Cisco’s Tom Gillis On Building The ‘Security Cloud’ And New Feature Updates

The former head of VMware’s security business, Gillis joined Cisco in January and tells CRN that the company has a unique opportunity to provide the security layer for the multi-cloud and hybrid cloud world.

Building The Security Cloud

Cisco is just about ready for blast-off with its unified platform for modern cybersecurity, the Cisco Security Cloud. Tom Gillis, senior vice president and general manager of the Cisco Security Business Group, told CRN that the first examples of its Security Cloud vision will debut this spring starting with the RSA Conference in late April, and will kick off a “steady drumbeat” of new feature rollouts for the platform. Gillis, the former head of VMware’s networking and security business, joined Cisco in January.

As the world’s IT infrastructure turns into “four big computers” — AWS, Microsoft, Google Cloud and on-premises data centers — Cisco believes it’s perfectly positioned to provide the “security layer that sits up on top of those four separate pieces of infrastructure,” Gillis said in an interview. “The same way that Kubernetes became this ubiquitous layer across all different forms of infrastructure, we think we can do something similar” for securing multi-cloud and hybrid cloud environments, he said.

On Tuesday, in connection with Cisco Live 2023 Amsterdam, the company unveiled a handful of product updates that inch the company closer to its Security Cloud vision. The product announcements span across Cisco’s offerings in multifactor authentication (MFA), application security and secure access service edge (SASE). For MFA, a key capability in Cisco’s Duo Security offering known as “number-matching” is now fully available for all customers. Rather than having users push a button on their phone as a second verification factor — which attackers have been exploiting lately in order to thwart MFA — users are asked to input a code into their phone. The number-matching feature in the Duo product is referred to as Verified Push by Cisco.

Other Duo MFA updates announced Tuesday include the debut of features known as Remembered Devices and Wi-Fi Fingerprint, which enable users to stay logged in when they’re using familiar apps, networks and devices. In application security, Cisco unveiled its Business Risk Observability solution for the company’s Full-Stack Observability offering in AppDynamics. The solution leverages capabilities from Cisco’s acquisition of Kenna Security to assess and prioritize application vulnerabilities, using AI to determine which vulnerabilities are the most pressing to deal with.

Meanwhile, on SASE — which is focused on enabling secure access to corporate applications resources for distributed workforces — Cisco said it’s extending support to additional parts of its portfolio. While Cisco’s single-vendor SASE platform, Cisco Plus Secure Connect, had already been available with support for Meraki SD-WAN, it’s now available with support for the Cisco SD-WAN (Viptela) solution.

In December, Gillis left VMware after five years with the company, one of three general managers to leave VMware at the time amid Broadcom’s potential takeover of the tech giant. He previously worked at Cisco from 2007 to 2011 after the company acquired IronPort Systems, where he was a member of the founding team.

Gillis spoke with CRN about the Cisco Security Cloud vision, what makes Cisco unique in the cybersecurity industry and the latest security product updates being announced by the company.

What are you focused on with this new role at Cisco?

What I’m excited about at Cisco is, I think there are few if any companies in the world that have the breadth of offering in security, and then also the breadth overall, that Cisco does. What gets really interesting is when we come up with a capability that Cisco can do uniquely. That’s when we win. So what are the things that Cisco can do uniquely? Well, nobody understands the network like Cisco. We literally touch 80 percent of the world’s network traffic. It’s just a massive, massive footprint. As we gather telemetry from that and an understanding of that telemetry, that creates really unique insights.

There’s many lesser-known things. Cisco has an enormous presence on the endpoint. Not necessarily the traditional antivirus, but things like AnyConnect have tens of millions or hundreds of millions enterprise customers out there running it. We see more DNS traffic than any other security company in the world. And near and dear to my heart, I was part of the founding team of a company called IronPort that Cisco acquired back in 2007, that’s how I came to Cisco the first time. And that product is still alive and doing wonderfully well. And so we have very high visibility into email traffic and can identify anomalies. When you stitch these things together, it’s a very, very powerful platform that allows us to see lateral movement of an attack.

What I think is particularly interesting for [the partner] audience is that as we build this vision of what we call our Security Cloud, we need partners that are going to sit on top of that cloud and turn it into a solution for customers. So the managed parts — if you think of the MDR, managed detection and response, the ability to deliver managed services on top of our platform is core and fundamental to our strategy. Absolutely essential. I’ve only been at Cisco a month, and the very first thing I did is engage with our top partners. And we’re going to go out and I’m going to spend time with them and get out and share with them some of the stuff that we’re thinking about, and get feedback from them on what’s working and what’s not working, and how we continue to accelerate together. Because we can’t win without our partners, especially in security gate. The customers are looking to the partners to turn this stuff into a solution.

What is the idea behind the Cisco Security Cloud? And if it’s a vision, then what stage is it at?

My job is to put teeth into that vision. Here’s the vision, and it’s actually quite simple. So if you kind of blur your eyes and say, the world is turning into four big computers: Amazon, Google, Azure and your own private data center. There are security controls that are embedded in each one of them. And it’s not that one is better or worse than the other, it’s that they’re different. And so, we think that there’s a desire for a security layer that sits up on top of those four separate pieces of infrastructure, provides consistent controls, integrated visibility and can look broadly across multiple different domains.

The same way that Kubernetes became this ubiquitous layer across all different forms of infrastructure, we think we can do something similar. So how does that manifest? We’re building a single place where you log in — one login, one common set of interfaces, one common management policy. And most importantly, one data lake on the backend. So when we gather telemetry from those email boxes, or from those endpoints, or from that network data, or from things like ThousandEyes, where we’re measuring network performance — we can pull all these things together. And then that gives us a fairly comprehensive view into that lateral movement of attackers. And that’s the Cisco Security Cloud.

How close do you feel like Cisco is at this point to making that a reality?

We’ll be showing really the first examples of this at RSA. So a lot of this stuff is code complete. And I see it and use it and touch it. When you’re building a system, there’s a bunch of work to do to build the infrastructure pieces, the plumbing to get it all to work. Once that’s done — which it is — our ability to rapidly introduce new features is very high because you don’t have to reinvent a login service, a logging service, the policy creation, the UX — all that stuff is already in place. So I think you’ll see from us a steady drumbeat. So at RSA, we’ve got some big news, and then at Cisco Live in Vegas, which is a month after RSA, [we’ll have] more big news. All this is going to be around the Cisco Security Cloud.

How are your latest feature announcements related to the Security Cloud vision?

One of the things we’re announcing is that we have taken the security intelligence we have with an acquisition we did two years ago called Kenna. Kenna allows us to assess all the vulnerabilities in a particular application and say, here’s the ones you care about. So it does prioritization using AI on the backend, to say these are the ones that are relevant, and it ranks them in terms of their priority. We’ve integrated that into AppDynamics, so we’re creating what we call a Business Risk Observability [solution]. So we can take the technical bits and bytes and turn that into, “This has high business impact, this is medium, this is low.” So it allows our customers to focus their energy on the high-impact things. That’s an example of this integration across the portfolio.

So the idea with the unified platform is that everything within security can be managed from one place?

Right. And to be perfectly clear, there’s some things that just don’t fit into that. So a firewall management console — if you want to manage your firewalls, with a premise-based [system], that is the way you’ll do it. But we have the policy management, which is a cloud-delivered service that will come out of this unified framework. And that gives you the ability to set policies on firewalls that are running in a hardware device on-prem, but also running in a VM on the cloud. So one place to do physical and virtual firewall management, like out in the branch office or in the home office. So it’s not a complete retooling of everything. It’s an integration where the integration makes sense.

Are there other steps Cisco has taken toward achieving this unified platform?

Yes — [and] I think our partners will really appreciate understand [that] we’ve integrated web security controls into our Cisco Meraki solution. And so that’s something our partners have enjoyed huge success with — taking that very deeply in our market. And so it’s super easy to add URL filtering, anti-malware capability, all from that Meraki dashboard, where it’s just easy to deploy this stuff, easy to consume … If you’re a Meraki customer, it’s just in your Meraki dashboard. If you’re a Viptela customer, you’ll get the same capability that’s cross-launched into your Viptela dashboard.

What do you see as Cisco’s major advantages on SASE?

I think the real big differentiator with the current offering is the ease of use. It’s just super easy to set this up and it’s all one framework, and you don’t have to mess around with, “Oh, is the user remote, or are they on campus?” For all of that, you just turn it on and it works. The core capabilities that we have are, I would say, industry standard — URL filtering has been around for a long time. We maybe have slight advantages with our DNS-based security controls. But the magic, the thing that makes it stand out, is that ease of use and integration. Now, in the future, we have some things we’re working on that I think are highly differentiated, and so you’ll be hearing more from us on that in the Cisco Live timeframe.

So you’re saying the security and the networking sides both work together more seamlessly with your SASE platform than with platforms from other vendors?

There are vendors that do the web security that are independent of any networking device. And then there’s vendors that have both, but they’re not as tightly integrated as ours. A lot of these customers — especially in the middle of the market — they just want it to work. So our partners are enabling that. And we make it much easier than trying to pull the other two different vendors in to get this thing to work. We have one tightly integrated solution that’s very, very easy to operationalize.

What are some other product capabilities that you’re looking at for the future?

We’re going to be talking at RSA about our XDR [extended detection and response] capability. So the ability to span all these domains and tie it together. And then we’ve got big announcements coming at Cisco Live, which is a month after.