Cisco presents a vision of the future in the Cisco 2015 Midyear Security Report that we expect many—particularly in the security industry—might find a little controversial. We suggest that over the next five years, there will be a continued wave of industry consolidation—driven less by financially motivated M&A and more by the need for capable solutions—that brings together niche innovators and long-standing players for the greater cause of protecting organizations.

And then what? This consolidation will lead to the development of an integrated threat defense architecture that will help to reduce time to detection and remediation of both known and emerging threats. This architecture will bring unprecedented visibility into the threat landscape, and provide control, global intelligence, and context across many solutions.

While disruptive, this change is necessary. Right now, as an industry, we’re just not doing an effective job helping all end users defend themselves from the highly sophisticated and ever-changing tactics of today’s threat actors.

As noted in the Cisco 2015 Midyear Security Report, the current industry estimate for time to detection (TTD) is 100 to 200 days. We examined our data and systems to enrich this conversation and better assess where we are and where we think we can go with TTD. While there are varying views on TTD, we define it in the report as the window of time between the first observation of a file having bypassed all security technologies to make it to an endpoint, and the detection of a threat associated with that file. The current industry estimate of 100 to 200 days is clearly an unacceptable time frame, given how rapidly today’s malware authors are able to innovate.

In the report, we also share a use case analysis conducted for the first half of the year that highlights our success in reducing TTD to less than two days (see the chart below). Over the first half of the year we have observed a varying TTD of 41 to 50 hours and we believe that even that’s not good enough.


Given that Cisco is achieving a median TTD of 46 hours today, imagine if the security industry had a detection-and-response framework—a visibility platform—that all vendors could operate on and contribute to, and where information exchange occurred automatically and in real time so that more vendors could achieve this TTD to protect their customers? Just imagine how nimble we would become.

Of course, industry consolidation alone is not enough to develop the integrated threat defense architecture described here. It also will require cooperation, dialogue, and coordinated action among all security vendors. We will need to share our expertise and combine innovations, and exchange information proactively and actionably to help end users better defend themselves. One proposed approach is to form alliances and keep small groups of insiders informed – this is absolutely not the right approach. Openness and inclusiveness is the only way forward, sharing with all defenders, and taking action on that intelligence together, is the future.

While there is a role for alliances, it is not in creating closed groups of insiders and should be focused on establishing the interfaces and methods for an automated exchange of actionable information. Closed alliances create a negative impact on the ability to achieve a timely exchange of meaningful and actionable intelligence, they are simply too slow to share and even slower to act. We see attackers pivoting and changing tactics in a matter of hours, and as an industry we need to do better than hours to maintain an effective defensive posture.

Integrated threat defense is the future, but it will require commitment to achieve. For those who aren’t convinced that this is the right direction for the industry, or the right time for change, give me an alternative that helps us collectively reduce the time to detection to minutes for all customers. Until then, we are headed there and I want you to come with us.

And so, the security industry must move faster—together. Otherwise, the end users that rely on our products will never have the visibility and control that’s necessary to deliver better protection across more threat vectors and to swiftly neutralize more attacks in a timescale that matters.

To learn more, download the Cisco 2015 Midyear Security Report.


Jason Brvenik

Principal Engineer

CIsco Security Business Group