Many organizations have a computer security incident response team (CSIRT) that swoops into action to battle malware outbreaks, other types of cyberattacks and possible insider threats, and at networking giant Cisco, that CSIRT team is made up of about 60 people trying to protect a business with about 75,000 employees.
"We're tasked with monitoring for and investigating policy violations against Cisco," says Matthew Valites, Cisco's CSIRT manager for information security investigations. That means protecting corporate IT assets used directly by employees or the business for processing purposes so that sensitive information isn't compromised. However, since Cisco has embraced a "bring your own device" (BYOD) strategy, policy enforcement matters for Cisco's CSIRT have become more complicated.
"With user-owned devices, enforcement has become an issue," acknowledges Valites, in the course of discussing some of Cisco's security incident response practices. "BYOD is a real problem." In what's regarded as a cost-saving move, Cisco typically doesn't supply smartphones to any employee anymore, expecting them to use their own, unless their job falls under government regulatory restrictions where it's plainly spelled out an employee must be using a corporate-issued device. "This is a really big problem for my team," acknowledges Valites.
Above and beyond the BYOD conundrum, the Cisco CSIRT group each day faces the prospect of stopping desktop malware outbreaks, monitoring for unauthorized traffic on the network and guarding against stealthy online attacks from attackers going after key assets. There's also the inevitable spate of things like faulty log-ins but CSIRT's hard job is trying to ascertain unauthorized access.
This all has to be done within the framework for regulatory compliance. "We have a healthcare center in San Jose on premises with nurses and doctors," points out Valites, saying making healthcare professionals available on site is seen as a benefit for employees. And this means that security and privacy policies related to any data associated with it must adhere to federal HIPAA rules, he notes.
Valites says high-level executives at Cisco, not surprisingly, get special attention in terms of whatever computer or network they use since these executives are recognized as being valuable targets for cyber-espionage and the like. In comparison to other employees, "we pay more attention to their assets," says Valites.
And then there are whole groups at Cisco, such as an entire lab, that are known to all too frequently be getting into trouble, breaking with usage policies and their computers erupting with malware. "The labs are a little like the Wild West," acknowledges Valites. With repeat offenders there, Cisco CSIRT has no choice but to clamp down with additional controls, such a blackholing an entire lab on the network so they can't get online or shutting off network segments so they're restricted to an internal LAN.
But the main day-to-day challenge is in getting visibility into security events of any type and quickly deciding when and how to escalate the response. Cisco designed its own incident-response tracking system, where trouble of any type is recorded and pushed toward closure.
When an incident arises, the first task is to associate the computer device in question with its specific owner, says Valites. "We need the asset owners to provide that information to us," and in a large organization of global scope, that can be a challenge. Although lots of technical tools for antivirus, VPN, Web application control, intrusion detection and the like are in use, in the end much often rides on communication between people to share information accurately and quickly.
The CSIRT division also has to be mindful that there's the potential for an insider threat as there would be in any organization. That's the rogue employee or contractor with access to the network willing to steal data or do other damage. It's a prickly situation where escalation would mean reaching out to human resources and legal.
"We have good partnerships there," says Valites, noting that at Cisco, the legal counsel has made it clear about their role in incident response investigation and they want to be involved in the potential investigations into things such as leaks of sensitive information. Investigations of all sorts could require computer forensics, and Cisco's CSIRT is equipped to do that.
As Cisco is a global company, there is the need to coordinate the CSIRT across time zones and continents spanning North America to the Asia-Pacific region. "It's a follow-the-sun model," says Valites, adding that Cisco would benefit from physical security operations centers (SOCs). He says Cisco is now undertaking to construct two such SOCs -- one in San Jose, Calif., and the other in India -- that will make use of technologies of many types, including Cisco's own dedicated TelePresence systems for collaboration.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email: firstname.lastname@example.org.