Saturday 10 December 2022

Preparing for 2023 and what lies in store for Endpoint Security

A new year is almost upon us and as we look back on our accomplishments in 2022, we also look forward to helping our customers become more security resilient and be better prepared for 2023. As part of this forward-looking process, and with the help of Gartner Peer Insights, we surveyed 100 Security and IT professionals to understand their level of security maturity and obtain their perspective on the future.

The results of the survey, called “Gartner Peer Insights – Future of Endpoint Security” can be found here in Infographic form.

Key insights from the Survey:

◉ Many organizations are employing EDR and XDR capabilities, but few have reached full maturity.
◉ Organizations are looking for integrated platforms that support hybrid workforces while simplifying vendor management.
◉ In anticipation of the ever-increasing threat landscape, organizations are looking to highly integrated and automated endpoint security solutions.
◉ Organizations want future-proof endpoint security solutions that bolster their security resilience.

Insight Example

Regarding the first key insight, approximately two-thirds of the organizations surveyed have implemented EDR and XDR capabilities. These two capabilities are critical to detecting and eliminating threats, either before a breach has occurred or before a breach has had an opportunity to create damage.

Figure 1: Deployed endpoint security capabilities

Insight Example

Another key insight relates to endpoint vendor selection. The survey notes that the top criterion organizations look for when selecting an endpoint security solution is the ability to support a hybrid workforce. This isn’t surprising given the events of the last few years and the expansion of remote work and working from home. Many organizations feel that the hybrid workforce is here to stay, with varying proportions of remote and on-premises staff. The direct implications for endpoint solutions include flexibility (e.g., deployment options), scalability, efficacy, resilience, and manageability, to name a few.

Figure 2: Top Motivations when considering endpoint security

Source: cisco.com

Thursday 8 December 2022

Application Resource Management in Healthcare

Four Ways Healthcare Providers Have Benefited from Intersight Workload Optimizer

IT operations teams are like doctors. Doctors practice preventive medicine to help patients keep their health on track. When a patient’s health goes off track, the doctor minimizes symptoms through medication and rest, and they perform assessments to identify the root cause of the ailment.

In a similar way, IT operations teams keep their organizations’ mission-critical applications on track by providing computing, networking, and storage resources. Sometimes an application demonstrates symptoms indicating there’s something wrong (such as sluggish performance). If the root cause is serious enough and goes unaddressed, it can lead to downtime and impact the end user experience.

Treating the symptoms of poor application performance

Too often IT teams spend most of their time addressing the symptoms of underperforming applications or resuscitating them when they go offline. They’re alerted when there’s an issue, but they can’t easily pinpoint the root cause. This means the symptoms get treated to keep applications running, but the underlying cause or causes go untreated, which can lead to recurring application performance issues and costly staff time spent addressing them.

How to stay ahead of application resource issues

Application resource management solutions like Cisco Intersight Workload Optimizer (IWO) provide vital capabilities to help IT teams prevent application resource issues from occurring while optimizing costs to control their budgets.

Here are four examples where Cisco healthcare customers used application resource management to maintain the health of their organizations’ applications in fiscally responsible ways.

1) Ensuring mission-critical application performance

A healthcare services provider was experiencing performance issues with mission-critical applications. They couldn’t identify where in the stack the issues were originating from, so they used AppDynamics and IWO to gain deep visibility from their applications through their underlying computing infrastructure, particularly into hundreds of virtual machines. The visibility showed them when application performance began to stretch VM workloads and how to optimize their virtual environment to ensure continuous resources for optimal application performance. In addition to providing continuous up-time for their mission-critical applications, the customer has used IWO to optimize workloads in the public cloud and reduce public cloud spend by 40%.

2) Maintaining application performance at a lower cost

2a) In order to provide continuous application uptime, a healthcare provider in the midwestern United States uses on-premises infrastructure and hosting services through a public cloud provider. However, the costs for on-premises infrastructure and cloud resources were rising rapidly and not sustainable. Using IWO’s “what-if” scenario planning, Cisco worked with the client’s IT group to demonstrate how they could right-size new server purchases and identify the most cost-effective cloud resources to meet their budget requirements. As a result, the healthcare provider can continue to deliver computing resources to provide experiences their application users expect while delivering tangible cost savings.

2b) A healthcare provider in the southeastern United States and Cisco UCS customer needed to improve overall infrastructure availability, specifically by getting better insight into the real-time status of VMs and other computing resources. With a restricted IT budget, they also needed to extend the life of existing systems to reduce their CapEx expenses. Using IWO, the healthcare provider identified an opportunity to reduce the number of hosts by 50% while maintaining the same levels of utilization and avoiding unnecessary CapEx investments. At the same time, the healthcare provider used IWO to ensure workload configurations comply with its policies, which has helped the customer improve its HIPAA compliance posture.

3) Conducting an EHR cloud migration analysis

This healthcare provider needed to refresh its Epic Hyperspace environment for its primary electronic health record (EHR) system. Their IT team was considering moving to the EHR provider’s cloud-based IaaS solution. The Cisco team used IWO to conduct a detailed total cost of ownership (TCO)/return on investment (ROI) analysis. The study showed the ability to maintain desired application performance with fewer servers (and less cost) than the EHR provider prescribed. The analysis revealed the healthcare provider would save $500,000 per month over three years, or $18 million, by using an on-premises UCS solution instead of the hosted solution. The healthcare provider also went on to use IWO to continue optimizing its virtual environment for ongoing application resource management and cost containment.

Keep your applications in shape through application resource management

As a healthcare provider, your patients, caregivers, and others rely on your applications. With solutions like IWO at your disposal, you have the power to adopt best practices in application resource management and ensure uptime to deliver the experiences your users expect while gaining cost-containment capabilities. Rise above treating the symptoms of an ailing infrastructure; exercise proactive application resource management with Cisco Intersight Workload Optimizer to keep your applications and infrastructure in outstanding shape.

Source: cisco.com

Tuesday 6 December 2022

How do ketchup and mustard relate to Cloud Monitoring for Catalyst and DNA Center?

My two sons have very different tastes in many things like activities, clothes, brands, food, and, more than anything, condiments! At home, we have these endless battles on whether ketchup is better than mustard or mustard than ketchup. The message to my kids is that there’s no such thing as a universal better option. There are many reasons why one would choose one over the other: food sensitivities, ingredients, nutritional value, and taste to name a few. My older son likes everything sweet and he doesn’t care too much about sugar content so ketchup is the best option for him. My younger son doesn’t like to mix sweet and savory food and also is more mindful of the nutritional value. For this reason, mustard is best for my younger son.

All this to say that, at Cisco, we strongly believe in giving choices to customers so that everyone can have the solution that works best for them. And this is also true when it comes to managing your Cisco Catalyst infrastructure. One option would be Cisco DNA Center for which I’ve written numerous blogs. We will discuss the characteristics of the recently introduced new option: Cloud Monitoring for Catalyst with Meraki Dashboard. The purpose of these blogs is to give you enough information to make the best choice for your environment.

Meraki Dashboard can provide cloud-based monitoring for Catalyst devices and is a great option for numerous environments, for example networks of Catalyst fixed-configuration switches that have no management platform, or a legacy management platform that needs to be replaced. Another great use case is a mixed environment with Catalyst switches and Meraki infrastructure, as in the picture below:

Figure 1: Use Case Examples of Cloud Monitoring for Catalyst

How do you know if Cloud Monitoring is right for your environment? In the next sections we will explore the following capabilities:

◉ Unified view of Cisco network infrastructure
◉ Device health and troubleshooting
◉ Network client and traffic information

Unified view of Cisco network infrastructure

Cisco Cloud Monitoring for Catalyst is especially interesting for environments with mixed Catalyst and Meraki devices because the Meraki dashboard can provide a unified view of the infrastructure including information like switch Up/Down status, model, version, serial number and firmware. Meraki dashboard also provides a topology view of the unified network:

Figure 2: Unified view of Cisco network infrastructure in topology mode

Device health and troubleshooting

Meraki dashboard provides best-in-class cloud monitoring for Meraki devices and now for Catalyst devices as well. Network administrators can monitor Catalyst connectivity and health from the dashboard, obtain real-time switch and port health, port-level packet and error counters, and alerts for switch or port issues. Catalyst devices also benefit from live troubleshooting tools, like ping and port cycle, to help identify and correct problems remotely.

Figure 3: Detailed port visibility and live troubleshooting tools

Network client and traffic information

Another very useful capability of the Meraki dashboard is that it provides visibility into the connected devices across the network and detailed network usage and traffic statistics. Meraki dashboard also provides application visibility including top users in the network and top application traffic over time.

Figure 4: Application Visibility

What else do you need to know?

Besides the features and capabilities, there are a few other things you need to know to decide if this platform is the right operational choice for your environment.

◉ Platform: Meraki Cloud Dashboard – SaaS
◉ Capabilities: Monitoring Only (Meraki Dashboard will not configure the device)
◉ Supported Devices: Catalyst Switches 9200/L, 9300/L/X and 9500
◉ Switch OS: IOS-XE
◉ License: DNA Essentials or DNA Advantage

Cisco Catalyst switches in the list above can be on-boarded for cloud monitoring while retaining all features and capabilities available in IOS-XE. Having said that, the Meraki dashboard will only provide visibility into those features that are available in the Meraki Dashboard. For example, a Catalyst 9300 switch can run a container with the ThousandEyes Enterprise Agent. This switch can be monitored by the Meraki dashboard for all the capabilities mentioned in this blog, and it can retain the ThousandEyes Enterprise Agent it has installed. However, the Meraki dashboard will not provide monitoring of the ThousandEyes Enterprise Agent deployed in the switch.

For Cloud Monitoring for Catalyst, the switches retain the IOS-XE operating system and the DNA license. There’s no requirement to convert the license to a Meraki license. The switches will leverage the DNA license, and both “Essentials” and “Advantage” licenses are supported. The difference between the two is that traffic analytics is only available with the “Advantage” license. All other features are available with both “Essentials” and “Advantage” licenses.

Figure 5: Essentials and Advantage Licenses

With this blog, I hope to have helped you decide your best choice for your operational platform for Catalyst infrastructure.

Source: cisco.com

Saturday 3 December 2022

Cisco Catalyst 9200CX now orderable!

Now is the time to make sure your network is ready for a hybrid world where the workplace is anywhere, endpoints could be anything, and applications are hosted all over the place.

Extending the power of the secure network as close to the edge as possible helps you to better respond to the unexpected… transforming the challenges of hybrid work into opportunities for innovation.

Introducing Cisco® Catalyst® 9200CX compact switches

Figure 1: Catalyst 9200CX 12 port

As part of the Catalyst 9000 family, these highly anticipated compact switches bring IOS® XE and enterprise-class access down to the very edge with an extra level of security, and the features required to handle our ever-changing world of hybrid work.

The new compact Catalyst 9200CX models are optimized for flexibility and security and are ideal for

◉ Fiber to the edge
◉ Small branches
◉ Healthcare, retail, hospitality, sports, media, and entertainment
◉ Smart building retrofits
◉ Places where space is at a premium and quiet operation is a must

The smaller footprint and quiet, fan-less design means Catalyst 9200CX compact switches can go in places other switches cannot, like on or under a desk, mounted on the wall or ceiling, or in a closet, hospital room, or classroom. But at the same time, they offer many advanced features that are firsts for a compact switch:

◉ MACsec-256 encryption
◉ Full flexible NetFlow/IPFIX
◉ Plug-and-play zero-touch provisioning
◉ SD-Access edge node capabilities with 16 VNs!

And to top it off, they’re also IPsec, AVB/PTP, and BGP EVPN hardware ready. 

The Catalyst 9200CX is designed to allow you to secure your network from the inside out, applying continuous zero-trust security anywhere you need it, and often extending your network to places it has never been before.

Whether in the board room or the bedroom, at the checkout counter, or the check-in desk, don’t box in your network to a traditional workspace or workplace; embrace the future of hybrid work with Catalyst 9200CX compact switches.

Source: cisco.com

Thursday 1 December 2022

Cisco Catalyst 9300X – IPsec And Cisco Umbrella

In this blog, you will learn how to configure IPsec and Cisco Umbrella tunnels on a Catalyst 9300X by onboarding it with the Plug and Play (PNP) Cloud Service and Cisco DNA Center.

This capability is supported with Cisco DNA Center 2.3.4. The switch will need IOS-XE 17.8.1 for onboarding and an Advantage license. The IPsec feature on the switch requires an HSEC K9. Please refer to Part 1 of this series to understand at least three use cases that can leverage IPsec on a Catalyst switch.

PnP Cloud Service (Onboarding C9300X with IPsec)

The onboarding section below assumes that the switch only has direct internet access and requires a secure connection back to Cisco DNA Center for management. Traditionally a switch has access to a local PnP server, but in this lean branch deployment with just the 9300X, connectivity back to a PnP server is highly unlikely.

Figure 1. Day 0 Automation Workflow for onboarding Catalyst 9300X

Cisco has augmented PnP Connect with Plug and Play as a Service (PnPaaS). This enhancement allows Cisco DNA Center to send the Day 0 switch configuration file to the PnP Cloud Service. Once the switch sends its PnP request to devicehelper.cisco.com, the PnP Cloud Service responds with the configuration file. This allows the switch to establish the IPsec tunnel and Cisco DNA Center to manage the newly onboarded switch.

Figure 2. Onboard Catalyst 9300X Device using PnP Cloud

So, how do you create the Day 0 configuration file? Easy, it’s pretty straightforward. Just go to Cisco DNA Center Provision –> Services –> Secure Tunnels and click on Onboard New Device. The form will ask for a Site and a Virtual Account where the switch is associated. Once this information is confirmed, the form can be completed with the following: the switch serial number, a management IP (resulting in a loopback address on the switch), the IP address of the Head-End (or remote side), an IPsec pre-shared key, the HSEC token, and a switch hostname. If the switch already has the HSEC token pre-installed from manufacturing at the time of purchase (it requires a selection in CCW), then the HSEC token entry does not need to be filled in. To look at the configuration file prior to its implementation, select the Day-0 Configuration Preview tab.

Figure 3. Cisco DNA Center Plug and Play Status

After selecting the Onboard Device option, the onboarding status of the switch can be verified under Provision –> Network Devices –> Plug and Play. Initially, the switch will appear as Unclaimed, and the state as Planned. When the process completes (please be patient, it will take several minutes) the switch appears under Provisioned and the state as Provisioned.

Figure 4. Cisco Catalyst 9300X with IPsec in Inventory

After the switch is onboarded, it can be managed over the IPsec tunnel using the loopback by selecting Provision –> Network Devices –> Inventory.

Cisco Umbrella – Creating Secure Tunnels

Now that the switch is under Cisco DNA Center management, additional IPsec tunnels can be configured to connect to a Secure Internet Gateway (SIG). In this case it will be Cisco Umbrella, but it can also be a third party like Zscaler. In order to automate both sides of the tunnel (the switch and Cisco Umbrella), there is a prerequisite to integrate Cisco Umbrella and Cisco DNA Center using API keys (System –> Settings –> External Services). This topic is not covered here. When the API integration is not established, Cisco DNA Center will only automate the switch portion.

Figure 5. Cisco Umbrella IPsec Tunnel Creation in Cisco DNA Center

In order to add the Cisco Umbrella tunnels, go to Cisco DNA Center Provision –> Services –> Secure Tunnels but this time click on Create Secure Tunnel. The form will require the following information: Site, Device, number of Cisco Umbrella tunnels (up to 4), Tunnel Name, and Tunnel Source Interface. In addition, a selection of the Cisco Umbrella data center location can be made, otherwise, the selection will be made based on the switch site location. If you have more than one tunnel, either the same data center or a different location can be selected.

Figure 6. Cisco Umbrella IPsec Pre-Shared Key in Cisco DNA Center

The next screen will ask for the Cisco Umbrella Tunnel Pre-Shared Key and the option to change the default IKEv2 and Transform Set values. The default values are for best practice and should not be changed unless it is for interoperability or other security reasons.

Figure 7. Handling Site Traffic using ECMP or PBR

In the next screen, traffic can be handled either by sending all traffic to Cisco Umbrella using Equal-Cost Multi-Path (ECMP) load balancing when using multiple tunnels or traffic can be steered using Policy-Based Routing (PBR). Handling the traffic in this manner should help with most use cases. Subsequently, there will be a summary screen and a selection to create the tunnel(s).

Figure 8. Cisco DNA Center and Cisco Umbrella Tunnel Confirmation

After the switch and Cisco Umbrella have been provisioned, the status of the tunnels can be verified under Cisco DNA Center Provision –> Services –> Secure Tunnels.

Figure 9. C9300X IPsec Tunnels Cisco DNA Center and Cisco Umbrella

The IPsec tunnel information to both Cisco DNA Center and Cisco Umbrella can be verified via the CLI as well. Tunnel1 is the tunnel to Cisco DNA Center and Tunnel2 is the tunnel to Cisco Umbrella.

Figure 10. Cisco Umbrella UI IPsec tunnel to C9300X

Alternatively, Cisco Umbrella can also display the IPsec tunnel established to the Catalyst 9300X.

Source: cisco.com

Sunday 27 November 2022

High Availability – Features in Cisco IOS XE Software Makes It Appear Seamless

High availability (HA) networks continue to function even when some components fail. A variety of features in Cisco IOS XE Software provide hardware and software redundancy that contribute to five nines (99.999%) uptime, which translates to no more than 5.26 minutes of downtime per year. That’s the kind of reliability that Cisco customers have come to expect. Thousands of Cisco engineers in offices throughout the world make it possible.

This is the first in a series of three blogs that describe significant features in Cisco IOS XE that contribute to HA in the enterprise.

Stack Manager

Cisco Stack Manager is a platform-independent discovery protocol that provides failover from active to standby switches in case the active switch experiences a failure. Available on Cisco Catalyst 9000 series, it enables a switch to discover peer nodes, verify their authenticity, raise alarms in case of a mismatch, allocate a unique switch number during discovery, and assign a HA role (e.g., active, standby, and member in one type of configuration). In case of failover, switchover, or a reload of the active switch card, the standby switch takes over.

After Stack Manager assigns roles to the switches (e.g., Active, Standby, Member), the Cisco IOS XE redundancy framework enables the control plane protocols to synchronize configuration data to the standby node. Standby protocols remain in a hot state so the standby switch can become active in case of a failure.

Stack Manager works in three different HA configurations, which will be described in an upcoming blog:

1. Switch connected via stack cable to up to eight nodes
2. Switch connected via StackWise Virtual Link to up to two nodes
3. Dedicated HA interface for wireless devices like controllers

Cluster Manager

Cluster Manager is an adaptation of Stack Manager for use with Cisco Next Gen StackWise® Virtual Link, which provides the ability to virtualize two connected switches into a single virtual switch. Cluster Manager enables the same standby/active failover features provided by Stack Manager, with the added ability to provide HA across an entire data center environment using Next Gen StackWise Virtual Link. Virtualization eliminates the need to physically stack switches on top of each other. Soon, Cluster Manager will be able to support HA in switch clusters across different geographically dispersed locations.

Redundancy Management Interface

The Stack Manager solution connects up to eight switches in a ring, but in configurations using StackWise Virtual Link and in wireless deployments there is only a single interface between two nodes: one active, one standby. So, two technologies were created to handle split-brain HA scenarios in these configurations: Redundancy Management Interface (RMI) and Dual Active Detection (DAD).

RMI adds another interface to wireless controllers so that if one interface falters or fails, the other will take over to handle HA, first determining if it is an actual failure or just a momentary glitch. If it is an actual failure, RMI provides the redundant connection to ensure that if the active switch goes down, the standby takes over.

Dual Active Detection

For deployments using StackWise Virtual Link, when the connection between the active and standby switches is lost and one switch fails over to the second, the Dual Active Detection (DAD) process is activated. It queries the node manager for the existence of the lost peer. If the peer is available, it sends a recovery handshake. Once the handshake is completed, if the lost connection was due to a momentary glitch, the standby switch goes into recovery mode. If the switch is experiencing a failure, the other switch goes into recovery mode and assumes the active role.

Operational Data Manager

All processes in active switches update the database and the database maintains the device’s state. Since the standby doesn’t communicate to the outside world, when it is updated by the active switch, it uses Operational Data Manager (ODM) to update the database. ODM uses Replication Manager to trigger all the data to sync from an active to a standby switch. The update first goes to the DB and then out to update the processes in the hot standby switch.

Symmetric Early Stacking Authentication

Symmetric Early Stacking Authentication (SESA) imposes authentication when one Catalyst 9000 series switch interacts with another and encrypts and decrypts all the remote inter-process communication between them to guard against hacking attempts. It works alongside standard stacking, StackWise Virtual Link, and wireless HA solutions and is Federal Information Processing Standards (FIPS) compliant.

Extended Fast Software Upgrade

In the past, reloading software on Cisco platforms could take 6-7 minutes. Now, with Extended Fast Software Upgrade (xFSU), the process is reduced to 30 seconds or less. This fast reload feature for Catalyst 9300 series switches decreases downtime during reload ― the hardware is never powered off and traffic keeps flowing ― while maintaining the control plane in an operational state during the reload process.

Graceful Insertion and Removal

Network admins may wish to remove a network device from the network to perform troubleshooting or upgrade operations. To remove one device and replace it with another, the Graceful Insertion and Removal (GIR) function notifies the protocols of both devices that there is a maintenance window but not to go down. When the platform undergoing maintenance comes back online, it goes immediately into production without having to recreate the sessions it missed, minimizing traffic disruption both at the time of removal from the network and during insertion back into the network.

Hot Patching

Another area that contributes to HA is hot patching. Cisco issues small micro images containing only the code necessary for a critical bug or security fix. Customers can install it on devices in a fraction of a second using hot patching without any network disruption. Hot patching doesn’t result in a device reload and the fix takes effect immediately. Because of the small size of the patches, they are easy to distribute. Because of their limited content, customers can have much higher confidence in installing these micro patches in their production network without going through the complete validation process. The Cisco IOS XE hot patching feature is a toolchain of integrated technology and is expected to provide a default hitless defect fix.

ISSU

With the in-service software upgrade (ISSU) feature, Cisco customers using Cisco IOS XE products with HA functionality, including both routing and switching platforms, can avoid disruptions from image upgrades. ISSU orchestrates the upgrade on standby and active processors one after the other and then switches between them in the control plane so that there is zero effective downtime and zero traffic loss. The Cisco IOS XE software stack has the ability to do ISSU between any-to-any releases, and the development team has an elaborate feature development testing and governance process to ensure this happens without failures occurring. Cisco defines policies for a smooth ISSU experience based on platform and release combinations.

An Ongoing Quest for High Availability

Handling failover at the device level seems straightforward, with automatic features guiding active, standby, and sometimes member switches that are all waiting in line. (For Cisco ASR 1000 routers, active and standby route processors also provide failover and HA, much like Catalyst 9000 series switches.) But for Cisco engineers working on Cisco IOS XE solutions, HA is an ongoing, complex challenge, with vulnerabilities addressed by the many solutions above.

Source: cisco.com

Saturday 26 November 2022

Kenna.VM Premier: Accelerate Vulnerability Management with Cisco Talos Intel and Remediation Analytics

New level unlocked. The next step for Kenna.VM users who are maturing their risk-based vulnerability management program is Kenna.VM Premier—and it’s live. 

The Cisco Kenna team is excited to release a new tier of the Kenna Security platform designed specifically for customers or prospects that have reached a point of maturity in which they can and want to do more with their vulnerability management program.

In addition to the existing Kenna features and functionality you know and love, the new Kenna.VM Premier tier includes:

◉ In-depth and actionable remediation scoring (New!)  
◉ Zero-day vulnerability intelligence, powered by Cisco Talos (New!) 
◉ Access to Kenna’s vulnerability intelligence via an API or user interface (UI) 

We’re particularly excited about the new features that are debuting with this tier. So, let’s take a closer look at everything that’s included.

Remediation scoring

On the Kenna.VM homepage, a new metric will appear at the top right corner (Figure 1). The Remediation Score, as this measurement is known, quantifies how well an organization is addressing risk overall.

Figure 1: Remediation Score in Kenna.VM homepage

The Remediation Score itself encompasses four key measurements (Figure 2), which may sound familiar to you if you’ve been reading any of the Prioritization to Prediction reports produced by Kenna and the Cyentia Institute:

◉ Coverage: Of all vulnerabilities that should be remediated, what percentage was correctly identified for remediation?
◉ Efficiency: Of all vulnerabilities identified for remediation, what percentage should have been remediated?
◉ Capacity: What is the average proportion of open vulnerabilities that were closed in a given period?
◉ Velocity: What is the speed and progress of remediation?

Figure 2: Remediation sub-scores in Kenna.VM homepage

These new remediation insights will allow organizations to shift away from relying on just the Risk Score itself as a measurement to assess the performance of remediation teams. While many organizations opt to use the Risk Score in this manner, there are inherent problems with evaluating performance based on the Risk Score—particularly for mature programs. A Risk Score can spike at any moment due to a suddenly high-risk vulnerability—a spike that isn’t a reflection on the remediation team themselves. And as organizations mature, they’re likely to reach a ‘steady state’ with their Risk Score, which makes it a difficult metric to use to measure progress.

Ultimately, these performance metrics will help customers better understand what areas of their remediation efforts are doing well and which might need to be adjusted.
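To make the four sub-scores concrete, here is an added example (not Kenna’s code, and not its actual scoring formula) that computes coverage, efficiency, capacity and velocity from the definitions above over a constructed vulnerability inventory. It assumes a simple data model where `should_fix` is the ground truth that a vulnerability warranted remediation and `prioritized` is what the team actually flagged; velocity is taken as the median days from open to close, which is one reasonable reading of "speed of remediation".

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

@dataclass
class Vuln:
    cve: str               # placeholder ids, not real CVE records
    should_fix: bool       # ground truth: really warranted remediation (e.g. exploited)
    prioritized: bool      # the team flagged it for remediation
    opened: date
    closed: Optional[date] = None

# Constructed sample inventory for illustration (not Kenna or Talos data).
SAMPLE = [
    Vuln("CVE-0000-0001", True, True, date(2022, 10, 1), date(2022, 10, 8)),
    Vuln("CVE-0000-0002", True, True, date(2022, 10, 3), date(2022, 10, 20)),
    Vuln("CVE-0000-0003", True, False, date(2022, 10, 5)),                    # high risk, missed
    Vuln("CVE-0000-0004", False, True, date(2022, 10, 6), date(2022, 10, 9)),  # effort on low risk
    Vuln("CVE-0000-0005", False, False, date(2022, 9, 20)),
    Vuln("CVE-0000-0006", True, True, date(2022, 9, 25), date(2022, 11, 2)),  # closed after period
    Vuln("CVE-0000-0007", False, True, date(2022, 10, 10), date(2022, 10, 12)),
]
OCT_2022 = (date(2022, 10, 1), date(2022, 10, 31))   # reporting period for capacity

def _ratio(num: int, den: int) -> float:
    return num / den if den else 0.0   # empty denominator: no signal, score 0

def coverage(vulns) -> float:
    """Of everything that should be fixed, what share was prioritized? (recall)"""
    should = [v for v in vulns if v.should_fix]
    return _ratio(sum(v.prioritized for v in should), len(should))

def efficiency(vulns) -> float:
    """Of everything prioritized, what share really needed fixing? (precision)"""
    chosen = [v for v in vulns if v.prioritized]
    return _ratio(sum(v.should_fix for v in chosen), len(chosen))

def capacity(vulns, start: date, end: date) -> float:
    """Share of vulns open at some point in [start, end] that were closed inside it."""
    in_scope = [v for v in vulns if v.opened <= end and (v.closed is None or v.closed >= start)]
    closed = [v for v in in_scope if v.closed is not None and start <= v.closed <= end]
    return _ratio(len(closed), len(in_scope))

def velocity(vulns) -> float:
    """Median days from open to close for closed vulns (lower is faster)."""
    days = [(v.closed - v.opened).days for v in vulns if v.closed is not None]
    return float(median(days)) if days else 0.0
```

On the sample, coverage is 0.75 (one exploited item was never prioritized) while efficiency is only 0.6 (two prioritized items were low risk), which is exactly the kind of split a single Risk Score would hide.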

Zero-day vulnerability intel—brought to you by Cisco Talos

Another new addition to the Kenna.VM platform is zero-day vulnerability intelligence powered by Cisco Talos. Talos regularly identifies high-priority security vulnerabilities in commonly used operating systems and software. The team works with vendors to disclose more than 200 vulnerabilities every year.

This new integration with Talos gives Kenna.VM users access to information on zero-day vulnerabilities documented by the Talos research team (and likely to be in their environment). With the “Zero Days” filter in Kenna.VM, users can isolate zero-day vulnerabilities, investigate, and take action leveraging Snort rule IDs provided by Talos, when applicable (Figure 3).

Figure 3: “Zero Days” filter isolates all zero-day vulnerabilities in Kenna.VM Explore page

Vulnerability intelligence—your way

The last (but certainly not least) piece of the Kenna.VM Premier puzzle is the inclusion of Kenna’s recently enhanced vulnerability intelligence user interface (UI) and API. Kenna is known for its risk scoring, but what people may not realize is just how much data we consume and turn into finished, actionable intelligence. More than 18 threat and exploit intelligence feeds power our understanding of vulnerabilities, and our vulnerability intel API and UI make all of this information available to customers.

The UI provides a dashboard to research any CVE—regardless of whether or not a scanner found that vulnerability in the customer’s environment. Meanwhile, the API allows customers to query Kenna and export as much of our vulnerability intelligence on as many vulnerabilities as they wish, and use that data to enrich any existing IT, dev, or security workflows, including Cisco’s very own SecureX. The data set includes descriptions, publication dates, CVSS data, available exploits and fixes, insight into remotely exploitable vulnerabilities, and much more. Also provided is the Kenna Risk Score for each vulnerability and an indication of whether it is predicted to be exploitable—unique data points derived by Kenna’s data science.

Figure 4: Kenna’s vulnerability intel dashboard lets you research any CVE to see its risk score and other characteristics

This intelligence, combined with our new remediation scoring and Talos zero-day intelligence, rounds out the Kenna.VM Premier tier as the ideal package for any customer or prospect who is looking to take their vulnerability management program to the next stage of maturity.

Kenna.VM Premier is available today. If you’re interested in learning more, contact your sales representative or send us a demo request to unlock the next level of your vulnerability management journey.

Source: cisco.com