Cisco this week announced a plan to embed security throughout the network -- from the datacentre out to endpoints, branch offices, and the Cloud -- in an effort to avoid pervasive threats.
Cisco says the strategy, announced at this week's Cisco Live conference, will give customers the ability to gain threat-centric security required for the digitised business and the Internet of Everything. The company sees IoE as a $US19 trillion opportunity over the next decade while cybercrime is itself a $US450 billion to $US1 trillion business.
To combat that, Cisco says it is adding more sensors to network devices to increase visibility, more control points to strengthen enforcement, and pervasive threat protection to reduce time-to-detection and time-to-response. The plan includes:
- Endpoints: Customers using the Cisco AnyConnect 4.1 VPN client now can deploy threat protection to VPN-enabled endpoints to guard against advanced malware
- Campus and Branch: FirePOWER Services solutions for Cisco Integrated Services Routers (ISR) provides centrally managed intrusion prevention systemand advanced malware protectionat the branch office where dedicated security appliances may not be feasible
- Network as a Sensor and Enforcer: Cisco says it has embedded multiple security technologies into the network infrastructure to provide threat visibility to identify users and devices associated with anomalies, threats and misuse of networks and applications. New capabilities include broader integration between Cisco's Identity Services Engine (ISE) and Lancope StealthWatch to allow enterprises to identify threat vectors based on ISE's context of who, what, where, when and how users and devices are connected and access network resources.
StealthWatch can also now block suspicious network devices by initiating segmentation changes in response to identified malicious activity. ISE can then modify access policies for Cisco routers, switches, and wireless LAN controllers embedded with Cisco's TrustSec role-based technology.
Cisco has also added NetFlow monitoring to its UCS servers give customers greater visibility into network traffic flow patterns and threat intelligence information in the data center.
Other aspects of the plan include Hosted Identity Services, which is designed toprovide a cloud-delivered service for the Cisco Identity Services Engine security policy platform. The new hosted service provides role-based, context-aware identity enforcement of users and devices permitted on the network, Cisco says.
Cisco security chief, David Goeckeler, says embedding security everywhere is part of a larger integrated threat defense architecture Cisco wants to develop for its customers.
"We'll integrate this more and more," Goeckeler, senior vice president and general manager of Cisco's Security Business Group, said. "You can deploy it independently (with individual products) as an option. But we'll integrate it as an architecture as more are deployed.
"How do we build the best, most effective protection possible?" he asked. "How do we shrink the time to detect and remediate threats?"
The strategy also includes a pxGrid ecosystem of 11 new partners that plan to develop products for cloud security and network/application performance management for Cisco's pxGrid security context information exchange fabric. The fabric enables security platforms to share information to better detect and mitigate threats.
Cisco says it is also expanding threat protection for service provider programmable networks. The Cisco Firepower 9300 Integrated Security Platformis purpose-built for service providers designed to scale security for increased data flows due to accelerated service demands and carrier-class requirements.
The company is also investing heavily in integrating its ASA firewalls with its Application Centric Infrastructure SDN, Goeckeler says. This will aid in automating the deployment of the integrated threat defense architecture, he said.
Cisco also says features such as secure containers will accommodate future security services and are currently supported, with additional capabilities planned for the second half of 2015.