The 135 Spanish Steps are perhaps one of the most popular tourist attractions in Rome—and this in a city where your alternatives include stunning options like visiting the Vatican, the Colosseum or the Trevi Fountain. And yet, a visitor to the Spanish Steps today is first—and ahead of any chance to delve into the rich history or architectural heritage of this monumental stairway—forewarned of the dangers of the omnipresent pickpockets that frequent the area! I bring this up because while European vacations may not always be part of our quotidian routine, our daily lives do involve shopping online, visiting our neighborhood retailer or posting updates on social media. And none of these places post enough warning signs urging us to be wary of the virtual pickpockets, waiting to steal and profit from personal, financial and business information that traverses across thousands of transactions at places we visit in person or on our browsers every single day.

As consumers we may even squeeze by with a bit of a lax attitude, but businesses are only painfully aware of the speed, ferocity and variety with which attackers move to try and gain access to critical business data. Our customers tell us that their cybersecurity teams work tirelessly—but often in reactive mode—to fight against breaches and constantly assess ways to eliminate vulnerable links. Today, we are thrilled to share that we’re stepping up to provide our customers and partners with enhanced capabilities to combat the changing nature of threats. Cisco ASA with FirePOWER Services integrates the proven Cisco ASA 5500 Series firewall with application control, and the industry-leading Next-Generation Intrusion Prevention Systems (NGIPS) and Advanced Malware Protection (AMP) from Sourcefire in a single device, providing integrated threat defense across the entire attack continuum—before, during and after an attack.

By providing a reduced network footprint (fewer security devices to manage and deploy) and arming you with some of the most sophisticated threat protection technologies available in the market today, we continue to work hard to be your trusted security advisor and partner in the middle of the evolving threat landscape.

Some IT teams may understandably hesitate to rapidly migrate to these newer technologies. In today’s dynamic threat environment, the slightest disruption to the security infrastructure increases vulnerability, leaving room for attackers to make their move. And then of course, with “everything else” that is going on (always, no?) it never feels like a good time to migrate. So, how do you move quickly and take advantage of new security solutions while minimizing potential disruption to both your security and business goals?

I took this question to our Cisco Security Services engineering team. This is a crew that doesn’t shy away from complex challenges—they have managed thousands (yes, thousands) of network and security migrations and I figured that their observations (distilled to three simple principles) can probably help provide perspective, if not a blueprint for a successful migration project.

1.       See the forest. And the trees.

Any action in the network (including an upgrade) impacts everything connected to that network, including various technology components and the policies and procedures that they enforce. Those are the trees, and your team is probably pretty good at tracking all the trees. But can they see the forest?

A migration plan requires that you understand how the migration fits into the “big picture”:

  • What is the business reason you are migrating ?
  • How does this upgrade fit into your overall information security strategy?
  • What is your technical objective of this migration?

Understanding the answers to these questions will help you prioritize the order in which new capabilities are deployed in the migration, and an outcome that meets the business and technical objectives you have signed up for

But all those trees matter too, so a detailed migration plan should include a complete map of the environment that will impacted, including these best practices:

  • Identification of tools to use in migration of applicable configurations
  • A “fallback” path—the ability to go back to the original configurations if the migration doesn’t work
  • A “phase-in” plan for new features:  try a new feature (or two) to validate that it works as planned.  Then add the next feature (or two). Validate. Rinse. Repeat.

2.  Practice makes perfect

Eat right and exercise. Measure twice, cut once. Practice makes perfect. Yup, the good stuff is all out there. Yet, our engineers say that you often tend to cut short time in the lab and thus seriously undermine the success of any upgrade. The best migrations have multiple pilots and dry runs before going into full production:

  • Include multiple lab locations: Even if your IT department specifies a standard configuration for all company locations, variations exist.  You’ll have a better chance of testing your new solution against those variations if you run your tests in a lab and conduct pilots in several different locations.
  • Create a real-world environment: Simulate the actual environment as much as possible.  Some of our retail customers create a “mock store” that is set up exactly like a real store including the routing, switching, mobile and other infrastructure like payment processing.

Running a pilot is when you’ll typically move beyond planning and get hands-on with the new equipment for the first time.  But the most successful upgrades never stop planning – pilots are your opportunity to:

  • Refine the end-user experience: will the migration introduce new interfaces (maybe a new secure login screen?)—if so, how will the user be informed? Or maybe a security splash screen will be introduced that an end-user hasn’t seen before (such as the introduction of a new URL filter). Thinking about the end-user experience during pilots will ensure there are no surprises when you roll out your upgraded solution to your production environment.
  • Create documentation: Develop step-by-step instructions as you execute the pilot. Use lots of screen shots in the documentation—don’t worry about how lengthy the documentation gets. Use video to document procedures. It’s important that nothing is left to creative interpretation!

3.  Get ahead by keeping it tuned

Once a migration project is complete, it’s a great idea to continuously revisit your deployment and confirm that it is operating at peak performance. Your network is continuously evolving, and so are the threats against it. If you perform regular audits on the configuration and rules (say, deleting  old rules or policies no longer required) you’ll keep your deployment “clean” and always ready to take advantage of the latest tools and innovation.

The Cisco Security Services team constantly renews and refreshes best practices so that we are always prepared to help you quickly deploy the right technology solution. We work with you to assess, recommend, design and implement solutions based on your unique requirements. And together with our partners, we offer a complete set of security services and solutions, leveraging the intellectual property of the industry’s top security R&D and engineering teams.

While new technology brings exciting opportunities and the latest in threat defense, migration projects do sometimes give reason to pause. But you can rarely afford to wait—the attackers certainly don’t! Share your own best practices with us via the comments below, and join us to chat live with two of our experts in an online webinar, “Best Practices for Upgrading Your Network Security Beyond Traditional Defenses,” at 11 a.m. Pacific Time Thursday, September 25.


Rashesh Jethi

Cisco Services