Saturday, 23 March 2019

Calling in Webex Teams Now Powered by Cisco BroadCloud

A proven calling platform that brings cloud innovation to the mid-market and large enterprise.


Today Cisco announced a new enterprise-class, native cloud solution – Webex Calling. It’s powered by bringing together the best of the proven Cisco BroadCloud platform as well as Cisco Webex. This brings Cisco’s total business cloud calling users to over 29 million worldwide. By combining a full enterprise PBX feature set with the rich team collaboration capabilities of Webex Teams, Webex Calling delivers the complete, integrated collaboration experience business users need. It will be sold under the Cisco Collaboration Flex Plan by Cisco VAR channel partners. Availability begins in the U.S. on March 31, 2019 and will expand to more than 35 countries across North America, Europe, Australia/New Zealand, and Japan by the end of the year.

We are already seeing a great fit in the market from our early partner engagements.

“The release of Webex Calling is timed perfectly with a phone refresh Presidio is doing for an important retail customer. The customer recognized immediately that they could configure, deploy, and manage over 2,500 handsets across 500 locations in nearly a plug-and-play fashion utilizing a lean IT team while saving hundreds of thousands of dollars in telecom costs,” said Vinu Thomas, CTO of Presidio. “The flexibility of adding and removing phones, the access to the full suite of Webex’s collaboration offerings, and the ease of automatic updates and patching are just a few of the reasons Webex Calling is a tremendous opportunity for Cisco partners and their customers.”

Superior alternative


Mid-market and enterprise business leaders have been reluctant to move to the cloud, due to concerns about scalability, feature functionality, reliability, and security. That’s why we only see a current cloud calling market penetration estimate of 8% for businesses with 100+ users, while the cloud penetration for the under 100 user segment is more than 25%, based on market analyst estimates.

Webex Calling eliminates these former barriers and gives business leaders the freedom to replace their aging PBX infrastructure with a superior cloud PBX alternative. With cloud delivery from a series of geo-redundant data centers in seven countries, operated by experienced Tier 4 operators, Cisco is able to deliver a multi-tenant cloud service that is more reliable, scalable, and secure than any on-premises option. And with a cloud service that counts release cycles in weeks, rather than years, Webex Calling is always up to date, delivering a more intelligent user experience.

Complete solution


Now Cisco can take users from their smartphone in their car, to the devices they use in their office, home, or meeting room with easy device handovers and rich business calling features at every step. With Webex Teams included, we’re making it simple to keep organizations connected and productive from wherever work gets done.

Here’s what you get with Webex Calling:

◈ A proven, enterprise-class cloud PBX
◈ Bundled with Webex Teams, for advanced collaboration
◈ Optional Cisco multiplatform (MPP) IP phones, headsets, and video devices
◈ Option to add Webex Meetings
◈ Simplified packaged pricing
◈ Investment protection through Cisco Collaboration Flex Plan purchasing
◈ Sales and service support from a qualified Cisco VAR channel partner
◈ Global availability expanding throughout 2019 to 35+ countries and 7 languages

Smooth transition

In most cases, larger businesses need more time to transition over to the cloud. In some industries, like financial services, they may not ever move completely to the cloud. That makes the time and process in this transition zone a key gating factor for these business leaders.

One of the most important advantages we see with Webex Calling is the flexibility it offers for customers looking to transition to the cloud in phases, rather than all at once. Cisco customers now have the freedom to move any site, or group of users to the cloud, while maintaining a common network dial plan and directory access for users across all cloud and on-premises PBX sites.

Powerful channels


Webex Calling will be sold primarily by Cisco value-added reseller partners (VARs) that are trusted by enterprises worldwide. So now mid-market and enterprise customers can get the performance, reliability, and security of a Cisco cloud calling solution from the Cisco channel partner they prefer, or are currently doing business with.

Early excitement and momentum with our VAR partners is building. Here’s what Joe Berger, Practice Director, Collaboration and End User Computing for World Wide Technology had to say. “As the UCaaS market continues to mature, we’re excited to have Webex Calling in our portfolio. The Cisco BroadCloud powered solution now gives us more options for those customers who are looking to move their collaboration workloads to the cloud . . . backed by the enterprise requirements that many businesses already expect from Cisco. When combined with Webex Meetings and Webex Teams, this truly becomes a next generation collaboration platform.”

We now have 19 U.S.-based partners already signed up to introduce Webex Calling to their business customers. Talk to one of these Cisco partners about Webex Calling:

◈ CDW
◈ CompuNet
◈ ConvergeOne, Inc.
◈ Core BTS
◈ Data Strategy, a Trace3 company
◈ Dimension Data
◈ ePlus
◈ Insight
◈ Iron Bow Technologies
◈ Logicalis
◈ LookingPoint
◈ PCM, Inc.
◈ Pivot Technology Solutions
◈ Presidio
◈ Sentinel Technologies
◈ ShoreGroup Solutions
◈ Sirius Computer Solutions
◈ Software House International
◈ World Wide Technology

Sunday, 5 August 2018

Why download the exploit, when you can carry it with you?

For the 2nd year, RSA Conference 2018 APJ created an educational exhibit, sponsored by RSA and Cisco, to monitor the RSA Conference public Wi-Fi network provided by the Marina Bay Sands (MBS). This exhibit was created in the form of the RSA Conference Security Operations Center (SOC). RSA and Cisco provided technology and staffing to monitor the network for threats, but also to educate attendees on the risks of free Wi-Fi.

What is the difference between a SOC and a NOC?


Network Operations Center

The NOC is usually responsible for monitoring and maintaining the overall network infrastructure; its primary function is to ensure uninterrupted network service.

Security Operations Center

The SOC is responsible for protecting networks, as well as web sites, applications, databases, servers, data centers and other technologies.

RSA and Cisco provided the SOC. The NOC was provided by the MBS.

The mission of the RSAC SOC was to ensure the conference Wi-Fi was not attacked (denial of service, laterally spreading malware, etc.). We did not block malicious DNS traffic, downloads or attachments, as this was a learning and demonstration environment. We made sure the network was protected from attackers, and we located (when we could) and advised users when they were at risk.

What technology is in the RSAC SOC?


MBS provided the RSAC SOC a SPAN of all network traffic from the .RSAConference network, which was passed through the Cisco Next Generation Firewall / IPS and then split between the NetWitness Packets and Cisco Stealthwatch teams.

RSA used NetWitness Packets to collect and investigate all traffic on the Wi-Fi network from the firewall, to detect deviations from normal behavior, and to create a probability-weighted risk score for alerts based on these results. NetWitness inspects every network packet session for threat indicators at time of collection and enriches this data with threat intelligence and business context. At the end of the conference, all of this data was wiped from NetWitness.

For suspicious files that might be malicious, NetWitness Packets checks a community AV lookup, some static analysis and its own network intelligence. Then the NetWitness Orchestrator sends the files to Cisco Threat Grid for dynamic malware analysis.

Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. Threat Grid analyzes the behavior of a file against millions of samples and billions of malware artifacts. The SOC team had a global and historical view of the malware, what it’s doing and how large a threat it posed to the RSAC network.

Threat Grid identifies key behavioral indicators of malware and their associated campaigns. The SOC team was able to save time by quickly prioritizing attacks with the biggest potential impact. We used tools like Glovebox to safely interact with samples and observe malware behavior directly. In addition, we used Cisco Umbrella to gain visibility into all DNS activity. We also used the threat intelligence of Cisco Visibility and Talos Intelligence.

When the Cisco team found a potential threat, they handed it off to the RSA team for further investigation. In summary, the technology stack was:

◈ Firewall – Cisco Next Generation Firewall with IPS
◈ Full Packet Capture and Investigation – RSA NetWitness Packets
◈ Orchestration – RSA NetWitness Orchestrator, powered by Demisto
◈ Dynamic File Analysis – Cisco Threat Grid
◈ DNS / IP Intelligence – Cisco Umbrella / Cisco Umbrella Investigate
◈ Encrypted Traffic Analytics – Cisco Stealthwatch and Cognitive Threat Analytics
◈ Threat Intelligence – Cisco Visibility

Identifying endpoint vulnerabilities without an agent

Cisco’s Next Generation Firewall was set up as the perimeter firewall for the wireless connection of the RSA APJ event. All traffic to and from wireless guests went through Firepower Threat Defense (FTD). FTD not only detected threats but also discovered what was running on the network endpoints, such as operating systems, ports, applications and files.

Discovered Applications

Discovered Files

Geolocation Information

During the conference, several threats were detected, and we were able to see the total connections and bytes to known bad IP addresses.

We were also able to see the total intrusion events detected per classification.

FTD automatically correlated threat events with the contextual information it had discovered to identify which IPS events to prioritize for further investigation. This was reflected in Impact Flag 1 events. The data showed 31 events to be prioritized.

The Impact Flag 1 events are shown below.

Checking the rule documentation of the BMP overflow IPS event shows that the rule applies only to traffic coming from the external network into the internal network.

It is also applicable only if the target host has this vulnerability; the rule documentation includes a reference to the cve.mitre.org entry.

Checking the event, we confirmed that it came from the Internet into the network. The IPS event details are below.

Checking the host profile, we confirmed that the target host had this specific vulnerability.

The vulnerability list of the target host was derived from the discovered operating system and applications.

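As an added illustration (not code from the post or from Cisco's FTD), here is a simplified model of the correlation described above: an IPS event is promoted to the top of the queue only when the rule's traffic direction matches the observed flow and the profiled target host carries the vulnerability the rule references. The hosts, the rule, the CVE ids and the addresses are constructed placeholders, and the four-value flag scheme is a simplification rather than FTD's exact one.

```python
from collections import namedtuple

# Constructed sample record types (placeholders, not RSAC SOC data).
Host = namedtuple("Host", "ip vulns")               # vulns: CVE ids inferred from discovered OS/apps
Rule = namedtuple("Rule", "sid name direction cves")  # cves: vulnerabilities the rule doc references
Event = namedtuple("Event", "sid src dst")

INTERNAL_PREFIXES = ("10.", "192.168.")   # constructed definition of the "internal" network


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def impact_flag(event, rule, hosts):
    """Simplified prioritisation (not FTD's exact scheme):
    1 = direction matches and the profiled target has the referenced vulnerability,
    2 = direction matches and target is profiled, but it lacks that vulnerability,
    3 = rule applies only external->internal and this flow is not inbound,
    4 = target host was never profiled by discovery, so it cannot be assessed."""
    inbound = not is_internal(event.src) and is_internal(event.dst)
    if rule.direction == "external->internal" and not inbound:
        return 3
    host = hosts.get(event.dst)
    if host is None:
        return 4
    return 1 if rule.cves & host.vulns else 2


def prioritise(events, rules, hosts):
    """Return only the events an analyst should look at first (flag 1)."""
    return [e for e in events if impact_flag(e, rules[e.sid], hosts) == 1]


# Constructed data set: one vulnerable host, one patched host, one unprofiled host.
HOSTS = {
    "10.0.0.5": Host("10.0.0.5", frozenset({"CVE-PLACEHOLDER-BMP"})),
    "10.0.0.9": Host("10.0.0.9", frozenset({"CVE-PLACEHOLDER-OTHER"})),
}
RULES = {
    9001: Rule(9001, "BMP overflow (constructed)", "external->internal",
               frozenset({"CVE-PLACEHOLDER-BMP"})),
}
EVENTS = [
    Event(9001, "203.0.113.7", "10.0.0.5"),   # inbound to vulnerable host -> flag 1
    Event(9001, "203.0.113.7", "10.0.0.9"),   # inbound, host not vulnerable -> flag 2
    Event(9001, "10.0.0.9", "10.0.0.5"),      # internal source, rule not applicable -> flag 3
    Event(9001, "203.0.113.8", "10.0.0.77"),  # target never profiled -> flag 4
]
```

Running `prioritise(EVENTS, RULES, HOSTS)` leaves only the first event, which is the kind of 31-of-many reduction the dashboard above reported.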
Why download the exploit, when you can carry it with you?

On the 2nd day of the conference, the SOC team observed a .DOC file sent to a conference attendee in a plain-text email, along with several PDFs. The .DOC file was extracted by NetWitness and had a score of 0 from the RSA Malware Analysis Community lookup, meaning it had never been detected by an AV vendor. The static analysis score was 80, making it worth a review, and the dynamic analysis/sandbox score from Threat Grid was 100, meaning confirmed malicious based on behavior. The team went into action to assess the threat.

The .DOC file was assigned a Threat Score of 100 for the behaviors of launching PowerShell and creating an executable file.

We were able to see the code in the document to create and launch the eng.exe file.

After creating the executable, the malware dropped artifacts on disk that are known to be used by remote access Trojans and opened communication with a domain on the Umbrella "Malicious" block list.

We pivoted to Umbrella Investigate to learn more. If we had AMP for Endpoints deployed on the endpoints in the network, we would have instantly been able to see affected endpoints and remediate.

In Umbrella Investigate, we learned more about the domain, including the global requests for the campaign.

Most of the affected computers were in the United States.

We found the hosting IP address 5[.]79[.]72[.]163 and then went into Cisco Visibility to access the global Cisco threat intelligence and see whether there were more associated IPs.

With this intelligence, we were able to go to the Firewall and NetWitness teams and check whether there had been any outbound communication to those three IP addresses. There was none, indicating that the person who received the email did not open it on a vulnerable endpoint at the conference.

Everything an attacker needs for spear phishing lures

Threat Grid currently supports the following file types for analysis:

For the RSAC SOC, the NetWitness team focused on submitting the following file types, with the distribution in parentheses:

◈ .PDF (93%)
◈ .EXE (4%)
◈ .DLL (2%)
◈ .DOC/X (<1%)
◈ .XLS/X (<1%)

We saw many invoices, billing statements and confidential business proposals sent as email attachments over insecure protocols such as POP3 and HTTP. Each could be used by an attacker sniffing the public network to craft a custom spear phishing lure, because they contained legitimate business and financial information: the email addresses of the sender and receiver, account information, billing addresses and the types of products or services the recipient expected to receive.

Cryptomining

At Black Hat Asia 2018 in March, we saw a massive increase in cryptocurrency mining. With the Black Hat training courses there were also 20 times as many domains of concern for roughly the same volume of DNS requests, around 5 million for each of the conferences in Singapore.

There was much less cryptomining at RSAC; however, several common mining-related sites were still active.

When we saw the cryptocurrency mining activity based on Umbrella DNS requests, Stealthwatch provided visibility into the endpoint without an agent or connector. Below is the dashboard of Cognitive Cloud Analytics (CTA). Together with Cisco Stealthwatch Enterprise, CTA is part of Cisco Encrypted Traffic Analytics. This solution can detect malware hiding in encrypted traffic without decrypting the data.

Upon investigating the “High Risk” and “Confirmed” events, three endpoints were identified as having cryptocurrency mining activity at the time of investigation.

Below is a snapshot of the endpoint activity related to cryptocurrency mining.

Combining Umbrella with Stealthwatch Enterprise and CTA, we could identify the endpoint that made the initial cryptocurrency mining DNS request and then see its detailed HTTPS requests to the mining server.
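An added example, not from the post and not from the Umbrella or Stealthwatch products, of the DNS-to-flow correlation described above: DNS queries for known mining domains identify the endpoint and the server it resolved, and the HTTPS flows that follow to that server quantify the activity per endpoint. The log formats, domains and addresses are constructed placeholders.

```python
import csv
import io
from collections import defaultdict

# Constructed mining-domain list; real deployments would feed this from threat intelligence.
MINING_DOMAINS = {"pool.miner.example", "ws.miner.example"}

# Constructed DNS log (Umbrella-style: client, query name, resolved answer).
DNS_LOG = """\
ts,client_ip,qname,answer
1533427200,10.1.1.23,pool.miner.example,198.51.100.10
1533427205,10.1.1.23,www.example.com,93.184.216.34
1533427260,10.1.1.41,ws.miner.example,198.51.100.11
1533427300,10.1.1.57,mail.example.org,192.0.2.25
"""

# Constructed flow records (Stealthwatch-style: who talked to whom, port, bytes).
FLOW_LOG = """\
ts,src_ip,dst_ip,dst_port,bytes
1533427201,10.1.1.23,198.51.100.10,443,48211
1533427206,10.1.1.23,93.184.216.34,443,1200
1533427262,10.1.1.41,198.51.100.11,443,90310
1533427310,10.1.1.57,192.0.2.25,993,3100
1533427400,10.1.1.41,198.51.100.11,443,120044
"""


def mining_lookups(dns_csv):
    """Return {(client_ip, resolved_ip): qname} for queries to known mining domains."""
    out = {}
    for row in csv.DictReader(io.StringIO(dns_csv)):
        q = row["qname"].lower().rstrip(".")
        if any(q == d or q.endswith("." + d) for d in MINING_DOMAINS):
            out[(row["client_ip"], row["answer"])] = q
    return out


def correlate(dns_csv, flow_csv):
    """Tie each mining DNS lookup to the HTTPS flows from the same client to the
    resolved server, giving endpoint -> {domain, server, sessions, bytes}."""
    lookups = mining_lookups(dns_csv)
    result = defaultdict(lambda: {"domain": None, "server": None, "sessions": 0, "bytes": 0})
    for row in csv.DictReader(io.StringIO(flow_csv)):
        key = (row["src_ip"], row["dst_ip"])
        if key in lookups and row["dst_port"] == "443":
            r = result[row["src_ip"]]
            r["domain"], r["server"] = lookups[key], row["dst_ip"]
            r["sessions"] += 1
            r["bytes"] += int(row["bytes"])
    return dict(result)
```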