Showing posts with label Cisco Cognitive Threat Analytics. Show all posts

Monday, 12 April 2021

What are you missing when you don’t enable global threat alerts?


Network telemetry is a reservoir of data that, if tapped, can shed light on users’ behavioral patterns, weak spots in security, potentially malicious tools installed in enterprise environments, and even malware itself.

Global threat alerts (formerly Cognitive Threat Analytics, or CTA) is great at taking an enterprise’s network telemetry and running it through a pipeline of state-of-the-art machine learning and graph algorithms. After processing the traffic data in batches over a matter of hours, global threat alerts correlates the observed user behaviors, assigns priorities, and groups detections intelligently, giving security analysts clarity about which threats in their network matter most.

Smart alerts

All detections are presented in a context-rich manner, which gives users the ability to drill into the specific security events that support each threat detection and, eventually, the alert those detections are grouped into. This matters because merely detecting potentially malicious traffic in your infrastructure isn’t enough; analysts need to build an understanding of each threat detection. This is where global threat alerts saves you time when investigating alerts and accelerates resolution.

Figure 1: Extensive context helps security analysts understand why an alert was triggered and the reasons behind the conviction.

As depicted below in Figure 2, users can both change the severity levels of threats and rank high-priority asset groups from within the global threat alerts portal. This enables users to customize their settings to only alert them to the types of threats that their organizations are most concerned about, as well as to indicate which resources are most valuable. These settings allow the users to set proper context for threat alerts in their business environment.

Figure 2: You can change the priority of threats and asset groups from within the global threat alerts portal.

Global threat alerts are also presented in a more intuitive manner, with multiple threat detections grouped into one alert based on the following parameters:

◉ Concurrent threats: Different threats that are occurring together.

◉ Asset group value: Threats occurring on endpoints that belong to asset groups with similar business value.

Figure 3: Different threats that have been grouped together in one single alert, because they are all happening concurrently on the same assets.
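To make the two grouping parameters concrete, here is an added, illustrative implementation that is not Cisco’s code: it folds per-asset detections into alerts keyed by asset-group business value and the set of threats seen concurrently on an asset, and lets an analyst override a threat’s severity the way the portal in Figure 2 allows. The asset names, group values, threat labels and the priority formula (max severity times group value) are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Detection:
    asset: str      # endpoint the detection fired on
    threat: str     # threat label, e.g. a malware family or tactic
    severity: int   # default severity 1 (low) .. 10 (critical)

# Constructed asset-group membership and business value (3 = highest),
# standing in for the rankings an analyst sets in the portal.
ASSET_GROUP = {"db-01": "crown-jewels", "db-02": "crown-jewels",
               "lap-42": "staff", "kiosk-7": "guest"}
GROUP_VALUE = {"crown-jewels": 3, "staff": 2, "guest": 1}

# Constructed detections; the threat names are labels only.
DETECTIONS = [
    Detection("db-01", "njRAT C2 beacon", 9),
    Detection("db-01", "Maze ransomware staging", 10),
    Detection("db-02", "njRAT C2 beacon", 9),
    Detection("lap-42", "suspicious URL path pattern", 4),
    Detection("kiosk-7", "adware", 2),
]

def group_alerts(detections, severity_override=None):
    """Fold detections into alerts keyed by (asset-group value, set of threats
    seen concurrently on an asset). Priority = max severity * group value.
    severity_override lets an analyst raise or lower a threat's severity."""
    overrides = severity_override or {}
    base_sev, per_asset = {}, defaultdict(set)
    for d in detections:
        per_asset[d.asset].add(d.threat)
        base_sev[d.threat] = max(base_sev.get(d.threat, 0), d.severity)
    buckets = defaultdict(set)
    for asset, threats in per_asset.items():
        value = GROUP_VALUE[ASSET_GROUP[asset]]
        buckets[(value, frozenset(threats))].add(asset)
    alerts = []
    for (value, threats), assets in buckets.items():
        sev = max(overrides.get(t, base_sev[t]) for t in threats)
        alerts.append({"threats": sorted(threats), "assets": sorted(assets),
                       "group_value": value, "priority": sev * value})
    # Highest priority first; ties broken by number of affected assets.
    alerts.sort(key=lambda a: (a["priority"], len(a["assets"])), reverse=True)
    return alerts

if __name__ == "__main__":
    for a in group_alerts(DETECTIONS):
        print(a["priority"], a["assets"], a["threats"])
```

Raising the severity of a low-value finding (for example `{"adware": 9}`) re-ranks the alert list without touching the underlying detections.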

Rich detection portfolio


Global threat alerts is continuously tracking and evolving hundreds of threat detections across various malware families, attack patterns, and tools used by malicious actors.

All these outcomes and detections are available for Encrypted Traffic Analytics (ETA) telemetry as well, which allows users to find threats in encrypted traffic without the need to decrypt it. Moreover, because ETA telemetry contains more information than traditional NetFlow, the global threat alerts research team has also developed specific classifiers capable of finding additional threats in this data, such as algorithms focused on detecting malicious patterns in the path and query of a URL.

The global threat alerts research team is continuously engaged in dissecting new security threats and implementing the associated threat intelligence findings in hundreds of specialized classifiers. These classifiers are targeted at revealing campaigns that attackers are running on a global scale; examples include the Maze ransomware and the njRAT remote access trojan. Numerous algorithms are also designed to capture generic malicious tactics such as command-and-control traffic, command injection, or lateral movement within the network.

Risk map of the internet


There are numerous algorithms focused on uncovering threat infrastructure on the network. These models continuously discover relationships between known malicious servers and servers that have not yet been classified as malicious but that share traffic patterns or client bases with the known malicious ones. These models also constantly exchange newly identified threat intelligence with other Cisco security products and groups, such as Talos.

Figure 4: Analyzing common users of known malicious infrastructure and unclassified servers, global threat alerts can uncover new malicious servers.
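The client-overlap idea in Figure 4 can be shown with a small graph model. This is an added example, not Cisco’s implementation: the flow records and the seed of known malicious servers are constructed, and the scoring (Jaccard overlap of client sets, with a minimum number of shared clients so that one popular shared client does not implicate a CDN) is an assumption chosen to illustrate the approach.

```python
from collections import defaultdict
# Constructed (client, server) flow records standing in for NetFlow/ETA data.
FLOWS = [
    ("c1", "bad.example"), ("c2", "bad.example"), ("c3", "bad.example"),
    ("c1", "unknown-a.example"), ("c2", "unknown-a.example"),
    ("c3", "unknown-a.example"), ("c9", "unknown-a.example"),
    ("c1", "cdn.example"), ("c4", "cdn.example"), ("c5", "cdn.example"),
    ("c6", "unknown-b.example"), ("c7", "unknown-b.example"),
]
KNOWN_MALICIOUS = {"bad.example"}  # constructed seed of known bad servers

def client_sets(flows):
    """Bipartite view of the telemetry: server -> set of clients seen."""
    by_server = defaultdict(set)
    for client, server in flows:
        by_server[server].add(client)
    return by_server

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a or b) else 0.0

def score_unclassified(flows, known_bad, min_shared=2):
    """Score each not-yet-classified server by its strongest client-base
    overlap with any known malicious server. min_shared stops a single shared
    client (think popular CDN) from scoring; Jaccard penalises huge client bases."""
    by_server = client_sets(flows)
    scores = {}
    for server, clients in by_server.items():
        if server in known_bad:
            continue
        best = 0.0
        for bad in known_bad:
            shared = clients & by_server.get(bad, set())
            if len(shared) >= min_shared:
                best = max(best, jaccard(clients, by_server[bad]))
        scores[server] = round(best, 3)
    return scores

def expand_risk_map(flows, known_bad, threshold=0.5, rounds=3):
    """Promote servers scoring >= threshold to 'suspected' and re-score with
    them as seeds, so newly found infrastructure can reveal further neighbours."""
    seeds = set(known_bad)
    for _ in range(rounds):
        new = {s for s, v in score_unclassified(flows, seeds).items()
               if v >= threshold}
        if not new:
            break
        seeds |= new
    return seeds - set(known_bad)
```

With the constructed data, `unknown-a.example` shares three of its four clients with the known bad server and is promoted, while `cdn.example` shares only one client and stays unclassified.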

This multi-layered approach to threat detection combines several layers of machine learning algorithms to provide high-fidelity detections that stay up to date and relevant, because researchers update the models constantly. Additionally, all this computation is done in the cloud and uses only network telemetry data to derive new findings. The findings and alerts are presented to users in Secure Network Analytics and Secure Endpoint.

Global threat alerts uses state-of-the-art algorithms to provide high-fidelity, unique threat detections for north-south network traffic, Smart Alerts to help prioritize and accelerate resolutions, and a risk map to provide greater context and understanding of how threats span across the network.

Wednesday, 18 December 2019

Cisco and IBM: Solving Customer Challenges through the Power of Partnerships

Complexity is one of the top challenges our customers face today. CISOs not only want to enable their teams to detect and respond to threats faster, they want to simplify workflows and streamline operations at the same time. In our annual CISO surveys, we’ve been seeing a trend toward vendor consolidation, which tells us CISOs are looking for ways to make their solutions simpler.

Vendors typically work in siloes to solve these kinds of challenges. But at Cisco, we believe we can achieve more through collaboration. That’s why we’ve been working in partnership with IBM Security to provide joint customers an in-depth, end-to-end defense strategy while simplifying their vendor relationships.

The average organization juggles 45 different security vendors. Leveraging the breadth of Cisco and IBM’s security portfolios allows our customers to drastically reduce that number of vendors while still using best-in-class products. The reduction in vendor surface creates more than just technical efficiencies. By consolidating vendor relationships, customers can maximize their buying power through vehicles like Enterprise Agreements, as well as simplify contract management and support cases.

Leveraging Cisco and IBM strengths


At Cisco, we believe we have excellent technologies to help customers prevent threats to their businesses, and with products like Cisco Threat Response, we even speed up various elements of the technical response. With IBM, we have focused our initial integrations on QRadar and Resilient product lines to help customers further prioritize threats and better assist with their response both at a technical and business level.

Let’s say you had an insider attack. The Cisco/IBM integrated solutions enable faster investigations of suspicious behaviors that could compromise credentials or systems. For example:

◉ Cisco Stealthwatch looks for behavioral indicators of compromise in activity traversing the network, including encrypted traffic without the need to decrypt the data. IBM QRadar builds on that detection, as well as other Cisco solutions like Firepower Threat Defense, to correlate events from network traffic and logs to help security teams quickly prioritize threats.

◉ Cisco Identity Services Engine helps you associate malicious activity with specific user credentials, and you can quarantine the user and lock down network access right from QRadar.

Responding to the attack is not just about gathering the information. You also need to understand how the business responds to the threat — is this something that needs public release of information, do you need to involve law enforcement, will this result in employee termination, and so on. To help operationalize incident response, you can use investigation results from all the integrated solutions to create a report in Resilient.


Innovative solutions to address customer needs


Many of the Cisco/IBM collaborative solutions are unique for the industry, and they’re based on lessons Cisco and IBM have learned from our extensive customer bases and our threat intelligence teams, Cisco Talos and IBM X-Force.

To make breach response more efficient, earlier this year we integrated Cisco Advanced Malware Protection (AMP) for Endpoints with QRadar and IBM Resilient SOAR. These integrations enable security teams to do things like:

◉ Receive AMP for Endpoints telemetry directly in QRadar for a consolidated view of events across endpoints and ability to search, analyze, and correlate them.

◉ Pull AMP for Endpoints data into Resilient to investigate events, automatically bring the results into an incident, and get more details on detected threats, then quarantine detected malicious files.

Since threats evolve quickly, defenses can’t rely on one mechanism alone. We work together in various other ways to help you detect unknown threats like ransomware or speed up response time. For instance:

◉ Resilient customers can submit suspicious malware samples to Cisco Threat Grid to be detonated, with the resulting hashes sent back to Resilient. This can stop malware or ransomware before it ever reaches the end user.

◉ IBM Resilient users can query Cisco Umbrella for a list of blocked domains, save them to a data table, and delete or add new ones — preventing end users from accessing risky internet connections.

We’re listening to your feedback


Because we’re invested in the results that this collaboration can produce for our customers, we’re continuously expanding and improving our integrated solutions based on your feedback. The latest examples are enhancements made to the Firepower Threat Defense and QRadar SIEM integration, which accelerate threat investigation and remediation by correlating events across network, applications, and users.

Our customers wanted to dig deeper than the top-level summaries previously available. We listened — and the new, enhanced Firepower app that we’re releasing provides a higher level of detail in the integrated dashboard.

With Firepower Threat Defense and QRadar, you can answer questions like:

◉ Which hosts in my network are potentially compromised?

◉ Which hosts are known to be compromised?

◉ What malware is most often observed in my network?

◉ Which hosts have sent the most malware?

This is just one of the new enhancements and expansions we’ve been making as part of our alliance, and more are on the roadmap. By reducing complexities, increasing visibility, and improving threat defenses, our collaboration is improving outcomes in areas that are top of mind for our customers.

Monday, 4 December 2017

CMS Brute Force Attacks Are Still a Threat

Brute force attacks existed long before the Internet. As a cryptanalytic technique, it was first used in attempts to access encrypted data when no other options were available. With the rise of the Internet, this type of attack was quickly adopted. In a nutshell, a brute force attack consists of systematically trying different credentials until the correct combination is found. It’s like trying to open a combination lock by going through all possible combinations: eventually, it will pop open.