Friday, February 4, 2011

The death of HIDS and HIPS vs. the smartest men in the network syndrome: Part Two

The previous post took the death of Cisco Security Agent as an example that the infosec industry is poised for some serious change. This post will attempt to shed some light on those changes, how they came about and what that means to the future of endpoint security.

I ended part one with a number of questions around Cisco, the death of CSA and the general direction of security. It would be fair to next focus on the many possible reasons CSA was canned. For starters, it was a bitch. It took me many years knee deep in CSA to eventually develop a solid, repeatable and efficient deployment methodology. Virtually every installation had massive administrative overhead on the front end, primarily due to the very high level of application behavior tuning, and typically a constant low to mid level administrative overhead to monitor, maintain and improve. It was an amazingly complex application itself, which, when implemented properly, worked like a champ. Implementing it properly, however, ended up being a huge challenge for both Cisco VARs and clients alike. And this challenge left many a Cisco customer with a fierce dislike of the product.

Some of the reasons there was such a large knowledge gap with both vendors and clients are pretty obvious in hindsight, and not at all limited to Cisco as an organization. The product came from an acquisition, and most Cisco Account Managers I encountered really did not know the extent of its capabilities and therefore how to sell it effectively. Cisco is a hardware company, and the software sale wasn't the norm at the time, especially for security software. The result was a number of companies hearing lofty sales pitches about the product, purchasing it and trying to implement it themselves with no real concept of how complex the application actually was, and never getting past any initial test or audit-mode pilots. On the VAR side, a similar lack of experience with the product was the typical cause of project failure. As with any policy-based application, you need to have the policies and standards in place before you can effectively and tactically enforce said policies. At least in a perfect world. In the real world, what percentage of all companies actually have well defined policies for such areas as data classification, role/responsibility/access or even application white and blacklists?

The resulting mayhem no doubt produced negative reviews, comments and opinions around the product, which most likely led directly to poor sales numbers - one of the reasons Cisco supposedly killed the product. But there was also a smaller population of clients and VARs who completely understood and loved the product and its capabilities in all of its complexity. It died nonetheless, and there was nothing on the market to replace all of the functionality CSA provided on an apples to apples basis, leaving many dedicated CSA customers with the daunting task of finding a number of individual tools to replace all that CSA had provided them.

Another probable reason Cisco dumped CSA was the increasing cost of developing a host client for an ever increasing number of platforms, especially now that tablets, pads and phones have become the next generation of corporate data access. Cisco was having trouble keeping up with and supporting Windows releases, let alone getting to the "supported" Linux and Solaris versions. Mac? Not a chance. Then the onslaught of mobile devices ensued with iPhones, BlackBerrys, iPads, Androids, etc., and the future indeed was dim for CSA support on all of these disparate systems. But the collective brain trust at Cisco felt they were prepared for this with a very strong, industry supported strategy - the cloud.

Why concentrate on protecting all of the various endpoint operating systems when you can, as the 800 pound network gorilla, move everyone into the cloud? It is the industry direction at this point in time. And once everyone is in the cloud, a large percentage of the malicious activities that HIPS is supposed to prevent can be addressed in transit, before they get to the endpoint. Cisco's Ironport reputation technology and SensorBase are perfect for that scenario and in fact do a spectacular job. And it should come as no surprise that after Cisco's acquisition of Ironport, Ironport founder and CEO Scott Weiss became VP of Cisco's Security Technology business unit, and the writing was on the wall for CSA.

So the theory was that CSA was being replaced with the Ironport technology for both cloud and in-transit intrusion prevention. And that indeed was the message occasionally coming out of Cisco when pressed. Which is an absolutely sound solution if everything is already in the cloud. Which clearly isn't the case. In fact, for all intents and purposes we are several years away from that suspected reality, which again means CSA die-hards have a tough road ahead of them. And when pressed further about this now major hole in host-based protection, clients were told that they could migrate to Trend AV. Really? Static AV signature protection and the inherent flaws of those systems were some of the primary reasons people wanted CSA in the first place.

Here is where I feel Cisco really sucker punched a dedicated client base with the following executive decisions, hence earning the title "Smartest Men in the Network":

  • Zero client communication on why CSA had been killed
  • Very little client communication on preparing for the death of CSA
  • No viable replacement path (Trend AV - whatever)
  • Not selling the technology to someone else (yeah, right)
  • Trying to convince people that the Ironport technology could replace CSA's functionality in transit

I will reiterate that I am a big fan of the Ironport tech and preach its effectiveness to my own clients. However, here is a short list of what it can't do, which CSA could, all in one application:
  • User/group access controls for file, registry and network resources
  • System state controls to determine and enforce policy (e.g. I am not connected to my corporate wireless SSID, I better enforce VPN connectivity back to my firewall)
  • Removable media controls to prevent data leakage and theft
  • "Long Tail" threat protection (I've posted on this before; read ReL1K's article here.)

To that last point, persistent attackers will find ways to subvert controls. A new and niche piece of malware launched from an IP address with a good reputation will likely get past reputation controls. And to be fair, it is not feasible to truly protect against that type of targeted and persistent threat.

So what does it all mean? My take is this. Cisco has the right idea for long term protection when everyone is using virtual desktops in the cloud. It makes a lot of sense given the growing number of mobile operating systems that need to be protected, but that's a long way off. Static signature based anti-X protections haven't been a relevant security solution since the 90s, yet they keep making money. And until the day comes when we are all logging into our cloud desktops, the host still needs to be protected from things we don't yet know about, and data loss via removable media and other sources still needs to be prevented. Which presents a big hill to climb for those who believe in the cause, and that hill is the development of host-based intrusion prevention solutions on many of these new mobile platforms. Despite those hurdles, HIPS is continuing to morph and improve. Bit9's Parity is a good example, performing whitelisting of applications. Instead of looking for bad behavior, Parity only allows known good things to occur, and it has rapidly become my choice for a CSA replacement. Regardless, HIDS/HIPS, at least in the traditional sense, aren't dead yet, but they look to be running a race that ends with a proverbial IT cliff.
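To make the "long tail" argument and the host-side controls listed above concrete, here is a toy policy evaluator added for this post (it is not CSA, Ironport, Parity or any vendor's code). It contrasts an in-transit reputation check with an application allowlist, a system-state rule (off the corporate SSID means VPN is mandatory) and a removable-media rule; every IP, score, hash, SSID and path in it is a constructed sample value.

```python
# Added example, not from the post or any vendor: a toy host policy evaluator
# contrasting an in-transit reputation check with host-side controls
# (application allowlisting, system-state rules, removable media).
# All IPs, scores, hashes, SSIDs and paths are constructed sample values.
import hashlib

REPUTATION = {"203.0.113.10": 0.95, "198.51.100.7": 0.05}  # src IP -> trust score
REPUTATION_THRESHOLD = 0.5
CORP_SSID = "CORP-WIFI"
REMOVABLE_MOUNTS = ("/media/usb", "E:\\")  # constructed removable media roots

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Allowlist of known-good executables, keyed by hash (the Parity-style model).
KNOWN_GOOD = {sha256_hex(b"corp-approved-tool-v1")}

def reputation_allows(src_ip: str) -> bool:
    """In-transit control: pass traffic from senders with a good reputation.
    A novel binary from a well-reputed IP sails straight through here."""
    return REPUTATION.get(src_ip, 0.0) >= REPUTATION_THRESHOLD

def host_policy_violations(event: dict) -> list:
    """Host control: return the names of every rule the event violates.
    event keys: binary (bytes), ssid, vpn_up, write_path (or None)."""
    violations = []
    # Rule 1: only known-good code may execute, regardless of where it came from.
    if sha256_hex(event["binary"]) not in KNOWN_GOOD:
        violations.append("unknown_executable")
    # Rule 2: off the corporate SSID, a VPN back to the firewall is mandatory.
    if event["ssid"] != CORP_SSID and not event["vpn_up"]:
        violations.append("vpn_required_off_corp_network")
    # Rule 3: no writes to removable media (data leakage / theft control).
    path = event.get("write_path")
    if path and path.startswith(REMOVABLE_MOUNTS):
        violations.append("removable_media_write")
    return violations

def decide(src_ip: str, event: dict) -> dict:
    """Compare the two layers for one event."""
    return {"reputation_allows": reputation_allows(src_ip),
            "host_allows": not host_policy_violations(event)}

if __name__ == "__main__":
    novel = {"binary": b"never-seen-before-dropper", "ssid": CORP_SSID,
             "vpn_up": False, "write_path": None}
    print(decide("203.0.113.10", novel))  # reputation passes it, host blocks it
```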