This post is a followup post from my colleague Garett Redelings, Enjoy!
Last month I had written about Cisco's IronPort Application Visibility Controls. The information here on the Cisco SIO is a follow up based on readers comments to the previous article. You can read that article by clicking here.
What is the Cisco Security Intelligence Operations?
The Cisco Security Intelligence Operations or SIO operates as the telemetry hub for Cisco's email, web, and IPS services. These systems participate in a network of data analysis and that calculates threat risk ratings and reputation scores. What sets the Cisco's SIO apart from other solutions is their unique ability to leverage a well established footprint of security solutions to provide the widest range of sampling data. Cisco then uses this telemetry data to increase blocking accuracy and capture rate as well as fine-tune its signature-based systems; such as the IronPort Email Security Appliance, the IronPort Web Security Appliance, and the Cisco IPS.
Why the data matters
One of the key concepts of the Cisco SIO is that the data incorporates multiple sources. This telemetry of data drives features like Reputation Services beyond a typical signature based approach that often fail to identify a wider range of malicious traffic based on the same treat source. Multiple data feeds also support a system of crosschecking and correlation that increases accuracy as well as provide a wider spectrum of protection against malicious traffic sources.
The concept behind Cisco's Web Reputation technology involves tracking an IP address's behavior in effort to make filtering decisions based on threat risk. Many conventional URL filtering solutions have categories for Malware or Threat URLs but there are fundamental differences between categorizing a website as a threat V.S. tracking a website's behavior dynamically and over time. For example, a typical URL filtering system will need to have seen web traffic from a specific source at some point in time in order to analyze and then categorize that site as being malicious. This approach works for identifying known malicious websites but will provide little to no protection from new web server IP address, uncategorized URLs, web outbreaks, and zero-day attacks.
The reputation system on the Cisco IronPort Web Security Appliance provides a scoring range from -10 (bad) to 10 (good) and the mechanism to choose when to block, when to allow, and when to scan the data for malware and viruses. This scoring system is the foundation for protecting against new threats from low scoring sites as well as bypassing scanning from high scoring sites. A system that can block without having to scan and/or bypass unnecessary scanning for trusted IP address will boost performance and capture rate provided that the scores are backed by good data. Having a lot of data is important but boiling all of that down into useful information is the key to an effective solution.
Web Reputation and Telemetry
The Cisco IronPort Web Security Appliance utilizes data from the SIO in its Web Reputation technology. This data has been distilled from specific web threats in addition to that of email security, IPS, and Cisco's Threat Operations Center comprising research and additional data feeds. During a process called Global Correlation, information about a particular web server is associated with any previous activity from that IP address, weather it be email traffic, attack history, web content, or forensic information. The SIO telemetry data can then be used not only to block a user's browser from going to this malicious site but could also block emails from this IP address as well as assign additional risk ratings to IPS signatures. For web security, the telemetry information from multiple sources in the SIO is what gives the solution an advantage over simple URL categorization or reputation scores based solely on web traffic.
Consider a new web outbreak event or the uncategorized URL/IP address that begins hosting malware. Perhaps no signature is available to identify the malicious data on a newly registered site but this same system has been a spamming server for months and then suddenly starting hosting malicious web content. Cisco's SIO had been tracking and analyzing the spam traffic from this IP address and correlating it with additional information such as domain registration within a block of IP addresses known to be serving botnet command and control. The email and botnet data in this example along with additional IPS signature samples (based on attack history) gathered by the Cisco SIO are combined to produce a web reputation score than can then be used to block traffic to this site even before it is categorized or has its first victim visit the site.
With the coming of the Security Intelligence Operations, Cisco is attempting boost the effectiveness of its IronPort Web, IronPort Email, and Intrusion Prevention Systems. By using data telemetry, Cisco is gathering and processing huge amounts of data and then concentrating that into information that it's security appliances can utilize. In the future we may see additional Cisco devices take advantage of SIO information and this would make quite an impact in the security realm. Until then, the Cisco SIO continues to provide a unique advantage for its email, web, and IPS solutions.
For more information on the Cisco SIO, click here.