Wednesday, 15 August 2018

Promote Cloud Adoption in Education without Exposing Students to Risk

Cloud based collaboration is being adopted rapidly by organizations in all verticals, and education is no exception. Access to collaborative tools can’t be as simple as an on/off switch. School administrators need visibility to prevent the loss of sensitive data and to ensure that students aren’t engaging in inappropriate communication. On-premise policies must be equally enforced as students leverage cloud-based tools.

Cisco Guides, Cisco Study Material, Cisco Tutorial and Material, Cisco Certification

Allowing Only the Correct External Communications


Schools are quick to welcome collaborative platforms like Google Drive, Microsoft’s Office 365, and Dropbox. Cloudlock, an important piece of the Cisco Security portfolio, enables educators to enforce policies across these platforms to ensure that only the appropriate personnel are logging in. Cloudlock can detect logins from questionable locations and report on multiple failed logins to applications.

Umbrella, a cloud-based extra layer of security, can recognize requests made from an organization to dangerous domains. Policies can block security categories like malware, cryptomining, and command and control. Behavior policies can be leverage to prevent requests to inappropriate sites like gambling, alcohol, and adult themes.

Cisco Guides, Cisco Study Material, Cisco Tutorial and Material, Cisco Certification

Addressing Behaviors and Communications


Once students and personnel log in, policies can be enabled and enforced around communication. These pre-defined policies include categories like aggressive behavior, discrimination and cyberbullying. If students are engaging in these behaviors on collaboration platforms, administrators can be warned about incidents that violate these policies.

Additionally, pre-defined policies include language associated with self-harm, which would be present in shows like Netflix’s TV series 13 Reasons Why. School systems reacted to this show in varying ways including banning it, recommending that parents watch it with their children, and providing lists of resources designed to identify depression. The self-harm template provides an additional degree of visibility for educators and counselors into students’ interactions.

Cisco Guides, Cisco Study Material, Cisco Tutorial and Material, Cisco Certification

Protecting Access to Data for Compliance


School systems have compliance requirements also. One example is data included under the Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99). This data is related to the transfer of students and access to it is restricted to the school systems involved, accrediting organizations and judicial parties overseeing these cases. Cloudlock contains templates that look for the sensitive “directory” information.

Finally, educational organizations look to ensure that only sanctioned cloud-based applications are installed and used on devices. Umbrella provides a cloud services report to identify applications that are requesting access to cloud services. This report can provide visibility into unsanctioned applications, allowing admins to restrict access to only applications sanctioned by the organization.

Cisco Guides, Cisco Study Material, Cisco Tutorial and Material, Cisco Certification

Sunday, 12 August 2018

Meeting enterprise demands with dual rate 10/25G Ethernet

Enterprise networks are now being stressed by video conferencing and other demanding video applications that push beyond the speed limits of traditional 10G infrastructure.  Whether it’s IEEE802.11ax WiFi Access Points, that require 1G/2.5G/5G/10G backhaul interfaces or 1G/2.5G/5G/10G direct copper/fiber Ethernet to the desktop, new enterprises are being built for high speed that now requires 25G interfaces.

Using Cisco’s new enterprise Catalyst 9000 Family Switches and Cisco’s new SFP-10/25G-CSR-S transceivers, customers can connect Wiring Closet Switches to Aggregation Switches with 25G over MultiMode Fiber (MMF).

Cisco Guides, Cisco Certification, Cisco Study Materials, Cisco Tutorial and Materials

What is “CSR”?


“CSR” stands for Cisco Short Reach.  Using advanced optical technology, Cisco is able to provide 25Gbps bandwidth at distances up to 300/400m* over OM3/4 MMF. While providing these extended reaches, the new SFP-10/25G-CSR-S transceiver is fully interoperable with traditional IEEE 802.3by 25G transceivers that only provide 25Gbps at distances up to 70/100m over OM3/4 MMF.

Why is 300/400m over OM3/4 MMF important?


Traditional 10G networks are being built (or have been built) based upon IEEE802.3 specifications (10GBASE-SR) that allow 300/400m distances over OM3/4 MMF.   These distances are well established by network installers which has resulted in Wiring Closets being located up 300 (or 400m) from Computer Rooms/Data Centers.

Cisco’s new SFP-10/25G-CSR transceiver enables 25G over MMF at the same distance as 10GBASE-SR, which means that if the fiber infrastructure worked at 10G, it will also work with SFP-10/25G-CSR. This is not the case with IEEE 25GBASE-SR because its reach is shorter.

Cisco Guides, Cisco Certification, Cisco Study Materials, Cisco Tutorial and Materials

Interoperability with 10G


The new SFP-10/25G-CSR transceiver has dual rate capability that allows interoperability with both 25GBASE-SR and 10GBASE-SR MMF transceivers**. This allows the network to be incrementally upgraded at either the end of the fiber.

Interoperability with 40G and 100G


The new SFP-10/25G-CSR can also interoperate with 100GBASE-SR4 and 40GBASE-SR4 transceivers using 3rd party MMF breakout cables. For 100G interoperability, 25G requires the use of RS-FEC (Forward Error Correction), which is available on Cisco’s 100G ports.

Cisco Guides, Cisco Certification, Cisco Study Materials, Cisco Tutorial and Materials

See this video for further information

Friday, 10 August 2018

Delivering 1 Gbps over DSL with Cisco’s ISR 1000

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Materials
I still remember the day I first got ADSL at home in 2000. The top speed was only 2 Mbps, but I was purely fascinated by everything I could do at home, especially playing video games. Not before long, ADSL was replaced with VDSL, which changed my use of the internet from playing games to downloading video and music files in bulk, thanks to Napster and Torrent.

Putting memories aside, the general landscape of the internet has completely changed over the last decade. No longer are the days of one desktop serving an entire family, instead each family member has at least one smartphone and possibly a laptop which are used constantly for streaming videos, music and more. Businesses have an immense scale of data to process and share over the internet. What this means is that bandwidth is the key to keeping families happy and businesses running.

DSL innovation has been relentless when it comes to meeting the growing demand for higher bandwidth in the market. The latest form of DSL that has been introduced is G.fast, which is expanding aggressively in the UK and Switzerland. G.fast is a DSL technology that has stretched its frequency spectrum up to 106 MHz with the additional capability to increase up to 212 MHz. Compared to the common VDSL2 deployment with 17 MHz, G.fast at 106MHz is capable of offering throughput up to 1 Gbps. In addition to its high bandwidth, G.fast is a more affordable option compared to fiber, since it is deployed over copper wires.

Today’s internet landscape has also played a major role in propelling local governments and service providers to work hand-in-hand to provide faster internet services to the general public. For example, the EU has launched an initiative to support access to internet connections with 1 Gbps by 2025 for all schools, transport hubs and main providers of public services, as well as digitally intensive enterprises. In order to support this initiative, it is no surprise that G.fast is highly favored by many service providers in Europe. British Telecom and Swisscom are at the forefront in leading their services with G.fast.

G.fast in Detail


G.fast is a DSL technology, but it sets itself apart in a few aspects from its predecessors, such as VDSL. First, the frequency spectrum used in G.fast is far wider compared to most profiles in VDSL2. The latest VDSL2 profile, deployed in Italy and Germany, is only at 35MHz, offering a throughput of 300 Mbps. Early G.fast deployments used a frequency spectrum of 22-106MHz to avoid interference from the range used by VDSL, which resulted in approximately 100 Mbps less throughput compared to using the full spectrum from 2 MHz. To increase the throughput on G.fast, the current frequency spectrum is being evaluated for an extension down to 2 MHz and up to 212 MHz. Particularly, 212MHz promises a peak aggregate throughput of 2 Gbps, which will enable 1Gbps for both downstream and upstream.

Another technical difference that makes G.fast unique is Time Domain Duplex (TDD). ADSL and VDSL have traditionally used Frequency Domain Duplex (FDD), where downstream and upstream had one frequency band for each to communicate. Since the frequency band for each direction of traffic was fixed, it was difficult to dynamically adjust the throughput per direction depending on need.

TDD enables both downstream and upstream to use the same frequency band, which allows G.fast to make throughput adjustments flexibly for both directions. The benefit of using TDD for G.fast is huge for service providers who have more flexibility to design different classes of service offerings on the same link.

G.fast Deployment


DSL, by design, is vulnerable to attenuation occurring on copper wires, which means that throughput varies depending on the distance from the CPE to DSLAM. G.fast is no exception to attenuation. Though it is able to reach 1Gbps in theory, in a very short loop length, it is impossible to maintain such short loop length in an actual deployment. Different studies would show different throughput results over distance, but the throughput range between the distance of 200 to 400 meters falls between 500 Mbps to 200 Mbps. For this reason, current G.fast deployments in the UK and Switzerland are designed for the distance between 200 – 300 meters with a target throughput between 200 Mbps to 500 Mbps. With the introduction of 212 MHz in the future, the serviceable areas with G.fast will be extended with higher levels of throughput.

Cisco’s Solution


Cisco never shied away from accommodating new changes in the market and meeting the most challenging demands from the customers. Cisco’s flagship product family, the Integrated Services Router Series, has evolved ever since its inception to stay competitive and relevant in the market by adding new routers with the latest innovations.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Materials
Cisco introduced the ISR 1000 Series routers in late 2017. It was the latest addition to the Integrated Services Routers family. The routers perform at an unmatched level to meet today’s growing demand for high throughput while offering a diverse set of WAN connectivity options including LTE Advanced, VDSL, Ethernet and Fiber.

In July 2018, G.fast was added to the list of supported WAN options on the 8 LAN port ISR 1000 Series routers with the creation of new models: C1112 and C1113. G.fast on the C1112 and C1113 will be supported over both POTS and ISDN to serve a wider list of countries. In addition to G.fast, both models will support ADSL and VDSL, including Profile 35b, to provide customers with flexible DSL deployment options. As early as November 2018, C1112 and C1113 will also be integrated with Cisco SD-WAN.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Materials

C1112 and C1113 are the only enterprise-grade routers in the market to provide secure and reliable connection with the ability to provide the high bandwidth required by today’s G.fast deployments. Both routers will not only enable customers to expand their service offerings with G.fast, but help them to protect their investment in the existing infrastructure.

Wednesday, 8 August 2018

Shining a Light on Shadow IT

But there is another ecosystem of applications and hardware besides IoT devices to manage in the realm of Shadow IT. From the old days of departments buying OTS packaged software for special projects, to today’s BYOD to work, organizations struggle with un-vetted and unauthorized information technology accessing sensitive personal and business data. IT SecOps deploys a wide range of security processes to gain some control over these proliferating endpoints in enterprise networks—often with limited success. The proof of that, unfortunately, is in the growing number of successful malware infections and data breaches that use these unregulated endpoints as gateways to the network crown jewels.

Cisco Guides, Cisco Learning, Cisco Certification, Cisco Study Materials

Cisco recognizes that security is foundational to the network itself. When you apply identity and security policies consistently throughout the network fabric, Shadow IT devices and applications become part of the managed ecosystem, and not outliers operating under their own security parameters. So when the Finance department, for example, decides to purchase and use only iPad tablets to access SaaS financial applications, only iPads tagged as part of the “Finance” network have access to the apps. Meanwhile, HR’s Surface tablets are assigned policies to send and receive data from SaaS HR apps, not financial data. These policies enforce network intentions.

Policies are codified network intentions that manage and automatically configure access privileges for devices and their associated applications. By assigning policies at the device level, or groups of devices, the network automatically adapts to changes, such as location, ownership, and signs of infection. Let’s look at how intent-based networking simplifies the management of Shadow IT devices and applications—and everything else.

Detecting and Identifying Shadow IT Devices 


Cisco Guides, Cisco Learning, Cisco Certification, Cisco Study Materials
Control of Shadow IT begins with locating and identifying devices and applications as they connect to the network. Cisco Identity Services Engine (ISE) scans the network, cataloging in DNA Center all devices or services operating on the wireless and wired network segments. ISE automatically tags rogue devices with policies that limit their access and connectivity until their legitimacy is verified and appropriate security policies applied. In essence, ISE prevents Shadow IT from accessing sensitive data sources without the knowledge of IT.

Providing Persistent Security with Software-Defined Segmentation


After shadow IT devices are identified and tagged by the ISE and cataloged in DNA Center, the concept of micro-segmentation comes into play with Cisco SD-Access. The goal is to apply policies to devices that follow them around the network—campus, wireless, WAN, mobile—virtually segmenting them according to the defined network intentions. The security for any device is therefore persistent, no matter where the device may roam.

For example, the tablets purchased by the finance department can join the network anywhere in a wireless campus environment, yet are constrained to specific data sources to which they can connect. The policies attached to tablets in a virtual segment can also maintain a higher quality of service with priority for traffic to the SaaS financial applications, versus a lower level of service for streaming video from the internet. Devices that have internet exposure are monitored for malware, with policies that automatically isolate an infected device from the rest of the network. This capability is especially critical with Shadow IT devices which may not have up-to-date security patches.

Cisco Guides, Cisco Learning, Cisco Certification, Cisco Study Materials
Cisco provides several technologies to manage virtual software-defined segmentation, all working under the umbrella of DNA Center. Tagging individual or groups of devices to create software-defined segments with security policies is automated with Cisco Trustsec, which works in conjunction with ISE. A department’s Shadow IT devices can be tagged as one group and security policies applied consistently no matter where the device connects to the network. Security tagging plays a critical role in compliance too, by ensuring, for example, that payment card data touches only specific groups of devices. Cisco Stealthwatch is a third component working with ISE and Trustsec that is critical to managing Shadow IT. Once devices are cordoned into software-defined segments, Stealthwatch monitors their health to detect any infections such as zero-day malware or ransomware and quarantines the offending devices and connections.

Managing Shadow IT in the Multi-Cloud


The growing use of public and hybrid clouds are another reason to better manage Shadow IT. Recent IT surveys show that the average organization uses over 1,427 different cloud services. When a department decides to use a file-sharing platform, subscribe to a SaaS CRM application, or run apps on AWS, they are doing so to improve efficiency and ease of use. Doing so, of course, opens up connections between sensitive enterprise data and third-party clouds, the security of which are beyond SecOp’s immediate control. With the capability to apply security and access policies, an intent-based network plays a critical role in controlling data inside and outside the enterprise.

Cisco Guides, Cisco Learning, Cisco Certification, Cisco Study Materials
For enterprises that have multi-cloud projects—whether officially condoned or emerging from the shadows—the Cisco DNA Center open cloud management platform provides granular control of how devices connect to cloud resources and defines how data flows among data center, public and private clouds, and SaaS platforms. Assigning traffic segmentation policies for public and private clouds creates end-to-end segregation with device and application-aware topologies that select the best paths to achieve desired SLAs and optimum application experience for both sanctioned and shadow technology.

Take Back Control by Integrating Shadow IT into the Network Ecosystem


Shadow IT projects will continue to take root and proliferate throughout enterprise networks. With the ubiquitous availability of cloud apps, mobile devices, and freemium services, employees will find ways to make their work life more efficient, easier, and indeed fun. Instead of fighting rogue devices and applications, IT can exert control over shadow IT by integrating the devices and services into the network ecosystem. With intent-based networking, IT can automate the application of policies to keep data secure while expanding the choices of devices and applications that employees and departments can use.

Sunday, 5 August 2018

Why download the exploit, when you can carry it with you?

For the 2nd year, RSA Conference 2018 APJ created an educational exhibit, sponsored by RSA and Cisco, to monitor the RSA Conference public Wi-Fi network provided by the Marina Bay Sands (MBS). This exhibit was created in the form of the RSA Conference Security Operations Center (SOC). RSA and Cisco provided technology and staffing to monitor the network for threats, but also to educate attendees on the risks of free Wi-Fi.

What is the difference between a SOC and a NOC?


Network Operations Center

The NOC is usually responsible for monitoring and maintaining the overall network infrastructure—its primary function is to ensure uninterrupted network service

Security Operations Center

The SOC is responsible for protecting networks, as well as web sites, applications, databases, servers and data centers and other technologies

RSA and Cisco provided the SOC. The NOC was provided by the MBS.

The mission of the RSAC SOC was to ensure the conference Wi-Fi is not attacked (denial of service, laterally spreading malware, etc.). We did not block malicious DNS traffic, downloads or attachments; as this was a learning and demonstration environment. We make sure that network is protected from attackers. We locate (when we can) and advise users when they are at risk.

What technology is in the RSAC SOC?


MBS provided the RSAC SOC a span of all network traffic from the .RSAConference network, which was passed through the Cisco Next Generation Firewall / ISP and then split the traffic to NetWitness Packets NetWitness Packets and the Cisco Stealthwatch teams.

RSA used NetWitness Packets to collect and investigate all traffic on the Wi-Fi network, from the firewall; to detect deviations from normal behavior and create a probability-weighted risk score for alerts based on these results. NetWitness inspects every network packet session for threat indicators at time of collection and enriches this data with threat intelligence and business context. At the end of the conference, all of this data was wiped from NetWitness.

For suspicious files that might be malicious, NetWitness Packets checks a community AV lookup, some static analysis and its own network intelligence. Then the NetWitness Orchestrator sends the files to Cisco Threat Grid for dynamic malware analysis.

Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. Threat Grid analyzes the behavior of a file against millions of samples and billions of malware artifacts. The SOC team had a global and historical view of the malware, what it’s doing and how large a threat it posed to the RSAC network.

Threat Grid identifies key behavioral indicators of malware and their associated campaigns. The SOC team was able to save time by quickly prioritizing attacks with the biggest potential impact. We used tools like Glovebox, to safely interact with samples and observe malware behavior directly. In addition, we used Cisco Umbrella to have visibility in all DNS activity. We also used the Threat Intelligence of Cisco Visibility and Talos Intelligence.

When the Cisco team found a potential threat, they handed it off to the RSA team for further investigation. In summary, the technology stack was:

◈ Firewall – Cisco Next Generation Firewall with IPS
◈ Full Packet Capture and Investigation – RSA NetWitness Packets
◈ Orchestration – RSA NetWitness Orchestrator, powered by Demisto
◈ Dynamic File Analysis – Cisco Threat Grid
◈ DNS / IP Intelligence – Cisco Umbrella / Cisco Umbrella Investigate
◈ Encrypted Traffic Analytics – Cisco Stealthwatch and Cognitive Threat Analytics
◈ Threat Intelligence – Cisco Visibility

Identifying endpoint vulnerabilities without an agent

Cisco’s Next Generation Firewall was set up as the perimeter Firewall for the wireless connection of the RSA APJ event. All traffic to and from wireless guests went through the Firepower Threat Defense (FTD). FTD not only detected threats, but also discovered what was running on the network endpoints; such as Operating Systems, Ports, Applications and Files.

Discovered Applications

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Discovered Files

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Geolocation Information

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

During the conference, several threats were detected, and we were able to see the total Connections and Bytes connecting to known bad IP Addresses.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

We were also able to see the Total Intrusion Events detected per Classification.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

FTD automatically correlated threat events with the contextual information discovered to identify which IPS events to prioritize for further investigation. This was reflected via Impact Flag 1 events. Data showed that there were 31 events to be prioritized.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Impact Flag 1 events shown below.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Checking the Rule documentation of the BMP overflow IPS event, it shows that it is applicable only for traffic coming from external network to internal network.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

And, applicable if the target host has this vulnerability, with cve.mitre.org documentation included.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Checking on the event we confirmed that the event is coming from the Internet going inside the network. IPS Event Details below.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Checking on the host profile, we confirmed the target host had this specific vulnerability.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Vulnerability list of the target host based on the discovered Operating System and Applications.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Why download the exploit, when you can carry it with you?

On the 2nd day of the Conference, the SOC team observed a .DOC file sent to a conference attendee in a plain text email, along with several PDFs. The .DOC file was extracted by NetWitness and had a score of 0 from the RSA Malware Analysis Community lookup, meaning it had never been detected by an AV vendor. The Static Analysis score was 80, making it worth a review, and the Dynamic Analysis/Sandbox score from Threat Grid was 100, meaning confirmed malicious based on behavior. The team went into action to assess the threat.

The .DOC file was assigned a Threat Score of 100 for the Behaviors of launching Powershell and creating an Executable File.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

We were able to see the code in the document to create and launch the eng.exe file.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

After the creation of the executable, the malware dropped some artifacts on disk that are known to be used by remote access Trojans and opened communication with a domain on the Umbrella block list for Malicious.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

We pivoted to Umbrella Investigate to learn more. If we had AMP for Endpoints deployed on the endpoints in the network, we would have instantly been able to see affected endpoints and remediate.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

In Umbrella Investigate, we learned more about the domain, including the global requests for the campaign.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Most affected computers from the United States.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

We found the hosted IP address 5[.]79[.]72[.]163 (link to the Investigate report) and then went into Cisco Visibility to access the global Cisco threat intelligence and to see if there were more associated IPs.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

With this intelligence, we were able to go to the Firewall and NetWitness teams and check if there was any outbound communication to those three IP addresses. There were none, indicated the person who received the email did not open it on a vulnerable endpoint at the conference.

Everything an attacker needs for spear phishing lures

Threat Grid currently supports the following file types for analysis:

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

For RSAC SOC, the NetWitness team focused on submitting the following file types, with the distribution in parenthesis:

◈ .PDF (93%)
◈ .EXE (4%)
◈ .DLL (2%)
◈ .DOC/X (<1%)
◈ .XLS/X (<1%)

We saw many invoices, billing statements and confidential business proposals as attachments to emails sent with unsecure protocols, such as POP3 and HTTP. Each could be used by an attacker, sniffing the public network; to craft a custom spear phishing lure, as they had legitimate business and financial information; such as the email addresses of the sender/receiver, account information, billing address and the types of products/services the email recipient expected to receive.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Cryptomining

At Black Hat Asia 2018 in March, we saw a massive increase in cryptocurrency mining. Also, with the Black Hat training courses, there were 20 times as many domains of concern for roughly the same amount of DNS requests, around 5 million for each of the conferences in Singapore.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

There was much less Cryptomining at RSAC; however, several common sites were active:

◈ widgetsbitcoin[.]com (links to the Umbrella Investigate report)
◈ api.hitbtc[.]com
◈ ws022.coinhive[.]com
◈ coinhive[.]com
◈ cdn.mngepvra[.]com
◈ authedmine[.]com
◈ coin-hive[.]com
◈ coinone.co[.]kr

When we saw the cryptocurrency mining activity based on Umbrella DNS request, Stealthwatch provided the visibility into endpoint without an agent/connector. Below is the dashboard of Cognitive Cloud Analytics (CTA). Together with Cisco Stealthwatch Enterprise, CTA is part of Cisco Encrypted Traffic Analytics. This solution can detect malware hiding in encrypted traffic without decrypting the data.

Upon investigate into “High Risk” and “Confirmed” event. There were three endpoints identified to have cryptocurrency mining activity at the time of investigation.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Below is the snapshot of the endpoint activities related to cryptocurrency mining.

Cisco Guides, Cisco Learning, Cisco Tutorial and Material, Cisco Study Material

Together with Umbrella, we could identify endpoint with initial cryptocurrency mining DNS request and detail HTTPS request to the server with Stealthwatch Enterprise and CTA.

Friday, 3 August 2018

Open vRAN Update: NETCONF/YANG Comes to 5G RAN!

One of the key principles of the Open vRAN ecosystem that Cisco and its ecosystem partners announced earlier this year, is to establish open, standard interfaces and management for vRAN. Recently the xRAN Forum has defined the use of IETF’s NETCONF/YANG standard for programmatically configuring and managing its lower layer split RAN architecture.

We are proud to have taken a lead role, working closely with top tier operators and other vendors (including ecosystem partner Mavenir), in helping the xRAN Forum define the use of NETCONF/YANG by the 5G Radio Unit. We are excited about this for many reasons. Not only will the use of native YANG models ensure the easiest route to full multi-vendor interoperability in the future disaggregated RAN, but it should also ease the integration of the management for the lower layer split deployment into existing systems.

Cisco Certifications, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials

Cisco Certifications, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials

Let’s break down what this means. YANG (RFC 7950) is a modelling language that is used by xRAN to model the configuration and operational state of its 5G Radio Unit, together with defining remote procedure calls (RPCs) for supporting tasks like software management, and notifications for indicating xRAN defined alarms. Because YANG defines syntax, relationships and constraints between the data, it enables operators of xRAN’s lower layer split to validate configuration data against the model before committing the configuration of the xRAN Radio Units.

The use of augmented IETF standard YANG models, together with xRAN specific models, lays the foundation for cross-domain orchestration of the RAN with other domains that have already adopted NETCONF/YANG. Recognizing that xRAN Radio Unit suppliers need to be able to support vendor differentiation, the YANG models are extensible, allowing them to be augmented to support enhanced vendor-specific functionality, while simultaneously ensuring baseline multi-vendor interoperability of the standardized functionality defined by xRAN.

With the results of xRAN’s work now public, all Open vRAN Ecosystem members have endorsed these early deliverables as an important first step towards the evolution of a truly open and virtualised RAN.

Cisco Certifications, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials

Wednesday, 1 August 2018

5 Reasons Cloud UC and BroadSoft Are Top of Mind

There, my Cisco colleague Andy Johnston and I shared an overview of the cloud unified communications market to a standing-room‑only audience. We described how the combined strength of the Cisco and BroadSoft calling portfolios are helping you accelerate transitioning to cloud.

I’d like to highlight five key reasons why I think our overview resonated so well.

1. Customer cloud UC perceptions have changed


We recently conducted a survey with over 1,000 IT decision makers from seven countries. In it, we learned that cloud UC is a key priority of their digital transformation strategies. 74% of respondents said they will choose a cloud provider in the next 24 months.

Cisco Certification, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials, Cisco Study Materials

2. SMBs need native mobile


Mobile working has many benefits. Many small businesses are ditching their on-premises solution and going mobile first for both cost and efficiency reasons. One of our portfolio’s most unique and innovative differentiators is our ability to deeply integrate communications within the core mobile network. This allows our mobile carrier partners like Verizon, Vodafone, Telstra, Deutsche Telekom, and Rogers to deliver a fixed-mobile converged experience that helps SMBs become more agile and productive, and appear bigger and stronger.

3. Mid-market needs enterprise-grade features without cost and complexity


Mid-market organizations need enterprise-grade features and a way to seamlessly and reliably network their PBX and cloud applications. This includes:

◈ a common network dialing plan
◈ a consistent collaboration experience across locations
◈ centralized and local administration capabilities

In addition, they need simplicity, on-demand scalability, global scale, and reliable communications for remote and mobile employees.

Cisco Certification, Cisco Guides, Cisco Learning, Cisco Tutorial and Materials, Cisco Study Materials

4. Flexible and smooth transition to cloud


Transitioning to the cloud will take some time for mid-sized and large enterprises that have large investments they simply cannot replace overnight. A 2017 study by global research firm Nemertes suggests that more than 70% of enterprises are still running TDM to at least half of their endpoints. You need solutions that both maximize the life of in-place investments and allow you to network with cloud solutions via SIP trunking for new locations, expansions, branch offices, contact centers, and mobile workers.

5. Cloud UC offers a better total cost of ownership


Cloud is a natural and more economical solution for new sites, site expansions, and smaller branch offices. In our survey:

◈ 68% of respondents believe their current on-premises systems are too expensive to maintain
◈ 70% believe cloud will reduce their IT staff efforts
◈ 69% say their current systems don’t have the advanced features they need

For many, cloud contact centers will offer more capabilities, on-demand flexibility, and superior multisite and remote-agent support. In fact, 88% of premises-based contact center users are considering moving to CCaaS, with 68% in active evaluation.

The Transition Zone


For all these reasons, we’ve developed a thoughtful technology plan that provides a smooth network transition from on-prem to cloud. A hybrid model that ensures user adoption helps you realize value more quickly and move at a pace that makes sense for your organization.

Flexible and affordable migration strategies with hybrid configuration support allow you to implement a cap-and-grow strategy. You maintain your in-place investments until they reach the end of their natural life-cycle, then transition to cloud when the time is right.

The Cisco Collaboration Flex Plan decouples the purchasing and deployment so that you can choose on-premises, hosted, or cloud options. You can move your organization, specific users, specific sites, or individual applications when it suits you in a flexible, phased approach that addresses all your needs.

This level of flexibility is available today. As you look to make your cloud transition, consider a vendor that can provide a complete solution that looks not only at your PBX requirements, but addresses your mobility and voice conferencing needs as well.

Cisco and BroadSoft are in a prime position to help you make the transition and migrate while leveraging your existing investments.