Cisco Tetration came out of the gate as a deep analytics and insights platform and is rapidly iterating on a variety of use cases. In this briefing, Cisco presented how Tetration can be used for network security. Ethan Banks discusses. Listen via the embedded audio player above.
- Automated microsegmentation was the chief use case cited in this briefing. Cisco described the problem of whitelisting flows between applications, making the point that it is very difficult to know what the network flow dependency tree between apps actually looks like. For a human to get the whitelist right is nearly impossible. This is where Tetration steps in.
- Tetration builds a profile of every single endpoint on the network, feeds the profiles through a machine learning algorithm, and then groups endpoints together based on the granularity the customer desires.
- With the groups built, Tetration determines which ports should be opened between which groups. Cisco says Tetration is going to get this right because it sees every packet on the wire, collected via endpoint agents, hardware sensors, and metadata gathered from network devices. Even short-lived microflows are analyzed, increasing the odds that the whitelist Tetration generates will work correctly. The practitioner's caveat with any learned whitelist is that it permits whatever was observed, so any unwanted or misconfigured flows present during the learning window get baked into the policy unless someone reviews the generated rules.
- For customers with seasonal variation in traffic patterns, Tetration comes with an enormous amount of storage so it can capture flow patterns over several months, helping to ensure that the generated whitelist is valid no matter the season, although it would take a quarter or so to gather the data needed before deployment.
- Tetration policies can be deployed in a monitor-only mode, so that IT teams can observe what traffic would be dropped before placing the policy into production.
- Particularly risk-averse customers have the option to be notified by Tetration when flows are denied by the whitelist, allowing them to add the denied flow to the permit side of the list. Customers can also write their own policies using tag metadata or subnets, to be merged with Tetration's machine-learning-generated policies, a nice feature for giving Tetration hints about upcoming infrastructure changes.
- For folks imagining a complex set of five-tuple rules that has to be maintained by hand once Tetration has done its magic, Cisco stresses that Tetration is constantly refactoring the nitty-gritty rule sets as the IT infrastructure changes. Customers manage only intent-based policies, expressed in a higher-level language describing what should be allowed to talk to what. No fussy rules management is expected of ops teams, which is just as well, since Tetration scales to 1 billion policy rules per Tetration cluster according to Cisco. I don't know about you, but I don't want to manage that by hand.
- For folks invested in security platforms other than Tetration, Cisco mentioned that the policies generated by Tetration are exportable, citing AWS, ACI, and even a nebulous “other vendors” as possible targets to import Tetration’s rulesets.
- Cisco also pointed out that Tetration works without caveat across several different workload platforms, including Azure, Google Cloud Platform, and AWS, alongside ACI in the data center. The point being that with the Tetration agent, any workload can be secured no matter where it is. With the press of a button, Cisco demonstrated global policy deployment. Upon accepting the warning "New host firewall rules will be inserted and any existing rules will be deleted on the relevant hosts," a policy was deployed to the impacted endpoints. Note what that warning says: deployment replaces the existing host firewall rules outright, so anything not expressed in policy is gone, which is exactly why the monitor-only mode mentioned above matters before the first push.
- At the tail-end of the briefing, Cisco dropped the SaaS bomb, mentioning that Cisco Tetration Analytics as a service was coming soon, currently in testing with some select customers.
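To make the workflow in the bullets above concrete (learn group-to-group rules from observed flows, evaluate new flows in a monitor-only mode, merge a hand-written rule, and regenerate per-host rules from group intent when membership changes), here is an added example. It is not Cisco's code and does not reflect Tetration's data model; the group tags, IP addresses and flow records are all constructed for illustration, and the group tags stand in for the output of the clustering step.

```python
"""
Flow-derived microsegmentation allowlist (illustrative, not Tetration code).

Learns (src_group, dst_group, proto, dport) rules from observed flows, then
evaluates new flows in monitor-only or enforce mode, and expands the group
intent into per-host rules so membership changes regenerate host rules
instead of being hand-edited.
"""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Hypothetical endpoint-to-group tags; stands in for the ML grouping step.
GROUPS = {
    "10.0.1.10": "web", "10.0.1.11": "web",
    "10.0.2.20": "app", "10.0.2.21": "app",
    "10.0.3.30": "db",
    "10.0.9.99": "mgmt",
}

# Constructed flow records captured during the learning window.
OBSERVED = [
    Flow("10.0.1.10", "10.0.2.20", "tcp", 8080),
    Flow("10.0.1.11", "10.0.2.21", "tcp", 8080),
    Flow("10.0.2.20", "10.0.3.30", "tcp", 5432),
    Flow("10.0.9.99", "10.0.1.10", "tcp", 22),
    Flow("10.0.9.99", "10.0.3.30", "tcp", 22),
]


def learn_allowlist(flows, groups):
    """Collapse per-host flows into group-level rules.

    Flows involving an untagged host are skipped on purpose: an unknown
    endpoint must never silently widen the learned policy.
    """
    rules = set()
    for f in flows:
        if f.src in groups and f.dst in groups:
            rules.add((groups[f.src], groups[f.dst], f.proto, f.dport))
    return rules


def evaluate(flows, groups, rules, enforce=False):
    """Return (flow, verdict) pairs.

    In monitor-only mode (enforce=False) a non-matching flow is reported as
    'would_drop' so operators can see what enforcement would block before
    the policy goes live; in enforce mode the verdict is 'drop'.
    """
    verdicts = []
    for f in flows:
        key = (groups.get(f.src), groups.get(f.dst), f.proto, f.dport)
        if key in rules:
            verdicts.append((f, "allow"))
        else:
            verdicts.append((f, "drop" if enforce else "would_drop"))
    return verdicts


def render_host_rules(rules, groups):
    """Expand group intent into per-host rules (src_ip, dst_ip, proto, dport).

    Re-running this after a membership change is the 'refactoring' step:
    the intent rules stay the same, only the host-level expansion changes.
    """
    members = {}
    for host, group in groups.items():
        members.setdefault(group, []).append(host)
    host_rules = set()
    for src_group, dst_group, proto, dport in rules:
        for s in members.get(src_group, []):
            for d in members.get(dst_group, []):
                host_rules.add((s, d, proto, dport))
    return host_rules


if __name__ == "__main__":
    learned = learn_allowlist(OBSERVED, GROUPS)
    # Operator-written rule merged with the learned set (hypothetical intent).
    policy = learned | {("mgmt", "app", "tcp", 22)}
    # Constructed new flows: one lateral web->db attempt, one legitimate web->app.
    new_flows = [
        Flow("10.0.1.10", "10.0.3.30", "tcp", 5432),
        Flow("10.0.1.11", "10.0.2.20", "tcp", 8080),
    ]
    for flow, verdict in evaluate(new_flows, GROUPS, policy):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {verdict}")
    # A new web host inherits the web group's rules with no rule edits.
    grown = dict(GROUPS, **{"10.0.1.12": "web"})
    print(len(render_host_rules(policy, GROUPS)), "host rules before,",
          len(render_host_rules(policy, grown)), "after adding a web host")
```

Note that `render_host_rules` permits 10.0.1.10 to reach 10.0.2.21 on 8080 even though only 10.0.1.10 to 10.0.2.20 was ever observed: grouping generalizes the learned flows, which is what makes the policy survive scale-out, and also why the group boundaries deserve review before enforcement.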
For more detailed information, watch the YouTube video of the briefing from TechFieldDay.com below.