On June 11, Cisco announced the end-of-life and end-of-sale of the Cisco Security Agent (CSA), ending months of speculation. Cisco will continue to support CSA for three years but without product enhancements. CSA is a host intrusion prevention product for endpoints and servers, originally made by Okena, which was acquired by Cisco in 2003.
Cisco CSA has a fair number of customers, as it was often bundled in with larger deals and sometimes included with switch/router upgrades. These customers are now stranded and in search of alternative solutions. “We expect that customers will want to do their own due diligence in choosing a replacement product that best meets their needs,” Cisco said in its end-of-life notice.
A few niche vendors with limited endpoint offerings have jumped at the chance to lure Cisco’s customers, announcing aggressive migration promotion plans. The problem with this approach is that CSA included many security features that are unlikely to be delivered in a single product from another vendor.
For example, the goal of CSA was to protect workstations and servers by intercepting operating system calls, which it can deny or allow, similar in part to McAfee Host Intrusion Prevention (which has provided so many customers with proactive zero-day protection and patch management relief). CSA also offered broad policy enforcement capabilities, including the ability to block read/write capabilities, partly aligned to McAfee Application Control capabilities. Additionally, McAfee Application Control offers dynamic whitelisting, a tiny RAM footprint, less than 1% CPU utilization, and near-zero bandwidth requirements (no DAT or sigset updates).
CSA users should seek a replacement vendor that offers a well-managed defense-in-depth security program with multiple layers of malware defense and policy enforcement to shore up endpoint and server security. CSA users should consider McAfee.