Tuesday, 11 June 2024

Security, the cloud, and AI: building powerful outcomes while simplifying your experience

Over the past year, I’ve spoken with hundreds of professionals about what they expect from their network security. This question is mostly met with equal parts enthusiasm and angst. As we wrap up another successful Cisco Live, I’m eager to share the deep insights I’ve gathered from these extensive conversations and how Cisco is actively addressing your security needs.

As organizations navigate application transformations and grapple with the intricacies of defending increasingly complex networks, they’re also confronting a new wave of technological advancements.

Naturally, these advancements can be a double-edged sword. While they offer the potential for enhanced security measures, they also empower threat actors, who can now exploit vulnerabilities with alarming speed and efficiency.

The overwhelming message is twofold: Organizations need help bolstering their security, but also in streamlining their processes. Integrating too many security tools alone has become its own source of complexity, diluting the focus on threats and stretching resources too thin.

This point was poignantly made during a recent conversation with a Chief Information Security Officer (CISO), who expressed a sentiment all too common in the industry. Faced with the prospect of integrating yet another security solution, the CISO lamented, “I can’t ask my team to adopt the 212th tool in our portfolio!”

The CISO’s frustration illustrates a critical challenge for security leaders: They must balance the adoption of necessary security measures with the practical limitations of their teams’ capacity and the potential for tool sprawl.

In response to this complexity, organizations are hungry for a more streamlined approach to security, one that prioritizes the consolidation of tools and the simplification of security policies without compromising the efficacy of defense mechanisms.

Meanwhile, cybersecurity organizations must deliver solutions that are not just robust and cutting-edge, but also manageable and user-friendly. This way we can empower security teams to effectively combat the threats of tomorrow while keeping their operational sanity today.

Vendors, point products, and a transition to the cloud

For many professionals, buying a specialized security product leads to something called “the Ferrari problem”. Like that expensive sports car, you’re purchasing something costly and specialized. The product may indeed do the specialized task very well. But security is not done in isolation—some level of integration will inevitability be required.

Thus, the expensive, specialized product opens the door to even more costly integrations (or, in the case of the car, costly repairs).

This doesn’t even count the disjointed security of working with different vendor solutions or the radical complexity of deploying a configuration or security policy across hundreds or thousands of branch offices.

There’s a reason many security professionals avoid updating their tools. With all this complexity, they’re afraid it will disrupt the business or the customer experience.

How Cisco is redefining effective, simplified security for the cloud

It’s no secret that Cisco built the backbone of switching and routing across the globe for our one million+ customers and partner ecosystem. And we’re currently responsible for facilitating 85% of the world’s internet traffic.

Now, we’ve taken another giant leap by launching Cisco Security Cloud Control.

Cisco Security Cloud Control is designed to unify management for the Cisco Security Cloud, starting with a network security fabric.

Security Cloud Control delivers an AI-native approach to proactively surface actionable insights and automate resolution across hybrid environments. It is designed to help teams get the most out of their Cisco Security investment, saving time and benefiting from simpler, streamlined policies.

Building robust security for complicated, ever-shifting cloud environments

With too many tools and too much complexity to manage, the only answer is a security system that seamlessly ties everything together. We’ve answered the call, building a platform that blends Cisco Hypershield, multi-cloud defenses, advanced firewalls, and microsegmentation technologies.

This platform can collect information across the system and explain what it finds in reports, and via a natural language interface, show the risks to sensitive business assets like PCI databases. You can even ask the system about its own insights and next steps.

But at its heart is the promise of comprehensive visibility and complete detection across every facet of the network, whether it’s ingress/egress at a cloud edge, data center edge, campus, or branch, all the way down to every process and connection from your applications and workloads.

The level of visibility and management from Security Cloud Control helps leaders focus on delivering the outcomes their teams need. From taking intent-based policies in one place and translating them throughout all the control points in your network to streamlining, troubleshooting and recommending policies that span multiple solutions, Cisco Security Cloud Control helps with it all.

And Security Cloud Control’s ability to translate the complex language of cybersecurity delivers an added benefit: the ability to explain and articulate what’s happening, and what you need, to decision-makers. The simplicity and clarity of its reports can help you keep leadership informed and engaged in your cybersecurity work.

At the core of this is, yes, AI technology, but not just a prompt-based assistant: this is AI driving proactive insights and actions across your network, and it will transform how you engage across the platform.

In essence, what we’ve built stands as a testament to the future of cybersecurity—a single platform that not only anticipates and neutralizes threats, it also empowers organizations to develop a more sophisticated, responsive, and resilient approach to protecting their digital assets.

It’s not just a powerful solution; it’s a strategic enabler for any enterprise looking to secure its future in an unpredictable cyber world, across network requirements that are only destined to become even more complex.

Source: cisco.com

Saturday, 8 June 2024

Cisco AI Assistant for Managing Firewall Policies Is Now Available

Cisco AI Assistant is now available for Cisco XDR and Cisco Defense Orchestrator

Managing firewall policies and locating relevant documentation can be daunting for firewall administrators. However, the AI Assistant integrated with the Cisco Defense Orchestrator (CDO) and the cloud-delivered Firewall Management Center simplifies these processes. With this powerful combination, administrators can effortlessly manage firewall devices, configure policies, and access reference materials whenever required, streamlining their workflow and boosting overall efficiency.

Prerequisites

Administrators need to ensure they have met the following prerequisites to use the AI Assistant:

User roles:

● CDO and cloud-delivered Firewall Management Center – Super Admin or Admin
● On-Prem FMC – Global Domain Admin

Upon successful login into your tenant, you will notice an AI Assistant button positioned in the top menu bar of the dashboard.

Click the AI Assistant button on the CDO or cloud-delivered Firewall Management Center home page to access the AI Assistant.

The Cisco AI Assistant interface contains the following components: Text Input Box, New Chat, Chat History, Expand View, and Feedback.

The Cisco AI Assistant interface follows established best practices for generative AI assistants.

AI Assistant interaction

AI Assistant completion with the prompt “Can you provide me with the distinct IP addresses that are currently blocked by our firewall policies?”

AI Assistant completion with the prompt “What access control rules are disabled?”

If you think a response is wrong, click the thumbs-down button below the related completion, then fill out and submit the feedback form.

AI Assistant can’t proceed with some prompts and questions. In this case, you can see the following completion:

(Screenshot: AI Assistant completion declining to answer the prompt)

It looks like the engineering team decided not to display answers when there is insufficient data to answer them correctly, or in cases where the model might hallucinate.

Source: cisco.com

Thursday, 6 June 2024

Funding a Whole of State Approach for your Community

The funds are incentivizing states to provide cybersecurity services to local governments rather than the usual method (passing-through cash). At present, at least thirty states are providing cybersecurity services to local and Tribal governments with more states expected to announce the rollout of whole of state cybersecurity.

As you consider how to leverage SLCGP grants for a whole of state approach, there are five things I suggest Cisco account managers and partners should be aware of.

1. Understanding SLCGP funding

Cisco customers, account managers, and partners should be familiar with how the SLCGP allocates funding to states and how states distribute funds or services to local governments. The “whole of state” approach aims to ensure that cybersecurity funding is not just allocated to states for state use; instead, at least 80% of funds must benefit local governments and rural communities. The local government cost-share or matching requirement begins at 10% in year one and rises to 40% in year four. SLCGP funds must supplement existing cybersecurity expenditures and may never supplant or replace approved and budgeted expenditures.

2. States select the vendors and cybersecurity services provided to local governments

Cisco account managers and partners should communicate to state customers why Cisco products and services ought to be available to local and rural governments. If a state creates a list of SLCGP-funded products and services for local governments, Cisco customers benefit most if Cisco products and services are on the list. States are not publishing the names of local governments awarded subgrants, nor details of cybersecurity services provided to named local governments.

3. Customer Cybersecurity Planning and Strategy

Development of comprehensive cybersecurity plans that include risk assessments, resource allocation, and incident response strategies is an eligible expense for state and local governments. Cisco account managers and partners should be prepared to contribute to these plans by offering their expertise in cybersecurity and by understanding the specific needs and challenges faced by their public sector clients.

4. Compliance and Best Practices

Recipients of SLCGP funds will be required to adhere to specified cybersecurity best practices and standards. Cisco account managers and partners need to be well-versed in these requirements, which may include frameworks like NIST (National Institute of Standards and Technology), to ensure that the solutions they are offering are compliant and can be funded by the grant.

5. Educational and Workforce Development

A portion of the grants may be allocated to cybersecurity education of the customer’s workforce. Cisco account managers and partners should be aware of Cisco’s own training and certification programs, such as the Cisco Networking Academy, which can be integrated into broader educational initiatives.

As you research funding for whole of state and other needs, it’s also important to stay updated on the latest announcements by state governments of state grant programs, competitive subgrants, and application deadlines. For the most current information, Cisco account managers and partners should reach out to your Cisco Public Funding Advisor. They’ll be glad to help answer any questions you may have about whole of state or other funding opportunities.

Source: cisco.com

Tuesday, 4 June 2024

Cisco Defense Orchestrator’s Path to FedRAMP Authorization

Cisco Defense Orchestrator is a cloud-based multi-device manager that enables consistent policy implementation across highly distributed environments. CDO’s centralized management allows rapid deployment of policy changes when minutes matter, and reusing policy objects across all firewall form factors reduces both administrative effort and organizational risk. Security teams that adopt CDO spend less time deploying and maintaining their firewalls and more time optimizing policies and managing threats.

Moving forward on FedRAMP

Cisco has made great progress in moving a variety of our solutions through the FedRAMP process. Created to encourage use of cloud computing, FedRAMP serves to streamline the exchange of information and accelerate services within federal agencies, plus improve their interaction with the public. In 2023, the FedRAMP Authorization Act was passed, codifying the FedRAMP program as the authoritative standardized approach to security assessment and authorization for cloud products and offerings.

With FedRAMP, federal agencies are provided a uniform framework for evaluating, approving, and continually overseeing cloud services. This includes procedures for security assessments, authorizations, and ongoing surveillance of cloud services utilized by federal entities. In addition, you should understand the following:

  • The US General Services Administration (GSA) administers FedRAMP in collaboration with the Department of Homeland Security (DHS) and the Department of Defense (DoD).
  • The compliance parameters set by FedRAMP are in alignment with the National Institute of Standards and Technology (NIST) Special Publication 800-53, which outlines technical standards for cloud computing.
  • FedRAMP also promotes adherence to the Federal Information Security Management Act (FISMA) and the OMB Circular A-130 by federal agencies.

The FedRAMP process and Cisco Defense Orchestrator

FedRAMP Authorization can be pursued with an individual agency sponsor or through multi-agency authorization. For CDO, Cisco is working with the United States National Institutes of Health (NIH) as the individual agency sponsor.

Preparation Phase

The initial phase with individual agency sponsorship is known as the Preparation Phase. It consists of two key steps if no sponsor agency is available: conducting a Readiness Assessment and engaging in Pre-Authorization activities.

Preparation Step 1: Readiness Assessment

The Readiness Assessment is an optional stage aimed at helping cloud offerings obtain a sponsor. Readiness assessments are performed by certified Third-Party Assessment Organizations (3PAOs), who produce a Readiness Assessment Report (RAR) that shows potential sponsoring agencies that the solution is ready to meet the federal government’s security standards.

Preparation Step 2: Pre-Authorization

If a sponsoring agency is available, you can go straight to Pre-Authorization, skipping the Readiness Assessment stage. Cisco has completed Pre-Authorization with NIH. This means the CDO team has implemented the requisite technical and procedural requirements and compiled the security documentation necessary for the authorization process.

During this phase, Cisco accomplished the following tasks:

  • Demonstrated that the CDO for government solution is fully built and functional.
  • Completed a CSP Information Form.
  • Determined the security categorization of the data that will be placed within the system utilizing the FIPS 199 categorization template along with the appropriate guidance of FIPS 199 and NIST Special Publication 800-60 Volume 2 Revision 1 to correctly categorize the CDO system based on the types of information processed, stored, and transmitted.

After the successful completion of a kickoff meeting with NIH on February 22, 2024, CDO achieved the In Process status on the FedRAMP Marketplace.

Authorization Phase

The next step is the Authorization Phase, which has two parts: Full Security Assessment and Agency Authorization Process.

Authorization Step 1: Full Security Assessment

The first authorization step is a full security assessment by a certified 3PAO. Before this assessment, Cisco completed the System Security Plan (SSP) and reviewed it with NIH. Schellman Compliance, LLC is the 3PAO responsible for the Security Assessment Plan (SAP) for CDO and for the Security Assessment Report (SAR), which will document test findings and recommendations relevant to attaining FedRAMP Authorization.

Once the 3PAO assessment is finished, Cisco develops a Plan of Action and Milestones (POA&M) outlining the plan to address the test findings in the SAR.

Authorization Step 2: Agency Authorization Process

The second authorization step is Agency Authorization, in which NIH will review the complete authorization package and may hold a SAR debrief with the FedRAMP Project Management Office. NIH will also implement, test, and document the customer-responsible controls during this phase. Then the NIH will perform a risk analysis and issue an Approval to Operate (ATO) when identified risks are sufficiently addressed.

At this point, CDO will have agency authorization to operate but still require review by the FedRAMP PMO to be included in the FedRAMP Marketplace. When finished, the FedRAMP PMO will update the Marketplace listing to reflect FedRAMP Authorized Status and the date of Authorization. The security package will then be made available to agency information security personnel, who can issue subsequent ATOs, by completing the FedRAMP Package Access Request Form.

Post-Authorization

Once CDO receives Authorization status in the FedRAMP Marketplace, it will enter a continuous monitoring phase to ensure ongoing protection of the system and government data. In this phase, Cisco submits regular security documentation—including vulnerability scans, refreshed Plans of Action and Milestones (POA&M), yearly security evaluations, reports on incidents, and requests for significant changes—to each of their agency clients. Cisco will make use of the FedRAMP secure repository to upload continuous monitoring content for all agencies that deploy CDO to review.

Leveraging the Cisco Federal Ops Stack

Cisco is leveraging the Cisco Federal Operational Security Stack (Fed Ops Stack) as a core component of the CDO FedRAMP process to speed future FedRAMP development and assessments. The Cisco Fed Ops Stack is a centralized set of tools and services that cover approximately 50% of FedRAMP Moderate requirements. Once Fed Ops Stack has received authorization to operate, along with CDO, Cisco can leverage these shared services in future SaaS products to make audits and continuous monitoring simpler for Cisco and federal agencies.

Pushing forward on CDO FedRAMP compliance

Our team at Cisco is fully committed to getting CDO FedRAMP compliant, so federal agencies can simplify their management of distributed security policies. We are pleased to have completed the Agency Review with our agency sponsor NIH and achieved In Process status. Watch for more updates as we get closer to full FedRAMP Authorization for CDO, the Cisco Fed Ops Stack, and additional SaaS offers from Cisco.
Source: cisco.com

Saturday, 1 June 2024

Managing Firewall complexity and Augmenting Effectiveness with AIOps for Cisco Firewall

Firewalls are a critical line of defense for any organization’s network security. But as companies grow and the threat landscape evolves, managing these firewalls becomes increasingly complex.

Security teams often find it challenging to stay updated with the ongoing changes and adjustments required for firewall settings and rules to adapt to new threats, network changes, and compliance requirements. Often this leads to security gaps and vulnerabilities if not managed correctly.

One of the main risks associated with firewall management is misconfiguration. The process of manually reviewing and configuring firewalls is not only laborious but also susceptible to human error, which can create exploitable weaknesses in a network’s defenses. Gartner has forecasted that misconfigurations will account for 99% of firewall breaches by the year 2025, highlighting the need for a more reliable and automated management solution.

Additionally, the cybersecurity industry is facing a skills shortage, making it difficult for organizations to hire professionals who possess the depth of knowledge required to leverage all the features a firewall offers. This shortage can lead to security tools being underutilized, meaning that companies aren’t seeing the full potential return on their investment in these technologies.

Lastly, traditional firewall management tends to be reactive rather than proactive. Security teams often find themselves in a position where they are addressing issues after they have already arisen, rather than anticipating and preventing them. This can lead to costly downtime and security breaches.

These challenges highlight the need for a new approach to firewall management.

What is AIOps for Cisco Firewalls?

Imagine your firewall fueled by AI and machine learning (ML) that correlates data, predicts issues, identifies the reasons for failures or potential failures from that data, provides recommendations, and then automates tasks to enhance overall efficiency and security. That’s essentially what AIOps for Firewalls is!

AIOps analyzes massive amounts of data such as firewall logs, alerts, metrics, and network activity patterns using a range of models. It can detect complex patterns, guide remediation efforts, and even automate responses to enhance both efficiency and security.

Traditional firewall management is reactive, but AIOps takes a proactive stance. It anticipates problems before they happen, preventing downtime and headaches.

Think of it like this: Imagine your car with advanced driver-assistance systems that warn you about lane departures. AIOps for Firewalls is like having a self-driving car for your cloud and network security. It continuously monitors your configuration and traffic, identifies potential hazards such as usage spikes, misconfigurations, best practices, and security threats, and guides you to take corrective actions to keep your system secure.

Our Approach: The Path to an Autonomous Firewall Future

Like Tesla’s journey towards self-driving cars, Cisco is on a quest to infuse its AIOps for Firewalls with greater intelligence and automation.

You can expect an era of intelligent alerting where the system delivers clear, actionable alerts that cut through the noise, prioritizing the most critical issues and conveying a sense of urgency where needed. This means an end to the flood of irrelevant notifications, enabling security teams to focus on what truly matters. Its smart event correlation will connect disparate events to highlight unusual patterns, improving threat detection.

Furthermore, AIOps will detect anomalous behavior using dynamic baselines and offer forecasting abilities to predict and prevent potential issues using multiple advanced forecasting models.

It will also provide precise remediation suggestions powered by GenAI, assisting in rapid problem resolution. Ultimately, the goal is to achieve self-healing or automated remediation, minimizing the need for human intervention and ensuring consistent network uptime and security.

The Benefits for You

Imagine a world where your business operations are rarely interrupted by network outages/downtime. With near zero downtime, you can say goodbye to those stressful moments scrambling to get things back online. This translates to smoother workflows, happier customers, and a more productive work environment.

But that’s not all, your investment in a firewall is amplified. A well-maintained firewall with maximized effectiveness becomes an impenetrable shield, keeping your business safe from ever-changing threats. Imagine having the peace of mind that comes with knowing your data and operations are constantly protected by a robust security posture. This is the reality that awaits you with the right tools and strategies.

Beyond Management: AIOps for Cisco Firewall

AIOps identifies areas where your defenses could be strengthened and provides Best Practice Recommendations to close any security gaps. It also ensures you’re getting the most out of your firewall investment by providing a clear picture of which features you’re using, and which ones remain untapped. This allows you to maximize your return on investment by leveraging the full potential of your firewall’s capabilities.

It delves deep into your firewall policies and provides optimization recommendations, acting like a security policy editor/auditor. Furthermore, AIOps acts like a real-time traffic cop, constantly monitoring your network. It provides insightful analysis of historical and real-time traffic patterns, helping you identify and resolve any issues quickly.

Best Practice Recommendations & Feature Adoption for Stronger Defense

Imagine an offering that allows you to survey the entire landscape of your security ecosystem through a unified dashboard. This scans your network to identify security lapses and opportunities for optimization, aligning with best practices widely recognized across the industry.

It addresses potential concerns, pinpointing vulnerabilities like misconfigured network translations, excessive logging that clogs your system, or outdated security measures. The dashboard also highlights urgent threats like unaddressed security advisories and missing backups, while flagging inefficient resource usage and potential compliance gaps.

This comprehensive overview empowers you to optimize your network configuration, ensure secure log storage, and streamline your defenses for maximum protection.

Policy Insights with Policy Analyzer & Optimizer

This essential service conducts an in-depth review and enhancement of firewall policies, pinpointing and rectifying redundancies, duplications, overlapping, shadowed, and mergeable rules, as well as those that are expired or inactive. By providing tailored remediation recommendations, it ensures that firewall policies remain streamlined and efficient, significantly cutting down on deployment time.
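The rule defects listed above can be detected mechanically once each rule is compared with the active rules ordered before it. The following is an added example, not Cisco's Policy Analyzer: a toy analyzer over a constructed first-match policy (rule names, CIDRs and the fixed "today" date are all constructed) that flags redundant, shadowed, overlapping, mergeable, expired and inactive rules.

```python
"""Toy first-match firewall policy analyzer flagging redundant, shadowed,
overlapping, mergeable, expired and inactive rules.
Constructed example; not Cisco's Policy Analyzer."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    src: str                 # source CIDR
    dst: str                 # destination CIDR
    proto: str               # "tcp", "udp" or "any"
    ports: Tuple[int, int]   # inclusive destination port range
    enabled: bool = True
    expires: Optional[date] = None


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every packet matched by `inner` is also matched by `outer`."""
    if outer.proto not in ("any", inner.proto):
        return False
    if not ip_network(inner.src).subnet_of(ip_network(outer.src)):
        return False
    if not ip_network(inner.dst).subnet_of(ip_network(outer.dst)):
        return False
    return outer.ports[0] <= inner.ports[0] and inner.ports[1] <= outer.ports[1]


def intersects(a: Rule, b: Rule) -> bool:
    """True when at least one packet is matched by both rules."""
    proto_ok = "any" in (a.proto, b.proto) or a.proto == b.proto
    return (proto_ok
            and ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1])


def mergeable(a: Rule, b: Rule) -> bool:
    """Same action and endpoints, with destination port ranges that touch."""
    same_tuple = (a.action, a.src, a.dst, a.proto) == (b.action, b.src, b.dst, b.proto)
    touching = a.ports[1] + 1 == b.ports[0] or b.ports[1] + 1 == a.ports[0]
    return same_tuple and touching


def analyze(rules: List[Rule], today: date) -> List[Tuple[str, str, str]]:
    """Return (finding, rule name, detail) for an ordered first-match policy.

    Each rule is compared with the active rules above it, because a packet
    stops at the first rule that matches it."""
    findings = []
    active: List[Rule] = []
    for rule in rules:
        if not rule.enabled:
            findings.append(("inactive", rule.name, "rule is disabled"))
            continue
        if rule.expires is not None and rule.expires < today:
            findings.append(("expired", rule.name, f"expired on {rule.expires}"))
            continue
        for earlier in active:
            if covers(earlier, rule):
                # Never reachable: same action -> redundant, different -> shadowed.
                kind = "redundant" if earlier.action == rule.action else "shadowed"
                findings.append((kind, rule.name, f"fully covered by {earlier.name}"))
                break
            if earlier.action != rule.action and intersects(earlier, rule):
                # Reachable, but part of its traffic is decided by an earlier rule.
                findings.append(("overlapping", rule.name,
                                 f"partially overlaps {earlier.name} with a different action"))
                break
            if mergeable(earlier, rule):
                findings.append(("mergeable", rule.name, f"contiguous ports with {earlier.name}"))
                break
        active.append(rule)
    return findings


TODAY = date(2024, 6, 1)  # fixed reference date so the expiry check is deterministic

# Constructed sample policy (RFC 5737 documentation addresses as destinations).
SAMPLE_POLICY = [
    Rule("allow-web", "allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", (80, 80)),
    Rule("allow-web-hr", "allow", "10.1.0.0/16", "192.0.2.10/32", "tcp", (80, 80)),
    Rule("deny-web-guest", "deny", "10.2.0.0/16", "192.0.2.10/32", "tcp", (80, 80)),
    Rule("allow-web-81", "allow", "10.0.0.0/8", "192.0.2.10/32", "tcp", (81, 81)),
    Rule("allow-db", "allow", "10.0.0.0/8", "192.0.2.20/32", "tcp", (3306, 3306), enabled=False),
    Rule("allow-temp", "allow", "10.0.0.0/8", "192.0.2.30/32", "tcp", (22, 22), expires=date(2024, 1, 1)),
    Rule("deny-ssh", "deny", "10.0.0.0/8", "192.0.2.0/24", "tcp", (22, 22)),
    Rule("allow-ssh-dmz", "allow", "10.0.0.0/9", "192.0.2.0/23", "tcp", (22, 22)),
]


def sample_findings() -> Dict[str, str]:
    """Map each flagged rule of SAMPLE_POLICY to its finding kind."""
    return {name: kind for kind, name, _ in analyze(SAMPLE_POLICY, TODAY)}


if __name__ == "__main__":
    for kind, name, detail in analyze(SAMPLE_POLICY, TODAY):
        print(f"{kind:11} {name:15} {detail}")
```

Note that the order of the rules decides the finding: `deny-web-guest` is shadowed only because `allow-web` sits above it, so moving it up would turn the finding into an overlap against `allow-web` instead.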

Traffic & Capacity Insights

Traffic & Capacity Insights offer both real-time and historical analyses of network traffic, aiding in identifying and resolving current problems and forecasting future ones. Administrators often lack visibility into sudden surges in network usage.

For instance, large, long-lived data transfers, known as elephant flows, have the potential to burden firewall devices, which can result in dropped traffic, a weakened security posture, and diminished firewall efficiency. By monitoring these extensive network flows, firewalls can predict their impact on resources like CPU and memory.

Utilizing AIOps insights, we can proactively recommend strategies such as rerouting low-risk applications and regulating high-risk ones to streamline network traffic. This proactive approach enables administrators to address issues before they escalate.

Conclusion

By incorporating AIOps into our services, we are advancing beyond mere firewall management by simplifying operations and improving security posture.

We are adopting a more intelligent and proactive methodology to safeguard and optimize the performance and security of your network infrastructure through insights into traffic, capacity, operations, and health. Coming soon from Cisco Security Cloud Control, also known as Cisco Defense Orchestrator.

Source: cisco.com

Thursday, 30 May 2024

Navigating DORA (Digital Operational Resilience Act) with Secure Workload

Over the past decade, the cyber threat landscape has undergone a significant transformation, escalating from isolated attacks by lone wolves to sophisticated, coordinated breaches by state-sponsored entities and organized crime groups. During this period of change, cybersecurity has often been a secondary thought for enterprises, frequently addressed through reactive measures insufficient to counteract such advanced threats. However, we’re witnessing a pivotal shift, predominantly driven by regulatory bodies, toward establishing harmonized guidelines that can keep pace with the dynamic nature of cyber threats.

The Digital Operational Resilience Act (DORA) represents one such proactive stride in this direction. Targeted at the European Union (EU) financial sector and built around five core pillars, DORA advocates for a risk-based framework that enhances the sector’s capabilities to prevent, respond to, and recover from cyber incidents.

Figure 1: DORA Core Pillars

How can you leverage Secure Workload to prepare for DORA?

While DORA does not dictate precise technical requirements, it provides the groundwork for a risk-based shift in cybersecurity. Secure Workload serves as a pivotal tool in this transition, enabling organizations to understand risk, prevent and mitigate risk, and report risks associated with their application workloads.

1. Understanding Risk

To understand risk, you must have visibility to know what is happening in your environment. Secure Workload delivers in-depth insights into how your workloads communicate and behave, including identifying any vulnerable packages installed. You can quickly answer questions such as:

◉ “Are my workloads utilizing approved enterprise services for common services such as DNS or NTP?”
◉ “Am I vulnerable to a specific vulnerability?”
◉ “What is the risk of that vulnerability? Is it easily exploitable?”
◉ “Are my workloads using insecure or obsolete transport session protocols and ciphers?”
◉ “Are my financial application workloads communicating to non-production environments?”
◉ “How is my financial application communicating to external dependencies?”
◉ “Is it communicating to malicious networks?”

Figure 2: Application Dependency Map and Traffic Flow Search

Figure 3: Vulnerability Risk Information Distribution

2. Preventing and Mitigating Risk

Once the risk is understood, it is time to act. This action can take the form of proactive controls and compensating controls.

◉ Proactive Controls: Secure Workload microsegmentation policies allow you to create fine-grained allow-list policies for applications by discovering their dependencies. Additionally, guardrail policies can be established to restrict communications from risk-prone environments to your production workloads, for example: non-production cannot talk to production workloads, the PCI Cardholder Data Environment cannot talk to PCI out-of-scope systems, or the OT network cannot communicate with the data center. These guardrails help contain lateral movement and reduce the blast radius.

Figure 4: Proactive Segmentation Controls with Microsegmentation

◉ Compensating Controls: Even in the worst-case scenario, where a new zero-day vulnerability is disclosed or ransomware hits the organization, Secure Workload can rapidly act on this and restrict communications. For example, you can quarantine a workload based on multiple attributes, such as CVE information, CVE score, or even the access vector assessment. You can also choose to leverage Virtual Patch through the Secure Firewall integration to protect your workloads against exploits while the patch is applied. Even in the scenario that a workload changes its behavior (e.g., from trusted to untrusted due to an intrusion event or malware event), you can leverage Secure Firewall intelligence through FMC (Firewall Management Center) to quarantine workloads.

Figure 5: Compensating Control with Virtual Patch

Figure 6: Change-in Behavior Controls
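The two control types above, an allow-list built from discovered dependencies with environment guardrails layered over it, plus a quarantine driven by CVE score and access vector, as an added example that is not Secure Workload code. Workload labels, the allow-list, the guardrails and the CVE records are constructed; the CVE identifiers are placeholders, and only the attack-vector (AV) and attack-complexity (AC) metrics of a CVSS v3 vector string are read:

```python
"""Allow-list microsegmentation with guardrails and a CVE-driven quarantine.

Added example, not Secure Workload code. Workload labels, the allow-list, the
guardrails and the CVE records are constructed; the CVE identifiers are
placeholders. Only the attack-vector (AV) and attack-complexity (AC) metrics
of a CVSS v3 vector string are used.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Workload:
    name: str
    env: str                 # "prod" | "nonprod"
    scope: str               # "cde" | "out-of-scope" | "ot" | "dc"
    cves: List[Tuple[str, float, str]] = field(default_factory=list)  # (id, base score, vector)


@dataclass
class Policy:
    allow: List[Tuple[str, str, int]]              # discovered dependencies: (consumer, provider, port)
    guardrails: List[Tuple[str, str, str, str]]    # (src attr, src value, dst attr, dst value) -> deny
    quarantine_score: float = 9.0                  # compensating-control threshold


def parse_cvss(vector: str) -> Dict[str, str]:
    """'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}"""
    return dict(part.split(":", 1) for part in vector.split("/")[1:])


def needs_quarantine(w: Workload, threshold: float) -> bool:
    """True when a CVE is severe, network-reachable and low complexity."""
    for _cve_id, score, vector in w.cves:
        metrics = parse_cvss(vector)
        if score >= threshold and metrics.get("AV") == "N" and metrics.get("AC") == "L":
            return True
    return False


def decide(policy: Policy, src: Workload, dst: Workload, port: int) -> Tuple[str, str]:
    """Evaluate one flow. Order: quarantine, then guardrails, then allow-list, then default deny."""
    if needs_quarantine(src, policy.quarantine_score) or needs_quarantine(dst, policy.quarantine_score):
        return "deny", "quarantine"
    for sattr, sval, dattr, dval in policy.guardrails:
        if getattr(src, sattr) == sval and getattr(dst, dattr) == dval:
            return "deny", f"guardrail {sattr}={sval}->{dattr}={dval}"
    if (src.name, dst.name, port) in policy.allow:
        return "allow", "allow-list"
    return "deny", "default"


# Constructed inventory. CVE ids are placeholders, not real advisories.
WORKLOADS = {w.name: w for w in [
    Workload("web-prod", "prod", "dc",
             cves=[("CVE-0000-PLACEHOLDER-A", 7.8, "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H")]),
    Workload("app-prod", "prod", "cde"),
    Workload("db-prod", "prod", "cde"),
    Workload("report-prod", "prod", "out-of-scope"),
    Workload("build-dev", "nonprod", "dc"),
    Workload("plc-ot", "prod", "ot"),
    Workload("legacy-prod", "prod", "dc",
             cves=[("CVE-0000-PLACEHOLDER-B", 9.8, "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H")]),
]}

POLICY = Policy(
    allow=[
        ("web-prod", "app-prod", 8443),
        ("app-prod", "db-prod", 5432),
        ("build-dev", "app-prod", 8443),   # discovered, but a guardrail overrides it
        ("legacy-prod", "db-prod", 5432),  # discovered, but quarantine overrides it
    ],
    guardrails=[
        ("env", "nonprod", "env", "prod"),           # non-production cannot talk to production
        ("scope", "cde", "scope", "out-of-scope"),   # CDE cannot talk to out-of-scope
        ("scope", "ot", "scope", "dc"),              # OT cannot talk to the data center
    ],
)


def evaluate(src: str, dst: str, port: int) -> Tuple[str, str]:
    return decide(POLICY, WORKLOADS[src], WORKLOADS[dst], port)


if __name__ == "__main__":
    for s, d, p in [("web-prod", "app-prod", 8443), ("build-dev", "app-prod", 8443),
                    ("app-prod", "report-prod", 443), ("plc-ot", "web-prod", 502),
                    ("legacy-prod", "db-prod", 5432), ("web-prod", "db-prod", 5432)]:
        print(f"{s} -> {d}:{p}", evaluate(s, d, p))
```

The evaluation order is the point: a discovered dependency never outranks a guardrail, and a guardrail never outranks a quarantine, so a dependency that was legitimately learned from non-production traffic cannot become a path into production. The quarantine rule keys on the CVSS attack vector, so a local-only CVE on web-prod does not isolate it, whereas the network-reachable, low-complexity CVE on legacy-prod does, regardless of its allow-list entry.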

3. Reporting Risk


DORA mandates that major ICT-related incidents be reported to the relevant competent authorities. Because of this, reporting becomes a paramount process within the organization. Secure Workload offers multiple options for reporting, ranging from near real-time visualization dashboards and reports to detailed point-in-time retrospectives of incidents.

  • Security Dashboard: Provides a high-level overview of the security posture and hygiene of the environment.
  • Vulnerability Dashboard: Displays current CVEs within the environment along with a detailed assessment of their potential impact on confidentiality, integrity, and availability. Additional metrics such as risk score, exploitability, and complexity are also included.
  • Reporting Dashboard: Presents a detailed view tailored to specific roles like SecOps and NetOps. An important capability to mention here is how the security summary maps to the MITRE ATT&CK framework, a modern risk-based approach to detecting adversaries. Secure Workload has multiple forensic rules mapped to MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures), allowing one to identify an adversary and follow every step taken to compromise, exploit, and exfiltrate data.

Figure 7: Security Summary in Compliance Reports

Figure 8: Forensic Event Incident

Key Takeaways


While navigating the requirements of DORA may seem daunting, the right tools can revolutionize your organization’s approach to Cyber Resilience with a risk-centric focus. Secure Workload can be instrumental in facilitating this transformation, enabling your organization to achieve:

  • Strategic Cyber Resilience: Secure Workload can be a strategic enabler for aligning with DORA’s vision. Transitioning from a reactive cybersecurity stance to a proactive, risk-based approach prepares your organization to anticipate and counteract the evolving cyber threat landscape.
  • Comprehensive Risk Insights: With granular visibility into application workload communications, dependencies, and vulnerabilities, coupled with the implementation of robust microsegmentation and compensating controls, Secure Workload equips you with the capabilities to not only understand but also to effectively mitigate risks before they materialize into breaches.

Source: cisco.com

Tuesday, 28 May 2024

Demystifying Multicloud Networking with Cisco Multicloud Defense

In today’s modern IT environment, most organizations leverage both the public cloud and private data center to house critical business applications. In many cases, these applications require communication with other applications to execute a particular need for the business. A common challenge among the customers I have spoken with is that they have applications in one environment that need to talk to applications in another environment, but they don’t want to send that data directly over the internet.

I don’t blame them: enterprises want to minimize their internet exposure as much as possible, hiding internal apps away from the internet.

Traditionally, organizations have leaned on dedicated connection (or cloud-native) services like AWS Direct Connect or Azure ExpressRoute to connect applications in the public cloud to the private data center. While these methods are high-speed options that facilitate connections between the public cloud and private data center, these connections are costly at scale, are not encrypted using IPsec, do not facilitate cloud-to-cloud connectivity, and require different configuration depending on the cloud environment.

To solve these challenges, Cisco has released new multicloud networking capabilities enabling scalable, secure site-to-cloud and cloud-to-cloud connectivity. These features use Cisco VPN code on the Multicloud Defense Egress Gateway and BGP routing for better connectivity across your cloud environment.

Figure 1: Applications are deployed everywhere

Why Multicloud Networking?


Customers can leverage multicloud networking from Cisco to build highly secure connections between applications and environments using a simplified architecture and workflow. This means organizations can easily connect applications from one environment to another at scale while also keeping operations in house to reduce cost. Our multicloud networking capabilities use widely adopted route-based VPN and BGP routing for secure connections and automated network advertisements. These multicloud networking capabilities can be described as:

◉ Site-to-cloud networking: Secure connectivity between the data center and the cloud
◉ Cloud-to-cloud networking: Secure connectivity between clouds

A Closer Look


To build site-to-cloud and cloud-to-cloud connections, customers would leverage Cisco Defense Orchestrator for establishing fully orchestrated and automated IPsec tunnels between environments. The platform uses BGP for optimized, resilient routing, allowing for the secure connection between the data center and the cloud (site-to-cloud) and between clouds (cloud-to-cloud).

When building a site-to-cloud connection, customers would use Cisco Secure Firewall (either physical or virtual appliance) at the data center edge and a Multicloud Defense Gateway at the cloud edge for the beginning and the end of the connection. For multicloud deployments that require cloud-to-cloud connectivity, multiple Multicloud Defense Gateways would be used. Site-to-cloud and cloud-to-cloud networking capabilities can be supported in both centralized and distributed security models.

The Multicloud Defense Gateway is based on a single-pass architecture and includes VPN code embedded in the data path pipeline. This enables direct termination of route-based IPsec VPN on the egress gateway. Route-based VPN is used with BGP routing for automated CIDR advertisement: as soon as the IPsec tunnel is terminated on the egress gateway, it advertises and learns all the networks using BGP, enabling automated traffic steering.
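The behaviour this paragraph describes, a tunnel coming up, CIDRs being exchanged over BGP and traffic being steered by the resulting routes, modelled as an added example. This is not Multicloud Defense or Secure Firewall code: it exchanges no IPsec or BGP packets, the gateway names, ASNs and CIDRs are constructed, and each gateway advertises only its own CIDRs (no transit re-advertisement):

```python
"""Route-based VPN plus BGP: prefixes learned per tunnel drive traffic steering.

Added example, not Multicloud Defense or Secure Firewall code. Gateway names,
ASNs and CIDRs are constructed. Once a tunnel is up, the peer's CIDRs are
learned over (simulated) BGP and installed as routes pointing at that tunnel;
when the tunnel drops, those routes are withdrawn.
"""
import ipaddress
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network


class EgressGateway:
    def __init__(self, name: str, local_cidrs: List[str], asn: int):
        self.name = name
        self.asn = asn
        self.local = [ipaddress.ip_network(c) for c in local_cidrs]
        self.tunnels: Dict[str, "EgressGateway"] = {}   # tunnel id -> peer gateway
        self.rib: Dict[IPNet, str] = {}                 # learned prefix -> tunnel id

    def advertised(self) -> List[IPNet]:
        """What this gateway announces: its own CIDRs only (no transit here)."""
        return list(self.local)

    def bgp_update(self, tunnel: str, prefixes: List[IPNet], withdraw: bool = False) -> None:
        """Install or withdraw prefixes learned from the peer on a given tunnel."""
        for p in prefixes:
            if withdraw:
                if self.rib.get(p) == tunnel:
                    del self.rib[p]
            else:
                self.rib[p] = tunnel

    def add_local_cidr(self, cidr: str) -> None:
        """A new VPC/VNet CIDR is announced to every peer; no tunnel config changes."""
        net = ipaddress.ip_network(cidr)
        self.local.append(net)
        for tid, peer in self.tunnels.items():
            peer.bgp_update(tid, [net])

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match; None means no tunnel carries this destination."""
        ip = ipaddress.ip_address(dst)
        best = None
        for prefix, tun in self.rib.items():
            if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, tun)
        return best[1] if best else None


def bring_up_tunnel(a: EgressGateway, b: EgressGateway, tunnel_id: str) -> None:
    """Simulates IPsec establishment followed by the BGP session over the tunnel."""
    a.tunnels[tunnel_id] = b
    b.tunnels[tunnel_id] = a
    a.bgp_update(tunnel_id, b.advertised())
    b.bgp_update(tunnel_id, a.advertised())


def tear_down_tunnel(a: EgressGateway, b: EgressGateway, tunnel_id: str) -> None:
    """Tunnel loss withdraws every prefix learned over it on both sides."""
    a.bgp_update(tunnel_id, b.advertised(), withdraw=True)
    b.bgp_update(tunnel_id, a.advertised(), withdraw=True)
    a.tunnels.pop(tunnel_id, None)
    b.tunnels.pop(tunnel_id, None)


def build_topology():
    """Constructed site-to-cloud and cloud-to-cloud topology."""
    dc = EgressGateway("dc-firewall", ["10.0.0.0/16"], 65000)
    aws = EgressGateway("aws-egress", ["172.16.0.0/16"], 65001)
    azure = EgressGateway("azure-egress", ["192.168.0.0/16"], 65002)
    bring_up_tunnel(dc, aws, "dc-aws")
    bring_up_tunnel(dc, azure, "dc-azure")
    bring_up_tunnel(aws, azure, "aws-azure")
    return dc, aws, azure


if __name__ == "__main__":
    dc, aws, azure = build_topology()
    print("dc -> 172.16.5.5 via", dc.lookup("172.16.5.5"))
    aws.add_local_cidr("172.17.0.0/16")
    print("dc -> 172.17.0.5 via", dc.lookup("172.17.0.5"))
    tear_down_tunnel(aws, azure, "aws-azure")
    print("aws -> 192.168.1.1 via", aws.lookup("192.168.1.1"))
```

The contrast with a policy-based VPN is in add_local_cidr: a newly attached VPC CIDR reaches every peer's routing table through the BGP session alone, with no crypto selector or static route edited on either end, and a tunnel failure cleanly removes the routes it carried instead of leaving traffic to match a stale selector.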

Figure 2: Multicloud Networking

Site-to-cloud Networking


Cisco Multicloud Defense and Cisco Defense Orchestrator provide an automated way to build highly secure, fully automated VPN tunnels between data centers and cloud environments.

Figure 3: Site-to-cloud networking (centralized security model)

Figure 3 shows that on-premises Secure Firewall appliances (physical or virtual) are managed by Cisco Defense Orchestrator and the Multicloud Defense egress gateways are managed by the Multicloud Defense Controller.

Cisco Defense Orchestrator orchestrates VPN configuration on the on-premises firewalls as well as talks to the Cisco Multicloud Defense Controller using APIs. This API communication between Cisco Defense Orchestrator and the Multicloud Defense Controller enables the orchestration of VPN configuration on the Multicloud Defense egress gateway(s). This approach provides customers with fully orchestrated secure IPsec connections, enabling secure connectivity between the data center and the cloud.

Figure 4: Site-to-cloud networking (distributed security model)

Figure 4 shows how Cisco also supports site-to-cloud networking in a distributed security model using Cisco Defense Orchestrator, Secure Firewall, the Multicloud Defense Controller, and the Multicloud Defense egress gateway.

Cloud-to-cloud Networking


Cisco Multicloud Defense provides an automated way to build highly secure, fully automated VPN tunnels between cloud environments. IPsec tunnels are terminated on the Multicloud Defense egress gateways.

Figure 5: Cloud-to-cloud networking (centralized security model)

Figure 5 shows that the application VPC in AWS and the application VNet in Azure are protected using an egress gateway in the centralized deployment model. The Cisco Multicloud Defense Controller orchestrates IPsec VPN between the egress gateways in Azure and AWS.

Figure 6: Cloud-to-cloud networking (distributed security model)

Figure 6 shows how Cisco also supports cloud-to-cloud networking in a distributed security model using Cisco Defense Orchestrator, the Multicloud Defense Controller, and multiple Multicloud Defense egress gateways.

The new multicloud networking capabilities add fully orchestrated VPN tunnels where IPsec tunnels are formed between networks advertised in the BGP domain. In addition to secure connectivity, customers need a way to enable threat-centric policies between source and destination subnets. To solve this challenge, Cisco is enabling common security objects across on-premises Cisco firewalls and Multicloud Defense Gateways with the new Hybrid Segmentation feature.

Hybrid Segmentation


For the site-to-cloud connectivity use case, sharing network objects between Secure Firewall, Multicloud Defense, and Cisco Defense Orchestrator simplifies the hybrid segmentation policy creation process for administrators by pooling objects into one centralized location. This reduces complexity, minimizes human error when creating new objects, and removes duplicative processes.

Static object sharing


Static network objects can now be shared between Cisco Multicloud Defense and Cisco Defense Orchestrator (CDO).

Figure 7: Hybrid Segmentation (Static Object sharing)

Figure 7 shows objects being shared between CDO and the Multicloud Defense Controller. Object “db” is imported from CDO, and objects “app1-aws” and “app2-aws” are automatically synchronized from the Cisco Multicloud Defense Controller.

Administrators can now configure the following policy in both CDO and the Multicloud Defense Controller:

◉ Policy on CDO and Multicloud Defense Controller: Allow app1-aws, app2-aws access to db

In addition to secure VPN connectivity, advanced threat security features can also be enabled on the Multicloud Defense Egress Gateway.

Conclusion

Modern enterprises are becoming an increasingly complex spiderweb of connections between on-premises data centers, branch locations, cloud VPCs, cloud regions, and cloud accounts. The traditional approach of building direct connections between all the networks, or manually managing IPsec connectivity, adds a lot of complexity. Cisco has brought together Cisco Defense Orchestrator, Secure Firewall, and Multicloud Defense to manage the creation of connectivity across all the environments, ensuring applications can reach the destinations they require. Through these capabilities, customers achieve greater control while reducing cost by bringing operations in-house. In addition to building secure connections, these solutions together also simplify policy creation for customers by way of network object sharing between environments, reducing the risk of human error when building policy and minimizing complexity across environments.

Source: cisco.com