Inside Cisco global security operations

Automated tools handle the vast majority of security threats, but it's the human element that makes the difference.

By Ann Bednarz, Network World | Security, Cisco

AUSTIN, TEXAS -- In the ongoing battle against enterprise security threats, Cisco has amassed an army of 500 engineers, researchers and technicians deployed in 11 primary locations worldwide, whose marching orders are to analyze threats and do everything possible to mitigate those threats as quickly as possible.

The nuclei of Cisco's distributed system are its Threat Operations Centers (TOC), one of which is located in a nondescript office building outside of Austin, where Network World recently visited.

The amount of security-related data pouring into the TOC is staggering. "I never wake up in the morning and think I don't have enough access to data. I do wake up frequently in the morning and think 'what are we going to do with all this data?'" says Rush Carskadden, a product line manager in Cisco's security technology business unit.

The task that drives Carskadden and his colleagues is to put all the data in context. Providing context is critical to discovering and thwarting enterprise threats that are becoming increasingly complex and multipronged. Blended threats aren't new, but they're growing in prevalence and severity.

"We're seeing blended threats that act just as intelligently as a very good penetration tester would act," Carskadden says. Meaning, they're patient, thoughtful and persistent. "The real surprise is the degree to which and the sophistication with which these threats are automated."


Night Dragon is a perfect example. First publicized in February, this series of coordinated attacks targeted intellectual property from energy companies. The tools and techniques involved -- social engineering, spear phishing, Windows exploits and Active Directory compromises -- aren't incredibly sophisticated, but the attackers' methods made it difficult to link the malicious actions together and enabled the intrusions to go on for as long as four years.

"It's a very sophisticated threat in the sense that it will actually seek out the Active Directory server, compromise it, use data slurping to grab credentials, and then use those credentials to further compromise the network and gain access to sensitive information," Carskadden says. Beyond an initial SQL injection, the attack consists of activities that would not appear overtly suspicious; the attackers are operating in a manner that doesn't draw attention, surreptitiously looking for valuable information to extract. While not publicly calculated, damages from Night Dragon could potentially be in the hundreds of millions of dollars, Carskadden says.

"If you trace through how this threat works, you will find few better examples of how important it is to tie the intelligence together from the various vectors," Carskadden says.
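The point Carskadden makes here, that no single vector sees enough to convict on its own, is easiest to see in code. The following is an added example, not Cisco's or SIO's code: it parses constructed sensor records (host names, device names, signal labels, scores, the time window and the thresholds are all assumptions) in which every record stays below the single-sensor alert threshold, and raises a finding only for a host that accumulates signals from several vectors inside one time window, in the order the article describes (lure, injection probe, new privileged logon, outbound transfer).

```python
"""Correlating low-severity signals from several sensor vectors into one
finding per host. Added example with constructed data, not Cisco SIO code."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# A single sensor would normally alert only at or above this score (assumed).
SINGLE_EVENT_THRESHOLD = 5
# Correlation parameters; assumed values chosen for the sample feed below.
WINDOW = timedelta(hours=6)
MIN_VECTORS = 3
MIN_COMBINED_SCORE = 6


@dataclass(frozen=True)
class Event:
    ts: datetime
    vector: str   # reporting sensor class: email, web, auth, ips
    device: str   # sensor that produced the record
    signal: str   # sensor-local verdict
    host: str     # internal asset the record concerns
    score: int    # sensor-local severity


def parse_event(line: str) -> Event:
    """Parse one constructed sensor line of the form
    '<iso-ts> <vector> <device> <signal> host=<h> score=<n>'."""
    ts, vector, device, signal, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(datetime.fromisoformat(ts), vector, device, signal,
                 fields["host"], int(fields["score"]))


# Constructed sample feed (hypothetical hosts and devices). No single line
# reaches SINGLE_EVENT_THRESHOLD, so per-sensor alerting stays silent.
RAW_FEED = [
    "2011-03-01T09:00:00 email mail-gw phish_lure_clicked host=ws-17 score=2",
    "2011-03-01T09:07:00 web proxy sqli_probe host=ws-17 score=2",
    "2011-03-01T09:30:00 auth dc-1 new_admin_logon_source host=ws-17 score=3",
    "2011-03-01T10:15:00 ips egress large_upload_unknown_dst host=ws-17 score=2",
    # A second host with scattered signals that never cluster: web and ips
    # on day one, an auth anomaly a day later. Two vectors at most per window.
    "2011-03-01T09:05:00 web proxy sqli_probe host=ws-42 score=2",
    "2011-03-01T09:40:00 ips egress large_upload_unknown_dst host=ws-42 score=2",
    "2011-03-02T14:00:00 auth dc-1 new_admin_logon_source host=ws-42 score=3",
]


def correlate(events, window=WINDOW, min_vectors=MIN_VECTORS,
              min_score=MIN_COMBINED_SCORE):
    """Return {host: finding} for every host that, inside one sliding window,
    is named by at least min_vectors distinct vectors whose scores sum to at
    least min_score. Each window is anchored at one event and extends forward."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for i, start in enumerate(evs):
            cluster = [e for e in evs[i:] if e.ts - start.ts <= window]
            vectors = {e.vector for e in cluster}
            total = sum(e.score for e in cluster)
            if len(vectors) >= min_vectors and total >= min_score:
                findings[host] = {
                    "first_seen": start.ts,
                    "vectors": sorted(vectors),
                    "combined_score": total,
                    "chain": [f"{e.vector}:{e.signal}" for e in cluster],
                }
                break  # one finding per host is enough for the analyst queue
    return findings


def run(feed=RAW_FEED):
    """Parse the feed and correlate it; returns (events, findings)."""
    events = [parse_event(line) for line in feed]
    return events, correlate(events)


if __name__ == "__main__":
    events, findings = run()
    print("events above single-sensor threshold:",
          sum(e.score >= SINGLE_EVENT_THRESHOLD for e in events))
    for host, finding in findings.items():
        print(host, finding["combined_score"], " -> ".join(finding["chain"]))
```

Run stand-alone, the script reports zero events that any one sensor would have alerted on, then a single finding for ws-17 whose chain reads email, web, auth, ips in order; ws-42 never reaches three vectors in one window and stays quiet. The thresholds are deliberately simple; the lesson is that the host-level view across vectors, not any one sensor's verdict, is what surfaces the blended chain.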

Tying it all together

Tying together threat intelligence is essentially the mission of Cisco's Security Intelligence Operations (SIO), which provides threat information, vulnerability analysis, and mitigation solutions to enterprise customers. SIO is the command center for Cisco's security services and appliances.

Organizationally, there are three main pillars of SIO. The first is SensorBase, the data repository.

SensorBase collects raw event data from more than 700,000 sensors built into Cisco network security devices deployed worldwide, including intrusion prevention systems, firewalls and web security systems. SensorBase on average processes 2 billion web requests and 13 billion emails daily, resulting in several terabytes of new threat-related data every day.


Originally published on Network World.
