Enterprise security is being stretched and pulled apart from three different forces, and right now the attackers are winning.
The proliferation of mobile devices, work from home, and the inclusion of an increasing number of IP-using things on the network (store sensors, etc.) opens up the user end. The back end, with the increased use of cloud services, creates exposures as each supplier has their own security stack implemented.
At the same time, threats are getting ever more sophisticated, Cisco Systems Inc. officials told a group of international reporters on a video conference call Wednesday.
Ahmed Etman, vice-president of Cisco Canada's borderless networks division, noted that trouble-makers can buy directed denial of service attacks (DDoS) by the hour and by location. Spoofing of printers and other known devices to mount attacks is becoming routine, he added, while firewalls and other perimeter defences fail to pick up sophisticated infections as mobile devices move in and out of the controlled zone.
According to Bret Hartman, Cisco's vice-president and chief technology officer for security and government, the network — as the only component that connects all the devices, application services and data stores making up the enterprise's asset pool — must be intelligent enough not only to defend against attacks but also to discover new types of attack and remediate their effects.
Adding content awareness (knowledge of what applications exist, how many instances there should be and what data they use) and context awareness (knowledge of the individual user, their likely locations and the device's purposes, to catch address spoofing) makes it more likely that threats will be detected early, and that new forms of malware will be discovered and remediated on the strength of the pattern changes they cause.
The officials said Cisco is working with other vendors to produce shared open standards any supplier can use to implement an opening up of the management, control and transport layers in their network routers, switches, and servers.
For new threat detection and pattern recognition, Cisco is working with a cloud-based model that accumulates patterns across multiple enterprises (without transferring enterprise data), thus speeding up the identification and remediation.
At the heart of what Cisco is bringing to market today, they said, is the Identity Services Engine (ISE). This is the tool that recognizes that a certain MAC address belongs to a device at a known fixed location (a photocopier/printer, for instance): if that address suddenly appears "elsewhere", it should be shut down. An administrative assistant who suddenly connects with their known smartphone from, say, Shenzhen, China, would likewise be denied service. Cloud-based applications would come from known ranges of IP addresses: a move would be suspect.
ISE also would be used to check the configuration of new devices in a “bring your own device” (BYOD) world. Improperly-configured units (rooted phones, for instance) would be denied access. Cisco is partnering with most major device management vendors to augment the ability to define and control “correct configurations”.
Threat detection implies building profiles of usage patterns (for example, this user travels frequently but only to two trans-ocean cities; this one stays within a province when accessing services; this person never uses systems between midnight and five am) to identify and deny service when abnormal patterns are detected. Policy defining classes of access is augmented by patterns obtained through usage to refine control. This is why Cisco [Nasdaq: CSCO] recently acquired Cognitive Security, which gives them increased self-learning and revision resistance capabilities in ISE.
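The three checks described above (a fixed-location device appearing on a different part of the network, a user connecting from a city or at an hour outside their own history, and cloud application traffic arriving from outside its known address ranges) reduce to comparing each access event against a baseline. The following is an added illustration written for this page, not Cisco ISE code or configuration: the device table, address ranges, session history and events are all constructed, and the user profile is learned from that history rather than declared by policy, in the way the paragraph above describes.

```python
"""Context-aware access checks on constructed data (added example, not ISE code)."""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence, Tuple

# Constructed baseline: MAC address -> the switch/location a fixed device must appear on.
FIXED_DEVICES: Dict[str, str] = {"00:1a:2b:3c:4d:5e": "HQ-floor3-printer"}

# Constructed baseline: cloud application -> address ranges its traffic is expected from.
CLOUD_APP_RANGES = {"payroll-saas": [ip_network("203.0.113.0/24")]}


@dataclass(frozen=True)
class UserProfile:
    """Usage baseline derived from a user's own past sessions."""
    locations: frozenset      # cities the user has connected from
    active_hours: frozenset   # hours of day (0-23) with any recorded activity


def learn_profile(history: Sequence[Tuple[str, str]]) -> UserProfile:
    """Build a UserProfile from (city, ISO-8601 local timestamp) pairs of past sessions."""
    locations = frozenset(city for city, _ in history)
    hours = frozenset(datetime.fromisoformat(ts).hour for _, ts in history)
    return UserProfile(locations, hours)


@dataclass
class Event:
    kind: str             # "device", "user" or "app"
    subject: str          # MAC address, username or application name
    location: str = ""    # switch/location for devices, city for users
    src_ip: str = ""      # source address for application traffic
    timestamp: str = ""   # ISO-8601 local time, used for user events


def evaluate(event: Event, users: Dict[str, UserProfile]) -> List[str]:
    """Return the anomalies found for one event; an empty list means the event fits its baseline."""
    reasons: List[str] = []
    if event.kind == "device":
        expected = FIXED_DEVICES.get(event.subject)
        if expected is None:
            reasons.append(f"device {event.subject} is not enrolled")
        elif event.location != expected:
            reasons.append(f"fixed device {event.subject} expected at {expected}, seen at {event.location}")
    elif event.kind == "user":
        profile = users.get(event.subject)
        if profile is None:
            reasons.append(f"user {event.subject} has no learned profile")
        else:
            if event.location not in profile.locations:
                reasons.append(f"user {event.subject} connecting from unusual location {event.location}")
            hour = datetime.fromisoformat(event.timestamp).hour
            if hour not in profile.active_hours:
                reasons.append(f"user {event.subject} active at unusual hour {hour:02d}:00")
    elif event.kind == "app":
        ranges = CLOUD_APP_RANGES.get(event.subject, [])  # unknown app -> no ranges -> flagged
        addr = ip_address(event.src_ip)
        if not any(addr in net for net in ranges):
            reasons.append(f"app {event.subject} traffic from {event.src_ip} outside its known ranges")
    else:
        reasons.append(f"unknown event kind {event.kind}")
    return reasons


# Constructed history for one user: daytime sessions from two cities only.
ASSISTANT_HISTORY = [
    ("Toronto", "2013-02-04T09:15:00"),
    ("Toronto", "2013-02-05T13:40:00"),
    ("London", "2013-02-11T10:05:00"),
    ("London", "2013-02-12T16:30:00"),
]
USERS = {"asst01": learn_profile(ASSISTANT_HISTORY)}


def demo_results() -> List[List[str]]:
    """Evaluate a constructed batch of events against the baselines above."""
    events = [
        Event("device", "00:1a:2b:3c:4d:5e", location="HQ-floor3-printer"),
        Event("device", "00:1a:2b:3c:4d:5e", location="Branch-12"),
        Event("user", "asst01", location="Toronto", timestamp="2013-02-20T10:00:00"),
        Event("user", "asst01", location="Shenzhen", timestamp="2013-02-20T10:00:00"),
        Event("user", "asst01", location="London", timestamp="2013-02-20T03:00:00"),
        Event("app", "payroll-saas", src_ip="203.0.113.7"),
        Event("app", "payroll-saas", src_ip="198.51.100.9"),
    ]
    return [evaluate(e, USERS) for e in events]


if __name__ == "__main__":
    for verdict in demo_results():
        print("allow" if not verdict else "deny: " + "; ".join(verdict))
```

The hour baseline here is the raw set of hours seen in history, so with only four past sessions a legitimate 14:00 login would also be flagged; a deployable version would bucket hours into shifts and require a minimum amount of history before enforcing, which is the self-learning refinement the paragraph attributes to the Cognitive Security acquisition.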
The notion of a network driven by software rather than black-box hardware is key to the future in Cisco's view. This will allow the network, in time, to be a true participant in the stack that connects users to useful information, and will be essential, in their view, to managing an Internet of Things in which the typical enterprise will see its network connections grow by three orders of magnitude or more. In an era of "call home" espionage threats, software detection of pattern changes is key.
Cisco’s next challenge is to evolve the metadata required to provide deeper contextual knowledge of the network and its participants, and to bring other vendors on side with supporting the open framework required to implement it in all network devices.
Hartman made it clear that nothing less than “disrupting the whole current security model” would do, as “attackers only need to win once; defenders must win every time”. Given that security is quickly becoming a Board-level issue in enterprises, Cisco’s efforts are timely and security teams should begin building profiles of expected usage patterns ahead of time to understand better where their exposures are concentrated.