
Cisco security chief: How to beat back security system complexity

Tim Greene | March 9, 2016
Cisco’s David Goeckeler on how software upgrades can reduce the proliferation of security point products.

By the way, if you deploy those boxes, they don’t talk to each other so you find something in one little corner of your network and then what do you do with it? You have to have people that go apply policy everywhere else in your network. All of that is automated. We literally, versus the point product, our advanced malware is twice as effective at half the cost.

I’m wondering about reducing complexity and how much of your answer requires people to toss out point products they already have versus being able to integrate them.

Think really hard about this because security is a market where everybody is not supposed to be going and toss out everything they have. What we’re doing is bringing the security architecture across all of those networking points of presence as well. That’s where their users are, that’s where the data is. I talked about AMP. You can add an AMP software upgrade on top of an ISR router which is the most ubiquitously deployed edge router out there for campus branch type of thing.

What other acquisitions do you point to?

We acquired OpenDNS about five months ago now. If you look at OpenDNS, security from the cloud, pure SaaS model, nothing for the users to deploy. What could be easier? I mean you change your DNS address to point to our cloud and you now have a world class layer of very effective security. Global coverage. It doesn’t matter which device you’re on, what port, what protocol, you’re getting coverage.

We’re also able to tie that AMP franchise I just talked about with OpenDNS. Now on my advanced malware franchise, anything that I find in the enterprise that’s indicators of compromise or malware or IP addresses that I don’t want my users going to, simply pass that by an API to OpenDNS and now that customer has world-wide coverage against that threat. They can literally take everything they’re finding in their enterprise environment automatically through an API and have global coverage instantaneous.

When we acquired Sourcefire about a year and a half ago, we delivered ASA [firewalls] with Firepower services, which was the ability to take the entire Sourcefire asset and [offer it as a] software upgrade in ASA. That’s a pretty incredible position about again bringing more capability to our customers and reducing complexity, not asking them to put another box behind their firewall to do all the most sophisticated threat features but just upgrade the platform you already have.

What about minimizing damage when breaches occur?

The segmentation we can drive with an architecture like Network as an Enforcer, which is our TrustSec architecture, where you can really use the network fabric to enforce policy. As users come on the network you assign them a certain policy and then the network fabric enforces that policy so if a user is not supposed to go to a certain part of the network, the actual switching infrastructure supports that. That limits lateral movement. [W]hen somebody gets in your network you want to find them as quickly as possible but you also want to limit where they can go.

 
