There is no shortage of problems in the cybersecurity industry: Attackers are using automation to reduce attack times, patching software is costly, establishing defenses such as segmentation remains difficult, and a shortage of skilled cybersecurity workers is holding back efforts. all these areas.
It’s no surprise, then, that Cisco decided to launch an AI-powered distributed security platform to protect cloud workloads and AI systems from cybersecurity threats. Dubbed Hypershield, the platform will push security to the limits, using AI-enhanced agents to maintain security controls across every workload in the data center and even across distributed and connected devices. Cisco says the platform will be able to automatically patch environments, test software updates within the environment using simulated systems known as digital twins, and block attacks by detecting anomalous behavior.
There was no shortage of hyperbole and “reimagined” seemed to be the word of the day.
Jeetu Patel, executive vice president and general manager of Cisco’s security and collaboration division, called it “one of the biggest platform changes we’ve experienced in our lifetime.”
“For the last billion years, when we’ve looked at security, the advantage has always been on the adversary’s side,” Patel said during a press conference announcing Hypershield. “We are approaching an era… where… why [of this platform]you could have a world where you could have an advantage as a defender, and wouldn’t that be a wonderful world to live in.”
Cybersecurity is certainly a field that could benefit from using AI for augmentation or assistant purposes, and pushing security to the distributed edge – closer to the devices being protected – can help simplify some aspects of vast networks that need to be protected.
The company’s choice of technologies makes sense, says David Holmes, a principal analyst at Forrester Research. Using eBPF, a technology that allows sandbox programs to run in a privileged contextparts of the workload can be instrumented, and data processing units (DPUs) enable efficient data processing using high-bandwidth network interfaces.
“They’re describing a more modern approach to building a private cloud data center architecture, and that’s good,” Holmes says. “eBPF for automation [and] security, container-like workloads – their DPUs – overall, this is good for the industry if they can pull this off.”
Digital twins enable automated patching
Craig Connors, chief technology officer of Cisco’s security business group, demonstrated how a workload or application can be automatically patched and run in parallel using digital-twin technology to test the stability and correctness of updated software. Digital twins are simulations – originally used in product development and manufacturing – which allow software engineers to test and observe a version of a device or application.
If the patched code passes all tests and meets policies, then it can be promoted to production, Connors said during the demonstration.
“What we’ve done is essentially introduced the digital twin into every application point that we deploy,” Connors said. “So we are actually introducing CI/CD [continuous integration and continuous delivery] to the embedded world by running the end-of-promotion pipeline as a digital twin on every single application point for every single customer in the world in a transparent way. This allows us to test every possible combination that could occur in your real-world environment anywhere.”
While the company will start with Linux environments, Cisco has hinted at future plans to support other operating systems.
According to Connors, the same digital twin approach can be applied to developing segmentation policies for networks of devices and workloads. The AI assistant built into the Hypershield platform could recommend microsegmentation policies and provide a confidence score on whether each policy would perform well within a given environment.
“Imagine if the AI didn’t just recommend microsegmentation policies, but modeled them into a digital twin of your environment and told you exactly how it tested those policies to make sure they were correct before recommending them to you.” Connors said. “So we’re really trying to bring in that aspect of trust and not just ‘AI bombard’ you with advice.”
Distributed exploit protection
Cisco says the platform will also protect against exploits in real time by using threat intelligence to inform anomaly detection and response. Because companies never know which vulnerabilities an attacker will find, the system allows all high-impact vulnerabilities to be treated equally.
According to Connors, this approach benefits companies with legacy hardware and software that have reached end-of-life and are no longer receiving updates.
“There are cases where we can never patch, because let’s say the software is on its way out, but my company still relies on it and there’s a critical vulnerability,” Connors said. “So while these are intended to be short-lived patches to bridge the gap between patch availability and deployment and then we’ll automatically retire these deployed shields, it’s potentially feasible that you want to run them for the lifetime of the application for continue to protect yourself [exploitation].”
Having the vision and individual technologies is a good first step, but like the platform that manages driver-assist features in cars, the trick is how it all comes together, says Jon Oltsik, analyst emeritus at Enterprise Strategy Group. Coordinating the pieces across multiple systems, rather than looking at each separately – as well as understanding “normal” activity – and then responding will be tricky.
“It’s a good goal, but to achieve it requires many things to come together, including user consent,” he says, adding: “AI-based security needs to undergo rigorous testing and be proven in the field before security i professionals will trust it.”
Cisco has promised that the platform will be generally available in four months by August 2024.