Over the past few years Cisco has changed the face of its security business. What was once a struggling concern is now the fastest-growing part of Cisco. How did the company do this? Part of the rebirth of Cisco security can be traced to a change in focus, away from point products to a more data-driven model. Big data, analytics and machine learning have been hot topics in IT, and Cisco has gotten religion in this area and applied it masterfully to its security business.
Today, Cisco added to that when it announced its intent to acquire privately held Observable Networks. The St. Louis-based company provides dynamic network behavior monitoring to help security teams find anomalies that could indicate a breach. The product captures data and analyzes it to gain situational awareness of all users, devices and traffic, not only on a company’s network, but also out to the cloud, with support for both Amazon Web Services and Microsoft Azure.
Observable Networks gains its insights from cloud-native machine learning techniques that can model device behavior to identify internal and external threats. Cisco will use Observable to extend the value of its Stealthwatch solution into public clouds.
The acquisition by Cisco is well-timed, since security is going through a significant shift. The bad guys are getting smarter and are no longer trying to hack through state-of-the-art, next-generation firewalls. Instead, their energies are spent finding ways to attack users and devices through email, file sharing and other cloud services. An interesting factoid from my research has found that although 90% of security spend is focused at the perimeter, only 27% of breaches happen at that point. Security professionals need to completely rethink security and move away from the notion that more point products in more places is the right approach, particularly in an era when businesses are connecting IoT endpoints at an unprecedented rate.
Also, threat actors today are using advanced techniques such as automation and machine learning, and, as they say, the best way to fight fire is with fire. Businesses can no longer protect themselves trying to look at data and interpret it manually, particularly when data sets are incomplete. The only way to protect an organization from advanced threats is to gather end-to-end data and apply machine learning to find the anomalies, and that’s what Observable brings to Cisco.
For example, with AWS, security teams are blind because the traffic is in the cloud. Observable matches AWS-provided flow logs to Amazon service assets and uses the network metadata to perform endpoint modeling to monitor AWS assets. Once the baseline is understood, any deviation from that could indicate a breach, giving the security teams a starting point. Because the solution is cloud-native, it can be set up in literally minutes, with no capital expenditure investment.
On the internal network, Observable provides a free virtual appliance that collects endpoint data, which feeds the cloud service. As it does with AWS, Observable will map out the “normal” and then look for the abnormal. Consider an IoT device, such as a connected Coke machine. Normal behavior is likely to be something such as the machine talking to Coca-Cola once a day. If the machine were trying to suddenly access the point-of-sale network, that anomaly would be discovered and the remediation process started. This is a very basic example — more advanced threats require machine learning-based inferences — but the concept is the same.
Cisco has excelled in catching market transitions to gain share in the markets it plays in. The security industry is currently undergoing a significant shift from being point product-based to machine learning-centric, and Cisco is using its massive war chest to pick up security vendors that can augment its current strategy.