Black Hat: CSO Said Cisco Security Is Growing Up
John Stewart doesn't talk like your typical corporate executive. He said that his company, Cisco Systems, has been lucky when it comes to security and that his company's Self-Defending Network marketing push has painted "a big bull's-eye" on its products.
By Robert McMillan, IDG News Service (San Francisco Bureau)
This is why I have personally sponsored Black Hat at the platinum level ever since. Because I think we had some atonement to do and go, "Look, our bad. That was not the way to do that one."
IDGNS: Why do you think the Cisco research dried up like it did?
Stewart: There are a couple of reasons. The first is, a lot of this is not remote exploitation, and a lot of what the research is about in any community is, "How do you do it remotely?" IRM's [Information Risk Management's] research, Sebastian's [Muniz, a researcher with Core Security Technologies] research, and to a certain degree, Michael Lynn's research, although it had a slight remote variant, it's not stable remote. And that's where the real game is.
You have got to figure out a way to get it in without being on the console. And that's what most of the development's been around: how do you do it on the console -- at least for Cisco, anyway.
And the second thing is, you want it to work. You're not trying to knock it out because you need the network up so you can get to the end point. So I think we sort of get a pass because no one wants to monkey with the infrastructure that they're using. It's like screwing up the freeway while you're trying to go to a different city. That's kind of a goofy thing to do.
IDGNS: Microsoft has been very public about how they changed the company to make security a priority. What's the story at Cisco? How did the security program get built?
Stewart: We were probably in the same space. Many companies, including our own, started with building stuff first that solved communications problems and then thinking about the safety of communications afterwards.
About five years ago, we were fighting the company, my team, mostly in the information security business. We were the "no" organization, the ivory tower. That's a dangerous place to be because my take is we ought to be a consultative fulfilment arm, not an adjudicator.
So we changed a lot of it and we started injecting things, like "You're going to have expertise in your team. We're not going to be even in the middle, so that way you can invest the expertise for what you need and we're not holding you up or bringing you into a slower position."
The second thing -- that can't be underestimated -- is we were getting ready in 2002 to launch self-defending networks, which -- like it or hate it as a slogan -- effectively is a big bull's-eye on our forehead.