Cisco Concocting Zero-Day Malware Catchers

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

One of the big boys looks to catch up with younger innovators in the security market

Cisco is working on technology to better catch unknown threats, better known as zero-day malware, as it looks to take on start-ups innovating in the area, TechWeekEurope has learned.

The signature-based world of blocking malware is over, many believe, given that traditional antivirus can only stop around 30 percent of modern threats from getting through to IT systems, and it seems that Cisco is moving with the new consensus. The signature-based approach shares patterns relating to known malware amongst anti-virus systems so they can block it. But being able to block only known threats is no longer good enough.

Young vendors such as FireEye and M86 Security, which was recently acquired by Trustwave, have sought to stop unknown pieces of malicious software sneaking through, by using virtual machines or sandboxes, along with reputation and behavioural analysis, to figure out if something is nasty or nice. This publication recently reported on the case of construction materials supplier Travis Perkins, which looked to FireEye for help after traditional protections failed and almost caused carnage for the company.

Thinking inside the sandbox

Now Cisco wants a piece of the pie, according to Chris Young, global senior vice president of Cisco’s security and government division, who told TechWeekEurope that it was in the incipient stages of creating something similar to what the likes of FireEye offer.

“We haven’t gone as far as doing sandboxing … but we have started to partner with smaller players to figure out how can we leverage some of the traffic we have access to and some of the capture that we are doing today, to deliver some more sandboxing and hence be able to actually spot and act on some of the zero-day malware that does get delivered,” he said.

“We are early days on that. Today, we’re more focused on the behavioural component of it than the malware capturing.

“We’re moving towards a world where every attack is effectively zero-day… having a signatured piece of malware, that shouldn’t be the foundation on which any security model works.” Young had already talked about how mobile antivirus was not the way forward for protecting business smartphone deployments.

The move would make sense for Cisco, given how much threat information it can leverage from its global network, and how much companies are after better perimeter defences than the ones currently being offered by the old guard of the industry.

When asked to explain more about what Cisco’s offerings would look like, Young declined to go into more detail. But he did talk about why Cisco, which uses security as one of its main selling points, did not produce something sooner. It was down to scale, according to Young.

“There are a lot of great ways to capture malware, but it’s at very limited scale. Cisco has to strike a balance between being able to scale broad security solutions for customers and managing the ability to find latest and greatest threats,” he added.

“When you talk about 320Gbps throughput configuration on the firewall, those companies [such as FireEye and M86] can’t even think in those terms.”

Meanwhile, Cisco has been forced into making some security improvements across its software portfolio. It has just released nine security advisories, eight of which offer patches for its IOS operating system.
