Cisco Blogs


Cisco Blog > Security

The Cisco Security Dojo

Over the past three years, Cisco has invested in the creation of an application security awareness program. The program helps the good citizens of this company understand, apply, and act upon a strategy to build more trustworthy products. We launched the existence of the program to the world at the RSA Conference 2015. I am sharing this with you because we’ve created something unique to the industry, and we want to encourage other companies to pursue the creation of an application security awareness program.

When you think about security awareness, do you envision phishing e-mails, Nigerian princes, and tailgating cyber criminals? Security vulnerabilities are a fact of life, but we can help our organizations develop a greater level of understanding and a desire to put security first in their development efforts. At Cisco, we believe that security awareness training should feature traditional training about crazy links you should not click under any circumstances and how to stop strangers from entering your buildings, as well as application security awareness. Application security awareness, when done well, can drive security culture change to make a company and its products and solutions safer. Moving an organization to focus on security is possible, because we have done it.

Enough talking about it, please take a sneak peek at how we do it here in this video.

Read More »

Tags: , ,

ESG Survey of IT Security Professionals Provides Insight to Data Center Security Issues

Yesterday, I reported on Cisco’s new ACI security announcements and an overview of our secure data center strategy. Today, I wanted to share some interesting market insights that we pulled from a survey conducted by Enterprise Strategy Group (ESG) that Cisco commissioned, and that validates some key data center security trends and requirements that support our product strategy. Some of the key conclusions and data collected were shared in press coverage of the product announcement. The full survey results are here, and below are some summary graphics we prepared for our launch event.

Project Overview

Cisco commissioned the survey (conducted by ESG) to learn more about the challenges and issues IT professionals face when planning and implementing data center security.

Demographics

  • The survey sampled 154 IT security professionals in North America responsible for network security requirements and operations. All respondent organizations had to be using physical firewalls (or virtual firewalls) and access control lists (ACLs).
  • Most respondents represented large midmarket organizations (defined as organizations with 500 to 999 employees) and enterprise organizations (organizations with 1,000 up to 10,000 employees). 71 percent operated from three up to 20 data centers worldwide.
  • The study included broad representation from industry verticals: financial, manufacturing, health care, government, retail and business services.
  • The survey was conducted in April 2015.

Top Survey Findings

The people problem:  Implementing network security controls is tedious and time-consuming.

  • 69 percent of organizations reported it takes from one man-hour up to four man-hours on average to convert a single new application network requirement into a network device or firewall configuration (before they even implement the new configuration, test it, etc.)
  • 74 percent say that it takes days or weeks to implement security device updates from request all the way through to production implementation. (See InstaGraphic below)

Solution: Just like SDN revolutionized the data center by automating network configuration changes, ACI is accelerating security changes by automating device updates and configuring how security services are inserted into application networks, helping to ensure greater accuracy and allowing IT to keep up with business requirements.

ACL changes days or weeks

Read More »

Tags: , ,

Enhance Data Center Security and Automation with New Cisco ACI Features and Partners

We’ve been talking for a while about Cisco ACI’s leadership in SDN security features (like here), and in the design of our fine-grained security policy enforcement between individual workloads, sometimes called microsegmentation. Today, here at Interop, Las Vegas, Cisco is reaffirming its thought leadership in data center security and SDN automation with a couple of announcements, including the integration of Cisco FirePOWER next generation intrusion prevention system (NGIPS) into the ACI security framework. In other news, another ACI ecosystem security partner was announced last week at the RSA Security Conference: Fortinet, who will be integrating their Fortigate firewall platform with ACI.

The Cisco ACI + FirePOWER solution enables real-time detection, mitigation and remediation for advanced security threats inside the data center by combining granular application visibility and control, threat detection, advanced malware protection (AMP) capabilities of FirePOWER NGIPS with ACI microsegmentation, advanced security service insertion, and L4-7 policy automation. To quickly summarize how this all comes together and a sample use case for ACI security, we created the following video:

Available in June, 2015, new ACI advanced security works to protect data centers before, during, and after attacks, dynamically detecting threats and automating incident responses. The Cisco FirePOWER family of security appliances consists of industry-leading NGFW, NGIPS appliances offering best-in-class threat effectiveness, superior visibility and global threat intelligence.

Attack Continuum

FirePOWER + ACI = Automated Security with Advanced Protection Across Attack Continuum for Physical and Virtual

Read More »

Tags: , , , , , ,

The Rise in Healthcare Cybercrime

Cybercrime1January this year witnessed the largest healthcare breach to date in which the personal records of 80 million individuals were compromised. It also marked an apparent change in focus from attacks on delivery organizations to healthcare payers. Last week two additional health insurers reported that they too had been hacked, resulting in the possible compromise of a further 11.25 million personal records. In a period of less than 3 months, the US has seen over 91 million records and personal identities stolen from healthcare insurers alone.

The health insurers appear to have been the target of highly sophisticated cyber attacks perpetrated from China, which involved the use of advanced persistent threats (APTs) and spear phishing. This allowed them to gain administrative credentials that were used to exfiltrate stolen data via the use of common cloud data services.

Read More »

Tags: , ,

Oil and the Smart Pipe – Article on The Network, Cisco, by Scott Gurvey

Scott Gurvey (the famous New York bureau chief and senior correspondent of the PBS broadcast Nightly Business Report for more than 20 years) has written a thought-provoking piece on “The Network” (Cisco’s Technology News Site).

Safety is the key in the Oil and Gas industry. Whether it’s people, infrastructure, or the environment, the industry is grappling with sometimes controversial issues.

Scott talks about the Keystone XL Oil Pipeline, new technology and the relative safety of different oil transport methods. He quotes James Stafford, the editor of Oilprice.com, as saying that even though moving oil through pipelines is generally considered safer than the alternatives of rail or truck transport, the number of pipeline accidents reported each year remains “unacceptable”

That’s where the new technologies of the Internet of Things comes in. The Operational Technologies (OT) requirements have been different to the IT needs in the past. In my view that’s because of several reasons. The different technologies used for each area gave rise to concern that folks have had about security between networks is one.

Read the latest Thought Leadership for Oil and Gas

Read the latest Thought Leadership for Oil and Gas

Another is that there was also a lack of visibility, and it was difficult for parts of an organization to collaborate with another to sense problems in real time and deliver the right resources to solve them. That’s changing as IT and OT converge. Probably not fast enough for most people’s liking, but that’s owing to the cultural changes needed.

Back to Scott’s article. I’m not going to steal his thunder on ‘Pigs’ (well, Smart Pigs, but still not the kind in your hot dog!), drones (the peaceful kind), or the Analytics challenge the industry faces today. You’ll have to read his article for that.

But I do want to give a plug for the recent thought leadership in the oil industry that Cisco recently conducted (A New Reality for Oil & Gas: Complex Market Dynamics Create Urgent Need for Digital Transformation), which I was proud to contribute to. In it the analytics issue comes to the forefront and IT/OT convergence and Collaboration are seen as essential catalysts for change, with an overarching emphasis on ensuring end-to-end cybersecurity. Read it to see the details. Some might surprise you.

As always, you can learn more about Cisco in Oil and gas here: www.cisco.com/go/oilandgas, and read the latest Secure Industrial Networks with Cisco White Paper (don’t worry, it’s only 3 pages!), by clicking on this link: Secure Industrial Networks with Cisco.

And I almost forgot – if you’re interested in Cisco’s relevance to oil pipelines and that part of the industry, here’s something to whet your appetite: Cisco Connected Pipelines At-a-Glance.

Happy reading! And remember, stay safe out there!

Tags: , , , , , , , , , , , , ,