Showing posts with label Secure. Show all posts

Thursday, 29 July 2021

Threat Intelligence in SecureX: Fast, Free, or Easy (pick any three)

SecureX is Cisco’s free, acronym-defying security platform. (“Is it XDR? Is it SOAR? Does it solve the same problems as a SIEM? As a TIP?” “Yes.”) From the very beginning, one of the pillars of SecureX was the ability to consume and operationalize your local security context alongside global threat intelligence.


And to that end, SecureX includes, by default, a few very respectable threat intelligence providers:

➥ The Cisco Secure Endpoint File Reputation database (formerly AMP FileDB) composed of reputation ratings for billions of file hashes collected from multiple sources including Talos, Cisco Malware Analysis and Secure Endpoint

➥ The AMP Global Intelligence database, aka SecureX Public Intelligence, curated from several internal and open source threat intelligence sources

➥ And, of course, the TALOS intelligence database, full of all manner of information discovered by the global TALOS research team and their advanced and often custom tooling

Also included is the Private Intelligence repository, which allows you to upload or create your own intelligence for inclusion in SecureX investigations.


But, there is a lot more to the world of threat intelligence than those three sources alone. Every research organization, whether free or paid, open or private, has their own area of focus, their own methods, their own guidelines and policies and practices, and their own view on any given threat. While it’s not true that more automatically equals better, a more complete and holistic view is often more valuable than a narrower view. That is, in fact, one of the primary design considerations for, and motivating reasons for the very existence of, SecureX itself.

And, many of our customers are already using additional sources – we knew that on day one, several years ago now, when we incorporated support for VirusTotal into the first version of what would become SecureX threat response.

That was also a driving reason behind the rollout of the remote relay modules last summer, which allow users to tie in arbitrary data sources. This design allows SecureX users to “roll their own” modules, deploy the code in their environments, and thereby leverage whatever they want as a resource in investigations.


Then we wrote and published a number of relays that were for specific well-known threat intelligence sources for users to deploy.

Recently, we have internalized these relays and are hosting them ourselves to simplify the way our customers incorporate them into their own SecureX environment. For Cisco-provided 3rd party relays, there is no longer a need to download, configure, and stand up a relay service.


This drastically decreases the investment of time and effort required to benefit from a multitude of available tools. Some of these tools are on-premises security controls or detection tools, but many are global threat intelligence providers – and many of those are free to use.

As I was setting up a few of them myself, I realized how easy and fast this was – a click, perhaps a paste of an API key, another click, and it was done. Then I saw how many more there were. And I wondered… how long would it take to get 10 of these added, and how much would it change the nature of an investigation?

For this experiment, I used the following, chosen somewhat arbitrarily and listed purely in alphabetical order:

➥ APIvoid
➥ AbuseIPDB
➥ CyberCrime Tracker
➥ FarSight DNSDB
➥ Google SafeBrowsing
➥ Pulsedive
➥ Shodan
➥ ThreatScore
➥ io
➥ VirusTotal

Several additional threat intelligence providers are available, and several of those are also free or very low cost (literally under $5/mo in one case).

So, how fast can 10 completely free threat intel sources be added into SecureX, and how does that enhance the scope of an investigation? You can see the video detailing the results, here:


Source: cisco.com

Saturday, 29 May 2021

Cisco Secure Firewall insertion using Cisco cAPIC in Azure

In today’s world, enterprises are undergoing a transition to innovate rapidly, keep up with the competition, and increase application agility to meet ever-changing customer demands. To achieve these goals, they often choose the hybrid cloud infrastructure approach, choosing different infrastructure environments to deploy different types of applications. Some applications are best suited for hosting on-premises, whereas others are better suited for hosting in public cloud. Thus, hybrid cloud is the new normal for many organizations. However, in a hybrid cloud environment, the challenge is to maintain a uniform enterprise operational model, comply with corporate security policies, and gain visibility across the hybrid environments.


Cisco Cloud Application Centric Infrastructure (Cisco Cloud ACI) is a comprehensive solution that provides:

◉ simplified operations

◉ consistent security policy management

◉ visibility across multiple on-premises data centers and public clouds or hybrid cloud environments

◉ unified security policy for the hybrid cloud

◉ extension of on-premises layer-7 security to the public cloud

In an on-premises Cisco ACI data center, Cisco Application Policy Infrastructure Controller (APIC) is the single point of policy configuration and management for all the Cisco ACI switches deployed in the data center. Cisco ACI Multi-Site Orchestrator (MSO) provides a seamless way to interconnect multiple Cisco ACI data centers. MSO is a software solution representing a single point of policy orchestration and visibility across multiple geographically dispersed ACI sites.

Cisco Cloud APIC runs natively on supported public clouds to provide automated connectivity, policy translation, and enhanced visibility of workloads in the public cloud. Cisco Cloud APIC translates all the policies received from MSO and programs them into cloud-native constructs such as VNets (Virtual Network), application security groups, network security groups, outbound rules, inbound rules, etc. This new solution brings a suite of capabilities to extend on-premises data centers into true hybrid cloud architectures, helping drive policy and operational consistency regardless of where your applications reside. Also, it provides a single point of policy orchestration across hybrid environments, operational consistency, and visibility across clouds.

Figure 1: Cisco ACI architecture for hybrid cloud

Figure 1 above shows the overall high-level architecture of Cisco Cloud ACI with Cisco ACI Multi-Site Orchestrator acting as a central policy controller, managing policies across on-premises Cisco ACI data centers, as well as Azure environment with each cloud site being abstracted by its own Cloud APICs.

Traditional firewall integration in on-prem Data Centers


To enable scalable and manageable network security in larger data center networks, on-prem Cisco Secure Firewalls (ASA and FTD) are integrated as “unmanaged” firewall (Cisco ASAv and FTDv/NGFWv) devices into existing ACI deployments. While existing ACI contracts can be easily leveraged for enforcing security policies within a single network security zone, insertion of ASA/FTD firewalls allows for segmented workload security for inter-zone traffic, thus reducing the load on leaf ACI switches.

Hybrid Cloud


The modern data center is a hybrid ecosystem, where some applications reside in classic on-prem environments, others are hosted in public cloud environments, or are co-located in both. Cisco Cloud ACI provides a uniform mechanism for data center operations, policy management, and visibility in a data center environment spanning multiple on-prem, cloud, and hybrid infrastructure components. To seamlessly navigate between ACI-aware data centers and cloud-native environments like AWS or Azure, the Cisco Cloud Application Policy Infrastructure Controller (cAPIC) functions as a universal translator that maps ACI-specific constructs (like service graphs or contracts) into CSP-specific language (like end-point groups or VPCs).

End-point groups (EPGs) represent applications running in the cloud, on-prem or hybrid environments. Service graphs represent L4-L7 devices inserted between EPGs, with ACI contracts and filtering rules defining inter-EPG communication scope and boundaries. cAPIC uses user-defined routing (UDR) to automatically derive network- or application-centric security rules from the specific policy configuration and contracts that apply to different EPGs. While cAPIC automatically configures the network needs of most elements in a service graph, cloud-native firewalls (like on-prem firewalls in a traditional ACI-aware data center) are treated as unmanaged entities, with the firewall configuration managed outside of cAPIC.

NOTE: Granular and accurate mapping between these two network policy models is crucial to ensure the correct deployment of network policies across Cisco ACI and Microsoft Azure. Figure 2 below shows how Cloud APIC handles this policy mapping.

Figure 2: Cisco ACI Policy Model to Microsoft Azure Policy Model mapping

Securing Azure with virtual ASA and FTD solutions


Cisco has validated an architecture for ASAv and NGFWv insertion in Azure using Cisco cAPIC L7 insertion. The following deployment scenarios have been validated as part of this effort.

◉ Multi-node (NGFWv LB sandwich)
◉ North/South and East/West traffic flow
     ◉ Spoke to Internet (N/S)
     ◉ Spoke to Spoke (E/W)
     ◉ Inter-region Spoke to Spoke (E/W)
     ◉ Internet to Spoke (N/S)
     ◉ Multi-AZ and Multi-Hub Architecture

Use case 1: Spoke to Internet (N/S traffic flows)


Test Scenario: Traffic from the workload destined to the internet is forwarded to Azure internal load balancer (ILB). ILB load balances traffic from the consumer EPGs to the internet through multiple Cisco Secure Firewalls (NGFWv).

Figure 3: Spoke to Internet (N/S traffic flows)

The above network topology depicts Cisco Secure Firewall in the hub VNET (overlay 2) in Azure. We have a service graph with ILB redirect to Cisco Secure Firewalls.

Traffic Flow

◉ The consumer sends traffic to the ILB.
◉ The ILB receives the traffic and forwards it to the firewall.
◉ The firewall receives the traffic, applies security policy, and sends it out via the outside interface. Outbound traffic is source-NATed (SNAT) on the firewall.

Consumer -> NLB [redirect] + FTD [SNAT] -> Internet

Use case 2: Spoke to spoke multi-node inter-VPC, intra-region traffic flow enablement


Test scenario: Traffic from the consumer EPG to the provider EPG is load-balanced through multiple Cisco Secure Firewalls.

Figure 4: Spoke to spoke multi-node inter-VPC, intra-region traffic flow enablement

The above network topology depicts Cisco Secure Firewall in the hub VNET (overlay 2) in Azure. We use a service graph with network load balancer redirect, Cisco Secure Firewall, and application load balancer.

Traffic flow

◉ The consumer sends traffic to the ILB.
◉ The ILB receives the traffic and forwards it to the firewall.
◉ The firewall receives the traffic, applies security policy, and sends it to the ALB.
◉ The ALB then sends it to the provider (workloads).

Consumer -> NLB [redirect] + FTD [SNAT] -> [ ALB -> Multiple Providers ]

Source: cisco.com

Monday, 8 March 2021

Balancing Safety and Security During a Year of Remote Working


I have not been inside an office building for 12 months. A sentence I did not imagine writing anytime soon. Last February, everything changed. And when we pause to reflect, we have to consider that, of the many dramatic impacts to our lives, to society, and the world, in the realm of the professional, one of the most impactful changes has been the fact that many of us no longer commute to an office to perform our jobs.

It’s been a year, give or take, since organizations had to provision extraordinary numbers of employees to work remotely as a result of the pandemic. Some companies may consider reopening traditional offices again, but the new work-from-home paradigm has many people contemplating a hybrid model (remote-first seems to be a popular option). In a recent Cisco study, not only were many people currently working remotely, but a substantial percentage of organizations also said that more than half of their employees would still work remotely once pandemic restrictions are lifted.

Source: Cisco Future of Secure Remote Work Report

The pandemic brings new security challenges


In security, we lament how new initiatives are often instituted with threat protection as an afterthought. This was somewhat true as well of the rush to remote working, especially for companies that had not previously entertained the concept of remote work.

Security cannot remain a secondary thought, and it was quickly understood that remote working led to new security challenges. The concept of “Bring Your Own Device” was in full bloom – maybe “Use Your Own Device” is more accurate given that no one has been bringing anything anywhere.

While we were working to secure this new environment, there was a dark side brewing; the world of cybercrime saw an opportunity to capitalize on the haste to preserve life, and we saw a rise in cyberattacks. In one analysis by Cisco Talos, pandemic-themed phishing scams emerged over the course of just a few months.

Percent of observed emails tracked by Talos containing pandemic themes

Source: Cisco, “Defending Against Critical Threats, A 12 Month Roundup”

While the pandemic raged on, and cybercrime targeted our fears, there was no slowdown in the everyday threats that carried on with broader targets, as shown in this timeline from a recent Cisco report.

Source: Cisco, “Defending Against Critical Threats, A 12 Month Roundup”

Cisco technology for secure, remote work


At the start of the pandemic, Cisco quickly took action to help our customers securely provision for remote workers. Some of the offerings included extended free licenses and expanded usage counts for Cisco Webex, as well as several technologies for securing remote access and endpoints.

We all know that the pandemic will not last forever, but as mentioned previously, remote work is a viable way to run many businesses. What are some of the best ways to protect your company’s workforce? Cisco has developed the Secure Remote Worker solution, which incorporates many security components needed to embrace this new work setting.

With Cisco, New Castle Hotels and Resorts was able to secure its remote workforce within hours. According to Alan Zaccario, Vice President of IT and Cybersecurity for New Castle:

“Cisco security has definitely proven to be the correct choice, because Cisco enables a strong security posture for remote work. When the rapid move to remote work happened, my biggest concern was helping people configure local printers and scanners, not scrambling to secure the enterprise.”

One thing that we can all agree on is that sitting alone in your room, working remotely, can be a lonely undertaking. That’s why collaboration tools are key to not only keeping the business on track, but also keeping us connected. However, collaboration can sometimes add more complexity, and that is why we have enhanced our Cisco Secure Remote Worker offering by coupling security with collaboration tools that make remote work more secure.

Finally, the Cisco SecureX platform brings all of our security technology (plus third-party technologies) together to protect users and devices wherever they are. SecureX is built into every Cisco product. It is a cloud-native platform that connects our integrated security portfolio and customers’ security infrastructure to provide simplicity, visibility, and efficiency.

SecureX delivers a unified view of customers’ environments, so they no longer have to jump between multiple dashboards to investigate and remediate threats. It also gives customers the ability to automate common workflows across security products from Cisco and third parties to handle tasks such as threat hunting and identifying device vulnerabilities.

“We really can’t afford a misfire with our security spend,” added Zaccario of New Castle. “We understand the Cisco security integrations, and how Cisco’s platform approach protects our investment.”

The tragedies of the pandemic have taught us many important lessons. From a technology perspective, as we all scrambled to create a fully remote workforce, it is nice to know that the capabilities to do so securely have kept pace with the need to protect the health of our most valuable assets, our co-workers.

Source: cisco.com

Thursday, 10 September 2020

Introducing Stealthwatch product updates for enhanced network detection and response


We are very excited to announce new features of Cisco Stealthwatch! With release 7.3.0, we are announcing significant enhancements for the Stealthwatch Administrator and the Security Analyst to detect and respond to threats faster and manage the tool more efficiently.

Automated Response updates


Release 7.3 introduces automated response capabilities to Stealthwatch, giving you new methods to share and respond to alarms through improvements to the Response Management module and through SecureX threat response integration enhancements.

New methods for sharing and responding to alarms

Stealthwatch’s Response Management module has been moved to the web-based UI and modernized to facilitate data-sharing with 3rd party event gathering and ticketing systems. Streamline remediation operations and accelerate containment through numerous new ways to share and respond to alarms through a range of customizable action and rule options. New response actions include:

◉ Webhooks to enhance data-sharing with third-party tools that will provide unparalleled response management flexibility and save time

◉ The ability to specify which malware detections to send to SecureX threat response as well as associated response actions to accelerate incident investigation and remediation efforts

◉ The ability to automate limiting a compromised device’s network access when a detection occurs through customizable quarantine policies that leverage Cisco’s Identity Services Engine (ISE) and Adaptive Network Control (ANC)


Figure 1. Modernized Response Management module with new response action options

SecureX threat response integration enhancements

Get granular and be specific with flexible rule configurations that provide the ability to:

◉ Define which alarms from Stealthwatch are shared with SecureX threat response

◉ Base shared alarms off multiple parameters, such as alarm severity, alarm type, and host group

◉ Share alarms from mission critical services with the ability to define incident confidence levels, how target objects are formed, and rule conditions based off targets created for internal or external hosts


Figure 2. Customize which alarms are sent to SecureX threat response by severity
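The rule parameters described above (alarm severity, alarm type, host group, incident confidence, and a target object formed differently for internal and external hosts) can be modelled as a small routing engine. The code below is an added illustration, not Stealthwatch's own API or configuration format; the rule names, alarm types, host groups, action names and IP ranges are constructed for the example.

```python
"""Illustrative alarm-routing rules in the style of the Stealthwatch Response
Management module.  Constructed example: not Stealthwatch's own API or
configuration format.  Rules match on severity, alarm type and host group,
then fan out to actions (SecureX incident with a confidence level, webhook,
ISE/ANC quarantine) with a target object formed from the alarm's host."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed internal address space; a real deployment derives this from
# its own host-group definitions.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class Alarm:
    alarm_type: str
    severity: str
    host_group: str
    host_ip: str          # the host the alarm fired on


@dataclass
class Rule:
    name: str
    min_severity: str                     # share at this severity or above
    alarm_types: Optional[Set[str]] = None  # None = any alarm type
    host_groups: Optional[Set[str]] = None  # None = any host group
    confidence: str = "Medium"            # incident confidence sent to SecureX
    actions: List[str] = field(default_factory=lambda: ["securex_incident"])


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def matches(rule: Rule, alarm: Alarm) -> bool:
    """All configured conditions must hold; unset conditions match anything."""
    if SEVERITY_RANK[alarm.severity] < SEVERITY_RANK[rule.min_severity]:
        return False
    if rule.alarm_types is not None and alarm.alarm_type not in rule.alarm_types:
        return False
    if rule.host_groups is not None and alarm.host_group not in rule.host_groups:
        return False
    return True


def build_target(alarm: Alarm) -> Dict[str, str]:
    """Form the target object: internal hosts carry their host group so the
    incident can be scoped; external hosts are identified by address only."""
    if is_internal(alarm.host_ip):
        return {"type": "internal_host", "ip": alarm.host_ip,
                "host_group": alarm.host_group}
    return {"type": "external_host", "ip": alarm.host_ip}


def dispatch(rules: List[Rule], alarm: Alarm) -> List[Dict]:
    """Return one action record per matching (rule, action) pair.
    A quarantine action is dropped for external targets, since ISE/ANC can
    only restrict network access for hosts it knows about."""
    records = []
    target = build_target(alarm)
    for rule in rules:
        if not matches(rule, alarm):
            continue
        for action in rule.actions:
            if action == "ise_quarantine" and target["type"] != "internal_host":
                continue
            rec = {"rule": rule.name, "action": action,
                   "alarm_type": alarm.alarm_type,
                   "severity": alarm.severity, "target": target}
            if action == "securex_incident":
                rec["confidence"] = rule.confidence
            records.append(rec)
    return records


# Constructed rule set: escalate everything high or above to SecureX and a
# webhook; quarantine malware-class alarms on managed host groups.
RULES = [
    Rule("high-sev-to-securex", "high", None, None, "High",
         ["securex_incident", "webhook"]),
    Rule("malware-quarantine", "medium",
         {"Malware Detected", "Remote Access Trojan"},
         {"Servers", "Workstations"}, "Medium", ["ise_quarantine"]),
]

# Constructed sample alarms.
SAMPLE_ALARMS = [
    Alarm("Remote Access Trojan", "high", "Workstations", "10.1.2.3"),
    Alarm("Suspect Data Hoarding", "low", "Servers", "10.9.9.9"),
    Alarm("Malware Detected", "medium", "Servers", "198.51.100.20"),
]

if __name__ == "__main__":
    for alarm in SAMPLE_ALARMS:
        for rec in dispatch(RULES, alarm):
            print(rec)
```

The third sample alarm matches the quarantine rule but produces no action because its target is external, which is the case a rule author needs to check when conditions are based on internal versus external targets.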

SecureX platform integration enhancements

Cisco’s SecureX platform unifies visibility, centralizes alerts, and enables automation across your entire security infrastructure on a single dashboard. Maximize operational efficiency, eliminate repetitive tasks, simplify business processes, and reduce human errors by:

1. Automating responses with pre-built workflows through SecureX’s orchestration capabilities
2. Creating playbooks with all your integrated security tools through SecureX’s intuitive interface


Figure 3. SecureX’s pre-built workflows and customizable playbooks

Enhanced security analytics


As threats continue to evolve, so do the analytical capabilities of Stealthwatch to deliver fast and high-fidelity threat detections. The cloud-based machine learning engine (Cognitive Intelligence) has been updated to include:

◉ New confirmed detections
◉ New machine learning classifiers for anomalous TLS fingerprint, URL superforest, and content spoofing detections
◉ Smart alert fusion in the new user interface (currently available in beta)
◉ New Stealthwatch use cases including Remote Access Trojan and Emotet malware detections


Figure 4. An example of the new content spoofing detector classifier in action.


Figure 5. Stealthwatch’s new GUI with smart alert fusion.

Easier management


Web UI improvements

Don’t let the setup process slow you down! Optimize installation with web UI enhancements that reduce deployment time and support full configuration of both the appliance and vital services before the first reboot.

Flow Sensor versatility and visibility enhancements

Get visibility into more places than ever before through ERSPAN (Encapsulated Remote Switch Port Analyzer) support now added to Flow Sensors. Benefits include:

◉ Visibility improvements through the ability to see within VMware’s NSX-T data centers to facilitate Flow Sensor deployment and network configuration

◉ Removed requirement of direct physical connectivity

◉ ACI traffic monitoring from Spine and Leaf nodes

Sunday, 2 August 2020

The Transformation of Software Testing


Traditional development and testing cycles have been a limiting factor for increasing the speed of creating and releasing new functionality as well as improving the quality of final releases. When much of a development team’s time is taken up with the looping, iterative cycle of design-develop-test-debug, a lot of creativity gets squeezed out of processes and people. Longer development cycles prevent new features—especially those specifically requested by customers—from being released on a timely basis. When customers have limited insight into how those features are being designed and implemented, they can be reluctant to implement them without extensive and time-consuming testing.

A trickier legacy issue to address is that IT buyers have lost trust in existing software development processes to deliver high quality code in dot zero releases. Instead they wait by default for future point deliveries, expecting more acceptable quality before even considering testing a release. Resolving this trust issue is a root driver of the transformation of testing.

We discussed the necessary shift in mindset required to digitize software development by making every person a developer and democratizing the entire process. We also touched on the value of integrating testing developers into the early design and develop stages. In this second post, we will examine in more detail this shift in testing to understand how it transforms the entire development cycle to the benefit of customers as well as developers.

Our goal in the Cisco platform independent group, which provides routing and control plane protocols and DevOps tools to the XE, XR and NX software development teams, is to digitize and transform processes and skillsets to create a hyper-efficient development organization. In particular, we are integrating the development of unit, integration, feature, system, and solution tests into the early stages of the development cycle with real-world use cases based on diverse customer network hardware and software configurations and topologies. How do we capture this detailed customer information? We listen. We share. We communicate.

Bidirectional Communication with Customers Critical in Early Development Stage


We are engaging customers much earlier in the development lifecycle with a goal to build a bidirectional communications channel between Cisco development and customers. First, we listen to understand customer requirements, topologies, and traffic patterns and feed those parameters into our design documents. We request customers’ device configuration files so we can prepare test plans incorporating an appropriate mix of “live in the field” hardware and software environments. We then verify with customer IT teams our design specifications to ensure a mutual understanding of goals. By providing insights into feature functionality and sharing test plans, customers can better prepare for implementation before the final release. Customers can also share their proposed test plans with our teams so that special use cases can be incorporated into our test plans as well.

Cisco customers have been eager to participate in early engagement opportunities to provide real-time feedback on specific feature designs and implementations. A participating customer related to our teams that the recent collaboration with Cisco Engineering “…was fruitful as it ensured that Cisco’s implementation of a specific feature was matching our expectations. Early engagement helps us understand new features so we can create successful design documents as well as train our certification teams. This early collaborative process also helps our team avoid ‘working as designed’ surprises during our testing.”

These collaborations among Cisco development teams and customers result in a reimagining of test design and procedures that permeate the development lifecycle.

Reimagining Testing Throughout Development


As we’ve previously discussed, within our platform-independent teams, everyone is a developer—from solution architects and designers to coders and testers. Each role plays a hand in ensuring the solutions and tools we build meet our customers’ requirements—whether internal teams or external enterprise IT organizations.

One key method of transforming testing efficiency and completeness is to integrate developers into the process who have in-depth experience with customer implementations, configurations, and troubleshooting. They participate upfront in the design stage to ensure that new features will work in real-world brownfield as well as greenfield environments. This change makes it possible to evolve from thinking primarily in terms of individual features that are designed, developed, and tested in isolation, to a customer-oriented solution approach. While each feature is coded with specific functionality by design, each must also be implemented as part of a complete networking ecosystem. Applying this philosophy not only helps identify unintended feature interactions, but also moves defect discovery to much earlier in the development cycle, in effect flattening the curve of found defects throughout the development cycle—a primary goal of testing transformation.

New features are not the only testing points to emphasize during the design phase. Since the main “users” of networking software are highly-trained technical professionals, serviceability is key to keeping them productive. For example, interfaces providing data such as telemetry and error codes, as well as CLI formats, are designed from the technical users’ point of view. In design documents, we consider how to expose sufficient debug information to enable faster problem resolutions, but without overwhelming technicians with irrelevant details. Here we are applying machine reasoning to assist in triaging issues. Ease of configuration of network devices and Day 2 management are also critical considerations for testing usability and serviceability. Training and automated checklists ensure that developers are abiding by serviceability guidelines and applying serviceability measurement to code during development.

New software releases are also scrutinized to minimize any unexpected changes in default behaviors. From release to release, behavior testing ensures that:

◉ Software doesn’t consume more memory or processing capacity than in a previous release unless a new feature requires it and is thoroughly documented to prepare the customer.

◉ New releases are backward compatible with supported hardware and software.

◉ Scale and performance do not degrade but stay consistent or improve.

Ultimately our goal in reimagining testing is to build a lasting bridge to quality to ensure our customers have trust in each and every release. While we have always performed intensive feature testing to validate functionality, integration, scalability, and usability, we are emphasizing a significant focus on solution level testing to ensure high levels of performance, interoperability, reliability, security, and conformance. Combined, these layers of testing will provide greater assurance that releases will perform as expected in a multitude of customer environments. We are building this bridge to quality with a unified development infrastructure for testing.

Unified Development Infrastructure Increases Automation and Consistency


Software in the process of being coded is often tested in virtual testbeds that can be quickly modified. This usually works fine for unit and integration testing. However, the further along the development cycle, the more complex the testing and interactions with the environment. Virtualized testing may not uncover all the issues that will be discovered in real-world configurations.

To address this gap, we are building flexible testbeds based on real hardware—routers, switches, servers, access points and software—that mimic real network deployments and operations. Since testbeds are based on a common infrastructure and environment, they enable reuse, code sharing, and complementary software testing. Unifying topologies and infrastructure in development and testing improves efficiency by uncovering issues earlier in the cycle.


The next phase, already in progress, is to create “topology on demand” testbeds that enable developers to design tests based on a variety of environments and have them automatically configured, based on network devices customers are actually using. We are also creating new tools to automate whole testing processes with reusable Test Blocks. These will enable developers to pick and choose from a library of pre-constructed tests. In turn, the tests are run with automation tools that perform the processing and recording of results. The testing process becomes more of an intellectual design exercise compared to manually assembling and running test after test with slight variations—a boon for developers working on tight timelines.

Transformation of Software Testing Benefits Developers and Customers


Reimagining and transforming the development testing cycle is paying off at Cisco in multiple ways. Internally, new tools for automating testing processes are making work more efficient and more engaging for developers at every stage of the software cycle. As we involve customer teams earlier in the development cycles, they are regaining trust in software release readiness and are willing to deploy new solutions sooner after release with more confidence.

Thursday, 4 June 2020

Umbrella with SecureX built-in: Coordinated Protection


Cybercriminals have been refining their strategies and tactics for over twenty years and attacks have been getting more sophisticated. A successful cyberattack often involves a multi-step, coordinated effort. Research on successful breaches shows that hackers are very thorough with the information they collect and the comprehensive plans they execute to understand the environment, gain access, infect, move laterally, escalate privileges and steal data.

An attack typically includes at least some of the following steps:

◉ reconnaissance activities to find attractive targets
◉ scanning for weaknesses that present a good entry point
◉ stealing credentials
◉ gaining access and privileges within the environment
◉ accessing and exfiltrating data
◉ hiding past actions and ongoing presence

This whole process is sometimes called the “attack lifecycle” or “kill chain”, and a successful attack requires a coordinated effort throughout. The steps above touch many different elements of the IT infrastructure, including email, networks, authentication, endpoints, SaaS instances, and multiple databases and applications. The attacker can plan in advance and use multiple tactics along the way to reach the next step.

Security teams have been busy over the past couple of decades as well. They have been building a robust security practice consisting of tools and processes to track activities, provide alerts and help with the investigation of incidents. This environment was built over time and new tools were added as different attack methods were developed. However, at the same time, the number of users, applications, infrastructure types, and devices has increased in quantity and diversity. Networks have become decentralized as more applications and data have moved to the cloud. In most instances, the security environment now includes over 25 separate tools spanning on-prem and cloud deployments. Under these conditions, it’s difficult to coordinate all of the activities necessary to block threats and quickly identify and stop active attacks.

As a consequence, organizations are struggling to get the visibility they need across their IT environment and to maintain their expected level of effectiveness. They are spending too much time integrating separate products and trying to share data and not enough time quickly responding to business, infrastructure, and attacker changes. The time has come for a more coordinated security approach that reduces the number of separate security tools and simplifies the process of protecting a modern IT environment.

Cisco Umbrella with SecureX can make your security processes more efficient by blocking more threats early in the attack process and simplifying the investigation and remediation steps. Umbrella handles over 200 billion internet requests per day and uses fine-tuned models to detect and block millions of threats. This “first layer” of defense is critical because it minimizes the volume of malicious activity that makes its way deeper into your environment. By doing this, Umbrella reduces the stress on your downstream security tools and your scarce security talent. Umbrella includes DNS security, a secure web gateway, a cloud-delivered firewall, and cloud access security broker (CASB) functionality. But no one solution is going to stop all threats or provide the quickly adapting environment described above. You need to aggregate data from multiple security resources to get a coordinated view of what’s going on in your environment, but you can’t sink all your operating expenses into simply establishing and maintaining the integrations themselves.

That’s where Cisco SecureX comes in. Cisco SecureX connects the breadth of Cisco’s integrated security portfolio – including Umbrella– and your other security tools for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications. Let’s explore some of the capabilities of SecureX, the Cisco security platform and discuss what they mean in the context of strengthening breach defense.

◉ Visibility: Our SecureX platform provides visibility with one consolidated view of your entire security environment. The SecureX dashboard can be customized to view operational metrics alongside your threat activity feed and the latest threat intelligence. This allows you to save time that was otherwise spent switching consoles. With the SecureX threat response feature, you can accelerate threat investigation and take corrective action in under two clicks.

◉ Automation: You can increase the efficiency and precision of your existing security workflows via automation to advance your security maturity and stay ahead of an ever-changing threat landscape. SecureX pre-built, customizable playbooks enable you to automate workflows for phishing and threat hunting use cases. SecureX automation allows you to build your own workflows, including collaboration and approval workflow elements, to operate more effectively as a team. It enables your teams to share context between SecOps, ITOps, and NetOps to harmonize security policies and drive stronger outcomes.

◉ Integration: With SecureX, you can advance your security maturity by connecting your existing security infrastructure via out-of-the-box interoperability with third-party solutions. In addition to the solution-level integrations we’ve already made available, new, broad, platform-level integrations have been and continue to be developed. In short, you get more functionality out of the box so that you can multiply your use cases and realize stronger outcomes.


Pre-built playbooks focus on common security use cases, and you can easily build your own using an intuitive, drag-and-drop interface. One example of the coordination between Umbrella and SecureX is in the area of phishing protection and investigation. Umbrella protects against a wide range of phishing attacks by blocking connections to known bad domains and URLs. SecureX extends this protection with a phishing investigation workflow that lets your users forward suspicious email messages from their inbox to a dedicated inspection mailbox, which starts an automated investigation and enrichment process. This draws on data from multiple solutions, including Umbrella, email security, endpoint protection, threat response and malware analysis tools. Suspicious email messages are scraped for artifacts (sender, URLs, attachments), which are then inspected in the Threat Grid sandbox. If malicious artifacts are identified, a coordinated response action, including approvals, is carried out automatically, in alignment with your regular operations process.
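As an added illustration of the artifact-scraping and enrichment steps described above (this is example code written for this page, not SecureX’s or Umbrella’s own implementation), the following Python script parses a forwarded message, extracts the sender domain, the URLs and their hostnames, and the SHA-256 of each attachment, then looks every observable up in a small local reputation table that stands in for the Umbrella, file-reputation and sandbox lookups the workflow would make. The sample messages, the attachment bytes and the reputation table are all constructed here; the decision logic mirrors the post’s approval step by flagging any malicious finding for a gated response instead of acting on it directly.

```python
"""Added example, not SecureX's own code: the artifact-scraping and
enrichment steps of a phishing investigation. The messages, attachment
and reputation table below are constructed for illustration."""

import email
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed attachment payload (not a real executable) and its hash.
SAMPLE_ATTACHMENT = b"MZ\x90\x00 constructed sample, not a real PE file"
SAMPLE_ATTACHMENT_SHA256 = hashlib.sha256(SAMPLE_ATTACHMENT).hexdigest()

# Constructed reputation table standing in for Umbrella / file reputation /
# sandbox verdicts. Anything not listed is treated as "unknown".
REPUTATION = {
    ("domain", "login-verify.example"): "malicious",
    ("domain", "intranet.corp.example"): "clean",
    ("domain", "corp.example"): "clean",
    ("sha256", SAMPLE_ATTACHMENT_SHA256): "malicious",
}


def build_sample_message(malicious: bool = True) -> bytes:
    """Build a constructed forwarded message as raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["To"] = "alice@corp.example"
    if malicious:
        msg["From"] = "IT Helpdesk <helpdesk@login-verify.example>"
        msg["Subject"] = "Your password expires today"
        msg.set_content(
            "Reset it here: https://login-verify.example/reset?u=alice\n"
            "Policy: https://intranet.corp.example/policy\n"
        )
        msg.add_attachment(SAMPLE_ATTACHMENT, maintype="application",
                           subtype="octet-stream", filename="invoice.exe")
    else:
        msg["From"] = "IT Helpdesk <helpdesk@corp.example>"
        msg["Subject"] = "Reminder: policy update"
        msg.set_content("Policy: https://intranet.corp.example/policy\n")
    return msg.as_bytes()


def extract_observables(raw: bytes) -> dict:
    """Scrape sender domain, URLs, URL hostnames and attachment hashes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    obs = {"domains": set(), "urls": set(), "sha256": {}}
    _, addr = parseaddr(str(msg["From"] or ""))
    if "@" in addr:
        obs["domains"].add(addr.rsplit("@", 1)[1].lower())
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            obs["sha256"][hashlib.sha256(data).hexdigest()] = part.get_filename()
        elif part.get_content_type() in ("text/plain", "text/html"):
            for url in URL_RE.findall(part.get_content()):
                obs["urls"].add(url)
                host = urlparse(url).hostname
                if host:
                    obs["domains"].add(host.lower())
    return obs


def enrich(obs: dict) -> dict:
    """Look every observable up in the (constructed) reputation table."""
    verdicts = {}
    for d in sorted(obs["domains"]):
        verdicts[("domain", d)] = REPUTATION.get(("domain", d), "unknown")
    for h in sorted(obs["sha256"]):
        verdicts[("sha256", h)] = REPUTATION.get(("sha256", h), "unknown")
    return verdicts


def investigate(raw: bytes) -> dict:
    """Scrape -> enrich -> decide. A malicious verdict requests a gated
    response (needs_approval=True); unknown artifacts are sent for
    detonation; otherwise the case is closed as benign."""
    obs = extract_observables(raw)
    verdicts = enrich(obs)
    malicious = [k for k, v in verdicts.items() if v == "malicious"]
    unknown = [k for k, v in verdicts.items() if v == "unknown"]
    if malicious:
        action, approval = "block_and_quarantine", True
    elif unknown:
        action, approval = "detonate_unknowns", False
    else:
        action, approval = "close_benign", False
    return {"observables": obs, "verdicts": verdicts, "action": action,
            "needs_approval": approval, "reasons": malicious or unknown}


if __name__ == "__main__":
    for flag in (True, False):
        result = investigate(build_sample_message(malicious=flag))
        print(result["action"], result["needs_approval"], result["reasons"])
```

The sender domain is extracted from the From header only because that is what a user sees; a production workflow would also pull the envelope sender and Received chain, and would hash attachments before any parsing of their contents so the hash lookup happens even if the file itself is malformed.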

The SecureX platform is included with Cisco security solutions to advance the value of your investment. It connects Cisco’s integrated security portfolio, your other security tools and existing security infrastructure with out-of-the-box interoperability for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications.

Friday, 30 August 2019

Secure and Compliant Collaboration with Webex Teams


Easy, Secure Collaboration


In today’s modern and digital workplaces, teamwork transcends organizational and functional boundaries. Effective, secure, and compliant collaboration with your stakeholders, partners and customers is paramount to improving productivity.

Compliance requirements, administrative security controls and policies vary greatly across organizations and industry verticals. For any modern collaboration platform, it’s critical to have the flexibility to communicate with external participants outside the user’s organization, coupled with security controls that keep friction for users to a minimum. Webex Teams has a rich set of features spanning compliance, administrative controls and visibility, giving you a secure collaboration experience.

Webex Teams is the easiest messaging platform to set up for cross company collaboration

By default, Webex Teams is an open platform allowing users to communicate with others both inside and outside the organization, while still maintaining end-to-end encryption and administrative control.

Compliance


Organizations need to comply with internal and external rules and regulations. Companies in regulated industries have to meet regulatory mandates in addition to their own compliance and data loss prevention policies. Cisco Webex Teams allows organizations to ensure compliance around data loss prevention through integration with leading CASB solutions like Cisco Cloudlock. These integrations allow visibility into all user generated content with immediate detection and remediation of user actions and posts that violate your compliance policies.

In addition, Cisco Webex Teams also supports “legal hold” to help organizations with data retention requirements to support legal investigations for compliance. During a litigation proceeding, organizations may be required to preserve data for a period that may be longer than their normal retention policy. In this case, legal hold can be enabled to ensure that relevant information is not purged, but instead retained until the litigation or investigation is complete.

Control


Under certain circumstances and regulatory environments, it may be necessary to block communication with external users who belong to a different organization. Administrators can enforce this policy and block external communications easily with native controls built into Webex Teams. When configured appropriately, users in the organization will no longer be able to message users outside their organization. We are enhancing this capability to allow communication only with users in approved domains, via a whitelist created and maintained by admins.


Visibility


Communications with users outside an organization represent a fairly significant surface area of risk and exposure. With some messaging solutions, administrators and compliance teams have no visibility when users communicate with people outside their organization. Webex Teams enables users from multiple companies to create cross-company spaces and allows administrators or compliance officers from each company to have visibility into all communications generated by users who belong to their respective organization.

The built-in eDiscovery search tool gives compliance officers the ability to search and extract content generated by specific custodians (users) across a time range of interest.


Additionally, many enterprises have invested in enterprise content management (ECM) solutions. Webex Teams allows integration with ECM solutions, such as Microsoft OneDrive and Sharepoint Online, and ensures that only files permitted by the ECM solution can be shared via Webex Teams. Access control policies and permissions configured in the content management system extend to users of Webex Teams in a seamless fashion without the need for any replication.

The setup has zero deployment cost, requiring just a simple toggle in Webex Control Hub. Additionally, it requires no change to an organization’s existing data loss prevention (DLP) policies, or the need to buy additional licenses. Moreover, Webex Teams also provides IT administrators with full control, so they can decide which SharePoint Online and OneDrive domains or Office 365 Tenant they want to use. This means that only IT-approved domains are available to users, thus minimizing the risk of data leakage while providing greater protection against malware threats.

Webex Teams also allows IT managers to disable storage of user documents in the Webex cloud without impacting user workflows. All user files, including file previews, are stored only in IT’s selected file storage system. Content management settings are very easy to configure, as shown below.


Saturday, 22 July 2017

Threats with Escalating Impact: Announcing the Cisco 2017 Midyear Cybersecurity Report

It’s time again for our Midyear Cybersecurity Report (MCR), which offers updates on the security research and insights revealed in the recent Annual Cybersecurity Report. The unsettling news at this halfway point in the year is that the bad actors are adding new and sophisticated spins to their exploits. Their aim is not just to attack, but to destroy in a way that prevents defenders from restoring systems and data. We’ve coined a name for adversaries’ new goal: destruction of service (DeOS).

Thursday, 8 June 2017

Miercom Report: Secured Network Infrastructure

Every day, networks are hammered with multiple types of threats coming from a variety of sources. To make matters worse, these threats often use sophisticated techniques to evade traditional security methods. The proliferation of IoT devices increases these risks, as many IoT devices use non-standard protocols and non-standard stacks and have limited or no support for 802.1X supplicants.

Sunday, 28 May 2017

The 5 Critical Components of a Secure Store

We discussed how the Cisco SAFE methodology can help you to implement a reliable security solution for your store. This approach can help you define and address each threat to the retail branch with corresponding security capabilities, architectures, and designs – guiding you to a complete security solution against everything from worms to ransomware attacks.