
Cisco Security Agent Overview

Proven Best In Class Security Delivers Best In Class Security ROI

CSA-BDM © 2004, Cisco Systems, Inc. All rights reserved. 1


Customers Need Endpoint Security to:

• Mitigate new and evolving threats on desktops and servers
  CSA behavioral rules protect against zero-day viruses, worms, spyware etc. ‘sight unseen’
• Reduce the ‘update burden’ on distributed endpoints
  CSA behavioral rules protect vulnerable applications, reducing the patching load
• Enforce ‘Acceptable Use’ policy on corporate assets
  CSA behavioral rules can control application and device use according to policy
• Enforce admission policy on networked endpoints
  CSA integration into Cisco NAC provides communication integrity, extended posture decisions and dynamic policy changes

Day Zero Protection

• Cisco defines Host-Based Intrusion Prevention as the ability to stop day zero malicious code without reconfiguration or update.
• CSA has the industry’s best record of stopping zero-day exploits, worms, and viruses over the past 4 years:
  2001 – Code Red, Nimda (all 5 exploits), Pentagone (Goner)
  2002 – Sircam, Debploit, SQL Snake, Bugbear
  2003 – SQL Slammer, Sobig, Blaster/Welchia, Fizzer
  2004 – MyDoom, Bagle, Sasser, JPEG browser exploit (MS04-028), RPC-DCOM exploit (MS03-039), Buffer Overflow in Workstation service (MS03-049)
  2005 – Internet Explorer Command Execution Vulnerability
• No reconfiguration of the CSA default configuration, and no update to the CSA binaries, was required



The Patch Testing Burden
• 4,200 new vulnerabilities reported by CERT in 2002 – each has a patch
• Patches sometimes break what they were supposed to fix
  "There have been plenty of patches that actually create more problems, and they just shift you from one vulnerability cycle to another." – Bob Wynn, CISO of the State of Georgia, CSO Magazine, August 2003
• Gartner estimates the cost per patch at $300 per server – Information Week, Feb 3 2003
  "Something has to happen. There's going to be a backlash if it doesn't improve. I'd suggest that this patching problem is the responsibility of the vendors, and the costs are being taken on by the customers." – Mykolas Rambus, CIO of financial services company WP Carey

http://www.csoonline.com/read/080103/patch.html
Patch Relief from CSA “Day Zero” Protection
"Last summer, Chamberlain installed intrusion-prevention software from Okena Inc. [since acquired by Cisco], which he says has stopped several attacks against the university's servers and desktop computers. When Slammer hit, the Okena security software prevented the worm from infecting unpatched systems in the university's network. 'It worked again,' he says."
Information Week, "Attacks Averted", Feb 3, 2003

• Proven effective over 4 years – gives customers confidence to defer patching:
  Customers may wait for ‘roll-ups’ and Service Packs, which come better qualified from the vendor
  Testing and implementation of updates can be scheduled without undue change-control interruption
• Fewer updates reduce the cost of ownership
“Acceptable Use” Policy Control

• Some types of behavior are not malicious, but are undesired because they violate Acceptable Use policy:
  Music sharing via peer-to-peer (P2P) applications
  Instant messaging using non-corporate IM servers
  Protecting sensitive organizational data
  Configuration lockdown during the end-of-year reporting period
  Which devices cannot be used (USB memory, multimedia devices)
  Use of unauthorized applications, or unauthorized versions of applications
• CSA policy control modules include:
  Data Theft Prevention policy
  Instant Messenger Control policy
  Music Download Prevention policy
  Network Lockdown policy
• Provide application, user, and system audit records to demonstrate compliance
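The behavioral rules invoked on the Day Zero Protection slide and the Acceptable Use controls listed above both come down to the same mechanism: the agent judges what a process does (launch a child, open a connection, write a file, mount a device) rather than matching a malware signature. The following is an added illustration of that mechanism and is not Cisco CSA code or CSA's rule language; every process name, host, device class, approved version and event in it is constructed for the example. The first two rules deny exploit-style behavior (a web server spawning a shell, a network service writing into a system directory) without naming any worm; the remaining rules enforce acceptable-use policy; and every decision, allow or deny, produces an audit record.

```python
# Added illustration, not Cisco CSA code or CSA's rule language: a toy
# behavior-based endpoint policy engine. It keys decisions on what a process
# does (exec, connect, write, mount) rather than on a malware signature, so one
# rule set both blocks an unseen exploit by its behavior and enforces
# acceptable-use policy, while every decision leaves an audit record.
# All process names, hosts, device classes and events are constructed.
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Event:
    kind: str                       # "exec" | "connect" | "write" | "mount"
    user: str
    process: str                    # image name of the acting (parent) process
    target: str                     # child image, host:port, file path or device class
    version: Optional[str] = None   # child image version, for exec events


@dataclass(frozen=True)
class Rule:
    name: str
    category: str                   # "exploit" or "acceptable-use"
    matches: Callable[[Event], bool]


@dataclass(frozen=True)
class Decision:
    event: Event
    action: str                     # "deny" or "allow"
    rule: Optional[str]             # matching rule name, None for the default allow


# Constructed reference data standing in for an organisation's policy.
WEB_SERVERS = {"inetinfo.exe", "w3wp.exe", "httpd"}
NETWORK_SERVICES = WEB_SERVERS | {"sqlservr.exe"}
SHELLS = {"cmd.exe", "sh", "bash"}
SYSTEM_DIRS = ("C:\\Windows\\System32\\", "/usr/bin/", "/sbin/")
P2P_APPS = {"kazaa.exe", "limewire.exe"}
IM_APPS = {"aim.exe", "msmsgs.exe"}
CORPORATE_IM_HOSTS = {"im.corp.example"}
APPROVED_VERSIONS = {"acrobat.exe": {"6.0.2", "7.0"}}   # allow-listed app versions
BLOCKED_DEVICE_CLASSES = {"usb-storage", "portable-media"}

# Rules are evaluated in order and the first match decides. Exploit rules come
# first so a web server spawning a shell is denied even if the shell image is
# otherwise an approved application.
RULES: List[Rule] = [
    Rule("web-server-spawns-shell", "exploit",
         lambda e: e.kind == "exec" and e.process in WEB_SERVERS and e.target in SHELLS),
    Rule("network-service-writes-system-binary", "exploit",
         lambda e: e.kind == "write" and e.process in NETWORK_SERVICES
         and e.target.startswith(SYSTEM_DIRS)),
    Rule("p2p-file-sharing", "acceptable-use",
         lambda e: e.kind == "exec" and e.target in P2P_APPS),
    Rule("im-to-non-corporate-server", "acceptable-use",
         lambda e: e.kind == "connect" and e.process in IM_APPS
         and e.target.rsplit(":", 1)[0] not in CORPORATE_IM_HOSTS),
    Rule("unapproved-application-version", "acceptable-use",
         lambda e: e.kind == "exec" and e.target in APPROVED_VERSIONS
         and e.version not in APPROVED_VERSIONS[e.target]),
    Rule("removable-device", "acceptable-use",
         lambda e: e.kind == "mount" and e.target in BLOCKED_DEVICE_CLASSES),
]


def evaluate(event: Event, rules: List[Rule] = RULES) -> Decision:
    """Return the first matching rule's deny decision, else a default allow."""
    for rule in rules:
        if rule.matches(event):
            return Decision(event, "deny", rule.name)
    return Decision(event, "allow", None)


def audit_lines(decisions: List[Decision]) -> List[str]:
    """Render decisions as audit records: who did what to which object, and why."""
    return [
        f"{d.action.upper():5} user={d.event.user} proc={d.event.process} "
        f"{d.event.kind}={d.event.target} rule={d.rule or 'default'}"
        for d in decisions
    ]


# Constructed event stream: two exploit-style behaviors, then ordinary and
# policy-violating user activity.
SAMPLE_EVENTS = [
    Event("exec", "SYSTEM", "inetinfo.exe", "cmd.exe"),                           # deny: exploit
    Event("write", "SYSTEM", "inetinfo.exe", "C:\\Windows\\System32\\root.exe"),  # deny: exploit
    Event("exec", "alice", "explorer.exe", "kazaa.exe"),                          # deny: P2P
    Event("connect", "alice", "aim.exe", "public-im.example.net:5190"),           # deny: IM server
    Event("connect", "alice", "msmsgs.exe", "im.corp.example:1863"),              # allow
    Event("exec", "bob", "explorer.exe", "acrobat.exe", version="5.0"),           # deny: version
    Event("exec", "bob", "explorer.exe", "acrobat.exe", version="7.0"),           # allow
    Event("mount", "bob", "kernel", "usb-storage"),                               # deny: device
    Event("write", "alice", "winword.exe", "C:\\Users\\alice\\report.doc"),       # allow
]


def run_sample() -> List[Decision]:
    return [evaluate(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for line in audit_lines(run_sample()):
        print(line)
```

The point of the first two rules is that they contain no knowledge of Code Red, Nimda or Slammer: any payload that makes a web server launch a shell or drop a file into the system directory is denied by the behavior alone, which is what lets such a rule hold up against an exploit that did not exist when the rule was written. A real host-based IPS intercepts these operations in the kernel before they complete, whereas this toy only scores a pre-recorded list; the allow decisions are kept in the audit trail because demonstrating compliance needs the record of permitted activity as much as the denials.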
Enforcing Admission Policy on Endpoints

• Endpoint Protection – CSA
  Reduces patching and signature update pressure with behavior-based protection technology
• Network Admission Control
  Preserves enterprise resilience by auditing and enforcing adherence to corporate endpoint security policies when an endpoint accesses the network
• Network Infection Containment
  Limits the severity of infections by reducing the response time spent identifying and isolating infected systems, and cleansing traffic



Comprehensive Protection with fewer Agents

• To protect a server, you might consider:
  An agent to check OS binary files for unauthorized changes
  An agent to collect and centrally correlate audit log events
  Protection against packet attacks (DDoS)
• To protect a desktop, you might consider:
  A Personal Firewall (or Personal Intrusion Prevention)
  An agent to block spyware
  An agent to collect data on which applications are installed and used
• CSA provides all these capabilities in one agent for servers and desktops



Cisco Security Agent Consolidates Multiple Endpoint Products

CSA Desktop Protection:
• Distributed Firewall
• Spyware Protection
• Day Zero Virus/Worm Protection
• Personal Intrusion Prevention
• Sensitive Data Protection
• Application inventory

CSA Server Protection:
• Host-based Intrusion Prevention
• Buffer Overflow Protection
• Day Zero Virus/Worm Protection
• Operating System Hardening
• Web Server Protection
• Security for other applications

• Only one agent to purchase
• Only one agent to deploy
• Only one agent to manage
• No signatures to test and deploy

Single Agent Protection = Increased ROI

CSA Market-Leadership Validation

Winner, 2004 - http://www.nwc.com/showitem.jhtml?docid=1509wcasec3


Winner, 2003 - http://www.nwc.com/1408/1408wcasec22.html

Editor’s Choice, “Server Shields”, Network Computing, April 2004


http://www.networkcomputing.com/showitem.jhtml?docid=1508f2
Editor’s Choice, “HIP Check”, Network Computing, October 2002
http://www.networkcomputing.com/1322/1322f2.html



Why is CSA different?

• Mitigate new and evolving threats on desktops and servers
  CSA stops known and unknown attacks without requiring reconfigurations or updates on endpoints
• Reduce the ‘update burden’ on distributed endpoints
  CSA has been proven over 4 years of successfully stopping unseen attacks – Code Red, Nimda, Slammer, Blaster, …
• Enforce ‘usage’ policy on corporate assets
  CSA behavioral rules can enforce fine-grained Acceptable Use policy controls
• Enforce admission policy on networked endpoints
  CSA integration into Cisco NAC provides infrastructure integrity, extended posture decisions and dynamic policy changes

