Cisco's internal security team fights to corral BYOD, malware and Wild West environment

Many organizations have a computer security incident response team (CSIRT) that swoops into action to battle malware outbreaks, other types of cyberattacks and possible insider threats, and at networking giant Cisco, that CSIRT team is made up of about 60 people trying to protect a business with about 75,000 employees.

"We're tasked with monitoring for and investigating policy violations against Cisco," says Matthew Valites, Cisco's CSIRT manager for information security investigations. That means protecting the corporate IT assets that employees and the business use to process data, so that sensitive information isn't compromised. However, since Cisco has embraced a "bring your own device" (BYOD) strategy, policy enforcement has become more complicated for Cisco's CSIRT.


"With user-owned devices, enforcement has become an issue," acknowledges Valites, in the course of discussing some of Cisco's security incident response practices. "BYOD is a real problem." In what's regarded as a cost-saving move, Cisco typically no longer supplies smartphones to employees and expects them to use their own, unless their job falls under government regulatory restrictions that plainly require a corporate-issued device. "This is a really big problem for my team," says Valites.

Above and beyond the BYOD conundrum, the Cisco CSIRT group each day faces the prospect of stopping desktop malware outbreaks, monitoring for unauthorized traffic on the network and guarding against stealthy online attacks from attackers going after key assets. There's also the inevitable stream of failed log-ins; the hard part of CSIRT's job is picking out genuine unauthorized access from that noise.

This all has to be done within the framework for regulatory compliance. "We have a healthcare center in San Jose on premises with nurses and doctors," points out Valites, saying making healthcare professionals available on site is seen as a benefit for employees. And this means that security and privacy policies related to any data associated with it must adhere to federal HIPAA rules, he notes.

Valites says high-level executives at Cisco, not surprisingly, get special attention in terms of whatever computer or network they use since these executives are recognized as being valuable targets for cyber-espionage and the like. In comparison to other employees, "we pay more attention to their assets," says Valites.

And then there are whole groups at Cisco, such as an entire lab, that all too frequently get into trouble, breaking usage policies and having their computers erupt with malware. "The labs are a little like the Wild West," acknowledges Valites. With repeat offenders there, Cisco CSIRT has no choice but to clamp down with additional controls, such as blackholing an entire lab on the network so it can't get online, or shutting off network segments so the lab is restricted to an internal LAN.

But the main day-to-day challenge is in getting visibility into security events of any type and quickly deciding when and how to escalate the response. Cisco designed its own incident-response tracking system, where trouble of any type is recorded and pushed toward closure.

When an incident arises, the first task is to associate the computer device in question with its specific owner, says Valites. "We need the asset owners to provide that information to us," and in a large organization of global scope, that can be a challenge. Although plenty of technical tools for antivirus, VPN, Web application control, intrusion detection and the like are in use, in the end much still rides on people communicating with each other to share information accurately and quickly.

The CSIRT division also has to be mindful that there's the potential for an insider threat as there would be in any organization. That's the rogue employee or contractor with access to the network willing to steal data or do other damage. It's a prickly situation where escalation would mean reaching out to human resources and legal.

"We have good partnerships there," says Valites, noting that at Cisco, legal counsel has been clear about its role in incident response investigations and wants to be involved in potential investigations into matters such as leaks of sensitive information. Investigations of all sorts could require computer forensics, and Cisco's CSIRT is equipped to do that.

As Cisco is a global company, there is the need to coordinate the CSIRT across time zones and continents spanning North America to the Asia-Pacific region. "It's a follow-the-sun model," says Valites, adding that Cisco would benefit from physical security operations centers (SOCs). He says Cisco is now undertaking to construct two such SOCs -- one in San Jose, Calif., and the other in India -- that will make use of technologies of many types, including Cisco's own dedicated TelePresence systems for collaboration.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: @MessmerE. Email:
