Cisco Tetration Platform for Workload Protection Data Sheet

Updated: May 21, 2019
Document ID: 1520251557573103


The Cisco Tetration platform enables holistic workload protection for multicloud data centers, providing a secure infrastructure for applications.

Product Overview

Today's data centers consist of a hybrid multicloud infrastructure that uses bare-metal, virtualized, and container-based workloads. Because everything revolves around software, the applications running on this infrastructure are the crown jewels, and they are dynamic: they are constantly evolving. One of the key challenges you face is how to provide a secure infrastructure for applications without compromising agility. Even today, the majority of data centers are designed with traditional perimeter-only security, which is insufficient once an attacker is past the perimeter. A new approach is needed to address this challenge.

The Cisco® Tetration platform is designed to address this challenge in a comprehensive and scalable way. Tetration enables a holistic workload protection for multicloud data centers by using:

  • Whitelist-based segmentation, which allows implementation of a zero-trust model
  • Behavior baselining, analysis, and identification of deviations for processes and communication
  • Detection of Common Vulnerabilities and Exposures (CVEs) associated with the software packages installed on the servers
  • Proactive action: quarantining servers when vulnerabilities are detected and blocking communication when policy violations are detected
  • Insight into the data center security posture and where to focus in order to improve it

Figure 1. Multidimensional Workload Protection Approach using Cisco Tetration

By using this multidimensional workload protection approach (Figure 1), Cisco Tetration significantly reduces the attack surface, limits lateral movement in case of a security incident, and identifies Indicators of Compromise (IOCs) more quickly.

The Cisco Tetration platform makes it possible to implement such a security approach seamlessly by collecting rich telemetry from servers, applying machine learning and other algorithmic approaches, and automating the application policy lifecycle.

  • Software sensors: These lightweight sensors run as user processes and can be installed on servers running Linux or Microsoft Windows operating systems. The servers can be virtualized, bare metal, or container-based and can run in on-premises data centers or on any public cloud. By default the CPU overhead of a sensor is capped at 3 percent, and the sensor monitors itself to stay within that Service-Level Agreement (SLA). The sensors collect telemetry data and can also act as enforcement points for segmentation. They collect the following telemetry:
      • Flow information: Details about flow endpoints, protocols, and ports, when the flow started, how long it was active, and so on
      • Interpacket variation: Any interpacket variations seen within a flow, including variations in the packet's Time To Live (TTL), IP/TCP flags, and payload length
      • Process details: Processes executed on the server, including process parameters, start and stop time, process binary hash, and so on
      • Software packages: An inventory of all software packages installed on the server, with version and distributor information
  • Analytics: Cisco Tetration is a big-data platform designed for modern data center scale. It processes the information from the sensors and provides a ready-to-use solution that includes:
      • Accurate insight into application-component communications based on observed behavior
      • Automated and consistent whitelist policy recommendations for applications
      • Flexibility to extend policy definitions using workload context and other attributes such as users, user groups, and location
      • One-click policy enforcement to enable consistent application segmentation
      • Monitoring to track policy compliance deviations and update policy in near real time
      • Baselining of the processes running on each server and their communication behavior, and identification of deviations
      • Discovery of all software packages installed on each server and identification of any known vulnerabilities and exposures
      • In-depth forensics using powerful search filters, visual queries, custom events, and more
  • Access: In addition to a web-based user interface, Cisco Tetration provides system-generated northbound event notifications and the flexibility to define events with the appropriate severity. These capabilities let you carry out security operations efficiently and proactively.

Features and Benefits

Table 1 lists the key workload protection features of the Cisco Tetration platform and their benefits.

Table 1.             Key Features and Benefits

Feature

Benefit

Zero-day readiness

  Reduce exposure to zero-day vulnerabilities.
  Policy from the Cisco Tetration platform allows only the required traffic and blocks everything else. This limits what an attacker who exploits an unpatched vulnerability can reach, preventing a persistent threat from moving laterally to search for additional vulnerabilities on day zero.

Automated whitelist policy generation

  Auto generate whitelist policy based on application dependency and behavior.
  Coordinate whitelist policy definitions and validations across organizational boundaries. Use built-in workflows to collaboratively define a policy set for policy enforcement across a multicloud environment.
  Back-test the policy against historic data stored on the cluster appliance.

Extend policy definitions based on additional context

  Eliminate time-consuming manual creation of resource lists to segment applications. Define application segmentation default and absolute policies using asset tags.
  Quickly develop consistent policies for applications using real-time asset tagging:
   Associate rich business context with the servers.
   Define policies based on the users and user groups that need access.
  Integrate with vCenter, Kubernetes, OpenShift, and CMDB systems to automatically bring in workload context.

One-click policy enforcement across a multicloud data center

  Enforce the security framework using application segmentation and reduce the attack surface.
  Enforce policies with a single click. Enforcement uses the native firewall mechanisms of Linux and Microsoft Windows.
  Normalize the policy for each server, eliminating manual work to identify the policy that applies to each server.

Process inventory baselining

  Get an accurate inventory of the processes running on each server.
  Identify all servers currently executing or that have executed a process, including process hash.
  Get a tree view of the process execution hierarchy for easier understanding.
  Receive proactive notifications on critical process-behavior deviations.

Software vulnerability detection

  Get a baseline software inventory and the version information installed on servers.
  Quickly identify if any of the package versions have known vulnerabilities or exposures, along with the severity.
  Get an accurate inventory of all the servers that have the vulnerable package.
  Tie this information to a policy that designates a specific action, such as quarantining a specific server.

Data exfiltration signals

  Baseline temporal communication behavior between workloads to identify changes in those patterns.
  Correlate with other activities within the workload to determine whether a change is an indicator of compromise.
  Generate alerts for such events to enable proactive security operations.

User-defined analytics, reports, alerts, and dashboards using custom applications

  Use industry-standard notebook applications to create custom live content.
  Create live reports, which can tie local data together with external Internet-based context information.
  Create custom alerts and avoid alert fatigue.
  Build dashboards with graphics using open-source libraries.

Policy compliance and notifications

  Monitor policy compliance on a minute-by-minute basis and generate alerts for policy noncompliance.
  Generate policy-related alerts through the Kafka messaging interface.
  Monitor alerts through the user interface. Provide access for consumption by other northbound systems, such as Security Information and Event Management (SIEM).

Key Capabilities for Cisco Tetration Cloud Workload Protection Functionality

Automated Whitelist Policy Recommendation

Using the Cisco Tetration platform, you can automatically generate highly specific whitelist policies based on observed application communication behavior and dependencies (Figure 2). Tetration also lets you include predefined policies from higher-level entities such as security operations. You can specify policy using abstract information, including tags and annotations; for example, a security policy might state that production servers cannot talk to nonproduction servers. With the latest release of the Tetration software, you can also use user and user-group information within the policy to restrict application access. The result is an infrastructure-agnostic whitelist that can be consumed through the northbound interface and enforced across different environments.

Figure 2. Automated Whitelist Policy Recommendation Based On Application Behavior

Scalable Policy Enforcement to Enable Application Segmentation

Cisco Tetration application segmentation allows network administrators to implement a secure, zero-trust model using the auto-generated application whitelist policy. Tetration normalizes this policy according to priority and hierarchy before enforcing it. When policy enforcement is enabled for an application, the software sensors carry it out using native operating system capabilities: ipsets and iptables on Linux servers, and the Windows firewall with advanced security on Microsoft Windows servers. This approach delivers stateful, consistent segmentation across multicloud data centers at scale (Figure 3) and minimizes lateral movement in case of a security incident.

In addition, in a virtualized environment, this mechanism ensures that segmentation policy moves with the workload, allowing increased application mobility with no need for an infrastructure-specific segmentation policy. As application dependencies and communication patterns evolve, Tetration updates the policy automatically.
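The two preceding sections describe recommending a whitelist from observed flows and enforcing it with ipsets and iptables. The following Python script is an added example, not Cisco's code or the Tetration sensor's implementation: it derives tier-level allow rules from a constructed flow sample and hypothetical workload tags, drops any flow that a higher-level deny rule forbids (observed behavior never overrides an explicit deny), and renders one host's inbound allowlist as ipset/iptables commands ending in a default-deny policy. The flow records, the tags, and the FORBIDDEN rule are all constructed for the example.

```python
"""Allowlist recommendation from observed flows, rendered as ipset/iptables rules.

Added example, not Cisco code. Tiers, IPs and flows are constructed sample data.
"""
from collections import defaultdict

# Constructed flow telemetry: (src_ip, dst_ip, proto, dst_port)
OBSERVED_FLOWS = [
    ("10.1.1.10", "10.1.2.20", "tcp", 8080),  # web -> app
    ("10.1.1.11", "10.1.2.20", "tcp", 8080),
    ("10.1.2.20", "10.1.3.30", "tcp", 5432),  # app -> db
    ("10.1.2.21", "10.1.3.30", "tcp", 5432),
    ("10.1.1.10", "10.1.3.30", "tcp", 5432),  # web -> db: observed, but forbidden below
]

# Hypothetical workload annotations (tier, environment), assumed for the example
TAGS = {
    "10.1.1.10": ("web", "prod"), "10.1.1.11": ("web", "prod"),
    "10.1.2.20": ("app", "prod"), "10.1.2.21": ("app", "prod"),
    "10.1.3.30": ("db", "prod"),
}

# Higher-level rule from security operations: tier pairs that are never allowed,
# regardless of what the sensors observed
FORBIDDEN = {("web", "db")}


def recommend_policy(flows, tags, forbidden=frozenset()):
    """Cluster observed flows into tier-level allow rules.

    Returns {(src_tier, dst_tier, proto, dst_port): flows_observed}. Flows that a
    higher-level rule forbids are dropped: observed behaviour never overrides an
    explicit deny.
    """
    policy = defaultdict(int)
    for src, dst, proto, port in flows:
        src_tier, dst_tier = tags[src][0], tags[dst][0]
        if (src_tier, dst_tier) in forbidden:
            continue
        policy[(src_tier, dst_tier, proto, port)] += 1
    return dict(policy)


def tier_members(tags, tier):
    """All workloads carrying a tier tag, not only those seen in the flow sample."""
    return sorted(ip for ip, (t, _env) in tags.items() if t == tier)


def render_host_rules(policy, host, tags):
    """Render the inbound allowlist for one host as ipset/iptables commands.

    Only rules whose destination tier matches the host's tier are rendered; the
    last line sets the default deny that gives the policy its whitelist semantics.
    """
    host_tier = tags[host][0]
    inbound = sorted(k for k in policy if k[1] == host_tier)
    lines = [
        "iptables -F INPUT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for src_tier in sorted({k[0] for k in inbound}):
        setname = "tier_" + src_tier
        lines.append("ipset create -exist %s hash:ip" % setname)
        for ip in tier_members(tags, src_tier):
            lines.append("ipset add -exist %s %s" % (setname, ip))
    for src_tier, _dst_tier, proto, port in inbound:
        lines.append("iptables -A INPUT -p %s -m set --match-set tier_%s src "
                     "--dport %d -j ACCEPT" % (proto, src_tier, port))
    lines.append("iptables -P INPUT DROP")
    return lines


if __name__ == "__main__":
    policy = recommend_policy(OBSERVED_FLOWS, TAGS, FORBIDDEN)
    for rule, count in sorted(policy.items()):
        print("allow %s -> %s %s/%d (%d flows)" % (rule[0], rule[1], rule[2], rule[3], count))
    print("\n".join(render_host_rules(policy, "10.1.3.30", TAGS)))
```

On a real host, apply the rendered rules through iptables-restore as one table rather than command by command, so there is no window in which INPUT has been flushed while its policy is still ACCEPT; the script only prints the commands and never touches the kernel.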

Figure 3. Policy Enforcement Across a Multicloud Infrastructure to Enable Consistent Segmentation

Process Behavior Baseline and Deviation

Cisco Tetration collects and baselines the process details running on each of the servers, including process ID, process parameters, the associated user, process start time, and process hash (signature) information. It provides a tree view snapshot of all the processes running on a server (Figure 4). Users can search for servers running specific processes or for process hash information. Cisco Tetration also has algorithms available to track behavior pattern changes and match those to malware behavior patterns, such as a privilege escalation followed by a shell code execution. Cisco Tetration raises security events for such behavior deviations. Security operations teams can customize those events, their severity, and associated actions using simple-to-define rules. In this way, security operations can quickly identify indicators of compromise and take remediation steps to minimize the impact.
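As an added example (not Cisco's code), the following Python script shows the shape of the baselining described above over constructed process telemetry: it records the binary hashes seen per executable path during a baseline window, walks ppid links to reconstruct the process tree, and raises events for a changed hash on a known path and for a root shell that has a non-root ancestor, one concrete form of "privilege escalation followed by shell execution". Hosts, PIDs, paths, hashes, and the severity labels are all constructed assumptions.

```python
"""Process baseline and deviation detection over sensor process telemetry.

Added example, not Cisco code. Hosts, PIDs, paths and hashes are constructed.
"""
import os
from collections import defaultdict

SHELLS = {"sh", "bash", "dash", "zsh"}

# Constructed baseline window: one event per process (host, pid, ppid, user, exe, hash)
BASELINE_EVENTS = [
    {"host": "app01", "pid": 1,   "ppid": 0, "user": "root", "exe": "/sbin/init",      "hash": "a1"},
    {"host": "app01", "pid": 100, "ppid": 1, "user": "root", "exe": "/usr/sbin/sshd",  "hash": "b2"},
    {"host": "app01", "pid": 200, "ppid": 1, "user": "www",  "exe": "/usr/sbin/httpd", "hash": "c3"},
]

# Constructed live window, in start-time order
LIVE_EVENTS = [
    {"host": "app01", "pid": 1,   "ppid": 0,   "user": "root", "exe": "/sbin/init",            "hash": "a1"},
    {"host": "app01", "pid": 100, "ppid": 1,   "user": "root", "exe": "/usr/sbin/sshd",        "hash": "b2"},
    {"host": "app01", "pid": 201, "ppid": 1,   "user": "www",  "exe": "/usr/sbin/httpd",       "hash": "c3"},
    # same path as the baselined sshd, different binary hash (tampered or unapproved build)
    {"host": "app01", "pid": 300, "ppid": 100, "user": "root", "exe": "/usr/sbin/sshd",        "hash": "d4"},
    # web worker (www) spawns a helper that runs as root, which then spawns a shell
    {"host": "app01", "pid": 400, "ppid": 201, "user": "root", "exe": "/usr/local/bin/helper", "hash": "e5"},
    {"host": "app01", "pid": 401, "ppid": 400, "user": "root", "exe": "/bin/sh",               "hash": "f6"},
]


def build_baseline(events):
    """Map (host, executable path) -> set of binary hashes seen during the baseline window."""
    baseline = defaultdict(set)
    for e in events:
        baseline[(e["host"], e["exe"])].add(e["hash"])
    return dict(baseline)


def ancestors(table, host, pid):
    """Walk ppid links upward; this is the tree view, read from leaf to root."""
    seen = {pid}
    proc = table.get((host, pid))
    while proc is not None and proc["ppid"] not in seen:
        seen.add(proc["ppid"])
        proc = table.get((host, proc["ppid"]))
        if proc is not None:
            yield proc


def detect_deviations(events, baseline):
    """Return (severity, kind, host, pid) tuples for process behaviour deviations."""
    table = {(e["host"], e["pid"]): e for e in events}
    alerts = []
    for e in events:
        key = (e["host"], e["exe"])
        if key not in baseline:
            alerts.append(("info", "new_process", e["host"], e["pid"]))
        elif e["hash"] not in baseline[key]:
            alerts.append(("high", "hash_deviation", e["host"], e["pid"]))
        # privilege escalation followed by a shell: a root shell with a non-root ancestor
        if e["user"] == "root" and os.path.basename(e["exe"]) in SHELLS:
            if any(a["user"] != "root" for a in ancestors(table, e["host"], e["pid"])):
                alerts.append(("critical", "priv_escalation_shell", e["host"], e["pid"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_deviations(LIVE_EVENTS, build_baseline(BASELINE_EVENTS)):
        print("%-8s %-22s host=%s pid=%d" % alert)
```

The hash check deliberately keys on the executable path: an attacker who replaces a binary in place keeps the path and the parent, so the hash is the only field that changes. The root-shell rule is one pattern among those the text alludes to; in practice it is tuned per environment with an allowlist of legitimate setuid helpers.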

Figure 4. Process Behavior Baseline Tree View

Software Vulnerability Detection

The Cisco Tetration platform discovers the installed software packages, their versions, patch levels, and so on. The platform includes 19 years' worth of the Common Vulnerabilities and Exposures (CVE) database and uses it to check whether any installed package version has a known vulnerability. When a vulnerability is detected, its complete details, including severity and impact score, are shown (Figure 5), and all servers with the same version of the package installed can be identified quickly for patching and planning. Security operations can predefine policies with specific actions, such as quarantining a host when it has packages with certain vulnerabilities. This capability covers a broad set of known vulnerabilities, including high-impact threats such as Spectre and Meltdown.
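The following Python script is an added example, not Cisco's code or its CVE database: it matches a constructed package inventory against constructed advisory records (placeholder IDs, not real CVEs), groups affected hosts by package version for patch planning, and selects quarantine candidates by a CVSS threshold. The version_key helper is a deliberately simple numeric comparison; the caveat in its docstring is the part practitioners most often get wrong.

```python
"""Match a package inventory against advisories and group affected hosts.

Added example, not Cisco code. Package names, versions and advisory records are
constructed placeholders, not real CVE entries.
"""
import re
from collections import defaultdict

# Constructed inventory: host -> {package: version}
INVENTORY = {
    "web01": {"examplelib": "2.4.1", "exampletls": "1.0.2-5"},
    "web02": {"examplelib": "2.4.1", "exampletls": "1.1.0"},
    "db01":  {"examplelib": "2.4.9", "exampletls": "1.0.2-5"},
}

# Constructed advisory records (placeholder IDs, not CVEs): affected if version < fixed_in
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "examplelib", "fixed_in": "2.4.9",   "cvss": 9.8},
    {"id": "EXAMPLE-ADV-002", "package": "exampletls", "fixed_in": "1.0.2-7", "cvss": 5.3},
]


def version_key(version):
    """Numeric tuple for ordering, so '2.4.10' > '2.4.9' and '1.0.2-7' > '1.0.2-5'.

    Caveat: distro epochs ('1:1.0.2') and backported fixes that keep the upstream
    version need the distro's own comparison (rpmvercmp, dpkg --compare-versions);
    a plain string compare would also rank '2.4.9' above '2.4.10'.
    """
    return tuple(int(x) for x in re.findall(r"\d+", version))


def find_vulnerable(inventory, advisories):
    """Return (host, package, version, advisory_id, cvss) for every affected install."""
    findings = []
    for host, packages in sorted(inventory.items()):
        for adv in advisories:
            version = packages.get(adv["package"])
            if version is not None and version_key(version) < version_key(adv["fixed_in"]):
                findings.append((host, adv["package"], version, adv["id"], adv["cvss"]))
    return findings


def hosts_by_package_version(findings):
    """Group affected hosts by (package, version) for patch planning."""
    groups = defaultdict(list)
    for host, package, version, _adv, _cvss in findings:
        groups[(package, version)].append(host)
    return dict(groups)


def quarantine_candidates(findings, min_cvss=9.0):
    """Hosts carrying at least one finding at or above the quarantine threshold."""
    return sorted({host for host, *_rest, cvss in findings if cvss >= min_cvss})


if __name__ == "__main__":
    findings = find_vulnerable(INVENTORY, ADVISORIES)
    for f in findings:
        print("%s: %s %s affected by %s (CVSS %.1f)" % f)
    print("patch groups:", hosts_by_package_version(findings))
    print("quarantine:", quarantine_candidates(findings))
```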

Figure 5. Software Vulnerability Detection and Exposure Details

Data Exfiltration Signals

The Cisco Tetration platform baselines the communication behavior between workloads in the data center and between external clients and servers. It uses temporal analysis to capture the seasonality of that behavior, then looks for deviations beyond set thresholds. When a deviation occurs, Tetration correlates it with other security events associated with the workloads to determine whether the pattern resembles an event such as data exfiltration. Alerts generated for such events can be integrated with a SIEM system.
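As an added example (not Cisco's analytics), the following Python script baselines hourly byte counts per source/destination pair by hour of day, so that a large nightly backup is seasonal rather than anomalous; it scores a new observation as a z-score against that hour's baseline, flags pairs never seen at that hour, and raises severity when the source host already has a process-behavior alert (the correlation step). All history, observations, the process alert, and the thresholds are constructed assumptions.

```python
"""Temporal (hour-of-day) baseline of flow volume with deviation and correlation.

Added example, not Cisco code. All flow history, observations and process alerts
are constructed; the z-score threshold and stdev floor are assumptions.
"""
import statistics
from collections import defaultdict

APP, BACKUP, CLIENT, UNKNOWN = "app01", "backup01", "203.0.113.7", "198.51.100.9"


def constructed_history(days=14):
    """Hourly byte counts per (src, dst) over a baseline window with a nightly backup peak."""
    history = []
    for day in range(days):
        # nightly backup at 02:00 is large every day: seasonality, not a deviation
        history.append((APP, BACKUP, 2, 5_000_000 + (day % 3) * 100_000))
        for hour in range(24):
            history.append((APP, CLIENT, hour, 20_000 + day * 500 + hour * 10))
    return history


def build_baseline(history):
    """Per (src, dst, hour_of_day): (mean, population stdev) of bytes transferred."""
    buckets = defaultdict(list)
    for src, dst, hour, nbytes in history:
        buckets[(src, dst, hour)].append(nbytes)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in buckets.items()}


def zscore(baseline, src, dst, hour, nbytes, min_stdev=1024.0):
    """Deviation in standard deviations; None when this pair was never seen at this hour."""
    key = (src, dst, hour)
    if key not in baseline:
        return None
    mean, sd = baseline[key]
    return (nbytes - mean) / max(sd, min_stdev)  # floor avoids dividing by a near-zero stdev


def detect_exfiltration(baseline, observations, process_alerts, z_threshold=4.0):
    """Flag volume deviations and unseen flows; raise severity when the source host
    already has a process-behaviour alert (the correlation step).
    """
    alerts = []
    for src, dst, hour, nbytes in observations:
        z = zscore(baseline, src, dst, hour, nbytes)
        if z is None:
            kind = "unseen_flow_at_hour"
        elif z > z_threshold:
            kind = "volume_deviation"
        else:
            continue
        severity = "critical" if process_alerts.get(src) else "high"
        alerts.append((severity, kind, src, dst, hour))
    return alerts


# Constructed observations for the current day and a constructed process alert on app01
OBSERVATIONS = [
    (APP, BACKUP, 2, 5_200_000),     # normal nightly backup: within the 02:00 baseline
    (APP, CLIENT, 14, 90_000_000),   # thousands of times the usual hourly volume to a client
    (APP, UNKNOWN, 3, 50_000_000),   # destination never seen in the baseline
    (APP, BACKUP, 14, 5_200_000),    # known destination, but never at this hour
]
PROCESS_ALERTS = {APP: ["priv_escalation_shell"]}

if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    for alert in detect_exfiltration(baseline, OBSERVATIONS, PROCESS_ALERTS):
        print("%-8s %-20s %s -> %s at %02d:00" % alert)
```

Bucketing by hour of day is the simplest form of seasonality; a weekly bucket (day of week plus hour) catches Sunday batch jobs the same way. The stdev floor matters: a pair with perfectly regular traffic has a stdev near zero, and without the floor a few bytes of jitter would produce an enormous z-score and alert fatigue.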

Figure 6. Data Exfiltration Signals

Composite Security Dashboard

It is critical for the security operations team to understand the security posture of the data center and which elements are contributing to that posture. The Cisco Tetration security dashboard provides a composite security score based on a number of different aspects:

  • Vulnerabilities associated with the software packages
  • Process hash consistency and process behavior
  • Segmentation policy compliance
  • Data leak signals

It also provides the score breakdown for each of these elements to understand where to focus in order to improve the security posture.

Figure 7. Security Dashboard with Composite Security Score

Deployment Options and Scale

Information regarding the deployment options and supported scale can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Licensing

Information regarding the licensing options can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Licensing Terms

In addition to being subject to the Cisco End User License Agreement (EULA; see https://www.cisco.com/go/eula), Cisco Tetration software is subject to Cisco Supplemental End User License Agreement terms (SEULA; see https://www.cisco.com/c/dam/en_us/about/doing_business/legal/docs/cisco-tetration.pdf).

Supported Operating Systems

Information regarding the supported operating systems can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Ordering Information

Information regarding the ordering options can be found in the platform datasheet - https://www.cisco.com/c/en/us/products/collateral/data-center-analytics/tetration-analytics/datasheet-c78-737256.html?cachemode=refresh.

Put Cisco Expertise to Work to Accelerate Adoption

Cisco provides professional and support services from Advisory, Implementation and Optimization to ongoing Solution Support, to help organizations get the most value from the Cisco Tetration platform. Cisco Services experts help integrate the platform into your production data center environment, define use cases relevant to your business objectives, tune machine learning, and validate policies and compliance to improve application and operation performance. Cisco Solution Support for Cisco Tetration provides hardware, software, and solution-level support.

We offer a selection of custom and fixed-price, fixed-scope services for Cisco Tetration that help you experience faster time to value, comprehensive adoption in your environment, optimized policies and application performance, and solution wide support.

Cisco Capital

Flexible Payment Solutions to Help you Achieve your Objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments.

For More Information

For more information about the Cisco Tetration platform, please visit https://www.cisco.com/c/en/us/products/data-center-analytics/tetration-analytics/index.html or contact your local Cisco account representative.
