Cisco's Internal Approach to Cyber Security

According to industry statistics, ninety-five percent of cyber security attacks are launched from outside an organization's network, sixty-nine percent incorporate some sort of malware in the attack, and fully eighty-five percent of attacks go unnoticed for two or more weeks. These are the sorts of statistics that illustrate the growing trend in the kind of low-profile, targeted, and sophisticated attacks that pose some of the greatest challenges to ICT security operations.

When it comes to cyber security threats, Cisco has a pretty big attack surface. Cisco is a 46 billion dollar company, employing over 65,000 employees, with over 600 office buildings spread across 95 countries. Cisco has a culture of open collaboration, implements a BYOD program, leverages a mix of community and public cloud services, integrates with partner and supplier networks, and, like many organizations, Cisco is under constant threat from cyber-attacks.

In fact, Cisco sees over 2.6 trillion events every day. A lot of these events are indicators of normal activity, some suspicious behavior, some attacks, and some the kind of advanced, campaign-based threats that pose the greatest danger to our business. Cisco is certainly not alone in seeing numbers like this. Similar to other organizations, the challenge is not just finding a needle in a haystack, but finding a needle in a needle-stack: being able to divine which threats are the ones Cisco really needs to worry about.

The Cisco Security Incident Response Team, known as CSIRT, is responsible for protecting Cisco's global ICT infrastructure. CSIRT operations are organized around three pillars: detecting, analyzing, and preventing attacks.

In order to detect attacks and threats, the CSIRT monitors Cisco's ICT infrastructure on a 24x7 basis. In addition to responding to attacks, the operations and analysis staff conduct triage, risk assessment, and forensic investigations. The output of this work feeds into continual improvement of Cisco's security posture and monitoring capabilities. Nothing here is terribly unusual or different from many security operations.

But the key capability that makes Cisco's security operations effective is intelligence. Intelligence, in a computer security sense, is the ability to mitigate future attacks based on knowledge of the threat. That's not my definition, but I think it's a good one.

From a CSIRT perspective, we divide intelligence into three general categories: Native, Commercial, and Collaborative.

Native intelligence is contextualized information derived from Cisco's own internal environment and infrastructure. For example, we use metadata from the traffic flowing through our network to detect anomalous patterns of behavior. These anomalous patterns are correlated with a user's identity, role, and access rights in order to understand not just whether there is a threat, but the potential impact of that threat.

Commercial intelligence is the information we buy from external sources. This includes things like big lists of bad addresses, domain reputations, attack signatures, and the like. We get information from many sources, including those companies considered competitors on the sales side.

Collaborative intelligence is the information we exchange on a human-to-human level by engaging regularly with relevant companies and industries, government agencies, and security forums and organizations. These engagements are where we share information about the nature of the attacks we are collectively seeing. For example, we've had a long-standing relationship with Microsoft. Analysts from our respective companies get together on a regular basis to discuss the details of threat indicators. We also meet with government agencies like the FBI and Department of Homeland Security.

Native, commercial, and collaborative intelligence represent valuable and important sources of information. However, none of it would be terribly useful if we didn't harness it in our security operations. It's good to have information, but it's only useful when it's built into a security practice. That means establishing the right organizational structures, implementing intelligence-driven operations, and training staff how to properly interpret and use intelligence information. Intelligence is a capability that needs to be woven into every relevant aspect of security.

When it comes to native and commercial intelligence, the biggest advantage is that it helps filter out the known bad stuff, reducing the amount of threats our analysts have to sift through. That is, it enables a level of automation in our security systems to separate the wheat from the chaff. So things like firewalls, intrusion protection sensors, anti-virus software, etc. are all important. But they represent a baseline detection and enforcement capability that frees up analysts to focus on the truly hard problems.
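The two ideas above, matching events against purchased indicator lists so known-bad traffic is handled automatically, and correlating the remaining anomalies with a user's identity, role, and access rights to estimate impact, can be sketched as a small two-stage triage. The following is an added illustration written for this page, not Cisco's or CSIRT's code; the indicator lists, the user directory, the flow records, and the 1,000,000-byte egress baseline are all constructed for the example.

```python
"""Toy intelligence-driven triage (constructed example, not production code).

Stage 1 ("commercial" intelligence): match each flow record against known-bad
indicator lists so that known threats are handled automatically.
Stage 2 ("native" intelligence): for what remains, flag anomalous per-user
egress volume and weight it by the user's role/access rights to estimate
potential impact, so analysts see the highest-impact unknowns first.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-ins for purchased indicator feeds (hypothetical values;
# 203.0.113.0/24 is a documentation range, bad.example is a reserved TLD).
KNOWN_BAD_IPS = {"203.0.113.7"}
KNOWN_BAD_DOMAINS = {"bad.example"}

# Constructed directory data: user -> (role, access weight).
# A higher weight means the account reaches more sensitive systems.
USER_ROLES = {
    "alice": ("engineer", 2),
    "bob": ("finance-admin", 5),
    "carol": ("contractor", 1),
}


@dataclass
class Flow:
    """One flow-metadata record: who talked to what, and how much left."""
    user: str
    dst_ip: str
    dst_domain: str
    bytes_out: int


# Constructed flow metadata (not real traffic data).
SAMPLE_FLOWS = [
    Flow("alice", "198.51.100.10", "updates.example", 120_000),
    Flow("alice", "198.51.100.11", "updates.example", 90_000),
    Flow("bob", "198.51.100.20", "mail.example", 80_000),
    Flow("bob", "198.51.100.21", "files.example", 9_500_000),  # unusually large egress
    Flow("carol", "203.0.113.7", "bad.example", 5_000),        # hits an indicator list
    Flow("carol", "198.51.100.30", "cdn.example", 60_000),
]


def match_indicators(flows):
    """Stage 1: split flows into (known_bad, unknown) using the indicator lists."""
    known_bad, unknown = [], []
    for f in flows:
        if f.dst_ip in KNOWN_BAD_IPS or f.dst_domain in KNOWN_BAD_DOMAINS:
            known_bad.append(f)
        else:
            unknown.append(f)
    return known_bad, unknown


def egress_by_user(flows):
    """Total outbound bytes per user."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.user] += f.bytes_out
    return dict(totals)


def score_anomalies(flows, baseline_bytes=1_000_000):
    """Stage 2: users whose egress exceeds a baseline, weighted by access rights.

    baseline_bytes is a constructed threshold; a real deployment would derive
    a per-user baseline from that user's own history rather than a constant.
    """
    findings = []
    for user, total in egress_by_user(flows).items():
        if total <= baseline_bytes:
            continue
        role, weight = USER_ROLES.get(user, ("unknown", 1))
        ratio = total / baseline_bytes  # how far above normal
        findings.append({
            "user": user,
            "role": role,
            "bytes_out": total,
            "score": round(ratio * weight, 2),  # anomaly size x access sensitivity
        })
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def triage(flows):
    """Run both stages: automate the known bad, rank the unknown for analysts."""
    known_bad, unknown = match_indicators(flows)
    return {
        "auto_blocked": [(f.user, f.dst_ip, f.dst_domain) for f in known_bad],
        "analyst_queue": score_anomalies(unknown),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_FLOWS)
    for item in result["auto_blocked"]:
        print("indicator match (automated):", item)
    for finding in result["analyst_queue"]:
        print("analyst review:", finding)
```

The point of the split is the one the text makes: indicator matching is cheap and mechanical, so it belongs in the automated layer, while the role-weighted score is what turns "this user sent a lot of data" into "a finance-admin account sent a lot of data", which is the question an analyst actually needs answered first.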

Collaborative intelligence is what enables our security operations, at the level of human analysis, to more effectively address the truly hard problems. Exchanging information with like-minded organizations gives our analysts clues and insight as to what strings to tug on in order to begin pulling apart the Gordian knot of sophisticated, campaign-based attacks. It also improves the tools we have at our disposal. It's not always about buying new tools, but about making better use of the ones we have. Collaborative intelligence helps our analysts point the tools in the right places and better interpret and contextualize the information they get out.

Modern threats from criminal behavior and advanced, campaign-based attacks pose enormous challenges. But there's no magic box when it comes to security. We find that the products out there today do a better job of catching known threats and enforcing security policy. They enable us to better adopt capabilities like BYOD and cloud. But at the same time, these capabilities open up new vulnerabilities and opportunities for attack, and so the goalpost keeps moving.

Our experience shows that effective security, no matter how good the products get, requires an intelligence-led approach to security operations. So my message to you is to build collaborative relationships with relevant companies in your industry, engage the security organizations at companies like Cisco, and focus on building security operations that value and use intelligence as a strategic capability.

Sincerely,

Joshua R. McCloud
Cisco's Cyber Security Expert

Copyright © 2012 Cisco. All Rights Reserved.