As we discuss in the Cisco Midyear Security Report, cybersecurity is becoming more of a strategic risk for today’s businesses, creating a growing focus on achieving “security operations maturity.” That’s why Cisco has developed the Security Operations Maturity Model – to help organizations understand how security operations, technologies, and products must evolve to keep up with the pace of change in their environments and increasingly sophisticated attacks. The model plots a journey along a scale of controls that moves from static to human intervention to semi-automatic to dynamic and, ultimately, predictive controls.

Every day I see evidence of why we need to evolve our security capabilities. A perfect example is the Kyle and Stan malicious advertising attack that our Talos Security Intelligence and Research Group discovered and continues to analyze. Ongoing research now reveals that the attack is nine times larger than initially believed and began more than two years ago. The expansiveness and extended period of the campaign reflects the ability of this attack to continuously morph, move quickly, and erase its tracks leaving nearly indiscernible indicators of compromise. To effectively detect and protect against attacks like this, organizations need dynamic controls that see more, learn more, and adapt quickly. Relying exclusively on static controls and human intervention puts defenders at a significant disadvantage and allows attacks to run rampant.

The Security Operations Maturity Model outlines a way for organizations to flexibly move toward controls that provide greater visibility, intelligence, and automation to gain better protection.

  • Static – An environment in which critical controls exist but the visibility and intelligence needed to update them do not. Many traditional security technologies work this way and are no match for attacks like Kyle and Stan. Defenders don’t have what they need to properly assess their security posture and make adjustments in real time. For some organizations, however, these process-laden controls are intended to be static to meet regulatory compliance mandates. And while they do provide a baseline of protection, they still lack the agility to scale in a constantly changing IT environment.
  • Human intervention – Visibility and intelligence are available, but defenders still need to manually change all of the controls. Labor-intensive intervention isn’t sustainable given the pace of attacks and the cybersecurity skills shortage. Although static controls are the reality of most organizations today, more Security Operations Centers (SOC) are being built to compensate for the lack of flexibility and agility of these controls and a dearth of trained internal staff. However, over reliance on a service-heavy approach isn’t viable for most organizations in the long run, particularly with attacks that are increasingly mechanized, standardized, and process driven.
  • Semi-automatic – Defenders have visibility and intelligence, and in select cases, trust it enough to allow certain systems to automatically apply some controls. However, for the most sensitive data – given that not all data protection is created equal – they want to see system recommendations and continue to leverage human intervention. The irony is that that’s precisely the type of data that cybercriminals target. Unfortunately, practitioners lack confidence that they have the right intelligence to automate the most critical decisions. They tend to revert back to human intervention and, unwittingly, leave open a window of opportunity for attackers.
  • Dynamic – Defenders use visibility and intelligence to rapidly adapt security policies and enforcement in real time based on what is seen and learned to reduce the surface area of attack or remediate compromise. Dynamic controls are about high degrees of automation, where security systems automatically respond to threats. Security practitioners increase degrees of automation based on ‘adaptive trust’ or increased confidence in devices, users, and applications over time. With dynamic controls, the right technologies can be deployed as practitioners need them for ultimate flexibility and to meet the requirements of mobility, cloud, and the Internet of Things (IoT) and Everything (IoE).
  • Predictive – Predictive doesn’t necessarily mean seeing an attack before it happens, but leveraging machine learning and advanced analytics to learn and improve intelligence continuously, leading to the prioritization and optimization of controls, protection, and remediation. The foundations of predictive technologies exist but are in their early days. Over time they will continue to evolve and improve, allowing defenders to have ability to scale controls through a predictive, operational model.

Visibility, intelligence, and automation are critical for greater security effectiveness against faster, more stealthy, well-funded, and unrelenting adversaries. But to make this evolution practical, solutions must be built on an architecture that enables multi-layered protection in a simplified way with fewer devices, shared intelligence, and centralized management and analytics. Organizations can’t continue to pile on more complexity and fragmentation with legacy, point solutions that can’t be integrated and don’t scale.

To help customers move their security controls forward, earlier this month we announced Cisco ASA with FirePOWER Services. As the first threat-focused Next-Generation Firewall, it’s one example of how dynamic controls can be enabled on a single device that is easy to manage and deploy; integrates with existing infrastructure; and can analyze, share, and act on intelligence between security layers.

Today we are unveiling the latest version of the Cisco Identity Services Engine (ISE) that offers dynamic controls for secure access to support enterprise mobility initiatives. It provides superior user and device visibility, more context into how network resources are being accessed, and controls to simplify policy creation and enforcement and automatically remediate access violations and potential threats. Data can be shared across other Cisco security solutions and through ecosystem partner integrations to identify, mitigate, and remediate threats faster. It’s another security technology from Cisco that is designed to help achieve security operations maturity.

In today’s climate of industrialized hacking and sophisticated cybercrime gangs, static security controls and human intervention alone are no longer enough to thwart attackers. Now more than ever, organizations need to be enabled to implement more effective controls to protect themselves against threats wherever and whenever they manifest.

For more details about today’s announcement, please watch our on-demand webcast


Martin Roesch

Vice President and Chief Architect

Cisco Security Business Group