Cisco brings CI/CD security to embedded infrastructure with HyperShield

It feels like all of Cisco’s recent security acquisitions – Isovalent, Splunk and Accedian, among others – have been leading up to this.

The company just unveiled Cisco HyperShield, a new AI-enabled distributed security solution that is designed to be built into the fabric of a network rather than bolted onto it.

Jeetu Patel, Cisco’s EVP and GM of Security and Collaboration, on a call with media pitched HyperShield as “the most consequential innovation” the company has ever brought to market. HyperShield, he said, isn’t just the “next version of something that already exists” but something entirely new that is designed to address the AI-driven structural shifts happening in the networking and data center realms.

While that’s quite a lofty claim to make, IDC Group VP for Security and Trust Frank Dickson said in response to a question from Fierce on the call that he’s unaware of any competitors in the market doing what Cisco is with HyperShield. Most security solutions today are bolt-ons.

But HyperShield? “It’s a fundamentally different approach,” he stated.

So, what exactly is Cisco’s approach?

How it works

Well, there are three main tools HyperShield brings to the table: a distributed protection mechanism, autonomous segmentation and self-qualifying upgrades.

By using eBPF (an open source technology created by the team at Isovalent), HyperShield is able to provide customers with distributed visibility from workload actions all the way down to the kernel level. As is implied by the use of eBPF, HyperShield will initially be compatible with Linux. But Patel hinted at future expansion of the system’s capabilities, noting it won’t always be “constrained to Linux.”

HyperShield is also equipped with AI security agents, which can spot vulnerabilities, undertake autonomous segmentation to instantly isolate threats and recommend remediation actions.

Those recommended actions, as well as patches and other security updates, are pre-tested in the customer’s environment using HyperShield’s digital twin feature.

“We’re actually bringing CI/CD to the embedded world by running the end of the promotion pipeline as a digital twin on every single enforcement point at every single customer in the world in a transparent way,” Craig Connors, CTO for Cisco’s Security Business Group, said on the call.

“That allows us to test every possible combination of what can happen in your environment, everywhere.”

Every update will initially require a confidence score of 90% or above before it is presented to HyperShield users. Updates that score lower than that will be sent back to Cisco’s engineers for tweaking. Connors told Fierce that in the future Cisco plans “to use AI to generate synthetic traffic which will allow us to ensure we always exercise sufficient variety to reach ~100%.”

The idea is not to bombard users with AI recommendations and updates, but actually give them confidence that what is being suggested has already been tested and will work.

When not in use for verifying software upgrades or modeling security policy changes, the secondary data plane that hosts the digital twin will be available to provide high-availability failover in case an issue takes down the primary data plane.

The end of security patches?

Lest we gloss over the bit about autonomous segmentation, it seems like it could (but not necessarily should) spell the end of patches. How?

Well, by segmenting the vulnerable portions of the network, HyperShield can prevent resources from being exploited even before a patch is issued.

While this capability can be used as a stopgap to provide time for a patch to be developed, it can also help protect legacy applications and hardware which are no longer supported and for which patches might not be issued at all.

Patel likened the situation to repairing a window that breaks in a storm with plywood. Yes, replacing the window with a fresh one would be ideal. But you could leave the plywood up and that would still protect the home from the elements.

“I think one of the biggest challenges the market has right now is when you have end-of-life, end-of-service software or hardware…they might not issue a patch,” Patel said. “In that case, you now have a solve that’s a very elegant solve that doesn’t require heavy lifting.”

He added that multiple compensating controls can be deployed on top of one another to address different vulnerabilities – think multiple sheets of plywood.
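As an added illustration of the layered compensating-control idea (not HyperShield’s own policy language or code), here is a Cilium network policy that fences off an unpatched workload. Every name, namespace, port and path in it is a hypothetical placeholder.

```yaml
# Constructed example: labels, namespaces, ports and paths are placeholders.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: legacy-billing-compensating-control
  namespace: finance
spec:
  # The unpatched workload. Once any policy selects it, Cilium denies all
  # traffic that no rule explicitly allows.
  endpointSelector:
    matchLabels:
      app: legacy-billing
  ingress:
    # Layer 1 (L3/L4): only the billing frontend may reach the service port.
    - fromEndpoints:
        - matchLabels:
            app: billing-frontend
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          # Layer 2 (L7): of that traffic, only the invoice API is reachable,
          # so unused handlers on the same port stay unreachable, patched or not.
          rules:
            http:
              - method: "GET"
                path: "/api/v1/invoices(/[0-9]+)?"
              - method: "POST"
                path: "/api/v1/invoices"
  egress:
    # Layer 3: the workload cannot open arbitrary outbound connections; it may
    # resolve names via cluster DNS and talk to its own database only.
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
    - toEndpoints:
        - matchLabels:
            app: billing-db
      toPorts:
        - ports:
            - port: "5432"
              protocol: TCP
```

Each section is one “sheet of plywood”: the L3/L4 rule limits who can reach the host, the L7 rule limits what they can ask it, and the egress rules limit where a compromised host could reach, so a flaw in the unpatched code is harder to reach and harder to pivot from.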

In the wild

Connors told Fierce HyperShield can be deployed on ARM or x86, in bare-metal, virtual machine, Kubernetes and native public cloud environments. In terms of what different deployments might look like, Connors said HyperShield can run as an agent on a customer’s bare metal, virtual machine or Kubernetes host; as a standalone VM or container; in a data processing unit (DPU); or as part of a customer’s Cilium fabric.

In the future, Cisco plans to introduce networking hardware with “intelligent silicon that will allow for embedding this directly into the network hardware itself,” he added.

Connors said Cisco has been working with 60 reference customers to develop HyperShield and noted it will go into field trials in May. It is set to be generally available in August. Oh, and Cisco is working with Nvidia to optimize HyperShield on its stack.

IDC’s Dickson concluded that HyperShield is a “fantastic” approach to solve today’s problems but noted the threat landscape is constantly evolving.

“Bad people are going to create something new and we’re going to be having this kind of conversation about the next Cisco technology that’s announced for the next thing,” he said.