Threat intelligence has become a nice-to-have for many vendors seeking to improve their security offerings, but for the executives leading Cisco’s Security Business Group it’s just the framework for a product-development process that is focused on maintaining a consistent, end-to-end network security architecture while supporting all manner of front-facing customer innovation.
The consistency of that architecture was a message that Shawn Henry, vice president and general manager of Cisco’s security business group, emphasised in addressing attendees at the Cybersecurity Innovation Day at the Cisco Live! conference in Melbourne.
When designing new products, Henry explained, the networking and security giant’s product team always started with a common core designed around the principle of delivering the right data to the right people.
This was based around five core controls including the use of “best in class” controls; “always” using integrated threat intelligence from Cisco-owned threat-intelligence firm Talos; deep visibility; orchestration and automation capabilities to facilitate everyday management and configuration; and open APIs for integration between elements of the Cisco environment, as well as with third-party services and applications.
This type of open architecture was antithetical to the closed environments that many vendors pursued in the past but it had, Henry said, become crucial for keeping up with the changing cybersecurity climate.
“For customers and partners it allows them to evolve the product for things that I can’t keep up with on the roadmap,” he explained. “Customers don’t want them to be tied to my delivery schedule and I don’t want them to be tied to my delivery schedule.”
“I get requests all the time, and because we have open APIs [other parties] can do that outside the product and integrate it. We can scale the offering without scaling up the complexity, because we have a programmatic interface.”
That programmatic interface “allows us to scale out our products and management plane in a realistic but aggressive way,” Henry said, while supporting the application of “consistent policies across the top”.
By removing hard-to-manage functional and integration discrepancies between foundational elements of the Cisco DNA Center-based environment, Cisco has been able to refocus its efforts on challenges such as maintaining the ability to inspect encrypted traffic for threat indicators even as encryption technologies improve.
Viewing encrypted traffic “gets harder and harder because the technology is doing its job of keeping traffic encrypted,” he said. “One of our research fellows figured out that we can apply some maths that looks at the encrypted traffic flow so you don’t need to decrypt it, and can detect known attacks in there.”
Similarly, the company had been able to rapidly design and deliver its Cisco Threat Response security-operations platform much faster by building on the core Cisco DNA Center capability: “we were able to put it together quickly because we had built to that specification” and were able to quickly link the system to automate interactions across a range of Cisco security products.
Henry credits Cisco’s platform design strategy for enabling the rapid adoption of new technologies from companies acquired by the networking giant. It has also helped Cisco address new customer requirements through products such as its Cloud Defence Orchestrator cloud management interface, and its on-premises Firepower Management Center.
“We are now logically separating the device from the management capabilities to realise this vision of orchestrate everywhere,” he said. “As a leader who builds things, I want to be able to build the right management plane for the right use case, market segment, scale, and performance. It’s something you interact differently with, but the device has to do the same thing – so you logically separate the two.”
That automation had also proven critical in helping companies like Rackspace build out automated commissioning systems, which use templates to generate thousands of secure customer environments including specific configurations, firewall configurations, load balancers, and so on.
“Because everything they do is tight integration to the back office where they manage customers, they know it’s safe and it’s going to work,” Henry explained. “When the customer has a change request, they push it through the API, so Rackspace can record the change request in the change management system.”
Despite the rapid pace of change in cybersecurity attacks, careful coordination between the various internal product-development teams had ensured the use of common semantics around policy creation and handoff.
This approach had also allowed the company to “drive consistency through the user experience and the interfaces,” Henry said. “Consistency in this case drives safety, and that is really important.”