By Ben Nahorney What’s the quickest way to access a computer? Logging in. As obvious as this may sound, it’s worth reflecting on this. Because while logging in is so second nature that you probably don’t give it much consideration, it’s also one of the most common techniques for taking over a computer.
From a malicious standpoint, stealing and using legitimate credentials to gain access is more likely to go undetected as an attacker attempts to move through a network. Dropping a trojan or exploiting a vulnerability can certainly gain you initial access, but authorized credentials help you navigate laterally under the radar.
It’s no wonder that login credentials are a primary target of bad actors. According to Verizon’s 2019 Data Breach Investigations Report, using stolen credentials was the second-most common activity conducted by attackers during a breach.
So how do bad actors go about stealing credentials? Some techniques are well known, others not as much.
The usual suspects
Phishing emails are by far the most popular method to steal credentials. As we’ve discussed in the past, the scams take many forms, from notifications that there’s a document online that you should view, to notifications of upgrades to your account.
Keyloggers—another common tool for stealing credentials—sit in the background and log keystrokes on a compromised computer. An attacker can load up a keylogger, then wait for it to record credentials as they are input into the computer.
While these are popular methods for stealing credentials, they aren’t the only options. When an attacker gains access to a system, it turns out there’s a veritable gold mine of credentials that they can attempt to access. This is where a technique called credential dumping comes in. While end users may not be aware of it, credential dumping is actually a wildly popular technique whereby an attacker scours a compromised computer for credentials in order to move laterally and/or carry out further attacks. Users may be familiar with headlines touting phishing or keylogging attacks, but credential dumping often receives less wide-spread attention; however, this only underscores the importance of understanding the attack method.
Credential dumping
There are a variety of places within operating systems where credentials are stored for use in everyday operation. If an attacker can gain access to a particular system, they can attempt to locate, copy, and “dump” the credentials.
Credential dumping is possible mainly because software and operating systems have worked to reduce the number of times a user is required to enter their password. Oftentimes, operating systems store passwords in memory, databases, or files. The idea is that the operating system will ask for a password, but then use the cached password for successive logins in the short term, saving the user from having to enter it again.
Tools of the trade
Problems arise when an attacker gains low-level access to a computer. If the attacker can execute code, he or she can extract credentials from memory with various credential dumping tools. There are several tools an attacker can wield to steal credentials in these cases. Tools like gsecdump, creddump, and PWDumpX can be used in a variety of ways to steal credentials.
However, the most popular credential dumping tool by far is Mimikatz. Developed in 2007 by Benjamin Delpy, it began as a tool to highlight a flaw in Microsoft Windows Local Security Authority Subsystem Service (LSASS). LSASS stores credentials so that users don’t have to log in repeatedly each time they want to access system resources. While the flaw in question was eventually fixed, Mimikatz evolved to become an important tool for penetration testers and other security professionals to check for credential dumping weaknesses within systems. Unfortunately, it has become a popular tool for malicious actors as well.

Where to steal
An attacker can pull credentials from different areas on a system. With access to a regular endpoint computer, an attacker can look for credentials in the following locations.
WDigestThis is a legacy protocol used to authenticate users in Windows. When enabled, LSASS keeps a plain-text copy of logged in user’s password in memory. While the service is disabled by default nowadays, it still exists in the latest versions of Windows, and attackers often enable it in order to steal credentials.
Security Accounts Manager (SAM)This is a database file that’s existed in Windows since the XP days. SAM is used to authenticate users, both local and remote, allowing access when the provide credentials match what SAM has on file. If this file is stolen by attackers, it can potentially be decrypted, and usernames and passwords stored within can be extracted.
LSA SecretsThe Local Security Authority (LSA) manages authentication and the logging in of users on a Windows system, as well as the local security policy for a computer. Sensitive data used by this subsystem is stored in a protected storage area called “LSA secrets.”
KerberosThe Kerberos protocol was specifically designed for strong, secure authentication. It does so through a ticketing system, granting various permissions to users and services. Attacks against Kerberos generally involve forging or injecting stolen Kerberos tickets to gain access.
If an attacker manages to get onto a domain controller—the network server responsible for managing authentication on the domain—then there are additional areas where credentials are stored.
NTDSThis is where Active Directory stores information about members of a domain in order to verify users and credentials.
Group Policy Preference filesThis Windows tool lets administrators roll up domain policies to include embedded credentials, making administration easier. These policies are generally stored in a share called SYSVOL, which any domain user can view, and potentially decrypt.
DCSyncInstead of a location, DCSync is a technique where an attacker takes advantage of the way domain controllers handle available API calls. In short, the attacker mimics the behavior of another domain controller through API calls and gets the controller to send over credential hashes that can be used in further attacks.
Using the credentials
Once an attacker has gathered credentials, how do they use them? It’s pretty straightforward when it comes to user names and passwords that have been stolen through phishing, keylogging, or stolen and successfully decrypted.
However, not all credentials can easily be decrypted. You may think that that’s the end of line in these cases. Unfortunately, that’s not the case. There’s a whole group of attack techniques centered around using these credentials as-is.
For instance, consider that many user names and passwords are encrypted (a.k.a. “hashed”) on the authenticating server. When you log into one of these services, they generally decrypt the password on the server and compare them. Another way to compare is to encrypt the password that arrives, then compare it to the encrypted password on file. Either way, if there’s a match, access is granted.
If an attacker manages to steal user credentials, but can’t decrypted them, they can attempt to pass them to the authentication server. If the server simply compares the two hashed passwords, and if they match, access is granted. This technique is often called “passing the hash.”
There are a number of similar authentication attacks. For instance, an attacker could also dump Kerberos tickets from a compromised system, then use them to attempt to log in in a similar fashion. As a variation of the overall theme, this attack is called “pass the ticket.”
There are plenty of variations out there. An attacker can “overpass the hash,” by which they pass a hash to an NT LAN Manager in the hopes that it will pass them back a Kerberos ticket, which they can then use to log into network resources. There are also techniques that can grant them “golden” and “silver” Kerberos tickets, which as the names suggest, offer elevated privileges and access throughout a network administered by Kerberos.
What to do
Fortunately, there are many ways to defend against credential dumping.
Monitor access to services like LSASS and databases like SAM.
Keep an eye out for command-line arguments used in credential dumping attacks.
On domain controllers, monitor logs for unscheduled activity.
Look out for unexpected connections from IP addresses not assigned to known domain controllers.
The security capabilities found in AMP for Endpoints can continuously analyze and monitor file and process activity. AMP can automatically generate alerts at the first sign of malicious behavior, such as when an attacker attempts to spawn an unauthorized LSASS process, quickly stopping attacks in their tracks before they can cause any further damage.
Of course, if an attacker does manage to steal credentials, using multi-factor authentication (MFA) can prevent the attacker from actually using them to gain access to other systems. Cisco Duo protects your systems by using a second source of validation to verify user identity before granting access.
Even better, combine the powers of AMP and Duo to reduce the attack surface by allowing AMP to notify Duo when an endpoint has potentially been compromised, allowing Duo to automatically block that endpoint from accessing critical apps that Duo is protecting.
A zero-trust strategy can also go a long way to limit or prevent an attacker from moving laterally through a network. Cisco Identity Services Engine simplifies the delivery of consistent, highly secure access control across all network connections. With far-reaching, intelligent sensor and profiling capabilities, ISE can reach deep into the network to deliver superior visibility into who and what are accessing resources, preventing unwanted access as a result.
Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.
The post Stealing passwords with credential dumping appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group The ongoing COVID-19 pandemic continues to yield new subject matter that bad actors can turn into fodder for enticing victims into clicking on malicious links and attachments. On March 27, the CARES Act was signed into law by the President, enacting a wide range of stimulus packages designed to aid Americans and businesses during the crisis. One such measure will authorize a supplemental stimulus check to American citizens.
Along with the general increase in coronavirus and COVID-19-themed attacks, this stimulus package will also be leveraged as a lure to deliver additional attacks to harm the unsuspecting victim into divulging personal information or be subject to financially based exploitation.
Talos has already detected an increase in suspicious stimulus-based domains being registered and we anticipate they will be leveraged to launch malicious campaigns against users.

The post COVID-19 relief package provides another platform for bad actors appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 20 and Mar 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200327-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 20 to March 27 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group The COVID-19 pandemic is changing everyday life for workers across the globe. Cisco Talos continues to see attackers take advantage of the coronavirus situation to lure unsuspecting users into various pitfalls such as phishing, fraud, and disinformation campaigns. Talos has not yet observed any new techniques during this event. Rather, we have seen malicious actors shift the subject matter of their attacks to focus on COVID themes. We continue to monitor the situation and are sharing intel with the security community, customers, law enforcement, and governments.
Protecting your organization from threats that leverage COVID themes relies on the same strong security infrastructure foundation that your organization hopefully already has. However, security organizations must ensure existing protections and capabilities function in a newly remote environment, that users are aware of the threats and how to identify them and that organizations have implemented security best practices for remote work.
Read More >>
The post Threat Update: COVID-19 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Radhika Mitra Public cloud is still a hotly debated topic amongst organizations, and take a guess as to why? Security. However, that hasn’t kept businesses from investing heavily in public cloud strategies. By the end of 2020, Forbes has forecasted “67% of enterprise IT infrastructure and software will be cloud-based.” If you’re trying to increase your network scale, realize greater network value or transform to a more dynamic infrastructure, you’re either already in the midst of your journey or at least part of the way there. And with services and assets shared between your on-premises networks and the cloud, it can be a little fuzzy on how or what to secure. The public cloud Shared Responsibility model was designed to combat exactly that—and make clear delineation on who is responsible for securing what.
There are two key areas of the Shared Responsibility model:

“Security of the Cloud” – The cloud vendor is accountable to protect and ensure availability of the infrastructure and the services that make up the cloud. Cloud infrastructure is composed of the hardware, software, networking, and facilities that run the respective vendor’s cloud services.

“Security in the Cloud” — You are responsible for your cloud-based assets and management. Ultimately you design your own unique security strategy and manage your risks for any and all cloud services, asset and data you add in a public cloud. For example, any compute instances you run, you are responsible for the management of the guest operating system (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the cloud-based firewall on each instance. You are responsible for managing your data (including encryption options), classifying your assets, and using IAM tools to apply the appropriate permissions.
With all the different security offerings available in each of the public cloud providers marketplaces, it becomes overwhelming and confusing trying to identify the right tools to help you fulfill your end of the shared responsibility model. To alleviate the confusion and to help you maintain a consistent posture both on premises and in the cloud, a good rule of thumb is to partner with a security partner that supports a broad range of cloud providers. Likewise, leveraging the same tools you use to secure your premises-based networks in clouds ensures a faster deployment, alleviates misconfigurations and ensures stronger security for all your cloud-based investments.

At Cisco, we do the heavy lifting for you. We offer a comprehensive suite of security solutions for public cloud environments and maintain strong technology partners with the leading public cloud providers (AWS, Google Cloud, Azure). This allows you to integrate security seamless into your cloud environments, deliver a consistent experience for your users and maintain visibility and control over all your cloud data and assets. The depth and breadth of our solutions ensures your business can safely transition to the cloud while aligning security to the speed of your digital business:
Cloud security: Cisco Umbrella integrates multiple security services in the cloud including DNS-layer security, firewall, secure web gateway, cloud access security broker, and more to secure internet access. Since DNS is built into the foundation of the internet, security at the DNS-layer can be simple to deploy and highly effective for securing the public cloud. Cisco Umbrella provides DNS-based security that blocks requests to malware, phishing, and botnets before a connection is even established.
Secure On-prem to Public Cloud: Cisco Next Generation Firewall can bring advanced capabilities of your firewall into your cloud environment, acting as a gateway and also extending your data center security policies into cloud and remaining compliant. What’s more, you can create a consistent security posture that extends from your on-premises environment to your cloud infrastructure, making the migration to public cloud seamless and painless.
Cloud Workload Security & Microsegmentation: One of the most vulnerable assets are your applications(read more on app security) and securing application workloads using microsegmentation with Cisco Tetration in your cloud can unleash the potential of your developers and security operation reaching harmonious freedom.
Advanced Threat Detection: What about network flow? Get advanced threat detection in your cloud network with Stealthwatch Cloud.
Secure Access to your Cloud: Also, ensure you have secure access using Duo multi-factor authentication to your cloud-based services.
Cisco Services is a true partner in your journey to a shared responsibility model by helping you deploy and manage your security solutions in the cloud. With Cisco you are not alone, you have the power of a trusted partner to bring along with you on your digital transformation journey to ensure a consistent security posture for your hybrid network.
The post Understanding the Shared Responsibility Model: Securing Public Cloud Just Got Easier appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 13 and Mar 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200320-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 13 to March 20 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Anthony Grieco People are the key to any effective cybersecurity strategy. If your people don’t understand relevant cyber risks or don’t know how to take the proper action when they occur, the rest of your strategy simply doesn’t matter. At Cisco, we practice a pervasive security culture. Our combination of workforce training and educational initiatives instills a company-wide commitment and collective sense of responsibility and ownership to protect ourselves and our customers.
How do you get a global network of employees and contractors to take personal responsibility for cybersecurity, data protection, and privacy? We knew we had to develop a campaign that would garner attention in a fun and creative way to keep people engaged and alert. In response, we developed Keep Cisco Safe, an innovative internal risk mitigation awareness and education program. It combined out-of-the-box creative thinking, gamification, digital signage, a personalized rewards system including achievement badges and top-down executive sponsorship to change worker’s behaviors.
A key facet of the campaign included cyber “monsters,” each representing threat characters. With a focus on data protection, privacy, secure product development, and threats such as adware, malware and phishing, the monsters gave Cisco employees an eye-catching opportunity to identify, learn and act. To learn more, I highly encourage you to read the complete case study.

Now with over 97,000 actively engaged, we’ve found that Cisco employees and contractors have increased their cybersecurity knowledge and vigilance. This is clear by the spike of incidents being reported to our Data Protection and Privacy Response team. It’s not that we have experienced more incidents, it is the fact that more people are reporting them through proper channels.
To call the Keep Cisco Safe campaign “monstrously” successful would be an understatement. I am honored to share the campaign has been named a winner in Info Security Product Guide’s 2020 Global Excellence Awards!
Info Security Products Guide – the industry’s leading information security research and advisory guide – recognizes cybersecurity IT vendors with advanced, ground-breaking marketing programs, solutions, and services that are raising the bar for the security industry.
Like any effective education and training initiative, our Keep Cisco Safe program continues to evolve and grow. We are honored to be recognized as an industry leader by the Info Security Products Guide. Behind this distinguished success is our relentless effort to drive pervasive security, trust, data protection, and privacy into everything we do at Cisco. This recognition from Info Security PG’s Global Excellence Award further validates our commitment to security and trust within our enterprise and for our customers.
For more on Cisco’s strategy to protect itself and its customers, visit our Trust Center.

The post Cisco Wins Global Excellence for Cybersecurity Education and Awareness appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Sunil Amin We’ve reached an interesting turning point for encrypted traffic.
Gartner predicted that 80% of web traffic would be encrypted by 2019. Sure enough, this prediction came true. Last year, the team at Let’s Encrypt, an organization that helps enable encryption for websites, cited that 80% of web traffic they’ve seen is now encrypted. We have reached the point where the average volume of encrypted traffic on the internet has now surpassed the average volume of unencrypted traffic.
This is largely good news, as moving forward, encrypting internet traffic is now the new norm online and will continue to grow. This is good for data privacy and should let us sleep a bit easier knowing that as out information traverses the internet, it’ll be encrypted.
However, much like the adoption rate of encrypted traffic, encrypted threats are also on the rise. This year, Gartner has predicted that more than 70% of malware campaigns will use some type of encryption to conceal malware delivery, command-and-control activity, or data exfiltration. Complicating matters, it’s also predicted that 60% of organizations will fail to decrypt HTTPS efficiently, thereby missing critical encrypted threats.
Traditional threat inspection methods that rely on bulk decryption, analysis, and re-encryption are not always practical or feasible, for both performance and resource reasons. These methods also compromise privacy and data integrity. Unfortunately, many organizations do not have a way to detect malicious activity in encrypted traffic without the use of decryption. With the growing amount of encrypted traffic and the number of threats hiding within it, how should organizations ensure the encrypted traffic coming into their network is safe, without compromising the integrity of that data?
A better approach to analyzing encrypted traffic
Stealthwatch Cloud is a Software-as-a-Service (SaaS) solution that is easy to try, easy to buy, and simple to operate and maintain. Stealthwatch Cloud analyzes network behavior to detect advanced threats, even those hiding in encrypted traffic. Cisco’s proprietary Encrypted Traffic Analytics (ETA) technology uses attributes like Initial Data Packet (IDP) to detect malware in encrypted traffic, without decrypting the data.
Recently, Stealthwatch Cloud has added further integrations with Cognitive Intelligence, our amazing cloud-based machine learning and AI R&D team as well as its Confirmed Threat Service.
These integrations allow Stealthwatch Cloud to ingest ETA telemetry from supported Cisco networking devices and provide additional, enhanced fidelity of encrypted (as well as non-encrypted) traffic. From there, ETA will alert users of potential threats that might be hiding in encrypted traffic. These alerts include cryptomining, unpublished TOR, botnets, Ramnit, Sality, malicious file download, phishing and typosquatting and more.
In a performance study by Miercom, Cisco Encrypted Traffic Analytics showed as much as 36% faster rates of detection, finding 100% of threats in three hours. Furthermore, the study found that Cisco ETA detected 100% of malicious flows within three hours
How it Works
Cognitive Intelligence’s Confirmed Threat Service provides Stealthwatch Cloud with a list of high-confidence Indicators of Compromise (IOCs in the form of IPs and domains), a full description of the related global threat, and a write-up of recommended remediation steps. These IOCs are generated as a result of processing billions of connections from across the globe using a pipeline of analytical techniques which include the collection of Initial Data Packets. In essence, the Confirmed Threat Service is the outcome of multi-layered machine learning and encrypted traffic analytics that can convict known as well as unknown global threat campaigns. Cisco ETA can match field data extracted from the IDP against known IOCs which allows Stealthwatch Cloud to then correlate local customer telemetry to the global Confirmed Threat Service.

New alerts created via this threat intelligence will show up as “Confirmed Threat Watchlist Hit” alerts. These alerts can include named malware type families and also provide details on what they do (exfiltration, exploit, content distribution, botnets, ransomware, etc). Some of the threat intelligence provided by the Confirmed Threat Service is created in collaboration with Cisco Talos. Talos will seed intelligence (initial set of seed IOCs), title and description of a threat. Cognitive Intelligence will then expand this seed set of IOCs with new occurrences using information gathered from IDPs and machine learning – which in turn yields new IPs and domains that are also related to the given threat and appear in real customer telemetry.

Meeting Compliance Needs

In addition to being able to effectively monitor encrypted traffic coming into their network, organizations also have to consider how they use encryption on their own data. When using encryption for data privacy and protection, an organization should be able to answer major questions:
How much of the digital business uses strong encryption?
What is the quality of that encryption?
This information is critical to prevent threat actors from getting into the encrypted stream in the first place. Today, the only way to ensure that encrypted traffic is policy compliant is to perform periodic audits to look for any TLS violations. However, this method isn’t perfect due to the sheer number of devices and the amount of traffic flowing through most businesses.
Cisco Encrypted Traffic Analytics provides continuous monitoring without the cost and time overhead of decryption-based monitoring. Using the collected enhanced telemetry, Stealthwatch provides the ability to view and search on parameters such as encryption key exchange, encryption algorithm, key length, TLS/SSL version, etc. to help ensure cryptographic compliance.
Together, Cisco ETA and Stealthwatch Cloud can also identify encryption quality instantly from every network conversation, providing organizations with the visibility to ensure enterprise compliance with cryptographic protocols. These tools deliver the knowledge of what is being encrypted and what is not being encrypted on your network so you can confidently claim that your digital business is protected and compliant. This cryptographic assessment is displayed in Stealthwatch Cloud and can be exported via APIs to third-party tools for monitoring and auditing of encryption compliance.
Conclusion
With encryption becoming the new norm, it’s become increasingly important for organizations to be able to gain visibility into all traffic across the enterprise, without compromising data integrity. Cisco’s intuitive network can help detect hidden security threats, even those lurking in encrypted traffic. The powerful combination of Cisco ETA and Cognitive Intelligence help make Stealthwatch Cloud a premier encrypted traffic analytics powerhouse.
To learn more about Cisco Stealthwatch Cloud and Encrypted Traffic Analytics, read the At a Glance and the white paper.
Get started with a free 60-day trial of Cisco Stealthwatch Cloud today!

The post SaaS-delivered Encrypted Traffic Analytics with Cisco Stealthwatch Cloud appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Wir haben sie, die Notebook-Alternative für das Home-Office.

 

UPDATE 26.03.2020:

Fragen Sie uns nach aktuellen restlichen Verfügbarkeiten für Business-Notebooks. Kleine Chargen sind aktuell verfügbar.

 

Aktuell haben viele Unternehmen und öffentliche Auftraggeber Probleme, ihr Personal mit Notebooks auszustatten. Damit steht die gewünschte Verlagerung ins Home-Office nicht zur Verfügung. Die Liefersituation ist aktuell bei einer Verfügbarkeit gegen Null Stück.

Benötigen Sie aktuell Geräte, um Ihre Mitarbeiter während der Corona-Welle ins Home-Office zu verlegen? Dann sprechen Sie mit uns über die preislich attraktive Alternative für Ihr Haus.

Daniel Wenzlau
02261 9155054
wenzlau@oberberg.net
DSC_2012 klein
Frank Erlinghagen
02261 9155055
erlinghagen@oberberg.net
DSC_2022 klein
Jörg Wegner
02261 9155052
wegner@oberberg.net

By Barry Fisher When I booked a family vacation recently, I was reminded of the simplicity of travel planning these days. Hop on a platform like Expedia, enter your destination and travel timeline, and in just a few minutes and with a few clicks, you’re all set to jet off to any exotic location your heart desires. Booking is a simple experience. And efficient.
Imagine if we could do the same for security.
Today, security works a bit like travel booking did more than a decade ago. Remember when you had to spend a lot of time and effort getting separate information from airlines, hotels, and car rental companies, then any extras you wanted, like tour operators? You’d then have to compare options, ensure the scheduling and other details synced up — and finally make separate arrangements with each vendor. It was tedious and time-consuming. And could get complex, depending on your destination.
In security, of course, most teams deal with more than three or four vendors or data sources. A lot more. Cisco’s 2020 CISO Benchmark report showed that 13% of organizations have more than 20 security vendors. And ESG’s 2020 Integrated Platform report indicated that 30% of organizations use more than 50 different security products while 60% use more than 25. More often than not, these vendors‘ products don’t talk to each other. So, it doesn’t surprise anyone that 76% of organizations claim that threat detection and response is more difficult today than 2 years ago.
Isn’t it time for the security industry to do better?
Security’s vicious cycle
This may be a familiar scenario:
You have more users connecting everywhere, more devices accessing data, and new digitization initiatives demanding more teams and new workflows to secure it all — with limited resources.
You can’t forget to keep the software you already have up to date against a growing number of vulnerabilities and sophisticated tactics and techniques used by adversaries.
You added more solutions to solve individual problems, but these point solutions fragmented your visibility across users, devices, applications, and networks — you get more visibility, but not in one place to easily understand the complete picture.
Your solution sprawl now represents as much of a vulnerability as new threats. And don’t know where to close the loop with manual workflows that lack shared context or any collaboration between your SecOps, ITOps and NetOps teams.
Incidents take longer to investigate and remediate. And more vendors offer you yet more tools to solve this problem.
This is the vicious cycle that security teams are stuck in today. Over time, security has grown more complex and overwhelming to manage.
Which brings me back to my earlier thought — imagine if we could do for security what Expedia did for travel.
To simplify security, it would take a platform approach that integrates all your security solutions in the backend, and connects them to a consistent interface that unifies visibility, enables automation, and strengthens security across all control points. Just like Expedia changed how you experience travel planning; this integrated platform would completely change how you experience security.
Watch the 90-second Cisco SecureX explainer

The evolution of platform approaches
The platform approach is certainly not a new idea. SIEM is one of the earliest examples. Considered revolutionary when introduced over a decade ago, the technology picked up steam as customers looked to solve alert fatigue, along with compliance.
But SIEM — and now its younger cousin, SOAR — only addresses part of the problem. While it correlates data and automates incident investigation so you can respond to alerts faster, these additional layers of technology burden your team with the labor-intensive ask to integrate many control points one by one. And beyond security operations, what about the security use cases that IT and network operation teams care about, such as policy management.
Both customers and vendors are realizing that security platforms need to evolve, and platforms are becoming a buzzword. How do you sift through the noise? You have to think about the outcomes you want, and how the platform meets those outcomes.
We built our platform with the idea that security solutions should work as a team, learning from each other, listening to each other, and responding as a coordinated unit. We believe this is a systematic approach that both simplifies security and makes it more effective.
How SecureX helps escape the trap
For several years, we’ve been working to integrate our security portfolio across all the control points, so our solutions work seamlessly on the backend. Now, Cisco SecureX takes this work to the next level, connecting the backend to a unified frontend as well as your existing security investments. A platform that gives our customers the ability to access their security from one central location across the full life cycle.
SecureX connects the breadth of Cisco’s integrated security portfolio and customer’s entire security infrastructure for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoint, cloud, and applications. The result is a simplified experience, built into the Cisco Security products you already have – it’s not a new layer of technology you must buy and deploy before you realize new value. And if you have an existing SIEM investment, SecureX will connect to it to unlock the full potential of your security working better together. With an open platform, security teams can easily integrate the products they use now, as well as cutting-edge products they’ll want to use in the future.
With SecureX, you can:
Confidently secure every business endeavor: Meet your security needs of today and tomorrow with the broadest, most integrated security platform that covers every threat vector and access point.
Unify visibility across the entire security infrastructure: Gain actionable insights with analytics across network, endpoint, cloud, and applications to accelerate threat response and realize desired outcomes.
Automate critical security workflows: Increase the efficiency and precision of your existing resources to advance your security maturity and stay ahead of an ever-changing threat landscape.
Collaborate better than ever: Share context between SecOps, ITOps, and NetOps to harmonize security policies and drive stronger outcomes across workflows.
Reduce complexity and maximize portfolio benefits: Advance the potential of your Cisco Security investments, try other components of the Cisco portfolio with a click before you buy, and connect to your existing security infrastructure via out-of-the-box interoperability.
What’s next
We want to simplify your experience, accelerate your success, and protect your future — and we’re just getting started with our platform approach. We have a bold vision for where we want to go in this journey, and we invite you to come along.

Learn more about Cisco SecureX and sign up to our SecureX waitlist to be one of the first to experience it.

The post Security’s Vicious Cycle appeared first on Cisco Blogs.

Source:: Cisco Security Notice