Cisco wants to revolutionize IT security: Is Hypershield really the future?

With Hypershield, Cisco wants to completely revolutionize IT security - and take a lot of work off admins' hands. We show you what's behind the buzzwords.


By Benjamin Pfister
This article was originally published in German and has been automatically translated.

Cisco wants nothing less than to revolutionize IT security with Hypershield. The manufacturer mentions exploit protection without patches, software upgrades without downtime and autonomous network segmentation. Hypershield is supposed to detect malicious behavior and automatically reconfigure networks to eliminate threats. But what is really behind this grandiose announcement?

In essence, it is an eBPF-based security product that grew out of the acquisition of Isovalent. Cisco wants to integrate eBPF into components such as switches and servers, including VMs and containers. Cisco calls these enforcement points. Methodologically, this is not an entirely new approach, but rather the familiar "centralized management, decentralized enforcement" model that has been used for years in network access control (NAC), for example.

The difference lies more in the enforcement points themselves, which are intended to act as a kind of tiny firewall and thus regulate data flows and behavior as early as possible, at the point of origin. They are to run on data processing units (DPUs), i.e. special network cards, also known as SmartNICs, installed in servers or network hardware. Cisco points out that these do not have to be Cisco's own DPUs.

To be able to detect anomalies, Hypershield should first learn the normal behavior of the applications used via baselining. This will be enriched with information from Cisco's security intelligence team (Talos) about new attacks. The team evaluates the data collected online with the help of AI to detect malicious behavior more quickly.

The decision on how to deal with potentially malicious behavior can vary. One option is to provide basic information to administrators about which applications they need to patch. Another option is to implement compensating protection that protects the application. This could, for example, be a new network segment that does not allow any suspicious traffic. Specifically, certain communication patterns – such as known malicious URLs or lateral movements in the data center – could be blocked or isolation could be carried out after a successful attack. Hypershield's approach is to intercept these communication relationships as close as possible to the application. This should also make it easier to control data traffic in Kubernetes environments, for example.

The enforcement points should contain two data paths: a production path for communications that have passed testing, and a shadow path. The latter receives the same live data and, according to Cisco, uses AI to test whether an update works as expected. If the automated tests succeed, Hypershield switches the shadow path to production.
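The two-path idea, as an added illustration that is not Cisco's code and contains nothing from Hypershield: a hypothetical enforcement point enforces the production policy, runs a candidate policy on the same live flows in shadow, and promotes the candidate only if the observed divergences are exactly the intended ones and the candidate never errored. Addresses, ports and rules are constructed.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple
@dataclass(frozen=True)
class Flow:  # a flow as an enforcement point sees it (constructed, simplified)
    src: str
    dst: str
    dport: int

Policy = Callable[[Flow], str]  # returns "allow" or "deny"

def policy_v1(flow: Flow) -> str:
    """Production rule set: only the 10.0.1.0/24 tier may reach PostgreSQL (5432)."""
    if flow.dport == 5432 and not flow.src.startswith("10.0.1."):
        return "deny"
    return "allow"

def policy_v2(flow: Flow) -> str:
    """Candidate update: additionally isolate a host that baselining flagged."""
    return "deny" if flow.src == "10.0.2.9" else policy_v1(flow)

@dataclass
class EnforcementPoint:
    production: Policy
    shadow: Optional[Policy] = None
    shadow_seen: int = 0
    divergences: List[Tuple[Flow, str]] = field(default_factory=list)

    def handle(self, flow: Flow) -> str:
        """Enforce the production verdict; the shadow path only observes and records."""
        verdict = self.production(flow)
        if self.shadow is not None:
            self.shadow_seen += 1
            try:
                shadow_verdict = self.shadow(flow)
            except Exception as exc:  # a crashing candidate must never reach production
                self.divergences.append((flow, f"error: {exc}"))
            else:
                if shadow_verdict != verdict:
                    self.divergences.append((flow, shadow_verdict))
        return verdict

    def promote_shadow(self, min_flows: int, intended: Callable[[Flow], bool]) -> bool:
        """Promote only after enough live traffic and only intended divergences (no errors)."""
        if self.shadow is None or self.shadow_seen < min_flows:
            return False
        if any(v.startswith("error") or not intended(f) for f, v in self.divergences):
            return False
        self.production, self.shadow = self.shadow, None
        self.shadow_seen, self.divergences = 0, []
        return True
```

The `intended` predicate is the operator's statement of which flows the update is supposed to affect; any other verdict change is treated as collateral damage and blocks promotion.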

The enforcement points rely on eBPF for this. The extended Berkeley Packet Filter allows programs loaded from user space to run inside the kernel without changing the kernel source code or loading kernel modules. Since this generates some load, the processing can be offloaded to DPUs/SmartNICs to minimize the impact on production workloads. Cisco also intends to develop switches with dedicated DPUs for these functions, but these are not yet available.

Hypershield is managed in the cloud-based security policy manager Cisco Defense Orchestrator. It displays CVEs, for example. An AI assistant provides additional information and suggests solutions, such as segmentation due to missing patches. According to Cisco, protection should also be able to run completely autonomously in the future.

The announcement seems a little early, as many components, such as the special switches for applying the security policies, are not yet available. Nevertheless, the approach seems quite interesting, although the use of AI in the security environment, especially in the autonomous operation Cisco is aiming for, is likely to make many administrators and security managers break out in a sweat.

(dahe)