Cisco claims its Tetration Analytics platform can monitor everything in the data center. It uses machine learning and applies policy across each application, regardless of where the application lives: in on premises data centers, or in private or public clouds. This means companies can move the workload and the policy stays intact.
Tetration also works across any vendor’s infrastructure, so companies aren’t locked into Cisco switches and servers. “It’s truly a very open model” said Yogesh Kaushik, director, Cisco Tetration Analytics. “In fact, some of our larger customers have no Cisco infrastructure ties at all and they are still using Tetration.”
According to Kaushik, using analytics and machine learning to improve security is top of mind for chief security officers (CSOs) across industries. SDxCentral senior editor Jessica Lyons Hardcastle recently caught up with Kaushik to talk about security and what the future holds for Tetration. The following interview has been lightly edited for clarity.
What can you tell me about how many customers are using Tetration?
Kaushik: This is typically not something we share. I can tell you we have penetration across all geographies as well as all major segments we play in, including federal, public sector, state, education, health care, and financial, across the world. U.S. is our biggest market but we do have quite a few customers in EMEA (Europe, Middle East, and Africa), Australia, Japan, India, and China.
We covered the Tetration Analytics software rollout in February. What’s new since then?
Kaushik: We started off with analyzing and whitelisting what the workloads can talk to — what comes in, what goes out — and putting a policy at scale in place that automatically gets computed and enforced on all these workloads. Now we’re taking the next step and going deeper on what happens on these workloads. We track all processes, for example, so now we’re starting to track what does the process hash look like? Is this the right image that you downloaded, could this potentially be malicious? Another aspect: we’re spending a lot of time integrating with our router security portfolio inside Cisco. A lot of that is slated for Q1 calendar year 2018 timeframe.
What does Tetration do that’s unique compared to other security products?
Kaushik: There’s been this whole buzz about zero-trust security. A zero-trust security model, or a whitelist security model, at a high level is pretty simple: block everything unless it’s specifically permitted. If it’s very small scale, and if it’s an environment that doesn’t change as much, then zero trust is achievable. But some of our customers have tens of thousands of VMs [virtual machines] where they deploy Tetration. The scale is prohibitive for defining trust and creating a zero-trust model, and these environments change all the time.
Tetration can monitor thousands of workloads, millions of events per second, and then we use machine learning to essentially create policy. We also track what happens to these workloads, how do they change in behavior, how do they move around. These attributes are tracked, and then we compile the policy again every minute, and then push it back to the environment. So not only are we doing it at scale, we’re also responding to the changes in that environment. That’s where most of our competitors lack. They lack the scale, and they also lack the ability to respond to it fast enough.
In June, Cisco partnered with ExtraHop to boost Tetration’s analytics capabilities. Why do you need to supplement Tetration, which was supposed to monitor everything in the data center?
Kaushik: We made a conscious choice on Tetration not to ever look inside the packet. We don’t monitor payload, mostly because it tends to be encrypted. We look at the behavioral patterns. Tetration, as an open platform, does two things. One is if a customer wants to put a policy in place that is actually tied to something that’s available in the payload, we can glean those attributes from platforms like ExtraHop, as well as platforms like Cisco Stealthwatch or our threat intelligence platform, which is Talos. We kept an open model where we can ingest data with any solution that is willing or has an open interface to give us certain attributes that we can pull in. Then we can track those attributes over time, and as those attributes change we can define and recompute and push the policy out based on those attributes.
Where do you see the industry moving in terms of using analytics and machine learning to improve security?
Kaushik: This is a trend that’s going to continue. The main reason for that: if you talk to CSOs there is a severe lack of talent. Security experts are expensive and there are not as many as the industry needs. The reason machine learning comes in: data crunching, number crunching, computation — machines are really good at that. Humans are not as good at number crunching. They are good at decision making. So there’s a shift that’s happening in the security industry. It’s saying let machine learning or artificial intelligence take care of most of your repetitive tasks, but also some of the more complex tasks like number crunching at a very large scale that’s very hard for humans to achieve. But once you get the outputs, humans can interpret that and make informed decisions. It’s not that it’s going to be all AI and all machine learning; you’re always going to have people making decisions. But you’re offloading the bulk of these other tasks to machine learning.
The other thing that makes it very complicated is scale. Once you get to a few thousand workloads the environment is extremely dynamic. Everyone wants agility. The primary driver is I want to do things fast. At that level of dynamic environment, it is not possible to scale it with people. You have to have automation, you have to have event-driven security, you have to have machine learning capabilities in house. So that’s why you see more vendors, including us, pushing more and more toward machine learning and analytics to drive security outcomes.
Can security ever be fully automated?
Kaushik: Not 100 percent. The reason for that is as you respond to events happening in the environment there are two types of problems. One is not being able to detect something bad, but an equally bad problem is to flag something that’s not bad as bad. If you look at our security portfolio that’s a huge emphasis for us. For example, we did encrypted traffic network analysis as part of network intuitive launch. We spent a lot of time making sure the rate of false positives is extremely low. But it’s never zero. You’re not going to have full automation unless you’re 100 percent certain. You want to have that human in the loop. But 90 percent of the tasks are very repetitive in nature and they can be fully automated.