Little-Known Features of Illumio Core: Core Services Detector
In this ongoing series, Illumio security experts highlight the lesser known (but no less powerful) features of Illumio Core.
A common challenge for security teams is deciding how to label workloads so they reflect which applications are running on them. All too often, it’s not clear exactly which applications are running on which workloads, and there can be more than one application running on a workload.
Figuring out what those applications are can be time-consuming, delaying time to value for your security solutions. Worse still, if you don’t have visibility into your applications and their workloads, you may accidentally break dependencies.
How can you quickly find a complete inventory of which applications are running on all your workloads? Illumio’s Core Services Detector can help. Keep reading to learn how.
What is the Core Services Detector?
Illumio Core manages workloads directly on the workload. This allows it to collect a lot of information about that workload. One of these pieces of information is which flows and associated port numbers are being sent and received on that workload.
Illumio’s virtual enforcement node (VEN) on a workload will report this information back to Illumio’s policy compute engine (PCE) from each managed workload. The PCE will analyze this information and associate these flows with specific applications. The PCE will refer to these discovered applications as Core Services, and the ability to collect this information on the PCE is called Core Services Detector.
How the Core Services Detector works
The Core Services Detector is designed to simplify the complex task of discovering and labeling essential network services. Here’s the three-step process the feature uses to help you better understand and protect your most critical assets:
1. Discover traffic flows and process information running on workloads
The Core Services Detector will start by collecting information from all VENs on managed workloads. It’ll analyze traffic flows and process information to identify which applications are using them.
The feature uses a combination of machine learning (ML) and rule-based models to create a list of all application traffic it's discovered.
The Core Services Detector uses two approaches for analyzing traffic:
- A combination of process information analysis and traffic flows
- Traffic flow analysis alone
Combining these different approaches allows the Core Services Detector to create a list of services running on each workload.
2. Build an inventory of discovered services
The longer the Core Services Detector runs, the more details it’ll collect. We recommend allowing it to run for 14 days to catch services that only run occasionally. But it’ll start discovering and analyzing information on day one. At this time, the Illumio PCE can detect 51 core services.
When it detects services, it’ll then display a list of the services running on specific labeled hosts.
3. Recommend labels
Illumio will recommend human-readable role and application labels for workloads based on its analysis of the services it’s discovered running on them.
For example, if the list of discovered services includes database-related traffic, Illumio will recommend specific labels for the workloads where that traffic was discovered.
You can accept or decline each of Illumio’s label recommendations. This lets you build an accurate inventory of services, decide which services should stay or go, and apply labels only when you’re ready.
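The three steps above (collect flow and process evidence, build an inventory over a collection window, recommend labels the operator can accept or decline) are illustrated by the following added example. It is not Illumio's code and does not reproduce the PCE's ML or rule models; the rule tables, hostnames, process names and flow records are all constructed for the example. It also shows why a longer window matters (a backup agent seen only on day 10 is missed with a one-day window) and why process evidence should override a port-only guess.

```python
"""Toy core-services detector: constructed illustration, not Illumio's implementation."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    workload: str           # hypothetical workload hostname
    day: int                # day of the collection window on which the flow was observed
    port: int               # listening port on the workload (server side of the flow)
    process: Optional[str]  # process that owned the socket; None if the agent could not attribute it


# Constructed rule tables for this example only (not Illumio's detection models).
PROCESS_RULES = {
    ("postgres", 5432): "PostgreSQL",
    ("mysqld", 3306): "MySQL",
    ("nginx", 443): "Web (HTTPS)",
    ("sshd", 22): "SSH",
    ("bacula-fd", 9102): "Backup agent",
}
PORT_RULES = {5432: "PostgreSQL", 3306: "MySQL", 443: "Web (HTTPS)", 22: "SSH", 9102: "Backup agent"}
LABEL_RULES = {  # service -> recommended role/application labels
    "PostgreSQL": {"role": "Database", "app": "PostgreSQL"},
    "MySQL": {"role": "Database", "app": "MySQL"},
    "Web (HTTPS)": {"role": "Web", "app": "Frontend"},
    "Backup agent": {"role": "Backup", "app": "Backup"},
}


def classify(flow: Flow):
    """Return (service, evidence) or None. Process+port evidence beats port-only."""
    if flow.process is not None:
        svc = PROCESS_RULES.get((flow.process, flow.port))
        # A recognised process on an unexpected port contradicts the port guess,
        # so do not fall back to PORT_RULES; leave the flow unclassified instead.
        return (svc, "process+flow") if svc else None
    svc = PORT_RULES.get(flow.port)
    return (svc, "flow-only") if svc else None


def build_inventory(flows, window_days: int):
    """Step 2: per workload, service -> {evidence, first_seen, count} within the window."""
    inventory = defaultdict(dict)
    for f in flows:
        if f.day > window_days:
            continue  # not yet observed within this collection window
        hit = classify(f)
        if hit is None:
            continue
        svc, evidence = hit
        entry = inventory[f.workload].setdefault(svc, {"evidence": evidence, "first_seen": f.day, "count": 0})
        entry["count"] += 1
        entry["first_seen"] = min(entry["first_seen"], f.day)
        if evidence == "process+flow":
            entry["evidence"] = evidence  # upgrade a flow-only entry once process evidence arrives
    return {wl: dict(services) for wl, services in inventory.items()}


def recommend_labels(inventory):
    """Step 3: one candidate label set per discovered service that has a label rule."""
    return {
        wl: [dict(LABEL_RULES[svc], service=svc, evidence=d["evidence"])
             for svc, d in services.items() if svc in LABEL_RULES]
        for wl, services in inventory.items()
    }


def accept(recommendations, decisions):
    """Operator decisions: {workload: accepted service name or None}. Returns applied labels."""
    applied = {}
    for wl, chosen in decisions.items():
        for rec in recommendations.get(wl, []):
            if chosen is not None and rec["service"] == chosen:
                applied[wl] = {"role": rec["role"], "app": rec["app"]}
    return applied


# Constructed VEN-style observations (not real telemetry).
SAMPLE_FLOWS = [
    Flow("db-01", 1, 5432, "postgres"),
    Flow("db-01", 1, 22, "sshd"),
    Flow("db-01", 10, 9102, "bacula-fd"),  # weekly backup job, only seen on day 10
    Flow("web-01", 1, 443, "nginx"),
    Flow("web-01", 2, 443, None),          # same service, but process attribution was lost
    Flow("legacy-01", 3, 3306, None),      # no process info at all: flow-only evidence
    Flow("legacy-01", 3, 5432, "nginx"),   # nginx answering on 5432: a port guess would be wrong
]

if __name__ == "__main__":
    inv = build_inventory(SAMPLE_FLOWS, window_days=14)
    recs = recommend_labels(inv)
    print(inv)
    print(recs)
    print(accept(recs, {"db-01": "PostgreSQL", "web-01": "Web (HTTPS)", "legacy-01": None}))
```

With a one-day window `db-01` shows only PostgreSQL and SSH; with the 14-day window the backup agent appears and gets its own label recommendation, which is the point of letting the detector run long enough to see occasional services. The `legacy-01` workload gets a flow-only MySQL entry (weaker evidence, worth flagging for review) and no PostgreSQL entry, because the process that owns port 5432 says otherwise.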
Automatically discover applications with Illumio Core Service Detector
You can’t secure what you can’t see. Discovering what is running across an environment is the first step to building a robust, least-privilege security architecture. By illuminating your workloads, you can illuminate your security policy needs.
If you can’t sleep at night because you don’t know what’s running in your network, Illumio’s Core Services Detector can help. Get the peace of mind that comes with knowing exactly what is running in your network.
You can’t enforce what you can’t see. Illumio discovers what is running in your environment and displays it clearly along with all of its dependencies. It then lets you label workloads and applications along business-defined boundaries, so you end up with a robust, least-privilege access model without the overhead of an overly complex deployment. Illuminate your workloads, then illuminate your policy.
To learn more about using Enhanced Data Collection, contact us today for a free consultation and demo.