People at Cisco have told me that the staff who do internal IT at Cisco say that Cisco Security Agent is the product which has done the most to improve their overall security. Now I’m hearing that the product is being dropped.

If you’re not familiar with the product, Cisco Security Agent is a host intrusion prevention system (HIPS). Unlike Cisco’s network IPS products, CSA protects workstations and servers by intercepting operating system calls, which it can allow or deny. The goal of the product is to stop threats by learning the normal behaviour of the applications running on a machine and blocking activity that departs from that expected behaviour, so security doesn’t depend on updated signatures. As an example, we can control which applications may write to certain directories and files on the client, such as system files.
A couple of years ago I wrote an article about jailbreaking locked-down Windows sessions using Microsoft Word. Cisco Security Agent wouldn’t have had any problem defending against this kind of malicious activity, without even trying: it could have been done just by recording the behaviour of Microsoft Word in a controlled environment and enforcing that behaviour.
There are a lot of options and variables you can set and use with Cisco Security Agent. The above example of blocking write access to specific directories might not sound all that interesting, but it is only one example. There are loads of settings beyond system security: if you want to make sure users follow your acceptable use policy, there’s a good chance Cisco Security Agent can help, by creating rules and policies that stop your users from breaking those policies.
Recently, while working with a client who had decided to buy CSA and install it on a new platform for their network, the question of support for Windows 7 arose. When I checked with Cisco I got the answer that it would be supported in the next release of CSA; however, I also heard that CSA 6.0.2 would probably be the last release. After asking around at Cisco I got confirmation that there would be no further development of the product.
Looking at this from an economic perspective, I can understand it: Cisco is a leading networking company, and they feel that the market for endpoint security is already crowded. As traditional antivirus vendors begin to release HIPS products, the competition will probably tighten.
However, from a security and solution perspective it seems strange when you see how CSA fits into Cisco’s Self-Defending Network strategy. It can be integrated with other products such as the network IPS: the external product interface lets the Cisco IPS receive information from CSA MC (Management Console), which it can use to evaluate which action to take. CSA is frequently used in Cisco’s design solutions for customers in terms of PCI compliance.
Perhaps Cisco is the wrong vendor to have this specific product in its portfolio, and perhaps someone else will buy it. But it’s a shame to see it just being dropped.

These features are now available in endpoint security products. Most of the offerings on the market today happen to be Frankensteinian kludgery (McAfee, Checkpoint etc.) that combine various individual software slammed together under a new label. From a development standpoint they’re not very well-designed and a PITA to manage. Just ask any user…
Cisco, in this case, may be throwing in the towel with the idea of buying someone to fill the void. There are solutions out there that do a great job, much better than CSA.
Have heard the same
Personally I had a feeling this was going to happen. It’s sad to see this happen to an incomparable product like CSA.
The impression that I always got from the Cisco sales reps is that they were totally clueless on how to sell CSA and generate sales.
The Cisco sales reps were always focused on selling hardware that has a high sales margin and a lifecycle purposefully designed-in-shelf-life. There was little incentive or knowledge on how to sell CSA. They had no clue on what CSA could really do… and for the reps, it was easier to sell boxes.
I guess I was one of the exceptional or lucky customers that had hired Cisco Professional Services to help with our CSA deployment… and lucky enough to get one of the authors that wrote the Cisco Press Cisco Security Agent book to personally teach us.
CSA was a complex tool; unfortunately most network engineers found it too complex and were unable or unwilling to comprehend what it could do. CSA was killer in effectively enforcing policy. We were able to use it to perform live forensics and used some of the advanced capabilities to trace the first instances of how the Adobe Acrobat exploits were being injected. We used CSA to audit company laptops out on the internet and made sure that company policy was enforced. We used it to pull in the NT event logs from company laptops on the internet w/o their knowledge. And we used it to shut down and totally disable rogue laptops from employees that were RIF’d that never returned or turned in their laptops.
I have to agree that CSA had a very sharp learning curve; but once you were able to comprehend what it could do… it was killer, and had more functionality than any HIPS product out there…
I could tie an Active Directory Mailing list Group to a set of rules that only turned on for those people that were in that specific mailing list. For example, in the Legal department, I used their mail distribution list which was an AD Group to trigger a set of rules that allowed Outlook to run their special application which archived off their mail automatically. We had configured CSA to lock down Outlook so that it couldn’t spawn off shells or call other applications it normally wouldn’t.
I also used CSA to enact rules based on the location of where a laptop was connected… if the laptop couldn’t see our internal DNS Servers, it would enact additional firewall rules and lock down mechanisms. We even made USB read only rules tied to a set of active directory groups, and USB R/W rules tied to another active directory group.
I can go on and on… but I guess what I am really trying to say is that CSA is and was an exceptional product, very comprehensive, very complex and a product that can be used for policy enforcement, including stopping zero day exploits and performing live forensics.
Unfortunately, the Cisco SEs and sales reps have not been educated enough on what CSA can really do. I just wish there was some type of outreach from Cisco to their more advanced customers on how they are using CSA. I think they might be surprised.
CSA has been the only product that really stopped the Acrobat exploit, and our forensics engineers really liked seeing the buffer exploit code which CSA shows in the alert details.
I would just like to see Cisco spin off the CSA product and get some knowledgeable Sales People to sell it.
But I have a feeling that they are just going to kill the product because they are too focused on selling the high margin boxes that have a 2 year shelf life.
Again, it’s sad to see it go… but with the knowledge that I gained from managing a high end CSA environment, it has sparked my interest in live forensics tools… which I think is going to be the next highly sought after job in the field of computer security.
All I can say is that I am thankful for CSA because it has made me intimately aware of the value of a good HIPS tool.
The best of luck…. And don’t get pwnd!
-dt
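The post describes CSA as learning an application’s normal behaviour in a controlled environment and then denying anything outside it, and dt’s comment above describes rule sets that only switch on for members of an AD mailing-list group or for laptops that cannot see the internal DNS servers. The following is an added illustration of those two ideas as a small policy engine; it is not CSA code or CSA’s rule language, and the process names, paths, group names (“Legal-DL”, “USB-RW”) and the host:port target are all constructed for the example.

```python
"""Toy behaviour-based host IPS (HIPS) policy engine: constructed example.

It models two ideas: a baseline learned by recording an application in a
clean environment, and rule sets that are only active for members of a
given AD group or for machines that cannot reach the internal DNS servers.
Nothing here is CSA's real rule language.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Iterable, Optional


@dataclass(frozen=True)
class Event:
    """One intercepted operation, as a HIPS driver would see it."""
    process: str                         # image name of the acting process
    action: str                          # file_write | spawn_process | usb_write | net_connect
    target: str                          # path, child image, device or host:port
    groups: frozenset = frozenset()      # AD groups of the logged-on user
    internal_dns_reachable: bool = True  # proxy for "on the corporate network"


def _glob_match(pattern: str, value: str) -> bool:
    # Case-insensitive, Windows-style matching; '*' also crosses backslashes.
    return fnmatchcase(value.lower(), pattern.lower())


def _generalize(ev: Event) -> tuple[str, str]:
    """Turn an observed event into a baseline entry. File writes are
    generalised to their parent directory; everything else is kept exact."""
    if ev.action == "file_write" and "\\" in ev.target:
        return ev.action, ev.target.rsplit("\\", 1)[0] + "\\*"
    return ev.action, ev.target


def learn_baseline(events: Iterable[Event]) -> dict[str, set[tuple[str, str]]]:
    """Learning mode: record what each application normally does."""
    baseline: dict[str, set[tuple[str, str]]] = {}
    for ev in events:
        baseline.setdefault(ev.process.lower(), set()).add(_generalize(ev))
    return baseline


@dataclass(frozen=True)
class Rule:
    """An explicit policy rule; the first matching rule wins (firewall style)."""
    process: str                           # glob on process image name
    action: str
    target: str                            # glob on target
    decision: str                          # "allow" or "deny"
    requires_group: Optional[str] = None   # only active for members of this AD group
    off_network_only: bool = False         # only active when internal DNS is unreachable

    def matches(self, ev: Event) -> bool:
        if self.requires_group and self.requires_group not in ev.groups:
            return False
        if self.off_network_only and ev.internal_dns_reachable:
            return False
        return (ev.action == self.action
                and _glob_match(self.process, ev.process)
                and _glob_match(self.target, ev.target))


def evaluate(ev: Event, baseline, rules: list[Rule]) -> tuple[str, str]:
    """Enforcement mode: explicit rules first, then the learned baseline,
    then default deny. Returns (decision, reason) for the alert log."""
    for rule in rules:
        if rule.matches(ev):
            return rule.decision, f"rule {rule.process}/{rule.action}/{rule.target}"
    for action, pattern in baseline.get(ev.process.lower(), ()):
        if action == ev.action and _glob_match(pattern, ev.target):
            return "allow", "within learned baseline"
    return "deny", "behaviour not seen in baseline"


# Constructed training run: Word and Explorer observed in a clean environment.
TRAINING = [
    Event("winword.exe", "file_write", r"C:\Users\alice\Documents\report.docx"),
    Event("winword.exe", "spawn_process", "splwow64.exe"),
    Event("explorer.exe", "net_connect", "fileserver.corp.example:445"),
]
BASELINE = learn_baseline(TRAINING)

# Constructed rule set, ordered most specific first.
RULES = [
    Rule("outlook.exe", "spawn_process", "mailarchiver.exe", "allow", requires_group="Legal-DL"),
    Rule("outlook.exe", "spawn_process", "*", "deny"),                 # no shells from mail
    Rule("*", "file_write", r"C:\Windows\System32\*", "deny"),          # protect system files
    Rule("*", "usb_write", "*", "allow", requires_group="USB-RW"),
    Rule("*", "usb_write", "*", "deny"),                                # USB read-only by default
    Rule("*", "net_connect", "*:445", "deny", off_network_only=True),   # no SMB when off-site
]


def decide(ev: Event) -> str:
    return evaluate(ev, BASELINE, RULES)[0]


if __name__ == "__main__":
    for ev in [
        Event("winword.exe", "file_write", r"C:\Users\alice\Documents\budget.docx"),
        Event("winword.exe", "spawn_process", "cmd.exe"),
        Event("outlook.exe", "spawn_process", "mailarchiver.exe", groups=frozenset({"Legal-DL"})),
        Event("explorer.exe", "net_connect", "fileserver.corp.example:445", internal_dns_reachable=False),
    ]:
        print(ev.process, ev.action, ev.target, "->", evaluate(ev, BASELINE, RULES))
```

The ordering matters: explicit rules win over the baseline so that an administrator can both carve out exceptions (the Legal group’s archiver) and impose hard denies (system directory writes) regardless of what was recorded in training, and anything neither listed nor observed is denied by default, which is what makes the approach signature-independent.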
SANS just posted a whitepaper related to CSA… this goes into more detail on what CSA can do…
http://www.sans.org/reading_room/whitepapers/incident/cisco_security_agent_and_incident_handling_33203
Great Article and very insight comments by dt. That comment shows how cool a tool CSA really was.
I’m sorry, you make it sound like it’s official that the product will disappear. I work with CSA pretty much every day in customer implementations, and I have had no indication from Cisco that 6.0.2 will be the last CSA version. There might be some changes coming (which I can’t really discuss), but CSA functionality is an integral part of many Cisco security designs, so I doubt it will be gone in the near future, and as for other products doing a better job than CSA, I have yet to see them from any AV vendors at least.
Jan – I didn’t mean that the product will disappear. Even when the next version comes Cisco will have to support it for years to come. However I have been told (the last time today) that 6.0.2 will be the last version and that Cisco instead will focus on their other products.
As for other products from AV vendors doing a better job, I agree with what you say. What I meant was that the AV vendors might have an easier time selling a HIPS product compared to Cisco, as the AV vendors already have a large install base on end nodes.
It is sad to see the product die on the vine and I sure hope someone buys it from Cisco. Being a security professional in the Investment Banking Industry, it is the single product that allows me to sleep at night.
Nitan
I’m so excited about cisco’s self defending network.
Perhaps they will port csa into their any connect solution?
I’ve been waiting for some time for a complete solution from the vendor market and this is a step in the right direction.
Actually it can also make specific restrictions on NAC posture so it is really connected to SDN.
I’m sorry, but Cisco’s web site does not support your claim of “Rest in Peace”. You state that there is no support for Windows 7, but on their web site it seems quite different.
“Newly Supported Operating Systems
You can now install Cisco Security Agents on these platforms:
• Windows 7 (Professional and Enterprise) 32-bit platform
• Windows 7 (Professional and Enterprise) 64-bit platform
• Windows Server 2008 (Standard, Enterprise, and Web Edition) 32-bit
• Windows Server 2008 (Standard, Enterprise, and Web Edition) 64-bit
• VMware WS 6.x (workstation)”
http://www.cisco.com/en/US/docs/security/csa/csa602/release_notes/CSA602RN.html
dfkosek – When I wrote the article, 6.0.2 hadn’t been released and CSA wouldn’t run on Windows 7. What Cisco has told me is that 6.0.2 would be the last major release of CSA, i.e. the release you point to in your link. I am not going to recommend CSA to any of my customers until I hear that Cisco has changed their mind concerning CSA.
Csa was simply amazing. There was nothing out like it. I’ve been running a 5 year old demo client forever and still no antivirus or antispyware has ever gotten on my machine even with default settings. Maybe they can make it open source and let the code go. It would be a shame to lose it.
Cisco announces the end-of-sale and end-of-life dates for the Cisco Security Agent. The last day to order the affected product(s) is December 10, 2010.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5739/ps2330/end_of_life_c51-602579.html
Any advice as to a replacement for CSA? Thank you for what turned out to be a prophetic article.