• COMPONENTS OF SIO
• DIFFERENT REPUTATION FILTERS
• HOW SIO IMPLEMENTED
• WHERE SIO INCORPORATED
Cisco SIO is composed of three
Cisco SensorBase™, a comprehensive threat database;
Threat Operations Center with 500 security analysts and
constant dynamic updates fed to Cisco security devices.
Sensor Base includes:
• More than 700,000 (and growing) globally deployed Cisco intrusion
prevention system (IPS), email security, web security, firewall devices
• Cisco IntelliShield, a historical threat database of 40,000 vulnerabilities
and 3300 tuned IPS signatures
• More than 600 third-party threat intelligence sources, which track over
500 thirdparty data feeds and 100 security news feeds around the clock
More than 1000 threat collection servers process 500 GB of data a day.
The Cisco Threat Operations Center processes this global, real-time threat
intelligence and incorporates it into the security services available on Cisco
Email Reputation Filtering
• Cisco email security appliances retrieve reputation information in real time, as
incoming messages arrive.
• These Cisco devices query DNS text records in SensorBase and retrieve a
reputation score associated with the IP address of the sending server.
•The score can range from –10.0 for the worst email senders to +10.0 for the best.
The reputation score is based on more than 200 aggregated and weighted
Email Reputation Filtering
• Cisco email security appliances reject email from servers with low
scores (below –3.0.) and rate-limit senders that have medium to low
• They can also white-list high reputation senders, such as IP
addresses with +9.0 scores from Fortune 1000 organizations.
• Because spam is so prevalent, most of our customers report that our
default settings block more than 90 percent of incoming message
Web Reputation Filtering
• Cisco web security appliances connect to Cisco SIO every five minutes for
database updates. These rulesets contain lists of compromised web hosts as well
as information about infected URLs and pages.
• Rapid, granular scanning of each object on a requested webpage, rather than just
URLs and initial HTML requests, significantly reduces the chance of infection.
• The appliances dynamically calculate the risk of each web request and response
using reputation data to block high-risk transactions and safeguard users from
attacks such as IFrame and cross-site scripting.
•Web reputation filtering is used in conjunction with signature and behavior-based
scanners to provide much faster and stronger multi-layered web protection.
IPS Reputation Filtering
• Cisco intrusion prevention systems connect to Cisco SIO every 30 minutes and
retrieve updated reputation data based on parameters such as whether the IP
address is a Dynamic Host Configuration Protocol (DHCP) address, whether the IP
address has a Domain Name System (DNS) entry, and how often that information
• For example, the IPS sensor may detect an event that is often but not always
associated with malicious activity. Without Global Correlation, the sensor will send
an alert about the activity, but no action is taken on the network traffic.
• With Global Correlation, however, the sensor can access a wealth of historical
data on the source of the traffic. If the reputation is low, the sensor can take direct
action and thwart the potential attack without the risk of blocking valid traffic.
• The sensor can also use reputation data to pre-filter traffic from sources with
extremely low reputations, saving processing power for additional inspection
Layer 4 Traffic Monitor
• Cisco Web Security Appliances include a Layer 4 Traffic Monitor, in addition to web reputation
filters and multiple malware scanning engines, which detect website malware activity.
• It scans all ports at wire speed, detecting and blocking spyware phone-home activity. By
tracking all 65,535 network ports at the network data center, the Layer 4 Traffic Monitor
effectively stops malware that attempts to proliferate through the network.
• In addition, the Layer 4 Traffic Monitor can dynamically add IP addresses of known malware
domains to its list of ports and IP addresses to detect and block.
• Using this dynamic discovery capability, the Layer 4 Traffic Monitor can monitor the movement
of malware in real time—even as the malware host tries to avoid detection by migrating from
one IP address to another.
• Cisco SIO produces reputation scores for various traffic sources (networks) and
then downloads the scores to Cisco IPS sensors that have been configured to
receive them. These scores form the basis of the Cisco IPS Global Correlation
Thus, bad traffic denied by a Cisco IPS sensor falls into three categories:
• Global Correlation Reputation Filtering: Based on reputation alone. Flow is not
passed to the traditional inspection engines.
• Global Correlation Inspection: Based on a combination of traditional inspection
and network reputation information. The risk rating mechanism combines the two
• Traditional IPS Detection: Based on traditional inspection techniques, including
protocol decoding engines, signature based inspection, and anomaly detection via
statistical analysis of network traffic. In this case, network reputation information for
the traffic flow is not available or does not have an effect on the flow.
•Rather than collecting data from network security devices, Sensor Base also collect
raw data from 600 third party news and data feeds, this collected information are like
DNS registry information, global public blacklist/white list etc.
Threat Operations Center
• The operations arm of Cisco SIO is a combination of people and automated
algorithms that process Cisco Sensor Base data in real time. These teams create
machine generated and manually generated rules for protection against new and
•creating 95% of rules that Cisco’s network security devices use. Rules are
published to Cisco products in form of automated rules and signatures, also these
rules are published to customers through alerts and bulletin.
Threat Operation Center is consist of :
• Applied Security Research (ASR): ASR’s main work is to look for vulnerability in
key technology area and provide threat indication and analysis to the customers.
• Cisco IPS Signature team: Its main work is to research on exploits and writing
vulnerability signatures for IPS products.
Threat Operations Center
• Cisco IronPort Email and Web Threat Research Teams: Provide the latest
protection for SMTP and Web-based attacks.
• Cisco Malware Research Lab: A centralized malware lab focused on researching
the latest malicious activity.
• Intrusion Protection Signature Team: Researches and develops vulnerability and
exploit-specific signatures that are used by IPS product lines.
• Cisco Product Security Incident Response Team (PSIRT): Evaluates and works
across Cisco to mitigate vulnerabilities reported in Cisco products.
•Strategic Assessment Technology Team (STAT): Advanced, area-specific security
research and product vulnerability testing.
Threat Operations Center
• Infrastructure Security Research & Development (ISRD): A research-oriented,
business enablement function that maintains strong expertise in the area of security
and creates security solutions for customers engaged in emerging industries and
• Remote Management Services (RMS): Provides 24x7x365 remote monitoring and
management of Cisco security devices that are deployed on your network.
•IntelliShield Security Analysts: Collect, research, and provide information about
security events that have the potential for widespread impact on customer networks,
applications, and devices.
Cisco SIO’s dynamic updates deliver current and complete security information to
Cisco customers and devices.
Threat mitigation data is provided through:
• Automatic rule updates for Cisco products, such as firewall, web, IPS, or email
devices delivered every 3 to 5 minutes
• Cisco IntelliShield Alert Manager Service
• Security best-practice recommendations and community outreach services
• It is a communication hub responsible for streaming updates to Cisco devices
and customers. There are two major part involved in Dynamic update,
• one is to generate real time updates which are automatically delivered to security
•other is to helping customers to track and analyse threat to improve their overall
Examples of the other forms of Cisco security intelligence include:
• Cisco IntelliShield Alerts, including Malicious Code Alerts, Security Activity
Bulletins, Security Issue Alerts, Threat Outbreak Alerts, and Geopolitical
• Cisco Annual Security Reports
• Cisco PSIRT Security Advisories and Security Responses
• Applied Mitigation Bulletins
• Cyber Risk Reports
• Security Intelligence Best Practices
• Service Provider Security Best Practices
• Cisco IPS Active Update Bulletins
• IntelliShield Event Responses
• Annual Security Report
• Cisco IronPort Virus Outbreak Reports
Advanced Cisco SIO protection is available on the following Cisco
• Cisco IronPort EmailSecurity Appliances, Hosted Email Security, and Hybrid
Hosted Email Security
• Cisco IronPortWebSecurity Appliances
• Cisco IntrusionPreventionSystems
• Cisco IntegratedServices Modules
• Cisco IntelliShieldAlertServices
These devices and hosted services are licensed with one or more security
filters that are powered by Cisco SIO, including:
• Cisco IronPortVirusOutbreak Filters
• Cisco IronPortAnti-Spam
• Cisco IronPort EmailReputation Filters
• Cisco IronPortWebReputation Filters
• Cisco IPS Reputation and Signature Filters
• Cisco FirewallBotnet Traffic Filters