Secure Network Analytics (Stealthwatch): Then, Now, and Beyond

Secure Network Analytics (formerly Stealthwatch) was recently recognized as the industry leader in Network Detection and Response (NDR). This product journey began in 2001, and through the years, we have had to innovate to remain a leader. Yes, I said 2001. A time when we were still imaging machines from optical drives, Windows XP had just shipped, before the social media boom and maybe even before some of you readers were born. In so many ways, things are different today than they were back then but the product’s primary objective has never changed;  “To analyze network behavior in order to identify threats and malicious activity and direct it to the most effective response.”

It all began in 2000 where a Georgia Institute of Technology professor, Dr. John Copeland founded a company called Lancope. It was his vision that would inspire others and ultimately lead to where we are today. Along the way, there were some significant battles we had to fight and hold our ground.  Some of these were strategic bets that would later pay off.

Dr. Copeland founded Lancope upon the discovery of “probing” on his home computer through odd bursts of data in the fall of 1999. Recognizing that these data bursts had malicious intent and could traverse a firewall, Dr. Copeland invented “Flow-based Analysis” to derive the probability that a conversation between two hosts was malicious. The clever thing about Flow-based analysis is that it involves the statistical analysis of counts built from packet headers alone. At the time, this meant the solution could operate at higher packet rates that IDP/IPS alternatives of the day.

Using Flow-based analysis was a natural fit for NetFlow, and it allowed us to scale across the entire network to provided unprecedented breadth of security visibility. However, one argument we needed to address was “Why are we using NetFlow? NetFlow was not meant to be used for security!”  NetFlow was introduced by Cisco in 1996 and was superseded by Internet Protocol Flow Information eXport (IPFIX) in 2008 (rfc5101/rfc5102).  We trained our analytics on it because we knew that if we were right, instead of having visibility where we could deploy sensors, the network itself would become our sensor!

The next argument we needed to overcome was “You can’t do real network security detection without Deep Packet Inspection!” Because we did not depend on Deep Packet Inspection, industry experts would argue that we cannot detect threats with NetFlow/IPFIX alone. To understand the validity of this argument, you needed to go back to a time where network encryption was used sparingly. Most of the network was largely operating in the clear – I know it sounds insane, but these were simpler times. The use of SSL and TLS was not widespread and setting up a site-to-site VPN took a network genius. We knew that it would be only a matter of time before Deep Packet Inspection would become a thing of the past. Today, even if you were to capture all the packets, well over 90% of it would be encrypted and opaque to direct inspection. Let me be clear, if DPI was available, we would use it, but we did not depend on it for our security analytical outcomes. This put us in a very strong position because our machine learning algorithms would not be affected by the pervasive use of network encryption. So once again, we made a very important strategic bet for the reality of today.

As Lancope became more and more successful within the larger global 2000 enterprises, we quickly learned that we needed to add integrations that would allow us to perform analytics from multiple centricities. We felt that there might be cases where customers want to view the results by device, or by application, or by user. A device-centric question would be “What has this device communicated with in the past 30 days?” A user-centric question would be “What has the user alice01 done on my network in the past 30 days?” To add in this user-centricity, we needed to integrate with an authoritative source for that data.  At the time, Cisco offered the “Identity Services Engine” or ISE for short. Integrating Secure Network Analytics with ISE meant that we could now offer device and user-centric analytics when it came to the behavior we observed across a customer’s network. ISE would also lay the groundwork for safe and secure automated responses.  If a threat actor was active on a part of the network, Secure Network Analytics could signal to ISE to isolate that device or user. All of this functionality back 10+ years ago would begin to define what is now the extended detection and response (XDR) market today.

With 10 years in market with Secure Network Analytics, Lancope and Cisco established a strong partnership. The two companies were a match made in heaven due to the fact that Secure Network Analytics did network behavioral analysis and the network is where computers behave. Secure Network Analytics is now an essential part of the “Network as a Sensor” concept and customers consider it a pivotal part of their security program. Up until 2011, threat actors were breaking into your networks and thus the appropriate detection was in place, but something was changing.  Attackers weren’t breaking in anymore, they were simply logging in and operating in your network as someone you trusted! Those traditional detection methods were no longer effective because no alarm bells would be triggered. It was now all about detecting when an application, device, or user started to behave in a way that was suspect and Secure Network Analytics was in the right place at the right time.

Source: cisco.com

Continue reading

Take SecureX wherever you go – introducing the new ribbon browser extension

2020 has been a doozy of a year, and it can be an especially challenging time to keep your organization running smoothly in an already complex and ever-evolving security environment. Security analysts juggle an overwhelming number of alerts siloed across multiple consoles in order to counter attacks, protect against breaches, and stay compliant – and many are doing this while working from home for most of this year. This balancing act reminds me of my own personal experiences that you might be able to relate to.

Figure 1. With the SecureX ribbon browser extension, extract observables from third-party tools such as Splunk and take response actions.

For many of us this year, we’ve been juggling more than we would’ve ever anticipated. My typical day while working from home also consists of preschool drop-offs, ordering grocery deliveries, IT support for my son’s remote learning classes, and scheduling virtual medical appointments. It can be overwhelming to keep track of everything and everyone without outsourcing services like I might’ve done in the past. I have a secret weapon that has helped me navigate this “new normal” — a digital assistant. Before this year, the primary uses of my Google Nest Hubs’ were to (expensively) tell time and set cooking timers. However, during this global pandemic, it’s been put on overdrive to help simplify the chaos of a complicated 2020 for our household. This system keeps my life running smoothly: important appointment reminders, notifications via Family Bell for my son’s class schedule, broadcasting to my family that dinner is ready, and smart home automation throughout the day such as a turn-down schedule for the thermostat.

So just as a global pandemic waits for no one, neither does the critical work of a security operations team whose goal is keeping threat dwell time down and compliance up. That engine must keep running to stay ahead of the ever-evolving threat landscape. Something like a Google Nest Hub (or Amazon Echo Show, if that’s the ecosystem you’re partial to), could help you work more efficiently and effectively. Specifically, not only could you connect your security tools together in one place, even from third-party vendors, but also easily access these tools wherever you go and take just a minute to get started. Enter the SecureX ribbon, now available through a browser extension.

The SecureX platform debuted in June to simplify your security experiences by connecting Cisco Secure products and your existing infrastructure. One of the most powerful SecureX capabilities is the ribbon, which shares and maintains context on cases and incidents in one persistent location at the bottom of SecureX and Cisco Secure product consoles. It provides this cross-product functionality for more efficient threat hunting, incident management, as well as unified visibility and response actions – all across each of your consoles. As such, you can also launch these product consoles from the ribbon. The ribbon apps that enrich investigations are brokered by SecureX– available not only in SecureX but also Cisco Secure products.

Figure 2. The persistent ribbon within SecureX and Cisco Secure product consoles.

Now, SecureX takes it to the next level – the same ribbon functionality is now available through an extension for Firefox, Chrome, and Edge browsers. Similar to the Google Nest Hub, the SecureX ribbon is accessible through your endpoint security, network devices, and now any webpage or browser-based console — so customers can:

◉ Easily connect with your third-party tools. Make better use of your existing security tools, Cisco or otherwise, without a complex integration process. With the ribbon browser extension, you can extract observables or endpoint IPs into the ribbon app from your third-party tools and pivot into an investigation.

◉ Start investigating from your browser in one minute. That’s how long it takes to deploy the extension, and then you can kick off investigations immediately. Let’s say you start your day scanning the blogs by our industry-leading Cisco Talos or perhaps an ISAC from your industry. From either of those intel sources, you can quickly query endpoints, and take response actions without pivoting into another console.

◉ Collaborate across your security team better than ever before. With the extension, you can create or add to a case – directly from the browser – and share with team members. The unified experience is now even more accessible, and elevates cross-functional collaboration.

Continue reading

Revolutionize how you manage application resources across any environment

The business, application and infrastructure landscape has been changing rapidly over the last few years and even faster this year. Gone are the days where a handful of monolithic applications were running in a single datacenter fully managed by a central team – simpler days.  IT teams are now required to use a diverse set of environments, distributed technologies, architectures, platforms and tools to manage the critical IT resources required to keep their apps running no matter where they reside.

The job of managing all this complexity around how user experiences are delivered through applications is now beyond human scale and has big implications for IT teams and businesses including; application performance issues, time wasted in war rooms and fighting fires, underutilized infrastructure, public cloud overprovisioning, and cost overruns.

According to an Insight IT Modernization survey conducted by IDG, more and more organizations are dealing with similar challenges and realizing  the need for simplifying and streamlining their IT operations to be successful. 67% of survey respondents believe that business transformation efforts cannot proceed effectively without IT modernization.

In order to confront this complexity and ensure success in this new world, organizations are focusing on IT modernization projects in terms of quality of service, cost efficiency, availability, customer experience and more time for innovation

Source: IDG Insight IT Modernization 2020 Survey

But how can this be achieved?

IT modernization means optimizing operating models

To streamline processes and efficiently balance application performance and cost, the only choice is to automate resource management and decisions for workload placement and optimization.  But deciding what workloads to run on which platform, making real-time changes as required to ensure optimal performance and cost across any environment, monitoring and troubleshooting with minimum disruption, are all tasks that take time and resources. And as complexity increases, more and more human resources are required.

This is where AIOps comes in.

To optimize an environment end-to-end, you need access to a constant stream of telemetry data from dozens, hundreds, perhaps thousands of sources. Correlating and continuously analyzing all this data with an intelligent real-time decision engine to understand how everything fits together now and in the future is the way forward. A new generation of open tooling is required to connect all the dots and offer the insights and automated actions to stay ahead of demand, stay ahead of problems, and respond to new projects with confidence.

Rethink Cloud Operations

Recognizing these challenges, Cisco unveiled a new vision for the evolution of Cisco Intersight last month, detailed in a blog by Kaustubh Das, VP/GM of Cisco’s Cloud & Compute group. Cisco Intersight is a modular cloud operations platform that brings together IT teams, tools, infrastructure, and apps and helps operations personnel visualize, optimize, and orchestrate apps and infrastructure, wherever they are.  Delivering on this vision, we are happy to announce that we have released Cisco Intersight Workload Optimizer, the first in a series of powerful new Intersight solutions designed to simplify cloud operations.

Intersight Workload Optimizer (IWO) radically simplifies application resource management at scale to prevent application performance issues while reducing cost. It continuously optimizes critical resources resulting in efficient use of infrastructure whether on premises or in public clouds. It removes the guesswork from ongoing operations and planning for growth.

Turning data into action

IWO accomplishes all this through its AI-enabled decision engine that proactively matches workloads to the resources they need in real-time, using a process of data abstraction, analysis, and automation across the stack. It understands workload interdependencies, resource consumption, and costs from infrastructure to applications.  It leverages telemetry data from a broad third-party ecosystem across a range of endpoints including hypervisors, compute platforms (including Cisco UCS and Cisco HyperFlex), container platforms, public clouds, applications and more, to deliver intelligent recommendations for where to place and how to size and scale resources.

As a result, Intersight Workload Optimizer establishes a common control plane for resources across hybrid cloud environments, helping IT teams to navigate and automate the dynamic resource trade-offs and relevant decisions needed to balance application performance and cost.

After the metrics from registered endpoints have been collected in a common database and normalized into an abstracted model, AI-assisted analysis is done on an ongoing basis in real-time to provide proactive recommendations to right-size resources and recommend or automatically take action as required. This enables smooth operations and ensures a good digital experience for the consumers of any application.

Optimize hybrid cloud deployments

With distributed, multicloud applications becoming a common use case, IWO takes away the pain of having to monitor and manage individual cloud platforms with cloud-specific tools. IWO can provide recommendations on workload placement as well as on types of instances including “spot” or Reserved Instances (RI’s), databases, storage, and other application components. It can also recommend and take actions such as dynamically scaling or shutting down workloads, always optimizing based on performance and cost.

Manage Kubernetes at scale

Kubernetes has become the de facto standard for container orchestration. However, for IT teams, Kubernetes has introduced an additional layer of complexity with a new environment that needs configuring and monitoring on top of existing infrastructure platforms. Intersight Workload Optimizer complements and augments existing Kubernetes capabilities for ongoing day 1 and day 2 operations with the ability to do container right-sizing, pod “move”/rescheduling, cluster scaling, and scenario planning for Kubernetes deployments.

Integration with APM tools

Intersight Workload Optimizer has enhanced integrations with 3rd party Application Performance Management (APM) solutions, including Cisco AppDynamics. The result is deeper visibility, insight and actions based on the relationship between apps and associated infrastructure, leading to even smarter resourcing decisions that are tied back to the actual application user experience. The integration provides a single source of truth for application and infrastructure teams to work together more effectively, avoiding finger pointing and late-night war rooms.

A “Hands-off” Operational Model

By applying the same set of abstraction-analysis-automation principles for any technology in IWO’s broad, third party ecosystem and for all layers of the application and resource stack, IWO is able to deliver powerful capabilities that simplify day-to-day operations for IT team members (sysadmins, v-admins, production and integration teams, cloud architects and DevOps teams etc) in an organization.

Leveraging its agentless architecture that is modularized and delivered as a Service, Intersight Workload Optimizer can rapidly expand any supported ecosystem to meet our customers’ evolving needs, however and wherever they operate. It can truly provide a closed-loop operating model based on extensive and deep visualization between applications and infrastructure, powered by AI, analytics, and automation.

Continue reading

Protecting Workloads Across Any Cloud and Application…Anywhere!

Automating and implementing a secure, zero-trust model for micro-segmentation based on application behavior and telemetry is easy to do using Cisco Secure Workload (formerly known as Tetration). See how your business can seamlessly achieve workload protection by providing:

◉ Reduced attack surface – Automate micro-segmentation through customized recommendations based on your environment and applications.

◉ Remain compliant – Granular visibility and control over application components with automatic detection and enforcement of compliance.

◉ Gain visibility – Track the security posture of applications across your entire environment.

◉ Enable Zero Trust – Implement a zero-trust model via continuous behavioral monitoring and automated enforcement of micro segmentation policies to every workload

New Cisco Secure Workload Learning Module

In the new Cisco Secure Workload Learning Module, we will introduce the Open API, which includes easy to use and comprehensive APIs to perform reporting, make configuration changes, export flow data, and more. We will deep dive into the API endpoints that provide visibility and compliance of workloads, application and policy modeling, and deployment of agents and segmentation. We also review how to install and utilize the Secure Workload Python SDK.

In the first lab we will:

◉ Reserve a sandbox environment to work with

◉ Clone the necessary code from GitHub

◉ Setup Postman and Python environments

◉ Explore simple API requests using Postman and the Python SDK

For the second lab we will cover:

◉ Query & display all sensors in an application scope

◉ Download the agent package and configuration files programmatically

◉ Download & deploy the agent ‘auto-install’ script to an agent in the Secure Workload Sandbox Environment

◉ Query vulnerabilities on all sensors, identify new vulnerabilities introduced with new sensor

Continue reading

Cisco CCNP Security 350-701 Certification | Syllabus | Practice Test

 

Cisco SCOR Exam Description:

This exam tests a candidate's knowledge of implementing and operating core security technologies including network security, cloud security, content security, endpoint protection and detection, secure network access, visibility and enforcements. The course, Implementing and Operating Cisco Security Core Technologies, helps candidates to prepare for this exam.

Cisco 350-701 Exam Overview:

• Exam Name:- Implementing and Operating Cisco Security Core Technologies
• Exam Number:- 350-701 SCOR
• Exam Price:- $400 USD
• Duration:- 120 minutes
• Number of Questions:- 90-110
• Passing Score:- Variable (750-850 / 1000 Approx.)
• Recommended Training:- Implementing and Operating Cisco Security Core Technologies (SCOR)
• Exam Registration:- PEARSON VUE
• Sample Questions:- Cisco 350-701 Sample Questions
• Practice Exam:- Cisco Certified Network Professional Security Practice Test

Related Articles:-

1. CCNP Security 350-701 SCOR Certification: Secrets To Acing The Exam
2. Guidelines to Prepare for CCNP Security 350-701 Certification
3. Secure Your Job by Taking CCNP Security 350-701 Exam
4. CCNP Security 350-701 Exam Information and Tips for Your Exam Preparation in One Guide

Continue reading

A Three-Pronged Approach to Small Business Office Safety

For every small business, it’s essential to keep people healthy and safe. Like the old saying goes, safety first. And now with COVID-19, monitoring workplace hazards is an even higher priority. No matter how small your business might be, as an employer, you need to keep your workers and customers safe without disrupting the flow of business.

Using a combination of smart cameras and sensors, and collaboration tools, you can monitor your workplace and support social distancing and density limit policies. And apps for smartphones and wearables can help with employee health monitoring and contact tracing.

Beyond the technology, you need to take a three-pronged approach to help make sure everyone stays safe during the pandemic and beyond. You need to develop policies to prevent hazards, ensure that your safety procedures are implemented, and respond when emergencies arise.

Fortunately, easy to use technology can help in each of these areas.

1. Develop safety policies and procedures to prevent hazards

Effective workplace hazard monitoring goes hand-in-hand with well-designed safety policies. The US Occupational Health and Safety Administration (OSHA) has issued some general guidelines on preparing workplaces for COVID-19. OSHA recommends that all employers create an infectious disease preparedness and response plan for addressing the coronavirus as well as other potential health hazards. Similar codes exist around the globe. A well-designed plan should consider how workers might be exposed to COVID-19 through other workers, customers, and contacts outside the workplace. It should also factor in workers’ individual risk factors, such as age or pre-existing health conditions.

General preventive measures that OSHA advises employers to implement include:

◉ Exploring policies that can promote social distancing, such as telecommuting or flexible work hours

◉ Providing personal protective equipment, such as masks or goggles, as well as training for using such equipment

◉ Promoting hand washing

◉ Providing hand sanitizer containing at least 60% alcohol when hand-washing facilities aren’t available

◉ Encouraging workers to follow respiratory etiquette practices such as covering coughs and sneezes

◉ Advising sick workers to stay home

◉ Disinfecting surfaces and equipment regularly

◉ Discouraging workers from using other workers’ desks, phones, and equipment when possible

In addition to preventive policies, OSHA advises employers to develop policies and procedures for prompt identification and isolation of potentially infected workers. Such procedures can range from providing a separate room for workers exhibiting COVID-19 symptoms to instructing sick workers to stay home.

Technology can play a major role in helping employers implement these guidelines. For example, by using smart cameras in conjunction with analytics, you can gain a better understanding of how people move around your space so you can redesign workflows. Collaboration tools help simplify remote work and make it easier to manage staggered shifts where some people are in the office and some are not. Remote collaboration tools should include robust security features and be connected using network switches and routers that are user-friendly, flexible, and secure.

2. Monitor your workplace with smart cameras

Smart video cameras can be a valuable tool for monitoring the workplace to promote safety measures against COVID-19. Today’s cameras can be used for far more than simply physical security. They form part of a wireless ecosystem that small businesses can use for a wide range of applications. For example, Cisco Meraki MV smart cameras are used in retail environments for counting customers and analyzing floor traffic patterns to help optimize in-store marketing. That same technology can be deployed to collect information that supports workplace safety policies.

For example, let’s say your facility has a social distancing policy that requires workers to stay at least six feet apart. Just because people know the policy exists doesn’t necessarily mean it will be followed. Surveillance cameras can provide transparency and accountability and help you identify the areas of your facility that are most prone to social distancing issues. Armed with this information, you can take steps to remedy problems in those parts of your premises.

Ideally, a strategic plan for monitoring your small business with surveillance cameras should follow a three-step procedure:

◉ Install a smart camera surveillance system that can show you where people are, where they go, and what they’re doing.

◉ Connect your smart surveillance system to a cloud network that lets you review and analyze footage through a central dashboard

◉ Assess the footage and access the video analytics for object detection and motion heatmaps to support safer workplace policies and procedures

Cutting-edge smart cameras such as Cisco Meraki MV can pick up more information that just images. The built-in intelligence includes motion heatmaps that display relative movement over time so you can see traffic patterns and object detection that shows you where people are, so you can see where they’re congregating and where they linger.

For purposes of preventing COVID-19, you can track where workers and customers are congregating on your premises and whether there are any motion patterns that conflict with your social distancing policies. You can then review these movement patterns and determine whether measures such as installing barriers or rerouting traffic might help promote safer social distancing.

Workplace monitoring also can help you monitor worker behavior. For example, you can make sure hand washing and sanitizing procedures are being followed. Healthcare providers have long been aware that simply having hand hygiene policies does not guarantee their enforcement. On average, healthcare providers wash their hands less than half as often as they should, according to the Centers for Disease Control and Prevention.

A study by the Santa Clara Valley Medical Center found that healthcare workers are twice as likely to comply with hand washing policies when they know they are being monitored. Now some hospitals are installing digital sensors and apps to monitor how frequently workers wash their hands. The MV campers let you view video quickly with motion recap, which summarizes activity into a single image, so you don’t have to scroll through a lot of irrelevant video to get answers.

Smart surveillance cameras can also help promote policies requiring workers to wear masks. When workers know they’re being monitored, they’re more likely to comply with mask mandates. Cameras can help reduce the need for unpleasant confrontations and heavy-handed measures. Surveillance cameras can be particularly useful for monitoring parts of your facility where workers are most likely to neglect social distancing and mask-wearing policies, such as break rooms.

3. Identify and resolve issues

In addition to preventive measures, a viable COVID-19 workplace safety policy must include procedures for identifying and addressing situations where workers are displaying coronavirus symptoms or are already infected. This is another area where using the right technology tools can help you implement safety policies.

Some employers have adopted temperature checks and other diagnostic screening procedures as a way to identify workers with coronavirus symptoms. One way to protect screeners is by using telehealth technology to support social distancing during screening. By pairing smartphones with smart thermometers, you can take your temperature with your iPhone or Android device. Using this type of technology can allow workers to provide temperature readings to employers from a socially safe distance.

Stay safe and wash your hands

The Cisco Designed portfolio includes technology that is curated specifically for small businesses. We can help you set up tools for safe distancing and real-time monitoring.

Continue reading

Regaining Control of the Digital Experience

2020 will likely be remembered as the year that pushed enterprises over the digitization tipping point. In just a few months, enterprises have had to transform how their employees work, how they serve their customers, and in some cases, they have had to also pivot to a new business model. Knowledge workers are now working from anywhere, contact center agents are taking customer calls from their home, patients are electing to visit their physician virtually, and consumers have moved to digital channels.

Some of these changes are temporary, but many are likely here to stay.

This shift has led to a disaggregated digital footprint and hyper-distributed IT environments. As enterprises accelerate their adoption of cloud hosted applications across hybrid and multicloud architectures, applications and services have also become more distributed.

While the perimeter of the IT environment has drastically expanded, IT does not always have full control over the application and infrastructure stack, and connectivity is reliant on unpredictable third-party networks, IT is still responsible for delivering a seamless end user experience.

So how can IT continue to optimize digital experience?

It starts with visibility – with an end-to-end view of the delivery of applications and services over the Internet.

By pairing Application Performance Monitoring (APM) and Network Intelligence, enterprises can get a complete view of the health of their applications and how users experience them.

APM provides proactive visibility into the application delivery, performance, and key performance indicators of business metrics for applications hosted on premise or in the cloud – and managed by IT.

Network Intelligence provides visibility into external dependencies (such as SaaS applications, APIs, DNS, and ISP connectivity) and correlates application layer visibility with hop-by-hop visibility across network paths and Internet routing data.

APM provides visibility for DevOps teams, so that they can make the necessary architectural decisions to deliver optimal application performance. Network Intelligence gives inside-out and outside-in visibility for NetOps and CloudOps teams, so that they can reduce Mean Time to Troubleshoot (MTTT), ensure business continuity and maintain a high-quality end user experience.

While COVID may have accelerated the digital transformation of most enterprises and pushed them over the technology tipping point, “in the end, tipping points are a reaffirmation of the potential for change and the power of intelligent action” (Malcolm Gladwell).

Through the power of two industry leading solutions – AppDynamics and ThousandEyes – we believe that enterprises can take intelligent action and regain control of the digital experience of their employees and customers in a hyper distributed new normal.

Continue reading