Cisco Systems on Network-Level Security, Convergence and SIEM

Fred Kost discusses network-level security solutions and convergence issues

The amount of data an enterprise can collect related to potential security (and compliance and business) issues seems nearly infinite. Yet another layer creating data, as well as offering some tools for setting security rules and managing risk, exists within network infrastructure: switches, routers, bridges, access points, etc.

To try to understand more about what data these elements offer an enterprise and how they might interact with other security platforms and tools, from SIEM and PSIM to video cameras and doors, we spoke with Fred Kost, director of security solutions marketing for Cisco Systems. He talked about adding physical location data to security monitoring systems, ways in which convergence could take advantage of network devices, and how increased workforce mobility is challenging traditional security thinking.

What follows is an abridged transcript of our conversation, edited for clarity.

***************
Sharon J. Watson: How do you go about pinpointing where something is physically located on the network? Can we start there?

Fred Kost: We can start there, and we can talk about why a business would want to do that. There are a couple different angles for how you could do that. These are things you could do today or could do with a little professional services help. One angle is using wireless to know where assets are. When everything was wired with cable, IP addresses were nailed down, and it was easier to find device information. With wireless, we have some capabilities. In a building, I may be able to triangulate and figure out where a particular device is somewhere in the network.

That is an interesting intersection of logical security and physical security in that I know where a device is, but it is not the traditional badge reader or camera kind of physical security. We have some partnerships, such as with RSA, around our Mobility Services Engine and feeding that kind of information into a tool like enVision [an SIEM platform]. Security professionals potentially could track down a laptop that is launching an attack on my network. With that kind of service I might be able to pinpoint exactly where that person is in the building and go find them, take away the laptop with malware or a virus. That might be one use case.
It could be that a device has gone missing, someone's taken it by mistake or taken it maliciously. If it's on the network, you might be able to track down where it is very easily. So that is one example of using wireless to know where a device is on the network--again, not so much badge readers and cameras as physical device location.

The second one I want to touch on is more of a potential intersection of physical security with logical security. For instance at Cisco, when I have my laptop I can get to the network wirelessly while I'm in the building or out in the parking lot in my car. Given the range of the wireless network, I can get on it fairly easily. Granted, I have to authenticate. When I come into the building, I go through the badge reader, now I'm behind the walls of the building. So you can envision, with a combination of physical badge readers and potentially something like network admission control, which is a security technology, we can begin to fuse the two things together.

If Fred's in the parking lot, I may let him have access to the network but I may restrict the kind of access he gets. Maybe he can get to the public internet and a few applications, but not the VPN. Once I badge in to the front door, from a security perspective, you know I am on the premises so maybe you have a different level of trust: I know he is in the building, I'm going to let him access privileged resources. In the parking lot, I can't get access to those resources.

That example of [offering] different kinds of network access... is actually very near-term, it realistically could be implemented. That's a good example of fusing together IT security with physical security.

SJW: Fred, in an example like that, where would such rules reside for the network access levels?

FK: There are two kinds of events in that scenario, and we touched on the technology areas. The first I would call the policy enablement rules--these are the things I am going to allow. For instance in our Cisco products, our network admission control, we have access policies and rules for how you can get onto the network. So Fred accesses the network in this particular way or [if he's on a] laptop, I'm going to put him on a VLAN or restrict access.

So network admission control would be a logical place for some of those enablement rules. There would have to be integration between the network admission control product and the badge reader to pass that information on but that would be where an access policy could reside.

The other kind of rule that comes to mind is the exception and logs. As Fred is coming through the door and other employees are coming through the door, the network by rule may say just let them in, but at some point I may need to go back. Say we had a physical event happen in the building, and someone either stole some information from the network logically or physically something happened--I may want to go back to those events and exceptions that happened that were out of the ordinary.

If anyone comes through the door after 11:00 PM, maybe that's an after-the-fact event that may trigger some sort of rule. Maybe I am going to monitor people who get onto the network at certain times of the day who are not behind the card reader. Those are two potential types of rules to look at.

SJW: From a real time monitoring perspective, when events occur at the network level--the routers, in the VPNs, intrusion prevention systems--where does that event data go? Is that routed to a SIEM platform, or is there a separate product that feeds into SIEM systems?

FK: There is often a central place that information goes....There are a couple of things you might want to do with that information. One is that you might want to do real time threat analysis. You may see an event at the firewall, see an event at the intrusion prevention system, you don't know about the reputation of this person, so you may be doing some real-time threat correlation, bringing in event flow, really understanding on the fly what's happening in real time.

The other thing is you might want to archive all the events or logs so you can go back and look at them. Within that product space, some of those products sell different aspects of that.

But I think in general, customers have one monitoring tool that you try to push all of these events to, for both real-time alerting and correlation as well as after-the-fact, retaining what's happened in case you have to investigate that or resolve some kind of client issue. Typically they go with a SIM/SIEM kind of product.

SJW: Fred, you had talked about some kind of integration to a physical badge reader and the network admission control. Is that achieved directly or is there a layer between the two?

FK: I think that's where we envision a nice product integration that happens there so you easily plug these things together. That vision is getting closer. If you want to go to that today, it is probably a professional services project. We have got some of the linkages but in general it is not off-the-shelf where you can just plug it in and it works.

SJW: I want to be clear I understand. If there is some kind of network level event occurring and other pre-defined actions are going to occur when that pre-defined event is noticed, the rules for those are probably sitting in a SIEM platform?

FK: That's a very good question. Today we don't have everything tied together. For instance, a lot of the SIEM products today can take input and say, hey I see an event, these three things mean this. But they don't have a lot of linkages back to enforcement. We have a product that does real time direct correlation. It can say this is an attack or something is going on, either by correlation or through a role. Then we can actually go change a rule on a firewall or change settings on a device to say I want to deploy a countermeasure based on what I'm seeing.

I'd say while we have the ability to correlate a lot of the input, I am not aware it would allow you to change the policy on a door or badge and tie all those things together. I think we are in an area where we are just beginning to integrate all those things.

As I look at this through my IT security lens, those are also very different organizations. The physical security is different from the IT security. That is one challenge: you have got to bring your people together if you want to have some sort of central repository with the policy and how you handle that.

There are just totally different responses when they get an alarm. When an alarm on a door goes off, there is a very defined physical security action. In the logical or IT security world, there are several alerts--someone's pager may go off. There are totally different behaviors and how you react to the alarm.

There is not only a lot of technology integration but there is procedural and organizational integration that has to happen for the two things to really come together. It's fairly complex and there are a lot of variables at work.

SJW: Going back to this ability to bring in physical and logical location intelligence to some of these systems. I had seen on your website where ArcSight and RSA both use location intelligence from Cisco's Mobility Services Engine. I understand a little of how that works with wireless, but I'm not sure I completely understand how able an enterprise is today to pinpoint a physical location.

FK: That depends. There's the device, there's the person, there's the identity. There are several different things at work there that could either confuse or clarify whether Fred is really at [xyz location] sitting at his desk.

If you are physically plugged into the infrastructure through an Ethernet jack, there are ways we can tell you are there, through your identity, through network tools, to say, yup, Fred's logged in and is accessing the network through this particular physical port. Even wireless, within the building, there's still that control, because you can figure out which access point you're connected to, you've authenticated back to the network, so we at least know you're connected--the physical proximity in that case. In the case of the physical connection, the network jack is tied to a switch, usually that's mapped out to a physical location. So network jack 133 is office EXYZ, which is where Fred sits, so it's fairly certain if he's connected there, he is physically connected to that jack.

As you look at WiFi, and move around the building and around the campus, you can still figure out where someone is connected to the network, at least [where] their device [is] and rely on their identity. Where it gets more challenging is when they are not accessing your network from your physical infrastructure, physical being a switch or wireless access point.

I'm currently sitting in the Dallas Sheraton, I'm connected to the Sheraton network and I'm connected to all of the Cisco resources. It would be a little more challenging to find out where I am now. As you get farther away, it becomes more of a challenge. Within the building, it's definitely possible to narrow it down.

That being said, it can still be a challenge.

SJW: Correct me if I'm wrong, but you would still need a strong authentication method at the actual device, because the port might say yes, somebody is there doing something at that computer--but it could be anybody at that computer.

FK: Yes, you're right. If you required no authentication to get on the network, if you didn't have that identity element, it could be anyone logging in.

SJW: When you're talking to prospects and clients, how many of them have truly centralized security operations where they can correlate physical and logical event data and get a sense for what's happening in real time as well as pulling trends and analyzing them for what might occur?

FK: I began to formulate an answer in my head before you said "IT and physical" because I think that's an area where there's still more opportunity to mature in that integration. Even we at Cisco, we have a dedicated physical security monitoring center, it's very advanced, we can watch around the globe, go to a camera in any building, look at badge readers, we can do all kinds of monitoring and analysis physically, but a lot of our IT security is done differently, it's not fully integrated.

So I think most organizations still have some room to go there, based on customers I've spoken to and my experiences. Some of that is because of the [organizational] challenges we spoke about earlier, but there is definitely opportunity there.

The other part was how many enterprises have really begun to converge their IT security. I think there's been a tremendous amount of progress made there. More and more organizations are funneling a lot of event streams, whether IT security devices, network data, a lot of information coming in either for real-time analysis and correlation or after-the-fact going back, looking at anomalies and doing investigations. I think most organizations are fairly mature there. They have some degree of aggregation and correlation and log management happening.

A lot of that was driven by the sheer number of events and amount of information the security products have created. There is so much information that it almost becomes [necessary to have] a tool or some sort of automation to help you see and identify critical events. You can look at something like the SIEM market and market penetration rates and see where that technology is to help with that.

SJW: So if some client of yours had implemented Cisco Security Manager as well as the MARS [Monitoring, Analysis & Response System] tool, would it then make sense to integrate data streams from those with an SIEM product or PSIM product?

FK: That's a very good question. We talked a lot about policy--what you want to do versus logging and reacting. If you think about Cisco Security Manager, it's the place I would go to define my policies. I used the badge example, which really targets physical security. Here are the rules in my firewall about how I want to allow people into the network, here is how I want to configure the [intrusion prevention system]. It's the policy configuration tool across all those devices. It very much defines the rules about how things work and will happen.

MARS ventures into the SIEM space a bit but I'll talk about why it does not go the full distance. MARS does real-time analysis and correlation of threat data, IPS events, firewalls, looking at all of that in real time and saying here's something you need to look at or here's the one that's most important.

The other thing it can do is affect Cisco Security Manager and say we are seeing an attack on this part of the network and therefore I want to change a rule or policy to mitigate that risk. I can either automate or present a rule saying here's what we're seeing, based on that, we need to go change the inactive control list. So there is some interaction between what a policy should be and the kind of events I've seen on the network.

If you get those two things working, you have a dynamic ability to adjust things on the fly based on the threats you're seeing and what is happening.

Back to the physical analogy--and again, MARS does not do this today--but I see five attempts at a badge reader, don't let that person in or maybe disable the badge.

The caveat I mentioned a few moments ago: Part of what this SIEM market is looking for is very long term data retention, record stores of all the events that have happened over time so I can go back to find those, look for compliance issues. That's where we don't focus as much. MARS is an appliance-based product. It has a fair amount of storage but it's very focused on that real-time analysis and correlation, not as focused on long-term log management, keeping terabytes of data. That's really where some of the other SIEM products play and why we're able to partner with some of them because they are complementary.

SJW: While we still have a few minutes, let me throw video into the mix. If you wanted to get a video view of something that was occurring at a particular point in space and time and the network was able to find that location, how would the data streams route from the network device that knows the location to the video system to take the picture?

FK: I think that's the beauty of having an integrated system and an IP network. If my cameras are IP addressable, I've got controlled objects, it can become as simple as I have a data stream at this IP address, which might happen to be a video camera, that I want to capture and bring across the network and store. It's very easy to capture data streams and potentially have them all in one place. I can envision logical IT events being logged and then saying I want to capture video for the next five minutes in a server room. I see some anomaly, someone is trying to access servers physically in the server room, I want to turn on the camera and have a video record of the failed login attempts.

You have to put all this data together so it's all in one place so when I want to investigate this, I see through the camera who was in the server room and I have these login attempts that were happening. So if you need to identify an employee and take action, I've got evidence to say you were here at this time, you were trying to log in. Being IP addressable makes those kinds of scenarios much, much easier.

You're getting at an interesting trend in security: security traditionally was 'put up a perimeter.' I have employees inside my building on my premises, working on my network. I want to keep outsiders out and protect my network from any action they might launch against me.

More and more organizations are becoming borderless. Just like I'm sitting here in the Sheraton completely connected to the Cisco network, some folks may be at Starbucks using their laptops or iPhone or a Blackberry, or they're sitting in a branch office. Some of the applications may be in the cloud. Some of these traditional security mechanisms that were deployed at the perimeter, more of a physical construct, are really changing and evolving and driving us to really rethink security.

To your question earlier, the physical part becomes perhaps not less relevant, but almost impossible to figure out because we are dealing with customers, partners, employees connecting globally in all kinds of different locations, accessing all different kinds of applications. Those are some of the challenges we need to address. It's not so much the intersection of physical and IT security but something that's greatly changing IT security.

The one other thing that comes into play is how does virtualization and cloud computing affect security technology. It's that borderless angle. I think with more and more applications being in the cloud, all kinds of services being accessed, that changes how I collect data and look at things from an SIEM perspective.

SIEM has been very focused on what I call local correlation. You are looking at information on your network and in your enterprise and doing analysis based on what's happening on your network. But more and more, it's really valuable to go up a level on that and look at it from a global correlation level. What is happening out across the global Internet, where are the bad sites with malware, who's launching attacks, what's happening.

More and more we are moving to data collection and analysis in global correlation to understand what are the threats but also [then] pushing that data locally to the products and people who are affected by the results of this global correlation. That's tied a little bit to the cloud. As people move around and are more dynamic, it changes how we look at the threat.

# # #
