Cisco Innovation
Security Intelligence Operations (SIO)
Chris Young, SVP, Security & Government
Lee Jones, Principal Engineer, Security Applications
Technical Editors Day
May 24, 2012




1   © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
Timeline, 1990 to 2010:
• 1st Router Integrated Security
• NAC Pioneer
• 1st Switch Security Blade
• Reputation Pioneer
• Cybercriminals Capitalize on Disaster
• 1st Dual-Mode VPN Client
• SaaS Leader
• Identity Services Engine
• Launch SecureX Strategy

COLLABORATION, MOBILITY, CLOUD
THE NETWORK
SECURITY
THREAT LANDSCAPE

• Secure Unified Access: Enabling Endpoint Transformation
• Threat Defense: Protecting Network Edges
• Application Visibility & Control: Authorizing Content Usage
• Virtualization & Cloud: Securing Cloud Transition

Supporting layers:
• Threat Intelligence (Visibility)
• Contextual Policy Management
• Network (Enforcement)
• Services (TS, AS, Partner)
• Ecosystem (Partners & Providers)
• Compliance (GRC)

Detect Accurately, Protect Holistically, Adapt Continuously

SensorBase | Threat Operations Center | Dynamic Updates

SensorBase
• 75 TB data received per day
• 1.6M globally deployed devices
• 13B web requests
• 150M globally deployed endpoints
• 35% of worldwide email traffic

Threat Operations Center
• $100M spent in dynamic research and development
• 24x7x365 operations
• 600 engineers, technicians and researchers
• 40+ languages
• 80+ Ph.D.s, CCIEs, CISSPs, MCSEs

Dynamic Updates
• 3 to 5 minute updates
• 5,500+ IPS signatures produced
• 70 publications produced
• 200 parameters tracked
• 8M rules per day

Spam with Malicious Attachment | Malware Distributing Site | Directed Attack
(SensorBase | Threat Operations Center | Dynamic Updates)

Timeline: 9:25am, 9:45am, 10:30am
• Competitors: Content Only
• Cisco SIO: Content + Context

SIO
• Content Security (WSA/ESA)
• Network Security (IPS/ASA)
• Phishing Email, Users

Internal & 3rd Party Feeds
• Best of the threat intelligence ecosystem:
   • Visibility into criminal networks
   • Leading AV Scanners
   • ISPs, Hosting Providers, Registrars, etc.

Haiti Spear Phishing: the same infrastructure was used for other attacks.

Depth of SensorBase
• Visibility into the widest threat telemetry database in the industry
   • Sensors in network security infrastructure and endpoints
   • History of domain registration
   • Information across web, email and IPS/ASA

Haiti Spear Phishing: spike in spear phishing volume and malicious web traffic.

Reputation
• Determine risk of zero-day threats through a web of connections
• Global data correlation across:
   • Source IP
   • Hosts
   • Registrars and more

Haiti Spear Phishing: reputation filters tripped early, preventing the mutating threat from gaining traction.

Change is constant: Signatures, Domains, Hosts, Registrars, Content
Blended attacks: Multiple vectors, Sophisticated, Persistent, Evolving

Block at the connection level with content and context, no matter when an attack comes in or through which avenue.

SensorBase | Threat Operations Center | Dynamic Updates

File structure: Header, Body of Objects, Cross-Ref Table, Trailer.
AV scanners scan the file. Based on industry-leading signatures, it is a clean file.

After inspection we find:
• Security Feeds
• Geolocation
• Registrant Info
• Registrar
• Traffic Volume and Age
• Sensor Info
