URL: https://blogs.cisco.com/security/cisco-hypershield-our-vision-to-combat-unknown-vulnerabilities


May 6, 2024 2 Comments

--------------------------------------------------------------------------------

SECURITY


CISCO HYPERSHIELD – OUR VISION TO COMBAT UNKNOWN VULNERABILITIES

6 min read

Craig Connors

By now, I hope you have had a chance to learn about the first-of-its-kind,
groundbreaking solution we recently announced: Cisco Hypershield.

As I covered in my previous blog, the unique architecture of Hypershield makes
two powerful initial use cases possible: Distributed Exploit Protection and
Autonomous Segmentation.

Distributed Exploit Protection helps tackle the growing number of reported
vulnerabilities (over 1000 Common Vulnerabilities and Exposures, or CVEs, per
week) that teams are simply unable to keep up with. This use case prioritizes
vulnerabilities that might be directly affecting an organization and then
recommends, tests and deploys compensating controls to protect the workload
from exploitation, all while keeping the application running. This immediate
response closes the exploit gap between vulnerability disclosure and patching,
giving teams time for a comprehensive response.

But these reported CVEs are the known vulnerabilities. What about the
yet-to-be-announced and even yet-to-be-discovered vulnerabilities, the unknown
vulnerabilities? Cisco Hypershield can help protect organizations against those
as well. Hypershield’s unknown vulnerability protection can help detect and
block unknown vulnerabilities within runtime workload environments. In addition,
suspected workloads can be isolated to limit the vulnerability’s blast radius.
This is made possible with:

 1. Deep visibility and surgical control at the workload level
 2. Machine learning and analysis of the relationships between an application’s
    process, file and network operations, checked against the Common Weakness
    Enumeration (CWE) database, a classification system for hardware and
    software security weaknesses
 3. Analysis of the application process graph and known application behaviors to
    classify suspicious or malicious activity

Expanding Hypershield’s Distributed Exploit Protection to include detection and
containment of unknown vulnerabilities can enhance the protection of workloads
against new security threats.


DEEP WORKLOAD AND APPLICATION VISIBILITY AND ENFORCEMENT

Attacks exploiting unknown vulnerabilities are much harder to detect than
attacks on known vulnerabilities, because defenders lack the documented signals
that a CVE usually provides to enable detection. And beyond detection, complete
remediation requires graduated, granular response options. This is where
Hypershield’s deep workload visibility and enforcement come into play, keeping
in mind that an application may span multiple workloads. Let’s review how the
solution is architected to understand that better.

A core component of Cisco Hypershield is the Tesseract Security Agent, which
runs on the workload. This could be a virtual machine running Linux or a
Kubernetes environment. Both private and public clouds are supported; in fact,
Hypershield can provide unified policy and management across the domains. The
Tesseract Security Agent interacts with workload processes via the operating
system’s kernel using extended Berkeley Packet Filter (eBPF). eBPF is an
open-source, cloud-native capability and is becoming the de facto standard for
high-performance, non-invasive visibility and security in hyperscalers. Any time
a process reads a file or opens a network connection, the eBPF code placed in
the kernel by the Tesseract Security Agent is executed. Hypershield uses this
technology in new ways to bring together a larger system that provides
visibility and control across workloads and networks.

The Tesseract Security Agent uses eBPF to provide exceptionally deep visibility
by sitting in the middle of each process invocation within the workload. The
Tesseract Security Agent can also step in and enforce when it detects anomalous
or malicious activity. This enables Hypershield to create an application
behavior graph and an application fingerprint. The application behavior graph
captures the relationships of the process and the invocations such as file
reads, child process launches, and network opens. As that application adjusts
and is updated, Hypershield can move in lockstep, recommending policy changes
and a security stance.

 
Figure 1. High-confidence application behavior graph and application fingerprint
from deep workload visibility provided by the Tesseract Security Agent.


ADVANCED METHODS FOR UNKNOWN VULNERABILITY PROTECTION

Hypershield uses various methods to detect and contain unknown vulnerabilities;
some examples follow. Once a vulnerability is detected, graduated responses
contain it, extending to isolating the workload if needed.


COMMON WEAKNESS ENUMERATION (CWE) ANALYSIS AND PROTECTION

CWE is a classification system for hardware and software security weaknesses. A
CWE can describe the type of vulnerability or the underlying weakness that leads
to specific vulnerabilities listed in Common Vulnerabilities and Exposures
(CVEs). For example, a CVE might detail a particular instance of a software flaw
in a specific program, and the underlying type of flaw could be classified under
a relevant CWE entry. Thus, while CVE focuses on specific vulnerabilities, CWE
addresses the broader types of weaknesses that those vulnerabilities may
exemplify. For example, the path traversal CWE is common to about 3000 CVEs in
the last two years. A single CWE mitigation may prevent multiple (known and
unknown) CVEs generically and might be considered a more robust solution.
Therefore, to get ahead of the high incoming rate of CVEs, we need to understand
CWEs better. 

One of the key components of Hypershield’s unknown vulnerability protection is
its deep analysis of the CWE database and its updates. This analysis, along with
an application’s unique fingerprint and process graph, is used to identify
weaknesses in the specific application, and Hypershield can suggest monitoring
and blocking constraints to protect the application at runtime. This analysis is
not just for the application development team but also a crucial part of
Hypershield’s AI, designed to understand and address weaknesses in near real
time without the need for code access.


APPLICATION-SPECIFIC BEHAVIOR CLASSIFICATIONS

As described above, one method Hypershield employs to identify unknown
vulnerabilities involves contrasting CWEs with the application behavior graph.
Furthermore, Hypershield also utilizes the application behavior graph in a
different analytical approach to enhance detection techniques.

Applications monitored by Hypershield have tailored profiles that detail
specific behaviors and associated risk classifications. For instance, the Apache
(httpd) application-specific profile is relevant across various customer
environments. This profile integrates with an environment-specific application
behavior graph to provide detailed insights and assessments.

Hypershield monitors applications and classifies new behaviors as valid,
suspicious or malicious based on the defined application profile and historical
context. Typically, most actions are valid, involving routine behaviors like
reading from low-risk, benign files and writing to designated files and network
connections. Occasionally, new and potentially suspicious behaviors may emerge,
which are flagged for further analysis.

Hypershield applies several analytical techniques to determine if a behavior is
malicious. One effective method involves tracking the sequence of suspicious
behaviors to ascertain malicious intent. For example, in the Apache web server
application, the analysis might follow these steps:

a. Detection of a payload identified as a web shell

b. Observation of the payload writing to the PHP directory

c. Execution of shell commands by the payload

In this scenario, writing to the PHP directory (step b) rapidly reclassifies the
behavior from suspicious to malicious due to the context and sequence of
actions.
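The escalation in steps a to c, as an added example that is not code from the post or from Hypershield: a small sequence-aware classifier that applies an application profile to process events and lets an earlier suspicious event reclassify a later one. The event tuple format, the httpd profile and the sample events are all constructed for illustration.

```python
from dataclasses import dataclass, field
# Constructed httpd profile (not Hypershield's): routine operations for a web
# server worker, plus the directory that holds served PHP code.
HTTPD_PROFILE = {
    "read_prefixes": ("/etc/httpd/", "/var/www/html/", "/usr/lib64/"),
    "write_prefixes": ("/var/log/httpd/",),
    "code_dirs": ("/var/www/html/",),
    "allowed_children": ("php-fpm",),
}

@dataclass
class Classifier:
    profile: dict
    graph: dict = field(default_factory=dict)  # behavior graph: pid -> {(op, target)}
    flagged: set = field(default_factory=set)  # pids with an earlier suspicious event

    def classify(self, event) -> str:
        """event is (pid, op, target); op is read, write, exec or connect."""
        pid, op, target = event
        self.graph.setdefault(pid, set()).add((op, target))
        p = self.profile
        if op == "read" and target.startswith(p["read_prefixes"]):
            return "valid"
        if op == "write":
            if target.startswith(p["write_prefixes"]):
                return "valid"
            # Step (b): a write into the served code directory by a process
            # that is already suspicious is reclassified as malicious.
            if target.startswith(p["code_dirs"]) and pid in self.flagged:
                return "malicious"
        if op == "exec":
            if target in p["allowed_children"]:
                return "valid"
            # Step (c): a shell launched by a flagged process is malicious.
            if target.endswith(("/sh", "/bash")) and pid in self.flagged:
                return "malicious"
        # Anything else is out of profile: suspicious, and remembered so that
        # the sequence of events, not a single event, decides the verdict.
        self.flagged.add(pid)
        return "suspicious"

def classify_sequence(events):
    c = Classifier(HTTPD_PROFILE)
    return [c.classify(e) for e in events], c.graph

# Constructed sample: routine read, out-of-profile connection (the first flag),
# a write into the PHP directory and a shell exec, mirroring steps a-c.
SAMPLE = [(4242, "read", "/var/www/html/index.php"),
          (4242, "connect", "203.0.113.7:8080"),
          (4242, "write", "/var/www/html/upload.php"),
          (4242, "exec", "/bin/sh")]
```

The same write or shell exec by a process with no prior flag is only suspicious, which is the distinction the post draws between a single new behavior and a sequence.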

Beyond file and network operations, Hypershield’s behavioral detection
capabilities extend to any actions undertaken by the application. The
comprehensive nature of the Hypershield application behavior graph, coupled with
AI-driven analysis, enables robust protection across applications. This system
identifies and blocks adverse actions and can isolate the application if
necessary, ensuring enhanced security and operational integrity.

Figure 2. CWE Analysis and application-specific behavior classifications.


CONCLUSION

CWE analysis, protection, and application-specific behavior classifications are
essential for defenders to address increasing vulnerabilities effectively,
especially unknown ones. These strategies enable Hypershield to help provide
protection for organizations broadly, rather than focusing on individual
vulnerabilities as they arise.

In increasingly complex and distributed environments, modern enterprises face a
growing number of security threats. Cisco Hypershield addresses this by offering
a holistic security solution for applications, workloads, and networks,
enhancing existing infrastructures. Hypershield employs AI analytics that
utilize deep visibility telemetry and external information to deliver actionable
insights and policy recommendations. We are committed to building trust by
granting operators access to underlying data, enabling them to review and
interact with our AI assistant. Moreover, operators can safely test policy
recommendations using Hypershield’s dual data plane on live traffic, ensuring
production environments remain unimpacted. This approach significantly
accelerates our ability to defend applications confidently and effectively.
Shields up!


WANT TO KEEP UP-TO-DATE ON CISCO HYPERSHIELD?

For more information on Cisco Hypershield availability, product announcements,
demos and more, please visit our Hypershield page.

Are you at RSA Conference 2024? Our booth team is ready to talk all things Cisco
Hypershield! Come visit us at:

 * North Hall #5845
 * South Hall #926

 

--------------------------------------------------------------------------------

We’d love to hear what you think. Ask a Question, Comment Below, and Stay
Connected with Cisco Security on social!

AUTHORS


CRAIG CONNORS

VP AND CTO

SECURITY BUSINESS GROUP


Tags: Cisco Hypershield Featured RSA 2024 RSA Conference (RSAC) Vulnerability
Protection

--------------------------------------------------------------------------------



2 COMMENTS

 * Mike Poor says:
   May 9, 2024 at 3:20 am
   
   This is very interesting and could well change the game for defenders.
   
   Reply
   
 * Lawrence Monchonyane says:
   May 22, 2024 at 2:07 am
   
   I love this shield; I would like to try it out on Google Chrome. Any hints?
   
   Thanks LLM
   
   Reply
   

