Like most enterprises, Cisco faces an ever-evolving, proliferating security threat landscape. The dilution of perimeter-based security, new targeted threats, the growth of cloud computing, content virtualization, the consumerization of endpoints, and a rise in hacktivism are pushing not only security technologies to advance, but also enterprises to adapt their security, governance, and policy strategies accordingly. Companies cannot afford to focus their security spend and resources on preventative measures alone.
That is why Cisco® InfoSec is taking a more holistic approach to security and focusing on shaping policies and practices that help protect Cisco assets, data, and intellectual property both proactively and reactively. While technology is a large part of Cisco’s security architecture, a watchful eye on trends within the business environment and the impact on users are also important to Cisco’s comprehensive plan.
“To apply technology to the problem in the best possible way, we consider the user experience, how that experience impacts people, and what processes need to be implemented for the technology to be successful,” says Sujata Ramamoorthy, InfoSec director at Cisco. “We then work closely with IT to deploy these technologies and processes. We also work with users and our vendor community.”
InfoSec is currently focusing on securing the mobile cloud in the enterprise. The mobile-cloud trend is at the core of the Internet of Things (IoT), a network of physical objects through the Internet. “Every time we make a leap in technology, it creates tension in security which enables us to solve security problems,” says Ramamoorthy.
In a mobile and borderless IoT environment, protecting Cisco’s resources requires dynamic context-driven policies, including:
● Differentiated policies based on the trust level of the devices, and
● Policies to secure the enterprise resources.
InfoSec drives the implementation of policies using Cisco products such as Identity Services Engine (ISE) and Application Centric Infrastructure (Cisco ACI™) to achieve our context-driven policy vision. As new mobile devices are brought into the corporate network by Cisco users, ISE will allow policy-based, differentiated access according to the device posture. Devices that do not meet the minimum standards will only be able to access Internet-Only Networking, which is our guest networking solution. Applications can use the context from ISE to enable certain functionality in the application. For example, devices with no encryption may not be allowed to download sensitive data. InfoSec also drives user education and awareness to ensure that users are adequately notified of our policy implications and to help them take steps to protect personal and business data.
In the data center, where traditional resources reside, ACI will allow contextual policies via the Cisco Application Policy Infrastructure Controller (Cisco APIC), enabling policies to move with the resources. From a network security perspective, ACI offers automated programmable application updates as rules are added, moved, or removed. In traditional network security without ACI, it is common for security controls to go out of sync with applications. For example, setting up a firewall rule to protect a set of hosts. As those hosts are replaced over time, the possibility would open that a new host for that group would not be placed behind the same firewall and thus not be protected by it. ACI is the next step in transforming network security.
While technological leaps such as mobile cloud and IoT bring new challenges, they can also offer great opportunities to drive end-to-end security solutions forward. Technologies such as Cisco ISE and ACI allow us to better manage the risks to our environment with context-based dynamic policies.
Threat Intelligence and Analytics
Intelligence is one of the most important techniques a company can use to protect its resources. InfoSec monitors and analyzes data from several sources including Cisco intrusion detection system (IDS) and intrusion prevention system (IPS), DNS logs, and NetFlow data to detect malicious activities in the network, the source of threats, and the tools used to carry out intrusions.
“We have such a large footprint with our network and security products that this full spectrum of insight is a huge benefit,” says Ramamoorthy.
In collaboration with employees from Cisco acquisitions such as SourceFire and other enterprises in network security, InfoSec uses research and analytics from monitoring feeds to detect anomalies and patterns that help prevent and mitigate threats to data and identity security. This intelligence is also used to strengthen Cisco products, services, and the enterprise as a whole.
Cisco is in a unique position security-wise. Like many large enterprises, Cisco is targeted by continuous threats, but Cisco also has the opportunity to identify potential threats to both the security community and customers. As trusted advisors in the security sphere, InfoSec establishes policies and governance based on intelligence and analytics.
“We’re open to sharing,” says Ramamoorthy, “and we’re comfortable talking about security. Companies need to be comfortable talking about security to keep up with the threat landscape.”
Cisco researches and shares findings in the Cisco Annual Security Report as well as at industry conferences. Cisco Security Intelligence Operations (SIO) provides early-warning intelligence, threat, and vulnerability analysis. One component of SIO is Cisco SensorBase, which captures global threat telemetry data into a centralized location from an exhaustive footprint of Cisco devices and services. After the information is analyzed, it is made available to customers. This level of transparency increases Cisco’s visibility and equips the larger security community with the information to help companies adapt their security strategies.
Collaboration with Business Units
As the business and technology landscape evolves, being able to communicate and collaborate within Cisco is integral for InfoSec to successfully protect people, process, and technology. One of the key differentiators of InfoSec is its active involvement with several key organizations within the company, including IT, human resources, finance, and employee services. InfoSec partners with these business units as a trusted advisor on security practices and guidelines. Maintaining solid communication with the organization allows InfoSec to drive new capabilities and accountability within business functions. Some of the proactive ways in which InfoSec advises on policies for people, processes, and technology include:
● Pervasive Security Accelerator (PSA)
● Product development process consulting
● Customer briefings, presenting at conferences
The PSA is a CIO-led initiative to develop broad-ranging security capabilities - people, process, and technology - to address the security needs of the enterprise. Staff roles including Security Primes and Partner Security Architects have been established with commensurate training programs to develop the security skillset in IT. Paired with metrics programs, we gain the visibility and accountability to address security in all IT services.
The human element is always integral to achieving security. Two themes have arisen in the network security field when mitigating targeted threats: compromised endpoints through malware and compromised user credentials.
“The trend of going after endpoints and then compromising user credentials is rising because it’s an easy way to bypass traditional perimeter security controls,” says Dave Jones, InfoSec architect at Cisco. “We need to enable the human shield to allow users to be more aware of what they should or shouldn’t click on, and then easily report it.”
As part of the PSA, proactive education and awareness campaigns have been introduced. The exploitation of trust is a common mode of operation for online attackers and other malicious actors, and Cisco has been successfully educating employees about certain behaviors to protect their Cisco credentials. For example, at the beginning of July 2013, InfoSec launched an employee awareness campaign that simulated a series of phishing emails. The campaign was done in collaboration with corporate communications, IT enterprise messaging, the IT desktop organization, and the global help desk.
Initially, phishing emails were sent to a few small target groups in IT. Over time, InfoSec has expanded the campaign company-wide to more than 138,000 users. The campaign educates and creates awareness about the threats that phishing emails pose to the company and to employees.
“Part of this process includes immediate education if a user clicks on a suspect link,” says Dave Vander Meer, InfoSec program manager at Cisco. “They are directed to an awareness webpage that specifically identifies what parts of the suspect email should indicate it as a phishing email. We’ve built a baseline of awareness and worked from there over time.”
Additionally, InfoSec partners with employee services and other internal organizations to offer email guidelines that enable legitimate communications to reach users. “It’s an effective campaign in generating awareness,” says Jones.
With a seat at the product development table, InfoSec’s main objective is to consider past and present security models and correlate them with current security requirements.
“We’ve given early feedback in product development, and we’re working with the IT infrastructure organization in the design phase,” says Ramamoorthy. “We find a balance and really understand what sort of change we can drive that improves security yet balances the needs of the business and users.”
By working with Cisco’s services organizations and product business units, Cisco is able to position its products and services to help customers and protect data. Combined with intelligence, InfoSec is using core competencies including threat detection, mitigation, and business and technology architecture, to not only help the business, but to inform and protect customers as well.
Dynamic policies based on context (user, devices, location), content (data sensitivity), and threats will pave the way forward in adaptive and intelligent security. Enabled for both on-premises and cloud-based services, technologies such as ISE and ACI are setting the foundation to evolve our security for the future. To achieve this level of understanding and keep aligned, InfoSec relies on partnerships with different business units within Cisco, including IT.
Collaboration and transparency allow InfoSec to capture the intelligence required to monitor and protect not only the infrastructure, but the data within that infrastructure, through a blend of practice, policy, process, architecture, and technology.
“Developing a security mindset within business units like the one we have with IT is one of many ways we will drive change and better security,” says Ramamoorthy.
For More Information
To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.
Cisco Annual Security Reports: http://www.cisco.com/c/en/us/products/security/annual_security_report.html
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.