Tuesday, 30 July 2024

Blueprint to Cisco 300-445 ENNA Success: A Step-by-Step Guide

Top 7 Study Tips for Cisco 300-445 ENNA Certification Success

The Cisco 300-445 ENNA certification is a pivotal milestone for network professionals aiming to excel in enterprise network assurance. This comprehensive guide will walk you through what the Cisco CCNP Enterprise certification entails, how to start preparing for it, the exam content, and who should consider earning it.

Cisco 300-445 ENNA Exam Overview

The Cisco 300-445 ENNA, or Cisco Designing and Implementing Enterprise Network Assurance, is a certification that validates a professional’s expertise in designing, implementing, and maintaining enterprise network assurance. This certification focuses on ensuring the reliability, availability, and performance of network systems within an enterprise, which is critical for maintaining seamless business operations.

Achieving the Cisco CCNP Enterprise (300-445 ENNA) certification demonstrates that you possess the skills to utilize Cisco's tools and technologies to monitor and manage network performance, troubleshoot issues, and optimize network operations. This certification is part of Cisco's broader professional certification program, which aims to provide network professionals with the knowledge and skills needed to meet the demands of modern IT environments.

300-445 ENNA Exam Info:

  • Exam Name: Cisco Designing and Implementing Enterprise Network Assurance
  • Exam Price: $300 USD
  • Duration: 90 minutes
  • Number of Questions: 55-65
  • Passing Score: Variable (750-850 / 1000 Approx.)

What's On the Cisco 300-445 ENNA Exam?

The Cisco 300-445 ENNA (Implementing Cisco Enterprise Network Assurance) exam is a critical certification for IT professionals looking to validate their skills in enterprise network assurance. The exam covers a comprehensive array of topics that are essential for maintaining and optimizing enterprise networks. Here is an in-depth look at the key areas covered in the Cisco 300-445 ENNA exam:

1. Network Assurance Principles

Understanding Network Assurance: The exam begins with a foundational understanding of network assurance principles. Candidates need to comprehend methodologies such as performance monitoring, fault management, and Service Level Agreement (SLA) management. These principles are crucial for ensuring that network services meet predefined performance standards and reliability metrics.

2. Cisco DNA Center Assurance

Implementing Cisco DNA Center: A significant portion of the exam focuses on Cisco DNA Center, a centralized management dashboard. Candidates must demonstrate proficiency in configuring, deploying, and troubleshooting network assurance features within Cisco DNA Center. This includes understanding how to utilize the platform for continuous monitoring and maintaining optimal network performance.

3. Network Data Analytics

Leveraging Analytics Tools: Network data analytics is a vital skill assessed in this exam. Candidates should be adept at using various analytics tools and techniques to gather, analyze, and interpret data on network performance. This involves understanding how to convert raw data into actionable insights to improve network operations.

4. Telemetry and Monitoring

Deploying Telemetry Solutions: The exam tests knowledge on the deployment and configuration of telemetry and monitoring solutions. Candidates need to understand how to implement these solutions to ensure continuous network reliability and performance. This includes familiarity with protocols and tools that facilitate real-time data collection and analysis.

5. Automation and Programmability

Enhancing Network Operations: Automation and programmability are increasingly important in modern network environments. The Cisco 300-445 exam requires candidates to incorporate automation into network assurance practices. This reduces manual intervention, enhances efficiency, and ensures consistency in network operations. Understanding scripting languages and automation frameworks is essential.

6. Troubleshooting

Diagnosing Network Issues: Effective troubleshooting is a critical component of network assurance. Candidates must be able to diagnose and resolve network performance issues using Cisco tools and methodologies. This includes being familiar with various troubleshooting techniques and tools that help identify and fix network problems promptly.

7. Security Assurance

Ensuring Network Security: Lastly, the exam covers security assurance as part of the overall network assurance strategy. Candidates must ensure that network security compliance and integrity are maintained. This involves understanding security protocols, implementing security policies, and ensuring that network configurations do not introduce vulnerabilities.

Who Should Earn the 300-445 ENNA?

The Cisco 300-445 ENNA certification is ideal for network professionals who are responsible for ensuring the reliability and performance of enterprise networks. Specifically, it is suitable for:

  • Network Engineers
    • Professionals who design, implement, and manage enterprise networks will benefit from the skills validated by this certification.
  • Network Administrators
    • Administrators tasked with maintaining network performance and troubleshooting issues will find the certification invaluable.
  • Network Operations Specialists
    • Specialists focused on monitoring and optimizing network operations can enhance their expertise through this certification.
  • IT Managers
    • IT managers overseeing network teams will gain insights into best practices for network assurance, enabling them to lead their teams more effectively.
  • Aspiring Network Professionals
    • Individuals looking to advance their careers in network engineering and operations can use this certification to demonstrate their capabilities to potential employers.

Top 7 Tips on How to Prepare for Cisco 300-445 ENNA

Preparing for the Cisco 300-445 ENNA exam requires a strategic approach and dedicated effort. Here are the top seven tips to help you successfully prepare for this certification:

1. Understand the Exam Objectives

Start by thoroughly understanding the exam objectives provided by Cisco. This detailed syllabus outlines all the topics covered in the exam. Familiarizing yourself with these topics ensures that your study plan encompasses every necessary area. This understanding forms the foundation of your preparation, helping you to focus your efforts effectively.

2. Gather Study Materials

Collecting Resources: Accumulate a variety of study materials such as official Cisco training courses, study guides, and practice tests. The Cisco website and authorized training partners offer comprehensive resources specifically tailored for the 300-445 ENNA exam. These materials provide a structured learning path and essential information needed to master the exam content.

3. Create a Study Plan

Develop a study plan that allocates sufficient time to each topic area. Consistency is crucial, so establish regular study sessions and adhere to your schedule. A well-organized plan ensures that you cover all topics systematically, reducing the risk of last-minute cramming and enhancing long-term retention.

4. Join Study Groups and Forums

Participate in study groups and online forums where you can interact with other candidates and certified professionals. These platforms offer valuable insights, tips, and peer support, which can help you understand complex topics better. Collaborative learning often provides new perspectives and enhances your overall preparation experience.

5. Hands-On Practice

Practical experience is vital for the 300-445 ENNA exam. Set up a lab environment where you can practice configuring and managing enterprise network assurance solutions. Hands-on practice helps solidify your theoretical knowledge and prepares you for real-world scenarios. This practical exposure is essential for mastering the practical aspects of the exam.

6. Take 300-445 ENNA Practice Tests

Regularly taking practice tests is an excellent way to gauge your readiness. These exams help identify areas where you need further study and familiarize you with the exam format and question types. 300-445 ENNA Practice tests also help build your confidence and time management skills, ensuring that you are well-prepared for the actual exam day.

7. Review and Revise

Consistently review and revise your notes to reinforce your understanding of the material. Focus particularly on areas where you feel less confident and seek additional resources if necessary. Regular revision helps consolidate your knowledge, making it easier to recall information during the exam.

Comprehensive Study Plan for Cisco 300-445 ENNA

Week 1-2: Foundation and Core Concepts

Day 1 to 3: Network Assurance Principles

  • Objective: Understand the core principles of network assurance.
  • Activities:
    • Read Cisco’s documentation on network assurance.
    • Watch introductory videos on network performance monitoring.
    • Take notes on key concepts such as performance metrics, fault management, and SLA management.

Day 4 to 6: Cisco DNA Center Assurance

  • Objective: Learn how to implement and manage network assurance using Cisco DNA Center.
  • Activities:
    • Go through Cisco DNA Center Assurance deployment guides.
    • Set up a lab environment to practice configurations.
    • Perform hands-on labs for configuring and deploying Cisco DNA Center.

Day 7: Review and Practice

  • Objective: Reinforce the concepts learned in the first week.
  • Activities:
    • Review notes and highlight important points.
    • Take a short quiz on the topics covered.
    • Participate in a study group discussion to clarify doubts.

Week 3-4: Advanced Topics and Hands-On Practice

Day 1 to 3: Network Data Analytics

  • Objective: Utilize network data analytics tools.
  • Activities:
    • Study Cisco’s network analytics tools documentation.
    • Watch tutorials on data collection and interpretation.
    • Practice using network analytics tools in your lab environment.

Day 4 to 6: Telemetry and Monitoring

  • Objective: Deploy and configure telemetry and monitoring solutions.
  • Activities:
    • Read about different telemetry protocols and tools.
    • Configure telemetry solutions in the lab.
    • Monitor network performance and troubleshoot using telemetry data.

Day 7: Review and Practice

  • Objective: Consolidate the second week’s learning.
  • Activities:
    • Recap key topics and take detailed notes.
    • Engage in practical lab exercises focusing on telemetry and analytics.
    • Join an online forum discussion to exchange insights and tips.

Week 5-6: Automation, Troubleshooting, and Security

Day 1 to 3: Automation and Programmability

  • Objective: Incorporate automation into network assurance practices.
  • Activities:
    • Study Cisco’s documentation on network automation.
    • Explore scripting and automation tools like Python and Ansible.
    • Create basic automation scripts to manage network tasks.

Day 4 to 6: Troubleshooting and Security Assurance

  • Objective: Diagnose and resolve network issues while ensuring security.
  • Activities:
    • Read Cisco’s troubleshooting guides.
    • Watch videos on common network issues and their resolution.
    • Implement security assurance practices in the lab and test for vulnerabilities.

Day 7: Comprehensive Review and Mock Exam

  • Objective: Evaluate your overall preparation.
  • Activities:
    • Conduct a full review of all topics.
    • Take a mock exam to simulate the test environment.
    • Identify weak areas and revisit those topics.

Week 7: Final Preparation

Day 1 to 3: Focused Revision

  • Objective: Deep dive into challenging topics.
  • Activities:
    • Revisit complex topics based on mock exam performance.
    • Participate in focused study sessions with peers.
    • Use flashcards for quick revision.

Day 4 to 6: 300-445 Practice Tests

  • Objective: Build exam readiness.
  • Activities:
    • Take multiple ENNA practice tests to build confidence.
    • Time yourself to improve speed and accuracy.
    • Review explanations for any incorrect answers.

Day 7: Relax and Final Checks

  • Objective: Ensure readiness for the 300-445 exam.
  • Activities:
    • Light revision of key points.
    • Ensure all exam logistics are in place (ID, location, etc.).
    • Rest and relax to be in the best mental state for the exam.

Benefits of Online Cisco 300-445 Practice Test

An Infographic- Benefits of Online Cisco 300-445 Practice Test

Exam Day Strategies for Cisco 300-445 ENNA

  • Arrive Early: Plan to arrive at the exam center at least 30 minutes early. This allows you time to settle in, verify your ID, and relax before the exam starts.
  • Read Questions Carefully: Carefully read each question and all answer choices. Look out for keywords and phrases that may alter the meaning of the question.
  • Manage Your Time: Allocate a set amount of time for each question. If you get stuck, move on and return to it later if time permits. This ensures you don’t miss easier questions.
  • Use Elimination Method: If unsure about an answer, eliminate the clearly wrong choices first. This increases your chances of selecting the correct answer from the remaining options.
  • Stay Calm and Focused: Stay calm and maintain focus throughout the exam. Deep breathing exercises can help manage any anxiety and keep you centered.

Conclusion

Preparing for the Cisco 300-445 ENNA certification exam is a demanding but rewarding endeavor. By understanding the exam objectives, following a comprehensive study plan, engaging in hands-on practice, and adopting effective exam day strategies, you can significantly enhance your chances of success. This certification not only validates your expertise in enterprise network assurance but also opens doors to advanced career opportunities in the IT industry.

Start your preparation journey today, and remember, consistent effort and dedication are key to achieving your Cisco 300-445 ENNA certification. Best of luck!

Saturday, 27 July 2024

Communications Compliance is Taking Center Stage in the Boardroom

Communications Compliance is Taking Center Stage in the Boardroom

Within the modern governance landscape in financial services, communications compliance has emerged as a critical issue, spurred by the staggering fines for unmonitored communications that have surpassed $2 billion USD in the United States alone. In February 2024, an additional 16 firms faced SEC fines totaling $81 million, signaling a zero-tolerance stance by regulators against compliance violations.

The Cisco and Theta Lake partnership, established in 2018, reflects a strategic response to these challenges. Theta Lake enhances the security and compliance features of Cisco’s Webex collaboration suite. This joint solution ensures institutions can safely harness the power of Webex’s functionalities, while significantly reducing the risk of penalties, increasing user satisfaction, and enhancing ROI (return on investment).

Theta Lake’s “Digital Communications Governance, Compliance, and Security Survey” for 2023/24, sheds light on the evolving landscape. With independent responses from over 600 IT and compliance professionals, the Theta Lake report reveals that 40% of firms have now elevated communications compliance to a board-level concern, underscoring the pressing demand for a revamped compliance and security framework for Unified Communications and Collaboration (UCC) tools that are integral to the modern workplace.

Why Are Firms Reevaluating Their Communications Compliance Strategies?


The survey indicates a widespread reassessment of communications compliance strategies in financial services, with 77% of respondents revising their approaches, 17% planning to do so, and 45% considering a complete overhaul. Traditional methods often fail to seamlessly capture, retain, and supervise across diverse communication platforms, leading to inefficiencies and compliance lapses. To counter these challenges, organizations are restricting key features that users want and need, inadvertently pushing employees towards unmonitored channels.

Theta Lake, in partnership with Cisco Webex, offers a purpose-built compliance, supervision, and security solution that integrates seamlessly across the Webex Suite, whether content is displayed, shared, spoken, or written. This solution brings significant value to leading organizations, including some of Webex’s largest customers—six of the top ten North American banks.

Where Should Organizations Begin When Overhauling Their Digital Communications Strategy?


Addressing compliance complexities requires a structured, proactive approach. In a rapidly evolving digital landscape, organizations must anticipate regulatory expectations and strategically overhaul their digital communications governance.

Cisco and Theta Lake recommend a three-point strategy:

  • Effective Data Capture: Accurate and reliable record keeping starts by capturing the correct data at its source, along with its context and time of origin. This step is crucial for reconciliation and reporting.
  • Record Navigation: With comprehensive record keeping across various channels, searching and navigating records and their interwoven communications becomes both possible and efficient.
  • AI-Enhanced Compliance Scaling: AI (Artificial Intelligence) technology, specifically tailored for compliance, helps manage and oversee vast amounts of communication records, enabling institutions to identify and mitigate risks and maintain robust compliance standards.

Theta Lake: A Cisco SolutionsPlus Partner


The Cisco SolutionsPlus program features tested Cisco Compatible products. As a SolutionsPlus partner focused on collaboration and security, Theta Lake’s solution for the Webex Suite is available for purchase through the Cisco price list. This includes fully compliant capture, archiving (in existing systems or Theta Lake’s SEC-17a-4 compliant environment), and built-in policy-based AI-enabled risk detection/remediation/redaction capabilities for:

  • Webex Calling & Customer Experience Essentials (New!): Voice Recordings, Business Texts (SMS), and Call Detail Records.
  • Webex Meetings & Selective In-Meeting Communications: Video recordings, and selective archiving of any or all meeting components including audio or in-meeting eComms (such as chat, polling, Q&A, transcripts, and closed captioning).
  • Webex Messaging: All content, replies, and reactions—including files and rich media (like images and GIFs).
  • Polling/Slido: All content including polls, Q&A, surveys, and more.
  • Webex Connect: Archiving & supervision support of log exports via SMTP or Rest API for SMS and omnichannel content.

In an era of intense regulatory oversight, Cisco and Theta Lake’s joint solutions have transitioned from a strategic asset to an essential requirement for financial services organizations aiming to ensure robust communications compliance.

Source: cisco.com

Tuesday, 23 July 2024

Protecting Against regreSSHion with Secure Workload

On July 1, 2024, the Qualys Threat Research Unit (TRU) disclosed an unauthenticated, remote code execution vulnerability that affects the OpenSSH server (sshd) in glibc-based Linux systems.

Now we have seen how CVE-2024-6387 has taken the internet by storm, making network security teams scramble to protect the networks while app owners patch their systems.

Secure Workload helps organizations get visibility of application workload traffic flows and implement microsegmentation to reduce the attack surface and contain lateral movement, mitigating the risk of ransomware.

Below are multiple ways in which Secure Workload can be leveraged to get visibility of affected application workloads and enforce segmentation policies to mitigate the risk of workloads being compromised.

1. Visibility of SSH Traffic Flows

According to the Qualys Threat Research Unit, the versions of OpenSSH affected are those below 4.4p1, as well as versions 8.5p1 through 9.8p1, due to a regression of CVE-2006-5051 introduced in version 8.5p1.

With Secure Workload, it is easy to search for traffic flows generated by any given OpenSSH version, allowing us to spot affected workloads right away and act. By using the following search attributes, we can easily spot such communications:

◉ Consumer SSH Version
◉ Provider SSH Version

Protecting Against regreSSHion with Secure Workload
Figure 1: Visibility of OpenSSH version from Traffic Flows

2. Visibility of OpenSSH Package Version in Workloads

Navigate to Workloads > Agents > Agent List and click on the affected workloads. On the Packages tab, filter for the “openssh” name and it will search for the current OpenSSH package installed on the workload.

Protecting Against regreSSHion with Secure Workload
Figure 2: OpenSSH package Version

3. Visibility of CVE-ID Vulnerability in Workloads

Navigate to Vulnerabilities tab, and a quick search for the CVE ID 2024-6387 will search the current vulnerabilities on the workload:

Protecting Against regreSSHion with Secure Workload
Figure 3: Vulnerability ID Information Per Workload

4. Mitigating Risk of regreSSHion

Once the relevant workloads are spotted, there are three main avenues to mitigate the risk: either by microsegmenting the specific application workload, implementing organization-wide auto-quarantine policies to proactively reduce the attack surface, or performing a virtual patch with Secure Firewall.

◉ Microsegmentation: Microsegmentation policies allow you to create fine-grained allow-list policies for application workloads. This means that only the specified traffic flows will be permitted, denying any other traffic that might be generated from the workload.

Protecting Against regreSSHion with Secure Workload
Figure 4: Microsegmentation Policies For Affected Application Workload

◉ Auto-Quarantine: You can choose to implement organization-wide policies to reduce the attack surface by quarantining workloads that have installed a vulnerable OpenSSH package or are directly affected by the CVE ID.

Protecting Against regreSSHion with Secure Workload
Figure 5: Organization-Wide Auto-Quarantine Policies

◉ Virtual Patch: If quarantining a workload is too disruptive to the organization (e.g., business-critical applications or internet-exposed applications), you can perform a virtual patch with the help of Cisco Secure Firewall to protect the application workloads against the exploit while still maintaining connectivity for the application.

Protecting Against regreSSHion with Secure Workload
Figure 6: Virtual Patch with Secure Firewall Connector

Protecting Against regreSSHion with Secure Workload
Figure 7: Vulnerability Visibility and IPS Signature in FMC

5. Process Anomaly and Change-In Behavior Monitoring of regreSSHion

Even in the scenario where a workload is compromised, Secure Workload offers continuous monitoring and anomaly detection capabilities, as shown below:

◉ Process Snapshot: Provides a process tree of existing runtime processes on the workload. It also tracks and maps running processes to vulnerabilities, privilege escalation events, and forensic events that have built-in MITRE ATT&CK Techniques, Tactics, and Procedures.

Protecting Against regreSSHion with Secure Workload
Figure 8: Process Snapshot of Affected Workloads

◉ Forensic Rules: Secure Workload comes with 39 out-of-the-box MITRE ATT&CK rules to look for techniques, tactics, and procedures leveraged by adversaries. It is also possible to create custom forensic rules to track certain process activities, such as privilege escalation performed by processes. The system can also generate alerts and send them to the Secure Workload UI and SIEM systems.

Protecting Against regreSSHion with Secure Workload
Figure 9: Example Manual Forensic Rule Creation (left) and Built-In Mitre ATT&CK Rules (right)

Source: cisco.com

Saturday, 20 July 2024

Maintaining Digital Compliance with the PCI DSS 4.0

Maintaining Digital Compliance with the PCI DSS 4.0

The Payment Card Industry data security standards have evolved since 2002 when the first version was released. The most recent update, version 4.0.1, was released in June 2024. This updates the PCI 4.0 standard, which  has significant updates to both scope and requirements. These requirements are being phased now and through March 2025.

Cisco has been involved with PCI since the outset, having a seat on the board of advisors and helping craft the development of PCI standards through different evolutions. Cisco has consulted extensively with customers to help meet the requirements and provided extensive user friendly documentation on how customers can meet the requirements, both in minimizing the scope of the assessment as well as in ensuring security controls are present. We have released systems that are PCI compliant in control aspects as well as data plane aspects, and have built-in out-of-the box audit capabilities in a number of infrastructure based, and security based, solutions.

The purpose of this blog is to walk into the PCI DSS 4.0 with a focus on architects, leaders, and partners who have to navigate this transition. We will discuss what is new and relevant with PCI DSS 4.0, its goals and changes. We will then explore products and solution that customers are actively using in meeting these requirements, and how our products are evolving to meet the new requirements. This will be targeted to teams who already have been on the PCI journey. We’ll transition to an expansion into PCI DSS in more detail, for teams that are newer to the requirements framework.

One thing that is important to note about the 4.0 update, is it will be a phased rollout. Phase 1 items (13 requirements) had a deadline of March 31, 2024. The second phase is much larger and more time has been given, but it is coming up soon. Phase 2 has 51 technical requirements, and is due May of 2025.

Maintaining Digital Compliance with the PCI DSS 4.0
Implementation timelines as per PCI At a Glance

What’s new in PCI DSS 4.0, and what are its goals?


There are many changes in PCI DSS 4.0. these were guided by four overarching goals and themes:

Continue to meet the security needs of the payments industry.

Security is evolving at a rapid clip, the amount of public CVE’s published has doubled in the past 7 years (source: Statista). The evolving attack landscape is pushing security controls, and new  types of attack require new standards. Examples of this evolution are new requirements around Multi-Factor authentication, new password requirements, and new e-commerce and phishing controls.

Promote security as a continuous process

Point in time audits are useful but do not speak to the ongoing rigor and operational hygiene needed to ensure the proper level of security controls are in place in a changing security environment. This step is an important step in recognizing the need for continual service improvement vis-a-vis an audit. This means that process will be have additional audit criteria in addition to the application of a security control.

Provide flexibility in maintaining payment security

The standard now allows for risk based customized approaches to solving security challenges which is reflective to both the changing security environment, and the changing financial application environments. If the intent of the security control is able to be met with a novel approach, it can be considered as fulfilling a PCI requirement.

Enhance validation methods and procedures for compliance

“Clear validation and reporting options support transparency and granularity.” (PCI 4.0 at a glance).  Clarity in the measurements and reporting is articulated. This is important for a number of factors, you can’t improve what you don’t measure, and if you’re not systematically tracking it in well-defined language, it is cumbersome to reconcile. This focus will make reports such as the attestation report more closely aligned to reports on compliance and self-assessment questionnaires.

How Cisco helps customers meet their PCI Requirements.


Below is a table that briefly summarizes the requirements and technology solutions that customers can leverage to satisfy these requirements. We will go deeper into all of the requirements and the technical solutions to these.

PCI DSS 4.0 Requirement Cisco Technology/Solution 
1. Install and Maintain network security control.   Cisco Firepower Next-Generation Firewall (NGFW), ACI, SDA, Cisco SDWan, Hypershield, Panoptica, Cisco Secure Workload
2. Apply secure configurations to all system components.   Catalyst center, Meraki, Cisco SDWan, Cisco ACI, Cisco CX Best Practice configuration report 
3. Protect stored cardholder data   Cisco Advanced Malware Protection (AMP) for Endpoints
4. Protect cardholder data with strong cryptography during transmission over open, public networks   Wireless Security requirements satisfied with Catalyst Center and Meraki 
5. Protect all systems and networks from malicious software   Cisco AMP for Endpoints 
6. Develop and Maintain secure systems and software   Meraki, Catalyst Center, ACI, Firepower, SDWan. Cisco Vulnerability Manager 
7. Restrict access to cardholder data by business need-to-know   Cisco ISE, Cisco Duo, Trustsec, SDA, Firepower 
8. Identify users and authenticate access to system components   Cisco Duo for Multi-Factor Authentication (MFA), Cisco ISE, Splunk 
9. Restrict physical access to cardholder data   Cisco Video Surveillance Manager, Meraki MV, Cisco IOT product suite 
10. Log and monitor all access to system components and cardholder data   Thousand Eyes, Accedian, Splunk 
11. Test security of systems and networks regularly   Cisco Secure Network Analytics (Stealthwatch), Cisco Advanced Malware Protection, Cisco Catalyst Center, Cisco Splunk 
12. Support information security with organizational policies and programs Cisco CX Consulting and Incident Response, Cisco U

A more detailed look at the requirements and solutions is below:

Requirement 1: Install and Maintain network security control.

This requirement is will ensure that appropriate network security controls are in place to protect the cardholder data environment (CDE) from malicious devices, actors, and connectivity from the rest of the network. For network and security architects, this is a major focus of applying security controls. Quite simply this is all the technology and process to ensure “Network connections between trusted and untrusted networks are controlled.” This includes physical and logical segments, networks, cloud, and compute controls for use cases of dual attached servers.

Cisco helps customers meet this requirement through a number of different technologies. We have traditional controls include Firepower security, network segmentation via ACI, IPS, SD-Wan, and other network segmentation items. Newer technologies such as cloud security, multi cloud defense, hypershield, Panoptica and Cisco Secure Workload are helping meet the virtual requirements. Given the relevance of this control to network security, and the breadth of Cisco products, that list is not exhaustive, and there are a number of other products that can help meet this control that are beyond the scope of this blog.

Requirement 2: Apply secure configurations to all system components.

This requirement is to ensure processes for components are in place to have proper hardening and best practice configurations applied to minimize attack surfaces. This includes ensuring unused services are disabled, passwords have a level of complexity, and best practice hardening is applied to all system components.

This requirement is met with a number of controller based assessments of infrastructure, such as Catalyst center being able to report on configuration drift and best practices not being followed, Meraki, and SDWan as well. Multivendor solutions such as Cisco NSO can also help ensure configuration compliance is maintained. There are also numerous CX advanced services reports that can be run across the infrastructure to ensure Cisco best practices are being followed, with a corresponding report and artifact that can be used.

Requirement 3: Protect stored account data.

This requirement is application and database settings, and there isn’t a direct linkage to infrastructure. Analysis of how account data is stored, what is stored, and where it is stored, as well as cursory encryption for data at rest and the process for managing these, are covered in this requirement.

Requirement 4: Protect cardholder data with strong cryptography during transmission over open, public networks

This requirement is to ensure encryption of the primary account number when transmitted over open and public networks. Ideally this should be encrypted prior to transmission, but the scope applies also to wireless network encryption and authentication protocols as these have been attacked to attempt to enter the cardholder data environment. Ensuring appropriate security of the wireless networks can be done by the Catalyst Center and Meraki in ensuring appropriate settings are enabled.

Requirement 5: Protect all systems and networks from malicious software

Prevention of malware is a critical function for security teams in ensuring the integrity of the financial systems. This requirement focuses on malware and phishing, security and controls, across the breadth of devices that can make up the IT infrastructure.

This requirement is met with a number of Cisco security controls, Email security, Advanced malware protection for networks and for endpoints, NGFW, Cisco Umbrella, secure network analytics, and encrypted traffic analytics are just some of the solutions that must be brought to bear to adequately address this requirement.

Requirement 6: Develop and Maintain secure systems and software

Security vulnerabilities are a clear and present danger to the integrity of the entire payments platform. PCI recognizes the need for having the proper people, process, and technologies to update and maintain systems in an ongoing basis. Having a process for monitoring and applying vendor security patches, and maintaining strong development practices for bespoke software, is critical for protecting cardholder information.

This requirement is met with a number of controller based capabilities to assess and deploy software consistently and at speed, Meraki, Catalyst Center, ACI, Firepower and SD-Wan, all have the ability to monitor and maintain software. In addition, Cisco vulnerability manager is a unique capability to take into account real world metrics of publicly disclosed CVE’s in order to prioritize the most important and impactful patches to apply. Given the breadth of an IT environments software, attempting to do everything at equal priority means you are systematically not addressing the critical risks as quickly as possible. In order to address your priorities you must first prioritize, and Cisco vulnerability manager software helps financials solve this problem.

Requirement 7: Restrict access to cardholder data by business need-to-know

Authorization and application of least privilege access is a best practice, and enforced with this requirement. Applied at the network, application, and data level, access to critical systems must be limited to authorized people and systems based on need to know and according to job responsibilities.

The systems used to meet this requirement are in many cases, shared with requirement 8. With zero trust and context based access controls we include identification in with authorization, using role based access controls and context based access controls. Some of these can be provided via Cisco identity services engine, which has the ability to take into account a number of factors outside of identity (geography, VPN status, time of day), when making an authorization decision. Cisco DUO is also used extensively by financial institutions for context based capabilities for zero trust. For network security enforcement of job roles accessing the cardholder data environment, Cisco firepower and Software Defined access have the capabilities to make context and role based access decisions to help satisfy this requirement. For monitoring the required admin level controls to prevent privilege escalation and usage of root or system level accounts, Cisco Splunk can help teams ensure they are monitoring and able to satisfy these requirements.

Requirement 8: Identify users and authenticate access to system components

Identification of a user is critical to ensuring the authorization components are working. Ensuring a lifecycle for accounts and authentication controls are strictly managed are required. To satisfy this requirement, strong authentication controls must be in place, and teams must ensure Multi-factor authentication is in place for the cardholder data environments. They also must have strong processes around user identification are in place.

Cisco ISE and Cisco Duo can help teams satisfy the security controls around authentication controls and MFA. Coupled with that, Cisco Splunk can help meet the logging and auditing requirements of ensuring this security control is acting as expected.

Requirement 9: Restrict physical access to cardholder data

“Physical access to cardholder data or systems that store, process, or transmit cardholder data should be restricted so that unauthorized individuals cannot access or remove systems or hardcopies containing this data.” (PCI QRG). This affects security and access controls for facilities and systems, for personnel and visitors. It also contains guidance for how to manage media with cardholder data.

Outside the typical remit of traditional Cisco switches and routers, these devices play a supporting role in supporting the infrastructure of cameras and IOT devices used for access controls.  Some financials have deployed separate air gapped IOT networks with the cost efficiencies and simplified stack Meraki devices, which simplifies audit and administration of these environments. The legacy proprietary camera networks have been IP enabled, and support wired and wireless, and Meraki MV cameras offer cost affordable ways to scale out physical security controls securely and at speed. For building management systems, Cisco has a suite of IOT devices that support building physical interface capabilities, hardened environmental capabilities, and support for IOT protocols used in building management (BACNET). These can integrate together and log to Cisco Splunk for consolidated logging of physical access across all vendors and all access types.

Requirement 10: Log and monitor all access to system components and cardholder data
Financial institutions must be able to validate the fidelity of their financial transaction systems and all supporting infrastructure. Basic security hygiene includes logging and monitoring of all access to systems. This requirement spells out the best practice processes for how to conduct and manage logging of infrastructure devices that allow for forensic analysis, early detection, alarming, and root cause of issues.

Cisco and Splunk are the world leader in infrastructure log analytics for both infrastructure and security teams. It is deployed at the majority of large financials today to meet these requirements. To compliment this, active synthetic traffic such as Cisco Thousand Eyes and Accedian help financials detect failures in critical security control systems faster to satisfy requirement 10.7.

Requirement 11: Test security of systems and networks regularly

“Vulnerabilities are being discovered continually by malicious individuals and researchers, and being introduced by new software. System components, processes, and bespoke and custom software should be tested frequently to ensure security controls continue to reflect a changing environment.” (PCI QRG)

One of the largest pain points financials face is the management of applying regular security patching across their entire fleet. The rate of CVE’s released has doubled in the past 7 years, and tools like Cisco Vulnerability management is critical prioritizing an infinite security need against a finite amount of resources. Additional Cisco tools that can help satisfy this requirement is: Cisco Secure Network Analytics (11.5), Cisco Advanced Malware protection (11.5), Cisco Catalyst Center (11.2), Cisco Splunk (11.6).

Requirement 12: Support information security with organizational policies and programs

People, process, and technology all need to be addressed for a robust security program that can satisfy PCI requirements. This requirement focuses on the people and process that are instrumental in supporting the secure PCI environment. Items like security awareness training, which can be addressed with Cisco U, are included. Cisco CX has extensive experience consulting with security organizations and can help review and create policies that can help the organization stay secure. Finally, having a Cisco Incident Response program already lined up can help satisfy requirement 12.10 for being able to immediately respond to incidents.

Source: cisco.com

Thursday, 11 July 2024

The Trifecta Effect of Integrating XDR, SIEM, and SOAR

The Trifecta Effect of Integrating XDR, SIEM, and SOAR

In the ever-evolving landscape of cybersecurity, the integration of cutting-edge technologies has become paramount to stay ahead of sophisticated threats. One such powerful combination that is revolutionizing security operations is the integration of Extended Detection and Response (XDR), Security Information and Event Management (SIEM), and Security Orchestration, Automation, and Response (SOAR). Let’s delve into the trifecta effect of integrating these technologies and how they can enhance your organization’s security posture.

Security Information and Event Management (SIEM)


SIEM solutions play a crucial role in centralizing and analyzing security event data from various sources within an organization. They provide real-time monitoring, threat detection, and incident response capabilities. By aggregating logs and data from security and non-security disparate systems, SIEM enables security teams to detect anomalies, investigate security incidents, and comply with regulatory requirements.

Extended Detection and Response (XDR)


XDR represents a holistic approach to threat detection and response by consolidating multiple security layers into a unified platform. It provides enhanced visibility across endpoints, networks, and cloud environments, enabling security teams to detect and respond to threats more effectively. By leveraging advanced analytics and machine learning, XDR can correlate and analyze vast amounts of data to identify complex threats in real-time.

Security Orchestration, Automation, and Response (SOAR)


SOAR platforms empower security teams to automate repetitive tasks, orchestrate incident response workflows, and streamline security operations. By integrating with XDR and SIEM, SOAR can enhance the efficiency and effectiveness of incident response processes. It enables teams to respond to security incidents rapidly, reduce manual errors, and improve overall response times.

How XDR, SIEM, and SOAR Complement Each Other


The trifecta effect of integrating XDR, SIEM, and SOAR brings together the best of all three worlds, creating a comprehensive and synergistic security solution. Here’s how the components of each technology complement each other:

  • XDR and SIEM: XDR’s advanced analytics, machine learning, and threat detection capabilities are integrated with SIEM’s centralized log management and real-time monitoring. This combination enables organizations to detect and respond to both known and unknown threats more effectively, as well as comply with regulatory requirements. SIEM’s pattern recognition capabilities can help XDR identify threats through pattern recognition, while XDR’s API data access and stealth threat detection capabilities can enhance SIEM’s detection capabilities. XDR and SIEM can work together in a security architecture to provide a more robust and mature security posture. For instance, XDR can provide real-time visibility, and SIEM can provide forensic search, data archival, and customization. XDR can reduce the number of contextualized alerts sent to the SIEM for prioritized investigations, enabling security teams to respond to security incidents more efficiently.
  • XDR and SOAR: XDR’s response integrations can have similar functionality to SOAR platforms, with the potential to make SOAR a native part of XDR platforms in the future. This integration allows for automated threat response, enabling security teams to automatically remediate threats in their environment without human intervention. SOAR’s orchestration and automation capabilities can also enhance XDR’s response capabilities, providing a more proactive defense posture.
  • SIEM and SOAR: SIEM and SOAR can integrate best-of-breed components without vendor lock-in, allowing for more flexibility in security operations. SOAR’s incident response capabilities, such as use-case-based playbooks, can orchestrate response actions across the environment, assign tasks to personnel, and incorporate user inputs to augment automated actions. This integration can help SOAR platforms focus on incident response, while SIEM solutions can focus on data collection and analysis.

Case Study: Credential Stuffing Attack


Let’s walk through a scenario of a credential stuffing aAttack and model how this trifecta could come into play:

Phase 1: Attack Initiation and Initial Detection

An attacker begins a credential stuffing attack by using previously breached username and password pairs to gain unauthorized access to the organization’s web applications.

  • XDR Role: XDR monitors the endpoints and detects a high volume of failed login attempts from various IP addresses, which is unusual and indicative of a credential-stuffing attack. XDR can also identify successful logins from suspicious locations or devices, adding this information to the incident details.
  • SIEM Role: The SIEM system, collecting logs from web application firewalls (WAF), authentication servers, and user databases, notices an abnormal spike in authentication requests and login failures. This complements the XDR’s endpoint visibility by providing a network-wide perspective and helps to confirm the scale of the attack.

Phase 2: Alert Correlation and Confirmation of the Attack

The attack continues as the attacker tries to automate login requests to bypass security controls.

  • XDR Role: XDR correlates the failed authentication attempts with geographic anomalies (such as logins from countries where the company does not operate) and reports these findings to the SIEM.
  • SIEM Role: SIEM cross-references the XDR alerts with its log data, confirming the attack pattern. It leverages its correlation rules to identify legitimate accounts that may have been compromised during the attack, which XDR might not be able to determine on its own.

Phase 3: Automated Response and Mitigation

With the attack confirmed, rapid response is necessary to minimize damage.

  • SOAR Role: Upon receiving alerts from both XDR and SIEM, the SOAR platform triggers a predefined response playbook that automatically enforces additional authentication requirements for the affected accounts, such as multi-factor authentication (MFA), and blocks IP addresses associated with the attack.
  • XDR Role: XDR can automatically enforce endpoint-based security controls, like updating access policies or locking down accounts that have shown suspicious login activities.
  • SIEM Role: SIEM supports the response by providing additional context for the SOAR to execute its playbooks effectively, such as lists of affected user accounts and their associated devices.

Phase 4: Post-Attack Analysis and Strengthening Defenses

After blocking the immediate threat, a more in-depth analysis is conducted to ensure all compromised accounts are secured.

  • SIEM Role: SIEM facilitates a detailed investigation by querying historical data to uncover the full scope of the attack, identifying compromised accounts, and understanding the methods used by attackers.
  • SOAR Role: SOAR provides workflows and playbooks to automatically reset passwords and notify affected users, while also updating security policies based on the attack vectors used.
  • XDR Role: The XDR platform assists with forensic analysis by leveraging its integrated view across endpoints, network, and cloud to pinpoint how the attacker could bypass existing security measures.

Phase 5: Continuous Improvement and Monitoring

To prevent future attacks, the organization needs to refine its security posture and implement new controls.

  • SOAR Role: SOAR can automate the rollout of new security policies across the organization and conduct simulated phishing exercises to educate employees about security best practices.
  • SIEM Role: SIEM takes charge of long-term data collection and analysis to monitor for new patterns that may indicate a repeat of the attack, ensuring continuous improvement in the organization’s security monitoring capabilities.
  • XDR Role: XDR continuously monitors for any signs of a resurgence of the attack or similar tactics being used, ensuring ongoing vigilance and quick detection of any new threats.

In this scenario, XDR and SIEM play complementary roles where XDR’s real-time analysis and endpoint visibility are enhanced by SIEM’s ability to provide a broader view of the network and historical non-security context. The SOAR platform bridges the gap between detection and response, allowing for quick and efficient mitigation of the attack. This integrated approach ensures that no aspect of the attack goes unnoticed and that the organization can rapidly adapt to and defend against such sophisticated cyber threats.

Impact of Non-Integrated Approach


Removing either SIEM or XDR from the scenario would significantly affect the organization’s ability to effectively detect, respond to, and recover from a credential-stuffing attack. Let’s consider the impact of removing each one individually:

Removing SIEM

  • Loss of Centralized Log Management: Without SIEM, the organization loses centralized visibility into the security data generated by various devices and systems across the network. This makes it more challenging to detect patterns and anomalies that are indicative of a credential stuffing attack, especially when they span across multiple systems and applications.
  • Reduced Correlation and Contextualization: SIEM’s strength lies in its ability to correlate disparate events and provide context, such as flagging simultaneous login failures across different systems. Without SIEM, the organization may not connect related events that could indicate a coordinated attack.
  • Inefficient Incident Management: SIEM platforms often serve as the hub for incident management, providing tools for tracking, investigating, and documenting security incidents. Without it, the organization may struggle with managing incidents effectively, potentially leading to slower response times and less organized remediation efforts.
  • Difficulty in Compliance Reporting: Many organizations rely on SIEM for compliance reporting and audit trails. Without SIEM, they may find it more challenging to demonstrate compliance with various regulations, potentially leading to legal and financial consequences.

Removing XDR

  • Reduced Endpoint and Network Visibility: XDR provides a detailed view of activities on endpoints and across the network. Removing XDR would leave a blind spot in detecting malicious actions occurring on individual devices, which are often the entry points for credential-stuffing attacks.
  • Weakened Real-time Detection: XDR platforms are designed for real-time detection and response. Without XDR, the organization might not be able to detect and respond to threats as quickly, allowing attackers more time to exploit compromised credentials.
  • Limited Automated Response: XDR can automate immediate response actions, such as isolating a compromised endpoint or terminating a malicious process. Without XDR, the organization would have to rely more heavily on manual intervention, potentially allowing the attack to spread further.
  • Loss of Integrated Response Capabilities: XDR often integrates with other security tools to provide a coordinated response to detected threats. Without XDR, the organization may find it more difficult to execute a synchronized response across different security layers.

The Case for an Integrated Approach


The conversation should not be framed as “XDR vs. SIEM & SOAR” but rather as “XDR, SIEM and SOAR.” These three technologies are not mutually exclusive anymore; instead, they complement each other and serve to strengthen an organization’s security posture when integrated effectively.

In essence, the integration of XDR, SIEM, and SOAR technologies is not a competition but a collaboration that brings together the best features of all three worlds.

Source: cisco.com

Tuesday, 9 July 2024

Cisco at NAB 2024: Committed to Delivering Next-Level Experiences That ‘Wow’

Cisco at NAB 2024: Committed to Delivering Next-Level Experiences That ‘Wow’

We are less than two weeks away from the National Association of Broadcasters (NAB) 101st Show happening once again in Las Vegas, Nevada. As a decade-long returning attendee, I am always excited to be with customers, partners, and colleagues, shaking hands and engaging in stimulating conversations about the next wave of innovation hitting the media and entertainment industry. With new technology features, expanded partnerships, and growing customer momentum, I am looking forward to highlighting Cisco’s cutting-edge solutions and services to our booth visitors this year.

Our leadership in this space continues to grow as we innovate across our portfolio to transform the way broadcasters, content providers, venues, sports teams and leagues are harnessing the power of AI and other emerging technologies and taking audience experiences to the next level.

This year, we will showcase our comprehensive portfolio and demonstrate Cisco’s strategy and innovation across three key areas:

  • Enabling dynamic IP production and workflows   
  • Transforming content delivery, devices, and network assurance   
  • Operationalizing the fan experience with cutting-edge, technology-centric venues

Enabling Dynamic IP Production  


The broadcast industry’s evolution to IP requires sustainable technology to provide great multicast visibility and flexibility to allow integration of multiple multicast and/or unicast, on-premises and cloud domains. Visitors to the Cisco booth can expect to see our flagship solution, Cisco IP Fabric for Media (IPFM), on display at the Cloud Native Media Production- Anywhere demo to show how we are enabling these transitions to IP aligned with SMPTE 2110. With several hundred deployments across the globe, Cisco IP Fabric for Media continues to serve as the foundation to address broadcaster’s audio and video requirements. 

Cisco IPFM includes features for Non-Blocking Multicast (NBM), Network Address Translation (NAT), and now, Protocol Independent Multicast flooding mechanism with Source Discovery (PFM-SD). These components provide end-to-end multicast, live traffic visibility, simplified and flexible deployment at scale, innovations in NBM active, and both PTP and RTP flow monitoring. With our simplified network management and operations tool for provisioning IP-based media fabrics, Cisco Nexus Dashboard Fabric Controller (NDFC), users can now take advantage of an expansive view of the network with 2022-7 visibility and enhanced Events UI Tab to capture critical fault notifications. 

Together with Intel, we will be highlighting our innovative solution for Cloud Native Media Production which uses cloud-native architectures with open standards and open-source software to power new media workflows and help speed digital transformation. 

Transforming Content Delivery, Devices, and Network Assurance 


Together with our partner Qwilt, we will be showcasing Global Edge Cloud for Content Delivery, highlighting how together we are creating a more efficient way to deliver highly distributed live and on-demand content. Our joint solution, serving over one billion unique subscribers globally, provides Quality-as-a-Service by pushing content caching and delivery out to the embedded edge of the carrier network. 

Comprised of Cisco’s edge infrastructure and Qwilt’s Open Edge platform, the solution based on open caching is helping meet the ever-increasing demand for content delivery and edge cloud services and improving re-buffering time, time to first frame (TTFF), average bitrate (ABR) and error rate for live-streamed content delivery.  

We’ve seen a growing need for trusted collaboration tools and devices to help drive engaging virtual and hybrid entertainment experiences, and to connect teams across the globe. In the Cisco Devices: Be there, from Anywhere demo, we will highlight intuitive and interoperable device experiences that are designed to make remote and hybrid collaboration seamless and distraction-free, on any meeting platform. The native Microsoft Teams experience on certified Cisco collaboration devices is designed for frictionless employee experiences. 

Accedian will take center stage in our Cisco Critical Network Assurance demo, highlighting how the most recent addition to Cisco’s observability portfolio is providing industry-leading network performance monitoring and assurance to help enable seamless operations for content providers, service providers, and more.  

Operationalizing the Fan Experience 


One of my personal favorites, and arguably the cornerstone of our Sports, Media and Entertainment portfolio, is our best-in-class VisionEDGE solution for IPTV & Dynamic Digital Signage in partnership with Wipro. A solution that truly “wow’s”, VisionEDGE provides dynamic content management solutions and high quality experiences to every fan, in every seat at venues all over the world including (but not limited to) Allegiant Stadium here in Las Vegas, CITYPARK in St. Louis, Santiago Bernabéu Stadium in Madrid, GEODIS Park in Nashville, and SoFi Stadium and Hollywood Park in Los Angeles (host of Super Bowl LVI). 

As you make your way across the show floor at the Las Vegas Convention Center during NAB be sure to check out the Cisco Booth, #W2743 in the West Hall, and see for yourself how Cisco and our impressive ecosystem of partners are forging a path of innovative new experiences for the media and entertainment industry. 

Source: cisco.com

Saturday, 6 July 2024

The AI Revolution and Critical Infrastructure

The AI Revolution and Critical Infrastructure

Artificial intelligence was a central theme at Cisco Live US 2024, and it’s clear AI has already made significant strides in reshaping our world. Cisco’s AI-powered innovations build digital resilience by uniquely combining the power of the network with industry-leading security, observability, and data. They simplify adoption and offer visibility and insight across the entire digital footprint, and for those overseeing critical infrastructure, the potential benefits are clear. Undoubtedly, the latest technology offers the promise of enhanced operations. However, the unpredictability of AI’s outcomes can understandably give pause.

Different Kinds of AI 


There are multiple kinds of AI, and each plays a role in different operational situations. Some AI models produce consistent and predictable results, while others are well suited to identifying relevant information within huge mountains of unstructured data. Choosing the right AI model to address each operational need can be challenging. Cisco’s acquisition of Splunk provides an increasing number of security AI tools to address operational security needs. The vast ecosystem of Cisco’s partners enables a selection of AI tools for various operational use cases.  

Cisco’s Role in AI Solutions


At the heart of every AI solution is data movement and processing. This is where Cisco excels. Cisco’s infrastructure is designed to receive data from sensors and ensure its secure and reliable transport to the applications that require it, making it a key player in the AI landscape. Examples of AI solutions in critical infrastructure include failure detection, failure prediction, pothole detection, process optimization, and analysis queries. The video below of Roland Plett’s Cisco Live Session takes a deeper look at each of these examples.  

The AI Revolution and Critical Infrastructure


Summary

AI is changing the way we engage data in industrial operations. There are multiple kinds of AI models, and the combination of models you need depends on the problem you’re trying to solve. It’s essential to recognize that deep learning AI models, like generative AI, are based on probabilities and don’t have deterministic or repeatable outcomes. This is why choosing the right model for your desired result is critically important.

Source: cisco.com