Cisco 2014 Annual Security Report: Trust Still Has a Fighting Chance

I spent a good deal of time last week supporting the launch of the Cisco 2014 Annual Security Report. I’m one of the Cisco executive sponsors for the report, which means that while I cannot take credit for writing it, I am significantly involved in setting course, providing advice, and reviewing its findings. The report represents months of collaboration among threat researchers and other cybersecurity experts at Cisco and Sourcefire. Much of the data comes from both our own experience and what we have learned from willing customers. As promised, it provides a “warts-and-all analysis” of security news from 2013 and our perspective for the year. I also commend the writers, editors, and document producers for their hard work, clear thinking, and ability to lead a very complex project over the finish line in good order.

Our report that the cyberthreat and risk landscape has only grown stronger and more complex over the past year is not exactly a revelation, perhaps, but we can perceive some clear trends in the evolution. We now can see that the cybercrime network has become so mature, far-reaching, well-funded, and highly effective as a business operation that very little in the cybersecurity world can—or should—be trusted without verification.

We also expect adversaries to continue designing campaigns that take advantage of users’ trust in systems, applications, and the people and businesses they know. It’s an effective strategy. How do we know? Because 100 percent of the networks analyzed by Cisco, despite the best efforts of their IT and Security teams, have traffic going to known malware threat sites. Not all traffic going to bad sites means bad things are happening, but as the old saying goes, where there’s smoke there’s usually fire.

The Cisco 2014 Annual Security Report highlights three key challenges organizations will face in the year ahead. These issues are:

  • A growing attack surface area: New ways of doing business—such as cloud computing, mobility, and rapid growth in the number of connected devices—are rapidly expanding the attack surface available to cybersecurity adversaries. Adversaries have myriad inroads to bits and pieces of useful information that pave the way to big time pay dirt. Quite often, they have a very easy path from there to the ultimate destination: the data center, where high-value information resides that can be exploited and monetized.
  • The proliferation and sophistication of the attack model: Companies have become the focus of targeted attacks that are hard to detect, remain in networks for long periods, and exploit network resources to launch attacks elsewhere. Even basic Internet infrastructure services—including web hosting servers, nameservers, and data centers—have become key targets for hackers who want to launch increasingly larger campaigns.
  • Complexity of threats and solutions: Monitoring and managing information security has never been more difficult for security teams. Solutions countering well-understood types of attacks—viruses, worms, data leaks, denial of service, etc.—long relied upon by organizations for cybersecurity, are simply inadequate in today’s complex threat environment where many attacks are not only stealthy, but also relentless.

Just to make things even more difficult, we’ve learned that counterfeit and tampered IT products are a growing security problem. The problem is more serious than phony gear masquerading as premium brand gear. Tampered and bogus goods often include hacker-friendly backdoors and other exploitable weaknesses. Like water pressing against a poorly engineered dam, bad actors will seek out and exploit any security weakness—known vulnerabilities and intentional backdoors—in the technology supply chain.

I’ve written a lot in the past year about what it takes to develop trustworthy systems: building security from the ground up, from the beginning to the end of a product’s life cycle. I’ve also explained how Cisco has invested considerable time, effort, and money in the effort to make our products robust enough for deployment as trustworthy systems. When I talk about trust, my concern goes beyond a narrow focus on our ability to trust technology. Society now depends on information technology to deliver essential services. When that technology ceases to work, or when we can’t trust the services delivered through technology, our social, economic, and cultural fabric unravels.

I wouldn’t be in the security business, however, if I thought the security situation was irrevocably hopeless. As we learn more about how our adversaries work and what they seek to achieve, we improve our ability to limit damage to socially tenable levels. While the Cisco Annual Security Report is a sobering read, it fills me with added determination to contain today’s threats and preempt tomorrow’s traps and pitfalls. I certainly hope it has the same effect on you.


A Balanced Approach to Mobile Security

Gartner recently made three interesting predictions about mobility in the workplace. While the ideas are compelling, they offer only one side of the story, and of the solution.

In this blog post, I’ll take a deeper look at each of these predictions and discuss why the future of mobility rests on IT leaders taking a balanced and strategic approach to security that focuses more on protecting the network and proprietary data and less on implementing overly broad restrictions.

Gartner Prediction #1: Twenty percent of BYOD projects will fail by 2016 due to IT’s “heavy hand.”

While the actual failure rate may be less than one-fifth, mobility efforts will fail if companies are too restrictive with MDM policies. Instead, a two-fold approach to supporting a BYOD environment from a security perspective is essential.

First, IT leaders should take a balanced approach to security that protects business-imperative network solutions and data. In most cases, blocking Angry Birds and Candy Crush is unnecessary and not scalable. With Apple and Google supporting over a million apps each (and counting), it can cost precious time and IT resources just trying to keep up with restricting non-threatening applications.

Secondly, IT leaders should be focused on encouraging users to use secure solutions. This will only grow more important as the explosion of new connections and various devices evident in today’s Internet of Everything world creates more opportunity for malicious actors to utilize even more inroads to compromise users, networks, and data. By educating employees to take an active role in the security of their device, users can be empowered to report suspicious threats and have an open dialogue with IT teams.


Security Realities of IoT (Internet of Things)

Are you a security professional or IT professional just resolving the security issues with BYOD (bring-your-own-device)? Watch out: BYOD was a precursor, or warm-up exercise, to the tsunami just hitting your shores now.

The SANS Institute just completed a survey on the security viewpoints on IoT, predominantly with security and IT professionals.

78% of respondents were unsure of the capabilities for basic visibility and management of Things they will need to secure or lack the capability to secure them.

It seems that, like BYOD, IoT is driven with minimal IT consultation. And it happens with security as an afterthought, with 46% who do not have a policy to drive the visibility and management of IoT devices.

The top security controls used today for securing IoT were 68% authentication/authorization, 65% system monitoring, and 49% segmentation. That translates into Cisco Secure Access solutions that offer superior visibility, a robust intelligent platform of critical context, and highly effective unified secure access control. More importantly, this will also help the 74% that rely on manual processes for discovery and inventory of connected devices (from previous SANS research).

Over half (67%) are using SIEM (security information and event management) to monitor and collect data to secure IoT. Cisco ISE (Identity Services Engine) integrates with SIEM to bring together a network-wide view of security events supplemented with relevant identity and device context. This provides security analysts the context they need to quickly assess the significance of security events. More details on the ISE and SIEM integration may be found in this new white paper: Cisco ISE Plus SIEM and Threat Defense: Strengthen Security with Context

The research rightfully points out that, of the many categories of Things, the newest category of single-purpose devices typically connected by wireless (and more likely embedded) software will be the most problematic for security. Due to this difficulty, the SANS community (61%) would like the Thing manufacturers to take more responsibility for providing security. While this is a reasonable request, the question is whether they have the expertise to do this when their focus is on the exciting new IoT market opportunities. Weigh in and tell us your outlook on securing this next wave of Things connecting to your network!

The paper on the SANS survey results is in the SANS reading room.


Cisco 2014 Annual Security Report: Why the Before/During/After Approach to Security Offers Better Protection from Threats

The number and variety of threats that can infiltrate corporate networks and disable critical infrastructure are sobering. Take a look at our findings and analysis in the new Cisco 2014 Annual Security Report, and you’ll see that malicious actors are innovating just as fast as security professionals do. As threats proliferate, so do the solutions for responding. It’s a confusing, fragmented market. That’s why Cisco believes it’s time for a new security model: a model that’s threat-centric, providing better visibility across the entire attack continuum and across all attack vectors, so that your organization stands a better chance of stopping attacks, or minimizing the damage they cause.

As we explain in the Cisco 2014 Annual Security Report, today’s advanced attacks are too complex and sophisticated to be addressed by traditional technologies that only perform their analysis once at a specific point in time, versus technologies that work continuously. At the same time, the data protection needs of organizations have become incredibly multifaceted. Mobile users and reliance on the cloud have complicated the ways business networks need to be protected. There is no “silver bullet” to solve every security problem.

Our recommendation for meeting today’s security challenge is to move away from point-in-time solutions, to an any time, all the time, continuous approach:

  • Before an attack: You can’t protect what you can’t see. Know what’s on your network—devices, operating systems, services, applications, users, and more. With this knowledge you can set up access controls, enforce security policies, and block applications and overall access to critical assets. This will help reduce the surface area of attack. But keep in mind that there will still be gaps attackers can exploit to achieve their objectives.
  • During an attack: Deploy solutions that can address a broad range of attack vectors by operating everywhere a threat can turn up—networks, endpoints, mobile devices, and virtual environments, for example.
  • After an attack: As much as we want to stop all attacks, it’s a given that on some occasions, intruders will succeed. Prepare for this eventuality with capabilities to determine the scope of the damage, contain the event, remediate, and bring business operations back to normal as quickly as possible.

The before/during/after approach to security avoids the problems associated with fragmented security solutions, such as lack of visibility and inconsistent enforcement. The Cisco 2014 Annual Security Report details today’s top security concerns and the value of this strategy.


My Top 7 Predictions for Open Source in 2014

My 2014 predictions are finally complete.  If Open Source equals collaboration or credibility, 2013 has been nothing short of spectacular.  As an eternal optimist, I believe 2014 will be even better:

  1. Big data’s biggest play will be in meatspace, not cyberspace.  There is just so much data we produce and give away, great opportunity for analytics in the real world.
  2. Privacy and security will become ever more important, particularly using Open Source, not closed. Paradoxically, this is actually good news as Open Source shows us again, transparency wins and just as we see in biological systems, the most robust mechanisms do so with fewer secrets than we think.
  3. The rise of “fog” computing as a consequence of the Internet of Things (IoT) will unfortunately be driven by fashion for now (wearable computers), it will make us think again what have we done to give up our data and start reading #1 and #2 above with a different and more open mind. Again!
  4. Virtualization will enter the biggest year yet in networking.  Just like the hypervisor rode Moore’s Law in server virtualization and found a neat application in #2 above, a different breed of projects like OpenDaylight will emerge. But the drama is a bit more challenging because the network scales very differently than CPU and memory, it is a much more challenging problem. Thus, networking vendors embracing Open Source may fare well.
  5. Those that didn’t quite “get” Open Source as the ultimate development model will re-discover it as Inner Source (ACM, April 1999), as the only long-term viable development model.  Or so they think, as the glamor of new-style Open Source projects (OpenStack, OpenDaylight, AllSeen) with big budgets, big marketing, big drama, may in fact be too seductive.  Only those that truly understand the two key things that make an Open Source project successful will endure.
  6. AI recently morphed will make a comeback, not just robotics, but something different AI did not anticipate a generation ago, something one calls cognitive computing, perhaps indeed the third era in computing!  The story of Watson going beyond obliterating Jeopardy contestants, looking to open up and find commercial applications, is a truly remarkable thing to observe in our lifespan.  This may in fact be a much more noble use of big data analytics (and other key Open Source projects) than #1 above. But can it exist without it?
  7. Finally, Gen Z developers discover Open Source and embrace it just like their Millennials (Gen Y) predecessors. The level of sophistication and interaction rises and projects ranging from Bitcoin to qCraft become intriguing, presenting a different kind of challenge.  More importantly, the previous generation can now begin to relax knowing the gap is closing, the ultimate development model is in good hands, and can begin to give back more than ever before. Ah, the beauty of Open Source…
