By Michael Cooney, Senior Editor

AI features boost Cisco’s Panoptica application security software

News | May 07, 2024 | 5 min read
Cloud Computing, Network Security

Cisco pads cloud-native security platform Panoptica with features that help customers protect containerized, microservice applications.

[Image: neon-style cloud security illustration. Credit: rso / Shutterstock]

Cisco has added a variety of new AI-based security features to its cloud-native security platform that promise to help customers more quickly spot and remediate threats. The features extend the vendor’s Panoptica platform, which is designed to secure cloud applications from development to deployment with a focus on protecting containerized, microservice applications running on platforms such as Kubernetes. 

Panoptica lets customers define and enforce security policies through infrastructure-as-code tools such as Terraform, and it monitors application behavior to detect and prevent threats in real time. This includes capabilities found in intrusion detection and prevention systems, adapted specifically for cloud-native environments, Cisco says.

A recently added AI Assistant understands plain, everyday language and offers custom assistance in prioritizing, investigating, and remediating a customer’s specific security issues. For example, administrators can ask questions such as “What are my most important vulnerabilities?” and “Help me understand this attack path and how to fix it.” The assistant has awareness and intelligence about an enterprise’s live environment, including all the data Panoptica tracks about its security posture, vulnerabilities, and attack paths, according to Vijoy Pandey, senior vice president of Cisco’s Outshift advanced development group. 

Adding to Panoptica’s current level of AI support, Cisco integrated OpenAI’s large language model GPT-4 in a feature called GenAI Dynamic Remediation. With this support, Panoptica can derive targeted remediations based on the security risk context presented by the system’s Attack Path Analysis engine. It “provides step-by-step instructions on how to apply the controls using CLI, code snippets, and Terraform tailored to the unique characteristics of each attack path,” Pandey wrote in a blog about the new features.

“Panoptica integrated GPT-4 with our graph engine, enabling it to present users with in-depth, tailored remediations for each detected attack path, including remediation guidance tailored to each of the critical points of infiltration: network exposure, workload at risk, and identity exposure,” Pandey wrote. “This rapidly decreases response time by giving teams sample code that gets right to the source of the issue. No more wasted time figuring out how to solve the problem; a simple code sample shows you exactly how you can fix it right now.”
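To make concrete what a remediation keyed to “network exposure” and “identity exposure” looks like when expressed as Terraform, here is an added illustration of the before/after pattern such guidance typically pairs. It is an editorial example, not output from Panoptica or code from Cisco’s blog; the resource names, the `var.vpc_id` and `var.bastion_cidr` variables, the CIDR and the S3 bucket name are all hypothetical.

```hcl
# Added illustration (not Panoptica output). Resource names, variables,
# CIDRs and the bucket ARN below are hypothetical placeholders.

variable "vpc_id"       { type = string }
variable "bastion_cidr" { type = string }   # e.g. "10.20.0.0/24" (hypothetical)

# BEFORE (network exposure): SSH on the workload is reachable from the whole internet.
resource "aws_security_group" "app_exposed" {
  name   = "app-exposed"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# AFTER (network exposure): SSH is only reachable from the bastion range.
resource "aws_security_group" "app_restricted" {
  name   = "app-restricted"
  vpc_id = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.bastion_cidr]
  }
}

# BEFORE (identity exposure): the workload role is allowed every action on every resource.
data "aws_iam_policy_document" "workload_admin" {
  statement {
    actions   = ["*"]
    resources = ["*"]
  }
}

# AFTER (identity exposure): least privilege, scoped to the one bucket the workload reads.
data "aws_iam_policy_document" "workload_least_priv" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-app-data/*"]   # hypothetical bucket
  }
}
```

In a real change only the "AFTER" blocks would be kept; both halves are shown side by side so the weak setting and its correction can be read together. The two pairs map to two of the three infiltration points Pandey names, network exposure and identity exposure; a "workload at risk" remediation would more often be a patched image tag or a pod security setting than a network or IAM rule.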

Another new AI-based feature, Smart Cloud Detection & Response (CDR), gives security teams a head start in detecting attacks by continuously monitoring security events as they occur and correlating them with additional insights and context so that teams can respond, Pandey stated. Smart CDR, which Pandey said grew out of Cisco internal research, also provides forensic information about the attack. “Every bad actor has an intent, and our job is to help describe what’s going on by painting a picture of the attack story,” Pandey wrote.

Smart CDR detects threats in real time and promptly notifies security teams, Pandey stated. “Most competitors stop at threat detection, but we go further, stitching these threats together to describe the attacker’s intent,” Pandey wrote. “Our approach involves generating synthetic attack simulations to train our ML models to detect attacks like ransomware, data exfiltration, crypto-jacking, container escape, and data destruction.”

Lastly, Cisco added the ability to more easily create, manage, and enforce security policies across a multicloud environment via a new feature called Security Graph Query. The feature integrates with the system’s policies engine to let customers enforce security policies directly from the Security Graph Query Builder and Query Library, Pandey stated.

The Security Graph Query Builder lets users build customized queries that combine data and insights from Panoptica’s different security modules, such as cloud security posture visibility, runtime workload protection, and Attack Path Analysis for analyzing potential attack vectors, according to Cisco. The idea is to offer a unified view of an organization’s cloud assets, security posture, vulnerabilities, and threats across the entire cloud-native application stack. This lets security teams identify risks, investigate issues, and take appropriate actions, according to Cisco.

“The feature is a comprehensive search and visualization tool that aggregates data across multiple cloud providers, code repositories, APIs, SaaS applications, and Kubernetes clusters,” Pandey stated.

“It utilizes queries crafted for assets and their relationships and security insights such as attack paths, risk findings, and vulnerabilities,” he wrote. “The goal is to streamline policy creation, improve security compliance, and make policy management more efficient and data-driven.”

Pandey listed a few use cases, including:

  • Proactive threat hunting: search for signs of compromise and emerging threats by constructing custom queries that indicate potential security risks.
  • Contextual analysis: understanding the context of an event or entity within the graph allows security teams to make more informed decisions.
  • Resource optimization: security teams can use the insights from the graph to optimize resource allocation, focusing efforts on areas of the network that are most vulnerable or frequently targeted.

The Panoptica announcement was timed with the ongoing RSA Conference 2024, where Cisco also announced plans to integrate Splunk’s enterprise security technology (gained in its recent $28 billion Splunk acquisition) with Cisco’s extended detection and response (XDR) service.