Friday, 17 May 2019

Practical Ways to Reduce Ransomware Impact: Actions You Can Take Today

During the past year, Cisco Security Incident Response Services has provided emergency incident response services for many customers dealing with incidents that sometimes become a ransomware event. In many cases, we were engaged by the company at the first sign of trouble and were able to help contain the initial incident and reduce the ability of the attacker to shift to a ransomware phase. In other incidents, we were asked to help long after the attackers were in the environment and the systems were already encrypted.

In this blog post, I will share some practical tips that our team uses with customers to help mitigate the risk of ransomware causing a significant business outage.


Figure 1: Phases of an attack.

If we follow the standard attack lifecycle (Figure 1), the first step that we need to consider is how we would address the initial attack vector. For this blog post, let us assume the initial access vector is email (which we have observed is often the case).

Initial Attack


The first thing to consider is intelligence-based email monitoring and filtering. An example of this would be the Cisco Email Security Appliance (ESA) product which integrates Cisco Talos threat intelligence into an active email inspection platform.


ESA should be deployed to examine email, both inbound and outbound, from the organization. This filtering should be tied to an intelligence feed that dynamically adds new known malicious domains, IP addresses, behavioral indicators, signatures, etc.

By itself, this will not fully protect an organization, but without it you expose your users and your environment to preventable email-based attacks. This control should send log events to the security monitoring system. These events should be reviewed regularly by a member of the monitoring team and, where possible, correlated with other events (involving the same time, internal hosts, external IP/domain, and any malware detected). The ability to also review email historically for suspicious attachments or previously unidentified malicious files helps in scoping and understanding the scale of an incident, and can be used for hunting if the initial detection fails.

User Actions


Subsequent to the initial malicious email entering an environment, the next obvious question is “did the user open it” or “did the user click the link”? To answer these questions, we require some specific log telemetry from within the environment.


DNS logs, such as those available from Cisco Umbrella, can be invaluable for identifying whether a user, IP address or device made a request for a known suspicious domain or IP address. If there is an active incident, these logs should be examined for any requests associated with the incident. These DNS logs should be part of the overall logging environment, and the events should also be used to block and track requests to known malicious domains. Again, this should be correlated into events of interest for the monitoring team to consider. This helps us understand whether the domain was requested, but does not by itself indicate what the interaction was between the user and the destination.

To gather information on the interaction between the user and the destination, we require logs from a deployed web proxy system that captures the outbound web requests and the responses. Cisco Web Security Appliance (WSA) is an example of an active web proxy/filtering system, powered by Cisco Talos threat intelligence. These systems can often block or filter known malicious sites (again based on intelligence) and also retain the HTTP transaction between the user's web browser and the destination. This can help us answer the question of what was done on the site, or what the site sent as a response.
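The correlation described above (email-gateway event, then DNS request, then proxy transaction, all from the same internal host inside a time window) as an added example; this is not code from the original post, and the log formats, hosts, domains, intelligence feed and user-to-host table are all constructed for illustration rather than taken from any Cisco product:

```python
"""Correlate email-gateway, DNS and web-proxy events by internal host and time.

Added example, not code from the original post. The log formats, hosts,
domains and the user-to-host table are constructed for illustration and
do not correspond to any Cisco product's output.
"""
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed email-gateway events: a message was delivered carrying a URL.
EMAIL_EVENTS = [
    {"ts": "2019-05-17T09:12:04", "recipient": "alice",
     "url_domain": "invoice-update.example", "verdict": "suspicious"},
    {"ts": "2019-05-17T09:30:00", "recipient": "bob",
     "url_domain": "newsletter.example", "verdict": "clean"},
]
# Constructed resolver log lines: timestamp, internal host, record type, name.
DNS_LOGS = [
    "2019-05-17T09:13:10 10.1.4.22 A invoice-update.example",
    "2019-05-17T09:13:11 10.1.4.22 A cdn.example",
    "2019-05-17T11:02:45 10.1.4.22 A invoice-update.example",
    "2019-05-17T09:31:09 10.1.5.7 A newsletter.example",
]
# Constructed proxy log lines: timestamp, host, method, URL, status, bytes.
PROXY_LOGS = [
    "2019-05-17T09:13:12 10.1.4.22 GET http://invoice-update.example/login.php 200 18233",
    "2019-05-17T09:13:20 10.1.4.22 POST http://invoice-update.example/login.php 302 412",
    "2019-05-17T09:31:10 10.1.5.7 GET http://newsletter.example/ 200 5120",
]
# Which host each user was on at the time (e.g. from DHCP or endpoint
# inventory); constructed here.
USER_HOST = {"alice": "10.1.4.22", "bob": "10.1.5.7"}
# Intelligence feed of known-malicious domains (constructed).
KNOWN_MALICIOUS = {"invoice-update.example"}
# How long after delivery we look for follow-on activity from the recipient.
WINDOW = timedelta(minutes=30)


def _ts(value):
    return datetime.fromisoformat(value)


def parse_dns(line):
    ts, host, rtype, name = line.split()
    return {"ts": _ts(ts), "host": host, "type": rtype, "name": name}


def parse_proxy(line):
    ts, host, method, url, status, size = line.split()
    return {"ts": _ts(ts), "host": host, "method": method, "url": url,
            "domain": urlsplit(url).hostname, "status": int(status),
            "bytes": int(size)}


def correlate(email_events, dns_lines, proxy_lines, user_host, feed,
              window=WINDOW):
    """Build one event of interest per email whose URL domain is suspicious
    or in the feed, joining DNS and proxy activity from the recipient's host
    that falls inside the window after delivery."""
    dns = [parse_dns(line) for line in dns_lines]
    proxy = [parse_proxy(line) for line in proxy_lines]
    events = []
    for msg in email_events:
        domain = msg["url_domain"]
        if msg["verdict"] == "clean" and domain not in feed:
            continue  # nothing to chase for a clean, unknown domain
        host = user_host.get(msg["recipient"])
        start = _ts(msg["ts"])
        end = start + window
        # Did the recipient's host resolve the domain after the email arrived?
        lookups = [d for d in dns
                   if d["host"] == host and d["name"] == domain
                   and start <= d["ts"] <= end]
        # What did the browser actually do with the site?
        hits = [p for p in proxy
                if p["host"] == host and p["domain"] == domain
                and start <= p["ts"] <= end]
        events.append({
            "recipient": msg["recipient"],
            "host": host,
            "domain": domain,
            "in_feed": domain in feed,
            "dns_lookups": len(lookups),
            "http_transactions": len(hits),
            # A POST to the suspicious site is the signal to treat the user's
            # credentials as possibly compromised.
            "credentials_possibly_submitted": any(p["method"] == "POST"
                                                  for p in hits),
        })
    return events


if __name__ == "__main__":
    for event in correlate(EMAIL_EVENTS, DNS_LOGS, PROXY_LOGS,
                           USER_HOST, KNOWN_MALICIOUS):
        print(event)
```

The 11:02 lookup of the same domain falls outside the 30-minute window and is deliberately not counted, which is the kind of tuning the monitoring team has to decide on before an incident.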

To address the question of "did the user open the file", we recommend implementing the Windows Sysinternals System Monitor (Sysmon), which can help answer questions about user behavior and activity. Alternatively, many endpoint security tools may also be able to answer this question. Be sure to test your tools before an incident, so you know what normal activity looks like before you are in an incident and have to parse the alerts.

Account Compromise


Following the attack lifecycle, the next phase is account compromise: did the user either provide their credentials (e.g., if they were prompted to enter their password to access what appeared to be a legitimate company web page) or did the malware gather local cached account data from the system? This is where we recommend multi-factor authentication (MFA) as the standard for all environments.


We have frequently recommended multi-factor for "high risk" accounts, or for "all externally facing services", but with the current attack patterns we recommend multi-factor for all Active Directory environments. There can be technical limitations on implementing MFA for some legacy systems, legacy access types, etc. Those exceptions should be identified and very closely monitored for unexpected activity, or isolated into separate Organizational Units or Groups. This may allow early detection of misuse and may limit the impact of these systems or credentials, should they become compromised.

Another key consideration is to monitor the system used to manage the multi-factor authentication. We have seen attackers attempt to bring these systems offline, to attempt to access these systems, or to successfully access these systems and either create one-time use passcodes or create a new account that was allowed to bypass the multi-factor requirement. These systems must be closely monitored for all access and modifications to the users, groups, or creation of one-time use codes.

Privilege Escalation


The next phase is privilege escalation. In this phase, we recommend a multi-pronged approach as there are multiple risks to address. The first risk is if the environment has a shared local administrator password across multiple devices. This is still a very common practice in many environments due to a number of factors.


A solution that can assist with this is implementing the Microsoft Local Administrator Password Solution (LAPS), which provides a better method to manage local accounts. The second risk is an attacker compromising one of the privileged accounts in the environment. If multi-factor authentication is required on these accounts, this should be unlikely, but these accounts must still be monitored for misuse. Additionally, these privileged groups should be monitored for modification (adding or deleting users, or changes to the group roles). These are also events that should trigger alerts that are evaluated by the monitoring team.
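The privileged-group monitoring recommended above (and the monitoring of isolated MFA-exception groups in the Account Compromise section) as an added example, not code from the original post: it reads constructed Windows Security events in a JSON-lines shape that a log forwarder might emit (the field names are an assumption of this example) and raises an alert for any membership or attribute change to a watch-listed group.

```python
"""Alert on membership or attribute changes to privileged AD groups.

Added example, not code from the original post. The event lines are
constructed JSON in the shape a log forwarder might emit for Windows
Security events; the field names are an assumption of this example.
The event IDs are the standard Windows Security Group Management IDs,
which require that audit subcategory to be enabled on domain controllers.
"""
import json

# Member added to a security-enabled group (global / local / universal).
MEMBER_ADDED = {4728: "global", 4732: "local", 4756: "universal"}
# Member removed from a security-enabled group.
MEMBER_REMOVED = {4729: "global", 4733: "local", 4757: "universal"}
# Security-enabled group itself changed (name, SAM name, attributes).
GROUP_CHANGED = {4737: "global", 4735: "local", 4755: "universal"}

# Constructed watch list; in practice derive it from your AD tiering model
# and include any group used to isolate MFA exceptions.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins",
                     "Schema Admins", "Administrators"}

# Constructed sample events, one JSON object per line.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"time": "2019-05-17T10:01:00", "event_id": 4728, "computer": "DC01",
     "subject": "CORP\\jsmith", "group": "Domain Admins",
     "member": "CN=svc-backup,OU=Service,DC=corp,DC=example"},
    {"time": "2019-05-17T10:02:30", "event_id": 4732, "computer": "WS042",
     "subject": "CORP\\helpdesk1", "group": "Remote Desktop Users",
     "member": "CN=bob,OU=Users,DC=corp,DC=example"},
    {"time": "2019-05-17T10:05:12", "event_id": 4737, "computer": "DC01",
     "subject": "CORP\\jsmith", "group": "Domain Admins", "member": ""},
    {"time": "2019-05-17T10:06:00", "event_id": 4624, "computer": "WS007",
     "subject": "CORP\\alice", "group": "", "member": ""},
])


def classify(event):
    """Return an alert for a change to a privileged group, else None."""
    eid = event["event_id"]
    if eid in MEMBER_ADDED:
        action, scope = "member added", MEMBER_ADDED[eid]
    elif eid in MEMBER_REMOVED:
        action, scope = "member removed", MEMBER_REMOVED[eid]
    elif eid in GROUP_CHANGED:
        action, scope = "group changed", GROUP_CHANGED[eid]
    else:
        return None  # not a group-management event (e.g. 4624 logon)
    if event["group"] not in PRIVILEGED_GROUPS:
        return None  # routine change to a non-privileged group
    return {
        "time": event["time"],
        "event_id": eid,
        "action": action,
        "group_scope": scope,
        "group": event["group"],
        "member": event["member"],
        "by": event["subject"],
        "on": event["computer"],
    }


def scan(lines):
    """Run classify() over newline-delimited JSON events; return alerts."""
    alerts = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        alert = classify(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT", alert)
```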

Lateral Movement


Lateral movement occurs next. To detect and thwart this, we need to reduce the ability for a user account to move freely within the environment without being validated or having authorization.


This can be started by reducing internal network access from the standard user segments and VPN devices. Network segmentation can be complex to implement across the entire environment, but it is often achievable to make some small restrictions using virtual LANs (VLANs) to reduce which networks can access critical segments. Privileged or administrator activity should always originate from an approved "jump box" that is hardened and monitored, with access restricted to only the users who require it. Role-based access should also be enforced: not everyone should have access to production, the code base, or sensitive data. Access (successful and failed) should be logged and correlated. Reducing the number and type of ports and protocols within the environment may also help to reduce the spread of malware or lateral movement that expects specific capabilities, such as the Server Message Block (SMB) protocol.

Encryption of Data


The ultimate risk of a ransomware attack is in the final phase. This is when the attacker is able to encrypt critical business systems or services, causing a business outage. The impact of this outage varies based on the function of your business, your tolerance (or your customers’ tolerance) for downtime, and many other factors.


For environments that have critical services that impact life and safety of people, we strongly recommend partnering with the disaster recovery and business continuity teams to test existing plans and update them accordingly with steps that cover full data center loss via ransomware. Other questions that should be considered: Are your backups offline and secure from the possible ransomware? Does your online backup system use the same credentials as your Active Directory environment? Has your organization practiced what a data restore would look like and how long it would take? Is the necessary hardware (or virtual space) available to be able to restore your environment? Is there an understanding of dependencies and other tactical considerations?

Take Action Today


These recommendations will help you improve your ability to detect attacks in the earlier (pre-ransomware) stages and will reduce the overall impact of a ransomware incident. You must take key preventative steps, while also readying your team to act when it strikes. If you feel you need hands-on, expert assistance, consider contacting our team – our incident responders can help you prepare your own team with proactive services and we can work alongside your team during active incidents.

Thursday, 16 May 2019

Ansible: Powered by Cisco DNA Center

We have all seen the segmentation of people and technologies into what we lovingly refer to as ‘silos.’ Initially, these silos were formed to group together teams with common skill sets, ownership, accountability, etc. The effect that we see from this division into functional groups typically manifests as some level of communication hindrance that limits full cooperation between the groups to obtain a higher level objective.

If you look at the technology industry, the same sort of logical grouping is prevalent. For example, we have technology silos like Campus Networking, Data Center Infrastructure, Security, and Storage.


In these technology domains, we see managers, or controllers, that are responsible for providing that Software Defined Controller role and act as the provisioner for that area. Similar to the challenge faced with people in organizations, this division can be a hindrance when trying to automate across multiple functional areas.

Ansible for Higher Level Automation


What we need to help drive a cohesive strategy for management across each of these domains is a common interface to act as the glue between them. This “higher layer” can interface with each technology domain using whatever interface is exposed by the manager or by reaching the devices directly.

Ansible is a fantastic solution to act as this glue. There are over 2000 modules to provide that communication mechanism into each domain. The coverage is broad enough to span the entire gamut.


Campus Networking


Cisco Campus networking has seen significant growth in maturity with the DNA Center solution. DNA Center provides GUI-driven workflows that greatly simplify complex deployments, allowing the technologist to focus on what they want the network to do rather than the specific configurations.

The Assurance engine is without parallel in the industry. Assurance provides unprecedented visibility into the health of your networks, end users, and applications.

Cisco has released the concept of DNA Center as a Platform and provides access to the APIs that drive the DNA Center solution.

Ansible Modules for DNA Center


That brings us to the point of this write-up: with Ansible acting as the glue between your various technical domains, combined with your newly deployed Cisco DNA Center, you will need some new modules to drive the configuration of DNA Center from Ansible.

World Wide Technology has developed several new Ansible modules for DNA Center. These initial modules provide the ability to deploy the configuration of the design workflows, including Site Hierarchy, Common Settings (DHCP server, DNS server, Syslog, etc.), IP Pools, Create Discoveries and more.


These initial modules are just the start. We will continue to develop and refine with the help of the broader, open source community as additional features and APIs are exposed.

The figure below is a snippet of YAML from a sample playbook illustrating the configuration of the DNA Center settings and sites.


Tuesday, 14 May 2019

Cisco Drives Intent-Based Networking Forward with Multi-Level Segmentation

Why network segmentation matters in the enterprise of today


Network Segmentation easily gets lost in a conversation as it is a heavily used term in the industry. Everyone claims to support it when in reality most vendors support the bare minimum to simply claim compliance in an RFP (Request for Proposal) or RFI (Request for Information).

Network segmentation is a critical requirement to address the growing scale, complexity and security demands of today's campus and branch networks. That's because segmentation allows customers to protect their data. Segmentation divides an infrastructure into individual components and builds connection points between the relevant components based on an understanding of applications, users, consumers, and devices.

The days of managing secure networks with VLANs and ACLs are behind us. Customers require a campus infrastructure capable of supporting a software-defined approach to network segmentation. Networks today need to be purpose-built to begin the journey of intent-based networking. Network segmentation is a key pillar supporting the foundation of Cisco's powerful Software-Defined Access (SD-Access) architecture.

Raising the stakes with multi-level network segmentation


Traditionally, when a customer needed to isolate a given network, VLANs and ACLs (Access Control Lists) were configured to achieve network separation. Even a simple use case, enforcing policies for users, devices, and things, was challenging to implement and complex to manage as new users and devices were added to the network. Cisco has addressed these challenges and raised the stakes for network segmentation, offering a new approach to multi-level segmentation for the enterprise campus.

So, what is multi-level segmentation? As the name suggests, multi-level segmentation provides two levels of segmentation, using layer 3 virtual networks (VNs) and scalable group tags (SGTs).


Comparing vendors


The independent Miercom report, which compares the segmentation capabilities of Cisco, Aruba and Huawei, offers several key takeaways. The bottom line of the Miercom comparison is that there is a clear benefit in the automated, single-touch-point approach of Cisco compared to the manual, multi-touch-point approaches of HPE-Aruba and Huawei.


Aruba

Aruba’s segmentation offering is highly dependent on its mobility controller. With only a small amount of traffic, Aruba’s Mobility controller was exposed as a choke point.

Regardless of how many access layer switches and network uplinks are added, the limitation remains until an additional Aruba Mobility controller is purchased and added to the network. A network administrator using the Aruba architecture will constantly need to monitor the load of the segmentation service, because the mobility controller responsible for wireless association/termination will become unresponsive when its data plane performance limit is reached.

Aruba positions its Dynamic Segmentation for Unified Policy for wired and wireless. Aruba launched this back in 2014 and is still positioning this architecture as Next-Gen. The flaws then are still present now.

Is the Aruba solution line-rate? Can it be proved via independent test reports? Can they change policy between users, whatever their respective VLAN is?

Huawei

Huawei's Free Mobility was basic segmentation at best. Several touchpoints and dashboards are required to get the basics to work. It's definitely not easy to use, and requires many repetitive steps to create groups and create policy.

Huawei presents its Free Mobility solution to its customers for segmentation using group-based policy. Free Mobility is an add-on to its policy server, the Agile Controller 1.0. Huawei does not offer a simple way to deliver policy-based automation. In all cases Huawei requires multiple touch points and manual configuration via CLI, plus countless clicks on its Agile Controller for policy.

The third-party test vendor configured Huawei's Free Mobility solution and found that it was not as easy as expected.

Multiple steps are required to create a security group – 12 to be exact. To create a single policy between a configured pair of security groups takes 16 steps.

The key takeaway was Huawei’s inability to provide an easy to use offering for multi-level segmentation.

At best, the segmentation was basic and the network administrator was left to log back into the additional devices to enable port isolation for east-west segmentation.


As you can imagine, traditionally there are many touch points when trying to configure various levels of segmentation.

Cisco


With Cisco Digital Network Architecture (DNA) Center, the creation of virtual networks and management of scalable groups is possible and can be done via a single unified dashboard. Cisco DNA Center and SD-Access outshines and outperforms the competition. Cisco SD-Access is built using a campus fabric with built-in mechanisms to support two levels of segmentation. Other network vendors can only offer segmentation based on simple network separation.

The Cisco Catalyst Family embeds VNs and SGTs in its hardware using the Cisco UADP (Unified Access Data Plane) ASIC. This facilitates building a robust foundation on powerful hardware that allows customers to enable a network segmentation service without compromising on performance. Other network vendors use older architectures that are bottleneck designs with limited data plane performance of only 10Gbps.

Our third-party tests compare and assess the network segmentation offerings of each networking vendor. As the report shows, with the other vendors customers will continue down the path of configuring named VLANs and mapping out the size of the subnet per VLAN in preparation for deployment. Customers using either vendor will be required to configure a VLAN for wired employees, a VLAN for wireless employees, a VLAN for wired guests, a VLAN for wireless guests, etc.

As stated, those are ways of the past …however this is how the competition will design a campus network. They don’t offer a controller based network to provide automation and the ability to deliver true software defined networking.

Cisco SD-Access not only profiles users, devices, and things but also onboards clients to a fabric. It provides customers with capabilities to move devices in a virtual network (macro segmentation) and provide flexibility to support role-based groups (micro segmentation) and control communication based on network contracts.

With Cisco’s DNA Center, the policy application allows customers to create VNs and groups using the “drag and drop” method. Once configured, network connectivity and access were tested to verify segmentation.

Segmentation doesn’t stop in the campus


Cisco also supports the ability to keep the policy intact from the Campus user to the Data Center application with SGT to EPG (endpoint group) mapping. Cisco is the only vendor capable of offering Intent-Based Networking across the Campus and Data Center.

Monday, 13 May 2019

AI in Cisco IT Operations: Finding Golden Needles in Ever Larger Haystacks

Customers often ask us whether artificial intelligence (AI) will be the kind of game changer that analysts are predicting. From what I’m seeing, the answer is an unconditional yes.

The trick is figuring out the right use cases. While any computer can calculate pi to a million places faster than I can sneeze, it takes an AI compute space to sort through billions of pieces of data to answer a single question. One drawback:  AI doesn’t, by itself, know what questions to ask and what to do with the answers. But if you can frame the question the right way, AI can devour planet loads of information and find significant patterns. Think of it this way: AI can winnow through huge haystacks to find a needle—but first a human needs to define a needle.

Cisco IT began our journey to AI through many disconnected teams. Through the grapevine I’d heard about more than 40 projects, each funded by the group that’s using it (e.g., marketing, InfoSec, contact center). Different teams in Cisco – in IT, in Engineering, in Marketing – have already centralized their AI efforts to increase their scope.

Here are some of the ways we’re putting AI to work today.

Security


Detecting Day Zero malware

Malware detection was our first foray into AI. We acquired Stealthwatch technology in 2015. It sifts through billions of data points about how traffic moves through our network to detect anomalous behavior that could indicate Day Zero malware. The hard part is teaching the AI engine what's normal and what's not. Here's an analogy: if you have a dinner party with millions of guests (it's a large house), how can you spot the potential thieves? Most security defenses look for signatures – in this case, mug-shots of known criminals as they come through the door. But to catch the thieves who are still unknown, you have to look at their behavior. It's normal for a party guest to wander through your house, chatting with guests and hovering around the bar; but it's not normal for them to go immediately to the locked room containing the safe and start looking behind the pictures. When the equivalent of that happens on our network, Stealthwatch raises an alarm or takes action to isolate the threat. We regularly find Day Zero attacks in this way. To do this, we have to ask Stealthwatch to sift through over 28 billion NetFlow records every day, and continue to update it on what's normal, acceptable behavior and what behavior is characteristic of malware attacks. But it enables us to see things that no other tool can.


Discovering malware in encrypted traffic

More than 50% of network traffic is now encrypted, and malware hidden in encrypted traffic can sneak through traditional defenses. But encrypted traffic is so tough to crack (pun intended) that you also need machine learning—telling the AI program to find malware without telling it how. Using an AI program called Encrypted Traffic Analytics (ETA), a new Stealthwatch upgrade, we've learned some of the clues, such as packet lengths, arrival times, and initial handshake data packets, that signify malware even when the stream remains encrypted. ETA has found malware in encrypted streams that would have slipped right by signature analysis or even AI-based behavior analysis.

WAN optimization


Routing traffic over the best circuit based on predicted performance

Our midsize offices get two circuits: MPLS and VPN-over-Internet. Instead of leaving the secondary circuit idle most of the time, last year we started using Cisco Software Defined-WAN (SD-WAN) to intelligently provision secure WAN links and route application-specific traffic to the circuit that's best for the job. The decision depends on the type of the traffic (voice, video, email, etc.) and current network conditions. Now we're making the decision even better by using AI to predict future circuit behavior. Say we're about to broadcast a live 60-minute webinar. If the MPLS circuit is performing great right now but signs indicate it might degrade in 30 seconds (or 17 minutes), it's smarter to have the SD-WAN Manager route traffic to the backup circuit.


LAN Troubleshooting


Identifying problems and recommending solutions before they’re noticed

Cisco Software-Defined Access (SD-A) includes an AI-driven data collection and analysis platform. Cisco IT has already deployed three main Cisco DNA-Center (DNA-C) clusters, one in each of the three global regions (Americas, Europe, Asia). These AI clusters are collecting large amounts of information regarding switch traffic and performance, tracking traffic from each application and user. (This has required us to migrate several thousand switches to Catalyst 9000 models, which act as sensors to stream telemetry data to the Cisco DNA-C for analysis.) Like any AI tool, Cisco DNA-C benchmarks normal behavior and performance. It identifies when performance is degrading and consults over a hundred common Cisco IT network issues. If it finds the right pattern, it will alert a network engineer, point out exactly where in the network path there is a problem, and recommend a solution based on that pattern. The central Cisco DNA-Controller can then automatically make recommended changes to all relevant network devices.

We've found the Wireless Assurance part of Cisco DNA-C to be extremely helpful. It can stitch together the path of a person walking across the building floor, connecting from one Access Point to the next, and see exactly where and when their voice or video session starts to run into problems, as well as identifying where in the client device, access point or wired network the problem root cause might be. If it matches one of the hundred-plus common issues, it will recommend a fix and walk the network engineer through that fix.

Data Center Management


Identifying change management problems before they happen, and recommending solutions 

AI tools similar to the networking tools described for WAN and LAN are also at work in the far more complex environment of the data center. With thousands of different sets of application performance and security policies in place, enforced by the virtual overlay fabrics across ACI, it's not easy to deploy new application policies without issues. Cisco Network Automation Engine (CNAE), a new AI tool, will automatically check for new policy conflicts among the millions of different potential connections to see where issues might arise, and recommends different policies to achieve the desired outcome. This keeps application security and performance at a maximum, with minimal provisioning delay due to misconfiguration anywhere in the data center. Cisco IT is running CNAE in the largest of our 3 ACI-fabric data centers today.


Marketing


Identifying the “next best action” for customers who visit our website

Our small and medium business customers generally do their product research on cisco.com. Over the years we've experimented with various ways to follow up with web visitors. Email or phone follow-up isn't particularly effective and can seem like spam.

Now we’re using AI to discover the next best action based on the customer’s business need and previous interactions. Working with our Marketing Analytics team, we built a platform that collects and analyzes information from cisco.com and Salesforce to find out how customers were contacted, what content they were given, and whether the action successfully moved the customer up the sales chain (for example, inspiring them to reach out to us, watch a product video, place an order, etc.) As a result, we now know which customers are likely to respond to certain types of contacts, and at what point in the purchase decision. Preliminary results from 25 pilots in 7 countries are very strong: 4 times better customer response rate, 7-10 times fewer outbound communications that don’t result in a response, and lower costs. Even better, we’ve seen that the longer we tune the data, the better the response rates over time.

Contact center


Improving the customer journey

Our contact center is one of the most prolific users of AI. A few examples:

◉ Self-service for callers and agents. Cisco IT worked with the contact center team to build Cisco Answers, an AI-driven knowledge tool.

◉ Intelligent routing: When customers contact us via voice, email, or chat, we use AI to predict what they need, and then connect them to the best available agent with the right expertise. First-call resolution and customer satisfaction have both improved.

◉ Business insights from recorded customer calls. Like a lot of companies, we record contact center interactions for agent training. These recordings are also a gold mine of information for marketing, product development, and more. With close to 100,000 calls a day, a human couldn't keep up—but AI can. We've started using Verint speech analytics to discover trends in our recorded contact center interactions. For example, if we see a spike in the phrase "software defined" in communications with people in a certain region, we might step up our marketing programs for Software Defined Networking in that region.

Supply chain


Optimizing inventory stores by predicting demand

Other grassroots AI projects are cropping up all over Cisco—in sales, marketing, supply chain, and others. Take supply chain. The Cisco server you order today probably isn’t built yet because we use just-in-time (JIT) manufacturing. To make it work, we need the right components on hand, just when we need them. The more accurately we can predict demand a month or two out, the less risk that we’ll under order something like chips, delaying shipment—or over order, tying up capital and creating the risk of loss or damage. It’s looking like AI will help us reduce inventory requirements for UCS server memory chips by a factor of ten.

Saturday, 11 May 2019

Cisco and F5 Team Up to Address Continuous Deployment Integration Challenge

Lori MacVittie is a subject matter expert on emerging technology responsible for outbound evangelism across F5’s entire product suite. MacVittie has extensive development and technical architecture experience in both high-tech and enterprise organizations, in addition to network and systems administration expertise. Prior to joining F5, MacVittie was an award-winning technology editor at Network Computing Magazine, where she evaluated and tested application-focused technologies including app security and encryption-related solutions. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University, and is an O’Reilly author. MacVittie is an Advisory Board Member for CloudNOW.

Most of us are familiar with Newton’s Laws of Motion. The Third Law is about actions and reactions. The Second Law provides the mathematical formula for determining force. And the First Law describes motion and forces acting upon it.

But most are unlikely to know Newton’s First Law of DevOps. That’s probably because I made it up. Regardless, it holds true and is based on solid Newtonian physics.


The unbalanced forces acting upon application deployments are the processes in the continuous deployment pipeline. The disparity in continuous deployment efforts can be seen in the varying degrees to which organizations have automated processes across the core IT concerns of security, network, application services, and app infrastructure. There are several sources of this stop-and-go mixture of manual and automated deployments in the enterprise.

One of these unbalanced forces is the siloed nature of enterprise IT. Nearly half of all IT (46%) is still operating in single-function style teams. This includes smaller silos inside of larger silos with each team responsible for focused areas of IT. Security, for example, might be siloed into smaller teams that focus individually on firewalls, application security, and compliance issues. Automation and orchestration of specific services might be available within some areas, but not others.

This causes delays when teams encounter manual processes that require human interaction.

Some of these delays are caused not by manual processes, but by lack of integration across toolsets. Deployment of security services might be automated, deployment of load balancing might be automated, but the tools through which those processes are automated might not be integrated, leaving gaps in the continuous pipeline. That challenge is frustrating, as it causes a delay while a manual handoff occurs between automated systems. More than one-third (36%) of respondents to our annual State of Application Services report noted lack of integration across vendor toolsets as the most frustrating or challenging aspect of network automation. That lack of integration makes it cumbersome to orchestrate an end-to-end continuous deployment.

The good news is that integrations are continuing to evolve to address that obstacle thanks to solutions like Cisco ACI App Center.

Cisco ACI App Center


Cisco ACI App Center, if you aren’t familiar, is an open and programmable infrastructure sporting an open API. It enables deployment of a wide range of services and acts as a sort of infrastructure deployment app store for the enterprise. Partner, customer, and community solutions are available.

And now it includes the F5 ACI ServiceCenter. Through a supported integration, we’ve teamed up with Cisco to provide L4-L7 (application services) capabilities within Cisco’s APIC environment. This gives joint customers the ability to deploy a full complement of application services, such as Advanced WAF and DDoS protection, as well as supporting network stitching, and enabling full-stack visibility.


F5 ACI ServiceCenter will make it faster and simpler for customers to deploy and consume F5 application services. We’ve moved to a declarative interface that reduces the time and effort required to automate deployment pipelines, but that doesn’t mean we’ve reduced capabilities. F5 ACI ServiceCenter still enables the same programmable extensibility that customers have come to rely on from F5 to optimize and secure their applications.

Multi-Cloud Challenges Addressed


One of the reasons we continue to partner with Cisco is the vision we share of supporting any app, anywhere. Because security, application services, and app infrastructure all depend on the underlying networks, integration with the tools Cisco provides to simplify and speed deployments is one of the best ways to help our joint customers succeed. These integrations address the unbalanced forces that can occur when trying to onboard and provision application services across disparate networks. Being able to automatically configure network-specific characteristics means less delay.

For the enterprise, that means being able to easily deploy application services in a more intuitive, user-friendly experience across multiple environments. Yes, that means public and private cloud as well as on-premises or remote data centers. However, since each environment is unique – with its own network characteristics – integrating with Cisco will improve the onboarding and deployment of application services dependent on those networks. In essence, we’re eliminating an unbalanced force that can put an abrupt stop to a deployment in progress.


It’s also important to enable visibility from the network to the application, from L2 to L7. This integration offers just that and enables customers to address one of their top multi-cloud challenges: visibility. Visibility is an integral component of every other capability – from security to availability to performance. Enabling full-stack visibility is a boon to all operational concerns and developers alike. It aids in troubleshooting, shutting down attacks, and optimizing performance.

Continuing to Advance Automation Together


We’re excited to continue to be a part of the Cisco ACI ecosystem, and to bring to customers this new way to deploy and operate F5 application services as a part of the Cisco APIC environment. We plan to expand the availability of F5 application services through the F5 ACI ServiceCenter integration to ensure customers can take advantage of our robust portfolio to ensure the scale, speed, and security of any app, anywhere.

Source: cisco.com

Friday, 10 May 2019

Enabling AMP in Cisco SD-WAN

Advanced Malware Protection (AMP) for Networks is now available in Cisco SD-WAN.

That means you’ll be able to sandbox and block standard, polymorphic and file-less malware across the WAN, all from the Cisco SD-WAN console.

As the world’s largest networking and cybersecurity vendor, Cisco combines the most advanced SD-WAN with its industry-leading security portfolio for your campus and branch office needs. In addition, Cisco SD-WAN platforms, such as the 1000 and 4000 Series Integrated Services Routers (ISR 1K and ISR 4K), are purpose-built and enhanced with proprietary, embedded defenses to provide the most comprehensive SD-WAN connectivity and protection.

Deploying AMP in Cisco SD-WAN is easy: simply click a tab and activate the security services you need.

Robust SD-WAN Security


With the software release of Cisco IOS-XE SD-WAN 16.11, Cisco SD-WAN customers using ISR platforms gain access to the most advanced security services backed with Cisco Talos threat intelligence. These services include:

◉ NEW: Malware defense and sandboxing with Cisco AMP and AMP Threat Grid
◉ Enterprise firewalling with application awareness
◉ URL filtering and Umbrella DNS security
◉ Snort Intrusion Prevention (IPS)
◉ End-to-end segmentation across the WAN
◉ Embedded platform security, including the Cisco Trust Anchor module

Building on the Cisco SD-WAN Security Stack


Cisco SD-WAN makes managing WAN operations simple, including security deployments such as AMP

SD-WAN presents unique challenges for your network management and security teams. Branch offices transmit sensitive data like their core and campus location counterparts, yet modest branch office size and scattered geography make them difficult to secure with multiple point products. When branch locations begin using direct internet access (DIA) for cloud applications, enterprise risk increases further. Adding malware protection in these environments is critical.

Cisco SD-WAN gives enterprise IT teams the ability to layer security, including malware protection, at branches and core locations across the WAN with a few clicks. These capabilities help WAN locations identify, defend against and remediate a wide variety of threats.

AMP Understands Malicious Behavior


Modern malware has evolved.


Without the appropriate protections, detection and remediation in an SD-WAN environment is unlikely, exposing branch offices and the WAN to advanced threats such as data exfiltration and unauthorized encryption.

For network, security and IT operations teams, that means taking time to work across departments, correlating disparate tools to fumble through threats in hopes of preventing their expansion into other sensitive network areas.

That’s why AMP for Networks in Cisco SD-WAN uses integrated preventative engines, exploit prevention and the most intelligent signature-based antivirus to stop malicious attachments and fileless malware before they execute.

AMP understands malware. Together with Cisco Talos, AMP imbues your SD-WAN branch, core and campus locations with threat intelligence from millions of worldwide users, honeypots, sandboxes, and extensive industry partnerships. In total, AMP identifies more than 1.1 million unique malware samples a day. At the first sign of malicious behavior in your core location or branch, AMP in Cisco SD-WAN automatically blocks the threat and protects users across your entire WAN.

Thursday, 9 May 2019

The State of Machine Learning in 2019

Here we are, almost four whole months into 2019, and machine learning and artificial intelligence are still hot topics in the security world. Or at least that was the impression I had. Our 2019 CISO Benchmark Report, however, found that between 2018 and 2019, CISO interest in machine learning dropped from 77% to 67%. Similarly, interest in artificial intelligence also dropped from 74% to 66%.

Now there are a number of reasons why these values could have dropped over a year. Maybe there’s a greater lack of certainty or confidence when it comes to implementing ML. Or perhaps widespread adoption and integration into more organizations has made it less of a standout issue for CISOs. Or maybe the market for ML has finally matured to the point where we can start talking about the outcomes from ML and AI and not the tools themselves.

No matter where you stand on ML and AI, there’s still plenty to talk about when it comes to how we as an industry are currently making use of them. With that in mind, I’d like to share some thoughts on ways we need to view machine learning and artificial intelligence as well as how we need to shift the conversation around them.

More effective = less obvious


I’m still amazed that machine learning is still such a hot topic. That’s not to say it does not deserve to be an area of interest. I am saying, however, that what we should be talking about are the outcomes and capabilities it delivers. Some of you may remember when XML was such a big deal, and everyone could not stop talking about it. Fast forward to today and no one advertises that they use XML, since that would just be obvious and users care more about the functionality it enables. Machine learning will follow the same path. In time, it will become an essential aspect of the way we approach security and simply another background process. Once that happens, we can focus on talking about the analytical outcomes it enables.

An ensemble cast featuring machine learning


Anyone who has built an effective security analytics pipeline knows that job one is to ensure that it is resilient to active evasion. Threat actors know as much as or more than you do about the detection methods within the environments they wish to penetrate and persist in. The job of security analytics is to find the most stealthy and evasive threat actor activity in the network, and to do this you cannot rely on a single technique. For that detection to happen, you need a diverse set of techniques, all of which complement one another. While a threat actor will be able to evade one or two of them simultaneously, they don’t stand a chance against hundreds of them! Detection in diversity!

To explain this, I would like to use the analogy of a modern bank vault. Vaults employ a diverse set of detection techniques like motion, thermal, and laser arrays; a disturbance on any one of those physical dimensions will trip an alarm, and the appropriate response will ensue. We do the same in the digital world, where machine learning helps us model timing or volumetric aspects of the behavior that are statistically normal so we can signal on outliers. This can be done all the way down at the protocol level, where models are deterministic, or all the way up to application or user behavior, which can sometimes be less deterministic. We have had years to refine these analytical techniques and have published well over 50 papers on the topic in the past 12 years.


The precision and scale of ML


So why then can’t we just keep using lists of bad things and lists of good things? Why do we need machine learning in security analytics and what unique value does it bring us? The first thing I want to say here is that we are not religious about machine learning or AI. To us, it is just another tool in the larger analytics pipeline. In fact, the most helpful analytics comes from using a bit of everything.

If you hand me a list and say, “If you ever see these patterns, let me know about it immediately!” I’m good with that. I can do that all day long and at very high speeds. But what if we are looking for something that cannot be known prior to the list-making act? What if what we are looking for cannot be seen but only inferred? The shadows of the objects but never the objects, if you will. What if we are not really sure what something is or the role it plays in the larger system (i.e., categorization and classification)? These questions are where machine learning has contributed a great deal to security analytics. Let’s point to a few examples.

The essence of Encrypted Traffic Analytics


Encryption has made what was observable in the network impossible to observe. You can argue with me on this, but mathematics is not on your side, so let’s just accept the fact that deep packet inspection is a thing of the past. We need a new strategy, and that strategy is the power of inference. Encrypted Traffic Analytics is an invention at Cisco whereby we leverage the fact that all encrypted sessions begin unencrypted and that the routers and switches can send us an “Observable Derivative.” This metadata coming from the network is a mathematical shadow of the payloads we cannot inspect directly because they are encrypted. Machine learning helps us train on these observable derivatives so that if a session’s shape and size over time matches some malicious behavior, we can bring it to your attention without having to deal with decryption.
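To make the “observable derivative” idea concrete, here is an added example (not Cisco’s Encrypted Traffic Analytics code). It computes a metadata-only feature vector from each encrypted flow (packet lengths and inter-packet timing of the first few packets, the feature set being an assumption of this example), trains nearest-centroid profiles on constructed labelled flows, and classifies an unseen flow without ever looking at payload.

```python
"""Added example, not Cisco's ETA code: an "observable derivative" built from
encrypted-flow metadata alone, matched against profiles trained on labelled
flows. The derivative (assumed here) is a normalised packet-length histogram
plus the log mean inter-packet gap over the first N packets. All flows below
are constructed toy data."""
import math

BUCKETS = (64, 128, 256, 512, 1024, 1500)   # length-histogram edges (assumed)
FIRST_N = 8                                  # packets observed per flow (assumed)


def derivative(packets):
    """packets: list of (length_bytes, timestamp_s). Uses no payload bytes,
    so it can be computed from an encrypted session as a router sees it."""
    pkts = packets[:FIRST_N]
    hist = [0.0] * (len(BUCKETS) + 1)
    for length, _ts in pkts:
        hist[sum(1 for edge in BUCKETS if length > edge)] += 1.0
    n = float(len(pkts)) or 1.0
    gaps = [b[1] - a[1] for a, b in zip(pkts, pkts[1:])]
    mean_gap = sum(gaps) / len(gaps) if gaps else 0.0
    return [h / n for h in hist] + [math.log1p(mean_gap)]


def train(labelled_flows):
    """Nearest-centroid profile per label: the mean derivative of its flows."""
    sums, counts = {}, {}
    for label, packets in labelled_flows:
        vec = derivative(packets)
        acc = sums.setdefault(label, [0.0] * len(vec))
        for i, x in enumerate(vec):
            acc[i] += x
        counts[label] = counts.get(label, 0) + 1
    return {lbl: [x / counts[lbl] for x in acc] for lbl, acc in sums.items()}


def classify(model, packets):
    """Return the label whose centroid is nearest to the flow's derivative."""
    vec = derivative(packets)

    def dist(centroid):
        return math.sqrt(sum((a - b) ** 2 for a, b in zip(vec, centroid)))

    return min(model, key=lambda lbl: dist(model[lbl]))


# Constructed flows. A beacon: small fixed-size records at a long, regular
# interval. Browsing: a ClientHello-sized record followed by full-size segments.
def beacon_flow(size=96, period=60.0):
    return [(size, period * i) for i in range(FIRST_N)]


def browse_flow(gap=0.05):
    sizes = [517] + [1400] * (FIRST_N - 1)
    return [(s, gap * i) for i, s in enumerate(sizes)]


TRAINING = [("beacon", beacon_flow()), ("beacon", beacon_flow(112, 45.0)),
            ("browse", browse_flow()), ("browse", browse_flow(0.2))]
MODEL = train(TRAINING)

if __name__ == "__main__":
    unseen = [(100, 0.0), (100, 58.0), (100, 121.0), (100, 179.0)]
    print(classify(MODEL, unseen))   # beacon
```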

Why is this printer browsing Netflix?


Sometimes we are lucky enough to know the identity and role of a user, application, or device as it interacts with systems across the network. The reality is, most days we are far from 100% on this, so machine learning can help us cluster network activity to make an assertion like, “Based on the behavior and interactions of this thing, we can call it a printer!” When you are dealing with thousands upon thousands of computers interacting with one another across your digital business, even if you had a list at some point in time, it is likely not up to date. The value of this labeling is not just that you have objects with the most accurate labels, but that you can infer suspicious behavior based on an object’s trusted role. For example, if a network device is labeled a printer, it is expected to act like a printer, so its future behavior can be predicted. If one day it starts to browse Netflix or checks out some code from a repository, our software Stealthwatch generates an alert to bring it to your attention. With machine learning, you can infer from behavior what something is, or, if you already know what something is, you can predict its “normal” behavior and flag any behavior that is “not normal.”


Pattern matching versus behavioral analytics


Lists are great! Hand me a high-fidelity list and I will hand you back high-fidelity alerts generated from that list. Hand me a noisy or low-fidelity list and I will hand you back noise. The definition of machine learning by Arthur Samuel in 1959 is “Field of study that gives computers the ability to learn without being explicitly programmed.” In security analytics, we can use it for just this and have analytical processes that implicitly program a list for you given the activity they observe (the telemetry they are presented). Machine learning helps us implicitly put together a list that could not have been known a priori. In security, we complement what we know with what we can infer through negation. A simple example would be “If these are my sanctioned DNS servers and activities, then what is this other thing here?!” Logically, instead of saying something is A (or a member of set A), we are saying not-A, but that is only practical if we have already closed off the world to {A, B}: not-A is B if the set is closed. If, however, we did not close off the world to a fixed set of members, not-A could be anything in the universe, which is not helpful.
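The printer example above and this closed-world negation can be shown together. The following is an added example (not Stealthwatch code): it learns each host’s role from flow telemetry alone, the “implicitly programmed list”, by matching the ports a host is seen on against constructed role fingerprints, and then treats anything outside that role, or DNS to a resolver outside a sanctioned set, as not-A in a closed world. Fingerprints, the resolver list, the 0.5 similarity threshold and all flow records are constructed assumptions.

```python
"""Added example, not Stealthwatch code: infer device roles from observed
flows, then alert on behaviour outside the inferred role (closed-world
negation). Role fingerprints, thresholds and flows are constructed."""
from collections import defaultdict

# Constructed fingerprints: ports each role is expected to be involved with.
ROLE_FINGERPRINTS = {
    "printer":     {515, 631, 9100, 53},
    "workstation": {53, 80, 443, 445, 3389},
    "dns_server":  {53, 123},
}
SANCTIONED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}   # constructed "set A"


def parse_flow(line):
    """Parse a constructed NetFlow-style record 'src,dst,dport,bytes'."""
    src, dst, dport, nbytes = (f.strip() for f in line.split(","))
    return src, dst, int(dport), int(nbytes)


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0


def infer_roles(flows):
    """Cluster hosts by the ports they are seen on (either side of a flow)
    and label each with the nearest fingerprint; weak matches stay unknown."""
    observed = defaultdict(set)
    for src, dst, dport, _nbytes in flows:
        observed[src].add(dport)
        observed[dst].add(dport)
    roles = {}
    for host, ports in observed.items():
        role, score = max(((r, jaccard(ports, fp))
                           for r, fp in ROLE_FINGERPRINTS.items()),
                          key=lambda t: t[1])
        roles[host] = role if score > 0.5 else "unknown"   # threshold assumed
    return roles


def detect(roles, flows):
    """Closed-world negation: a port that neither endpoint's role explains,
    or DNS to a resolver outside the sanctioned set, is 'not-A' -> alert."""
    alerts = []
    for src, dst, dport, _nbytes in flows:
        known = [roles[h] for h in (src, dst) if roles.get(h, "unknown") != "unknown"]
        if dport == 53 and dst not in SANCTIONED_RESOLVERS:
            alerts.append((src, f"DNS to unsanctioned resolver {dst}"))
        elif known and not any(dport in ROLE_FINGERPRINTS[r] for r in known):
            alerts.append((src, f"{roles.get(src, 'unknown')} used unexpected port {dport} to {dst}"))
    return alerts


# Constructed learning window (src,dst,dport,bytes) and later observation window.
BASELINE = [
    "10.1.1.10,10.0.0.53,53,120",       # workstation -> sanctioned resolver
    "10.1.1.10,203.0.113.8,443,52000",  # workstation -> web
    "10.1.1.10,203.0.113.9,80,3000",    # workstation -> web
    "10.1.1.10,10.1.1.30,445,9000",     # workstation -> file share
    "10.1.1.10,10.1.1.20,9100,41000",   # workstation -> printer (raw print)
    "10.1.1.10,10.1.1.20,631,1800",     # workstation -> printer (IPP)
    "10.1.1.20,10.0.0.53,53,96",        # printer -> sanctioned resolver
    "10.0.0.53,10.0.2.123,123,76",      # resolver -> NTP
]
OBSERVED = [
    "10.1.1.10,203.0.113.8,443,61000",  # workstation browsing: expected
    "10.1.1.20,198.51.100.7,443,88000", # printer browsing a streaming site
    "10.1.1.20,198.51.100.9,22,4000",   # printer pulling code over SSH
    "10.1.1.20,192.0.2.53,53,140",      # printer using an unsanctioned resolver
    "10.1.1.10,10.1.1.20,9100,30000",   # workstation printing: expected
]

if __name__ == "__main__":
    roles = infer_roles([parse_flow(l) for l in BASELINE])
    for alert in detect(roles, [parse_flow(l) for l in OBSERVED]):
        print(alert)
```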

Useful info for your day-to-day tasks


I had gone my entire career measuring humans as if they were machines, and now I am measuring humans as humans. We cannot forget that no matter how fancy we get with the data science, if a human in the end will need to understand and possibly act on this information, they ultimately need to understand it. I had gone my entire career thinking that the data science could explain the results, and while this is academically accurate, it is not helpful to the person who needs to understand the analytical outcome. The sense-making of the data is squarely in the domain of human understanding, and this is why the only question we want to ask is “Was this alert helpful?” Yes or no. And that’s exactly what we do with Stealthwatch. At the end of the day, we want to make sure that the person behind the console understands why an alert was triggered and whether that helped them. If the “yes” scores we’ve received in the mid 90%s quarter after quarter are any indication, then we’ve been able to help a lot of users make sense of the alerts they’re receiving and use their time more efficiently.