Is Cisco Truly Committed to Security? Prove it!

Candid Interview with Tom Gillis, VP of the Cisco Security Business Unit


Recently, a security analyst blogged about Cisco's security efforts and questioned Cisco's commitment to the market. As you know, I am not only a Cisco Press author, but I also work as a security consulting systems engineer for the company. From my point of view, Cisco is most definitely not taking its eye off the ball in the security market. But the post did make me think about the kind of questions that readers might have. Is Cisco committed to creating best of breed products or would it rather create security systems?  Why should customers get excited about Cisco Security?

To answer these and other timely questions about Cisco security I caught up with Tom Gillis, Vice President and General Manager of the Cisco Security Technology Business Unit, for a Q&A.  I tried to pick questions that I thought were on your minds lately.  Instead of a formal interview this was more of an informal Q&A where I threw questions at Tom and he fielded them in real time.  I'm sure I probably missed a couple, so please post them and I can try and follow up with Tom to get them answered.

Some feel that Cisco is taking its eye off the ball in security and instead focusing on its growth markets like collaboration/voice, DC, and now the server market. In its own right, is the security business a strategic focus for Cisco?

Security is foundational to Cisco's aspirations in all of its markets be it networking, virtualization, collaboration. Security is integrated and intrinsic to these other initiatives.  Cisco has invested more than a billion dollars in security over the last three years, substantially more than most security companies.

Cisco has announced a different direction for Cisco MARS.  Can you discuss your vision for Cisco Security Event Management going forward?

Cisco has always had the view that we are not in the traditional SIEM market.  What we do have is a powerful management suite that is designed to make our systems more effective at catching malicious traffic.  We have advanced event correlation capabilities with our MARS product.  As we continue to evolve this capability we are integrating it more tightly into our security management suite. It may be difficult to draw a line around the functionality of MARS: as it becomes more and more integrated into our Cisco Security Manager, it gets harder and harder to see MARS as standalone.

For some, Cisco is not thought of as a best of breed security company.  Is Cisco Security focusing on being a best of breed point product company or a better together security solution company?  Do you feel it is necessary (or even possible) to be both?

Absolutely necessary to do both and absolutely possible.  Our focus is to be excellent at our core market point products so they can stand alone as best of breed solutions.  You can line up our web proxy or VPN toe to toe with any competitor out there and we will win on their merits alone. Additionally, when you have an architectural approach to building product, like we do, the solutions can interconnect in a way that solves a customer's problem more powerfully than individual point products can. [Note: As I previously blogged, Gartner recently announced that two more Cisco products were placed in its Magic Quadrants, SSL VPN and secure web gateway. A total of five Cisco products have been so named by Gartner, when you add NAC, email encryption and email security.]

Management has been a struggle for Cisco Security in the past.  What can you tell us about the current state and future vision for security management of Cisco security products?

I think that one of the historical reasons that some Cisco products have struggled with management is that the devices grew up as command line devices and management was something that we added later.  Our view at Cisco is that management needs to be built into our product from the beginning.  So if you look at the ways we have developed our email gateways, our web gateways, and some of the new capabilities coming out in our FW and IPS, manageability and ease of use are designed into the product itself and not a GUI put on top of a command line device.  Thinking about a workflow and programmatic interfaces that allow scalable, reliable management systems, this is how we make our products not only the most effective but also the easiest to use in the industry.  That is our ambition.

What one or two things do you feel that most people don't know about Cisco security but should?

Cisco's VPN client is the most widely deployed piece of enterprise software in the world.  It is the foundation on which we are building these next generation security solutions.  There are more than 150 million Cisco VPN clients deployed in the enterprise globally.  That is a very powerful asset that Cisco will be using. 

As part of our global correlation and advanced anti-malware capability Cisco is building a database that keeps track of the behavior of every publicly routable IP address.  Even if it is just to say, "Hey, we've never seen you before."   Even that is useful information from a security perspective because what it says is we need to inspect this traffic further.   We need to apply additional inspection so that afterwards this IP will have a reputation that is either positive or negative.   [We sample a large] volume of traffic.  Not just the protocols (email, web, IPS, etc.) but also the volume.  We estimate that over 35% of the world's email traffic is being inspected by Cisco.  We process over 5 billion URLs each day.  So we have a huge sampling of traffic to draw from to help us distinguish good traffic from bad.

Can you share a brief glimpse into your vision for the Cisco Security Business and solutions?  Why should companies get excited about what Cisco is doing in security?

The next five years will be driven by two major factors. The first is the trend towards mobility. We have more users accessing more content from more types of devices, from more places in the network than ever before.  At the same time the trend towards cloud computing is also significant. So it's not just users that are on the move but data that's on the move.  You have users and data that may not be behind the traditional corporate perimeter. We are thinking about how we can provide more sophisticated security policy tools to allow our customers to deal with this highly mobile, borderless network.

Is the new Cisco tag line "secure borderless networks" a new marketing campaign or more than that?

It is more than that.  It is a new approach to how we are developing our products. If you look at the way security was developed and deployed over the last 20 years, it comes down to two points for security, the endpoint (traditional AV suite) and the DMZ.  Most networks are designed to backhaul traffic to a small number of egress points (3 or 4) at which point you inject security in the form of proxy, FW, IPS, email gateways.  That is where you control contact with the Internet.  The problem with that model is in this highly distributed world it is harder to draw the perimeter. Our challenge is to build more intelligent policy based on identity, what application they are using, and most importantly what content they are accessing in that application.  We want to be able to enforce that policy not in 3 or 4 places around the world but instead 3,5,100,1000 points of presence throughout the globe.  This is what we call a borderless network security architecture.

IronPort, the company you helped found before it was acquired by Cisco, created the idea of reputation technology. Recently, Cisco added SensorBase IP reputation technology into all of its security products, why? And what is the long-term plan for SensorBase?

It is one of the foundational capabilities of any security company to be able to differentiate good traffic from bad.  Reputation is a powerful tool that allows us to do that.  We believe it is not sufficient to analyze the traffic patterns of a single device or protocol.  For example, if you are looking only at email traffic you are missing more than half the battle.  Email and web are like Bonnie and Clyde; they work together when it comes to Internet crime.

Having the ability to analyze email, web, IPS and botnet traffic in a central database in the cloud is a really powerful technique that we call global threat correlation.  If we see an attack on an email system, let's say somewhere in Moscow, 30 seconds later we see a malicious website in Duluth, and 2 minutes after that we see a SQL injection at a corporate web server in Chicago.  Certain types of SQL injection attacks have a high false positive rate, but given that we know the connection is coming from a client with a history of malicious intent we can feel confident dropping the SQL connection.  The more we analyze or use this approach the more efficient our products become.  For example, in our IPS systems this has increased their effectiveness by 300%, a very substantial increase.  Our intention is to integrate our SensorBase technology into our FW, AnyConnect, and all Cisco security products, which will then share their data with the cloud.
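The two answers above describe the same mechanism from a defender's side: a central store of per-IP observations from several sensor types (email, web, IPS), a "never seen you before" state that triggers extra inspection, and a reputation lookup that turns a high-false-positive alert (the SQL injection example) into a confident drop when the source already has a malicious history. The following is an added illustration written for this post; it is not Cisco or SensorBase code. The weights, thresholds, 24-hour window, IP addresses (RFC 5737 documentation ranges) and the Moscow/Duluth/Chicago events are all constructed.

```python
"""Toy global threat correlation: reputation-gated verdict for a low-confidence alert.

Added example, not Cisco code. Scores, thresholds and sample events are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical score contribution per observation kind (negative = malicious).
WEIGHTS: Dict[str, int] = {
    "email_attack": -40,
    "malicious_web": -30,
    "ips_high_confidence": -50,
    "clean_email": 5,
    "clean_web": 5,
}
BLOCK_THRESHOLD = -50        # hypothetical: history alone justifies dropping
WINDOW_SECONDS = 24 * 3600   # only recent observations count toward reputation
BASE_TS = 1_700_000_000      # constructed epoch time used by the sample events


@dataclass(frozen=True)
class Observation:
    ts: int          # seconds since epoch
    src_ip: str
    sensor: str      # "email", "web" or "ips": which product reported it
    kind: str        # key into WEIGHTS
    location: str


class ReputationDB:
    """Central store of per-IP observations, as sensors would report to the cloud."""

    def __init__(self) -> None:
        self._obs: Dict[str, List[Observation]] = {}

    def record(self, obs: Observation) -> None:
        self._obs.setdefault(obs.src_ip, []).append(obs)

    def score(self, ip: str, now: int) -> Optional[int]:
        """Sum of weights for observations inside the window; None if never seen."""
        history = self._obs.get(ip)
        if not history:
            return None
        return sum(WEIGHTS[o.kind] for o in history if now - o.ts <= WINDOW_SECONDS)


def verdict(db: ReputationDB, src_ip: str, alert_confidence: float, now: int) -> str:
    """Decide what to do with an alert such as a SQL injection signature that is
    known to fire on benign traffic. Returns "drop", "allow_and_log" or
    "inspect_further"."""
    if alert_confidence >= 0.8:
        return "drop"                  # the alert is strong enough on its own
    score = db.score(src_ip, now)
    if score is None:
        return "inspect_further"       # "never seen you before": look harder
    if score <= BLOCK_THRESHOLD:
        return "drop"                  # corroborated by cross-protocol history
    if score > 0:
        return "allow_and_log"         # positive history; keep the evidence
    return "inspect_further"           # neutral or aged-out history


def build_sample_db() -> ReputationDB:
    """Constructed events following the scenario in the interview."""
    db = ReputationDB()
    # One client seen attacking email in Moscow, then hosting a malicious site 30 s later.
    db.record(Observation(BASE_TS, "203.0.113.10", "email", "email_attack", "Moscow"))
    db.record(Observation(BASE_TS + 30, "203.0.113.10", "web", "malicious_web", "Duluth"))
    # A client with only clean history.
    db.record(Observation(BASE_TS - 600, "192.0.2.25", "email", "clean_email", "Austin"))
    db.record(Observation(BASE_TS - 500, "192.0.2.25", "web", "clean_web", "Austin"))
    # An old high-confidence hit that has aged out of the 24-hour window.
    db.record(Observation(BASE_TS - 3 * 24 * 3600, "198.51.100.7", "ips",
                          "ips_high_confidence", "Lima"))
    return db


if __name__ == "__main__":
    db = build_sample_db()
    now = BASE_TS + 150  # two minutes after the Duluth event: the Chicago SQLi alert
    for ip in ("203.0.113.10", "192.0.2.25", "198.51.100.7", "198.51.100.200"):
        print(ip, db.score(ip, now), verdict(db, ip, 0.4, now))
```

The point of the window is that reputation is evidence with a shelf life: the aged-out Lima observation leaves that address with a neutral score, so a weak alert from it goes to further inspection rather than an automatic drop, which is also what an address with no history at all gets.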

What is Cisco's plan for the Cisco ASA platform?

The ASA platform is a widely deployed security platform. Cisco continues to invest heavily and add new functionality to it.  We are integrating advanced anti-malware functionality and new forms of security policy definition to make it easier for our customers to deal with this borderless enterprise.

How do you see the recent acquisition of ScanSafe fitting in with other solutions or will it remain a stand-alone offering?  Will Cisco be offering more SaaS services?

Our philosophy is that a customer shouldn't have to choose between an on-premise solution and a SaaS solution. The right answer often times involves both working together seamlessly.  In email, we have introduced a hybrid hosted architecture where some functions can be deployed on-prem and some functions can be deployed in the cloud, or all functions can be in the cloud or all functions can be on-prem, depending on what the customer's needs are.  From the point of view of the administrator you cannot tell the difference; it looks like one seamless system.  So I might have spam and AV scanning in the cloud but more sensitive directory integration and email encryption I want done on-premise.  You can change your mind tomorrow and move those functions either to the cloud or on-premise and the user can't tell the difference.   To the administrator it is also seamless.

Cloud computing is all the hype right now but many companies are taking a wait and see approach in part due to security and compliance concerns.  What is Cisco's vision for addressing cloud-computing security?

Our goal is to offer our customers choice.  There are times when cloud delivered security makes sense and there are times when on-premise security makes sense. Many of our customers are asking us to provide security for when they move their datacenter into the cloud.  Cisco has been working on a number of technologies to make that happen.  Cisco made a large investment with the 1000v virtual switch to deliver virtualization.  We view that as a powerful platform for delivering traditional network services, including security, into a virtualized world.  Cisco has also been working on technology that allows physical security devices, such as a firewall, to provide security in a virtualized infrastructure.  You will see announcements on this packet-level technology that we are developing that allow customers to fluidly move data from a traditional datacenter into a public or community cloud and still maintain the security they require.

Every security company needs to have at least one ace in the hole.  For example Check Point has management, Juniper has performance with their 120G FW.  What is Cisco's ace in the hole for security?

One of the things we do really, really well is the identification of malicious traffic.  For years now, Cisco has been able to block 90%+ of spam by just looking at the behavior of the sending server.  We've been able to block viruses on average 14 hours ahead of signature availability through our use of global threat correlation and IP reputation.  We've now tripled the effectiveness of our IPS systems.  At the end of the day we've been doing this for seven years.  We have the data, tools, processes, and most importantly the people to really make our anti-malware and malicious traffic detection the best in the world.

What major changes do you foresee unfolding in the next couple years that will affect the way we think about security?

There are three main drivers that will make us rethink the way we look at security.  Two of the main drivers, which we have already talked about, are mobility and cloud computing.  The third driver is the increased use of video and advanced collaboration tools. [One example of such tools is] Cisco's Telepresence.  Today, sixty percent of Cisco's internal network traffic is comprised of video traffic. 
