Cisco Digital Network Architecture (Cisco DNA) analytics is the discovery and communication of business insights through the exploration of data from various sources that attach to the network.
Are you looking to find answers to questions such as the following?
How can I leverage the information that traverses the network to improve my user experience?
Is my network secure and compliant with the applicable regulations?
What is the “normal” behavior for my applications?
What are the performance levels of my network end to end?
If so, then you need to collect, correlate, and analyze a lot of data and present it in such a way that it becomes useful and actionable. This is what analytics helps you to achieve.
This chapter introduces network analytics in the context of Cisco DNA. It explains the following:
The definition of analytics
The value of analytics
Network analytics as a Cisco DNA component
The term “analytics” is overused and applies to different disciplines besides IT and networking. It’s becoming a buzzword and means different things to different people. So let’s start by defining “analytics” to set a common ground and eliminate ambiguity.
Analytics is commonly defined as the discovery, interpretation, and communication of meaningful patterns in data.
Analytics is definitely about the data and may actually involve a lot of it, to the point that it is often presented as a Big Data problem; but that is not enough to fully describe it.
Analytics is first of all the discovery of data, because you cannot measure what you don’t see.
Analytics is also the interpretation and correlation of data: digging through the information from different data sources and correlating it in a way that makes you discover the embedded value.
How many times have you looked through hundreds of lines of syslog output and were not able to identify the relevant messages you were really looking for? Or maybe your network is experiencing a peak in Dynamic Host Configuration Protocol (DHCP) requests and AAA login sessions; this could be a symptom of a security attack or an issue in the network, but if this happens in a university at 8 a.m., then it’s absolutely normal and you should not get a notification. A famous 19th-century American mathematician, John Tukey, explains it very well: “The greatest value of a picture is when it forces us to notice what we never expected to see.”1 This is exactly what analytics is supposed to do: extracting the value from the data.
1 John Tukey, Exploratory Data Analysis (Reading, MA: Addison-Wesley, 1977).
Finally, analytics is about the communication of the discovered meaningful patterns. It is about presenting the data in such a way that it becomes useful and actionable. Giving you access to the information you want is a first great step, but making that same data actionable is the main goal of analytics. This is how analytics ultimately enables assurance to verify that the business intent has been conveyed. If it has not, then assurance automates the necessary changes to remediate.
The general definition of analytics is now clear. More specifically focusing on IT and networking, network analytics is the process of extracting data from the network and correlating it to identify anomalies, derive insights, and enable data-driven decisions.
Referring to an IT industry definition and considering how the derived information can be used, network analytics may be represented by three different categories:
Operations analytics: Applying analytics to large data sets for IT operations to extract unique business insights. Examples are security threat detection and compliance, network performance, and user and application profiling.
IoT analytics: The processing and analyzing of data from multiple IoT sensors that attach to the network.
Business analytics: The use of the network information combined with social media and business-relevant data to extract business and customer insights.
If you consider the possible sources of information, network analytics is also defined through the following extended set of categories:
Infrastructure analytics: This refers to the analysis of the information extracted from the network devices themselves (switches, routers, firewalls, access points, etc.).
Endpoint analytics: Gaining information from the end devices (IoT sensors, video cameras, badge readers, etc.) attached to the network contributes greatly to the overall knowledge of the network and its performance.
Application analytics: Application profiling information is crucial to verify, for example, that SLAs are being met or to characterize traffic patterns.
User analytics: This is about gaining visibility into the user context, including authentication, authorization, and movement information, and correlating it with traffic patterns.
Policy analytics: This involves gaining insights into how the Cisco DNA policies get applied throughout the network.
Cisco DNA Analytics is the Cisco implementation of network analytics that leverages the Cisco network as an incredible source of information. Just think about it: the network connects everything (users, devices, applications, and processes) and transports all the information that these assets produce. The network is the ideal place to get insights.
Cisco DNA Analytics gathers data from all the categories just mentioned. Single data source visibility and reporting is good, but not adequate for solving complex problems. Most of the analytics solutions available today just look at one of these data sets and provide a silo solution. The real value-add of Cisco DNA Analytics is the correlation of the multiple data sources; this is what transforms network data into actionable insights that help customers make business decisions, reduce operating expenses (OPEX), and create accurate forecasts.
Analytics represents both opportunities and challenges, as represented in the following scenarios:
The new connection of people, process, data and things—The Internet of Everything (IoE)—is dramatically changing the role of information in today’s organizations and represents a tremendous opportunity: examining this data can yield critical insights into user behavior, security risks, capacity consumption, network service levels, fraudulent activity, customer experience, and much more.
On the other side, the IT infrastructure, the user devices, and the applications generate massive streams of data every second of every day, in an array of unpredictable formats that are difficult to process, analyze in a timely manner, and secure by traditional methods.
That’s why network analytics is an extremely interesting topic in the IT world today and a central component of the Cisco DNA architecture. How to leverage the benefits of network analytics while overcoming the related challenges is made clear in this and the subsequent chapters of the book dedicated to Analytics.
Networks are changing very rapidly with the adoption of new technologies and solutions to support constantly evolving customer requirements. Similarly, network analytics has undergone a fast evolution represented by the following three phases:
Network analytics 1.0
Network analytics 2.0
Network analytics 3.0
Back in the 1990s, the initial phase (1.0) performed the network analysis on well-known structured data such as Simple Network Management Protocol (SNMP) Management Information Base (MIB) or NetFlow records. The data was stored in traditional data warehouses and the business intelligence was extracted and consumed in terms of hours or days.
As analytics entered the 21st century, a new phase emerged (2.0) where unstructured data was added to the collection of information. Unstructured data includes, for example, information in the form of syslog messages from a network device or a raw stream of metrics from multiple sensors attached to the network. This phase involves hauling large amounts of data to a back-end infrastructure, where that data is analyzed and processed. In general, the larger the volume, the better, as more data may yield more insights than less data. Much of the research and development in this phase was focused on making sure data processing scales well and can keep up with the volume of information. This is the phase of Big Data platforms where important technologies such as MapReduce algorithms2, Hadoop3, Hive4, and Kafka5 have made it possible to retrieve business insights in terms of minutes.
2 https://hadoop.apache.org/docs/r1.2.1/mapred_tutorial.html
Starting from 2010, phase 3.0 represents the introduction of distributed network analytics, where the analysis is conducted closer to the source of the data, which is often at the edge of the network. In some cases (imagine an oil platform in the middle of the ocean, for example), moving massive amounts of data to centralized data stores requires huge bandwidth and hence is impractical. Also, changes are happening very fast and data loses value over time, so the analysis needs to be performed as close to the source as possible. This phase is characterized by the need for very quick access to data: insights need to be available in terms of milliseconds.
Historically there have been two main approaches to adopting analytics:
Reactive analytics
Proactive analytics
Reactive analytics is the basic approach. When something happens, you get the data, analyze it, and then take action. This is “after the fact” analysis and it’s the typical methodology of a technical assistance service.
Proactive analytics takes a different approach. You use multiple sources of data to analyze a particular problem and correlate them to gain insights. This correlation gives you more valuable information and helps you better identify the root cause of the problem. For example, it is one thing to have information about a particular network flow (source and destination IP addresses); adding to this the user credential, the time of day, and the location from which the flow was generated gives a much clearer picture of what’s happening in your network.
Proactive analytics may also mean running sophisticated algorithms (machine learning) to build models of the network behavior, predict what can happen, and take preemptive actions. An example is studying the traffic patterns over multiple WAN links on a router and preemptively configuring a traffic-shaping rule to avoid network congestion. Another important use case is analyzing the end-to-end user throughput: leveraging machine learning, traffic is modeled and a baseline is created so that deviation from this “normal traffic” is detected and notified. Based on this information, the network administrator can take action to anticipate the problem or prevent it from happening again. Given its capability of implementing corrective action before the problem actually happens, this approach is also preemptive. Cisco DNA Analytics refers to this approach simply as “proactive” to differentiate it from a reactive one.
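The baselining idea described here, and the earlier university example of a DHCP request peak that is normal at 8 a.m. but suspicious at night, can be made concrete with a time-of-day baseline. The following is an added illustration, not code from the book or from Cisco DNA Analytics: the hourly DHCP request counts are constructed, the per-hour mean/standard-deviation model and the 3-sigma threshold are assumptions chosen for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history: (day, hour, dhcp_requests) for a campus-style network,
# 14 days of hourly counts. Mornings surge as students arrive around 8 a.m.
HISTORY = []
for day in range(14):
    for hour in range(24):
        if 8 <= hour <= 9:
            count = 900 + (day % 3) * 40      # legitimate morning peak
        elif 10 <= hour <= 18:
            count = 400 + (day % 4) * 25      # daytime steady state
        else:
            count = 40 + (day % 5) * 4        # quiet night hours
        HISTORY.append((day, hour, count))


def build_baseline(history):
    """Per-hour-of-day baseline: hour -> (mean, population stdev)."""
    per_hour = defaultdict(list)
    for _day, hour, count in history:
        per_hour[hour].append(count)
    return {h: (mean(v), pstdev(v)) for h, v in per_hour.items()}


def zscore(baseline, hour, count, min_sigma=10.0):
    """Standard deviations above the baseline for this hour of day.
    min_sigma floors a near-flat history so that tiny jitter is not
    scored as a huge deviation (a common z-score false-positive trap)."""
    mu, sigma = baseline[hour]
    return (count - mu) / max(sigma, min_sigma)


def is_anomalous(baseline, hour, count, threshold=3.0):
    """True when the observation exceeds the hour's norm by more than threshold sigma."""
    return zscore(baseline, hour, count) > threshold


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    # Same absolute volume at two different hours: only the 3 a.m. one should alert.
    for hour, count in [(8, 950), (3, 950)]:
        print(hour, count, round(zscore(baseline, hour, count), 1),
              is_anomalous(baseline, hour, count))
```

The same 950 requests are scored against the 8 a.m. baseline (normal) and the 3 a.m. baseline (anomalous); a single global threshold on raw counts could not make that distinction.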
Today customers are mostly using a reactive approach, but they need to shift to more advanced analytics if they want to extract knowledge from the collected data and support their business strategy. This is what Cisco DNA Analytics provides.
Network analytics has also evolved to become more and more critical to business processes. The next section addresses two very simple but important questions: Why implement Cisco DNA Analytics? What is the value from a business perspective?
As customers embark on a transformational journey to building a digital business, their networks need to evolve to respond to new requirements. Cisco DNA Analytics is a key enabler for this evolution and a critical component of any modern network architecture.
Let’s examine the main customer business requirements and how Cisco DNA Analytics contributes to fulfilling them:
Faster innovation: The network needs to enable faster innovation by delivering deep insights into users’ behaviors, applications, and security threats, so that the business can take immediate action to optimize factors such as network performance, employee productivity, customer experience, and daily processes.
Lower TCO: IT is being asked to sustain the increasing demand in terms of devices joining the network, applications, and services, while reducing cost and complexity. Cisco DNA Automation and Assurance come to the rescue. Through the Cisco DNA Controller, Automation allows IT to define the business intent and automatically deploy it in the network. But it’s then Cisco DNA Analytics that extracts the right telemetry from the network and enables Assurance to verify that the business intent was delivered. If it was not, then Assurance automates the necessary changes to remediate.
Security and compliance: The network may act as a sensor and analyze all the traffic flowing through the network devices to rapidly detect and mitigate threats. Once again, Analytics plays a key role in providing the necessary information to then take the right action.
Cisco DNA Analytics also helps to overcome main technical challenges for IT with the following elements:
Data discovery: Over time the network has grown complex, and just using SNMP-based analytics is no longer sufficient. IT administrators need more data and they need it fast.
Data interpretation: As the industry embraces software-defined networking (SDN) and moves to centralized, software-defined network control, IT needs holistic and accurate data to make centralized decisions.
Data communication: Because mobility and cloud technologies increase the attack surface of businesses, eliminating the network perimeter, IT needs the security insights from the network to detect anomalies and mitigate possible threats.
In a nutshell, to respond to all the challenges of a digitized business, you need information; more specifically, you need a lot of data, you need the data to be accurate, and you need it fast. This is what Cisco DNA Analytics delivers and that’s why it’s a critical component of Cisco DNA.
Cisco DNA provides the foundation for digital transformation and Cisco DNA Analytics is a key building block of the architecture that allows fulfilling the customer business requirements described earlier.
Cisco DNA Analytics achieves this by enabling three important benefits of the Cisco DNA architecture: closing the Cisco DNA Assurance loop, gaining critical network insights, and increasing security through real-time and dynamic threat defense. As illustrated in Figure 15-1, Analytics plays an important and horizontal role in Cisco DNA. First, it provides the necessary telemetry to Cisco DNA Center and Assurance in order to verify whether the business intent was met. Second, it extracts important information about the wired and wireless devices and the end-to-end user experience, which helps the administrator effectively monitor and troubleshoot the network. Last but not least, Cisco DNA Analytics provides relevant data that enables the network itself to behave as a sensor and hence increases the visibility of possible security threats.
The chapters that follow go into the details of the different components of Cisco DNA Analytics. Chapter 16, “Cisco DNA Analytics Components,” discusses the different Analytics components, including Instrumentation and Telemetry, so it explains how to extract information from the network (Instrumentation), and how to efficiently send it to a remote platform for further processing (Telemetry). Chapter 17, “Cisco DNA Analytics Engines,” introduces and describes how Cisco DNA Analytics leverages unsupervised machine learning, behavior analysis, and intelligent algorithms to provide smarter data.
Cisco DNA Analytics is a critical component of the Cisco DNA architecture as it enables other important functions like Assurance. Later in the book, Chapter 21, “Cisco DNA Analytics and Assurance,” explains how important Cisco DNA Assurance is to “close the loop”: with Cisco DNA Automation you are able to express business intent and apply it to the network. Analytics extracts the relevant information from the network and enables Assurance to verify that the business intent has been delivered. This is the “circle of life” of the Cisco DNA architecture, and this is what brings value to the customers.
Cisco DNA Analytics is the process of correlating data and extracting meaning to identify anomalies, derive insights, and enable data-driven decisions. Analytics enables Assurance to verify that the business intent, implemented through Automation, has been actually conveyed.
The chapter introduced the following:
The concept of analytics, starting with a common definition
A brief history of analytics and its evolution
Introduction to Cisco DNA Analytics: the reasons why Analytics is important in any modern network architecture and the role it plays as a key component of Cisco DNA