Cisco announced on March 5 that it is expanding its Tetration analytics platform to provide new workload protection capabilities.
When Cisco unveiled Tetration in June 2016, the initial focus was on data center visibility. With the Tetration 2.0 update in February 2017, Cisco added application segmentation capabilities and the ability to build automatic security policies. Now Cisco is taking Tetration a step further, with new features to help detect software vulnerabilities, monitor running processes and detect application behavior deviations.
“Tetration is now evolving into a full-fledged, holistic workload protection solution,” Yogesh Kaushik, senior director of product management at Tetration analytics at Cisco, told eWEEK.
Kaushik explained that a core part of the Tetration workload protection update is the ability to detect known vulnerabilities. He noted that in modern distributed enterprises that run thousands or tens of thousands of workloads, understanding what is vulnerable is not an easy task. Kaushik added that even if an organization has known vulnerabilities, it’s often a not-trivial exercise to roll out patches rapidly.
To help limit the risk of software vulnerabilities, Tetration now provides real-time assessment of running workloads to look for known vulnerabilities. Understanding if a given vulnerability has been exploited is where Tetration’s new process behavior analysis component comes into play. Kaushik said that the process behavior analysis can find things like side-channel attacks and privilege escalation, among other attack vector signals.
“Our process behavior analysis capability looks at every process running inside the data center or the cloud and looks to see if the process deviates from the baseline,” he said.
Once a vulnerability has been detected, either via scanning for known issues or from process behavior analysis, Tetration helps to enable application segmentation to limit risks, according to Kaushik.
There are multiple sources for the data that Tetration consumes, with the primary source being a sensor that is deployed inside of a workload. Kaushik said Cisco has sensor agents that can be deployed on bare-metal servers, virtual machine hypervisors and containers, running on-premises or in the cloud.
Tetration collects other information from various systems across a network that can help provide context for workload activity. Kaushik said Tetration pulls data from load balancers, orchestration systems, IP address management as well as other analytics technologies.
“Tetration is open and programmable, so we can pull in attributes from many different places,” he said.
While Cisco has its own network segmentation technologies, Kaushik said Tetration will work with non-Cisco software-defined networking (SDN) approaches as well. Cisco has a defense in depth approach for Tetration that enables an organization to push a policy to an application host, as well as to the network perimeter and to SDN controllers, he said.
“We have decoupled the first 80 percent of everything the policy model does, with the last bit being about implementing the rule in a given infrastructure,” Kaushik said.
Cisco Tetration does workload enforcement natively via agents on bare-metal, virtual machines and containers. Kaushik added that the policy information is also streamed via a standard Apache Kafka interface. An SDN controller can just subscribe to the Kafka stream, parse it and then push it out to the network, he said. The same approach can work for a firewall or network perimeter security device as well.
“Decoupling allows us to be vendor-independent and vendor-agnostic,” Kaushik said. “Tetration can be deployed in any environment. In fact, we have customers that have very little Cisco technology deployed in their data center, and they are running Tetration.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.