Cisco Security Intelligence Operations Explained Network World PDF

Title Cisco Security Intelligence Operations Explained Network World
Author Lil MungPi
Course Experience
Institution University of Northern Iowa
Pages 5
File Size 581.1 KB
File Type PDF


Cisco Security Expert, by Jamey Heary, Distinguished Systems Engineer, Network World. Dec 31, 2010 5:38 PM PST

Jamey Heary, CCIE #7680, is a Distinguished Systems Engineer at Cisco Systems and has authored several security books.

Cisco Security Intelligence Operations Explained

Cisco SIO provides IP reputation to Cisco security products

This post is a follow-up post from my colleague Garett Redelings. Enjoy!

---

Last month I had written about Cisco's IronPort Application Visibility Controls. The information here on the Cisco SIO is a follow-up based on readers' comments to the previous article. You can read that article by clicking here.

What is the Cisco Security Intelligence Operations?

The Cisco Security Intelligence Operations, or SIO, operates as the telemetry hub for Cisco's email, web, and IPS services. These systems participate in a network of data analysis that calculates threat risk ratings and reputation scores. What sets Cisco's SIO apart from other solutions is its unique ability to leverage a well-established footprint of security solutions to provide the widest range of sampling data. Cisco then uses this telemetry data to increase blocking accuracy and capture rate as well as fine-tune its signature-based systems, such as the IronPort Email Security Appliance, the IronPort Web Security Appliance, and the Cisco IPS.


Why the data matters

One of the key concepts of the Cisco SIO is that the data incorporates multiple sources. This telemetry data drives features like Reputation Services beyond a typical signature-based approach, which often fails to identify the wider range of malicious traffic coming from the same threat source. Multiple data feeds also support a system of cross-checking and correlation that increases accuracy as well as providing a wider spectrum of protection against malicious traffic sources.

Web Reputation

The concept behind Cisco's Web Reputation technology involves tracking an IP address's behavior in an effort to make filtering decisions based on threat risk. Many conventional URL filtering solutions have categories for Malware or Threat URLs, but there are fundamental differences between categorizing a website as a threat vs. tracking a website's behavior dynamically and over time. For example, a typical URL filtering system will need to have seen web traffic from a specific source at some point in time in order to analyze and then categorize that site as being malicious. This approach works for identifying known malicious websites but will provide little to no protection from new web server IP addresses, uncategorized URLs, web outbreaks, and zero-day attacks.


The reputation system on the Cisco IronPort Web Security Appliance provides a scoring range from -10 (bad) to 10 (good) and the mechanism to choose when to block, when to allow, and when to scan the data for malware and viruses. This scoring system is the foundation for protecting against new threats from low-scoring sites as well as bypassing scanning for high-scoring sites. A system that can block without having to scan, and/or bypass unnecessary scanning for trusted IP addresses, will boost performance and capture rate, provided that the scores are backed by good data. Having a lot of data is important, but boiling all of that down into useful information is the key to an effective solution.

Web Reputation and Telemetry

The Cisco IronPort Web Security Appliance utilizes data from the SIO in its Web Reputation technology. This data has been distilled from specific web threats in addition to that of email security, IPS, and Cisco's Threat Operations Center, comprising research and additional data feeds. During a process called Global Correlation, information about a particular web server is associated with any previous activity from that IP address, whether it be email traffic, attack history, web content, or forensic information. The SIO telemetry data can then be used not only to block a user's browser from going to this malicious site but could also block emails from this IP address as well as assign additional risk ratings to IPS signatures. For web security, the telemetry information from multiple sources in the SIO is what gives the solution an advantage over simple URL categorization or reputation scores based solely on web traffic.

Consider a new web outbreak event or the uncategorized URL/IP address that begins hosting malware. Perhaps no signature is available to identify the malicious data on a newly registered site, but this same system has been a spamming server for months and then suddenly started hosting malicious web content. Cisco's SIO had been tracking and analyzing the spam traffic from this IP address and correlating it with additional information, such as domain registration within a block of IP addresses known to be serving botnet command and control. The email and botnet data in this example, along with additional IPS signature samples (based on attack history) gathered by the Cisco SIO, are combined to produce a web reputation score that can then be used to block traffic to this site even before it is categorized or has its first victim visit the site.

With the coming of the Security Intelligence Operations, Cisco is attempting to boost the effectiveness of its IronPort Web, IronPort Email, and Intrusion Prevention Systems. By using data telemetry, Cisco is gathering and processing huge amounts of data and then concentrating that into information that its security appliances can utilize. In the future we may see additional Cisco devices take advantage of SIO information, and this would make quite an impact in the security realm. Until then, the Cisco SIO continues to provide a unique advantage for its email, web, and IPS solutions.
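The scoring and correlation described above (the -10 to 10 reputation range with its block/scan/allow decisions, and Global Correlation of email, botnet and IPS telemetry into a web score) as an added toy model. This is illustration code written for this page, not Cisco or IronPort code: the feed fields, the per-source weights and caps, and the decision thresholds are all assumptions chosen to make the behaviour concrete, and the sample telemetry records are constructed. It contrasts a conventional URL-category verdict with the correlated reputation verdict for the article's scenario (an uncategorized, newly registered host with months of spam history from a C2 block).

```python
"""Toy model of reputation-based web filtering with cross-source correlation.

Added illustration, not Cisco/IronPort code. The feed fields, weights and
thresholds are assumptions chosen to make the article's behaviour concrete:
a -10..10 score, block/scan/allow bands, and evidence from email, botnet and
IPS telemetry feeding a *web* reputation score.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Decision bands on the -10..10 scale (assumed values, not Cisco defaults).
BLOCK_BELOW = -6.0   # score below this: block without scanning
ALLOW_ABOVE = 6.0    # score above this: allow without scanning
# Everything in between is scanned for malware before delivery.


@dataclass
class Telemetry:
    """Evidence about one web server IP, gathered from independent sources."""
    url_category: Optional[str] = None  # URL-filter label; None = uncategorized
    spam_days: int = 0                  # days this IP has been observed sending spam
    in_c2_block: bool = False           # registered inside a block known for botnet C2
    ips_attack_hits: int = 0            # IPS signature hits attributed to this IP
    clean_web_days: int = 0             # days of benign web traffic observed


def category_verdict(t: Telemetry) -> str:
    """Conventional URL filtering: acts only on sites already seen and labelled."""
    return "block" if t.url_category in {"Malware", "Threat"} else "allow"


def web_reputation_score(t: Telemetry) -> float:
    """Correlate all feeds into one -10 (bad) .. 10 (good) score.

    Each source contributes a bounded amount so that no single feed dominates;
    the caps are assumptions.
    """
    score = 0.0
    if t.url_category in {"Malware", "Threat"}:
        score -= 8.0                              # already known bad
    score -= min(t.spam_days / 10.0, 5.0)         # long spam history, up to -5
    if t.in_c2_block:
        score -= 4.0                              # neighbourhood known for C2
    score -= min(t.ips_attack_hits * 0.5, 4.0)    # attack history, up to -4
    score += min(t.clean_web_days / 30.0, 8.0)    # established benign history, up to +8
    return max(-10.0, min(10.0, round(score, 1)))


def reputation_verdict(score: float) -> str:
    """Map a score onto the block / scan / allow decision."""
    if score < BLOCK_BELOW:
        return "block"
    if score > ALLOW_ABOVE:
        return "allow"
    return "scan"


def evaluate(t: Telemetry) -> Tuple[float, str, str]:
    """Return (score, reputation decision, URL-category decision) for comparison."""
    score = web_reputation_score(t)
    return score, reputation_verdict(score), category_verdict(t)


# Constructed sample records for the three situations the article contrasts.
SAMPLES: Dict[str, Telemetry] = {
    # The article's scenario: uncategorized, newly registered site that has
    # spammed for months from a C2 block and shows IPS attack history.
    "new_malicious_host": Telemetry(spam_days=90, in_c2_block=True, ips_attack_hits=3),
    # A site with a long benign history: trusted enough to skip scanning.
    "established_site": Telemetry(url_category="Business", clean_web_days=365),
    # Brand-new host with no history in any feed: neither trusted nor condemned.
    "unknown_host": Telemetry(),
}


if __name__ == "__main__":
    for name, t in SAMPLES.items():
        score, rep, cat = evaluate(t)
        print(f"{name:20s} score={score:6.1f} reputation={rep:5s} url-category={cat}")
```

The point the model makes visible is the one the article argues: the URL-category path returns "allow" for the new malicious host because nothing has labelled it yet, while the correlated score already sits at the floor and blocks it without a scan, and the host with no history in any feed lands in the middle band and is scanned rather than trusted.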


For more information on the Cisco SIO, click here.

Copyright © 2010 IDG Communications, Inc.
