Security for the Real World: a Practitioners View

Cisco IT Insights

What
Like most enterprises, Cisco faces an ever-evolving, proliferating security threat landscape. The dilution of perimeter-based
security, new targeted threats, the growth of cloud computing, content virtualization, the consumerization of endpoints, and a rise in
hacktivism are pushing not only security technologies to advance, but also enterprises to adapt their security, governance, and
policy strategies accordingly. Companies cannot afford to focus their security spend and resources on preventative measures
alone.
That is why Cisco InfoSec is taking a more holistic approach to security and focusing on shaping policies and practices that help
protect Cisco assets, data, and intellectual property both proactively and reactively. While technology is a large part of Ciscos
security architecture, a watchful eye on trends within the business environment and the impact on users are also important to
Ciscos comprehensive plan.
To apply technology to the problem in the best possible way, we consider the user experience, how that experience impacts
people, and what processes need to be implemented for the technology to be successful, says Sujata Ramamoorthy, InfoSec
director at Cisco. We then work closely with IT to deploy these technologies and processes. We also work with users and our
vendor community.

Why
InfoSec is currently focusing on securing the mobile cloud in the enterprise. The mobile-cloud trend is at the core of the Internet of
Things (IoT), a network of physical objects through the Internet. Every time we make a leap in technology, it creates tension in
security which enables us to solve security problems, says Ramamoorthy.
Security Policies
In a mobile and borderless IoT environment, protecting Ciscos resources requires dynamic context-driven policies, including:

Differentiated policies based on the trust level of the devices, and

Policies to secure the enterprise resources.

InfoSec drives the implementation of policies using Cisco products such as Identity Services Engine (ISE) and Application Centric
Infrastructure (Cisco ACI) to achieve our context-driven policy vision. As new mobile devices are brought into the corporate
network by Cisco users, ISE will allow policy-based, differentiated access according to the device posture. Devices that do not
meet the minimum standards will only be able to access Internet-Only Networking, which is our guest networking solution.
Applications can use the context from ISE to enable certain functionality in the application. For example, devices with no encryption
may not be allowed to download sensitive data. InfoSec also drives user education and awareness to ensure that users are
adequately notified of our policy implications and to help them take steps to protect personal and business data.
In the data center, where traditional resources reside, ACI will allow contextual policies via the Cisco Application Policy
Infrastructure Controller (Cisco APIC), enabling policies to move with the resources. From a network security perspective, ACI
offers automated programmable application updates as rules are added, moved, or removed. In traditional network security without
ACI, it is common for security controls to go out of sync with applications. For example, setting up a firewall rule to protect a set of

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

October 2014

Page 1 of 4

hosts. As those hosts are replaced over time, the possibility would open that a new host for that group would not be placed behind
the same firewall and thus not be protected by it. ACI is the next step in transforming network security.
While technological leaps such as mobile cloud and IoT bring new challenges, they can also offer great opportunities to drive endto-end security solutions forward. Technologies such as Cisco ISE and ACI allow us to better manage the risks to our environment
with context-based dynamic policies.
Threat Intelligence and Analytics
Intelligence is one of the most important techniques a company can use to protect its resources. InfoSec monitors and analyzes
data from several sources including Cisco intrusion detection system (IDS) and intrusion prevention system (IPS), DNS logs, and
NetFlow data to detect malicious activities in the network, the source of threats, and the tools used to carry out intrusions.
We have such a large footprint with our network and security products that this full spectrum of insight is a huge benefit, says
Ramamoorthy.
In collaboration with employees from Cisco acquisitions such as SourceFire and other enterprises in network security, InfoSec
uses research and analytics from monitoring feeds to detect anomalies and patterns that help prevent and mitigate threats to data
and identity security. This intelligence is also used to strengthen Cisco products, services, and the enterprise as a whole.
Cisco is in a unique position security-wise. Like many large enterprises, Cisco is targeted by continuous threats, but Cisco also has
the opportunity to identify potential threats to both the security community and customers. As trusted advisors in the security
sphere, InfoSec establishes policies and governance based on intelligence and analytics.
Were open to sharing, says Ramamoorthy, and were comfortable talking about security. Companies need to be comfortable
talking about security to keep up with the threat landscape.
Cisco researches and shares findings in the Cisco Annual Security Report as well as at industry conferences. Cisco Security
Intelligence Operations (SIO) provides early-warning intelligence, threat, and vulnerability analysis. One component of SIO is Cisco
SensorBase, which captures global threat telemetry data into a centralized location from an exhaustive footprint of Cisco devices
and services. After the information is analyzed, it is made available to customers. This level of transparency increases Ciscos
visibility and equips the larger security community with the information to help companies adapt their security strategies.
Collaboration with Business Units
As the business and technology landscape evolves, being able to communicate and collaborate within Cisco is integral for InfoSec
to successfully protect people, process, and technology. One of the key differentiators of InfoSec is its active involvement with
several key organizations within the company, including IT, human resources, finance, and employee services. InfoSec partners
with these business units as a trusted advisor on security practices and guidelines. Maintaining solid communication with the
organization allows InfoSec to drive new capabilities and accountability within business functions. Some of the proactive ways in
which InfoSec advises on policies for people, processes, and technology include:

Pervasive Security Accelerator (PSA)

Product development process consulting

Customer briefings, presenting at conferences

The PSA is a CIO-led initiative to develop broad-ranging security capabilities - people, process, and technology - to address the
security needs of the enterprise. Staff roles including Security Primes and Partner Security Architects have been established with
commensurate training programs to develop the security skillset in IT. Paired with metrics programs, we gain the visibility and
accountability to address security in all IT services.
The human element is always integral to achieving security. Two themes have arisen in the network security field when mitigating
targeted threats: compromised endpoints through malware and compromised user credentials.
2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

October 2014

Page 2 of 4

The trend of going after endpoints and then compromising user credentials is rising because its an easy way to bypass traditional
perimeter security controls, says Dave Jones, InfoSec architect at Cisco. We need to enable the human shield to allow users to
be more aware of what they should or shouldnt click on, and then easily report it.
As part of the PSA, proactive education and awareness campaigns have been introduced. The exploitation of trust is a common
mode of operation for online attackers and other malicious actors, and Cisco has been successfully educating employees about
certain behaviors to protect their Cisco credentials. For example, at the beginning of July 2013, InfoSec launched an employee
awareness campaign that simulated a series of phishing emails. The campaign was done in collaboration with corporate
communications, IT enterprise messaging, the IT desktop organization, and the global help desk.
Initially, phishing emails were sent to a few small target groups in IT. Over time, InfoSec has expanded the campaign companywide to more than 138,000 users. The campaign educates and creates awareness about the threats that phishing emails pose to
the company and to employees.
Part of this process includes immediate education if a user clicks on a suspect link, says Dave Vander Meer, InfoSec program
manager at Cisco. They are directed to an awareness webpage that specifically identifies what parts of the suspect email should
indicate it as a phishing email. Weve built a baseline of awareness and worked from there over time.
Additionally, InfoSec partners with employee services and other internal organizations to offer email guidelines that enable
legitimate communications to reach users. Its an effective campaign in generating awareness, says Jones.
With a seat at the product development table, InfoSecs main objective is to consider past and present security models and
correlate them with current security requirements.
Weve given early feedback in product development, and were working with the IT infrastructure organization in the design
phase, says Ramamoorthy. We find a balance and really understand what sort of change we can drive that improves security yet
balances the needs of the business and users.
By working with Ciscos services organizations and product business units, Cisco is able to position its products and services to
help customers and protect data. Combined with intelligence, InfoSec is using core competencies including threat detection,
mitigation, and business and technology architecture, to not only help the business, but to inform and protect customers as well.
Forward-Thinking Security
Dynamic policies based on context (user, devices, location), content (data sensitivity), and threats will pave the way forward in
adaptive and intelligent security. Enabled for both on-premises and cloud-based services, technologies such as ISE and ACI are
setting the foundation to evolve our security for the future. To achieve this level of understanding and keep aligned, InfoSec relies
on partnerships with different business units within Cisco, including IT.
Collaboration and transparency allow InfoSec to capture the intelligence required to monitor and protect not only the infrastructure,
but the data within that infrastructure, through a blend of practice, policy, process, architecture, and technology.
Developing a security mindset within business units like the one we have with IT is one of many ways we will drive change and
better security, says Ramamoorthy.

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

October 2014

Page 3 of 4

For More Information

To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.
Cisco Annual Security Reports: http://www.cisco.com/c/en/us/products/security/annual_security_report.html

Note
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to
the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED,
INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.

2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.

October 2014

Page 4 of 4