Cisco enters the crowded AV and DLP client market

Cisco is jumping into the anti-virus and Data Leakage Prevention (DLP) client market with its recent release of Cisco Security Agent 6.0 (CSA). CSA has been around for quite a while, but it was focused mainly on the host intrusion prevention (HIPS), personal firewall (PFW), and zero-day protection market. CSA 6.0 broadens that scope by adding AV, DLP, and some long-overdue ease-of-use and deployment features to the product line. CSA is a security client that runs on Windows, Linux, and Solaris systems, both servers and desktops, to protect them from malicious activity. I've always considered CSA to be the most effective security product in Cisco's portfolio. However, CSA has never captured the valuable desktop and server footprint that McAfee, Symantec, and others have. By moving CSA simultaneously into the hot DLP market and the capital-rich AV market, Cisco hopes to change that. The devil is always in the details, so let's walk through some of what's new.

First, anti-virus. Cisco has embedded the open source ClamAV engine into CSA 6.0. ClamAV is a free AV product with a large installed base, mostly on Linux systems and especially on email gateways. The embedded ClamAV is managed and updated through the centralized CSA Management Center (CSAMC), so it doesn't require a separate management station. ClamAV doesn't add much new protection on top of CSA's behavioral malware detection, but it does let CSA name the malware it catches and run on-demand or scheduled scans of the system. It also detects and stops non-malicious but annoying adware-type applications from installing, something CSA alone would not do in the past. Embedding AV functionality into CSA also lets companies comply with regulations, like PCI DSS, that require AV to be installed on hosts, without forcing them to deploy another AV agent. This was not possible before CSA 6.0.
Given that AV is a heavily commoditized product with little variance in protection from vendor to vendor, this prospect could become attractive to companies.

Now on to DLP in CSA 6.0. CSA has traditionally been able to control what data can be written to external devices like USB, Bluetooth, and CD-R, but CSA 6.0 takes it a step further. CSA can now tag files on the system that contain sensitive information, like credit card numbers and SSNs, and let you write data protection policies based on those tags. These policies can limit actions such as writing tagged files to external devices, printing, and copying to the clipboard. CSA even lets you control which applications can access this data, change your personal firewall rule set dynamically when you open and close a sensitive document, and block connections to non-secure wireless networks. It can also force users who are offsite with sensitive data on their machines to initiate a VPN back to headquarters whenever they use the network, so that the security appliances at HQ, for example IPS, mail and URL filters, still inspect their traffic.

CSA 6.0's DLP features also let you monitor, report on, and track sensitive data throughout your enterprise. You can see, in real time, which hosts contain sensitive data and how that data has been accessed, shared, printed, or saved or moved externally. DLP policies can be written so that if a user tries a suspect action with sensitive data, say printing it, CSA pops up a dialog box that displays the security policy for that action and lets the user type in a justification for an override. CSA can also pop up an Acceptable Use Policy that users must accept before performing a given action on sensitive data. Overrides of that kind are an audit control rather than a hard block, so they only help if someone actually reviews the justifications.

The final noticeable improvement in CSA is the new management GUI, which has been overhauled with the sole purpose of making it easier to use. The default CSA security policies have been rewritten to produce fewer false positives, a brand new reporting and monitoring section has been added, and PCI templates have arrived along with a batch of new wizards, such as the tuning wizard. Cisco has added an interactive quick-start tutorial to bring new admins up to speed quickly, and the CSAMC homepage has been replaced with a slick new dashboard with all sorts of new views.
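The file-tagging step described in the DLP section above is the core of content-aware DLP, and it is easy to get wrong: a naive digit-pattern match tags every ticket number and phone number as cardholder data. The following Python script is an added example written for this post, not Cisco's or CSA's own code and not taken from its configuration guide. It assumes nothing about how CSA implements its detectors; the validity checks (the Luhn mod-10 checksum for card numbers, the SSA's never-issued ranges for SSNs), the tag names PCI and PII, the action names, the policy table and the sample files are all assumptions constructed here for illustration.

```python
"""Added example (not Cisco's or CSA's code): how a content-aware DLP agent can tag
files that contain cardholder data or SSNs, and how tag-based policies can then
decide what a user may do with them. Detector rules, tag names, action names and
the policy table are assumptions made here for illustration."""
import re
from collections import Counter

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# US SSN in the common AAA-GG-SSSS form.
SSN_RE = re.compile(r"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check used on payment card numbers; cuts most digit-run false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Card numbers that pass both the pattern and the checksum, separators stripped."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Reject checksum failures and degenerate runs such as 0000000000000000
        if luhn_valid(digits) and len(set(digits)) > 1:
            found.append(digits)
    return found


def find_ssns(text: str) -> list[str]:
    """SSN-shaped strings that fall inside ranges the SSA actually issues."""
    found = []
    for area, group, serial in SSN_RE.findall(text):
        # Never issued: area 000, 666 or 900-999; group 00; serial 0000
        if area in ("000", "666") or area >= "900":
            continue
        if group == "00" or serial == "0000":
            continue
        found.append(f"{area}-{group}-{serial}")
    return found


def tag_content(text: str) -> set[str]:
    """Return the data-classification tags a DLP policy can key on."""
    tags = set()
    if find_pans(text):
        tags.add("PCI")        # cardholder data
    if find_ssns(text):
        tags.add("PII")
    return tags


# Tag-based outcomes per action: deny outright, ask for a justification, or allow.
# Action and tag names are assumptions for this example.
POLICY = {
    "usb_write":      {"PCI": "deny", "PII": "deny"},
    "print":          {"PCI": "justify", "PII": "justify"},
    "clipboard_copy": {"PCI": "deny", "PII": "justify"},
}
SEVERITY = {"deny": 2, "justify": 1, "allow": 0}


def decide(action: str, tags: set[str]) -> str:
    """Most restrictive outcome across all tags on the file wins."""
    outcomes = [POLICY.get(action, {}).get(t, "allow") for t in tags]
    return max(outcomes, key=SEVERITY.__getitem__, default="allow")


# Constructed sample files (not real data); 4111... and 5500... are
# well-known test card numbers, and the SSNs are illustrative values.
SAMPLE_FILES = {
    "expense.txt": "Paid with card 4111 1111 1111 1111 exp 12/27.",
    "ticket.txt":  "Support ticket 4111111111111112 opened Monday.",   # fails Luhn
    "hr.csv":      "name,ssn\nA. Example,123-45-6789\nB. Example,000-12-3456\n",
    "notes.txt":   "Conference room booked for 10 people.",
    "mixed.txt":   "Card 5500 0000 0000 0004 belongs to SSN 078-05-1120.",
}


def classify_files(files: dict[str, str]) -> dict[str, set[str]]:
    return {name: tag_content(body) for name, body in files.items()}


def audit(files: dict[str, str]) -> Counter:
    """Enterprise view: how many files carry each tag."""
    counts = Counter()
    for tags in classify_files(files).values():
        counts.update(tags)
    return counts


if __name__ == "__main__":
    for name, tags in classify_files(SAMPLE_FILES).items():
        print(f"{name:12} tags={sorted(tags) or '-'} "
              f"usb_write={decide('usb_write', tags)} print={decide('print', tags)}")
    print("summary:", dict(audit(SAMPLE_FILES)))
```

Running it prints a tag list and the usb_write and print decisions for each file, followed by the enterprise-wide tag counts a DLP dashboard would report. The checksum and range filters are what stop the script from tagging the support ticket number and the 000-area SSN; without them the deny rules above would fire on ordinary business documents, which is the false-positive problem every DLP deployment has to tune out.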

A new default view called simple mode lets new admins use wizards and point-and-click simplicity to configure their policies. Much of the configuration has been reduced to wizards and checkboxes instead of the previous versions' complex rule configuration screens. The more complex screens are still available for advanced users by switching to advanced mode.

Cisco's CSA 6.0 looks to be a big release for the company, putting it squarely in the sights of incumbent powerhouses like McAfee and Symantec. Do you think Cisco is up to the challenge?

For more information, see the CSA 6.0 Configuration Guide, the whitepaper on CSA's embedded AV features, and the datasheet on CSA's DLP features. A free 30-day evaluation is available for download.

The opinions and information presented here are my personal views and not those of my employer.


Copyright © 2008 IDG Communications, Inc.
