With the recent launch of FirePower Threat Defense on Cisco 4000 Series Integrated Services Routers, I would like to spend some time talking about enterprise branch security and what are the requirements to keep in mind to secure your branch office. Let’s start out by examining your branch environment.
What’s happening at the branch today?
Cloud is redefining application delivery. Mobility is redefining network architecture. Next generation applications like Ultra High Definition videos, Web, and SaaS applications put increased pressure on bandwidth availability.
Organizations may be considering Direct Internet Access (DIA) at the branch to leverage local internet path for public cloud and internet access. Leveraging the local internet path at the branch reduces IT spending (freeing up costly WAN bandwidth for mission critical applications) and ensures better application experience, for example for applications hosted in the public cloud (less latency) but it may come with a cost since now the branch may be exposed to security threats. Read More »
Tags: branch office, Cisco FirePOWER, Cisco ISR, guest wi-fi, security, threat defense, threat protection
Ponemon Institute called 2014 the year of the “Mega Breaches,” which will be remembered for its series of mega security breaches and attacks. These “Mega Breaches” are perfect examples of what is commonly known as Advanced Persistent Threats (APTs). The Ponemon Institute survey asked, among many questions, “When was the breach discovered?” Surprisingly, the results revealed that ONLY 2% of the respondents in the survey discovered their breach within one week of after the incident and a staggering 90% were six months or longer, if at all.
Read More »
Tags: data breach, design guide, Lancope, NGIPS, threat defense
Two weeks ago, a leading global medical device manufacturer came to Cisco for advice. In an effort to streamline IT operations and reduce operating costs, the customer had recently migrated from their internal Microsoft Exchange 2010 environment to Office365, Microsoft’s hosted online service.
The migration was initially done for the headquarter users and the feedback was more positive than they expected. However, when they migrated their branch and remote office users, the WAN bandwidth usage almost immediately spiked and user experience suffered as a result.
This customer is certainly not the only company looking to embrace Cloud applications for greater agility, reduced costs and complexity, and increased productivity. Or has had to deal with BYOD issues and the increasing impact of video has on their bandwidth. However, what our customer and those other companies have found is that the current method of backhauling the traffic to the data center is no longer a viable way to handle the increased consumption when faced with a flat or even a declining IT budget. Therefore, many of today’s distributed enterprises are looking to use direct Internet access pathways in an effort to improve the user experience while reducing IT costs.
However, enabling direct Internet access (DIA) at branch offices also forfeits the inherent threat protection that traffic routed through the data center provides. The enterprise-level risks that branch offices face with BYOD issues, compliance requirements, and advanced persistent threats require enterprise-level security. According to Gartner’s “Bring Branch Office Network Security Up to the Enterprise Standard”, “By 2016, 30% of advanced targeted threats — up from less than 5% today — will specifically target branch offices as an entry point.”
Cisco FirePOWER Threat Defense for ISR addresses these issues by extending their industry-leading FirePOWER threat protection beyond its traditional network edge and data center deployments out to individual Cisco ISR routers. Read More »
Tags: byod, Cisco FirePOWER, cloud, Direct Internet Access, ISR, security, threat defense
Cisco Live Orlando, June 23-27, 2013, is quickly approaching and registration is open. The Security track this year includes 72 breakout sessions, 74 hours of labs and seminars, and 3 Product Solution Overview sessions, accounting for about 15 percent of all the content delivered at Cisco Live. New for this year we will have several talks aimed at the network engineer in the role of a data analyst, helping them to better utilize and understand the data that comes from their networks (BRKSEC-2001, BRKSEC-2006, BRKSEC-2011, BRKSEC-2062, BRKSEC-3031, and BRKSEC-3062).
Read More »
Tags: byod, cisco live, Cisco Live 2013 Orlando, Cisco Live US, IPv6, Network Threat Defense, security, SSL VPN, threat defense, training
Last week at the RSA Conference in San Francisco, I had the pleasure of speaking to thousands of security professionals about the opportunities and risks associated with using Software Defined Networking (SDN) for security, which will be the underlying fabric of our next generation data centers and networks. SDN-enabled security will provide a better way to secure our most valuable applications, users and data, now and in the future.
Each vendor has a different definition of how the network is changing, and there are many different terms being used, such as software defined data center and software defined storage. Cisco calls this Application Centric Networking, for example, because we are introducing programmable APIs with a focus on distributed control plane intelligence so that applications can get value directly from the network.
It’s obvious why the networking industry is embracing SDN: lower operational costs and the ability to deploy applications and network services in a quicker, more scalable manner. Cloud bursting, which is about flexible compute in the cloud, is another SDN benefit that gives us the ability for applications to interact directly with the network in ways that do not happen today. For example, applications will be able to query the network for location of users to manage Quality of Service and deliver highly targeted content.
So why should the security industry care about SDN? As the threat landscape evolves, the opportunity is to make Security a key application for SDN. We can use SDN to build a Network-based Threat Defense System. I see three key elements to this system:
Read More »
Tags: Chris Young, network security, SDN, security, software defined networking, software defined networks, threat defense