At Cisco Live, Las Vegas Monday, IT analytics firm Corvil announced the integration of its Security Analytics with the Cisco Tetration Analytics platform. The intention is to combine Corvil’s realtime packet-level analysis with Tetration’s vast big data repository of downstream application-level data flows to provide an early, rich, granular and consistent detection of anomalous communications indicative of compromise.
Tetration was launched by Cisco in June 2016. It was described as “a platform designed to help customers gain complete visibility across everything in the data center in real time — every packet, every flow, every speed.” The aim is to provide CIOs and CISOs complete visibility into today’s complex, dynamic and heterogenous data center.
In February 2017, Cisco announced Tetration 2, now automating policy enforcement and providing APIs. “Cisco is continuing its tradition of open ecosystems by working with partner companies to build applications and integrations with their solutions,” it announced. It can be used, said the announcement, to “define use cases specific to their environment, and deploy validated application segmentation policies.”
It is into this that Corvil has integrated its Security Analytics product.
“Cisco records the communications flows, and puts those flows into this big repository called Tetration,” David Murray, chief business development officer at Corvil, told SecurityWeek. “It then uses those flows to be able to map application interdependencies and say here is how applications are communicating — but it’s a lot of data they’re aggregating, billions of flows that are communicating on an ongoing basis, across an enterprise.”
This is an essential step in the evolution of network surveillance, suggests Murray. “If you think about historical systems surveillance — especially where regulation and governance requires that surveillance — the original perimeter and signature surveillance is no longer adequate. Surveillance has now evolved into monitoring what is communicating with what and when — but even then it is hard to provide sufficient granularity. It is increasingly not just who is communicating with what and when, but also what is actually being communicated.”
This is where Corvil’s Security Analytics with its realtime packet-level analyses adds value to Tetration. “For example,” said Murray, “flow data by its nature is going to see a certain amount of communication between two points. It may even understand that a particular protocol is being used; for example, it might recognize DNS traffic. But by opening up the packet we are able to see what is happening within that flow; that, for example, there is something tunneling within that DNS traffic. Or we’re able to see specific filenames, or error types that are being reported back and forth within that communication. Furthermore, we’re able to see things like which user is logged on by analyzing packet data for LDAP and Kerberos.”
This is where the integration with Tetration 2 becomes particularly valuable. “By taking this information,” he continued, “and enriching the flow data (such as administrator level tunneling data with a particular type of fileset) we provide the ability to initiate an automatic response through Tetration that says ‘immediately quarantine that host’.”
The value of Corvil to Tetration customers is that security policy enforcement can be invoked on an analysis of the flow content rather than just the flows themselves. The value of Tetration to Corvil is that it provides a massive big data repository of downstream data that can be analyzed to provide more accurate responses and reduce false positives.
“Improvements in security operations, network optimization, and business process optimization hinge on applying advanced analytics techniques to network data,” said Shamus McGillicuddy, senior analyst for Enterprise Management Associates. “The depth and insight from Corvil Analytics combined with Cisco’s Tetration Analytics will provide richer understanding of workload characteristics, improved detection of evasive security threats, and more effective transaction insight. This type of integration is needed to drive tighter alignment between network, application, security, and business teams.”
“It takes an ecosystem to address today’s complex challenges of data center visibility, service assurance, and security,” said Murray. “The combination of Cisco Tetration’s data and our packet-level data helps provide very granular and enforceable security policies.”
Further information on the integration of Corvil Security Analytics with Cisco Tetration Analytics will be available at Cisco Live this week.