Cisco has announced that its Tetration workload protection product is now available as a SaaS offering. The company is also releasing a virtual appliance version that runs on VMware’s ESXi hypervisor.
Tetration originally required a significant stack of Cisco hardware (either a full rack, or a unit with six servers and two Nexus 9300 switches). The new options let customers start smaller, at a lower cost, and with less infrastructure to set up and manage.
Tetration In The Sky
To use the SaaS service, customers install software agents on any workloads they want to protect, including bare metal servers and applications running on a hypervisor or in containers. The agent then collects data on application behavior, including running processes, system calls, and user interaction.
It sends this data to the SaaS service, which analyzes the data to establish a baseline of normal behavior. If the service detects anomalies, it alerts an administrator. The data is encrypted via TLS before it’s sent to the cloud.
Cisco also offers virtual versions of Tetration that can run in AWS and Azure VPCs. The public cloud workloads send workload data to the SaaS platform.
Besides examining processes, Tetration monitors software and application versions and matches them against known databases of software vulnerabilities to help organizations identify software that may need to be patched or otherwise presents a risk to the company.
The agents can also enforce policies, such as quarantining an application, or blocking communication with applications or services that don’t match an administrator-defined whitelist.
Cisco has partnered with an infrastructure provider to operate its SaaS offering from two geographically separate data centers in North America. Cisco wouldn’t say which provider it’s working with. The company plans to make the service available in other countries based on demand.
Aside from the fact that the SaaS service relieves customers of the burden of infrastructure operation, there are two significant differences between the premises hardware option and the SaaS offering.
First, the premises version of Tetration can also ingest network data, including flow records from Netflow/IPFIX sensors, streaming telemetry from Cisco Nexus switches, and data from ERSPAN sensors. The premises version of Tetration uses this data to provide more context for behavioral analysis and threat detection.
However, the SaaS service doesn’t collect this network data: it only works with information collected from the workload agents. Cisco says it will support Netflow collection and ERSPAN sensors in the SaaS platform at a later date.
Second, Cisco allows customers to run their own or third-party apps on top of the premises Tetration version to extract more value from the data being collected.
However, Cisco is being more cautious with apps on its SaaS platform; customers will have to get third-party applications approved by Cisco before they can be used. The company says this is to prevent “noisy neighbor” problems that might affect the service’s performance for other users.
The Virtual Appliance
In addition to the SaaS offering, Cisco has expanded its virtual appliance versions of Tetration. As mentioned, Cisco already offers virtual versions of Tetration that can be deployed in AWS and Azure VPCs.
Now a virtual appliance that runs on the ESXi hypervisor is available for customers to use on premises. Like the hardware version, the virtual appliance analyzes workload data. At present, it doesn’t ingest network-based telemetry, but Cisco says that capability is on its roadmap.
Note that Cisco says customers are responsible for providing appropriate hardware, including compute and storage, for the virtual appliance to perform within specifications.
Cisco says the virtual appliance is suitable for data centers with fewer than 1,000 servers. The SaaS platform can support up to 25,000 workloads, according to the company.
The virtual appliance is shipping now. The SaaS service is expected to be available in May 2018.