Cisco Blogs



Advantage: Defense, or Several Ways to Level the Playing Field Against Cyber Security Adversaries

I recently contributed a chapter titled “Advanced Technologies/Tactics Techniques, Procedures (TTPs): Closing the Attack Window, and Thresholds for Reporting and Containment” that was published in the anthology Best Practices in Computer Network Defense: Incident Detection and Response, published by IOS Press. In the chapter, I recommend a number of TTPs that can move the cybersecurity balance of power away from adversaries to infrastructure defenders. Acting on the TTPs I propose—including focusing hard work and clear thinking on network security basics—will pay maximum dividends for the cybersecurity defender.

The book’s publishers have graciously granted me permission to reproduce the chapter on the Cisco website, and you are welcome to read it here. Please take a moment to read it and let me know what you think in the form of comments on this blog post.

Thanks in advance for your thoughts and reasonably well considered opinions!


Securing Cloud Transformation through Cisco Domain Ten Framework v2.0

Businesses of all sizes are looking for Cloud solutions to solve some of their biggest business and technology challenges—reducing costs, creating new levels of efficiency, transforming to create an agile environment, and facilitating innovative business models. Along with the promise of Cloud comes a top concern: security. With the rise of applications, transactions and data in the Cloud, businesses are losing control and have less visibility into who and what is moving in and out of the business boundaries.

Any transformation initiative with Cloud, whether private, hybrid or public, that focuses early on security from an architecture, governance, risk, threat and compliance perspective can give the business a compelling return on investment with a faster time to business value – regardless of geography, industry vertical, operational diversity or regulatory needs.

Here, I would like to bring to your attention the Cisco Domain Ten framework v2.0 and my blog on What’s New in Cisco Domain Ten Framework 2.0. Drawing on its hard-won experience of deploying private, hybrid and public Cloud environments, Cisco has developed the Cisco Domain Ten framework and capabilities to help customers accelerate IT transformation.

The Cisco Domain Ten does not prescribe that customers must build each domain into their strategy – rather, it provides guidance on what aspects should be considered, what impacts should be identified, and what relationships exist between domains. With Cisco Domain Ten framework 2.0, we can establish the foundation of a true IT transformation and the factors you need to consider for success. The key is to identify, establish and track strategic, operational and technological outcomes for IT transformation initiatives. A major thrust of the Cisco Domain Ten is to help customers strategize for their transformation vision, standardize their technology components and operational procedures, and automate their management challenges, to deliver on the potential of IT transformation – covering Internet, Branch, Campus and Data Center environments.

Security consistently tops CIOs’ lists of cloud concerns. The security domain highlights identification of security and compliance requirements, along with an assessment of current vulnerabilities and deviations from security best practices for multisite, multitenant physical and virtual environments for one’s IT transformation vision.

Security should be a major consideration in any IT transformation strategy. The architecture should be designed and developed with security for applications, network, mobile devices, data, and transactions across on-premise and off-premise solutions. Moreover, security considerations for people, process, tools, and compliance needs should be assessed by experts who understand how to incorporate security and compliance safeguards into complex IT transformation initiatives.

Security is an integral part of the Cisco Domain Ten framework, applies to all ten domains, and provides guidance to customers on all the security aspects that they need. Ahmed Abro, a Senior Architect from our Security Practice, articulates well in Figure – 1 (Cisco Domain Ten Framework with Security Overlay) that there are security considerations for all ten domains for Cloud solutions.

Figure – 1 Cisco Domain Ten with Security Overlay

Now that we understand how Cisco’s Domain Ten Overlay approach helps one to discuss security for each domain of the Cisco Domain Ten Framework, let’s talk about how Cisco Domain Ten aligns with the Cloud Security Alliance’s (CSA) Cloud Control Matrix, to discuss the completeness and depth of the approach.

CSA Cloud Control Matrix Alignment with Cisco Domain Ten

Application & Interface Security

  • D-8 – Application

Audit Assurance & Compliance

  • D-10 – Organization, Governance, processes

Business Continuity Mgmt & Op Resilience

  • D-10 – Organization, Governance, processes

Change Control & Configuration Management

  • D-10 – Organization, Governance, processes and
  • D-3 – Automation

Data Security & Information Lifecycle Mgmt

  • D-9 – Security and Compliance

Datacenter Security Encryption & Key Management

  • D-9 – Security and Compliance and
  • D-1 – Infrastructure

Governance & Risk Management

  • D-10 – Organization, Governance, processes

Human Resources Security

  • D-10 – Organization, Governance, processes

Identity & Access Management

  • D-4 – Customer Interface

Infrastructure & Virtualization

  • D-1 – Infrastructure and Environment and
  • D-2 – Abstraction and Virtualization

Interoperability & Portability

  • D-7 – Platform and
  • D-8 – Application

Mobile Security

  • D-8 – Application and
  • D-1 – Infrastructure and Environment

Sec. Incident Mgmt, E-Disc & Cloud Forensics

  • D-9 – Security and Compliance and
  • D-10 – Organization, Governance, processes

Supply Chain Mgmt, Transparency & Accountability

  • D-10 – Organization, Governance, processes

Threat & Vulnerability Management

  • D-9 – Security and Compliance

Table – 1 CSA Cloud Control Matrix Alignment with Cisco Domain Ten Framework

From the above table, one can see that the Cloud Security Alliance Cloud Control Matrix and Cisco Domain Ten align well. It also highlights the key fact that many areas, such as Mobile Security, require one to focus on Application and Infrastructure (network, virtual servers), etc. to address security needs. One should also note Cisco Domain Ten’s focus on Catalog (Domain 5) and Financials (Domain 6), which highlights security-specific SLA and assurance discussions for security controls.

Now that we have discussed the Cisco Domain Ten approach for security, in the next blog I will try to discuss how Cisco Services’ focus on the strategy, structure, people, process, and system requirements for security can help businesses address an increasingly hostile threat environment and migrate successfully to a secure Cloud-based transformation. We will also discuss the questions businesses ask, or should ask, to understand security and privacy in the vendor’s agreements.

 


Embracing IoT? Security Must Be at the Core

November 25, 2013 at 6:00 am PST

Last month I attended a summit of subject matter experts on securing the Internet of Things (IoT). At first, I thought I had the wrong room, because it seemed that everybody other than me was an architect or engineer working for a device manufacturer, and as a result the conversation was dominated by placing security controls into the devices themselves. In contrast, I tend to approach the issue from the perspective of protecting the core of the network. But just when I was beginning to think I had wasted an hour-long drive and was going to be bored out of my skull all day, a few of us started debating the issue and the conversation began to evolve. Before long, we had found common ground in the fact that security controls are all about trust relationships -- ‘I trust you, therefore I will allow you to do that’.

Now trust is a funny thing, because by its very nature it can neither be one-sided nor one-dimensional. Instead, it must be built into every aspect of the transaction; a sort of “digital handshake” to ensure all is well before doing business. In other words, each of our pre-conceived perspectives was correct, yet we were all being stubborn and short-sighted!

Cisco’s onePK Part 2: Reaching out to a Network Element

Exordium

In the previous installment of the onePK series, you received a crash course on Cisco’s onePK. In this article, you’ll take the next step with a fun little exposé on onePK’s C API. You will learn how to write a simple program to reach out and connect to a network element. This is staple onePK functionality and is the foundation upon which most onePK applications are built.

Preambling Details

The following short program “ophw” (onePK Hello World) is a fully functional onePK application that will connect to a network element, query its system description, and then disconnect. It doesn’t do anything beyond that, but it does highlight some lynchpin onePK code: network element connection and session handle instantiation. This is the foundational stuff every onePK application needs before useful work can get done.

5 Areas of ROI on Data Center Security

As data center operations managers and business owners analyze their budgets to uncover economic headwinds, the importance of deriving ROI from each purchase and initiative is considered.
To better understand the costs and benefits of the Cisco Secure Data Center Solution, we engaged with analyst firm Forrester to interview one of our customers and study its data center security implementation. Here are five areas of ROI that were uncovered in this study:

20% reduction in security threats
The customer noted a reduction in port scanning attacks, denial of service attacks, SQL injection attacks and others. The security team can now spend much more time keeping business systems at optimal performance levels versus reacting to security issues post incident.

25% less time spent mitigating each issue
With automated firewall rule sets, the security team now spends far less time reacting to individual issues and manually updating policies.

50% reduction in help desk calls
A smooth implementation allowed the customer to install additional security without impacting end users.

25% in hardware cost savings
With the ability to cluster multiple modules on a single hardware blade, the customer expects to avoid having to make additional hardware purchases for up to three years. Additional savings stem from having a highly efficient datacenter footprint that will be realized in terms of energy and rack space savings.

Upgrading tasks 50% faster
Built-in security means that the network topology does not have to be retrofitted to accommodate security. The customer can now complete installation, expansion and upgrade tasks 50% faster, meaning that IT security teams can concentrate on more strategic functions instead.

Many times as InfoSec professionals, it can be difficult to associate security investments with ROI, but in today’s world the savvy professional will see that by doing so, it will help to gain funding for other parts of the business you have been dying to invest in.

We’ve created an infographic that illustrates the issues that datacenters face today and how a comprehensive security system can help. Additionally, for more news and discussions, head over to @SecDatacenter or Secure Data Center Trends.