Cisco Blogs

Three New Security Realities That Every CSO Should Face

October 10, 2016 - 3 Comments

Anyone responsible for keeping their Enterprise information secure has to understand three events that have changed the nature of Cyber-Security forever:

1. The Perimeter has Disappeared

There used to be a strong perimeter defined by the network endpoints, which were all inside secured corporate buildings or inside highly secured corporate data centres. But over the past decade, a lot has changed. Adding Internet Gateways required firewalls, IDS/IPS, and more. Teleworking required better VPN encryption and security. Mobility – in the form of wireless access for mobile workers’ laptops and smartphones and pads, dissolved the concept of a network perimeter and required significantly greater device and data protection. And cloud services have expanded the highly secure corporate data centre into vendor data centres that provide varying (and often unknown) levels of security (and regulatory compliance). Infrastructure cyber-security has gotten so advanced that, as long as they’re kept well patched and up to date, they will stop almost all standard attacks. That’s why today most successful attacks go around the standard perimeter defenses by finding trusted people to let them (and their malware) into the network via email and cloud. (As an example, Cisco folks visit 350M websites per day – and about 2% are blocked. We avoid over 500K malware downloads a day. We also get about 4.5M emails per day from outside. Some point to infected web sites. And about 200 emails per day carry virus payload attachments.)

Cisco’s main security efforts, along with enabling the sophisticated security tools that still protect the traditional perimeter, has grown. We are now protecting end users on the Web, and on their devices – and protecting the network from trusted employees who unknowingly bring in malware via web and email. This task makes OpenDNS, and ESA and WSA and Cloud Web Services, as well as Identity Services Engine to identify & validate the trustworthiness of IAM critical to our security.

2. Everyone Has Been Hacked, is Being Hacked, is Currently Infected

You can’t give up hardening, but you have to accept that you have been successfully hacked. The only customers who think they are free of Advanced Malware Threats (AMTs) are the ones who have not started looking for them. They are there, in every business, well hidden and looking for secured information. The best strategy is to assume that there are successful AMTs already embedded within your infrastructure (usually your data centre). While you can reduce the number that get in, you have to understand that some will get through, and work to reduce the damage they can do once they get through. That means adding to your security process, in addition to “block as many malware exploits as possible” another equally important goal: “find and contain threats as quickly as possible”. Monitoring tools like Cognitive Threat Analytics, ThreatGrid (sandboxing+), Stealthwatch, and now Tetration Analytics are critical in finding them. Without this continuous monitoring, successful AMTs are only identified when they get stumbled across while doing something else. Average identification & containment time for successful AMT can be 200+ days, with identifying it taking up almost all that time. As a counter-example, Cisco IT/Infosec’s average for identification and containing AMT is 17 hours for the past 4 quarters, and getting better. So internal monitoring and analysis, beyond hardening, is critical.

3. Identifying the New AMTs Requires Global Unified Cooperation – a Widely-Cast Net with a Fine Mesh 

Cisco SourceFire/Snort pulls in and analyses info from AMP NGIPS, ASA firewall, AMP for endpoints on laptops and mobile phones/pads, Email (ESA), Web (WSA), CTA, and Threatgrid – to cast that net wide. And since the “signatures” for day-zero attacks for AMP products are updated from Talos, which pulls malware signature data from every customer’s SourceFire, every ESA/ESA/AMP Firewall and NGIPS and Threatgrid, and from OpenDNS with its 3M+ end users, everywhere in the world – that’s a wide and fine net indeed. Talos also works with other similar groups to share this information. Individual isolated firewalls cannot compete with this. So an organised, unified security architecture, is critical.

Knowing, understanding, and acting upon these three facts will enable a more prepared and more secure corporate infrastructure.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Regarding Point #1, I don’t disagree with your general statement. But I do believe you need to point out that as the various service suppliers (i.e., remote-hosted/cloud solutions) move away from on-premise solutions, as IT Leaders for our company, we must ensure that any new service supplier with a remote IT solution will still meet our company’s security requirements.

    One needs to be very aware of the internal security of any remote IT solution and whether or not that service supplier can meet your security requirements. Reducing/removing on-premise solutions carries with it the need for increased knowledge of the remote IT supplier.

    • Hi, Gary –

      I agree 100%. Not all cloud service providers deliver services that meet your (or our) security requirements for confidential (or highly confidential) information. Some do, but its very hard to tell them apart, and its not possible to trust the vendor’s own assessment of the security of their service.

      One option that helps a lot is to find a cloud service provider that has partnered with a good Cloud Access Security Broker (CASB) to provide security and other services (e.g. performance analysis) for your cloud services. But that doesn’t cover a lot of CSPs.

      Cisco IT has had to build our own internal Cloud & Application Service Provider Remediation team (CASPR), to identify the many hundreds of cloud services we use inside Cisco (an order of magnitude higher number than I’d expected), and then analyze and remediate their security limitations. Its a highly manual and time-intensive process, but its enabled us to find and help improve over 500 cloud services that are safe for Cisco employees to use.

      For more info, see

      – Rich

  2. Excellent article, Rich! I was particularly struck that Cisco IT can identify and contain AMTs in 17 hours compared to 200 hours for many companies. Regarding your point 1, here’s a nice companion article about the partnership between Cisco IT and InfoSec: