Cisco Blogs

Cisco Blog > Security

Anomaly vs Vulnerability Detection Using Cisco IPS

The Cisco IPS network based intrusion prevention system (NIPS) uses signatures to detect network-based attacks. Signatures can be created in a variety of engines based on the type of network traffic being inspected. Cisco signatures have very flexible configurations. In this blog post, I will discuss the trade-offs between two basic approaches for signature configuration: anomaly detection and vulnerability detection.

With Cisco IPS, anomaly detection is a broad approach of detecting malicious network activity. Signatures written to detect broad categories of anomalous activity will catch many different attack vectors, but at a cost. The parameters of a signature designed to detect an anomaly will often put a strain on the system running Cisco IPS in the form of memory or CPU usage, limiting the number of signatures that may be enabled. They also carry a high false positive risk due to their broad approach.

Vulnerability based signatures are targeted and require less overhead. These signatures normally target one or more attack vectors associated with a specific CVE. Their engine parameters typically use less memory and impact the CPU performance less on the IPS device, permitting more signatures to be active. They also allow the user to finely tune the configuration based on the types of vulnerable systems in a user’s network. False positive risk is low if the active signature set is tuned for a user’s network environment. Read More »

Tags: , ,

Cognitive Threat Analytics – Transparency in Advanced Threat Research

Cisco Cognitive Threat Analytics is a security analytics product that discovers breaches in Cisco customer’s networks by means of advanced statistical analysis, machine learning and global correlation in Cisco security cloud. Attached to Cloud Web Security (CWS) and Web Security Appliances (WSA), it is also capable of integrating the non-Cisco data sources in order to help the broadest possible set of clients.

Our team discovers tens of thousands of ongoing malware infections (aka breaches) per day. These findings are delivered in a customer-specific report or directly into customer’s SIEM system. The customers can easily identify and re-mediate breaches, get to the root cause and apply policy changes that minimize the risk of further infections in the future. Read More »

Tags: , ,

Trust Me: Cisco Hearts Video


I was recently talking to an industry colleague about how incredibly focused we are, as a company, on the video marketplace. I meant it, so I was surprised to see the eyebrow-spiked reaction and their response: “How can you say that, when you just unloaded your CPE including set-top boxes, modems, etc.?”

It kind of floored me, because to me it was obvious. But I realize this is a question many may be asking. My response is this: The decision to sell our set-top, gateway, and overall CPE line to Technicolor wasn’t a separation from video. It was Cisco recognizing that for that part of our business to be at its healthiest and most productive, it was better off in an environment focused on building CPE hardware at scale – which is what Technicolor does.

Watching Video


Cisco is laser focused on three core tenets: Read More »

Tags: , , , , , , , , , ,

ITD: Load Balancing, Traffic Steering & Clustering using Nexus 5k/6k/7k/9k

Cisco Intelligent Traffic Director (ITD) is an innovative solution to bridge the performance gap between a multi-terabit switch and gigabit servers and appliances. It is a hardware based multi-terabit layer 4 load-balancing, traffic steering and clustering solution on the Nexus 5k/6k/7k/9k series of switches.

It allows customers to deploy servers and appliances from any vendor with no network or topology changes. With a few simple configuration steps on a Cisco Nexus switch, customers can create an appliance or server cluster and deploy multiple devices to scale service capacity with ease. The servers or appliances do not have to be directly connected to the Cisco Nexus switch.

ITD won the Best of Interop 2015 in Data Center Category.

With our patent pending innovative algorithms, ITD (Intelligent Traffic Director) supports IP-stickiness, resiliency, consistent hash, exclude access-list, NAT (EFT), VIP, health monitoring, sophisticated failure handling policies, N+M redundancy, IPv4, IPv6, VRF, weighted load-balancing, bi-directional flow-coherency, and IPSLA probes including DNS. There is no service module or external appliance needed. ITD provides order of magnitude CAPEX and OPEX savings for the customers. ITD is much superior than legacy solutions like PBR, WCCP, ECMP, port-channel, layer-4 load-balancer appliances.

ITD provides :

  1. Hardware based multi-terabit/s L3/L4 load-balancing at wire-speed.
  2. Zero latency load-balancing.
  3. CAPEX savings : No service module or external L3/L4 load-balancer needed. Every Nexus port can be used as load-balancer.
  4. Redirect line-rate traffic to any devices, for example web cache engines, Web Accelerator Engines (WAE), video-caches, etc.
  5. Capability to create clusters of devices, for example, Firewalls, Intrusion Prevention System (IPS), or Web Application Firewall (WAF), Hadoop cluster
  6. IP-stickiness
  7. Resilient (like resilient ECMP), Consistent hash
  8. VIP based L4 load-balancing
  9. NAT (available for EFT/PoC). Allows non-DSR deployments.
  10. Weighted load-balancing
  11. Load-balances to large number of devices/servers
  12. ACL along with redirection and load balancing simultaneously.
  13. Bi-directional flow-coherency. Traffic from A–>B and B–>A goes to same node.
  14. Order of magnitude OPEX savings : reduction in configuration, and ease of deployment
  15. Order of magnitude CAPEX savings : Wiring, Power, Rackspace and Cost savings
  16. The servers/appliances don’t have to be directly connected to Nexus switch
  17. Monitoring the health of servers/appliances.
  18. N + M redundancy.
  19. Automatic failure handling of servers/appliances.
  20. VRF support, vPC support, VDC support
  21. Supported on all linecards of Nexus 9k/7k/6k/5k series.
  22. Supports both IPv4 and IPv6
  23. Cisco Prime DCNM Support
  24. exclude access-list
  25. No certification, integration, or qualification needed between the devices and the Cisco NX-OS switch.
  26. The feature does not add any load to the supervisor CPU.
  27. ITD uses orders of magnitude less hardware TCAM resources than WCCP.
  28. Handles unlimited number of flows.

For example,

  • Load-balance traffic to 256 servers of 10Gbps each.
  • Load-balance to cluster of Firewalls. ITD is much superior than PBR.
  • Scale IPS, IDS and WAF by load-balancing to standalone devices.
  • Scale the NFV solution by load-balancing to low cost VM/container based NFV.
  • Scale the WAAS / WAE solution.
  • Scale the VDS-TC (video-caching) solution.
  • Scale the Layer-7 load-balancer, by distributing traffic to L7 LBs.
  • ECMP/Port-channel cause re-hashing of flows. ITD is resilient, and doesn’t cause re-hashing on node add/delete/failure.

Documentation, slides, videos:

Email Query or

Please note that ITD is not a replacement for Layer-7 load-balancer (URL, cookies, SSL, etc). Please email: for further questions.

Connect on twitter: @samar4

Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Security Beyond the Sandbox

A few years ago sandboxing technology really came of age in the security industry. The ability to emulate an environment, detonate a file without risk of infection, and analyze its behavior became quite a handy research tool. Since then, sandboxes have become relatively popular (not nearly on the same scale as anti-virus or firewalls) and can be found in larger organizations. You may even have purchased a sandbox a few years ago, but it’s likely that your malware analysis needs have gone beyond the traditional sandboxing technologies that simply extract suspicious samples, analyze in a local virtual machine, and quarantine.

It’s time to go beyond using sandboxing as a standalone capability in order to get the most out of it. You need a more robust malware analysis tool that fits seamlessly into your infrastructure and can continuously detect even the most advanced threats that are environmentally aware and can evade detection.

There are three typical ways that organizations purchase and deploy sandbox technology.

  1. A stand-alone solution designed to feed itself samples for analysis without dependency on other security products. This has the most flexibility in deployment but adds significant hardware costs and complexity to management and analysis, especially for distributed enterprises.
  2. A distributed feeding sensor approach, such as firewalls, IPS, or UTMs with built-in sandboxing capabilities. These solutions are usually cost effective and easy to deploy but are less effective in detecting a broad range of suspicious files including web files. They can also introduce bandwidth limitations that can hamper network performance and privacy concerns when a cloud-based solution is the only option.
  3. Built into secure content gateways, such as web or email gateways. This approach is also cost effective but focuses on web and email channels only and also introduces performance limitations and privacy concerns.

But there’s a fourth way that actually takes the best of what these approaches offer and raises the bar to help you fight well-funded attackers that get better at what they do every day: Cisco AMP Threat Grid. Through AMP Threat Grid, Cisco offers advanced malware analysis and intelligence that delivers a better ROI, better integration, and more visibility into what is happening in your environment. Don’t take my word for it, though. The Center for Internet Security recently described how they are using it to analyze malware samples from more than 19,000 state, local, tribal, and territorial governments.

AMP Threat Grid is available as an on-premises standalone malware analysis solution and as a cloud-based SaaS solution that provides a REST API to automate sample submissions from a wide range of technologies you have already invested in, including:

  • Firewalls and Unified Threat Management (UTM) devices from the most popular vendors, including, of course, Cisco ASA
  • Gateways for both Email and Web traffic
  • Proxy Servers
  • Security Information and Event Management (SIEM) systems
  • Governance, Risk, and Compliance (GRC) tools
  • And numerous others

Cisco has already integrated AMP Threat Grid’s malware analysis capabilities into AMP for Endpoints. This provides advanced malware analysis as part of AMP’s powerful continuous analysis and retrospective security capabilities. AMP Threat Grid is also integrated into Cisco Email and Web security solutions, providing more eyes in more places. Watch this video to hear how ADP have integrated AMP Threat Grid into their business to become an intelligence-led security organization

Each of these solutions eliminates cost and complexity while offering the ability to analyze a broad range of suspicious objects automatically, including executables, libraries (DLLs), Java, PDF, MS Office documents, XML, Flash, and URLs. Most submissions are analyzed in an average of 7.5 minutes. Not only does AMP Threat Grid analyze a broad range of objects, but it also provides deep analytics capabilities wrapped with robust context. With over 450 behavioral indicators and a malware knowledge base sourced from around the globe, AMP Threat Grid provides more accurate, context rich analytics into malware than ever before.

All samples are given a threat score based on severity and confidence that provides a quick and easy way for junior security analysts to prioritize actions and make better decisions. The threat score is on a 0-100 range, with 100 being known malware and the rest ranging from suspicious to benign because malware is not a yes or no answer.

Perhaps even most importantly, AMP Threat Grid knows its audience; it has no instrumentation within the virtual environment ensuring that even the most sophisticated environment-aware malware is caught. It’s an essential way to rise to the challenge of advanced attackers.

To hear more about how your organization to move beyond the sandbox, watch this webinar featuring experts from Forrester Research, ADP, and Cisco.

Tags: , , ,