Cisco's recent announcement of HyperShield, a new "AI-Native" Security Architecture, marks a significant step forward in addressing the need for innovative solutions to address growing cybersecurity threats.

Before you turn the keys to the network over to Skynet though, let’s talk about why a next-gen Security Architecture like HyperShield is sorely needed, and how Cisco’s never-before seen application of AI hopes to get us there.

The Problem with Traditional Security Architectures

Historically, network & application security has depended heavily on centralized devices like routers and firewalls to properly segment and filter traffic at the edge of the network.  The result of these single points of entry and exit for traffic create several classical design issues:

• Choke Point for Traffic: All network traffic must pass through these central firewall devices, leading to potential bottlenecks.

• Scalability Concerns: As network size and traffic volume increase, scaling centralized devices requires significant hardware upgrades, often referred to as "forklift upgrades."

• Limited Internal Security: Once inside the network, the protection offered by the perimeter devices is minimal, exposing internal systems to threats from within.

Furthermore, even with the latest and greatest edge filtering out there, there’s no guarantee that none of the traffic being sent to the applications has a malicious intent. With an ever rapidly growing list of exploits, the amount of effort needed to effectively find and respond to new threat vectors may seem like an insurmountable task. Rapidly qualifying and applying new firmware and software updates to plug these holes is one of the biggest challenges that network and security operators face today. With Cisco’s new HyperShield solution though, the scales may have tipped back in the favor of the defenders for once.

What is Cisco’s HyperShield?

We all know that Cisco loves to play buzz-word bingo with their product naming - and re-naming - conventions (I’m looking at you “Catalyst Center” 😉), but this one actually makes sense once you peel off the layers and look at what’s going on underneath.

The “Hyper” in HyperShield refers to HyperScale providers, like Google, Amazon, & Meta,  (e.g. FAANG), where their Network Architectures have largely been custom-developed in software through years of R&D, to the tune of billions of dollars. Many of these custom solutions came out the other end as standardized protocols, and a key one of these, which is at the heart of Cisco’s HyperShield solution, is called eBPF.

Hyper-Visibility using Software

eBPF, or extended Berkeley Packet Filters, allows you to intercept things like network packets directly in the Linux kernel space, without changing kernel source code or loading kernel modules. This very powerful tool forms one of the core functionalities of HyperShield, which is to get full visibility into every software process and I/O operation your applications are running, whether it be in a Kubernetes container or a Virtual Machine.

Based on this visibility of network flows & behaviors, HyperShield can then automatically segment traffic to protect against lateral movements inside the network. More importantly though, as applications & requirements change over time, HyperShield can dynamically refine and update these rules.  Furthermore, while the management & control of the HyperShield solution is centralized (i.e. you manage it via the cloud), the actual enforcement of policies is distributed in nature.

Hyper-Distributed using Hardware

Like many of the HyperScale providers have shown us, using a distributed system - or “scaling out” horizontally instead of “scaling up” vertically  - has huge advantages. Unlike traditional security systems that rely on centralized functions like edge firewalls, HyperShield distributes these functions closer to individual workloads across the network. This method not only enhances security, but also maintains high performance and scalability as network demands grow.

Hardware is still part of the equation in the HyperShield solution, and it comes in the form of both the network fabric and the servers. Specialized hardware accelerators called Data Processing Units (DPUs) will be used not only in devices like Top-of-Rack (ToR) switches to implement security enforcement in hardware, but also on the servers themselves to offload filtering from the general-purpose CPU, leaving it available for other compute related tasks.

Hyper-Automated using AI

In previous years, distributing a function like firewall filtering to the applications themselves was simply not feasible, as the number of management points would quickly outgrow any currently available solution. Most Network & Security Operations Engineers already have trouble dealing with complex firewall rules on a few centralized devices, so scaling this to potentially thousands of touch points of the applications themselves simply won’t work. Also, these applications likely span both public and private clouds, making the issue even more complicated. Cisco’s HyperShield aims to provide an automated “AI-Native” solution to this problem of scale.

Since it’s AI-based, HyperShield learns 24/7 about new vulnerabilities that could affect your systems, prioritizing their potential impact, and can automatically apply patches where needed. Before applying these updates or modifying any filtering rules though, HyperShield offers the hugely important step of qualifying the impact of these changes. By using a feature called dual dataplane, traffic is actually processed twice by the system. Once for the actual forwarding of traffic based on the current state of the system, and a second to test the proposed changes of any updates or rule modifications.

This revolutionary automated step provides you with the confidence to now adopt a more proactive approach to your security posture, without the need for potentially thousands of man-hours to correctly qualify the change-control process over and over.  Normally a slow update cycle would leave an organization open to emerging threats, but HyperShield can be used to perform this process in a completely automated manner, applying the changes it deems a best fit for your particular systems as new vulnerabilities are discovered. Additionally, HyperShield features an AI assistant to explain its analysis & recommendations, allowing you to build trust in the fact that it is taking the correct actions.

The Future Impact on the Industry

The introduction of an AI-driven, distributed network security architecture like Cisco’s HyperShield will no doubt have a profound impact on the industry. By resolving the inherent weaknesses of traditional models, HyperShield promises a scalable, efficient, and secure framework that can adapt to the evolving landscape of cybersecurity threats.

Businesses can look forward to enhanced security measures that protect not only the perimeters of their networks but also their internal data and systems. This level of comprehensive security is crucial as enterprises continue to expand and diversify their digital operations.

Furthermore, the ability of HyperShield to autonomously manage and deploy security measures frees up valuable IT resources, allowing companies to focus more on growth and innovation rather than constant threat monitoring and management.

Conclusion

Cisco's HyperShield represents a significant evolution in network security, addressing longstanding issues with traditional systems and setting a new standard for future developments. With its innovative use of AI and distributed security measures, Cisco is again poised to lead the industry in protecting enterprises against the next generation of cyber threats. 

HyperShield is set to debut in August 2024, with additional functionality such as DPU offload being introduced after the initial launch.