Managing VMware Proactively with Runecast

As technologists, how do you troubleshoot problems? Does this cycle sound familiar:

  1. bad thing happens

  2. Google the error message

  3. land on a knowledge base/blog article

  4. fix the issue

  5. if not… rinse and repeat.

I am sure we can all relate.

As admins/operators we are constantly pressed to get things working in short order. As a result, much of our time is spent reactively troubleshooting issues, digging through logs and using Google to try to find a fix. While most of us have the desire to stay on top of issues and become more proactive, the reality is that it is an uphill battle.


Runecast - For VMware Admins, Built by VMware Admins

At VMworld this year I got to learn a little bit about Runecast during their Tech Field Day presentation. Runecast is a company focused on helping VMware admins with the task of keeping their environments healthy, secure and in line with published best practices. The company was founded by a set of practitioners who ran the VMware Center of Excellence for IBM, where they were in the trenches living and breathing VMware for many years. From these trenches arose the idea for a product that would help tackle many of the common operational problems VMware operators face: combing through VMware knowledge base articles and logs, awareness of and adherence to VMware best practices, security compliance checks, and spending too much time troubleshooting. A product was born to address these problems and it is called Runecast Analyzer.

Runecast Analyzer deploys as a single VM that aggregates information from a variety of sources, including the VMware Knowledge Base, social media, and security hardening guides, and synthesizes them into a central repository. Using this information, the analyzer runs a discovery against the environment to identify potential issues before they have the ability to cause outages. The technical details of how this is done are nicely explained in the whiteboard/chalk talk presented by Runecast co-founder, Stanimir Markov.

Runecast Analyzer

Once deployed, Runecast Analyzer can be accessed via its web interface and presents several different views highlighting the health of your VMware environment. Runecast is not a performance and capacity alerting tool (as there are many of those available), but rather places its focus on configuration, manageability, security and VMware best practice conformance. The dashboard below shows the overall health based on those standards and allows you to drill down into items that may be of most importance in your organization.

RunecastDashboard.png

Looking at the inventory view for critical items across this vSphere environment, it is easy to see a series of patches that should be installed on the vCenter and ESXi hosts. The details of this critical alert provide the relative risk rating, KB article reference, and resolution details for how to address the problem. Runecast does not currently provide the ability to take remediation action from within the web interface, but that is something that may be provided in the future.

RunecastPatch.png

Best Practices, Security Hardening, Compliance & VMware KBs

In its first iterations, Runecast Analyzer was focused on analyzing configuration items contained within VMware Knowledge Base articles, best practices and security hardening guides. Recently the Analyzer has been expanded to include log analysis and specific security/compliance standards (DISA STIG and PCI DSS). This means that it can cross-check against VMware logs for known issues, as well as call out items that don’t comply with specific security standards.

Below is a shot of the inventory view in which all items can be categorized, sorted and filtered based on what is most important including a categorization by product and impact. It is encouraging to see these new items added into the product, and I can envision additional sources and levels of analysis being included moving forward.

RunecastCategories.png


Try it Out

During the Tech Field Day presentation there was a cool demo of Runecast Analyzer which you should check out, but why not try it for yourself? Runecast provides both an online/interactive demo as well as a free trial of Runecast Analyzer for you to run in your environment. Also, if you happen to be a vExpert you can take advantage of their NFR offering. This was my first exposure to Runecast, and overall I would have to say I am highly impressed. This is a product for VMware admins, built by VMware admins and aimed at helping VMware admins move ever closer to proactive management of their environments.

Disclaimer:  I was personally invited to attend Tech Field Day Xtra at VMworld 2018. I was not compensated for my time or travel.  I am not required to blog on any content; blog posts are not edited or reviewed by the presenters or Tech Field Day team before publication.

Security has Failed, Analytics to the Rescue

Security has Failed.  A refreshing, and I believe honest, statement presented by Dr. Richard Ford, Chief Scientist of Forcepoint, when talking about the current state of traditional computer security.  Computers are complicated and by their very nature are a difficult landscape in which to separate the good from the bad - the core function of security.  Using traditional computer security means (anti-virus, firewalls, secure web gateways) is no longer an adequate way in which to draw these lines.  In the words of Dr. Ford, when it comes to the computer security playing field, "it is much easier to play offense than defense."

SecurityFailedForcepoint.jpg

Can Analytics Help?

Realizing that traditional means are not adequate, Forcepoint is taking what they call a "human-centric approach" to security.  This approach seeks to understand normal human behavior as it relates to the flow of data in and out of an organization.  The goal is to become better at drawing the lines between the good and bad, allowing their customers to identify and respond to risks in real-time.  Rather than static definitions (firewall rules allowing system A and system B to communicate on a specified port), it is far more valuable to provide dynamic intelligence which incorporates both system context and user behavior into computer security decision making.  Forcepoint is working to provide this value through User and Entity Behavior Analytics (UEBA).

UEBA is what is referred to as the "Brains" of the Forcepoint suite of products.  UEBA allows a dynamic risk score to be calculated and assigned to users and computers through the use of data modeling.  Much like data modeling helps financial institutions determine if an applicant is at risk of default before approving or denying a loan, UEBA utilizes data modeling to determine the security risk of a given person and/or system.  The risk score calculated through these models is then utilized by the Forcepoint security products to make a more informed decision.

Of course, no two customer environments and policies are identical, so identifying system context and user behavior goes through a learning and training process.  Forcepoint states that the training of their data models to detect what is normal in a customer environment can be accomplished in days.  The UEBA models are purposely generic at their start and updated over time.  This flexibility allows for refinement of the models as new threats are presented within an environment.  Once in place, the models assist in distinguishing anomalies from normal activity and alerting on them.

UEBABrains.png

Having worked a number of years now in the data analytics space helping customers reduce the noise-to-signal ratio within their data environments, it seems obvious to me that analytics can provide immediate value to a 'failed' traditional computer security industry.

At What Expense

So if behavior-based analytics seems intriguing and scary to you all within the same breath, you are not alone.  Forcepoint is in the business of intersecting people and data, therefore they are very conscious of designing and creating solutions in which privacy and personal protection are a core focus.  Any time you record, model, analyze and act on human behaviors, the topic of privacy must be understood.  The tradeoff between minimizing insider threats and protecting personal information is non-trivial.  While time did not allow us to dive into how privacy is implemented within the UEBA product, perhaps we can learn more in a future session.

Learn More

If you are interested in learning more about Forcepoint's computer security offerings or wish to view the entire UEBA Tech Field Day presentation, I have embedded the recording below.  This and other presentations can be found on the Tech Field Day website.

Jim Birmingham, VP Research & Development, starts the session by defining what insider threats are for organizations, which constitute the majority of security threats against an organization. He then reviews how Forcepoint's User and Entity Behavior Analytics platform provides a holistic view of insider behavior to help detect threats. Recorded at Tech Field Day in Austin, TX on February 21, 2018. For more information, visit http://TechFieldDay.com/event/tfd16/

Disclaimer:  I was personally invited to attend Tech Field Day 16, with the event team covering my travel and accommodation costs.  However I was not compensated for my time.  I am not required to blog on any content; blog posts are not edited or reviewed by the presenters or Tech Field Day team before publication.

Heading to Tech Field Day

We all have those moments during our day, week, month or year that we absolutely look forward to.  Morning coffee, 3:00 Friday afternoons, summer vacation, an upcoming conference.  Tech Field Day has worked its way into my 'something I look forward to' category.  I honestly love hitting the do not disturb button, firing up the browser, logging into twitter, throwing the headphones in, and connecting up to the live stream.  I have found myself camped out in the lab, a remote part of the datacenter, hotel rooms, and sometimes in the convenience of my home office to take in all of the TFD goodness.

Some folks like reality television, sitcoms, or binge watching their favorite series - but for me, I must admit Tech Field Day provides a similar level of enjoyment.  Maybe it is the thrill of being "front and center" and catching the latest in what the industry has to offer.  Maybe it's the joy of the "damn that is cool" or "why didn't I think of that" thoughts that cross my mind.  Maybe it is the guilty pleasure of watching the interaction between the delegates and the presenters, anticipating what is going to happen next.  Maybe it is the spontaneity of the whole thing - like the nerf gun war during the Pure presentation, which I still remember to this day.  Maybe it is the "ah ha" moments and realizing just how much I don't know and jotting down a bunch of things I need to go learn about.  I am sure it is a combination of all of the above.

Last year, I was fortunate to engage with TFD in a new way, and participate first hand at TFD Xtra at VMworld as a presenter for DataGravity, which was an absolute highlight.  Once getting warmed up and getting a few of the nerves out (which goes along with sitting in the proverbial "hot seat"), I thoroughly enjoyed myself.  It was a blast to share customer stories, dialogue and answer questions from the delegates, as well as listen and gather input.  TFD provides such a valuable format for all those involved, and I have seen directly the impact it makes for a presenting company, with new features and functions being introduced as a result of delegate feedback.

And so now, in less than two weeks I have been invited to participate in yet a new way in this series of events of which I have become so fond.  It is an absolute privilege to be asked to participate as a delegate at the upcoming Storage Field Day 10.  Sometimes I have to pinch myself that all of this is happening but not for too long, as there is some good work to be done.  After all, this is my rookie debut as a delegate and so some solid preparation is required - like reading the newbie FAQs, reviewing past presentations from the tech vendor lineup, and catching up on some rest before the event.

To state that I am excited would be a major understatement.  What a great opportunity to engage with TFD in a new way, with a new perspective, working alongside amazing delegates - all while learning about some of the great new innovations coming out of the tech community.  My geek tank is full.  See you in Silicon Valley or on the twitter stream at #SFD10

 

Disclaimer: I am attending Storage Field Day 10 as a guest of GestaltIT and they paid for travel and accommodations. I have not been compensated for my time and am not obliged to blog.