Join us for the Discussion June 14 at 2pm EDT

Good Governance Deserves Good Security



Join John N. Stewart, Vice President and Chief Security Officer at Cisco, for a candid and interactive audio Q&A on IT security. As he answers questions, Stewart will draw on his experiences in corporate America and share how these experiences can translate into better security, improved return on investment, and reduced costs for the Federal Government. Find out what keeps Stewart awake at night and learn which practices he believes are essential to enterprise and government security.

Balancing the needs for protection and access is a difficult task. How can the intelligence in network resources arm government with better tactics, tools, and technologies to keep cyber criminals at bay? Establishing an integrated business security strategy and having specific solutions for critical infrastructure assurance point the way.

Log on for “Good Governance Deserves Good Security” with Cisco VP and CSO John N. Stewart, the next in a series of Conversations with Cisco, June 14 at 2pm EDT.

Next Viewpoint:
Speaker: Don Weiner, Cisco Consulting System Engineer
Date: Thursday, June 28th at 2 PM Eastern
Title: Secure Collaboration - Communicate Confidently and Effectively with Cisco Unified Communications

washingtonpost.com: Welcome to the Third Part of The Conversations with Cisco. Today we have with us John Stewart, Vice President and Chief Security Officer, for a candid conversation on IT Security. Welcome John.

John N. Stewart, Cisco: Thank you, I'm glad to be here.

_______________________

Washington, D.C.: What are the benefits for industries in partnering with the public sector?

John N. Stewart, Cisco: Public-private partnerships are valuable in a number of ways. They help companies gain insights into the unique security needs of the public sector. As you can imagine, the use of security technology in nuclear power plants is very different than the use of technology on a financial floor in New York. Partnerships also help companies discover ways of adapting their own technologies to meet public infrastructure needs and, hence, open new lines of business.

_______________________

Raleigh, N.C.: What approach should organizations take when planning for security?

John N. Stewart, Cisco: First, don't put off planning for security, because it's not worth the risk to wait until next quarter or the one after that. More companies are treating security as a risk category, asking how much do I have at risk, how much do I want to counter that risk, how much risk do I want to take? There is no one default answer, because it is situational.

A philosophy at Cisco is to plan for something going wrong, and then work hard to make sure it doesn't. Because inevitably, at some point, it will. Many companies have learned to be prepared to respond to threats, and not avoid them. This is absolutely the crux of crisis management—to relate back to the plan for a crisis once you're in it.

_______________________

Boston, Mass.: How does security influence business strategy?

John N. Stewart, Cisco: At Cisco, we take a holistic approach, so that security becomes engrained in the culture. I talk with many of my colleagues and we discuss our roadmaps. The roadmaps may differ, where an area of risk for one of my peers will be different from mine or the next person's. But the fact that we are marching steadily down our path, handling certain risks in a certain time frame, shows that we incrementally demonstrate the progress of mitigating the risk. This is invaluable. I hope we are getting to the point where security is becoming a natural part of our culture.

_______________________

Arlington, VA: What do you think of data leak protection tools that are popping up everywhere to make sure sensitive data doesn't leave your enterprise?

John N. Stewart, Cisco: We've got a variety of issues around unstructured data leakage. It is a nascent and important market. I've watched this space for a while because, in the data center, for example, if you know that a structured set of data is supposed to leave, it is a great place to set a perimeter and protect. Similarly... Connections between companies where you have a vehicle by which you feel confident what data is supposed to go between you and a partner, are a great place to determine it is only that data going between them.

Unstructured data is the single biggest risk to companies, bar none, and it's because it leaves in unorthodox ways. It leaves on USB keys, PDAs, iPods, CD writers, in electronic mails where you accidentally type the first couple of letters and then, oops, it gets sent off to the wrong place.

_______________________

Arlington, VA: And the solution to it is still to be determined?

John N. Stewart, Cisco: It's still to be determined and different companies can approach it different ways. One company might go back to the mainframe era where all data is in a controlled environment. Another company will look at it and say that data needs to be moved and manipulated, and assert that only the data can move in certain criteria.

_______________________

Boston, Mass.: You said things have gotten quiet on the security threat front, and that’s a bad thing?

John N. Stewart, Cisco: The world has wrapped around its head the idea that just because there is no news, life is good. In fact, it's ironic because in a sense it was good that threats used to be a mainstream topic. It brought attention and reminded everybody that it is a considerable issue. But now, botnets are off the charts, and low and slow is the attacker's approach. Not trying to generate massive amounts of spam, massive amounts of control chain that would be signaled, means that you've got a whole new layer of aggression.

_______________________

Boston, Mass.: You're talking about targeted attacks that go below the radar?

John N. Stewart, Cisco: Targeted or untargeted, but below the radars. One is just obvious, clearly aimed at one organization. The other one is just as deadly. It is the very slow, quiet one, where the infection vector probably still is traditional, but not causing a computer to display any ill characteristics immediately. It'll go quiescent for a given period of time, it will just quietly send information out, as opposed to spiking the CPU, ripping the hard drive as fast as possible and propagating as fast as possible. That's because the intent is not to be found, the intent is to get the information, but avoid detection. Frankly, the sophistication is getting significant.

_______________________

Boston, Mass.: That's what the pundits say. Consumers are hit by botnets, but businesses are targeted by attacks aimed at stealing trade secrets. Is that true? Are bots not a problem at Cisco?

John N. Stewart, Cisco: We've got the same problem consumers have, but we've got signaling mechanisms that can pick up control channels faster than any consumer network can. We've also got a network that will protect us, versus the free and open Internet. Corporations have a dedicated team. We've got IT professionals.

_______________________

Atlanta, GA: So, you don't have a botnet problem inside Cisco?

John N. Stewart, Cisco: That's a leap I don't want to take. It is a manageable one. If a bot picks up, typically we will see it. It doesn't mean we will never get a bot, it just means that we will pick it up fast and we will shut it off. That's different in the consumer space.

_______________________

Atlanta, GA: If the botnets are under control, what things are worrying you? These targeted attacks? How do you deal with those, or do you find out when it's too late?

John N. Stewart, Cisco: At the moment, I'd say that there aren't enough ways to see this type of attack. The security industry has mostly given us a number of abilities to pinpoint problems, but not a correlation between them all. If you can get collaboration between disparate types of systems, then you will see the problems faster.

What also doesn't let me sleep very well is changing targets. Operating system vendors have always been the target. They are getting better and, as a result, the attackers are going after the application space. Applications are where the data is, where it's being stored, where it's being downloaded, where it's unstructured.

_______________________

San Diego, Calif.: Are security threats getting worse, and if so, what are you most concerned about?

John N. Stewart, Cisco: Attacks are getting more sophisticated. We grew used to the idea that a virus or worm was the metric of how good or bad our information security was. That was the old age of 'how fast can I write a virus that spreads, doesn't do any material damage, per se, but gets out there and is reported in the newspaper.' These were not necessarily fatal—they were designed to be seen. And it worked, because virus and worm threats got everyone's attention.

Today, we have moved into an era where stealth and target attacks are the greater problem. It's a focused adversary in electronic espionage and insider threats. These aren't new, but they are taking a different form. We are seeing targeted attacks directed at particular companies, almost tailored to their infrastructure, designed for their people or processes—and it is happening because so much about that company is public. These attacks are designed to infect and stay quietly under the radar, then at some given time, take valuable information out of a company. There is far more malicious intent than what we have dealt with in the past.

_______________________

Houston, Tex.: Are you worried about all these zero-day flaws in Office applications?

John N. Stewart, Cisco: I worry about that. I would worry about all the other third-party software that's bundled when you buy a computer. PDF flaws, the instant-messaging worms. This is an order of magnitude more complex than dealing with operating system flaws. There is also an infrastructure side of this problem, all the Web developers that have thrown application after application on the Web storing your data.

_______________________

Arlington, VA: What security practices do you recommend for enterprises, and why are these important?

John N. Stewart, Cisco: I believe that every security program has to start with awareness and education. You have to start by training people. Especially with cyber security, it is a constant learning process. You have to be ready for business changes from a security standpoint. For example, there are more people requiring remote access than ever before, which means you have to take the right steps to protect your organization. It is vital that organizations improve education and make their teams aware of new security issues and risks.

At Cisco, we talk about what happens, about real-life scenarios, how we protect information that is sensitive, and then review what's happened in the last 90 days and 180 days. Every Friday morning, more than 30 executives at Cisco get a voicemail briefing about what happened in the last seven days—it lets everyone know if there is an area of concern that we need to address. Executives become the biggest advocates in making sure that we do whatever is necessary to fine tune our best practices. It is something they embrace. It is also important to make security a top priority for all employees in the organization.

_______________________

Washington, D.C.: Is your job ever going to change from being the fireman and putting out fires to building fire hydrants or sprinkler systems to prevent fires from occurring?

John N. Stewart, Cisco: I think it already has. We're still putting out fires, but three years ago where you never knew what was going to happen next, I was fighting the stomp and crush of finding the latest infected computer, finding whatever idiot did it, and shutting it down. That's firefighting; that's not my problem today.

Now I'm getting the sophisticated fires, not flash fires, not forest fires. I'm dealing with the sparkles, the ones that are designed to get at very sensitive data, and I'm not handling the massive outbreak, and I'm not even worried about the massive outbreak. So I don't feel like a firefighter.

_______________________

Seattle, Wash.: Do you believe in things like whitelisting or blacklisting applications on desktops?

John N. Stewart, Cisco: To me, whitelisting is more important than blacklisting. Whitelisting is where you have a confidence factor, not wholeheartedly, that the application is safe, but that you have a reasonable assertion that it was installed by somebody or something that is known, and that it came from a known vendor you look to if there is any issue.

Blacklisting, on the other hand, automatically shuns an application that subsequently never recovers from blacklisting. And I'd rather focus on an unknown application that is an anomaly--it can still be good, it can still be bad, but we scrutinize it differently.

_______________________

Seattle, Wash.: Do you use any whitelisting tools or blacklisting tools?

John N. Stewart, Cisco: In some respects, Cisco Security Agent is a little bit like a whitelisting tool. It says that there are a certain number of actions and a certain number of applications that have received those actions that are allowed.

_______________________

Washington, D.C.: If you could have one wish granted in terms of the security space and work that you do, what wish would that be?

John N. Stewart, Cisco: I would love to have an open standard, universally adopted data tagging mechanism. That mechanism could assert criteria about data as it's moving. Once that's done, every signaling system can look for those tags and you would know if data is in the wrong spot, you know how it is moving and you can redirect the data if it is going to the wrong place. You could, for example, assert on an endpoint that it can't get the data it's trying to get. You could have networks actually watch data in flight and watch not so much that data's contents, but its classification.

_______________________

Washington, D.C.: Does any of that exist at all?

John N. Stewart, Cisco: At a very basic level. The Microsoft team, the Adobe team, the Open Office guys, they've all worked at ideas, but they still haven't managed to make basic parts of this actually an open standard.

_______________________

washingtonpost.com: What are some of the most critical threats that you see facing the nation/companies today and in the future?

John N. Stewart, Cisco: The primary threats of today are in some ways no different than they were before. As an industry, we just haven’t spent enough time on those that can be the most damaging, such as trusted insiders. One would hope that everyone is trustworthy and does the right thing. But, in truth, either accidentally or intentionally, a trusted insider can directly affect the safety of an organization with access to its information and systems. As we focused on viruses and worms and the like, this industry simply could not pay as close attention to the trusted insider. But it’s absolutely a key consideration in today’s information security age.

This threat is getting exacerbated by the fact that technology is moving so quickly and changing so much. Because of complexity and by the amount of change, it’s getting easier to make a mistake. The classic example is the mail client that tries to assist you as you type those first couple of characters, targeted at who you think you want to send it to, and it ends up sending the e-mail to the wrong person.

An evolving threat that will continue into the future is a result of our becoming such a mobile society. More and more, we are carrying and storing our business and private information on PDAs, cell phones and other heavily connected mobile devices. And while it’s no different than say, laptops are — it’s just a smaller form factor — it is where we are starting to see viruses and the equivalent of spam and attacks against those infrastructures.

I expect we’ll also see a continuing maturation of threats that do not present themselves obviously. The viruses and worms of yesterday were “flash-in-the-pan,” how fast can they spread, and very visible. What we now know is that there are threats directed at companies that are quietly trying to infiltrate, residing on a computer or system, staying there as long as possible and existing undetected.

_______________________

washingtonpost.com: It looks like we were just about out of time here. John, thank you for your time and answering our questions.

John N. Stewart, Cisco: Thanks, Joe. I appreciate you having me on today.

_______________________