
Cisco security strategy update: Cisco adds Sourcefire AMP to gateways

The networking giant unveils a new strategy highlighting Sourcefire technology, including new open source application firewall features for Snort.

SAN FRANCISCO -- If the significance of Cisco Systems Inc.'s new security products and strategy could be distilled into a single, exasperated line, it would be the one uttered by its chief security officer, John N. Stewart.


Cisco executives (from left) John N. Stewart, Martin Roesch and Chris Young.

"It's different," Stewart said, "and it's about time something is different."

In a press event on the eve of the 2014 RSA Conference, Stewart and fellow security executives Christopher Young and Martin Roesch set out to strike a different tone for their business unit. For several years the Cisco security strategy had been in perpetual limbo, but on Monday the executives announced not only the first products born from the networking giant's 2013 acquisition of Sourcefire, but also a simplified strategic message focusing on products that help enterprises manage security functions before, during and after cyberattacks.

Cisco announced that it has added Sourcefire's Advanced Malware Protection (AMP) technology to its line of Web, email and cloud content gateway products. AMP is a data-mining engine that seeks to identify malicious files by extracting metadata about them to determine the risk they pose, based not on signatures but on behavior.

Roesch, Sourcefire's founder and chief technology officer and now vice president and chief architect of Cisco's security group, called AMP "the coolest thing we've got right now." He said AMP is unique in the way it reevaluates information. If new data shows known-good files actually aren't good or have turned bad, AMP re-mines its data set and automatically transmits notifications to customers to trigger remediation.

Young, senior vice president of Cisco's security group, said adding AMP to Cisco's content security gateways, including for existing customers, is part of the vendor's updated strategy; it is shedding amorphous perimeter- and device-focused messaging in favor of a more pragmatic take that supplements Cisco's traditional strength of pre-attack discovery, policy enforcement and endpoint hardening with Sourcefire's attack detection and blocking, as well as post-attack scoping, containment and remediation.

"Our estimation is that [more than 70%] of the spending in the security industry is all about the 'before,'" Young said, "but a major spending shift will happen in the security industry, on tools and services, to move into the 'during' and 'after' phases of the attack continuum, because the attacks are at a level of sophistication that will force companies to do so."

Separately, Cisco announced a new generation of 8300 series FirePOWER multifunction network security appliances. Cisco said they represent a 50% increase in inspected throughput, and in a quad-stackable format offer up to 120 Gbps of throughput.

And in a nod to Sourcefire's legacy of open source products such as Snort and ClamAV, Cisco announced OpenAppID, a new set of open source application-identification capabilities for Snort that enable users of the venerable open source intrusion detection system to turn it into an application firewall.

Roesch said OpenAppID represents the first time enterprises can get their hands on application detection and control technology beyond traditional commercial products. Using more than 1,000 OpenAppID detectors -- essentially signatures for specific applications -- or ones that organizations create themselves, enterprises can use Snort to enact policies that ban or limit applications like Facebook or Farmville, or trigger certain actions based on conditions, such as allowing access to Gmail only if two-factor authentication is enabled.

Admitting that Cisco hasn't traditionally been a strong supporter of open source technology, Roesch said Sourcefire's success, specifically Snort's growth from a few lines of code into the world's most-used intrusion detection system in less than two years, proved that open source technology offers powerful credibility.

"People knew who we were, that they could trust us and that we were pushing the envelope on what the products could do," Roesch said, also highlighting the benefits of collaborating with users. "Collaboration presents more powerful solutions, and I can drive trust as well."

Stewart acknowledged that the confluence of several security trends -- including the growth of Web malware, BYOD and the Internet of Things -- makes threat detection and management an increasingly difficult and frustrating problem. He said Cisco's new products and strategy address the reality of the threat landscape and that amid a shortage of qualified information security professionals, security technology must improve to compensate for that shortfall.

"When it comes to the human capital problem, I don't know how many more people I can find to hire … and it's not so clear people could analyze all the data in the end anyway," Stewart said. "The best place to address that is the network, which is Cisco's core business."
