Cisco Blogs


Cisco Blog > Security

Cisco 2014 Annual Security Report: Trust Still Has a Fighting Chance

I spent a good deal of time last week supporting the launch of the Cisco 2014 Annual Security Report. I’m one of the Cisco executive sponsors for the report, which means that while I cannot take credit for writing it, I am significantly involved in setting course, providing advice, and reviewing its findings. The report represents months of collaboration among threat researchers and other cybersecurity experts at Cisco and Sourcefire. Much of the data comes from both our own experience and what we have learned from willing customers. As promised, it provides a “warts-and-all analysis” of security news from 2013 and our perspective for the year. I also commend the writers, editors, and document producers for their hard work, clear thinking, and ability to lead a very complex project over the finish line in good order.

Our report that the cyberthreat and risk landscape has only grown stronger and more complex over the past year is not exactly a revelation, perhaps, but we can perceive some clear trends in the evolution. We now can see that because the cybercrime network has become so mature, far-reaching, well-funded, and highly effective as a business operation that very little in the cybersecurity world can—or should—be trusted without verification.

We also expect adversaries to continue designing campaigns that take advantage of users’ trust in systems, applications, and the people and businesses they know. It’s an effective strategy. How do we know? Because 100 percent of the networks analyzed by Cisco, despite the best efforts of their IT and Security teams, have traffic going to known malware threat sites. Not all traffic going to bad sites means bad things are happening, but as the old saying goes, where there’s smoke there’s usually fire.

The Cisco 2014 Annual Security Report highlights three key challenges organizations will face in the year ahead. These issues are:

  • A growing attack surface area: New ways of doing business—such as cloud computing, mobility, and rapid growth in the number of connected devices—are rapidly expanding the attack surface available to cybersecurity adversaries. Adversaries have myriad inroads to bits and pieces of useful information that pave the way to big time pay dirt. Quite often, they have a very easy path from there to the ultimate destination: the data center, where high-value information resides that can be exploited and monetized.
  • The proliferation and sophistication of the attack model: Companies have become the focus of targeted attacks that are hard to detect, remain in networks for long periods, and exploit network resources to launch attacks elsewhere. Even basic Internet infrastructure services—including web hosting servers, nameservers, and data centers—have become key targets for hackers who want to launch increasingly larger campaigns.
  • Complexity of threats and solutions: Monitoring and managing information security has never been more difficult for security teams. Solutions countering well-understood types of attacks—viruses, worms, data leaks, denial of service, etc.—long relied upon by organizations for cybersecurity, are simply inadequate in today’s complex threat environment where many attacks are not only stealthy, but also relentless.

Just to make things even more difficult, we’ve learned that counterfeit and tampered IT products are a growing security problem. The problem is more serious than phony gear masquerading as premium brand gear. Tampered and bogus goods often include hacker-friendly backdoors and other exploitable weaknesses. Like water pressing against a poorly engineered dam, bad actors will seek out and exploit any security weakness—known vulnerabilities and intentional backdoors—in the technology supply chain.

I’ve written a lot in the past year about what it takes to develop trustworthy systems: building security from the ground up, from the beginning to the end of a product’s life cycle. I’ve also explained how Cisco has invested considerable time, effort, and money in the effort to make our products robust enough for deployment as trustworthy systems. When I talk about trust, my concern goes beyond a narrow focus on our ability to trust technology. Society now depends on information technology to deliver essential services. When that technology ceases to work, or when we can’t trust the services delivered through technology, our social, economic, and cultural fabric unravels.

I wouldn’t be in the security business, however, if I thought the security situation was irrevocably hopeless. As we learn more about how our adversaries work and what they seek to achieve, we improve our ability to limit damage to socially tenable levels. While the Cisco Annual Security Report is a sobering read, it fills me with added determination to contain today’s threats and preempt tomorrow’s traps and pitfalls. I certainly hope it has the same effect on you.

Tags: , , , ,

Cloud-based ITaaS: Transforming IT from Support to Service Brokerage

Cloud computing is more mainstream today than ever before, but it’s important to note that there are still significant opportunities for IT leaders to innovate and leverage cloud delivery options to capture new business opportunities and implement new IT models.

The Evolution of ITaaS: The Convergence of Two Roads

On one hand, traditional private cloud services within customer IT services are driving different degrees of completeness depending on organizational needs. Virtualization, consolidation and on-premise shared services are some of the drivers within the private cloud space.

On the other hand, public cloud services are evolving to include Infrastructure as a Service (IaaS), Software as a Service (SaaS), and Platform as a Service (PaaS).

Today, these two tracks are intersecting to create demand for a hybrid cloud model. While the concept of the “Hybrid” cloud has developed mostly as a consequence of the availability of different cloud services, this same availability is also driving the evolution of IT as a Service.

What does this mean for business? It means that fundamentally, IT is adopting a supply chain management logic by deciding whether to make or buy a specific service based on a variety of organizational goals, market pressures, and available options.

The Ongoing IT Sourcing Strategy: Make vs. Buy 

Read More »

Tags: , , , , , , , , , , ,

A Balanced Approach to Mobile Security

Gartner recently made three interesting predictions about mobility in the workplace. While the ideas are compelling, they only offer one-side of the story, and the solution.

In this blog post, I’ll take a deeper look at each of these predictions and discuss why the future of mobility rests on IT leaders taking a balanced and strategic approach to security that focuses more on protecting the network and proprietary data and less on implementing overly broad restrictions.

Gartner Prediction #1: Twenty percent of BYOD projects will fail by 2016 due to IT’s “heavy hand.”

While the actual failure rate may be less than one-fifth, mobility efforts will fail if companies are too restrictive with MDM policies. Instead, a two-fold approach to supporting a BYOD environment from a security perspective is essential.

First, IT leaders should take a balanced approach to security that protects business-imperative network solutions and data. In most cases, blocking Angry Birds and Candy Crush is unnecessary and not scalable. With Apple and Google supporting over a million apps each (and counting), it can cost precious time and IT resources just trying to keep up with restricting non-threatening applications.

Secondly, IT leaders should be focused on encouraging users to use secure solutions. This will only grow more important as the explosion of new connections and various devices evident in today’s Internet of Everything world creates more opportunity for malicious actors to utilize even more inroads to compromise users, networks, and data. By educating employees to take an active role in the security of their device, users can be empowered to report suspicious threats and have an open dialogue with IT teams. Read More »

Tags: , , , , , , , , , , , ,

Cisco CMX @ NRF 2014

NRF1

NRF 2014 was held last week at the Javits Centre in New York City. It’s the biggest retail event of the year where vendors show off the future of the industry to all the delegates both using inspiring key notes and exciting demos on the Expo floors.

2014 and beyond:

It wasn’t too hard to identify that there were some common themes. On Tuesday afternoon I stood on the main Expo floor and just looking around I could quickly see the industry’s top of mind phrases and buzz words popping out:

“Omni channel”,”Onmianalytics”, “Predictive”, “Insights”, “Customer science and Analytics”, “Precise Location Matters”, “Analyze Decide”, “Mobilize”, “Mobility solutions”, “Big data”, “Customer engagement”, “Adaptive offers”, “Personalized customer experience”, “Customer Experience Analytics”

We certainly are entering the era where using data, analytics and personalization is no longer just an interesting notion or “nice to have” for retail – it is now the KEY thing companies MUST do.

And a big common theme is that mobile is exploding and changing things rapidly, so retailers either need to keep up or inevitably fall behind their competitors. Read More »

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Summary: Next Gen IT Predictions: 2014 and Beyond

2014 will be a year that builds on the momentum of mobile, cloud, the Internet of Things (IoT) and the Internet of Everything (IoE). How can your organization realize value from today’s new model for IT?

Here’s my take on the trends we will see over the next twelve months:

  1. Increasing urgency to manage our zettabyte-driven world.
  2. The need for hybrid cloud adoption.
  3. A revolution in software and new IoE platforms.
  4. The rise in thinking about security holistically.
  5. The Internet of Me finally arrives: real personalized, mobile, cloud-based experiences.
  6. The Internet of Everything is happening now.

If you think technology has infiltrated your life, just wait. You can feel the potential for monumental change as we begin to interconnect the physical and virtual worlds.

Read the full blog: Next Gen IT Predictions: 2014 and Beyond to learn more about each trend and discover how your organization can realize the benefits of the Internet of Everything.

Next Gen IT Predictions : 2014 and Beyond from Cisco Business Insights

 

Tags: , , , , , , , , , , , ,