
Tuesday, September 13, 2022

How Deep Observability Forms the Gift that Keeps Giving for Hybrid IT Security, Performance, and Agility

Transcript of a discussion on gaining the best visibility into all aspects of the hybrid- and multi-cloud continuum to close the gap between daunting complexity and today’s performance and security requirements. 

Listen to the podcast. Find it on iTunes. Download the transcript. View the video. Sponsor: Gigamon.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect.

For those tasked with delivering unwavering performance of their apps and data, there have never been more unknowns to account for and manage. That’s because today’s hybrid clouds and mixed-network environments come with a multitude of dynamic variables -- and an unprecedented degree of complexity.

Yet modern digital business demands that the entire constellation of these far-flung cloud services, resources, and application constituent parts coalesce perfectly. The end result must be real-time and always-on user experiences that delight, and business transactions that are both highly secure and never fail.

Bridging the gap between such daunting complexity and awesome performance and security requirements means gaining the best visibility into all aspects of the hybrid- and multi-cloud continuum.

Stay with us now as we explore the ways that deep observability moves past the limitations of metrics, events, logs, and traces to deliver far richer and faster data-driven insights. By exploiting these new means of pervasive deep observability, the highest levels of security, performance, and agility can be attained by nearly any business and organization.

To learn how, please join me now in welcoming our guest, Bassam Khan, Vice-President of Product and Technical Marketing Engineering at Gigamon. Welcome, Bassam.

Bassam Khan: Hello, it’s good to be here. Thank you, Dana.

Gardner: Bassam, what are the main pain points you’re seeing for the cloud security operations (SecOps) and network operations (NetOps) teams as they strive to keep their environments performant, dynamic, and responsive -- given all of this difficulty and complexity?

Khan: Yes, it’s about being dynamic, performant, secure, and economical -- that’s the other aspect we keep hearing about. The pain for operations teams nowadays is to stay out of the way of progress, and to not get in the way of application development, business transformations, workload modernization, and application modernization. Progress can be defined truly as an organization’s ability to move fast by leveraging all of the applicable cutting-edge technologies out there today.

The pain is also about allowing developers to move very fast, without any involvement from IT groups -- particularly from operations -- unless something goes wrong. That could be when an application breaks, costs overrun, or the worst case -- some kind of security incident. The operations teams tend to be an afterthought -- until there is a problem.

Gardner: For those Ops teams then -- rather than there be a lag, rather than be reactive -- you want to be proactive and to get out in front of these potential problems as much as possible. That requires more visibility, more knowledge, and more understanding about what’s going on before the problems set in.

Khan: Exactly.

Gardner: What are some of the obstacles to getting to that forward-looking approach? How do you get out in front of security risks and be able to deliver a rapid remediation response?

Get out in front of risks early

Khan: One of the main obstacles is being able to get involved early. Development teams can move very fast using their own cloud platforms du jour, their favorite environment. Now, having visibility from an operations and security perspective into any infrastructure du jour is not easy. Every platform, preferred infrastructure, cloud container, and hyperconvergence environment has their own way of providing visibility. They all have a different methodology for accessing traffic information on how to scale up, or for seeing all the virtual machines (VMs) and containers as they pop in and out of existence. That’s the hard part -- because the orchestration and automation for every platform is different. That’s what makes it very, very challenging.

For example, in some environments you have simple things like virtual private cloud (VPC) mirroring to analyze all the packets coming in so I can get the visibility I need from a security perspective. Yet some environments -- let’s say Microsoft Azure -- don’t quite have such a packet mirroring capability. There are also other ways -- eBPF, Sidecar, and other technologies -- involved in container insights.

So, the best way that operations teams can get involved early is by showing and adding value that’s tangible and front-and-center for cloud developers, for DevOps, and for the cloud operations (CloudOps) teams. To this day, the development team, the cloud team, the DevOps team -- they tend to not look at the infrastructure. In fact, they don’t want to worry about the infrastructure. It’s something they’re built to not have to deal with. However, there is value that can be extracted from the IT and network infrastructure information. Accessing that is how the security, network, and IT operations teams can bring value back to the developers, DevOps, and CloudOps teams.

Gardner: Today we have a mixed bag of deployment options, each with many different variables in how to gather and share infrastructure information. But even that doesn’t necessarily give a complete picture. We also have a chasm between what the developers are doing and what is going to happen in hybrid operations, post-production.

How do we achieve the almost impossible – the end-to-end and full lifecycle levels of insights?

Khan: There are many different ways of seeing what’s going on in your environments, and ways of getting the data points from all of those insights. There’s something called MELT, which is metrics, events, logs, and traces. It consists of the most common ingestion telemetry and input data that all of the cloud tools operate with.

As you know, logs are quite informative and provide a very broad view, whether it’s from on-premises or cloud-type workloads. Logs are a good normalization mechanism. However, that’s not sufficient because logs only track the environment creating the log files. There could be more hosts out there, there could be communications not generating the level of log files needed from a security perspective.

We’re finding that -- while a lot of people feel comfortable with the MELT data -- when we bring up the larger pool of telemetry-based communications happening between the hosts -- not just for managers, but for all hosts in the systems, and all the communications -- our customers say, “Wow, that is something that’s very cool, very helpful, and was never possible before.”

Gardner: How do we get past the MELT data and advance into deep observability? How do we excise that data and provide the fuller, richer, and faster view of what’s truly happening across all relevant activities?

Cooperate, collaborate for security’s sake

Khan: We have been talking to a lot of customers over many months and years about where the industry is headed. If you talk to IT industry analysts and other industry gurus, they describe where things are headed from a technology perspective.

But we took a different approach by doing research through more than 100 closed-door conversations, looking at our customer’s futures, by talking to our partner vendors, and based on other knowledge we have about the industry. Our approach evolved from a teams, tools, and telemetry perspective.

First, there are the people. What are their roles and responsibilities? In most of the cloud initiatives, there are different teams responsible for deploying and managing various workloads. You have developers on one end, all the way through to operations, and also all the way over to the NetOps side.

Now, these teams have tended to not be very cooperative or collaborative. The DevOps team is not pulling in the SecOps and NetOps as early as possible, as they should be. As a result, the SecOps team has to play catch-up. The NetOps team has to go into a mode of mean-time-to-innocence, to say, “Hey, this was not an infrastructure thing. This was some other application-related issue.”

What we have found, Dana, is these relationships are beginning to improve. People are starting to become more collaborative. It’s not overnight, but it’s getting better because of -- security. Security is the common denominator and common cause across all of these groups.

Nowadays, a DevOps person is much more conscious and spends more time working on security-related issues. The same thing with NetOps. I joined Gigamon about four years ago, and I’ve had lots of conversations with NetOps teams and SecOps teams. There was a much deeper chasm between these two groups before.

But today, we find much better collaboration. It’s not perfect yet relationship-wise, but it’s better collaboration. You cannot be a network operator today and not spend at least half of your time working on security-related issues.

Now, as we said, security spans a lot of different areas. When we talked to customers, we talked to C-suite-level people in very large IT organizations. When it comes to detection, that’s not going to change; that’s going to stay a SecOps function and will stay in the security operations center (SOC), as far as we can tell.

However, when something is detected, like a breach or cyber threat activity, that’s when the other teams become involved in making the response, working on remediation, and then an even further, more-proactive stance around vulnerability mitigation. Detection and management -- that’s where all of the teams are involved working together.

Once you set down a zero trust approach, which is starting to pick up adoption as an architecture, the DevOps, NetOps, and SecOps teams are much more involved.

Now, the challenge has been that MELT consists of very powerful information. However, the tools that people use to leverage that information are siloed. They tend to be defined based on the ingestion data that they’re getting. So, when you look at metrics, events, logs, and traces, that’s the ingestion point for the tools that the developers are working with.

When you look at security-related tools, particularly data center security-related tools, which all of compliance is built on -- controls, knowledge base, all of that -- that tends to be more around packet-type information because that’s what you had in the data center. This chasm is causing a lot of problems. It prevents, for example, a DevOps person from doing security work because they’re missing out on endpoints that are not managed and don’t have an observability agent.

They’re not seeing the unmanaged traffic. There are not many security use cases that they can get to. That’s the chasm. That’s what we’re hoping the industry can address and we can help out with in the IT world.

Gardner: I completely agree that the security imperative provides a common denominator that joins disparate IT cultures, which is a good thing. If security drives a common purpose, an assimilation value, we need to get the right data to spur on that common security value proposition. How does the deep observability pipeline help get the right information to empower security as an imperative and then bring these groups together to take the proper action?

Visibility fabric sees past siloes

Khan: If the two worlds remain separate, even though a DevOps person wants to do security, they’re not able to. That’s true even using in-house observability tools based on Kibana and Grafana. These tools and the data ingestion approach are causing the groups to stay siloed, which is not ideal.

Instead, based on what we have seen over the years at Gigamon, and at other vendors as well, we have developed the notion of a visibility fabric.

Here’s why. The tools on the left-hand side cannot ingest network information, like packets and flow records, and do deep packet inspection. Yet that information is essential. We open up the packets, look at what’s inside, and create a bill of materials of what’s in the packets. We send that to the tools using such means as Kafka or JSON, depending on the tools.

Now, you’re able to use the observability tools to look for more security use cases, such as self-signed certificates, which are usually a red flag. Are there any old Secure Sockets Layer (SSL) ciphers out there in production today? That’s another vulnerability that needs to be flagged.

So, now the observability tools can be used for security functions, and not just for managed hosts, but unmanaged hosts as well.

Where the observability pipeline comes in, Dana, is something Gigamon has introduced quite recently. We have stretched the value out further so it’s not just security information, saying, for example, that Bassam is running cryptocurrency mining activity on some AWS instance. But we can also now say where Bassam downloaded an application, identify a command control communication, and determine how and where the crypto mining software was installed. All of this is packaged into a contextualized export -- a very targeted and small export -- that gets sent to an observability tool, such as New Relic, Datadog inventories, or even a security information and event management (SIEM) tool like a Sumo Logic, Splunk, or QRadar.

Based on the new level of network visibility, we can deliver much more contextualized data. The deep observability pipeline approach not only provides much stronger defenses in depth, which is what security wants, they are able to democratize a lot of the functions of security. That means they are much more efficient. A lot of the preventative and proactive vulnerability management can be done by other teams, very voluntarily. They are getting pulled into cloud projects earlier, and the DevOps people are very accepting of the security use cases.

They’re very open to it, and they’re very fast to deploy the security use cases because now they have that capability. And the vendors such as the New Relics and the Datadogs and others are now saying that the security use cases are their number one goal because there’s a lot of value.

Are they looking to move into the system-on-a-chip (SOC) and become a SOC tool? Probably not for a while. And they’ll tell you that if you talk to them. However, being able to do security functions is very important for the DevOps and the developer sides. So, they’re bringing in that capability.

The last point is kind of interesting. We’re now finding that the DevOps people don’t want to have to go into a deep observability pipeline and deploy tools that collect and aggregate network traffic. That’s infrastructure stuff.

Instead, they say, “Hey, Mr. or Ms. NetOps, can you please come over and help me deploy this because the metadata value that I’m getting out of that traffic is super useful to me.” So now the NetOps teams are being called in early.

And here’s the side effect that we’re seeing. I’m going to date myself. I started my career in IT in the 1990s and for an investment company in Boston. We didn’t have a network team when I first joined. We had a telecoms team, and this team went through a transition throughout the 90s because they were wiring phones. But they’re also wiring network connections -- Ethernet cabling all over.

What we found is that over the years, there was a split within that group. Some of the group decided to stay in telephony and they ran the telephone systems and switches. But part of that group became the networking group -- network engineers and then ultimately architects and operators. We saw that split happen.

Now, some 20-odd years later, we’re seeing a similar kind of split happening because of this observability technology, which allows the NetOps teams to be much more involved in the cloud projects. We are seeing a split in careers as well. A lot of the network engineers are contributing and becoming much more involved -- and almost forward-looking -- with cloud initiatives. It’s kind of cool.

Gardner: Well, now you have raised another group that we should be addressing, the NetSecOps people.

Increase visibility in the cloud and network

Khan: Yes, NetSecOps becomes even more relevant because what they’re now able to do is provide a lot more value to the essential cloud operations, cloud applications, and application modernization efforts by getting more contextual information from the networks.

A lot of the cloud migration and the cloud mentality is, “Oh, I’m moving this to the cloud. It’s a cloud workload now. I don’t have to worry about the network.” And that’s true. The cloud service provider will guarantee your up-times, response rates, and bandwidth -- all of that is guaranteed. You don’t need to worry about that.

However, it’s a little bit like the baby with the bathwater: there is important information you can glean from network communications -- and you don’t want to throw it all out. Now, we like to say, the network analytics data is less about gathering intelligence about the network. It’s much more about intelligence derived from the network -- and that’s where NetSecOps and even NetOps teams are playing bigger and bigger roles.

Gardner: All right, let’s unpack the packets, if you will. When we go to the network to get the intelligence, the data there can be overwhelming. Also, is there a performance hit from the tools and the analysis? What are some of the nuts and bolts, brass tacks, if you will, about practically accessing that crucial and more strategic data in a meaningful way from the networks and then sharing it in an impactful way?

Khan: You hit the nail on the head. If not done correctly, costs can overrun very quickly. I am talking about data and communication costs. The two use cases are packets, which are still very relevant in the cloud, we are finding. As people move closer to the cloud, they realize that, “Hey, we’re not able to have as much control over and visibility to the data that we need.”

For example, we recently had a conversation with Lockheed Martin about Cybersecurity Maturity Model Certification (CMMC) 2.0 compliance. As part of their requirement from a CMMC compliance perspective they need to inspect the packets -- even in the cloud workloads. The problem is you have multiple tools.

There are the CMMC compliance tools, a network detection response (NDR) tool, and more. So, you have three, four, five tools. The packets are flowing all over the place to the instances, where the tools are running in the VMs. The compliance reporting is running, and all of this can get pretty expensive. You’re paying for bandwidth over and over and over -- and not all tools need to see all the traffic.

If you take the entirety of your VM traffic, pull it all together, and send it over the wire, it’s going to get really expensive. This is where the cost-optimization comes in. It can find the tool and say, “You know what? This tool is only going to see this needed traffic.”

Not all of your monitoring tools -- or even security tools, for that matter -- need to look at all the kinds of traffic. If there’s a multi-GB Windows update, for example, not all tools need to see that traffic as well.

The deep observability pipeline approach allows customers to fine-tune -- from a packet perspective – both what types of protocols they want to see, and also, very specifically, what applications to exclude. That way we can get very, very efficient. That’s the packet inspection efficiency use case.

The second big efficiency use case is the notion of metadata, which is very important because of its capability to extract important elements from the traffic and send that off. If, for example, you have 1 gigabit per second of traffic, metadata exploitation will bring that down to less than 1 percent of the traffic coming in because it extracts intelligence about the traffic.

And, as we mentioned before, MELT data is great for a lot of purposes, particularly if there’s an agent running. If there’s an agent running on a host -- whether it’s an application, device, or a user machine or laptop endpoint -- it can get a lot of information. It can go deep into that host, find out how much CPU consumption is being taken, how much memory is left, and what are all the different services running on the machine.

However, what if there are certain data aspects it’s not able to deliver? What if that host does not have an agent? What if it doesn’t have the observability agent generating the needed level of visibility?

And there are security considerations, which are really important, particularly for our US federal agencies that use Gigamon, which is all 10 major agencies. What we hear over and over is network data is the ground truth. It’s something that’s been around for a very long time, and it’s still very true.

One of the first things a threat actor will do once it reaches the system is they’ll try to cover their footprints. The way they do that is by turning down logging levels, by hiding themselves from the logging.

Well, you can’t hide the fact that Bassam’s machine went out and talked to this command-and-control system or moved laterally. Just can’t hide that. And, so, the network data is immutable. Also, importantly, the network insights are passive in the sense that when you put an agent on a system, it’s going to impose some level of resource consumption and from a maintenance perspective. There’s patching, upgrading, and a certain level of work involved in that.

But when you’re listening to network traffic, it’s completely passive. There’s no impact on the hosts themselves, whether they are managed or unmanaged. It could be an Internet of things (IoT) device, a printer, a surveillance camera, a heart machine, or even a fish tank. There was a case of a breach in a fish tank a while ago. But the point here is that these are the two big different use cases, and the two come together to make what we call a deep observability pipeline.

Gardner: All right. Given how important this network traffic information is, let’s get deeper into what Gigamon does, specifically that is differentiated and brings this information out in such a way that it can be used across different personas, use cases, and by both the security and  operations teams.

Deep observability pipeline to all the data

Khan: Our deep observability pipeline has four basic functions. The workload can run on any platform, any container, or on any physical endpoint; it doesn’t matter. We worry about the access mechanism, and we support every native data access mechanism so that our customers don’t have to worry about it. So rather than plugging in their 50 different tools that need access to network data or metadata, and having to plug those tools into all of the different parts of the infrastructure, we plug in, and they plug those tools into our port -- either a physical port or a virtual port, depending on whether it’s cloud or not.

We are responsible for accessing all the data. Then we can broker that out to any tool that wants packet data or metadata about the traffic. And that supports about 24 different -- what we call GigaSMART applications -- where we’re cleaning up the traffic. Not all tools need to see all your traffic.

One of the most deployed functions that we have, for example, is called packet deduplication. When you have any kind of infrastructure you end up with duplicate packets because it’s an artifact of any complex type of infrastructure. And when you have duplicate packets, you’re flooding the tool with duplicate information. There’s absolutely no need for it. So, by deduplicating the duplicate packets, you’re saving a lot of traffic. A lot of organizations we go into have some 30, 40, or 50 percent duplicate packets, sometimes more. By deduping, you are instantly able to double the capacity of the tool because you’re not losing any fidelity of the data because the duplicate packets don’t do anything.

The 24 different traffic optimization and transmission capabilities come into any tool in any format that people want. As for Gigamon’s unique capabilities, a lot of these things are part of the visibility fabric that we talked about. The investigation part is something that’s unique where we’re contextualizing the data using our NDR technology that we have in providing a lot more context around the data itself.

Our integration with cloud-based observability tools is super unique. When you have a managed host, whether it’s running in the cloud or on physical devices, or hybrid IT, the cloud versions of the observability tools, of the SIEMs, need access to the data, and that comes in over an agent. For example, you install a Datadog agent to all of your managed hosts out there or whatever your observability tool of choice might be and you’re able to send it.

Gigamon’s GigaVUE V Series forms the intelligence, the brains, of another product. We get the traffic using our own tapping, or using native packet mirroring, if that’s available. Then using the same agent, we collect and send that data as events to the tools. It’s a completely different perspective that complements existing observability dashboards, in your queries, the alerts, and everything else your DevOps person has set up.

Again, this enables being able to do security use cases. Again, it’s not necessarily intelligence about the network -- it’s intelligence from the network. And it’s the entire network. It’s managed and unmanaged hosts. It’s hosts that are talking without any kind of agent running on them.

A simple use case: Let’s say your SIEM, your Splunk, is supposed to be tracking all of the activities of all the hosts running in your system. What our customers find, as soon as they bring in this level of visibility, is some things are missing. All the hosts are supposed to be tracked by your SIEM but there’s a delta. You’re not seeing all of the hosts. Some applications or APIs are running that are unsanctioned. Something weird is going on. They need to worry about that.

That is an example of a vulnerability, assessment, and management detection that’s now within the realm of a DevOps person who has never done that before. And in order to get this sorted out, typically, a NetOps person will come in and make sure that the agent is installed, and the V Series is running and sending the needed data over. The NetOps people get pulled in early because there’s a lot of value that the DevOps person, the right-hand side, is able to get from this and the use cases.

Gardner: We can’t do this just based on what the cloud provider has served us in terms of visibility. We can’t do this just from what we had inside our respective data centers because it doesn’t consider the entire hybrid cloud extensions of our workloads. And there may be unseen hosts. But we need to track it all.

To attain this new level of deep observability, what do people need to put in place to get there?

See all data in all the directions

Khan: The capabilities come in basically two different groups. One is the packet-type of capabilities. It is a better level of security from a NDR perspective, and from a compliance perspective.

For example, Five9, one of the largest cloud-based contact centers, needed PCI compliance when they moved to a public cloud. You can’t do that without having this deep level of observability, having your arms around all of the communications going on. Keep in mind this is not just for the edge, north-south communication into their public cloud. This is for east-west traffic as well, which includes VM-to-VM as well as container-to-container traffic.

For such larger organizations with multiple on-premises and cloud workloads, the attack surface grows, which makes the need for this high visibility into packets foundational as a security requirement. The second big round-up bucket of benefits comes from the metadata.

I’ve talked a lot about the DevOps-ready pipeline. Let’s see what it looks like. As I mentioned, there are multiple partners we use. In this case, I shall go into New Relic. And what we’re seeing here is a dashboard that we have created.

We have the data coming into an agent and into the New Relic observability tool. This data is completely derived from network intelligence, from the deep observability pipeline. This is the first-ever capability of having this level of network intelligence. There will be some red flags going off. There’s SSL running in this environment, even if there’s one or two flows, one or two hosts talking SSL; that’s a big red flag. That should not be happening. Some weak cipher is running. This is the type of information that people find very valuable -- and even more so because this is being sent to a DevOps person.

Are there any Dynamic Host Configuration Protocols (DHCPs)? Are there any Domain Name Server (DNS) redirections going on? For example, I might have installed a browser plug-in, so if I type in Gigamon.com rather than just using the on-premises DNS name resolution, it’s going into a third party and that’s a big red flag. It’s just not an acceptable security practice.

I mentioned some security use cases, but they’re also performance use cases. What we can show, for example, is the HTTP response time. We also have a widget that shows the Transmission Control Protocol (TCP) response time. When data calls up and says, “Help, my application is running slow.” If the NetOps person or even the DevOps person in this case can see that TCP response time is trending flat, it hasn’t changed. But HTTP response time has spiked. That means guess what? It’s not a network connection issue, it’s an application issue because it’s at the TCP level, it’s an application-level issue. So, there is instant resolution for some of these troubleshooting types of issues.

We can also see, via simulated data, that BitTorrent is running. So peer-to-peer (P2P) traffic, which is the thing by the way. Side story, we went into one of our government agencies and when they turned on what we call this application intelligence capability, I said, “This is great. I can see all the applications. I can see what’s running.” But it’s not right because it says we have BitTorrent running in our environment, and this is a pretty secure environment. And then our sales engineer said, “No, that’s what it says,” and then their NetOps person looked into it like, “Come with me.” He just grabs our sales engineer’s laptop and drags him into their SOC, and says, “Guys, we have BitTorrent running.” And everybody in the room said, “No, that’s not possible.” But when they looked into it, sure enough, they had BitTorrent running. Somebody, somehow, installed that.

So even in a very safe environment, you will find unknown applications called rogue applications. Where it gets interesting is that these are sometimes crypto mining applications. There was a case a couple of years ago, where Tesla’s AWS infrastructure was compromised and rather than attacking using some direct attack onto Tesla’s applications, bringing down systems, the actor installed cryptocurrency mining called Monero, which is actually this MINEXMR, Monero, and they sat there for months and months just mining cryptocurrency.

A Google report came out about seven months ago. They looked at all of the breaches that happened in Google Cloud. They found that 86 percent of the time the attacker came in and installed cryptocurrency mining. The attackers did other things, that’s why the percentages can be over 100; they did other nefarious activities. People install cryptocurrency mining, why? Because this is the shortest route from point A to point B, which is monetization.

Gardner: How does this then relate to zero trust architectures? How does the deep observability pipeline relate to zero trust now that it’s being mandated in the public sector and it’s becoming a de facto standard in the private sector?

Gigamon at the core of the zero-trust

Khan: Yes, zero trust has been advancing in the federal space, where Gigamon has a strong presence. We’ve been going on that journey with our customers. And we’re starting to hear more about it in the enterprise business world as well.

One of the foundational approaches to zero trust is about policies. It’s about identities and segmentation. The policy engine input assumes that all of the communications are being captured. If you have blind spots, if you’re not looking at inspecting Transport Layer Security (TLS) traffic, encrypted traffic, you should be. If you’re not looking at east-west communications, container communications, that’s going to lead to blind spots, and zero trust assumes that there is visibility in all of the traffic in all of the communications that are going on.

That’s where Gigamon comes in. We provide the core foundation to what John Kindervag, a Forrester analyst, first wrote about around zero trust more than 12 years ago. He used to call it the DAN, the Data Access Network. The foundation to zero trust is being able to have access to all of the data, and that’s where Gigamon comes in.

We provide the needed telemetry, the visibility, and the blind spot elimination that are foundational for every zero-trust journey. So as a result, we’re baked into almost all of the federal organizations and federal department agency projects to build a zero-trust journey on. And we’re starting to see that happen more and more on the enterprise side.

Gardner: We’ve talked in general terms about the deep observability value, and it certainly sounds very compelling. It makes a great deal of sense given the hybrid and dispersed nature of workloads these days. Going to the network for the required insight is absolutely something that you can’t deny. But we haven’t talked about metrics, or public key infrastructures (PKIs). Do you have any demonstrative definitions, qualitative or quantitative, of when you do deep observability in these complex environments what you can get as security, performance, agility, and cost savings?

Khan: There are a number of ways our customers measure how efficiently Gigamon helps. By optimizing traffic, we are also helping all the other tools, too. So, people say, “Hey, you have this intrusion detection system (IDS) tool, you have this web application firewall (WAF), you have this application performance monitoring (APM) tool that we pay for. If I’m going to ask for additional budget to buy more of those tools, it is because I’m running this as efficiently as possible.” Gigamon shows how much traffic is coming into each tool and how much it’s been made efficient.

The first metric really is around return on investment (ROI). If you have a tool that does not need to look at, as I mentioned before, for example, Netflix traffic, they can say this is exactly what’s being excluded and this is how we’re running this tool very, very efficiently. We have six to nine months of ROI for our product itself, but then after that it’s all efficiency. And we have a very powerful ROI model that’s been used by over 200 customers. And in many of those cases we find the non-vendor spreadsheet model shows how efficiently their IT organizations are running. And a lot of our customers use that to justify additional budget.

When they put a proposal in to buy anything in the data center, we find they staple the model to the actual proposal to their finance group on why they need more equipment. That’s because we have visibility and all the data in motion to quantify the benefits from a cost-savings perspective, which is a big factor given all the budget uncertainty that’s happening right now.

Gardner: You mentioned deep observability as a force accelerator among the tools ecosystem. It frees the network data for use by many insights and analysis values. You work in an ecumenical orientation. What do your partners say to that?

Khan: Most of the new customers we work with are brought to us by partners, both technology and channel partners. We allow their deployments to be much more successful. We do that by eliminating blind spots. They need to see, for example, decrypted traffic to do their job, but they don’t need to see things that are not essential. Things like masking technologies that we provide allow a much safer way of decrypting with compliance, and that allows tools to be much more efficient and effective.

The new category of deep observability pipeline and tools is where the real innovative work is happening. It’s an expansion of a DevOps person’s ability to look at 10 to 20 percent of an infrastructure that has agents running and opening their eyes to the entire 100 percent of the infrastructure by seeing all communications happening from a security and vulnerability perspective. That’s where we’re seeing a ton of traction and new partners coming to us saying, “Hey, I heard you do this. Let’s work together.”

Gardner: That’s exciting because oftentimes when you provide new capabilities into the field, people will be innovative and find creative new ways of using them that hadn’t been determined before. And it certainly sounds like we’re right on the cusp of some of that innovation using deep observability.

Khan: That’s right. Exactly.

Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on bridging the gap between daunting complexity and awesome performance requirements by getting the best visibility into all aspects of hybrid and multi-cloud continuum deployments.

And we learned how pervasive deep observability brings the highest levels of security, performance, and agility to nearly any business and organization. So, a big thank you to our guest, Bassam Khan, Vice President of Product and Technical Marketing Engineering at Gigamon. Thank you so much, Bassam.

Khan: Thank you. My pleasure, Dana.

Gardner: And a big thank you as well to our audience for joining this BriefingsDirect Cloud Complexity Risk Reduction discussion.

I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this Gigamon-sponsored interview. Thanks again for listening. Please pass this along to your CloudOps, SecOps, NetworkOps, and NetSecOps communities -- and do come back next time.


Transcript of a discussion on gaining the best visibility into all aspects of the hybrid- and multi-cloud continuum to close the gap between daunting complexity and today’s performance and security requirements. Copyright Interarbor Solutions, LLC, 2005-2022. All rights reserved.


Tuesday, August 23, 2022

How Deep Observability Powers Strong Cybersecurity and Network Insights Across Complex Cloud Environments

Transcript of a discussion on how new advances in deep observability provide powerful access and knowledge about multi-cloud and mixed-network behaviors. 

Listen to the podcast. Find it on iTunes. Download the transcript. View the video. Sponsor: Gigamon.

Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions, and you’re listening to BriefingsDirect. The growing prevalence of complex multi- and hybrid-cloud environments has opened a Pandora’s Box of unseen risks around security and performance.

 

But unlike when IT and network operators had the tools and access to track their own internal systems and data, the mixed-cloud model of today is much harder to know and secure. Pandora’s Box is open but observing what’s going on in and around it is cloaked by inadequate means to gain actionable insights amid all the distributed variables.

 

Enter deep observability and its capabilities, which are designed to provide rich access to multi-cloud and mixed-network behaviors. Such observations and data gathering can be analyzed to rapidly secure end-to-end applications and protect sensitive data.

 

Stay with us now as we explore the latest advances around deep observability and how a neutral deployment approach for observation technology spans more infrastructure and services to best protect and accelerate digital business success.

 

To learn how deep observability puts cloud chaos and hard-to-know risks back under control, please join me now in welcoming our guest, Shane Buckley, President and CEO of Gigamon. Welcome, Shane.

 

Shane Buckley: Thanks, it’s great to be here.

Gardner: Shane, what makes knowing and securing today’s complex cloud activities especially challenging?

 

Buckley: That’s a great opening question. We’ve seen over the last half of a decade or more the desire for organizations to be able to be flexible in terms of where they deploy their workloads. Traditionally workloads were deployed in the data center, with a hard perimeter, lots of security, and compliance needs were met within the organization.

Then came the desire to create more flexible workloads, to run faster, to scale better, and also to reduce cost. The cloud model offered ways to gain these great advantages. But, as we often say here at Gigamon, the cloud is simple -- until it isn’t.

And so now organizations are looking at deploying more workloads in the public clouds as well as using colocation providers and within private cloud environments by leveraging technology such as VMware. We are also seeing the emergence of containers and Kubernetes as a technique to provide better automation, higher scalability, and lower cost.

 

The cloud conundrum

The great flexibility that the cloud provides is very positive to companies. It allows them to move faster. And that’s essential in the era of digital transformation because more organizations, driven by the COVID-19 pandemic, want their applications to flexibly reach more customers through remote access, handheld devices, mobile phones, and computers.

 

The snag is that the security footprint doesn’t track as straightforwardly as the workload boost when moving from the protected data center to a shared cloud environment. This is the conundrum companies face today. How do they make sure they can run their apps fast, stay secure, and innovate? These requirements are at loggerheads with each other. And that’s one of the major challenges that the Gigamon team’s solutions address.

 

Gardner: There are always trade-offs when adopting technology, of course, but when we’re forced to move quickly, the trade-offs can become riskier. When businesses could control their network perimeter, they knew what was coming and going. Now, we must take the good with the bad traffic. So, if you can’t control the perimeter, how can you at least moderate the risk?

 

Buckley: For many years technologies such as observability have been used for application performance monitoring. Observability, of course, is the technique of looking at an application’s performance remotely, leveraging things such as metrics, events, logs, and traces, which are commonly called MELT data, and have been very effective.

The issue though is one of security. And if you want to secure your applications, if you want to take a workload from a protected data center where you have layers and layers of security --  because security has always been about defense and depth -- and you want to shift that application into a cloud-based environment, you don’t have the same controls that you enjoy when the application sits within your own infrastructure and you get control from the network layer right up to the application layer.

 

So, the big question for chief information security officers (CISOs) and security professionals today is, “How do I secure the applications I have deployed to give the organization the flexibility, but maintain the security posture and compliance?” It’s become the number-one issue that CISOs face today as they try to support the business and the organization’s desire to run fast and innovate. The missing part is how to stay secure. It’s really, really complex.

 

Gardner: Now, ideally you should be able to attain the same level of control, visibility, and security in the cloud deployments that you had on-premises. Is that not ever going to be possible? Isn’t it simply a matter of putting the right technology in place?

 

Buckley: Traditionally, organizations have used layered defense tools such as firewalls, web application monitoring technologies, data leakage-prevention technologies, and the capability to encrypt and decrypt traffic streams. Yet more than 90 percent of the threats in organizations sit inside these encrypted traffic streams, which are largely bound to the tools.

 

As one moves to the cloud environment, this gets a lot more complicated because you don’t own the network. The network is owned by the cloud provider. And so how, in a public cloud environment specifically, or as one deploys via containers, can you see inside and see what’s happening?

 

Observe deeply to stay out of deep trouble

The emerging technology to fix this issue is deep observability. We refer to it as the deep observability pipeline. Deep observability is about taking the technique of observability to the applications by looking deeply inside the flow of the network traffic. Because logs and traces are mutable, they can be turned off.

 

And, in fact, in many environments where applications are compromised, the nefarious actor will either turn logging off or more perniciously they will overwrite the log. In that way, the security operation center (SOC) is fooled into thinking the application is performing as usual, because logs have been muted.

 

Network traffic is immutable. It cannot be changed. If you take a hard copy of traffic going to or from an application or server and you diagnose it, you know exactly what’s happening within that traffic flow. The ability to get to that level of granularity, that level of fidelity in terms of what’s happening inside the application -- and extract key information, which then you can send to the tools -- is really, really powerful.

 

It’s a technique that we at Gigamon have used for more than 15 years: The ability to extract network traffic insights and send them to advanced tools in a consistent way, same as we have done when the workload sits in a data center. Now, one can do the same with an application or workload in a data center, or move it inside a container, or inside the private cloud, or any public cloud. Anywhere across the hybrid-cloud continuum, we have a consistent approach in how we implement your security insights layer.
 

Gardner: It’s one thing to be able to capture and observe; it’s another thing to be able to deal with a fire hose of data. How, during the past 15 years, have we benefited from handling streaming in near-real-time these massive amounts of data in and around networks and cloud environments?

 

Buckley: You raise an interesting point. Networks are now operating faster and faster. More and more applications are talking to each other, particularly using technology like microservices where one application may make a call to multiple other applications -- often referred to as east-west traffic. That east-west traffic is not just traditionally inside the physical data center, this time it could be across multiple cloud service providers, or across multiple different domains; who knows?

As more of this traffic exists, how do you capture all the information about the traffic? Traditional firewalls, even cloud-based firewalls, typically capture north-south traffic. How do you capture all this east-west traffic, too, because as cyber professionals will tell you, lateral movement is how nefarious actors and hackers get across the estate. You need to catch them from an east-west perspective as well.

 

Secondarily, a lot of the key information happens on that east-west basis. It’s where you get the context of use. But trying to take all the traffic from all the applications all the time creates massive bloat. Typically, a customer’s security information and event management (SIEM) capability will fill with pretty useless information, and so it takes the SOC way too long to delve through the details and find that one needle in multiple haystacks.

 

The ability to instead extract only the relevant information, the metadata, from this traffic flow reduces the data volume by more than 90 percent, meaning you have a lot fewer haystacks to find that one needle in.

 

It also means that you can extract the data from public-cloud networks and reduce the cost of the deployment. You pay less in fees to the cloud providers as they take traffic in and out of the cloud environment to support custom or on-premises tools -- even though the application is sitting inside a public cloud. And that gives tremendous flexibility and tremendous consistency. It means that you can keep your security posture and ensure compliance is maintained across an organization.

 

Gardner: We want deep observability to also be extensible observability. It must observe across an end-to-end continuum of hybrid-cloud services and data flows. How difficult is it to get both deep and pervasive observability?

 

Buckley: It isn’t as difficult as it used to be. The technology now exists. Certainly, at Gigamon we’re providing what we call our deep observability pipeline to customers in addition to the traditional observability they get from many IT vendors. And by deep observability pipeline I mean the ability to look at the application workflows and the traffic that’s going to and from those workflows at the network level and extract the data. Typically, it’s metadata that’s extracted and creates the pipeline of actionable intelligence. That is then sent forward to the relevant tools, to SIEMs and other devices, which can then absorb or extract the information.

 

If you have a network detection and response tool, Gigamon provides high-fidelity traffic that has been optimized, via metadata extraction, to provide the best possible context behind that information. That’s in addition to the other observability infrastructure that you may have. Gigamon also has partnerships with many of the leading observability vendors, whereby we feed directly into their dashboards and systems the high-fidelity pipeline of deep observability information. Customers have the option of doing it multiple ways.

At the end of the day, security is about defense and depth. It’s important for organizations to ensure a consistent security posture regardless of where the workload sits. Nobody gets a hall pass if they move a workload from a protected environment such as a physical data center to a cloud environment where it’s less protected. That doesn’t make business sense. We have to make sure we provide the same level of protection as that application workload moves in a flexible way from on-premises to colocation or public-cloud models.

 

Gardner: I suppose all the players in this ecosystem benefit when they have access to the network data and observations. There’s no sense in trying to corner the market, if you will, or building a walled garden around the observations. It should be ecumenical observability data access in order to be the most useful and impactful, right?

 

Observability that’s neutral and scalable

Buckley: That’s 100 percent correct. You hit the nail on the head. We often describe Gigamon as being Switzerland; neutral, we don’t have a dog in the fight. Our job is to do the best possible job to take the most relevant information across all these different platforms and these different workloads and send it to whatever toolset that the customer is looking for -- whether you have one tool or whether you have 1,000 tools, it doesn’t matter to us.

 

We’ve always been neutral at Gigamon in providing the best contextual information to make the best possible decisions from a network, application performance, and security perspective. And the ability to provide deep observability pipeline information extends that now to all forms of cloud in a way that’s never been done before. We are completely egalitarian. We are completely open. We will send whatever information you want, to whatever tools you want.

 

Gardner: At Gigamon, you said that this deep observability technology has been in the works for 15 years, but this use case, this hybrid-cloud problem set, wasn’t evident 15 years ago. How has the background of Gigamon put you in a position to be able to deliver on these technologies and capabilities?

 

Buckley: If we rewind back a number of years, customers attached a toolset to a SPAN port or a switch to access the traffic. That, of course, becomes very unreliable because switches are not designed to ensure that every single packet of data on the SPAN port is transferred. There’s congestion inside the switch, too. When some anomaly happens in the network, oftentimes those packets and that information is lost, and so it’s just not fit for function.
 

Gigamon pioneered and invented the tap-and-aggregation technology that allows you to take a copy of traffic -- whether it’s north-south or east-west -- you can aggregate it together and send the traffic to the desired tools. Over the last 12 or so years, we’ve enhanced that to optimize the traffic, extract the metadata from the network, put application filtering rules in, and decrypt traffic at the center. As a result, we see the information uniquely across the entire infrastructure. You only do an encryption once; you don’t have to do it multiple times.

 

We have protected and supported the largest, most secure, most complex networks in the world. As these networks evolved to provide cloud, multi-cloud, and hybrid-cloud techniques, we have used the same architectural approach. It’s been tried and tested over the past 15 years. So instead of physical taps inside these physical networks, you have virtual taps or Open vSwitch (OVS) mirroring techniques in the cloud. We then have virtual aggregation versus physical aggregation. We have virtual optimization versus physical optimization.

The technique we use inside the cloud is the same textbook approach that we’ve provided to CISOs and organizations for many years and that they’ve relied and depended upon. Now we’ve been able to transform this technology from an embedded solution inside a very high-performance hardware device to provide tremendous scalability -- scale up and scale out -- within cloud environments.

 

As a result, you get low overhead and very light touch. This can be built into the orchestration and automation systems that the customers have. Then it can be scaled up and scaled out, always providing the same level of protection as we used to do with our Gigamon hardware technologies that are famous within the biggest and the fastest data centers on the planet.

 

Gardner: If we have deep observability and it’s pervasive across cloud environments, we extract the metadata, which can be very valuable. We’ve talked about the security use case, but it seems to me that such observability provides intelligence in other areas, too.

 

Particularly nowadays, as the general cost of cloud use is going up, are there ways to extend observability value to help make the best use of your cloud spend? Perhaps to compare and contrast your cloud activities for the best minimum and viable fit?

 

Make the most of your cloud spend

Buckley: Super question, and, of course, the answer is, yes. The concept that one has to send everything to everywhere all the time is not scalable in today’s world. Whether you’re running 400 gigabits per second links to your physical data center or whether you’re running on the fastest cloud platforms in the world, it doesn’t matter.

 

There is a nearly infinite amount of data being sent across these very large networks on a daily basis. So, the capability to optimize the data flow, to eliminate the unnecessary data -- whether it’s duplicates of the data, whether it’s having the full payload that’s no longer required because the metadata is sufficient -- the ability to extract that information without losing the fidelity of information and reduce the quantity of information by over 90 percent saves companies and organizations tremendously.

 

Take, for example, the speed and the capacity of their firewalls, of their other security devices across the network, and their application performance tools. If you’re seeing a tenth of the traffic across the infrastructure, you need a tenth of the performance of the tools. This is beneficial to the customer because you end up saving money, and in a potentially recessionary environment, this is even a more important message.

 

But, in addition to that, because we also see all the east-west traffic, we can send more information to the tool, while it actually needs to process less. So instead of just seeing an onset of traffic, we can add that east-west dimension as well. We can also ensure that the traffic is decrypted so that all the bad stuff inside the encrypted stream is highlighted. In a very simple way, the blind spots are where the bad guys and gals hang out. We illuminate those blind spots, so we can know where they hang out. We do that in a way that sends less traffic to the network.

 

Gardner: What are some of the top cloud use cases for deep observability in practice? What are the benefits that organizations are getting in real terms? How does this help a CISO sleep better at night?

 

Migrate to cloud with good security

Buckley: Typically, a customer comes to us, and they have used Gigamon for a decade or more. We are the visibility analytics provider for their infrastructure. We have helped protect their infrastructure for a long time.

 

And now they have a cloud-migration project and so a requirement to move workloads. In many cases, financial institutions want to move workloads to a colocation provider or private-cloud environment. They often leverage a solution like VMware’s NSX to move an application or workload to a public-cloud provider, such as AWS, Microsoft Azure, or Google Cloud Platform, whatever. And they’re saying, “How do I do this in a way that ensures that I can get compliance approval and maintain my security posture?”

 

We’ll work with them usually on two types of migrations. One that’s a lift-and-shift, where you take the application as it is, which is the preponderance of applications within larger organizations. You pick it up, bring it across, and drop it inside the environment -- the container, private cloud, public cloud, or whatever. Then we reattach all the network, application forms, and the security tooling in a way that is similar to what they did before. You don’t lose anything, and you maintain everything that you had from a security and applications forms’ perspective.

 


The second type of application migration has the customer saying, “Hey, we’re modernizing this application to make sure it works more efficiently in a cloud environment, so it can scale up and scale out, and be in line with what the environment needs.”

That migration approach might require different tooling, but we use the very same technique. We ensure that we can capture all the traffic going to and from that application. We can process it and optimize it, as I just described, and then we work with the customer to determine the tooling for compliance and what the CISO needs to ensure the security posture of those business applications -- and then we put that all in place.

 

Also, now we’re seeing as many workloads move from the public clouds to a hybrid-cloud model as we’ve seen going the other way. Oftentimes customers say, “I tried an application in a public-cloud environment, but it doesn’t give me the performance and the cost savings that I expected -- and so I want to move it back.”

 

We enable that type of customer to have the flexibility to take the application and put it back where it was -- or put it somewhere else. Maybe they want to put it inside a private-cloud environment, or maybe they’re moving from a private-cloud environment to 100 percent public.

 

Whatever the customer wants to do, we will work with them to understand where it was, where it’s going, what the potential needs are. We will ensure they maintain the compliance and the security posture of that application, as well as the performance because that remains a very important component, too.

 

Gardner: We’re not just talking about deep observability for security and performance benefits, but you’re bringing up an important workload portability capability. And any way to help move workloads among hybrid-cloud deployment options while maintaining security posture presents a huge digital business and economic benefit. Have people been able to share with you some of the cost benefits that I suspect are there?

 

Money-saving choices, app by app

Buckley: When we run the analysis with customers, we see a return on investment (ROI) in less than six months in terms of the cost associated with the Gigamon deployment and the savings that they’ll get on a go-forward basis. And that’s just direct costs. That doesn’t include operational costs and efficiencies that come with modernizing applications or moving them to a cloud framework to begin with. The multiple benefits are quite significant.

 

Incidentally, the latest research shows that the level of deployment to the public clouds is not as great as had been forecast. The forecast was that we should now be close to having 60 to 70 percent of applications moved to the public cloud. But we’re seeing a resurgence of the colocation model as people leverage container-based technologies and private-cloud technologies. As a result, we’re seeing the public-cloud providers themselves offering on-premises and/or colocation capabilities to leverage the flexibility and the ease-of-use of those data center-hosted application stacks.

 

And so, the visibility gained from deep observability to choose whatever is best on a per application basis is becoming very, very important. Regardless of what the enterprise does in terms of deployment options, they will ultimately be able to save money.


Gardner: Your heritage places you in the wheelhouse of a network operations executive or leader. But what you just described is something a bit higher, if you will, in the organization, at the architecture decision-making level. That means those making major decisions about deployment strategies. Do you need to make Gigamon’s value then known to a different persona, perhaps at the architect or Chief Technology Officer (CTO) level?


Buckley: I would say network operations executives and organizations have always been core to the success of our business. They saw uniquely the advantage of having a single platform or a fabric that gave flexibility of deployment, flexibility of scale, load balancing, and all the great advantages that our technology provides to customers.

For over half a decade now we’ve been working very closely with security groups as well -- from CISOs to security architects, security operations groups, etc. -- to understand their problems. In many ways, the value of our fabric has been tremendously well-received within security operations over half a decade.


From a persona perspective, whether you’re a network operations (NetOps) leader or a security operations (SecOps) leader, obviously we work very closely with both. From a deep observability perspective, most organizations have handed the responsibility of securing their hybrid-cloud environment to their CISO. Now, oftentimes within the CISO’s organization, which is becoming larger clearly, there are new sub-personas within that space. And so we have the opportunity to work with application security people as well as the traditional network security or security operations folks in addition to who we work with today.


The good news though is that they’re all super-connected. They have a lot of alignment between them.


Gardner: They should be.


Buckley: Yes, they should be. And so, we’re well-known. Gigamon is well-known as being inside these environments. It’s been the core platform to ensure that we provide that security footprint.


Certainly, we are spending a lot more time talking to business information security officers (BISOs), as well as the application security folks, to help them understand how this technology can be leveraged within a hybrid-cloud environment.


Gardner: How about vertical use cases? Is there low-lying fruit? You mentioned finance. I imagine the regulatory issues there are pressing. But where does the rubber hit the road first and best for deep observability needs?


Zero trust everywhere


Buckley: Financial services obviously is a hotspot for organizations trying to secure their infrastructure, for obvious reasons. The other area that’s very important to us is our public sector business, on a global basis. The US federal government particularly has taken a very progressive view on security, with the recent executive order from President Biden for zero trust and the implementation of zero trust across federal organizations and contractors. We’re very close to that issue as well.


Security in the hybrid cloud uses many of the techniques that we leverage within zero trust. And within zero trust there are typically seven pillars, one of which is visibility and analytics. It’s considered foundational to zero trust security, in that if you can’t see stuff, you can’t secure it. All elements and the other pillars depend on the visibility and analytics pillar to operate.


Zero trust is not just sought by governments; it’s of course being adopted and used by organizations around the world. If you look at protecting critical infrastructure, for example, it’s a really big deal. So sometimes we get involved in conversations about operational technology (OT) and protecting OT devices, whether in healthcare, nuclear facilities, or other hardened and critical facilities. That becomes a really big deal for customers as well.



Within the hyperscalers and the software as a service (SaaS) vendors, many of the big SaaS vendors use Gigamon to provide that layer of protection to their applications because the customer often can’t secure it intrinsically themselves. So, you’ll find Gigamon’s approach or connection across many different verticals on a worldwide basis.

As we increasingly move to 5G, a core element of 5G is the capability to extract information from these ultrahigh-speed networks and to provide correlation between the user plane and the control plane, to provide the right traffic to the right tools at the right time.


In many of those networks, you see Gigamon is at the center of the ability to deploy the infrastructure as well. So, we’re present in a lot of these different verticals and ecosystems because it’s the same problem, but it’s just used in a slightly different way. And when you’re a fabric, which Gigamon is, you have the benefit of being able to deploy, whether it’s a software footprint or software/hardware footprint or any combination across all these different environments.


Gardner: We’ve used the word ecosystem quite a bit, and that implies partners working together with other companies. Is there a channel and/or partnership benefit here? How do Gigamon and deep observability fit into a whole larger than the sum of the parts?


Buckley: As you would imagine, we work with some of the best and leading system integrators and value-added resellers and other partners on a worldwide basis. They have the ability to take all the piece-parts and bring them together. When Gigamon is deployed successfully, we’re a fabric. We provide this pipeline of actionable intelligence to customers and to tools. And then there are other tools to take advantage of that.

The architectural design of the network is somewhat changed because we’re at the center. We’re the heartbeat that makes the networks and applications run. We work with a lot of the vendors to ensure that they bring the whole value chain together. They have the experience dealing with all of the security, application, performance, and networking tools so that they can interconnect it all in the appropriate way to optimize and protect the network traffic.


Partnerships within the channel and vendor community are super important. We work with many ecosystem vendors through joint marketing, by jointly entering global markets with better capabilities, and via joint events. In doing so, we can ensure that one plus one equals three -- or five or six. We do that on a regular basis.


Gardner: Shane, in conversations I have in the field, we often talk about the most important imperatives facing organizations. Security, best use of the cloud, understanding and controlling your data, and being better able to understand your customers to provide a better experience are all among the top concerns.


And one of the salient common elements among all of these is having better intelligence about what’s going on, both in the business operations and the IT systems, and then how to constantly improve them. It seems to me that deep observability is an essential core constituent in supporting an intelligence drive within any organization.


Do you see machine learning (ML) and other analytics capabilities evolving from the benefits of deep observability and the metadata that you’re providing?


Eliminate blind spots, increase intelligence


Buckley: I agree a billion percent with what you just said. Having the right information at the right time is incredibly important for professionals, whether you’re in security or elsewhere, to make the appropriate decisions to protect the organization. How many times do people say, “If only I knew; if it was only possible for me to see. I had no idea that they lay inside this application or this part of my network when I was compromised.”


The ability to eliminate blind spots so that the security team has the best possible opportunity to protect the infrastructure is of prominent importance. Make no mistake, this is a cat and mouse game. In 2021, 68 percent of US organizations were hacked, and ransomware was demanded. Some 50 percent of those had to pay the ransom. And in the cat and mouse game, the mouse is winning, not the cat.


Our job is to make sure that we slow the mouse down and give the cat an opportunity to catch it faster and protect the infrastructure. But it will continue to be that cat and mouse game because as soon as we -- and I mean the whole ecosystem, not just Gigamon -- put our systems together better, the bad folks figure out ways to compromise it. That’s just the way it is.


But by streamlining the information, by optimizing the information, and ensuring that we can provide absolutely the right information -- actual intelligence -- to the right tools at the right time, we minimize the chance that the mouse gets away.


Gardner: I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on how new advances in deep observability provide powerful access and knowledge about multi-cloud and mixed-network behaviors. And we’ve learned how a neutral deployment approach to observability that spans more infrastructure and services best protects and accelerates digital business value across nearly any cloud configuration.


A big thank you to our guest, Shane Buckley, President and CEO of Gigamon. Thank you, sir.


Buckley: Thank you very much, Dana.


Gardner: And a big thank you as well to our audience for joining this BriefingsDirect cloud complexity risk reduction discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host for this Gigamon-sponsored interview.


Thanks again for listening. Please pass this along to your IT operations and security communities, and do come back next time.


Listen to the podcast. Find it on iTunes. Download the transcript. View the video. Sponsor: Gigamon.


Transcript of a discussion on how new advances in deep observability provide powerful access and knowledge about multi-cloud and mixed-network behaviors. Copyright Interarbor Solutions, LLC, 2005-2022. All rights reserved.
