Cisco: Net Net on Security

9:00 AM -- SAN FRANCISCO -- RSA Conference -- When all you have is a hammer, then everything looks like a nail.

That old phrase kept coming back to me on Monday as I spent the day with Cisco's security folks here in the land of cable cars and suspension bridges. Along with a few other journalists and analysts, I spent the day talking to Cisco's security executives and users, and it was both enlightening and revealing. (See Cisco to Integrate Security Tools.)

Among enterprise vendors, Cisco's security message is compelling. For all practical purposes, the vendor owns the network in most businesses, and it has built a suite of network security solutions that are tightly integrated and comprehensive. The idea is simple but effective: Secure the network, and you've effectively prevented the bad guys from reaching any of your assets.

As I listened to all of the discussion, however, I couldn't help noticing the things that I didn't hear in Cisco's enterprise security pitch. None of these comes as a surprise, because Cisco is still a networking company at its core. But it bears noting, because like all other vendors' "enterprise security" stories, Cisco's has a decided slant.

One of the greatest omissions was the discussion of data security. Cisco didn't have much to say about encryption of data, particularly stored data at rest. We didn't talk about database security, or how to prevent insiders from pulling unauthorized information from those databases.

We also didn't talk about laptop security, or how to prevent end users from making off with large amounts of sensitive data -- or bringing in malware -- via USB drives and other portable storage media. Cisco actually tells a pretty good story on the integration of physical and logical security in the building, but these portable devices don't seem to be in its sights yet.

I didn't hear much about security research or threat analysis, which is a staple of any conversation with an antivirus vendor such as McAfee or Symantec. Again, Cisco has some compelling solutions for eliminating malware, but vendors like Sophos and VeriSign benefit from having separate research labs that do nothing but analyze vulnerabilities and exploits all day.

There wasn't much said about applications security, although Cisco certainly now can claim a strong solution for messaging security with its acquisition of IronPort, and it can distinguish applications traffic in the network. We also didn't hear much about multi-factor authentication, such as biometrics or tokens, although the company does address these issues in its Network Admission Control strategy.

The takeaway, I think, is that no single tool vendor comes at security without a bias. You can hardly blame Cisco from approaching security at the network level, just as Microsoft approaches it from the desktop level. When you listen to vendors talk about "enterprise security," then, it pays to read between the lines. Sometimes what they don't say is as important as what they say.

— Tim Wilson, Site Editor, Dark Reading