Cisco Mobility Express and Cisco Umbrella – Security Simplified!

We’ve had a few busy months with our Cisco Mobility Express solution. How busy? Following in this trend of new innovations, I am excited to share another key enhancement to the Mobility Express solution: Cisco Umbrella integration with Mobility Express via the latest AireOS 8.8.111.0 release.

With today’s digital consumers, providing Wi-Fi in your business is a necessity rather than simply a luxury. On top of that there is increasing complexity caused by the proliferation of smartphones, tablets, wearables and IoT end points that are beyond IT’s direct control. According to Cisco Visual Networking Index (VNI), 49% of global traffic in 2020 will be Wi-Fi based. With this explosive Wi-Fi growth in the network, providing a safe and secure connection is of paramount importance. Threats continue to increase in sophistication and have reached exponential levels, increasing in speed with every passing year.

So how do you secure your wireless network if you’re a small to medium-sized organization with a lean or nonexistent IT department? How will you keep pace with your competitors while successfully deploying, managing, and securing your network?

Enter Mobility Express and Umbrella.

Limited budget? No problem. IT team of one? That’s okay too. With these integrated solutions, it’s easier than ever to quickly deploy and secure an on-premise wireless network. Mobility Express offers industry-leading wireless LAN technology with a built-in virtual controller, and Umbrella provides the first line of defense against threats on the internet wherever users go. And you don’t have to sacrifice enterprise-class performance and reliability.

Umbrella is a cloud-delivered security platform that protects against threats like malware, ransomware, and phishing. With Umbrella, you gain visibility and enforcement at the DNS layer, so you can block requests to malicious domains and IPs before a connection is ever made. The Umbrella integration across the Cisco wireless LAN controller (WLC) portfolio – including Mobility Express, WLC 3504, 5520 and 8540 – provides comprehensive security coverage that is simple to deploy and manage.

Deploy and Protect in Minutes 

You can quickly and easily enable Umbrella policies per SSID in three easy and intuitive steps from the Cisco Mobility Express WebUI itself. The ability to map granular policies on a per-SSID basis allows the network to evolve rapidly to your changing business needs. All of this added protection is enforced without any additional latency, so the end user experience is not impacted.

Step1: Enable Umbrella and enter the Umbrella API Token

Step 2: Create profile and register the profile with Umbrella

Step 3: Apply the profile to the WLAN

Licensing & ordering Umbrella with Mobility Express

With AireOS 8.8.111.0 release, this feature is available to all customers and there is no additional license on Mobility Express to enable this feature. However, customers who wish to use Umbrella with Mobility Express will need an Umbrella license and account.

With the amount of Mobility Express innovations coming from Cisco, make sure to bookmark this blog page so that you’re always up-to-date.

Continue reading

Hybrid Chat for Cisco Journey Solutions

Cisco Customer Care, now Cisco Customer Journey Solutions (CJS), is by definition the best architecture to ride and support the current highest priority in large enterprises – Customer Experience sales innovation, the #1 priority for 71% of the business leaders (2017 Global CX Benchmarking Report).  CJS, very often considered a cost center in the past, is now seen by enterprises as a driver of revenue, able to increase customer loyalty, retention rate, and important financial metrics such as the Annual Renewal Rate (ARR).

Today, 65% of customers prefer Chats versus traditional voice calls to customer care (BT Global services-Cisco-Davies Hickman Partners 2017). Thus, to consider these changes of users habit, a modern CJS has to offer a selection of contact methods, called Omnichannel, and at the same time offer the possibility to move seamlessly between interaction channels bringing the context along.

Conversational self service powered by artificial intelligence

Customers also expect a near instant response time and quick resolution of their needs – both being key business metrics proven to drive customer retention and loyalty. One third of the time it needs two or more interactions to resolve the issue, causing customer dissatisfaction and 40% of them eventually leaving to find a new provider (ICMI, 451 Research). This business ask is setting another mandatory need for a modern CJS: it has to offer Conversational Self Service solutions powered by Artificial Intelligence that are efficient, productive and cost effective.

The four major business needs addressed by the “Hybrid Chat, Artificial Intelligence solution for Cisco CCE/CCX/HCS”

The next picture describes the architecture of the solution developed by Bucher & Suter and Expertflow, a Cisco Ecosystem partner. The architecture is constituted of several building blocks able to interact, dialogue, and orchestrate through OPEN API’s to allow easy customization of the end customer solution:

◈ DIGITAL TOOLS (any sort of present and future type of CHAT tools used by end users)

◈ ARTIFICIAL INTELLIGENCE services and vendors

◈ Cisco CJS architecture: CCX, CCE, PCCE, HCS and CJP

◈ A CONVERSATIONAL ENGINE developed by the ECOSYSTEM partner, being the broker, the orchestrator between digital tools, CJS APIs, AI vendors and NLP services, and offering the integration of both end users and agents front ends.

Let’s see the way it works, beginning with a description of its hybrid approach

When implementing a chat bot in a digital CJS you always need a hand-off strategy for all those cases where the BOT isn’t confident enough to answer and thus needs a human agent. This means that in a standard solution a chat is always managed either by a BOT or by an agent, which very often results in very low productivity of the CJS, especially if the chat bot is not powered with AI.

The solution presented in this article features a different innovative approach where the agent, the BOT, and the user are always engaged in a Continuous Chat Conference, and the agent can monitor multiple chats and leverage the BOT during the entire conversation, thereby reducing the workload and response time. After a hand-off to an agent, the BOT remains in the conversation and works as an agent assistant so upon every customer utterance query, the Hybrid Chat presents the most appropriate answers identified by the BOT to the agent.

A colored icon signals the agent which chats demand an intervention (RED), the conversations where the BOT can run independently (GREEN), and those where the BOT has multiple options (including a “strike probability view”) but it is not 100% sure so best would be having the agent picking the right one or overwriting (YELLOW). The agent can let the BOT auto-answer with the highest-scoring answer, intervene and select one among those that the BOT suggests, or even draft a new response to the customer.

A timer displayed with a colored circle around the chat icons indicates timeouts upon which certain configurable actions are taken.

The BOT uses a model created with Machine Learning powered by Google Dialogflow to answers chats, but the solution is quite innovative also because the messages tagged and validated by the agents can be used as new training data to the BOT in order to improve future recognition rates (Natural Language Understanding) and answers (Dialogue Engine).

The chatbot is constantly learning through conversations from person-to-person (clients and agents) making the whole solution self-tuning on the job, where the performances of the BOT are continuously improving in a specific contest further reducing engagement of the agents and therefore raising productivity and lowering costs. The interplay between customer, agents, and the BOT also reduces the response time, increasing the quality of the service delivered and enabling higher customer satisfaction and loyalty.

Let’s now analyze the way this solution interacts and integrates with a Cisco CCX/CCE or HCS CJS.

edia (SMS is slower than FB Chat). Based on such analysis, it assigns multiple chats in parallel to agents interacting with Cisco CJS through Open APIs (CTI and UQ API), ensuring that each agent has the same work volume. If an agent is fully charged, the Conversational engine makes a new synchronous media routing request to the CJS to reserve the next full-time agent. Conversely, if a chat session requires a full-time collaboration session (escalation to audio and/or video and screen sharing), all other ongoing chats are given back to the general chat pool and distributed to other agents and that agent is reserved for the full-time session.

The solution presented in this article is showing the incredible potential of combining together the Cisco architectures with Google artificial intelligence to design custom solutions targeting the modern business needs of large, medium, and small enterprises: Customer Experience, customer loyalty, customer retention, increased renewal revenue, decreased costs.

Continue reading

Cognitive Intelligence: Empowering Security Analysts, Defeating Polymorphic Malware

In psychology, the term “cognition” refers to a human function that is involved in gaining knowledge and intelligence. It helps describe how people process information and how the treatment of this information may lead to various decisions and actions. Individuals use cognition every day. Examples as simple as the formation of concepts, reasoning through logic, making judgments, problem-solving, and achieving goals all fall under the purview of this term.

In cybersecurity, applying the principles of cognition helps us turn individual observed threat events into actionable alerts full of rich investigative detail. This process improves over time through continuous learning. The goal is to boost discovery of novel or morphing threats and streamlining of the cybersecurity incident response. The work of the security operations teams can be vastly optimized by delivering prioritized actionable alerts with rich investigative context.

Enhancing Incident Response

Let’s take a moment to think of the tasks that a security team performs on a day-to-day basis:

◈ Looking through ever-increasing numbers of suspicious events coming from a myriad of security tools.
◈ Conducting initial assessments to determine whether each particular anomaly requires more investigation time or should be ignored.
◈ Triaging and assigning priorities.

All of these actions are based on the processes, technology, and knowledge of any particular security team. This initial decision-making process by itself is crucial. If a mistake is made, a valid security event could be ignored. Or, too much time could be spent to investigate what ends up being a false positive. These challenges, coupled with the limited resources that organizations typically have, as well as complexities associated with attack attribution, may be daunting.

That’s why security teams should embrace automation. At Cisco, we’re committed to helping organizations step up their game through the use of our Cognitive Intelligence. This technology allows correlating telemetry from various sources (Cisco and 3rdparty web proxy logs, Netflow telemetry, SHA256 hash values and file behaviors from AMP and Threat Grid) to produce accurate context-rich threat knowledge specific to a particular organization. This data, combined with the Global Risk Map of domains on the Internet, allows organizations to confidently identify variants of memory-resident malware, polymorphic malware with diversified binaries, and in general any innovative malware, that attempts to avoid detection by an in-line blocking engine.

As a result of automation like this, less time needs to be spent on detailed threat investigations to confirm the presence of a breach, identify the scope and begin triage. And that will in turn dramatically help mitigate the shortage of skilled security personnel by increasing the effectiveness of each analyst.

Example of a Confirmed Threat Campaign

In a sense, Cognitive Intelligence algorithms mimic the threat hunting process for observed suspicious events. It identifies combinations of features that are indicative of malware activity, in a similar fashion that an incident responder would do, starting with relatively strong indicators from one dataset and pivoting through the other datasets at its disposal. The pivot point may lead to more evidence, such as behavioral anomalies that help reinforce the infection hypothesis. Alternatively, the breach presumption may fade away and can either be terminated very quickly or re-started when new data becomes available. These algorithms are similar to incident response playbooks used by Cisco CSIRT and other incident response teams, but operate on a much larger scale.

What’s New in 2018: Probabilistic Threat Propagation

One of the example algorithms that we call Probabilistic Threat Propagation (PTP) is designed to scale up the number of retrospectively convicted malware samples (threat actor weapon), as well as the number of malicious domains (threat actor infrastructure) across the Cisco AMP, Threat Grid, and Cognitive knowledge bases.

Probabilistic Threat Propagation in a Nutshell

PTP algorithm monitors network communications from individual hashes to hosts on the Internet and constructs a graph based on the observed connections. The goal is to accurately identify polymorphic malware families and yet unknown malicious domains, based on the partial knowledge of some of the already convicted hashes and domains. The key here is that malware authors often reuse the same command-and-control (C2) infrastructure. Hence the C2 domains often remain the same across polymorphic malware variants. At the same time, these domains are usually not accessed for benign purposes.

For example, if an unknown file connects to a confirmed malicious domain, there’s a certain probability that this sample is malicious. Likewise, if a malicious file establishes a connection to an unknown domain, there’s a probability for this domain to be harmful. To confirm such assumptions, Cisco leverages statistical data surrounding the domain to determine how frequently it’s accessed, by which files and so on.

Graph built by Probabilistic Threat Propagation Algorithm

The capability that we have introduced helps security analysts track and detect new versions of malware, including polymorphic and memory-resident malware, given the fact that C2 infrastructure remains intact. Similarly, this method is capable of tracking migrations of attacker’s C2 infrastructure, given the knowledge of malicious binaries which belong to the same malicious family. Cognitive Intelligence helps leverage specific telemetry from a stack of security products (file hashes from AMP, file behaviours from Threat Grid, anomalous traffic statistics and threat campaigns from Cognitive). That allows Cisco to model threat actor behaviors across both the endpoint and the network to be able to better protect its customers.

Probabilistic Threat Propagation algorithm also provides additional sensitivity to file-less malware (that doesn’t have file footprint on the disk of the system) and process injections. Such infections can be detected when a legitimate process or a business application starts communicating with domains associated with C2 infrastructure, that other malicious binaries predominantly contacted.

The beauty of this capability is that it runs offline in the Cisco cloud infrastructure, and therefore does not require any additional computational resources from customers’ endpoints or infrastructure. It simply works to provide better protection and the increased count of retrospective detections for novel variants of known malware.

Measuring Results

This blog entry wouldn’t be complete if we didn’t speak about the initial results, that just this single algorithm delivers. From a single malicious binary, Probabilistic Threat Propagation algorithm is able to identify tens if not hundreds of additional binaries that are a part of the same threat family and that also get convicted as a part of this analysis. Similarly, with this new mechanism of tackling polymorphism, we will generally be able to identify tens of additional infected hosts affected by a polymorphic variant of a particular threat. That is especially rewarding when it comes to measuring the positive impact on Cisco customers.

Scaling threat detection efficacy with Probabilistic Threat Propagation

Cisco AMP for Endpoints and other AMP-enabled integrations (AMP for Email Security, AMP for WSA, AMP for Networks, AMP for Umbrella) leverage AMP cloud intelligence to provide improved threat detection capabilities boosted by the PTP algorithm.

Continue reading

A Hybrid Cloud Solution to Improve Service Provider Revenue

Media and Telecom service providers serve millions of customers, and it is a challenge to monitor and assure that customers have a satisfactory experience with the services. Service providers incur high operation costs through customer support and truck rolls. Reactive customer support often causes customer dissatisfaction resulting in churn and revenue loss. Large volume and variety of data (network, CPE, billing, customer issues etc.) is maintained across multiple systems but is underutilized to add value to business. Different business units work in silos and non-availability of integrated customer profile leads to half-matured marketing efforts, unsatisfactory customer experience and loss of business opportunities. Common roadblocks for business improvement include:

◈ Lack of consolidated data & accurate insights
◈ Extended cycle time to process data and delay in access to insights
◈ Dependency on legacy systems to process data

Barriers to business improvement

A container-based, hybrid cloud solution

A container-based hybrid cloud analytics solution that will help service providers to understand their customers better. It will provide a unified view about end customers and help improve the services and grow their business.

Inputs to gain customer insights

POC scope

Customer churn analysis and prediction

Aggregate data from different data sources (billing, customer support, service usage, CPE telemetry etc.), create an integrated view of customer data and analyze churn

Implement a simple churn prediction model using hybrid cloud service

Tools and services used

Cisco Container Platform for CI/CD and management of micro services

GCP Pub/Sub for data aggregation

GCP Datalab for data exploration

GCP Dataflow for stream and batch processing of data

GCP BigQuery for analysis and BigQuery ML for churn prediction

Solutions architecture

Solution diagram

Model training and serving with Google Cloud Platform:

Model Prediction Data Flow

Overview of steps involved to develop the POC

1. Preliminary analysis on data consolidated across all (US) regions is performed, for example, Customer Sentiment analysis. Once this data is ready with all the feature labeling, etc, Cisco Container Platform (CCP) and Google Cloud Platform (GCP) are leveraged for gaining meaningful insights about this data.

2. Service catalogue is installed on the master node of the CCP cluster. It will provision and bind service instances using registered service broker. Custom application will leverage these service bindings and enable true hybrid cloud use cases.

3. In the CCP platform, using the Pub/Sub application, Media telecom customer data gets posted to GCP Pub/Sub.

4. Once data gets published to GCP Pub/Sub topics from periodical batch program, published data object will be consumed through Cloud data flow Job

5. Cloud Dataflow allows user to create and run a job by choosing google predefined dynamic template Pub/Sub to big query dynamic templates which initialize pipeline implicitly to consume data from topics and ingest into appropriate Big Query data set configured while creating Dataflow.

6. Once Dataflow predefined template Job gets started, it begins consumption of data object from input topics which get ingested into BigQuery table dynamically as a pipeline. This table data is then explored using Datalab, and required data pre-processing steps — such as removing null values, scaling features, finding correlation among features, and so on — are performed (please see the Model prediction data flow diagram above). This data is then returned back to BigQuery for ML modeling.

7. ML model built using BigQuery will be used for prediction of Customer churn for subsequent data received.

8. This processed churn data is retrieved using service broker to CCP and later consumed by UI

Dashboard

1. From the Solution dashboard (see sample screen shot shown below) service providers can view the forecasted churn based on region, service, and reason. Customer reported issues, and the services currently being used by the customers can also be visualized.

2. Solution dashboard allows service providers to take quick action. For instance, improving the wireless service or 4K streaming service, thereby preventing customer churn.

Customer Insights Dashboard

Solution Demo Video

Continue reading

Transforming Enterprise Applications with 25G Ethernet SMF

Bandwidth Drivers for 25G

Bandwidth requirements in today’s Enterprise networks are now being driven by dramatic increases in video conferencing by such systems as Cisco’s Telepresence and other real-time applications such as Augmented Reality, Mixed Reality and Virtual Reality. These are taxing the limits of traditional 10G infrastructure. Whether it’s IEEE802.1ax WiFi Access Points or direct wired equipment with copper/fiber ports that require 1G/2.5G/5G/10G backhaul interfaces, new enterprisenetworks are being built with high speed equipment that now requires 25G ethernet interfaces.

Figure 1. Cisco Telepresence and new applications demanding high bandwidth.

Cisco’s new SFP-10/25G-LR-S transceiver provides Single Mode Fiber (SMF) interfacing for Cisco’s newest platforms with 25G interfaces, including the new Catalyst 9500/9400/9300/9200’s, other new switches, new routers, and new servers / NICs (Network Interface Cards).

Figure 2. Cisco’s SFP-10/25G-LR-S transceiver .

What is “LR”?

For SFP (Small form Factor Pluggable) transceiver technology “LR” stands for Long Reach that traditionally refers to a reach of 10km. The 25G SFP form factor, called SFP28 (28 Gb/s to account for encoding overhead) has been standardized and the LR specifications are available in IEEE P802.3cc™ – 2017 Amendment 11: Physical Layer and Management Parameters for Serial 25 Gb/s Ethernet Operation Over Single-Mode Fiber.

The 25G transceiver is similar to the 10G transceiver in that it uses a simple NRZ (Non-Return-to-Zero) modulation but it has higher bandwidth transmitter and receiver for 25G communication. It also includes a CDR (Clock Data Recovery) circuit to clean up the signals. The 25G transceiver also requires that the host ports support RS-FEC (Reed Solomon – Forward Error Correction), which is not required for 10G.

Cisco’s newest 25G products, including the Catalyst Enterprise switches 9500/9400/9300/9200’s, have advanced ASICs that implement RS-FEC for 25G communication so that transmission error rate can be improved from a BER (Bit Error Rate) of 5×10-5 to 1×10-12. A BER of 1×10-12 is traditionally considered to be “error free” and is associated with other ethernet rates where upper layer protocols can deal with infrequent transmission errors.

Inter-building and Intra-building applications for SFP-10/25G-LR

Figure 3. Inter-building and Intra-building applications for 25G.

25G-LR SMF transceivers are now being used for both inter-building and intra-building campus applications to provide high speed connectivity.

Inter-building applications: In large campus environments 25G is used to connect from the building’s distribution switches to a core switch(es) in another campus building. Because of the 25G-LR’s reach of 10km (~6.2 miles) the transceiver provides an excellent low-cost solution for relatively large campus environments such as hospitals, medical offices, college campuses, and business parks. The core switch typically connects to the service provider’s metro/core network with 40/100G links, but those links may also use 25G LR technology.

Intra-building applications: In many situations SMF is used (or has been used) to connect wiring closet switches for distribution. In these applications, network builders and architects go beyond the limits of the traditional 300m over OM3 (or 400m over OM4) MMF (Multi Mode Fiber) by using SMF for large spans found in mega shopping malls, huge airports, and large manufacturing buildings. Now with Cisco’s SFP-10/25G-LR, networks can communicate at 25G without changing the SMF fiber infrastructure.

Migration from 10G to 25G

The new SFP-10/25G-LR transceiver has dual-rate capability that enables interoperability with 10G-LR SMF transceivers. This allows the network to be incrementally upgraded at either the end of the fiber. For example, Figure 4 shows how a Catalyst distribution switch is replaced with a new switch equipped with a SFP-10/25G-LR, but still communicates with the legacy 10G Catalyst wiring closet switch using 10G. Then when the wiring closet switch is replaced with a new 25G Catalyst switch, it communicates with the distribution switch at 25G without changing the transceiver at the latter end.

Figure 4. Migration to 10G from 25G.

Interoperability with 40G and 100G

In some circumstances, the distribution switch (or far end switch) may only have QSFP interfaces. The new SFP-10/25G-LR it can interoperate with Cisco’s QSFP-100G-PSM-S transceiver or with Cisco’s QSFP-4X10G-LR-S transceiver via fiber breakout cables or cassettes, thereby connecting QSFP ports with SFP ports. 25G mode requires the use of RS-FEC (Forward Error Correction) on both hosts, which is available on Cisco 100G and 25G ports.

Figure 5. SFP-10/25G interoperates with 25G and 10G.

Continue reading

Cisco Complete Visual Network Index (VNI) Forecast and what it means for Service Providers in Asia Pacific

This quarter, I’m excited to announce we released our annual Cisco Complete Visual Network Index (VNI) Forecast, which covers global, regional, and country-level projections and trends associated with fixed and mobile networks. It’s a must-read for every Asia Pacific service provider seeking to optimize network investments and performance. The report is a treasure trove of insightful findings covering everything from devices/connections growth, Internet of Things (IoT) advances by industry verticals, IPv6 adoption, traffic growth by application (video, AR/VR, gaming, etc.), traffic patterns (peak vs. average), network transformation at the edge, cord cutting implications, a 5G mobile preview, Wi-Fi hotspots and broadband network performance to security issues.

But what does this mean for a service provider in the Asia Pacific region? We’ve distilled the latest VNI report data through this lens, and came up with four key regional trends for the next five years.

Trend 1: Adapt to shifts in device usage

Devices and connections are growing faster than the population and internet users. According to the latest Cisco Complete VNI Forecast, there will be an increase in devices and connections from 8.6 billion in 2017 to 13.1 billion in 2022. 86% of Asia Pacific IP traffic will be due to non-PC devices like smartphones and tablets. In comparison, PCs will account for 14% of Internet traffic in 2022, down from 45% in 2017. On top of that, video devices will have a multiplier effect on traffic. By 2022, nearly two-thirds (62%) of connected flat panel TVs will support 4K, and Ultra high-definition (UHD) IP video will account for 19% of Asia Pacific IP video traffic by 2022.

Due to the proliferation of smart mobile devices and connections, the surge in traffic will exert tremendous pressure on service providers to maintain an optimal user experience on their networks.  Moving forward, service providers will need to ensure their systems are ready to handle traffic growth and support new and emerging technologies. Failure to do so could have dire consequences.

Trend 2: A future-ready network is key to growth

The IoT is no longer a phenomenon and will shortly become mainstream as more people, processes, data and things connect to IoT. By 2022, M2M connections will be nearly half of total connections in Asia Pacific. Connected homes will represent the largest amount of M2M connections, and connected cars will experience the fastest growth.

With content providers moving towards IPv6 adoption and enablement in the Asia Pacific region, this will allow for more unique TCP/IP address identities to be created, enabling IoT connectivity. And service providers that are able to not only enable IoT connectivity, but also manage and secure IoT traffic, will be in a solid position to unlock more opportunities to drive new customer experiences, revenue streams and a competitive advantage.

Trend 3: Meet the increasing demand for video

Building on the “cord cutting” phenomenon, more families today are turning towards internet video, with cord-cutting households generating 141GB per month in 2017 as compared to 82 GB generated by an average household.

Not only that, we are seeing a trend in which the growth in digital television service that denotes television viewing across all digital platforms (cable, IPTV, satellite, etc.) is growing much more slowly relative to mobile video. Also, mobile video growth rates are even higher in emerging regions because these areas are bypassing fixed connectivity.

This will mean increase in internet traffic per user and average household. Average traffic per user per month will increase from 20GB in 2017 to 69 GB in 2022, as well as average traffic per household per month from 60GB in 2017 to 205GB in 2022. There’ll also be a huge opportunity for content delivery networks, which is set to deliver 72% of Internet traffic by 2022 globally.

Content is and will continue to be king. And with a bulk of mobile network traffic coming from video content over the next five years, the question is whether you’ll be able to meet this demand.

Trend 4: Make security a priority

The last several years have certainly been the most eventful from a security threat perspective, with breaches like WannaCry and NotPetya making headlines around the world.

Peak attack size increased 174% Y/Y. In fact, Distributed-Denial-of-Service (DDoS) attacks can represent up to 25% of a country’s total Internet traffic while they are occurring. Average DDoS attack size between 1-2 Gbps increased 37% Y/Y which is faster than Internet traffic at 33% Y/Y. Also, across industries, 864 total breaches were observed, and 34.2 million records were exposed, with an average of 39,554 records exposed per breach. And the bad news is that security threats are only going to accelerate as 5G networks become a reality.

Based on the latest projections, attacks will double to 14.5 million by 2022 globally. That said, cybersecurity can longer be treated as a mere IT issue, but a top business priority. In the coming years, users will be looking for service providers who can improve their organization’s security posture.

Continue reading

How Stealthwatch Cloud protects against the most critical Kubernetes vulnerability to-date, CVE-2018-1002105

The increasing popularity of traditional cloud computing technologies such as server-less, on-demand compute and containerized environments has made technologies like Kubernetes part of our daily vernacular as it relates to running our applications and workloads.

Kubernetes solves many of the problems with managing containers at-scale. Automation, orchestration, elasticity are a few of the major draws for organizations to leverage Kubernetes, either in the cloud, on premises, or hybrid. Kubernetes creates a network abstraction layer around the siloed containers that allows for this facilitation. Think of it as a wide open highway that allows you to route throughout the many containers that are actually performing your workloads.  From web servers to database servers, these containers are the flexible, scalable workhorses for an organization.

With great accessibility comes a drawback, however. Should an attacker gain access to a pod, a node or an internal Kubernetes service, then part or all of that cluster is at risk of compromise. Couple that with the fact that in many instances Docker containers are actually running scaled down Linux operating systems like CoreOS or Alpine Linux. Should one of those containers become exposed to the Internet (and many workloads require access to the Internet), you now have an exposed attack surface that expands along with the exposed workloads themselves.

Last week the most severe Kubernetes vulnerability discovered to-date was announced, CVE-2018-1002105. It scored a 9.8 out of a possible 10.0 on the CVSS severity score…which is unprecedented.  In a nutshell this vulnerability allows an attacker to send an unauthenticated API request to the Kubernetes API service. Despite being unauthenticated, the access request leaves a remaining TCP connection open for the API backend server. This connection then allows an attacker to exploit the connection to run commands that would grant them complete access to do anything they desire on the cluster.  Scary stuff!

This vulnerability underscores the fact that organizations need to have both the visibility to see such traffic and also the analytics to know if the traffic represents a risk or compromise. Suppose you unknowingly expose a group of Apache Kubernetes pods to the Internet to perform their intended web services and a new vulnerability is exploited on that pod, like Struts. The attacker would then have root access on the pod to perform recon, install necessary tools and pivot around the cluster. And, if they are aware of the API vulnerability, then it’s a walk in the park for them to take full control of your cluster in a matter of minutes.

Not a good day for an organization if – and more likely when – this occurs. Data theft, compute theft, skyrocketing bills….just to name a few, are immediate side effects to a takeover of this magnitude.  So how can Stealthwatch Cloud help in this scenario and similar potential exploits?

How Stealthwatch Cloud Protects Kubernetes Environments 

Stealthwatch Cloud deploys into a Kubernetes cluster via an agentless sensor that leverages Kubernetes itself to automatically deploy, expand and contract across a cluster. No user interaction is required. The solution deploys instantly to every node in a cluster and exposes every pod and the communication with those pods between internal nodes and clusters, as well as externally. This allows for an unprecedented level of visibility into everything a cluster is doing, from pods communicating to the internet to worker nodes communicating internally with the master node. We then add entity modeling which compares new behavior to previous behavior and machine learning based anomaly detection to alert on IOC’s throughout the Kill Chain to alert on over 60 indicators of suspicious activity across a cluster.

Hypothetically speaking, if one of your Kubernetes clusters were compromised, Stealthwatch Cloud would send alerts in real-time on various aforementioned activities. The tool would alert on the initial pod reconnaissance, and on connection activity once the pod was exploited. If the attacker moved towards the API server, Stealthwatch Cloud would alert on internal reconnaissance, suspicious connections to the API server itself, further data staging, data exfiltration and a variety of other alerts that would indicate a change from known good behavior across every component of a Kubernetes cluster…all in an agentless, automated, scalable solution.

Continue reading