Enterprise networking is a constantly evolving set of technology solutions. From an engineering perspective, it presents an endless series of fascinating problems to solve as we strive to connect more people, devices, and applications around the world. Cisco customers also have a seemingly endless list of use cases that they need our help in solving as they progress through their own digital transformations. We are starting this “Networking Demystified” blog post series to explore different aspects of networking technology that impact everyone today. This first deep dive is into the “mystery” of protecting endpoints like your laptop, phone, sensors, cameras, and the other thousands of types of devices that are so critical to running our modern world. Join us on this journey and maybe you too will be the next engineer to solve the hard problems of enterprise networking.

So, what is an endpoint? In simple terms, it is a device that connects to a network to serve a purpose: from something as simple as delivering IoT sensor data, to connecting people socially or professionally, accessing SaaS and cloud applications, or performing machine to machine exchanges of information to solve complex problems. Endpoints are everywhere. In our homes, office spaces, manufacturing floors, hospitals, and retail shops—literally everywhere, serving a multitude of purposes.

The Good, the Bad, and the Ugly

In an ideal world we expect all endpoints will behave the way they are supposed to and do no harm, just like the people interacting with the endpoints. But in the real world this is not actually the case. As a result, we need to categorize endpoint behavior into The Good, The Bad, and The Ugly.

  • Good endpoints follow all the rules for network onboarding, use secure protocols for access, have up-to-date secure software installed, and do only what they are supposed to do.
  • Bad endpoints are those outliers that still do what they are supposed to do but have loopholes which can be exploited to create security and performance problems.
  • Ugly endpoint behavior can be categorized as being actively exploited and creating problems from local to global scale.

So, what do we do? We reward good behavior by providing the right level of access to permitted network resources. We punish bad and ugly behavior by restricting access or completely isolating an endpoint from the network based on how it is behaving.

But wait, how do we decide on the levels of access? We need to know what the endpoint is, before giving it the required access because we cannot protect what we don’t know. A printer does not need access to financial servers. Similarly, a CT scanner in hospital does not need access to patients’ medical records. But if we do not know whether the endpoint is a printer or a CT scan machine, how can we manage their behavior? We can assign a generic access policy to endpoints so that they can do their job, but that opens up a host of security problems. So how to identify and tag endpoints to determine the right access? Follow the breadcrumbs—the trail endpoints leave on the network as they communicate with other endpoints.

Great, that seems easy! So now our endpoints and network are secured. Unfortunately, not yet. Will endpoints behave in the same way all the time? They may not! If we want to secure all endpoints, we need to continuously monitor them to identify any change in behavior so that the network can act on the next steps, which could be a warning to the endpoint owner, a restriction on access via segmentation, or a more severe punishment—such as completely cutting off network access—until the behavior is fixed.

So, we need technology that focuses on how to identify endpoints effectively to assign the right level of network access, plus continuously monitoring endpoint behavior to determine when endpoints are acting abnormally. At Cisco, we think about this a lot. At a global scale there will soon be 30 billion+ endpoints connected by various private and public networks as well as the internet. Around 30-40% of endpoints may be of an unknown type when they first connect. This creates an incredibly large threat surface available for the bad guys to compromise endpoints and networks. To defend the enormous range of endpoints requires innovative networking access protection technologies. With the biggest market share in endpoint connectivity, Cisco understands the problem of secure access to defend networks and assets.

Breadcrumbs, Surgical Procedures, and Analytics

Let’s talk about the methods that Cisco uses to identify endpoints and defend the network before diving into some of the technical details.

Each type of endpoint coming on the network uses different protocols throughout its lifetime. For some of the protocols, these details are readily available in the network and can be used to understand the endpoint type. That is one of the simplest approaches. For some protocols, the information about endpoint identity is hidden deep inside the packets and we need a surgical procedure called Deep Packet Inspection (DPI) to reveal their secrets. Like any surgical procedure when surgeons open the human body to diagnose or fix the problem, DPI opens up and examines protocol packets until enough information is extracted to enable an endpoint to be identified. Since no two protocols work in same exact way (no two operations are same, right?), the challenge is to catalog each protocol and then methodically plan protocol operations (analytics) to identify endpoints.

With this in mind, you might think that endpoint classification using DPI must require special separate hardware in the network. Fortunately, with Cisco’s innovative application recognition technology embedded in Cisco Catalyst switches, you don’t need any new hardware. All processing of endpoint types occurs within the IOS XE switching software. How cool is that? The capability adds up to a lot of CapEx savings.

With Cisco’s Deep Packet Inspection technology, we can reduce the unknown endpoint count significantly. But is that enough? Not really, because the number of endpoints connecting to a network is going to increase exponentially, with manufacturers creating new types of endpoints that use different types of protocols to communicate. Just trying to keep pace with the changing types of endpoints is going to be a huge challenge. Does it mean we leave these newer endpoints on network operating without supervision—remember, you can’t protect what you don’t know.

Bring on Cisco AI/ML Analytics, the solution to reduce the number of unknown endpoints. AI/ML Analytics identifies endpoints and groups them according to similar operating and protocol characteristics and show them in context to IT. As AI/ML Analytics learns more about millions of endpoints across enterprise networks, its understanding improves significantly to assign endpoint identities with increasing accuracy. The result is that hundreds of thousands of endpoint identities can be categorized with minimal effort from IT.

The Next Level of Access Security

The above technologies help identify endpoint types and assist in applying the right access policy for an endpoint to do its job. But the story doesn’t end there. Using continuous, anomaly-focused monitoring, any change in endpoint behavior can be detected, enabling access decisions to be automatically updated. A simple example could be an IoT sensor device that usually delivers telemetry to a controller, but is suddenly communicating with other endpoints, indicating the device may be compromised. AI/ML Analytics detects that it is not behaving as per its normal traffic pattern and raises an alert for IT to examine or quarantine the device as needed to secure the network.

So, what is Cisco doing to expand this technology? The solution offering that combines these multiple technologies is called Cisco AI Endpoint Analytics, which is destined to be the single pane of glass for understanding endpoint identity and trust. It is currently being offered as an application on Cisco DNA Center. We are also extending the technology to other Cisco solutions, such as Cisco Identity Services Engine (ISE), to enhance and automate endpoint profiling.

Cisco AI Endpoint Analytics on Cisco DNA Center
Figure 1. Cisco AI Endpoint Analytics on Cisco DNA Center

Join Cisco in Making IT More Secure

So how can you help? What we discussed here is just the beginning of development activities for reliably determining endpoint identity and behavioral monitoring. It is an evolving area that needs a lot of attention and exploration to continuously improve the techniques employed. In fact, many of us consider endpoint protection as Job #1. It’s an exciting area to work in, knowing the impact you can have on helping to secure our ever-more interconnected world.

If you were to join Cisco, what is there to do to make your mark in this space? A lot! We are working on four key areas in AI Endpoint Analytics: Endpoint Identity, Endpoint Behavior, Enforcement, and Endpoint Data Analytics.

So, would you like to be part of the Cisco AI Endpoint Analytics journey and proudly tell others that you help protect endpoints everywhere? Because without secure, defended endpoints, there is no network!


Read how working at Cisco can advance your career in network engineering!

Continuous Learning at Cisco Leads to Career Advancement,

Best-in-Class Networking Solutions

by Ravi Chandrasekaran, SVP of Enterprise Engineering

Learn more about Cisco AI Endpoint Analytics.


Rohan Pandit

Engineering Leader

Security Policy Access