Managing your SAP Digital Transformation Journey

Digital Transformation.

We’ve heard the words, but have you wondered what it is all about? Digital Transformation is a strategic directive to redefine your business practices and processes to gain competitive advantage. It is all about making the inevitable tide of change work for you, rather than against you. It is also a disruptive force.

Digital Transformation requires a Plan

Amid all the talk of digital transformation, we lose sight that the process of change must be purposeful to have impact. Digitizing marketing content, hiring social media marketing millennials or modernizing your ERP applications is not digital transformation and will fail to yield any measurable advantage without a strategic vision, direction and careful planning.

You need to address where the beating heart of change resides – the data center. The data center is a critical component that factors into making any digital transformation plan successful.

Digital Transformation Requires a Next Generation Data Center

The classic architecture of the data center was primarily silos of design, implementation and operation. There were networking organizations, compute organizations, storage organizations, security organizations, and procurement organizations. The list goes on. And each of these silos was responsible for the operation and interaction with the other silos. This has proved to be very inefficient and created extra lag in the system. In fact, most early cloud adoption happened because data centers took too long to respond to new application demand or new data sources. Cloud adoption was an operational imperative, not a strategic directive for many organizations.

So, to drive digital transformation, the next generation data center has to be all about the Data, and the functionality that will move the data center anywhere the data is.

It’s all about the Data

Traditionally, data centers were built like bastions to protect the crown jewel data assets of the corporation. Security protected the storage vault and the data was replicated across multiple systems for different reporting and analytic purposes. Integrating new data or non-IP data with those crown jewels required a herculean effort. The result was an under performing application delivered far to late to be remotely advantageous. What has become clear is that data center designs based on siloed architectures and 4-walled bastions of data management will no longer work.

A new data center model is needed as executive visionaries drive new business practices. Data will be coming from everywhere and it won’t be curated. It will be public. It will be messy. And there will be a lot of it. Data gravity may shift from the core of the data center to multiple locations forcing a hybrid data center solution.

Accelerated change will force a new generation of application development running concurrent with operations. These applications will be distributed to run closer to their data sources and will be part of a network of applications spread across multiple locations.

Cisco can help you on your Digital Transformation Journey

Cisco is designing the next generation data center for SAP applications. Cisco Validated Designs are focusing on aspects of programmability, automation, operational insights, application performance and security in depth. Each of these aspects will be covered in a series of blogs to help understand the technology and the competitive advantage available to Cisco data center customers.

Hopefully it is becoming evident that gaining competitive advantage for your business is this area requires a plan. It requires comprehensive alignment across all departments in your business, inbound and outbound marketing aligning with product design, manufacturing and supply chain partnerships with greater flexibility and visibility to operations, and finance and accounting systems delivering a competitive advantage where only cost centers existed.

Embrace change. It is inevitable. And Cisco is building the bridge between data and business advantage to help you succeed in your digital transformation journey.

Continue reading

Cybersecurity for Federal Networks: It All Starts with Visibility

A configuration mistake or purposeful mis-configuration is no joke. But it does illustrate how a misconfigured network can quickly become a security event (or it may already be one and your team does not know it). But how do you distinguish normal network activity from abnormal? Without visibility into every corner of the network (including the virtual world of the data center), and some ability to compare current vs. baseline, it can be extremely difficult and there may be many “little events” that remain hidden to you.

Deeper network visibility enabled

This story does raise the question, how do you enable the benefits of deeper network visibility? That capability is provided by Cisco Stealthwatch. It enables you to strategically analyze the collective telemetry from NetFlow and IP Flow Information Export (IPFIX), two protocols every network device can export (see figure 1).

Figure 1. Stealthwatch collects NetFlow and IPFIX from every network device for Visibility.

You can also add value to your data center through Cisco Tetration. It provides unmatched visibility into behavioral deviations, whether terrestrial or cloud-based. While “behavioral visibility” is a bit different than the visibility discussion so far, it is critical to the protection and operation of the modern data center. A good example is one we saw recently with one of our customers, where a seemingly insignificant and otherwise undetected data stream out of the data center turned out to be a command and control channel. Thankfully for the customer, Tetration uncovered the threat in less than 30 seconds.

Deeper visibility + identity = attribution

Visibility in modern IT networks must go beyond the mere identification of packet flows. User identity should also be linked to packet flows wherever possible. Look at it this way, if you want to reach max visibility, think:

Visibility + Identity = Attribution

With attribution, you can see unexpected or undesired network behavior, plus you can link that behavior back to individual actors on your network. It is no longer just “some machine that did something weird.” Instead it is a concrete action with a concrete identity: such as “RedGuy” at “3:20pm” reached out to a “Command and Control” site (whether he meant to or not), becoming patient zero for your next computer epidemic.

The power of deeper visibility into your network

To help illustrate the power of deeper visibility on your network, consider another actual event we can all relate to. A contractor (let’s call him BlueGuy) goes to work. It’s Saturday and the office is empty. In the quiet loneliness all around, he begins downloading terabytes of data from another site. This continues, with downloads sprinkled throughout the day. Some may consider this suspicious behavior.

On most networks this might go unnoticed. But as Stealthwatch observes network activity in its entirety, it understands this behavior is not normal, based on previous baselines. As a result, this behavior is considered excessive. As Stealthwatch constantly monitors all the network transactions, it detects BlueGuy’s activity and it reports on it. In its communication with the Cisco Identity Services Engine (ISE), individual identity is assigned to the network data flows, and attribution is achieved. BlueGuy is busted.

Initially, it may seem that no good can come of this type of network activity. But upon further investigation, it turns out that BlueGuy uses the office on weekends to study for his Cisco CCNA. While he does this on his own time, he must do so from the office network because the courseware is on a corporate network at another site (this explains the enormous data exchanges). So it is revealed as a harmless event, rather than a massive data breach. Yet the entire episode would have remained unknown without complete network visibility. What if it had been a breach? Would your network have seen it?

SGTs, NetFlow, IPFIX and the world of packet flow

In this latest example, the two primary tools used are Cisco Stealthwatch and Cisco ISE. ISE adds attribution to the NetFlow/IPFIX packet flow collected by Stealthwatch. With Scalable Group Tags (SGTs), ISE tags all packets as they enter the network. SGTs can be used for both identification and enforcement anywhere in the network.

Of course, Stealthwatch sees all packet flows via NetFlow/IPFIX and performs analysis based on all network data, including the SGTs. Individual attribution is achieved via pxGrid communications between Stealthwatch and ISE. These results can then be presented to an administrator for disposition, including quarantine (see Figure 2).

Figure 2 – ISE adds Attribution to the Visibility story.

What about firewalls?

You may have noticed in both Figures 1 and 2 there are far more network devices than there are security devices. This is typical in any network. However, both visibility and attribution must rely on the entire network fabric to assist with the goal of complete visibility.

As you can see in the diagrams, putting your faith in security devices alone for visibility can fail (or certainly fall short). While the deployment of additional firewalls (or other assorted security devices) may add more points of visibility, no number of firewalls can achieve what you can by using the entire network as a sensor.

The Zero Trust wasteland

When it comes to securing Federal government networks, a few Zero Trust models have emerged recently, along with the thought that a network should be viewed as an untrusted wasteland of packet freeways where all security should focus on data. But it would be unwise to simply dismiss the incredible power of identity and visibility combined (attribution).

For IT leaders, the track record is clear: controlling entry and monitoring activity of users in the corporate/government network is the best way to track offensive behavior or bad actors. This approach can give you the capability to control, or even eliminate, threats before they reach your data.

Or, to relate it in everyday language, when we let strangers into our homes, we don’t pause and quickly weld the refrigerator door shut and disable the WiFi. Instead, we use common sense: screening them before they enter, watching their behavior as they do so and ensuring their actions inside our home are acceptable. If they do take a peek into our fridge, we may trust (thanks to attribution) that they are not necessarily going after the last of the cupcakes. But if they do, we’ll be ready.

Continue reading

5 Types of Talk Triggers for Your B2B Strategy

Customer experience is simple, right? Well, theoretically, the delivery of great customer experience is rooted in an easy-to-understand formula: Great customer experience happens when you exceed customer expectations.

Every time you interact with a business of any type, you have an idea or an inkling of how that interaction will go. That’s the expectation. If the business exceeds your expectation in a noticeable way, you have a great experience. If the business falls short of your expectation, you think the opposite.

The best companies in the world, don’t do a lot of marketing. Do you know why? They operationalize something about their business that motivates their customers to become volunteer marketers on their behalf.

Word of mouth is more important than ever. We trust each other twice as much as we trust brands. It’s the most powerful and persuasive form of marketing.

Everybody thinks word of mouth is important. Between 50 and 91% of all purchases are influenced by word of mouth, but very few companies have a strategy for it. We assume our customers will talk about us, but will they? The biggest mistake we make is assuming that competency creates conversation, that being a good business is enough to get people to tell the story. But all your competitors are also good. Good enough is not enough.

A talk trigger is a strategic, operational differentiator that compels word of mouth. It causes your customers to involuntarily talk about your business. A Talk Trigger isn’t a surprise-and-delight social media tactic, nor is it a gimmick. It doesn’t involve Drake, Rhianna or Cardi B. Oftentimes, it’s something quite ordinary, like a business card, company hold music, or a pre-meeting phone call, that you choose to make different.

A Talk Trigger can also help you exceed customer expectations. Why? Because your customers aren’t expecting it. There are the five distinct types of Talk Triggers. These are the conversational levers you can pull:

You can be more human than your customers expect.

You can be more useful than your customers expect.

You can be more generous than your customers expect.

You can be more responsive than your customers expect.

You can be more playful than your customers expect.

Each of these types of Talk Triggers is talkable. One isn’t more advantageous than the other. However, one might be a better fit for your business or for your brand, and that’s a key ingredient of creating a Talk Trigger that will have word of mouth success. Let’s take a look at each one.

Be More Human Than Your Customers Expect

These days, empathy from business is in short supply for two main reasons. The first is empathy requires inconsistency and listening. It requires interacting with customers as individuals. This approach, by definition, drives up the per-interaction cost every time a business intersects with the customer. The second reason is that empathetic interactions means that employees must have permission to work outside of a script. For many companies, the concern of risk involved is too great.

This is why, when businesses choose the opposite approach, being empathetic and human can have a massive word of mouth impact.

Be More Useful Than Your Customers Expect

Not all businesses and organizations have the heart to be disproportionately empathetic, and that’s OK. For those companies, it may make more sense create a word of mouth engine that is more logical and useful. In 2013, I wrote Youtility: Why Smart Marketing is About Help, Not Hype that showed businesses how to attract customers by providing online content that informs and educates. This idea can work as a Talk Trigger, too.

This Talk Trigger archetype is most-likely to be noticed in an industry or business-setting that is not known for being helpful or making customers’ lives easier. Being different than what’s expected creates a Talk Trigger and helps your business solve the customer experience formula.

Be More Generous Than Your Customers Expect

Consumers are besieged by companies giving them less for the same price, or worse, for a higher price. We are surrounded by this phenomenon, also known as “shrinkflation.” According to a study by the National Statistics in the United Kingdom, 2,529 products decreased in size between 2012 and 2017. The ubiquity of shrinkflation is why showing your customers the opposite, showing generosity, can be an effective Talk Trigger.

Generosity creates conversation because customers are stunned that, as a business, you’ve decided to give something away… for free.

Be More Responsive Than Your Customers Expect

Forty-one percent of consumers say that when they contact a business, getting their issue quickly is the most important element of that customer service interaction. Nine out of ten American consumers refuse to wait on hold for more than five minutes when they’ve called a business.

Speed matters, but it’s also a moving target. What was considered “fast” in 2000 is now slow. What was considered “fast” in 2010 is table stakes for most businesses in 2019. This relentlessness of the changing pace and expectations around speed and responsiveness means there’s an exceptionally high standard for a company to make this a Talk Trigger.

It is operationally difficult for a company to create a speed-based Talk Trigger, but when one does (and many have), there’s an extraordinary payoff.

Be More Playful Than Your Customers Expect

When asked to describe a business, most customers don’t think to mention the word “fun” or “amusing.” Most businesses are difficult to describe because there are a limited number of synonyms for the word “fine.”

Like the other Talk Trigger archetypes on this list, this fact presents an opportunity for businesses. The expectation is that your business will be vanilla, which means adding a little flair will create chatter.

Whichever Talk Trigger archetype is right for your business, we’re trying to do the same thing. We’re creating a circumstance where your customers say these words, “You won’t believe what happened to me when [FILL IN THE BLANK]…”

Your customer experience is what fills in that blank.

Continue reading

New Perspectives on Software-Defined WAN

The integration of Software-Defined Wide Area Networking (SD-WAN) with cloud management functionality into the Cisco family of routers in 2018 excited many of our customers. Instantly over a million installed Cisco ISR and ASR routers could be upgraded to become SD-WAN capable, improving application performance for a distributed workforce, store outlets, and branch offices. SD-WAN lowers the cost of branch connectivity to not only the enterprise data center but also IaaS and SaaS application platforms. Later in 2018, we addressed the evolving Cloud Edge—the intersection between security, networking, and the cloud—by adding full-stack security to Cisco SD-WAN. This brings flexible, secure connectivity to distributed organizations with multicloud environments by making every WAN device software-defined and secure.

In short, SD-WAN has arrived and organizations are deploying it worldwide. So what can we look forward to as this technology enters its next phase? Let me preview some of the ways we are working to bring even more control, functionality, and flexibility to SD-WAN.

Turning the Internet into a Manageable and Secure WAN

One of the key features of SD-WAN is the ability to use multiple connectivity options simultaneously to always have the most reliable or appropriate connection for application Quality of Experience. Specifically, you can choose among the options available for the location: MPLS, Ethernet, internet, leased lines, DSL, LTE networks, and soon 5G. It’s this flexibility to choose the most cost-effective and best-performing connectivity option available to provide the ideal application experience for each location of a distributed workforce. For example, need to ensure that Office 365 Cloud is performing as needed at branch offices? Instead of relying on an expensive MPLS connection backhauling to headquarters for connections to multicloud applications, use a secure Direct Internet connection to the Microsoft Cloud, which is continuously monitored by SD-WAN to meet performance SLAs.

What’s next? The ability to manage end-to-end connectivity from enterprise to 5G endpoints and back will bring greater levels of control over data traffic and application performance. The key to extending intent-based networking controls from enterprise to 5G cellular endpoints is network slicing in the 5G channels in conjunction with micro-segmentation in the enterprise. 5G slicing enables the carrier to separate traffic into unique partitions, keeping sensitive data separate from normal traffic. The technique enables 5G providers to maintain the necessary service level agreements for low-latency traffic, and create an end-to-end virtual network encompassing compute and storage functions.

Wired and wireless Enterprise networks are already segmented to channel traffic according to type (sensitive/video/IoT), priority, and latency. Today with 4G LTE, the enterprise segmented traffic destined for a cellular endpoint would move onto the cellular network with few controls over how the data is segmented and managed. The new 5G networks can be sliced to match the security and performance requirements of the segments in the enterprise, thus maintaining the original policies from end-to-end. A security policy, for example, that is established in the enterprise network will follow a person’s device as it transitions from the enterprise to a 5G network slice. Cisco SD-WAN will be able to take full advantage of network slicing in 5G to meet the security and segmentation needs of enterprise networks.

Virtualizing Network Functions for the SD-Branch

Bringing the focus back to ensuring robust branch connectivity, we are enhancing the functions that run on the local edge routers and appliances along with the core SD-WAN software suite. Virtualizing network functions (VNF) increases local performance and minimizes backhaul traffic to corporate data centers DMZs or cloud platforms. Many functions are being virtualized on edge routers and appliances—such as optimization and intelligent caching, application-aware firewalls, intrusion detection, and URL filtering. And, of course, SD-WAN’s full security stack supports compliance, direct internet access, direct cloud access, and guest access.

Virtualizing critical functions and running them at the cloud edge—in the branch office, store, or clinic—improves both the efficiency and cost-effectiveness of distributed computing and a remote workforce. VNFs can also be run on cloud platforms and colocation facilities to spread the functionality over multiple remote locations. For example, by consolidating VNFs on a provider’s IaaS platform—a virtual network hub—IT can reduce management costs while being able to spin up or down new virtual machines as needed to accommodate workloads and connectivity for a group of regional branches. More on this in a future blog post.

Improving Application Quality of Experience with WAN Optimization

WAN optimization techniques have been around since the early days of frame relay and MPLS. The main goal of dedicated optimization appliances was to maximize the throughput on these relatively expensive circuits. As new technologies such as VoIP and video became critical to business, optimizing the circuits to provide the necessary Quality of Service grew in importance. But as direct internet connections became the rule rather than the exception for accessing popular SaaS and cloud apps, a much more granular, flexible, and automated WAN optimization process is required. Thus SD-WAN was designed to meet the new application QoE demands.

There are several optimization methods that Cisco SD-WAN currently employs to improve the QoE for cloud and SaaS applications accessed by the distributed workforce. Currently, Cisco SD-WAN monitors the available links for latency, packet loss, and jitter that affect throughput and performance. By dynamically measuring these characteristics and comparing them with service levels that specific applications require, the SD-WAN can automatically decide which circuits to use for individual applications. VoIP and video are two applications that require specific levels of latency and low jitter to perform correctly. While a SaaS application may be more tolerant of jitter, it still requires a guaranteed level of throughput to provide satisfactory performance. SD-WAN automates the monitoring and selection of appropriate paths to maintain expected QoE for each type of application.

Supplementing these existing performance attributes of SD-WAN are new controls for TCP optimization, forwarding correction, and packet duplication. SD-WAN provides metrics that aid in fine tuning the optimal TCP congestion algorithm to improve application performance. For example, the Cisco SD-WAN TCP optimization engine, a new layer in the Cisco SD-WAN stack, helps maintain superior application performance in high latency networks such as satellite, transcontinental, and other types of circuits prone to high-loss and high-latency.

To better tackle lossy networks, even for non-TCP applications, the Cisco SD-WAN optimization stack includes a Forward Error Correction (FEC) mechanism. FEC improves application experience by using additional parity packets to protect against loss. In situations when the loss percentage is very high, the Cisco SD-WAN optimization stack maintains performance by deploying a Packet Duplication feature. These optimization features help mitigate packet loss over noisy channels, thereby maintaining high application QoE for voice and video in particular. They are being integrated into the Cisco SD-WAN stack in upcoming IOS-XE releases. All three optimization techniques are managed via Cisco vManage and vSmart virtual network functions.

Edge-to-Cloud Protection with Integrated SD-WAN Security Stack

Securing branch to cloud to data center traffic, in all its permutations, is a key strength of SD-WAN. Last year Cisco added a virtualized security stack to provide multiple levels of protection at the cloud edge that includes:

• Application-Aware Enterprise Firewall with the ability to identify, permit, or block over 1400 applications.
• Intrusion Protection System (IPS) using Snort, the most widely deployed IPS engine in the world, to deliver real-time network defense against malware intrusions.
• URL-Filtering with advanced reporting on over 80 URL categories, providing IT with greater visibility and reducing risk with usage policies customized to an organization’s unique needs.
• DNS/web-layer security with integrated connections to Cisco Umbrella to prevent enterprise branch users, guests and mobile users from accessing inappropriate internet content and known malicious sites that might contain malware and other security risks.

Cisco SD-WAN Security Today

Coming soon to a Cisco edge router near you is Cisco Advanced Malware Protection (AMP) Threat Grid operating as a virtual network function (VNF). The additional AMP-focused layer includes a context-aware knowledgebase of known malware infectious agents. Cisco AMP Threat Grid identifies and alerts IT staff of discovered infections, and provides information on the malware method of attack, a measure of the threat it poses, and how to defend against it. Operating at the branch edge, with the SD-WAN VNF security stack, AMP Threat Grid provides a layer of malware protection, examining all incoming and outgoing traffic, ensuring that malware originating from direct internet connections can’t infect branch devices. Similarly, malware originating from the branch can’t hide in traffic outbound to the enterprise network or cloud applications.

Threat insights exposed with AMP Threat Grid are viewable through the Cisco vManage Portal where administrators can also initiate protective actions such as segmenting infected devices from the rest of the network. The vManage Portal gives network admins a view across the entire WAN, displaying all suspected infections, malware type, and paths of infection through the network. To augment security threat intelligence, the VNF instances of AMP Threat Grid working at the local edges are continuously connected to both AMP Cloud and Threat Grid Cloud, both managed by Cisco Talos Security.

AMP Cloud and Threat Grid Cloud collect malware and suspicious file data from Cisco installations around the world, maintaining a Malicious File Hash catalogue of suspected infections and keeping the information up to date on all Cisco routers as well as third-party security tools via an open API. For example, API integration of AMP Cloud and Threat Grid Cloud with application-aware, threat-focused firewalls provides rapid identification of suspected malware files with automated sandboxing of unknown files in the Threat Grid Cloud for additional analysis.

SD-WAN Continues to Improve Branch Connectivity, Application QoE, and Security

Cisco SD-WAN is foundational for a new software-defined network architecture. As organizations become more distributed, the workforce needs new ways to connect edge to cloud, data center to branch, while ensuring a high Quality of Experience for cloud and SaaS applications wherever they are needed. Cisco is at the forefront of this new wave of distributed connectivity, continuously refining our SD-WAN software and security stack to meet the needs of the digital enterprise.

Continue reading

New Cisco FindIT 2.0 Network Manager and Probe

The Cisco Small Business and the Cisco FindIT Product Teams are very pleased to announce the release of version 2.0 of the Cisco FindIT Network Manager and Probe. Some of the improvements mean that some use cases are now in play especially with larger scale scenarios. We think you all will be impressed by what the team has been able to accomplish!

This is a major update to Cisco FindIT and brings a couple of big improvements:

◈ A completely revised interaction model that greatly improves your ability to perform multi-site management. You can view, report and act on devices across multiple sites at the same time, and configuration profiles can now also be applied across multiple sites.

◈ Managed Services Providers will like the introduction of organizations. These allow you to group your customers’ networks together and filter your view to a single customer.  You can also limit individual users to being able to view and manage only a single organization or a subset of organizations.  This means you can even give your customers direct access to FindIT so they can see their networks without having any concerns that they will see the networks of any other customer.

◈ In-house IT Organizations will also love the new improvements of the multi-site, multi-tenancy as well the ability to manage separate sites easier, quicker and with greater efficiency. This allows organizations to do more with less.

In addition to these big changes, there are a number of smaller enhancements, including:

◈ Wireless reports are now more flexible and interactive, and keep a greatly extended history; up to two years’ worth of network data

◈ The FindIT Monitoring Dashboard has been reworked to allow it to be customized more easily and intuitively

◈ Cisco FindIT Network Manager now scales more flexibly than before. Previously, the limitation was by the number of sites, now this limitation is by the total number of devices under management

◈ Privacy controls have been added so you can explicitly control how and when any data gets shared with Cisco

◈ The installer packages and virtual machine images have been cryptographically signed to give you confidence that the software has not been modified or tampered with in any way

◈ In addition, numerous other enhancements and improvements have been made throughout the application.

Finally, for those of you who are interested in using our Cisco FindIT 2.0 Network Plug and Play for doing zero-touch deployments (No need to pre-configure or pre-stage) of your network hardware, we have put together the Network Plug and Play Solution Guide for SMB that goes through everything that you need to get the zero-touch process up and running. This is a big improvement!

Our team is very excited by this release, and we hope you think so too. For existing users, you should already have been notified about the update through the FindIT Manager user interface. For new users, go to https://www.cisco.com/go/findit-sw to download the software and try it out, or search for ‘Cisco FindIT’ in the AWS Marketplace. Remember, you may download and try FindIT for up to 90 days without any obligation.

Continue reading

Happy Birthday, Threat Response: Only a year old, but boy have you seen some things!

Cisco Threat Response: For security analysts, by one of their own

The work of a security analyst is arduous and time consuming but rewarding too. I know, I spent a good part of my career sitting in a seat, investigating and responding to threats in a Security Operations Center (SOC). I spent way too many hours and weekends moving from console to console piecing together information from disparate systems to investigate a single threat. The various SOCs I was part of were made up of millions of dollars in the latest, best-of-breed technologies alongside open source components and scripts that were supposed to work together but too often didn’t.

That’s why I’ve been focused on designing and building systems to make the lives of the security analyst easier and their work more effective. It’s rewarding to see the products we’ve built have a positive impact on an analyst’s abilty to do their job effectively. A year ago, we introduced a new application for security analysts to make security investigations fast and easy. It pulls content for detection and response from across the security stack: from the cloud, network, endpoint together in a central location. We call it Cisco Threat Response.

Rapid Adoption

Since we released the first version of Threat Response a year ago, it has been used in more than 3,600 SOCs, and has even added value in organizations without full blown SOCs. The feedback has been incredible and has given us so much confidence in Cisco Threat Response, we’re giving it away at no cost to existing customers. It’s included with the license for any Cisco Security product that integrates with it. As good as our Cisco Security products perform on their own, we know that they are even more effective when they’re used together. It’s all about making your SOC operations run faster: from detection, through investigation, to remediation. How? It’s all API-driven.

API-Driven

Cisco Security products have used APIs for years. The difference now is that Cisco Threat Response pulls them together so you don’t have to. With long lists of observables to investigate, Threat Response gets you immediate answers by calling both threat intelligence and our security portfolio APIs — confirming threats and showing you exactly where you’re affected — delivering a clear view of what’s happening.

Customers are excited to learn they can also utilize these APIs to integrate Threat Response directly into their existing Security Incident and Event Management systems (SIEMs) and Security Orchestration, Automation, and Response tools (SOARs). Customers even report they see Threat Response reducing the burden on their SIEMs.

And our customers seem to love this approach. One customer wrote to us “I like quickly being able to see infections on my network and this presents them in a really nice fashion…” Another said, “You cannot hit a target you cannot see. Threat Response simplifies security analysis”

Security integrations that simplify SOC operations

Picture a typical investigation that happens many times a day in SOCs around the world: A potential Emotet malware outbreak. Maybe you’ve investigated it yourself. Emotet a well-known banking trojan that attackers love, keeps coming back in fresh, new forms. The Indicators of Compromise associated with it include a very, very long list of known file hashes, distribution domains, and command-and-control IP Addresses. Investigating these observables one at a time to see if you’re affected can take hours.

Cisco Threat Response calls threat intelligence APIs to gather the all the dispositions for each one at once. Then it calls the Cisco Security products’ APIs and learns what each one knows about every observable. Cisco AMP for Endpoints knows what systems have the malicious file hashes. Cisco Umbrella knows which devices called out to malicious domains. Integrating your Email Security Appliance (ESA) lets you know who received that attachment or phishing URL and so forth until it gathers everything necessary to show you exactly what is happening in your environment.

More than a Pretty Face

Threat Response reflects years of back-end integration work by engineering. It begins and ends with a highly integrated architecture of world-class threat intelligence coupled the integration of advanced security technologies covering the attack surface across the cloud, network and endpoint. This is critical for effective, consistent detection and response across the critical points of your architecture.

Borrowing from the earlier example, an unknown file in an Emotet variant gets analyzed by our Threat Grid Malware Analysis engine and finds malicious behavior. Our architecture allows Threat Grid to share this intelligence across the entire portfolio so this file is blocked at the endpoint, in email, on the network for every customer around the world in a matter of minutes. And Threat Response shows you exactly every place where you were targeted by that file and confirms where it was blocked or detected.

Getting the Full Picture – the Relations Graph

That clear view we provide is perhaps the most compelling technology in Cisco Threat Response. By visually depicting the relationships among the observables and dispositions, the affected systems in your environment (called Targets and shown in purple), and the other systems that are related to the outbreak, you’ll know immediately whether you’re affected and how. Skip the hours and hours of investigation time.

Plus, you can take action directly from the Relations Graph. It provides actions (called Pivot Menus) from which you can continue the investigation in the other products’ consoles (taking you there seamlessly) or call their APIs directly to take action. Those Targets shown in purple? Maybe you want to quarantine those hosts through AMP for Endpoints, which you can do with a single click. Those malicious C2 domains? Maybe you want to tell Umbrella to block, at the DNS layer, everything on your network from connecting to them, which you can with another click.

Sources of Detection

Threat Response is driven by the individual Cisco Security products and threat intelligence sources that feed into it. Cisco Talos research and Threat Grid for threat intelligence, Threat Grid for static and dynamic file analysis, AMP for Endpoints for dynamic and retrospective endpoint detection and response, Email Security (the number one vector of attack), Umbrella for internet domain intelligence and blocking, and Next Generation Firewall for network detection and blocking. Threat Response brings these products together to bring you context about the events seen in your environment allowing you to further enrich this context with your own intelligence sources.

Operationalizing Threat Intelligence

One of the most popular features is the browser plug in we’ve developed that takes unstructured data from any webpage or application, finds the observables or indicators of compromise and automatically renders a verdict on that observable (clean, malicious, unknown) based on our threat intelligence. Like that Talos blog example we used earlier: one click pulls all the observables mentioned on that page without the need to manually cut and paste each one (and there are 634 observables mentioned – I had them counted!) Moreover, you can access the Threat Response pivot menu, including domain blocking, without ever leaving the page.

The best part about Threat Response is rate of innovation within the application. The endgame is better cybersecurity through better SOC operations: faster detections, simpler investigations, and immediate responses. We love what we have released to date and even more excited about our roadmap. Our engineering teams are delivering new enhancements, including new features and product integrations every two weeks. There’s much more to say about Threat Response than I can detail in a blog. I encourage you to experience it for yourself. The work of the SOC teams is too important to be tedious and increasing their efficiency will have better security outcomes for everyone.

Continue reading

When you request a .jpg and get ransomware

Security Operations Center at RSAC APJ 2019

For the 3rd year, RSAConference 2019 APJ created an educational exhibit, sponsored by RSA, Cisco and M.Tech, to monitor the RSA Conference public Wi-Fi network provided by the Marina Bay Sands (MBS). This exhibit was created in the form of the RSA Conference Security Operations Center (SOC). RSA and Cisco provided technology and staffing to monitor the network for threats, but also to educate attendees on the risks of free Wi-Fi.

What is the difference between a SOC and a NOC?

Network Operations Center

The NOC is usually responsible for monitoring and maintaining the overall network infrastructure—its primary function is to ensure uninterrupted network service

Security Operations Center

The SOC is responsible for protecting networks, as well as web sites, applications, databases, servers and data centers and other technologies

RSA and Cisco provided the SOC. The NOC was provided by the MBS.

The mission of the RSAC SOC was to ensure the conference Wi-Fi is not attacked (denial of service, laterally spreading malware, etc.). We did not block malicious DNS traffic, downloads or attachments; as this was a learning and demonstration environment. We make sure that network is protected from attackers. We locate (when we can) and advise users when they are at risk.

What technology is in the RSAC SOC?

MBS provided the RSAC SOC a span of all network traffic from the .RSACONFERENCE network, which was passed through the Cisco Next Generation Firewall / ISP and then split the traffic to NetWitness Packets NetWitness Packets and the Cisco Stealthwatch teams.

RSA used NetWitness Packets to collect and investigate all traffic on the Wi-Fi network, from the firewall; to detect deviations from normal behavior and create a probability-weighted risk score for alerts based on these results. NetWitness inspects every network packet session for threat indicators at time of collection and enriches this data with threat intelligence and business context. At the end of the conference, all of this data was wiped from NetWitness.

For suspicious files that might be malicious, NetWitness Packets checks a community AV lookup, some static analysis and its own network intelligence. Then NetWitness Malware Analysis sends the files to Cisco Threat Grid for dynamic malware analysis.

Threat Grid combines advanced sandboxing with threat intelligence into one unified solution to protect organizations from malware. Threat Grid analyzes the behavior of a file against millions of samples and billions of malware artifacts. The SOC team had a global and historical view of the malware, what it’s doing and how large a threat it posed to the RSAC network.

Threat Grid identifies key behavioral indicators of malware and their associated campaigns. The SOC team was able to save time by quickly prioritizing attacks with the biggest potential impact. We used tools like Glovebox, to safely interact with samples and observe malware behavior directly. In addition, we used Cisco Umbrella to have visibility in all DNS activity. We also used the Threat Intelligence of Cisco Threat Response and Talos Intelligence.

When the Cisco team found a potential threat, they handed it off to the RSA team for further investigation. In summary, the technology stack was:

◈ Firewall – Cisco Next Generation Firewall with IPS

◈ Full Packet Capture and Investigation – RSA NetWitness Packets

◈ Dynamic File Analysis – Cisco Threat Grid

◈ DNS / IP Intelligence – Cisco Umbrella / Cisco Umbrella Investigate

◈ Encrypted Traffic Analytics – Cisco Stealthwatch

◈ Threat Intelligence – Cisco Threat Response / Talos Intelligence

Perimeter Defences: Stopping Threats That Matter

Cisco’s Next-Generation Firewall running Firepower Threat Defence (FTD) software was set up as the perimeter security device. The firewall inspected all wireless guest traffic from event attendees, configured in monitor-only mode. FTD offers breach detection, threat discovery and security automation. Rich contextual information (such as Applications, Operating Systems, Vulnerabilities, Intrusions, and Transferred Files) served the SOC to help uncover threats lurking in the environment.

Discovered Applications

Discovered Files

Intrusion Information

During the conference, several intrusion events were recorded by FTD. Automated event analysis correlated threat events with contextual endpoint data, to identify IPS events that require immediate investigation. Whenever a working exploit targeted a vulnerable host on the guest network, an Impact 1 event was raised. For the SOC, that helped cut through the noise and focus attention to save previous time.

Multiple events were categorized as high priority.

One of the Impact Flag 1 events shown below, signalling about suspicious .bit query going over DNS, and associated with a Network Trojan.

The FTD would drop this communication, if it were in a production environment and configured in the active blocking mode. Reviewing the host profile, we confirmed that the target host had a large number of high-severity vulnerabilities associated with unpatched software versions. It may have been infected by malware attempting to control it remotely.

When you request a .jpg and get ransomware

On the first day of the Conference, the SOC team observed a .JPG file served to a conference attendee who connected to a website. The .JPG file was extracted by NetWitness and found to actually have a file header of MZ, used for executables.

Since it was an executable, it was automatically sent for analysis. The static analysis had a score of 0 and 50 from the RSA Malware Analysis Community lookup, meaning it had never been detected by dozens of AV vendors.

The Dynamic Analysis/Sandbox score from Threat Grid was 100, meaning confirmed malicious based on behavior. The team went into action to assess the threat.

The supposed .JPG file was assigned a Threat Score of 100 for the Behavior of Troldesh Ransomware Detected. Troldesh, also known as Shade, is a Russian-targeted Ransomware variant written in Visual Basic. It will encrypt user files and request a ransom to be delivered after contacting a supplied e-mail address. All encrypted files will have an .xtbl extension appended to them.

We also noted the sample attempted to hide itself as a Windows system file, opened up a Personal VPN – Proxy/Anonymizer and wrote files to a USB drive.

We pivoted to Threat Response to learn more and determine if it had been seen before.

With Threat Response we were able to have a global view of the file, that it was first seen November 2018. In a production environment, this threat intelligence would have blocked the file on all integrated Cisco Security platforms.

The NetWitness team investigated the machine that requested the .jpg and confirmed it downloaded other suspicious files.

One of those was titled Memorandum of Sale, but also was an executable that attempts to steal Firefox passwords.

Phishing attack

We also saw a phishing attack, masquerading as a banking email. NetWitness reconstructed the email and sent the attachments to Threat Grid for analysis.

The Payment Advice attachment was actually the LokiBot malware.

Standing up a malicious domain for 24 hours

On the first day of the conference, we noticed some suspicious DNS traffic in Umbrella to a newly created domain. The requests happened throughout the day.

We moved to Umbrella Investigate to learn more and confirmed the sudden malicious activity of 0 DNS requests to over 120,000 global requests.

The requests spiked to 151,000 over the 24-hour period and then they stopped, globally.

We could see the domain was registered in Russia and the distribution of the requesters.

Looking at the NetWitness logs, we could see all requests from RSAC came from Android devices.

Outbound traffic for hostname rousema[.]com [208.67.220.220] we can see 13 sessions from 10:50 AM - 16:50 PM SGT Tues 16th/Jul.

service type UDP DNS & HTTPS

This is originating from 3 IPs

10.10.1.143 Android 9 Samsung Phone sm-g955f running dalvik/2.1.0, Samsung M1client daylite/3.0.05.9 & x86_64 Linux - 11:06 AM SGT - 15:23 PM - (All traffic from IP from 10:31 AM - 16:59 PM)

10.10.5.9 Android 7.0 Phone trt-l21a running dalvik/2.1.0 & Android 2.2 - 10:50 AM SGT - 17:06 PM - (All traffic from IP from 10:51 AM - 23:19 PM)

10.10.2.31 x86_64 Linux & Android 9 Samsung Phone sm-n950f running dalvik/2.1.0(13:12 AM SGT - 13:12 PM - (All traffic from IP from 10:31 AM - 14:16 PM)

Dalvik is the discontinued process Virtual Machine in Android 4.4 and earlier

It was a textbook example of a temporary domain infrastructure that would be blocked in a production environment.

Overall, we saw over 5m DNS requests during RSAC APJ. A couple of thousand would have been blocked in a production environment.

We were also able to have visibility in the 2,001 apps that had DNS activity during the conference.

Stealthwatch brings additional network visibility

Stealthwatch detected insider threat activities like Command & Control activity and Data Exfiltration just over the baseline period of two days, indicating potential threats on the network.

The solution with its unique ability to look at encrypted traffic without decryption, also detected users with unknown TLS version.

Now we can extend this comprehensive visibility to cloud networks as well with an offering called Stealthwatch Cloud.

Continue reading