Brad Boston Talks Network Security

Cisco CIO says his peers face growing challenges to deploy and manage effective and affordable security

April 28, 2004

Brad Boston should know what CIOs are thinking about. After all, he is one. As Cisco Systems' chief information officer, Boston oversees the corporate network and information systems for one of the highest profile technology companies in the world. As part of his duties, Boston dedicates a quarter of his time to meeting with other CIOs, sharing his insights about best networking practices and listening to their concerns to help Cisco better understand its customers' needs. And top of mind for CIOs these days is network security. CIOs are staying awake at night worrying about how to counter growing security threats while developing manageable defense systems.

News@Cisco recently asked Boston about current networking security challenges and how CIOs are responding to them. Boston will also be sharing his understanding of network security at the second annual Information Technology Security Conference, presented by Cisco in partnership with The California State University and The University of California, held at the San Francisco Hyatt Regency April 27-30.

What are the biggest networking security issues CIOs face these days?

Brad Boston: The first concern for CIOs is that security threats are constantly changing. It's hard enough to set up good protection against one type of threat, but now there's always something new just around the corner. So even a conscientious CIO can never rest. They can't simply install some security measures and then relax thinking that everything will be fine. It's like the flu. You can inoculate yourself against one strain but another one is sure to come along. In addition to that issue, CIOs and network administrators now have much less time to respond to a threat. As we've seen, the new breed of viruses and worms can burn through a network in a matter of minutes, spreading across the world in hours. Since they are moving at computer speed, it is very ineffectual to try to stop them manually. CIOs need an automated way to react to and isolate threats so they can halt them before they spread too far. Because of these challenges, the cost of security is rising faster than the costs associated with the damage created by security breaches. Whole-scale manual intervention is becoming untenable. Remediation of a virus attack is requiring more and more man-hours since these software programs can do so much damage in such a short time. Also, many popular security requirements, such as patching upgrades, are happening constantly and consuming much of the resources of IT departments, drawing them away from developing new applications and productivity-enhancing processes. To compound the difficulty of dealing with these challenges, CIOs are having a hard time finding quality security professionals, since the skill is relatively new and the demand for such people has really spiked recently.

How are CIOs and their companies responding to the new security threats?

Brad Boston: I'm finding a wide range of readiness among companies. On the positive end of things, there are companies that are very proactive and doing everything in their power, both in terms of deploying technology and establishing rigorous policies, to fend off attacks. At the other end of the spectrum, there are companies, some rather large with plenty of resources, that are not prepared at all and don't know where to start. These companies are even getting hit by year-old viruses, which definitely is something that should not be happening.

In terms of technology, what kind of help are they telling you they would like?

Brad Boston: CIOs are definitely expressing an urgency for new tools. As I mentioned before, they have to devote incredible effort into maintaining good network security, which is pulling them away from the tasks of creating a better network to increase productivity, lower costs, etc. So any tool that reduces the overhead of maintaining security is welcome. One of the themes we are hearing quite often is that CIOs would like the security tools they now have, as well as any new tools, to work together better. They view such integration as a great way to lower their overhead, since instead of managing, say, five different devices independently, they can manage all five through one console. Also, by having management centralized, that will help them use their tools in unison for more cohesive protection. A threat defense system, for example, can alert a quarantining system about isolating some suspicious activity.

What tools is Cisco developing to help CIOs address their current security challenges?

Brad Boston: As we have publicized widely, Cisco has undertaken the Self-Defending Network security strategy, which aims to address the same concerns we hear from CIOs. The Self-Defending Network will help customers identify, prevent and adapt to security threats. First of all, we're developing new tools to not only improve security but also greatly reduce costs associated with networking systems security. Secondly, we are designing these tools to work together to further reduce costs and improve security. Some examples of steps we are taking include our recent announcement to acquire Riverhead Networks, which has developed excellent technology for protecting against distributed denial of service (DDoS) attacks. We have also deployed the Cisco Security Agent, which can protect against known and unknown attacks. By looking for the behavior patterns common in viruses, the Cisco Security Agent can proactively detect and stop new viruses as well as manual attacks. This will help buy CIOs more time to deploy anti-virus software updates and operating system patches. Finally, and most significantly, Cisco has launched the Network Admission Control (NAC) program, one of the first formal stages of Cisco's Self-Defending Network. Working with anti-virus vendors, including Symantec, Network Associates, and Trend Micro, NAC will let network administrators detect the security state of a computer connecting to the network. The administrator can set policies, for example, that only allow computers with up-to-date anti-virus protection and OS patches to connect. If a device doesn't meet security policy parameters, NAC can restrict its access until it meets the policy requirements.

What advice do you have for CIOs as they plan for network security?

Brad Boston: First, you can never assume your network is perfectly secure. With that pragmatic approach in mind, you need to create multiple lines of defense and have a containment program in place so that when, not if, something breaks your network's defenses, you can control it as quickly as possible and limit damage. Though current threats are bad enough, CIOs must expect that attacks are only going to get worse as hackers become more sophisticated, networks become more interconnected, and technology becomes more powerful.
