Remote Access Trojans

You’re working for a high-profile technology company, close to releasing a market-changing product to the public. It’s a highly contested space, with many competitors, both domestic and international. There’s also a lot of buzz in the media and online speculation on the scope and impact your new product will have. And it goes without question that customers are keen to know more about the upcoming game-changer.

Your goal is to keep the secrets under wraps until the public announcement. Unfortunately, your surprise is about to be spoiled. It happens sometimes, as much as we work to prevent it—from accidental embargo slips to insider leaks. But in this case, it’s arguably the worst-case scenario: Your company has been breached and information about the product was stolen.

It’s unfortunate, but such breaches are not an uncommon occurrence—it’s something security professionals are far too familiar with. They occur across sectors, yet the way the data is stolen often includes familiar patterns. There are plenty of possible suspects, and untangling their motives is difficult. But in this cybersecurity game of “Clue,” we’re less concerned if it were Mrs. Peacock or Professor Plum. We want to know what the weapon was and how to prevent future murders.

There are a variety of useful weapons in an attacker’s arsenal. Downloaders, administration tools, and infostealers all often play a part in such an attack. But the go-to tool in many scenarios like this today are remote access trojans, often referred to as a “RATs.”

The anatomy of a RAT

A RAT is a swiss army knife of sorts. Distributed through familiar vectors, such as malicious downloads and email attachments, many RATs include all the weapons mention above, and more, making it easier for an attacker to leverage each component when carrying out an attack. In short, a RAT consolidates a number of tools into one package.

There is a lot of variation from RAT to RAT. Some are generalist tools, meant to be used across a variety of attack scenarios. Others are highly tailored to a specific attack. Some RATs use predetermined proxies to help mask an attacker’s ultimate location. Other RATs may leverage command-and-control (C2) infrastructure to do the same.

While the functionality and infrastructure used by a given RAT will differ, what follows are common features found within many RATs. To illustrate an attack, let’s take it back to our tech company breach, showing how an attacker can leverage a RAT to gain access to, and steal, sensitive files on your upcoming product.

Gather system information

The attacker managed to breach the defenses in your company using a phishing email that included a link to the RAT. However, that doesn’t mean that they will immediately know where they are on the network. They’ll naturally want to learn more about the computer they compromised. Is it an administrative assistant’s desktop, a laptop belonging to finance, or a web server? Performing reconnaissance on the system helps the attacker learn how deep into an organization they have penetrated, if they need to move laterally, or if they’re reached their intended target. Some reconnaissance tools even allow an attacker to scan other systems, gathering information about them.

Steal usernames and passwords

The attacker got onto one machine, but it wasn’t the intended target. They’d compromised a computer belonging to someone in the engineering group, but the materials they were after resided on a shared server. To move laterally, they may want to try searching for login credentials on the system they’ve already compromised. Many RATs include the ability to scrape saved and cached passwords, and once the usernames and passwords are in hand, the attacker can attempt to log into the shared server.

Log keystrokes

The attacker scanned the compromised computer looking for the login credentials, but no luck. Good news? Yes, but it’s only a minor setback. Many RATs include information-stealing components like keyloggers, meaning all the attacker has to do is enable it, and wait for the user of the compromised system to log into the shared server. When they enter login credentials, the attacker can capture them, and later attempt to log into the server themselves.

Download further malware

The attacker was able to obtain login credentials; however, their attempt to log in failed. (Perhaps your company uses multi-factor authentication?) To get to that shared engineering server, the attacker is going to have to call in reinforcements. They’ve identified a vulnerability on the shared server, and they need an attack toolkit to exploit it and gain access. Given how networks vary widely, many RATS include the ability to download further tools to assist them in gaining further access. In this case, the RAT operates like a downloader, pulling down an attack toolkit that allows the attacker to progress.

Accessing and uploading files

The attacker managed to gain access to the shared server, traversed its directory structure, and located documents that outline your new product’s features. The next step is to exfiltrate those files. Most RATs contain the ability to upload files to a predetermined location. This is often done with help of a proxy or through a C2 infrastructure, thus covering the attacker’s tracks as they steal the documents in question.

Recording audio, video, and taking screenshots

There may be times that an attacker isn’t satisfied with simply stealing design docs. Perhaps they obtained a slide deck, but it lacks context in certain slides. In order to learn more, they might want to return their attention to the initially compromised computer and have the RAT to record audio and/or video. The RAT might overhear the engineer speaking to a coworker or capture a video of a presentation meeting that discusses the product. RATs can often take screenshots as well, capturing critical documents on display.

Other uses

This is just one scenario where a RAT could be used end-to-end in an attack. RATs can be used in other situations as well. For instance, what if an attacker is hoping to exfiltrate financial data? A RAT can be leveraged to scrape banking details from a compromised computer or collect credit card numbers using a keylogger.

What’s important to highlight is that most RATs provide command line access to the systems that have been compromised. If adequate administrative rights are gained on these computers, an attacker can use a RAT to do just about anything that he or she desires.

Notable RATs

RATs have been around for a long time, and many prominent RATs have come and gone. Some recent RATs that have been prevalent on the threat landscape include Orcus RAT and RevengeRAT, which have been used by a variety of threat actors. Another commonly seen RAT is ExileRAT, which has been used in attacks with possible espionage-related motives, and shares a C2 infrastructure with the LuckyCat family of threats.

Not all RATs are built from the ground up either. Some are semi-legitimate tools, repurposed or reconfigured for malicious use. Two such examples include Imminent RAT and Remcos.

There are a number of attack groups monitored by Talos Intelligence that use RATs in their malicious campaigns. The SWEED threat actor often used Agent Tesla, the Panda threat actor has been seen dropping Gh0st RAT, and the Tortoiseshell group, who was recently caught scamming veterans, uses a RAT called IvizTech.

To catch a RAT

So the attacker managed to get into your network and obtain your product plans this time. How do you prevent them from doing it next time?

Fortunately, there isn’t anything particularly special about the way a RAT gets onto a system. They’re distributed in much the same way as other types of malware: they’re sent by email, dropped by droppers, set up as the payloads for exploit kits, along with other common attack vectors. Consider the following:

• A good endpoint protection application is very useful in protecting against RATs. AMP for Endpoints blocks malware at point of entry, then detects, contains, and remediates advanced threats.
• Monitoring network traffic for unauthorized activity is also important. Cisco Stealthwatch is the most comprehensive visibility and network traffic security analytics solution that uses enterprise telemetry from the existing network infrastructure.
• Many RATs encrypt their traffic, as we discussed in last month’s Threat of the Month blog, so be sure you can monitor such traffic as well. Encrypted Traffic Analytics provides insight into threats in encrypted traffic, without the need for decryption, using network analytics and machine learning.
• Being able to connect to C2 domains is vital for many RATs to function. Blocking known malicious domains can go a long way in stopping a RAT in its tracks. Cisco Umbrella uses DNS to stop threats over all ports and protocols—even direct-to-IP connections—preventing connections to attacker’s servers.
• Multi-factor authentication products can prevent an attacker from logging into a system if they manage to obtain login credentials. Verify users’ identities with applications such as Cisco Duo.
• A good email security solution, as well as a strong network perimeter, will help to ensure that RATs are blocked outright. Cisco Email Security is your best defense against such attacks via email, while Cisco’s Next-Generation Firewall can stop attacks at the network boundaries.
• A web security appliance with data loss prevention (DLP) features will also assist in cases where a RAT gets in and is attempting to steal sensitive information through the network. The Cisco and Digital Guardian DLP solution is a high-performance, comprehensive security solution for data in motion.

Continue reading

The SD-WAN Factor: Partnering for Success

Some partners resell Cisco products. Some go beyond selling and offer services. And some of them believe in the products so much, they use them internally. Such is the case with Katalyst, a certified Cisco Gold Partner and managed service provider; they do all three. I recently had a chance to speak with Jesse White, Field CTO at Katalyst, specifically about the benefits of Cisco’s SD-WAN solution, why they use it internally, how its white-label managed service offering is transforming its customers’ networks, SD-WAN Security, and more. It was a fantastic experience to learn first-hand, the power of this technology.

The “Katalyst” for Selecting Cisco SD-WAN

When Katalyst selects a new product to deploy, whether internally or at a customer site, there’s little room for error; getting it right the first time isn’t just important, it’s a must. Katalyst’s stringent decision criteria looks at a number of attributes, including management, ease of use, cost savings, programmability, stability, and more.

SD-WAN end-users realize better SaaS application performance, branch offices and acquisition sites are brought online in minutes rather than hours or even days, and businesses are seeing cost savings through the utilization of broadband links. IT teams are also seeing a huge benefit with a centralized console (vManage) that provides them with a comprehensive view of all devices and clients connected to the network. They can make configuration changes, add security policies, see the health of their links and much more directly from within vManage.

With a long history and vast experience working with Cisco ISR routers and leveraging Viptela SD-WAN, Jesse tells me it was the logical next step to deploy Cisco’s latest iteration of the solution that brings the two together. In fact, Katalyst has deployed the solution at a number of customer sites, both big and small, and across industries including financial, manufacturing, and retail. “Cisco SD-WAN has continued to be the clear winner for us,” Jesse says.

And Katalyst’s track record, together with Cisco, is able to drive change, and customers are taking notice. A recent IDC report states that, “Cisco holds the largest share of the SD-WAN infrastructure market, fueled by its extensive routing portfolio that is used in SD-WAN deployments…”

SD-WAN Tastes Pretty Good!

“Customer experience is at the center of what we do at Katalyst,” says Jesse. “There is no bigger priority for us.” To that extent, Katalyst follows the motto of ‘eating their own dog food’ or ‘sipping their own Champagne’, whatever vernacular you prefer. And that’s exactly what Katalyst did when it decided to implement SD-WAN on Cisco ISR routers across its offices in the Southeast, United States. “Our needs and applications are no different than that of our clients” says Jesse. Katalyst’s network and applications are distributed across multiple SaaS providers, with some residing on premise (they also make use of the Cisco Hyperflex HX platform) delivering on a true hybrid cloud approach.

“Cisco SD-WAN gives us the opportunity to leverage our investments and achieve our desired business outcomes,” says Jesse. “No longer do we have to discriminate against applications due to provider brownouts, our SD-WAN solution seamlessly finds the best path at the best time and orchestrates the desired outcome.” Pretty awesome if you ask me!

Simplifying SD-WAN

During our conversation, Jesse emphasized that customers are begging for simplicity and more importantly, more flexibility and control. And Katalyst has responded with a white-labeled Cisco-based SD-WAN managed service for its customers. In fact, many of Katalyst’s customers choose to deploy SD-WAN via the company’s managed service to reduce the complexities associated with in-house WAN deployments and accelerate access to cloud applications. The reasons are numerous and include cost savings, security enhancements, simplification and consolidation, lack of internal skills and or resources to manage it, expanding to multiple branches, and more.

“The commoditization the industry has experienced in the last half a decade has allowed our clients to strategically shift dollars from large private connectivity costs, into connectivity that is both smarter and closer to the final destination,” says Jesse. “This ultimately provides our own clients with a superior user and application experience.

SD-WAN Security

Lastly, we spoke about Cisco SD-WAN Security and the benefits associated with an integrated solution. The security aspects and integrations in Cisco SD-WAN are paramount for Katalyst’s customers that have highly secure environments — think financial and retail environments. “It’s a big driver for them to consume SD-WAN,” says Jesse. Integrated security features including Duo, Umbrella, Firewall, IPS, URL Filtering, AMP and more, mean Katalyst and its customers can leverage investments and integrations in protections they already have and are familiar with. This turns out to be a really big bonus for Katalyst and many of its customers.

“In our region alone,” says Jesse. “We are seeing more than 5,000 security positions going unfilled year after year, clients know they can’t compromise, and have to look for integrations and scalability.” This is where Cisco SD-WAN and Katalyst’s managed services solution really shine, by offering customers a no-compromise, scalable, and integrated solution.

Continue reading

Cisco DNA Center Template Archive/Restore

Background

I have written a number of blogs about CLI templates in Cisco DNA Center.  These templates can be used as part of the “provisioning” workflow in the UI, or programmatically directly from the API.

One question that often comes up is the ability to share templates through archive and restore.  This utility provides this capability.  This is useful when sharing templates or taking templates from one DNA Center to another (e.g. Development -> Production).

Installing

The code can be cloned from  github. I recommend you use a virtual environment, but this is optional.

git clone https://github.com/CiscoDevNet/DNAC-TemplateTool.git

python3 -m venv env3
source env3/bin/activate

There is one dependency, that is the dnacentersdk. This is contained in the requirements.txt file.

pip install -r requirements.txt

The final step is to setup the environment variables to connect to dnacenter. There is a sample in env_dnac. You will need to edit these to point to your DNA Center. You need to use the source command to make these active.

source vars_dnac

Getting Started

Once you have installed the dependencies and modified the environment variables, you can run the script. Running the script with no arguments will dump the templates in json format. You can save this to a file.

./template_archive.py > all.json

You can then use this file as the input to restore the templates.

$ ./template_archive.py --restore all.json
['Cloud DayN Templates/DMVPN Spoke for Branch Router - System Default/1', 'Cloud DayN Templates/DMVPN for Cloud Router - System Default/1', 'Cloud DayN Templates/IPsec for Branch Router - System Default/1', 'Cloud DayN Templates/IPsec for Cloud Router - System Default/1', 'Onboarding Configuration/3k-stack/1', 'Onboarding Configuration/3k-stack/2', 'Onboarding Configuration/9300-sdwan/1', 'Onboarding Configuration/DMVPN Hub for Cloud Router- System Default/1', 'Onboarding Configuration/IPsec 1 Branch for Cloud Router - System Default/1', 'Onboarding Configuration/IPsec 2 Branch for Cloud Router - System Default/1', 'adam/int-desc/1', 'adam/int-desc/2', 'adam/int-desc/3', 'adam/int-desc/4', 'adam/int-desc/5', 'adam/loop/1', 'adam/loop/2', 'adam/loop/3']
Updating template:DMVPN Spoke for Branch Router - System Default, CurrentVesion:1, NewVersion:1
Skipping template DMVPN Spoke for Branch Router - System Default, version 1.  Mismatch with existing version1
Updating template:DMVPN for Cloud Router - System Default, CurrentVesion:1, NewVersion:1
Skipping template DMVPN for Cloud Router - System Default, version 1.  Mismatch with existing version1
Updating template:IPsec for Branch Router - System Default, CurrentVesion:1, NewVersion:1
Skipping template IPsec for Branch Router - System Default, version 1.  Mismatch with existing version1
Updating template:IPsec for Cloud Router - System Default, CurrentVesion:1, NewVersion:1
Skipping template IPsec for Cloud Router - System Default, version 1.  Mismatch with existing version1
Updating template:3k-stack, CurrentVesion:2, NewVersion:1
Skipping template 3k-stack, version 1.  Mismatch with existing version2
Updating template:3k-stack, CurrentVesion:2, NewVersion:2
Skipping template 3k-stack, version 2.  Mismatch with existing version2
Updating template:9300-sdwan, CurrentVesion:1, NewVersion:1
Skipping template 9300-sdwan, version 1.  Mismatch with existing version1
Updating template:DMVPN Hub for Cloud Router- System Default, CurrentVesion:1, NewVersion:1
Skipping template DMVPN Hub for Cloud Router- System Default, version 1.  Mismatch with existing version1

As expected, nothing happens as all of the templates are already present.  The script checks the version of the template before updating it.  If you were to remove a template, or a project, they would be restored.  Alternatively, you could restore to a different DNA Center and the templates would be added there.

Anatomy of a Template

Templates consist of the following sections, properties, variables and the template body. Each of these are stored together in a version.  The following picture shows three different versions of a template, each with a different set of properties, variables and template body.

Components of a template

An example of the template properties appears below.  There are two mandatory properties

◈ the device type, which can be as broad as a family (e.g. all switches) or as narrow as a particular model (e.g. Catalyst 9300).

◈ The operating system E.g. IOS-XE.

Template Properties

Variables are defined in a template ($hostname) is an indication of a variable.  A variable can have a type, a default value, or in some circumstances, be marked as not a variable.  This is useful for encrypted passwords, where “$” might appear as part of the configuration.

Template Variable Properties

The final part of the template is the body.  This is velocity syntax.  The following extremely simple template sets the hostname of a device.    Hostname is also a variable.

Template body

Templates are stored in projects, which you can think of like a folder in a directory structure.  The template name inside a project is unique, while different projects can contain a template with the same name.  Remember, although these templates share the same name, they are different instances as they are in different projects.  You can see an example of projects below. “Onboarding Configuration” and “Cloud DayN Templates” are two projects that are always present.

Template Projects

Continue reading

5 Key Takeaways from 2019 Stealthwatch Customer Research

At Cisco, our customers drive what we do in security. Stealthwatch provides customers around the clock visibility, and a system that keeps up with changes in their IT environments. In a survey that was sent to over 10,000 Stealthwatch customers, we were able to identify what sorts of security challenges are top of mind. Next, we examined how we could address these issues in the most helpful way. Stealthwatch provides users a comprehensive look into their security network. It reaches every port, host and every single individual threat that poses a security breach. Here is a breakdown of the most important takeaways from our research:

1. Lack of visibility was the top challenge that led our customers to Stealthwatch  

Lack of visibility, insider threats, and the inability to conduct in-depth network analysis were the top three challenges for our customers and lack of visibility led the group. Those reasons haven’t changed much over the 17 years Stealthwatch has been in the market! Stealthwatch provides visibility across the enterprise network, from on-premises to cloud deployment. Further, it applies behavioral modeling and machine learning to generate alerts like data hoarding and data exfiltration, both of which are key indicators of insider threats. Stealthwatch is also able to store network telemetry long-term so that a security team can easily investigate incidents that have occurred in the past. As a result, Stealthwatch helps customers face these challenges head on. 74% of Stealthwatch customers agreed that Stealthwatch is a must have component of their network security. This number means we are doing our job!

2. Customers want a solution that integrates into their network and security stack

Our customers love the synergy between Cisco technologies. In fact, 67% believe that this is the #1 reason to choose Stealthwatch. Integration with Cisco products ensures that customers maximize their investment and ensure optimal operation of their network. Comprehensive visibility, ability to analyze encrypted traffic without decryption, and scalability were some other reasons why customers chose Stealthwatch. Stealthwatch consumes various types of telemetry from the network, endpoint, cloud and data center, and uses advanced analytics infused with Cisco Talos threat intelligence to find hidden threats. The survey identified Encrypted Traffic Analytics and integration with Identity Services Engine (ISE) as Stealthwatch’s most important features. The new Visibility Assessment app, which provides visibility into the overall network health, was also highly rated. In addition to summarizing traffic and conditions on the network, this app allows generation of a PDF security status report for senior management who typically don’t use the Stealthwatch dashboard.

3. Multi cloud and hybrid cloud are becoming increasingly common, bringing new security challenges

More than 95% of Stealthwatch on-premises respondents have deployed or are planning to deploy one or more cloud platforms spanning across Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Our SaaS (software-as-a-service) offer, Stealthwatch Cloud, can monitor all these environments by consuming native cloud telemetry such as VPC (Virtual Private Cloud) flow logs and NSG (Network Security Group) flow logs. In addition to disruption in service, cloud-related breaches can result in huge bills due to its pay-as-you-go pricing model. Customers understand that they need to secure their cloud network. Stealthwatch Cloud allows them to use a single security tool to do so. Customers identified unauthorized access, data loss, insider threats and misconfigurations as common cloud security challenges. Stealthwatch Cloud detects all these incidents.

4. Forensic analysis to determine the source and impact of the threat is one of the key use cases

Because Stealthwatch casts such a wide net on an organization’s network, it can address a number of different use cases. Interestingly, the top one mentioned by customers was the ability to investigate sources of threats through network audit trails. Stealthwatch can store network telemetry for long periods, allowing for forensic analysis related to past and current events. The intuitive flow search capability and included contextual information related to threat detections are presented within the user interface (UI), which helps accelerate incident response.

Other ways in which Stealthwatch helps our customers is the visibility it provides across users, devices and applications connecting to the network – who are they and what they are doing. Using this visibility, Stealthwatch can detect advanced threats quickly before they turn into a high-impact breach. Customers also love the fact that they can extend their existing network investments to improve security by seamlessly integrating Stealthwatch into their environment. Additionally, many customers use Stealthwatch to simplify their segmentation strategy. With the visibility it provides, Stealthwatch can help define effective security policies and trigger events when policies are violated using custom security events. Allowing customers to check assumptions related to normal network traffic is a key segmentation benefit offered by Stealthwatch.

5. Stealthwatch discovers a broad spectrum of security threats for our customers. 

Lastly, customers provided feedback on the kind of things Stealthwatch has discovered in their environments:

◈ Threats in encrypted traffic like malware/spyware (C&C) connections
◈ Cryptomining activity
◈ WannaCry campaigns
◈ Configuration changes
◈ Legacy devices that were thought to be disconnected from the network
◈ Suspicious behavior
◈ Security policy violations

Continue reading

Hit the Simple Button to Solve Complex Security Problems

The Changing Face of Cyber Security

Cyber Security is quite like an onion; it brings tears to your eyes! And we at Cisco have made it our mission to wipe those tears and put a smile back on your face.

But the onion analogy does not end there. Good Cyber Defense is architected in layers, much like the anatomy of the tear-jerking bulbous root. As the network expands beyond the traditional perimeter, so does the need to provide defense in depth. We all see the trend: The boundaries of the network are blurring, even as it is being called upon to process even larger amounts of data. To monitor the pulse of your network, you have to dig deeper to find answers to the questions such as “Who attacked us?” or “What was compromised, and when?”. Your security teams might break into a sweat dealing with this reality without help, as the attack surface continues to expand.

Gone are the days when a bouncer at the entrance of your bar (or your friend’s bar) could keep troublemakers out. Today, bad actors can seep in through other points of entry, or disguise (encrypt) themselves and walk right through the front door. They sometimes even enter in plain sight, especially if they are not on the most-wanted list (yet). How then do you protect against such elements from seeping through the cracks?

What you need, if you stay with the bar analogy just a little longer, is a ‘stealthy’ manager monitoring the behavior of all entities on your premises, so that you can get alerted when something looks amiss. This trusted aid should be armed to receive inputs from multiple sources: all points of entry, as well as from folks working the floor itself.

Jump back now to the real world of IT infrastructure (unless you actually own a bar, you should still read on), and what you need is a method to monitor all your traffic, both inbound/ outbound and lateral, using a single analytical tool. By bringing together these critical sources of telemetry, you get a unified view of your perimeter and internal threats, not by manual or point-by-point correlation, but by automated and programmatic means. In this manner, you get complete end-to-end visibility into your network, with the ability to detect threats and indicators of compromise. Now, what if this capability was available without need for authoring lengthy configurations or complex rules, while requiring minimal care and feeding? All of this may to sound like a fantasy novel, but often times facts are stranger than fiction.

Welcome to Cisco Security Analytics and Logging

Cisco Security Analytics and Logging was born in the cloud, with simplicity and ease of use as a core design tenet. It has a self-evident name, and an equally simple goal in mind: aggregation of your disparate sources of telemetry into a single data store. Automated means of analysis (statistical, M/L and behavioral modelling) can then be performed on this combined data set, treating it as a single logical input. Since every aggregation effort must have a start point, Security Analytics and Logging’s kick-off candidates are the most voluminous telemetry producers in networks today:

◈ Firewall logs, which keep track of every connection made, and well as any incidents encountered (IPS/IDS or File/ Malware), mostly at the perimeter.

◈ Internal traffic telemetry produced by connections between network elements such as endpoints, switches, wireless access points, routers, etc. on your premises.

To bring together perimeter and internal telemetry, Security Analytics and Logging integrates two avant-garde SaaS products in Cisco’s security portfolio:

◈ Cisco Defense Orchestrator, a cloud-delivered, SaaS-based solution that cuts complexity for consistent management of policies across Cisco security products.

◈ Stealthwatch Cloud, a cloud-delivered, SaaS-based solution that provides end-to-end visibility, behavioral analysis, and threat detection across your private network, public cloud, and hybrid environments.

Now, you might wonder “Why stop there”? We hear you, and you are right; we are NOT stopping here. Rather, this is just the start. Security Analytics and Logging is being built out as an aggregator of data, to provide intelligence derived from desperate points in the network, treating them as a pool for analysis. The discerning mind will differentiate this as being different from the outcomes of say a SOAR, which correlates processed data, rather than crunching raw data. In this manner, the output of Cisco Security Analytics and Logging’s analyzed outcomes become a source of input for other Incident Response (IR) tools.

Tell me why we need this:

Bringing machine-scale analysis to human-scale understanding

This is how I would explain it to my Grandmother: Information is Power. The more information I can gather, the better equipped I am to arrive at the correct conviction of a threat. While I can gather convictions from numerous trusted inspectors, I can also gather my own raw data straight from the source and build my own point of view. The disadvantage of relying on others’ convictions alone is that each of them may have a limited view of the world; perimeter only, endpoint only, content only, etc. What if I gathered all the information for myself, treating these various sources as sensors, and made my own conviction in addition? Am I better or worse off?

My smart grandmother would say, “Well, that depends on your ability to process all that information intelligently”. And she would be right; You need a best of breed analysis engine to do your intelligent tasks. It is for this reason that Security Analytics and Logging is powered by Stealthwatch Cloud’s advanced entity behavioral modeling and threat detection engine. We use a combination of behavioral modeling, multilayered machine learning, and global threat intelligence to automatically detect threats. For those amongst you who are already familiar with the magic of Stealthwatch Cloud, I know you must be eager to end the conversation with my grandmother, order Security Analytics and Logging, and head to your friend’s bar. Stay a little longer, and I promise that you will be on your way.

Visibility, Visibility, Visibility

It all starts with visibility. You cannot protect what you cannot see. Often times, you don’t even realize what it is that you should be monitoring. Therefore, when it comes to visibility, there are some more advanced questions that need to be addressed. These questions may come up in a conversation with your security budget office. We shall speak to some of those now:

Question 1 – Tell me what ‘accretive’ outcomes I achieve by sending firewall logs to Security Analytics and Logging for Analysis?

That is a great question. First of all, behavioral threat detections are based on baselining of network behavior based on established patterns. This is widely considered a more dynamic way of detecting threats than static rules or content-based inspection methods. It may come as no surprise to anyone that notwithstanding the most robust IPS/DPI inspection policies and rules, suspicious behaviors continue to be detected inside networks. The key word to understand here is ‘accretive’; it is by no means suggested that Cisco Security Analytics and Logging attempts to be or will ever replace other sensors such as firewalls. It does however certainly enhance the efficacy of the said sensors, by allowing correlation of anomalous behavior within your network, with the traffic that is associated with it. Such analysis may point to a potential data exfiltration or a compromised insider. As stated before, Security Analytics and Logging enables you to additionally monitor traffic generated between your internal network elements (endpoint to access points, between switches and routers, etc.). Your firewall may not be in the path of this traffic, so may not be able to provide the depth of visibility needed for making high-fidelity convictions.

Question 2 – Apart from Security alerts based on correlation of my firewall logs and Network traffic, does Cisco Security Analytics and Logging provide any other outcomes?

It certainly does. One of the primary use cases of storing NGFW logs is providing a historical and live view of said logs. NetSec operators love (?) sitting in front of these views and scrolling to troubleshoot based on connections that have occurred at a particular time with a particular IP address. With filters on search, Security Analytics and Logging fulfills this use case, providing real-time visibility of what is happening at your firewalls. What is more, this view is rendered within the CDO (Cisco Defense Orchestrator) user interface. Furthermore, since CDO is the curator of firewall tenants analyzed by Security Analytics and Logging, it is simpler to view logs in the portal that is used to manage those very devices.

Question 3 – If I am an existing Stealthwatch Cloud customer using my private network monitoring, what accretive value can I derive from Security Analytics and Logging?

Let’s break this down. A firewall connection log has visibility beyond what just network elements can provide. An example for this could be blocked connections, which will immediately show up in the event viewer in CDO. Filtering by all ‘blocks’, the operator can plainly see the policies that was responsible for the block. This is just one example of numerous workflows /sources that contribute to enhanced visibility that results from Security Analytics and Logging.

Better efficacy with smarter security

With our new offering, get ready to leverage effective policy management with CDO powered by Stealthwatch Cloud’s advanced behavioral analytics, for total network visibility and faster breach detection. You can now make better security policy management decisions with greater visibility and threat detection capabilities across the firewall and network. As the biggest security company in the world, Cisco has committed itself to solving platform-level challenges that span all the points in your network.

The good news is that Cisco Security Analytics and Logging, is just starting up. The intent is to foster a new security paradigm, one that reduces risk and makes compliance easier; one that fuses your business and security architecture, that frees your workforce to focus their valuable time and energy on business objectives. This will empower them to think less about threats, and more about opportunities.

Continue reading

Stand Out and Attract New Clients Using LinkedIn

As someone who sells business services, you have no doubt heard the term social selling. In fact, you are probably engaging in it to some degree.

But do you consistently see measurable results from your efforts?

Investing in a modern sales strategy is the most effective way to fill your sales pipeline in the current era of digital selling.

Whether you are selling to Fortune 500 or smaller companies, improving your social selling skills is essential for attracting today’s buyer.

The basics are no longer enough as more and more companies invest in social selling training to equip their teams with the latest digital selling strategies to stay competitive.

Many people who experience poor results with social selling usually chalk it up to the fact that it doesn’t work. But nothing can be further from the truth.

In this article, I show you how you can generate new leads and clients, actively and consistently, using LinkedIn. But first, I explain what you need to do before engaging with your ideal clients on LinkedIn.

Your profile determines whether a decision-maker will click Accept

Before you even start thinking about using LinkedIn to generate new leads, you need to assess how your potential clients see you on the platform. Having a professional, client-focused presence is essential if you want decision-makers to be clicking Accept in response to your connection requests.

First impressions matter—a lot! In fact, 80% of professionals say they cannot get past a bad first impression.

You must write your LinkedIn profile with your ideal clients in mind. This can feel counterintuitive if you believe your profile should be your professional bio or CV. That’s fine if you are looking for a job, but if you want to use your LinkedIn profile as a business building tool, you need to take a different approach. That means your profile should speak to your target audience.

Here is an eye-opening fact…

No one cares about you. No one cares about me. People care only about how we can help them! That should be the focus of your LinkedIn profile.

Here are some tips to help you create a powerful LinkedIn profile:

Have a compelling headline: Your LinkedIn headline is the MOST critical part of your profile. Ensure your headline captures your readers’ attention and makes them want to click on your profile to learn more about you.

Tell your story in the About section (formerly the Summary): The About section is the perfect place for people to learn more about you. Speak directly to your ideal clients, letting them know you understand their problems and offering your solutions.

Share your current experience: Your Current Experience section is where you describe what you’re doing right now in your current position. To make your Current Work Experience section impactful, describe your company and share the most compelling information about it. Also list your products/services and the benefits your clients receive when working with you.

Add media to make your profile more engaging: You can add multimedia to some sections of your profile, including your About and Work Experience sections. This makes your profile more interactive, providing viewers with more information about you and/or your solutions to their problems.

Generate more leads with The LINK Method™

Once you have a professional, client-focused profile, you are ready to start generating prospects and building relationships on LinkedIn.

Moving relationships with prospects along too fast or too slowly on LinkedIn can negatively impact your lead generation results.

To help you achieve this delicate balance, I am sharing with you the five essential steps for successful lead generation on LinkedIn. These five steps are part of a lead generation system—The LINK Method™—I have developed specifically for LinkedIn.

Combined, these five crucial steps turn LinkedIn into a highly predictable lead generator

Here are the five steps of The LINK Method™.

Step #1: Find prospects

LinkedIn is filled with your ideal clients, and you can find them in a number of easy ways.

LinkedIn offers you a fantastic ability to find prospects through its advanced search function. The available search filters differ depending on the level of membership you have.

For example, Sales Navigator offers the most robust set of filters, enabling you to perform highly targeted searches. You can still do searches with a free or Premium account, but fewer search filters will be available to you in the advanced search function.

You can then save your most effective searches with the Saved Searches feature to get search alerts directly from LinkedIn when new leads match those sets of search parameters. LinkedIn will then compile a list of leads and prospects for you!

Step #2: Send connection request

After you locate a prospect, you need to send them a connection request.

What you put in your connection request message will largely determine whether they accept your invite.

You must personalize your connection request message and give them a reason why they should connect with you.

To write a personalized message, start by viewing the person’s profile. Your goal is to learn what is important to them personally or professionally. To write an effective request, begin the message with something personal to create an immediate connection.

Step #3: Engage in dialogue

This step consists of establishing rapport and engaging in a conversation with your new connection.

After they accept your request, send them a thank-you message. It’ll give you a chance to keep the conversation going.

Continue building rapport with them by maintaining a light dialogue with them.

Step #4: Build relationships

Most people never communicate with their LinkedIn network, and without communication, it is impossible to build relationships.

A thank-you message alone won’t achieve that. You need to send additional messages and even provide value to your new connection to continue the momentum.

When I say provide value to them, I don’t mean pitching your solutions. This is your chance to provide them with resources they would find valuable. It must be something that speaks to their top of mind problem. At this point, ask for nothing in return.

Step #5: Move conversations offline

Finally, you need to move the conversation offline—this is where you can get to know them. Only in an offline conversation will you be able to get the information necessary to understand their company and the challenges they are currently facing.

If you have established rapport, provided value, and begun to build trust with your prospects, many of them will be willing to have an offline conversation with you.

It is offline that you get to know your prospect, understand their challenges and, when appropriate, offer your solution. It’s offline that you convert a prospect to a client.

Leverage LinkedIn for lead generation

LinkedIn is an incredibly powerful tool for lead generation because it provides ungated access to decision-makers from all over the globe. LinkedIn boasts well over half a billion registered members as well as leaders of every Fortune 1000 company.

With its features, LinkedIn allows you to find, research, connect and build relationships with your leads while building your personal brand and authority in your industry.

If generating more clients is a priority for you, take the time to create a client-focused profile and then begin implementing the steps laid out in The LINK Method™. It works!

Continue reading

Future Proof SANs with Enhanced Performance, Analytics, and Automation

Cisco introduced the MDS 9700 Switches in 2013 as the foundation for next-generation data centers transitioning to flash storage – now deployed in over 80% of our customer environments. Non-volatile memory express (NVMe) technology played a key role in this rapid adoption as it unleashed the full potential of flash storage through higher performance scales and ultra-low latency.

Today, Cisco is raising the bar for storage networking with new features that further future-proof data centers to support existing and emerging applications. These include:

◈ Investment protection for NVMe and all-Flash arrays: 64G ready director, no forklift upgrade, built for the most demanding storage environments

◈ Actionable visibility and insights: TheIndustry’s first NVMe/FC analytics for deep visibility, built for customer choice and flexibility

◈ Reduced operational complexity: Extending DevOps support for IT automation with new Ansible module, including simplified integration built for advanced SAN automation

Support for 64G Fibre Channel Performance

The high performance, flexibility and reliability of Fibre Channel is now demanding the next-gen performance standards. The 64G capabilities for the MDS 9700 platform helps customers achieve better scale, bandwidth and performance to support business data growth.

And customers can support tomorrow’s mission-critical, data-hungry applications with a new Supervisor and Fabric module available via an in-place upgrade with no downtime.

Analytics for FC-SCSI and NVMe/FC

The introduction of NVMe/FC protocols has introduced a new set of challenges brought forward by the high speed and high performance of all-flash storage devices. Multiple technologies are all vying for the use of high speed Fibre Channel fabrics.

Cisco’s in-line SAN Analytics capability now includes the NVMe/FC protocol, whether customers send SCSI or NVMe over FC. The enhanced visibility is available for all products within the Cisco 32Gbps portfolio, from 8-port all the way up to models, offering 768 ports in a single chassis, and enabling faster troubleshooting of all workloads.

Customers can leverage analytics out-of-the-box for their next-generation storage infrastructure, decreasing costly troubleshooting time for fabric wide issues.

New SAN DevOps Tools Including New Ansible Modules 

Almost 95% of network changes in traditional SANs are performed manually. More than 70% of policy violations in SANs can be attributed to human error, while 75% of OpEx are attributed to network changes and troubleshooting.

Consolidating SAN management reduces the complexity of data center networks, lowers the overall cost of operations, and frees up additional resources. Cisco is introducing Ansible modules to simplify the frequent tasks in storage networks such as VSAN, device-alias, and zoning configuration.

Additional benefits for the Ansible modules include:

◈ OpEx savings: Reduce effort in deploying storage networking infrastructure and provisioning new devices for faster storage allocation to applications

◈ Improved SLA and business agility: Elimination of human-errors in repeated efforts; ability to deploy and provision new switches and storage faster

◈ Faster problem resolution and change management: Integrate changes across multiple products/vendors as a single automated work-flow

◈ Simple integration of multiple vendors: Open-standard technology enables work across multiple vendors with minimal learning curve across different products

Continue reading

Introducing the Cisco Intersight Mobile App for Data Center Visibility on the Go

With the tremendous customer adoption of Cisco Intersight, Cisco has now extended the reach of its Management-as-a-Service (MaaS) platform with the introduction of the Cisco Intersight Mobile App. The Intersight Mobile App provides a new intuitive view of Intersight managed systems, allowing users to keep an eye on what’s going on in their data center no matter where they are or what device they use.

The iOS version of the app is available now in the Apple App Store and the Android version will be available in the Google Play Store soon.

The new app provides on-the-go Health and Inventory detail for your Intersight-managed UCS and Hyperflex environment, so if a managed system’s health degrades to a point where an alarm is generated, the app will display relevant alarm detail. In addition, a comprehensive status of any Intersight-driven request can be monitored via the “Requests” dashboard.   Below we’re going to walk you through a series of screenshots with a few examples in the new app, so you see first-hand how easy it is to monitor your data center while you’re not in the office

How does it work?

The Intersight OpenAPI provides a REST-based, programmatic interface for accessing the Intersight Management Information Model that is representative of your compute environment. The App solicits this model through the API and returns a rich set of status-related details for UCS Servers, HyperFlex Clusters, and Fabric Interconnects. These details are then displayed in an easy to understand format within the App.

A quick peek at the appropriate dashboard can reveal Server, HyperFlex Cluster, or Fabric Interconnect views for your environment. These dashboards provide high-level roll-ups showing health, inventory, model, and alarm summaries.

How are my servers doing?

This dashboard is showing that there are 54 healthy systems on the Server Dashboard, with one showing up as critical. To investigate, simply select the red “Critical” hot link. Seeing that it’s C220, you can then select that server.

In this scenario, the app is showing an alarm indicating a problem with fan 1 in server 1. The user can then take this information, turn on the locator from the app and have one of the operators go and assess the situation.

HyperFlex Storage Capacity on the Go

Taking a closer look at the HyperFlex Dashboard and the HyperFlex “Top 5 Storage Utilization” summary on the bottom of the screen, it appears HX-SJC-01 has a capacity warning. Digging deeper into the HyperFlex Cluster Details for HX-SJC-01, it appears 61.8% of 110.6 TB is in use. This information tells the app user that they’ll need to keep an eye on the situation.

The Intersight App can also be used to monitor the progress of requests initiated through Intersight. For instance, if someone kicked off an OS installation on one of their C240 servers the previous day, they can see if – and how – that finished up. In the screenshot below it appears that the task is complete, and only took 38 minutes.

Here is a complete list of my current alarms.  There are several issues being flagged with varying levels of severity.  The alarms provide a level of visibility that enables IT teams to prioritize and be proactive in managing their infrastructure.

This is just the beginning for Intersight’s Mobile App. With this introductory version of the mobile app, users get:

◈ On-the-go health and inventory detail
◈ HyperFlex capacity detail
◈ Status and monitoring of Intersight-driven requests

Continue reading

How 5G Will Accelerate Industrial IoT

2019 is shaping up to be a remarkable time in the 5G technology global roll-out. With its higher data rate, ultra-reliable and lower latency connectivity, and massive scale of machine-to-machine communication, 5G carries enormous potential.

With 5G and cellular, consumers will enjoy UHD 4K/8K video streaming, virtual reality, augmented reality, immersive entertainment, and interactive gaming – a great personal experience.

But, how will 5G boost the industrial market? Will it translate to big opportunities in the next decade across manufacturing, mining, oil and gas, utilities, transportation, and other verticals? Let’s explore how 5G will accelerate industrial IoT (IIoT).

Diversity in Industrial IoT

Industrial IoT offers lots of opportunities. The use cases span the spectrum: from indoor to outdoor, less demanding to mission-critical, data rate from dozens of bps to gbps, device motion from fixed to mobility, and power source from button battery to high voltage.

Some of the most common scenarios for IIoT include predictive maintenance, smart metering, asset tracking, and fleet management. 5G will create continued diversity and expansion for the possibilities of IIoT.

5G Inspires Untapped Frontiers

Many industrial IoT use cases mandate wide mobility, low latency, and mission-critical reliability, such as mobile robot control in production automation and autonomous vehicles in open pit mining. These use cases rely on wireless access at 50ms to 1ms latency and service reliability from 5 nines to 6 nines.

4G/LTE has attempted to address these use cases,but has often failed due to unsatisfactory performance. 5G’s combination of ultra-reliable and low latency connection will extend industrial IoT to unconquered spaces.

Managing the Enterprise 5G Network

Typically, enterprise IT is responding to the business demand from Operational Technology (OT) and mandates security, integration, visibility, control, and compatibility. In this scenario, 5G is not about “what,” but about “how.” IT needs to consider the right approach to bring 5G to the enterprise and decide whether to co-manage with the service provider (SP) or self-manage. The experience of IT in managing Industrial Ethernet and Wi-Fi may not hold when it comes to 5G. IT will likely require OT’s partnership to address complexity, security, integration, and other new challenges that 5G presents.

Multiple Access Technologies Coexisting

What are Cisco customers saying? We’re seeing an eagerness to move to 5G, but also concerns around coverage and costs. The video streaming and interactive gaming we mentioned before are going to gobble up data. And data = $$$.

While excited for the coming of 5G, customers realize that other access technologies will continue their irreplaceable roles in various capacities:

◈ Manufacturing needs strictly deterministic time synchronization for discrete automation. Industrial Ethernet is the only option today offering TSN (Time-Sensitive Networking) capability. HD video surveillance and AGV (Automated Guided Vehicle) operation around the warehouse requires higher throughput and full wireless coverage. Wi-Fi 6 is the more flexible and economical option in this case.

◈ Mining and oil/gas customers want to connect production fleets, trucks, assets, and workers at remote sites. It might make sense to use private LTE to solve for the lack of public cellular coverage.

◈ Utility advanced metering infrastructure (AMI) demands millions of electricity meters get connected at lower costs. RF-Mesh is commonly adopted by running on unlicensed ISM bands and resilient self-formed topology.

The beauty of access technologies is that they don’t – and won’t – compete with each other, but instead work together to meet the diverse requirements of IIoT from different angles. To find success, customers should marry 5G and Wi-Fi 6 to existing technologies, as driven by use cases.

Cisco is committed to helping those with secured access technologies embrace the advent of both 5G and Wi-Fi 6. We are constantly exploring use cases that support future technology development and how to achieve the best outcomes. Our latest industrial wireless portfolio, including the Cisco IR1101 Integrated Services Router Rugged, is a prime example of building for the future.

Continue reading

Five Industries for Monetizing your 5G Investment

Unless you’ve been living in a cave for the last few years, you probably know that the fifth generation of cellular network technology, 5G, is going to unleash some serious power with lower latency, higher bandwidth, greater density, and network slicing. There’s been a lot of talk about everything from self-driving cars and robots to refrigerators that can sense that you’re out of broccoli and call the store to restock your supply of cruciferous vegetables.

Although a lot of hype surrounds 5G, it clearly does have the power to transform established industries. It will affect business models and customer’s experiences and interactions across the globe.

What is 5G?

Whether it’s on the move or standing in place, everything needs to be connected. Mobility will play an increasing role in connecting everyone and everything. With the rise of interconnectivity comes a variety of new wireless technologies that are going to have to coexist. Wi-Fi 6, CBRS, and 5G are all similar in terms of what they are going to deliver. However, each of them uses different means to deliver these capabilities.

We’ve come to a major inflection point with 5G. Because of the wireless nature, it will allow us to accelerate digital disruption. At the same time, the new attributes of 5G will allow it to take on characteristics that were previously reserved for wired technologies. An added benefit is that wireless is more cost effective than wired connections.

Although 5G will primarily be used for outdoor connections, it will be able to seamlessly connect indoors as well. It will coexist with Wi-Fi 6 and CBRS, so users won’t be able to detect a hand-off.

How does this seamless experience work? A major difference in the 5G era is behind the radios. Software-defined “telco cloud” networks will be the foundation of intent-based networks. This will allow service providers to offer customers the tools and experiences they need and want.

5G for Service Providers and Enterprises

Service providers are at the center of the move to 5G, working to deliver network services. Enterprises will have to make a choice: do they want to buy from a service provider or build a 5G network themselves?

The relationship between industries and service providers will change as industries rely on providers for more applications, features, and services. Service providers can commit to new business models, cost models, and service levels. By playing a larger role, service providers can give industries the confidence to make the transition to 5G.

5G Blog Series

We want to shed some light on how service providers and enterprises across industries can fully reach their 5G potential. To do so, we’ve worked with several of our resident subject matter experts to show you some ways 5G can help companies cut costs and increase revenue. In the next five blogs, we’ll focus on two common themes: the rise of the sensor ecosystem and the impact of 5G on knowledge workers.

Cisco is at the center of the move to 5G because we provide the technologies that are going to enable the transition. We want our customers to do the disrupting before they get disrupted.

We’re going to roll out this blog series each Monday for the next five weeks. Each blog post centers on a different key industry that we expect will go through a major transformation with the advent of 5G: retail, healthcare, industrials, smart cities, and education.

We could write a blog about every industry out there because 5G will be that far-reaching. However, we’ve chosen these five industries because many people can relate to them. These industries affect people’s everyday lives, and we’ll all feel positive change when the promise of 5G evolves into a reality.

Continue reading