Interview

A tenth of security alerts that should be taken seriously are ignored: John Maynard, Cisco

From evolving threats to DNS attacks and IoT security, John Maynard, Global Security Officer at Cisco, brings to light the present-day security challenges the enterprise needs to brace for.


India ranks third on the list of countries most targeted by hackers and cyber-criminals. So it’s not a question of if, dear CISO, but when your organization will be attacked.

With organizations merrily hopping on to the multi-cloud bandwagon and with the proliferation of IoT, the challenging cybersecurity space has just gotten harder.

Cisco, although a little late to join the party, is here to change the game in security and to help customers move from a fragmented, disjointed place, to a high-visibility zone.

In an exclusive interaction, John Maynard, global security officer at Cisco, walks us through the current challenges in enterprise security and how Cisco is bracing itself to ride the wave.

Edited excerpts:

John, what have been your observations around the evolving threat landscape and what new challenges are enterprises facing?

Security is interesting because we have a constantly-evolving threat adversary. We see the need for a high level of visibility and the ability to look across different threat vectors. You no longer see one attack on a threat vector – you see multiple threats, multiple threat vectors, and the adversary is changing their behavior and becoming much more sophisticated and collaborative between various factions and various groups.

As a security organization, we found that our customers need a partner that has a good understanding of the tools, techniques and procedures (TTPs) that adversaries use. A lot of customers we speak to have up to 100 different vendors in their security environment. And adversaries are evolving by laying multi-staged, multi-vector attacks – by leveraging the lack of visibility organizations face in a fragmented environment.

You had shared earlier that multiple security vendors create vulnerabilities in themselves. Why do you think there is an increased chance of vulnerability, and how can organizations actually mitigate those vulnerabilities?

If you think about the kill chain within security, you have activities that happen before, during, and after an attack. Adversaries are essentially exploiting weaknesses that target each of those three stages.

The lack of visibility is a core driver and is the result of a fragmented security environment; CSOs do not know what is happening in the environment because they cannot see across all the vendors.

The ability to respond quickly and remediate is a big challenge across a fragmented security landscape, especially in cases of multi-vector and multi-stage attacks. It is imperative to figure out how an attack has been carried out before taking remedial action. It’s also important to bear in mind that the last thing you want to do is to spook an adversary, as you may lose them in your environment.

Our annual security report reveals that 50 percent of alerts are missed. What’s even more alarming is that 10 percent of alerts that should have been looked at are missed. So effectively, 10 percent of your environment is ignored due to this flooding of information coming from so many different tools, thereby overwhelming the security analyst who cannot get to the bottom of everything.

At Cisco, we are trying to automate the process by integrating the technologies together effectively, thereby reducing the number of alerts analysts have to review and investigate.

Today, a lot of organizations and security companies are turning towards AI to combat emerging threats, but then, so are hackers. This is resulting in an AI versus AI kind of warfare in the industry. So how do you ensure that your AI algorithms are better trained or better equipped?


AI or machine learning is not a silver bullet for security. Security needs an in-depth strategy. There are multiple layers of protection and detection that should be put in place.

Technology is important, and so is providing automation, orchestration, AI and ML as part of that armory. While technology is important, having mature processes is critical.

StealthWatch is a great example of incorporating AI and ML. However, we want to ensure that it is deployed in an environment that could be supported from the people and process perspective.

A lot of security experts are saying that humans are still the weakest link in the entire cycle, but there are others who believe that endpoints are the weakest link. So what is the weakest link in your opinion?

The fact is that the user is still the weakest link and so 80-90 percent of all breaches still leverage weaknesses in passwords. That is why Cisco recently acquired a company called Duo Security to offer the best protection through multi-factor authentication.

You can have the best endpoint protection, EDR-type capabilities and the best of technologies, but if I steal your password and I am still a legitimate user, then I can access the resources that I have access to under the security policy of that company. Endpoint capabilities or other tools could detect that I am not you if I use your password through anomaly detection and behavior analytics. But the reality is I can still pretend to be you by leveraging your credentials to access resources.

The fundamental issue in security is still user awareness and user hygiene. Our investment in Duo Security helped build a holistic strategy that makes it possible to link a trusted user to a trusted device and to a trusted application.
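The point made above is that a stolen password lets an attacker act as a legitimate user, and that a second factor tied to an enrolled device is what closes that gap. The following is an added, self-contained illustration of such an access decision, written for this page; it is not Duo Security's or Cisco's code. The user record, salt and device identifier are constructed, and the TOTP secret is the RFC 6238 test key rather than a real credential.

```python
"""Constructed example: an access decision that requires more than a password.

All three checks must pass: the password, a time-based one-time code (TOTP,
RFC 6238) from the user's enrolled authenticator, and a device the user has
previously enrolled. A stolen password alone therefore fails the decision.
"""
import hashlib
import hmac
import struct


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP(secret, floor(timestamp / step))."""
    counter = timestamp // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; never store or compare plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user record (hypothetical account, hypothetical device id).
SALT = b"constructed-salt-not-for-production"
USERS = {
    "alice": {
        "password_hash": hash_password("correct horse battery staple", SALT),
        "totp_secret": b"12345678901234567890",     # RFC 6238 test key
        "trusted_devices": {"dev-laptop-01"},
    }
}


def authorize(user: str, password: str, code: str, device_id: str, now: int) -> tuple:
    """Return (allowed, reason). `now` is a Unix timestamp so the result is reproducible."""
    record = USERS.get(user)
    if record is None:
        return False, "unknown_user"
    if not hmac.compare_digest(hash_password(password, SALT), record["password_hash"]):
        return False, "bad_password"
    # Accept the current 30-second step and one step either side for clock drift.
    valid_codes = {totp(record["totp_secret"], now + drift) for drift in (-30, 0, 30)}
    if not any(hmac.compare_digest(code, valid) for valid in valid_codes):
        return False, "bad_otp"           # password alone is not enough
    if device_id not in record["trusted_devices"]:
        return False, "untrusted_device"  # trusted user, but not a trusted device
    return True, "ok"


if __name__ == "__main__":
    # Attacker with only the password is stopped at the one-time-code check.
    print(authorize("alice", "correct horse battery staple", "000000", "dev-laptop-01", 59))
    # Legitimate user, valid code, enrolled device.
    print(authorize("alice", "correct horse battery staple", "287082", "dev-laptop-01", 59))
```

The decision is evaluated in a fixed order and each failure returns a distinct reason so that a detection pipeline can count `bad_otp` and `untrusted_device` outcomes separately; a spike of correct passwords failing the second factor is exactly the signal the interview describes, a credential that has leaked but not yet been abused successfully.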


John, could you walk us through what’s cooking in Cisco labs, specifically in Talos?

Our security organization has around 300 strong threat researchers within Talos. They are constantly looking at the next threat and the next threat factors. An example of this would be the disclosure of the VPNFilter hack – a coordinated attack on routers that was revealed by Talos.

We had collaborated with the FBI and other law enforcement agencies to not just discover the threat, but also take down the adversary. We also look for vulnerabilities across the vendor landscapes and work with technology providers to ensure that these vulnerabilities are addressed in a coordinated manner. Most of this is proactive research for hunting down the next threat in VPNFilter.

A Cisco finding reveals that 91.3 percent of malware uses DNS attacks. Do you think that is a trend that we are going to see again throughout 2019 and if so, how is Cisco planning to tackle this issue?

We see that almost every single communication with the internet uses DNS as the translation layer. We believe that across our cloud security strategy – right from the cloud edge, to SaaS applications, to infrastructure services, to plain vanilla internet access, DNS is the foundational layer.

Our whole strategy for cloud security is built DNS-up and is fundamentally changing the discussion around what the network needs to look like to enable direct internet access from the branch.

Cisco has deployed Umbrella, or DNS protection, globally across a whole environment in about four hours. It is a very quick first line of defense, wherein we build incremental security capability in the cloud on top of baseline protection.
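To make concrete why DNS works as a first line of defense, here is an added example, written for this page and not Cisco Umbrella's own logic, of a DNS-layer policy applied to resolver query logs. The log format, client addresses and blocklisted domains are all constructed; a real deployment would take its blocklist from a threat-intelligence feed and enforce it at the resolver rather than after the fact.

```python
"""Constructed example: enforce a domain blocklist at the DNS layer.

Every outbound connection starts with a name lookup, so matching the queried
name against a blocklist (including all of a blocked domain's subdomains)
stops the connection before any TCP/HTTP traffic exists, and the resolver log
tells you which internal client asked.
"""
from collections import Counter

# Constructed blocklist; these are reserved example/test names, not real IoCs.
BLOCKLIST = {"bad-example.test", "c2-example.invalid"}

# Constructed resolver log: "<timestamp> <client-ip> <qtype> <qname>"
LOG_LINES = [
    "2019-03-01T10:00:01Z 10.0.0.5 A www.example.com.",
    "2019-03-01T10:00:02Z 10.0.0.5 A cdn.bad-example.test.",
    "2019-03-01T10:00:03Z 10.0.0.9 AAAA mail.example.org.",
    "2019-03-01T10:00:04Z 10.0.0.9 TXT update.c2-example.invalid.",
    "2019-03-01T10:00:05Z 10.0.0.7 A BAD-EXAMPLE.TEST.",
    "2019-03-01T10:00:06Z 10.0.0.7 A notbad-example.test.",   # similar, not a subdomain
]


def normalize(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'Example.COM.' == 'example.com'."""
    return qname.rstrip(".").lower()


def blocked_by(qname: str, blocklist: set) -> str:
    """Return the blocklist entry that covers qname, or '' if none does.

    Walks parent labels so that 'cdn.bad-example.test' matches 'bad-example.test'
    while 'notbad-example.test' (a different registrable name) does not.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return ""


def parse_line(line: str) -> tuple:
    """Split one constructed log line into (timestamp, client, qtype, qname)."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype, qname


def apply_policy(lines, blocklist=BLOCKLIST) -> dict:
    """Classify each query; return blocked events and a per-client count."""
    blocked = []
    per_client = Counter()
    for line in lines:
        ts, client, qtype, qname = parse_line(line)
        match = blocked_by(qname, blocklist)
        if match:
            blocked.append({"ts": ts, "client": client, "qname": normalize(qname), "matched": match})
            per_client[client] += 1
    return {"blocked": blocked, "per_client": per_client, "total": len(lines)}


if __name__ == "__main__":
    report = apply_policy(LOG_LINES)
    for event in report["blocked"]:
        print(f"{event['ts']} {event['client']} -> {event['qname']} (blocked by {event['matched']})")
    print("blocked per client:", dict(report["per_client"]))
```

The parent-label walk is the part worth noticing: a blocklist that only matches exact names misses every `cdn.`/`update.` subdomain an operator rotates through, while naive substring matching would wrongly block `notbad-example.test`; the per-client counter is what turns the resolver log into a list of hosts to investigate.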

With the proliferation of IoT and IIoT, you have multiple endpoints which are now subjected to a lot of threats and attacks. What is Cisco’s solution around IoT and IIoT devices?

The problem with IoT is that we, as an industry, are repeating the sins of the past. So essentially, there are now many more insecure connected devices.

In the past, organizations have failed to secure by design – by building security from the outside. So, security controls were strapped on to something that was effectively an insecure system. Defining access policies of connected devices is absolutely critical.