What
The coming Internet of Everything (IoE) will add thousands, if not millions, of sensors, devices, and automated systems to enterprise networks. However, most of these endpoints will not support security capabilities of their own, which makes them attractive to attackers as a way to gain access to, and attack, the connected network.
This IoE security challenge is reflected in two critical questions for information security departments:
How can we protect our network, data, and applications from threats that could come from millions of endpoints, most of which can't be secured?
How will we be able to analyze the huge volume of status and operational data generated by IoE devices for potential attacks and risks?
"Security managers will need the ability to leverage IoE data not only to identify specific threats, but also to learn about what types of traffic or activity represent an actual risk," says Logan Wilkins, program manager, Cisco InfoSec.
The volume is large enough to validate that our data collection and processing systems will be adequate to handle the higher data volumes generated by IoE elements.
DNS records provide an easy, fast way to find many security problems.
DNS also provides an important foundation for deeper analysis into other protocols that may be involved in a breach or attack.
In the future, we plan to expand data collection to include NetFlow, which will help us automatically detect and handle more security threats.
Using advanced learning algorithms to recognize with a high degree of confidence those external hosts that are likely to have malicious intent.
Analyzing the behavior of hosts and devices on our network to discern unusual activity that would indicate malware or unauthorized control of the device.
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
May 2015
Page 1 of 3
Cisco Unified Computing System (Cisco UCS) servers for the data processing and access applications
MapR file system for data storage, plus a time-series database for events that are generated as a time series
Splunk for automated filtering and initial analysis of events, which produces more useful information for detailed assessment by the Cisco security team
Lancope StealthWatch hardware for monitoring and ad hoc searches in the NetFlow data
Figure 1 presents a high-level architecture view of the data collection and processing system.
Figure 1.
Why
We know that defending the Cisco network as it connects more IoE sensors and devices will require the ability to quickly identify new threats. That's why we're focusing on two critical capabilities in the security data infrastructure: scalability and automation.
We also apply automated event processing with machine learning to identify risks in outbound network traffic. For example, our internally developed iCAM software analyzes user behavior (including outbound data transfers) and generates alerts when that behavior violates Cisco security policies.
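The machine-learning bullets earlier on the page (spotting unusual host behavior) and the iCAM description here both come down to comparing what a user or host does against a policy and against its own history. The following Python code is an added example, not Cisco's and not iCAM: it evaluates one day of constructed per-user outbound-transfer summaries against two static policy rules (a hard cap per transfer, and bulk transfers only to approved destinations) and a per-user statistical baseline built from the median and median absolute deviation of that user's earlier daily totals. Record format, policy values, thresholds and user names are all assumptions.

```python
import statistics
from collections import defaultdict

# Constructed daily outbound-transfer summaries (user, day, destination, megabytes); not real data.
SAMPLE_TRANSFERS = [
    # alice: a week of ordinary traffic, then a large push to an unapproved share
    ("alice", "2015-05-01", "crm.example.com", 120),
    ("alice", "2015-05-02", "crm.example.com", 95),
    ("alice", "2015-05-03", "mail.example.com", 140),
    ("alice", "2015-05-04", "crm.example.com", 110),
    ("alice", "2015-05-05", "wiki.example.com", 130),
    ("alice", "2015-05-06", "crm.example.com", 105),
    ("alice", "2015-05-07", "crm.example.com", 125),
    ("alice", "2015-05-08", "files.unknown-share.example", 3000),
    # bob: the same nightly backup to the approved target every day
    *[("bob", f"2015-05-0{d}", "backup.example.com", 1200) for d in range(1, 9)],
    # carol: new account with too little history for a baseline, one transfer over the hard cap
    ("carol", "2015-05-06", "crm.example.com", 80),
    ("carol", "2015-05-07", "crm.example.com", 90),
    ("carol", "2015-05-08", "backup.example.com", 6000),
]

# Hypothetical policy values.
POLICY = {
    "hard_cap_mb": 5000,                                   # never allowed in a single transfer
    "bulk_threshold_mb": 1000,                             # above this, the destination must be approved
    "approved_bulk_destinations": {"backup.example.com"},
}


def daily_totals(records):
    """Sum megabytes per user per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, _dest, mb in records:
        totals[user][day] += mb
    return totals


def policy_alerts(records, day, policy):
    """Static rules: hard cap on any transfer, and bulk transfers only to approved destinations."""
    alerts = []
    for user, rec_day, dest, mb in records:
        if rec_day != day:
            continue
        if mb > policy["hard_cap_mb"]:
            alerts.append((user, "exceeds_hard_cap", f"{mb} MB to {dest}"))
        if mb >= policy["bulk_threshold_mb"] and dest not in policy["approved_bulk_destinations"]:
            alerts.append((user, "bulk_to_unapproved_destination", f"{mb} MB to {dest}"))
    return alerts


def baseline_alerts(records, day, min_history=5, k=3.0, floor_mb=100):
    """Statistical rule: today's total far above the user's own median (robust z-score via MAD)."""
    alerts = []
    for user, per_day in daily_totals(records).items():
        if day not in per_day:
            continue
        history = [mb for d, mb in per_day.items() if d < day]   # ISO dates compare correctly as strings
        if len(history) < min_history:
            continue                                             # not enough history to judge
        median = statistics.median(history)
        mad = statistics.median([abs(h - median) for h in history])
        spread = max(1.4826 * mad, floor_mb)   # MAD scaled to a sigma estimate; floor stops a zero spread
        score = (per_day[day] - median) / spread
        if score > k:
            alerts.append((user, "deviates_from_baseline",
                           f"{per_day[day]} MB vs median {median:g} MB (score {score:.1f})"))
    return alerts


def evaluate_day(records, day, policy):
    """All alerts for one day; in practice these go to an analyst queue for triage."""
    return policy_alerts(records, day, policy) + baseline_alerts(records, day)


if __name__ == "__main__":
    for user, rule, detail in evaluate_day(SAMPLE_TRANSFERS, "2015-05-08", POLICY):
        print(f"{user:8} {rule:32} {detail}")
```

For 2015-05-08 this produces three alerts: alice trips both the unapproved-destination rule and the baseline rule, carol trips only the hard cap because two days of history are not enough for a baseline, and bob's 1200 MB backup is silent because it is both approved and normal for him. The median/MAD baseline is chosen over mean/standard deviation so that a single earlier spike does not inflate the spread and hide later ones; the floor keeps a user with perfectly constant history from alerting on trivial changes.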
However, "There will always be a place for human analysis because we can't know for sure in some situations whether something is really bad or not, so we can't set up all events for automated handling," says Bollinger. "We need the knowledge of our security analysts to identify which events indicate a false positive and which indicate a true problem."
Note
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.