1. Joel W. King
Engineering and Innovations - Network Solutions,
World Wide Technology, Inc.
joel.king@wwt.com
2. 2016 Phantom Cyber, Proprietary and Confidential,
Goal
How we got here?
Focus on ‘Why’ rather than ‘What’
Data Ingest
F5 App
Meraki App
Key Take-aways
3. whoami
Past Experience
NetApp: Digital Video Surveillance | Big Data | E-Series
Cisco: Enterprise Systems Engineering (ESE) Cisco Validated Designs (CVDs)
AMP Incorporated: Network Architect | CCIE No. 1846 (retired)
Joel W. King
joel.king@wwt.com
@joel_w_king
github.com/joelwking
www.linkedin.com/in/programmablenetworks
4. World Wide Technology
Headquartered in St. Louis, Missouri
2015 revenue: $7.4 billion
Integration labs in the U.S. and Europe
2 million+ square feet of warehousing,
distribution and integration space
3,000+ professionals
500+ engineers and technical resources
Business classification: Minority Business
Enterprise (MBE)
Ownership: Privately held
5. Why the Interest in Automation?
feature nx-api
Nexus 3000 | 9000
Nexus 9000
ACI
APIC-EM
7. Why Start with Ingesting Data via REST API?
Prior experience with REST API calls
Provided a means to begin learning the architecture
and Lexicon
Container
Artifact
Playbooks
Asset
Owners
CEF
Test data for apps and
Playbooks
8. IP Phone Metadata collection
REST Ingest to Phantom
[Diagram labels: VoIP | RemoteAddr | REST API | Phantom Server | SOHO – RTP NC | Advanced Technology Center]
>python meta_data_collection.py
Usage:
python meta_data_collection.py <phone_ip_address> <token>
>python meta_data_collection.py 192.168.0.4 JWa4redactedRG2g=
Created container: 7 and artifact: 4
9. PhantomIngest.py
Class and methods to abstract creating a container and artifacts
https://github.com/joelwking/Phantom-Cyber/tree/master/REST_ingest
import PhantomIngest as ingest
from basic_test_constants import *
#
# Initialize class
#
p = ingest.PhantomIngest(params['host'], params['token'])
#
# Create container
#
kontainer = {"name": "Cras_scelerisque", "description": "characters bear no relation to living persons"}
container_id = p.add_container(**kontainer)
#
# Create artifact
#
art_i_fact = {"name": "Lorem Ipsum", "source_data_identifier": "IR_3458575"}
cef = {'sourceAddress': '192.0.2.1', 'sourcePort': '6553'}
meta_data = {"mock content": "Nunc in a velit eu, risus fusce leo ligula"}
artifact_id = p.add_artifact(container_id, cef, meta_data, **art_i_fact)
print("%s \n%s \n%s" % (p.message, p.status_code, p.content))
11. Why develop an F5 app?
There wasn’t one!
WWT is an F5 Platinum Partner and
2016 Unity™ U.S. Partner of the Year.
Actively developing
automation solutions for
deploying F5 using Ansible.
DC 2 | DC 1
F5 iControl – REST API
F5 Auto Config Sync
F5 Config.csv
12. F5 App
shares F5 iControl code base
15. Why a Cisco Meraki app?
Meraki is Cloud Controlled WiFi,
Routing and Security targeted at
branch offices.
User interface primarily a GUI,
provisioning APIs in Beta, now
released.
Wireless APs, security (firewall)
appliance, Ethernet switch.
Commonly deployed for both
employee and guest access.
Goal:
Demonstration of Meraki API,
return output to the Phantom playbook.
16. Meraki “locate device”
Organization
Network
Device
Client(s)
Meraki dashboard provides a
top down view of the topology
App walks the tree and locates
device based on a match in MAC
or Description
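The tree walk described on this slide, as an added example (not the app's own code and not from the original deck). It searches a constructed in-memory topology instead of calling the Meraki API; the field names, the `normalize_mac` and `locate_device` helpers, and matching against client records are assumptions.

```python
import re

# Constructed sample topology (not real Meraki data). The nesting follows the
# slide: Organization -> Network -> Device -> Client(s).
SAMPLE_ORGS = [
    {"name": "Example Org", "networks": [
        {"name": "Branch-01", "devices": [
            {"name": "AP-lobby", "clients": [
                {"mac": "00:11:22:aa:bb:01", "description": "Guest-iPhone"},
                {"mac": "00-11-22-AA-BB-02", "description": None}]},
            {"name": "MX-edge", "clients": [
                {"mac": "0011.22aa.bb03", "description": "lobby-kiosk"}]},
        ]},
        {"name": "Branch-02", "devices": []},
    ]},
]

# Accepts aa:bb:.., aa-bb-.., bare 12 hex digits, and dotted aabb.ccdd.eeff.
_MAC_RE = re.compile(r"^(?:[0-9a-f]{2}[:-]?){5}[0-9a-f]{2}$"
                     r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$")

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a MAC."""
    text = (value or "").strip().lower()
    if not _MAC_RE.match(text):
        return None
    return re.sub(r"[^0-9a-f]", "", text)

def locate_device(orgs, search):
    """Walk the tree and return every client whose MAC equals `search` or whose
    description contains it (case-insensitive), with the path that leads to it."""
    wanted_mac = normalize_mac(search)
    needle = (search or "").strip().lower()
    hits = []
    if not needle:  # an empty string would otherwise match every description
        return hits
    for org in orgs:
        for net in org.get("networks", []):
            for dev in net.get("devices", []):
                for client in dev.get("clients", []):
                    desc = (client.get("description") or "").lower()
                    mac_hit = (wanted_mac is not None
                               and normalize_mac(client.get("mac")) == wanted_mac)
                    if mac_hit or needle in desc:
                        hits.append({"organization": org["name"], "network": net["name"],
                                     "device": dev["name"], "client_mac": client.get("mac"),
                                     "matched_on": "mac" if mac_hit else "description"})
    return hits
```

Normalizing the MAC before comparison lets an address copied from an alert in one notation match a client recorded in another.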
17. Key Take-aways
A community edition, extensible architecture is the
ideal software delivery model in a Software-Defined
world.
…select technologies that embrace open standards
for ingesting data and enriching it.*
* https://blog.phantom.us/2016/07/14/series-defining-security-automation-orchestration-automatic-ingestion-enrichment-of-data/
Exploit regularity to create patterns, automate
the patterns.
… Dinesh Dutt, Chief Scientist at Cumulus Networks
18. References
github.com/joelwking/Phantom-Cyber