In October, we were delighted to announce the completion of our acquisition of Sourcefire. With Sourcefire on board, Cisco provides one of the industry’s most comprehensive advanced threat protection portfolios, as well as a broad set of enforcement and remediation options that are integrated, pervasive, continuous, and open.
Within three weeks of the acquisition closing, we completed the first deployment into a highly secure data center and we are quite impressed with the results, to say the least! Within the first hour, we began seeing some interesting things from our network. The implementation was already giving us insights into our data center that we never had before!
We’ve also gained more visibility into the various versions of host operating systems connecting to the data center as well as applications on the network designated as having low business relevance or personal uses. We now have the ability to look beyond a signature and correlate an individual data flow with a specific host and user in order to understand the vulnerabilities associated with that connection. We also now have the ability to refine and implement our security policy from an enforcement standpoint.
As we move forward, it will be interesting to see what we can consider “normal” and how it will affect the security policy for our data center.
With this enhanced depth of visibility, we can better understand what is happening on our network and effectively take action based on this new information. At the end of the day, better visibility allows for better protection, and that is the goal. We’re excited to explore some of the more advanced tracking features of Sourcefire over the coming weeks—we’ll keep you posted!
For more information on Sourcefire, please visit: http://www.cisco.com/web/about/ac49/ac0/ac1/ac259/sourcefire.html
Great blog John – glad to hear of the success with Sourcefire! Are you deploying it for inline protection, or passively? Also, would enjoy hearing about economies (labor savings) you derive from correlating events with host vulnerabilities and user identities and automating impact assessment, tuning, and triage.
dastuart:
For our first step, our InfoSec team deployed two pair of Sourcefire IPS inline (to cover both Internet and intranet traffic) to the highly secure data center John mentioned in this post. We’ll enable blocking of select, high-fidelity signatures next Thursday. Building on the stability and efficacy we’re already seeing, we believe the added features of automated vulnerability and user correlation will further speed our incident detection. No hard metrics for you yet, but so far things are looking very good.
-Martin
I’m interested to learn more about Sourcefire, but outside of the press release, there does not appear to be much information up yet. The ASA -X has IPS now, but I’m not sure if that is a separate development track or not. Need. More. Information. 🙂
Hi John,
Cisco continuously strives to maximize the efficacy of our solutions and products. This acquisition allows us to combine the complementary strengths of Cisco and Sourcefire to provide the most effective threat prevention capabilities across our entire security portfolio.
Cisco is committed to driving both the FirePOWER and ASA platforms roadmaps forward and will share more information on any specific points of integration in the coming months.
-Scott
Does Chris White plan to work with the NSA like he did at RSA to establish addition crypto back doors in Cisco products like Sourcefire? It would sure make it easier to monitor US and foreign communications.
Bob,
Thanks for the reply and apologies for the delay (the holiday season got me a bit backlogged).
I’m not sure who you mean by Chris White so will just focus on the real issue: this is about who Cisco is and what we stand for.
Plainly stated, we have a strict Cisco wide policy on backdoors. We do not knowingly enable them in our products, we do not deliberately build them into our products, and we do not work with any organization or government to
implement them in our products.
We also make this explicit publicly so all interested parties (you, our customers, shareholders) know our position, and there will be no ambiguity:
http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html#psi
And, given crypto is a huge topic these days as you note, I can recommend this October 2013 blog to you about how we choose and implement crypto, written by Anthony Grieco (great guy, works in my team, super smart):
http://blogs.cisco.com/security/a-crypto-conversation-how-we-choose-algorithms
–jns
So what will be the future plan in regarding with current IPS?
Will new NGIPS fits on current IPS Modules like SSP-20/40/60?
Will the clients be able to make that route?
So when TLS decrypt will be available on IPS module?