AP & Client Level RCA
Client Performance Detailed View
Top app visibility
Signal, latency, channel and AP historical telemetry
Data rate analysis over time

RCA Analysis
RCA, Order Magnitude & Suggested Actions
AP or Client level
Pre analyzed to eliminate PCAP overhead
RCA of problematic events & connectivity stages
Order of magnitude evidence & recommendations

Organization Overview
Use Cases
Top level Org reporting on devices/networks
Single OR Multi Org MSP instant visibility with any custom admin context, EX: tag based admin details (IP blocks here)
Pro active RMA and Security Patch awareness
Ability to pivot directly to any Org/Site

Organization Level Alerts
Rapid Org Level Fault Isolation
Quick filter RCA based on Alert or Device type
Ability to pivot directly from Org Alerts

Network Level Alert Hub
Use Cases
Instant Site level RCA & fault isolation
Ability to take action on key RCAs (CRC)
Ability to pivot directly alert hub

Network & Client Level RCA
Wired & WIFI Client Overview: Status & Connectivity Path Details
Client capability and WIFI session details (history, PCAP or disconnect)
Client location and interactive network path details
Ability to see AI/ML RCA overlaid on the path and pivot from any portion of the path to PCAP

Live Topology RCA
Topology View
Site level detailed topology view
Near real time updates
Data science driven RCA overlaid on top
L2/L3 & Multicast logic overlay
Easy pivot to any device
But Wait!

Topology 2.0 Enhancements
Device Summary
Ports Panel
Details on Issues
Visio Export
Advance Filtering

Topology 2.0 Enhancements
Client Connectivity Path
Client List
Troubleshooting Tools
But Wait!

Control Hub + The Meraki Network

Day 2 Demo
Traffic Analysis + XDR
What's going on with my hosts and encrypted flows?

The Complex Problem: Encryption + Visibility
%90+ of my peak work from home traffic is encrypted
Live WFH Example

Encryption Visibility
Live WFH Example

My Multi Fabric Daily Admin Journey:
Sec Ops Admin View: All info here is fed by Meraki Full Stack

Demo (Prod Historical): Security incident investigation
What happened?!
SSID Security + XDR

Order Magnitude
Conference Booth DNS Failure

Order Magnitude
Conference Booth DNS Failure RCA

Conference Booth DNS Failure Investigation

Conference Booth XDR Analysis Of DNS Failure
Suspected DNS hijack & confirmed via Cisco Threat Response
Order Magnitude

Security Policy RCA: Proxy or SSL Decrypt?
Umbrella Activity Search
Traffic source
Traffic destination
Proxy decision
Block decision
RCA for block

Day 2 Demo (Prod Historical): Meraki SM + Malware Drop + XDR
Student security incident investigation
What happened?!
End Use (device & behavior) + XDR

Cisco XDR Device Inventory
Compromise Flagged & Alerts Triggered

Meraki SM Details in Cisco XDR Inventory
Windows User Profile Clearly Identified

Secure Endpoint Details in Cisco XDR Inventory
Compromise Detected By Secure Endpoint

Secure Endpoint Trajectory Details
Trajectory Details, File Location & Tactic Details

Day 2 & Beyond
XDR SOC & User Automations

Secure SSID & SD-WAN Automation With XDR

SSID Security + Umbrella + XDR Automation
How did we do it?
Cisco XDR automation based on compromise detection:
1- Cisco XDR opens a ticket (ServiceNow)
2- Cisco XDR notifies users or SOC automatically of ticket details via Webex Teams
3- Cisco XDR provides pre defined actions for SOC Analysts via Webex Teams
Guidelines & Recommendations:
A library of pre defined flows is available in Cisco XDR
Use pre build GitHub repositories available from Cisco
Use pre build API scripts from https:/

The What Now Problem?
We've built a scalable distributed network
We've added security domain integrations
Let's look at day-2 & beyond observability
Organization level transport tshoot & RCA
User level tshoot & RCA
Beyond the network observability

Day 2 & Beyond Transport Observability
It's not my LAN, now what?

Transport Observability Challenges OFF Net

Organization Level WAN Health Summary
Use Cases
Ethernet, LTE or Satellite WAN Uplink visibility
Instant Application RCA in table view
Speed test & capacity data up to one month for trending & report export
Telemetry API for any external use cases

Organization Level WAN Health Summary
Use Cases
Instant global level Application health visibility on LAN and WAN "handoff"
Ability to filter and pivot to see actual app health issue cause

Enterprise Networks + ThousandEyes
TE Endpoint Agents
TE Enterprise Agents
Cloud App
DIA
DC App
User Devices ON/OFF Site
Enterprise Agent
Endpoint Agent
TE Windows Agent
TE MAC Agent
TE L3 Catalyst Agent
TE Router Agent
TE FTD Agent
TE MX Agent

ThousandEyes on Meraki MX (SDW+ License)
Cloud delivered active monitoring for critical apps on MX
Simplify & automate onboarding
SD-WAN performance impacts

Day 2 & Beyond Historical Prod Demos: Observability with TE

Bad Video Conferencing Quality - Meraki Insights
LAN is %100 healthy, WAN Insights on MX shows WAN drops

Bad Video Conferencing Quality - Endpoint Agent
LAN is %100 healthy, TE shows several hops inside MetroE/MPLS provider

New WIFI6 APs Are Slow - Endpoint Agent
WIFI is %100 healthy, TE shows L2 hidden hop 7yr old switch IDF saturation

New WIFI6 APs Are Slow - Endpoint Agent
WIFI is %100 healthy, new mGig switch & TE confirms ISP MetroE policing

Demos Visibility
We used this to show visitors value of FSO
TE Endpoint agent installed on all demo stations
We uncovered 2-4Mbps down BW most of the day
%80+ drop during solution floor saturation
Observability For SASE - Endpoint Agent
RSA Booth EX: Underlay vs. overlay + SASE visibility outside our networks

Day 2 & Beyond Advance Workload Observability
It's not my network
It's not the WAN/SD-WAN
It's not my security policies
But I control this application, now what?

Compute & Storage Visibility
Cisco Intersight Top Level Visibility: Storage + FI + Servers + HyperFlex + Workload

Compute & Storage Visibility
Cisco Intersight: Server Critical Health Impact Order Magnitude + RCA

Application Stack Visibility
Cisco APPDYNAMICS: Overall historical application health reporting

Application Stack Visibility
Cisco APPDYNAMICS: Application tier flow details & alert states

Application Stack Visibility
Cisco APPDYNAMICS: Overview of application tier

Application Stack Visibility
Cisco APPDYNAMICS: Exact application node impacted & why

Application Stack Visibility
Cisco APPDYNAMICS: Exact RCA of the issue detected

Day 2 & Beyond Advance Workload Observability
It's not my network
It's not my security policies
I can't even control the Cloud App
Now what?

Pure Cloud Applications We Can't Control
Ex: Prod Cloud App
Where's it hosted and how do we get there?

Pure Cloud Applications We Can't Control
Ex: Prod Cloud App
Why was the score %96?

In Summary

Start Your Journey
Now What?!
Take the journey
Turn it up!
Crawl, Walk, Run!
Start at critical boundaries
Activate existing observability workflows
Ask for a PoC

Continue your education
Visit the Cisco Showcase for related deeper demos
Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
Visit the On-Demand Library for more sessions at www.CiscoL

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
Attendees will also earn 100 points in the Cisco Live Game for every survey completed.
These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Thank you

Gamify your Cisco Live experience!
Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code: