Cisco IT Case Study
Intellectual Property Asset Protection
How Cisco Automates Protection of Intellectual Property
Alerts based on behavior and context analysis of user actions reduce risk of data loss.
EXECUTIVE SUMMARY
CHALLENGE
● Automate monitoring of intellectual property assets for improper access, storage, and distribution
● Obtain information to improve protection of data and intellectual property
SOLUTION
● Internally developed iCAM software to analyze behavior and generate alerts when defined rules are violated
● Context information provided by Cisco Identity Services Engine to better target behavior analysis
RESULTS
● 40+ billion files protected
● 60 percent of alerts generated without intervention by security experts
● Managers see details that help them educate users about risks
● Cisco gains information to improve protection of sensitive files, documents, and data
Challenge
Like any business, Cisco has a huge amount of intellectual
property such as customer information, financial data, product
source code, and development plans. If accessed by unauthorized
people, that intellectual property could be used to damage the
company’s operations and network security, revenues, competitive
advantage, customer relationships, and reputation.
We maintain a strong physical and network security infrastructure
to protect those assets, which are stored on systems in Cisco
facilities around the world. However, this infrastructure is largely
focused on stopping threats from external sources. We needed
capabilities to detect abnormal internal activity in order to identify
risky user behavior, whether intentional or not. Behaviors of
concern include:
● Transfers of highly sensitive files, documents, and data to an employee’s personal computer or mobile device, especially just before the employee leaves the company.
● Data transfers that are authorized, but sent over unencrypted channels.
● Distributing highly confidential documents to a large group of internal users or posting restricted data for open access.
● Storing confidential information on unsecured servers, file-sharing sites, or unauthorized cloud services.
● Allowing access to a virtual desktop session by an unauthorized person.
LESSONS LEARNED
● Educate managers about using alerts appropriately
● Define behavior rules carefully
● Plan for scalability
● Context is very important to help managers evaluate risks
NEXT STEPS
● Extend iCAM to monitor data in cloud services
● Support up to 10+ billion events per day
● Develop predictive analytics for proactive risk reduction
Although the Cisco® Computer Security Incident Response Team (CSIRT) was responsible for monitoring user
behavior risks, they needed an automated tool to keep up with the growing amount of data and activity.
Additionally, the increased use of cloud services for certain business applications and communications presents
another avenue for inadvertent file sharing or information disclosure.
Improved access monitoring had to align with Cisco’s policies for data protection and intellectual property access,
as well as regulatory requirements and the Cisco Code of Business Conduct.
© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public.
March 2015
Page 1 of 5
“It’s not practical to have only CSIRT monitor what data is at risk,” says Melvin Tu, manager and architect, Cisco
IT. “As our policies state, protecting Cisco’s intellectual property is the responsibility of every employee.”
Solution
Cisco IT developed the Intelligent Context and Content Aware Monitoring (iCAM) software to analyze abnormal
user behavior, generate alerts, and apply machine learning technologies to improve the monitoring over time
(see Figure 1).
Figure 1. iCAM Process for Analyzing Behavior and Context and Generating Alerts
To assess a user’s behavior, iCAM incorporates a Hadoop-based analytics tool. This tool combines event data
from an application or system with context information about the associated user, data, device, and network.
PRODUCT LIST
Servers - Unified Computing
● Cisco Unified Computing System
Security
● Cisco Identity Services Engine
The context is drawn from a mix of external and internal sources. For
example, the Cisco Identity Services Engine (Cisco ISE) provides critical
information about the device involved in an event, such as when a different
username is assigned to the device or when it does not have the operating
system version necessary for secure data storage.
The Cisco ISE and the iCAM software run on Cisco Unified Computing System™ (Cisco UCS®) servers, which
support the scalability necessary to monitor more intellectual property assets in more of our locations.
When a user violates a behavior rule, iCAM sends an alert to the user or the user’s manager, according to the
action defined in the rule. For users, the alerts provide education about potentially risky behavior. For managers,
the alerts present the information they need to appropriately manage employee activity. The manager can also
elevate high-risk alerts to the Cisco Computer Security Incident Response Team (CSIRT) for investigation.
“iCAM is designed on the principle of ‘trust but verify’ for detecting if someone abuses their access privileges,” says
Cheng Pan, program manager, Cisco IT. “The behavior and contextual analysis provides in clear language the
who, when, where, and how details that a manager can use to identify the corrective action that is needed.”
The in-depth alert information also helps us improve governance and methods for protecting Cisco’s proprietary,
confidential, and sensitive data.
However, there are times when a user’s behavior may be unusual, but in fact it is authorized. In this case, the
manager can provide feedback to adjust the behavior rules in iCAM to allow that activity, which means repeated
“false positive” alerts will not be issued in the future.
“The iCAM team works with development groups and data owners to define the behavior rules according to their
work practices and business needs,” says Tu. “This helps iCAM raise alerts only when we have a real problem.”
The business rules also reflect the requirements of Cisco’s corporate policies for classifying data and protecting
intellectual property.
Results
iCAM started as a security monitoring engine to protect source code for our research and development centers.
Today, iCAM also monitors Cisco’s global data centers to control access to and prevent leakage of many types of
confidential and proprietary information. Table 1 shows the current scope of iCAM monitoring activity.
Table 1. iCAM Activity Scope
Monitoring Activity
● 40+ billion files protected
● 3+ billion events collected from 14,000+ servers daily
● 700+ policy rules
Data Sources
● 130,000+ user profiles
● 200,000+ device profiles
● 200+ Cisco product profiles
Examples of Monitored Activities
● File sharing and transfers
● Searches on sensitive topics and keywords
● Accessing source code repositories and restricted databases
● File system scanning
For the alerts generated by iCAM, 60 percent are “zero touch,” meaning a risky behavior is detected without any
manual action by anyone in Cisco IT or CSIRT. This capability allows faster notification and resolution of improper
information access or file sharing.
By using the data, device, and network profiles, iCAM also detects abnormal events that are generated by a device
or application that is not associated with an individual Cisco user. This capability provides an added measure of
protection for our intellectual property assets.
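The event-plus-context rule evaluation described in the Solution section, the manager feedback that stops a repeated false positive, and the device-only events described above, worked through as one added Python example. This is illustrative code written for this page, not iCAM or any Cisco code: the context tables (standing in for what Cisco ISE, HR and a classification policy would supply), the rule names, the event fields, the severity logic and the routing of unattributed events to CSIRT are all assumptions, and the events are constructed.

```python
"""Context-aware behavior rules over constructed events (illustrative, not iCAM)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed context tables: hypothetical stand-ins for what ISE (device
# identity and posture), HR (reporting line, notice period) and a data
# classification policy would supply to the analytics engine.
USERS: Dict[str, dict] = {
    "alice": {"manager": "bob", "departing": False},
    "carol": {"manager": "bob", "departing": True},   # resignation on file
}
DEVICES: Dict[str, dict] = {
    "lt-001":  {"managed": True},    # corporate laptop
    "byod-77": {"managed": False},   # employee's personal device
    "srv-db9": {"managed": True},    # server with no associated human user
}
CLASSIFICATION: Dict[str, str] = {
    "roadmap.pptx": "highly_confidential",
    "orders.csv": "confidential",
    "readme.txt": "public",
}
UNENCRYPTED = {"http", "ftp", "smtp"}

@dataclass
class Rule:
    name: str
    matches: Callable[[dict], bool]
    notify: str  # "user", "manager" or "csirt" (csirt routing is an assumption)

@dataclass
class Alert:
    rule: str
    recipient: str
    severity: str
    detail: str  # the who / what / where / how a manager needs

def enrich(event: dict) -> dict:
    """Join the raw event with user, device and data context."""
    e = dict(event)
    e["user_ctx"] = USERS.get(event.get("user"), {})
    e["device_ctx"] = DEVICES.get(event.get("device"), {})
    e["classification"] = CLASSIFICATION.get(event.get("file"), "unknown")
    return e

def sensitive(e: dict) -> bool:
    return e["classification"] in {"confidential", "highly_confidential"}

RULES: List[Rule] = [
    Rule("sensitive-copy-to-unmanaged-device",
         lambda e: e["action"] == "copy" and sensitive(e)
         and not e["device_ctx"].get("managed", False), "manager"),
    Rule("authorized-transfer-unencrypted",
         lambda e: e["action"] == "transfer" and sensitive(e)
         and e.get("protocol") in UNENCRYPTED, "user"),
    Rule("restricted-data-open-access",
         lambda e: e["action"] == "share" and sensitive(e)
         and e.get("audience") == "everyone", "manager"),
    # Event with no associated user: only device and data context is available.
    Rule("unattributed-sensitive-access",
         lambda e: e.get("user") is None and sensitive(e), "csirt"),
]

# Manager feedback: (rule, user, file) triples judged routine and authorized,
# so the same activity does not raise the same alert again.
EXCEPTIONS = set()

def approve(rule: str, user: str, file: str) -> None:
    EXCEPTIONS.add((rule, user, file))

def recipient_for(rule: Rule, e: dict) -> str:
    if rule.notify == "user":
        return e["user"]
    if rule.notify == "manager":
        return e["user_ctx"].get("manager", "csirt")
    return "csirt"

def evaluate(event: dict) -> List[Alert]:
    e = enrich(event)
    alerts: List[Alert] = []
    for rule in RULES:
        if not rule.matches(e):
            continue
        if (rule.name, e.get("user"), e.get("file")) in EXCEPTIONS:
            continue
        # Context drives severity: a departing user handling sensitive data,
        # or highly confidential data anywhere, is treated as high risk.
        high = e["user_ctx"].get("departing", False) or e["classification"] == "highly_confidential"
        detail = (f"{e.get('user') or 'no user'} {e['action']} {e.get('file')} "
                  f"({e['classification']}) on {e.get('device')} via {e.get('protocol', 'n/a')}")
        alerts.append(Alert(rule.name, recipient_for(rule, e), "high" if high else "medium", detail))
    return alerts

# Constructed sample events (not real telemetry).
EVENTS = [
    {"user": "carol", "action": "copy", "file": "roadmap.pptx", "device": "byod-77", "protocol": "smb"},
    {"user": "alice", "action": "transfer", "file": "orders.csv", "device": "lt-001", "protocol": "ftp"},
    {"user": "alice", "action": "share", "file": "orders.csv", "device": "lt-001", "audience": "everyone"},
    {"user": None, "action": "read", "file": "orders.csv", "device": "srv-db9"},
    {"user": "alice", "action": "copy", "file": "readme.txt", "device": "byod-77"},
]

def run(events=EVENTS) -> List[Alert]:
    return [a for ev in events for a in evaluate(ev)]

if __name__ == "__main__":
    for a in run():
        print(f"[{a.severity}] {a.rule} -> {a.recipient}: {a.detail}")
```

Running the block on the five constructed events raises four alerts: the departing user's copy of a highly confidential file to a personal device goes to her manager as high severity, the FTP transfer goes to the user as an educational alert, the open share goes to the manager, and the server read with no user attached goes to CSIRT; the public file produces nothing. Calling approve() for the open-share case records the manager's decision, so the same (rule, user, file) combination is silent on the next run while every other rule still fires.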
The evolution of iCAM will bring additional benefits to Cisco. “As the machine learning capabilities in iCAM improve
the ability to detect risky behavior, we will be able to create predictive analytics for proactively monitoring and
detecting when an unauthorized action might occur,” says David Corsano, director, Cisco IT. “The ultimate goal
with iCAM is to predict and prevent a disclosure before it happens.”
Lessons Learned
We have learned several lessons from our experience in developing iCAM and expanding its deployment.
Educate managers. To be effective, managers need to respond to iCAM alerts promptly and appropriately. For
example, a user may unintentionally do something that violates policy and causes iCAM to issue an alert.
Managers can use the alert to help employees understand risky behavior or to identify needed changes in data
classifications or access authorization. The manager should also know how to forward alerts to the corporate
security department when a clear security threat is present.
Define behavior rules carefully. Understanding the risks and regulatory requirements of your business, as well as
the sensitivity of your information and potential user actions, will help create effective rules for monitoring user
behavior. Also identify behaviors that might be considered risky but in fact are routine and acceptable, such as
sharing certain types of order information with an authorized partner. This type of context information is important
in helping managers understand the actual risk present in an alert.
Plan for scalability. As we move toward the Internet of Everything, an asset protection solution will need to
monitor more information types, devices, and applications.
Next Steps
Because iCAM was designed to deliver protection monitoring as a service, it is very easy and cost effective for us
to use it with new applications or environments. Cisco IT plans to extend iCAM to monitor additional data and
document systems, with a particular focus on unstructured data in cloud services. We will also scale the iCAM
deployment to support analysis of as many as 10 billion events per day.
For More Information
Read about the Cisco Identity Services Engine and the Cisco Enterprise Policy Manager.
The Cisco Code of Business Conduct presents an overview of the practices that Cisco employees must follow for
protecting intellectual property.
To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.
To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.
Note
This publication describes how Cisco has benefited from the deployment of its own products. Many factors may
have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.
CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE.
Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply
to you.