The Elisity Cognitive Trust platform provides rich policy and traffic telemetry while also offering effective search and filtering functionality for day two operations.
With Elisity, an administrator can monitor log-on/log-off events, visualize user/device/application traffic flows, troubleshoot policy consumption and violations, and quickly analyze system events and logs.
Cloud Control Center Overview
The overview page is a dashboard pre-populated with visibility widgets such as current active users and devices, traffic flow stats between assets, discovered applications, policy events, and much more. Data collected and displayed on the overview page is historical, and an administrator can select the time frame for displaying the information. Nearly everything on the overview page is interactive, and if selected, Cloud Control Center will go deeper and provide more details.
An administrator may find it helpful that the overview page indicates how many new users, devices, and applications have been discovered, in addition to showing high-level statistics on deployed policies, sites, and denied or unauthorized flows.
Clicking on any of the above sections takes you to a more detailed view of the collected data. Clicking on the link indicating the newly learned assets automatically filters the output on that page to focus on the new assets only.
Below the top bar, you will find a summary of active users, active devices, and a chart depicting traffic flows between assets. This section helps an administrator pinpoint who and what is currently using the network and which assets are potentially subject to policy enforcement.
Below this, you will find the output of discovered applications. Elisity leverages a robust deep packet inspection engine that can identify and categorize thousands of applications. With an Elisity enabled network, an administrator can know with certainty what applications are consuming network resources and seamlessly build policies to control who and what can access these applications. If a discovered application is not permitted on the network, Cloud Control Center can provide details on where it lives and who and what is using it.
Below the Applications Discovered section, you will find the Top Assets section, which provides even more network-level details around the consumption of applications and the activity of users and devices. The left side of the section allows an administrator to change the focus of the output to users, devices, or applications. Details such as data transferred, top peers, devices accessed, and application usage are displayed in this section, and an administrator can click any component of the section to dive deeper.
Finally, the Events section of the overview page on Cloud Control Center offers a high-level view of policy violations, unauthorized and denied flows.
Cloud Control Center Analytics
When it is time to drill deeper into the telemetry collected by Cloud Control Center, an administrator can navigate to the Analytics page to discover an abundance of data presented in an easily digestible format.
Four tabs are available on the analytics page: Overview, Conversation partners, Flow View, and Flow Records. We will go through each tab.
The Overview tab focuses on a holistic view of policy analytics and traffic telemetry from users, devices, and apps. The first graph details the number of flows with violation hits, active flows, completed flows, and more. When troubleshooting connectivity issues between assets on an Elisity network, violation hit details are valuable because they allow the administrator to quickly map policy to asset activity. For example, suppose a complaint comes in that a particular user cannot access specific resources. In that case, an administrator can promptly visualize which users are ramping up on policy violations and denied flows.
Clicking View Details creates a filter based on the selected user and opens the flow records for that user.
The second graph, called Top Assets, is the same output described for the Cloud Control Center Overview page.
The third graph is based on user-defined asset groups, displaying the top user, device, and application asset groups sorted by data usage. For example, in the following figure, the top application asset group is called Streaming, and the output further breaks down which assets make up the usage.
The last graph on the Overview tab provides details on which Elisity-enabled campus or cloud remote site is pushing the most traffic. Details around encrypted and unencrypted traffic will only be displayed if the remote Elisity Edge is actively forwarding across an Elisity data plane tunnel. Remember that the Elisity data plane is entirely optional for campus deployments and may not be leveraged in all Elisity Cognitive Trust protected networks.
Let’s move to the Conversation Partners tab and review the data presented. Cloud Control Center first displays Flow Count and Traffic Flow analytics in a matrix format. This matrix can show you the relationship between the assets in question. For example, the matrix can easily display the amount of user to app traffic, device-to-user traffic, app-to-app traffic, and so on. To ensure the dataset is manageable, it is advised to filter on a specific user, device, or application. Alternatively, you could build a custom filter in the advanced filtering options.
Clicking on any of the above device, user, or app figures creates a filter and displays details on that particular asset flow below. These details include source, destination, traffic count, and traffic data. This functionality allows an administrator to quickly narrow down conversations between specific assets in the Elisity secured network.
At the top of the Flow View tab, we can see a summary of the pertinent flow data across the Elisity secured network.
Selecting any one of these boxes filters the Flow Context section below it, helping the administrator focus during a troubleshooting session. Any flow displayed can be expanded to review granular details about the flow.
Below this section, you will find an Access Authorization matrix. This matrix displays the detailed authorized relationship between any combination of assets. Make sure to scroll horizontally within the grid to see the entire dataset.
You can also customize the output by selecting the asset relationship dropdown and choosing your focus.
Finally, the Flow Records tab provides nitty-gritty details on every single flow in the system. At the top, a summary of flow records over time is presented as a bar graph.
Below the summary, you will find a list of the flow details. By default, this includes Start and End Times, Source and Destination addresses, URL, Application Protocol and Ports, Traffic in bytes, and Source/Destination Nodes. Make sure to scroll horizontally within the list to see the entire dataset.
Many more columns of data can be added and removed by selecting the column modifier at the top right of the list.
Cloud Control Center Events
Elisity is hyper-focused on providing detailed information about the fabric, which includes fabric operations and faults.
After selecting the Events section of Cloud Control Center, the administrator is presented with an Events summary at the top of the page.
Selecting any one of these boxes filters the Events section below it, helping the administrator focus during a troubleshooting session. Any event displayed can be expanded to review granular details about the event. In the following example, a recently discovered device was processed and added to the inventory. After expanding the event, the administrator is presented with details on how the device was discovered and some of the attributes that were gleaned.
One of the most useful outputs in the Events section of Cloud Control Center is the Deny Flows output. This is usually the first place an administrator will go when troubleshooting user, device, or application connectivity issues, especially if there is a hunch that the issue is policy-related.
Cloud Control Center Logs
Finally, the Logs section of Cloud Control Center can be very useful for in-depth troubleshooting scenarios where the administrator needs the nitty-gritty details about operations occurring within the Elisity secured network.
The Audit Log tab offers details around users, devices, and apps being attached or detached from the network. This includes Initiator, Date, Component, Target, Action, and IP address. This information is useful when trying to correlate network events to who/what/when/where a user, device, or application joined or left the Elisity secured network.
Advanced administrators and Elisity technical support staff have the option to review the Cloud Center Log tab of the Event section to gather fabric-level operations and details.
Troubleshooting Elisity Cognitive Trust Policies
Cloud Control Center offers a considerable amount of information to help with troubleshooting both connectivity and policy effectiveness in an Elisity-secured network. A good place to start is the Traffic Flow Visualization Matrix. Here we can see observed traffic flows, including which protocol was observed and the number of flows, traffic flows blocked by policy, and what policy is in place, if any.
Clicking on any observed traffic shows the specific traffic flows that have been observed, and clicking Add Policy automatically creates a policy for the observed protocols, which you can then customize into a very granular policy.
Filtering Traffic Flows
Users can filter traffic flows to see the last hour, the last 24 hours, the last 7 days, or the last 28 days. The ability to filter traffic flows means that shortly after deploying new Policy Groups or implementing a new policy, administrators can filter down to the most recent traffic flows to get an accurate representation of how the devices in the Policy Group are interacting with the rest of the network, and how a policy change could have affected those traffic flows. Filtering for a longer period like 28 days gives admins a good idea of normal long-term traffic behaviors for established Policy Groups, simplifying policy decisions.
Below we can see the difference in traffic flows represented on the Traffic Flow Visualization Matrix if filtering for the last 24 hours vs filtering for the last 28 days.
Figure: Traffic Flow Visualization Matrix filtered by the last 24 hours.
Figure: Traffic Flow Visualization Matrix filtered by the last 28 days.
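To make the time-window filtering concrete outside the UI, here is an added example (not Elisity code) that applies the 1 hour / 24 hours / 7 days / 28 days windows to flow records with the columns the Flow Records tab lists, and compares denied flows between a recent window and the 28-day baseline. The CSV layout, the `action` column, and the sample rows are constructed assumptions, not an Elisity export format.

```python
"""Added example (not Elisity code): window filtering and denied-flow
summaries over flow records like those listed on the Flow Records tab."""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample. The CSV layout and the 'action' column are assumptions;
# the other columns mirror the defaults named for the Flow Records tab.
SAMPLE_CSV = """\
start,end,src,dst,app_proto,port,bytes,action
2024-05-01T08:00:00Z,2024-05-01T08:05:00Z,user:alice,app:fileshare,SMB,445,20480,allow
2024-05-01T08:10:00Z,2024-05-01T08:10:02Z,user:alice,app:fileshare,SMB,445,0,deny
2024-05-01T09:00:00Z,2024-05-01T09:00:01Z,dev:printer-1,app:update-svc,HTTPS,443,0,deny
2024-04-10T12:00:00Z,2024-04-10T12:30:00Z,dev:printer-1,app:update-svc,HTTPS,443,512000,allow
2024-04-20T12:00:00Z,2024-04-20T12:00:01Z,user:bob,app:fileshare,SMB,445,0,deny
"""
# Fixed "now" so the sample is reproducible; a live script would use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
# The four lookback windows the page describes for filtering traffic flows.
WINDOWS = {"1h": timedelta(hours=1), "24h": timedelta(hours=24),
           "7d": timedelta(days=7), "28d": timedelta(days=28)}

def parse_records(text):
    """Parse the CSV export into dicts with a tz-aware start time and integer bytes."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["start"] = datetime.strptime(r["start"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        r["bytes"] = int(r["bytes"])
    return rows

def in_window(records, window, now=NOW):
    """Keep only flows that started within the chosen lookback window."""
    cutoff = now - WINDOWS[window]
    return [r for r in records if r["start"] >= cutoff]

def denied_summary(records):
    """Count denied flows per (source, destination, app protocol), the way the Denied Flows view groups them."""
    return Counter((r["src"], r["dst"], r["app_proto"])
                   for r in records if r["action"] == "deny")

def compare_windows(records, short_w="24h", long_w="28d", now=NOW):
    """Denials seen in the long baseline but not in the recent window (or vice versa)
    show where a recent policy change altered behaviour."""
    recent = denied_summary(in_window(records, short_w, now))
    baseline = denied_summary(in_window(records, long_w, now))
    return {"recent": recent, "baseline": baseline,
            "only_in_baseline": sorted(set(baseline) - set(recent))}

if __name__ == "__main__":
    for key, n in compare_windows(parse_records(SAMPLE_CSV))["recent"].items():
        print(f"denied x{n}: {key}")
```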
As more data is learned, policy should be continually revised and improved. New traffic flows, devices, user groups, processes, and added connectors can all require revision and improvement of policy groups and policy. Continually tightening and hardening network segmentation is important as attack vectors continually grow, and cyber attacks find new mediums to exploit network vulnerabilities.
Another great place to start is the Policy section, as it provides a quick summary of Policy Hits and Violations. These counters increase when a traffic flow matches the policy and when a flow violates the policy's security profile. If an administrator is troubleshooting a newly deployed policy, they can quickly confirm whether the policy is being matched and enforced at all before looking at anything else. On this same page, an administrator can immediately confirm whether a policy has been saved or fully deployed.
To get further information about the Policy Hits and Violations, click the name of the policy to be presented with its details. At the top is a summary of the policy statistics and intent. The Assets, Rules, and Violations counters are shortcuts to the respective sections further down the page. A high-level visual of policy intent is also displayed, including the source and destination, direction, and protocol.
The security profile rules for both application and protocol are presented below the summary.
The metrics section below is highly valuable to an administrator as it presents data on which assets in the network were matched as a part of the policy matching criteria, who and what violated the policy, and who and what hit the policy. This could be one of the first places to look when trying to troubleshoot a user, device, or application not adhering to a deployed policy or troubleshooting actions enforced by a policy.
First, check whether the asset you are trying to protect actually appears in the Assets list output.
If it does, check the Violations tab to see whether it has violated the policy. The violation count, start time, and end time are also presented.
Then, to confirm whether the expected traffic flow is hitting the policy, check the Hits tab. This tab displays the source and destination of the flow, the traffic type, and the enforcement action taken by the system.
Lastly, when troubleshooting Elisity policy, if the exact user, device, or application in question is known, an administrator can learn a lot from the respective section in Cloud Control Center. For example, navigate to the User section and select a specific user to display additional policy details focused on that user.
Once the user is selected, scroll to the bottom of the page to display Denied Flows, Violations, Policies, Peers, and Login Activities. This should be everything an administrator needs to troubleshoot a connectivity or policy enforcement issue effectively.
Denied Flows lists the source (the selected user), the destinations and application protocols that were denied, and when the denial action took place.
Violations shows which device the user was logged into when the violation occurred and how much data was transferred.
Policies describes which deployed Elisity policies are in effect for this user and device.
Peers provides a Sankey chart that visualizes the source and destination flows and the amount of data transmitted.
Lastly, Login Activities offers a log of when and where the user or device logged on to and off of the Elisity secured network.