Cisco IT Case Study

Intellectual Property Asset Protection

How Cisco Automates Protection of Intellectual

Property
Alerts based on behavior and context analysis of user actions reduce risk of data loss.
Challenge
EXECUTIVE SUMMARY
CHALLENGE
Automate monitoring of intellectual property assets
for improper access, storage, and distribution
Obtain information to improve protection of data
and intellectual property
SOLUTION
Internally developed iCAM software to analyze
behavior and generate alerts when defined rules
are violated
Context information provided by Cisco Identity
Services Engine to better target behavior analysis
RESULTS
40+ billion files protected
60 percent of alerts generated without intervention
by security experts
Managers see details that help them educate users
about risks
Cisco gains information to improve protection
of sensitive files, documents, and data

Like any business, Cisco has a huge amount of intellectual

property such as customer information, financial data, product
source code, and development plans. If accessed by unauthorized
people, that intellectual property could be used to damage the
companys operations and network security, revenues, competitive
advantage, customer relationships, and reputation.
We maintain a strong physical and network security infrastructure
to protect those assets, which are stored on systems in Cisco
facilities around the world. However, this infrastructure is largely
focused on stopping threats from external sources. We needed
capabilities to detect abnormal internal activity in order to identify
risky user behavior, whether intentional or not. Behaviors of
concern include:

LESSONS LEARNED
Educate managers about using alerts appropriately

an employees personal computer or mobile device,

especially just before the employee leaves the

Define behavior rules carefully

Plan for scalability
Context is very important to help managers
evaluate risks
NEXT STEPS
Extend iCAM to monitor data in cloud services

Transfers of highly sensitive files, documents, and data to

company.

Data transfers that are authorized, but sent over

unencrypted channels.

Support up to 10+ billion events per day

Develop predictive analytics for proactive risk
reduction

Distributing highly confidential documents to a large

group of internal users or posting restricted data for
open access.

Storing confidential information on unsecured servers,

file-sharing sites, or unauthorized cloud services.

Allowing access to a virtual desktop session by an unauthorized person.

Although the Cisco Computer Security Incident Response Team (CSIRT) was responsible for monitoring user
behavior risks, they needed an automated tool to keep up with the growing amount of data and activity.
Additionally, the increased use of cloud services for certain business applications and communications present
another avenue for inadvertent file sharing or information disclosure.
Improved access monitoring had to align with Ciscos policies for data protection and intellectual property access,
2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

March 2015

Page 1 of 5

as well as regulatory requirements and the Cisco Code of Business Conduct.

Its not practical to have only CSIRT monitor what data is at risk, says Melvin Tu, manager and architect, Cisco
IT. As our policies state, protecting Ciscos intellectual property is the responsibility of every employee.

Solution
Cisco IT developed the Intelligent Context and Content Aware Monitoring (iCAM) software to analyze abnormal
user behavior, generate alerts, and apply machine learning technologies to improve the monitoring over time
(see Figure 1).
Figure 1.

iCAM Process for Analyzing Behavior and Context and Generating Alerts

To assess a users behavior, iCAM incorporates a Hadoop-based analytics tool. This tool combines event data
from an application or system with context information about the

PRODUCT LIST
Servers - Unified Computing
Cisco Unified Computing System
Security
Cisco Identity Services Engine

associated user, data, device, and network.

The context is drawn from a mix of external and internal sources. For
example, the Cisco Identity Services Engine (Cisco ISE) provides critical
information about the device involved in an event, such as when a different
username is assigned to the device or when it does not have the operating

system version necessary for secure data storage.

The Cisco ISE and the iCAM software run on Cisco Unified Computing System (Cisco UCS) servers, which
support the scalability necessary to monitor more intellectual property assets in more of our locations.
When a user violates a behavior rule, iCAM sends an alert to the user or the users manager, according to the
action defined in the rule. For users, the alerts provide education about potentially risky behavior. For managers,
the alerts present the information they need to appropriately manage employee activity. The manager can also
elevate high-risk alerts to the Cisco Computer Security Incident Response team for investigation.

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

March 2015

Page 2 of 5

iCAM is designed on the principle of trust but verify for detecting if someone abuses their access privileges, says
Cheng Pan, program manager, Cisco IT. The behavior and contextual analysis provides in clear language the
who, when, where, and how details that a manager can use to identify the corrective action that is needed. The indepth alert information also helps us improve governance and methods for protecting Ciscos proprietary,
confidential, and sensitive data.
However, there are times when a users behavior may be unusual, but in fact it is authorized. In this case, the
manager can provide feedback to adjust the behavior rules in iCAM to allow that activity, which means repeated
false positive alerts will not be issued in the future.
The iCAM team works with development groups and data owners to define the behavior rules according to their
work practices and business needs, says Tu. This helps iCAM raise alerts only when we have a real problem.
The business rules also reflect the requirements of Ciscos corporate policies for classifying data and protecting
intellectual property.

Results
iCAM started as a security monitoring engine to protect source code for our research and development centers.
Today, iCAM also monitors Ciscos global data centers to control access to and prevent leakage of many types of
confidential and proprietary information. Table 1 shows the current scope of iCAM monitoring activity.
Table 1.

iCAM Activity Scope

Monitoring Activity

Data Sources

Examples of Monitored Activities

40+ billion files protected

130,000+ user profiles

File sharing and transfers

3+ billion events collected from 14,000+

servers daily

200,000+ device profiles

Searches on sensitive topics and keywords

200+ Cisco product profiles

Accessing source code repositories and

restricted databases

700+ policy rules

File system scanning

For the alerts generated by iCAM, 60 percent are zero touch, meaning a risky behavior is detected without any
manual action by anyone in Cisco IT or CSIRT. This capability allows faster notification and resolution of improper
information access or file sharing.
By using the data, device, and network profiles, iCAM also detects abnormal events that are generated by a device
or application that is not associated with an individual Cisco user. This capability provides an added measure of
protection for our intellectual property assets.
The evolution of iCAM will bring additional benefits to Cisco. As the machine learning capabilities in iCAM improve
the ability to detect risky behavior, we will be able to create predictive analytics for proactively monitoring and
detecting when an unauthorized action might occur, says David Corsano, director, Cisco IT. The ultimate goal
with iCAM is to predict and prevent a disclosure before it happens.

Lessons Learned
We have learned several lessons from our experience in developing iCAM and expanding its deployment.
Educate managers. To be effective, managers need to respond to iCAM alerts promptly and appropriately. For
example, a user may unintentionally do something that violates policy and causes iCAM to issue an alert.
Managers can use the alert to help employees understand risky behavior or to identify needed changes in data
classifications or access authorization. The manager should also know how to forward alerts to the corporate

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

March 2015

Page 3 of 5

security department when a clear security threat is present.

Define behavior rules carefully. Understanding the risks and regulatory requirements of your business, as well as
the sensitivity of your information and potential user actions, will help create effective rules for monitoring user
behavior. Also identify behaviors that might be considered risky but in fact are routine and acceptable, such as
sharing certain types of order information with an authorized partner. This type of context information is important
in helping managers understand the actual risk present in an alert.
Plan for scalability. As we move toward the Internet of Everything, an asset protection solution will need to
monitor more information types, devices, and applications.

The ultimate goal with iCAM is to predict and prevent a disclosure

before it happens.
David Corsano, Director, Cisco IT

Next Steps
Because iCAM was designed to deliver protection monitoring as a service, it is very easy and cost effective for us
to use it with new applications or environments. Cisco IT plans to extend iCAM to monitor additional data and
document systems, with a particular focus on unstructured data in cloud services. We will also scale the iCAM
deployment to support analysis of as many as 10 billion events per day.

For More Information

Read about the Cisco Identity Services Engine and the Cisco Enterprise Policy Manager.
The Cisco Code of Business Conduct presents an overview of the practices that Cisco employees must follow for
protecting intellectual property.
To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.

Note
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may
have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply
to you.

2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

March 2015

Page 4 of 5

 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

March 2015

Page 5 of 5