Cisco Releases Tetration Analytics Platform

Cisco announced on Wednesday Tetration Analytics, a rack-size platform due next month that it says will provide full visibility across a data center and hybrid cloud in real time.

This is not for closets — at a hefty 39 RU cluster with 36 UCS-C220 servers and three Cisco Nexus 9300 switches running the analytics software, the initial release is for large data centers. Later this year, Cisco will launch a smaller unit, about one-third the size of the current platform, that’s more suitable for midsize companies, and Yogesh Kaushik, director, product management of Cisco’s Insieme group, told Channel Partners that a multi-tenant model is also on the road map. With that, MSPs could host the appliance on their sites and sell Tetration Analytics in an as-a-service model to multiple customers.

Cisco says a single Tetration appliance will monitor up to one million unique flows per second and can store billions of data points for later analysis.

Peter Christy, research director, networks, 451 Research, says pricing for the initial platform is likely to run around $3 million.

“Starting out with the biggest, most sophisticated use cases makes perfect sense,” says Christy. “You can incorporate that learning into the smaller-scale models.”

The platform does unsupervised machine learning, and Kaushik says the Tetration API is completely open; any data center or public cloud server can be monitored via agents installed on either virtual machines or bare metal.{ad}

“It’s a one-touch appliance,” says Kaushik. “You just power it up and it starts working. In about three hours it orchestrates everything. It’s designed to integrate with whatever tools [customers] have.”

That said, Cisco-centric shops – specifically, Nexus 9000 data centers – will gain deeper insights.

“If you have ACI, you can do more telemetry,” he says.

The initial value pitch is around traffic and application analysis, security and forensics, and raising the conversation to line-of-business leaders.

“It’s a very margin-rich space,” said Nirav Sheth, senior director, architectures and engineering, for Cisco’s global partner organization. “Our most profitable customers are …

{vpipagebreak}

… absolutely coming back and saying they’ve been able to drive business relevancy.”

Sheth says the sweet spot for Tetration is partners with security and data-center practices that can attach their own services.

Brian Finzen, VP of networking at Cisco master partner Sirius RE, is one such MSP. Finzen has had some hands-on time with Tetration and says he’s seen good insight into applications. For customers with hybrid setups, it can help determine suitability for migration to the public cloud or enable a partner to architect a disaster-recovery site with fewer errors stemming from a lack of understanding of application interdependencies.

“It’s easier said than done to decide, ‘Let’s just toss that application to the cloud,'” he says. This tool will help with assessments, a services opportunity, and he also sees long-term potential for analysis as a service with a multi-tenant version.

Security Do-Over

For security, Cisco says Tetration can help build a manageable, automated white-list-based security model, a goal about as elusive as the white whale. The problem with whitelisting is that infrastructures are constantly changing, so blocking or containing anything that is unknown – the inverse of the broken “try to track all the bad things” model – is unwieldy in large or dynamic environments. A small change may break a seemingly unrelated system, and IT or a partner must also define “good,” a moving target.{ad}

Tetration can help by automating white-list creation. It can also spot unusual east/west traffic or deviations in communication patterns that may indicate a breach and flag policy noncompliance. By learning what constitutes “normal” traffic, Cisco says it can spot spikes that might indicate a DDoS attack, for example, and allow for forensic analysis. 

“We have a simulation engine so they can do ‘what if’ assessments,” says Kaushik. He likens the process to rewinding a DVR. For example, say a customer wonders if a breach could have been prevented. You can jump back, apply a new policy rule and see the results without downtime.

From a UI perspective, Sirius’ Finzen says partners don’t need experience with command line interfaces. Queries are similar to a search engine.

“This doesn’t look at what traffic is, it just looks at header information, so it’s not a heavy payload analysis piece,” said Finzen. “You can therefore save a lot of data for a long time.”

“Initially the market is going to be relatively small,” he said. “But later this year, the smaller form factor will open more doors.”

Not-So-Secret Agents

Mike Fratto, research director, business technology and software for Current Analysis, says there are a few caveats partners should be aware of. Tetration looks only up to Layer 4, and some customers will resist installing agents on endpoints, even with low CPU demand and the insight they provide into inter-process communication.

“Nobody likes agents,” says Fratto. “You have to manage them, and what happens if companies have products from another vendor where you’re legally disallowed from running an agent?”

Moreover, the system is much more costly than point products, like ExtraHop or Cisco’s Lancope, that could provide some similar functionality. Still, traffic flow analysis can be …

{vpipagebreak}

… very informative.

“Hop-by-hop visibility is valuable,” says Fratto. “What’s not normal just lights up like neon.”

He sees the system augmenting an APM suite, unless the customer is heavily invested in Cisco gear. “It’s really designed for a Nexus 9000 network,” says Fratto. “That’s where it shines, where custom silicon delivers deep telemetry.”{ad}

Other selling points are the ability to export policies direct into APIs. Developers could write scripts to take data out of Tetration and, for example, use it auto-generate firewall rules.

“The simulator is also interesting, as is the ability to go back in time and apply ‘what if’ scenarios,” he said. “What if six months ago, I had done this, or that? What happens to traffic? I haven’t seen anything similar on the market.”

Market Ops

Cisco’s Sheth says there are both upfront and back-end rebate opportunities for partners, but more valuable is the ability to engage with line-of-business leaders and provide consulting around, for example, modeling a change before it’s executed to understand the impact on applications or validating that policy changes have been applied properly.

“I fundamentally believe that there are a lot of professional-services opportunities attached for our partners,” said Sheth. “They can build a net new MSP practice.”

But don’t discount good old hardware deals, either. “I believe it will drive a lot of 9K sales for the partner community,” said Sirius’ Finzen.

Some fine print: In the first Tetration release, software sensors support only Linux and Windows server hosts, so mind the hypervisors. Hardware sensors are embedded in ASICS in Nexus 9200, 9300-EX and Nexus 9500-EX switches to collect flow data at line rate from all ports. For non-Cisco devices, Tetration provides about 85 percent visibility.

451’s Christy says that Cisco followed its “eat your own dog food” tradition with Tetration. The product was in use for a year by internal Cisco IT, mainly run as software agents on a mixed network.

For selling points, he says more and more applications are being delivered from a typical data center; the nature of traffic has shifted dramatically, with many more east-west flows; and people have finally given up on the concept of perimeter defense. All of these make traffic flow analysis valuable.

“For those who can afford it, Tetration should provide a wealth of interesting data,” said Christy.

Agree? Disagree? Let me know, either in comments or direct. Follow executive editor @LornaGarey on Twitter.