Cisco this week expanded its Tetration Analytics system to let users quickly detect software vulnerabilities and more easily manage the security of the key components in their data centers.

Introduced in 2016, the Cisco Tetration Analytics system gathers information from hardware and software sensors and analyzes it using big data analytics and machine learning to give IT managers a deeper understanding of their data center resources. The idea behind Tetration includes the ability to dramatically improve enterprise security monitoring, simplify operational reliability and speed application migrations to Software Defined Networking.

Cisco said another key driver behind the technology is to give customers a single tool to collect consistent security telemetry across the entire data center and analyze large volumes of data in real time. In a multi-cloud enterprise, Tetration can lock down tens of millions of whitelist policy entries across thousands of applications, Cisco said.

The new release (Version 2.3) of Tetration software brings a focus on protecting application workloads.

Workload protection

According to Yogesh Kaushik, senior director of product management at Tetration Analytics, protecting workloads requires a holistic approach to understand everything running and installed on the workload, as well as communications between the workloads, to establish a clean baseline.

“This has to be done across thousands of workloads in an average data center. You have to discover each component of the application and map out the dependencies before making any changes to the security policy so applications don’t break,” Kaushik stated.

Tetration now provides a real-time inventory of all software packages along with version and publisher information.
Using information learned from Cisco’s other security offerings – including Cisco Firepower Next-Generation Firewall (NGFW), Next-Generation IPS (NGIPS), Advanced Malware Protection (AMP) and Stealthwatch, as well as data from the Common Vulnerabilities and Exposures (CVE) database – it detects servers that have software packages with known CVEs and can quarantine or segment those devices away from important enterprise resources.

Tetration provides details such as a scorecard for the potential severity of the vulnerabilities and identifies all the servers running that specific software version. IT organizations can proactively set up filters to search for one or more vulnerabilities and set policies through the user interface or through APIs to take specific actions, such as quarantining hosts identified as having high-impact vulnerabilities, Cisco said.

Inventory running workloads

According to Cisco, Tetration can now collect and maintain an inventory of the workload processes running on enterprise servers on a minute-by-minute basis. “Using this information, IT managers can search inventory for the servers that are running or have run specific processes. The process information includes process ID, process parameters, and the user who is running the process, process duration and process hash or signature information. The process hash information is critical for security because IT managers can search for any servers in the data center that ran a malicious process by matching this hash information,” Cisco said.

With this release, Tetration can also now monitor workloads and the network to create a “normal” application behavior baseline, which the system can then watch for deviations associated with malware behavior patterns such as those found in side-channel or privilege elevation attacks.

Customers can use all of this data to develop policies that Tetration then follows and enforces.

Kaushik said that an example would be, “Block all workloads with known vulnerabilities from communicating with database servers that have sensitive data.” Tetration continuously translates that intent into concrete rules based on the current attributes of the workloads.

Conflict resolution

Tetration also accounts for policy hierarchy and does automatic conflict resolution. If an app developer and a database owner both agree to allow communication, but a higher-order InfoSec rule denies it, Tetration resolves to a deny action. The platform is role-based access controlled, and the roles can be mapped to administrative domains, Kaushik said.

Tetration stores several months of data on the platform, letting customers test the impact of policy changes in real time, as well as run experiments against backdated traffic. All changes to the policy are tracked for auditing, Cisco said.

Another key component of Tetration is its ability to decouple policy creation and translation from policy enforcement.

“It’s an open policy model that can be used to implement policy in any plane through a REST API or a Kafka stream.
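The workflow described above (package inventory matched against a CVE feed, a vulnerability attribute derived from the match, an attribute-based intent such as "block all workloads with known vulnerabilities from database servers with sensitive data" translated into concrete rules, and a higher-order InfoSec deny overriding the allows that an app owner and a database owner agreed on) can be modelled in a few dozen lines. The following is an added example written for this article; it is not Cisco's code and does not use the Tetration API. The workloads, package versions, CVE identifiers, CVSS scores, IP addresses and scope names are all constructed placeholders. It goes slightly beyond the text by re-running the translation after a package upgrade, to show why the intent has to be continuously re-evaluated against current workload attributes.

```python
"""Attribute-driven segmentation policy with hierarchical conflict resolution.

Added example modelled on the article; not Cisco's code and not the Tetration
API. All feed entries, hosts and scopes below are constructed placeholders.
"""
from dataclasses import dataclass, field

# Constructed vulnerability feed: (package, version) -> (cve_id, cvss_score).
# The CVE ids are placeholders, not real advisories.
CVE_FEED = {
    ("libexample", "1.2.0"): ("CVE-0000-0001", 9.8),
    ("toolkit", "3.1"): ("CVE-0000-0002", 5.3),
}
HIGH_IMPACT = 7.0  # CVSS at or above which a finding counts as high-impact

# Policy hierarchy: lower index = higher authority. InfoSec outranks app owners.
SCOPE_ORDER = ["infosec", "app-owner", "db-owner"]


@dataclass
class Workload:
    name: str
    ip: str
    packages: dict                           # package name -> installed version
    tags: set = field(default_factory=set)   # e.g. {"db", "sensitive-data"}

    def vulnerabilities(self):
        """Match the installed package inventory against the CVE feed (the scorecard)."""
        return [CVE_FEED[(p, v)] for p, v in self.packages.items() if (p, v) in CVE_FEED]

    def attributes(self):
        """Attributes the policy engine evaluates. Recomputed on every call, so a
        package upgrade or a new tag changes the concrete rules without editing intent."""
        vulns = self.vulnerabilities()
        attrs = set(self.tags)
        if vulns:
            attrs.add("vulnerable")
        if any(score >= HIGH_IMPACT for _, score in vulns):
            attrs.add("high-impact-vulnerable")
        return attrs


@dataclass
class Intent:
    scope: str      # owner of the rule, ranked by SCOPE_ORDER
    action: str     # "allow" or "deny"
    src_attrs: set  # attributes every source workload must carry
    dst_attrs: set  # attributes every destination workload must carry
    port: int


def quarantine_candidates(workloads, min_score=HIGH_IMPACT):
    """The 'filter for high-impact vulnerabilities' a quarantine policy would act on."""
    return sorted(w.name for w in workloads
                  if any(s >= min_score for _, s in w.vulnerabilities()))


def translate(intents, workloads):
    """Turn attribute-based intents into concrete (scope, action, src_ip, dst_ip, port) rules."""
    concrete = []
    for intent in intents:
        for src in workloads:
            if not intent.src_attrs <= src.attributes():
                continue
            for dst in workloads:
                if dst is src or not intent.dst_attrs <= dst.attributes():
                    continue
                concrete.append((intent.scope, intent.action, src.ip, dst.ip, intent.port))
    return concrete


def resolve(concrete):
    """Conflict resolution: per flow, the highest-ranked scope decides; within one
    scope a deny beats an allow. Returns {(src_ip, dst_ip, port): action}."""
    decisions = {}
    for scope, action, src, dst, port in concrete:
        key, rank = (src, dst, port), SCOPE_ORDER.index(scope)
        current = decisions.get(key)
        if current is None or rank < current[0] or (rank == current[0] and action == "deny"):
            decisions[key] = (rank, action)
    return {k: v[1] for k, v in decisions.items()}


def example_workloads():
    """Constructed inventory: one vulnerable web server, one clean one, one sensitive DB."""
    return [
        Workload("web01", "10.0.1.1", {"libexample": "1.2.0"}, {"web"}),
        Workload("web02", "10.0.1.2", {"libexample": "1.3.0"}, {"web"}),
        Workload("db01", "10.0.2.1", {"toolkit": "3.1"}, {"db", "sensitive-data"}),
    ]


def example_intents():
    """App owner and DB owner both allow web -> db; InfoSec denies vulnerable -> sensitive."""
    return [
        Intent("app-owner", "allow", {"web"}, {"db"}, 5432),
        Intent("db-owner", "allow", {"web"}, {"db"}, 5432),
        Intent("infosec", "deny", {"vulnerable"}, {"sensitive-data"}, 5432),
    ]


if __name__ == "__main__":
    ws = example_workloads()
    print("quarantine candidates:", quarantine_candidates(ws))
    print("policy:", resolve(translate(example_intents(), ws)))
    ws[0].packages["libexample"] = "1.3.0"   # patch web01; intent is unchanged
    print("policy after upgrade:", resolve(translate(example_intents(), ws)))
```

With the constructed data, web01 is the only quarantine candidate, the flow web01 to db01 on 5432 resolves to deny even though two owners allowed it, web02 to db01 resolves to allow, and once web01's package is upgraded the same intent yields an allow for web01 as well.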
Tetration enforces policy on the workload natively, and also streams that same policy to other infrastructure elements such as firewall orchestration systems, load balancers and SDN controllers, and the public cloud. The same policy model is used for bare metal, virtual and containerized workloads, both on-premises and in the public cloud,” Kaushik said.

The latest Tetration upgrade builds on features Cisco added to the 2.0 version package in 2017. At the time, Cisco said the Tetration Analytics policy recommendation and enforcement engine could take micro-segmentation – a security technique enabling workload separation – a leap further by delivering application segmentation, which drives policies across the application layer regardless of where the application resides: virtualized, bare metal, physical servers or in the cloud.

A key part of the 2017 upgrade was a set of new implementation packages. For example, Cisco rolled out a small Tetration package designed for around 2,000 workloads, which is now certified to support 5,000 and includes six UCS C-220 servers and two Nexus 9300 servers. The full-rack package, which in its first iteration supported 10,000 sessions and now supports 25,000, came with 36 UCS C-220 servers and three Nexus 9300 switches. A virtual appliance that runs in Amazon Web Services (AWS) for up to 1,000 workloads was also rolled out. This week Cisco added a Tetration appliance for Microsoft Azure environments.

Tetration Analytics 2.3 will be available in April.