Cisco Security Advisory Council Recap

On the 15th and 16th of June I had the privilege to join Cisco in Berlin for their Security Partner Advisory Council. Why has it taken me almost a month to post an update? Well, there is this thing called the puppy dog effect: when you see something new and shiny you get excited, so if you wait a week or two you can settle down and provide a real opinion. It was a great event organised by Yves Mertens, Lothar Renner, Brian J. Feeney, Oliver Cheal, Rick Kramer, Frank Lento, Sheena Petts, Justin Buchanan, and the rest of the security focussed leadership team at Cisco. It was also a pleasure to hear from Tom Gillis and Raj Chopra, virtually joining us from their hotel rooms around the world. *We did think they were in the same room at one point :-)


Before I continue, if you are hoping to get non-public information from this point please stop, as this was a highly sensitive NDA-based event. What I can give you is my sentiment and publicly available content.

I went into the sessions hoping to understand the Cisco Security roadmap and how they would like to shape the market moving forwards. And I got just that... and then some!

Cisco is accelerating, leaning into its strengths and looking to reshape the way people consume and use security tooling. Two straplines that stuck in my mind from the event were:

  • The company that brought you the VPN is killing the VPN as we know it.
  • The 2nd mouse gets the cheese. You don't always have to be the first: Tesla did not create the first electric vehicle, Apple didn't invent the MP3 player, Spotify wasn't the first music streaming service.

I believe it's fair to say that with the explosion of the cyber security market there are now hundreds, if not thousands, of products and platforms that can help you lower risk and improve your security posture, as scarily shown by a slightly out of date cyberscape image.


With this explosion of products and platforms we have intrinsically seen an increase in spend as well as an increase in breaches, which means a new approach is needed. At CDW, we believe that you must be delivering People, Process and Technology to improve your capability. If a single one of these is failing then you are not denting your risk and response profile.

The Cisco Secure portfolio is now starting to contain a broad set of technologies that work as a team, providing seamless interoperability with your security infrastructure, including third-party technologies. The key word here, in my opinion, is "team": products working in harmony whether it is Cisco through and through or third-party integrated.

Here is an image of the partners and Cisco teams that attended the event sharing real feedback.


The following sections share snippets on the three core update areas from the Cisco Security portfolio: Secure Firewall, XDR and Secure Access.


SECURE FIREWALL

Justin Buchanan hosted this session. The Cisco Secure Firewall vision is to centralise operations and visibility across the firewall and identity estate.

Here are my summary notes:

General:

  • Customer challenges - apps everywhere, everything is encrypted, and throughput in some cases is lacking.
  • Cisco have gone away and reviewed their software development framework and processes to aid in cleansing and fixing some of the past experiences with stable software releases. Initial sentiment and feedback is that this has resolved issues and decreased the number of TAC cases.

Cisco Live Updates:

  • Simplified branch routing.
  • Zero trust app access supporting clientless access.
  • Encrypted visibility 2.0 - more visibility and control over encrypted traffic.
  • Secure Firewall 4200 - same architecture as the 3100 with a crypto accelerator. Better price to performance.
  • Multi cloud defense - the rebranded Valtix platform, providing continuous visibility, a single policy for private and public clouds, dynamic policy management and real-time tag-based policy management. It can look at NetFlow in AWS to understand how applications are communicating and allow you to protect them. Policy can be exported as Terraform scripts if you want to use that instead of the UI.

Software:

  • Cisco Secure Firewall Threat Defense: firmware 7.2.4 is ready for you! 7.2.4 introduces 300+ features, usability improvements and software optimisations - this release fixes 85% of open TAC cases with known bugs. Now is the time to upgrade.
  • 7.2.4 brings further enhancements for TLS 1.3 as well as integration for the encrypted visibility engine to work with QUIC traffic.
  • Full 7.2.4 release notes here: Cisco Secure Firewall Threat Defense Release Notes, Version 7.2 - Features and Functionality [Cisco Secure Firewall Threat Defense] - Cisco
  • Cisco Defense Orchestrator: allows you to manage up to 1000 firewalls within a single SaaS tenant. Note: some limitations to 750 do apply if managing large on-prem FMC environments. For clarity, FMC manages Firepower images (FTD or Firepower Module Services). CDO is able to centrally manage your ASAs, FTD, Meraki security policies and AWS VPC security policies.
  • Clustering support on all models up to 16 nodes.

Hardware:

  • Cisco 4200 - clustering support on all models up to 16 nodes, targeting 70-140 Gbps for NGFW profiles and 90-200 Gbps for ASA traffic, network modules spanning 10/25/40/100/200/400GE, and multi-instance support, up to 32 instances per firewall.
  • Hardware portfolio - 3100, 4200, 1010 for small branch, 11xx for branch and small campus, 9300 for service provider
  • Cisco Secure Firewall 4200 Series - Cisco


XDR

Albert Salazar hosted this session. Security teams are under more pressure than ever to defend an ever-expanding attack surface. The right XDR approach simplifies threat detection and response to increase resilience. Cisco are launching their flavour of XDR.

Note: Expected to be generally available end of July 2023 [2].

General:

  • Defining XDR - collection of telemetry, analytics applied to the source, and response and remediation capabilities. Focussing on turning false positives into validated incidents and prioritising incidents based on risk, with a view to enabling less experienced analysts to tackle more.
  • XDR should simplify, provide visibility and efficiently accelerate remediation.
  • No on-premise option for Cisco XDR. It is a SaaS delivered solution only.
  • Cisco XDR is focussing on clear prioritisation, threat correlation, guided incident response, advanced automation and infused threat intelligence.
  • Why Cisco XDR? - a cloud-first automated detection and response solution for the SOC, with simplified implementation.
  • Cisco XDR is open and extensible, enabling you to deliver on your strategy even if it's not Cisco through and through.
  • Cisco believe endpoint detection and response is foundational, and we need to treat NDR as equal to EDR.
  • Cisco are making it simple to consume with standardised buying models (more to come on this when the product is launched).


  • What is correlation to Cisco? - Identify the source of the incident on the network, feed in east-west information, and pull a feed from EDR. Uses Secure Analytics to provide correlation.
  • Out of the box Cisco integration sources: user endpoint (Secure Endpoint, Orbital, Email Threat Defense), application identity (Duo), cloud (Umbrella, Secure Cloud Insights), network (Secure Network Analytics, Secure Firewall, Meraki, ISE, Defense Orchestrator), malware analysis (Secure Malware Analytics).
  • How will Cisco play nicely with others? Support from day 1 of launch: cloud (AWS, Google, Microsoft, Oracle), firewall (Checkpoint, Palo Alto), network (Darktrace, ExtraHop), email (Microsoft, Proofpoint), endpoint (CrowdStrike, Cybereason, Microsoft, Palo Alto, SentinelOne, Trend) [3]
  • How much does it cost? - Well, it is not launched yet, but I have seen the current per user per year price points that can be consumed a-la-carte and within enterprise agreements. Knowing other platforms in the market, I believe it will be "competitive".
  • You will be able to buy it in bundles: Essentials (Cisco platform), Advantage (allows integrations with 3rd parties), Premier (managed service).
  • What will I get as standard in each tier? - Well, some of that has not been announced yet, therefore feel free to reach out and we can have a chat on what may be coming.
  • What is a user within Cisco XDR? - A knowledge user; a secure content user. For comparison with vendors who price per device, a per-user approach works out to roughly 2-2.5 devices per user.
  • As this is a SaaS platform your data will be stored in a Cisco managed data lake. Each customer will have their own "bucket" providing segmentation. You will be able to host the data outside of the US for sovereignty requirements. It is also worth noting this cannot be used towards your EDP draw down/cloud commitments as it is owned and managed by Cisco.

I am excited to see how this platform plays out and competes.


SECURE ACCESS

Rick Kramer hosted this session with Oliver Cheal. It was very humbling to hear that Cisco is late to the market with this. BUT the team were adamant that the new product, due to be generally available in October 2023 [1], is going to show why being first is not always best. Google wasn't the first search engine, Tesla wasn't the first electric vehicle company, Apple didn't invent the MP3 player, Spotify wasn't the first music streaming service: the 2nd mouse gets the cheese.

Cisco believe they are starting with a position of strength. Private app access.... they have been doing this for years. And this is one of the areas customers are struggling to manage alongside their cloud applications.

In the Cisco delight program (think of this as the test group), the feedback from Asia and the Americas has been:

  1. See the upgrade of Cisco tech being more seamless within this offering
  2. Will be making sure the customers get the right financial package and access. Ensuring they get credits for the things they have already purchased.
  3. Looking forward to VPN as a service
  4. Like single agent approach
  5. No more point of presence selection
  6. New protocols sound great for legacy apps, systems and services

What is SSE from Cisco? Simply put: SD-WAN + CASB + FWaaS + ZTNA + SWG.


What Cisco have built is a wide platform building on what some of the gen-1 providers have brought to market, providing visibility and control, simplified remote access, segmentation and Zero Trust. Zero trust projects and initiatives die with policy! If you cannot follow least privilege then you will fail!

With the integration of QUIC, and people moving towards MASQUE relays, I can see this being something that Cisco take advantage of. For anyone that does not know what network relays, MASQUE relays etc. are, here is a nice video that explains it simply.

The key differentiator for me is having the capability to embed digital experience monitoring into the solution by ultimately integrating ThousandEyes. For managing the user experience, which is critical in secure remote access, this will unlock the data for IT admins to reduce time to resolution and set clear expectations with service consumers. I am excited to see how this platform plays out and competes.

Again, to simplify the procurement of a platform, Cisco have created bundles for procurement. These bundles are Essentials and Advantage. By clicking the Essentials and Advantage link you can get a breakdown of what exactly is included and some functionality information.

Final note from me... have you taken the SSE maturity assessment? It's worth a go :)

Note: Product expected to be generally available in October 2023 [1]


QUESTIONS TO ASK YOURSELF

Cisco may not be the answer to all your requirements, but at least reflecting on how you are assessing your capability is key.

Secure Firewall:

  1. Do you have true visibility of your potential risk profile? How are you tracking and managing risk?
  2. How are your users finding their access experience? Can you see the positive and negative impacts on productivity?
  3. Do you have a complicated remote working solution that is not application or service centric?
  4. Single pane of glass is almost impossible with so many available products and platforms. How are you gaining consistent visibility and remediation capability?
  5. Are your security analysts swamped in alerts and event notifications and don't know where to start or to prioritise?
  6. Do you know what to do and who to contact in the event of a breach? Are your playbooks well documented and tested?
  7. Are you finding it hard to find "great" Cyber Security skills? What are you doing to combat this?
  8. Are you running a Cisco firewall today? Have you upgraded to 7.2.4?

XDR:

  1. How many of your existing investments can your XDR platform leverage?
  2. Is your XDR platform compatible with your solutions, regardless of vendor?
  3. Does your XDR currently have out-of-the-box integrations with other platforms?
  4. What kind of threats does your current solution help detect? Does it map alerts to the MITRE ATT&CK framework?
  5. How does your current solution provide visibility across all your environments (endpoints, devices, network)?
  6. How does your current solution deliver insights? Does your solution provide prioritized telemetry?
  7. How does your current solution prioritise threats based on business impact and risk?
  8. What type of threat intelligence is currently feeding your detection? Where does that intelligence come from?
  9. What response actions does your current product provide?
  10. How does your current solution accelerate remediation?
  11. From threat alert to remediation, what’s the response time (ex: for a phishing attack)?
  12. How does your current solution integrate with existing security technologies such as SOAR and SIEM solutions?
  13. Can you currently use XDR to understand the impact of a threat, discover the scope of the breach, and take single-click actions from one interface?
  14. When working with third-party integrations, do vendors’ API changes break your automation scripts today?

Secure Access:

  1. How are you delivering access to your services? Does it accommodate private apps, cloud, SaaS, etc.?
  2. How intuitive is the access method? Do users have to make a choice?
  3. Do you understand and have the metrics to show the user experience being delivered?
  4. How are you providing secure access for OT and IoT?
  5. Can you manage this from a centralised policy?
  6. Have you taken an SSE maturity assessment?
  7. What level of experience data do you have access to?


REFERENCES

[1] Cisco Shows Breakthrough Innovation Towards AI-First Security Cloud

[2] Cisco Unveils New Solution to Rapidly Detect Advanced Cyber Threats and Automate Response

Kyle Davies Thank you for the write-up Kyle... a very comprehensive review of the days. I’ll be forwarding this to my team!

Sheena Petts

Cisco Cyber Security Partner Specialist UKI @ Cisco | New Business Development, Partnerships, Strategy

1 year

Thank you Kyle for being with us, joining us in our continued journey and taking the time to share your thoughts and views.
