
Page 1: How Cisco Automates Protection of Intellectual Property · Automate monitoring of intellectual property ... and network security infrastructure to protect those ... the iCAM software

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public. March 2015 Page 1 of 5

Cisco IT Case Study

Intellectual Property Asset Protection

EXECUTIVE SUMMARY

CHALLENGE

● Automate monitoring of intellectual property assets for improper access, storage, and distribution

● Obtain information to improve protection of data and intellectual property

SOLUTION

● Internally developed iCAM software to analyze behavior and generate alerts when defined rules are violated

● Context information provided by Cisco Identity Services Engine to better target behavior analysis

RESULTS

● 40+ billion files protected

● 60 percent of alerts generated without intervention by security experts

● Managers see details that help them educate users about risks

● Cisco gains information to improve protection of sensitive files, documents, and data

LESSONS LEARNED

● Educate managers about using alerts appropriately

● Define behavior rules carefully

● Plan for scalability

● Context is very important to help managers evaluate risks

NEXT STEPS

● Extend iCAM to monitor data in cloud services

● Support up to 10+ billion events per day

● Develop predictive analytics for proactive risk reduction

How Cisco Automates Protection of Intellectual Property

Alerts based on behavior and context analysis of user actions reduce risk of data loss.

Challenge

Like any business, Cisco has a huge amount of intellectual property such as customer information, financial data, product source code, and development plans. If accessed by unauthorized people, that intellectual property could be used to damage the company’s operations and network security, revenues, competitive advantage, customer relationships, and reputation.

We maintain a strong physical and network security infrastructure to protect those assets, which are stored on systems in Cisco facilities around the world. However, this infrastructure is largely focused on stopping threats from external sources. We needed capabilities to detect abnormal internal activity in order to identify risky user behavior, whether intentional or not. Behaviors of concern include:

● Transfers of highly sensitive files, documents, and data to an employee’s personal computer or mobile device, especially just before the employee leaves the company.

● Data transfers that are authorized, but sent over unencrypted channels.

● Distributing highly confidential documents to a large group of internal users or posting restricted data for open access.

● Storing confidential information on unsecured servers, file-sharing sites, or unauthorized cloud services.

● Allowing access to a virtual desktop session by an unauthorized person.

Although the Cisco® Computer Security Incident Response Team (CSIRT) was responsible for monitoring user behavior risks, they needed an automated tool to keep up with the growing amount of data and activity. Additionally, the increased use of cloud services for certain business applications and communications presents another avenue for inadvertent file sharing or information disclosure.

Improved access monitoring had to align with Cisco’s policies for data protection and intellectual property access, as well as regulatory requirements and the Cisco Code of Business Conduct.

“It’s not practical to have only CSIRT monitor what data is at risk,” says Melvin Tu, manager and architect, Cisco IT. “As our policies state, protecting Cisco’s intellectual property is the responsibility of every employee.”

Solution

Cisco IT developed the Intelligent Context and Content Aware Monitoring (iCAM) software to analyze abnormal user behavior, generate alerts, and apply machine learning technologies to improve the monitoring over time (see Figure 1).

Figure 1. iCAM Process for Analyzing Behavior and Context and Generating Alerts

To assess a user’s behavior, iCAM incorporates a Hadoop-based analytics tool. This tool combines event data from an application or system with context information about the associated user, data, device, and network.

The context is drawn from a mix of external and internal sources. For example, the Cisco Identity Services Engine (Cisco ISE) provides critical information about the device involved in an event, such as when a different username is assigned to the device or when it does not have the operating system version necessary for secure data storage.

The Cisco ISE and the iCAM software run on Cisco Unified Computing System™ (Cisco UCS®) servers, which support the scalability necessary to monitor more intellectual property assets in more of our locations.

When a user violates a behavior rule, iCAM sends an alert to the user or the user’s manager, according to the action defined in the rule. For users, the alerts provide education about potentially risky behavior. For managers, the alerts present the information they need to appropriately manage employee activity. The manager can also elevate high-risk alerts to the Cisco Computer Security Incident Response Team for investigation.

PRODUCT LIST

Servers - Unified Computing

● Cisco Unified Computing System

Security

● Cisco Identity Services Engine


“iCAM is designed on the principle of ‘trust but verify’ for detecting if someone abuses their access privileges,” says Cheng Pan, program manager, Cisco IT. “The behavior and contextual analysis provides in clear language the who, when, where, and how details that a manager can use to identify the corrective action that is needed.” The in-depth alert information also helps us improve governance and methods for protecting Cisco’s proprietary, confidential, and sensitive data.

However, there are times when a user’s behavior may be unusual, but in fact it is authorized. In this case, the manager can provide feedback to adjust the behavior rules in iCAM to allow that activity, which means repeated “false positive” alerts will not be issued in the future.
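The context-enrichment, rule-routing and manager-feedback loop described in the Solution section and the false-positive paragraph above, as an added illustration that is not Cisco’s iCAM code: the user, device and data-classification profiles, the rule names, and the thresholds are all constructed stand-ins for the context feeds (such as Cisco ISE) the case study mentions.

```python
# Constructed sample profiles (stand-ins for ISE/HR/data-owner context feeds).
USERS = {"alice": {"manager": "bob", "leaving_soon": True},
         "carol": {"manager": "dan", "leaving_soon": False}}
DEVICES = {"lap-1": {"owner": "alice", "secure_os": True},
           "lap-2": {"owner": "carol", "secure_os": True},
           "usb-9": {"owner": None, "secure_os": False}}
DATA = {"/src/router/": "highly_confidential", "/docs/orders/": "confidential"}

def classify(path):
    """Map a path to its data classification; unknown paths are treated as public."""
    return next((c for p, c in DATA.items() if path.startswith(p)), "public")

# (rule name, predicate over the enriched event, who receives the alert)
RULES = [
    ("sensitive-to-insecure-device",
     lambda e: e["cls"] != "public" and not e["device"]["secure_os"], "manager"),
    ("device-user-mismatch",
     lambda e: e["device"]["owner"] not in (None, e["user"]), "manager"),
    ("unencrypted-transfer",
     lambda e: e["cls"] != "public" and not e["encrypted"], "user"),
    ("broad-distribution",
     lambda e: e["cls"] == "highly_confidential" and e["recipients"] > 50, "manager"),
]

class Monitor:
    def __init__(self):
        self.exceptions = set()          # (rule, user) pairs a manager approved

    def allow(self, rule, user):
        """Manager feedback: this user's activity under this rule is authorized."""
        self.exceptions.add((rule, user))

    def evaluate(self, event):
        """Enrich one event with context, run every rule, return routed alerts."""
        e = dict(event, cls=classify(event["path"]),
                 device=DEVICES[event["device_id"]], profile=USERS[event["user"]])
        alerts = []
        for name, hits, target in RULES:
            if (name, e["user"]) in self.exceptions or not hits(e):
                continue
            to = e["user"] if target == "user" else e["profile"]["manager"]
            # Departing employees are the highest-risk case the case study calls out.
            sev = "high" if target == "manager" and e["profile"]["leaving_soon"] else "medium"
            alerts.append({"rule": name, "to": to, "severity": sev, "who": e["user"],
                           "where": e["device_id"], "what": e["path"]})
        return alerts
```

Each alert carries the who, where and what fields a manager needs; calling `allow()` after a manager confirms an activity is legitimate suppresses that rule for that user on subsequent events.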

“The iCAM team works with development groups and data owners to define the behavior rules according to their work practices and business needs,” says Tu. “This helps iCAM raise alerts only when we have a real problem.”

The business rules also reflect the requirements of Cisco’s corporate policies for classifying data and protecting intellectual property.

Results

iCAM started as a security monitoring engine to protect source code for our research and development centers. Today, iCAM also monitors Cisco’s global data centers to control access to and prevent leakage of many types of confidential and proprietary information. Table 1 shows the current scope of iCAM monitoring activity.

Table 1. iCAM Activity Scope

Monitoring Activity

● 40+ billion files protected

● 3+ billion events collected from 14,000+ servers daily

Data Sources

● 130,000+ user profiles

● 200,000+ device profiles

● 200+ Cisco product profiles

● 700+ policy rules

Examples of Monitored Activities

● File sharing and transfers

● Searches on sensitive topics and keywords

● Accessing source code repositories and restricted databases

● File system scanning

For the alerts generated by iCAM, 60 percent are “zero touch,” meaning a risky behavior is detected without any manual action by anyone in Cisco IT or CSIRT. This capability allows faster notification and resolution of improper information access or file sharing.

By using the data, device, and network profiles, iCAM also detects abnormal events that are generated by a device or application that is not associated with an individual Cisco user. This capability provides an added measure of protection for our intellectual property assets.

The evolution of iCAM will bring additional benefits to Cisco. “As the machine learning capabilities in iCAM improve the ability to detect risky behavior, we will be able to create predictive analytics for proactively monitoring and detecting when an unauthorized action might occur,” says David Corsano, director, Cisco IT. “The ultimate goal with iCAM is to predict and prevent a disclosure before it happens.”

Lessons Learned

We have learned several lessons from our experience in developing iCAM and expanding its deployment.

Educate managers. To be effective, managers need to respond to iCAM alerts promptly and appropriately. For example, a user may unintentionally do something that violates policy and causes iCAM to issue an alert. Managers can use the alert to help employees understand risky behavior or to identify needed changes in data classifications or access authorization. The manager should also know how to forward alerts to the corporate security department when a clear security threat is present.

Define behavior rules carefully. Understanding the risks and regulatory requirements of your business, as well as the sensitivity of your information and potential user actions, will help create effective rules for monitoring user behavior. Also identify behaviors that might be considered risky but in fact are routine and acceptable, such as sharing certain types of order information with an authorized partner. This type of context information is important in helping managers understand the actual risk present in an alert.

Plan for scalability. As we move toward the Internet of Everything, an asset protection solution will need to monitor more information types, devices, and applications.

Next Steps

Because iCAM was designed to deliver protection monitoring as a service, it is very easy and cost effective for us to use it with new applications or environments. Cisco IT plans to extend iCAM to monitor additional data and document systems, with a particular focus on unstructured data in cloud services. We will also scale the iCAM deployment to support analysis of as many as 10 billion events per day.

For More Information

Read about the Cisco Identity Services Engine and the Cisco Enterprise Policy Manager.

The Cisco Code of Business Conduct presents an overview of the practices that Cisco employees must follow for protecting intellectual property.

To read additional Cisco IT case studies about a variety of business solutions, visit Cisco on Cisco: Inside Cisco IT.

To view Cisco IT webinars and events about related topics, visit Cisco on Cisco Webinars & Events.

Note

This publication describes how Cisco has benefited from the deployment of its own products. Many factors may have contributed to the results and benefits described. Cisco does not guarantee comparable results elsewhere.

CISCO PROVIDES THIS PUBLICATION AS IS WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Some jurisdictions do not allow disclaimer of express or implied warranties; therefore, this disclaimer may not apply to you.

“The ultimate goal with iCAM is to predict and prevent a disclosure before it happens.” — David Corsano, Director, Cisco IT
