Is the product safe to use? I have been asked this question on occasion in a non-technical sense and maybe you have too. In a technical context, I could frame the question as “Are the online services and underlying technologies supporting my services safe?”  A continuous effort must go into substantiating the preferable answer (“Yes”) that we are looking for, both prior to and after releasing a product or service into the wild. Security Intelligence Operations (SIO) includes a team of network security experts that form the Security Technology Assessment Team (STAT). They provide security assessment expertise across Cisco’s product and services organizations. In this article, I elaborate on their role and how they complement product and services organizations at Cisco in helping to protect you, our customer.

In the not-so-distant past it used to be that the majority of notoriety around product security was focused more around physical aspects. For example, a manufacturer announces a product recall about a defect (i.e. vulnerability) that could cause potential physical harm or worse. Fast-forward to today where computing devices and associated Internet plumbing comprise an entirely distinct category of product security needed.  Within that category, I would also suggest that services and the underlying supporting infrastructure would also fall into this category in the ongoing quest for achieving network security.  I think that this quote from a U.S. government hearing underscores the value of that quest as well.

“When we bring in new technologies, we bring in new exposures and new vulnerabilities, things we really haven’t thought about. It takes a little while before we understand it, and after a while we begin to secure it. But our mindset needs to change. This is not the same as industrial technologies or new ways of doing aircraft or cars. These technologies are global and they expose us globally, literally within milliseconds.”

House of Representatives Hearing on Cybersecurity: Emerging Threats, vulnerabilities, and challenges in securing federal information systems

Business units and quality assurance groups at Cisco apply multi-level security processes throughout the development of products and services to ensure that security is embedded into everything that is ultimately delivered to customers. For example, Cisco’s secure development life cycle (SDL) provides a highly effective process in detecting and preventing security vulnerabilities and improving overall system quality.  Cisco SDL has several elements that include, but not limited to, source code analysis and white box testing that feed into the security posture of a product or service.  Cisco has a security advocates program, a virtual community of people who understand network security and secure product development (and testing) and who can share and evangelize that knowledge with their peers, their colleagues, and their management.

Read More »

Tags: Cisco Security, Cisco Security Intelligence Operations, cisco sio, cybersecurity, secure software, security to of mind, vulnerability

Create community. Drive cross company collaboration. Raise the corporate security consciousness. Educate! These were the major themes present at the synergistic 5^th annual Cisco SecCon held December 5-6, 2012, at Cisco’s corporate headquarters in San Jose, CA. The senior leadership team in the Security and Government Group had a clear and present message for the Cisco Engineering community: Security is the differentiator for Cisco! Building and developing our corporate security awareness and driving it into our DNA is part of what makes Cisco—a company dedicated to continuous improvement—unique as a top industry leader.

The message is clear: security must be pervasive in every aspect of every product we design, develop, and deploy. It’s what our customers expect, and SecCon is one of the major delivery vehicles for creating a unified front within the engineering community as part of Cisco’s evolution towards the Internet of Everything. The more the world becomes interconnected, the more important it is that product designers, developers, testers, and implementers are aware and educated about the importance of the security mindset. How we think about security dictates how we act. This is something the Cisco leadership team is keenly aware of, and their intent to mature security capabilities and features into our entire product line is evident as they work to bring together industry security advocates to drive change and continuous improvement at the annual SecCon conference. Read More »

Tags: cisco-seccon-2012, SecCon, secure software, security, software security

Security events, such as vulnerabilities and threats, that are detected globally continue to grow and evolve in scale, impact, diversity, and complexity. Compounded with this is the other side of the coin, the unreported or undetected events waiting in the wings, hovering below the radar in a stealthy state. With all of the security technologies at our disposal, are they sufficient enough to provide effective protection? Well, it is certainly a good start when applied correctly. At a summary level, Cisco’s Security Intelligence Operations (SIO) approach to this challenge was covered in the Network World feature article, “Inside Cisco Security Intelligence Operations.” However, one of the core human elements, which I will introduce, that deserves closer attention is the role of security analyst. In addition, this article provides those of you with career interests some additional insight into working in the IT security field.

Read More »

Tags: advisories, Cisco, cyber security, cybersecurity, exploits, intellishield, secure software, security, security management, vulnerability

In an effort to reduce costs and improve operational efficiency, organizations of all sizes have begun compressing their firewall and other security services into smaller form factors and fewer physical units. Many small and midsized companies have opted for UTMs to run all of their security on a single box. Unfortunately, UTMs have failed to deliver on their promise to deliver true multi-service security. Most UTMs do one or two things really well, but add all the other services as “checkbox” items just to say they have it. Read More »

Tags: ASA, Cisco Security, Cloud Computing, cybersecurity, data security, firewall, identity, RSA 2012, secure software, security