Skip Links

Inside Cisco global security operations

Automated tools handle vast majority of security threats, but it's the human element that makes the difference

By , Network World
September 12, 2011 12:00 AM ET

Network World - AUSTIN, TEXAS -- In the ongoing battle against enterprise security threats, Cisco has amassed an army of 500 engineers, researchers and technicians deployed in 11 primary locations worldwide, whose marching orders are to analyze threats and do everything possible to mitigate those threats as quickly as possible.

The nuclei of Cisco's distributed system are its Threat Operations Centers (TOC), one of which is located in a nondescript office building outside of Austin, where Network World recently visited.

The amount of security-related data pouring into the TOC is staggering. "I never wake up in the morning and think I don't have enough access to data. I do wake up frequently in the morning and think 'what are we going to do with all this data?'" says Rush Carskadden, a product line manager in Cisco's security technology business unit.

The task that drives Carskadden and his colleagues is to put all the data in context. Providing context is critical to discovering and thwarting enterprise threats that are becoming increasingly complex and multipronged. Blended threats aren't new, but they're growing in prevalence and severity.

"We're seeing blended threats that act just as intelligently as a very good penetration tester would act," Carskadden says. Meaning, they're patient, thoughtful and persistent. "The real surprise is the degree to which and the sophistication with which these threats are automated."

IN DEPTH: 5 top social media security threats

Night Dragon is a perfect example. First publicized in February, this series of coordinated attacks targeted intellectual property from energy companies. The tools and techniques involved -- social engineering, spear phishing, Windows exploits and Active Directory compromises -- aren't incredibly sophisticated, but the attackers' methods made it difficult to link the malicious actions together and enabled the intrusions to go on for as long as four years.

"It's a very sophisticated threat in the sense that it will actually seek out the Active Directory server, compromise it, use data slurping to grab credentials, and then use those credentials to further compromise the network and gain access to sensitive information," Carskadden says. Beyond an initial SQL injection, the attack consists of activities that would not appear overtly suspicious; the attackers are operating in a manner that doesn't draw attention, surreptitiously looking for valuable information to extract. While not publicly calculated, damages from Night Dragon could potentially be in the hundreds of millions of dollars, Carskadden says.

"If you trace through how this threat works, you will find few better examples of how important it is to tie the intelligence together from the various vectors," Carskadden says.

Tying it all together

Tying together threat intelligence is essentially the mission of Cisco's Security Intelligence Operations (SIO), which provides threat information, vulnerability analysis, and mitigation solutions to enterprise customers. SIO is the command center for Cisco's security services and appliances.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News