Unifying Cyber Defenses: How Hybrid Mesh Firewalls Shape Modern Security

The traditional castle-and-moat model of cybersecurity is outdated due to the evolving perimeter caused by remote work and fluid data access. Organizations must integrate security at every touchpoint. The proliferation of IoT devices increases entry points for cybercriminals, necessitating a unified approach to endpoint security.

Advanced technologies like AI and quantum computing are transforming cybersecurity, making threats more sophisticated and encryption standards vulnerable. The convergence of technologies, such as networked sensors and big data, expands the attack surface while improving AI capabilities for both attackers and defenders. The increasing sophistication of cyberattacks, as seen in incidents like the SolarWinds hack and Colonial Pipeline attack, highlights the need for proactive, integrated security strategies.

Critical infrastructure vulnerability, regulatory considerations, and the necessity of collaborative security practices underscore the importance of a Unified Security Platform to provide adaptive defenses and foster a security-conscious culture within organizations. The Hybrid Mesh Firewall emerges as a vital component in this landscape, offering the flexibility and comprehensive protection required to meet modern cybersecurity challenges. Before we delve into “What is Hybrid Mesh Firewall”, let us discuss a few customer problems:

Key problem areas for customers

1. Misconfigurations and vulnerability exploitation

One of the most significant issues plaguing organizations is the prevalence of misconfigurations and the exploitation of these vulnerabilities. Despite having multiple security products in place, the risk of human error and the complexity of managing these systems can lead to critical security gaps.

2. Rapid attack execution

The speed at which cyber-attacks can be executed has increased dramatically. This necessitates even faster defense responses, which many traditional security setups struggle to provide. Organizations need solutions that can respond in real-time to threats, minimizing potential damage.

3. Hybrid environments

The modern workforce is distributed, with employees working from various locations and using multiple devices. This hybrid environment requires robust protection that is enforced as close to the user or device as possible. The conventional approach of backhauling remote user traffic to a central data center for inspection is no longer viable due to performance, scalability, and availability constraints.

The emergence of SASE has transformed how network and security solutions are designed, providing connectivity and protection for a remote workforce. However, the shift to distributed controls has become inevitable, presenting its own set of challenges. Many customers deploy best-of-breed security products from different vendors, hoping to cover all bases. Unfortunately, this often results in a complex, multi-vendor environment that is difficult to manage.

4. Siloed security management

Managing security across different silos, with multiple teams and solutions, adds to the complexity. Each system must operate effectively within the principles of Zero Trust, but ensuring consistent performance across all products is challenging. Security systems need to work cohesively, but disparate tools rarely interact seamlessly, making it hard to measure and manage risks comprehensively.

The hybrid mesh firewall solution

Hybrid mesh firewall platforms enable security policy enforcement between workloads and users across any network, especially in on-premises-first organizations. They offer control and management planes to connect multiple enforcement points and are delivered as a mix of hardware, virtual, cloud-native, and cloud-delivered services, integrating with other technologies to share security context signals.

By unifying various firewall architectures, Hybrid Mesh Firewalls ensure consistency and coherence, proactively identifying gaps and suggesting remediations for a holistic approach to network security.

Benefits of hybrid mesh firewalls

1. Unified security management: By consolidating various security functions into a single platform, Hybrid Mesh Firewalls simplify management and reduce the likelihood of misconfigurations. Administrators can oversee and configure all aspects of network security from one place, ensuring that no critical security gaps are overlooked.
2. Proactive threat identification and remediation: The platform continuously monitors the network for vulnerabilities and misconfigurations, such as when a team managing the Secure Service Edge (SSE) solution inadvertently allows direct access to a risky file-sharing site. In such cases, the firewall promptly alerts the admin and provides a remediation flow, ensuring only low-risk apps access the internet directly while other traffic is securely tunneled. This proactive approach prevents incidents before they occur, safeguarding the network from potential threats like data exfiltration or malware infiltration.
3. Real-time response: With the capability to respond in real-time to threats, Hybrid Mesh Firewalls ensure that security measures keep pace with the speed of attacks. This rapid response capability is crucial for minimizing damage and maintaining business continuity.
4. Zero trust enforcement: Each component of the security system operates independently but within the overarching principle of Zero Trust. This means that the endpoint protection software on a remote user’s device functions correctly, regardless of the firewall configuration at the data center, and vice versa. Every element of the security infrastructure works to ensure that trust is never assumed and always verified.

Beyond remote work: Securing workloads everywhere

The need for robust security extends beyond the realm of remote work. Modern organizations are leveraging a mix of private and public cloud environments to run their workloads. Whether it’s a private data center, a public cloud provider like AWS or Azure, or even multiple public clouds, the security landscape becomes increasingly complex.

Hybrid Mesh Firewalls are designed to secure workloads regardless of their location. This approach ensures that security policies are consistently applied across all environments, whether on-premises, in a single public cloud, or across multiple cloud providers.

Securing hybrid workloads:

1. Consistent policy enforcement: By providing a unified platform, Hybrid Mesh Firewalls ensure that security policies are consistently enforced across all environments. This eliminates the risk of discrepancies that can arise from using different security products in different locations.
2. Integrated visibility and control: With integrated visibility into all network traffic, Hybrid Mesh Firewalls allow administrators to monitor and control security policies from a single interface. Centralized management is crucial for identifying and mitigating risks across diverse environments.
3. Scalability and flexibility: As organizations grow and their infrastructure evolves, Hybrid Mesh Firewalls offer the scalability and flexibility needed to adapt to new requirements. Whether adding new cloud environments or scaling up existing ones, the firewall platform can grow with the organization.

Conclusion

The need for Hybrid Mesh Firewalls has never been more critical. As organizations navigate the complexities of a distributed workforce, hybrid environments, and the ever-evolving threat landscape, a unified, proactive, and real-time approach to network security is essential. Hybrid Mesh Firewalls offer the consistency, control, and comprehensive protection needed to secure modern hybrid environments effectively. By addressing the key problem areas of misconfigurations, rapid attack execution, and siloed security management, they provide a robust solution that meets the demands of today’s cybersecurity challenges and beyond.

Source: cisco.com

Continue reading

Security, the cloud, and AI: building powerful outcomes while simplifying your experience

Over the past year, I’ve spoken with hundreds of professionals about what they expect from their network security. This question is mostly met with equal parts enthusiasm and angst. As we wrap up another successful Cisco Live, I’m eager to share the deep insights I’ve gathered from these extensive conversations and how Cisco is actively addressing your security needs.

As organizations navigate application transformations and grapple with the intricacies of defending increasingly complex networks, they’re also confronting a new wave of technological advancements.

Naturally, these advancements can be a double-edged sword. While they offer the potential for enhanced security measures, they also empower threat actors, who can now exploit vulnerabilities with alarming speed and efficiency.

The overwhelming message is twofold: Organizations need help bolstering their security, but also in streamlining their processes. Integrating too many security tools alone has become its own source of complexity, diluting the focus on threats and stretching resources too thin.

This point was poignantly made during a recent conversation with a Chief Information Security Officer (CISO), who expressed a sentiment all too common in the industry. Faced with the prospect of integrating yet another security solution, the CISO lamented, “I can’t ask my team to adopt the 212th tool in our portfolio!”

The CISO’s frustration illustrates a critical challenge for security leaders: They must balance the adoption of necessary security measures with the practical limitations of their teams’ capacity and the potential for tool sprawl.

In response to this complexity, organizations are hungry for a more streamlined approach to security, one that prioritizes the consolidation of tools and the simplification of security policies without compromising the efficacy of defense mechanisms.

Meanwhile, cybersecurity organizations must deliver solutions that are not just robust and cutting-edge, but also manageable and user-friendly. This way we can empower security teams to effectively combat the threats of tomorrow while keeping their operational sanity today.

Vendors, point products, and a transition to the cloud 

For many professionals, buying a specialized security product leads to something called “the Ferrari problem”. Like that expensive sports car, you’re purchasing something costly and specialized. The product may indeed do the specialized task very well. But security is not done in isolation—some level of integration will inevitability be required.

Thus, the expensive, specialized product opens the door to even more costly integrations (or, in the case of the car, costly repairs).

This doesn’t even count the disjointed security of working with different vendor solutions or the radical complexity of deploying a configuration or security policy across hundreds or thousands of branch offices.

There’s a reason many security professionals avoid updating their tools. With all this complexity, they’re afraid it will disrupt the business or the customer experience.

How Cisco is redefining effective, simplified security for the cloud  

It’s no secret that Cisco built the backbone of switching and routing across the globe for our one million+ customers and partner ecosystem. And we’re currently responsible for facilitating 85% of the world’s internet traffic.

Now, we’ve taken another giant leap by launching Cisco Security Cloud Control.

Cisco Security Cloud Control is designed to unify management for the Cisco Security Cloud, starting with a network security fabric.

Security Cloud Control delivers an AI-native approach to proactively surface actionable insights and automate resolution across hybrid environments. It is designed to help teams get the most of out their Cisco Security investment—saving time and benefiting from simpler and streamlined policies

Building robust security for complicated, ever-shifting cloud environments  

With too many tools and too much complexity to manage, the only answer is a security system that seamlessly ties everything together. We’ve answered the call, building a platform that blends Cisco Hypershield, multi-cloud defenses, advanced firewalls, and microsegmentation technologies.

This platform can collect information across the system and explain what it finds in reports, and via a natural language interface, show the risks to sensitive business assets like PCI databases. You can even ask the system about its own insights and next steps.

But at its heart is the promise of comprehensive visibility and complete detection across every facet of the network, whether it’s ingress/egress at a cloud edge, data center edge, campus, or branch, all the way down to every process and connection from your applications and workloads.

The level of visibility and management from Security Cloud Control helps leaders focus on delivering the outcomes their teams need. From taking intent-based policies in one place and translating them throughout all the control points in your network to streamlining, troubleshooting and recommending policies that span multiple solutions, Cisco Security Cloud Control helps with it all.

And Security Cloud Control’s ability to translate the complex language of cybersecurity delivers an added benefit: the ability to explain and articulate what’s happening–and what you need– to decision-makers. The simplicity and clarity of reports can help you keep leadership informed and engaged in your cybersecurity work.

At the core of this is, yes, AI technology but not just a prompt-based assistant—this is one driving proactive insights and sections across your network and will transform how you engage across the platform.

In essence, what we’ve built stands as a testament to the future of cybersecurity—a single platform that not only anticipates and neutralizes threats, it also empowers organizations to develop a more sophisticated, responsive, and resilient approach to protecting their digital assets.

It’s not just a powerful solution; it’s a strategic enabler for any enterprise looking to secure its future in an unpredictable cyber world, across network requirements that are only destined to become even more complex.

Source: cisco.com

Continue reading

Strengthen Your Security Operations: MITRE ATT&CK Mapping in Cisco XDR

In the intricate dance between cyber attackers and defenders, understanding adversary behavior is the difference between keeping up with sophisticated attacks or falling behind the evolving threat landscape. For security teams, this often feels like trying to navigate a maze blindfolded since adversaries typically have greater insights into defender strategies than defenders have into adversarial attacks. This lack of visibility can lead to reactive cybersecurity with ineffective security operations, poor incident response, and a weak security posture.

However, there’s another approach to cybersecurity that empowers security teams to strengthen their security operations and proactively protect their environments.

Move from Reactive to Proactive Security

Enter MITRE ATT&CK coverage mapping – a groundbreaking capability coming soon to Cisco XDR that enables security teams to turn their reactive operations into a holistic cybersecurity strategy by taking a proactive approach to threats. MITRE ATT&CK coverage mapping uses an interactive heatmap to connect adversary behaviors to detections from Cisco XDR and other integrated security solutions (see Figure 1).

Figure 1: MITRE ATT&CK Coverage Map Dashboard

This helps visualize how your security tools cover every attacker tactic, technique, and procedure (TTP) from the MITRE ATT&CK framework to give you a comprehensive understanding of threats across your entire security environment. You can use the automated MITRE ATT&CK coverage map to strengthen your security operations by enhancing threat detection, identifying and closing gaps in your defenses, and improving incident response.

The MITRE ATT&CK coverage map enhances detection of sophisticated threats across your environment. Understanding the tactics and techniques used by adversaries allows you to improve your security by taking stronger preventative measures. Moreover, it simplifies analysis of potential threats while fostering a proactive cybersecurity mindset that helps your security teams increase alignment with attacker motives and methods. It helps you prioritize incidents based on the impact and relevance of specific adversary behaviors.

Visualizing and mapping attacker TTPs also helps your security teams expose gaps in threat detection. They can use the MITRE ATT&CK coverage map to gain complete visibility into how your current security tools cover the full spectrum of threats. This allows your analysts to spot holes in your security infrastructure and prioritize resources across the most critical gaps. Furthermore, identifying weaknesses in your defenses enables you to deploy new security tools to close coverage gaps and strengthen your overall security posture.

Finally, MITRE ATT&CK coverage mapping improves incident response with a standardized language for your security operations. The MITRE ATT&CK framework provides a common language that makes it easier for security teams to communicate and collaborate on incidents. When combined with a heatmap of product coverage, you can streamline the incident analysis process while reducing the burden on your security team to identify patterns across alerts. This speeds detection and investigation to reduce both mean time to detection (MTTD) and mean time to response (MTTR) for your security operations.

Bolster Your Defenses

MITRE ATT&CK coverage mapping in Cisco XDR provides comprehensive visibility into adversary TTPs, giving you a quick and complete understanding of attackers. These actionable insights empower your analysts to hunt for threats with targeted hypotheses based on MITRE ATT&CK techniques for a proactive approach to security. Your analysts can also use these insights to strengthen your overall security posture and enhance your defenses by identifying, prioritizing, and closing gaps across your security stack.

In the ever-changing world of cybersecurity, staying ahead of adversaries is imperative. With MITRE ATT&CK coverage mapping in Cisco XDR, you can enable proactive security operations, bolster your defenses, and navigate the cyber threat landscape with greater confidence.

Source: cisco.com

Continue reading

Hiding in Plain Sight: How Subdomain Attacks Use Your Email Authentication Against You

For years, analysts, security specialists, and security architects alike have been encouraging organizations to become DMARC compliant. This involves deploying email authentication to ensure their legitimate email has the best chance of getting to the intended recipients, and for domain owners to be quickly notified of any unauthorized usage of their domains. While together we are making progress thanks to DMARC adoption and reporting services such as Cisco’s OnDMARC offering, there’s an opportunity to do better particularly with on-going monitoring to address new and emerging threats, such as this Subdo campaign.

What’s happened?

Recently a totally new attack type has been seen that takes advantage of the complacency that an organization may have when they approached their DMARC rollout with a ‘ticked the box’ mindset.

The SubdoMailing (Subdo) campaign has been ongoing for about two years now. It sends malicious mail – that is typically authenticated – from domains and subdomains that have been compromised through domain takeover and dangling DNS issues.

These attacks were initially reported by Guardio Labs who reported the discovery of 8,000 domains and 13,000 subdomains being used for these types of attacks since 2022.

Several weeks before that, Cisco’s new DMARC partner, Red Sift, discovered what they initially thought was an isolated incident of bad senders passing SPF checks and sending emails fraudulently on behalf of one of their customers. In the customer’s instance of Red Sift OnDMARC, they noticed email was coming from a sender with a poor reputation and a subdomain that appeared unrelated to their customer’s main domain. But these emails had fully passed SPF checks with the customer’s current SPF record. Upon alerting the customer who then investigated all the ‘includes’ in their SPF record, several outdated CNAME addresses were found that had been taken over by attackers, which is what caused the issue.

What should I look out for?

The bad actors in this campaign are capitalizing on stale, forgotten or misconfigured records that were wrongfully included in DNS to send unauthorized emails. The attackers then send phishing emails as images to avoid text-based spam detection.

It is this oversight that has seen many notable organizations be impacted by these new subdomain attacks in the last few months, solely because they have not been actively monitoring in the right areas.

Proactive steps to start today:

1. Don’t let your domain names expire – these are what provide fraudsters the opportunity to carry out the attack.

2. Keep your DNS clean – Remove resource records from your DNS that are no longer in use and remove third-party dependencies from your DNS when they become redundant.

3. Use a trusted email protection provider – It makes sense to use a vendor for DMARC, DKIM and SPF requirements but be sure to use a trusted vendor with the capability to proactively identify problems, such as when part of a SPF policy is void or insecure.

4. Check for dangling DNS records – Have an inventory of hostnames that are monitored continuously for dangling resource records and third-party services. When identified, remove them immediately from your DNS.

5. Monitor what sources are sending from owned domains – If the domain or subdomain is taken over for sending, then it is important to know if mail is being sent from it as quickly as possible.

What else should I do?

If you are wondering if you have been impacted by SubdoMailing, the best place to start is Red Sift Investigate, this will provide you with a review of your domain such as can be seen below:

Should this valuable tool reveal any ‘SubdoMailers’ – also known as poisoned includes – the Red Sift SPF Checker allows you to visualize them in a dynamic ‘SPF tree’, allowing you to quickly pinpoint where they are and speed up remediation efforts, an example of a dynamic SPF tree can be seen below: –

The OnDMARC Adoption and Reporting Solution that Cisco partners with Red Sift on has already been updated to uncover exactly these issues directly within the tool to ensure our customers are protected.

If you’d like to learn more then sign up for a free SubDo vulnerability scan to get in-depth insight into your current threat landscape, covering email and domain security, and uncover any potential DNS vulnerabilities.

If you’re a Cisco Secure Email customer, find out how you can quickly add Red Sift domain protection to your security suite and better detect that image-based spam.

Source: cisco.com

Continue reading

Complexity drives more than security risk. Secure Access can help with that too.

Modern networks are complex, often involving hybrid work models and a mix of first- and third-party applications and infrastructure. In response, organizations have adopted security service edge (SSE) solutions, such as Cisco Secure Access, to protect users regardless of where they are located or what they are accessing.

This reliance on third-party infrastructure doesn’t only drive security risk, it also increases the likelihood of performance outages and disruptions. Oftentimes, these disruptions are the result of service outages and slowdowns in third-party infrastructure, which make it difficult for IT teams to detect and remediate the problem. Experience Insights, a component of Cisco Secure Access, allows administrators to maintain a positive end user experience by detecting and responding to connectivity problems as soon as they occur, all from the same dashboard they use to manage security capabilities and access policies.

Cisco Secure Access is our flagship Security Service Edge (SSE) product, which provides all the tools you need to enable remote and branch users to securely connect to the Internet, software-as-a-service (SaaS) applications, and private apps. While much of these capabilities are focused on security, it is also important to monitor network performance, ensuring a strong digital experience with minimal outages and connectivity problems.

Experience Insights is powered by Cisco ThousandEyes technology, which enables rapid root cause identification and resolution from device to application and every network in between. According to the Forrester Total Economic Impact report for ThousandEyes, the technology’s end user monitoring capabilities resulted in a 50% productivity boost for IT and network operations and a 50-80% reduction in the time it took to identify intermittent or degraded performance, whether it was global or localized.

Provide a strong user experience and troubleshoot performance issues

Performance problems can originate in many sources, including:

• Devices, such as laptops
• Wi-Fi networks
• Internet service providers
• Corporate resources, such as VPNs or security tools
• Applications

For many organizations, it can be a challenge to simply detect these problems, let alone mitigate them. This results in ongoing, undetected connectivity problems, causing a loss of productivity and end user frustration.

Experience insights is a digital experience monitoring (DEM) solution that provides a comprehensive view of endpoint, application, and network performance, making it easier to identify and troubleshoot performance problems as they arise. Ultimately, these capabilities result in a reduced mean time to resolution (MTTR) for performance incidents.

This includes a variety of metrics related to:

• Device – detailed user and system information, including CPU and memory utilization and Wi-Fi signal strength.
• Internet and network paths – key metrics regarding the network path from the device to the Secure Access gateway, including latency, packet loss, and jitter.
• Collaboration applications – automatic performance tests for key collaboration tools, such as Cisco Webex, Microsoft Teams, and Zoom.
• SaaS applications – insight into the most popular SaaS applications, including the overall health status and details such as HTTP response times and status codes.

Single-dashboard, single-agent

One of the primary benefits of Cisco Secure Access is a single-dashboard experience. The solution combines 12 different technologies and provides unified management, configuration, and troubleshooting capabilities. Experience insights is a core component of Secure Access, which means all its data and alerts are provided in the same management portal as the rest of Secure Access’ capabilities. This prevents administrators from being forced to juggle numerous technologies and management portals, streamlining operations and reducing frustration.

In addition, all Secure Access capabilities, including Experience Insights, rely on the Cisco Secure Client, a single agent on the end-user’s machine. This simplifies administration and deployment while optimizing workflows.

All at no extra cost

We recognize how important it is to be able to identify and troubleshoot connectivity problems in an SSE solution, which is why we are including it in the base Secure Access license at no extra cost. In addition, customers can purchase a full license for Cisco ThousandEyes for more advanced capabilities and broader coverage across their network.

Experience insights is just one capability of an incredible solution

While experience insights is our latest announcement, Secure Access includes many capabilities, including a secure web gateway, cloud access security broker with data loss prevention, firewall-as-a-service, and zero trust network access. It is an all-encompassing solution for securely connecting remote and branch users to the Internet, SaaS applications, and private apps.

Source: cisco.com

Continue reading

Secure Network Analytics 7.5.0 Launch

Secure Network Analytics (SNA) Release 7.5.0 is generally available as of January 22, 2024. All current customers are eligible to upgrade and should look at the release notes to better understand the upgrade process and any additional considerations.

SNA is Cisco’s Network Detection and Response solution.  SNA provides enterprise-wide network visibility to detect and respond to threats in real- time. The solution continuously analyzes network activities to create a baseline of normal network behavior. It then uses this baseline, along with non–signature-based advanced analytics that include behavioral modeling and machine learning algorithms, as well as global threat intelligence to identify anomalies and detect and respond to threats in real- time. Secure Network Analytics can quickly and with high confidence detect threats such as Command-and-Control (C&C) attacks, ransomware, Distributed-Denial-of-Service (DDoS) attacks, illicit cryptomining, unknown malware, and insider threats. With an agentless solution, you get comprehensive threat monitoring across the entire network traffic, even if it’s encrypted.

Read More: 300-735: Automating and Programming Cisco Security Solutions (SAUTO)

This release delivers the innovation and usability that customers expect from the platform. By directly integrating firewall logs, improving response management, and updating the platform to meet the latest certification mandates, release 7.5.0 combines essential platform development with new features and enhancements.

Firewall Logs Generate Events in Secure Network Analytics

Given their location at the edge of the network, firewalls see a vast amount of traffic and behaviors that may be indicative of an attack. In this release, Secure Network Analytics can take logs directly from Cisco Firewall Management Center (FMC), Firewall Threat Defense (FTD) and ASA. These logs are converted into a format that looks like NetFlow but does not count against your flows per second (FPS) license. Enabling this configuration gives further insight into your traffic patterns, risks, and the scope of an attack.

New Response Management Actions

Automated responses improve the workflow for Security Operations Center (SOC) analysts and are a core component of our Network Detection and Response solution. By providing flexibility for multiple response actions, SOC analysts can ensure proper action is taken based on a specific alert type. This release adds Central Analytics detections to Response Management workflows, including the ability to deliver email, syslog, threat response, or webhook.

Data Enrichment from Secure Network Analytics to Cisco XDR

With the 7.5.0 release, security events contribute directly into XDR investigations. Also, XDR response actions can now be applied to alerts.

Other Enhancements

Additionally, this release provides improvements to the overall security and usability of the platform. Secure Network Analytics can achieve the certifications required by customers, including DODIN-APL, FIPS 140-3, Level 1, Common Criteria, USGv6, and IPv6 ready Logo. Some of these enhancements include:

• TLS 1.3: TLS 1.3 is now supported, and TLS 1.2 is still supported. These protocols should be used for inter-appliance and external TLS connections, and can be configured in SystemConfig to be TLS 1.3 only or both TLS 1.2 and 1.3
• Root access restriction: Root access has been removed. TAC will have access for troubleshooting purposes using the Cisco Consent Token mechanism via SystemConfig.
• New SystemConfig workflows: New workflows added that non root user sysadmin can action, including Diag Packs, License Reservation, Data Store operations, and more.
• MongoDB upgrade: Moved to a version that uses an already available package rather than a custom-built version.

In addition to these enhancements –we have improved certificate rotation and management, IPv6 support, and support for M4, M5, and M6 appliances.

By simplifying workflows, increasing compliance, and expanding detections, Secure Network Analytics Release 7.5.0 continues to prove its value as a central component of your SOC. We encourage you to review the release notes and speak with your local Cisco provider to begin planning your upgrade.

Source: cisco.com

Continue reading

Secure Multicloud Infrastructure with Cisco Multicloud Defense

It’s a multicloud world!

Today applications are no longer restricted to the boundaries of a data center; applications are deployed everywhere – this change brings a need for a solution that can provide end-to-end visibility, control, policy management, and ease of management.

Market Trend

Organizations are embracing the power of the public cloud because it provides agile, resilient, and scalable infrastructure, enabling them to maximize business velocity. A recent study shows that 82% of IT leaders have adopted hybrid cloud solutions, combining private and public clouds. Additionally, 58% of these organizations are using between two and three public clouds1, indicating a growing trend towards multicloud environments. As organizations lean further into multicloud deployments, security teams find they are playing catch up, tirelessly attempting to build a security stack that can keep up with the agility and scale of their cloud infrastructure. Teams also face a lack of unified security controls across their environments. By definition, cloud service provider security solutions are not designed to achieve end-to-end visibility and control in the multicloud world, hardening silos and creating greater security gaps. Organizations need a cloud-agnostic solution that unifies security controls across all environments while securing workloads at cloud speed and scale.

Cisco Multicloud Defense is a highly scalable, on-demand “as-a-Service” solution that provides agile, scalable, and flexible security to your multicloud infrastructure. It unifies security controls across cloud environments, protects workloads from every direction, and drives operational efficiency by leveraging secure cloud networking.

Secure cloud networking can be broken down into three pillars:

• Security: Provides a full suite of security capabilities for workload protection
• Cloud: Integrates with cloud constructs, enabling auto-scale and agility
• Networking: Seamlessly and accurately inserts scalable security across clouds without manual intervention

One of the key benefits of Cisco Multicloud Defense is not only its ability to unify security controls across environments but enforce those policies dynamically. With dynamic multicloud policy management, you can:

• Keep policies up to date in near-real time as your environment changes.
• Connect continuous visibility and control to discover new cloud assets and changes, associate tag-based business context, and automatically apply the appropriate policy to ensure security compliance.
• Power and protect your cloud infrastructure with security that runs in the background via automation, getting out of the way of your cloud teams.
• Mitigate security gaps and ensure your organization stays secure and resilient.

Another key benefit of Multicloud Defense is how it adds enforcement points (PaaS) in both distributed and centralized architectures.

Cisco Multicloud Defense Overview

Cisco Multicloud Defense uses a common principle in public clouds and software-defined networking (SDN) which decouples the control and data plane, translating to the Multicloud Defense Controller and the Multicloud Defense Gateways.

The Multicloud Defense Gateway(s) are delivered as Platform-as-a-Service (PaaS) in AWS, Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). These gateways are delivered, managed, and orchestrated by a SaaS-based Multicloud Defense Controller.

Figure 1: Cisco Multicloud Defense Overview

• Multicloud Defense Controller (Software-as-a-Service): The Multicloud Defense Controller is a highly reliable and scalable centralized controller (control plane) that automates, orchestrates, and secures multicloud infrastructure. It runs as a Software-as-a-Service (SaaS) and is fully managed by Cisco. Customers can access a web portal to utilize the Multicloud Defense Controller, or they may choose to use Terraform to instantiate security into the DevOps/DevSecOps processes.
• Multicloud Defense Gateway (Platform-as-a-Service): The Multicloud Defense Gateway is an auto-scaling fleet of security software with a patented flexible, single-pass pipelined architecture. These gateways are deployed as Platform-as-a-Service (PaaS) into the customer’s public cloud account(s) by the Multicloud Defense Controller, providing advanced, inline security protections to defend against external attacks, block egress data exfiltration, and prevent the lateral movement of attacks.

Multicloud Defense Gateways

In the Cisco Multicloud Defense solution, organizations can use the controller to deploy highly scalable and resilient Egress Gateways or Ingress Gateways into their public cloud account(s).

Egress Gateway: Protect outbound and east-west traffic. The egress gateway provides security capabilities like FQDN filtering, URL filtering, data loss prevention (DLP), IPS/IDS, antivirus, forward proxy, and TLS decryption.

Ingress Gateway: Protects inbound traffic and provides security capabilities like web application firewall (WAF), IDS/IPS, Layer-7 protection, DoS protection, antivirus, reverse proxy, and TLS decryption.

Note: Multicloud Defense Gateways are an auto-scaling fleet of instances across two or more availability zones, providing agility, scalability, and resiliency.

Figure 2 shows security capabilities of the ingress and egress Multicloud Defense Gateway.

Figure 2: Cisco Multicloud Defense Gateway

The gateway uses a single pass architecture to provide:

• High throughput and low latency
• Reverse proxy, forward proxy, and forwarding mode
• Flexibility in selecting relevant advanced network security inspection engines, including TLS decryption and re-encryption, WAF (HTTPS and web sockets), IDS/IPS, antivirus/anti-malware, FQDN and URL filtering, DLP

Security Models

This solution provides a flexible way for security insertion in the customer’s infrastructure using three highly scalable and automated deployment models (centralized, distributed, and combined).

Centralized security model

In the centralized security model, the Multicloud Defense Controller seamlessly adds gateways in the centralized security VPC/VNet/VCN. In this architecture, ingress and egress traffic is sent to a centralized security VPC/VNet/VCN for inspection before it is sent to the destination. This architecture ensures scalability, resiliency, and agility using cloud deployment best practices.

Figure 3 shows egress and ingress gateways in a security VPC/VNet/VCN.

• For scalability, autoscaling is supported.
• For resiliency, auto-scaled instances are deployed in multi-availability zones.

Figure 3: Centralized Security Model

In a centralized security model, gateways are deployed in a hub inside the customer’s cloud account. However, customers can choose to have multiple hubs across accounts/subscriptions.

Distributed security model

In the distributed security model, the Multicloud Defense Controller seamlessly adds gateways in each VPC/VNet/VCN. In this architecture, ingress, and egress traffic stays local in the VPC/VNet/VCN.

Based on direction, traffic flow is inspected by egress or ingress gateways. This deployment ensures scalability, resiliency, and agility using cloud deployment best practices.

Figure 4 shows egress and ingress gateways in each VPC/VNet/VCN.

• For scalability, autoscaling is supported.
• For resiliency, auto-scaled instances are deployed in multi-availability zones.

Figure 4: Distributed Security Model

Combined security model (Centralized + Distributed)

This security model uses centralized and distributed models. In this case, some flows are protected by gateways deployed in the security VPC/VNet/VCN, and some flows are protected by gateways in the VPC/VNet/VCN.

Based on the traffic flow, traffic is inspected by egress or ingress gateways. This deployment ensures scalability, resiliency, and agility using cloud deployment best practices.

Figure 5 shows egress and ingress gateways in a centralized security VPC/VNet/VCN in addition to gateways deployed in the application VCPs/VNets/VCNs.

• For scalability, autoscaling is supported.
• For resiliency, auto-scaled instances are deployed in multi-availability zones.

Figure 5: Centralized + Distributed Security Model

Use-cases

Egress security

Figure 6 shows egress traffic protection in a centralized and distributed security model.

• In the centralized security model, traffic is inspected by gateways deployed in the security VPC/VNet/VCN.
• Gateways are auto-scale and multi-AZ aware.
• In the distributed security model, traffic is inspected by gateways deployed in the application VPC/VNet/VCN.

Figure 6: Egress traffic flow

Ingress security

Figure 7 shows ingress traffic protection in a centralized and distributed security model.

• In the centralized security model, traffic is inspected by gateways deployed in the security VPC/VNet/VCN.
• In the distributed security model, traffic is inspected by gateways deployed in the application VPC/VNet/VCN.
• Gateways are auto-scale and multi-AZ aware.

Figure 7: Ingress traffic flow

Segmentation (east-west)

Figure 8 shows intra and inter-VPC/VNet/VCN traffic protection in a centralized and distributed security model.

• In the centralized security model, intra and inter-VPC/VNet/VCN traffic is inspected by gateways deployed in the security VPC/VNet/VCN.
• In the distributed security model, intra-VPC/VNet/VCN traffic is inspected by gateways deployed in the application VPC/VNet/VCN.
• Gateways are auto-scale and multi-AZ aware.

Figure 8: Segmentation (East-West) traffic flow

URL & FQDN filtering for egress traffic

URL & FQDN filtering prevents exfiltration and attacks that use command-and-control. The Multicloud Defense Gateway enforces URL & FQDN-based filtering in a centralized or distributed deployment model.

• URL filtering requires TLS decryption on the gateway.
• FQDN-based filtering can be enforced on encrypted traffic flows.

Figure 8: URL & FQDN filtering for cloud egress

Coming soon: Multicloud Networking use cases

In our upcoming release (2HCY23), we are adding a set of Multicloud Cloud Networking use cases that enable secure connectivity — bringing all cloud networks together.

Multicloud Networking: Cloud-to-Cloud Networking

An egress gateway with VPN capability provides a secure connection to other cloud infrastructures. The egress gateway is delivered as-a-Service and provides resiliency and autoscaling. This architecture requires deploying the egress gateways with VPN capability “ON.” These gateways use IPsec connectivity for a secure interconnection.

Figure 9: Cloud-to-Cloud Networking (IPsec)

Multicloud Networking: Site-to-Cloud Networking

An egress gateway with VPN capability provides a secure connection to on-premises infrastructure. This architecture requires deploying the egress gateways with VPN capability “ON” in security VPC/VNet/VCN and a device at the data center edge for IPsec termination.

Figure 10: Site-to-Cloud Networking (IPsec)

Conclusion

It is a multicloud world we live in, and organizations need a cloud-agnostic solution that unifies security controls across all environments while securing workloads at cloud speed and scale. With Cisco Multicloud Defense, organizations can leverage a simplified and unified security experience helping them navigate their multicloud future with confidence.

Source: cisco.com

Continue reading

Expanding data security around the globe

In an ongoing effort to prioritize data security and privacy for Secure Email Threat Defense customers, we’re excited to announce the opening of two data centers in the Asia Pacific region: one in Australia and one in India.

There are now 4 Secure Email Threat Defense locations, with existing regions in the US and Europe. These new sites will have all the security features present in our existing locations and will receive feature enhancements at the same cadence as the existing locations.

Acknowledging the escalating demand for our product and the imperative to accommodate customers in varied geographical locations, we have meticulously designated Australia and India as our upcoming deployment regions. Our expansion into Australia and India not only broadens our global footprint but also reinforces our dedication to meeting the unique needs of customers in these regions. By localizing our product, users in the new region can expect faster response times and reduced latency, resulting in a more seamless and efficient user experience.

This expansion not only showcases our dedication to meeting the unique requirements of customers in different regions but also highlights our ability to swiftly deliver deployments. We are excited to bring the benefits of our product to Australia and India, enabling businesses in these regions to thrive in a secure and compliant manner.

These environments are built to the same high-level security, service resiliency, and data management practice standards we exhibit across all our global regions. They, too, will meet SOC2 and ISO 27001 standards and will be supported by our Data Privacy policy.

As we look to further expand our data security footprint, our next location is expected to be in the United Arab Emirates. Coverage in these new geographies is a clear indicator of our commitment to, and investment in, the data security of our customers around the globe.

Source: cisco.com

Continue reading

Finally – IPsec On A Catalyst Switch

The new Cisco Catalyst 9000X with IPsec support is finally a reality. I will quickly cover three use cases that are relevant to branch deployments.

Cisco introduced the Catalyst 9000X series, which includes the C9300X, C9400X, C9500X, and C9600X. I will mostly focus on the C9300X which supports IPsec today as of IOS-XE 17.6.2 with Advantage licensing. The C9400X will support IPsec soon.

Figure 1. Catalyst 9300X Industry first 100G Hardware Encryption and 1 Tbps stacking

 

The C9300X comes with a new enhanced Unified Access Data Plane (UADP) ASIC called the UADPsec.  This new ASIC allows for industry-first capabilities that allow the switch to perform up to 100G of Layer 3 hardware encryption and up to 1 Tbps of stacking.  It also helps enhance support for the application hosting capabilities common to all Catalyst platforms.

Figure 2. C9300X IPSec capabilities with IOS-XE 17.6.2

 

The good news is that the C9300X supports standards-based IPv4/IPv6 IPsec (up to 128) tunnels. It also has support for NAT Traversal, Multicast routing, Layer 3 Segmentation over IPsec, Layer 2 extension over IPsec, and even EVPN over the tunnel. 

Figure 3. C9300X IPSec Site-to-SIG, Site-to-Cloud, Site-to-Site

 

So, why is this needed? If you are an SD-WAN customer, then you already have an architecture in place. The Catalyst 9300X is not meant to be an SD-WAN replacement and it is an independent solution. It is meant for customers with the intention of reducing the number of devices at the branch office. For example, removing a router and/or firewall while creating a secure tunnel connection. If so, then look no further. The Catalyst 9300X can help you achieve it.

The Catalyst 9300X can help set up multiple secure tunnels. There are three common use cases. The first is Site-to-SIG. The Secure Internet Gateway (SIG) support can be to Umbrella, Zscaler, or any other third-party provider. The second is Site-to-Cloud, which can establish a secure tunnel to your Cloud provider of choice. The third use case is Site-to-Site. The C9300X can establish a secure tunnel to your Data Center firewall, router, or even another C9300X switch. These are at least three reasons why this platform is right for you.

Source: cisco.com

Continue reading

People: A cornerstone for fostering security resilience

Security resilience isn’t something that happens overnight. It’s something that grows with every challenge, pivot and plot change. While organizations can invest in solid technology and efficient processes, one thing is critical in making sure it translates into effective security: people.

What impact do people have on security resilience? Does the number of security employees in an organization affect its ability to foster resilience? Can a lower headcount be supplemented by automation?

In a world where uncertainty is certain, we recently explored how people can contribute to five dimensions of security resilience, helping businesses weather the storm.

Through the lens of our latest Security Outcomes Study – a double-blind survey of over 5,100 IT and security professionals – we looked at how people in SecOps teams can influence organizational resilience.

Strong people = successful security programs  

SecOps programs built on strong people, processes and technology see a 3.5X performance boost over those with weaker resources, according to our study. We know that good people are important to any organization, and they are fundamental to developing capable incident response and threat detection programs.

Why are detection and response capabilities important to look at? Because they are key drivers of security resilience. In the study, we calculated a ratio of SecOps staff to overall employees for all organizations. Then, we compared that ratio to the reported strength of detection and response capabilities.

Effect of security staffing ratio on threat detection and incident response capabilities

What we can clearly see is that organizations with the highest security staffing ratios are over 20% more likely to report better threat detection and incident response than those with the lowest. However, the overall average highlights that organizations not on the extreme ends of the spectrum are more likely to report roughly equal levels of success with SecOps — indicating that headcount alone isn’t a sure indicator of an effective program or resilient organization. It can be inferred that experience and skills also play a pivotal role.

Automation can help fill in the gaps

But what about when an organization is faced with a “people gap,” either in terms of headcount or skills? Does automating certain things help build security resilience? According to our study, automation more than doubles the performance of less experienced people.

Effect of staffing and automation strength on threat detection and incident response capabilities

In the graph above, the lines compare two different types of SecOp programs: One without strong people resources, and one with strong staff. In both scenarios, moving to the right shows the positive impact that increasing automation has on threat detection and incident response.

Out of the survey respondents, only about a third of organizations that lack strong security staff, and don’t automate processes, report sound detection and response.

When one of three security process areas (threat monitoring, event analysis, or incident response) is automated, we see a significant jump in capability among organizations that say their tech staff isn’t up to par. Automating two or three of these processes continues to increase strength in detection and response.

Why does this matter? Because over 78% of organizations that say they don’t have adequate SecOps staffing resources still report that they are able to achieve robust capabilities through high levels of automation.

A holistic approach to security resilience

When it comes to security resilience, however, we have to look at the whole picture. While automation seems to increase detection and response performance, we can’t count people out. After all, over 95% of organizations that have a strong team AND advanced automation report SecOps success. Organizations need to have the right blend of people and automation to lay the foundation for organization-wide security resilience.

As your business continues to look towards building a successful and resilient SecOps program, figuring out how to utilize your strongest staff, and where to best employ automation, will be a step in the right direction.

Source: cisco.com

Continue reading

Security Resilience in EMEA

What makes a successful cybersecurity program and how can organizations improve their resilience in a world that seems increasingly unpredictable? How do we know what actually works and what doesn’t in order to maximize success?

These are the types of burning questions guiding Cisco’s Security Outcomes Study series. In the second edition of the study, Cisco conducted an independent, double-blind survey of over 5,100 IT professionals in 27 countries. This article highlights data from the latest volume to focus on security resilience in the region spanning Europe, Middle East and Africa (EMEA).

The study focuses on a dozen outcomes that contribute to overall security program success. Four of them in particular are crucial for building resilience:

◉ Keeping up with the business (Security should enable, not impede)

◉ Avoiding major incidents (…And their business impacts)

◉ Maintaining business continuity (…Even when disaster strikes)

◉ Retaining talented personnel (You can’t stay on top when top staff won’t stay)

Assessing Security Resilience in EMEA

We calculated an overall resilience score for each surveyed organization based on their ratings for the outcomes listed above. The chart below compares that score across the three global regions. Organizations in the Americas scored a scant 1.7% better than the global average, while EMEA organizations landed about 2% below that mark. And the width of the gray error bars further diminishes those differences. Overall, we simply don’t see huge discrepancies in security resilience at the regional level.

Regional comparison of mean security resilience score

When examining resilience at the country level, however, differences begin to emerge. The next chart shows the proportion of organizations in each country reportedly “excelling” in each of the four outcomes related to security resilience. In other words, about 48% of firms in Saudi Arabia say their security program is doing a great job keeping up with the business. About 37% excel at maintaining business continuity, and so on. So, pick your country of interest and trace its success level across each outcome.

Country-level comparison of reported success levels for security resilience outcomes

Interested in comparing countries in the EMEA region across all 12 security outcomes beyond those shown here for resilience? Download the EMEA spinoff of the Security Outcomes Study, Volume 1.

Perhaps the most interesting aspect of this chart is the comparison it provides among countries. The reported success rates by security professionals in the countries at the top are roughly twice that of those on the bottom. And for the most part, each country maintains its relative position across all outcomes.

The obvious question here is what lies behind these apparent differences in security resilience among countries? Is Saudi Arabia really that much more resilient than Germany? Might German organizations have a more realistic grasp of what it means to be resilient and know there’s a lot of work left to do? Perhaps it’s somewhere between those possibilities or something else altogether.

Whatever the reason, the key takeaway here is that success rates for all countries indicate that organizations aren’t as successful as they’d like to be in the area of security resilience.

Improving Security Resilience in EMEA

How can organizations in the EMEA region improve those outcomes, thereby making their firms more resilient? That’s an excellent question and one we were eager to explore in the Security Outcomes Study. The study revealed five security practices—affectionately referred to as the Fab Five—that boost security program success more than any others. If you’d like a lot more information about the Fab Five and how to maximize their effectiveness, the latest edition of the Security Outcomes Study is the place to go.

The Fab Five: Highly effective practices for achieving security program outcomes

Before we examine how these practices improve resilience, let’s first check how well each country has implemented each of the Fab Five. The chart below mimics the one above for outcomes and is interpreted similarly. Once again, we see Saudi Arabia reporting the strongest implementation of these practices and Germany reporting the lowest. Countries shift around quite a bit beyond that.

Country-level comparison of reported success levels for five leading security practices

As with the outcomes chart, reasons behind these country-level differences are difficult to pinpoint. We suspect there’s a mix of maturity, cultural, and organizational factors at play. But hey, if you have thoughts, we’d love to hear them. Use #SecurityOutcomes on LinkedIn or Twitter to get our attention.

Remember that security resilience score we shared above for the regions? Great, because it’s coming back into play in this next chart. We wanted to test whether practicing the Fab Five actually improved resilience among EMEA organizations participating in our study. As seen in the chart below, that’s a definitive “Yes!”

Organizations that don’t do any of these practices well ranked in the bottom 25% for resilience, whereas those strong in all five reversed that standing and rose into the top 25%!

Effect of implementing five leading security practices on overall resilience score

Resilience has always been critical for cybersecurity. However, the last several years have really driven home the point that organizational defenders must be ready for anything. We hope this analysis demonstrates two things: 1) Organizations in the EMEA region have room for improving security resilience, and 2) It is actually possible to do so.

Source: cisco.com

Continue reading