Architects of Change: Perspectives

Security: Don’t just keep up, keep house - a blog from the Cisco Partner Summit 2016

Written by Chris Gabriel | Nov 2, 2016 12:30:04 PM

Chris Gabriel explains why CIOs worried about threats ranging from ransomware to ghostware put network security investment as their #1 priority – and why Cisco research shows they also need to keep existing networks patched and up to date.

Security continues to head the list of priorities for customers around the world, with the recent Logicalis Global CIO Survey finding that CIOs are all too aware of the growing diversity of security threats facing their businesses.

It’s not surprising that awareness is on the increase. You would have been hard pressed to find coverage of data breaches 10 years ago; now they make front-page national and international news, cost corporations hundreds of thousands of pounds, if not millions, to fix, and damage corporate and personal reputations.

Network security comes first

What’s apparent though is that however much we look to the hundreds of new security vendors in the market to protect our digital assets, most CIOs are firmly locked onto the networking investments they believe will help them manage security risk and provide their organisation with the highest levels of cyber protection.

In the same Logicalis survey, 70% of CIOs said their core network would be the #1 investment priority for 2017. That’s 1.5 times the percentage citing investment in identity and access management, and twice the percentage focused on security analytics.

Perhaps this shouldn’t be a surprise. The network is, after all, the one constant in the world of digital and IT. Everything connects to it and passes through it; it is the first line of attack and the first point of defence - the place where everything is centred, but also the asset that can be used to monitor and respond to threats.

Don’t forget security housekeeping

It makes absolute sense that this multi-tentacled, all-seeing and all-knowing digital infrastructure should be where CIOs look to invest in heightened cyber defences. But recent research from Cisco[1] shows that the CIO and the IT department mustn’t forget that good practice in network life-cycle management is also vital in the fight against cyber criminals.

Every year Cisco reports on the state of the security threat facing organisations and uses a massive sample of data, gathered from around the world by its threat intelligence unit, to detail the volume and types of attacks that are being carried out.

Cisco highlights known vulnerabilities

On top of this, Cisco looked at its own installed base of products to see how many were being kept up to date and patched to reduce the risk of device vulnerability and compromise.

In 2015, Cisco analysed 115,000 Cisco devices on the Internet, many across customer environments. In a time of heightened awareness around cyber security the findings were surprising:

  • 106,000 of the 115,000 Cisco devices, 92 percent, had known vulnerabilities in the software they were running
  • The sample included 103,121 Cisco devices with known common vulnerabilities dating from 2002–2016
  • Each device was running, on average, 28 known vulnerabilities
  • Devices in the sample had been running known vulnerabilities for an average of 5.6 years
  • More than 23 percent of these devices had vulnerabilities dating back to 2011
  • Nearly 16 percent had vulnerabilities that were first published in 2009
  • Almost 10 percent had known vulnerabilities older than 10 years.

Open to attack

So, whilst the network is the #1 investment priority, too many network devices are being left open to attack via vulnerabilities that simply should not be there.

We should applaud Cisco for its sensible attitude to the security market – on the one hand urging organisations to focus their security investments on Cisco’s industry-leading security architectures, and on the other being open about the risks that emerge when CIOs and IT departments leave existing Cisco products open to cyber breach.

Cisco would clearly love CIOs to invest but they are also urging them to do the day-to-day basics that prevent the kind of breaches we have seen in recent times. Sensible and sound advice, which is refreshing in a market where the next hot product comes off the production line every day or two.

The graphic above shows the % of devices running known vulnerabilities by region around the world. Some regions are clearly better than others at keeping up to date, but in all cases a percentage of devices present a weakness.

Keep house

What their report clearly highlights is that security isn't just about buying the latest product or service. Rather, it is an ongoing process in which best practice means keeping products up to date and managing an estate for end of life - not just monitoring attacks but also monitoring the underlying health and state of the tens of thousands of previously implemented devices.

In security we all talk about protecting customers’ assets - but the management of existing assets like switches, routers, and gateways clearly presents customers with a significant problem. This is an issue we must pay attention to and help them resolve, whether through installed base upgrades, asset managed services, more proactive patch management offerings, or by working to cover the customer’s entire estate through Cisco's new software licensing models (ELA/ONE).

Overall, the report covers a wide range of security risks that our customers are facing now and will face in the future. The vast majority represent serious threats to our customers and, while I cannot pretend to understand them all, one thing is clear: as we try to help customers defend against the next threat, we must not forget that keeping their installed base healthy and up to date is a basic and fundamental part of improving our customers’ defences.

[1] http://www.cisco.com/c/m/en_us/offers/sc04/2016-midyear-cybersecurity-report/index.html