Showing posts with label Cisco Secure Network Analytics. Show all posts

Tuesday, 12 April 2022

Announcing Risk-Based Endpoint Security with Cisco Secure Endpoint and Kenna Security

With a tidal wave of vulnerabilities out there and brand-new vulnerabilities coming out daily, security teams have a lot to handle. Addressing every single vulnerability is nearly impossible and prioritizing them is no easy task either since it’s difficult to effectively focus on the small number of vulnerabilities that matter most to your organization. Moreover, the shift to hybrid work makes it harder to assess and prioritize your vulnerabilities across your endpoints with traditional vulnerability scanners.

Kenna Security maps out the vulnerabilities in your environment and prioritizes the order in which you should address them based on a risk score. We’re excited to announce that after Cisco acquired Kenna Security last year, we have recently launched an integration between Kenna and Cisco Secure Endpoint to add valuable vulnerability context into the endpoint.

With this initial integration, Secure Endpoint customers can now perform risk-based endpoint security. It enables customers to prioritize endpoint protection and enhances threat investigation to accelerate incident response with three main use cases:

1. Scannerless vulnerability visibility: In a hybrid work environment, it’s increasingly difficult for traditional vulnerability scanners to account for all devices being used. Instead of relying on IP address scanning to identify vulnerabilities in an environment, you can now use the existing Secure Endpoint agent to get a complete picture of the vulnerabilities you need to triage.

2. Risk-based vulnerability context: During incident response, responders now have an additional data point in the form of a Kenna risk score. For example, if a compromised endpoint has a risk score of 95+, there is a high likelihood that the attack vector relates to a vulnerability that Kenna has identified. The score is a prioritization hint rather than proof of the initial access vector, but it can dramatically speed up incident response by helping the responder focus on the right data first.

3. Accurate, actionable risk scores: Organizations often struggle to prioritize the right vulnerabilities because most risk scores, such as the Common Vulnerability Scoring System (CVSS), are static and lack important context. In contrast, the Kenna Risk Score is dynamic and context-rich: it uses data science techniques such as predictive modeling and machine learning to account for real-world threat activity. This lets you understand the actual level of risk in your environment and allows you to effectively prioritize and remediate the most important vulnerabilities first.

How does the Kenna integration work?

The Kenna integration brings Kenna Risk Scores directly into your Secure Endpoint console. As an example of this integration, the computer in the screenshot below (Figure 1) has been assigned a Kenna Risk Score of 100.

Figure 1: Kenna Risk Score in the Secure Endpoint console

Risk scores range from 0 (lowest risk) to 100 (highest risk). The score is inferred from the OS version, build, and revision update information reported by the connector, combined with Kenna's threat intelligence on vulnerabilities. Because it is inferred from that version metadata rather than from a scan, it reflects what is known to be unpatched on that OS build; a listed vulnerability is a candidate to investigate, not a confirmed point of entry.

Clicking on the actual numeric score itself brings you to a page with a detailed listing of all vulnerabilities present on the endpoint (see Figure 2 below).

Figure 2: List of all vulnerabilities on an endpoint

Each vulnerability has a risk score, an identifier, and a description that includes icons with additional details based on vulnerability intelligence from Kenna:

◉ Active Internet Breach: This vulnerability is being exploited in active breaches on the Internet

◉ Easily Exploitable: This vulnerability is easy to exploit, with proof-of-concept code potentially available

◉ Malware Exploitable: There is known malware exploiting this vulnerability

All of this information is extremely valuable context during an incident investigation. Exploiting vulnerabilities is one of the most common ways malicious actors carry out attacks, so by quickly understanding which vulnerabilities are present in the environment, incident responders have a much easier time homing in on how an attacker got into their organization.

Additionally, for vulnerabilities that currently have fixes available, clicking on the green “Fix Available” button on each vulnerability displays a box with links to the applicable patches, knowledge base articles, and other relevant information (see Figure 3 below). This gives analysts the information they need to efficiently act on an endpoint.

Figure 3: Recommended fixes for each vulnerability
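The following is an added example, not code from Cisco or Kenna, showing how a responder might consume the fields the console exposes (a 0-100 risk score, the three exploitation icons, and fix availability) and how the resulting order differs from a CVSS-only order. The EXAMPLE-* identifiers, the sample scores and the tie-break weights between equal risk scores are all assumptions.

```python
"""Risk-based triage of an endpoint's vulnerability list.

Added example, not Cisco's or Kenna's code: it models the fields shown in the
Secure Endpoint console (0-100 risk score, exploitation flags, fix available)
and contrasts the resulting order with a CVSS-only order. The tie-break
weights and the EXAMPLE-* identifiers are assumptions, not real CVEs."""
from dataclasses import dataclass

# Flags the console surfaces per vulnerability (names paraphrased).
ACTIVE_BREACH = "active_internet_breach"
MALWARE = "malware_exploitable"
EASY = "easily_exploitable"

# Assumed tie-break between equal risk scores: observed exploitation
# outranks "could be exploited".
FLAG_WEIGHT = {ACTIVE_BREACH: 4, MALWARE: 2, EASY: 1}


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    cvss: float                       # static base score
    risk: int                         # Kenna-style 0 (lowest) .. 100 (highest)
    flags: frozenset = frozenset()
    fix_available: bool = True


def _flag_weight(v):
    return sum(FLAG_WEIGHT[f] for f in v.flags)


def by_cvss(vulns):
    """Static ordering: highest base score first."""
    return [v.vuln_id for v in sorted(vulns, key=lambda v: -v.cvss)]


def by_risk(vulns):
    """Risk-based ordering: score first, exploitation evidence as tie-break."""
    return [v.vuln_id for v in
            sorted(vulns, key=lambda v: (-v.risk, -_flag_weight(v)))]


def investigation_leads(vulns, min_risk=90):
    """For a compromised endpoint: vulnerabilities most likely to be the entry
    vector, i.e. a high score plus evidence of real-world exploitation."""
    leads = [v for v in vulns
             if v.risk >= min_risk and v.flags & {ACTIVE_BREACH, MALWARE}]
    return [v.vuln_id for v in
            sorted(leads, key=lambda v: (-v.risk, -_flag_weight(v)))]


def remediation_plan(vulns):
    """Risk order with fix-available items first (patch); the rest are marked
    for compensating controls (mitigate)."""
    ordered = sorted(vulns,
                     key=lambda v: (not v.fix_available, -v.risk, -_flag_weight(v)))
    return [(v.vuln_id, "patch" if v.fix_available else "mitigate") for v in ordered]


# Constructed sample; identifiers are placeholders, not real CVEs.
SAMPLE = [
    Vuln("EXAMPLE-1", cvss=9.8, risk=45),
    Vuln("EXAMPLE-2", cvss=7.5, risk=97, flags=frozenset({ACTIVE_BREACH, MALWARE})),
    Vuln("EXAMPLE-3", cvss=8.1, risk=88, flags=frozenset({EASY}), fix_available=False),
    Vuln("EXAMPLE-4", cvss=5.3, risk=91, flags=frozenset({MALWARE})),
]

if __name__ == "__main__":
    print("CVSS order:", by_cvss(SAMPLE))
    print("Risk order:", by_risk(SAMPLE))
    print("Leads     :", investigation_leads(SAMPLE))
    print("Plan      :", remediation_plan(SAMPLE))
```

The point of the sample data is the inversion: EXAMPLE-1 tops the CVSS list but has no exploitation evidence, while EXAMPLE-4, a CVSS 5.3 finding, has known malware using it and ends up second in the risk order.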

Who can access the Kenna integration?


Vulnerability information and Risk Scores from Kenna Security are now available in the Cisco Secure Endpoint console for:

◉ Windows 10 computers running Secure Endpoint Windows Connector version 7.5.3 and newer
◉ Customers with a Secure Endpoint Advantage or Premier tier license, including Secure Endpoint Pro

Most vulnerabilities in our customer base occur on Windows 10 workstations, so we decided to release first with Windows 10 to deliver this integration faster. We plan on adding support for other Windows versions and operating systems such as Windows 11, Windows Server 2016, 2019, and 2022 in the near future.

We hope that you find this integration useful! This is the first of many steps that we are taking to incorporate vulnerability information from Kenna Security into Secure Endpoint, and we are excited to see what other use cases we can enable for our customers.

The Cisco Secure Choice Enterprise Agreement is a great way to adopt and experience the complete Secure Endpoint and Kenna technology stack.  It provides instant cost savings, the freedom to grow, and you only pay for what you need.

Source: cisco.com

Tuesday, 5 April 2022

Intelligent alert management


The challenge

In cyber security, we all know what alert fatigue is, and we know there is no silver bullet to get out of it. In our previous incarnation, our product was guilty as well. Who wants to go through 20,000 alerts one by one? And this was just from one product.


Building a detection engine


This article is part of a series in which we will explore several features, principles, and the background behind what we consider to be the building blocks of a security detection engine within an extended detection and response (XDR) product.

In this first article, we’ll start with alert fatigue and how we avoid it through the creation of intelligent alerts.

To manage alert fatigue, we are aware of several traditional approaches. “We only pay attention to High and Critical alerts,” some have said. That certainly helps, but at the expense of bringing more problems aboard. Apart from discarding a large part of what the product is trying to tell you, some of it notable, the product's “inbox” becomes a dump of unclosed alerts.

“In your next release, could you add elaborate filters and checkboxes so that I can mass close those alerts?” some have asked. We tried this way, but we found ourselves amidst views containing tables within tables, a very baroque system with delicacy and simplicity on par with the space shuttle.

“We gave up and got a SIEM and a SOAR!” we heard from others. That is all fine, when one wishes to move their SOC staff from security specialist roles to engineering integrators.

To sum up, we observed that in any case, we were really trading one issue for another. Rather than trying to manage the alert fatigue problem, we switched our approach to avoiding it in the first place. We introduced Alert Fusion.

Alert Fusion


In the Alert Fusion system, the basic unit of work is the alert. Rather than having one alert per each security event, we build the alerts intelligently, to mimic the unit of work of the security analyst.


Here is an example of such a unit of work. It covers two assets, with an identical set of threats detected on both. It's easy to see that WannaCry, SMB service discovery, and Excessive communication likely go together. While remediating these infections, one might want to look at the Emotet infection as well. Altogether, neglecting this unit of work is considered a critical risk, so it easily makes it to the top of the alert list.


The second example has a single ArcadeYum threat spanning a larger base of 78 assets. It is one of those pesky browser-altering, additional-software-promoting things that one might want to eradicate en masse rather than one by one. Admittedly, it isn't as problematic as WannaCry, so it is considered a medium risk.

Altogether, these two alerts cover nearly a hundred significant security events and many more contextual ones. Apart from removing the need for manual correlation, we can immediately discern the nature, the breadth, and the depth of the risks presented.

To sum up, an alert collates findings that the analyst might want to resolve together, either by working on it as an incident or by dismissing it for reasons of their choosing. To prioritize their work, each alert has a risk, and the alerts are ordered by this value.

The risk, as well as the grouping, are determined automatically by the system using what it knows about the detections. Now, let’s dive deeper into the basic ingredients in the cookbook: the threats and the assets.

Threats



A threat is anything we can name as a security risk. In this example, we feature Shlayer. It is important to note that we express threats in the language of threat intelligence and risk management – “what” has been detected as opposed to the technical language of detection means – “why” was it detected. We’ll cover the exact means of detection in a later article. For now, let’s assume that we somehow detected it.

A threat has a severity, in this example critical, which serves as the basis for the risk calculation. Threats come with factory-default severities that can be changed freely to suit each customer's threat model. For example, some customers may care less about crypto mining on their assets than others do.

We realize that detection methods are not infallible, especially in the world of machine learning. So, we assign a confidence value when a threat is detected. Currently, it can be either high or medium. The latter means the detector is not quite sure of the detection, so the risk is dialed down.

Assets



Similarly, we organize assets into Asset Groups that bear a business value. The organization is up to the customer and their threat model. Some customers have more diverse needs, while others have more of a flat structure. Where possible, we offer an educated guess of the default value for an Asset Group.  For example, servers get a high value, while guests get a low value. In any case, the values can be changed freely. The medium business value has no impact on the risk, while others will either increase or decrease it accordingly.

Reactive system



In summary, we see that Alert Fusion presents alerts which act as units of work and are prioritized by their risk, calculated from customer-applied settings such as threat severity and asset value.

It wouldn't be realistic to expect all configuration, if any, to have been done upfront. For example, a detection on a guest network might make one realize that the business value of that asset group should be lowered. So we provide the option to tweak alerts on the fly: we support a reactive workflow model.

The existing alerts may be reorganized at any time by turning a few knobs, namely the threat severity and asset value. This gives the option to explore safely. When not satisfied with the change, simply turn them back, rinse, and repeat.
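To make the Threats, Assets and Reactive system sections concrete, here is an added example (not Cisco's code) that fuses per-asset detections into alerts and ranks them by risk. The grouping rule (assets that share an identical threat set form one alert), the severity, confidence and asset-value weights, the risk labels and the sample detections are all assumptions modelled on the two examples above; the real product's formula is not published on this page.

```python
"""Toy Alert Fusion: fuse per-asset detections into analyst-sized alerts and
rank them by risk. Added example, not Cisco's code. The weight tables, the
grouping rule and the sample detections are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY = {"critical": 100, "high": 75, "medium": 50, "low": 25}  # assumed scale
CONFIDENCE = {"high": 1.0, "medium": 0.7}                           # medium dials risk down
ASSET_VALUE = {"high": 1.25, "medium": 1.0, "low": 0.75}            # medium is neutral

# Factory-default threat severities; a customer can override any of them.
DEFAULT_SEVERITY = {
    "WannaCry": "critical", "Emotet": "high", "Shlayer": "critical",
    "SMB service discovery": "medium", "Excessive communication": "medium",
    "ArcadeYum": "medium", "Crypto mining": "high",
}
# Educated-guess business values per asset group; also customer-adjustable.
DEFAULT_GROUP_VALUES = {"servers": "high", "workstations": "medium", "guests": "medium"}


@dataclass(frozen=True)
class Detection:
    asset: str
    asset_group: str
    threat: str
    confidence: str = "high"


@dataclass
class Alert:
    threats: frozenset
    assets: list
    risk: int
    label: str


def risk_label(score):
    if score >= 90:
        return "critical"
    if score >= 70:
        return "high"
    if score >= 40:
        return "medium"
    return "low"


def fuse(detections, severities, group_values):
    """Group detections into alerts and score each alert."""
    per_asset = defaultdict(dict)   # asset -> {threat: confidence}
    group_of = {}
    for d in detections:
        prev = per_asset[d.asset].get(d.threat)
        # Keep the higher confidence if the same threat was seen twice.
        if prev is None or CONFIDENCE[d.confidence] > CONFIDENCE[prev]:
            per_asset[d.asset][d.threat] = d.confidence
        group_of[d.asset] = d.asset_group

    # Assets with an identical threat set are one unit of work for the analyst.
    by_threat_set = defaultdict(list)
    for asset, threats in per_asset.items():
        by_threat_set[frozenset(threats)].append(asset)

    alerts = []
    for threat_set, assets in by_threat_set.items():
        score = 0.0
        for asset in assets:
            value = ASSET_VALUE[group_values.get(group_of[asset], "medium")]
            for threat in threat_set:
                sev = SEVERITY[severities[threat]]
                conf = CONFIDENCE[per_asset[asset][threat]]
                score = max(score, sev * conf * value)
        score = int(min(100, round(score)))
        alerts.append(Alert(threat_set, sorted(assets), score, risk_label(score)))
    # Highest risk first; wider spread breaks ties.
    alerts.sort(key=lambda a: (-a.risk, -len(a.assets)))
    return alerts


# Constructed sample modelled on the article: two workstations sharing four
# threats, one adware threat across 78 workstations, a guest laptop mining
# crypto, and a medium-confidence Shlayer detection.
SAMPLE_DETECTIONS = [
    Detection(ws, "workstations", t)
    for ws in ("ws-01", "ws-02")
    for t in ("WannaCry", "SMB service discovery", "Excessive communication", "Emotet")
] + [Detection(f"ws-{i:02d}", "workstations", "ArcadeYum") for i in range(3, 81)] + [
    Detection("guest-laptop", "guests", "Crypto mining"),
    Detection("mac-07", "workstations", "Shlayer", confidence="medium"),
]

if __name__ == "__main__":
    for a in fuse(SAMPLE_DETECTIONS, DEFAULT_SEVERITY, DEFAULT_GROUP_VALUES):
        print(a.risk, a.label, sorted(a.threats), f"{len(a.assets)} asset(s)")
    # Reactive tweak: guests turn out to be low value, so the mining alert drops.
    tuned = {**DEFAULT_GROUP_VALUES, "guests": "low"}
    print([a.risk for a in fuse(SAMPLE_DETECTIONS, DEFAULT_SEVERITY, tuned)])
```

Four alerts come out of about 90 detections: the WannaCry cluster on two assets at the top, the ArcadeYum spread across 78 assets at medium risk, the guest-network mining in between, and the Shlayer detection held to "high" rather than "critical" because the detector was only medium-confident. Re-running `fuse` with the guests group set to low value is the reactive knob from the previous section: nothing is recomputed except the ordering.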

Wrap-up


So, have we tackled alert fatigue successfully? As the saying goes, time will tell. It is already beginning to do so.

Since this system was introduced in 2020, we have seen a significant reduction in alerts per customer, usually by a few orders of magnitude. Our UI does not have to work as hard in terms of checkboxes, pagination, and filtering. Consequently, more customers reach the nice-to-be-in place of a zero-alert inbox, where 100% of the alerts have been viewed and interacted with.

Source: cisco.com

Tuesday, 16 November 2021

Cisco Secure Cloud Insights is your Eye in the Sky


In the world of cybersecurity, where information holds the keys to the kingdom, there is no shortage of data generated by numerous security tools. What is often lacking is information. Security professionals call it ‘actionable intelligence’ or ‘context’. Those in the trenches would appreciate a more nuanced view: context is the catalyst that converts data into intelligence. Context helps answer the questions How, What, Where, When and Who, and also the harder ones, So What and What Next, to get to the root cause and aid remediation. While context may be an easy concept to grasp, execution remains challenging.

With that context (pun intended) I am pleased to announce the launch of Cisco Secure Cloud Insights in partnership with JupiterOne. Secure Cloud Insights brings fresh and powerful capabilities to the SecureX portfolio, including comprehensive public cloud inventory and insights, relationship mapping to navigate cloud-based entities and access rights, and security compliance reporting. This new offering extends beyond traditional cloud security posture management and will enable Cisco’s security customers to effectively manage risk and reduce the attack surface of their cloud-native processes and applications.

Cisco has witnessed organizations on their digital transformation journeys grappling with IT sprawl and struggling to gain visibility into their cyber universe. Cloud Insights addresses this very pain point by tracking and normalizing data across multi-cloud and hybrid environments. Cloud Insights provides a knowledge graph of consolidated metadata pertaining to configurations, access policies, settings, tags, rules, and more that govern interaction between entities. Entities encompass users, roles, groups, policies, databases, datastores, devices, code repositories, storage buckets (e.g., AWS S3), cloud compute instances (e.g., AWS EC2), containers, functions, etc. APIs ingest this data from approximately fifty pre-defined integrations covering public cloud environments, vulnerability scanners, endpoint protection and network security tools, development and code repositories, identity providers, and more. Custom integrations are also supported using SDKs and webhooks.

Figure 1: Visualization of the graph database

While the graph database of mapped interactions is one of the key pillars of Cloud Insights, the other pillar is the ease with which this rich data can be queried. A simple plain language search maps to over 550 pre-built queries, with the option to create custom queries. Queries, singly or in combination, form the basis of all outcomes, be they alerts, summary dashboards, or compliance reports. By querying against this comprehensive relationship graph, tremendous opportunities and use cases become available. Cloud Insights uses this rich context to determine an organization’s security posture, including Cloud Security Posture Management, and reduces exposure by reporting compliance gaps, thereby promoting effective cyber governance and attack surface management.
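To show the kind of question such a relationship graph answers, here is an added example, not Cisco's or JupiterOne's code and not their query language. It builds a tiny graph of cloud entities (users, roles, policies, buckets, an instance and its security group) and walks the relationships to find who can write to a bucket and which internet-exposed instance has that ability. The entity kinds, relationship names and the sample tenant are assumptions.

```python
"""Toy knowledge graph over cloud entities with posture queries that walk
relationships. Added example, not Cisco's or JupiterOne's code or query
language; entity kinds, relationship names and the sample tenant are
assumptions."""
from collections import defaultdict, deque

INTERNET = "0.0.0.0/0"


class CloudGraph:
    def __init__(self):
        self.nodes = {}                 # (kind, name) -> properties
        self.out = defaultdict(list)    # src -> [(relationship, dst, props)]
        self.inc = defaultdict(list)    # dst -> [(relationship, src, props)]

    def add(self, kind, name, **props):
        node = (kind, name)
        self.nodes[node] = props
        return node

    def relate(self, src, rel, dst, **props):
        self.out[src].append((rel, dst, props))
        self.inc[dst].append((rel, src, props))

    def of_kind(self, kind):
        return [n for n in self.nodes if n[0] == kind]

    def walk_back(self, start, rels):
        """Breadth-first over inbound edges whose relationship is in `rels`.
        Returns {node: path-from-start} for every node reached."""
        paths = {start: [start]}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            for rel, src, _ in self.inc[cur]:
                if rel in rels and src not in paths:
                    paths[src] = paths[cur] + [src]
                    queue.append(src)
        return paths


def public_buckets(g):
    return sorted(name for kind, name in g.of_kind("bucket")
                  if g.nodes[(kind, name)].get("public"))


def principals_with(g, bucket, action):
    """Users and instances that reach `bucket` with `action` via
    policy <- role <- principal. Returns {principal: path from bucket}."""
    found = {}
    for rel, policy, props in g.inc[bucket]:
        if rel == "ALLOWS" and action in props.get("actions", ()):
            for node, path in g.walk_back(policy, {"HAS", "ASSUMES"}).items():
                if node[0] in ("user", "instance") and node not in found:
                    found[node] = [bucket] + path
    return found


def internet_exposed(g):
    """Instances behind a security group that admits ingress from anywhere."""
    return [inst for inst in g.of_kind("instance")
            for rel, sg, _ in g.out[inst]
            if rel == "PROTECTED_BY" and INTERNET in g.nodes[sg].get("ingress", ())]


def exposed_writers(g):
    """The 'so what': an internet-reachable instance whose role can write to a
    bucket turns an application compromise into a data-tampering path."""
    return sorted((inst[1], b[1]) for inst in internet_exposed(g)
                  for b in g.of_kind("bucket")
                  if inst in principals_with(g, b, "write"))


def build_sample():
    """Constructed tenant, not real infrastructure."""
    g = CloudGraph()
    alice, bob = g.add("user", "alice"), g.add("user", "bob")
    web = g.add("instance", "web-01")
    sg = g.add("security_group", "sg-web", ingress=(INTERNET,))
    admin, ro, deploy = g.add("role", "Admin"), g.add("role", "ReadOnly"), g.add("role", "Deploy")
    p_admin, p_read, p_write = (g.add("policy", p) for p in ("AdminAccess", "S3Read", "S3Write"))
    exports = g.add("bucket", "customer-exports", public=False)
    logs = g.add("bucket", "logs", public=True)
    g.relate(alice, "ASSUMES", admin)
    g.relate(bob, "ASSUMES", ro)
    g.relate(web, "ASSUMES", deploy)          # instance profile
    g.relate(web, "PROTECTED_BY", sg)
    g.relate(admin, "HAS", p_admin)
    g.relate(ro, "HAS", p_read)
    g.relate(deploy, "HAS", p_write)
    for b in (exports, logs):
        g.relate(p_admin, "ALLOWS", b, actions=("read", "write"))
        g.relate(p_read, "ALLOWS", b, actions=("read",))
    g.relate(p_write, "ALLOWS", exports, actions=("write",))
    return g


if __name__ == "__main__":
    g = build_sample()
    print("public buckets:", public_buckets(g))
    for who, path in principals_with(g, ("bucket", "customer-exports"), "write").items():
        print("writer:", who, "via", [n[1] for n in path])
    print("exposed writers:", exposed_writers(g))
```

The third query is the one a single-tool view cannot produce: the security group finding (open ingress) and the IAM finding (a role with write access) are each routine on their own, and only their relationship through `web-01` makes them a path worth fixing first.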

With this introduction to Secure Cloud Insights, let us examine how the service fits in an organization’s security apparatus. We are experiencing a coming together of security outcomes that serve various stakeholders, be it Security Operations, Development Operations, Application Security, Cloud Architects, or Identity and Data protection processes.

Figure 2: Interaction between various cloud-native security functions

SecOps starts on the left with security posture and attack surface management as its entry point, while DevOps starts on the far right with the continuous integration and continuous delivery (CI/CD) pipeline and application/API security as its main concern. As SecOps moves right and begins to influence the other stakeholders in a mature organization, DevOps shifts left to include pre-deploy checks that use runtime security inputs. This evolution calls for tooling that provides end-to-end coverage, whoever the buying center or user is. Cloud Insights is thus positioned to provide contextual visibility that encompasses and enhances observability across the entire organization.

It is for this reason that we have integrated Cloud Insights with Cisco's security platform SecureX and intend to have it play a bigger role as a context wrapper for numerous other Cisco security services. Early research suggests force-multiplier effects through interaction with SecureX's Device Insights, and a symbiotic relationship with Cisco Secure Cloud Analytics (formerly Stealthwatch Cloud). While Secure Cloud Insights connects the dots, Secure Cloud Analytics baselines behavior by analyzing the traffic flowing between those dots. Integrated together, they can surface both relationship-based and anomaly-based threat vectors. The market has also shown early interest in how this pair interacts with other Cisco Secure properties such as Portshift and Kenna. With this partnership, Cisco has strengthened its position to serve our customers' cloud-native and hybrid IT security needs. It has also strengthened the Cloud component of Cisco's SecureX Platform, as seen in the figure below.

Figure 3: Inclusion of Cloud Insights to Cisco SecureX

Source: cisco.com

Tuesday, 28 September 2021

Mitigating Dynamic Application Risks with Secure Firewall Application Detectors


As part of our strategy to enhance application awareness for SecOps practitioners, our new Secure Firewall Application Detectors portal, https://appid.cisco.com, provides the latest and most comprehensive application risk information available in the cybersecurity space. This advance is important because today’s applications are not static.


In fact, applications are continuously evolving as new technologies and services emerge. This dynamic space creates new cybersecurity challenges, such as continuous changes to application relationships and hierarchies, and these changes create blind spots that often increase risk.

Secure Firewall users are entitled with their base license to Application Visibility & Control, which lets them:

◉ Discover network traffic with application-level insight

◉ Analyze and report on application usage

◉ Classify and manage application sessions (including web browsing, multimedia streaming, and peer-to-peer applications)

◉ Monitor application usage and anomalies

◉ Build reports for capacity planning and compliance

◉ Enforce quality-of-service (QoS) policies and service guarantees for latency-sensitive applications (such as voice over IP [VoIP] and interactive gaming)

◉ Implement fair-use policies and manage network congestion by optimizing application-level traffic

Secure Firewall Application Detectors identify three kinds of application:

◉ Application protocols such as HTTP and SSH, which represent communications between hosts.

◉ Clients, like web browsers and email applications, which run on endpoints.

◉ Web applications, including MPEG video and social media, which comprise the content or requested URLs of HTTP traffic.

In addition, you can leverage the relevant application data available within the portal to write and tune effective security policies based on specific application identification fields. For each application listed, the user can find the following details distributed across six fields:

◉ Application Name

◉ Description – A brief description of the application.

◉ Categories – A general classification for the application that describes its most essential function. Example categories include web services provider, e-commerce, ad portal, and social networking.

◉ Tags – Predefined tags that provide additional information about the application. Example tags include webmail, SSL protocol, file sharing/transfer, and displays ads. An application can have zero, one, or more tags.

◉ Risk – The likelihood that the application is used for purposes that might be against your organization’s security policy. The risk levels are Very High, High, Medium, Low, and Very Low.

◉ Business Relevance – The likelihood that the application is used within the context of your organization's business operations, as opposed to recreationally. The relevance levels are Very High, High, Medium, Low, and Very Low.


Furthermore, the new Secure Firewall Application Detectors website lets you sort web applications, shows the relationship and hierarchy between applications, and offers an advanced search on any of the fields above as well as simple, flexible keyword searching.
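The fields above are most useful when they drive policy rather than just lookup. Here is an added example, not Cisco's code and not the Secure Firewall rule format, of ordered rules that match on Risk and Business Relevance as ordinal levels plus Tags and Categories, evaluated first-match-wins the way an access-control policy is, with a keyword search over the same records. The sample applications and rules are invented.

```python
"""Turning Application Detector fields (risk, business relevance, tags,
categories) into ordered policy rules. Added example, not Cisco's code or the
Secure Firewall rule format; the sample applications and rules are invented."""
from dataclasses import dataclass

LEVELS = ("Very Low", "Low", "Medium", "High", "Very High")


def rank(level):
    """Ordinal position of a Risk / Business Relevance level."""
    return LEVELS.index(level)


@dataclass(frozen=True)
class App:
    name: str
    description: str
    categories: tuple
    tags: tuple
    risk: str
    relevance: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # e.g. "block", "monitor", "allow"
    min_risk: str = None          # risk must be at least this level
    max_relevance: str = None     # business relevance must be at most this level
    tags: tuple = ()              # any of these tags
    categories: tuple = ()        # any of these categories

    def matches(self, app):
        if self.min_risk and rank(app.risk) < rank(self.min_risk):
            return False
        if self.max_relevance and rank(app.relevance) > rank(self.max_relevance):
            return False
        if self.tags and not set(self.tags) & set(app.tags):
            return False
        if self.categories and not set(self.categories) & set(app.categories):
            return False
        return True


def evaluate(apps, rules, default="allow"):
    """First matching rule wins, as in an ordered access-control policy."""
    verdicts = {}
    for app in apps:
        verdicts[app.name] = next(((r.action, r.name) for r in rules if r.matches(app)),
                                  (default, None))
    return verdicts


def search(apps, keyword):
    """Keyword search across name, description, tags and categories."""
    k = keyword.lower()
    return sorted(a.name for a in apps
                  if k in a.name.lower() or k in a.description.lower()
                  or any(k in t.lower() for t in a.tags + a.categories))


SAMPLE_APPS = [  # constructed records; the tag and category names are the portal's
    App("ExampleShare", "Consumer file sharing site", ("web services provider",),
        ("file sharing/transfer", "SSL protocol"), "Very High", "Very Low"),
    App("ExampleCRM", "Hosted sales CRM", ("e-commerce",), ("SSL protocol",), "Low", "Very High"),
    App("ExampleFeed", "Social feed with ads", ("social networking", "ad portal"),
        ("displays ads",), "Medium", "Low"),
    App("ExampleMail", "Web mail service", ("web services provider",),
        ("webmail", "SSL protocol"), "Medium", "Medium"),
]
POLICY = [  # constructed ordered rules
    Rule("block-risky-unneeded", "block", min_risk="High", max_relevance="Low"),
    Rule("block-file-transfer", "block", tags=("file sharing/transfer",), max_relevance="Medium"),
    Rule("watch-social", "monitor", categories=("social networking",)),
]

if __name__ == "__main__":
    for name, verdict in evaluate(SAMPLE_APPS, POLICY).items():
        print(f"{name:13} -> {verdict}")
    print("ssl:", search(SAMPLE_APPS, "ssl"))
```

Expressing the first rule as "risk at least High and relevance at most Low" rather than as a list of application names is what keeps the policy valid when the VDB update reclassifies an application or adds a new one.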


The new site is publicly available from any device with internet browsing capabilities, and assists users with rapid identification of web applications as key artifacts leveraged for security operations use cases such as:

◉ Detection of malicious or abusive use of applications, protocols, or ports.

◉ Ability to research across applications using similar protocols, ports, or behaviors.

◉ An initial layer in a defense-in-depth strategy, providing protection for web applications (XSS, CSRF, etc.) based on network artifacts.

◉ Securing vulnerable applications whose source code has not been properly reviewed or which are unpatched and may leave an open door for communication exploits.

◉ Applying hot fixes for newly discovered vulnerabilities in applications that use unexpected communication ports or protocols.

Cisco Secure Firewall Application Visibility and Control is constantly adding application detectors through the Cisco Vulnerability Database (VDB). VDB is a central repository of known vulnerabilities, as well as fingerprints for operating systems, clients, and applications. The Secure Firewall Application Detectors website is powered by VDB and assists users in quickly determining if a particular application increases the risk of compromise.

The accuracy and maintenance of the VDB are advanced by the new portal, as users can easily submit requests for new application detectors, add custom applications to the database, or dispute the risk categorization of already registered applications. The submission form is easily accessible from the website.


Saturday, 26 June 2021

Complete and continuous remote worker visibility with Network Visibility Module data as a primary telemetry source


Navigating the new normal

Organizations are facing new challenges in monitoring and securing their remote workforces. Many users don't always use their VPNs while working remotely, which creates gaps in visibility that increase organizational risk. In the past, many organizations viewed these occasional gaps as negligible because the overall volume of non-VPN-connected remote work was low. That is no longer the case: organizations and workers have been thrust into a new “work from home (WFH) era”. This led to an explosion in the need for remote access from anywhere and on anything, expanding the attack surface and the opportunities for attackers. As if that weren't enough, organizations were also hit with a wide-ranging and prolonged blackout in employee activity visibility, leaving security teams scrambling to adapt as overall organizational risk levels rose.


Nostalgically remembering the good old days…

Back in olden times, circa late 2019 – back in the heydays of employee-activity visibility via on-premises network monitoring, and way, way back when people’s work-week routines involved commuting to the office, clocking in, logging onto the corporate network, and doing work in between water cooler breaks – organizations using Secure Network Analytics had absolute, total visibility into everything that their employees were doing. Back then, before the WFH era – security teams could instantly glean deep insights into practically everything that was being hosted within, interacting with, and connecting to their corporate networks. And despite these being simpler times, security teams still had to be incredibly agile, up to speed with rapidly changing and evolving technologies, and always ready to react to security incident-related fire drills at a moment’s notice.

Amidst the arms race that is network security, SecOps professionals must always be comfortable with high-pressure situations and fast-paced environments. It just comes with the territory. Plain and simple. It’s a job that requires a thick skin and continuous adaptation. I have always been impressed with security professionals’ ability to embrace such complexity and ambiguity, remain calm and collected, and just focus on the task at hand and execute. And I especially admire the ones that are naturally energized by their work and thrive on it. However, last year’s abrupt exodus away from corporate offices marked a paradigm shift that left even the best security teams in the dark and effectively lent a whole new meaning to the age-old adage, “the only constant is change”.

New WFH blind spots

To illustrate, in today’s new WFH era, whenever remote workers don’t use their VPNs, organizations are 100% blind to what their employees are doing. This prevents security teams from successfully establishing baselines of normal worker behavior and continuously monitoring them, concomitantly preventing them from being able to alert on anomalous activity and hindering their ability to detect certain types of threats. As a result, SecOps teams have been left in the dark and have been finding themselves asking questions like, have any of our users visited malicious URLs? Is anyone exfiltrating sensitive proprietary data? Have any users’ devices been unintentionally compromised and are now demonstrating command and control (C&C) activity? Are we facing compliance-related and broader organizational risks due to employees running outdated and vulnerable operating systems that need to be patched?

Obtaining complete and continuous remote worker visibility with NVM data

To address this WFH visibility blackout, Secure Network Analytics release 7.3.1 began making endpoint Network Visibility Module (NVM) data a primary telemetry source, giving organizations continuity in remote worker monitoring without requiring NetFlow telemetry to be present. That was phase 1. With release 7.3.2, the Data Store now supports collection of all NVM telemetry records, offering complete and continuous remote worker visibility. Whether a user works on-network, works remotely (at home or in a coffee shop) without tunneling through a VPN, or uses split tunneling, the NVM module records all of their network activity locally on the endpoint. Whenever the worker next turns their AnyConnect VPN back on, the module phones home and sends the cached records to Secure Network Analytics. Note that this visibility into off-VPN activity is retrospective: the records reach the collector only after the endpoint reconnects, so detection of what happened off-network is delayed by however long the client stayed off the VPN.

This gives security practitioners the continuity in visibility that they need by allowing them to monitor remote worker activities through the collection and storage of NVM endpoint records. Security teams can now gain visibility into activities that they were previously blind to, such as:

◉ Downloading and hoarding of large amounts of sensitive company data

◉ Data exfiltration or the sharing of sensitive company data to an external source

◉ Visiting malicious IP addresses and/or inadvertently installing trojans or other malicious processes

◉ Running older operating system versions with vulnerabilities that need patching

Et cetera. The list of potentially suspicious activities goes on, regardless of whether they are unintentional or motivated by an insider that has gone rogue.

Additionally, with Release 7.3.2, customers that are using NVM data along with a Data Store deployment are also gaining the following benefits:

◉ NVM telemetry records can be collected, stored, and queried in the Data Store

◉ New NVM reports that are now available in the Report Builder application

◉ The ability to define customized security events based on NVM data-specific criteria

◉ All Endpoint Concentrator functions are now fully managed by the Flow Collector

Figure 1. A Secure Network Analytics deployment enabled with both the AnyConnect Secure Mobility Client and the Data Store. User endpoints generate NVM data with rich and granular device context – such as IP addresses, host and usernames, machine types and models, which operating systems and versions are running, the processes that launched network connectivity, MAC addresses, hash information, and more – that is all collected and stored in the Data Store.
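The list of activities above and the "customized security events based on NVM data-specific criteria" in the benefits list are easiest to understand as rules over the per-connection records the figure describes (host, user, process, hash, destination, bytes sent, OS version). The following is an added example, not Cisco's code and not the Secure Network Analytics rule syntax: four such rules run over constructed records. The record layout, the thresholds, the allowlist and threat-list entries and the sample data are all assumptions; destination addresses use documentation ranges.

```python
"""Custom security events over Network Visibility Module style endpoint
records. Added example, not Cisco's code or the Secure Network Analytics rule
syntax; the record layout, thresholds and sample data are assumptions."""
import ipaddress
from collections import defaultdict

# Corporate address space (assumed); anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GIB = 1024 ** 3


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def os_build(version):
    """'10.0.19042' -> 19042 (the Windows build number is the last component)."""
    return int(version.split(".")[-1])


def exfil_candidates(records, threshold=GIB):
    """Per host and process, bytes sent to external destinations at or above
    threshold: the 'hoarding then sharing externally' pattern."""
    totals = defaultdict(int)
    for r in records:
        if is_external(r["dst_ip"]):
            totals[(r["host"], r["process"])] += r["bytes_out"]
    return sorted((h, p, b) for (h, p), b in totals.items() if b >= threshold)


def malicious_contacts(records, bad_ips):
    """Connections to addresses on a threat list, with the process that made them."""
    return sorted({(r["host"], r["process"], r["dst_ip"])
                   for r in records if r["dst_ip"] in bad_ips})


def outdated_hosts(records, minimum_build):
    """Hosts reporting an OS build older than the patch baseline."""
    return sorted({r["host"] for r in records
                   if os_build(r["os_version"]) < minimum_build})


def unknown_processes(records, known_hashes):
    """Network-initiating binaries whose hash is not on the allowlist."""
    return sorted({(r["host"], r["process"], r["process_hash"])
                   for r in records if r["process_hash"] not in known_hashes})


def _rec(host, user, process, phash, dst_ip, dst_port, bytes_out, os_version):
    return dict(host=host, user=user, process=process, process_hash=phash,
                dst_ip=dst_ip, dst_port=dst_port, bytes_out=bytes_out,
                os_version=os_version)


# Constructed sample records; destinations use documentation address ranges.
SAMPLE_RECORDS = [
    _rec("lt-anna", "anna", "outlook.exe", "h-outlook", "192.0.2.10", 443, 120_000, "10.0.19042"),
    _rec("lt-anna", "anna", "rclone.exe", "h-unknown1", "203.0.113.8", 443, 900 * 1024 ** 2, "10.0.19042"),
    _rec("lt-anna", "anna", "rclone.exe", "h-unknown1", "203.0.113.8", 443, 600 * 1024 ** 2, "10.0.19042"),
    _rec("lt-bo", "bo", "chrome.exe", "h-chrome", "198.51.100.23", 80, 4_000, "10.0.19044"),
    _rec("lt-bo", "bo", "chrome.exe", "h-chrome", "10.0.0.5", 445, 50 * 1024 ** 2, "10.0.19044"),
    _rec("lt-cy", "cy", "teams.exe", "h-teams", "192.0.2.44", 443, 300_000, "10.0.18363"),
]
BAD_IPS = {"198.51.100.23"}                        # constructed threat-list entry
KNOWN_HASHES = {"h-outlook", "h-chrome", "h-teams"}  # constructed allowlist
PATCH_BASELINE = 19042

if __name__ == "__main__":
    print("exfil   :", exfil_candidates(SAMPLE_RECORDS))
    print("bad ips :", malicious_contacts(SAMPLE_RECORDS, BAD_IPS))
    print("outdated:", outdated_hosts(SAMPLE_RECORDS, PATCH_BASELINE))
    print("unknown :", unknown_processes(SAMPLE_RECORDS, KNOWN_HASHES))
```

Two design points carry over to real rules: the exfiltration check aggregates per host and process rather than per connection, because a 50 MB SMB copy to an internal share is not the same signal as 1.5 GB pushed to one external host by an unfamiliar binary; and the internal address space is declared explicitly rather than taken from `ipaddress.is_private`, which would also treat the documentation ranges used here as non-global.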

Extend the zero-trust workplace to anywhere on any device


Deploying the NVM module software does more than meet the challenges outlined above by extending visibility beyond the walls of the enterprise network. It also extends the zero-trust workplace to anywhere and to any device, giving security practitioners visibility into who is online and what they are doing through granular device context: IP addresses, host and user names, machine types and models, operating system and version, the processes that launched network connectivity, MAC addresses, file hash information (useful when potentially harmful files are being shared across the network), and more.

Comprehensive, context-rich visibility is simply table stakes in our “new normal”


Despite efforts to begin transitioning back to the office, with some organizations adopting hybrid models going forward, a significant paradigm shift has already occurred: WFH is here to stay. Lacking visibility into remote worker activity is no longer a negligible risk that can be ignored, nor should any NDR solution portray such visibility as a “nice to have” rather than a “need to have” capability. In today's “new normal,” with users connecting to the enterprise network from literally anywhere and on literally any device, the need for continuity in visibility across all remote activity has never been more pronounced.

Modern problems require modern solutions. Nowadays, organizations need NDR solutions that offer an unparalleled breadth and depth of visibility across their modern, distributed networks. Secure Network Analytics delivers the most comprehensive, granular, and continuous visibility into remote worker activities through the Network Visibility Module, as well as best-in-breed and industry-leading behavioral analytics to alert on suspicious and anomalous network activity.

Source: cisco.com