Optical/IP Networks

Cisco Buys Psionic

Cisco Systems Inc. (Nasdaq: CSCO) got its Christmas shopping out of the way a day early this year, completing its acquisition of privately held security software designer Psionic Technologies Inc. yesterday (see Cisco Completes Psionic Acquisition).

Cisco announced the agreement in October, saying that it would exchange up to $12 million worth of Cisco stock for all outstanding shares in the Texas-based software company (see Cisco Buys Psionic). In yesterday’s announcement, however, Cisco did not specify how much it had paid for Psionic, nor how much of a charge it will take in connection with the acquisition. Psionic did not return calls by press time, and Cisco declined to comment further on the news.

While the financial details of the deal are still a bit blurry, the reasoning behind the acquisition seems clear. Psionic’s technology aims to increase the efficiency of traditional intrusion detection system (IDS) products by reducing the number of false alarms and quickly validating potential security breeches. As such, it fits into Cisco’s overall security scheme of mastering a large range of security technologies and embedding them throughout the network.

“This is consistent with their desire to create a more unified security story,” says Zeus Karravala, an analyst with the Yankee Group. “This is an area [Cisco] didn’t really have a product for... They’re plugging holes with small companies.”

“Intrusion detection has become a checklist item,” says David Newman of Network Test Inc., a testing house. "It’s a must-have for any vendor that wants to have a credible security story.”

Cisco does, in fact, already have several IDS products in its portfolio, but like most traditional IDS products, they are riddled with problems, according to industry observers.

Data overload is the main problem facing companies using IDS technologies in their network. While IDS is supposed to sound an alarm when it detects anomalies in the network, it often mistakes legitimate traffic for questionable traffic, leading to a huge number of false alarms. It becomes impossible to check every alarm, and systems administrators often decide to simply shut off IDS altogether. This helps shut out the noise – but of course it also utterly defeats the purpose, opening the network up to vulnerabilities.

“The perfect intrusion detection system is one that sends an alarm every time a packet goes by,” Newman says. “This is the crux of the problem that all intrusion detection products face.”

“This is a very good acknowledgement by [Cisco] that they have a problem in their portfolio,” says Yankee Group analyst Matthew Kovar. “Obviously corporations need a way to become more operationally efficient and address the alerts they’re getting... They’re overwhelmed.”

In addition to the sheer amount of noise that IDS technologies typically generate, analysts point out that the products also tend to perform poorly and miss attacks in the face of large amounts of traffic. They are also still very difficult to manage, demanding a lot of expertise on the part of the user. These are all problems Psionic aims to address, according to the company’s Website.

“Cisco believes that Psionic Software has an excellent combination of talent and technology,” Richard Palmer, VP and GM of Cisco’s VPN and Security Services Business Unit, said in a Q&A posted on Cisco’s Website in October. “Psionic develops security software that increases the efficiency of IDS by reducing false alarms by up to 95%. Psionic's software will provide Cisco security customers with increased productivity and lower total cost of ownership associated with network-based IDS by enabling customers to focus manpower and attention on validated attacks against their networks.”

On the other hand, Nir Zuk, the CTO of NetScreen Technologies Inc. (Nasdaq: NSCN), one of Cisco’s biggest competitors in the security arena, is not convinced that Psionic has chosen the right approach to solving IDS’s inherent problems. “For me,” he says, "Psionic is like a band-aid. It’s like taking a huge shotgun wound and putting a band-aid on it.”

Zuk joined NetScreen from OneSecure, the intrusion detection company NetScreen acquired in August (see NetScreen Acquires OneSecure). He insists that OneSecure’s technology not only detects intrusions, but is capable of preventing them as well.

NetScreen is doing better at addressing the IDS problem, Zuk says, because among other things it takes a network-based, rather than host-based, approach. “We can protect tens of thousands of hosts from one gateway,” he says.

Network Test's Newman, however, points out that the OneSecure technology might be difficult to sell, since it is located at the choke-point of the network, where the switch is.

No matter who has the best approach to solving the IDS dilemma today, Newman says it’s way too early to tell who will be the long-term winner in the space. What really ramped up sales of IDS’s predecessors, firewalls and VPNs, was the development of easy-use appliances, he says. “That hasn’t happened yet in intrusion detection.”

— Eugénie Larson, Reporter, Light Reading
BobbyMax 12/4/2012 | 9:07:37 PM
re: Cisco Buys Psionic The security software should be a part of the operating system otherwise a lot of things that should be recorded and an audit trail created and archived becomes very hard. It appears that the Psionic software runs on a different box with a different operating systems than the network nodes. A company that needs security software should create a list of requirements on the security breach of its system and match its requirements against the feature.

Many security software do not meet the detection, monitoring and prevention requirements.
teng100 12/4/2012 | 9:07:35 PM
re: Cisco Buys Psionic The IP connectionless model was famous for
its convenience and any to any connectivity.
On the other side, it open to anyone to your
resources and inherently with no security.
beowulf888 12/4/2012 | 9:07:32 PM
re: Cisco Buys Psionic Heh, heh. BoobyMax *has* to be an LR bot that's gotten out of control.

Well, for the non-bots monitoring this list, there's good reasons an IDS should be kept separate from the OS being monitored -- viz. if the OS gets compromised you don't want a cracker corrupting the audit trail. Read the "Cuckoo's Egg" by Cliff Stoll.


MHA 12/4/2012 | 9:07:28 PM
re: Cisco Buys Psionic Is Cisco working on Intrusion Protection System? Lot of startups inclunding TippingPoint, Intruvert and iPolicy are offerring IPS (intrusion protectioin systems) that block attacks instead of jst generating alerts.
opticalweenie 12/4/2012 | 9:07:27 PM
re: Cisco Buys Psionic He's not a bot!!! Look at the timing of his
post - He's Santa Claus (claws?).
nbwaite 12/4/2012 | 9:07:22 PM
re: Cisco Buys Psionic The article had


"The perfect intrusion detection system is one that sends an
alarm every time a packet goes by," Newman says. "This is the
crux of the problem that all intrusion detection products


Really? The article has already indicated that we can have
(1) false alarms and (2) real problems. So, let me propose
that a 'perfect' detector would give an alarm for each real
problem and give no false alarms. Or, the detection rate
would be 100% and the false alarm rate would be 0%. Since the
detection rate was 100%, we could also say that the rate of
missed detections would be 0%.

Here we would be considering a simple detector: For more, we
might want an alarm only for the first detection of the
problem and dispense with later alarms about the same problem.
Also, we would like to receive one alarm for the real cause of
the problem and to dispense with alarms from secondary
problems after the original cause. Since these considerations
are a bit advanced, here let's stay with just simple

In our important computer and communications systems, we
should take rates of false alarms (false positives) and missed
detections (false negatives) seriously: If our dear daughter
has a tummy ache, we take her to a physician, he performs a
test, then he may be able to tell us the rates of false
positives and false negatives for that test, and we will
understand quickly. This may be the case even if we just take
our dear daughter's dear kitty cat to a veterinarian. For our
important computer and communications systems, we should also
be able to understand rates of false positives and negatives.

A low false alarm is easy: Just turn off the detectors. And
a low rate of missed detections is easy: Just sound the alarm
all the time. It appears that essentially we did the first on
9/10 and the second on 9/12.

The rate of false alarms is easy to control: E.g., if the
false alarm rate is 10 times higher than we want, then we can
just discard 9 out of each 10 alarms. Done.

But this method of reducing false alarm rate by a factor of 10
will also reduce the detection rate by a factor of 10, and
generally we believe that this is too large a reduction in the
detection rate for the factor of 10 reduction in false alarm

Given our choice of detectors, if we had the cost of a false
alarm and the cost of a missed detection, then in principle we
could select the detector that gave us the least total cost.

A good detector will give us a knob we can turn to select
false alarm rate; lowering the false alarm rate by some factor
will lower the detection rate by a smaller factor; at the
selected false alarm rate we will get a relatively high
detection rate.

The article mentioned


They are also still very difficult to manage, demanding a lot
of expertise on the part of the user.


Yes, user expertise is an issue. One approach was to use
'expert systems' where we encode the knowledge of an expert
once and let the results be used many times.

More details on such things are in, say,


R. A. Chekaluk, A. J. Finkel, E. M. Hufziger, K. R. Milliken,
N. B. Waite, "Expert Operator: Deploying YES/MVS II", in
Innovative Applications of Artificial Intelligence, edited by
H. Schorr and A. Rappaport, The MIT Press, Menlo Park, 1989,
pages 303-316.


Alas, there are difficulties in doing the encoding, and we
still do not get a handle on rates of false alarms and missed

Broadly there are two approaches to detection: First, we can
have in mind the specific problems we want to detect and
design detectors for those specific problems. We might just
have one detector per problem; in this case, detection is also
progress on diagnosis which is usually the next step in the
work. Second, we can have detectors that look for any or all
problems, whether we have seen them before or not.

Broadly the expert system detectors where of the first kind.

For progress on detectors of the second kind, that is, for any
or all problems, seen before or not, there is


N. B. Waite, "A Real-Time System-Adapted Anomaly Detector",
Information Sciences, volume 115, April, 1999, pages 221-259.


Here we get a knob we can turn to select nearly any desired
false alarm rate over a wide range, and lowering false alarm
by some factor lowers detection rate by a smaller factor.

For more on detection rate, the paper draws on the classic
result of S. Ulam that Le Cam called 'tightness'.

For more on detection rate but obtained after the paper, in a
special but useful sense, at any selected false alarm rate,
the detection rate we get is the largest for any means of
processing the data. This result looks too good to be true,
and in simple terms it cannot be true: It is easy to show
that there can be no one detector with uniformly the highest
detection rate on all problems. Thus we need the
qualification "in a special but useful sense". In addition,
we need a continuity assumption, and the result is asymptotic.
Asymptotic results tend to be cleaner and are still quite
relevant, especially as we do tend to have quite a lot of
data. These results were from after the paper was published.

Also of importance is the input data we use. Thanks to SNMP,
etc., typically we are awash in input data.

A common situation is that, at points in time, typically
ranging from several second to several seconds, we receive
numerical values on each of several variables.

A common approach is to split apart the data on these several
variables and to treat the data on each variable separately.
At least intuitively, it is easy to see that this splitting
apart destroys information and hurts the quality of our
detection (lowers detection rate for each selected false alarm
rate). It is also possible to see essentially the same quite

Thus, really we should look to doing our best to process data
on several variables at once. Thus, our work should be

Our consideration of 'rates' of false positives and negatives
essentially force us to be probabilistic. Although some
proponents of 'artificial intelligence' will object, the
context of probability is too close to this problem and has
too much to offer to set it aside easily. When the AI people
can do better, fine. One way for artificial intelligence to
compete with probability is for that intelligence to be smart
enough to understand probability, and we are far from that
now. In the meanwhile, we should exploit probability.

So, the paper above is both multidimensional and
probabilistic. That said, in this context, our chances of
precise descriptions of multidimensional probability
distributions are not good. Thus, the work is
'distribution-free' which means that the work assumes that
there is a probability distribution but assumes nothing about

Being multidimensional and distribution-free can help with the
issue mentioned in the article


They are also still very difficult to manage, demanding a lot
of expertise on the part of the user.


Further, the methods are 'adaptive' to the system being
monitored and, thus, are essentially 'self learning'.

Thus relatively wide nearly automatic deployment should be

In the paper, the core of the ideas are some uses of symmetry.
The practical world is awash in various cases of symmetry, and
more exploitations should be possible.

Norman B. Waite

Network Architectonics

Wappingers Falls, NY 12590

[email protected]

Sign In