2016 Asia-Pacific Stevie Awards Gold Winner – Cisco Systems iCAM
Company: Cisco Systems, Shanghai, China
Category: Award for the Innovative Use of Technology in Customer Service > Computer Industries
Entry Title: Security solution in protecting Customer Data in Customer Services – iCAM
iCAM (Intelligent Context Aware Monitoring) is an enterprise data monitoring solution that collects end-user events from various applications, analyzes them, and raises alerts on abnormal behaviors. It gives the management team visibility into which Cisco intellectual property or customer data is at risk, and gives data owners the mechanism to take proper action and make policy decisions to protect data. iCAM has been successfully applied to several Cisco customer service applications to monitor customer data access and reduce customer data leakage.
What is innovative about iCAM?
• Real-time Monitoring and Alert Generation
The iCAM event streaming process allows events to be analyzed in real time. Using big data technology such as Hadoop, Storm, Kafka and Elasticsearch, iCAM is able to process massive data volumes in parallel and perform behavior analysis in real time. Using machine learning, iCAM has been trained to identify the highest-ranked alerts and generate notifications for them.
• Self-service Alert handling process
iCAM is designed to handle alerts in a self-service manner. iCAM not only provides comprehensive information for the user to understand the alert, but also provides recommended corrective actions for the user to eliminate the risk, so alerts are addressed faster.
iCAM also provides the capability to automatically take corrective actions when certain violations occur. For example, when iCAM detects a policy violation in which a sensitive file is uploaded to a cloud application, iCAM can automatically quarantine the file as the upload occurs. The automated corrective action greatly reduces the risk exposure: an incident can be mitigated in seconds.
The self-service model is crucial for fast resolution of iCAM alerts. It also keeps the operational cost down. With the volume iCAM is handling today (approx. 5 billion events per day), iCAM has only 1-2 operational people, much fewer than a regular incident response team of similar size. The user-to-ops ratio is about 100,000:1.
• Accurate Incident Generation
By integrating with various data sources, iCAM is able to connect the dots and provide enriched contextual information ("who, when, where, what, how") about the abnormal behaviors. This data enrichment process gives iCAM more accuracy in alert detection and better policy configuration.
iCAM policies include:
- Static policy rules: pre-configured policy rules defined by InfoSec or the data owner. For example, raise a violation if a highly confidential file is uploaded to a cloud application.
- Dynamic policy rules: dynamically calculated thresholds based on historical data. For example, detect whether a user made too many case search queries compared with their own historical behavior or compared with their peers.
These policy rules are not configured once and done; they evolve based on the users' responses and data analytics. The continuous feedback loop keeps iCAM policy up to date and improves alert accuracy.
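The two rule types above, as an added illustration of how such a policy layer can evaluate an event stream; this is example code, not Cisco's iCAM code. The event schema, the team names, the thresholds (own history mean plus 3 standard deviations, and 3 times the same-day team median) and all sample data are constructed assumptions.

```python
"""Policy evaluation in the style of the entry's static and dynamic rules.
Added example: not Cisco's iCAM code. Event schema, team names, the 3-sigma
and 3x-peer-median thresholds, and all sample data are constructed assumptions."""
from collections import defaultdict
from statistics import mean, median, pstdev

# Constructed history of case_search volumes: day -> {user: count}.
# Five baseline days, then an evaluation day on which alice spikes.
SEARCH_COUNTS = {
    "2016-03-01": {"alice": 10, "bob": 8,  "carol": 11},
    "2016-03-02": {"alice": 12, "bob": 9,  "carol": 10},
    "2016-03-03": {"alice": 9,  "bob": 8,  "carol": 12},
    "2016-03-04": {"alice": 11, "bob": 10, "carol": 10},
    "2016-03-05": {"alice": 10, "bob": 9,  "carol": 11},
    "2016-03-06": {"alice": 40, "bob": 9,  "carol": 11},
}
TEAM = {"alice": "support", "bob": "support", "carol": "support", "dave": "finance"}


def build_events():
    """Expand the constructed counts into flat event records, plus a few uploads."""
    events = []
    for day, per_user in SEARCH_COUNTS.items():
        for user, n in per_user.items():
            events += [{"day": day, "user": user, "team": TEAM[user],
                        "action": "case_search"} for _ in range(n)]
    events += [  # constructed upload events exercising the static rule
        {"day": "2016-03-06", "user": "dave", "team": "finance", "action": "upload",
         "app": "cloud_storage", "classification": "highly_confidential"},
        {"day": "2016-03-06", "user": "alice", "team": "support", "action": "upload",
         "app": "cloud_storage", "classification": "internal"},
        {"day": "2016-03-06", "user": "bob", "team": "support", "action": "upload",
         "app": "internal_share", "classification": "highly_confidential"},
    ]
    return events


def static_violations(events, cloud_apps=("cloud_storage",)):
    """Static rule: a highly confidential file uploaded to a cloud application."""
    return [
        {"user": e["user"], "day": e["day"], "rule": "confidential_upload_to_cloud",
         "recommended_action": "quarantine file, notify data owner"}
        for e in events
        if e["action"] == "upload"
        and e.get("classification") == "highly_confidential"
        and e.get("app") in cloud_apps
    ]


def daily_counts(events, action):
    """Count events of one action type per (user, day)."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == action:
            counts[(e["user"], e["day"])] += 1
    return counts


def dynamic_violations(events, eval_day, action="case_search",
                       k=3.0, peer_factor=3.0, min_history=3):
    """Dynamic rule: today's count vs the user's own history (mean + k*stdev)
    and vs the same-day median of the user's team (peer_factor * median)."""
    counts = daily_counts(events, action)
    team_of = {e["user"]: e["team"] for e in events}
    days = sorted({d for (_, d) in counts})
    history_days = [d for d in days if d < eval_day]  # ISO dates sort correctly
    users_today = sorted({u for (u, d) in counts if d == eval_day})
    alerts = []
    for user in users_today:
        today = counts[(user, eval_day)]
        hist = [counts.get((user, d), 0) for d in history_days]
        reasons = []
        if len(hist) >= min_history:  # need a baseline before judging a user
            self_thr = mean(hist) + k * pstdev(hist)
            if today > self_thr:
                reasons.append("self:%d > %.1f" % (today, self_thr))
        peers = [counts.get((p, eval_day), 0) for p in users_today
                 if p != user and team_of[p] == team_of[user]]
        if peers:
            peer_thr = peer_factor * median(peers)
            if today > peer_thr:
                reasons.append("peer:%d > %.1f" % (today, peer_thr))
        if reasons:
            alerts.append({"user": user, "day": eval_day, "rule": "excessive_" + action,
                           "count": today, "reasons": reasons})
    return alerts


def run_demo(eval_day="2016-03-06"):
    """Evaluate both rule types over the constructed stream for one day."""
    events = build_events()
    return static_violations(events), dynamic_violations(events, eval_day)


if __name__ == "__main__":
    for alert in sum(run_demo(), []):
        print(alert)
```

On the constructed data the static rule fires once (dave's confidential upload to cloud storage; alice's internal file and bob's upload to an internal share do not match), and the dynamic rule fires only for alice on the last day, for both the own-history and the peer comparison. Each alert carries the reasons and the recommended action, which is the kind of context the self-service handling process described above needs; in a real deployment the thresholds and the minimum baseline length would be tuned from user feedback rather than fixed.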
What business value does iCAM bring?
iCAM has effectively monitored the customer case management applications to detect abnormal case views/access and customer data downloads. iCAM is also applied to the customer data search tool to detect any abnormal customer data queries. iCAM is in the process of being extended to more customer service applications within Cisco.
iCAM protects Cisco intellectual property and customer data at large scale. It handles 5+ billion daily events collected from 16,000+ servers, and protects 40+ billion files today.
iCAM is a real-time monitoring and alert handling system. It is able to detect an anomaly in 10 seconds. Provided with the comprehensive details of a given alert and the simple alert handling process, the impacted personnel (end users, managers, or the infosec team) are able to eliminate the risk within 24 hours.
iCAM is able to provide cost savings and improve the efficiency of security monitoring. With machine learning capabilities built in, 90% of alerts can be handled automatically. 1.5 operators support 16,000+ engineering data center servers plus 2 cloud services with 170,000+ users in total.