
BRKDEV-2483

Advanced Programmability with Tetration
Remi Philippe and Tim Garner
What You Signed Up For
• Cisco Tetration is a security platform that offers holistic workload protection for multi-cloud data centers. Join us in learning how to automate your security-related use cases with Tetration's programmability options. In this session you will learn how to use the Tetration APIs, consume security and compliance alerts through the Kafka message bus on Tetration, and use the Tetration data platform to access the Tetration data lake.

BRKDEV-2483 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• What is this Tetration thingy?
• How can I access the platform programmatically?
• What are we building today?
• Ingesting Notifications via Kafka
• Triggering Actions through OpenAPI
• Crunching some data via User Apps

What is this Tetration thingy?
What does it do?
[Slide diagram; the labels that survive extraction:]
• Real time
• Thousands of workloads
• On premises and public cloud
• All types of workloads, from mainframes to containers
• Micro Segmentation
• Data Leakage Detection
• Vulnerability Assessment
• Exploit Detection (Spectre / Meltdown)
• Integrity Management (process, file)

The Big Picture (Our Focus Today)
[Slide diagram; the labels that survive extraction:]
• Baseline workload protection posture
• Role based intent
• SW Vulnerabilities
• Enforcement
• Process behavior
• Threat Intel
• Application Insights
• Baseline policy
• Policy violations
• Network communications
• Unified policy
• Assess Impact
• Compliance alerts
• Process anomalies
How can I access the platform programmatically?
Not all data is created equal
Programmatic interface → Northbound consumer:
• REST API (Tetration flow search, sensor management) → Northbound application
• Push notification (out-of-the-box events, user-defined events) → Tetration Kafka broker publishes messages → Northbound Kafka consumers
• Data Provider (access to the data lake, write your own application) → Tetration Analytics platform, Tetration applications
What are we building today?
[Slide diagram: Tetration Notifier (Barcelona datacenter) → Amazon Kinesis → Lambda → Echo; Echo → Lambda → Tetration Action (AWS)]
Big idea
• When sensor enforcement is tampered with, I want to notify Alexa
• From Alexa, I want to be able to quarantine a host

Ingesting Notifications via Kafka
Using Tetration Alert Notifier (TAN)
1. Deploy the TAN appliance (VMware OVA)
2. Download the pairing certificates
3. Follow the instructions in the user guide
Configuring the Kinesis Stream
Go to Kinesis and configure the stream parameters

And the User Access
Create a new IAM user with Programmatic Access, attach the IAM policy, and generate the API key

Configure TAN to connect to Kinesis

Demo
What did we do?
• We connected Tetration Notifier to AWS Kinesis
• We created an AWS Lambda that sends a notification to Alexa when a sensor is tampered with.
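The Lambda side of this pipeline, as an added example (not the session's code): it decodes the Kinesis batch that TAN feeds, keeps only the alerts that report sensor tampering, and skips malformed records so one bad message cannot stall the shard. The alert field names (type, alert_text, alert_details.ip) and the sample batch are constructed assumptions, since the slides do not show the TAN payload schema.

```python
import base64
import json

# Added example: the TAN alert fields used here (type, alert_text,
# alert_details.ip) are assumptions, not taken from the session slides.
TAMPER_ALERT_TYPE = "SENSOR"  # assumed value of the alert "type" field
TAMPER_KEYWORD = "tamper"     # matched case-insensitively in alert_text

def parse_kinesis_records(event):
    """Decode each Kinesis record's base64 payload into an alert dict.
    A malformed record is skipped, not raised, so one bad message cannot stall the shard."""
    alerts = []
    for record in event.get("Records", []):
        raw = record.get("kinesis", {}).get("data", "")
        try:
            alerts.append(json.loads(base64.b64decode(raw)))
        except (ValueError, TypeError):
            continue
    return alerts

def tampered_hosts(alerts):
    """Return the distinct IPs whose alert reports sensor tampering."""
    hosts = set()
    for alert in alerts:
        if not isinstance(alert, dict) or alert.get("type") != TAMPER_ALERT_TYPE:
            continue
        if TAMPER_KEYWORD not in str(alert.get("alert_text", "")).lower():
            continue
        details = alert.get("alert_details") or {}
        if isinstance(details, str):  # details may arrive as a nested JSON string
            details = json.loads(details)
        if details.get("ip"):
            hosts.add(details["ip"])
    return sorted(hosts)

def handler(event, context=None):
    """Lambda entry point: Kinesis batch in, hosts to announce out (Alexa step not reproduced)."""
    return {"tampered_hosts": tampered_hosts(parse_kinesis_records(event))}

def _encode(obj):
    return base64.b64encode(json.dumps(obj).encode()).decode()

# Constructed sample batch: one tamper alert, one unrelated alert, one bad record.
SAMPLE_EVENT = {"Records": [
    {"kinesis": {"data": _encode({"type": "SENSOR", "alert_text": "Sensor enforcement tampered",
                                  "alert_details": {"ip": "10.1.2.3"}})}},
    {"kinesis": {"data": _encode({"type": "COMPLIANCE", "alert_text": "Escaped flow", "alert_details": '{"ip": "10.1.2.4"}'})}},
    {"kinesis": {"data": base64.b64encode(b"not json").decode()}},
]}
```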

Triggering Actions through OpenAPI
Approach
• In this context, we're trying to isolate a tampered host. There are two possible approaches:
• Create a policy for every isolated host programmatically
• Add a "Tag" to the host and define the policy manually

Option 1: Creating a Policy
POST /openapi/v1/applications/:application_id/policies

• Using this REST endpoint you can define a policy that blocks a single IP address.

The problem with this approach is that you need to search for the filters first, and the policy will quickly grow to a large number of entries.

Option 2: Adding a Tag
POST /openapi/v1/inventory/tags/{rootAppScopeName}

• Using this REST endpoint you can add a Tag to a single IP address
• You can then match all endpoints based on this Tag

This method is more scalable and more readable, so we will be using this approach.
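Preparing the tag request for the endpoint above, as an added example (not the session's or Cisco's code). The endpoint path comes from the slide; the body layout {"ip": ..., "attributes": {...}} and the Id/Timestamp/Content-MD5/Authorization headers with an HMAC-SHA256 signature over method, path, checksum, content type and timestamp follow Cisco's tetpyclient library as the editor understands it, so treat them, along with the scope name and credentials, as assumptions to verify against your cluster's OpenAPI documentation.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Endpoint from the slide; body layout and signing scheme below follow Cisco's
# tetpyclient as understood by the editor (assumption, not from the session).
TAG_PATH = "/openapi/v1/inventory/tags/{rootAppScopeName}"
CONTENT_TYPE = "application/json"

def signing_string(method, path, checksum, content_type, timestamp):
    """The exact text the API secret signs, one field per line."""
    return "\n".join([method, path, checksum, content_type, timestamp])

def signed_headers(method, path, body, api_key, api_secret, timestamp=None):
    """Return the auth headers for one request. The timestamp is injectable so a
    signature can be reproduced in tests; live calls use the current UTC time."""
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S+0000")
    checksum = base64.b64encode(hashlib.md5(body).digest()).decode() if body else ""
    msg = signing_string(method, path, checksum, CONTENT_TYPE, timestamp)
    sig = hmac.new(api_secret.encode(), msg.encode(), hashlib.sha256).digest()
    return {"Id": api_key, "Timestamp": timestamp, "Content-MD5": checksum,
            "Content-Type": CONTENT_TYPE, "Authorization": base64.b64encode(sig).decode()}

def build_quarantine_tag_request(root_scope, ip, api_key, api_secret,
                                 tag="quarantine", value="true", timestamp=None):
    """Prepare (but do not send) the POST that tags a single IP so a manually
    defined policy matching tag == value isolates it. The signature covers the
    Content-MD5 of the body, so the cluster can detect a body altered in transit."""
    path = TAG_PATH.replace("{rootAppScopeName}", root_scope)
    body = json.dumps({"ip": ip, "attributes": {tag: value}}, sort_keys=True).encode()
    return {"method": "POST", "path": path, "body": body,
            "headers": signed_headers("POST", path, body, api_key, api_secret, timestamp)}

# Constructed values; replace with your cluster's root scope name and API credentials.
if __name__ == "__main__":
    req = build_quarantine_tag_request("Default", "10.1.2.3", "EXAMPLE_KEY", "EXAMPLE_SECRET")
    print(req["path"], req["headers"]["Authorization"])
```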

Demo
What did we do?
• Based on the quarantine notification we have isolated a workload without
having to modify the policy set

Crunching some data via User Apps
What are User Apps?
• User Apps are designed to provide local compute and I/O for data-intensive jobs. For example:
• What are all the escaped flows for the last 3 weeks?
• What is the average packet size distribution in my environment?
• They can also be fed external data via Kafka, and can write to a Kafka output.

Overall Input / Output
[Slide diagram: Kafka "in" = Data Sinks; Kafka "out" = Data Taps; Data Lake]
Scheduling
• User Apps are designed to run as batch jobs
• They can be scheduled to run at regular intervals (every hour, every day…)

Demo
In Short…
Openness is critical for Tetration
• We reviewed:
• How to get data out of the platform
• How to rely on alerting to reduce the processing outside the cluster
• How to take action based on alerts
• How to interface with third-party systems
• How to crunch large volumes of data in optimized time frames
• If you want to know more:
• DEVNET-2423 Tetration APIs (Workshop)
• DEVNET-1722 Exploring Tetration APIs (Classroom)

Cisco Webex Teams
Questions? Use Cisco Webex Teams (formerly Cisco Spark) to chat with the speaker after the session.

How
1. Find this session in the Cisco Events Mobile App
2. Click "Join the Discussion"
3. Install Webex Teams or go directly to the team space
4. Enter messages/questions in the team space

cs.co/ciscolivebot#BRKDEV-2483

Complete your online session survey
• Please complete your Online Session Survey after each session
• Complete 4 Session Surveys & the Overall Conference Survey (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Events Mobile App or the Communication Stations

Don't forget: Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com

Continue Your Education
• Demos in the Cisco Showcase
• Walk-in self-paced labs
• Meet the engineer 1:1 meetings
• Related sessions

Thank you