Introduction to ClearPass Device Insight
Viswesh Ananthakrishnan, Senior Director, Product Mgmt.
2019 September
2@ArubaAPAC | #ATM19APAC
ARUBA SECURITY USER/DEVICE LIFE CYCLE
Aruba 360 Security
Authorize
Respond
Enforce
Act on attacks with a wide range of policy actions
Detect attacks with a range of analytics
IT access based on user/device attributes
Visibility through profiling and classification
ClearPass Device Insight
Monitor
Discover
CURRENT CHALLENGES IN DEVICE VISIBILITY
IT/Security teams lack visibility into devices on the network, such as factory controllers and medical equipment
Current toolset fails to adequately address visibility and IoT use cases
Volume, variety and the innovation of “things” means manual approaches cannot keep pace
Without comprehensive visibility, effective security and compliance are not possible
HALF OF ENTERPRISE STRUGGLING TO SECURE IOT
Source: Ponemon Institute
CLEARPASS DEVICE INSIGHT OVERVIEW
Reduces Risk by Eliminating Blind Spots through DPI-based discovery and profiling of devices
Automatically Clusters Unknown Devices and recommends classification using advanced machine learning and crowdsourcing intelligence
Ensures Secure Access via seamless integration with ClearPass Policy Manager
TRADITIONAL PROFILING TECHNIQUES LACK DEVICE CONTEXT
STATIC ATTRIBUTES
NMAP | SNMP | WMI
GENERIC “WINDOWS” OR “LINUX” DEVICE
CLEARPASS DEVICE INSIGHT: FROM GENERIC TO GRANULAR DEVICE VIEW
WINDOWS DEVICE
AXIS DEVICE
AXIS SECURITY CAMERA
AXIS Q35 NETWORK CAMERA
DEEP PACKET INSPECTION (DPI)
BEHAVIORAL ATTRIBUTES
APPLICATIONS
WEB SITES
PORTS
PROTOCOLS
CROWD-SOURCING
MACHINE LEARNING
TRADITIONAL PROFILING TECHNIQUES ARE PRONE TO MISCLASSIFICATIONS
STATIC ATTRIBUTES
MAC OUI | DHCP
Device Category: AP
Device Family: Motorola
Device Name: Motorola AP
TRADITIONAL PROFILING TECHNIQUES ARE PRONE TO MISCLASSIFICATIONS
STATIC + DYNAMIC ATTRIBUTES
MAC OUI | DHCP | TCP attributes
"dst_conns": [
  "10.31.22.26:3613:tcp",
  "alrsprd.sharp.com:3613:tcp",
  "SOCALARISPRD.shcsd.sharp.com:3613:tcp",
  "socalarisprd.shcsd.sharp.com:3613:tcp"
],
"dst_hosts": [ "alrsprd.sharp.com" ],
"mac_oui": [ "001723" ],
"mac_vendor": [ "Summit Data Communications" ],
"ports": [ "49160", "49161", "49162", etc.]
Device Category: Medical Device
Device Family: Alaris
Device Name: Alaris Infusion Pump
CLASSIFIES UNKNOWN DEVICES
Device Attributes
IP/MAC Address
Application Access
Communication Protocols
Communication Frequency
Deep Packet Inspection (DPI)
MACHINE LEARNING
CROWDSOURCING
Drilling Down into Device Attributes
Discovered Devices
Classify known devices with fingerprints
Classification based on static, flow and behavior based attributes
Checks for Fingerprint
Device Identified and Labeled
ML-based Clustering & Classification
Utilizing Machine Learning for Unknown Devices
Topic Modelling - Latent Dirichlet Allocation
What kind of a document is this?
How many genes does an organism need to survive? Last week at the genome meeting here, two genome researchers with radically different approaches presented complementary views of the basic genes needed for life. One research team, using computer analysts to compare known genomes, concluded that today’s organisms can be sustained with just 250 genes, and that the earliest life forms required a mere 128 genes. The other research mapped genes in a simple parasite and estimated that for this organism, 800 genes are plenty to do the job – but that anything short of 100 wouldn’t be enough.
Although the numbers don’t match precisely, those predictions “are not all that far apart” especially in comparison to the 75,000 genes in the human genome, notes Siv Anderson of Uppsala University in Sweden, who arrived at the 800 number. But coming up with a consensus answer may be more than just a genetic numbers game, particularly as more and more genomes are completely mapped and sequenced. “It may be a way of organizing any newly sequenced genome,” explains Arcady Mushegian, a computational molecular biologist at the National Center for Biotechnology Information (NCBI) in Bethesda, Maryland. Comparing an ..
Topics and their words:
Biology: gene 0.04, dna 0.02, genetic 0.01
Computer: number 0.01, computer 0.01, information 0.03
Living: organism 0.04, survive 0.02, life 0.01
Topic Modelling - Latent Dirichlet Allocation
Classification using topic distribution within a document
Document 1 | Document 2 | Document 3 | Document 4
Mostly about Computers | Mostly about Biology
Behavior features separate IOT iPads from BYOD iPads
Aruba US IT - iPad
iPads classified by Rules
120 devices
Labels:
74% Apple iPad (89)
26% Apple iOS Device (31)
Cluster characteristics:
Significant traffic:
types: amazon_aws, apple, cloudflare, http2, ntp
destinations: 104.20.254/24, 104.20.255/24
domains: apple.com
Vendor: Apple
Floors 1-5 wall iPads | BYOD iPads
Separate clusters emerge for IOT vs non-IOT behavior
Topic 50, Topic 48, Topic 108, Topic 168, Topic 150
6th floor IOT iPads
Topic 50
Topic 150
cnn_tx_dyn 22x, google_tx_dyn 21x, cnn_rx_dyn 21x, google_rx_dyn 20x, apple_location_tx_dyn 12x, apple_location_rx_dyn 12x, indexexchange_rx_dyn 8x, krux_tx_dyn 7x, icloud_tx_dyn 7x, http2_tx_dyn 7x, krux_rx_dyn 7x, google_tags_rx_dyn 7x, outbrain_tx_dyn 7x, outbrain_rx_dyn 7x, http2_rx_dyn 7x, optimizely_rx_dyn 7x, optimizely_tx_dyn 7x, icloud_rx_dyn 7x, indexexchange_tx_dyn 7x, google_tags_tx_dyn 7x, apple_rx_dyn 6x, apple_tx_dyn 6x
browser_family:Chrome_ua_stat 6x, browser_family:Safari_ua_stat 3x
MSFT 5.0_op60_stat 15x
Hon Hai Precision Ind. Co.,Ltd._macoui_stat 50x
40% - App ID
10% - Dest IP
20% - DHCP fingerprint
10% - MAC vendor
10% - User_agent
10% - DNS domains
Device document (mac = 9cd21eafdeef)
Clustering devices
Clustering: per-tenant hierarchical clustering using Euclidean distance on the LDA features
[Figure: example LDA feature vectors, one per device]
Clustering Enables Easy Labeling of Devices
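The clustering step from these slides, as an added example that is not Aruba's code: it runs agglomerative (hierarchical) clustering with Euclidean distance over per-device feature vectors, and shows that same-vendor iPads separate only when behavioral tokens are included. Assumptions: weighted token frequencies stand in for the LDA topic features, the slide's percentages are treated as per-group weights, and all device names and counts are constructed.

```python
from math import dist

# Slide's feature-group percentages, treated here as weights (assumption).
WEIGHTS = {"app": 0.4, "dhcp": 0.2, "dst_ip": 0.1,
           "mac_vendor": 0.1, "user_agent": 0.1, "dns": 0.1}

# Constructed device documents: feature group -> {token: times observed}.
DEVICES = {
    "wall-ipad-1": {"app": {"apple": 8, "ntp": 4, "amazon_aws": 6},
                    "dns": {"apple.com": 5}, "mac_vendor": {"Apple": 1}},
    "wall-ipad-2": {"app": {"apple": 7, "ntp": 5, "amazon_aws": 5},
                    "dns": {"apple.com": 4}, "mac_vendor": {"Apple": 1}},
    "byod-ipad-1": {"app": {"apple": 6, "google": 20, "cnn": 22, "icloud": 7},
                    "dns": {"apple.com": 2, "cnn.com": 9},
                    "mac_vendor": {"Apple": 1}, "user_agent": {"Safari": 3}},
    "byod-ipad-2": {"app": {"apple": 5, "google": 18, "cnn": 15, "icloud": 6},
                    "dns": {"apple.com": 3, "cnn.com": 8},
                    "mac_vendor": {"Apple": 1},
                    "user_agent": {"Safari": 2, "Chrome": 2}},
}

def vectorize(devices, groups=WEIGHTS):
    """Weighted, per-group-normalised token vector for each device."""
    vocab = sorted({(g, t) for doc in devices.values()
                    for g, toks in doc.items() if g in groups for t in toks})
    vectors = {}
    for name, doc in devices.items():
        totals = {g: sum(toks.values()) for g, toks in doc.items()}
        vectors[name] = [WEIGHTS[g] * doc.get(g, {}).get(t, 0) / (totals.get(g) or 1)
                         for g, t in vocab]
    return vectors

def cluster(vectors, max_distance):
    """Average-linkage agglomerative clustering on Euclidean distance."""
    clusters = [[name] for name in sorted(vectors)]

    def linkage(a, b):
        pairs = [(x, y) for x in a for y in b]
        return sum(dist(vectors[x], vectors[y]) for x, y in pairs) / len(pairs)

    while len(clusters) > 1:
        d, i, j = min((linkage(clusters[i], clusters[j]), i, j)
                      for i in range(len(clusters))
                      for j in range(i + 1, len(clusters)))
        if d > max_distance:
            break  # nearest remaining clusters are too dissimilar to merge
        clusters[i] += clusters.pop(j)
    return sorted(sorted(c) for c in clusters)

if __name__ == "__main__":
    print(cluster(vectorize(DEVICES), 0.2))                  # behaviour included
    print(cluster(vectorize(DEVICES, {"mac_vendor"}), 0.2))  # static vendor only
```

With only the static `mac_vendor` group every device collapses into one cluster, which is the misclassification risk the earlier slides attribute to static-only profiling.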
ARCHITECTURE OVERVIEW
On-premises data collector (appliance or virtual) and cloud-based analyzer
Through Deep Packet Inspection (DPI), device attributes are extracted and metadata is sent to the cloud for analysis
Campus | Branch
DEVICE INSIGHT ANALYZER
CLOUD PLATFORM
Device Insight Virtual Collector
Device Insight Hardware Collector
Device Insight Virtual Collector*
Device Insight Hardware Collector*
* roadmap
CLOUD-ENABLED COMMUNITY CROWDSOURCING
Customer labels a device using clusters or rules
Aruba receives the signature when rules were used to label
Signature is tested and validated
Signature is made available for use by all customers
CLEARPASS POLICY MANAGER AUTOMATES SECURE ACCESS
ClearPass Device Insight: ENHANCED DISCOVERY / PROFILING
Bi-Directional Data Exchange
ClearPass Policy Manager: AUTOMATED SEGMENTATION AND ENFORCEMENT
Multi-Vendor Switching
Multi-Vendor WLANs
Internet of Things (IoT)
BYOD and Corporate Owned
40% of the Global 500
140+ Ecosystem Partners
PORT-BASED | DYNAMIC ROLE-BASED
Static
Camera port
Printer port
PoS port
Manual configuration of ACLs, VLANs, QoS
Automate configurations with context
PCI-compliant
Hard to scale for device type and quantity across multiple sites
Dynamic
Flatten configurations at high scale based on user, device, app
ENFORCED BY DYNAMIC SEGMENTATION
IOT IN HEALTHCARE
ClearPass Device Insight: ENHANCED DISCOVERY / PROFILING
ClearPass Device Insight: ENHANCED DISCOVERY / PROFILING
IOT IN RETAIL
ZEBRA
SES
HOW WE’RE DIFFERENT
CONTINUAL INNOVATION IN CONNECTIVITY, SECURITY, AND AI
COMPLETE VISIBILITY ACROSS THE ENTIRE INFRASTRUCTURE
AUTOMATED, MACHINE LEARNING-BASED DISCOVERY AND PROFILING
DYNAMIC ROLE-BASED ACCESS CONTROL
DEMO
Questions?
Thank You