Showing posts with label AMP.

Tuesday, 22 September 2020

Threat Landscape Trends: Endpoint Security, Part 1

Part 1: Critical severity threats and MITRE ATT&CK tactics

In the ongoing battle to defend your organization, deciding where to dedicate resources is vital. To do so efficiently, you need to have a solid understanding of your local network topology, cloud implementations, software and hardware assets, and the security policies in place. On top of that, you need to have an understanding of what’s traveling through and residing in your environment, and how to respond when something is found that shouldn’t be there.

This is why threat intelligence is so vital. Not only can threat intelligence help to defend what you have, it can tell you where you’re potentially vulnerable, as well as where you’ve been attacked in the past. It can ultimately help inform where to dedicate your security resources.

What threat intelligence can’t tell you is exactly where you’ll be attacked next. There’s no perfect way to predict an attacker’s next move. The closest you can come is knowing what’s happening in the larger threat landscape, that is, how attackers are targeting organizations across the board. From there it’s possible to make critical, informed decisions based on the data at hand.

This is the purpose of this new blog series, Threat Landscape Trends. In it, we’ll be taking a look at activity in the threat landscape and sharing the latest trends we see. By doing so, we hope to shed light on areas where you can quickly have an impact defending your assets, especially if dealing with limited security resources.

To do this, we’ll dive into various Cisco Security technologies that monitor, alert, and block suspected malicious activity. Each release will focus on a different product, given the unique view of activity each can provide, informing you on different aspects of the threat landscape.

Beginning at the endpoint

To kick off the series, we’ll begin with Cisco’s Endpoint Security solution. Over the course of two blog posts we’ll examine what sort of activity we’ve seen on the endpoint in the first half of 2020. In the first, we’ll look at critical severity threats and the MITRE ATT&CK framework. In part two, to be published in the coming weeks, we’ll dive deeper into the data, providing more technical detail on threat types and the tools used by attackers.

To protect an endpoint, Cisco’s Endpoint Security solution leverages a protection lattice comprised of several technologies that work together. We’ll drill down into telemetry from one of these technologies here: the Cloud Indication of Compromise (IoC) feature, which can detect suspicious behaviors observed on endpoints and look for patterns related to malicious activity.

In terms of methodology for the analysis that follows, the data is similar to alerts you would see within the dashboard of Cisco’s Endpoint Security solution, only aggregated across organizations to get the percentage of organizations that have encountered particular IoCs as a baseline. The data set covers the first half of 2020, from January 1st through June 30th. We’ll cover this in more detail in the Methodology section at the end of this post, but for now, let’s dive into the data.

Threat severity

When using Cisco’s Endpoint Security solution, one of the first things you’ll notice in the dashboards is that alerts are sorted into four threat severity categories: low, medium, high, and critical. Here is a breakdown of these severity categories in terms of the frequency that organizations encountered IoC alerts:


Percentage of low, medium, high, and critical severity IoCs

As you might expect, the vast majority of alerts fall into the low and medium categories. There’s a wide variety of IoCs within these severities. How serious a threat the activity leading to these alerts pose depends on a number of factors, which we’ll look at more broadly in part two of this blog series.

For now, let’s start with the most serious IoCs that Cisco’s Endpoint Security solution will alert on: the critical severity IoCs. While these make up a small portion of the overall IoC alerts, they’re arguably the most destructive, requiring immediate attention if seen.


Critical severity IoCs

Sorting the critical IoCs into similar groups, the most common threat category seen was fileless malware. These IoCs indicate the presence of fileless threats—malicious code that runs in memory after initial infection, rather than through files stored on the hard drive. Here, Cisco’s Endpoint Security solution detects activity such as suspicious process injections and registry activity. Some threats often seen here include Kovter, Poweliks, Divergent, and LemonDuck.

Coming in second are dual-use tools leveraged for both exploitation and post-exploitation tasks. PowerShell Empire, Cobalt Strike, PowerSploit, and Metasploit are four such tools currently seen here. While these tools can be used for legitimate activity such as penetration testing, bad actors frequently utilize them. If you receive such an alert and do not have an authorized exercise in progress, an immediate investigation is in order.

The third most frequently seen IoC group is another category of dual-use tools. Credential dumping is the process malicious actors use to scrape login credentials from a compromised computer. The most commonly seen of these tools in the first half of 2020 was Mimikatz, which Cisco’s Endpoint Security solution caught dumping credentials from memory.

All told, these first three categories comprise 75 percent of the critical severity IoCs seen. The remaining 25 percent contains a mix of behaviors known to be carried out by well-known threat types:
  • Ransomware threats like Ryuk, Maze, BitPaymer, and others
  • Worms such as Ramnit and Qakbot
  • Remote access trojans like Corebot and Glupteba
  • Banking trojans like Cridex, Dyre, Astaroth, and Azorult
  • …and finally, a mix of downloaders, wipers, and rootkits

MITRE ATT&CK tactics


Another way to look at the IoC data is by using the tactic categories laid out in the MITRE ATT&CK framework. Within Cisco’s Endpoint Security solution, each IoC includes information about the MITRE ATT&CK tactics employed. These tactics can provide context on the objectives of different parts of an attack, such as moving laterally through a network or exfiltrating confidential information.

Multiple tactics can also apply to a single IoC. For example, an IoC that covers a dual-use tool such as PowerShell Empire covers three tactics:
  • Defense Evasion: It can hide its activities from being detected.
  • Execution: It can run further modules to carry out malicious tasks.
  • Credential Access: It can load modules that steal credentials.
With this overlap in mind, let’s look at each tactic as a percentage of all IoCs seen:


IoCs grouped by MITRE ATT&CK tactics

By far the most common tactic, Defense Evasion appears in 57 percent of the IoC alerts seen. This isn’t surprising, as actively attempting to avoid detection is a key component of most modern attacks.

Execution also appears frequently, at 41 percent, as bad actors often launch further malicious code during multi-stage attacks. For example, an attacker that has established persistence using a dual-use tool may follow up by downloading and executing a credential dumping tool or ransomware on the compromised computer.

Two tactics commonly used to gain a foothold, Persistence and Initial Access, come in third and fourth, showing up 12 and 11 percent of the time, respectively. Command and Control rounds out the top five tactics, appearing in 10 percent of the IoCs seen.

Critical tactics

While this paints an interesting picture of the threat landscape, things become even more interesting when combining MITRE ATT&CK tactics with IoCs of a critical severity.


Critical severity IoCs grouped by MITRE ATT&CK tactics

For starters, two of the tactics were not seen in the critical severity IoCs at all, and two more registered less than one percent. This effectively removes a third of the tactics from focus.

What’s also interesting is how the frequency has been shuffled around. The top three remains the same, but Execution is more common amongst critical severity IoCs than Defense Evasion. Other significant moves when filtering by critical severity include:

  • Persistence appears in 38 percent of critical IoCs, as opposed to 12 percent of IoCs overall.
  • Lateral Movement jumps from 4 percent of IoCs seen to 22 percent.
  • Credential Access moves up three spots, increasing from 4 percent to 21 percent.
  • The Impact and Collection tactics both see modest increases.
  • Privilege Escalation plummets from 8 percent to 0.3 percent.
  • Initial Access drops off the list entirely, previously appearing fourth.

Defending against the critical


This wraps up our high-level rundown of the IoC data. So armed with this information about the common threat categories and tactics, what can you do to defend your endpoints? Here are a few suggestions about things to look at:

Limit execution of unknown files

If malicious files can’t be executed, they can’t carry out malicious activity. Use group policies and/or “allow lists” for applications that are permitted to run on endpoints in your environment. That’s not to say that every control available should be leveraged in order to completely lock an endpoint down—limiting end-user permissions too severely can create entirely different usability problems.

If your organization uses dual-use tools for activities like remote management, severely limit the number of accounts permitted to run them, granting access only temporarily and only when the tools are needed.

Monitor processes and the registry

Registry modification and process injection are two primary techniques used by fileless malware to hide its activity. Monitoring the registry for unusual changes and looking for strange process injection attempts will go a long way towards preventing such threats from gaining a foothold.
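A concrete form of the registry and process-injection monitoring described above, as an added example that is not part of the original post and not Cisco’s IoC logic: a small triage script over Sysmon-style event records (Event ID 13 RegistryValueSet and Event ID 8 CreateRemoteThread). The host names, field names and event records are constructed for illustration. The indicators are generic ones for the fileless threats named earlier: a Run-key value that starts a script host with inline or encoded script rather than a plain executable path, and a script host creating a thread in another process at an address not backed by any loaded module.

```python
"""Added example: flag registry-based fileless persistence and suspicious process
injection in Sysmon-style events. Event records below are constructed."""
import re
from dataclasses import dataclass

# Autostart keys that fileless loaders such as Kovter/Poweliks hijack so a script
# host re-reads the payload from the registry at every logon (ATT&CK: Persistence).
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices|Policies\\Explorer\\Run)\\", re.I)
SCRIPT_HOSTS = ("mshta", "powershell", "pwsh", "regsvr32", "rundll32", "wscript", "cscript")
SUSPICIOUS_VALUE = [
    (re.compile(r"\b(javascript|vbscript):", re.I), "inline script in Run value"),
    (re.compile(r"\s-(enc|encodedcommand|ec?)\s", re.I), "encoded PowerShell command"),
    (re.compile(r"WScript\.Shell|Shell\.Application|GetObject\(", re.I), "COM scripting in Run value"),
    (re.compile(r"-(w|windowstyle)\s*hidden|-nop\b|-noni\b", re.I), "hidden/non-interactive PowerShell flags"),
]
# Processes an implant commonly injects into to blend in (ATT&CK: Defense Evasion).
INJECTION_TARGETS = ("explorer", "svchost", "dllhost", "regsvr32", "notepad")


@dataclass
class Finding:
    host: str
    tactic: str
    reason: str
    evidence: str


def exe_name(path):
    """'C:\\Windows\\System32\\mshta.exe' -> 'mshta'."""
    name = path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def check_registry_set(ev):
    """Sysmon Event ID 13: a Run-key value that launches a script host with
    script content or encoded commands instead of a plain executable path."""
    if ev.get("event_id") != 13 or not RUN_KEY.search(ev.get("target_object", "")):
        return []
    data = ev.get("details", "")
    findings = [Finding(ev["host"], "Persistence", why, data[:80])
                for pattern, why in SUSPICIOUS_VALUE if pattern.search(data)]
    uses_script_host = re.search(r"\b(%s)(\.exe)?\b" % "|".join(SCRIPT_HOSTS), data, re.I)
    if uses_script_host and not findings:
        findings.append(Finding(ev["host"], "Persistence", "script host launched from Run key", data[:80]))
    return findings


def check_remote_thread(ev):
    """Sysmon Event ID 8: a script host creating a thread in another process whose
    start address is not backed by any loaded module (classic injected code)."""
    if ev.get("event_id") != 8:
        return []
    src, dst = exe_name(ev.get("source_image", "")), exe_name(ev.get("target_image", ""))
    unbacked = ev.get("start_module", "-") in ("", "-")
    if src in SCRIPT_HOSTS and dst in INJECTION_TARGETS and unbacked:
        return [Finding(ev["host"], "Defense Evasion",
                        "remote thread from script host into unbacked memory", f"{src} -> {dst}")]
    return []


def triage(events):
    """Run both checks over a batch of events and return every finding."""
    findings = []
    for ev in events:
        findings += check_registry_set(ev)
        findings += check_remote_thread(ev)
    return findings


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"host": "WS01", "event_id": 13,
     "target_object": "HKU\\S-1-5-21-1111111111-2222222222-3333333333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update",
     "details": 'mshta javascript:"\\..\\mshtml,RunHTMLApplication ";h=new ActiveXObject("WScript.Shell");'
                'h.run("powershell -nop -w hidden -enc SQBFAFgA",0,true);'},
    {"host": "WS02", "event_id": 13,
     "target_object": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "details": '"C:\\Program Files\\Vendor\\agent.exe" --tray'},
    {"host": "WS01", "event_id": 8, "source_image": "C:\\Windows\\System32\\mshta.exe",
     "target_image": "C:\\Windows\\explorer.exe", "start_module": "-", "start_function": "-"},
    {"host": "WS03", "event_id": 8, "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\explorer.exe",
     "start_module": "C:\\Windows\\System32\\ntdll.dll", "start_function": "RtlUserThreadStart"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.host}  {f.tactic:16} {f.reason}: {f.evidence}")
```

On the constructed events the script reports the WS01 Run value four times (inline script, encoded command, COM scripting, hidden flags) and the mshta-to-explorer remote thread once, while the vendor agent’s plain path and the csrss thread backed by ntdll are left alone. The value-data patterns are the part to tune to your environment; the remote-thread rule is deliberately narrow (script host source, unbacked start address) to keep it quiet on legitimate software.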

Monitor connections between endpoints

Keep an eye on the connections between different endpoints, as well as connections to servers within the environment. Investigate if two machines are connecting that shouldn’t, or an endpoint is talking to a server in a way that it doesn’t normally. This could be a sign that bad actors are attempting to move laterally across a network.

Thursday, 17 September 2020

Cisco Secure Remote Worker Architecture for Azure

Today companies are investing in empowering their workforce to have a secure connection to the resources hosted in the Cloud. Cisco provides a secure remote worker solution that uses the Cisco AnyConnect Secure Mobility Client, Cisco Duo, Cisco Umbrella, and Cisco Advanced Malware Protection (AMP) for Endpoints.

◉ Cisco AnyConnect Secure Mobility Client: Cisco AnyConnect Secure Mobility Client empowers remote workers with frictionless, highly secure access to the enterprise network from any device, at any time, in any location while protecting the organization. It provides a consistent user experience across devices, both on and off-premises, without creating a headache for your IT teams. Simplify management with a single agent.

◉ Cisco Duo: Cisco Duo is a user-friendly, scalable way to keep business ahead of ever-changing security threats by implementing the Zero Trust security model. Multi-factor authentication from Duo protects the network by using a second source of validation, like a phone or token, to verify user identity before granting access. Cisco Duo is engineered to provide a simple, streamlined login experience for every remote user. As a cloud-based solution, it integrates easily with your existing technology and provides administrative, visibility, and monitoring.

◉ Cisco Umbrella Roaming Security Module: Cisco Umbrella Roaming Security module for Cisco AnyConnect provides always-on security on any network, anywhere, any time — both on and off your corporate VPN. The Roaming Security module enforces security at the DNS layer to block malware, phishing, and command and control callbacks over any port. Umbrella provides real-time visibility into all internet activity per hostname both on and off your network or VPN.

◉ Cisco Advanced Malware Protection (AMP) Enabler: Cisco AnyConnect AMP Enabler module is used as a medium for deploying Advanced Malware Protection (AMP) for Endpoints. It pushes the AMP for Endpoints software to a subset of endpoints from a server hosted locally within the enterprise and installs AMP services to its existing user base. This approach provides AnyConnect user base administrators with an additional security agent that detects potential malware threats in the network, removes those threats, and protects the enterprise from compromise. It saves bandwidth and time taken to download, requires no changes on the portal side, and can be done without authentication credentials being sent to the endpoint. AnyConnect AMP Enabler protects the user both on and off the network or VPN.


Figure 1 – Components of the Cisco secure remote worker solution

Cisco Secure Remote Worker Architecture for Azure


Today organizations consume services, workloads, and applications hosted in Azure (public cloud). Azure provides a wide range of services that offer ease of use, orchestration, and management. Customers are embracing these services, but this consumption model also opens another attack surface. Using Cisco security controls, customers can provide a secure connection to the Azure cloud infrastructure. The remote access VPN architecture described here protects multi-VNet, multi-AZ (availability zone) deployments by extending the Cisco Secure Remote Worker solution. It brings together Cisco Security and Azure Infrastructure-as-a-Service (IaaS) and extends remote access VPN capabilities with Duo, Umbrella, and AMP Enabler.


Figure 2 – Secure Remote Worker architecture for multi-VNet, multi-AZ

The above network design has the following components and services:

◉ Cisco ASAv or Cisco NGFWv for Remote access VPN termination (TLS or DTLS)
◉ Cisco AnyConnect Secure Mobility Client on the endpoints
◉ Microsoft Windows 2019 Active Directory for LDAP
◉ Cisco Duo for Multi-Factor Authentication
◉ Umbrella Security Roaming Module for DNS Layer Security
◉ AMP Enabler for protection against Malware

This architecture is designed on the basis of the hub and spoke model: the hub VNet hosts the firewalls for VPN termination and is connected to the spoke VNets using VNet peering. VNet peering rides the Azure backbone network, which provides higher throughput.

◉ Remote Access VPN sessions are load balanced by Azure Traffic Manager
◉ Azure Internal Load Balancer (Standard) is used for non-VPN traffic load balancing (East/West)
◉ Azure External/Public Load Balancer is used for non-VPN traffic load balancing (North/South)

Traffic Flow 


Remote Access VPN: Azure does not expose the layer-2 adjacency that native firewall HA and VPN load balancing rely on. To get resiliency and VPN load balancing, you must rely on native cloud services such as Azure Traffic Manager (ATM), DNS, and UDRs. In this architecture, VPN users connect to the Traffic Manager DNS name; ATM, which is DNS based, probes every firewall and answers with the address of a healthy one, spreading VPN sessions across the VPN connection endpoints (the Cisco firewalls).

◉ Each Firewall has a separate VPN pool
◉ Azure User Defined Route (UDR) forwards traffic back to the correct firewall
◉ Azure Traffic Manager load balances the RAVPN traffic
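The three bullets above describe a return-path requirement that is easy to get wrong: because each firewall owns its own VPN pool, every spoke must route each pool back to the specific firewall that terminates it, not to the ILB. The following is an added example, not part of the original architecture guide, that checks a declared route design for that property before it is pushed to Azure. All addresses, firewall names and spoke names are constructed; the 10.82.x.x hub addressing is only an assumption modelled on the outside-subnet gateway mentioned later in the post.

```python
"""Added example: sanity-check the UDR design for the RA VPN traffic flow above.
Addresses and names are constructed, not taken from the original architecture."""
import ipaddress


def lpm(routes, addr):
    """Longest-prefix match over a list of (prefix, next_hop) UDR entries, the
    way an Azure route table picks a next hop. Returns None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return None if best is None else best[1]


def validate(design):
    """Return a list of design problems; an empty list means the flow is symmetric.

    Each firewall terminates its own VPN pool, so a reply to a VPN client has to
    leave the spoke through the same firewall. A spoke that only carries the
    default route to the ILB hands the reply to whichever firewall the ILB picks,
    and the session breaks whenever that is not the firewall holding the tunnel.
    """
    issues = []
    pools = [(fw["name"], ipaddress.ip_network(fw["vpn_pool"])) for fw in design["firewalls"]]
    for i, (name_a, pool_a) in enumerate(pools):
        for name_b, pool_b in pools[i + 1:]:
            if pool_a.overlaps(pool_b):
                issues.append(f"VPN pools of {name_a} ({pool_a}) and {name_b} ({pool_b}) overlap")
    for spoke in design["spokes"]:
        routes = spoke["routes"]
        if ("0.0.0.0/0", design["ilb_vip"]) not in routes:
            issues.append(f"{spoke['name']}: default route does not point at the ILB VIP {design['ilb_vip']}")
        for fw in design["firewalls"]:
            pool = ipaddress.ip_network(fw["vpn_pool"])
            client = str(pool.network_address + 10)  # any address inside the pool
            hop = lpm(routes, client)
            if hop != fw["inside_ip"]:
                issues.append(f"{spoke['name']}: return traffic for {fw['name']} pool {pool} "
                              f"goes to {hop}, expected {fw['inside_ip']}")
    return issues


DESIGN = {  # constructed addressing for a two-firewall hub and two spokes
    "ilb_vip": "10.82.2.100",
    "firewalls": [
        {"name": "fw-az1", "inside_ip": "10.82.2.4", "vpn_pool": "172.16.1.0/24"},
        {"name": "fw-az2", "inside_ip": "10.82.2.5", "vpn_pool": "172.16.2.0/24"},
    ],
    "spokes": [
        {"name": "spoke-app", "routes": [
            ("0.0.0.0/0", "10.82.2.100"),
            ("172.16.1.0/24", "10.82.2.4"),
            ("172.16.2.0/24", "10.82.2.5"),
        ]},
        {"name": "spoke-db", "routes": [
            ("0.0.0.0/0", "10.82.2.100"),
            ("172.16.1.0/24", "10.82.2.4"),
            # no route for fw-az2's pool: replies to those clients fall through to
            # the default route and the ILB may deliver them to fw-az1
        ]},
    ],
}

if __name__ == "__main__":
    for issue in validate(DESIGN) or ["no issues found"]:
        print(issue)
```

Run against the constructed design it reports a single problem, the missing pool route in spoke-db; spoke-app, which carries one route per pool with the matching firewall inside address as next hop (next hop type VirtualAppliance when you build it in Azure), passes. The same check is worth repeating whenever a firewall or a VPN pool is added, since every spoke route table has to change with it.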


Figure 3 – Secure Remote Worker architecture for multi-VNet, multi-AZ (RA VPN Traffic Flow)

Non-VPN (East/West): Firewalls in the hub VNet inspect east-west traffic. Each subnet in a spoke VNet has a route table with a user-defined route (UDR) pointing to the Azure ILB virtual IP address. Traffic lands on the ILB, which forwards it to a firewall. The firewall inspects the traffic and, if it is allowed, sends it to the destination VNet over the VNet peering. Return traffic is forwarded back to the ILB because a similar UDR is applied in the destination VNet. The ILB maintains flow state and sends the return traffic to the same firewall that processed the first packet of the flow.


Figure 4 – Non-VPN East/West Traffic Flow

Non-VPN (North/South)

◉ Outbound Traffic Flow: Each spoke subnet has a route table associated with it. A UDR controls traffic routing, with a default route that points to the ILB’s virtual IP (VIP). The ILB in the hub VNet points to the firewalls for internet connectivity. Internet traffic is load-balanced across the perimeter firewalls and SNATed to the outside interface IP address. Outbound traffic does not traverse the external load balancer, because a public IP is mapped to the outside interface of each firewall and the UDR on the outside subnet uses 10.82.1.1 as its default gateway. The Azure ILB used in this architecture is the Standard SKU, which requires an explicit Azure NSG to allow traffic to the backend firewalls. An NSG is applied to the inside and outside interfaces of the firewalls; in this design it carries an allow-all rule, but you can restrict traffic according to your information security policy.


Figure 5 – Non-VPN North/South (Outbound Traffic Flow)

◉ Inbound Traffic Flow: External users access a frontend IP on the Azure public load balancer (ELB), whose backend pool contains the firewalls’ outside interfaces. The ELB load-balances incoming non-VPN traffic and sends it to a firewall; if the traffic is allowed, the firewall SNATs it to its inside interface address so that the return traffic comes back through the same firewall (traffic symmetry).


Figure 6 – Non-VPN North/South (Inbound Traffic Flow)

Thursday, 30 January 2020

Securing Industrial IoT

It’s hard to ignore the ubiquity of the internet of things (IoT). Even if you’re one of those holdouts that doesn’t own consumer IoT devices such as a smart speaker, internet-connected thermostat, or a smart watch, industrial IoT (IIoT) devices—a subset of the IoT landscape—are already playing a part in your daily life. From the delivery of water and electricity, to manufacturing, to entertainment such as amusement park rides, IIoT devices are part of more industries than not, and have been for some time. Gartner recently estimated that there were 4.8 billion IIoT assets in the world at the end of 2019, and expects that number will grow by 21 percent in 2020.


The biggest issue faced in many operational technology (OT) environments, which host IIoT assets, isn’t just this growth, but also dealing with older industrial control systems (ICS) that have sometimes been in operation as long as 30 years. Many of these assets have been connected to the network over the years, making them susceptible to attacks. These legacy devices were often deployed on flat networks, at a time when the need for security took a back seat to other priorities, such as high availability and performance.

The discovery of vulnerabilities in these systems doesn’t always mean that patches are, or even can be, rolled out to fix them. Patching many of these IIoT assets means taking them offline—something that’s not always an option with critical infrastructure or production lines that rely on high availability. So patches are often not applied, and vulnerabilities stack up as devices age, leaving attackers with a large swath of exploits to attempt in the pursuit of compromising IIoT assets.

And the number of vulnerabilities discovered in IIoT devices is growing, as is evident in research carried out by Cisco Talos’ Security Research Team, whose mission is to discover vulnerabilities before the bad guys do. During their look back at 2019, Talos pointed out that they published 87 advisories about vulnerabilities in IoT and ICS devices—by far the largest category for the year. In fact, there were 23 percent more advisories published in this space than there were for desktop operating systems, the second largest category, and historical mainstay targeted by attackers.

This isn’t all that surprising in a field that’s growing this fast. But it’s worth considering how adding new assets into a network, as well as securely maintaining the OT network where assets reside, presents new challenges and naturally increases the attack surface.

So, if you’re using IIoT assets in your business, what sorts of threats do you need to look out for? And how do you protect your devices?

Getting in


The good news is that most IIoT assets aren’t directly exposed to the internet, meaning attackers must rely on other methods to get to them. In essence, the same techniques used in other attacks are used to get to IIoT assets.

The most common vector for compromise—email—certainly applies here. An attacker can attempt to gather information about engineers, plant managers, and developers that have access to IIoT systems and specifically target them with phishing emails. Compromising a computer owned by any of these users can be the most direct path to compromising IIoT assets.

Unpatched systems, simple or default device passwords, and relaxed remote access policies for maintenance contractors all offer attackers avenues of approach. Weaknesses in any of these can provide ways for an attacker to move laterally and gain access.

The reality is that IIoT-specific threats are not that common. There are threats that have attacked general IoT devices en masse, such as Mirai and VPNFilter, and there are threats like Stuxnet that specifically targeted PLCs. Such highly targeted threats are of course cause for concern. But it’s far more likely that an IIoT device will be compromised and reconfigured by an attacker than infected by a trojan or a worm.

Scorching the earth


Let’s say an attacker sets their sights on bringing a particular business to its knees. He or she begins by crafting an enticing phishing email with a malicious PDF and sends it to HR in the guise of a job application. The employee responsible for monitoring job enquiries opens the PDF, effectively compromising the computer.

The attacker works his or her way laterally through the network, monitoring network traffic and scanning compromised systems, looking for logins and authentication tokens. Without multi-factor authentication enabled for access, they encounter few issues in doing so. The attacker eventually manages to compromise a domain controller, where they deploy malware using a Group Policy Object (GPO), successfully compromising the entire IT network.

Due to poor segmentation, the attacker manages to eventually work his or her way to the OT network. Once in, the attacker performs reconnaissance, flagging the IIoT assets present. The attacker identifies vulnerable services in the assets, exploits them, and knocks them offline.

Production grinds to a halt and the business is effectively shut down.

Defense with an arm behind your back


So how do you defend your IIoT assets and the OT network as a whole against attacks, especially for high-availability assets that can’t readily be brought down to patch?

Network monitoring is often the most effective step you can take. However, it’s important to passively monitor the traffic when it comes to IIoT assets. Active monitoring, where traffic is generated and sent through the network specifically to observe its behavior, can result in an increased load on the network, causing disruptions to device performance and even causing them to fail. In contrast, passive scanning listens to the traffic, fingerprinting what it sees, rather than introducing new traffic into the OT environment.

Keeping a current inventory of assets on the network is also very important in protecting the IT and OT networks. Passive monitoring can help to identify assets on the network, including errant and rogue devices. With a comprehensive list of devices, you can create policies for asset groups.

It’s also very important to segment your networks. Having a complete asset inventory and policies in place will help when figuring out how to segment your IIoT assets and the OT network. While this may not prevent a determined attacker from crossing the boundaries between different areas of the network, it can slow them down, providing more time to respond in the case of an attack. Explore implementing zones and conduits as discussed in ISA99 and IEC 62443 within your organization.

However, it’s worth noting that many IIoT assets leverage broadcast and multicast network communications, where one or more devices will send traffic to all other devices on the network. This can pose a challenge when aggressively segmenting a network. To address this, having a complete inventory of assets on the network is important. Strong dataflow mapping is also helpful when it comes to knowing which assets are talking to each other and how they interact as a whole.

Patching IIoT assets as soon as possible after a vulnerability is discovered is highly recommended. But if it isn’t possible to take a device offline to patch, then visibility becomes critical. It’s important to know what assets you have and the network layout to identify what absolutely must be patched. It may also be worth exploring IIoT redundancy within your network, allowing you to take one device down while others pick up the load during maintenance cycles.


Being able to detect IIoT traffic anomalies is also very helpful. Look for behavior that falls outside of what is expected, such as two IIoT assets talking to each other that shouldn’t be, unplanned firmware updates, unexpected configuration changes, or other anomalies.
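The asset inventory, zone-and-conduit segmentation, broadcast caveat and anomaly checks above fit together as one passive policy, and the following added example shows that policy applied to observed flows. It is illustrative code written for this page, not Cisco Cyber Vision logic; the inventory, zones, conduits and flow records are constructed, the flows are assumed to come from a passive tap or SPAN port with the Modbus function code already decoded, and the /24-segment assumption in the broadcast test is just that, an assumption.

```python
"""Added example: passive zone/conduit policy check over OT flow records.
Inventory, zones, conduits and flows are constructed for illustration."""
import ipaddress

# Asset inventory built from passive discovery: address -> (asset name, IEC 62443 zone).
INVENTORY = {
    "10.10.1.10": ("hmi-01", "supervisory"),
    "10.10.1.11": ("historian", "supervisory"),
    "10.10.2.20": ("plc-line1", "cell-1"),
    "10.10.2.21": ("plc-line2", "cell-1"),
    "10.10.3.30": ("eng-ws", "engineering"),
}
# Conduits: (src_zone, dst_zone, dst_port) -> Modbus function codes allowed on it.
# Supervisory systems may only read; writes (configuration changes) are reserved
# for the engineering zone.
CONDUITS = {
    ("supervisory", "cell-1", 502): {1, 2, 3, 4},
    ("engineering", "cell-1", 502): {1, 2, 3, 4, 5, 6, 15, 16},
}
MODBUS_WRITES = {5, 6, 15, 16, 22, 23}


def is_broadcast(addr):
    """Multicast, limited broadcast, or (assuming /24 segments) directed broadcast."""
    ip = ipaddress.ip_address(addr)
    return ip.is_multicast or addr == "255.255.255.255" or addr.endswith(".255")


def classify(flow):
    """Return the alerts for one passively observed flow; empty means it conforms."""
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    if src not in INVENTORY:
        return [f"rogue device {src} talking to {dst}:{dport}"]
    if is_broadcast(dst):
        # Many IIoT protocols discover peers by broadcast; an inventoried source is fine.
        return []
    if dst not in INVENTORY:
        return [f"{INVENTORY[src][0]} contacted unknown asset {dst}:{dport}"]
    src_name, src_zone = INVENTORY[src]
    dst_name, dst_zone = INVENTORY[dst]
    if src_zone == dst_zone:
        return []  # intra-zone traffic is governed by the zone, not by a conduit
    allowed = CONDUITS.get((src_zone, dst_zone, dport))
    if allowed is None:
        return [f"no conduit {src_zone} -> {dst_zone} on port {dport} ({src_name} -> {dst_name})"]
    fc = flow.get("fc")
    if fc is not None and fc not in allowed:
        kind = "write" if fc in MODBUS_WRITES else "function"
        return [f"Modbus {kind} (function code {fc}) from {src_name} to {dst_name} "
                f"not permitted on conduit {src_zone} -> {dst_zone}"]
    return []


def analyze(flows):
    """Alerts for a batch of flows, in observation order."""
    return [alert for flow in flows for alert in classify(flow)]


SAMPLE_FLOWS = [  # constructed flow records
    {"src": "10.10.1.10", "dst": "10.10.2.20", "dport": 502, "fc": 3},       # HMI polls PLC: fine
    {"src": "10.10.1.10", "dst": "10.10.2.20", "dport": 502, "fc": 16},      # HMI writes registers
    {"src": "10.10.3.30", "dst": "10.10.2.21", "dport": 502, "fc": 16},      # engineering write: permitted
    {"src": "10.10.9.99", "dst": "10.10.2.20", "dport": 502, "fc": 3},       # not in the inventory
    {"src": "10.10.2.20", "dst": "10.10.2.255", "dport": 44818, "fc": None},  # broadcast discovery
    {"src": "10.10.1.11", "dst": "10.10.3.30", "dport": 445, "fc": None},    # historian -> eng-ws SMB
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

Three of the six constructed flows raise an alert: the HMI writing registers to a PLC (a configuration change from a zone that should only read), the device missing from the inventory, and the historian opening SMB to the engineering workstation, for which no conduit exists. The broadcast from the PLC and the engineering write both pass, which is the point of keeping the inventory and conduit list accurate: the policy is only as good as the asset list it is built on.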

Finally, threat hunting is a great way to look for and weed out threats within your OT environment. Proactively looking for bad actors doing bad things, building playbooks, and automating them will go a long way to improve your security posture.

Easing the burden


Protecting IIoT assets is arguably one of the more difficult tasks in security. There are a wide variety of devices, many of which operate in a very tailored manner and don’t respond well to disruption that could be caused by many security processes and procedures.

Fortunately, there are a number of Cisco Security products that can help.

◉ Cisco Cyber Vision gives OT teams and network managers full visibility into their industrial assets and application flows. Embedded in Cisco industrial network equipment, it decodes industrial protocols to map your OT network and detect process anomalies or unwanted asset modifications.

◉ Identity Services Engine leverages the asset inventory built by Cisco Cyber Vision to create dynamic security groups and automatically enforce segmentation using TrustSec.

◉ ISA3000 is a ruggedized industrial firewall appliance you can deploy in harsh environments to enforce zone segmentation, detect intrusions, and stop network threats.

◉ Stealthwatch is a security analytics solution that uses a combination of behavioral modeling, machine learning, and global threat intelligence to detect advanced threats. Integrated with Cisco Cyber Vision, this visibility extends deep within the IIoT infrastructure.

◉ AMP for Endpoints can be used to protect engineering workstations within the OT environment.

◉ Duo’s multi-factor authentication can be used to prevent an attacker from gaining access to systems on the network as they attempt to move laterally.

◉ Cisco Email Security can detect targeted phishing emails aimed at IIoT operators and others, preventing malicious payloads from reaching their intended target.

Ultimately, a layered approach will provide the best security. For instance, Cisco Cyber Vision can automate visibility of industrial devices and secure operational processes. Integrated with Cisco’s security portfolio, it provides context for profiling industrial devices in Stealthwatch, and maps communication patterns to define and enforce policy using granular segmentation with ISE.

Friday, 13 September 2019

New Threat Grid App for IBM QRadar SIEM

Two years ago, Cisco and IBM Security announced a strategic alliance to address the growing threat of cybercrime. This collaboration builds on each organization’s strengths and complementary offerings to provide integrated solutions, managed services and shared threat intelligence to drive more effective security for our joint customers. We continue to develop new applications for IBM’s QRadar security analytics platform and the Cisco Threat Grid app for QRadar with DSM was just released.

Cisco’s Threat Grid App integrates with IBM’s QRadar SIEM, enabling analysts to quickly identify, understand and respond to system threats rapidly through the QRadar dashboard. Downloadable via the IBM Security App Exchange, this powerful app combines advanced sandboxing, malware analysis and threat intelligence in one unified solution.

Threat Grid + QRadar enables analysts to quickly determine the behavior of possibly malicious files that have been submitted to Threat Grid, and to drill down rapidly from QRadar into the Threat Grid unified malware analysis and threat intelligence platform for deeper insight. This integration expedites the threat investigation process, with a dashboard view into the highest priority threats delivered directly through QRadar rather than having to pivot across disparate tools and interfaces.

Detailed results from the sandbox analysis of Threat Grid can be aggregated by QRadar to determine whether the potential threats within the organization are malicious or benign. Malware samples are then assigned a Threat Score, and displayed by hash value and the user which submitted the sample.


This information displayed on the Threat Grid dashboard can be used to quickly resolve threats detected by QRadar. This results in improved efficiency and optimization for security analysts, by quickly identifying the top priorities for threat investigation.

With the QRadar DSM capabilities, you can see the analysis results over time.


Also, under Log Activity, for suspicious IP addresses, you can use the right-click to see instant contextual threat intelligence from Threat Grid.


Threat Grid also integrates with IBM Resilient Incident Response Platform (IRP) for automated response and X-Force Exchange for even greater threat intelligence enrichment. For example, analysts in the IRP can look up Indicators of Compromise (IoC) with Cisco Threat Grid’s threat intelligence, or detonate suspected malware with its sandbox technology. This empowers security teams to gain valuable incident data in the moment of response.

These technology integrations between Cisco Security and IBM Security enable a more extensive security architecture for greater speed and efficiency in identifying, investigating, and remediating threats. Together, we deliver the intelligence, automation, and analytics required to provide the data and insights that today’s security practitioners require.

Sunday, 11 August 2019

New Perspectives on Software-Defined WAN


The integration of Software-Defined Wide Area Networking (SD-WAN) with cloud management functionality into the Cisco family of routers in 2018 excited many of our customers. Instantly over a million installed Cisco ISR and ASR routers could be upgraded to become SD-WAN capable, improving application performance for a distributed workforce, store outlets, and branch offices. SD-WAN lowers the cost of branch connectivity to not only the enterprise data center but also IaaS and SaaS application platforms. Later in 2018, we addressed the evolving Cloud Edge—the intersection between security, networking, and the cloud—by adding full-stack security to Cisco SD-WAN. This brings flexible, secure connectivity to distributed organizations with multicloud environments by making every WAN device software-defined and secure.

In short, SD-WAN has arrived and organizations are deploying it worldwide. So what can we look forward to as this technology enters its next phase? Let me preview some of the ways we are working to bring even more control, functionality, and flexibility to SD-WAN.

Turning the Internet into a Manageable and Secure WAN


One of the key features of SD-WAN is the ability to use multiple connectivity options simultaneously so that the most reliable or appropriate connection is always available for application Quality of Experience. Specifically, you can choose among the options available for the location: MPLS, Ethernet, internet, leased lines, DSL, LTE networks, and soon 5G. This flexibility lets you choose the most cost-effective and best-performing connectivity option available, providing the ideal application experience for each location of a distributed workforce. For example, need to ensure that Office 365 Cloud is performing as needed at branch offices? Instead of relying on an expensive MPLS connection backhauling to headquarters for connections to multicloud applications, use a secure Direct Internet connection to the Microsoft Cloud, which is continuously monitored by SD-WAN to meet performance SLAs.

What’s next? The ability to manage end-to-end connectivity from enterprise to 5G endpoints and back will bring greater levels of control over data traffic and application performance. The key to extending intent-based networking controls from enterprise to 5G cellular endpoints is network slicing in the 5G channels in conjunction with micro-segmentation in the enterprise. 5G slicing enables the carrier to separate traffic into unique partitions, keeping sensitive data separate from normal traffic. The technique enables 5G providers to maintain the necessary service level agreements for low-latency traffic, and create an end-to-end virtual network encompassing compute and storage functions.

Wired and wireless Enterprise networks are already segmented to channel traffic according to type (sensitive/video/IoT), priority, and latency. Today with 4G LTE, the enterprise segmented traffic destined for a cellular endpoint would move onto the cellular network with few controls over how the data is segmented and managed. The new 5G networks can be sliced to match the security and performance requirements of the segments in the enterprise, thus maintaining the original policies from end-to-end. A security policy, for example, that is established in the enterprise network will follow a person’s device as it transitions from the enterprise to a 5G network slice. Cisco SD-WAN will be able to take full advantage of network slicing in 5G to meet the security and segmentation needs of enterprise networks.

Virtualizing Network Functions for the SD-Branch


Bringing the focus back to ensuring robust branch connectivity, we are enhancing the functions that run on the local edge routers and appliances along with the core SD-WAN software suite. Virtualized network functions (VNFs) increase local performance and minimize backhaul traffic to corporate data center DMZs or cloud platforms. Many functions are being virtualized on edge routers and appliances—such as optimization and intelligent caching, application-aware firewalls, intrusion detection, and URL filtering. And, of course, SD-WAN’s full security stack supports compliance, direct internet access, direct cloud access, and guest access.

Virtualizing critical functions and running them at the cloud edge—in the branch office, store, or clinic—improves both the efficiency and cost-effectiveness of distributed computing and a remote workforce. VNFs can also be run on cloud platforms and colocation facilities to spread the functionality over multiple remote locations. For example, by consolidating VNFs on a provider’s IaaS platform—a virtual network hub—IT can reduce management costs while being able to spin up or down new virtual machines as needed to accommodate workloads and connectivity for a group of regional branches. More on this in a future blog post.

Improving Application Quality of Experience with WAN Optimization


WAN optimization techniques have been around since the early days of frame relay and MPLS. The main goal of dedicated optimization appliances was to maximize the throughput on these relatively expensive circuits. As new technologies such as VoIP and video became critical to business, optimizing the circuits to provide the necessary Quality of Service grew in importance. But as direct internet connections became the rule rather than the exception for accessing popular SaaS and cloud apps, a much more granular, flexible, and automated WAN optimization process is required. Thus SD-WAN was designed to meet the new application QoE demands.

There are several optimization methods that Cisco SD-WAN currently employs to improve the QoE for cloud and SaaS applications accessed by the distributed workforce. Currently, Cisco SD-WAN monitors the available links for latency, packet loss, and jitter that affect throughput and performance. By dynamically measuring these characteristics and comparing them with service levels that specific applications require, the SD-WAN can automatically decide which circuits to use for individual applications. VoIP and video are two applications that require specific levels of latency and low jitter to perform correctly. While a SaaS application may be more tolerant of jitter, it still requires a guaranteed level of throughput to provide satisfactory performance. SD-WAN automates the monitoring and selection of appropriate paths to maintain expected QoE for each type of application.
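As an added illustration (not Cisco's code or the vManage/vSmart logic), here is how per-application SLA classes can be applied to measured link metrics to pick a transport, including the case where no link meets the SLA; the SLA thresholds, path metrics and the cost-first tie-break are assumptions constructed for the example:

```python
"""SLA-driven path selection over measured SD-WAN transports.

Added illustration, not Cisco's code: the SLA classes, the path metrics and
the cost-first tie-break are constructed assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PathMetrics:
    name: str           # transport/tunnel name
    latency_ms: float   # measured round-trip latency
    loss_pct: float     # measured packet loss, percent
    jitter_ms: float    # measured jitter
    cost: int           # relative transport cost, lower is preferred


@dataclass(frozen=True)
class SlaClass:
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


# Assumed per-application SLA classes: voice/video are jitter-sensitive,
# SaaS tolerates jitter but still needs bounded loss and latency.
SLA_CLASSES = {
    "voice": SlaClass(max_latency_ms=150, max_loss_pct=1.0, max_jitter_ms=30),
    "video": SlaClass(max_latency_ms=200, max_loss_pct=2.0, max_jitter_ms=50),
    "saas":  SlaClass(max_latency_ms=300, max_loss_pct=5.0, max_jitter_ms=200),
}


def sla_violation(path, sla):
    """0.0 when the path meets the SLA; otherwise the summed relative overshoot."""
    overshoot = 0.0
    for measured, limit in ((path.latency_ms, sla.max_latency_ms),
                            (path.loss_pct, sla.max_loss_pct),
                            (path.jitter_ms, sla.max_jitter_ms)):
        overshoot += max(0.0, measured / limit - 1.0)
    return overshoot


def select_path(app, paths):
    """Pick the transport for `app` from the currently measured paths.

    Returns (path_name, sla_met).  Among SLA-compliant paths the cheapest wins
    (lowest loss breaks ties); if no path is compliant, the least-violating one
    is used so traffic still flows, and sla_met is False to flag degradation.
    """
    sla = SLA_CLASSES[app]
    compliant = [p for p in paths if sla_violation(p, sla) == 0.0]
    if compliant:
        best = min(compliant, key=lambda p: (p.cost, p.loss_pct))
        return best.name, True
    best = min(paths, key=lambda p: (sla_violation(p, sla), p.cost))
    return best.name, False


# Constructed probe results for one branch: a healthy snapshot and a
# snapshot where the broadband link has started dropping packets.
HEALTHY = [
    PathMetrics("mpls",      latency_ms=40, loss_pct=0.1, jitter_ms=5,  cost=3),
    PathMetrics("broadband", latency_ms=60, loss_pct=0.5, jitter_ms=20, cost=1),
    PathMetrics("lte",       latency_ms=90, loss_pct=3.0, jitter_ms=60, cost=2),
]
DEGRADED = [
    PathMetrics("mpls",      latency_ms=40, loss_pct=0.1, jitter_ms=5,  cost=3),
    PathMetrics("broadband", latency_ms=60, loss_pct=2.5, jitter_ms=40, cost=1),
    PathMetrics("lte",       latency_ms=90, loss_pct=3.0, jitter_ms=60, cost=2),
]


def route_table(paths):
    """Selected (path, sla_met) for every application class on this snapshot."""
    return {app: select_path(app, paths) for app in SLA_CLASSES}


if __name__ == "__main__":
    for label, snapshot in (("healthy", HEALTHY), ("degraded", DEGRADED)):
        print(label, route_table(snapshot))
```

When broadband degrades, voice and video move to MPLS while SaaS traffic stays on the cheaper link, which is the behaviour the paragraph describes.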

Supplementing these existing performance attributes of SD-WAN are new controls for TCP optimization, forward error correction, and packet duplication. SD-WAN provides metrics that aid in fine-tuning the optimal TCP congestion algorithm to improve application performance. For example, the Cisco SD-WAN TCP optimization engine, a new layer in the Cisco SD-WAN stack, helps maintain superior application performance in high-latency networks such as satellite, transcontinental, and other types of circuits prone to high loss and high latency.

To better tackle lossy networks, even for non-TCP applications, the Cisco SD-WAN optimization stack includes a Forward Error Correction (FEC) mechanism. FEC improves application experience by using additional parity packets to protect against loss. In situations when the loss percentage is very high, the Cisco SD-WAN optimization stack maintains performance by deploying a Packet Duplication feature. These optimization features help mitigate packet loss over noisy channels, thereby maintaining high application QoE for voice and video in particular. They are being integrated into the Cisco SD-WAN stack in upcoming IOS-XE releases. All three optimization techniques are managed via Cisco vManage and vSmart virtual network functions.

Edge-to-Cloud Protection with Integrated SD-WAN Security Stack


Securing branch to cloud to data center traffic, in all its permutations, is a key strength of SD-WAN. Last year Cisco added a virtualized security stack to provide multiple levels of protection at the cloud edge that includes:
  • Application-Aware Enterprise Firewall with the ability to identify, permit, or block over 1400 applications.
  • Intrusion Prevention System (IPS) using Snort, the most widely deployed IPS engine in the world, to deliver real-time network defense against malware intrusions.
  • URL-Filtering with advanced reporting on over 80 URL categories, providing IT with greater visibility and reducing risk with usage policies customized to an organization’s unique needs.
  • DNS/web-layer security with integrated connections to Cisco Umbrella to prevent enterprise branch users, guests and mobile users from accessing inappropriate internet content and known malicious sites that might contain malware and other security risks.


Cisco SD-WAN Security Today

Coming soon to a Cisco edge router near you is Cisco Advanced Malware Protection (AMP) Threat Grid operating as a virtual network function (VNF). The additional AMP-focused layer includes a context-aware knowledge base of known malware infectious agents. Cisco AMP Threat Grid identifies and alerts IT staff to discovered infections, and provides information on the malware's method of attack, a measure of the threat it poses, and how to defend against it. Operating at the branch edge as part of the SD-WAN VNF security stack, AMP Threat Grid adds a layer of malware protection that examines all incoming and outgoing traffic, so that malware originating from direct internet connections can’t infect branch devices. Similarly, malware originating from the branch can’t hide in traffic outbound to the enterprise network or cloud applications.

Threat insights exposed with AMP Threat Grid are viewable through the Cisco vManage Portal where administrators can also initiate protective actions such as segmenting infected devices from the rest of the network. The vManage Portal gives network admins a view across the entire WAN, displaying all suspected infections, malware type, and paths of infection through the network. To augment security threat intelligence, the VNF instances of AMP Threat Grid working at the local edges are continuously connected to both AMP Cloud and Threat Grid Cloud, both managed by Cisco Talos Security.

AMP Cloud and Threat Grid Cloud collect malware and suspicious file data from Cisco installations around the world, maintaining a Malicious File Hash catalogue of suspected infections and keeping the information up to date on all Cisco routers as well as third-party security tools via an open API. For example, API integration of AMP Cloud and Threat Grid Cloud with application-aware, threat-focused firewalls provides rapid identification of suspected malware files with automated sandboxing of unknown files in the Threat Grid Cloud for additional analysis.

SD-WAN Continues to Improve Branch Connectivity, Application QoE, and Security


Cisco SD-WAN is foundational for a new software-defined network architecture. As organizations become more distributed, the workforce needs new ways to connect edge to cloud, data center to branch, while ensuring a high Quality of Experience for cloud and SaaS applications wherever they are needed. Cisco is at the forefront of this new wave of distributed connectivity, continuously refining our SD-WAN software and security stack to meet the needs of the digital enterprise.

Thursday, 1 August 2019

Rapid Evolution of Cisco SD-WAN is a Revolution for Enterprises with a Cloud-First Strategy

Just a few years ago, software-defined wide area networking (SD-WAN) was a “new” technology just breaking into the awareness of the IT market. It arrived at a time when enterprises were shifting from moving applications and data to a single cloud platform to spreading them across multiple clouds. SaaS application providers for CRM, HR, finance, and supply chain were firmly established as critical business resources that need to be accessible from anywhere via direct internet connections.

These were all positive changes, but not without a certain amount of pain. In particular, traditional WANs were struggling with these new demands. The WAN architecture worked well when all connections from branches and a distributed workforce flowed back to a central data center through MPLS lines, where security policies were also applied. But the hub-and-spoke WAN architecture broke down as more direct internet connections were needed to access multicloud resources and SaaS applications. Continuing to backhaul all traffic to data centers before routing it to internet cloud applications resulted in rising MPLS costs, bandwidth inefficiencies, increased latency, and poor application quality of experience. In addition, WANs were often composed of components from multiple vendors, limiting visibility and control over performance and troubleshooting.

SD-WAN was designed to answer these challenges. The technology provides methods to prioritize critical business traffic and take advantage of internet broadband connections—previously used for backup and redundancy—to connect directly to multicloud resources. SD-WAN simplifies the management of the wide area network fabric with a controller-first overlay that is independent of transport layers—MPLS, Ethernet, internet, leased lines, DSL, LTE networks, and soon 5G. SD-WAN controllers intelligently choose among the available transport mediums to deliver the best application performance as defined by IT service level agreements (SLA).

The Evolution of Cisco SD-WAN


In the early stages of SD-WAN, engineers at Viptela developed a flexible SD-WAN architecture based on cloud management and controllers (vManage and vSmart) and virtualized network function edge routers (vEdge). Their version of SD-WAN followed the same software-defined architecture as Cisco’s Digital Network Architecture (DNA), separating the Data, Control, and Management Planes for maximum flexibility. Viptela’s architecture made it a natural extension to Cisco’s Intent-Based Networking vision. Viptela’s visionary team and technology were acquired by Cisco two years ago this week—August 1st to be precise. Rapid innovations and integrations have been ongoing ever since.

Many of the innovations we’ve added come from listening to our enterprise customers who are seeking a solution to unite multi-domain cloud resources across a distributed organization. We hear that they need ways to simplify the interconnection of the domains with unified access and security policies applied across campus, branch, and cloud. Let’s look at the capabilities we’ve added to make Cisco SD-WAN powered by Viptela an enterprise-class platform that meets these needs and more.


Looking Deep Inside SD-WAN Operations


Networks are becoming much more complex as organizations tie data centers, remote branches, and a distributed workforce to multicloud applications using connectivity options like direct internet and LTE that are outside the direct control of IT. Therefore, it’s important to be able to see inside the WAN to monitor, measure, and adjust the parameters affecting performance. That’s why one of the first capabilities Cisco added to the SD-WAN stack was Cisco vAnalytics, a cloud-based tool for monitoring and analyzing SD-WAN performance via the vManage portal. vAnalytics provides specific information that enables IT to readily monitor bandwidth usage and application performance, and to detect anomalies against a baseline of application usage. Going forward, vAnalytics will incorporate more artificial intelligence and machine reasoning, as was recently introduced in Cisco AI Network Analytics.

Expanding SD-WAN to Cisco ISR/ASR Edge Routers


When considering a new technology, IT leaders prefer to avoid the need to “rip and replace”. Cisco alleviates that concern by making SD-WAN available to run on over a million ISR/ASR routers that are already serving branches and campus networks worldwide. Cisco IOS XE, released a year ago, provides an instant upgrade path for creating cloud-controlled SD-WAN fabrics to connect distributed offices, people, devices, and applications operating on the installed base of ISR/ASR routers. At the same time, we added the ability to run SD-WAN as virtualized network functions in a cloud provider’s IaaS platform, providing even more flexibility to quickly extend SD-WAN to the cloud.

SD-WAN Full Stack Security Protects Branch Data and Cloud Applications


When using the internet to connect branches and remote employees with cloud applications, sensitive data could pass over multiple networks outside of the control of IT, increasing security risks. Protecting the data while making it available on-demand to the workforce presents a series of technical and enforcement challenges.

To allay those concerns, Cisco, one of the top worldwide providers of network security solutions, integrated full-stack security into SD-WAN running on edge routers. Cisco SD-WAN Security is built-in, not composed of separate bolted-on components from a disparate variety of vendors, making security easy to manage via the vManage cloud portal. By integrating an application-aware firewall, intrusion detection and prevention, advanced malware protection, and Cisco Umbrella DNS cloud security layer, data security is easily and consistently maintained across branches.

In addition to securing branch and distributed workforce connections, IT wants to holistically address security concerns across multiple domains. That means setting access and security policies once and having them permeate the enterprise across data center, campus, and branch, to the cloud edge where IoT devices increasingly need to do local processing. Because Cisco designs security using an end-to-end perspective, creating cross-domain policies is not only possible, but a necessary capability as applications, data, and devices become more distributed and the workforce more mobile. Cisco is enabling unified policy management by linking ACI in the data center with SD-Access in the campus and SD-WAN for branches so that segmentation and security are applied consistently all the way from people and devices to the application hosting cloud platforms.

SD-WAN Cloud OnRamp for CoLocation Consolidates Regional Branch Connectivity


With SD-WAN making it simpler to configure and manage connections from branches to cloud resources, it’s just one more step to consolidate many regional branches under a common colocation facility. Creating an onramp connection from each of many branches to a colocation facility hosting a virtualized SD-WAN reduces the need for edge routers at each location and centralizes the management while providing all the same security and transport layer options.

In many cases, the target cloud providers and SaaS applications reside in the same colocation facility, thus shortening the paths and reducing latency to further improve application performance for potentially dozens to hundreds of branches. Additional virtualized SD-WAN instances in the colocations can also be quickly spun up to connect new branches as quickly as needed. SD-WAN Cloud OnRamp for CoLocation joins Cisco’s Cloud OnRamp for IaaS and SaaS to extend connectivity management from branches to multiple cloud platforms to provide granular control over application quality of experience via vManage.

Evolution of SD-WAN Continues for Revolutionary Results


All these innovations integrated into Cisco SD-WAN powered by Viptela are fundamental to building an Intent-Based Network. Built-in network intelligence translates business intents into network actions that provide consistent access policies, security for devices and data, and a high-quality application experience for a distributed workforce. Integrating multicloud compute resources with cross-domain access drives a revolution in business as enterprises strive to connect information to people anywhere at any time to improve employee productivity and customer experience.

National Instruments, an international leader in test and measurement systems, implemented SD-WAN to solve a number of IT and business problems. Like many organizations with a globally distributed workforce, the network supports communication services, software distribution, and access to applications and data resources among worldwide sites. The existing WAN greatly constrained video conferencing, slowed large software transfers, and couldn’t provide acceptable application performance. Implementing SD-WAN turned those issues around by:

◈ Reducing MPLS spending by 25% while increasing bandwidth by 3,075%.

◈ Categorizing traffic by function and type, sending backup traffic over the Internet under an SLA, eliminating bandwidth bottlenecks on MPLS circuits.

◈ Reducing the time for software updates to replicate across the network from 8 hours to 10 minutes.

◈ Adding new internet-based services used to take months; with the agility of SD-WAN, new services can be deployed in the cloud immediately.

◈ Eliminating the need for call admission controls and for limiting video quality in conferencing.

Enterprises are gaining advantages such as these by upgrading their aging WAN technology to SD-WAN. It’s not just cost savings by supplementing or replacing MPLS with direct internet connections that is motivating the transition to software-defined WAN architecture. It’s also about gaining flexibility and stability with intelligent, continuously monitored connections to multicloud resources and SaaS applications that are fueling the transition. In a software-defined world, people, devices, applications, and data are all securely connected to ensure organizations run efficiently as they tackle digital transformation projects. How will you use SD-WAN to support your digital revolution?

Tuesday, 30 July 2019

The ISR Family Expands SD-WAN Security and LTE Support

By now you most likely already know the benefits of implementing a software-defined WAN (SD-WAN). It’s no wonder 95% of enterprises surveyed by IDC expect to use SD-WAN within 24 months.

Cost of WAN Operations over 5 years. IDC: Business Value of Software-Defined Networking Infographic

Did you know, however, that SD-WAN could help lower your WAN costs by 38% over 5 years? Recent IDC customer interviews of mid to large enterprises found that respondents reported 38% lower 5-year cost of operations, 45% reduced app latency, and 33% more efficient WAN management when deploying Cisco SD-WAN solutions.

So, if you’re considering an upgrade to SD-WAN, you’ll be happy to know that Cisco is continuing to expand platform support for Cisco SD-WAN powered by Viptela with new ISR models. We’re excited to introduce the new ISR 1120 and ISR 1160 models to the ISR 1000 Series. Both models will support the full suite of Cisco SD-WAN features including a full stack of security capabilities.


Why do you need the latest ISR 1000 models?


◈ Better user experience – The ISR 1160 is the highest performing router of the ISR 1000 series yet, featuring increased throughput and a 25% faster processor. Faster performance plus application optimization with Cisco SD-WAN equals happier employees and guests.

◈ Any location, any transport – Last year we introduced pluggable LTE technology with the ISR 1101 and 1109 models, and now we’re happy to introduce the same technology with the new ISR 1120 and 1160 models. This allows you to plug in a CAT4 or CAT6 module for advanced LTE connectivity, and with the fast-paced growth of LTE technology, you’ll be able to upgrade to future LTE band support, like 5G, with ease.

◈ Right security, right place – Now you can protect users and devices and deploy embedded or cloud security faster using SD-WAN Security. The new ISR models feature 8GB of memory, so you can run the full security stack, including application firewall, IPS, URL-Filtering and AMP, directly on your ISR and manage it remotely via Cisco vManage.

Don’t forget that Cisco provides support, fulfillment and hardware replacement across the globe. With all the best features of the ISR 1000 Series and cost savings of Cisco SD-WAN, now available with the new ISR 1120 and 1160 models, it’ll be hard to find a reason not to deploy a software-defined network.

Wednesday, 2 January 2019

Cognitive Intelligence: Empowering Security Analysts, Defeating Polymorphic Malware

In psychology, the term “cognition” refers to a human function that is involved in gaining knowledge and intelligence. It helps describe how people process information and how the treatment of this information may lead to various decisions and actions. Individuals use cognition every day. Examples as simple as the formation of concepts, reasoning through logic, making judgments, problem-solving, and achieving goals all fall under the purview of this term.

In cybersecurity, applying the principles of cognition helps us turn individual observed threat events into actionable alerts full of rich investigative detail. This process improves over time through continuous learning. The goal is to boost discovery of novel or morphing threats and to streamline cybersecurity incident response. The work of security operations teams can be vastly optimized by delivering prioritized, actionable alerts with rich investigative context.

Enhancing Incident Response


Let’s take a moment to think of the tasks that a security team performs on a day-to-day basis:

◈ Looking through ever-increasing numbers of suspicious events coming from a myriad of security tools.
◈ Conducting initial assessments to determine whether each particular anomaly requires more investigation time or should be ignored.
◈ Triaging and assigning priorities.

All of these actions are based on the processes, technology, and knowledge of any particular security team. This initial decision-making process by itself is crucial. If a mistake is made, a valid security event could be ignored. Or, too much time could be spent to investigate what ends up being a false positive. These challenges, coupled with the limited resources that organizations typically have, as well as complexities associated with attack attribution, may be daunting.

That’s why security teams should embrace automation. At Cisco, we’re committed to helping organizations step up their game through the use of our Cognitive Intelligence. This technology correlates telemetry from various sources (Cisco and third-party web proxy logs, NetFlow telemetry, SHA256 hash values and file behaviors from AMP and Threat Grid) to produce accurate, context-rich threat knowledge specific to a particular organization. This data, combined with the Global Risk Map of domains on the Internet, allows organizations to confidently identify variants of memory-resident malware, polymorphic malware with diversified binaries, and in general any novel malware that attempts to avoid detection by an in-line blocking engine.

As a result of automation like this, less time needs to be spent on detailed threat investigations to confirm the presence of a breach, identify the scope and begin triage. And that will in turn dramatically help mitigate the shortage of skilled security personnel by increasing the effectiveness of each analyst.

Figure: Example of a Confirmed Threat Campaign

In a sense, Cognitive Intelligence algorithms mimic the threat hunting process for observed suspicious events. They identify combinations of features that are indicative of malware activity, much as an incident responder would, starting with relatively strong indicators from one dataset and pivoting through the other datasets at their disposal. The pivot point may lead to more evidence, such as behavioral anomalies that help reinforce the infection hypothesis. Alternatively, the breach presumption may fade away, and the investigation can either be terminated very quickly or restarted when new data becomes available. These algorithms are similar to incident response playbooks used by Cisco CSIRT and other incident response teams, but operate on a much larger scale.

What’s New in 2018: Probabilistic Threat Propagation


One of the example algorithms that we call Probabilistic Threat Propagation (PTP) is designed to scale up the number of retrospectively convicted malware samples (threat actor weapon), as well as the number of malicious domains (threat actor infrastructure) across the Cisco AMP, Threat Grid, and Cognitive knowledge bases.

Figure: Probabilistic Threat Propagation in a Nutshell

The PTP algorithm monitors network communications from individual hashes to hosts on the Internet and constructs a graph based on the observed connections. The goal is to accurately identify polymorphic malware families and as-yet-unknown malicious domains, based on partial knowledge of some already convicted hashes and domains. The key here is that malware authors often reuse the same command-and-control (C2) infrastructure, so the C2 domains often remain the same across polymorphic malware variants. At the same time, these domains are usually not accessed for benign purposes.

For example, if an unknown file connects to a confirmed malicious domain, there’s a certain probability that this sample is malicious. Likewise, if a malicious file establishes a connection to an unknown domain, there’s a probability for this domain to be harmful. To confirm such assumptions, Cisco leverages statistical data surrounding the domain to determine how frequently it’s accessed, by which files and so on.
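The two-way inference described above, carried through on a small hash-to-domain contact graph, as an added example that is not Cisco's implementation: the damped noisy-OR update rule, the popularity cut-off that keeps a shared CDN from convicting clean files, and all sample hashes and domains are constructed assumptions.

```python
"""Probabilistic threat propagation over a hash-to-domain contact graph.

Added illustration, not Cisco's implementation: the damped noisy-OR update
rule, the popularity cut-off and all sample hashes/domains are assumptions
constructed for this example.
"""
from collections import defaultdict

DAMPING = 0.85        # belief that survives crossing one graph edge (assumed)
POPULAR_DOMAIN = 5    # contacted by >= this many hashes: treat as shared infra
THRESHOLD = 0.7       # conviction threshold on P(malicious) (assumed)


def build_graph(observations):
    """observations: (sha256, domain) contact pairs -> two adjacency maps."""
    hash_to_domains = defaultdict(set)
    domain_to_hashes = defaultdict(set)
    for sha, domain in observations:
        hash_to_domains[sha].add(domain)
        domain_to_hashes[domain].add(sha)
    return hash_to_domains, domain_to_hashes


def propagate(observations, malicious_hashes, malicious_domains,
              iterations=50, tol=1e-9):
    """Return {node: P(malicious)} for every hash and domain in the graph.

    Known-malicious seeds stay pinned at 1.0.  Domains contacted by many
    distinct hashes are pinned at 0.0: a CDN or update server seen from both
    malware and clean software carries no evidence and must not convict the
    clean files that also use it (the "how frequently it's accessed, by
    which files" statistic).  Every other node gets a damped noisy-OR of its
    neighbours' scores:  p = 1 - prod(1 - DAMPING * p_neighbour).
    Scores start at 0, only grow and stay below 1, so the loop converges.
    """
    h2d, d2h = build_graph(observations)
    adjacency = {**h2d, **d2h}          # hash and domain names never collide here
    fixed = {n: 1.0 for n in set(malicious_hashes) | set(malicious_domains)}
    for domain, hashes in d2h.items():
        if domain not in fixed and len(hashes) >= POPULAR_DOMAIN:
            fixed[domain] = 0.0
    score = {n: fixed.get(n, 0.0) for n in adjacency}
    for _ in range(iterations):
        largest_change = 0.0
        for node, neighbours in adjacency.items():
            if node in fixed:
                continue
            survive = 1.0
            for nb in neighbours:           # Gauss-Seidel: use fresh scores at once
                survive *= 1.0 - DAMPING * score[nb]
            new = 1.0 - survive
            largest_change = max(largest_change, abs(new - score[node]))
            score[node] = new
        if largest_change < tol:
            break
    return score


def convict(score, observations, seeds, threshold=THRESHOLD):
    """Newly convicted (hashes, domains): scored above threshold and not a seed."""
    h2d, d2h = build_graph(observations)
    new_hashes = sorted(h for h in h2d if h not in seeds and score[h] >= threshold)
    new_domains = sorted(d for d in d2h if d not in seeds and score[d] >= threshold)
    return new_hashes, new_domains


# Constructed telemetry: placeholder hash labels, not real SHA-256 values.
SAMPLE_CONTACTS = [
    ("sha256-A", "c2-known.example"),    # A: already convicted sample
    ("sha256-A", "cdn.example"),
    ("sha256-A", "c2-unknown.example"),  # A's second, not-yet-labelled C2
    ("sha256-B", "c2-known.example"),    # B: polymorphic sibling reusing the C2
    ("sha256-B", "cdn.example"),
    ("sha256-C", "cdn.example"),         # C: only shared infrastructure
    ("sha256-D", "c2-unknown.example"),  # D: reaches the C2 only A exposed
    ("sha256-E", "partner.example"),     # E: no path to anything malicious
    ("sha256-F", "cdn.example"),         # F-H: clean files that make the CDN popular
    ("sha256-G", "cdn.example"),
    ("sha256-H", "cdn.example"),
]
KNOWN_HASHES = {"sha256-A"}
KNOWN_DOMAINS = {"c2-known.example"}


def run_sample():
    """Propagate over the constructed telemetry and return the verdicts."""
    score = propagate(SAMPLE_CONTACTS, KNOWN_HASHES, KNOWN_DOMAINS)
    hashes, domains = convict(score, SAMPLE_CONTACTS, KNOWN_HASHES | KNOWN_DOMAINS)
    return score, hashes, domains


if __name__ == "__main__":
    score, hashes, domains = run_sample()
    for node, p in sorted(score.items(), key=lambda kv: -kv[1]):
        print(f"{node:20s} P(malicious)={p:.3f}")
    print("newly convicted hashes:", hashes)
    print("newly convicted domains:", domains)
```

Note that an unlabelled hash and an unlabelled domain that only see each other reinforce one another across iterations; the fixed seeds, the damping factor and the popularity pin are what keep that feedback bounded.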

Figure: Graph built by Probabilistic Threat Propagation Algorithm

The capability that we have introduced helps security analysts track and detect new versions of malware, including polymorphic and memory-resident malware, given that the C2 infrastructure remains intact across variants. Similarly, this method is capable of tracking migrations of an attacker’s C2 infrastructure, given knowledge of malicious binaries that belong to the same malicious family. Cognitive Intelligence leverages specific telemetry from a stack of security products (file hashes from AMP, file behaviours from Threat Grid, anomalous traffic statistics and threat campaigns from Cognitive). That allows Cisco to model threat actor behaviors across both the endpoint and the network in order to better protect its customers.

The Probabilistic Threat Propagation algorithm also provides additional sensitivity to fileless malware (which leaves no file footprint on the system’s disk) and process injection. Such infections can be detected when a legitimate process or business application starts communicating with domains associated with C2 infrastructure that other malicious binaries predominantly contacted.

The beauty of this capability is that it runs offline in Cisco’s cloud infrastructure, and therefore requires no additional computational resources from customers’ endpoints or infrastructure. It simply works to provide better protection and an increased count of retrospective detections for novel variants of known malware.

Measuring Results


This blog entry wouldn’t be complete if we didn’t speak about the initial results that this single algorithm delivers. From a single malicious binary, the Probabilistic Threat Propagation algorithm is able to identify tens if not hundreds of additional binaries that are part of the same threat family and that also get convicted as part of this analysis. Similarly, with this new mechanism for tackling polymorphism, we will generally be able to identify tens of additional infected hosts affected by a polymorphic variant of a particular threat. That is especially rewarding when it comes to measuring the positive impact on Cisco customers.

Figure: Scaling threat detection efficacy with Probabilistic Threat Propagation

Cisco AMP for Endpoints and other AMP-enabled integrations (AMP for Email Security, AMP for WSA, AMP for Networks, AMP for Umbrella) leverage AMP cloud intelligence to provide improved threat detection capabilities boosted by the PTP algorithm.

Saturday, 15 July 2017

Cisco Firepower NGFW Delivers Unparalleled Threat Defense in NSS Labs Testing

Real-World Testing to Inform Your NGFW Buying Decision


We’re excited to share with you the latest NSS Labs NGFW test results. In the most rigorous independent NGFW testing to date, Cisco outperformed eight competitors in security effectiveness, blocking 100% of evasions and surpassing four vendors by over 50 points. You can download the reports to get the details. For the fourth year in a row, Cisco Firepower NGFW earned a “Recommended” rating from NSS Labs.

Friday, 14 July 2017

Cisco achieves 100% detection in Breach test

And why 100% detection is grossly misleading


It is with great pride that we received the latest Breach Detection Report from NSS Labs, in which Cisco achieved a 100% detection rate – we simply couldn’t be more pleased to have our products so well-represented and validated in the market, and we truly believe we have the best, most effective security products available today. You can get your complimentary copy of the NSS Labs report here.