© 2010 Cisco Systems, Inc. All rights reserved. Cisco Public

Who Moved My Cheese? Why The Security Industry Has Been Turned Upside Down

John N. Stewart [email protected]
Vice President, Chief Security Officer
FIRST Conference 2010

Challenge Questions…

What is our adversary thinking… right… now… ?

Significant Security Challenge Transitions

(Chart: Risk vs. Time. Successive transitions: Perimeter Security / Datacenter Centric; Endpoint Security / Mobility and Access; Application Security / Applications and Databases; Information / Collaboration; Cloud / Virtualization.)

Global Flow of Information

5 Exabytes per month (1.4 Billion DVDs crossing the Network)
21 Exabytes per month (4.8 Billion DVDs crossing the Network)
56 Exabytes per month (12.8 Billion DVDs crossing the Network)

Source: Cisco Visual Networking Index

Video Will Dominate the Information Flow

Global Consumer Internet Traffic (Annual): 486 Exabytes
Video Traffic: 36 Exabytes, 180 Exabytes
91% of all Consumer Internet Traffic will be Video in 2013

Source: Cisco Visual Networking Index

World of Connected Devices

Total 500 Million: 1/10th of a Device per Person on Earth
Total 35 Billion: 5 Devices per Person on Earth
Total 1 Trillion: 140 Devices per Person on Earth

Source: Forrester Research, Cisco

World of Applications

(Chart: Total iPhone Apps; Mobile Apps; Apps Alone Worldwide.)

Source: Apple, Windows Mobile, Cisco Analysis (Forecast of 2013 assuming consistent growth trends)

Increase in Security Threats

624,000 → 2,600,000 → 5,700,000 (projected)

Source: Symantec and Cisco Analysis

And Beyond…

People to People: High-Bandwidth Pipes; Rich/Real-Time Interaction; Enabling Media Experiences
Things to Things: Low-Bandwidth and Low-Power; Wireless Sensors Everywhere; Non-Stop Flow of Data

“Video is the killer app” / “SmartGrid is the anchor use case”

Business Internet – Consumer Internet – Industrial Internet

Asymmetric Problems in Assurance… Expensive To Protect, Trivial To Shake Confidence

• We spend an amazing amount protecting, and it is trivial to circumvent
• Complexity is the enemy, and the opportunity
• Our adversaries use our practice against us, especially when it is fixed

Technology Integration Is Complex

(Diagram of security functions and concerns; recoverable labels:)
Virus Scanning - Host & Server; Vulnerability Scan; Risk Management; Physical Security; Alerts; Site Security; Network Intrusion Protection; Compliance Validation; Unintentional Loss; Virus Outbreak; Anomaly Detection; Access Control & Mitigation; Theft; Video Surveillance; DDoS; Event Logging; Endpoint Security; Application Vulnerability Assessment; Switch Security; One-Time Token; Loss of Confidentiality; Defacement; Facility Security; VPN Management; User Security; Transaction Security; Firewall Management; Application Optimization; Multifunction Security; Identity Management; Application Security; Encryption Software

40,000 Routers on Cisco’s network

Network Layers are Complex

Hosts are Complex

Data is Complex

2,000,000 highly tuned IDS alerts per day

“Traditional” Practice Is Losing Effectiveness

www.shadowserver.org/ (14 June 2010): ~10 million new hashed binaries in 2010 to date; ~70 million total seen

Where we are good is not what we need – Areas of Strength Today: Network and Device Security

Device Security: CSA, Credant, Altiris, AV
Application and Service Security: Audit, Platform Security, XML GW
Data Security: Email Encryption, PGP
Network and System Management: Logging, Monitoring, AD, LDAP, Alerting
Network Services: Cisco Network, FW, IDS, DLP, VPN, …

Web Security – The Data

Malicious Transactions Blocked:
• 600,000+ including: Malware downloads; Browser hijacking software; Unwanted advertisement software; Botnet check-ins; Trojan (backdoor) connections
• Average response to client = 1.4 seconds
• Average daily log data = 9Gb
• Average allowed web transactions passed = 500K/60 minutes

(Charts: Top 10 Blocked Web-based Malware Threats; Top Threats Blocked; Top 10 Blocked Domains; Reputation Scoring.)

And Data is Moving

Measure – Manage – Secure – Scale

The best way to predict the future is to invent it.

--Alan Kay

Ask The Right Questions – You Get What You Measure, No Matter What

Always question what you are doing – some things have declining investment and results

Stop asking for best practices – start asking “what’s effective and how effective is it?”

What can I see, what don’t I know, how will I know it when I need to?

What can I shamelessly copy from someone else?

See, Don’t Feel – Analyze Data Removes Emotion

(Diagram, three layers:)
Understanding / Strategy / Action: Hosting, Net Team, SecOps, Others
Information: Event / Behavior, Network Analysis, System Analysis, Correlation, Security Vendor, Others
Data: Identity, Geo, Proximity, Homegrown Apps, Location, Sensor, SCADA, Logs, Others

“I have a series of questions, and the data gives the answers” ~ or ~ “I don’t know the questions yet; let’s look at the data”

A Trend is Emerging…

Trusted System or Service

Three pillars: Trusted Platform; Software Supply Chain Assurance; Independent Security Product Certification

Elements listed (from the three columns of the diagram):
• Authentication
• Trojan Prevention
• Threat Modeling
• Preferred Suppliers
• Strong Identity
• Identity Assurance
• Secure Logistics
• Standards-Based
• Secure Storage
• Safe Libraries
• Mutually Recognized
• Monitoring
• Run-Time Defenses
• Hardware Assurance
• Static Analysis
• Security Defect Triage and Resolution
• Compliance and Vulnerability Testing

My Responses – The Hard Work… Has Just Begun

Manual → Automated
Borders → Everywhere
Unknown → Known/Assured

Enterprise Security Architecture Framework

(Architecture diagram; recoverable labels:)
Alternate “Trusted Devices”; Device Identity & Access; Storage Platforms; Device Security; External Audit Inspection Vehicles; Application and Platform Service Security; Functionality; Strong Authentication; Orchestration Engines; Data Security; Classification; Governance; Management; Regulatory; Data-Centric Data Security; Identity “Awareness”; Policy; Service Catalog; Cross-Product Policy; Library/Filters; Service Management; Data Governance; Access Control; Identity Management; Location; Network and Data/Svc Contexting; System Mgmt; Common Tracking Id; Admin; Framework; Provisioning; Cross-Product Capabilities; Policy Engines; IEN Policy Network; Cisco Network; Data “Tagging” Capabilities; Enforcement Services

High-Level Targets

Identity Management
• Service opportunity for BUs
• STBU SAML exploration
• WebEx identity service concept
• External identity architecture
• External identity SOR
• Standards for identity “realms”

Data Governance
• Explore encryption gateway
• SSBU DLP capabilities
• PMBU policy enhancements
• External compliance effort
• Introduce inspection capabilities

Service Management
• Update policy, RFIs, SLAs, SOWs
• ACS/Positron integration (policy management)
• NMTG data tagging/CMS integration
• Security product integration with service mgmt
• Develop portfolio of “Just Good Enoughs” (JGE)
• Data model enhancements
• Introduce regulatory capture

Future Client Platform Environment

• Compliance
• Management
• Enforcement
• Remediation

Trusted layer
Managed Platform
Virtualized Environment / Network Environment

Key Takeaways

Conclusions
• This Phase is Different – Big changes are having a profound effect on security
• “Know thyself” – attain a high degree of situational awareness
• Ask the right questions to get the right answers
• Look to the data to point the way

More Information

Security Education: www.cisco.com/go/securityeducation
Security Intelligence Operations: www.cisco.com/security
Security Blog: blogs.cisco.com/security
2009 Security Annual Report: www.cisco.com/go/securityreport
