Cisco Blogs

Cisco Blog > Retail

Security Steps to Take in the Holiday Season – and Beyond

Retail companies face a landscape filled with growing and increasingly complex threats. And the financial impact of these breaches is soaring.

There are obvious financial incentives for attacking retailers because they typically don’t spend as much on security as financial institutions or government organizations, so they’ve become easy targets in recent years. According to Gartner, retailers spend about four percent of their IT budgets on cybersecurity, while financial services and health organizations spend 5.5% and 5.6% respectively. This is critical as the number of shoppers on Black Friday and throughout the holiday season continues to grow through different omnichannel opportunities. We have to be concerned and diligent because:

  • Financial organizations spent as much as $2,500 per employee on cybersecurity in 2014, while retailers only spent about $400 per employee.
  • AppRiver Global Security Report shows that 10 of the top 20 data breaches in 2015 were retailers.
  • According to research conducted by the Ponemon Institute in partnership with IBM, the average cost for each lost or stolen record has also increased. According to the study, the cost per record increased by more than 9%, from $136 per record in 2013, to $145 per record in 2014; and those numbers are still higher in the U.S., where the average cost for each lost or stolen record is $201.

Read More »

Tags: , , , , , , , ,

Snort your way to PCI compliance

When organizations look to secure their retail stores, branches, or points-of-sale, meeting the required mandates for Payment Card Industry (PCI) security compliance quickly becomes the number one prioritized focus area.  In fact, the 2015 Verizon PCI compliance report demonstrates this when it states that the number of companies that fully complied with the payment card industry (PCI) security standards during 2014 rose to 20 percent from about 11% in 2013. While this standalone increase in compliance is great, Verizon also notes that less than a third of the companies were fully compliant a year later after successful validation. The major takeaway here is that it is unfortunately easy to fall out of compliance if organizations don’t take the appropriate steps to maintain their security.  With 69% of consumers admitting that they will be less inclined to do business with a breached company, it is increasingly important for reaching and maintaining PCI compliance to be one of the highest priorities for organizations.

PCI Requirement 11 demands that organizations have a sustainable network and application vulnerability management program and that evaluates the overall effectiveness of security measures in place across the organization.  In a very telling sign, most organizations that suffered a breach were not compliant with Requirement 11.  Intrusion detection and prevention systems (hereafter, “IPS”) technology play a critical role in helping meet PCI compliance by monitoring all traffic in the cardholder data environment and issuing timely alerts to suspected compromises. Of course, simply having the technology is not enough.  Considering many organizations fall out of compliance due to maintenance, it is absolutely critical that IPS engines are updated with new signatures and rule sets to ensure that new threats are stopped.


Here, at Cisco, we’re happy to announce that our Cisco Integrated Services Router (ISR) 4000 Series  now come equipped with Snort IPS to help customers meet these PCI-compliance requirements at the branch. Read More »

Tags: , , ,

CCIE : ITD and RISE in CCIE Data Center

ITD and RISE are now part of CCIE Data Center:

Intelligent Traffic Director (ITD) is a hardware based multi-terabit layer 4 load-balancing, traffic steering and services insertion solution on the Nexus 5k/6k/7k/9k series of switches.

Domain Written Exam (%) Lab Exam (%)  
1.0 Cisco Data Center L2/L3 Technologies 24% 27% Show Details
2.0 Cisco Data Center Network Services 12% 13% Hide Details
2.1 Design, Implement and Troubleshoot Service Insertion and Redirection

  • 2.1.a Design, Implement and Troubleshoot Service Insertion and Redirection for example LB, vPATH, ITD, RISE

2.2 Design, Implement and Troubleshoot network services

  • 2.2.a Design, Implement and Troubleshoot network services for example policy drivenL4-L7 services
3.0 Data Center Storage Networking and Compute 23% 26% Show Details
4.0 Data Center Automation and Orchestration 13% 14% Show Details
5.0 Data Center Fabric Infrastructure 18% 14% Show Details
6.0 Evolving Technologies 10% N/A Show Details


To learn about RISE (Remote Integrated Services Engine), please see:

To learn about ITD (Intelligent Traffic Director), please see:


Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Server Load balancing with NAT, using Nexus switches: ITD

Server load balancer (SLB) has become very common in network deployments, as the data & video traffic are expanding at rapid rate. There are various modes of SLB deployments today. Application load balancing with network address translation (NAT) has become a necessity for various benefits.

Cisco Intelligent Traffic Director (ITD) is a hardware based multi-terabit layer 4 load-balancing and traffic steering solution on the Nexus 5k/6k/7k/9k series of switches.

With our latest NX-OS Software 7.2(1)D1(1) (also known as Gibraltar MR), ITD supports SLB NAT on Nexus 7k series of switches.

In SLB-NAT deployment, client can send traffic to a virtual IP address, and need not know about the IP of the underlying servers. NAT provides additional security in hiding the real server IP from the outside world. In the case of Virtualized server environments, this NAT capability provides increased flexibility in moving the real servers across the different server pools with out being noticed by the their clients. With respect health monitoring and traffic reassignment, SLB NAT helps applications to work seamlessly without client being aware of any IP change.

ITD won the Best of Interop 2015 in Data Center Category.


ITD provides :

  1. Zero latency load-balancing.
  2. CAPEX savings : No service module or external L3/L4 load-balancer needed. Every Nexus port can be used as load-balancer.
  3. IP-stickiness
  4. Resilient (like resilient ECMP), Consistent hash
  5. Bi-directional flow-coherency. Traffic from A–>B and B–>A goes to same node.
  6. Monitoring the health of servers/appliances.
  7. Handles unlimited number of flows.

Documentation, slides, videos:

Email Query or

Connect on twitter: @samar4

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Anomaly vs Vulnerability Detection Using Cisco IPS

The Cisco IPS network based intrusion prevention system (NIPS) uses signatures to detect network-based attacks. Signatures can be created in a variety of engines based on the type of network traffic being inspected. Cisco signatures have very flexible configurations. In this blog post, I will discuss the trade-offs between two basic approaches for signature configuration: anomaly detection and vulnerability detection.

With Cisco IPS, anomaly detection is a broad approach of detecting malicious network activity. Signatures written to detect broad categories of anomalous activity will catch many different attack vectors, but at a cost. The parameters of a signature designed to detect an anomaly will often put a strain on the system running Cisco IPS in the form of memory or CPU usage, limiting the number of signatures that may be enabled. They also carry a high false positive risk due to their broad approach.

Vulnerability based signatures are targeted and require less overhead. These signatures normally target one or more attack vectors associated with a specific CVE. Their engine parameters typically use less memory and impact the CPU performance less on the IPS device, permitting more signatures to be active. They also allow the user to finely tune the configuration based on the types of vulnerable systems in a user’s network. False positive risk is low if the active signature set is tuned for a user’s network environment. Read More »

Tags: , ,