Rest in Peace Cisco Security Agent

  • by Patrick Ogenstad
  • September 22, 2009

People at Cisco have told me that the staff who do internal IT at Cisco says that Cisco Security Agent is the product which has done the most to improve their overall security. Now I’m hearing that the product is being dropped.


If you’re not familiar with the product, Cisco Security Agent is a host IPS product or HIPS. Unlike Cisco’s network IPS products, CSA protects workstations and servers by intercepting operating system calls which it can deny or allow. The goal of the product is to stop threats by learning the normal behavior of the applications running on a machine, and stopping activities not in line with the expected behaviour. This way security isn’t enforced by relying on updated signatures. As an example we can control which applications can write to certain directories and files on the client such as system files.

A couple of years ago I wrote an article about jail breaking locked down Windows sessions using Microsoft Word. Cisco Security Agent wouldn’t have any problems defending against this kind of malicious activity, without even trying. This could have been done just by recording the behavior of Microsoft in a controlled environment, and enforcing that behavior.

There are a lot of options and variables which you can set and use with Cisco Security Agent. Though the above example of blocking write access to specific directories might not sound all that interesting, this is only an example. There are loads of settings, aside from just system security if you want to make sure users are following your acceptable use policy there’s a good change Cisco Security Agent can help you by creating rules and policies to make sure your users aren’t able to break those policies.

Recently while working with a client who had decided to buy CSA and install it to a new platform for their network the question of support for Windows 7 arose. While checking with Cisco I got the answer that it would be supported in the next release of CSA, however I also heard that CSA 6.0.2 would probably be the last release. After asking around at Cisco I got the confirmation that there would be no further development of the product.

Looking at this from an economical perspective I can understand that Cisco is a leading networking company and that they feel that the market for endpoint security is already crowded. As traditional antivirus vendors are beginning to release HIPS products the competition will probably tighten.

However from a security and solution perspective it seems strange when you see how CSA fits into Cisco’s self defending network strategy. It can be integrated to other products such as the network IPS with the external product interface allowing the Cisco IPS to receive information from CSA MC (Management Console) which can be use to evaluate which action to take. CSA is frequently used in Cisco’s design solutions for customers in terms of PCI compliance.

Perhaps Cisco is the wrong vendor to have this specific product in its portfolio, and perhaps someone else will buy it. But it’s a shame to see it just being dropped.