Cisco Blogs

Cisco Blog > Security

A Thief Inside of Cisco? SecCon 2013 San Jose

A thief on the loose you say, at Cisco Systems, in San Jose? Turns out he was invited. Apollo Robbins was one of the headliners for Cisco SecCon in San Jose during the first week of December. Mr. Robbins taught us an important lesson about security: seeing is not always believing. Apollo demonstrated the art of “social engineering” using techniques he perfected working on a pickpocket show in Las Vegas. Apollo taught us to expand our thinking, to look behind the curtain of what motivates people. This helped us to better understand the trust people put in each other and in our products. Bruce Schneier was the second headliner, and spoke to us about the idea of trust. Bruce’s talk was not heavily focused on technology, but instead approached trust from the human perspective. He answered questions such as why people trust, and how trust is passed amongst groups of people. This is beneficial because Cisco strives to be trustworthy to our customers, corporately, as individuals, and with our products.

IMG_0912-300x199 - 1

SecCon is our annual internal security conference where the security community at Cisco gathers together to network and learn. 2013 represented SecCon’s sixth year. Our goal is to strengthen the security community and employee knowledge of how to build products that are more secure. This experience is not limited to those in San Jose. SecCon links remote sites such as Research Triangle Park (Raleigh), NC and Boxborough, MA with the speakers in San Jose. The remote sites also host local speakers, all in the name of growing the security community at Cisco.

IMG_1034-300x199 - 2

A Cisco Executive kicked off each morning. SVP Chris Young provided an overview of our security product strategy and spoke of the new technologies incorporated into Cisco from Sourcefire. SVP John Stewart continued his impassioned plea for engineers at Cisco to be “all in” with our approach to product security and Cisco Secure Development Lifecycle (SDL) adoption. Cisco VP Sumeet Arora spoke of how his organization is adopting Cisco SDL and how everyone must be trained in awareness of product security. One specific quote from Sumeet is, “Cisco SDL is like brushing your teeth.” That stuck with me, as a member of the core Cisco SDL team at Cisco. Cisco SDL is expected as a part of our daily routine. From all of the executive keynotes, a few messages were clear: Cisco SDL is mandatory for Cisco products, and product security awareness is a key driver for our success. We launched our product security awareness program last year at SecCon, and we saw it grow exponentially this year. This awareness program is so popular that it received plugs from each keynote as well as many times during the employee talks.

In the fifty talks given by employees, we were shown methods that some teams have used to build security in to their products. We saw reverse engineering displays and examples of historic vulnerabilities in Cisco products, all so that the people gathered can learn about the problems of the past. This builds a solid foundation for us, as a community, to minimize these problems in the future.

SecCon 2013 offered eleven security-based, bootcamp-style training classes that employees had an opportunity to attend. These classes are “boot camps” because they are in depth and demanding. The classes include lecture, but primarily each student works through interactive exercises and applies the security knowledge as they learn.

The boot camp courses were divided into three high-level categories: fundamentals of product security, hacking, and network defense. The fundamentals of product security lay a foundation for our engineers in some basic topics of security, including secure coding in C / C++, IPv6, and web application security testing. The hacking category included a basic course on the tools and techniques of hackers, understanding and hacking secure protocols, reverse engineering, and mobile application hacking. Network defense taught our students to properly configure and monitor networks. This category included “Network Threat Defense, Countermeasures, and Controls” and “Advanced IPv6 Security with Pen Testing”.

IMG_1149-300x144 - 3

This year was another great conference. You only had to listen to the quality of any talk to gain an appreciation for the depth of security knowledge and talent that exists within Cisco. With this base, we all learned that trust is so important to Cisco. Trust is the foundation of how our customers perceive Cisco and our products. It was clear through each of the presentations that trust is something that we must constantly earn. After this SecCon experience, I am even more aware of Cisco’s commitment to continue to strive to be the trustworthy IT vendor, working hard to identify and defend again the “thief” be they inside or outside our domain.

For more information on SecCon, please visit the SecCon page on Photos by Bill Thomson.

Tags: , ,

Big Data in Security – Part V: Anti-Phishing in the Cloud

TRACIn the last chapter of our five part Big Data in Security series, expert Data Scientists Brennan Evans and Mahdi Namazifar join me to discuss their work on a cloud anti-phishing solution.

Phishing is a well-known historical threat. Essentially, it’s social engineering via email and it continues to be effective and potent. What is TRAC currently doing in this space to protect Cisco customers?

Brennan: One of the ways that we have traditionally confronted this threat is through third-party intelligence in the form of data feeds. The problem is that these social engineering attacks have a high time dependency. If we solely rely on feeds, we risk delivering data to our customers that may be stale so that solution isn’t terribly attractive.  This complicates another issue with common approaches with a lot of the data sources out there:  many attempt to enumerate the solution by listing compromised hosts and  in practice each vendor seems to see just a small slice of the problem space, and as I just said, oftentimes it’s too late.

We have invested a lot of time in looking at how to avoid the problem of essentially being an intelligence redistributor and instead look at the problem firsthand using our own rich data sources – both external and internal – and really develop a system that is more flexible, timely, and robust in the types of attacks it can address.

Mahdi: In principle, we have designed and built prototypes around Cisco’s next generation phishing detection solution.  To address the requirements for both an effective and efficient phishing detection solution, our design is based on Big Data and machine learning.  The Big Data technology allows us to dig into a tremendous amount of data that we have for this problem and extract predictive signals for the phishing problem. Machine learning algorithms, on the other hand, provide the means for using the predictive signals, captured from historical data, to build mathematical models for predicting the probability of a URL or other content being phishing.


Read More »

Tags: , , , , , , , , , , , ,

Big Data in Security – Part IV: Email Auto Rule Scoring on Hadoop

TRACFollowing part three of our Big Data in Security series on graph analytics, I’m joined by expert data scientists Dazhuo Li and Jisheng Wang to talk about their work in developing an intelligent anti-spam solution using modern machine learning approaches on Hadoop.

What is ARS and what problem is it trying to solve?

Dazhuo: From a high-level view, Auto Rule Scoring (ARS) is the machine learning system for our anti-spam system. The system receives a lot of email and classifies whether it’s spam or not spam. From a more detailed view, the system has hundreds of millions of sample email messages and each one is tagged with a label. ARS extracts features or rules from these messages, builds a classification model, and predicts whether new messages are spam or not spam. The more variety of spam and ham (non-spam) that we receive the better our system works.

Jisheng: ARS is also a more general large-scale supervised learning use case. Assume you have tens (or hundreds) of thousands of features and hundreds of millions (or even billions) of labeled samples, and you need them to train a classification model which can be used to classify new data in real time.


Read More »

Tags: , , , , , , , , , , , , , , , ,

Big Data in Security – Part III: Graph Analytics

TRACFollowing part two of our Big Data in Security series on University of California, Berkeley’s AMPLab stack, I caught up with talented data scientists Michael Howe and Preetham Raghunanda to discuss their exciting graph analytics work.

Where did graph databases originate and what problems are they trying to solve?

Michael: Disparate data types have a lot of connections between them and not just the types of connections that have been well represented in relational databases. The actual graph database technology is fairly nascent, really becoming prominent in the last decade. It’s been driven by the cheaper costs of storage and computational capacity and especially the rise of Big Data.

There have been a number of players driving development in this market, specifically research communities and businesses like Google, Facebook, and Twitter. These organizations are looking at large volumes of data with lots of inter-related attributes from multiple sources. They need to be able to view their data in a much cleaner fashion so that the people analyzing it don’t need to have in-depth knowledge of the storage technology or every particular aspect of the data. There are a number of open source and proprietary graph database solutions to address these growing needs and the field continues to grow.

Graph Read More »

Tags: , , , , , , , , , , , , ,

Big Data in Security – Part II: The AMPLab Stack


Following part one of our Big Data in Security series on TRAC tools, I caught up with talented data scientist Mahdi Namazifar to discuss TRAC’s work with the Berkeley AMPLab Big Data stack.

Researchers at University of California, Berkeley AMPLab built this open source Berkeley Data Analytics Stack (BDAS), starting at the bottom what is Mesos?

AMPLab is looking at the big data problem from a slightly different perspective, a novel perspective that includes a number of different components. When you look at the stack at the lowest level, you see Mesos, which is a resource management tool for cluster computing. Suppose you have a cluster that you are using for running Hadoop Map Reduce jobs, MPI jobs, and multi-threaded jobs. Mesos manages the available computing resources and assigns them to different kinds of jobs running on the cluster in an efficient way. In a traditional Hadoop cluster, only one Map-Reduce job is running at any given time and that job blocks all the cluster resources.  Mesos on the other hand, sits on top of a cluster and manages the resources for all the different types of computation that might be running on the cluster. Mesos is similar to Apache YARN, which is another cluster resource management tool. TRAC doesn’t currently use Mesos.


AMPLab Stack

The AMPLab Statck

Read More »

Tags: , , , , , , , , , , , , , , , , , , ,