Cisco this week expanded its Tetration Analytics system to let users quickly detect software vulnerabilities and more easily manage the security of the key components in their data centers.
Introduced in 2016, the Cisco Tetration Analytics system gathers information from hardware and software sensors and analyzes the information using big data analytics and machine learning to offer IT managers a deeper understanding of their data center resources. The idea behind Tetration includes the ability to dramatically improve enterprise security monitoring, simplify operational reliability and move along application migrations to Software Defined Networking.
Cisco said another key driver behind the technology is to give customers a single tool to collect consistent security telemetry across the entire data center and analyze large volumes of data in real time. In a multi-cloud enterprise, Tetration can lock-down tens of millions of whitelist policy entries across thousands of applications, Cisco said.
The new release (Version 2.3) of Tetration software brings a focus on protecting application workloads.
According to Yogesh Kaushik, senior director of product management at Tetration Analytics, protecting workloads requires a holistic approach to understand everything running and installed on the workload, as well as communications between the workloads to establish a clean baseline.
“This has to be done across thousands of workloads in an average data center. You have to discover each component of the application and map out the dependencies before making any changes to the security policy so applications don’t break,” Kaushik stated.
Tetration now provides a real-time inventory of all software packages along with version and publisher information. Using information learned from Cisco’s other security offerings – including Cisco Firepower Next-Generation Firewall (NGFW), Next-Generation IPS (NGIPS), Advanced Malware Protection (AMP), and Stealthwatch, as well as data from the Common Vulnerabilities and Exposure (CVE) database – it detects servers that have software packages with known CVEs and can quarantine or segment those devices away from important enterprise resources.
Tetration provides details such as a scorecard for the potential severity of the vulnerabilities and identifies all the servers running that specific software version. IT organizations can proactively set up filters to search for one or more vulnerabilities and set policies through the user interface or through APIs to take specific actions, such as quarantining hosts where servers are identified to have high-impact vulnerability, Cisco said.
Inventory running workloads
According to Cisco, Tetration can now collect and maintain inventory about workload processes running on enterprise servers on a minute-by-minute basis. “Using this information, IT managers can search inventory for the servers that are running or have run specific processes. The process information includes process ID, process parameters, and the user who is running the process, process duration and process hash or signature information. The process hash information is critical for security because IT managers can search for any servers in the data center that ran a malicious process by matching this hash information,” Cisco said.
With this release, Tetration can also now monitor workloads and the network to create a “normal” application behavior baseline that the system can then monitor for behavior deviations associated with malware behavior patterns like those found in side-channel or privilege elevation attacks.
Customers can use all of this data to develop policies that Tetration then follows and enforces.
Kaushik said that an example would be, “Block all workloads with known vulnerabilities from communicating with database servers that have sensitive data.” Tetration continuously translates the intent to concrete rules based on current attributes of the workloads.
Tetration also accounts for policy hierarchy and does automatic conflict resolution. If an app developer and database owner both agree to allow communication, but a higher order InfoSec rule denies it, Tetration will resolve in a deny action. The platform is role-based, access controlled and the roles can be mapped to administrative domains, Kaushik said.
Tetration stores several months of data on the platform, letting customers test the impact of policy changes in real-time, as well as run experiments with backdated traffic. All changes to the policy are tracked for auditing, Cisco said.
Another key component of Tetration is its ability to decouple policy creation and translation from policy enforcement.
“It’s an open policy model that can be used to implement policy in any plane through a REST API or a Kafka stream. Tetration enforces policy on the workload natively, and also streams that same policy to other infrastructure elements such as firewall orchestration systems, load balancers and SDN controllers, and the public cloud. The same policy model is used for bare metal, virtual and containerized workloads, both on-premises and in the public cloud,” Kaushik said.
The latest Tetration upgrade builds on features Cisco added to the 2.0 version package in 2017. At the time Cisco said Tetration Analytics policy recommendation and enforcement engine can now take micro-segmentation – a security technique enabling workload separation – a leap further by delivering application segmentation, which drives policies across the application layer, regardless of where the application resides: virtualized, bare metal, physical servers or in the cloud, Cisco said.
A key part of the 2017 upgrade was new implementation packages. For example it rolled out a small Tetration package designed for under 1,000 workloads that includes six UCS C-220 servers and two Nexus 9300 servers. A virtual appliance that runs in Amazon Web Services (AWS) for up to 1,000 workloads was also rolled out. In its first iteration Tetration supported 10,000 sessions and came in a full rack of hardware that included 36 UCS C-220 servers and three Nexus 9300 switches.
Tetration Analytics 2.3 will be available in April.