Last year was in many ways a crux year for information security, and I can vividly remember myriad conversations with colleagues from Cisco and other companies at RSA 2011 about the then recent spate of compromises and incidents. Although the intense media focus on high-profile compromises arguably seems to have abated somewhat in early 2012, that doesn’t mean that the threat landscape has changed for the better – if anything, it has become even more complex, a fact highlighted in Cisco’s 2011 Annual Security Report and 2Q11 Global Threat Report, both available from www.cisco.com/security.
As the manager of Cisco’s Security Posture Assessment (SPA) team, I have seen an overall improvement in our customers’ security postures over the past year as organizations have been forced to adapt to this threat landscape, but that doesn’t mean that we can become complacent. As our customers’ postures improve, so do the attackers’ techniques, and the information security arms race continues… Read More »
In an effort to reduce costs and improve operational efficiency, organizations of all sizes have begun compressing their firewall and other security services into smaller form factors and fewer physical units. Many small and midsized companies have opted for UTMs to run all of their security on a single box. Unfortunately, UTMs have failed to deliver on their promise to deliver true multi-service security. Most UTMs do one or two things really well, but add all the other services as “checkbox” items just to say they have it. Read More »
I have a confession: I’m a technology late-adopter. On Rogers’ Innovation Adoption bell curve, I probably fall somewhere in the ‘late majority’ — I like the tried and true.
But with a few years and many advances, I’m back on Facebook (my short experience with it left me with privacy paranoia), and if you can believe it, I’m now an iPhone user. I appreciate not lugging around my iPod, and having a camera ready whenever I need it, but it’s not only the extra bells on the integrated device that has impressed me -- it’s the realization that I don’t have to compromise functionality to have it all.
One of the most commonly used – yet misunderstood – terms in all of network security is the “next generation firewall”. When we look under the covers, we see that most “next generation” firewalls are still relatively limited, providing only application and user ID awareness. Visibility into how the network is being used might produce a report that may make for a curious read. But there’s so much more going on in your network, app and ID just don’t go far enough to help administrators with actionable security enforcement. For example, knowing which interns are the heaviest Facebook users is one thing; knowing that the majority of their network traffic is due to video uploads to Facebook – and having the ability to disallow those uploads – is quite another.
Think of it this way. In scenarios that require additional context beyond what can be provided by a classic firewall, current next generation firewalls still lack the level of visibility required for administrators to make intelligent security decisions. I liken it to a knock at your door at midnight, and the porch light is out. How many of us would open the door anyway, without knowing who or what is on the other side? Of course, the safest thing to do is to keep the door closed and locked, rather than opening it to a potential threat. That’s exactly what so many firewall administrators are doing today – in fear of opening the network to unknown attacks, they say “no” to users, applications, devices, and new use cases that can tremendously improve the efficiency of the organization.
Unfortunately, the behavior with “next generation” firewalls isn’t much different. Though our porch light may be on now, it’s dim and we can’t see much out of the peephole in the door. What’s more, we only have two options – either completely open the door or leave it completely closed. This is because next generation firewalls don’t offer the level of granularity required, so entire applications must be allowed or denied. Think of a complex application with an array of micro-applications such as Facebook; current next generation firewalls on provide administrators with the capability to “allow” or “deny”, without the additional granularity to “Allow Facebook, but deny Farmville”.
As a result, we still have to be weary of opening the door, since we can’t truly know who or what is out there. Bottom line, unless we’re sure, it’s still safer to say “no”. That means saying no to the growing number and types of devices that are being used to access the corporate network, including iPhones, iPads, and Android devices; it also means locking down applications such as Facebook and Twitter, which have legitimate business uses. So not only is having to always say “no” a dark, lonely place to be – it also puts an artificial cap on corporate productivity!
Going back to our example of a knock at our door, ASA CX is like looking through a picture window at noontime, rather than the peephole at midnight. While the firewall itself is powerful, what really makes ASA CX so exceptional compared with current “next generation” firewalls is its capability to gather extraordinary amounts of intelligence from throughout the local and global network, including deep application visibility; identity of users, as well as the devices they are using to access the network; and proactive, reputation-based threat protection backed by global correlation. It makes this intelligence available in a simple, intuitive interface. This, in turn, enables administrators to truly understand what’s happening throughout the network, so that they can make more informed security decisions and write more effective policies. As a result, they can strike a real balance between flexibility and control!
So now that we know what true visibility really is, who would still settle for making decisions based on looking through the peephole at midnight?
The Global Certification Team is proud to have a presence at RSA 2012 at the Moscone Center in San Francisco!
We will be taking part in several talks and presentations, including the following:
The CC Forum Interim Steering Committee -- This time will be used for both the Terms of Reference working group and the Governance working group.
Open Group Trusted Technology Forum (O-TTF). The O-TTF is developing a set of best practice requirements and recommendations for Supply Chain Security, that when practically applied, create a business benefit in terms of reduced risk of acquiring tainted or counterfeit products for the technology acquirer.
“Lock it down or Free it Up” -- Special keynote address by Christopher Young, Senior Vice President, Security and Government Group, Cisco -- Wednesday February 29, 3:10 p.m.
Be sure to check out this link for the live stream of the Keynote addresses.
We are looking forward to meeting with our peers from around the globe. If you are attending any of the above workshops or talks, look for us!