Do I really need additional email security when using Office 365?

This is probably the most common question I get asked today!

What customers are really asking is “Can I rely on the built-in security capabilities in Office 365 or do I still need to run a 3rd party email security solution such as a Secure Email Gateway?” And the answer — well that depends; every customer’s environment is different.

Do I have to go to the Cloud?

But first, let’s get the most common misconception out of the way. While it is more efficient to run your email security gateway in the cloud, close to your Office 365 tenancy, there is actually no technical reason why you can’t continue using your current on-premise email security appliances to also protect Office 365, during the migration and even afterwards. After all, it is just a matter of MX record addressing and routing, or in other words ensuring you have all the connections between your on-premise email security gateway which would be responsible for receiving all incoming email and Office 365 which would be hosting your users inboxes set correctly. Sure, this isn’t the most efficient method as you are tromboning or hair-pining traffic up and down and most organizations would only run in this mode for the time frame of the migration. If you already own the solution and have staff trained to support and manage it, it makes sense to see what value it adds to Office 365 first before you consider migrating to a cloud email platform, don’t change too much at the same time, let the Office 365 migration settle in first.

How to Answer the Question – For Your Environment

What a customer needs to do, whether its related to the Cisco Email Security solution or any other 3rd party solution, is to consider all the areas of Office 365 where these 3rd party solutions can supplement the base capabilities of Office 365. Don’t just ‘tick-box compare’ features. Look at all features and understand how they work. Can the Office 365 features do everything I need today and what I might need it to do tomorrow? Consider how you can address any gaps and what it means for your organization.

One example of how 3rd party email security gateways can add value to Office 365 is to consider spam quarantine management. In Office 365 there are essentially two ways that a user can get access to and manage quarantined email that have been classified as false positives. The most common method is via the Junk folder in their Outlook client, it can be difficult to search but generally works well. The second method is a web-based end-user quarantine system. Confusing, but the main issue is that there are very few categories of spam in Office 365. Either an email is categorized as spam or its not and this causes an issue on providing end-user spam management. There are very few controls about what end-users have access to and what they do not. Ideally, you’d likely rather not want your end-users making decisions around whether to release potentially malicious or inappropriate/pornographic content, you have to ensure you are providing a safe working environment for all employees.

Clearly security is the most important area of capability where we can supplement the core capabilities in Office 365. We have had many customers decide to just rely on Office 365 for email security only to come back several months later. What we have seen as a very common theme across these customers is that the first impact they see is at the help-desk which was not expected. The issue is that they have changed out one of the core security technologies that the organization had probably been using for years and become accustomed to, the spam detection engine. Most of the leading email security providers do a pretty good job today, I couldn’t tell you the last time I had a spam message in my inbox. Suddenly the new spam detection engine is letting through some spam, users can’t remember what to do with spam, so they call the help-desk, all at once! Then after that initial rush, end-users start to notice some email possibly missing and now the help-desk are doing (learning in a hurry) message tracking looking for false positives.

A perfect example of a misstep many organizations make by doing a ‘tick-box’ comparison is that a feature like a spam detection engine can have significantly different capabilities depending on the vendor. Cisco Email Security has been innovating our email security solution for over 20 years. Our world class threat intelligence is supplied by the largest non-government threat research organization in the world, Talos.

There are many other areas in email security to consider; known malware recognition, unknown or suspect attachment handling, embedded URL handling, support for external threat intelligence and active content disarm and reconstruction. All these functions make meaningful differences in keeping the bad stuff out and your inboxes safe.

Also consider how easy your system is to manage. What reports have you come to rely on in your old systems, what are your managers expecting to see? Have you tested Office 365 to see what it’s like to do message tracking? Have you created email policies?

How confident are you in the capability of the policy engine? Are you even confident that you can recreate all your current email policy in Office 365? What policies will you need in the future? In our experience, in addition to reporting, this is the other area often not tested extensively enough in initial evaluations. With the growing amount of regulatory compliance regulations, having an advanced policy engine with plenty of policy conditions and actions coupled with significant flexibility is more likely to support your efforts. While the Cisco policy engine currently has 24 conditions and 26 actions within its content filtering policy engine, it’s what those options are that make the difference. For example, full control over adding/editing header information and the ability to reroute email based on policy are a couple of options that we see organizations using for a variety of business enablement projects. Our customers are getting real business value out of their email security solution, and the options themselves; another example of how dangerous it is to box tick!

Suggested Decision Process

So now that we have some understanding of what we should be looking at, what’s the best way to go about this analysis? Below are a series of steps to consider to help you make an informed decision:

1. Your current email policy: This is a great opportunity to assess all the policies and settings that you are relying on now. Are they all needed going forward? What have you seen or tested for yourself that is supported by Microsoft?

2. Email security capabilities: How these technologies work on your email flow is what is important. There are many ways of validating this by either running different solutions in a monitoring only mode or Bcc’ing/copying email to the solution under test for analysis and then deletion. Is Office 365 by itself blocking everything you need? If it is missing some email, is that critical for your organisation? What sort of impact could result in certain types of email getting through to end-users? (Missed spam, malicious attachments, inappropriate content, malicious URL’s, advanced phishing attacks etc?).

3. Advancing Phishing detection: Phishing has been a scourge for years because it is constantly evolving. The latest iteration, BEC or Business Email Compromise, has financially impacted many organisations large and small all around the world. BEC is difficult to detect, includes no attachments or embedded URL’s and is sent in low numbers and in a very targeted way. Has your company had issues? Do you know someone who has? What could the impact be for you? Does your current solution have any specialist support for BEC? Have you measured how much that is catching and are you sure that Office 365 would be able to detect and block these even using the advanced phishing capabilities in Microsoft’s ATP optional add-on? This in particular is a great area to potentially leverage a specialist solution such as Cisco’s Advanced Phishing Protection module which can work in any email environment.

4. Management: How easy is the solution to use? Can you track a message all the way through the scanning process? Can the search engine easily find and release quarantined email? Are you using end-user spam management now? Do you want to continue to use it? Will the capability offered in Office 365 meet your HR driven employee policies and requirements?

5. Reporting: Do you have any automatic scheduled reports being sent within your organization; perhaps to senior management? Can these be replicated within just Office 365? What reporting, or compliance auditing requirements can you see being required in the short term? Are these reports supported?

6. External Domain Protection: Becoming a more common inclusion for corporate messaging teams, organizations are using DMARC and related standards to monitor which organizations are sending email using your domain. Is your brand being negatively affected by being used in phishing attacks? While Office 365 does not offer any capability here, this is another area that can be addressed or supplemented using standalone products or solutions such as Cisco Domain Protection.

Licensing & Recommendations

For the majority of our customers, the ideal combination is Office 365 E3 with Cisco Cloud Email Security. This combination includes all the core Office 365 products supplemented with an enterprise class email security solution. The ATP features for Safe Links and Safe Attachments are easily met and exceeded in Cisco’s Cloud Email Security, this is the combination that Cisco itself runs.

Moving up to the E5 licensing tier is a difficult decision, you need to look at all the inclusions you get, which are substantial and determine what value your organisation would get out of these. From an email security & management viewpoint everything is pretty much covered with the combination recommended above except for the advanced email archiving capability if you need that over the basic option in E3.

There are also of course all the collaboration/telephony services which Cisco has great solutions for as well!

Options for Proving the Value

So how can you prove the decision you are making is the right one, or at least if you have already deployed Office 365 by itself, test to see how it is performing from a security viewpoint at least?

Cisco has an analysis tool called “Threat Analyzer for Office 365” and it works by accessing a selection on your user’s inboxes (you define which ones) via the Microsoft Graph API built into Office 365. Threat Analyzer scans these inboxes using the same email security engines that we have in our commercial offerings, looking for any email that we would have detected as Spam, Gray-mail, Malicious Email (with attachment or embedded URL) or inappropriate spam. Threat Analyzer does not do anything to this email or the inbox, it just records what the Cisco email security engines would have detected and then produces a report showing these results. From this report you can get an idea of the extra value you would get from running Cisco email security together with Office 365. However, it needs to be remembered that not all the security engines can be used (Connection filtering for example) with a configuration such as this, so your final experience would be even better than the report would suggest.

There are also other options, the recommended option would be to have Cisco email security running in front of Office 365 so it is the internet facing email server for your email domains, this way 100% of the Cisco security capability can be brought to bear. You can test this by using the default policy which would detect/block & quarantine within Cisco email security, or you simply tag email for it to be then processed by Office 365 and see the combined results. We have also seen other organizations creating a BCC rule within Office 365 to copy all email that is to be delivered to end-users also copied to Cisco email security to see what would have been blocked as well, although this also limits the security engines that can be used as it is also not internet facing, the same limitation that Threat Analyzer for Office 365 has.

Continue reading

Securing Industrial IoT

It’s hard to ignore the ubiquity of the internet of things (IoT). Even if you’re one of those holdouts that doesn’t own consumer IoT devices such as a smart speaker, internet-connected thermostat, or a smart watch, industrial IoT (IIoT) devices—a subset of the IoT landscape—are already playing a part in your daily life. From the delivery of water and electricity, to manufacturing, to entertainment such as amusement park rides, IIoT devices are part of more industries than not, and have been for some time. Gartner recently estimated that there were 4.8 billion IIoT assets in the world at the end of 2019, and expects that number will grow by 21 percent in 2020.

The biggest issue faced in many operational technology (OT) environments, which host IIoT assets, isn’t just this growth, but also dealing with older industrial control systems (ICS) that have sometimes been in operation as long as 30 years. Many of these assets have been connected to the network over the years, making them susceptible to attacks. These legacy devices were often deployed on flat networks, at a time when the need for security took a back seat to other priorities, such as high availability and performance.

The discovery of vulnerabilities in these systems doesn’t always mean that patches are, or even can be, rolled out to fix them. Patching many of these IIoT assets means taking them offline—something that’s not always an option with critical infrastructure or production lines that rely on high availability. So patches are often not applied, and vulnerabilities stack up as devices age, leaving attackers with a large swath of exploits to attempt in the pursuit of compromising IIoT assets.

And the number of vulnerabilities discovered in IIoT devices is growing, as is evident in research carried out by Cisco Talos’ Security Research Team, whose mission is to discover vulnerabilities before the bad guys do. During their look back at 2019, Talos pointed out that they published 87 advisories about vulnerabilities in IoT and ICS devices—by far the largest category for the year. In fact, there were 23 percent more advisories published in this space than there were for desktop operating systems, the second largest category, and historical mainstay targeted by attackers.

This isn’t all that surprising in a field that’s growing this fast. But it’s worth considering how adding new assets into a network, as well as securely maintaining the OT network where assets reside, presents new challenges and naturally increases the attack surface.

So, if you’re using IIoT assets in your business, what sorts of threats do you need to look out for? And how do you protect your devices?

Getting in

The good news is that most IIoT assets aren’t directly exposed to the internet, meaning attackers must rely on other methods to get to them. In essence, the same techniques used in other attacks are used to get to IIoT assets.

The most common vector for compromise—email—certainly applies here. An attacker can attempt to gather information about engineers, plant managers, and developers that have access to IIoT systems and specifically target them with phishing emails. Compromising a computer owned by any of these users can be the most direct path to compromising IIoT assets.

Unpatched systems, simple or default device passwords, and relaxed remote access policies for maintenance contractors all offer attackers avenues of approach. Weaknesses in any of these can provide ways for an attacker to move laterally and gain access.

The reality is that IIoT-specific threats are not that common of an occurrence. There are threats that have attacked general IoT devices en mass, such as Mirai and VPNFilter. And there are threats like Stuxnet, which specifically targeted PLCs. Of course such highly targeted threats are cause for concern. But it’s far more likely that an IIoT device will be compromised and reconfigured by an attacker than be compromised by a trojan or a worm.

Scorching the earth

Let’s say an attacker sets their sights on bringing a particular business to its knees. He or she begins by crafting an enticing phishing email with a malicious PDF and sends it to HR in the guise of a job application. The employee responsible for monitoring job enquiries opens the PDF, effectively compromising the computer.

The attacker works his or her way laterally through the network, monitoring network traffic and scanning compromised systems, looking for logins and authentication tokens. Without multi-factor authentication enabled for access, they encounter few issues in doing so. The attacker eventually manages to compromise a domain controller, where they deploy malware using a Group Policy Object (GPO), successfully compromising the entire IT network.

Due to poor segmentation, the attacker manages to eventually work his or her way to the OT network. Once in, the attacker performs reconnaissance, flagging the IIoT assets present. The attacker identifies vulnerable services in the assets, exploits them, and knocks them offline.

Production grinds to a halt and the business is effectively shut down.

Defense with an arm behind your back

So how do you defend your IIoT assets and the OT network as a whole against attacks, especially for high-availability assets that can’t readily be brought down to patch?

Network monitoring is often the most effective step you can take. However, it’s important to passively monitor the traffic when it comes to IIoT assets. Active monitoring, where traffic is generated and sent through the network specifically to observe its behavior, can result in an increased load on the network, causing disruptions to device performance and even causing them to fail. In contrast, passive scanning listens to the traffic, fingerprinting what it sees, rather than introducing new traffic into the OT environment.

Keeping a current inventory of assets on the network is also very important in protecting the IT and OT networks. Passive monitoring can help to identify assets on the network, including errant and rogue devices. With a comprehensive list of devices, you can create policies for asset groups.

It’s also very important to segment your networks. Having a complete asset inventory and policies in place will help when figuring out how to segment your IIoT assets and the OT network. While this may not prevent a determined attacker from crossing the boundaries between different areas of the network, it can slow them down, providing more time to respond in the case of an attack. Explore implementing zones and conduits as discussed in ISA99 and IEC 62443 within your organization.

However, it’s worth noting that many IIoT assets leverage broadcast and multicast network communications, where one or more devices will send traffic to all other devices on the network. This can pose a challenge when aggressively segmenting a network. To address this, having a complete inventory of assets on the network is important. Strong dataflow mapping is also helpful when it comes to knowing which assets are talking to each other and how they interact as a whole.

Patching IIoT assets as soon as possible after a vulnerability is discovered is highly recommended. But if it isn’t possible to take a device offline to patch, then visibility becomes critical. It’s important to know what assets you have and the network layout to identify what absolutely must be patched. It may also be worth exploring IIoT redundancy within your network, allowing you to take one device down while others pick up the load during maintenance cycles.

Being able to detect IIoT traffic anomalies is also very helpful. Look for behavior that falls outside of what is expected, such as two IIoT assets talking to each other that shouldn’t be, unplanned firmware updates, unexpected configuration changes, or other anomalies.

Finally, threat hunting is a great way to look for and weed out threats within your OT environment. Proactively looking for bad actors doing bad things, building playbooks, and automating them will go a long way to improve your security posture.

Easing the burden

Protecting IIoT assets is arguably one of the more difficult tasks in security. There are a wide variety of devices, many of which operate in a very tailored manner and don’t respond well to disruption that could be caused by many security processes and procedures.

Fortunately, there are a number of Cisco Security products that can help.

◉ Cisco Cyber Vision gives OT teams and network managers full visibility into their industrial assets and application flows. Embedded in Cisco industrial network equipment, it decodes industrial protocols to map your OT network and detect process anomalies or unwanted asset modifications.

◉ Identity Services Engine leverages the asset inventory built by Cisco Cyber Vision to create dynamic security groups and automatically enforce segmentation using TrustSec.

◉ ISA3000 is a ruggedized industrial firewall appliance you can deploy in harsh environments to enforce zone segmentation, detect intrusions, and stop network threats.

◉ Stealthwatch is a security analytics solution that uses a combination of behavioral modeling, machine learning, and global threat intelligence to detect advanced threats. Integrated with Cisco Cyber Vision, this visibility extends deep within the IIoT infrastructure.

◉ AMP for Endpoints can be used to protect engineering workstations within the OT environment.

◉ Duo’s multi-factor authentication can be used to prevent an attacker from gaining access to systems on the network as a they attempt to move laterally.

◉ Cisco Email Security can detect targeted phishing emails aimed at IIoT operators and others, preventing malicious payloads from reaching their intended target.

Ultimately, a layered approach will provide the best security. For instance, Cisco Cyber Vision can automate visibility of industrial devices and secure operational processes. Integrated with Cisco’s security portfolio, it provides context for profiling of industrial devices in Stealthwatch, and maps communication patterns to define and enforce policy using granular segmentation via with ISE.

Continue reading

Happy Birthday, Threat Response: Only a year old, but boy have you seen some things!

Cisco Threat Response: For security analysts, by one of their own

The work of a security analyst is arduous and time consuming but rewarding too. I know, I spent a good part of my career sitting in a seat, investigating and responding to threats in a Security Operations Center (SOC). I spent way too many hours and weekends moving from console to console piecing together information from disparate systems to investigate a single threat. The various SOCs I was part of were made up of millions of dollars in the latest, best-of-breed technologies alongside open source components and scripts that were supposed to work together but too often didn’t.

That’s why I’ve been focused on designing and building systems to make the lives of the security analyst easier and their work more effective. It’s rewarding to see the products we’ve built have a positive impact on an analyst’s abilty to do their job effectively. A year ago, we introduced a new application for security analysts to make security investigations fast and easy. It pulls content for detection and response from across the security stack: from the cloud, network, endpoint together in a central location. We call it Cisco Threat Response.

Rapid Adoption

Since we released the first version of Threat Response a year ago, it has been used in more than 3,600 SOCs, and has even added value in organizations without full blown SOCs. The feedback has been incredible and has given us so much confidence in Cisco Threat Response, we’re giving it away at no cost to existing customers. It’s included with the license for any Cisco Security product that integrates with it. As good as our Cisco Security products perform on their own, we know that they are even more effective when they’re used together. It’s all about making your SOC operations run faster: from detection, through investigation, to remediation. How? It’s all API-driven.

API-Driven

Cisco Security products have used APIs for years. The difference now is that Cisco Threat Response pulls them together so you don’t have to. With long lists of observables to investigate, Threat Response gets you immediate answers by calling both threat intelligence and our security portfolio APIs — confirming threats and showing you exactly where you’re affected — delivering a clear view of what’s happening.

Customers are excited to learn they can also utilize these APIs to integrate Threat Response directly into their existing Security Incident and Event Management systems (SIEMs) and Security Orchestration, Automation, and Response tools (SOARs). Customers even report they see Threat Response reducing the burden on their SIEMs.

And our customers seem to love this approach. One customer wrote to us “I like quickly being able to see infections on my network and this presents them in a really nice fashion…” Another said, “You cannot hit a target you cannot see. Threat Response simplifies security analysis”

Security integrations that simplify SOC operations

Picture a typical investigation that happens many times a day in SOCs around the world: A potential Emotet malware outbreak. Maybe you’ve investigated it yourself. Emotet a well-known banking trojan that attackers love, keeps coming back in fresh, new forms. The Indicators of Compromise associated with it include a very, very long list of known file hashes, distribution domains, and command-and-control IP Addresses. Investigating these observables one at a time to see if you’re affected can take hours.

Cisco Threat Response calls threat intelligence APIs to gather the all the dispositions for each one at once. Then it calls the Cisco Security products’ APIs and learns what each one knows about every observable. Cisco AMP for Endpoints knows what systems have the malicious file hashes. Cisco Umbrella knows which devices called out to malicious domains. Integrating your Email Security Appliance (ESA) lets you know who received that attachment or phishing URL and so forth until it gathers everything necessary to show you exactly what is happening in your environment.

More than a Pretty Face

Threat Response reflects years of back-end integration work by engineering. It begins and ends with a highly integrated architecture of world-class threat intelligence coupled the integration of advanced security technologies covering the attack surface across the cloud, network and endpoint. This is critical for effective, consistent detection and response across the critical points of your architecture.

Borrowing from the earlier example, an unknown file in an Emotet variant gets analyzed by our Threat Grid Malware Analysis engine and finds malicious behavior. Our architecture allows Threat Grid to share this intelligence across the entire portfolio so this file is blocked at the endpoint, in email, on the network for every customer around the world in a matter of minutes. And Threat Response shows you exactly every place where you were targeted by that file and confirms where it was blocked or detected.

Getting the Full Picture – the Relations Graph

That clear view we provide is perhaps the most compelling technology in Cisco Threat Response. By visually depicting the relationships among the observables and dispositions, the affected systems in your environment (called Targets and shown in purple), and the other systems that are related to the outbreak, you’ll know immediately whether you’re affected and how. Skip the hours and hours of investigation time.

Plus, you can take action directly from the Relations Graph. It provides actions (called Pivot Menus) from which you can continue the investigation in the other products’ consoles (taking you there seamlessly) or call their APIs directly to take action. Those Targets shown in purple? Maybe you want to quarantine those hosts through AMP for Endpoints, which you can do with a single click. Those malicious C2 domains? Maybe you want to tell Umbrella to block, at the DNS layer, everything on your network from connecting to them, which you can with another click.

Sources of Detection

Threat Response is driven by the individual Cisco Security products and threat intelligence sources that feed into it. Cisco Talos research and Threat Grid for threat intelligence, Threat Grid for static and dynamic file analysis, AMP for Endpoints for dynamic and retrospective endpoint detection and response, Email Security (the number one vector of attack), Umbrella for internet domain intelligence and blocking, and Next Generation Firewall for network detection and blocking. Threat Response brings these products together to bring you context about the events seen in your environment allowing you to further enrich this context with your own intelligence sources.

Operationalizing Threat Intelligence

One of the most popular features is the browser plug in we’ve developed that takes unstructured data from any webpage or application, finds the observables or indicators of compromise and automatically renders a verdict on that observable (clean, malicious, unknown) based on our threat intelligence. Like that Talos blog example we used earlier: one click pulls all the observables mentioned on that page without the need to manually cut and paste each one (and there are 634 observables mentioned – I had them counted!) Moreover, you can access the Threat Response pivot menu, including domain blocking, without ever leaving the page.

The best part about Threat Response is rate of innovation within the application. The endgame is better cybersecurity through better SOC operations: faster detections, simpler investigations, and immediate responses. We love what we have released to date and even more excited about our roadmap. Our engineering teams are delivering new enhancements, including new features and product integrations every two weeks. There’s much more to say about Threat Response than I can detail in a blog. I encourage you to experience it for yourself. The work of the SOC teams is too important to be tedious and increasing their efficiency will have better security outcomes for everyone.

Continue reading

Cisco Threat Response with Email Security Integration: Harmonizing Your Security Products

Those of us who have been in security for more than 20 years are very familiar with the assertion that security is a process. For me, security has always been a process like a melody that ties in all other parts of the song.  Staying on this musical analogy, if process is the melody, and you consider Cisco’s security portfolio as different instruments, then Cisco Threat Response is leading in this beautiful orchestration of investigation. Threat Response focuses on the process aspect of security. In this blog post, I want to introduce you to its value as an incident response tool and show you how to best utilize it with the integration of the Cisco Email Security product.

What is Cisco Threat Response?

Just like how harmony is essential to a great piece of music, it’s equally a critical aspect of modern security architecture. Today’s Security Operations Centers (SOCs) are inundated with alerts to potential threats, all scattered across a discordant array of security products that don’t always like to play nice with each other. More often than not, this results in a lot of wasted labor and time. Think of Cisco Threat Response as a conductor that harmonizes the various components of your security infrastructure. And with Cisco’s open architecture, the Security portfolio of products works together like an orchestra.

Threat Response integrates threat intelligence from Cisco Talos and the various third party sources that make up your SOC to automatically research indicators of compromise (IOCs) and confirm threats quickly. By channeling threat data into a single user-friendly interface, your SOC team analysts can quickly aggregate alerts, investigate, and remediate threats lurking about your systems, network and cloud. No matter how big or small your organization may be, Threat Response is designed to scale, ensuring your cyber security programs run efficiently, effectively, and most of all harmoniously.

Cisco Email Security

Email is easily the most pervasive technology across businesses. It’s hard to imagine living without it. However, as integral as it is to day-to-day business functions, it’s also one of the most commonly exploited attack vectors. With over 90% of breaches starting via email, having an email security solution in place is no longer a luxury, but a necessity.

Cisco Email Security provides best in class efficacy and has been recognized for the third year in a row as the Top vendor in The Radicati Group’s 2018  Secure Email Gateway report. In addition, the integration of Email Security with Cisco Threat Response provides you with a more robust approach to email security. This layered defense provides industry-leading protection against malware, phishing, spoofing, ransomware and business email compromise (BEC).

Avoid Phishy Melodies

Most threat narratives have a very similar beginning. An attacker has phished their way into a network via an email and successfully socially engineered a user into disclosing their credentials. Unfortunately, this is usually followed by organizations discovering far too late that they’ve been compromised. Remember, however, that in order for the above scenario to play out, the attacker has to complete a series of phases of their attack without being detected. Luckily, as the defender, all you need to do is detect them in one phase! Even if something does get through, if you can detect that threat and respond with a countermeasure before the attacker completes that phase, you have won.

Cisco Threat Response brings your threat detection capabilities into simple focus with:

Simpler Integration: Let’s say you have a situation where AMP for Endpoints has detected a malicious file represented by a file hash (SHA) or Stealthwatch has alerted you of a user connecting to a suspicious URL. You can use Threat Response to pivot directly to Cisco’s Email Security and ask for the email messages associated with this SHA or URL and this information can be then used to stop that attack’s campaign dead in its tracks.

Simpler Data Tracking: Want to know where that malicious email or potential threat came from? Threat Response allows you to track and isolate which user received that SHA or URL and lets you block the domain of origin without needing to switch programs. Additionally, if said malicious link was shared amongst your network, you can also see when and where it was sent and prevent it from spreading further.

Simpler Workflow: Like I mentioned earlier, Cisco Threat Response is all about simplifying threat response through harmonizing the various tools you already have in place into a single resource. Furthermore, not only does this allow security analysts to reduce the number of interfaces they’re using, but Threat Response also provides them with context based graphs, telemetry charts, and even response suggestions.

Simpler Threat Hunting: As your analysts respond to threats, they can also log their threat response processes and observations into the integrated Casebook function. Since Casebooks are built on cloud API and data storage, they can also follow you from product to product, across your entire Cisco Security portfolio. In turn, this allows for faster and effective threat response and remediation efforts across your enterprise thanks to the ability for analysts to easily build and share Casebooks.

Continue reading

Layers of Security

Do you remember the movie “Die Hard”? Arguably the best Christmas movie ever. All kidding aside, this movie has a great correlation into Security best practices. Before we go into that, let’s recap. The bad guys in the movie were going to steal $640M in bearer bonds. In order to do so, they needed to break through several layers of security:

◈ Infiltrate Nakatomi Plaza and get rid of the guards
◈ Get the vault password from Mr. Takagi
◈ Have your computer guy hack through the vault locks
◈ Have the FBI cut power to the building, which in turn disables the last lock

So, how does this relate to Security? Layers. Lots and lots of layers. Utilizing a layered approach to security means that there are several hurdles that the bad guys need to overcome in order to get to your “bearer bonds” (your data, user information, etc.). The more challenging it is for someone to gain access to your resources, the less likely they are to spend their resources in getting them. While that is not always the case, if your security methodology is such that you can stop a large percentage of malicious activity early, you can focus on the more sophisticated attempts. Former Cisco CEO John Chambers said “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked. “. If you take this to heart, it will help in laying out the strategy you need to best protect your people, applications, and data.

There is not one way to accomplish setting up these layers and they are certainly not linear as attacks can come from both inside and outside of your network. Let’s take a look at some of these layers that could be considered foundational to any security plan.

Starting at the Front Door

From a technology point of view, this makes me think of the firewall. Granted, in many ways this is obvious. Limit access to/from the Internet. This is a great place to start as this is like a lock on the front door of your home. With today’s Next-Gen Firewalls, one can look at applications, provide deeper packet inspection, and ultimately more granular control. As the infrastructures change, we are now deploying firewall technology within segments of the network and now even into the Cloud.

Who? What? Where? When?

Nakatomi Plaza had locks on their doors, guards, and security cameras. Managing Whether it’s physical or network security, managing access is critical. When we understand who is accessing the network (employee, contractor, guest, CEO), how they are accessing it (corporate laptop, phone, personal tablet), where they are accessing (HQ, Branch Office, VPN), and even the time of day, decisions can be made to allow or deny access. Taking it a step further, access control today with a solution like Identity Service Engine (ISE) can take all of this into consideration to allow/deny access to specific resources on the network. For example, if a user in the Engineering group is at HQ and trying to update a critical server using their corporate issued laptop, the engineer may be able to do so. That same engineer still at HQ but on a personal laptop or tablet may be denied access. Managing access to resources is one of the most important and challenging areas of security.

You’ve Got Mail

Email is still the number one threat vector when it comes to malware and breaches. The criminals are getting smarter and when they send out a phishing attack, SPAM, or malicious email, they look completely legitimate and it’s challenging to know what is real and what is not. Email security solutions can pour through all incoming and outgoing mail. These tools can verify the sender and receiver. They can look at the content and attachments. Based on policies and information from resources such as Talos, compromised emails may never even make it to the recipient. As long as email continues to be a primary source of communication, it will continue to be a primary way to be breached.

We’re Not in Kansas (or the office) Anymore

Almost 50% of the workforce is mobile today. People are working from homes, hotels, coffee shops, and planes now. There is also the need to access data from anywhere at any time. Keeping that data secure is not the job of the cloud provider but the owner of the data. Additionally, the users accessing the data from so many not-so-secure locations are of course always using their VPNs every time, right? Wrong! In a recent survey over 80% polled admitted to not using their VPN when connecting to public networks. So, now the bad guys are through another layer of security. We need to protect the cloud users, applications, and data. CASB (Cloud Access Security Broker) is a technology that does just that. Cloudlock can detect compromised accounts, monitor and flag anomalies, and provide visibility into those cloud applications, users, and data.

As work becomes a thing we do and less of a place we go, the risk of attack gets higher. I said earlier that the number one threat vector is email. Within those emails, many of the malware is launched from clicking on a link. That means DNS is yet another method that can be used by the bad guys. In fact, around 90% of malware is DNS based. Umbrella provides not only a better Internet access, but a secure Internet access. Regardless of where you go, Umbrella can protect you.

Having all of these layers to protect your “bearer bonds” doesn’t guarantee that nothing bad will happen. The bad guys have a lot of resources and time to get what they want. This methodology will hopefully help make it so difficult for them, that they don’t want to even try. People, applications, and data. It’s a lot to protect and a lost to lose. If you do it correctly though, you get to be the hero at the end.

Continue reading

Better design for simpler, more effective security

Few will contest the notion that security is complex.

Evolving threats.  Clever, motivated attackers.   And all too often, vendor-inflicted complexity of managing security from the mismatched consoles from dozens of vendors.

In this case, not only must users jump between consoles but the actions that become familiar in one console are not at all helpful or relevant in another.  Each new console amounts to a new security management process – adding to greater complexity.

Continue reading

Secure by Design: Enhanced Interfaces Improve Email Security and Malware Analysis

In the infosec world, it’s well established that time is a precious commodity. Time to detection and time to resolution are critical concepts that can mean the difference between a minor incident and making the news. In order to be effective, security teams need to be able to quickly access data, gather insights and take the necessary actions to keep their organizations safe. To that end, we’re committed to simplifying our user interfaces and making it easier to manage security effectively across an enterprise. Cisco Email Security and Cisco Threat Grid are two prime examples.

Continue reading