Heidi Gabrielson, Director and Riverbed Blogger
https://www.riverbed.com/blogs/author/heidi-gabrielson/
Digital Experience Innovation & Acceleration
Thu, 04 Jul 2024 10:37:19 +0000

Riverbed Unified Agent Simplifies Agent Management
https://www.riverbed.com/blogs/riverbed-unified-agent-management/
Thu, 23 May 2024 12:35:38 +0000

Is your Service Desk team suffering from agent fatigue due to the constant effort required to qualify, install, and manage your agent fleet? Are agent incompatibility issues causing collision challenges? Are your users’ digital experiences hindered by too many agents on their devices?

Consider this: Riverbed polled 40,074 Mac devices and found an average of 31 agents per device. Some of these agents take three minutes or more to boot, and they average just under one crash per month per device.

Does this sound familiar? What if you could cut through the alert fatigue, overcome staffing shortages, and reduce the number of software agents you need to manage?

A single Unified Agent solution

Riverbed Unified Agent is an essential element of the Riverbed Observability and Optimization Platform. It was built from day one to be a single agent solution for deploying and managing Riverbed agent-based modules, as well as select third-party offerings.

Unified Agent provides a combination of selectable services. Today, these services include:

  • Aternity EUE for end-user experience monitoring of device and application performance
  • Aternity Digital Assistant for polling user sentiment
  • NPM+ Core for monitoring TCP network and application performance (beta)

Additional modules will be coming soon.

Simply deploy Unified Agent once, then load the desired modules onto the devices you choose. This results in massive scalability and efficiency with less effort.

Riverbed Unified Agent simplifies agent deployment and management.

Unified Agent makes it easy to deploy, update, and manage agent modules. Deploy it once and get automatic updates of both the agent and modules (or opt to update them manually; it’s your choice). Easily add or disable agent modules and see the deployment status of all modules.

Additional benefits of using a single agent include:

  • A single installation process
  • A single point of management for enabling module features
  • One-time validation of agent security
  • Easy addition or disabling of agent modules
  • Built-in governance to protect customer assets
  • Automatic updates of modules
  • Support for third-party modules certified by Riverbed

In short, Unified Agent enhances IT efficiency, reduces costs, and improves user experience.

Selectable modules support full-stack observability

Unified Agent future-proofs your agent strategy by providing immediate access to a library of selectable modules. These modules are controlled through a single SaaS-based management console. They capture full-fidelity data across the spectrum and direct key metrics to either Riverbed Aternity or the new Riverbed NPM+ cloud network observability service.

To learn more about Riverbed Unified Agent, click here.

Riverbed Unwraps New AI-Powered Platform, Expands Observability and Intelligence Solutions
https://www.riverbed.com/blogs/riverbed-unwraps-new-ai-powered-platform/
Tue, 07 May 2024 07:00:56 +0000

Today, Riverbed unveiled one of our biggest launches in Riverbed history! It includes new observability and intelligence products and a revolutionary AI-powered Observability and Acceleration platform designed to enhance IT operations and improve digital experiences. With a focus on providing actionable insights, the new platform addresses the challenges posed by the ever-increasing complexity of IT environments.

As we all know, ITOps teams face the daunting task of managing vast amounts of data and alerts without sufficient context or actionable insights. Riverbed’s Platform empowers IT professionals by streamlining cross-domain data analysis and correlation to reduce the number of alerts your team must triage and then automates diagnosis and remediation.

The Riverbed Platform

The innovative Riverbed Platform approach combines observability and acceleration modules with enabling technology that supports accurate data collection and analysis, and our integration library of pre-built expert remediations, automations, and application integrations that automate problem identification and resolution. More specifically,

  • Platform modules collect high-fidelity data across the entire IT stack, including digital experience, infrastructure, network, cloud, and application observability and application acceleration solutions. Key metrics from across Riverbed Observability modules are ingested into our powerful AI automation service to identify service-impacting events and automate diagnosis and remediation.
  • The enabling technology layer supports accurate data collection using our Edge Collector, Riverbed Unified Agent and the Riverbed Data Store, while capabilities like Topology Viewer, AI, Automation and dashboards ensure accurate analysis of this data.
  • The integrations library gives our customers access to out-of-the-box third-party integrations. Pre-built application integrations facilitate easy integration with popular third-party software into automation workflows, including ITSM, business process, business productivity, and security solutions, while low-code graphical workflow processes permit IT to build or customize remediations, automation and integrations to optimize them for their specific IT environment.

With the ability to integrate data sources into a single view, the Riverbed Platform makes it easy to deliver precise answers that keep IT running. In short, the Riverbed Platform offers the means to not only cope with the evolving digital landscape but to thrive in it, relieving IT of the burden of manually collecting and analyzing data from across IT systems.

Riverbed Platform
The Riverbed Platform consists of three tiers: data collection modules that feed the AIOps engine; enabling technology that assists in data collection and analysis; and the integration library that delivers built-in integrations and remediations.

Only Riverbed delivers full-stack observability  

Modern IT and cloud environments are highly complex and dynamic, creating a significant need for observability solutions that leverage AI automation. Similarly, organizations are facing more digital experience challenges as they increasingly rely on mobile devices for employees to do their jobs. According to Samsung, 61% of organizations provide “corporate owned” mobile devices to a portion of their workforce.

Today’s announcement significantly expands Riverbed’s observability capabilities to include monitoring end user experience on mobile devices; support for integrated overlay and underlay visibility for popular SD-WAN solutions; and new cloud monitoring capabilities.

The new observability capabilities include:

  • Riverbed Aternity Mobile makes employees more productive and improves business results by enabling IT teams to proactively identify digital experience issues on enterprise-provided mobile devices to enable prescriptive, targeted remediation actions. No other DEM vendor supports these capabilities.
Aternity Mobile Screenshot
Aternity Mobile identifies chronic issues with mobile devices and apps by tracking trends in mobile device health over time.
  • Riverbed NPM+ is a new cloud observability service that overcomes traditional network blind spots created by remote work, public cloud, and encrypted architectures. Riverbed NPM+ ensures holistic network observability by extending visibility to previously unmonitored network locations. By collecting decrypted data at every user and server endpoint (including Kubernetes environments), NPM+ fills the visibility gaps caused by encrypted tunnels in Zero Trust environments.
  • Riverbed Unified Agent is an innovative common agent strategy to streamline deployment, management, and updates of Riverbed’s agent-based offerings. Using selectable modules, it helps IT reduce agent fatigue and agent conflict. The only agent management solution to support endpoint monitoring for both end user experience and network observability, Unified Agent helps realize the value of Riverbed’s AI-ready telemetry, delivering intelligence, observability and a seamless experience anywhere, for anyone.
  • Riverbed NetProfiler adds support for VeloCloud SD-WAN and Cisco SD-WAN (formerly Viptela). It integrates overlay and underlay views for clearer troubleshooting of SD-WAN health and performance issues.

New Intelligence 

AI is the next big transformation in IT and a number one priority of IT leadership. The Riverbed Platform is well positioned to help customers build successful AI and automation strategies with easy deployment and implementation. Our AIOps service enables IT teams to apply AI across their observability tools and embed AI-driven automation to increase IT efficiencies, scale to increased workloads, and reduce the time and cost of problem identification and remediation.

The cornerstone of the Riverbed Platform is Riverbed IQ, a SaaS-delivered AI automation. This 2.0 release enhances automation by enabling workflow processes to be scheduled or run on-demand, while custom tags support more detailed prioritization. The new Integration Library lets customers easily incorporate third-party data into their troubleshooting workflows using ready-made sub-flows. Finally, direct integration of Riverbed AppResponse improves the richness of IQ’s analytics and correspondingly improves automated diagnosis.

Also new is Intelligent Service Desk by Aternity that increases service desk and call center efficiency and availability. Unlike other DEM solutions that offer a multitude of remediation scripts designed to address narrow use cases, Aternity sets itself apart with AI-driven intelligent service desk for troubleshooting and resolving recurring device issues before they are raised as tickets. Using customizable workflow processes, Aternity replicates advanced investigations by correlating end-user impact and real-time granular performance data to identify incident root cause. Aternity dynamically mimics expert decision-making by integrating user sentiment with its remediation workflows using composable actions. Its flexible logic employs interactive feedback with optimal engagement levels to resolve simple and complex issues. For unresolved issues, a ticket is routed to the right level with the necessary context for swift resolution.

For more information, please watch the launch webcast with Riverbed CEO Dave Donatelli and CTO Richard Tworek!

The Benefits of AIOps in Network Management
https://www.riverbed.com/blogs/aiops-in-network-management/
Mon, 18 Dec 2023 13:24:09 +0000

IT organizations are improving network management capabilities through the integration of artificial intelligence (AI) and machine learning (ML). A recent report by Enterprise Management Associates, AI-Driven Networks: Leveling Up Network Management, sheds light on this approach of utilizing AI/ML in IT operations solutions, commonly known as AIOps.

AIOps combines big data and machine learning techniques to support IT operations functions. Its primary aim is to improve root cause analysis, enable predictive insights, and automate responses, all while significantly reducing mean-time-to-resolution (MTTR) and elevating the digital experience.

graph displaying the Top 5 AIOps Use Cases in network management
Top five AIOps use cases, according to EMA

EMA asserts that confidence in AIOps remains high, with nearly 92% of organizations believing AI/ML-driven network management can lead to better business outcomes. In fact, 40% of organizations have already integrated AI/ML technology into nearly all aspects of their network management processes.

Drivers of AIOps adoption

The top priority for using AI/ML is network optimization. Organizations are looking for ways they can tune the network to best meet specific business needs. What’s worth noting is that IT executives are increasingly placing their faith in AI/ML techniques to facilitate this critical endeavor. Additionally, other important use cases for larger organizations include automated troubleshooting, intelligent alerting and escalations, and predictive capacity management.

Top benefits of AIOps-driven networks

Most organizations apply AI/ML and AIOps to network management via their network management and network infrastructure solutions. Although domain-agnostic AIOps products such as Moogsoft and Big Panda exist, they are somewhat less prevalent in network management use cases.

graph displaying the Top 5 Benefits of AIOps in network management.
Top five benefits of AIOps, according to EMA

AIOps offers significant advancements to monitoring the network. The biggest opportunity is network optimization. The network operates at its best when AI/ML identifies and correlates events in real-time, resulting in a smoother overall system. The report also indicates benefits in network agility, security, and resiliency.

Riverbed NetIM adds AI/ML techniques to improve results

With the addition of dynamic thresholding in Riverbed NetIM infrastructure monitoring, all Network Observability products support AI/ML techniques. NetIM now uses dynamic baselining that automatically and continuously updates historical performance baselines to identify significant changes in behavior. Instead of setting and tuning per device static thresholds for utilization, memory, and CPU, Riverbed NetIM dynamically baselines these metrics to identify significant changes in behavior. As a result, it significantly reduces “noise” stemming from non-actionable alerts and minimizes ongoing maintenance related to manual threshold tuning.

For a deeper dive into Riverbed NetIM IT infrastructure monitoring, click here. To explore the myriad of benefits and applications of AIOps, download our ebook today.

NetIM Health Sunburst: Easy Discovery of Poor Device Performance
https://www.riverbed.com/blogs/netim-health-sunburst-device-performance/
Tue, 12 Dec 2023 13:45:27 +0000

The Riverbed NetIM Health Sunburst automatically calculates your overall health score so you can see instantly how your infrastructure is performing. Instantly identify infrastructure health and availability gaps, then drill into the worst performing areas for fast root cause analysis.

Immediately identify device hot spots 

The NetIM Health Sunburst automatically identifies infrastructure hot spots that are impacting network and application performance. It isolates data by country, region, and city or by sites. This level of visibility enables fast root cause analysis by supporting fast drill down into a list of worst performing devices.

Alluvio NetIM Health Sunburst dashboard
Device Health Sunburst shows worst performing devices by country, region, city.

The Sunburst color codes (orange, yellow, green) areas that need improvement, so you can act fast to make appropriate changes. It helps:

  • Provide an immediate picture of overall infrastructure health and the factors that contribute to it to prioritize remediation efforts.
  • Identify infrastructure hot spots with color-coded health scores to speed up problem investigation.
  • Drill down into problem areas to identify poorly performing devices.

The new sunburst health visualization provides an easy alternative to the geographic heatmap and geo-topology visualization options.

Health Sunburst dashboard shows worst-performing devices
Health Sunburst lets you drill into a region to see the worst-performing devices.

How Health Sunburst works

A device’s geographic location data, which can be set in the Device Manager, is used to aggregate by Country, Region, and City. The size and color of the slices in the sunburst are based on the relative number of devices and worst device health, respectively. When you mouse over a slice, you get a summary of the devices in the slice. Clicking on a slice provides the list of devices in the slice.

Alternatively, you can use device site membership and site hierarchy to aggregate and display health by site with the separate but related Site Health Sunburst visualization panel.

NetIM for comprehensive infrastructure monitoring

Riverbed NetIM is a holistic solution for discovering, mapping, monitoring, and troubleshooting your IT infrastructure. It captures infrastructure topology, detects performance and configuration changes, maps application paths over the network, diagrams your network in real-time, and helps troubleshoot infrastructure problems and plan for capacity changes.

NetIM is built on a modern, containerized architecture for scalability, ultra-high performance, and cloud deployment for operational agility. As an integrated component of the Riverbed NPM platform, customers can manage infrastructure issues in the context of overall performance health.

For more information on Riverbed NetIM, click here.

What Are the Four Types of Network Management?
https://www.riverbed.com/blogs/four-types-of-network-management/
Thu, 31 Aug 2023 12:45:18 +0000

Network management is a complex discipline that requires a comprehensive effort to plan, optimize, maintain, and secure enterprise network operations. This starts with understanding all the elements that establish a comprehensive network management strategy.

Network fault management

Network fault monitoring typically involves the deployment of monitoring tools that collect data from network devices in real-time. These tools often use techniques such as SNMP, WMI, streaming telemetry, ping tests, flow analysis, and log analysis to monitor network health and identify faults.

When a fault or anomaly is detected, the monitoring system generates alerts or notifications to network administrators or operators. These alerts provide information about the nature of the fault, its severity, and its potential impact on the network. Network administrators can then take appropriate actions to diagnose and resolve the issue, ensuring the network operates optimally.

Fault management is a critical aspect of network and systems administration that focuses on detecting, diagnosing, and resolving various types of faults or issues that may arise within a system, network, or application. The key capabilities of fault management include:

  1. Fault Detection and Isolation: The ability to identify deviations from expected behaviors or conditions, then determining the scope and impact of a fault. This involves monitoring various parameters, metrics, and performance indicators to detect anomalies, errors, or failures.
  2. Root Cause Analysis: Identifying the underlying cause of a fault. This involves analyzing metrics and logs to determine the sequence of events that led to the fault and pinpointing the specific component or process responsible.
  3. Alert Generation: Generating alarms, alerts, or notifications when a fault is detected. These alerts can be in the form of emails, text messages, dashboard indicators, or other notifications to inform administrators or users about the presence of a fault.
  4. Reporting and Analytics: Generating reports and insights on the frequency, duration, and types of faults that occur. This information can be used for trend analysis, capacity planning, etc.

Network fault management
Monitoring device and interface health are two key capabilities of network fault management.

Configuration management

Network configuration management is the process of monitoring, maintaining, and organizing the information pertaining to your organization’s network devices. It is responsible for the setup and maintenance of network devices along with the installed firmware and software.

The primary goal of configuration management is to confirm that the system’s components work together seamlessly, facilitate efficient, reliable deployment and maintenance processes, and ensure compliance with regulatory standards. Configuration management allows you to quickly configure and replace the functionality of a network device after a failure. If you don’t have a recent backup of that device, you’ll be starting over from scratch to configure new devices.

Key characteristics of configuration management include:

  1. Network device discovery and diagramming: Having an accurate account of your network inventory and its status is critical to network configuration management. The first step is to map the network elements, including physical, logical, and virtual components, to create a high-definition network diagram. These automated network diagrams highlight new and modified devices, as well as devices with configuration errors.
  2. Configuration backup: Configuration backup is the process of extracting configuration settings from a device and storing it to disk. The configuration restore process uses backup configuration data files for the system to restore a specific system configuration, whether on that same device or similar devices.
  3. Configuration change management: Obviously, your network change management solution must be designed to keep track of any changes anyone makes to your devices or systems. This is crucial to avoid any errors or unauthorized changes that might bring about unfavorable consequences. It also speeds the troubleshooting process immensely by automatically comparing before and after configurations and highlighting differences.
  4. Policy compliance and reporting: Network configuration management helps ensure compliance with regulatory, organizational, and security policies, like FISMA, SOX, HIPAA, PCI, NIST 800-53, SAFE, or DISA STIG. Out-of-the-box templates make sure devices and systems are configured correctly to conform to organizational and regulatory policies. Leverage fully customizable rules to validate against a “gold-standard” configuration.

In short, configuration management promotes consistency, helps in identifying and resolving issues more efficiently, and ultimately leads to more stable and reliable systems. Additionally, configuration management can play a crucial role in handling complex configurations and managing dependencies between different components.

Network performance management

Network Observability consists of tools that leverage a combination of data sources to provide a holistic view of how networks are performing. Data sources include network device-generated traffic data (like network flows), raw network packets, and network device health metrics and events.

Network performance management tools provide diagnostic workflows and forensic data to identify the root causes of performance degradations — increasingly through the adoption of advanced technology, such as artificial intelligence (AI) or machine learning algorithms (ML). Based on network-derived performance data, NPM tools provide insight into the quality of the end-user experience.

NPM use cases provide the ability to monitor, diagnose and generate alerts for dynamic end-to-end network service delivery as it relates to digital experience. Key capabilities of network performance management include:

Response time chart
Riverbed AppResponse uses packets to analyze rich network data, like this response time chart.
  1. Monitoring: NPM involves continuous and real-time monitoring of various network parameters such as bandwidth utilization, latency, and packet loss.
  2. Analysis: After gathering data through monitoring, NPM tools analyze the collected information to identify trends, patterns, and potential performance bottlenecks. This analysis, which typically leverages AI and machine learning, helps IT Operations teams understand the current state of the network and identify areas that need improvement.
  3. Troubleshooting: When issues arise, NPM allows IT to quickly diagnose and troubleshoot problems. This includes identifying the root causes of performance degradation, locating faulty devices or configurations, and resolving performance bottlenecks.
  4. Reporting: NPM tools generate comprehensive reports and dashboards that provide insights into network performance over time. These reports help in tracking key performance indicators (KPIs), identifying recurring issues, and measuring the effectiveness of performance improvement measures.
  5. Capacity Planning: NPM involves planning for future network requirements based on historical performance data. By predicting future demands, organizations can allocate resources more efficiently and avoid unexpected performance issues.
  6. Security: Network performance management can also supplement network security since poor network performance can be a sign of security breaches or cyberattacks. NPM tools typically include security monitoring features to detect anomalies and potential threats as they cross the network.

In summary, network performance management is a crucial aspect of maintaining a healthy and responsive network infrastructure, ensuring that organizations can meet the demands of their users and applications while maximizing the efficiency of their network resources.

Network security forensics

Network security forensics centers on the discovery and retrieval of information about cyberthreats within a networked environment. Common forensic activities include the capture, recording and analysis of events that occurred on a network to establish the impact and source of cyberattacks.

Investigators use network forensics to examine network traffic data that is involved, or suspected of being involved, in a cyberattack. Security experts will also look for data that points to data exfiltration, outbound communication with blacklisted IPs, internal reconnaissance, etc. With the help of network forensics, security experts can track down all communications and establish timelines based on network data captured by the network monitoring solutions.

list of user-defined policies
NetProfiler tracks lateral movement, governance violations and other challenges such as P2P, tunneling, and SPAM activity

The main objectives of network security are to:

  1. Prevent unauthorized access: Network security measures are designed to prevent unauthorized individuals or entities from gaining access to sensitive data, systems, and resources. This includes protecting against external attackers as well as unauthorized internal users.
  2. Protect data integrity and confidentiality: Network security ensures that data remains unaltered and trustworthy during transmission and storage. It prevents unauthorized users from accessing or modifying data in transit or at rest.
  3. Maintain network availability: Ensuring network availability is essential for maintaining business operations. Network security measures aim to minimize the risk of disruptions and downtime caused by cyberattacks.

Riverbed supports four types of network management

Riverbed offers a complete and integrated portfolio of network management solutions:

  • Riverbed NetIM provides fault and configuration management. It leverages SNMP, WMI, streaming telemetry, CLI, synthetic testing, IP SLA metrics, syslog, and traps to monitor and troubleshoot network infrastructure health, availability, and performance. Use NetIM to detect performance issues, map application network paths, diagram your network, identify configuration changes, plan for capacity needs, and troubleshoot infrastructure problems.
  • Riverbed NetProfiler provides enterprise-wide network flow monitoring. It supports a wide range of flow types and is used for monitoring bandwidth consumption, top talkers, and network utilization. It also supports discovery and dependency mapping, capacity planning, and security forensics.
  • Riverbed AppResponse provides real-time packet capture and analysis. In addition to monitoring round trip time, network errors, and bandwidth, AppResponse can also analyze more than 2500 business applications, including web transactions, SQL databases and VoIP and video application performance. Packet capture is also critical to network security forensics.

To learn more about Riverbed’s network management capabilities, please click here.

What Is Streaming Telemetry and When Should You Use It?
https://www.riverbed.com/blogs/what-is-streaming-telemetry-and-when-should-you-use-it/
Wed, 09 Aug 2023 20:29:42 +0000

Traditionally, network monitoring involved polling devices for their status and statistics. Now with streaming telemetry, devices proactively send data in real-time, providing a continuous stream of metrics.

Streaming telemetry enables network administrators to gather a wide range of data, including performance metrics, operational statistics, health information, and other relevant details from network devices such as routers, switches, firewalls, and servers. This data is typically transmitted using network protocols like gRPC (Google Remote Procedure Call), NETCONF (Network Configuration Protocol), or other lightweight protocols.

Overall, streaming telemetry transforms network management by providing continuous, real-time data streams that facilitate proactive troubleshooting, optimization, and decision-making in large, complex network environments.

Streaming telemetry vs SNMP?

Streaming telemetry and Simple Network Management Protocol (SNMP) are two different approaches to network monitoring and data collection. Here are the key differences between the two.

  • Data Collection Method: SNMP uses a polling mechanism where the management system periodically queries network devices to retrieve specific data. The devices respond with the requested information. The issue is that a delay between polling intervals can result in a lag in detecting and responding to network issues. Streaming telemetry, on the other hand, uses a push mechanism. The network devices proactively transmit data as a continuous, real-time stream without waiting for requests from the management system. It enables faster detection and response to network anomalies and events.
  • Data Frequency and Granularity: SNMP collects data at regular polling intervals, for example, every five minutes or longer. The data collected is typically limited to predefined metrics specified in the MIB (Management Information Base). Streaming telemetry, by contrast, can collect and transmit data at sub-second intervals, providing real-time network visibility. It also enables IT to collect a wider range of data points, including custom metrics. It can deliver a more comprehensive view of network performance and behavior.
  • Network Overhead: SNMP polling generates additional network traffic as the management system sends requests and devices respond with data. The frequency of polling can impact network performance, especially in large-scale deployments. Streaming telemetry reduces network overhead since data is sent proactively without the need for queries. Network utilization is also more efficient and can scale better in complex network environments.

In short, both SNMP and streaming telemetry have their strengths and are suitable for different monitoring scenarios. SNMP is a mature protocol supported by a wide variety of network devices, while streaming telemetry provides more real-time, granular, and flexible data collection capabilities. Organizations often use both, based on their monitoring requirements, device support, and need for real-time insights.

When should I recommend streaming telemetry vs SNMP?

The decision to use one versus the other depends on several factors, including the specific use case, the network infrastructure, and your clients’ requirements. Here are some considerations to help you decide when to use each.

Use streaming telemetry when your clients need to:

  • Stream real-time data for applications that require immediate and continuous updates.
  • Collect highly granular data, including fine-grained statistics, counters, or operational information.
  • Monitor large-scale deployments and handle high data rates.
  • Define custom data models and collect specific information.

Continue to use SNMP polling if:

  • Your client’s network primarily consists of devices with SNMP capabilities. It might be simpler to stick with SNMP monitoring.
  • Your client needs to perform configuration changes or control devices remotely.

In some cases, using a combination of streaming telemetry and SNMP might be best. For example, you can use streaming for real-time monitoring and granular data collection while still using SNMP for device management and compatibility with legacy systems. Ultimately, the decision between which you use depends on your specific needs, the capabilities of your network devices, and the ecosystem of tools and systems you are using.

Riverbed NetIM

Fortunately, Riverbed NetIM supports both SNMP and streaming telemetry, as well as WMI, CLI, API, and synthetic testing for a comprehensive picture of how infrastructure performance affects network and application performance and ultimately, user experience. It provides integrated mapping, monitoring, and troubleshooting of network infrastructure. NetIM can capture infrastructure topology information, detect, and troubleshoot performance issues, map application network paths, plan for capacity needs, and diagram the network.

 


For more information on the benefits of Riverbed NetIM infrastructure monitoring, log into the Partner Portal.

Riverbed IQ Named Finalist in CRN 2023 Tech Innovator Awards
https://www.riverbed.com/blogs/crn-tech-innovators-award-to-alluvio-iq/ Mon, 17 Jul 2023 15:34:00 +0000

Riverbed IQ by Riverbed was named a finalist in the IT Infrastructure Monitoring category of CRN’s 2023 Tech Innovators Award, announced today.

Riverbed IQ is a SaaS-delivered Unified Observability service that surfaces impactful issues with the context to solve problems fast. It accomplishes this by leveraging full-fidelity data–across networks, infrastructure, applications, and end users–then applying AI/ML, correlation, and intelligent automation to surface actionable insights.

About CRN’s Tech Innovator Awards

According to CRN, these awards are meant to help solution providers identify products that are truly innovative and offer value for their customers. The 2023 CRN Tech Innovator Awards showcase IT vendor offerings that provide significant advances in IT–and partner growth opportunities–across a broad range of technology categories including cloud, networking, security, storage, and software. The awards spotlight innovative products across a wide range of categories. The winners and finalists were chosen by CRN staff.

Four powerful intelligent automation use cases

The June release of Riverbed IQ, which was submitted for the award, focuses on intelligent automation across the Riverbed platform. Powered by the Riverbed LogiQ Engine, the Riverbed platform leverages AI, correlation, and automation to streamline repeatable processes with minimal human intervention and improved user satisfaction. Riverbed IQ uniquely offers broader automation use cases that extract insights across Riverbed telemetry and existing 3rd party tool silos to enable faster time to resolution.

With its powerful automation, analytical and integration capabilities, Riverbed currently supports four automation use cases:

  1. Incident response runbooks automate troubleshooting by replicating the best practices of IT experts. With the Riverbed portfolio’s full-fidelity insights, complex troubleshooting workflows become razor sharp, highly automated processes. Riverbed IQ replicates the advanced investigative processes of IT operations teams, providing context-driven insights that empower them to proactively resolve issues without escalating.
  2. Security forensics automation with Riverbed IQ bridges the gap between NetOps and SecOps by leveraging automation to distill forensic data from the Riverbed NPM portfolio for use in traditional security tools, like SIEMs and SOARs. SecOps teams need easy access to all data sources and to easily integrate that data into their existing security tools. Riverbed IQ provides out-of-the-box runbooks for security investigations and threat hunting. These runbooks provide SecOps teams with easy access to Riverbed NPM and DEX data to help SecOps fully investigate threats with more context, reducing risk to the business.
  3. Logic-driven desktop remediations harness the power of the Riverbed LogiQ Engine: logic-driven endpoint remediation workflows are capable of dynamically mimicking expert decision-making, resulting in instant fixes for simple to complex issues. Unlike other solutions that demand a multitude of remediation scripts customized to address narrow use cases, Riverbed Aternity sets itself apart by offering one-click remediation actions that can dynamically mimic expert decision-making by constructing logic-driven remediation workflows using reusable steps. This enables the resolution of both simple and complex issues. Combined with the fact that Aternity offers an extensive catalog of Mac and PC remediation actions for recurring end user experience issues such as application hangs, boot and login times, network connectivity, application crashes, OS crashes and more, IT can have more time to focus on innovation.
  4. Intelligent ServiceNow ticketing empowers IT with their ideal scenario – automated ticket generation that is prioritized, remains up to date, and contains all the context IT needs to quickly remediate, directly from ServiceNow. Riverbed IQ’s integration with ServiceNow, combined with its ability to integrate with third party tools, uniquely provides ITOps users with context-driven insights directly in their ServiceNow UI.

The results are better IT agility and efficiency, fewer errors, and reduced risks.

More on Riverbed IQ

Interested in an observability platform that unifies data, insights, and actions across IT? To learn how your teams can harness the power of Intelligent Automation to gain efficiency, quality, and speed while reducing costs, visit Riverbed today for more information on Riverbed IQ or to request a demo.

Visit CRN to learn more about this year’s Tech Innovator Awards.

What Is Streaming Telemetry and When Should You Use It?
https://www.riverbed.com/blogs/what-is-streaming-telemetry-and-when-to-use-it/ Thu, 06 Jul 2023 12:39:00 +0000

Traditionally, network monitoring involved polling devices for their status and statistics. Now, with streaming telemetry, devices proactively send data in real time, providing a continuous stream of metrics.

Streaming telemetry enables network administrators to gather a wide range of data, including performance metrics, operational statistics, health information, and other relevant details from network devices such as routers, switches, firewalls, and servers. This data is typically transmitted using network protocols like gRPC (Google Remote Procedure Call), NETCONF (Network Configuration Protocol), or other lightweight protocols.

Overall, streaming telemetry transforms network management by providing continuous, real-time data streams that facilitate proactive troubleshooting, optimization, and decision-making in large, complex network environments.

Streaming telemetry vs SNMP?

Streaming telemetry and Simple Network Management Protocol (SNMP) are two different approaches to network monitoring and data collection. Here are the key differences between the two.

Streaming telemetry uses a push method, while SNMP relies on the collector polling devices for metrics.
  • Data Collection Method: SNMP uses a polling mechanism where the management system periodically queries network devices to retrieve specific data. The devices respond with the requested information. The issue is that a delay between polling intervals can result in a lag in detecting and responding to network issues. Streaming telemetry, on the other hand, uses a push mechanism. The network devices proactively transmit data as a continuous, real-time stream without waiting for requests from the management system. It enables faster detection and response to network anomalies and events.
  • Data Frequency and Granularity: SNMP collects data at regular polling intervals, for example, every five minutes or longer. The data collected is typically limited to predefined metrics specified in the MIB (Management Information Base). Streaming telemetry, by contrast, can collect and transmit data at sub-second intervals, providing real-time network visibility. It also enables IT to collect a wider range of data points, including custom metrics, and can deliver a more comprehensive view of network performance and behavior.
  • Network Overhead: SNMP polling generates additional network traffic as the management system sends requests and devices respond with data. The frequency of polling can impact network performance, especially in large-scale deployments. Streaming telemetry reduces network overhead since data is sent proactively without the need for queries. Network utilization is also more efficient and can scale better in complex network environments.

In short, both SNMP and streaming telemetry have their strengths and are suitable for different monitoring scenarios. SNMP is a mature protocol supported by a wide variety of network devices, while streaming telemetry provides more real-time, granular, and flexible data collection capabilities. Organizations often use both, based on their monitoring requirements, device support, and need for real-time insights.

When should I use streaming telemetry vs SNMP?

The decision to use one versus the other depends on several factors, including the specific use case, the network infrastructure, and your requirements. Here are some considerations to help you decide when to use each.

Use streaming telemetry when you need to:

  • Stream real-time data for applications that require immediate and continuous updates.
  • Collect highly granular data, including fine-grained statistics, counters, or operational information.
  • Monitor large-scale deployments and handle high data rates.
  • Define custom data models and collect specific information.

Continue to use SNMP polling if:

  • Your network primarily consists of devices with SNMP capabilities. It might be simpler to stick with SNMP monitoring.
  • You need to perform configuration changes or control devices remotely.

In some cases, using a combination of streaming telemetry and SNMP might be best. For example, you can use streaming for real-time monitoring and granular data collection while still using SNMP for device management and compatibility with legacy systems. Ultimately, the decision between which you use depends on your specific needs, the capabilities of your network devices, and the ecosystem of tools and systems you are using.

Riverbed NetIM

Fortunately, Riverbed NetIM supports both SNMP and streaming telemetry, as well as WMI, CLI, API, and synthetic testing for a comprehensive picture of how infrastructure performance affects network and application performance and ultimately, user experience. It provides integrated mapping, monitoring, and troubleshooting of network infrastructure. NetIM can capture infrastructure topology information, detect, and troubleshoot performance issues, map application network paths, plan for capacity needs, and diagram the network.

Riverbed NetIM home page provides an overview of device and interface performance.

For more information on the benefits of Riverbed NetIM infrastructure monitoring, click here.

Improve Cybersecurity with Easy Integration of Observability Data
https://www.riverbed.com/blogs/cybersecurity-with-observability-data-integration/ Wed, 28 Jun 2023 12:58:00 +0000

Read the EMA white paper, “From Complexity to Clarity: Resolving Challenges in Cybersecurity Observability”

Traditional security tools like Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) are only as good as the intelligence that they ingest.

In a recent report from Enterprise Management Associates (EMA), Analyst Ken Buckler reflects on why SecOps needs to leverage observability data for faster, more complete incident response.

Cybersecurity facing mounting challenges

According to Buckler, modern cybersecurity faces a range of challenges that IT leaders must overcome to ensure effective threat detection. One example is the complexity of today’s networks, which feature copious devices, endpoints, and applications. This complexity hinders SecOps’ ability to gain consistent monitoring of the environment for threat detection.

With the exponential growth of data volume generated by network devices and applications, analyzing and processing this data in real time is a formidable task. It demands scalable data collection, storage, and analysis techniques, plus advanced technologies, like machine learning, correlation, and automation. As a result, insufficient visibility into certain network constructs, devices, and applications leads to security blind spots. Addressing this challenge involves implementing standardized monitoring practices and utilizing network visibility tools to enhance observability.

Integration is essential

Integrating observability with existing security tools is vital for a comprehensive security posture. However, the complexity and diversity of security technologies pose integration challenges. Overcoming this obstacle requires careful planning, ensuring interoperability, and leveraging automation and orchestration capabilities.

To tackle these challenges, organizations must invest in comprehensive observability solutions, such as Riverbed IQ, that encompass real-time monitoring, advanced analytics, and intelligent automation. By implementing standardized monitoring practices, utilizing efficient data processing technologies, enhancing visibility through full-fidelity telemetry, and integrating observability with existing security tools, organizations can bolster threat detection, incident response, and overall cybersecurity resilience.

Riverbed IQ automates cybersecurity incident response

Riverbed IQ can aid in the investigation of cyberthreats using the Riverbed LogiQ Engine intelligent automation capabilities. It investigates threats found in traditional security tools, like SIEM or SOAR solutions. The SIEM or SOAR initiates a request for supporting diagnostic data using an API. Riverbed IQ then parses this request and kicks off a low-code security runbook that automates the collection of network forensics data from across the Riverbed™ portfolio or from third-party data. By distilling the forensic data and sending actionable insights back to the requesting solution, Riverbed IQ gives SecOps teams easy access to the supporting data they need to drive intelligent security investigations and mitigate cyber threats.

For more information on the need for observability data in cybersecurity, read the EMA white paper, From Complexity to Clarity: Resolving Challenges in Cybersecurity Observability.

What Are the Three Pillars of Observability?
https://www.riverbed.com/blogs/what-are-the-three-pillars-of-observability/ Thu, 22 Jun 2023 12:30:00 +0000

The traditional three pillars of observability are considered logging, metrics, and tracing. These three data types are essential for building a reliable, scalable, and maintainable system. Logs, metrics, and traces are essential to observability because they provide different types of data that enable IT engineers to understand how a system is behaving and diagnose issues when they arise.

This blog looks at these three pillars and analyzes how Riverbed takes them further to unify data, insights and actions for all IT.

What are logs?

Logs refer to the collection of data generated by an application or system as it runs. They record events and activities that happen within a system, providing a detailed history of its behavior. Logs are helpful for debugging issues, troubleshooting, and auditing. When something goes wrong, logs can help engineers identify what happened and when, and provide clues as to why it happened.

What are metrics?

Metrics are numerical values that represent the behavior of a system over time. They are typically collected at regular intervals and can be used to track trends and identify anomalies. Metrics are often used to monitor system performance, such as CPU usage, memory utilization, or traffic throughput.

Metrics are important because they provide data that can be used to track system performance over time. By collecting and analyzing metrics, engineers can identify patterns and trends, which allows them to optimize performance, troubleshoot issues, and make informed decisions about system capacity and resource allocation.

What are traces?

Traces refer to the ability to follow a request as it moves through a distributed system. Tracing helps engineers identify the source of a problem, understand the flow of data, and optimize the performance of a system. Tracing involves instrumenting the code and collecting data at various points in the system, then aggregating and analyzing that data to create a trace of a request’s journey. Traces make it easier to diagnose and resolve problems. They can help identify where performance bottlenecks are occurring and help pinpoint the root cause of issues.

Together, the three pillars of observability provide a comprehensive view of a system, enabling engineers to monitor, debug, and optimize it. They form the foundation of observability, allowing engineers to gain insight into complex systems and improve their reliability, scalability, and maintainability.

Riverbed Unified Observability unifies data, insights and actions across IT

Riverbed IQ is a SaaS-delivered unified observability service that captures full-fidelity performance metrics, applies machine learning and correlation to separate false positives from critical events, and then automates the investigative workflows of IT experts to gather the diagnostic data necessary to resolve problems quickly.

Riverbed unifies data, insights and actions across IT.

In short, Riverbed expands on the three pillars of observability to deliver an observability solution that unifies data, insights, and actions for all IT.

Unified data is the comprehensive support of full-fidelity telemetry from across diverse sources, including devices, networks, applications, cloud-native environments, users, and third-party solutions. Unlike other solutions that sample data to deal with the scale of today’s distributed environments, Riverbed captures every transaction, packet, and flow, as well as actual user experience for every type of application. Full-fidelity data gives IT a complete picture of what’s happening and what has happened, without missing key events due to sampling. It provides the foundation of unified observability.

Unified insights mean IT solves the right problems fast to keep users productive. With the best data, AI and multifaceted correlations, plus workflow automation, Riverbed IQ delivers context-rich, filtered, and prioritized insights that help IT teams understand the scope and severity of issues and the cause of poor performance.

Riverbed IQ pulls together all evidence related to an incident in a single report, which can also be used to inform trouble tickets.

Unified actions employ low-code runbooks to replicate and automate the best practices of IT experts to provide the probable root cause of performance or security incidents. By automating the gathering of supporting diagnostic data from disparate solutions, Riverbed IQ helps IT teams accelerate problem-solving, break down silos, and avoid time-consuming war rooms.

Riverbed IQ runbooks automate the process of gathering diagnostic data to speed time to resolution.

Why Riverbed IQ Unified Observability?

Riverbed IQ Unified Observability unifies data, insights, and actions to empower all IT teams to deliver seamless digital experiences and end-to-end performance visibility. It uniquely leverages a combination of enterprise-wide data collection, sophisticated AI techniques, and intelligent automation to speed common and repetitive IT tasks. As a result, IT can achieve the following benefits:

  • Faster problem detection and resolution: With unified observability, it becomes easier to detect problems as they occur, rather than waiting for user complaints or failures. Once a problem is detected, Riverbed IQ can help pinpoint the root cause of the issue. Riverbed Unified Observability uses intelligent automation to gather supporting evidence and context. This reduces the time it takes to resolve the problem and get the system back up and running.
  • Better performance: By monitoring key metrics and indicators, unified observability helps identify performance areas that are not optimal. This can help improve performance of networks, applications, and users and prevent potential issues before they occur.
  • Improved collaboration: Observability tools can provide visibility into the IT environment to multiple teams across an organization. This visibility can improve collaboration between teams and help everyone work towards a common goal of improving performance and reliability.
  • Better customer experiences: By resolving problems faster, Riverbed IQ helps improve digital experiences, which leads to increased customer satisfaction and loyalty.

Extend the three pillars of observability to include unified data, insights and actions.

What Is Intelligent Automation?
https://www.riverbed.com/blogs/what-is-intelligent-automation/ Tue, 06 Jun 2023 12:11:00 +0000

Intelligent automation uses advanced technologies such as machine learning (ML), correlation, and automation to automate IT operations tasks. This involves the use of smart algorithms and runbook workflows to identify and automate routine, repetitive, and time-consuming tasks, freeing up IT staff to focus on more strategic and creative work.

Riverbed uses intelligent automation to automate a wide range of IT processes, including incident response, security forensics investigations, desktop remediation, and providing intelligence to trouble ticketing. Automation can help improve operational efficiency, reduce errors, and enhance the overall quality of IT services.

Intelligent IT automation also provides actionable insights to help IT teams identify and address potential problems before they occur. This can help organizations achieve greater agility and flexibility in their IT operations, while also reducing costs and improving the overall quality of service.

Why use Intelligent Automation?

The proliferation of new applications is generating an overwhelming volume of data, leading to alert overload. It is simply no longer possible for IT teams to analyze and correlate all this data manually and still meet operational expectations.

In addition, alert overload is compounded by today’s scarcity of skilled IT resources–fewer IT staff are left to do more of the work. And, these already short-staffed IT teams must often chase false positives, events that don’t impact digital experience. The lack of automation of these workflows results in longer resolution times of critical issues and higher error rates, both of which can negatively impact user experience and business performance.

How Riverbed IQ leverages Intelligent Automation

Riverbed IQ unified observability service automates incident response of performance and security events and provides intelligent trouble ticketing to ServiceNow.

Incident response

With the Riverbed portfolio’s full-fidelity insights and rich analytics, complex troubleshooting workflows become razor sharp, highly automated processes. Riverbed IQ replicates the advanced investigative processes of Network Operations teams, providing context-driven insights that empower them to proactively resolve issues without escalating.

Security forensics investigations

SecOps teams want easy access to all data sources and to integrate that data into their SOAR and SIEM tools. Riverbed IQ provides out-of-the-box runbooks for security investigations. These runbooks give SecOps teams easy access to Riverbed telemetry data to help fully investigate threats. As a result, security tools gain more context for threat investigations, reducing risk to the business.

Auto-populating trouble tickets

In today’s modern IT market, targeted delivery of fast, context-driven insights to ITSM solutions can mean the difference between business triage and business optimization. Riverbed IQ uniquely delivers deep ServiceNow incident context that streamlines ticket creation and reduces escalation. Riverbed IQ links back to the originating source telemetry to assemble supporting troubleshooting data. Data collected can include network, infrastructure, application, and end user experience.

Automation guides Aternity remediations

Aternity end user experience monitoring is also leveraging intelligent automation from the Riverbed Observability platform. Unlike other solutions that require a multitude of remediation scripts that address narrow use cases, Aternity sets itself apart by offering one-click remediation actions that can dynamically mimic expert decision-making by constructing logic-driven remediation workflows using reusable steps. This enables the resolution of both simple and complex issues. Combined with the fact that Aternity offers an extensive catalog of Macintosh and PC remediations for recurring desktop issues such as application hangs, boot and login times, network connectivity, application crashes, OS crashes and more, IT can have more time to focus on innovation.

 

Aternity leverages automation to dynamically mimic expert decision-making by constructing logic-driven remediation workflows.

What’s the difference between AI and Intelligent Automation?

AI or Artificial Intelligence is excellent at sorting and classifying both structured and unstructured data. It can provide deep insights into trends, patterns and outliers. For example, a well-trained AI algorithm can execute tasks like recognizing the contents of an image, understanding the contents of a document, correlating related events, and more.

Intelligent automation, on the other hand, refers to the use of advanced technologies such as AI, machine learning, correlation, and automation workflows to automate IT processes. Intelligent automation combines the power of automation with AI to create systems that make decisions with minimal human intervention.

AI is a necessary component of intelligent automation. The main difference between the two is that AI is focused on creating intelligence, while intelligent automation is focused on automating specific tasks or processes to increase efficiency and productivity.

Benefits of Intelligent Automation

McKinsey Global Institute estimates that knowledge work automation tools could take on tasks that would be equal to the output of 110 million to 140 million full-time equivalents (FTEs). They feel it’s possible this incremental productivity could have as much as $5.2 trillion to $6.7 trillion in economic impact annually by 2025.

Intelligent Automation helps organizations improve their agility, reduce costs, and deliver better quality services to their customers.

Other benefits of IT automation include:

  • Increased efficiency: Automation can significantly improve efficiency by automating repetitive tasks, reducing manual effort, and speeding up processes.
  • Improved accuracy: Automation can decrease the risk of human error, improving accuracy and reliability of IT processes.
  • Better resource utilization: By automating routine tasks, IT staff can focus on more strategic and complex tasks, making better use of their skills and expertise.
  • Faster MTTR: Automation reduces the time required to complete tasks, speeding the recovery of applications and services.
  • Cost savings: Automation decreases the need for manual labor, saving costs on other operational expenses and allowing staff to work on more strategic projects.
  • Scalability: Automation helps organizations scale their operations easily and cost-effectively, by limiting the need for manual analysis.
  • Improved customer satisfaction: Automation delivers consistent and high-quality services, leading to increased customer satisfaction.

Overall, Intelligent Automation helps organizations improve their agility, reduce costs, and deliver better quality services to their customers. For more information on how you can use Riverbed’s Intelligent Automation capabilities to improve your IT environment, visit the new Intelligent Automation page.

What is Observability vs Monitoring?
https://www.riverbed.com/blogs/what-is-observability-vs-monitoring/ Fri, 07 Apr 2023 12:17:00 +0000

Observability and monitoring are related concepts in the field of IT operations, but they are not the same thing.

Monitoring refers to the practice of collecting and analyzing data from network, applications, infrastructure, and user experience data to detect issues or anomalies. Monitoring typically involves setting up threshold alerts to notify operators or developers when something goes wrong. The goal of monitoring is to provide insight into availability, performance, and usage.

Observability takes monitoring a step further by emphasizing the importance of understanding the internal workings of a system, rather than just monitoring its inputs and outputs. Observability involves collecting and analyzing data at a deeper level and requires full-fidelity cross-domain data to gain a holistic view of system behavior. The aim of observability is to enable proactive detection and resolution of issues, rather than just reactive problem-solving.

Monitoring is a subset of observability

In short, observability and monitoring are like different sides of the same coin. Monitoring provides a basic level of visibility into a system, while visibility provides a more comprehensive view of performance behavior. Observability takes this even further by emphasizing the need to understand the internal workings of a system to improve its overall performance and reliability.

What is observability?

Observability is a concept used in various fields, including engineering, computer science, and systems analysis, among others. It refers to the ability to understand and analyze the internal workings of a system or process based on the data and information that it produces. Essentially, it is the degree to which we can observe and measure what is happening within a system.

In computer science, observability is often associated with software and application development. It involves the ability to monitor and debug complex software systems by collecting and analyzing data from various sources, such as application logs, metrics, and traces. By doing so, developers can identify and resolve issues within the software and improve its overall quality and performance.

It expands the concept of observability to all IT systems, including the network, infrastructure, applications and user experience. It leverages full-fidelity data, analytics and correlation, and intelligent automation to gather contextual data that supports fast identification and resolution of performance and security issues.

Overall, observability is a crucial concept that enables us to gain insight into the internal workings of complex systems and processes, which can help us improve their performance, reliability, and overall effectiveness.

What is monitoring?

Performance monitoring is the process of tracking and analyzing the performance metrics of a system or process, such as a computer system, network, or application, to ensure that it meets the required performance levels or SLAs (service level agreements). It involves monitoring various metrics, such as response time, throughput, and error rates, and comparing them against predetermined benchmarks or thresholds.

The goal of performance monitoring is to identify and diagnose performance issues, such as slow response times, high resource utilization, or system crashes, and take appropriate action to resolve them. This can involve adjusting system configurations, upgrading hardware or software components, or optimizing code or algorithms.

Performance monitoring is critical for ensuring the efficient and effective functioning of systems and processes, as well as for ensuring customer satisfaction and maintaining business continuity. It is commonly used in industries such as IT, telecommunications, finance, healthcare, and manufacturing to monitor and optimize the performance of critical systems and applications.

Observability and monitoring: what’s the difference?

Observability and monitoring are both important concepts in IT operations, but they have slightly different meanings.

Monitoring generally refers to the process of collecting data about a system, such as its performance, availability, and usage, and using that data to identify and diagnose problems or to optimize performance. Monitoring is typically done using specialized telemetry that collects and analyzes data from various sources, such as from the network or applications.

Observability, on the other hand, is a more holistic concept that refers to the ability to understand and reason about a system’s behavior and performance from its outputs. An observable system is one that provides enough information to allow IT to understand how it is behaving and to diagnose problems more easily. It typically has a well-defined interface that allows IT to collect and analyze data about its behavior.

In summary, monitoring is a subset of observability, where monitoring is a way to gather data about a system, while observability is the ability to reason about that system from its data outputs.

What are the benefits of observability?

There are several benefits of observability, including:

  1. Faster problem detection: With observability, it becomes easier to detect problems as they occur, rather than waiting for user complaints or failures. This can help reduce downtime and improve overall reliability.
  2. Faster problem resolution: Once a problem is detected, observability tools can help pinpoint the root cause of the issue. Riverbed Unified Observability uses intelligent automation to gather supporting evidence and context. This reduces the time it takes to resolve the problem and get the system back up and running.
  3. Better performance: By monitoring key metrics and indicators, observability can help identify performance areas that are not optimal. This can help improve performance of networks, applications, and user experience and prevent potential issues before they occur.
  4. Improved collaboration: Observability tools can provide visibility into the internal state of a system to multiple teams across an organization. This can improve collaboration between teams and help everyone work towards a common goal of improving performance and reliability.
  5. Better customer experiences: By detecting and resolving issues faster, observability can help improve users’ digital experiences, which leads to increased customer satisfaction and loyalty.

What is Riverbed Unified Observability?

Riverbed IQ, a SaaS-delivered Unified Observability service, surfaces impactful issues with context to solve problems fast. It leverages key metrics across a full range of monitoring telemetry—from the network, infrastructure, applications, and end users—to provide the foundation of unified observability. It applies a diversity of analytics and correlates across five dimensions to group related indicators into a single incident for more accurate alerting and faster problem identification. It then employs intelligent automation that replicates the best practices of IT experts to gather evidence, build context, and set priorities. As a result, IT can fix problems faster and more efficiently.

For more information on Unified Observability and monitoring, click here.

Riverbed IQ Leverages Third-Party Data https://www.riverbed.com/blogs/alluvio-iq-unified-observability-leverages-third-party-data/ Mon, 27 Feb 2023 13:44:00 +0000 /?p=20054 According to Enterprise Management Associates, 64% of organizations use 4-10 monitoring tools, while another 17% use 11 or more. This tools sprawl exacerbates the challenge of correlating disparate data sources to determine root cause of complex incidents. Additionally, problems such as alert fatigue, death by dashboards, and a lack of technical expertise also often coincide with tools sprawl.

However, many of these monitoring tools are necessary to provide different perspectives of network, application, and end user performance. Yet, some tools can be so entrenched that any change or attempt to consolidate is a significant endeavor. To move away from these ingrained tools often means incurring significant costs and time.

Riverbed IQ Unified Observability

Riverbed IQ, Riverbed’s SaaS-delivered Unified Observability service, empowers IT to identify and fix problems fast. It leverages Riverbed full-fidelity end user experience, network and application data, then applies machine learning (ML) to contextually correlate the disparate data streams to identify business-impacting events. This intelligence informs IQ’s automated runbooks that gather supporting context, filter out noise, and set priorities. As a result, Riverbed IQ reduces alert overload and accelerates root cause analysis of the most impactful alerts.

Riverbed IQ now includes third-party data

Now the Riverbed team recognizes that when a company uses an abundance of monitoring tools, they want to integrate all their data in Riverbed IQ to truly simplify the troubleshooting process. So, we added the capability to import data from other solutions (think third-party monitoring tools or business intelligence). Plus, IQ can export intelligent insights to third-party solutions like Slack, ServiceNow, custom scripts, Ansible runbooks, etc.

The third-party data is added through the automated runbooks, where the data can then be used as if it’s native Riverbed data. Use it for decision making (if X happens, get relevant data from solution Y) and visualizations. Because IT can now use all data in its environment, IQ better tailors the automated investigations to the organization’s troubleshooting process.

Alluvio IQ runbook
Riverbed IQ lets you import or export data from/to third-party solutions. This runbook sends an alert with supporting data to ServiceNow when the impact of the event is deemed critical.

How it works

The integration process is simple yet flexible enough to support non-Riverbed solutions in just a few easy steps. First, you need to authenticate with the third-party solution. Then you can build an “HTTP Request,” which enables IQ to leverage data from any solution with a public REST API. Finally, “Transform” translates the third-party data into terms Riverbed IQ understands.

Watch this video to see how to build and use third-party integrations:

Leverage any data

With this announcement, Riverbed IQ can leverage any data in the IT or business environment that could inform troubleshooting. In fact, one Riverbed IQ customer in the petroleum industry pulls in oil viscosity data when troubleshooting certain issues.

For more information about Riverbed IQ or how to leverage third-party data within runbooks, visit the Riverbed IQ web page.

Riverbed IQ Solves Zero Trust Blind Spots https://www.riverbed.com/blogs/alluvio-iq-unified-observability-solves-zero-trust-blind-spots/ Wed, 22 Feb 2023 13:24:00 +0000 /?p=20038 As companies have shifted their employee workspace environments from the office to a “work from anywhere” model, the security perimeter has extended to cover remote users, data centers, SaaS applications, IaaS applications and more. In modern distributed environments, it’s common to have at least three different WAN routing options for traffic: direct to internet, corporate VPN, and Cloud Access Security Brokers (CASB). There are often routing rules in place where business applications use one route, such as the CASB, while other applications go direct to internet. The route used can have a significant impact on application performance and user experience.

With adoption growing quickly, Zero Trust Network Architectures (ZTNA) like SASE and Security Service Edge (SSE) enable users to securely access their applications, devices, data, etc. wherever they are located. For companies, this means that a threat can be easily contained and isolated in the event of a breach. The problem is that the tunnels that secure the data also reduce visibility and add monitoring and troubleshooting complexity.

ITOps teams can no longer look into traffic directly within these environments. As the traffic enters a Zscaler or Netskope tunnel, for example, it gets combined and homogenized. As a result, IT loses the detail it needs to identify where slowdowns are occurring and what is causing them.

Riverbed IQ observes Zero Trust environments

Riverbed IQ Unified Observability leverages end user experience metrics plus advanced logic and correlation to deliver much needed visibility into Zero Trust environments. By viewing the application traffic before it enters the VPN or CASB gateways, IT can now monitor and troubleshoot access and performance issues.

When problems occur, Riverbed IQ surfaces performance indicators, including valuable context about the scope, severity, and probable root cause. Key measurements that Riverbed IQ uses include:

  • Which applications are having performance issues?
  • Which users are impacted? Are there users who are not impacted?
  • Which locations are impacted?
  • How severe is the impact?
  • How are the impacted users accessing the application? (CASB, VPN, etc.)
  • Is the issue caused by a specific ISP?
  • Is the VPN or gateway causing the problem?

Watch this video to learn more about how Riverbed IQ works in Zero Trust environments.

Riverbed IQ for the win

Providing IT teams with the means to troubleshoot problems within today’s modern architecture is not always easy. Many organizations resort to synthetic testing, but this only lets you know there’s a problem. It does not provide root cause details.

Riverbed IQ delivers the unified observability that IT teams need to diagnose and resolve new blind spots by integrating and correlating user experience data from Riverbed Aternity. IT teams can now determine where problems reside, who is impacted, and problem severity. Armed with this information, they can now troubleshoot previously difficult-to-diagnose issues in hybrid work and Zero Trust environments.

Solving Hybrid Work Challenges for NetOps https://www.riverbed.com/blogs/solving-hybrid-work-challenges-for-netops/ Fri, 10 Feb 2023 13:33:00 +0000 /?p=18829 According to Gartner, hybrid work is here to stay, with 75% of hybrid or remote knowledge workers saying their expectations for working flexibly have increased. If an organization were to go back to a fully on-site arrangement, it would risk losing up to 39% of its workforce. However, hybrid work architectures often leverage tunneling technologies to establish “work from anywhere” environments, and these tunnels create blind spots that complicate troubleshooting and problem resolution.

When employees work from an office, the network team is responsible for application access and network transport issues, and has access to a mature toolset to help identify and resolve issues. As work from anywhere proliferates, the responsibility for identifying and troubleshooting remote issues in these new direct-to-cloud environments still falls within the network teams’ domain. Yet, because of the new blind spots, they lack the visibility to be effective.

When it comes to hybrid work, Level 1-2 techs need to be able to identify network access and performance issues for end users accessing business applications. They need to be able to understand:

  • The scope and severity of the issue so that they can prioritize appropriately and understand if they need to escalate to level 3.
  • The impact on end users so that they can document and communicate the incident to the affected end users.
  • The cause of the issue so they can know which resources to call (ISP, CASB supplier, application owner, security team, device issue, etc.) and understand when the issue might be resolved.

However, the problem space has changed. There are several environmental challenges that limit NetOps visibility into application performance.

Hybrid work visibility challenges for NetOps teams

Split Tunnels

Hybrid work is the new norm but there are significant barriers to effective troubleshooting.

In modern hybrid work environments, it’s common to have three different routing options for traffic: direct to internet, VPN, or through a security broker such as a CASB or ZTNA. There are often routing rules established where specific applications use one route (such as the CASB) and other applications go direct to the internet. The routing or tunnel being used can have a significant impact on application performance and end user experience.

CASB

CASBs are widely adopted and create a bottleneck for performance while optimizing for security. CASBs are often implemented by the security team. They make it more difficult for the network team to troubleshoot, as the tunnels add complexity and reduce visibility through encryption of traffic. In a few ad hoc tests, CASB bandwidth is as low as 3 Mbps, and security scanning time adds a further slowdown.

Multiple gateways

There are typically multiple gateways being used by each type of tunnel. For example, users in the northeast United States may have CASB traffic tunneled to gateway X, while users in central United States are connecting to gateway Y. If only one gateway is causing problems, it is difficult to determine that. This gateway issue is also applicable to corporate VPNs.

SaaS vs corporate applications

The percentage of companies using SaaS to meet their software needs is steadily increasing, with 80% of companies relying on SaaS apps in 2022. The remaining corporate applications are usually hosted in a data center. Remote user traffic traverses a physical network which can cause additional slowdown. This is still the responsibility of the network team to diagnose.

ISP variables

Remote workers typically use their own ISP. This variability is an additional challenge when trying to identify root cause.

Home network variables

Remote workers are typically responsible for their home network. Variables such as poor Wi-Fi or congestion on the home network are an additional challenge when trying to identify root cause.

Many locations

Finally, in hybrid work environments, location is less specific than with on-premises users. There may be users in a general geographic area that are having issues due to an ISP or gateway, but it is not as easy to use a specific site or location to identify problems.

Riverbed IQ brings visibility to hybrid work

By adding Riverbed Aternity end user experience metrics to Riverbed IQ, Riverbed’s SaaS-based unified observability solution, NetOps teams can gain visibility into traffic that leaves the home computer and goes to a data center or SaaS application.

IT teams can now answer questions like:

  • Which applications are having network performance issues?
  • How many users are impacted, and how severe is the impact?
  • How are the impacted users accessing the application? (VPN, Direct to internet)
  • Which locations are affected?

To learn more about how Riverbed IQ helps organizations shift left, visit this page.

Riverbed IQ Accelerates Troubleshooting with New Integrations https://www.riverbed.com/blogs/alluvio-iq-accelerates-troubleshooting-with-new-integrations/ Tue, 07 Feb 2023 13:05:00 +0000 /?p=19650 According to Enterprise Strategy Group’s 2023 Technology Spending Intentions Survey, more than half (53%) of respondents said their organization’s IT environment is more or significantly more complex than it was two years ago. The most common reason for this added complexity is the increase in remote and hybrid work driven by the COVID-19 pandemic. While some organizations have returned to pre-pandemic levels of in-office work, supporting remote and hybrid work strategies continues to be an issue for many IT teams.

Often related to the remote work issue is SSE (Security Service Edge), which security teams use to secure cloud computing, edge computing and remote work. SSE is the security portion of SASE (Secure Access Service Edge). Its capabilities include access control, threat protection, data security, security monitoring, and acceptable use control.

Gartner predicts that by 2025, 80% of enterprises will have adopted a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform.

The problem with both remote work and security service edge is that monitoring network performance is extremely difficult by traditional means. Riverbed customers have voiced that the security team uses SSE to build tunnels upon tunnels, making it next to impossible to figure out where slowdowns are occurring. This is why we announced the next release of Riverbed IQ unified observability service.

Riverbed IQ supports Riverbed Aternity

Customers need to know when connectivity or transport issues are affecting performance, regardless of where the user is located or which type of application they are using (data center, cloud, or SaaS app). With the integration of Riverbed Aternity, Riverbed IQ unified observability surfaces impactful incidents from physical networks, remote work environments, cloud apps, and SSE-protected apps.

This release adds the first of the Aternity metrics, specifically Application-Location and Application-Activity data. Application-level metrics are native and derived high-level metrics associated with application performance from the user perspective. Activity-level metrics provide detailed metrics associated with the “activities” that comprise an application, such as downloading a Salesforce report. Activity-level metrics offer excellent visibility into issues affecting a specific activity or part of an application.

Riverbed IQ leverages these metrics to identify performance problems where hybrid work or SSE tunneling is involved. It includes details regarding where the problems are occurring, the user impact, and problem severity, including:

  • Which applications are having network performance issues?
  • How severe is the impact?
  • How many users are impacted?
  • Which locations are impacted?
  • How are the impacted users accessing the application? CASB, VPN, Direct to internet?
  • Is the issue caused by a specific ISP or VPN?

Read the solution brief on Monitoring Remote Work and SSE Environments.

Third-party integrations

Importing/exporting third-party data is the number one question asked about Riverbed IQ. Riverbed IQ now allows customers to use data from any third-party solution with a public REST API. Riverbed IQ can pull third-party data into its runbooks for use in decision branches to make decisions based on this data or to add visualizations to impact summaries to tailor the automated investigations to an organization’s specific troubleshooting processes.

Alternatively, Riverbed IQ runbooks can push incident data to third-party solutions. For example, Riverbed IQ can send context-rich, actionable alerts to solutions like Slack or ServiceNow for consolidated alerting.

Integrating ServiceNow data into Alluvio IQ
The new third-party integrations feature enables users to import or export actionable insights to solutions like ServiceNow.

Check out the solution brief on how Riverbed IQ’s third-party integrations work.

Other important new features

Riverbed IQ has achieved SOC2 Type II and ISO 27001 security certifications. These certifications give organizations confidence that Riverbed IQ has the policies, procedures, and technology to keep their data secure and private. Lastly, Riverbed IQ is now also hosted in Frankfurt, Germany to support our European customers.

More info

Powered by full-fidelity telemetry and leveraging a combination of AI/ML and workflow automation, Riverbed IQ unified observability service detects business-impacting events while facilitating fast, efficient problem diagnosis. Visit this page for more information on Riverbed IQ or, to start a free trial, click here.

EMA Releases New Report on Network Observability https://www.riverbed.com/blogs/ema-network-observability-report/ Mon, 07 Nov 2022 13:32:00 +0000 /?p=19284 The recently released report by Enterprise Management Associates (EMA), Network Observability: Delivering Actionable Insights to Network Operations, is sponsored by Riverbed and helps IT buyers understand what traditional network performance management vendors mean when they use the term network observability.

New EMA report on Network Observability
This new EMA report defines network observability for IT buyers

In fact, the purpose of this report is to define network observability for IT buyers, so they can effectively communicate about emerging NetOps requirements and the innovations that vendors, like Riverbed, offer to address those requirements.

Network teams besieged

Network operations teams are struggling to maintain visibility in today’s rapidly changing digital environment. In fact, fewer NetOps teams are successful in their mission than ever before, with the number declining from 47% in 2018 to 27% in 2022.

Some of the significant challenges the survey uncovers include:

  • Data conflicts between individual tools, limiting IT’s ability to correlate insights across data types  
  • Lack of actionable alerts generated by network tools
  • New drivers of new NetOps visibility requirements, like remote work and real-time applications 
  • Organizations prioritizing the optimization of their network tools so lower-skilled admins can do more problem-solving

Network Observability

The report also includes interesting data about what network teams are looking for in a network operations solution. The most essential observability features include:

  • Data visualization              
  • Traffic analysis
  • Change detection and validation
  • Automated escalations

Respondents also want to automate troubleshooting with their network observability tools; however, they are most interested in automating root-cause analysis and problem isolation. Additionally, nearly half of respondents believe anomaly detection is essential for efficient troubleshooting.

Riverbed IQ Unified Observability

Riverbed IQ is Riverbed’s Unified Observability service, which empowers network teams to solve problems fast by simplifying and accelerating troubleshooting. It leverages these key features:

  • Full-fidelity Riverbed telemetry for network, infrastructure, application, and end user experience data
  • Anomaly detection (AI, ML, and correlation) to identify only the most business-impacting events
  • Automated workflows to gather relevant data for one-stop troubleshooting

Watch this short video to see Riverbed IQ in action:

For more information about Riverbed IQ, click here, or if you would like to read the EMA Network Observability report, visit this link.

Analytics Control Riverbed IQ https://www.riverbed.com/blogs/analytics-control-alluvio-iq/ Mon, 31 Oct 2022 12:27:00 +0000 /?p=19144 According to Gartner, analytics and AI continue to be the top IT and business investment priorities for organizations’ digital transformation initiatives. Emerging technologies, such as AI, improve process efficiency, enable faster decision-making with access to data, and enhance customer experiences across business domains.

Forrester Research has disclosed that without the comprehensive insights they need to succeed, technology leaders are struggling to keep up with business demand and enable future growth. The modernization of IT operations is coming at these leaders from multiple areas. It centers, however, on the need for operational insights to drive value-based and AI-driven actions.

Forrester also feels various capabilities must work together for observable insights to deliver value and, therefore, defines these four functionality categories of observability:

  • Telemetry data is the bedrock of observability. This is the origination of all data and telemetry that an observability solution might leverage.
  • Exploration leads to a deeper understanding of entities. The aggregation, standardization, and time series collection of telemetry data prepare it for analysis and processing.
  • Insights surface important opportunities to act on. The application of AI/ML and other data science approaches identify patterns, trends, correlations, and anomalies.
  • Utilization of insights delivers high value. The insights surface so the organization can take proper actions to remedy or prevent various scenarios. The goal is to progress from predominantly manual consumption and dissemination toward analytics-based automated remediation and issue avoidance as maturity grows.

Riverbed IQ leverages analytics

Riverbed IQ follows these four functionality capabilities to provide actionable insights for our customers. It extensively leverages analytics, including machine learning (ML) and artificial intelligence (AI), to identify business-impacting events and reduce the noise from low-level or related incidents.

A quick overview of Riverbed IQ’s capabilities to set the background for our analytics discussion and to show how it supports Forrester’s observability functionality categories: Key metrics from Riverbed full-fidelity data are gathered, distributed, and accessed through the Data Ocean. A subset of the metrics stream through the Analytics Pipeline to monitor the health and performance of the IT environment and alert on anomalies. The anomaly data is then accessible to the Runbooks for no-code investigations, which gather contextual information about the incident to expedite impact assessments, troubleshooting, and resolution times.

The Analytics Pipeline receives all key metrics to aid in the detection and correlation of anomalies. It processes them through multiple stages to reduce the noise associated with too many alerts:

1. Anomaly Detection

As metrics flow through the Analytics Pipeline, they are monitored for anomalies that could be leading indicators of issues. These indicators are then associated with a monitored object (i.e. Application, Device, or Interface) to provide metric-relevant context, including associated metadata.

Riverbed IQ applies machine learning and AI algorithms, like baselining and variance analysis, to detect anomalies and surface potential problem indicators. It also leverages thresholds to set high watermark indicators.

  • Thresholds are simple “trip-wires” applied to metrics that will quickly create an indicator when the associated threshold is violated. For example, thresholds are used to detect issues like device down or when interface utilization is above 90%. Thresholds work well in situations where there is a known range, such as interface utilization. Thresholds are also paired with a baseline to handle cases where high values are normal.
  • Baselines are a method of assessing performance or behavior by comparing it to a historically derived baseline. Baselining is useful for handling performance metrics that do not have a fixed range, and where it is difficult to know when a performance indicator has entered a bad state. For example, organizations today use hundreds of applications, and the performance across the applications varies widely. A static threshold for latency or response time across all applications does not work, so we use baselines to learn what the normal behavior is for each application and then create anomalies when the application’s metrics are outside of the normal range.
  • Variance analysis is the comparison of predicted and actual outcomes.
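The threshold and baseline behaviour described in the list above, as an added Python example that is not Riverbed's code or algorithm: the mean-plus-k-sigma baseline, the 1000 ms static latency limit, and all object names and sample values are assumptions constructed for illustration. It shows a single static latency limit misfiring across two applications, and a 90% utilization trip-wire paired with a baseline so that a link whose normal load is high stays quiet.

```python
from collections import defaultdict, deque
from statistics import mean, pstdev

UTIL_LIMIT_PCT = 90.0       # the page's example trip-wire: interface utilization above 90%
STATIC_LATENCY_MS = 1000.0  # assumed one-size-fits-all latency limit, for contrast only


def threshold_violated(value, limit):
    """Static trip-wire: fires as soon as the metric crosses a fixed limit."""
    return value > limit


class RollingBaseline:
    """Per-object baseline learned from recent history (assumed method: mean + k * sigma)."""

    def __init__(self, window=50, k=3.0, min_samples=10, rel_floor=0.05):
        self.k = k
        self.min_samples = min_samples
        self.rel_floor = rel_floor  # minimum spread, as a fraction of the mean
        self.history = defaultdict(lambda: deque(maxlen=window))

    def is_anomalous(self, obj, value):
        hist = self.history[obj]
        anomalous = False
        if len(hist) >= self.min_samples:  # stay silent until a baseline exists
            mu = mean(hist)
            spread = max(pstdev(hist), self.rel_floor * mu)
            anomalous = value > mu + self.k * spread
        if not anomalous:
            hist.append(value)  # keep outliers out of the learned normal
        return anomalous


# Constructed samples: twelve normal readings per object, then one final reading.
CRM_NORMAL = [200, 210, 190, 205, 195, 200, 210, 190, 205, 195, 200, 205]
LATENCY_MS = {
    "crm": CRM_NORMAL + [600],                          # 3x slower than usual
    "reports": [v * 10 for v in CRM_NORMAL] + [2100],   # always slow, still normal
}
UTILIZATION_PCT = {
    "wan-primary": [40, 45, 50, 42, 48, 44, 46, 41, 49, 43, 45, 47, 97],
    "wan-backup": [93, 94, 95, 92, 96, 94, 93, 95, 94, 92, 95, 93, 95],
}


def latency_indicators():
    """Compare one static latency limit with a per-application baseline."""
    baseline = RollingBaseline()
    static_hits, baseline_hits = [], []
    for app, series in LATENCY_MS.items():
        for i, value in enumerate(series):
            if threshold_violated(value, STATIC_LATENCY_MS):
                static_hits.append((app, i))
            if baseline.is_anomalous(app, value):
                baseline_hits.append((app, i))
    return static_hits, baseline_hits


def utilization_indicators():
    """Compare the bare 90% trip-wire with the same trip-wire paired with a baseline."""
    baseline = RollingBaseline()
    threshold_only, paired = [], []
    for iface, series in UTILIZATION_PCT.items():
        for i, value in enumerate(series):
            over = threshold_violated(value, UTIL_LIMIT_PCT)
            unusual = baseline.is_anomalous(iface, value)
            if over:
                threshold_only.append((iface, i))
            if over and unusual:
                paired.append((iface, i))
    return threshold_only, paired


if __name__ == "__main__":
    static_hits, baseline_hits = latency_indicators()
    print("static latency limit fired", len(static_hits), "times:", static_hits)
    print("per-application baseline fired:", baseline_hits)
    threshold_only, paired = utilization_indicators()
    print("90% trip-wire alone fired", len(threshold_only), "times")
    print("trip-wire paired with baseline fired:", paired)
```

The static latency limit flags every sample of the slow-but-normal application and misses the threefold slowdown in the fast one, which is the noise problem the baseline is meant to remove.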

The Riverbed IQ engineering and data science teams are continuously updating Riverbed IQ with more machine learning tools (i.e. algorithms) to grow and improve its AI capabilities.

The Riverbed IQ Impact Dashboard reflects the results of the analytics analysis and displays results according to impact on the business.

2. Correlation Engine

The correlation engine determines if there is any commonality or relationship between the detected anomalies. This is done to reduce noise. It organizes indicators into associated groupings to correlate related indicators through use of time, location, connection, and relationship maps.

3. Incident Manager

The incident manager assesses the newly reported detections to determine if they constitute a new incident or if they are associated with an existing incident. A trigger is generated for new incidents so that the proper Runbook can be executed automatically.

For more information on Riverbed IQ and how it leverages analytics and runbooks to provide actionable insights that aid customers in faster, more efficient troubleshooting, click here.

The Flexibility of Riverbed IQ Runbooks for Automating Troubleshooting https://www.riverbed.com/blogs/runbooks-for-automating-troubleshooting/ Fri, 28 Oct 2022 12:37:00 +0000 /?p=18992 Riverbed IQ, Riverbed’s SaaS-based Unified Observability service, uses automated investigative workflows, called runbooks, to enable faster, easier root cause analysis. The no-code runbooks play a significant role in automating the troubleshooting processes. In fact, they mimic an organization’s troubleshooting workflows to automate the collection of incident details.

These incident details are then stored in the Impact Summary, which shows the results of the runbook investigations, so all data about an incident is in one spot. The insights are immediately actionable as they deliver context-rich, filtered results that are ready for IT. Using a broad range of network, infrastructure, application, and end user experience data to develop the insights means cross-domain IT teams can effectively collaborate on root cause analysis. The benefits are faster mean time to know and mean time to resolution of the most business-impacting alerts.

Out-of-the-box runbooks

Riverbed IQ ships with a library of runbooks to ensure you get immediate value with minimal effort. Out-of-the-box, Riverbed IQ provides three runbooks–Interface Analysis, Device Analysis, and Application Analysis. These runbooks automate the process of gathering evidence, building context, and setting priorities for everyday IT problems.

You can use runbooks just as they come out-of-the-box, as many customers are doing. The Riverbed engineering team has spoken to hundreds of customers about how they troubleshoot, so the runbooks reflect that experience.

Administrators also have full flexibility to edit runbooks. This means administrators can customize or create any runbook, so it is tailored exactly to the organization’s particular needs. Admins can also create new runbooks and export, import, duplicate or delete them.

View Riverbed IQ runbooks in action

No-code runbooks in Riverbed IQ are easy to edit or create to ensure they are tailored to your organization’s requirements. Watch the video below to see how simple it is to edit a runbook. In this short video, we walk through how to:

  • Add another branch to an existing runbook
  • Ensure the runbook executes specific behaviors based on data unique to each incident
  • Verify it displays properly in the Impact Summary

Watch Video

In summary, Riverbed IQ unified observability provides easy control over your runbooks and troubleshooting data to simplify root cause analysis and reduce alert overload. The intelligence built into the Riverbed IQ runbooks replicates the troubleshooting workflows of IT experts to gather context, set priorities and highlight events that impact the most users, devices, and/or applications. As a result, Riverbed IQ reduces the volume of alerts to the most business impacting and empowers staff at all skill levels to identify and solve problems fast.

Shift Left for NetOps https://www.riverbed.com/blogs/shift-left-for-netops/ Mon, 24 Oct 2022 12:30:00 +0000 /?p=18435 Shift left is not new. In DevOps, for example, shift left means involving testing teams earlier in the development process and testing at all stages to find bugs when they are easier and less costly to fix. In NetOps, it means enabling more staff to take on first-level troubleshooting responsibilities without having to escalate to the experts.

Shift left for NetOps teams using Riverbed IQ offers significant benefits:

  • Reduces alert fatigue by identifying only business-impacting events
  • Enhances IT satisfaction by enabling junior staff while taking the burden off the IT experts
  • Improves digital experience by reducing mean time to know/resolution (MTTK/MTTR)
  • Improves IT efficiency by solving problems sooner
  • Increases productivity by enabling IT experts to focus on revenue-generating projects

Let’s explore each of these benefits in more detail…

Reduce alert fatigue

Today’s IT environments are profoundly more complex than in the past, with immensely more data and alerts to contend with. Most monitoring alerts provide little context to guide the troubleshooting process. For some companies, it has become impossible to manually investigate every alert; others turn alerting off altogether and wait for the phone to ring. In short, it’s becoming more difficult for IT to separate critical events from the noise, to identify business-impacting events, or to resolve incidents quickly.

Riverbed IQ can separate the noise from impactful events and get more IT staff troubleshooting at all levels, not just the experts. By leveraging AI/ML-based correlations to identify business impacting issues, and low-code investigations (runbooks) to automate the process of gathering evidence, building context, and setting priorities, the Riverbed IQ service provides the right details to enable incidents to be resolved by first-level responders.

Riverbed IQ uses AI and ML-based correlations to identify impactful events.

Enhance IT satisfaction

Enterprises often rely on a small number of highly skilled IT staff to troubleshoot complex issues. These skilled team members typically have wide technical and institutional knowledge, which puts them in high demand. Frequently, when the experts aren’t available, it takes an organization longer to get to resolution, or the problem may not get resolved until the expert returns. And, for IT team members who get pulled into troubleshooting when it’s not their primary job, it means they are being removed from strategic projects. This may lead to project delays and cost overruns.

Riverbed IQ codifies the knowledge that resides in your experts into automated runbooks that can easily be tweaked to your organization’s requirements. These customizable troubleshooting workflows enable more IT staff to troubleshoot effectively. By spreading the burden across more people, precious expert resources won’t get burnt out and we empower the junior staff to learn faster and take on more responsibility.

Automated investigations or runbooks automate and replicate IT’s process of gathering evidence, building context, and setting priorities so the context required to troubleshoot is always available.

Improve digital experience

Companies that enable level 1-2 IT staff to proactively identify and resolve problems early in the troubleshooting process achieve more first-time resolutions. Earlier resolution leads to less downtime, better service quality and increased user satisfaction.

Improve efficiency

By avoiding the need to escalate incidents to IT experts, the organization improves MTTR. Shift left also enables IT experts to focus on revenue-generating projects. By freeing up time previously dedicated to incident or fault resolutions, IT experts can focus on forward-looking initiatives that advance the organization’s digital transformation.

Enable shift left with Riverbed IQ

Riverbed IQ is a cloud-native, SaaS-delivered, open, and programmable solution for Unified Observability that empowers all IT staff to identify and fix problems efficiently. It uses full-fidelity end user experience and network performance data and then applies AI and machine learning (ML) to correlate disparate data streams and identify business-impacting events. This intelligence also informs low-code investigative runbooks that replicate the troubleshooting workflows of IT experts to gather additional context, filter out noise, and set priorities. The result reduces the volume of alerts to the most business impacting, and empowers staff at all skill levels to identify and solve problems faster.

To learn more about how Riverbed IQ helps organizations shift left, visit https://www.riverbed.com/products/riverbed-iq.

The Power of Full-Fidelity Telemetry in Unified Observability https://www.riverbed.com/blogs/power-of-full-fidelity-telemetry/ Fri, 21 Oct 2022 12:40:00 +0000 /?p=18866 Riverbed IQ’s approach to unified observability begins with the full-fidelity telemetry our market-leading NPM and DEM products provide. It applies artificial intelligence and machine learning (AI/ML) on this cross-domain data and correlates incidents across the data to identify business-impacting performance problems. Riverbed IQ then leverages automated workflow intelligence to gather additional evidence, build context, and set incident priorities. By reaching back into the Riverbed full-fidelity telemetry, IQ can fill in the supporting details—like affected clients, impacted devices, network round trip time, and more—to provide relevant perspectives to the Impact Summary.

This blog will dig into the importance of using full-fidelity telemetry with the Riverbed IQ unified observability service. But first, let’s define what Riverbed means by “full-fidelity.”

What is full-fidelity telemetry?

Full-fidelity data means you see and preserve every session in detail. It’s the capture and retention of every flow, every packet, every application transaction, and all user experience metrics so you see every incident. Having all data at your fingertips means you can rapidly search, pivot, and filter on any and all traffic of interest. Full-fidelity data enables quick answers to difficult questions—even if it happened weeks or months ago.

Riverbed full-fidelity telemetry

Riverbed offers a broad set of telemetry across multiple IT domains. Riverbed IQ currently supports network, infrastructure, and end user experience metrics from the following products:

  • Riverbed NetProfiler leverages full-fidelity network flow monitoring to proactively identify and quickly troubleshoot performance and security issues.
  • Riverbed AppResponse captures and stores all packets. It delivers all-in-one packet capture, application analysis, transactional details, and flow export on the same box.
  • Riverbed NetIM is a holistic solution for discovering, modeling, monitoring, and troubleshooting your IT infrastructure. It supports SNMP, streaming telemetry, WMI, CLI, and syslog.
  • Riverbed Aternity provides rich visibility into employee experience for your organization’s cloud, SaaS, thick client, and enterprise mobile apps.
The Riverbed Unified Observability portfolio consists of a broad range of full-fidelity telemetry, from DEM to NPM.

The problem with sampled data

Sampling is the opposite of full fidelity. Metadata generated from sampled metrics can leave significant gaps in visibility and lead to blind spots that make it difficult to detect performance and security issues. For example, some vendors only collect packet metrics based on KPIs. While this may be okay for many incidents, not storing the actual packets means that when you do need more details, they are not available.

Another example is using sampled flow data. Sampling is typically employed to reduce the volume of flow records exported from each network device. While this practice allows you to deploy cheaper, lower spec’d telemetry solutions, it also effectively cuts corners on providing the complete view that IT needs for fully effective visibility and forensics. As such, Riverbed does not recommend sampling if you are using flow, and instead, encourages using raw flows whenever possible.

There are trade-offs when it comes to using sampled flow, especially for security or forensics analysis. Metadata generated from sampled flow leaves a big gap in visibility. If we consider a 10G link where the sampled flow data is generated by typically sampling 1 in 2000 packets, that means 99.95% of traffic is not being viewed or stored for future use. This also means we are only getting visibility into 0.05% of traffic flows; this might be fine for capacity planning but it’s not nearly sufficient for good visibility or observability.
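To make the 1-in-2000 figure concrete for individual flows, the following added example (not from the original article or from Riverbed) computes how likely a flow of a given size is to appear in sampled flow records at all. It assumes each packet is sampled independently with probability 1/N, and the flow names and packet counts are constructed for illustration.

```python
import math

SAMPLING_N = 2000  # 1-in-2000 packet sampling, the rate quoted in the text


def miss_probability(packets: int, n: int = SAMPLING_N) -> float:
    """Chance that none of a flow's packets is sampled (flow is invisible).

    Assumption: every packet is sampled independently with probability 1/n.
    """
    return (1.0 - 1.0 / n) ** packets


def packets_for_detection(confidence: float, n: int = SAMPLING_N) -> int:
    """Smallest flow size (in packets) seen at least once with this probability."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - 1.0 / n))


def expected_visible(flows: dict, n: int = SAMPLING_N) -> dict:
    """Per-flow probability of appearing in the exported flow records."""
    return {name: 1.0 - miss_probability(pkts, n) for name, pkts in flows.items()}


# Constructed flow sizes in packets (illustrative, not measured traffic).
SAMPLE_FLOWS = {
    "dns-lookup": 2,
    "short-https-session": 40,
    "file-download": 50_000,
    "backup-job": 2_000_000,
}

if __name__ == "__main__":
    for name, p in expected_visible(SAMPLE_FLOWS).items():
        print(f"{name:22s} {SAMPLE_FLOWS[name]:>9d} pkts  P(seen) = {p:.4f}")
    print("packets needed for a 95% chance of being seen:",
          packets_for_detection(0.95))
```

Short flows are the ones that vanish: the bulk transfers that matter for capacity planning are almost always sampled, while small sessions of forensic interest usually are not.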

Riverbed IQ leverages full-fidelity visibility

Riverbed IQ works best with full-fidelity telemetry. In fact, it can analyze more than 10 million data points per minute from supporting Riverbed telemetry. Because Riverbed telemetry captures everything and doesn’t sample, you’ll never miss a performance problem. Because Riverbed solutions provide deep and broad visibility, they are perfect for providing baseline metrics for Riverbed’s new Riverbed IQ unified observability service.

Riverbed IQ Overcomes Common IT Challenges https://www.riverbed.com/blogs/alluvio-iq-overcomes-challenges/ Mon, 03 Oct 2022 12:30:00 +0000 /?p=18501 Today’s IT environments are more complex than ever before. Technologies like hybrid work, distributed hybrid cloud, and advanced network environments, such as SASE, CASB, and SDWAN, are causing new blind spots and reducing IT’s visibility. Below are some other common IT challenges and how Riverbed IQ unified observability can help your organization surmount them.

Alerting overload

Today’s IT environments are profoundly more complex than in the past, with immensely more data and alerts to contend with. Most of these alerts provide little context to help prioritize issues or help expedite the troubleshooting process. Some companies get so many alerts that it’s impossible for them to manually investigate every incident. We’ve run into other organizations that turn alerting off altogether and wait for the phone to ring. This overabundance of alerts and lack of actionable insights consumes IT’s bandwidth and makes it more difficult for them to separate critical events from the noise.

Riverbed IQ employs Machine Learning (ML) to continuously analyze key metrics that characterize the IT environment and “fits” the most appropriate algorithm, so we leverage the most information from the data. Riverbed IQ continuously assesses the run-time environment and performance to learn behaviors and automatically adapts as the system evolves.

The Artificial Intelligence (AI) inherent in Riverbed IQ algorithms does the heavy lifting and can sift through many datasets to quickly identify and correlate anomalous behaviors that are then run through automated investigations (aka runbooks). Riverbed IQ’s out-of-the-box runbooks gather critical context to provide insight into Impacts (specifically impacted users, locations, and applications) so IT can prioritize and collect supporting data to help IT expedite resolution. In this way, Riverbed IQ surfaces the most critical issues so IT can tackle the most critical incidents, rather than “clear-cutting the forest” of alerts, or chasing false positives.

Skilled resources scarcity

In addition, enterprises often rely on a small number of high-impact, in-demand, and highly skilled IT personnel to troubleshoot complex issues. Often IT management can even name the individuals responsible. When these skilled team members are unavailable, it takes longer to get to resolution, or the problem may not get resolved until they return. For IT experts who get pulled into troubleshooting when it’s not their primary job, there could be unplanned impacts on work-life balance (employee satisfaction) and potential delays to strategic projects.

Closing the IT skills gap
Riverbed IQ helps close the IT skills gap by enabling more IT staff to troubleshoot issues.

Additionally, these skilled team members have vast institutional knowledge. It is important to retain and share this tribal knowledge as these employees are in high demand and are frequently poached.

Riverbed IQ helps improve the quality-of-life for these skilled team members, while also enabling first-level personnel to contribute at a higher level. Riverbed IQ provides low-code automated runbooks that skilled team members can easily use to codify their knowledge. Once tribal knowledge is captured in runbooks, the skilled team members are free to pursue planned high-value tasks, while at the same time first-level personnel have immediate access to the context and supporting details needed to quickly assess/resolve issues.

Data granularity

Some companies deal with the volume, variety, and velocity of data and alerts by limiting or sampling data. For example, they may collect only every 10th or 100th data point, or collect only metrics. Essentially, they are making decisions based on incomplete snapshots of data. Without the full picture, this sampling can have disastrous consequences when monitoring security issues and can make troubleshooting more complex than it needs to be.

Riverbed IQ leverages the full-fidelity telemetry that our market-leading network, infrastructure, and end user experience products rely on. Because we capture everything and we don’t sample, and because Riverbed IQ analyzes 10+ million data points per minute, you’ll never miss a critical performance problem.

Hybrid work blind spots

Lastly, “hybrid work” architectures are becoming the norm (i.e., there is no longer a difference between in-office and remote users). Hybrid architectures leverage tunneling technologies to establish “work from anywhere” environments—but tunnels create blind spots that complicate troubleshooting and problem resolution.

When employees work from an office, the network team is responsible for application access and network transport issues—and it has access to a mature toolset to help identify/resolve issues.

As work from anywhere proliferates, the responsibility for identifying and troubleshooting remote issues in these new direct-to-cloud environments still falls within the network teams’ domain. Yet, because of the new blind spots, they lack the visibility needed to be effective.

Riverbed IQ provides NetOps with rich visibility into hybrid work issues.

Riverbed IQ leverages Riverbed Aternity end user experience data to triangulate from the edge and provide the visibility NetOps teams need to identify and prioritize network access and performance issues, the impact it has on end users, and who to call to resolve the issue (ISP, CASB supplier, application owner, security team, etc).


Unified Observability solves common IT challenges

Riverbed IQ is a cloud-native, SaaS-delivered, open, and programmable Unified Observability service that empowers all IT staff with actionable insights that help identify the critical issues and provide important context so they can fix problems fast. It leverages full-fidelity end user experience management (EUEM), network performance (NPM) and infrastructure data across the digital enterprise and then applies AI and machine learning (ML) to correlate data streams and identify business-impacting events.

This intelligence also informs the investigative runbooks that replicate the troubleshooting workflows of IT experts to gather context, filter out noise, and set priorities. It effectively changes the NetOps model from a reactive and woefully inadequate alert-driven approach to a more intelligent solution that proactively surfaces the most business-impacting issues. The result is that IT staff of all skill levels—not just IT experts—have the context they need to identify and solve problems fast.

Learn more

To learn more about how Riverbed IQ can solve today’s common IT challenges, please check out this Riverbed checklist, “9 Ways to Achieve Actionable Insights with Unified Observability.”

Seven Differentiators of Riverbed IQ Unified Observability Service https://www.riverbed.com/blogs/differentiators-of-alluvio-iq/ Mon, 19 Sep 2022 12:30:00 +0000 /?p=18475 What sets Riverbed IQ apart from other observability solutions? We end our customer presentation with a list of Riverbed IQ’s key differentiators that make Riverbed IQ’s ecosystem “a big deal,” according to a recent analyst briefing with IDC. With that in mind, here are the ones IDC also considers important for standing out in the hyper-competitive observability market:

Differentiator #1: Unlock the power of full-fidelity telemetry

Riverbed IQ’s approach to unified observability begins with the full-fidelity telemetry that our market-leading NPM and DEM products rely on. While today we leverage network, infrastructure, and end user experience metrics, the future will bring support for APM and device metrics. Because we capture everything and we don’t sample, and because Riverbed IQ analyzes over 10 million data points per minute, you’ll never miss an impactful performance problem.

Differentiator #2: Apply intelligence to problem detection

Monitoring for the past decade has used rule-based alerting. It’s time-consuming to set up and the thresholds are seldom reviewed often enough to be meaningful. This often leads to over-alerting, creating a high volume of alerts that are often false positives of an impactful issue.

Riverbed IQ removes the need for rule-based alerting by using machine learning and logic built by a data science team. The analytics in Riverbed IQ learn what is normal for a specific device, interface, or application, and then pass the problem on to automated investigations only when something is outside normal behavior and in the range of creating a performance issue.

Riverbed IQ leverages AI and machine learning (ML) to correlate and accurately identify cross-domain insights to surface only business-impacting events. It applies 10,000+ correlations per minute across devices, locations, and applications and displays the associated events by “Most Impacted Users, Locations and Apps” so IT can quickly see the worst problems and their impact on the business.

Differentiator #3: Automate the investigation process

Riverbed IQ also leverages automated, investigative workflows to handle the scale and complexity of today’s IT environments. These low-code runbooks replicate the best practices of expert IT teams. Pre-built runbooks gather evidence, build context, and set priorities to enable IT teams to save time, reduce escalations, and turn knowledge that resides in the minds of a few experts into knowledge that is usable by all IT. By spreading the burden for troubleshooting across the entire team, your highly skilled experts can now focus on high-value digital transformation projects rather than spending all day troubleshooting.

Differentiator #4: Codify expert knowledge

Riverbed IQ codifies the institutional knowledge that resides with IT experts and turns it into automated runbooks that can easily be customized to your organization’s specific requirements. These automated troubleshooting workflows (or runbooks) enable more IT staff to troubleshoot effectively. By spreading the burden across more people, Riverbed IQ reduces the risk that expert resources get burnt out and empowers all IT staff to learn faster and take on more responsibility.

Riverbed IQ codifies institutional knowledge into low-code runbooks to automate investigation processes.

Differentiator #5: Empower NetOps in hybrid work environments

Prior to the pandemic, when users worked in branch offices, the NetOps team was responsible for identifying network access and performance issues for end users accessing business applications. Surprisingly, that didn’t change when users went remote. NetOps is still responsible for identifying network access and performance issues for end users, even though they are blind to remote work problems.

By leveraging Riverbed end user experience metrics, Riverbed IQ removes these blind spots to enable network teams to:

  • Establish the scope and severity of a remote work issue so that they can prioritize and determine whether they need to escalate it.
  • Determine the root cause, whether it’s an ISP, CASB, application, or security issue, and estimate when the issue might be resolved (for example, an ISP issue takes more time than an internal issue).
  • Document the incident, understand its impact on end users, and communicate to the affected users.

Differentiator #6: Focus on what’s important

The combination of AI/ML and codified runbooks is unique. We’ve spoken with hundreds of customers who have been burned before by black box AI/ML, where they have no insight into why they got the results they did. By pairing the results of Riverbed IQ’s AI/ML correlations with our transparent runbooks, IT can see exactly why Riverbed IQ highlighted the issues it did. They can trust the output because they can always customize runbooks to their organization’s needs.

No competitive solution offers this combination of capabilities that leads to quicker resolutions, without having to escalate to your IT experts as often.

Differentiator #7: Riverbed Unified Observability Platform

Next in the list of differentiators is the Riverbed Unified Observability Platform, which provides comprehensive, standards-based cloud-native capabilities to enable Riverbed engineers to quickly create new Riverbed unified observability services and customers to deploy and administer them.

Deployed on Azure, the Riverbed Unified Observability Platform supports a suite of SaaS-based observability tools that IT can deploy quickly, administer securely, and scale seamlessly. The Riverbed platform centralizes authentication, privacy, and provisioning so IT can efficiently administer multiple observability services. It provides capabilities for ingesting, correlating, and storing massive volumes of data that supports observability use cases for today’s highly distributed IT infrastructures. With advanced AI and ML-powered analysis and the workflow engines, the Riverbed platform enables new services that streamline repetitive tasks so IT can deliver better digital experience.

Riverbed IQ is built on the Riverbed Unified Observability Platform. These differentiators enable faster development of new services through reuse of basic modules, and enable IT to deploy quickly, administer securely, and scale seamlessly.

About Riverbed IQ

To summarize, Riverbed IQ is a cloud-native, SaaS-delivered, open and programmable solution for Unified Observability that empowers all IT staff to identify and fix problems efficiently. It uses full-fidelity end user experience and network performance data to gain a complete picture of your environment. It applies AI and machine learning (ML) to correlate disparate data streams and identify business-impacting events. This intelligence also informs investigative runbooks that replicate the troubleshooting workflows of IT experts. The investigative runbooks gather additional context, filter out noise, and set priorities—reducing the volume of alerts to the most business impacting, and empowering staff at all skill levels to identify and solve problems fast.

To learn more about Riverbed IQ’s key differentiators, visit www.riverbed.com/riverbed-iq.

Riverbed IQ: Solve Problems Fast at Any IT Skill Level https://www.riverbed.com/blogs/alluvio-iq-solve-problems-fast/ Tue, 13 Sep 2022 12:17:28 +0000 /?p=18844 IT has a problem–well, quite a few problems. Monitoring tools are supposed to help network teams find and fix tech problems, but all too often, they simply offer a flood of data and alerts that lack context and fail to provide actionable insights.

As a result, IT professionals spend a lot of time in war rooms trying to figure out how to solve problems and are often forced to turn to a few highly skilled, senior-level individuals who understand how to manually investigate and troubleshoot issues. These experienced experts are in short supply, and their time is better spent on helping implement strategic initiatives rather than having to figure out why the network is down again.

There’s also the challenge of disparate, siloed tools that fail to provide IT with a holistic technology to enable seamless digital experiences. But finally, there’s a solution that can unite IT teams—Riverbed IQ. Discover how this new unified observability platform is the long-hoped-for solution to the many challenges plaguing IT teams.

What is Riverbed IQ?

Riverbed IQ is a cloud-native, SaaS-delivered unified observability product that correlates data across Riverbed Network Observability and Riverbed Aternity Digital Experience Management to detect and resolve critical events, even in hybrid work and hybrid cloud environments. Riverbed IQ achieves this by analyzing 10+ million data points per minute. By capturing all data points rather than relying on sample data, you’ll never miss a performance problem. Best of all, Riverbed IQ surfaces context-rich data so teams can quickly understand the problem and how to solve it.

Below, we explore how Riverbed IQ:

  • Heavily reduces the volume of alerts IT teams receive.
  • Delivers context-rich, actionable insights that empower staff at all levels to solve problems faster and without escalating.
  • Provides investigative workflows to automate the process of gathering contextual evidence.

Applying Intelligence to Problem Detection

While competing tools correlate based solely on time or keywords, Riverbed IQ applies over 10,000 correlations per minute across time series, devices, locations, and applications to provide greater insights. And unlike rule-based products that are often improperly defined and applied to single metrics, Riverbed IQ applies different models to a range of metrics using AI-powered baselining, thresholds, change detection and correlations.

What this means for IT teams: IT teams can be more proactive about identifying and fixing issues before they can frustrate users, ensuring smooth digital experiences.

What it means for the business: Riverbed’s intelligent automation facilitates quicker resolutions by providing the context IT needs to troubleshoot more easily and effectively. IT professionals can spend more time implementing strategic initiatives that add value to the business, rather than using their time to keep current technologies up and running.

Democratize Knowledge Through Scripted Investigations

Senior-level IT professionals are a wealth of knowledge, and best understand how to work out and troubleshoot issues. All too often, level 1 and 2 staff must turn to them for help in troubleshooting. But not anymore.

Riverbed IQ codifies its expert troubleshooting knowledge so junior IT professionals no longer have to escalate. It features automated investigative workflows designed to replicate the best practices of expert IT teams. These no-code runbooks are customizable so additional workflows can be created using a highly graphical, easy-to-use interface.

What this means for IT teams: These pre-built runbooks gather evidence, build context, and set priorities to accelerate mean time to resolution (MTTR), reduce escalations, and turn knowledge that resides in the minds of a few experts into knowledge that is usable by everyone within IT.

What it means for the business: It allows senior-level staff to reclaim their time so they can focus on high-priority projects that can take the business to the next level.

All the Information IT Needs in One Place

According to a recent IDC survey, “54% of organizations use six or more discrete tools for IT monitoring and management. Yet, 60% of respondents agree that most monitoring tools serve narrow requirements and fail to enable a unified and complete view of current operating conditions.”

Simply put, IT teams are using too many tools and still don’t receive the precise information they need to take action. In fact, the tools are drowning them in unusable data and signals, contributing to alert fatigue.

Riverbed IQ remedies the persistent headache of too much data. It’s a single, comprehensive solution that leverages AI and ML to unify and correlate network performance and end-user experience data.

What it means for IT teams: A significant reduction in the volume of alerts and a single source of truth that surfaces the most business-critical events. The solution reduces time spent in war rooms, finger-pointing, and excessive escalations, resulting in happier and more productive IT teams.

What it means for the business: Businesses can rely on the power of Riverbed IQ and immediately realize a return on investment.

Riverbed IQ Promotes Happier Teams and Customers

From excessive alerts to tribal knowledge, Riverbed IQ reduces the pain points IT teams encounter so they can better improve digital experiences for customers and employees, making everyone happier all around.

Discover how Riverbed IQ can positively impact your business and IT team by requesting a demo today.

Auto Discover Internal Web Apps with Riverbed AppResponse https://www.riverbed.com/blogs/auto-discover-internal-web-apps-with-riverbed-appresponse/ Thu, 31 Mar 2022 15:30:00 +0000 /?p=17673 Riverbed® AppResponse™ speeds the identification, diagnosis, and resolution of your most difficult network and application problems. A key component of AppResponse is its application analysis. It provides specialized analysis modules that deliver focused visibility into 60+ TCP and UDP applications, web transactions, SQL database transactions, Citrix, and VoIP and video apps.

Although AppResponse users are generally responsible for the upkeep of the network infrastructure and its core connectivity and transport functions, they are not part of the IT teams that decide which applications use network resources. It’s therefore quite common for AppResponse users to want to “discover” which applications and protocols are present in the network. Often, they are surprised by what they see!

Web applications constitute an increasing share of mission-critical apps. Some AppResponse customers choose not to use the Web Transaction Analysis (WTA) module for very detailed performance analysis of HTTP/S, but they still want the Application Stream Analysis (ASA) module to tell them which apps are present in the network. The ASA module primarily looks at fields in the IP and TCP/UDP headers. These fields do not carry enough information to recognize internal web apps, because that information is present only deep inside the HTTP/S layer, which ASA does not analyze. This creates the following problem: How do AppResponse customers using (only) ASA know which traffic on the network belongs to important internal web applications?

Discovering internal Web apps

Good news! A new feature, called Discovered Service Names, enables the ASA module to identify internal web apps by extracting the service name from the HTTP CONNECT, TLS SNI, or X.509 certificates. Public web apps, like SAP, Google, etc., that are already tracked by DPI aren’t discovered by this feature. The URL app is not automatically created; the user must explicitly choose to monitor an application. This feature is disabled by default.

The AppResponse ASA Discover Service Names feature identifies critical internal web apps for monitoring and analysis.

How does it work?

By inspecting the SNI (Server Name Indication) field in SSL/TLS handshakes, AppResponse ASA can classify web traffic. SNI is an extension to the TLS protocol that lets a client specify the domain name it is trying to reach in the first step of the TLS handshake, preventing common name mismatch errors. Using SNI, AppResponse ASA can now classify internal web application traffic more accurately by inspecting the contents of SSL/TLS handshakes, in addition to fields in the IP and TCP/UDP headers.

AppResponse can also classify internal web traffic by matching the content of the HTTP CONNECT message that browsers send to web proxies, including CASBs that act as web proxies. HTTP CONNECT messages typically contain the name of the web application or web service, e.g., hr.company.com, booking.company.com, etc. This lets ASA accurately classify traffic into internal web applications.
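The two extraction paths described above can be sketched as a passive parser. This is an added example, not AppResponse code: the function names are hypothetical, the ClientHello is a constructed sample, and X.509 certificate parsing is left out.

```python
import struct
from collections import Counter


def build_client_hello(server_name):
    """Constructed sample: a minimal TLS ClientHello record with one SNI entry."""
    host = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
    name_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(name_list)) + name_list     # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)                              # legacy_version + random
            + b"\x00"                                            # empty session_id
            + b"\x00\x02\x13\x01"                                # one cipher suite
            + b"\x01\x00"                                        # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from one TLS record, or None.

    Assumes the whole ClientHello sits in a single record; truncated or
    malformed input yields None instead of raising.
    """
    try:
        if record[0] != 0x16:                                    # not a handshake record
            return None
        rec_len = struct.unpack_from("!H", record, 3)[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                        # not a ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                             # skip version + random
        pos += 1 + body[pos]                                     # skip session_id
        pos += 2 + struct.unpack_from("!H", body, pos)[0]        # skip cipher suites
        pos += 1 + body[pos]                                     # skip compression methods
        if pos + 2 > len(body):                                  # no extensions present
            return None
        end = min(pos + 2 + struct.unpack_from("!H", body, pos)[0], len(body))
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type == 0:                                    # server_name extension
                data, p = body[pos:pos + ext_len], 2             # p skips the list length
                while p + 3 <= len(data):
                    name_len = struct.unpack_from("!H", data, p + 1)[0]
                    name = data[p + 3:p + 3 + name_len]
                    if data[p] == 0 and len(name) == name_len:
                        return name.decode("ascii").lower()
                    p += 3 + name_len
            pos += ext_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def extract_connect_host(payload):
    """Return the host from an HTTP CONNECT request line, or None."""
    line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        return None
    host, sep, port = parts[1].rpartition(":")
    if not sep or not host or not port.isdigit():
        return None
    return host.strip("[]").lower()


def discover_service_name(payload):
    """Classify the first client payload of a flow as (source, service name)."""
    name = extract_sni(payload)
    if name:
        return ("tls-sni", name)
    name = extract_connect_host(payload)
    if name:
        return ("http-connect", name)
    return None


def count_services(payloads):
    """Tally discovered service names across the first payloads of many flows."""
    found = (discover_service_name(p) for p in payloads)
    return Counter(hit[1] for hit in found if hit)


if __name__ == "__main__":
    # Constructed first-payload samples, using the host names from the text above.
    samples = [
        build_client_hello("hr.company.com"),
        b"CONNECT booking.company.com:443 HTTP/1.1\r\nHost: booking.company.com:443\r\n\r\n",
        build_client_hello("hr.company.com")[:40],               # truncated capture
    ]
    print(count_services(samples))
```

A ClientHello split across several TCP segments or TLS records needs reassembly before `extract_sni` sees it, which this sketch does not attempt.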

TLS 1.3 traffic decryption (PFS API)

Web applications dominate the mission-critical traffic that AppResponse sees in most of its in-production deployments. As a result, WTA is the second most used analysis module. It delivers vital insight into network and application behavior for web applications, e.g., seeing web traffic organized by user sessions, auto-stitched web pages and their network, client, and server delays, and analyzing web server behavior by looking for unexpected HTTP Status Codes and so on.

All mission-critical web apps use either TLS 1.2 or 1.3 encryption. AppResponse must decrypt these application packets to calculate and derive the statistics whose analysis (via Insights, Navigator, or Transaction Search) delivers the deep visibility AppResponse users expect. Because TLS 1.3 mandates key exchange algorithms that provide Perfect Forward Secrecy (PFS), a network appliance that passively captures TLS 1.3 packets cannot decrypt them even if it has access to the server's private keys. As a result, we’ve added support for TLS 1.3 to our PFS API, which enables the decryption of traffic encrypted by TLS 1.3, in addition to the previously supported SSL and TLS 1.2. We still need an external source (like an F5 load balancer) to send the keys. For more information on how the AppResponse PFS API works, check out the blog “Riverbed AppResponse Adds SSL/TLS Analysis and PFS API.”

Backup and restore

An AppResponse deployed in production is a source of network and application performance data: both packets and metadata/metrics derived from DPI. The metadata/metrics contain data that spans a few weeks, to several months, to a few years. A deployed AppResponse also contains a lot of user customizations in the form of configurations, e.g., Host Groups definitions, app definitions, traffic policy definitions, WTA page analysis rules, etc.

The new Backup and Restore capabilities are found under System Settings.

Performance data includes aggregate data (ASA, WTA, DBA, VOIP, CXA), alert events, scheduled reports, and system metrics. AppResponse customers want data loss protection in place for this information set. Together, an AppResponse’s configuration and forensic data represent very valuable information.

AppResponse can back up and restore both configuration and performance data to local and remote backup servers. You can initiate a backup manually or create a schedule and automate when backups are performed, e.g., after working hours or on weekends. However, you must restore to the same software and hardware.

Faster transaction analysis

What makes AppResponse transaction data invaluable is that it’s never topped. AppResponse power users use HD Insights and Transaction Search when they need to analyze all types of network and application behavior, including occasional low-volume communication. One example is a security use case such as finding the IP address that generated just a few bytes of traffic six hours ago and went quiet after that.

We continue to make writing and querying faster when accessing critical transaction data (e.g., 1-min. summaries of each TCP connection, detailed summary metrics of each HTTP/S request-response pair, 1-min. summaries of each voice/video media stream, 1-min. summaries of every SQL query-response pair).

We addressed this problem in a two-part project: The first part was delivered in 11.12 and included updating to a newer version of the database we use for write-once many-reads data store for transaction data. This feature delivers the second part of this performance improvement by optimizing the structure of the underlying database tables to better leverage data sparseness and facilitate highly selective record processing times.

Support for VMware ESXi 7.0

For customers who operate private clouds based on VMware ESXi, deploying a virtual AppResponse appliance as a guest VM is the NPM packet analysis option we have long delivered to address this need. Just like any other OS platform, the ESXi hypervisor evolves over time and ships as newer release versions. In this release, we added support for VMware ESXi version 7.0. We continue to support versions 6.5 and 6.7 but dropped support for ESXi 6.0.

To summarize, Riverbed AppResponse provides the ability to extract valuable network and application performance information using real-time packet analysis and to do so at peak scale. We continue to enhance this capability by:

  • Improving AppResponse’s built-in intelligence to auto-recognize enterprise-internal web apps,
  • Enabling decryption of TLS 1.3 using our PFS API,
  • And delivering performance improvements for packet write to disk and HD Insight transaction queries.

 

Monitoring for Country-Specific Traffic
https://www.riverbed.com/blogs/monitoring-for-country-specific-traffic/ Wed, 23 Mar 2022 11:30:00 +0000

As in past years, financially motivated attacks continue to be the most common; likewise, actors categorized as “organized crime” continue to be the top threat vector.1 Most of these attacks come from a handful of countries: China, Russia, Turkey, United States, etc.2

Riverbed Network Performance Management (NPM) solutions can identify and alert on traffic coming from countries where your organization may not normally do business, e.g., North Korea. However, once this traffic is identified, the IT Operations or SecOps team must determine if that traffic is legitimate or suspicious.

CIDRs & Host Groups screen traffic

Here’s how a financial services company recently started to screen traffic coming from the Russian Federation. They use Riverbed AppResponse, packet-based application analysis, and Riverbed NetProfiler, full-fidelity flow monitoring.

The ITOps team, with the help of their Riverbed SE, started by putting together a list of the CIDR blocks for the Russian Federation, then separating them into 12 Host Groups. Host Groups allow you to manage similar objects together. These 12 Host Groups were added to both AppResponse and NetProfiler.

Next, the ITOps team set up monitoring at the port level. Immediately, they started to see traffic from the Russian Federation! Tweaking settings helped determine whether the traffic was suspicious and required further investigation by SecOps. Here are some of the features they used:

  1. Network Monitoring – receiving traffic information from any combination of sources. Aggregating, de-duplicating, and processing traffic data to prepare it for network behavior analytics. Behavior analytics builds profiles of typical network behavior for specified times so it can identify unusual changes that indicate performance or security issues.
  2. Event Detection – analyzing compliance with service policies, performance and availability policies, security policies, and user-defined policies. Assigns each security policy violation event a severity rating number based on the likelihood of being a threat to network performance, availability, or security.
  3. Alert Generation – checking the severity of each network event against a set of user-defined tolerance levels or alerting thresholds. When the severity of an event exceeds a tolerance or alerting threshold, NetProfiler alerts users to the existence of the event by indicating an alert condition and displaying information about the event.
  4. Notification – automatically sending email, SMTP, or SMS alert messages to designated security or operations management personnel or systems.
  5. Event Reporting – saving details of all events that triggered alerts. Event detail reports can be viewed on the NetProfiler user interface or retrieved by remote management systems for analysis.

Setting User-Defined Policies

The next step for this company is to leverage user-defined policies. User-defined policies are a customizable form of event detection that lets you configure your own alerts based on hosts, ports, interfaces, and response time.

This financial services company is planning to create policies that alert when traffic from any of the 12 Host Groups hits any sensitive servers or ports associated with mission-critical applications. User-defined policies will simplify the identification of suspect traffic since only internal employees should be accessing these servers.
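The screening logic described above, mapping flow sources to CIDR-based Host Groups and then alerting only when that traffic reaches sensitive servers or critical ports, can be illustrated as follows. This is an added example, not NetProfiler or AppResponse configuration: the group names, server range, port list and flow records are constructed, and documentation address ranges stand in for real country CIDR blocks.

```python
import ipaddress
from collections import Counter

# Constructed Host Groups: documentation ranges used as placeholders.
HOST_GROUPS = {
    "Country-A-01": ["198.51.100.0/24", "203.0.113.0/25"],
    "Country-A-02": ["203.0.113.128/25", "2001:db8:a::/48"],
}
SENSITIVE_SERVERS = ["10.20.0.0/28"]      # assumed range of sensitive servers
CRITICAL_PORTS = {443, 1433}              # assumed mission-critical application ports

# Constructed flow records: (source IP, destination IP, destination port, bytes).
FLOWS = [
    ("198.51.100.7", "10.20.0.5", 443, 1200),
    ("203.0.113.200", "10.30.0.9", 1433, 64),
    ("203.0.113.10", "10.30.0.9", 8080, 500),
    ("192.0.2.44", "10.20.0.5", 443, 900),
]


def compile_host_groups(groups):
    """Parse CIDR strings once and order them for longest-prefix matching."""
    compiled = []
    for name, cidrs in groups.items():
        for cidr in cidrs:
            # strict=True rejects blocks with host bits set, a common import error.
            compiled.append((ipaddress.ip_network(cidr, strict=True), name))
    compiled.sort(key=lambda item: item[0].prefixlen, reverse=True)
    return compiled


def host_group_for(ip, compiled):
    """Return the Host Group whose most specific CIDR contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for network, name in compiled:
        if addr in network:               # False when IP versions differ
            return name
    return None


def traffic_by_group(flows, compiled):
    """Total bytes seen from each Host Group: the 'is there any traffic' view."""
    totals = Counter()
    for src, _dst, _dport, nbytes in flows:
        group = host_group_for(src, compiled)
        if group:
            totals[group] += nbytes
    return totals


def evaluate_policy(flows, compiled, sensitive, critical_ports):
    """Alert only on Host Group traffic that reaches a sensitive server or port."""
    sensitive_nets = [ipaddress.ip_network(cidr) for cidr in sensitive]
    alerts = []
    for src, dst, dport, nbytes in flows:
        group = host_group_for(src, compiled)
        if group is None:
            continue
        reasons = []
        dst_addr = ipaddress.ip_address(dst)
        if any(dst_addr in net for net in sensitive_nets):
            reasons.append("sensitive-server")
        if dport in critical_ports:
            reasons.append("critical-port")
        if reasons:
            alerts.append({"group": group, "src": src, "dst": dst,
                           "dport": dport, "bytes": nbytes, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    groups = compile_host_groups(HOST_GROUPS)
    print(traffic_by_group(FLOWS, groups))
    for alert in evaluate_policy(FLOWS, groups, SENSITIVE_SERVERS, CRITICAL_PORTS):
        print(alert)
```

The third constructed flow shows why the policy step matters: it comes from a screened Host Group but raises no alert, because it touches neither a sensitive server nor a critical port.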

Fig. 1. This policy example alerts on non-encrypted connections to/from PCI-regulated servers. The alert identifies the source of insecure connections and creates a virtual firewall between nodes without having to deploy inline devices. Note that thresholds can be set on a variety of parameters.

If you are interested in leveraging these capabilities, check out this video that explains how to create a user-defined policy to proactively monitor high-risk subnets.

If you’d like the Russian Federation CIDR blocks with instructions on how to import them as Host Groups in AppResponse and NetProfiler, see this Knowledge Base article on Riverbed Support.

 

1  verizon.com/dbir/

2  https://www.govtech.com/security/hacking-top-ten.html

Riverbed AppResponse Adds Zoom, Teams, DNS and New TCP Analysis
https://www.riverbed.com/blogs/riverbed-appresponse-adds-zoom-teams-dns-new-tcp-analysis/ Thu, 09 Dec 2021 13:45:00 +0000

With the vast bulk of the world’s white-collar workforce working from home during the COVID-19 pandemic, there was an explosion in demand for communication tools like Zoom, Slack, and Microsoft Teams. The recent Riverbed|Aternity Hybrid Work Global Survey of business and IT leaders found that 83% say at least a quarter of their workforce will work remotely at least part of the time even after the pandemic. In fact, 84% believe that hybrid work will have a lasting and positive impact on society and the world.

While most organizations are not fully prepared to deliver a seamless hybrid experience, nearly all have adopted some remote communication and collaboration tools. Despite this, a surprising 31% still need collaboration and virtual relationship building.

Zoom is the leading communications app with 300 million daily meeting participants, both paid and free,1 while Microsoft Teams hit 250 million monthly active users in July 2021.2

The one problem with these and other collaboration solutions is that they are bandwidth-intensive and often suffer from performance issues, especially when users are working from low-bandwidth home networks.

Zoom and Teams

To solve this problem, Riverbed AppResponse added full visibility into all Zoom and Teams media, voice and video. The AppResponse Unified Communications Analysis (UCA) module can now auto-detect Zoom and Microsoft Teams media streams. Customers can now better support Zoom and Teams audio and video traffic and surface the full complement of quality metrics, such as MOS-CQ, MOS-V, Jitter, packet loss, new channel rate, and more. These details will help IT diagnose call and video quality issues.


DNS

The Domain Name System (DNS) is like a phonebook for the Internet. It translates a web domain name into an IP address and vice versa. People access websites through domain names, like Riverbed.com or Aternity.com, while web browsers interact through Internet Protocol (IP) addresses. In short, DNS translates domain names to IP addresses so browsers can load Internet resources.

AppResponse 11.12 added three new DNS Insights to the Application Stream Analysis (ASA) module to help troubleshoot DNS performance and security issues, such as:

  • DNS service outages, i.e., “Can’t find server”
  • High DNS latency or high load times
  • DoS or DDoS attacks that can bring down the service

The new DNS Insights include:

  • DNS Servers—analyzes all DNS servers. The types of metrics on this chart include All DNS Traffic with DNS Timeouts and All Errors, Slowest DNS Servers, DNS Servers with Errors, DNS Servers with Timeouts.
  • DNS Server—shows results for an individual server. The metrics in the chart include DNS Requests & Responses, Response Time TruePlot, DNS Timeouts, DNS Errors, and a new graph called Top Queried Domains.
  • DNS Transactions—helps you understand the performance of individual DNS transactions. The types of metrics you can utilize include DNS Errors, DNS Response Time, Slowest DNS Transactions, DNS Timeouts, Query Names, Client Groups, Client IPs, Server IPs, Opcodes, Query Types, and a GeoMap.
Here’s an example of the types of metrics you will find with the DNS Servers Insight.

TCP Metrics

TCP is the heartbeat of the network. It’s the protocol used by nearly all modern applications, and the AppResponse ASA module functions like an MRI for TCP, providing rich details into TCP-based apps. In fact, ASA calculates more than 60 health and activity metrics for TCP.

This release is taking our TCP analysis to the next level by adding TCP Receive Window, TCP Zero Window, and TCP Out-of-Order to the ASA module. These new TCP metrics enable NetOps users to diagnose these serious problems without having to dive into the packets using Riverbed Packet Analyzer Plus or Wireshark.

  • TCP Receive Window—is the amount of free space in the client’s receive buffer. This field tells the sender how much data can be sent before an acknowledgment is received. If the receiver is not able to process the data as fast as it arrives, gradually the receive buffer will fill and the TCP window will shrink. This will alert the sender that it needs to reduce the amount of data sent to allow the receiver time to clear the buffer.
  • TCP Zero Window—happens when the client says, “I don’t have any available buffer space, stop sending data.” This tells the TCP sender to stop sending data. Typically, this indicates that the network is delivering traffic faster than the receiver can process it. When the client begins to digest the data, it will let the server know to resume sending.
  • TCP Out-of-Order—occurs when a packet has a sequence number lower than the previously received packet. If too many packets are received out of order, TCP may retransmit packets, as it does for dropped packets. As such, the impact of out-of-order packets can be similar to packet loss.
These are the three new TCP Insight pull-down menu options.

Other New Features

Other features released in AppResponse 11.12 include:

  • The ability to search TLS Handshake and DNS Transactions, in addition to previously supported Web and Database queries
  • The ability to import/export custom Insights
  • Business Hour profiles for Insights & Navigator, in addition to previously supported Scheduled Reports and Policies
  • Remote out-of-band system access and management for AppResponse xx80 appliances
  • RFC 5425 encrypted Syslog notifications
  • Performance improvements for HD (High-Def) queries

If it wasn’t clear, the theme for this AppResponse release was application and network intelligence—the ability to extract useful network and application performance information via real-time packet analysis. It’s our hope these new features make your life easier and your network safer and higher performing.

Riverbed AppResponse customers with support contracts can download AppResponse version 11.12 for free from the Riverbed Support Site. Otherwise, click here for more information.

 

1 https://www.businessofapps.com/data/zoom-statistics/

2 https://www.zdnet.com/article/microsoft-teams-hits-250-million-monthly-active-user-milestone/

Riverbed NetIM Revamps Alerting
https://www.riverbed.com/blogs/riverbed-netim-revamps-alerting/ Wed, 22 Sep 2021 15:30:00 +0000

If I had to pick one theme for the Riverbed NetIM infrastructure monitoring release (version 2.4), it would have to be new and improved alerting. We’ve reimagined the alerts page, adding the notion of active alerts. NetIM also started on the journey toward alert suppression with Site-based Gateway suppression.

Tangential to the topic of alerting, NetIM added a new Synthetic Test Object View Page and an IP SLA Views Page. The new Synthetic Test Object View page has four tabs that show results, alerts, browse configurations, and metrics. And, the IP SLA Views page allows you to view, navigate and search through all the IP SLA test results you’ve collected via polling.

This is a big and exciting release, so let’s dig into details and explore the ins and outs.

Re-imagined alerts page

The NetIM alerts page and alerts banner have been reimagined on both the backend and the frontend. What we are providing now is a view and count of what is in active threshold violation. This is the “right now” view. It’s not time-based. We also provide aggregation of the counts, views into the counts, and the ability to filter the active alerts and the counts. Note that the time-based Legacy Alerts page is still available.

The alerts page is organized into three sections. The top section is the alert banner that aggregates alerts in three ways:

  • Alert Counts by Severity
  • Affected Objects currently in Alert
  • Count of Alert Profiles that are triggering active threshold violations

We have multiple tabs that you can use to slice and dice and view the alerts that are in an active state, for example, Alert Counts by Object Type, Metric Class and Metric Name. You can also aggregate and view Affected Objects in Alert and Affected Geographic Region/Country. Another view NetIM provides is Alert Count by Alert Profile. This provides you with information on which of your defined alerts are causing the devices or objects to be in alert at that time.

There are lots of features in the Active Alerts view. The Active Alert Table has filtering. You can launch a Quick View of the metric. You can search and perform grouping within the table. You can customize the columns per user, and you can download the entire table to CSV.

NetIM also gives you two historical alert views so you can see when things went into alert first and when you had the most things in alert.

The new Alerts Manager page reimagines how alerts are handled in NetIM 2.4.

Alert suppression

Alerts can be suppressed to avoid generating too many alert entries or too many non-actionable alerts when the triggering condition occurs often. In this case, the site-based gateway alert suppression allows you to suppress alerts for all related devices and interfaces if the gateway is down. That way you only receive the one gateway alert. Once the site gateway is fixed, that should fix most, if not all, of the device and interface alerts. And you don’t have all these extraneous alerts hiding the true issue.

To put it another way: if all configured site gateways are down, then all notifications for all devices & interfaces configured for that site are suppressed. If at least one gateway device is up for a site, then all configured notifications are sent.

You can configure Site Gateway suppression by going to Settings/Organize. There is also the Notification setting you must configure.

IP SLA Views page

NetIM still supports Cisco and Juniper IP SLA tests and the polling is configured at the device level. What’s changed is the IP SLA Views page and IP SLA tabs for source and destination devices of the test as well as the associated site and group. This Views page is launched from the menu item ‘More’ and allows you to view and navigate through all the IP SLA tests you have in your managed network. It supports search, filtering, or a Metric Quick View and a drill down to the source and target device and the site. Additionally, in the section below the table, you can view Top-N tests by various metrics.

NetIM 2.4 adds an IP SLA Views page so you can easily view all your test results in one place.

You can now view the IP SLA tests scoped to device, site or group. Finally, we provided an IP SLA page. This is a page dedicated to each IP SLA test. It provides the test configuration and the test metrics.

Synthetic Test Object View page

The Synthetic Test Object View page has four tabs that show at-a-glance results, browse configurations, associated alarms, and metrics. In addition, the Synthetic Test TCP Port and other configuration properties are now available within Portal.

The Synthetic Test Object View page shows at-a-glance results, browser configs, associated alarms and metrics.

Reporting enhancements

NetIM now supports business hours defined as multiple discontinuous time periods, for example, Monday to Friday, 9:00 a.m. to 5:00 p.m. In Performance Summary Reports, you select either All Hours, Business Hours, or Non-Business Hours to filter the timeframe of any report.

The Performance Summary Report now includes Component Type support. This has been expanded from the core base objects to components in the form. You select the Component Type from the drop-down list, then you select the relevant Metrics Class type for that Component Type, and finally the relevant Metrics.

AWS C2S

NetIM supports AWS C2S, extremely secure cloud computing for the U.S. Intelligence Community. The AWS Secret Region can operate workloads up to the Secret U.S. security classification level. Cloud security at AWS is the highest priority. AWS customers benefit from data center and network architecture built to meet the requirements of the most security-sensitive organizations.

Out-of-the-box metrics

This release added new out-of-the-box metrics, including a slew of Wireless LAN Controller metrics, F5 Load Balancer System Throughput, Group Status, and, of course, Site Gateways Status.

To summarize, NetIM 2.4 is a vital release that totally revamps how NetIM manages alerting. It also takes a major step forward in managing and reporting on synthetic and IP SLA tests, among an array of other updates.

Existing Riverbed NetIM customers with support contracts can download version 2.4 from the Riverbed Support Site. Customers running NetIM 1.x and NetCollector customers can easily upgrade to NetIM. Just ask your account manager for details.

 

 

Riverbed NetProfiler: Easier to Use for More Users
https://www.riverbed.com/blogs/riverbed-netprofiler-easier-use-more-users/ Tue, 07 Sep 2021 15:30:00 +0000

New features provide a modern UI, free-form search and security improvements

Riverbed NetProfiler recently introduced new features that enrich information sharing and simplify its UI with a new home screen and free-form search. It also improved security and enhanced cloud visibility, supporting native Azure NSG Flow Logs and augmenting support for AWS VPC Flow Logs (learn more about these updates here).

The theme of this release is making NetProfiler easier to use for new users, helpdesk, support tier 1 and 2 users, and even users of other Riverbed NPM solutions. By simplifying and modernizing the user interface and menu and making the look and feel more consistent with the rest of the Riverbed NPM product line, we want more users to be able to use it more of the time.

New Home Screen  

The Network and Applications Overview insight is the new home screen. It helps new or infrequent users quickly understand how the network and applications are performing, what issues need attention, and how issues are trending. Users can easily search or contextually drill deeper into the data. 

These at-a-glance performance summaries are customizable on a per-user basis. You can toggle between last hour, last day, or last week timeframes, and the insight loads quickly, ensuring fast responsiveness to performance queries.

New NetProfiler home screen simplifies troubleshooting for NetOps and SecOps users.

The Network and Applications Overview insight consists of four widgets: 

  1. Summary widget has high-level network statistics and counts with optional comparison timeframes and trends. Metrics are configurable via Column Chooser and you can edit the appearance of the Summary widget. 
  2. Top Talkers Sankey widget shows top hosts and what apps they are using on the network. It displays both traffic flows and volume, which is shown proportionally through the width of the arrows. You can choose Host to Application mapping or the reverse, Application to Host. Hover over any flow for the metric value and any flow details. 
  3. Traffic Volume widget displays traffic in a time series with a time comparison using the same timeframe as the Summary widget.  
  4. Cards widgets—There are six card widget slots that are individually configurable: 
    • Watched card allows for watching up to three different objects per widget for a select set of metrics.
    • Alerts display alert counts for different types of NetProfiler alerts, e.g. performance or security alerts. 
    • New Hosts, New Applications, New Ports show the top objects that were not previously seen in NetProfiler. 
    • Hosts, Interfaces, Ports, Applications show top objects with a select set of metrics; these cards offer a launching pad for deeper drill-down.

Free-form search 

The feature that will change users’ lives the most is the new Google-like search. Comparable to AppResponse search, the search bar sits right on the banner. With this new search, you can look up an IP address or an interface without having to understand where to find this information in NetProfiler, without having prior knowledge of specific NetProfiler workflows. The Search Results page will not only show you a list of relevant reporting queries and links but the definitions too.   

This free-form search feature uses type-ahead and autocomplete to show relevant suggestions. Tabs allow you to limit the results to a particular object type. Providing multiple results in a tabbed format helps you quickly find what you are searching for.  

NetProfiler Tabbed Search Results

Now you can also use the search field to look for a Host IP, CIDR or wildcard. A Host Data Search will provide a Host Information Report in the Search Results if data is found for that host. 

Improved security 

TLS 1.3 is the newest version of transport layer security and provides reliable encryption for data sent over the internet. TLS 1.3 dropped support for older, less secure cryptographic features, and is faster and more secure than TLS 1.2, among other improvements. One of the changes that makes TLS 1.3 faster is an update to the way a TLS handshake works: TLS handshakes in TLS 1.3 only require one round trip (or back-and-forth communication) instead of two, shortening the process by a few milliseconds. As a result, it’s quickly becoming the latest standard for HTTPS encryption. 

NetProfiler 10.20 now supports TLS 1.3 for its services, including syslogs. Out of the box, new systems are now installed with a minimum of TLS 1.2 and 2048-bit cipher certificates. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.

NetProfiler Simplifies 

To summarize, this release simplifies NetProfiler’s user interface and how you interact with it. It aligns more closely with the look and feel of the Riverbed NPM product family, especially AppResponse, so you can more easily switch between tools. It provides new and improved charting and graphics to wow users and simplifies where possible to better cater to helpdesk and support tier 1 and 2 users, while still serving Riverbed’s traditional power users. To learn about NetProfiler’s cloud updates, check out my blog “Riverbed NPM Enhances Cloud Visibility.”

NetProfiler customers with a current support contract can download version 10.20 from the Riverbed Support site. Otherwise, click here for more information.  

Riverbed NPM Enhances Cloud Visibility with Support for Azure NSG Flow Logs
https://www.riverbed.com/blogs/riverbed-npm-enhances-cloud-visibility-supports-azure-nsg-flow-logs/ Wed, 01 Sep 2021 12:31:13 +0000

Cloud adoption was expanding rapidly even before COVID-19. During, and even after the pandemic, cloud plans and adoption increased even faster to adapt to work-from-home needs and to increase resiliency.

Multi-cloud continues to be the dominant cloud strategy, implemented by more than three-quarters (76%) of organizations.1 Analyst firm ESG defines multi-cloud as more than one IaaS provider. Also, the use of infrastructure as a service (IaaS) has almost doubled in the last five years, from 42% in 2017 to 78% in 2021.2

So clearly, today’s new normal is multi-cloud and hybrid networks, with an almost endless array of cloud-based business applications and workloads. As a result, enterprises are addressing concerns about the unpredictable performance of cloud workloads impacting overall business productivity. Moreover, mapping all the relationships across apps, hardware and networking devices for each IT-delivered service is notoriously difficult to do, especially in a rapidly evolving cloud environment. Therefore, it’s no surprise that 51% of organizations claim understanding app dependencies as the top cloud migration challenge. Further, 45% view the ability to assess on-premises vs cloud costs as a top challenge.[3]

Support for Azure NSG Flow Logs 

This release of Riverbed NetProfiler (v10.20) does its part to jump on the cloud bandwagon and to address some of these challenges. It now supports the ingestion of Azure NSG Flow Logs, the native mechanism of flow generation offered by the Azure platform. Azure NSG Flow records are collected and exported to our Azure Function. 

Using this Azure flow data, NetProfiler provides two specific Azure cloud reports:  

  • Azure NSG Flow Information  
  • Azure Billable Data Transfer 

The Azure NSG Flow Information Report provides rich visibility into usage in the cloud. It shows applications, hosts, and conversations by VNETs, Regions, and Availability Zones. Most importantly, it can map any application relationships across the network for any service, addressing that top concern. NetProfiler’s extensive traffic reporting can also be used to report on and to study Azure NSG Flow log data. 

Azure NSG Information Report

On the other hand, the Azure Billable Data Transfer report helps you understand where cloud costs are occurring so you can make better plans and decisions to help minimize costs. It provides visibility into traffic volumes by Azure pricing policies. For example, it lets you know how much traffic is egressing the cloud (the most expensive type of cloud data) versus how much is traversing VNETs, the next tier of pricing. Knowing how the traffic is flowing across VNETs, regions, and cloud-egress also helps determine whether services and their dependencies are all efficiently deployed, or whether there are more efficiencies to be had. By placing different services in the same VNET or same region, you gain pricing and latency efficiencies.

Azure NSG Billable Data Transfer Report

Together these reports help answer the tough questions: 

  • What apps are running in the cloud? 
  • How’s the cloud network performing? 
  • Who’s talking to whom? 
  • How and where is traffic flowing through the cloud?  
  • Which VNETs, Regions, and Availability Zones are experiencing the most traffic? 
  • Are apps and services efficiently deployed? 
  • Is any traffic leaving the cloud? 
  • Where are you incurring costs? And how can you save money?

The new Azure reports are located at Reports->All Reports->Cloud Reports. Except for the Azure vs AWS terminology differences, the reports are similar to their AWS counterparts. 

AWS updates 

In NetProfiler 10.14 (August 2018) we introduced AWS VPC Flow Log support. It required customers to manually configure and maintain AWS hostgroups (Region/AZ/VPC) to run the AWS visibility reports. This can be a laborious and error-prone process. 

With recent improvements made by AWS to their AWS VPC Flow logs, NetProfiler utilizes those improvements to automate the groupings. NetProfiler polls the AWS Management Console for the metadata and populates the corresponding AWS hostgroup definitions. However, there are two requirements for this polling to work: 

  • It requires outbound Internet access from NetProfiler to your AWS management console. 
  • And, you cannot have overlapping CIDR definitions. 

Lastly, by popular demand, we added a new widget called “Billable Data Transfer between VPCs in the same Region” to the AWS Billable Data Transfer Report, and a comparable version to Azure. I think the title of this report makes it pretty clear what data this report provides!

To sum it up, NetProfiler 10.20 is an important release. In addition to these cloud enhancements, we made a slew of other updates, including a new easy-to-use homepage, free-form search, security updates, and more.

If you’re an existing customer, you can download the latest version of NetProfiler on the Riverbed Support Site. If you are new to NetProfiler, contact Riverbed sales.

[1] ESG Master Survey Results, Technology Spending Intentions Survey, March 2019.

[2] ESG Master Survey Results, Technology Spending Intentions Survey, Dec 2020.

[3] Flexera

NetSecOps: 5 Reasons to Unify Your Network and Security Operations Teams https://www.riverbed.com/blogs/netsecops-5-reasons-to-unify-your-network-and-security-operations-teams/ Thu, 22 Apr 2021 23:31:00 +0000 /?p=16871 For decades network operations and security operations teams have functioned separately. That’s starting to change and with good reason, even though their fundamental goals are diametrically opposed. The network team focuses on ensuring access to applications and services while the security team focuses on locking down data and limiting connectivity. But, EMA has found strong evidence that over the last couple of years network operations teams are working more closely than ever with IT security teams. In fact, 63% of enterprises have formalized collaboration between the network team and the security team.

Figure 1. Relationships between today’s network ops and security ops teams. Only 37% can be considered NetSecOps!

What’s more, they found a very strong correlation between close NetOps and SecOps (henceforth NetSecOps) collaboration and overall network operations success. Successful teams are very likely to have converged groups or share integrated tools and processes. Bridging the gap between groups is more likely to ensure a secure, highly performant network. Here are five reasons why your Network Operations and Security Operations teams should collaborate in a more formal manner:

1. Better network performance. Data shows that organizations with unified NetSecOps teams spend less time on reactive troubleshooting and more time on proactive problem prevention. This enables collaborative teams to focus on improving network performance, leading to a better user experience and business results.

Security system problems and security incidents are common root causes of IT service problems, so by joining forces, NetSecOps teams are also better equipped to root out security problems that affect network performance. For example, DDoS issues that take the network offline might formerly be considered a network issue but can now be properly diagnosed as a security problem and can be mitigated more quickly.

2. Accelerated security incident detection and response. Unified NetSecOps teams (36%) and teams that share tools and processes (27%) are focused more often on accelerating security incident detection and response. These teams identify and respond more quickly to incidents and breaches than separate NetOps and SecOps teams. Together they can investigate malware, breaches, and misconfigurations that can affect both security and performance. Surprisingly, infrastructure management (SNMP, WMI, etc.) is a key tool of unified teams. It can detect unusual activity on a network device, such as saturation of an interface by an attack or a misconfiguration and is not a tool that is typically in the security toolbox.

3. Cost efficiency. A side benefit of this collaboration is both operational and capital cost efficiency. By sharing tools (full-fidelity flow monitoring, packet capture and analysis, network infrastructure monitoring, NACs, etc.), teams share one solution and don’t have to purchase two very similar products. That also means there’s only one support contract and fewer devices to support in the data center (lower power costs, less rack space, etc.). It’s a win all around: faster, more secure network performance at a cost savings!

4. Faster response to business change. When two teams are comfortable working together, they get comfortable planning for changes together, like cloud migrations or work from home (WFH). Integrated plans are always more comprehensive and reduce the risk that change introduces, which brings me to my last benefit…

5. Risk reduction. When network operations and security operations work well together, the outcome is risk reduction. This is the ultimate measure of success for any NetSecOps team. As the adage goes, more hands make light work. Even if NetOps aren’t complete security experts, they are bound to notice some issues, because they are covering different ground, often in the network’s deepest recesses. And because, as we established above, incident detection and response is accelerated, malware and the like stays in the network for a shorter time. All of this is goodness when you have more brains thinking security.

The benefits of unifying your NetOps and SecOps teams should be clear by now. Ensure your integrated NetSecOps team has the tools to enable full visibility from cloud to edge, so that your network is always secure and high performing. Your enterprise-wide visibility toolset should include:

  • Full-fidelity flow data (no sampling)—enterprise-wide traffic and security visibility; behavioral analysis; threat detection; threat hunting
  • Packet data, not just metrics—network and application analysis; forensic analysis; encrypted traffic analysis; certificates analysis, etc.
  • Infrastructure management (SNMP, WMI, CLI, API, synthetics, etc.)—performance metrics; configuration/change management; device compliance; path analysis; network diagrams

To learn more about unifying your network and security operations teams and the benefits you can achieve, check out this EMA analyst paper, The Convergence of Network and Security Operations.

AppResponse Cloud Supports Amazon Virtual Private Cloud https://www.riverbed.com/blogs/appresponse-cloud-supports-amazon-virtual-private-cloud/ Wed, 10 Mar 2021 13:30:00 +0000 /?p=16635 With users forced to work from home for nearly a year, and many never returning to the office, it should come as little surprise that infrastructure as a service (IaaS) grew 13.4% to $50.4 billion in 2020, according to Gartner.[1] The effects of the global economic downturn are intensifying organizations’ urgency to move off legacy infrastructure operating models, with most organizations turning to cloud system infrastructure services. In fact, almost 70% of organizations using cloud services today plan to increase their cloud spending in the wake of the disruption caused by COVID-19.[2]

Supports Observability-enabling Technology

Launched in 2019, Virtual Private Cloud (VPC) Traffic Mirroring allows AWS customers to gain native insight and access to the network traffic across their VPC infrastructure for network and application performance analysis, and threat monitoring. With this feature, customers can copy network traffic from an Elastic Network Interface (ENI) of supported compute instance types in their VPC and send it to Riverbed AppResponse for network and application analysis in order to monitor and troubleshoot performance issues.

AppResponse Cloud provides rich, unparalleled network and application visibility into AWS environments. It enables IT Operations to quickly pinpoint performance degradations and high latency in cloud and hybrid networks. AppResponse Cloud automatically identifies more than 2,500 applications for detailed application analysis as well as identifies and troubleshoots network issues faster. AppResponse Cloud supports a number of packet sourcing options; chief among them is AWS-native VPC Traffic Mirroring. This allows you to replicate the network traffic from EC2 instances within your VPC to security and monitoring appliances for use cases such as content inspection, threat monitoring, and troubleshooting.

Amazon is expanding the availability of this critical observability-enabling technology. Traffic Mirroring now supports additional select non-Nitro instance types. Until now, customers could only enable VPC Traffic Mirroring on their Nitro-based EC2 instances. With this announcement, customers can now enable VPC Traffic Mirroring on additional non-Nitro instances types such as C4, D2, G3, G3s, H1, I3, M4, P2, P3, R4, X1 and X1e that use the Xen-based hypervisor (it is not supported on the T2, R3 and I2 instance types and previous generation instances). This feature is available in all 22 regions where VPC Traffic Mirroring is currently supported.

Public cloud-based infrastructure has become the dominant platform for delivering mission-critical IT applications and services. Broader availability of VPC Traffic Mirroring enables Riverbed AppResponse Cloud to keep up with that trend and deliver end-to-end network and application analysis for the growing diversity of cloud compute infrastructure.

To test drive AppResponse Cloud with  VPC Traffic Mirroring, please contact Riverbed sales.

 

[1] https://www.gartner.com/en/newsroom/press-releases/2020-07-23-gartner-forecasts-worldwide-public-cloud-revenue-to-grow-6point3-percent-in-2020#:~:text=The%20second%2Dlargest%20market%20segment,of%20legacy%20infrastructure%20operating%20models.

[2] https://www.gartner.com/en/newsroom/press-releases/2020-11-17-gartner-forecasts-worldwide-public-cloud-end-user-spending-to-grow-18-percent-in-2021

Transaction Search: A New AppResponse Feature https://www.riverbed.com/blogs/transaction-search-new-appresponse-feature/ Tue, 05 Jan 2021 13:30:00 +0000 /?p=16306 Riverbed AppResponse offers high-definition (HD) transaction data that complements the typical aggregated metadata, both of which are available inside a single AppResponse appliance. This high-definition data provides a full-fidelity copy of every IP conversation, every TCP connection, every user web transaction, etc. to give you the details you need before you drill into packets. Transactions are also saved so that they are always available when you need them. Then there are out-of-box Insights that let you view that data with input criteria that filters on specific transactions with options like which app, which IP, what browser, what return code, etc.

The new Riverbed AppResponse Transaction Search makes it easier to get the transaction data you need and provides more granular control over search parameters. In past versions of AppResponse, you chose from a limited set of pre-selected Insight filters using a classic report query workflow; you had to know what you wanted to search for.

The new Transaction Search works more like Google search and is a very natural way of searching for transaction data. You simply enter your query into the Criteria Bar. You can use any number of operators (and, >, >=, etc.) to refine your query. Just hit “search” to get your answer. One of the benefits of Transaction Search is that it also supports a bunch of new filters, including high-definition (HD) data and metric values.

Transaction Search results
Figure 1. Note the highlighted search query: “PageTime>=5 and NetworkBusyTimeNormalized >=0.01 and BrowserName in (Microsoft Internet, Explorer, Other)”

 

Displaying the results

As you can see in Figure 1, the search results page is broken into multiple sections:

  • The very top section lets you limit your search to the top X results (the top 1000, for example).
  • The top right section is the graph TruePlot, which plots every matching transaction. It supports Time Interval selection and Matching Counts.
  • Search results are in the transaction table below TruePlot.
  • The sidebar on the left tells you the relationship between results and what you searched for. You can click on any item in the sidebar to further refine/filter results.

If we click on the top selection in the sidebar “Page Families,” it will further refine the results so that you can explore them even deeper (See Figure 2).

 

Refined Search Results
Figure 2. When you click on a sidebar item, you refine the search results, as shown above. Notice in Figure 1 there were 20 matching transactions and in this search there are only 5.

 

If you are looking for Transaction Search, you can find it on the main menu. You’ll see a new menu item called Transactions when you upgrade your AppResponse to version 11.11. Currently, Transaction Search supports three data types:

  • Page View Search (WTA: Pages)
  • Web Request Search (WTA: PageObjects)
  • DB Query Search (DBA: Queries)

Another of the handy things about this feature is that you can “search with assist.” As you type a search term, the system will contextually auto-complete any search term. There is also no need to know the AppResponse data model, as you did with the old way. Transaction Search supports top groups, group-paths and drill-down groups. And, it can see summary metrics for multiple groups or objects.

Here’s the complete list of both the WTA and DBA searches, just to show group and metric values that can be used as filters:

 

Web Page Search
Figure 3. The complete list of search terms for Web Page Search queries.
Web Request Search
Figure 4. The complete list of search terms for Web Request Search queries.
DB Query Search
Figure 5. The complete list of search terms for DB Query Search.

 

To summarize, Transaction Search simplifies the way you search for Web Page, Page View and Database queries by allowing you to use the new Criteria Bar to create free form search queries. It’s a whole lot more flexible and powerful. You can search any and every transaction using a combination of more than 50 filter criteria that range from basic IP and application names to transactions that exceed a performance threshold to those that exceed a number of HTTP errors, and more.

If you’re an existing customer, you can download Transaction Search and other new features in Riverbed AppResponse 11.11 on the Riverbed Support Site. If you are new to AppResponse, contact Riverbed sales.

 

New Riverbed Unified NPM Products Support Year of Change https://www.riverbed.com/blogs/new-riverbed-unified-npm-products/ Mon, 16 Nov 2020 13:15:00 +0000 /?p=16189 2020 was a year of change, much of it unanticipated as the COVID-19 pandemic swept across the planet.

The massive surge in work-from-home (WFH) affected hundreds of millions across the globe as more than half of the workforce was forced to shelter in place. IT teams toiled to get team members up, running, and secure in their WFH environments—wherever that might be.

Keeping their WFH teams productive became priority one—overnight. Only 67% of IT executives say this transition was smooth.[1] The smoothest transitions came from companies in technology, finance and business services sectors where they already had a high deployment of cloud apps and remote workers.

One of the surprising side effects of COVID-19 is that it is reinforcing the value of technology and potentially reshaping the work environment. In fact, 60% of IT executives believe COVID-19 will make their organizations more reliant on IT,[2] while 95% of business leaders report being comfortable with remote work and anticipating more of it in the future.[3]

Improvements Required for Remote Work

However, many IT improvements are still required for ongoing operations and the security of employees, wherever they decide to work. On-premises data centers will feel the long-term impact of COVID-19 and its emphasis on arms-length operations. According to the Riverbed Future of Work Global Survey, based on 700 respondents, plans include the greater use of public cloud services to replace data center infrastructure and improving visibility to manage hybrid application and network performance.

Also not surprisingly, organizations will increase their budget for cybersecurity products and services. Cybersecurity is always a top contender. However, this year they are responding not only to the increased number of remote workers accessing corporate data from offsite locations—raising concerns about network security, stolen devices, and data encryption—but also the increased threat level due to the rise in cybersecurity attacks attributed to COVID-19.

As a result of these trends, Riverbed announced new Unified NPM capabilities, which were showcased at the Riverbed Global User Conference 2020. Riverbed’s unified NPM solution makes it easier than ever to ensure application performance, network security and user experience across the hybrid IT landscape:

New Cloud and HA Deployments

Riverbed Unified NPM has long offered hybrid-normalized visibility, providing the same industry-leading visibility across on-premises, cloud, hybrid and multi-cloud environments. Our network flow monitoring lets you discover applications, hosts and conversations inside the cloud. It also helps you identify usage by VPCs, regions, and availability zones. This detailed visibility helps minimize costs by reducing inefficient or unnecessary traffic and lets you build more efficient cloud architectures.

What’s new is that you can now also deploy Riverbed NetProfiler, Flow Gateway and NetIM in the cloud (remember AppResponse Cloud is already deployable in the cloud). These solutions run in AWS, AWS GovCloud, Azure and Azure Government with all the bells and whistles of the on-premises version. Additionally, NetIM offers robust High Availability (HA) capabilities to ensure that real-time insight into the health and performance of IT infrastructure is reliable and always accessible.

Increased Insight into Encrypted Traffic

Nearly 90% of all Internet traffic is encrypted[4], and it won’t be long before nearly all Internet traffic in transit will be secure. While this is great for privacy, it creates significant security blind spots. By leveraging encryption, attackers can bypass most inspection tools to deliver malware into the network. In fact, 71% of malware uses encryption to communicate secretly to command and control locations.[5]

To solve this challenge, Riverbed has introduced two new capabilities:

  1. A new PFS (Perfect Forward Secrecy) API allows Riverbed symmetric key intercept integrations with two partners: Nubeva and The Load Balancer Crew (LBC). This technology allows Riverbed AppResponse users to gain visibility into TLS encrypted application traffic for use in performance and security analysis.
  2. New TLS Analysis Insight reports for Riverbed AppResponse let your users track, report and validate the integrity of SSL and TLS sessions, certificates and cipher suites for easy key maintenance and improved security.
TLS Handshake Insight makes it easy to determine which versions of SSL and TLS are being used and in which quantity.

To read more about these capabilities, check out this blog Riverbed AppResponse Adds TLS Analysis and PFS API.

New Behavioral Analytics of Packets, Apps & Users

Lastly, a new set of powerful capabilities makes it easier for you to understand what is most important about your network by bringing relevant insights to the surface.

AppResponse Adaptive Thresholds use behavioral analytics to automatically detect and flag abnormal changes in server response times and total throughput. These new capabilities reduce the noise and overhead associated with unimportant or unactionable alerts so you won’t have to fiddle to find that perfect threshold. AppResponse does all the work for you, continuously. It’s always learning what’s normal, which means it proactively detects abnormal conditions, giving you early warning that something is amiss.

Adaptive Thresholds solves the problem of setting thresholds. It automatically learns the behavior and alerts on abnormal changes.

 To read more about AppResponse Adaptive Thresholds, try this blog New AppResponse Adaptive Thresholds Reduces False Positives.

AD Connector 3.0 extracts user identity information from an Active Directory source, pulls it into Riverbed NetProfiler and makes it available for use within reports. Being able to resolve to the user name is useful for troubleshooting both security and performance problems, which is especially helpful when monitoring work-from-home environments.

See the related blog: NetProfiler Users Are More Than a Number With AD Connector 3.0.

Finally, NetProfiler expanded its integration with Riverbed SteelHead with support for custom application groups and enhanced reporting of inbound Network QoS (in addition to the already supported outbound QoS). These help you find and fix performance issues with a unified platform.

There’s a blog on this topic, too: Add Visibility to Your SteelHead to Optimize Network Performance.

To learn more about the Riverbed Unified NPM solutions, you can go to www.riverbed.com/npm.

 

 


[1] ESG, The Impact of the COVID-19 Pandemic on Remote Work, IT Spending, and Future Tech Strategies, 2020

[2] ESG, The Impact of the COVID-19 Pandemic on Remote Work, IT Spending, and Future Tech Strategies, 2020

[3] https://lp.buffer.com/state-of-remote-work-2020

[4] F5, Detect Encrypted Malware, 2020

[5] F5, Detect Encrypted Malware, 2020

Riverbed AppResponse Adds SSL/TLS Analysis and PFS API https://www.riverbed.com/blogs/appresponse-tls-analysis-pfs-api/ Wed, 30 Sep 2020 12:30:00 +0000 /?p=15756 Keeping track of SSL and TLS security certificates is important. An expired certificate can erode trust in your organization in that customers may no longer want to do business on your website. In fact, Google looks at SSL/TLS configurations as part of its search ranking algorithm. Having an invalid certificate can lower your search results quickly.

Even more importantly, according to Gartner, more than 70 percent of malware campaigns in 2020 used some type of encryption to conceal malware delivery, command-and-control activity or data exfiltration. Clearly, it is becoming essential to have visibility into encrypted traffic.

TLS stands for Transport Layer Security and it is responsible for encrypting data in transit over the network. TLS is an updated, more secure version of SSL, or Secure Sockets Layer. TLS performs data encryption, prevents eavesdropping by intermediaries by using symmetric cryptography, and allows the client to verify the identity of the server.

On the server side, there’s a private key and a public certificate that’s been signed by a trusted third party called a Certificate Authority (CA). Certificates are typically valid for up to two years, although some can be as short as 90 days. Because certificates are issued for a limited time, it is crucial to monitor their expiration date.

AppResponse’s new PFS API

Earlier this summer, Riverbed created a PFS (Perfect Forward Secrecy) API, which allowed us to complete integrations with two partners, Nubeva and The Load Balancer Crew (LBC), on symmetric key intercept SSL/TLS decryption technology. This technology allows Riverbed AppResponse users to gain visibility into TLS encrypted application traffic for use in performance and security analysis.

LBC’s integration with AppResponse’s PFS API is an LBC-authored iRules LX script that runs on F5 load balancers and sends TLS 1.2 PFS crypto ephemeral keys to AppResponse. Nubeva offers cloud-hosted and software versions of their symmetric key intercept. It can discover symmetric keys from container and Kubernetes environments, intra-zone VPCs, cloud and pinned traffic. It requires three components:

  • A Key Sensor learns and extracts the symmetric keys inter-/intra-host;
  • Key Depots are an aggregation and key distribution buffer system, which enables scaling and multi-use;
  • A Controller that simplifies management and rule definition along with elastic and automatic deployment of sensors.

SSL/TLS Analysis

Just this week, the AppResponse team released version 11.10, which adds TLS analysis to the Application Stream Analysis (ASA) module among a slew of other great enhancements. AppResponse 11.10 keeps track of the TLS handshake metrics and certificate information. You can enable the new TLS Analysis on the configuration page just by checking the enable box. Once enabled, new rules filter the traffic for TLS handshakes and certificates. All traffic is filtered by default, so you may want to customize the rules to get just the traffic you need.

TLS Handshake Insight

First off, SSL/TLS handshake data is available as a new ASA Insight. It helps you answer important security questions like:

  • Which versions of SSL/TLS are being used on the network and in how many sessions?
  • Is anything in the network using an obsolete cipher suite?
  • Which clients and servers are using specific SSL/TLS versions and cipher suites?
  • Is anything in the network using expired X.509 certificates?
  • Is anything in the network using renegotiation?
  • How many sessions are experiencing SSL/TLS errors in the network?
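The first two questions in the list above, answered directly from handshake bytes. This is an added example, not AppResponse code: it parses constructed ServerHello records, and the helper names, the sample records, and the choice of which versions and cipher-suite families count as obsolete are assumptions made here.

```python
import struct
from collections import Counter

VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Assumption for this example: everything below TLS 1.2 is reported as obsolete.
OBSOLETE_VERSIONS = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
# A few IANA cipher-suite code points; extend the table for real traffic.
CIPHER_SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
}
WEAK_MARKERS = ("RC4", "3DES", "MD5", "NULL", "EXPORT")  # assumption: flagged families
EXT_SUPPORTED_VERSIONS = 0x002B


def parse_server_hello(record):
    """Return (version, cipher suite) negotiated in one TLS ServerHello record."""
    try:
        ctype, _rec_version, rec_len = struct.unpack_from("!BHH", record, 0)
        if ctype != 0x16:
            raise ValueError("not a handshake record")
        if len(record) < 5 + rec_len:
            raise ValueError("truncated record")
        body = record[5:5 + rec_len]
        if body[0] != 0x02:
            raise ValueError("not a ServerHello")
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        version = struct.unpack_from("!H", hello, 0)[0]
        pos = 2 + 32                       # legacy_version + random
        pos += 1 + hello[pos]              # session id length byte + session id
        cipher = struct.unpack_from("!H", hello, pos)[0]
        pos += 2 + 1                       # cipher suite + compression method
        if pos + 2 <= len(hello):          # extensions are optional before TLS 1.3
            end = min(pos + 2 + struct.unpack_from("!H", hello, pos)[0], len(hello))
            pos += 2
            while pos + 4 <= end:
                ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
                pos += 4
                # TLS 1.3 keeps legacy_version at 0x0303 and puts the real
                # version in the supported_versions extension.
                if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
                    version = struct.unpack_from("!H", hello, pos)[0]
                pos += ext_len
    except (struct.error, IndexError):
        raise ValueError("malformed ServerHello") from None
    return (VERSIONS.get(version, f"unknown 0x{version:04x}"),
            CIPHER_SUITES.get(cipher, f"unknown 0x{cipher:04x}"))


def build_server_hello(legacy_version, cipher, selected_version=None):
    """Constructed test input: ServerHello with zero random and empty session id."""
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00"
    hello += struct.pack("!HB", cipher, 0)
    if selected_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, min(legacy_version, 0x0303), len(handshake)) + handshake


def audit(records):
    """Tally negotiated versions and list findings as (record index, message)."""
    versions, findings = Counter(), []
    for n, record in enumerate(records):
        try:
            version, cipher = parse_server_hello(record)
        except ValueError as exc:
            findings.append((n, f"unparsed: {exc}"))
            continue
        versions[version] += 1
        if version in OBSOLETE_VERSIONS:
            findings.append((n, f"obsolete protocol {version}"))
        if any(marker in cipher for marker in WEAK_MARKERS):
            findings.append((n, f"obsolete cipher suite {cipher}"))
    return versions, findings


# Constructed sample: five sessions plus one record cut short in capture.
SAMPLE_RECORDS = [
    build_server_hello(0x0303, 0x1301, 0x0304),
    build_server_hello(0x0303, 0xC02F),
    build_server_hello(0x0303, 0x000A),
    build_server_hello(0x0301, 0x0005),
    build_server_hello(0x0303, 0x1302, 0x0304),
]
SAMPLE_RECORDS.append(SAMPLE_RECORDS[0][:20])

if __name__ == "__main__":
    tally, issues = audit(SAMPLE_RECORDS)
    for name, count in tally.most_common():
        print(f"{name}: {count} session(s)")
    for index, message in issues:
        print(f"record {index}: {message}")
```

A TLS 1.3 session is only counted correctly because the parser reads the supported_versions extension; a tool that trusts the legacy version field would report it as TLS 1.2.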

TLS Handshake Insight makes it easy to determine which versions of SSL and TLS are being used and in which quantity.


Easily identify invalid, expired or unknown certificates to keep your network, employees and customers safe.

New Certificates Tab

You can find all the certificates listed with information pertaining to expiration, hosts and servers in a tabular format under SSL Decryption for easy viewing and maintenance. It has five sections to help you maintain cert compliance: Installed Keys; Certificates with Installed Keys; Certificates with Missing Keys; Ignored Certificates and PFS. The tab lists all server IPs for a given certificate, and there is more information about the certificate in the certificate details section.

The Certificates Tab shows detailed information about current SSL or TLS certificates and their status.

In short, AppResponse’s new TLS Analysis Insight is essential for anyone who wants to understand their encryption situation. Enterprises are using a variety of encryption technologies and some of them are now obsolete and risky. Riverbed AppResponse can give you the visibility you need to keep your network secure.

For more information

To get TLS Analysis, you need to be running AppResponse version 11.10, which current customers on active maintenance can download free of charge at https://www.riverbed.com/support-overview/. Others should contact Riverbed Sales.

To learn more about our PFS integration partners and how to interact with them, go to the following Knowledge Base articles (login required to access this content):

New AppResponse Adaptive Thresholds Reduces False Positives https://www.riverbed.com/blogs/appresponse-adaptive-thresholds-reduces-false-positives/ Wed, 01 Jul 2020 12:30:00 +0000 https://live-riverbed-blog.pantheonsite.io?p=15328 Performance monitoring is typically based on comparing measurable values against a set of threshold values. In theory, the IT operations team determines what the thresholds for warnings and alerts should be and sets them. In practice, they usually have no idea what the appropriate values should be.

For example, “response time” usually varies based on the time of day and day of week. At night, when the network load is negligible, response times would likely be minimal, too. In the middle of the day, when the network loads increase, the thresholds should be a bit more tolerant. 

Adaptive Threshold Analytics

Riverbed AppResponse 11.9 has fixed this problem by using the machine learning technique known as “adaptive thresholds.” Adaptive thresholds help deal with the problem of setting thresholds when you don’t know what they should be.

Adaptive thresholds work by analyzing historical data to determine what normal should be. In AppResponse, you can select a historical comparison interval (1 hour, 1 day or 1 week) and the tolerance factor. The alerting engine compares the current traffic to the historical data and creates alerts if necessary. The historical data updates constantly with the latest data so it’s always current.

AppResponse adaptive threshold analytics proactively alerts on problems while reducing false alerts.

AppResponse offers both user-defined and built-in adaptive thresholds. You apply user-defined adaptive thresholds on any metric for a specific network entity (i.e., an individual host, a host group, or an app, most commonly). Built-in policies apply an adaptive threshold to a set of network entities. There are two built-in adaptive policies:

  • Application Response Time
  • Host Group Traffic

The Application Response Time analytics builds a response time profile for every application defined on the system, while the Host Group Traffic analytics tracks total throughput for each defined host group on the system. The user is limited in how these two policies can be configured; for example, you can’t change the metric being measured, but can change the deviation factors and comparison interval. The user can also choose a subset of objects to monitor for a built-in policy, rather than all of them (the default).

In summary, user-defined adaptive policies let you monitor a broad set of metrics, but for a specific network object. The built-in policies monitor a specific metric, but for a class of network objects (apps and host groups).

Setup and configuration details

When first setting adaptive threshold policies, there’s a delay that is approximately equal to the chosen historical interval before alerting starts. For example, if you choose a historical interval of one week, then a week must pass before the system collects enough historical data to be able to make a comparison to current data.

Another handy tidbit about configuring an adaptive policy is that administrators can do “what-if” analysis. This lets you see the approximate number of alerts that would be generated over a period of several hours, before the policy is actually configured. It also lets you adjust the tolerance parameters and see how the tolerance bands and detected anomalies adjust accordingly.
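The mechanism described above (a rolling historical interval, a tolerance factor, the warm-up delay, and the what-if alert count), sketched as an added example that is not Riverbed's code. It assumes the tolerance band is the window mean plus or minus the tolerance factor times the standard deviation; `evaluate`, `what_if`, and the sample series are constructed for illustration.

```python
"""Rolling-baseline adaptive threshold (illustrative; not AppResponse's algorithm)."""
from dataclasses import dataclass
from statistics import fmean, pstdev


@dataclass(frozen=True)
class Alert:
    index: int    # position of the offending sample in the series
    value: float  # the sample that fell outside the band
    low: float    # lower edge of the tolerance band at that point
    high: float   # upper edge of the tolerance band at that point


def evaluate(samples, window, tolerance):
    """Compare each sample to a band built from the previous `window` samples.

    Nothing is evaluated until `window` samples exist, which reproduces the
    start-up delay equal to the historical interval. The history slides
    forward with every sample, so the baseline always reflects recent data.
    """
    alerts = []
    for i in range(window, len(samples)):
        history = samples[i - window:i]
        mean = fmean(history)
        spread = pstdev(history)
        # Assumption: band = mean +/- tolerance * standard deviation.
        low = mean - tolerance * spread
        high = mean + tolerance * spread
        if not low <= samples[i] <= high:
            alerts.append(Alert(i, samples[i], low, high))
    return alerts


def what_if(samples, window, tolerances):
    """Count the alerts each candidate tolerance would have raised."""
    return {t: len(evaluate(samples, window, t)) for t in tolerances}


def build_samples():
    """Constructed response times (ms), one per 5-minute bucket, 3 hours."""
    samples = [100 + (i % 4) * 2 for i in range(36)]  # normal: 100..106
    samples[20] = 108  # mild deviation
    samples[30] = 130  # clear anomaly
    return samples


SAMPLES = build_samples()
WINDOW = 12  # 12 five-minute buckets = a 1-hour comparison interval

if __name__ == "__main__":
    for tolerance, count in what_if(SAMPLES, WINDOW, [1.0, 2.0, 3.0]).items():
        print(f"tolerance {tolerance}: {count} alert(s)")
    for alert in evaluate(SAMPLES, WINDOW, 2.0):
        print(f"sample {alert.index}: {alert.value} outside "
              f"[{alert.low:.1f}, {alert.high:.1f}]")
```

On this series a tolerance of 1.0 flags ordinary samples, 2.0 flags both injected deviations, and 3.0 flags only the large spike, which is the trade-off the what-if view lets you inspect before enabling a policy.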

Benefits of Adaptive Thresholds

I think you’ll find that using AppResponse’s new adaptive threshold capabilities will reduce noise by reducing false positives. In addition, you won’t have to fiddle with live data anymore to find that perfect threshold. AppResponse does all the work for you, continuously. It’s always learning what’s normal, which means it proactively detects abnormal conditions, giving you early warning that something is amiss. Often you can detect impending trends before users feel the impact.

NetProfiler Users Are More Than A Number With AD Connector 3.0 https://www.riverbed.com/blogs/netprofiler-with-ad-connector-identifies-users/ Mon, 01 Jun 2020 20:30:00 +0000 https://live-riverbed-blog.pantheonsite.io?p=15140

Imagine you’re at an elaborate costume party. You talk to people but you don’t really know who they are because they’re behind masks. You just refer to them as “superhero girl” or “rabbit guy.”

Most NPM tools treat end users just like masked guests, or even worse, numbers! IP addresses are known, but the actual user names are not.

AD Connector helps make the personal connection

Riverbed’s AD Connector extracts user identity information from an Active Directory source, pulls it into NetProfiler (Riverbed’s enterprise flow monitoring and reporting solution), and makes it available for use within reports. Being able to resolve to the user name is useful from multiple perspectives including security, performance, and troubleshooting.

Case in point: troubleshooting

When viewing a traffic report, you notice a spike in utilization that is attributable to BitTorrent traffic coming from a specific IP address. You’ll want to know which users are logged in at this particular time as well as which computer originated the traffic. With data and name in hand, you can talk with the individual user, stop the offending activity, and take immediate corrective action. The integration with Active Directory makes this quick and easy.

This Top Apps screenshot shows BitTorrent is consuming nearly 29% of the bandwidth.

Here are a couple of other reports in NetProfiler that help you understand your user data:

  • The Users List shares users by log-in time, log-out time, or log-in failures. You can also filter by host, time duration, and other criteria to help you quickly understand the impact of specific individuals on the network.
  • Host information reports with added user information show which host is talking to another and provide a clearer picture by identifying which user was logged in at that time.
The User List report shows exactly who is logged in by leveraging the user information obtained from the AD Connector. Note the IPv6 addresses.

Additional information

AD Connector 3.0 is now available on Windows Server 2016, Windows Server 2019, and Windows Server 2012. It supports IPv6 and encrypted communication between AD Connector and NetProfiler.

You can download a copy of the Riverbed AD Connector 3.0 for use with your NetProfiler at no charge from the Riverbed Support site.

What’s Your Zoom Performance? https://www.riverbed.com/blogs/maximize-zoom-performance/ Fri, 29 May 2020 13:15:00 +0000 https://live-riverbed-blog.pantheonsite.io?p=15133

Remote workforce productivity is critical to successful business continuity. Is the performance of your collaboration tools, such as Zoom, keeping pace?

Collaboration applications have evolved over the past few months from being a nice-to-have tool to become the go-to means for connection and communication between remote teams. Organizations across the globe are using video collaboration apps, like Zoom, for a wide variety of interactivity – including everything from video chats and one-on-ones to team meetings, webinars, and even virtual conferences.

We've all been in Zoom meetings where you could barely understand someone. Wouldn't you like to know if you could fix it?

As a result, it should come as no surprise that Zoom usage has exploded from 10 million daily users in December 2019 to more than 300 million daily participants (paid and free) in April 2020. [1]

With 74% of companies planning to permanently shift to more remote work post-COVID [2], it means collaboration apps like Zoom are here to stay.

Zoom is a cloud platform that combines video meetings, voice, webinars, and chat across mobile and fixed environments. Like traditional VoIP applications, Zoom performance is highly sensitive to network latency, and despite using modern compression algorithms, it consumes massive bandwidth when compared to most apps.

Zoom performance is critical to the success of virtual teams

Consistently providing a high-quality end-user experience is critical to the success of virtual teams and is core to driving the productivity enterprises need now more than ever. Here are several must-do’s to maximize your Zoom performance:

  1. Understand how Zoom is being used and how much bandwidth it is consuming on your Internet links. You do not want to oversubscribe your Zoom links. At the same time, if you limit Zoom’s bandwidth, your users will likely experience jitter, which causes choppy audio and blotchy, pixelated video. You’ll want full-stack real-time and historical analysis that gives you visibility into the H.323 and SIP protocols that Zoom uses.
  2. Monitor quality of service (QoS) and ensure your Zoom traffic is appropriately classified so that it receives appropriate bandwidth and prioritization. Flow monitoring gives you visibility into all your DSCP markings and is your choice for QoS analysis.
  3. Monitor and understand the network performance for interrelated components like the session border controller, the routers handling the video traffic, and the external connection to the Zoom cloud service. Make sure they don’t get overwhelmed. Infrastructure management can help here by monitoring the availability of devices and interfaces.

How can you be sure? Well, we’re already helping many of our existing customers with their on-prem and VPN-based Zoom performance, including a global financial services firm. We’re helping them work through these exact steps to ensure their Zoom environment is optimized for end-user experience and productivity while also managing its impact on their broader network. We accomplished this using a collection of flows and packets, which provides integrated and seamless monitoring and troubleshooting.

 

[1] https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/

[2] https://www.gartner.com/en/documents/3982949/covid-19-bulletin-executive-pulse-3-april-2020

11 Ways to Ensure Network Performance, Visibility and Security for Work-From-Home Users https://www.riverbed.com/blogs/ensure-network-visibility-security-for-work-from-home-users/ Tue, 07 Apr 2020 08:30:00 +0000 https://live-riverbed-blog.pantheonsite.io?p=14560

According to Gartner, 43% of U.S. workers spend some of their time working remotely and there’s a high proportion of work being done outside the traditional corporate office in Finland, Japan, the Netherlands, and Sweden. However, nothing has prepared enterprise IT for the surge of work-from-home (WFH) users that has occurred as a result of ‘shelter in place’ mandates associated with the COVID-19 pandemic.

This rapid workplace shift is increasing pressure on existing IT systems (many of which were not fully prepared to handle this scenario at scale) while economic uncertainty is driving increased focus on cost containment across every industry. Ensuring that remote workers remain productive and that the data they share remains secure are two significant ways IT can contribute.

Network visibility for work-from-home users

Typically organizations have 59% more east-west traffic than north-south (Gigamon) and the expanded WFH policies are essentially driving that entire LAN traffic base over to VPN. During this transition, having accurate visibility into this new traffic profile is critical. Riverbed provides visibility into exactly what’s happening across your hybrid network.

  1. Application Intelligence automatically identifies over 2,000 applications on the network, allowing IT to prioritize business-critical and collaboration applications, and de-prioritize others. For example, most networks prioritize the burgeoning VoIP, WebEx and Zoom traffic. You can ensure they remain in a prioritized QoS category and troubleshoot outliers.
  2. Resolve remote access and VPN issues. This is a big one. A lot of NetOps teams are worried about how they’re going to support a huge increase in the number of people that connect to the enterprise via VPN. Two of the questions they look for Riverbed to answer are: “Does our VPN setup have the capacity to handle the additional work-from-home triggered workload?” and “How well is our VPN setup holding up under this additional load?” Riverbed AppResponse provides this visibility and more. Know what level of network performance your WFH remote users are actually experiencing.
  3. Measure real user experience of web applications and easily troubleshoot performance problems for remote workers.
  4. Another form of user experience monitoring is synthetic testing. Use synthetic testing to monitor network performance, infrastructure, or application performance 24 x 7. Create test scenarios to monitor essential applications such as Microsoft Exchange and database transactions.

    Riverbed can distinguish business apps from recreation. Here we see BitTorrent is hogging the bandwidth.
  5. Re-plan for capacity changes, identify critical traffic, and optimize bandwidth usage for new traffic flows.
  6. If you use SteelHead WAN optimization, gain a centralized view into application performance, bandwidth reduction, QoS categories, responsiveness, and more.

Network security is a top concern with a distributed workforce

Unfortunately, as the employee base moves to work-from-home and other remote locations, cyber bad guys will try to take advantage of any lapses in security that are created by this shift. Now more than ever, your organization needs to be prepared. Riverbed helps with threat detection and mitigation on all network traffic. Riverbed’s NetProfiler Advanced Security Module helps detect and respond to threats by monitoring flow data from across your hybrid enterprise.

  1. Know when workers communicate with blacklisted systems, such as known malware download sites or command & control sites, so you can investigate and mitigate before additional systems in the network are infected.
  2. DDoS detection quickly identifies a broad range of DDoS attacks so you can make informed mitigation decisions to end interruptions to business sooner. The VPN has become a target for DDoS attacks and phishing for VPN account credentials – don’t let it become your weak link.
    Example of an exfiltration alert in NetProfiler Advanced Security Module.
  3. Network security analytics baselines traffic and automatically identifies threats that generate unusual patterns, such as unexpected new services, hosts, or connections. These patterns could indicate data exfiltration, password brute force attempts, etc.
  4. App Intelligence automatically identifies more than 2,000 applications, helping you identify and close down “shadow IT” usage that could leave you vulnerable.
  5. Cyber threat hunting lets you explore for hidden but suspected threats before they become business-impacting events.

Riverbed has been helping enterprises across the globe with these exact challenges. Our customers are relying on our network visibility and security solutions, now more than ever, to help them handle the work-from-home surge. We can help your IT team, too!

As you work to re-architect your infrastructure for this work-from-home shift, remember that Riverbed Unified NPM is there to support your visibility needs. Riverbed delivers a Unified NPM platform that offers enterprise-scale visibility and analytics. It monitors all packets, all flows, and all infrastructure metrics enterprise-wide to quickly detect and remediate performance issues and security threats. Riverbed Unified NPM combines the breadth, depth and scale of information across on-premises, hybrid and multi-cloud architectures so you get end-to-end visibility with no blind spots.

For more information, go to www.riverbed.com/npm.

Add Visibility to Your SteelHead to Optimize Network Performance https://www.riverbed.com/blogs/add-visibility-steelhead-optimize-network-performance/ Wed, 01 Apr 2020 12:30:00 +0000 https://live-riverbed-blog.pantheonsite.io?p=14385

For some reason, whenever I think about how Riverbed NPM and SteelHead WAN Optimization can work together to provide better visibility into optimized network performance, the Johnny Nash song “I Can See Clearly Now” comes to mind:

I can see clearly now the rain is gone
I can see all obstacles in my way
Gone are the dark clouds that had me blind
It’s gonna be a bright (bright)
Bright (bright) sunshiny day…

Whether you are an existing SteelHead user or just thinking about adding WAN optimization to your portfolio, adding Riverbed NetProfiler to your SteelHead environment makes a lot of sense. Check out the solution brief for more info.

You see, SteelHeads utilize SteelFlow, Riverbed’s proprietary version of network flow data. SteelFlow allows SteelHeads to send unique and rich optimization metrics to NetProfiler, our enterprise flow monitoring and analysis solution. This flow information includes application mapping, bandwidth reduction, optimized traffic latency, QoS, and retransmission metrics.

I can see all obstacles

When your organization uses WAN optimization to improve application performance, it can complicate your network visibility story. WAN optimization can mask many of the details necessary to monitor end-to-end visibility. NetProfiler overcomes the visibility blind spots that WAN optimization sometimes introduces into the network by its very nature. When you add NetProfiler to your SteelHead deployment, it becomes a bright sunny day in the NetOps Center again. You gain:

  • The ability to see all applications (2000+ auto-defined apps, plus custom-defined apps) everywhere they run.
  • Centralized quality of service (QoS) policy configuration and visibility. NetProfiler aligns both inbound and outbound QoS results with business objectives using NetProfiler QoS rules.

    Get WAN bandwidth utilization reduction, including percentage of reduction on utilized traffic. Note: Web bandwidth utilization was reduced by 99% across the WAN.
  • Accurate response time analysis of optimized applications.
  • The ability to understand bandwidth reduction benefits. Report on all SteelHead optimization results simultaneously, and uncover additional optimization opportunities.
  • WAN visibility (optimized and non-optimized traffic) into utilization for every location.
  • Centralized troubleshooting of remote LANs.

Gone are the dark clouds that had me blind

The results are widespread and instantaneous. By using NetProfiler to optimize network performance management with your SteelHead, you gain tremendous benefits:

  • Understand the end-to-end picture of your optimized network and application performance for faster troubleshooting.
  • Keep critical applications running at peak performance—all the time, in all places—not just across the WAN.
  • Identify performance issues earlier, as soon as they start, to avoid business-impacting issues.
  • Troubleshoot performance problems quickly and efficiently, no matter where they occur.

To learn more about how NetProfiler can provide comprehensive visibility into SteelHead WAN optimization, download the solution brief.

Five Must-Haves for Unified Network Performance Management (NPM) https://www.riverbed.com/blogs/5-must-haves-for-unified-npm/ Tue, 17 Mar 2020 12:30:00 +0000 https://live-riverbed-blog.pantheonsite.io?p=14352

We’re all used to the back and forth: integrated platform or standalone, best-of-breed? “Tools that can correlate multiple classes of network data are more effective in all NPM (network performance management) use cases,” according to industry analyst Enterprise Management Associates (EMA). To help in your search for an integrated platform, EMA lists five must-haves for unified NPM below:

#1 Diverse data collection and analysis

NPM tools that correlate multiple data sources provide better insight into application performance, security, events, anomaly detection, and ultimately end-user experience. They gather more than packet data. They include data from device metrics, flow records, tests (ping and traceroute), logs, synthetic traffic, and even pull events and data from other systems.

#2 Workflows for key unified NPM use cases

Unified NPM solutions should support workflows and functionality for each of the key use cases listed:

  • Performance monitoring
  • Troubleshooting
  • Security monitoring and response
  • Capacity management
  • Cloud application migration assessment

#3 Platform scalability

NPM tools must be able to do everything at scale: collect, process, store, and analyze. The amount of data is always expanding and includes data from all your physical and virtual networks whether they are in the cloud or on-prem. Even if you are not supporting IoT (Internet of Things) edge devices, you will probably need to do so at some point in the future.

#4 Data granularity

With so much data to collect, process, store, and analyze, the temptation is to aggregate the data. But, then what do you do when you need to drill into the details? Do you have the raw data captured at high frequency that allows you to drill down and gain critical insights?

#5 AIOps-driven NPM

Artificial intelligence for IT operations, or AIOps, is used to very quickly surface anomalies and detect patterns in large volumes of data. With AIOps, enterprises can better automate key network management processes, including network traffic analysis, root cause analysis, capacity management, and security remediation. It’s no wonder that 92% of enterprises are using or want to use AIOps-driven NPM, according to EMA.

Do you have others to add to the list? Or, if you’d like to learn more about the big five must-haves for unified NPM, check out the infographic.
Six Blind Men and the Elephant https://www.riverbed.com/blogs/six-blind-men-and-the-elephant/ Tue, 03 Mar 2020 13:30:00 +0000 https://live-riverbed-blog.pantheonsite.io?p=14356

I was recently reminded of the story of the blind men and the elephant when I read the statistic that 67% of enterprises have 3-6 network performance management (NPM) tools installed. These teams struggle with problem detection and spend more time on reactive troubleshooting than their counterparts who use more integrated NPM tools.

Back to the elephant

For those unfamiliar with the story, six blind men come into contact with an elephant for the first time. The first man touches the elephant’s solid side and says that the elephant is exactly like a wall. Then the second touches the tusk and says he is round and sharp like a spear. He is followed by a third man who feels the trunk and says snake. The fourth wraps his arms around the leg and says that an elephant is like a tree. The fifth touches the ear and says it is like a fan. And the sixth grabs the elephant by the tail and says he is exactly like a rope. Each man comes to his own conclusion based on his own data points and his own previous knowledge. At last, the elephant moves on, yet the blind men continue arguing, each one believing that he was absolutely right.

You’re probably nodding your head at this point, especially if you work in NetOps. IT environments are becoming more complex, more distributed, and more dynamic. And infinitely harder to manage. Yet, without a well-performing and secure network, your digital transformation initiatives and workforce productivity are put at risk.

Patchwork doesn’t work

Like with the elephant, getting information on only part of the picture in isolation makes it difficult for you to resolve the complex problems that can impact your business-critical applications. Many teams are like the blind men, arguing based on their own data and unable to collaborate and form a complete, unified picture. Only by bringing multiple sources of data together can you see the whole of the elephant.

“Patching together legacy tools and disparate solutions doesn’t work. Instead, it reduces agility and efficiency, diminishes the user experience, and drives up costs,” according to ESG’s new report.

Pulling the sources of data together

Here is a short list of sources of data that you will need to integrate and analyze to troubleshoot and proactively resolve network issues effectively and efficiently:

  • Device metrics
  • Flow records
  • Packets
  • Tests, like ping and traceroute
  • Logs
  • Synthetic traffic
  • Events/data collected from other IT systems

Conquer fragmentation with integrated NPM tools

Best-in-class integrated NPM tools collect raw data in tight intervals, store as much data as possible, and facilitate drill-downs into the data that provide critical insights. Learn how to conquer fragmentation and integrate your approach to NPM with Riverbed in this new report.

Portal: Central Management Now “Free” to AppResponse Customers https://www.riverbed.com/blogs/portal-central-management-now-free-to-appresponse-customers/ Wed, 12 Feb 2020 13:30:00 +0000 https://live-riverbed-blog.pantheonsite.io?p=14235

With the latest release of Portal version 3.3, central management workflows such as managing Host Groups and application definitions are now available to all AppResponse customers without having to purchase a Portal license. However, using Portal’s “dashboard” capabilities to show performance data from any data source(s) still requires a valid Portal license.

Let’s dig into this in a little more detail. There are currently two main parts of Portal:

  1. Dashboards, which allow you to bring data from AppResponse, NetProfiler, NetIM, Aternity End User Experience Monitoring, Aternity Application Performance Monitoring and/or third parties into a single, curated view that can be shared with executives, line of business, app owners, etc.
  2. Central management, which makes managing large numbers of AppResponse appliances easier.

So what specifically does Central Management do? It streamlines the management of distributed AppResponse appliances with features such as:

  • Software upgrade orchestration: Allows you to remotely update connected AppResponse appliances (virtual, physical or cloud appliances). Just upload a valid AppResponse update ISO obtained from the Riverbed support site and Portal pushes it out to the selected AppResponse appliances during the remote update procedure.
  • System & traffic health status: Lets you monitor system and traffic health metrics for connected AppResponse appliances. These metrics include disk health, chassis health, monitoring interface drops, time sync, and power supply. Typical red-yellow-green LED status values come directly from the AppResponse System Health info while tool tips provide the status reason. Clicking any LED indicator takes you to the corresponding page on the appliance for more info.
  • Users & roles management: Using an existing AppResponse centrally managed by Portal, you can clone that system and all roles and users. You can add, edit, or remove a role or user, just like you would on a local AppResponse, and these changes will be pushed to any remote systems. The distribution column tells you how many AppResponse systems the role or user is distributed to.
Portal can manage AppResponse User Accounts and Administer Roles
  • App & host group definitions: You can also centrally manage your host group and app definitions. App definitions include general, URL, and Web apps. You can create, edit and delete apps within Central Manager; push, remove and import apps on remote appliances; and apply tags to the apps and host groups.

Portal Central Management simplifies the process of managing remote AppResponse environments. If you don’t already have it, and you have several AppResponse appliances, you need to get it! It will take the hassle out of upgrading, monitoring, and managing your AppResponse appliances.

To get started, simply download Portal 3.3 from the Riverbed support site.