
Grow up and work together

Robert Gleichauf, Chief Technology Officer, Security Technology Group, Cisco Systems, draws on his background as a synthesizing anthropologist, and exhorts the IT security community to grow up.

Bob Gleichauf is responsible for the development of secure network infrastructures across Cisco’s product line. Most recently, he led the development of Cisco’s Network Admission Control (NAC) initiative.

Bob has led other security initiatives at Cisco, including overseeing the R&D for Cisco’s Intrusion Detection System (IDS) product line, and the migration of IDS technology into the Cisco Catalyst 6000 platform. The IDS Module (IDSM) for the Catalyst 6000 is the industry’s first switch-based security solution, and a key component of Cisco’s security solution. Under Gleichauf’s leadership, Cisco’s IDS Product Line has grown to provide appliance, host, and network-integrated IDS solutions. He and his team have been awarded eight patents for their work in IDS and have over 15 other applications pending approval.

Gleichauf joined Cisco with the WheelGroup acquisition in 1998, where he was the head of product engineering. Prior to WheelGroup, he was a senior engineering manager at startup IQ Software, which developed database report writing tools.

Before entering the high technology industry, Bob was pursuing a PhD (ABD) in Early Human Prehistory at the University of Michigan, where he was a Rackham Fellow and worked in East Africa with the Leakey family.

He recently spoke to Brian McKenna, Editor of Infosecurity, when passing through London.

I know you see our market segment as immature. Can you illustrate what you mean by that?

The way our industry works is that, for example, it gets over-focused on a problem like data at rest. Now, you can address that in a way that ticks boxes for an auditor but doesn’t really solve the problem. Doing that properly means working with others. Our Network Admission Control (NAC) programme is a modest step towards Cisco doing that. It is one that addresses the operational realities of networked IT.

Compare our business with the financial industry. I have friends in investment banking who say: “you IT guys are knuckleheads! Why don’t you work together more?” And that is what we are trying to do. For example, that is the way that the MARS (Monitoring, Analysis, And Response System) product we acquired with Protego works – it operates with technologies from Check Point and WatchGuard, and so on. That was a real departure for Cisco.

The NAC now has 60 plus vendors involved. What we are doing, essentially, is establishing a control plane. Now that does create a problem – that of moving parts. It does introduce complexity, but it’s the way a maturing industry like ours has to go.

What did the company of which you were head of engineering, WheelGroup, bring to Cisco in 1998?

We brought true security expertise as well as product. Cisco was then in a transition from being a company that had boxes with security features to becoming a true security company. WheelGroup was a company of security experts as well as a company with product. And we are really proud of the fact that most of us ‘Wheelies’ are still here: of the 75 people acquired, about 45 are still around.

We brought with us a body of expertise relating to the art and science of applying signature-based intrusion prevention, and the art and science of correlating the data such that it can create actionable events.

We also brought a sense of where Cisco needed to go strategically, which fed into a series of acquisitions, and a raft of definitions of market segments – such as anomaly detection and security intrusion management. We also helped in the building out at Cisco of a fine professional services arm, which is small but highly regarded. There are about 50-60 individuals in that, mostly in the US, but distributed globally. I see them in airports all over the world!

Before going into IT you were an Early Human Prehistory academic, working on a PhD. What has that original formation brought to your current role as a senior technology executive at Cisco?

The first job I got out of graduate school I got because I sold myself as a synthesizer. That’s what anthropologists do, we synthesize. We learn enough about a given field to get the information we need from the experts. That has predisposed me to work in the field I am in now.

When you are doing security you have to understand the application and business environment as much as the specific security issues. Security is not just about infrastructure and threat, it is about the applications. Not that I am going to secure the application as such, but I am going to understand, as an infrastructure vendor, what are the right things to expose to the IP or application people. So the conversations are richer and more multi-faceted as a result of that academic background.

You’ve not found it limiting not to have had a formal computer science university education?

No. I’ve never felt limited by anything! I am self taught, I cut my teeth programming with start-ups. And if I have an edge then it is because I am inquisitive.

You mentioned the professional services security capacity at Cisco. Can you say more about the role of that?

To be successful security has to be part and parcel of the infrastructure, much more. For the security professional that means that you need to know more than how to configure a firewall, or set up a router in a secure way. They need to know how that fits in with the business. Security is a risk management proposition as much as it is a nuts and bolts thing.

What would you say is special about Cisco’s intrusion detection, now prevention, business?

With the caveat that I stopped being directly involved in that four years ago, I’d say that one of the distinguishing characteristics is trying to make it so that the fidelity of the information outputted is of high quality. Now, that involves appealing to other authorities within our product portfolio, and that involved integrating it with new tools.

The challenge with monitoring is a wheat and chaff one – what is legitimate traffic, what are false positives, and so on. And when a threat or exploit is occurring being able to put it into a context that helps understand your risk profile. Just because someone is launching an IIS attack against your network, doesn’t mean you have to run around with your hair on fire — unless that service is actively running or it’s a preamble to an attack that is germane to your core business.

So, we have to work with customers to provide tools to assess things in the right operational context. For example we worked very diligently with our IPS product to make it of high quality, working closely with Trend Micro, for example.

We’ve also striven to re-establish full coverage of the traffic that makes up the business. Over the last five to ten years the traffic across corporate networks has been more driven by application security rules, and more and more it is SSL encrypted. As a result, corporations’ network edge session traffic has been somewhat compromised by encryption. The Storm Watch product that we acquired with Okena addresses that. It is a product that fits within an approach we like. It keeps systems available, acting like a prophylactic. The upshot is that the ‘Cisco Security Agent’ is attuned to operational realities, and enables the AV to play a cleaning up and forensics role with quarantined traffic.

I recently chaired a roundtable with John Roese, a CTO from one of your rivals, Enterasys Networks. Now, he argues that we are on the cusp of a massive expansion of networks due to the IP enablement of machines that have not, up to now, been so enabled (at least not to the same extent). Not conventional computers, but machines. Could you speak to that?

I won’t comment if it will be a good or bad thing. But if you look at the NAC, that does query the credentials of the device. You are starting to see significant investments here. Cisco is ‘tolerating’ things like NAC partly for that kind of reason. So, yes, we are preparing for that, but we are not shouting from the rooftops about it.

You’ve talked about the NAC as instantiating a more collaborative paradigm in IT systems security, and of your championing, with others, of that within Cisco. Who else in the industry, then, do you think is innovative?

The landscape in the security space is very dynamic right now – it’s a mixture of companies collapsing into acquisition, and also a lot of innovation around areas like data leakage and compliance. And you are getting alignment of key players into these key areas.

Cisco is now a major player in the security space. And the Cisco brand is now recognised as a provider of credible security offerings, not just a vendor that sells gear that has security on it. That now puts us toe to toe with, for example, Symantec, and we have always had Check Point as a competitor. What remains to be seen is what the significant revenue but mid-tier vendors will do. They must align with other vendors because solutions require that, and how that dynamic will affect players of that size is yet to be seen.

As for us, it’s important to see how we are delivering on the Self-Defending Network. It’s been a marketing campaign in some ways, presenting a vision of where we are going. But you’ll need to watch how we deliver on it.



 

 
