In my previous post, I described how machine learning simplifies microsegmentation by automating the rule creation process. I'd now like to talk briefly and more specifically about how Edgewise's PolicyGraph Engine™ (the machine learning system that forms the underpinnings of Edgewise Protect’s ability to suggest policy) makes that happen.
We'll look at the three stages of how machine learning contributes to this:
- Observe and describe the network's intended state.
- Define optimized policies to enforce that observed/intended state.
- Continue to learn, adapt and optimize policies while enforcing that intended state.
Step 1: Observe and describe
In this stage, we want to understand what the network is doing and what it's supposed to look like (click to tweet this). Edgewise does this from the point of view of communicating applications, and uses knowledge of application communication patterns to identify anomalous traffic in the future that doesn't fit in with previously observed network patterns.
Most people we talk with about our machine learning capabilities are really interested in this stage since application-centric policies are very different from what they've encountered before. We often have to describe in more detail what we do to accomplish this. Edgewise collects fixed, immutable data about applications–hundreds of attributes that can securely identify applications. Communication patterns between applications, and the hosts and users involved, are also stored.
Within 48 hours (often less, depending on the nature of your network and how "locked down" it already is), there’s enough information for Edgewise to begin using machine learning to create policies automatically.
Step 2: Define and enforce
The wealth of information Edgewise collects about the applications and their communication patterns allows it to discover a nearly optimal set of policies which describe what’s been observed, using a relatively small number of features for each policy.
The Edgewise PolicyGraph Engine™ produces a set of policies that are dramatically smaller than sets constructed using address-based solutions. Plus they're easier to understand, so even managers who aren't application experts can understand how to secure them.
For example, one customer previously required more than 13,000 address-based security policies to protect their applications. Edgewise was able to accomplish the same protection using only 180 application-based policies (click to tweet this). That's the real benefit of combining application-based policy creation with machine learning. It becomes much easier to understand security, because the policies are few enough that you can browse them all, and clear enough that you can understand and act upon them.
It’s important to note that these policies don't decide what's “good” or “bad” on the network; they only describe what's actually happening on the network, as efficiently and simply as possible. The goal is to make it as easy as possible for humans to understand what's happening on their network and decide for themselves whether a given suggested policy should be deployed, modified or eliminated.
Step 3: Learn and optimize
It’s important to note that Edgewise’s machine learning doesn't stop after the first few days of use. Because application traffic on the network continues, and, more importantly, the network changes and the applications change, there's always more information to gather, and it may be new and different information than what was gathered initially.
Hence, Edgewise continues to create new policy sets based on all the collected information. Since it would be likely that new policies could contradict (or confuse) existing policies, already-enforced policies are taken into account while creating new rules. For parts of the network where no policies are in place, however, the Edgewise's PolicyGraph Engine™ regularly updates its recommended policies to keep up with the evolving network, and provides a current confidence score so users have a sense for how accurately the policies reflect current network behavior.
These three stages—observation, creation, and optimization—explain how Edgewise creates policies that provide effective security and can be understood by people. This frees security professionals to do their most important job—protecting the most important applications on their network from attack—without excessive drudgery. That’s how the use of machine learning accelerates the time-to-deploy for a microsegmentation project from weeks or months to days, and allows users to create security policy without needing to write security policy.
I recently hosted a webinar on the subject of machine learning and microsegmentation. Take a look, if you want to see PolicyGraph Engine™in action.