$10,000 phantom app & playbook contest - f5 and cisco meraki

Post on 13-Jan-2017


Joel W. King
Engineering and Innovations - Network Solutions, World Wide Technology, Inc.

joel.king@wwt.com

2016 Phantom Cyber, Proprietary and Confidential,

Goal

How did we get here?

Focus on ‘Why’ rather than ‘What’

Data Ingest

F5 App

Meraki App

Key Take-aways


whoami

Past Experience
NetApp: Digital Video Surveillance | Big Data | E-Series
Cisco: Enterprise Systems Engineering (ESE), Cisco Validated Designs (CVDs)
AMP Incorporated: Network Architect | CCIE No. 1846 (retired)

Joel W. King

joel.king@wwt.com
@joel_w_king
github.com/joelwking
www.linkedin.com/in/programmablenetworks

World Wide Technology

Headquartered in St. Louis, Missouri
2015 revenue: $7.4 billion
Integration labs in the U.S. and Europe
2 million+ square feet of warehousing, distribution and integration space
3,000+ professionals
500+ engineers and technical resources
Business classification: Minority Business Enterprise (MBE)
Ownership: Privately held

Why the Interest in Automation?

feature nx-api (the NX-OS command that enables the NX-API interface on Nexus 3000 | 9000)

Nexus 9000 ACI

APIC-EM

Why Start with Ingesting Data via REST API?

Prior experience with REST API calls

Provided a means to begin learning the architecture and lexicon:

Container

Artifact

Playbooks

Asset

Owners

CEF

Test data for apps and Playbooks

IP Phone Metadata collection: REST Ingest to Phantom

Diagram labels: VoIP RemoteAddr | REST API | Phantom Server | SOHO – RTP NC | Advanced Technology Center

>python meta_data_collection.py
Usage:
python meta_data_collection.py <phone_ip_address> <token>

>python meta_data_collection.py 192.168.0.4 JWa4redactedRG2g=
Created container: 7 and artifact: 4

PhantomIngest.py: class and methods to abstract creating a container and artifacts

https://github.com/joelwking/Phantom-Cyber/tree/master/REST_ingest

import PhantomIngest as ingest
from basic_test_constants import *
#
# Initialize class
#
p = ingest.PhantomIngest(params['host'], params['token'])
#
# Create container
#
kontainer = {"name": "Cras_scelerisque", "description": "characters bear no relation to living persons"}
container_id = p.add_container(**kontainer)
#
# Create artifact
#
art_i_fact = {"name": "Lorem Ipsum", "source_data_identifier": "IR_3458575"}
cef = {'sourceAddress': '192.0.2.1', 'sourcePort': '6553'}
meta_data = {"mock content": "Nunc in a velit eu, risus fusce leo ligula"}
artifact_id = p.add_artifact(container_id, cef, meta_data, **art_i_fact)
#
# Report the last REST response (parenthesised so it runs under Python 2 and 3)
#
print("%s \n%s \n%s" % (p.message, p.status_code, p.content))
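The two slides above (the meta_data_collection.py run and the PhantomIngest.py snippet) show the shape of a REST ingest but not what goes over the wire. The following is an added example, not the PhantomIngest.py from github.com/joelwking/Phantom-Cyber, written to show the same container-then-artifact flow end to end. Assumptions: Phantom's POST /rest/container and POST /rest/artifact endpoints authenticated with the ph-auth-token header, and a {"id": N, "success": true} reply, as the Phantom REST API documents them; the phone metadata dictionary and the FakePhantom transport are constructed so the block runs offline, with the same ids (7 and 4) the slide's run printed.

```python
"""Phantom REST ingest: create a container, then an artifact carrying CEF fields.

Added example, not PhantomIngest.py from github.com/joelwking/Phantom-Cyber.
Assumptions, labelled: POST /rest/container and POST /rest/artifact with the
'ph-auth-token' header (Phantom REST API); the phone metadata is constructed.
"""
import json
import ssl
import urllib.request


class PhantomIngest:
    """Thin client: one container per event source, artifacts hung off it."""

    def __init__(self, host, token, post=None, verify_tls=True):
        self.base = "https://%s/rest" % host
        self.headers = {"ph-auth-token": token, "Content-Type": "application/json"}
        self.verify_tls = verify_tls            # appliances often run self-signed certs
        self._post = post or self._http_post    # injectable, so tests run offline
        self.status_code = None
        self.content = None

    def _http_post(self, url, payload):
        ctx = ssl.create_default_context()
        if not self.verify_tls:                 # explicit opt-out, never the default
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                     headers=self.headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, json.loads(resp.read().decode())

    def _call(self, path, payload):
        self.status_code, self.content = self._post(self.base + path, payload)
        # Phantom answers {"id": N, "success": true}; anything else is a failed ingest.
        if self.status_code != 200 or not self.content.get("success", False):
            raise RuntimeError("ingest to %s failed: %s %s"
                               % (path, self.status_code, self.content))
        return self.content["id"]

    def add_container(self, name, description="", label="events"):
        return self._call("/container",
                          {"name": name, "description": description, "label": label})

    def add_artifact(self, container_id, cef, data, name, source_data_identifier):
        return self._call("/artifact",
                          {"container_id": container_id, "name": name, "cef": cef,
                           "data": data, "source_data_identifier": source_data_identifier})


# Constructed sample of what a phone-metadata scrape might return (not real phone output).
SAMPLE_PHONE_METADATA = {"RemoteAddr": "192.0.2.50", "Codec": "G.722", "Jitter": "2"}


def ingest_phone_metadata(client, phone_ip, metadata):
    """One container per phone; the collected metadata becomes one artifact.

    CEF keys are what playbooks filter on, so the phone and its RTP peer go there;
    the rest of the scrape rides along unchanged in the artifact's data field.
    """
    container_id = client.add_container("IP phone %s" % phone_ip,
                                        description="Metadata collected from the phone")
    cef = {"sourceAddress": phone_ip}
    if metadata.get("RemoteAddr"):
        cef["destinationAddress"] = metadata["RemoteAddr"]
    artifact_id = client.add_artifact(container_id, cef, metadata,
                                      name="phone metadata", source_data_identifier=phone_ip)
    return container_id, artifact_id


class FakePhantom:
    """Offline stand-in for the Phantom server: records payloads, hands out ids."""

    def __init__(self):
        self.calls = []
        self.ids = {"/container": 7, "/artifact": 4}   # the ids the slide's run printed

    def __call__(self, url, payload):
        path = url[url.rindex("/"):]
        self.calls.append((path, payload))
        return 200, {"success": True, "id": self.ids[path]}


def demo():
    fake = FakePhantom()
    client = PhantomIngest("phantom.example.net", "redacted-token", post=fake)
    container_id, artifact_id = ingest_phone_metadata(client, "192.168.0.4",
                                                      SAMPLE_PHONE_METADATA)
    print("Created container: %d and artifact: %d" % (container_id, artifact_id))
    return fake.calls


if __name__ == "__main__":
    demo()
```

Swap FakePhantom for the default transport (omit post=) to talk to a real server; leave verify_tls on and trust the appliance's CA rather than disabling verification, since the token in that header is the whole credential. A non-200 or "success": false reply raises instead of silently returning a missing id, which is the failure the slide's one-line print would otherwise hide.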

Why develop an F5 app?

There wasn’t one! WWT is an F5 Platinum Partner and 2016 Unity™ U.S. Partner of the Year, and is actively developing automation solutions for deploying F5 using Ansible.

Diagram labels: DC 1 | DC 2 | F5 iControl – REST API | F5 Auto Config Sync | F5 Config.csv

F5 App shares the F5 iControl code base

F5 Network Firewall Policies


Why a Cisco Meraki app?

Meraki is cloud-controlled WiFi, routing and security targeted at branch offices.

User interface is primarily a GUI; provisioning APIs were in beta and are now released.

Wireless APs, security (firewall) appliance, Ethernet switch.

Commonly deployed for both employee and guest access.

Goal: demonstrate the Meraki API and return its output to the Phantom playbook.

Meraki “locate device”

Organization > Network > Device > Client(s)

Meraki dashboard provides a top-down view of the topology

App walks the tree and locates a device based on a match in MAC or Description
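The tree walk the slide describes, as an added example that is not the Phantom Meraki app from github.com/joelwking/Phantom-Cyber. It assumes the Meraki Dashboard API v0 paths (/organizations, /organizations/{id}/networks, /networks/{id}/devices, /devices/{serial}/clients?timespan=N) and the X-Cisco-Meraki-API-Key header as documented for the 2016-era API; the SAMPLE_DASHBOARD dictionary is constructed data shaped like those responses so the walk runs offline. It goes slightly beyond the slide by normalising MAC separators and case before comparing, since the dashboard, switches and users all write MACs differently.

```python
"""Walk the Meraki dashboard tree (organization > network > device > clients)
and locate a client by MAC or description.

Added example, not the Phantom Meraki app from github.com/joelwking/Phantom-Cyber.
Assumptions, labelled: Meraki Dashboard API v0 paths and the X-Cisco-Meraki-API-Key
header; SAMPLE_DASHBOARD below is constructed data shaped like those responses.
"""
import json
import urllib.request

BASE_URL = "https://dashboard.meraki.com/api/v0"


def dashboard_get(api_key):
    """Return a GET function bound to a real dashboard API key."""
    def get(path):
        req = urllib.request.Request(BASE_URL + path,
                                     headers={"X-Cisco-Meraki-API-Key": api_key})
        with urllib.request.urlopen(req) as resp:
            return json.loads(resp.read().decode())
    return get


def norm_mac(mac):
    """Reduce a MAC to 12 lowercase hex digits so 00:11:.., 0011.2233.., 00-11-.. compare equal."""
    return "".join(c for c in (mac or "").lower() if c in "0123456789abcdef")


def matches(client, needle):
    """MAC match when the needle is a full MAC; otherwise a case-insensitive description search."""
    n = norm_mac(needle)
    if len(n) == 12 and norm_mac(client.get("mac")) == n:
        return True
    desc = client.get("description") or ""       # the API returns null for unnamed clients
    return bool(desc) and needle.lower() in desc.lower()


def locate_device(get, needle, timespan=86400):
    """Yield one hit per matching client, with the path through the tree that led there."""
    for org in get("/organizations"):
        for net in get("/organizations/%s/networks" % org["id"]):
            for dev in get("/networks/%s/devices" % net["id"]):
                for client in get("/devices/%s/clients?timespan=%d" % (dev["serial"], timespan)):
                    if matches(client, needle):
                        yield {"organization": org["name"], "network": net["name"],
                               "device": dev.get("name") or dev["serial"], "client": client}


# Constructed sample dashboard: one org, two branch networks, one device each.
SAMPLE_DASHBOARD = {
    "/organizations": [{"id": 1001, "name": "WWT Lab"}],
    "/organizations/1001/networks": [{"id": "N_1", "name": "RTP Branch"},
                                     {"id": "N_2", "name": "STL Branch"}],
    "/networks/N_1/devices": [{"serial": "Q2XX-AAAA-0001", "name": "rtp-mx64", "model": "MX64"}],
    "/networks/N_2/devices": [{"serial": "Q2XX-BBBB-0002", "name": "stl-mr33", "model": "MR33"}],
    "/devices/Q2XX-AAAA-0001/clients?timespan=86400": [
        {"mac": "00:11:22:33:44:55", "description": "joel-laptop", "ip": "10.1.1.20"},
        {"mac": "66:77:88:99:aa:bb", "description": None, "ip": "10.1.1.21"}],
    "/devices/Q2XX-BBBB-0002/clients?timespan=86400": [
        {"mac": "AA-BB-CC-DD-EE-FF", "description": "Guest iPhone", "ip": "10.2.1.9"}],
}


def offline_get(path):
    """Offline stand-in for the dashboard: serve the constructed JSON above."""
    return SAMPLE_DASHBOARD[path]


if __name__ == "__main__":
    for hit in locate_device(offline_get, "aabb.ccdd.eeff"):
        print(hit["organization"], ">", hit["network"], ">", hit["device"], ">", hit["client"]["ip"])
```

Pass dashboard_get(api_key) instead of offline_get to walk a live organisation. The walk is a generator so a playbook can stop at the first hit, but collecting every hit is the safer default: a description like "iPhone" matches many clients, and an action that blocks or isolates should only fire on an unambiguous MAC match.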

Key Take-aways

A community edition, extensible architecture is the ideal software delivery model in a Software-Defined world.

…select technologies that embrace open standards for ingesting data and enriching it.*

* https://blog.phantom.us/2016/07/14/series-defining-security-automation-orchestration-automatic-ingestion-enrichment-of-data/

Exploit regularity to create patterns, automate the patterns.

… Dinesh Dutt Chief Scientist at Cumulus Networks


References

github.com/joelwking/Phantom-Cyber

Thank You
