Freelance writer Susan Perschke recently sat down with Cisco Vice President and Chief Security Officer John N. Stewart for an in-depth discussion of the state of enterprise security.
Stewart leads Cisco's security operations, product security, and government security functions. He is also responsible for overseeing security for Cisco.com, the infrastructure supporting Cisco's $40-plus billion business, and WebEx, the collaboration service providing 73 million online meetings per year, among other Cisco functions. Stewart holds a Master of Science degree in computer and information science with honors from Syracuse University, Syracuse, N.Y.
In this wide-ranging discussion, Stewart describes the most troubling threats facing enterprises today, and talks about how companies can protect themselves by deploying what he calls "composite security." He delivers specific advice and gets into areas like mobility, identity management, and the need for companies to begin planning for IPv6.
With network security threats continuing to evolve, what are Cisco customers reporting as their top security challenge?
To give you a little bit of history, I've been in the computer security industry for almost 25 years, and the responsibilities I hold are the traditional corporate information security functions. I also co-chair the product security board and am involved in a significant portion of the way we do government work around the globe, with implementation for military, intelligence and public sector customers. So I end up having three views of the security challenges we face. My observations and what we hear most from customers, at least circa 2012, is that their challenges break down essentially into a "triad of triads," with one of those aspects most often causing them the most significant fits.
The first triad essentially dissects the attacking community, if you will, into three main sets of perpetrators. We have individuals that are working on their own behalf for any number of reasons, trying to get into corporations or businesses, or to affect online services. We have organized groups that, more often than not, are funded, and that could be a traditional crime-based group, it also could be a country, and I'm trying to objectify or abstract those groups as ones that are organized, and well-funded and with purpose. Then there's a third group, that emerged in 2011 that I don't think was easily predictable, and it's this thinking, "I'm not financially motivated, I'm not working as an individual, I'm just going to group together at a moment's notice and have a purpose and attack motive." So I put that in the first part of that tri-graph, which means that we have quite a collision of accelerated threats with different purposes. One could be curiosity, one could be monetary or disruptive, and the third could be just purely "I have a political purpose against you." So all of our customers, for all intents and purposes, are very worried about each of them, and they're not precisely in educated or equal quantities as to which they should go after first, or protect against, or understand next. So that triad is the externalization of those threats and who is doing them.
The second triad -- and this is the one that's giving most of our customers fits -- is that we now have a fairly rapid pace in which three major technology platforms have shifted, essentially within the same two-year period. Those three shifts are collaboration, mobility and virtualization. So our customers share with us that this technology acceleration has now managed to make a significant amount of what they've done very difficult to implement, and it morphs into a fear of collaboration. We hear, "I have collaboration information outside my company, it's being exchanged on a regular basis with other companies, people, customers, and so forth, and I'm worried about protecting it." On the mobility side, it's the "bring your own device (BYOD)" challenge. For virtualization, I have a broad definition that happens to include cloud, which to me is just a delivery form for virtual systems and often renders itself as, "What do I do about cloud providers?" But virtualization at large comes down to, "How do I protect against hypervisor attacks? How can I be confident that data center operations are sound?" and so forth. So that's the second triad -- this significant technology shift on three different axes.
The third triad that our customers tell us about, and I feel this, too, is that for any number of economic reasons, including quality of service delivery to your customers, IT's criticality is high and to the right. It can be the differentiation of your business, it can be the intimacy with your customer, and it can be the public delivery of what you're doing ... you name it, it's now critical. You just can't live without your network, your systems, your data center, etc., because you're fully reliant upon them to run a business. It's not only a great time to be in IT, it's also a very scary time to be in IT. And you find yourself in the position of having an accelerated threat of three different actor types, three different significant technology shifts happening concurrently, and having to deal with systems that better not go down because they are imperative to our lives. So that's what I've observed, and I can't singularly answer what our customers report as their No. 1 security challenge, except for managing that triad of triads.
Client-side and mobile device software security tends to get short shrift compared to OS and perimeter systems, even though unprotected client and mobile systems could potentially pose a greater threat to network security. Should network managers refocus their priorities to make sure both network and client-side security receive equal attention?
This is highly contextual to what the given operations are, so the best way I would respond to this is that the network itself is a lot like the power grid of yesterday -- if you had power it was great, but if it broke down, nobody was surprised. Over time, you expected power to be up and running, and you changed your perspective about it. Now, with the exception of rural areas, which are prepared to lose power during certain seasonal cycles, you know it's going to be there when you need it.
The networking community did the same thing. During the early days, if the network was up it was astonishing, and we didn't really mind if it went down. Then it became, "I'm largely expecting the network to be up, except at certain times of the day"; and now it's like, "What the heck do you mean, it's down?" So my observation is that you could work all you want on application server systems at the high-order bits, but make sure you're on solid, concrete ground with the network infrastructure. There's a tendency to lean on the concept that, "if it's not broke, don't fix it," when, in fact, nothing could be further from the truth: The network needs care.
I tend to believe that the multiplicity of devices means that we are now moving or shifting toward network-based vs. endpoint-based security solutions. This is true, if for no other reason than the exploding number and heterogeneity of vendors, both on what we use as consumers or employees, and the "personless" devices, such as the touch panels that I have in my house, which are just as capable of sending a DDoS (distributed denial-of-service attack) across my LAN as my computer.
It seems that the attack surfaces are expanding exponentially.
Yes, they are, especially when it comes to the number of vendors. If you're working on an endpoint-based security solution, it's getting more complicated because of its nature. For all intents and purposes, you're facing a situation where you can't manage every vendor because there are just too many of them. And then there's the combination of the vendor plus the operating system. If it was just Solaris, Linux and Microsoft Windows, I think we would have a more manageable scenario, but that's just not the case anymore.
So perhaps the network becomes more critical again because it has a greater force effect, protecting everything that touches it, and it has the highest capability of seeing everything that's on it.
What is the best defense strategy during the inevitable migration to IPv6? How great is the threat posed by older, non-IPv6-aware routers and switches?
The challenge with IPv4-only switch routing platforms is that they can become "blind." Juxtapose that with the point I just made a moment ago, which was that the network itself may be the most logical place to protect now that you can't use the endpoint: if a switch or a router is blind, then it really can't help you much. So IPv6 tunneling inside IPv4 essentially makes it just a hop, and that means it's going to pass along both good and bad, with no real succinct ability to determine what to do. That's where the risk becomes evident to me. Any thoughts on that yourself?
What really struck home for me after I wrote my second article about IPv6, were the comments with people saying essentially, "Since no one's using it (IPv6), and I don't have any v6 equipment yet, and my upstream provider doesn't support v6, why should I be concerned?" But my answer to that is, "So what -- you need to be concerned, because you are still vulnerable to the attacks that can come through v4."
Absolutely. That's an interesting observation because the adoption of v6 is actually gently moving, if not significantly moving up, for a couple of reasons. If you think about the quad-A day we did back in June, it was one of the initial forays toward demonstrating that you can run v6 networks, advertise, etc., but most of the search providers have already enabled v6 in some capacity, especially on phones. And just like my Mac operating system is v6-enabled instantly, even if I'm not using v6 on the network -- default "on."
Exactly. Everybody has it even if they're not aware.
Yeah, exactly.
And I would imagine it gets to the point of the economics of it where IT goes to management and management wonders why they need to worry about IPv6 -- it's just one more layer of expense.
True, though to your point just a moment ago, just because you don't think you're using it doesn't mean that no one's using it. Plus, certainly in my mind there is an argument that can be made if you're going to look at the future and embrace it, you better not ignore v6, because it's an inevitability that might take a few years to get ready for, and I'd rather not have to learn it the moment I need it. IPv6 is here, whether we want to acknowledge it or not, and the idea that all v4 thinking applies to v6 is a fallacy. It's probably a 90% Venn diagram, but that's about it, and then you have 10% that's going to be highly unique to IPv6.
There used to be a rather finite space that you could search to reverse trace an attack, and now with IPv6's multiple billions of addresses, that goes away.
Right, and you just hit on a point. Some of the uniqueness of v6 is that you're not going to run sweeps -- you can't run a scan to find your vulnerabilities. So why not learn this now, before it becomes something you need to resolve, but are not ready for. This is how we learned v4, too, and I find it sort of ironic that there's a sense in the community that, "No, we don't really need to learn it because we're not using it." We weren't using v4 either, but we then started using it intra-data center, then intra-LAN, then remote access, and then ubiquitously. I'd rather learn in the beginning, than learn in the middle.
What is the practical advice for organizations? Can you start doing something at the perimeter at least to start capturing malware that might be packaged inside v4?
There are two practical things you can begin to do. It's almost like using DLP (data loss prevention) for this purpose; you're essentially looking for encapsulated packets. Now that's not a precise science yet either, since you're dealing with packaging and encryption and other obfuscation techniques, and you won't see it. The second thing you can do intra-organizationally is just put up v6-enabled devices and see what "pings" them -- not a literal ping, but you know what I mean. You'll then find out if there's v6 traffic, even though you might not think there is. And that's because you're going to see the v6 devices broadcast and look for neighbors, do router advertisements, do network neighbor address requests, and multicast sweep data with v6 in it. It just gives you some awareness that, "Hey, I have to think about this," and I think that's very practical.
The last part I would offer that's important is to just play with IPv6, especially now when it's not really, really bad. It's a good time to learn.
With even the most secure defenses vulnerable (example: successful hacking of RSA digital keys), is there a new paradigm for network identity and access?