Inside Cisco global security operations

Automated tools handle vast majority of security threats, but it's the human element that makes the difference

By , Network World
September 12, 2011 12:00 AM ET

Page 3 of 5

The Cisco Applied Security Research (ASR) team, for instance, looks for vulnerabilities in key technology areas and provides current threat indications and analysis. Vulnerability information that's related to Cisco products and networks gets handled by Cisco's Product Security Incident Response Team (PSIRT), which investigates the vulnerabilities and does the associated public reporting.

The Cisco IPS Signature Team researches exploits and writes vulnerability- and exploit-specific signatures that are used by IPS product lines. It's challenging work that requires coding experience, security savvy and what's dubbed "field knowledge" -- which can involve fraternizing with the hackers who make and use the exploits.

When looking for a good signature writer, "I look for curiosity, a desire to solve problems," says Morgan Stonebraker, who manages the signature writing team at Cisco's Texas TOC, which is contained within a cluster of low-rise office buildings north of Austin's city center. "This is like a puzzle. Every day you come in and there's something new, something that someone pretty clever came up with. You have to figure out 'how do I block it? How do I counteract that?'"

Sometimes vendors aren't, or can't be, candid about a specific vulnerability, which leaves the signature developer to work out the details. The team might be notified of a serious bug by a vendor whose only direction is something vague like, "it's an issue with embedded JPEG dimensions." The signature developer then has to compare the patched and vulnerable versions of the product, find the differences, and then attempt to zero in on the vulnerable area by putting themselves in the shoes of an attacker.

The IPS signature group has some internal SLAs that govern how fast it generates new or updated signatures. For anything that's related to PSIRT or Microsoft's Patch Tuesday, the team aims to push a signature out to customers within 90 minutes of the time a threat was publicly disclosed, Stonebraker says.

For critical enterprise-level zero-day threats, there's a 24-hour turnaround. "That involves a little more work -- sometimes in-depth research, reverse engineering, patch engineering," Stonebraker says. "It can get pretty complex, so we give ourselves a little more time."

On the managed services front, Cisco Remote Management Services (RMS) provides around-the-clock remote monitoring and management services for Cisco security devices deployed at customer sites. In the Texas location, the RMS team's facilities don't look much different from typical office space, except the room is very quiet and fairly dark, and there are monitors aligned below the ceiling so the team can see any trouble spots at a glance. The windows are coated with a film so that no one trying to peer in from outside the building can read anything sensitive or customer-related on any of the screens.

For the IT pros who are responsible for mitigating threats to Cisco products -- enterprise customers and partners -- there's the Applied Intelligence Team. This group provides technical training and consulting services as well as applied mitigation bulletins, tech tips, and instructions to help IT users tackle threat mitigation procedures.
