Cisco’s Security Operations Centre in Krakow is on the front line in the fight against security breaches. Security Advisor Middle East toured the facility for an overview of how the services work and an insider look at some of the latest threats.
The Cisco Security Operations Center (SOC) in Krakow provides a broad range of managed security services for organisations operating on a global and regional scale in vertical markets such as finance, insurance, retail, healthcare, education and consulting. These services range from security device monitoring and management to comprehensive threat analytics and hosted security. The SOC in Krakow is one of three Security Operations Centres worldwide. The other two are located in the United States and Japan.
This structure enables Cisco to provide a 24×7 service for customers, regardless of their time zone, in a ‘follow the sun’ model. This means that as one SOC comes to the end of its working day, another SOC comes online to provide customers an uninterrupted service.
“The role of the SOC is to enable our customers to address cyber threats. The Krakow SOC operates the Cisco Active Threat Analytics (ATA) managed security service. It rapidly detects and responds to security threats by analysing customer network traffic, evaluating security telemetry and overlaying global intelligence received from Cisco’s Talos Security Intelligence and Research Group,” said Adam Philpott, Director of EMEAR, Cyber Security, Cisco.
The SOC engineers provide both expert cyber threat monitoring and remote operations for security devices. Most organisations do not have the methodology or budgets needed to build, staff, and maintain sophisticated threat-monitoring and defense capabilities. This is where services like the ones offered by Cisco SOC come into play.
The Cisco ATA service is also a ‘threat hunting’ service. It uses the network as a sensor to hunt down threats. It is constantly analysing what is happening on the network to spot anomalies. For example, if a server suddenly becomes four times more active than usual it could be a cybercriminal stealing data.
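As an added illustration of the ‘network as a sensor’ heuristic above (example code, not Cisco’s or the SOC’s own tooling): a per-host volume baseline that flags a server whose latest hour of outbound traffic is several times its usual level, run over constructed telemetry. Host names, byte counts and the hourly window are assumptions for the example.

```python
from collections import defaultdict
from statistics import median

SPIKE_RATIO = 4.0   # the article's heuristic: four times the usual activity
MIN_HISTORY = 6     # hourly samples a host needs before it gets a baseline

# Constructed sample telemetry, (host, hour_index, bytes_out); not real data.
FLOWS = (
    [("web-01", h, 10_000_000 + (h % 3) * 500_000) for h in range(24)]
    + [("db-02", h, 2_000_000 + (h % 2) * 100_000) for h in range(23)]
    + [("db-02", 23, 9_500_000),     # constructed spike: 4.75x db-02's median
       ("new-07", 23, 50_000_000)]   # first sighting of a host: no baseline yet
)

def evaluate(flows, ratio=SPIKE_RATIO, min_history=MIN_HISTORY):
    """Compare each host's latest hour against the median of its earlier hours.

    Returns {host: (status, latest_bytes, baseline_or_None)} where status is
    'spike', 'normal' or 'insufficient_history'. A median baseline is used so
    that one earlier outlier does not drag the 'usual' level up or down, and a
    host without enough history is reported separately rather than alerted on.
    """
    by_host = defaultdict(list)
    for host, hour, nbytes in flows:
        by_host[host].append((hour, nbytes))
    results = {}
    for host, samples in by_host.items():
        samples.sort()                       # order samples by hour
        *earlier, (_, latest) = samples
        if len(earlier) < min_history:
            results[host] = ("insufficient_history", latest, None)
            continue
        baseline = median(n for _, n in earlier)
        status = "spike" if latest >= ratio * baseline else "normal"
        results[host] = (status, latest, baseline)
    return results

def spikes(flows, **kw):
    """Hosts an analyst should look at first, largest ratio first."""
    res = evaluate(flows, **kw)
    hits = [(h, lat / base) for h, (s, lat, base) in res.items() if s == "spike"]
    return sorted(hits, key=lambda x: -x[1])

if __name__ == "__main__":
    for host, (status, latest, base) in evaluate(FLOWS).items():
        print(f"{host:8} {status:22} latest={latest:>12,} baseline={base}")
    print("triage order:", spikes(FLOWS))
```

In practice the baseline would be a per-host, per-hour-of-day profile rather than a single median, since nightly backups or batch jobs are legitimately ‘four times more active’ at fixed times.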
The challenge of false positives
Cybercriminals find safety in numbers. In other words, the more they can create things that could represent a threat, the harder they make it to find the threats that will do the real damage. To put this challenge in perspective, Cisco says the average large enterprise will experience 70,000 security events per week. Each of these needs to be checked out by a human being to decide if it resulted in a genuine breach. Some of these events are called False Positives because they don’t constitute a real threat. One Cisco customer, for example, produced 5,000,000 security events in a year, but these only resulted in 500 confirmed breaches. The cost to an organisation of checking False Positives can be significant. The Ponemon Institute estimates that this costs on average $1.3 million per annum in time lost. By combining the threat intelligence from Talos with advanced network analytics, it becomes much easier for Cisco experts to distinguish a breach from a false positive.
Philpott says cybersecurity has now become a boardroom concern, and lack of security hinders the innovation potential of digitisation. “Organisations all over the world see digital transformation as a route to future success. However, according to a Cisco study, 71% of senior executives say cybersecurity risks and threats are hindering innovation in their organisation.”
The multiple trends that contribute to the barriers to innovation include highly motivated and organised cybercriminals, and an explosion in the size of the threat landscape resulting from technology trends such as IoT, mobility and the cloud.
Philpott says point products for every point of weakness, from an increasing number of vendors, are also creating a complex security environment that is harder and more costly to manage and more prone to produce points of weakness.
Because of all the issues that limit the ability to enable digital transformation securely, Cisco believes it is time to adopt a new, holistic model for cybersecurity.
Cisco’s goal is to create a ‘self-defending’ network that operates on the basis of a ‘see it once and protect it everywhere’ model. Cisco says its unique value is its visibility in the network on a global scale and its ability to tie it all together – people, process, data and technology. The extended network connects everything and is the only place that can see everything, including networks, data centres, virtual environments, the cloud, mobile devices and endpoints.
“If you can see everything then you have a chance of securing it. You cannot defend against that which you cannot see. The network is the only place that provides the visibility for leaders to take security, data protection and privacy decisions in the context of the needs of their core business. As a result, it is fair to say that the network is critical in providing a holistic response to cyber threats. It is also fair to say that Cisco – as the world’s largest networking company – has the best visibility of the threat landscape,” says Philpott.