
Little-Known Features of Illumio Core: Core Services Detector

In this ongoing series, Illumio security experts highlight the lesser known (but no less powerful) features of Illumio Core.  

A common challenge for security teams is deciding how to label workloads so they reflect which applications are running on them. All too often, it’s not clear exactly which applications are running on which workloads, and there can be more than one application running on a workload.  

Figuring out what those applications are can be time-consuming, delaying time to value for your security solutions. Worse still, if you don’t have visibility into your applications and their workloads, you may accidentally break dependencies.  

How can you quickly find a complete inventory of which applications are running on all your workloads? Illumio’s Core Services Detector can help. Keep reading to learn how.

What is the Core Services Detector?

Illumio Core manages workloads directly on the workload itself, which lets it collect a lot of information about that workload. One such piece of information is which flows, and their associated port numbers, are being sent and received on that workload.

Illumio’s virtual enforcement node (VEN) on a workload will report this information back to Illumio’s policy compute engine (PCE) from each managed workload. The PCE will analyze this information and associate these flows with specific applications. The PCE will refer to these discovered applications as Core Services, and the ability to collect this information on the PCE is called Core Services Detector.

How the Core Services Detector works

The Core Services Detector is designed to simplify the complex task of discovering and labelling essential network services. Here’s the three-step process the feature uses to help you better understand and protect your most critical assets:

1. Discover traffic flows and process information running on workloads

The Core Services Detector will start by collecting information from all VENs on managed workloads. It’ll analyze traffic flows and process information to identify which applications are using them.  

The feature uses a combination of machine learning (ML) and rule-based models to create a list of all application traffic it's discovered.  

The Core Services Detector uses two approaches for analyzing traffic:

  • A combination of process information analysis and traffic flows
  • Traffic flow analysis alone

Combining these different approaches allows the Core Services Detector to create a list of services running on each workload.

[Figure: Machine learning algorithms used by the Core Services Detector.]

2. Build an inventory of discovered services

The longer the Core Services Detector runs, the more details it’ll collect. We recommend allowing it to run for 14 days to catch services that only run occasionally. But it’ll start discovering and analyzing information on day one. At this time, the Illumio PCE can detect 51 core services.

When it detects services, it’ll then display a list of the services running on specific labeled hosts.

[Figure: All services discovered on a specific workload.]

3. Recommend labels

Illumio will recommend human-readable role and application labels for workloads based on its analysis of the services it’s discovered running on them.  

For example, the results in the above list of discovered services include database-related traffic. In this case, Illumio will recommend specific labels for the workloads where the database traffic was discovered.

[Figure: Illumio’s label recommendations for discovered services.]

You have the option to accept or decline Illumio’s label recommendations. This gives you the option to get an accurate inventory of services, decide which services can stay or go, and then apply labels when you’re ready.  

Automatically discover applications with Illumio Core Services Detector

You can’t secure what you can’t see. Discovering what is running across an environment is the first step to building a robust, least-privilege security architecture. By illuminating your workloads, you can illuminate your security policy needs.

If you can’t sleep at night because you don’t know what’s running in your network, Illumio’s Core Services Detector can help. Get the peace of mind that comes with knowing exactly what is running in your network.

You can’t enforce what you can’t see. Illumio discovers what is running in your environment and displays it clearly along with all dependencies. It then enables the labeling of workloads and applications along business-defined boundaries. The result is a robust, least-privilege access model without the overhead of an overly complex deployment. Illuminate your workloads, then illuminate your policy.

To learn more about using Enhanced Data Collection, contact us today for a free consultation and demo.
