
Cisco’s AI-driven security solutions aim to redefine cybersecurity defense by integrating two AI components, the Encrypted Visibility Engine (EVE) and the AI Assistant for Security, into all of their products, starting with the Firepower Next Generation Firewall (NGFW) and Extended Detection and Response (XDR). The main goals are to assist security teams, augment human insight and automate complex workflows. This document discusses the development of Cisco’s AI, how it came into play in cybersecurity, case studies, ethical concerns and its bright future in providing organizations with the best tools for competitive advantage and better cyber defense.
With the recent hype around Artificial Intelligence (AI) and the continuing rise of cyber-related crimes, hacking and incidents, Cisco, a company considered the long-term leader and king of networking, decided to jump onto the AI rocket ship. They implemented AI and Machine Learning (ML) to further innovate cybersecurity, with a plan to integrate it into all their products and services. Their security products have unique AI-powered capabilities which, when combined, form a multi-layered defense strategy (defense in depth), which is very important in cybersecurity.
Cisco’s approach to developing such innovations is based on the belief that the future of cybersecurity is powered by AI, and if an organization fails to leverage AI, it will not have an effective platform for security. In addition, Cisco recognizes the need for machine-scale capabilities to protect systems, as the shortage of human skills is an issue. Professionals require a significant amount of time to develop cybersecurity skills and cannot process humongous amounts of data and tasks in a short period. Furthermore, they believe that warfare starts with cyber, and threats are ever-evolving at a very fast pace. For them, there is no risk in embracing AI—provided it does not eliminate human knowledge and intervention, as human judgment is still considered the best tool in cybersecurity.
KEY TECHNICAL CHALLENGES
This section discusses the key challenges encountered by Cisco in developing, integrating and maintaining their AI-driven cybersecurity products and services.
Hardware Challenges
- Scalability – When developing great technologies, there always comes a problem in terms of scalability. The challenge of maintaining system performance while being cost-efficient is a significant concern. For a large enterprise like Cisco, with humongous amounts of data and infrastructure to manage, scalability is a real challenge—not just for them but for all organizations of similar scale.
- Legacy Systems Integration – In every organization, there will always be legacy systems, which are systems whose software or hardware has reached end-of-life. This means the developers or creators no longer release patches or provide support for that version of the software or hardware. However, these systems may still be used due to compatibility issues. Legacy systems not only open gateways for vulnerabilities but also pose a real challenge when integrating new technologies such as AI.
- Real-time Processing – It is known that AI processes data in real time to detect threats or respond promptly to various user requirements. The demand for such computational power poses a significant challenge for Cisco, as they need to provide the right and powerful hardware technologies to address such issues.
Software Challenges
- Hallucinations – AI comes with an issue called “hallucinations,” where it provides incorrect answers or unrelated information to a given task or prompt. This poses a significant challenge to most AI companies. To combat hallucination issues, Cisco trained their model on very specific areas, mainly cybersecurity, ensuring that data is pulled from curated and relevant datasets instead of large, unfiltered sources like the Internet.
- Algorithm Accuracy – For Cisco’s AI for security, it is critical to develop highly accurate AI algorithms to prevent or minimize false positives and negatives as much as possible. Cisco addressed this issue by not isolating their AI model, instead designing it to work seamlessly with other established technologies and platforms within the cybersecurity space.
- Interoperability – As mentioned earlier, Cisco decided not to isolate their AI model. They designed it to work seamlessly with other technologies and security tools, ensuring more reliable and comprehensive results.
- Continuous Learning – Machine learning and AI model training must be a continuous effort, as the cybersecurity threat landscape is constantly evolving. The goal is to develop AI technologies that can learn and adapt on their own with minimal human intervention.
- Data Privacy and Security – AI systems rely on large datasets for training and proper functionality. Cisco addressed this by leveraging the vast amounts of data they gather daily, such as network packets from various devices. However, this data mining creates challenges around data privacy and security, which Cisco continues to navigate carefully.
CASE STUDY
This section covers the two (2) AI-driven components developed by Cisco to improve cyber defense: the Encrypted Visibility Engine (EVE) and the AI Assistant for Security.
Encrypted Visibility Engine (EVE)
Encrypted Visibility Engine (EVE) is one of the AI-driven system components integrated into Cisco’s Next Generation Firewalls (NGFW). It offers an enhanced form of traffic inspection that can identify possible malicious software, or ‘malware’, by fingerprinting the Client Hello packet in the TLS handshake to monitor and analyze its movement, behavior, origin, and patterns.
EVE employs machine learning techniques to accomplish such tasks without the need for decryption. Furthermore, almost everything on the internet is now encrypted. Decrypting an encrypted packet or session for inspection requires intensive resources, making it difficult and not an optimal choice.
To further understand how EVE works, let’s dive into its methodology below.
How EVE Works (Software Architecture)
To understand how EVE works, let us first examine how the TLS Handshake works and is established in the first place.
Transport Layer Security (TLS) is a cryptographic protocol used to encrypt and authenticate online communications, making them secure and preventing Man-in-the-Middle (MITM) attacks, where an attacker could see unencrypted data such as passwords, credit card numbers, etc., in plain text when encryption is not applied.
The TLS handshake is essentially the process of starting and establishing a secure communication session between the client and the server. In non-technical terms, during this handshake the two parties (client and server) exchange messages to recognize, acknowledge, and verify each other, decide on the cryptographic methods they’ll use, and agree on session keys. A clear example of when a TLS handshake occurs is when a user goes to a website over Hypertext Transfer Protocol Secure (HTTPS): the user’s browser begins to query that website’s server, which starts a secure communication in which the data is encrypted.
Figure 1. TLS Handshake Process. Source: Cloudflare (n.d.). Retrieved from https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/
As seen in Figure 1 above, the secure communication starts with the Transmission Control Protocol (TCP) three-way handshake, shown as the blue-coloured boxes in the upper part of the image. The TCP three-way handshake is essential to first establish a connection between the client’s and the server’s TCP/IP nodes. The three-way handshake is summarized below.
- SYN: This is when the client sends a SYN (Synchronize) packet to the server to initiate the connection.
- SYN-ACK: This is when the server acknowledges the request and sends back a SYN-ACK (Synchronize-Acknowledge) packet.
- ACK: The client then confirms the connection by replying with an ACK packet to the server.
Take note that the TCP three-way handshake happens before the TLS handshake. To avoid confusion, take a look at Figure 2 below, which depicts the separation of the two processes.
Figure 2. TCP 3-way Handshake and TLS Handshake. Chan (2020). Retrieved from https://medium.com/@alysachan830/tcp-and-tls-handshake-what-happens-from-typing-in-a-url-to-displaying-a-website-part-2-243862438cd9
Following the successful TCP three-way handshake, the TLS handshake occurs. The entire TLS handshake process, with each of its steps, is summarized below.
- ‘Client Hello’ Message – The client first sends a “hello” message to the server to initiate the handshake. This message includes very important data: the TLS version the client supports, the cipher suites it supports, and the random bytes it generated, also called the “client random”.
- ‘Server Hello’ Message – The server then replies by sending back a “hello” message that contains its supported cipher suite and the “server random”, a random string of bytes that it generated.
- Server Certificate – After the Server Hello, the server sends its Secure Sockets Layer (SSL) Certificate – a digital certificate that contains the public key, signed by a trusted Certificate Authority (CA), for example DigiCert, RapidSSL, and more. CAs are trusted companies that manage digital certificates: they create, assign, authenticate and, if needed, revoke them. The purpose of these digital certificates is to promote trust and legitimacy, where the certificate validates and authenticates that the website is what it claims to be (ex. uber.com is a legit website domain of the company itself – Uber Technologies Inc.).
- Server Key Exchange – The next step depends on the cipher suites that the client and the server have in common. The server sends the appropriate key exchange information, whether that is Diffie-Hellman (DH) parameters, Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) or Rivest–Shamir–Adleman (RSA). These are cryptographic algorithms that protect the data using encryption and decryption. Take note that in an RSA-based handshake, the server’s public key from its digital certificate is used for the key exchange.
- ‘Server Hello’ Complete – This is the step where the server finalizes the initial handshake.
- Client Key Exchange – Following the completion of the Server Hello, and having the server’s public key (from the server’s digital certificate – RSA or DH-based public key), the client can now generate a so-called “Pre-Master Secret”, which it encrypts using the server’s public key. The client then sends the encrypted Pre-Master Secret to the server.
- Session Keys Created – Now, both the client and the server calculate and generate the ‘session keys’ from the pre-master secret, client random and server random. Session keys typically look like this, 2a3c9f81e5b7d4a2c1e9f78412ba7d23, a randomly generated string of bits in hexadecimal format. This session key will be used by both the client and the server for the entire duration of their single session communication. As long as they both have the session key, they can always communicate securely without going through the entire TCP and TLS handshakes again.
- Finished Message – This is where both the client and the server send Finished messages, indicating that secure symmetric encryption has been achieved and the handshake was successful.
What does EVE do during TLS Handshake?
During the TLS Handshake, EVE looks at the Client Hello part of the process to identify what process is running on the client side. The Client Hello is the very first piece of data the client sends to the server after completing the three-way handshake. This specific packet provides many clues about what the client is doing. By analyzing the Client Hello, along with other details like the destination IP address, EVE can accurately identify the application being used and then proceeds to fingerprint it.
Figure 3. EVE Communication. Source: Cisco (n.d.). Retrieved from https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine
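What fingerprinting a Client Hello can look like, as an added example that is not Cisco’s code and not EVE’s actual algorithm: a Python parser that reads the cleartext Client Hello fields (version, cipher suites, extension types, server name) and hashes them into a fingerprint without decrypting anything. The hashing scheme, the sample records and the host name `example.test` are constructed assumptions.

```python
import hashlib
import struct

GREASE = {0x0A0A + 0x1010 * i for i in range(16)}  # RFC 8701 placeholder values


def build_client_hello(ciphers, ext_types, sni):
    """Build a constructed sample: one TLS record holding a Client Hello."""
    name = sni.encode()
    exts = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    for etype in ext_types:  # other extensions get empty bodies; only types matter here
        exts += struct.pack("!HH", etype, 0)
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, client random, session id
            + struct.pack("!H", 2 * len(ciphers))
            + b"".join(struct.pack("!H", c) for c in ciphers)
            + b"\x01\x00"                                # null compression only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return (version, cipher_suites, extension_types, sni) from one TLS record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record carrying a Client Hello")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated Client Hello")
        chunk = body[pos:pos + n]
        pos += n
        return chunk

    version = int.from_bytes(take(2), "big")
    take(32)                                   # client random
    take(take(1)[0])                           # session id
    raw = take(int.from_bytes(take(2), "big"))
    if len(raw) % 2:
        raise ValueError("odd cipher-suite list length")
    ciphers = [c for (c,) in struct.iter_unpack("!H", raw)]
    take(take(1)[0])                           # compression methods
    ext_types, sni = [], None
    if pos < len(body):
        end = pos + int.from_bytes(take(2), "big")
        while pos < end:
            etype, elen = struct.unpack("!HH", take(4))
            data = take(elen)
            ext_types.append(etype)
            if etype == 0 and len(data) >= 5:  # server_name extension
                sni = data[5:5 + int.from_bytes(data[3:5], "big")].decode("ascii", "replace")
    return version, ciphers, ext_types, sni


def fingerprint(record):
    """Hash the GREASE-free version, cipher and extension lists; also return the SNI."""
    version, ciphers, exts, sni = parse_client_hello(record)
    fields = [f"{version:04x}",
              "-".join(f"{c:04x}" for c in ciphers if c not in GREASE),
              "-".join(f"{e:04x}" for e in exts if e not in GREASE)]
    return hashlib.sha256("|".join(fields).encode()).hexdigest()[:16], sni


# Constructed samples: one client stack seen twice (different GREASE), one different stack.
EXTS_A = [0x000A, 0x000B, 0x0010, 0x002B]
CLIENT_A = build_client_hello([0x1A1A, 0x1301, 0x1302, 0xC02B, 0xC02F], EXTS_A, "example.test")
CLIENT_A_AGAIN = build_client_hello([0x4A4A, 0x1301, 0x1302, 0xC02B, 0xC02F], EXTS_A, "example.test")
CLIENT_B = build_client_hello([0xC02F, 0x009C, 0x002F], [0x000A, 0x000B], "example.test")

if __name__ == "__main__":
    for label, rec in (("A", CLIENT_A), ("A again", CLIENT_A_AGAIN), ("B", CLIENT_B)):
        print(label, *fingerprint(rec))
```

The two records from client stack A hash to the same value despite different GREASE values, while client B, contacting the same host, produces a different fingerprint; pairing that value with the destination is what lets a classifier tell client applications apart.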
Enter EVE’s machine learning (ML) technology. ML requires a very comprehensive set of data, and in Cisco’s case this is not an issue. Cisco processes data from 80,000 endpoints every day, where EVE fingerprints and stores these humongous datasets – a billion plus TLS fingerprints daily – identifying, sandboxing and assigning a threat confidence score to over 10,000 malware samples daily via EVE’s fingerprinting mechanism and machine learning. This data is then added to Cisco’s Vulnerability Database (VDB) packages. To further understand what this means, an infographic is shown in Figure 3 below followed by the Threat Score Confidence in Figure 4 below.
Figure 4. EVE Machine Learning. Source: Cisco (n.d.). Retrieved from https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine
Figure 5. EVE Dashboard. Source: Cisco (n.d.). Retrieved from https://secure.cisco.com/secure-firewall/docs/encrypted-visibility-engine
EVE’s scoring system, the Threat Confidence Score, ranges from 0% to 100%: the higher the percentage, the more likely the program and its traffic are malicious in nature.
Example Scenario:
- EVE analyses an encrypted session and identifies a process called _ransom.
- EVE then assigns a threat confidence score of 100% to that particular traffic.
- EVE then blocks the traffic based on the admin’s threshold setting of 90% (if the threat confidence score is above 90%, EVE will automatically block the traffic).
Note that EVE has a default setting of Threat Confidence Score threshold of 99% or higher. The admins can also change and adjust the threshold based on their own preference.
AI Assistant for Security
Now, we’ll dive into Cisco’s AI Assistant for Security, which is integrated into Cisco’s NGFW and XDR. The AI Assistant for Security is a virtual companion for security professionals powered by generative AI and natural language processing capabilities.
Cisco’s AI Assistant for Security belongs to the category of AI called Large Language Models (LLMs), where it uses Machine Learning (ML) technologies and techniques to perform Natural Language Processing (NLP) tasks, the same technology as OpenAI’s ChatGPT, Microsoft’s Copilot, Amazon’s Alexa, Apple’s Siri, and more.
- Cisco AI Assistant in Firewall – Firewall admins can now easily accomplish the challenging task of maintaining complex firewall rules and policies with the help of the AI Assistant for Security.
- Cisco AI Assistant in XDR – SOC analysts can now make critical and important decisions quickly with the guidance and insights provided by the AI Assistant for Security.
How AI Assistant for Security Works (Software Architecture)
The AI Assistant works as a personal assistant trained specifically for cybersecurity, and it is used simply by interacting with it. A user may enter a prompt, for example, “What access control rules are disabled in my environment?” or “Help me write a playbook when there is a ransomware attack at my organization.”
Cisco’s AI Assistant for Security is trained specifically in cybersecurity, enabling it to identify anomalies within network traffic or provide security teams with reliable insights about the threat landscape.
Figure 6. Cisco AI Assistant for Security. Source: Cisco (n.d.). Retrieved from https://secure.cisco.com/secure-firewall/docs/ai-assistant
Moreover, unlike most common and popular Large Language Models (LLMs), Cisco’s AI Assistant for Security focuses its expertise on cybersecurity topics such as firewalls, threat response, playbooks, and more. What this basically means is that it doesn’t pull data from all over the Internet as general LLMs do (which makes them very prone to hallucination issues).
Machine learning is a very complex task that requires a lot of reliable data and consistent learning. Because of that, Cisco’s strategy for its AI Assistant for Security is not to isolate it from other technologies and platforms that are known and trusted by the cybersecurity community. Below are some of the top and reliable platforms from which it gathers and analyzes data for machine learning.
- National Vulnerability Database (NVD) – This website is a comprehensive collection of known and latest vulnerabilities, managed by the National Institute of Standards and Technology (NIST). It serves as the U.S. Government’s primary repository for such vulnerabilities. The database includes detailed descriptions, severity ratings, and suggested mitigation strategies.
- Common Vulnerabilities and Exposures (CVE) – The CVE is another valuable tool for cross-referencing vulnerabilities and exposures. It is managed by the MITRE Corporation and provides a standardized collection of vulnerabilities and their descriptions.
- Exploit Database (ExploitDB) – The ExploitDB is a useful database for referencing vulnerabilities. Managed by Offensive Security (OffSec), the leader in offensive security technology and the creator of Kali Linux, this platform is a primary resource for ethical hackers to test and validate security measures.
- National Software Reference Library (NSRL) – Managed by NIST, the NSRL provides a reliable database of known software, files, and data signatures used in digital forensic investigations. It is particularly known for validating the legitimacy of files and software by providing their unique file hashes.
AI Assistant for Security Feedback Feature
To improve AI model training and machine learning, another of Cisco’s strategies is to encourage users to provide feedback on the answers they receive to their prompts, as this is very important for the future development of the model. Cisco introduced a quick feedback feature: the user clicks the Thumbs Up or Thumbs Down icon shown after each AI Assistant reply. Moreover, a user who wants to explain or give more detailed feedback can write it in the optional text box. See the image below for reference.
Figure 7. Cisco AI Assistant for Security Feedback Feature. Source: Cisco (n.d.). Retrieved from https://secure.cisco.com/secure-firewall/docs/ai-assistant
EVE’s and AI Assistant for Security’s Hardware Architecture
Cisco’s EVE and AI Assistant for Security hardware architecture consists of the complex and advanced technologies that power today’s AI revolution. These devices and appliances perform high-performance capture and processing of encrypted traffic metadata. With the recent Cisco and NVIDIA partnership, a specialized processor, Cisco Silicon One, coupled with powerful NVIDIA GPUs, handles complex AI computations in real time.
Figure 8. Cisco/NVIDIA partnership. Source: Cisco (n.d.). Retrieved from https://blogs.cisco.com/datacenter/building-data-center-infrastructure-for-the-ai-revolution
Cisco AI/ML Data Center Network Architecture
Data center network architecture is crucial and needs to be designed very carefully in order to support AI/ML workloads. As seen in the figure below (Figure 9), a complex architecture combining sophisticated technologies from both Cisco and NVIDIA is in place for this task.
Figure 9. Cisco AI Data Center Networking Blueprint. Source: Cisco (n.d.). Retrieved from https://blogs.cisco.com/datacenter/building-data-center-infrastructure-for-the-ai-revolution
Summary of Cisco’s AI/ML Network Architecture Characteristics
- Non-blocking – It is very important to design a non-blocking network in which the different components work together to achieve uninterrupted data flow, enough bandwidth and high scalability.
- RoCEv2 support – Remote Direct Memory Access (RDMA) over Converged Ethernet version 2 (RoCEv2) is designed for low latency and seamless integration with IP networks, which is perfect for high-performance computing such as AI and ML.
- Explicit Congestion Notification (ECN) – Using a congestion management technique like ECN is very important for managing congestion within IP networks. This mechanism is designed to signal congestion events before packet loss happens.
- Priority Flow Control (PFC) – This mechanism is very important for preventing packet drops in critical traffic. It also uses resources efficiently, allowing other traffic to continue transmitting normally during congestion instead of pausing the network.
- Automated Operations – Automation is simply the process of the technology doing different tasks and solving it without the need for human intervention.
- Telemetry for Visibility – The word Telemetry means automation of the collection, analysis and reporting of data in real time from different systems and networks to provide useful and reliable data for future decision making and operations.
All of the hardware technologies that power Cisco’s AI/ML products are the latest and most cutting-edge available, in order to provide great products and innovations to their customers. Cisco promises continuous development and improvement of their technologies as time progresses.
ETHICAL ISSUES
AI in cybersecurity introduces new ethical dilemmas. This section discusses some of the ethical considerations with AI in cybersecurity.
- AI will replace human jobs – This is probably the main issue with the rise of AI. AI is so advanced that it poses a threat of replacing human jobs, which is already happening very quickly.
- Privacy Concerns – This is one of the most important ethical issues when it comes to technological advances, not just with AI. AI is so advanced that it can uncover vast amounts of data for which consent has not been given. If misused, it can lead to privacy invasions of individuals or organizations.
- Over-Reliance on AI – AI, as a good assistant, is undoubtedly helpful. From a cybersecurity perspective, it can help professionals analyze, automate processes, generate playbooks, and even hunt for threats. However, it raises the issue of over-dependence, which can lead to complacency, opening doors for persistent threats if the AI fails.
- Potential for Abuse – Bad actors can definitely use AI as well. They can leverage it for phishing, creating and distributing malware, or disseminating misinformation, such as through Deep Fakes (fake images or videos of someone/something).
- Bias in Algorithms – Most AI models are trained using historical data that is primarily available on the Internet. However, not all information on the Internet is reliable or true.
FUTURE TRENDS
AI technology is evolving rapidly and has no indication of stopping. Below are some of the AI technological innovations that we can expect in the near future.
- Predictive AI – This is one of the most promising developments in AI: the ability to predict or anticipate future events. This involves a variety of use cases. For example, in healthcare, we can predict diseases by analyzing a patient’s health or genetic history. In cybersecurity, we can identify potential threats and mitigate or stop them before they exploit vulnerabilities. This can be achieved by analyzing past events, codes, malware behavior, and more.
- Quantum Computing Integration – Quantum computing introduces a range of exciting and promising advancements for the future. It can process vast amounts of data at unprecedented speeds. With such power, we can develop numerous technologies across various industries. For instance, in the energy sector, quantum computing can enable the design of materials for next-generation batteries, optimize current energy grids, and advance nuclear fusion energy research.
- Autonomous Systems – These systems allow AI to function independently, requiring zero human intervention, so that humans can focus on more important tasks rather than dealing with boring, repetitive, and manual workloads. For example, self-driving vehicles, autonomous delivery robots, and more are already paving the way for this transformation.
In conclusion, AI is here to stay, and its innovation and development will not cease. In this report, we saw that Cisco’s Security Solutions demonstrate a good balance and synergy with humans to further improve cyber defense in an ever-evolving threat landscape. There are indeed no perfect systems; all systems right now have vulnerabilities for bad actors to find and exploit, and that is just normal. That’s why we, as defenders, need to enhance our tools to ensure a safer digital future.