Cisco has announced new capabilities for its Tetration platform. Originally released as a data center visibility product, Tetration can now monitor applications for known vulnerabilities and anomalous behavior.
Cisco places software agents on application hosts to monitor application processes, system calls, memory access, user activity, and other data points to create a baseline of application activity.
The agents ship this data to Tetration, which combines it with packet analysis, flow records, and other data center network telemetry. Tetration sets a baseline of application and user behavior, and can alert administrators about deviations that may indicate compromise or malicious behavior.
Tetration also uses the CVE vulnerability database to identify servers running software packages that have known vulnerabilities. It provides a scorecard to help administrators prioritize critical risks. Administrators can also search for specific vulnerabilities.
Besides collecting application information, the host agent also serves as a firewall to enforce policies.
For example, administrators can set whitelists to segment applications and workloads: a policy could say that an application server should only communicate with databases X, Y, and Z. The host will block any connections not whitelisted.
In addition, administrators can configure the host to quarantine a server.
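The default-deny behavior described above (whitelisted connections pass, everything else is blocked, and a quarantined server is cut off), sketched as an added example that is not Cisco's code or part of the original article. The policy layout, workload names, and ports are constructed for illustration and are not Tetration's JSON policy format; treating quarantine as blocking all of a host's traffic in both directions is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src: str   # workload name of the connecting host
    dst: str   # workload name of the destination
    port: int  # destination port

# Constructed policy in a hypothetical layout (not Tetration's schema).
POLICY = {
    "allow": [
        {"src": "app-server", "dst": "db-x", "port": 5432},
        {"src": "app-server", "dst": "db-y", "port": 5432},
        {"src": "app-server", "dst": "db-z", "port": 5432},
    ],
    "quarantined": ["app-legacy"],
}

def decide(flow, policy):
    """Return (verdict, reason) for one flow under a default-deny policy."""
    quarantined = set(policy.get("quarantined", []))
    # Assumption: quarantine overrides every allow rule, in either direction.
    for host in (flow.src, flow.dst):
        if host in quarantined:
            return "block", f"{host} is quarantined"
    for rule in policy.get("allow", []):
        if (rule["src"], rule["dst"], rule["port"]) == (flow.src, flow.dst, flow.port):
            return "allow", "matched whitelist rule"
    # Anything not explicitly whitelisted is dropped.
    return "block", "no whitelist rule matches"

def evaluate(flows, policy):
    """Pair each flow with its verdict so blocked connections can be reviewed."""
    return [(f, *decide(f, policy)) for f in flows]

# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("app-server", "db-x", 5432),  # whitelisted
    Flow("app-server", "db-x", 22),    # right host, wrong port
    Flow("app-server", "db-w", 5432),  # destination not on the list
    Flow("app-legacy", "db-y", 5432),  # source is quarantined
]

if __name__ == "__main__":
    for flow, verdict, reason in evaluate(SAMPLE_FLOWS, POLICY):
        print(f"{verdict:5} {flow.src} -> {flow.dst}:{flow.port}  ({reason})")
```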
Tetration can be deployed on premises via 6- and 36-server clusters using Cisco’s UCS hardware. It’s also available as a virtual appliance for public clouds, including Azure and AWS.
Belt And Suspenders
Cisco positions Tetration as part of a defense-in-depth strategy. While Tetration focuses on application protection, it can integrate with other Cisco security products, including its Firepower firewalls and IPSs, Advanced Malware Protection, and the Stealthwatch network behavioral monitoring platform.
Tetration can be used to push policies to other Cisco security devices, such as firewalls, in response to behavioral changes that might indicate an attack, or to help quarantine vulnerable applications.
It can also ingest information from Cisco’s Talos threat intelligence service, which can report on active exploits to help administrators and SOC staffers decide how to remediate vulnerable applications.
Besides leveraging its own security portfolio, Cisco says third-party products can access information and telemetry collected by Tetration. The platform uses open APIs and a pub/sub model for third-party products.
In addition, Tetration can integrate with firewall management software from vendors such as Tufin and Algosec to push policy changes out to third-party firewalls.
Tetration policies are built in a standardized JSON format, which Tufin and Algosec can then translate into the appropriate changes to other firewalls.
The company also says third parties can write software applications to run on Tetration.
The latest version of Tetration is available now.
1. We’ve had anomaly detection, vulnerability databases, flow records, application monitoring, and threat intelligence feeds for years. Cisco believes it has found the right formula to bake these raw ingredients into morsels that humans can consume. So have lots of other vendors. You’ll have to taste it and see for yourself.
2. Anomaly detection, like intrusion detection, is noisy. Be prepared to invest time in tuning and refining the system, even if it does include machine learning algorithms (which Tetration does).
3. Devote human responders to alerts thrown by Tetration. Some of those alerts will be wild goose chases. Others may lead down interesting rabbit holes that have nothing to do with malware or intrusions. And a handful may uncover raging dumpster fires that you didn’t realize were burning.
4. If you don’t give responders time and space to respond to alerts, Tetration is just going to be an expensive noise machine you eventually turn off. If you buy Tetration thinking you can cut costs on staff, you’re just throwing away money. Tetration is a tool, and tools need people to be useful.