Cisco Blogs
Share

Government, Trust, & Technology Services, Cisco SourceFire, and Contextual Network Awareness: A Proactive Approach to Security

- August 3, 2015 - 0 Comments

One of the hardest things for a company to do is to embrace new technology and manage it in line with company policy. At most organizations, users are generally told not to access certain company data on certain devices, but they go around security controls because efficiency and convenience outweigh the risk. Rather than preventing new technology from emerging in the environment, embrace it and understand it, but do so prudently.

Technologies are evolving and users want to use their devices to access company data outside the network. We have the capability to write policy into the data flows on the network, and that is a true benefit.

“By not embracing that technology, you’re exposing yourself to new vulnerabilities. It really comes down to the policy. Enforce those policies, make them real,” says Mark Frye, senior manager of Cisco Security and Trust organization. “Look at what is happening in the marketplace and think of how your data center fares against global trends in user activity and mobility. You have to incorporate these technologies, you have to move forward.” That is something we’re doing at Cisco.

Protecting Cisco is a complex task. Over the years, Cisco Security has evolved with not only the threat landscape, but with the changes around the handling of sensitive data and application hosting too. Some information has regulatory requirements and that is what initially drove us to the segregation of our security infrastructure. Recently, our Security and Trust organization pivoted our mission to include Government, Trust, and Technology Services (GTTS) IT to enable us to gather data about threats in our network.

GTTS is comprised of three pillars, including threat intelligence, security operations, and product assurance. We run segregated infrastructures to manage sensitive data handling and application hosting. For example, there are regulatory requirements such as the international traffic in arms agreement, export control regulation, classified information handling regulations, that we have to handle in a very special way, and segregated infrastructures help us to comply. Today, we focus on gathering data about threats through our users’ behavior and activities via web hosting services and security services. Some of the data collected is hosted in the Threat Intelligence Platform (TIP), and can be leveraged by products and customers to help manage, identify, and mitigate some of the threats in the cyber arena.

One of the biggest challenges we face today is gaining full visibility across our data center stacks. Traditional data centers are siloed, in that there are many teams including applications teams, database engineers, network engineers, platform engineers, and server administrators.

“The GTTS-dedicated data center is unique because it has all those components, but runs them as a single team,” explains Frye. “We have a singular focus on security across the board.” Tying together disparate technologies into a single view helps the team understand how the network flows. For network awareness, we use Cisco SourceFire Next-Gen IPS.

Cisco SourceFire Next-Gen IPS, an advanced network intrusion prevention system, is integrated into GTTS and was one of the first Cisco on Cisco installations. Some of the critical elements including full stack visibility, application awareness, and contextual awareness, enable GTTS to gain better intelligence in the threat landscape, and mitigate intrusions more efficiently.

GTTS had Cisco Intrusion Detection Services (IDS) running in its data center, and worked with the Computer Security Incidence Response Team (CSIRT) to monitor and manage devices. When we integrated SourceFire IPS, we chose to use an inline deployment mode, so the sensors sit at the perimeter of our data center. They pick up information as information flows through and offers an additional level of protection.

By putting four sensors at the perimeter of the small network environment, we’re able to correlate flows to users but also to restrict those flows and to restrict the data that comes and goes from our data center. In the future, we will scale to have hundreds of sensors. Where we operate our security perimeter is deeper in the data center, closer to the applications.

The implementation of the Cisco SourceFire Next-Gen IPS devices enables a more granular view of the environment. We’re able to monitor flows, signatures, and traffic into and out of the data center. In addition, we can implement controls at our side of the boundary, rather than just at the application boundary, which gives us more depth of security.

SourceFire appliances have a great classification engine that helps in identifying threats more holistically. The IPS environment is context-aware, meaning it looks deeper into applications and recognizes signatures and traffic flowing into and out of the data center. We gain a higher level of control over that traffic, preventing it from ever reaching the application layer of a more traditional IP-based firewalling environment.

Whereas IPS layers on the network, FireAmp layers on the device itself so that the client is installed on the device. We’re able to look into applications running the client and correlate the data with potential malware signatures, and that means we can catch infections sooner than traditional antivirus. We’re hoping to leverage the capabilities of SourceFire, the cloud and fingerprinting those different types of malware and reporting anything new. It’s in infancy right now, but it’s promising.

SourceFire is a leader in security because it enables security teams to be more proactive rather than reactive to threats. Gaining more visibility into the environment from a malware perspective and tying everything together is the difference between catching things that have already happened on the network and shutting down an infection at the host before it reaches the network. FireAmp is the next evolution of anti-virus and can look at an environment, send information automatically from the device, and quarantine it in the process. “It’s a proactive approach and it’s something unique in the industry today,” says Frye.

GTTS has a separate defense data center and can focus on the entire stack in the data center as well as deliver next-generation technology more quickly. We are good at organizing and mobilizing solutions such as SourceFire and Cisco Application-Centric Infrastructure (ACI) because the scale of the GTTS defense data center is small. We depend on organizations to scale up.

As with all new things, running SourceFire is not without its challenges, but at the same time, we feel more secure with the appliances online because of their scope. We have a better view into our data center and we’re working with our SourceFire counterparts on a continuous basis to refine the application classification engine.

The partnership is a great example of how a product development team and a practitioner team are working together to make the product better. Because of that partnership and transparency between the teams, when the HeartBleed security bug was identified in the OpenSSL cryptography library (widely used in Transport Layer Security (TLS) protocol), we were able to put SourceFire code at the perimeter of our data center and stop the HeartBleed vulnerability immediately at the perimeter. That’s one of the benefits of the classification engine.

Another benefit of that level of visibility is that we can map an infection through the network as well as detect insider threats. Sometimes the insider threat means that it’s not an intentional threat, but the data center is always considered a protected environment. Sometimes people inadvertently bring infected endpoints into the network and SourceFire helps home in on that because we can track where that potential virus has spread quicker than ever before. That means remediation is quicker too.

Take a chance, but with caution. In using features of Cisco SourceFire and other emerging technologies, you can enable both what your end users want as well as secure, manage, and operate in an efficient manner.

Tags:

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.