Acquiring Actionable Insight Into Data Networks
Back in October, I wrote a blog called Is Actionable Insight Your New Internal Currency? I wanted to circle back to that thought and talk about how business leaders can acquire the actionable insight into their networks that they need.
Actionable insight comes from being able to convert the various pieces of data on your network into general information, which can then be condensed into more specific information points. A basic visualization of this data transformation flow can be illustrated as follows:
Through the distillation process, extraneous, unnecessary, and conflicting pieces of information are removed to leave the nuggets of wisdom – the actionable insight. Actionable insight is valuable because it can be directly used to:
- Create strategies to achieve a competitive edge,
- Reduce – if not eliminate – trial and error,
- Generate repeatable, efficient processes, and
- Minimize costs by reducing/eliminating non-productive courses of action.
But what do you need to implement to start achieving this insight? The exact implementation naturally depends upon your network architecture and the specific use cases you choose to implement. There are some generalities though, and here I’ll provide a quick summary.
The starting point is to install a monitoring switch, also called a network packet broker (NPB). This switch provides a network access point where you can distribute the same information to a variety of monitoring tools as well as integrate it with your various specialized application systems. An alternative is to pull information from a SPAN port, but then you run into the problem of having duplicate data – as well as out-of-sync data – that can cause confusion and misinterpretation. Taps (test access points) could also be used stand-alone, but then you would have access points with no data control. Using an NPB with a tap can give you an information “control point” from where to start the path to Actionable Insight.
After you’ve installed an NPB, you need to integrate it with the workflows you plan to implement. I’ve included a simple diagram here as a discussion point. This diagram shows examples of some of the workflows that can be implemented on a typical enterprise data network.
There are three basic categories of use cases:
- Optimization of packet-based data
- Integration of NPBs with data center automation initiatives
- Integration of NPBs with IT business solutions
At this point, you have three general categories with which to generate Actionable Insight. The first workflow is the classical one for optimizing the distribution of packet-based data to monitoring tools. As part of implementing this workflow you need to decide what information (i.e., use cases) you are interested in, and then insert specific monitoring tools after the NPB to capture and analyze that information. This can become an involved process because there are so many possibilities. I’ve chosen five categories to illustrate: problem resolution, security tools, application performance monitoring, QoS monitors, and customer data correlation. The network packet broker can help with de-duplication of unnecessary packets, optimizing the flow of information to your various monitoring tools to prevent tool overload (and dropped packets that might have valuable information), and the correlation of relevant information.
Here is a summary of the five packet-based data categories:
- Problem Resolution – These tools are used for network problem debugging. The end benefit of these devices is better problem resolution which results in a faster mean time to repair (MTTR). Some examples include:
  - Debug tools (e.g. NetTool)
  - Packet analyzers/sniffers (e.g. Wireshark)
  - Data recorder
- Security Tools – These tools look at packet information to limit and/or prevent data loss and usually work in conjunction with SIEM systems. Intrusion detection and prevention systems focus on identifying incidents, recording them, and reporting the detection. The end benefit of these devices is to prevent the loss of intellectual property and capture details about any security breaches. Examples here include:
  - Intrusion detection system (IDS)
  - Intrusion prevention system (IPS)
  - Data loss prevention (DLP)
- Application Performance Management – These tools detect and diagnose application performance problems in order to maintain the users’ expected level of service. The focus of these tools is at the application layer rather than the packet transmission layers.
- VoIP / Unified Communications / Video Analyzers – Multi-media analyzers assess the quality of real-time communication services like instant messaging, video conferencing, data sharing, VoIP, video playback, and speech recognition with non-real-time communication services such as unified messaging.
- Session correlation – These tools take data from different transmission media and correlate them together and then pass the information on to specialized tools for data mining. The value of this information is that insight can be gathered into user activities to determine user preferences, event correlation, potential network problems, and preferred network applications and services. The benefit of these devices is determined by the specific use cases. For instance, wireless service providers can use this insight to reduce churn, properly portion out the network bandwidth based upon preferred applications and services, and generate better consumer marketing messaging.
A second workflow is to integrate network packet brokers into data center automation initiatives. Combining a monitoring switch with your data center or central office automation initiative can bring dramatic improvements in network visibility, because the flow of information is optimized to deliver the right data to the right destination at the right time. IT operations groups can either use the NPBs directly or use built-in automation capabilities, like web-based APIs, that allow other network devices (like provisioning systems, network monitoring systems and IT business systems) to initiate commands towards the NPBs, such as starting packet captures, diverting packet streams to particular monitoring tools, or diverting packet streams to other specialized devices.
The automated workflows can dramatically increase performance with real time responses that result in faster MTTR, maximum network uptime, maximum efficiency of monitoring tools, maximum network monitoring capability with minimized monitoring tools investments, and increased IT personnel productivity.
Some use case examples include:
- Orchestration Systems – Integration of NPBs with provisioning and orchestration systems allows large enterprises and cloud-based networks the ability to have faster access to monitoring services since filters can be deployed on VLANs and network segments as services and users are provisioned. This often has productivity benefits for the IT department as well.
- Network Monitoring Systems – Integration of NPBs with centralized monitoring systems allows the network systems manager the option of either centrally or remotely managing the monitoring switch. This provides many benefits including:
  - Reduced operations expenses due to centralized management that can distribute capabilities and tasks across the network for maximum efficiency. Some examples include automated backups and restore, centralized filter templates, and automated software upgrades.
  - Improved performance due to application interface consolidation through a single pane of glass which allows the network administrator to see the network at a glance and then be able to drill down to the monitoring switch for more information.
  - The ability to conduct proactive performance trending due to NMS reporting capabilities. Performance trending helps ensure maximum network uptime which also translates to maximum e-commerce uptime for enterprises involved with Internet-based sales models.
A third class of workflows focuses on the integration of NPBs with IT business solutions to augment and optimize those solution sets. By combining a monitoring switch with business solutions focusing on network security, regulatory compliance, lawful intercept best practices, services management and/or application performance optimization, IT leaders can see dramatic improvements in agility and business solution performance.
Some examples of IT business solution use cases include:
- Security Information and Event Management (SIEM) – In this solution, the NPB is placed inline with your SIEM system so that a rapid response can be created against any cyber threats. Any anomaly can be investigated in real time and any corresponding cyber threats can be stopped and/or diverted to a honeypot for collection of threat vector details and isolation of particular threats as soon as they are recognized. This combination creates a rapid response to limit network disruption and any potential of intellectual property theft.
- Compliance – Compliance monitoring verifies that whatever regulations and/or limitations are in force from some governing agency (such as government institutions) are being followed and maintained. An NPB can be set up to periodically check if certain parameters of a law or public standard are being adhered to. A simple example would be to check if certain protocols are in use on your network that comply with the Payment Card Industry (PCI) standard. You can set up the NPB to filter for traffic that shouldn’t be allowed on those network segments (say FTP or TFTP) and, if encountered, that information/data could be stored in a log that is periodically reviewed. An alert could also be sent to proactively notify someone in the IT department if such conditions are present. The possibilities, and Actionable Insight, depend upon your level of need and commitment.
- Lawful Intercept – This business solution has been required for several years, especially in the service provider market. However, a growing trend (due to Big Data, BYOD and smart phone hotspot capability) may make this solution a necessary component for enterprises as well. An NPB has the ability to optimize your data capture and diversion capabilities to improve your compliance to lawful intercept mandates, as well as reduce your costs for such activities. Cost reduction can be achieved through automation capabilities and advanced filtering capabilities that are contained within an NPB.
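The compliance check described above (filter PCI segments for FTP or TFTP, log what is found, alert IT) can be sketched as follows. This is an added example, not Ixia code or NPB configuration: the segment ranges, alert threshold, flow-record layout and sample flows are all assumptions constructed for illustration.

```python
import ipaddress
from collections import Counter

# Assumed policy values (not from the page): in-scope segments, the banned
# cleartext file-transfer services, and the per-source alert threshold.
PCI_SEGMENTS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "10.20.1.0/24")]
# Matches the well-known listener ports only: FTP control and the TFTP request port.
BANNED = {("tcp", 21): "FTP", ("udp", 69): "TFTP"}
ALERT_THRESHOLD = 3

# Constructed flow records: (timestamp, protocol, source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    ("T+00s", "tcp", "10.20.0.15", "192.0.2.10", 21),   # FTP from a PCI host
    ("T+05s", "tcp", "10.20.0.15", "192.0.2.10", 443),  # allowed
    ("T+60s", "udp", "10.30.0.8", "10.20.1.4", 69),     # TFTP into a PCI segment
    ("T+61s", "tcp", "10.30.0.8", "10.40.0.9", 21),     # FTP, but outside PCI scope
    ("T+90s", "tcp", "10.20.0.15", "192.0.2.10", 21),
    ("T+95s", "tcp", "10.20.0.15", "192.0.2.11", 21),
    ("T+99s", "udp", "10.20.1.4", "10.20.1.1", 53),     # allowed
]

def in_scope(ip):
    """True when the address belongs to one of the PCI segments."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PCI_SEGMENTS)

def check_flows(flows):
    """Return (log, alerts): every banned flow touching a PCI segment, and
    the sources that reached the alert threshold."""
    log = []
    for ts, proto, src, dst, dport in flows:
        service = BANNED.get((proto.lower(), dport))
        if service and (in_scope(src) or in_scope(dst)):
            log.append({"time": ts, "service": service, "src": src, "dst": dst})
    per_source = Counter(entry["src"] for entry in log)
    alerts = sorted(s for s, n in per_source.items() if n >= ALERT_THRESHOLD)
    return log, alerts

if __name__ == "__main__":
    log, alerts = check_flows(SAMPLE_FLOWS)
    for entry in log:
        print("LOG  ", entry)
    for src in alerts:
        print("ALERT", src, "reached the violation threshold")
```

The log is what gets reviewed periodically; the alert list is the proactive notification, raised only for sources that repeat the violation.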
In a future blog, I’ll return to the actionable insight gathered and dive deeper into the actions that can be implemented from the insight.
For more information on detailed actionable insight, check out the following resources on the Ixia website.
Automation whitepaper – Automation: The Future of Network Visibility
Lawful Intercept whitepaper – Best Practices for Lawful Intercept in Enterprise and Service Provider Networks
Network Visibility improvement whitepaper – Five Steps to Build Visibility and Security Into Your Network