Cisco Hypershield: Autonomous, Application-Centric Security

The News: Cisco introduces Hypershield, a security architecture that uses artificial intelligence (AI) to provide distributed and adaptive security measures for applications, devices, and data across on- and off-premises data centers. Hypershield is slated for availability in early August 2024. Additional details are available in Cisco’s press release.

Analyst Take: Under the umbrella of its Security Cloud, Cisco has been steadily building from its entrenchment as the networking glue connecting applications, devices, and data, into cybersecurity capabilities that make it even stickier among enterprises. The strategy is intended to bridge on- and off-premises infrastructure, IT and OT environments, and the full application stack with centralized visibility, as well as automated and, increasingly, autonomous application of security capabilities.

Cisco’s vision addresses challenges facing IT and security teams: the complexity of the large and intricate web of point security solutions that most enterprises require, limited headcount, and skill gaps in dealing with complex multi-hybrid cloud environments and ever-more sophisticated security threats. It also addresses C-level priorities around countering an increasingly sophisticated and potentially devastating cyberthreat landscape with increased cyber-resilience.

Hypershield represents a culmination of this strategy by providing an architecture that can detect known vulnerabilities alongside anomalous and potentially nefarious behavior and respond accordingly. It is, of course, backed by AI.

Hypershield is distributed in nature. It uses “enforcement points,” which act like micro-firewalls and run on a server or in data processing units (DPUs, which offload data processing from the CPU) that are installed on servers or networking hardware. In other words, they make security enforcement possible in software, virtual machines, and network and server systems.

Cisco’s acquisition of Isovalent, which closed just days before the Hypershield announcement, is fundamental to Cisco’s ability to monitor and enforce. This functionality is built on eBPF technology, which Isovalent has worked with heavily. eBPF allows custom code to be injected directly into the Linux kernel, providing fine-grained control and visibility without needing to modify the kernel itself. It allows everything to be tracked (database writes in addition to network calls, for example), providing a comprehensive view into the application to intercept and block attackers even if they are not yet on the network. Developers can run code in a sandboxed and privileged environment, which helps administrators trust what ultimately become automated remedial actions based on the visibility that eBPF provides. For example, updates may be tested on a digital twin, which allows them to be applied not only without errors but also without downtime.

These eBPF enforcement points observe, assess, and baseline “good” or typical behavior. This assessment is supported by Cisco’s security intelligence teams, which use signals and data for regular updates on new vulnerabilities and attacks. The key differentiator is that visibility and the application of AI extend beyond network flows, permeating into the inner workings of the application itself. The result is a deeper understanding of the application’s processes and patterns of behavior – including special events, such as a quarterly payroll adjustment that is likely to impact payroll and HR systems in an anomalous though legitimate way, for example. Given that application activity is often event-driven as opposed to a collection of gradual changes over time, this is important when it comes to confidently detecting malicious activity.

When anomalous behavior is detected, the enforcement points can automatically act to control and remediate the threat. In other words, Hypershield can detect, prevent, and control exploits. The specific initial use cases are:

  • Autonomous network microsegmentation, a core tenet of a Zero Trust strategy and therefore critical in combatting the rising incidence of identity-based data breaches (that is, a “log in versus hack in” approach, for example using stolen credentials). The stakes are further amplified by the fact that lateral movement of attacks occurs via the network.
  • Distributed protection from exploits and vulnerabilities, in particular through what Cisco describes as “self-qualifying updates,” that is, the ability to autonomously apply updates based on Hypershield’s understanding of vulnerabilities. Network infrastructure is notoriously difficult to update because it cannot go down. With the ever-growing number of vulnerabilities, this creates a particular issue, and it is one that Cisco is specifically targeting with Hypershield.

The solution is entirely software-based. Looking ahead, Cisco has announced its intention to integrate DPUs onto future generations of its network switch hardware. It is notable that this approach will allow customers to granularly apply enforcement points on each port in a switch. The result will be a natural path to positioning the future DPU-enabled switches as customers’ logical upgrade path. In addition, it will potentially provide a competitive lever against peers in the firewall market, as its goal is to infuse these capabilities into the network itself. Note that re-training of customers’ mindsets and how they think about applying their skills will be a hurdle for Cisco to overcome.

In addition to addressing the headcount limitations and skills gaps affecting IT operations and security teams with automation and autonomous capabilities, Hypershield is likely to prove useful in scenarios where devices cannot be easily updated to address security vulnerabilities. These include scenarios such as healthcare, where devices are supporting lifesaving measures, and remote sites without an IT staff.

Disclosure: The Futurum Group is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.

Analysis and opinions expressed herein are specific to the analyst individually and data and other information that might have been provided for validation, not those of The Futurum Group as a whole.

Author Information

With a focus on data security, protection, and management, Krista has a particular focus on how these strategies play out in multi-cloud environments. She brings approximately a decade of experience providing research and advisory services and creating thought leadership content, with a focus on IT infrastructure and data management and protection. Her vantage point spans technology and vendor portfolio developments; customer buying behavior trends; and vendor ecosystems, go-to-market positioning, and business models. Her work has appeared in major publications including eWeek, TechTarget and The Register.

Prior to joining The Futurum Group, Krista led the data center practice for Evaluator Group and the data center practice of analyst firm Technology Business Research. She also created articles, product analyses, and blogs on all things storage and data protection and management for analyst firm Storage Switzerland and led market intelligence initiatives for media company TechTarget.

Krista holds a Bachelor of Arts in English Journalism with a minor in Business Administration from the University of New Hampshire.

