New network security products from Cisco Systems Inc. address zero-day exploits and advanced persistent threats (APTs) from the enterprise network to the endpoint to the cloud, the company says.
The new malware and data centre security offerings were unveiled at the Cisco Live event in San Francisco this week.
Cisco has also announced that it is buying security intelligence firm ThreatGrid. The acquisition reflects Cisco’s determination to pursue its cloud and IoT buildout. ThreatGrid’s malware products will be melded into Cisco’s AMP line in a clear extension of Cisco’s acquisition of security vendor Sourcefire last October. The deal will close by the end of Q4 this year.
The new products and enhancements are focused on – though not restricted to – Cisco’s Advanced Malware Protection (AMP) line. The AMP updates correlate Indications of Compromise (IoC) data between network and endpoint with integrated threat defence and shared intelligence. Cisco says that this correlation provides continuous and pervasive protection against the most advanced threats. AMP provides malware detection and response across the extended network, including endpoints, mobile devices, virtual systems and Web and e-mail gateways.
Cisco has added Mac OS X support to AMP, along with an on-premises private cloud appliance that provides continuous analysis. The newly acquired ThreatGrid technology adds dynamic analysis on-premises and in the cloud. Working as a complement to AMP, it performs aggregation and correlation of threat data across the network and across Cisco’s portfolio of services and solutions.
Cisco also announced enhancements to its ASA firewall product family that will improve security in the data centre and into the cloud. The upgrades support software-defined networking (SDN) and Application Centric Infrastructure (ACI) environments.
New capabilities in the AMP portfolio include:
- AMP for Endpoints – AMP investigates IoCs and file behaviour, establishing response priorities. There’s a new elastic search that Cisco says helps users establish the scope of an attack, while remote file analysis adds the ability to retrieve and store files for later scoring and analysis. Cisco is also extending AMP for Endpoints to Mac OS X, which extends the solution’s footprint further into heterogeneous environments.
- AMP Private Cloud Appliance – The new cloud appliance is designed to provide high-end malware protection for enterprises where stronger privacy requirements restrict the use of the public cloud. The appliance employs big data analytics, continuous analysis, and locally stored security intelligence.
- AMP for Networks – Tailored for high-performance networks that require accelerated time-to-detection, AMP for Networks’ Indications of Compromise resources correlate and prioritize events across a range of solutions. Dynamic Analysis uses a cloud-based sandbox to evaluate files, isolating and analyzing unknown threats. Users can also create custom detections to block files quickly, while a new File Capture feature allows security teams to store and retrieve files for further analysis.
- New AMP FirePOWER Appliances – Cisco has announced two new dedicated AMP for Networks appliances: the FirePOWER AMP8150 with up to 2 Gbps of performance and the FirePOWER AMP7150 at up to 500 Mbps.
Cisco (Nasdaq: CSCO) also released a new version of its Secure Data Center Cisco Validated Design (CVD), which supports the secure deployment of new solutions.
The new ASAv virtual appliance has dynamic, on-demand scalability within virtual environments, with ACI integration, without hypervisor or vSwitch limitations. Cisco says it delivers high-level performance marks in throughput and connections per second. Enhancements to the ASA 5585-X firewall support traditional, SDN and ACI data centre environments.
Jason Brvenik, principal engineer with Cisco’s Security Business Group, came to the company as part of the Sourcefire acquisition. In an advance briefing for IT World Canada, Brvenik defined the new product announcements as they fit into Cisco’s notion of an “attack continuum” – the security measures and threat assessments that need to be executed before, during and after an attack.
“In each of these phases, there are technologies that are well suited to helping you solve the specific challenges of security,” Brvenik told IT World Canada. “The before part is knowing what your assets are, what systems your users are using, who’s active – as well as enforcing policy. During the attack of course you need to do the basics – detect, interdict and block the threat. If you can’t do those things you can’t do anything else.” The follow-up phase is perhaps the most complex, involving analysis of the scope of the compromise, remediation, and reporting.
“You can’t do all this as a point technology at a single point of observation – it has to be across all the attack points,” Brvenik said. “That’s why we talk about the network, the endpoint, mobile devices, virtual devices, the cloud, everything. Enterprises need a technology that gives them that visibility, to control and protect assets. And you can’t do this at a single point in time, it needs to be a continuous process.”