By Ben Munroe
Zero trust has gone mainstream. Everyone’s either promoting the concept, offering solutions to address the challenge, or just wanting to understand what it’s all about. And that’s the trouble: it means different things to different people, especially the word “trust,” which is a loaded term in security.
Just as we don’t trust hackers and cybercriminals, we do want to trust our employees, contractors, and business partners, don’t we? How do we succeed in business, after all, without trusting our users and guests to seamlessly access our data and resources?
That’s actually where zero trust comes in. We permit users to access the resources they need to get their jobs done. We try to stay out of our users’ way when we can. And we don’t do so blindly. We put safeguards in place to make sure users don’t leverage their access for wrongdoing, and that outsiders don’t usurp that access to carry out attacks.
As discussed on a recent security podcast, while zero trust is not new, it is now moving from the realm of hype to a pragmatic, accepted standard. In fact, Cisco was recently named a leader in the 2019 Forrester Zero Trust Wave.
Don’t let just anyone into your home…
Think of it this way. We choose to let certain visitors into our homes, but we don’t let just anybody in. We make sure we know them first, or that they can prove they’re from the plumbing company we called, for example.
We have security cameras so we can watch what people are doing when they approach our home and door. We have locks on our doors, and fences and gates around our yards, so we can decide who gets in and out. And when people do come in, we often confine them to certain areas of the house.
In a nutshell, that’s what zero trust is for our computing environments. It’s a comprehensive approach to securing access across your networks, applications, and infrastructure – including access from users, computers, phones, IoT devices, cloud applications, and more.

Amidst today’s complex computing environment, security teams are losing visibility into and control over who and what is accessing their networks and data. According to our 2020 CISO Benchmark Report, 52 percent of respondents find mobile devices very or extremely challenging to defend. And, 52 percent also said that it is very or extremely challenging to secure data stored in the public cloud.
Traditional security solutions were based on the concept of a finite network perimeter. But with the evolution of today’s workplace, the perimeter has changed due to the introduction of technologies like cloud, mobile, and the internet of things (IoT). We can no longer base security on the location from which an access request originates – because today’s users and devices are everywhere.
Cisco Zero Trust
By verifying the validity of every access request, no matter which user, location, and device it comes from, zero trust ensures that only the right users and devices get access, and that attackers cannot move laterally across the network. However, not all zero trust models are created equal.
Cisco Zero Trust protects your workforce, workloads, and workplace.
Some zero trust solutions focus on just one component of your ecosystem, while Cisco Zero Trust offers comprehensive security across your workforce, workloads, and workplace, and dynamically adjusts to address new levels of risk. Cisco also extends zero trust across our security portfolio, and to third-party technologies, to enhance visibility and policy enforcement across your entire infrastructure.
In other words, your home security measures can protect your house and yard, but can they also secure the people, appliances, and other objects in and around your home?

Main components of Cisco Zero Trust
Zero trust is a framework and way of doing security, versus a single product or solution. That’s why vendors who want to sell you a single product to solve your zero trust challenges should be looked at with suspicion. Zero trust takes the precise coordination of people, processes, and technology to do it right. The key pillars of Cisco’s zero trust strategy include the following:
Secure your workforce
Duo Security secures your workforce, ensuring that only the right users and devices can access applications. It helps protect your users and their devices against stolen credentials, phishing, and other identity-based attacks. And, it verifies users’ identities and establishes device trust before granting access to applications – from any location.
According to Vivian Ho, Software Engineer at Lyft, “My team’s main objective is to design and build tools and services that help keep Lyft’s infrastructure and data safe, and we believe Duo is a trusted partner in this journey…we see Duo serving as a core technology building block to enable our zero trust security philosophy.”
Protect your workload
Cisco Tetration protects your workloads, securing all connections within your applications across data centers and multi-cloud environments. It contains breaches and minimizes lateral movement through application micro-segmentation.
“Tetration gives me 20/20 vision in the data center,” said Eugene Pretorius, CIO of Infrastructure and Security at First National Bank. “It’s the only tool in the world that can show what is happening across the network, application, and server planes all on one screen.”
Defend your workplace
Cisco SD-Access segments your workplace, securing user and device connections across your network, including for IoT devices like cameras, manufacturing equipment, heart pumps, and more.
“With Cisco SD-Access, we can automate and apply segmentation and security policies to our network devices up to 10 times faster than before,” said Frank Weiler, who heads up the networking department for the City of Luxembourg.

Cisco SecureX – A platform approach to zero trust
The above technologies work together, and with other Cisco and third-party technologies, through our platform approach to security – SecureX. Today’s security professionals can no longer get by with siloed technologies. With SecureX, the whole is greater than the sum of its parts as multiple security technologies are integrated to share information and work together as a team. Ninety-five percent of customers say SecureX is valuable for helping them take action and remediate threats.
Cisco SecureX is the industry’s broadest, most integrated security platform.
Much like the security sensors on the windows in your home can trigger an alarm, which alerts your home security provider, who can call the police – SecureX seamlessly unifies visibility, enables automation, and strengthens security across network, endpoint, cloud, and applications. It’s all about greater simplicity and better security.
At the heart of our platform approach is the belief that security solutions should learn from one another and respond as a coordinated unit. And, that security should be built in versus bolted on, making it more holistic and effective. With this kind of strategy, implementing zero trust becomes less of a manual, onerous process, and more of an invisible, yet powerful means of protecting your environment – reducing the attack surface and accelerating incident response.
Get started with zero trust
Protect your network like you protect your home. Go to cisco.com/go/zero-trust and cisco.com/go/securex for further details.
The post Zero chance of tackling zero trust without a platform approach appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Ben Nahorney
What’s the quickest way to access a computer? Logging in. As obvious as this may sound, it’s worth reflecting on this. Because while logging in is so second nature that you probably don’t give it much consideration, it’s also one of the most common techniques for taking over a computer.
From a malicious standpoint, stealing and using legitimate credentials to gain access is more likely to go undetected as an attacker attempts to move through a network. Dropping a trojan or exploiting a vulnerability can certainly gain you initial access, but authorized credentials help you navigate laterally under the radar.
It’s no wonder that login credentials are a primary target of bad actors. According to Verizon’s 2019 Data Breach Investigations Report, using stolen credentials was the second-most common activity conducted by attackers during a breach.
So how do bad actors go about stealing credentials? Some techniques are well known, others not as much.
The usual suspects
Phishing emails are by far the most popular method to steal credentials. As we’ve discussed in the past, the scams take many forms, from notifications that there’s a document online that you should view, to notifications of upgrades to your account.
Keyloggers—another common tool for stealing credentials—sit in the background and log keystrokes on a compromised computer. An attacker can load up a keylogger, then wait for it to record credentials as they are input into the computer.
While these are popular methods for stealing credentials, they aren’t the only options. Once an attacker has a foothold on a system, it turns out there is a veritable gold mine of credentials already sitting on that machine. This is where a technique called credential dumping comes in: the attacker scours a compromised computer for stored credentials in order to move laterally and/or carry out further attacks. Phishing and keylogging make headlines, while credential dumping receives far less attention, even though it is a staple of post-compromise activity. That gap only underscores the importance of understanding the attack method.
Credential dumping
There are a variety of places within operating systems where credentials are stored for use in everyday operation. If an attacker can gain access to a particular system, they can attempt to locate, copy, and “dump” the credentials.
Credential dumping is possible mainly because software and operating systems have worked to reduce the number of times a user is required to enter their password. To deliver that single sign-on experience, operating systems keep passwords, or secrets derived from them such as hashes, keys, and tickets, in memory, databases, or files. The idea is that the operating system asks for the password once, then reuses the cached credential for successive authentications in the short term, saving the user from having to enter it again.
Tools of the trade
Problems arise when an attacker gains privileged code execution on a computer. Reading another process’s memory, such as that of LSASS, normally requires local administrator or SYSTEM rights (in practice, the SeDebugPrivilege), so credential dumping usually follows an earlier privilege escalation. With that access, an attacker can extract credentials from memory with a variety of credential dumping tools. Tools like gsecdump, creddump, and PWDumpX can be used in a variety of ways to steal credentials.
However, the most popular credential dumping tool by far is Mimikatz. Developed in 2007 by Benjamin Delpy, it began as a proof of concept showing that the Microsoft Windows Local Security Authority Subsystem Service (LSASS) kept plain-text copies of users’ passwords in memory (through the WDigest authentication provider). LSASS stores credentials so that users don’t have to log in repeatedly each time they want to access system resources. While that specific weakness was eventually addressed, Mimikatz evolved to become an important tool for penetration testers and other security professionals to check for credential dumping weaknesses within systems. Unfortunately, it has become a popular tool for malicious actors as well.

Where to steal
An attacker can pull credentials from different areas on a system. With access to a regular endpoint computer, an attacker can look for credentials in the following locations.
WDigest
This is a legacy authentication protocol in Windows. When enabled, LSASS keeps a plain-text copy of each logged-in user’s password in memory so that it can answer digest challenges on the user’s behalf. Plain-text caching has been disabled by default since Windows 8.1 and Server 2012 R2 (and through update KB2871997 on older versions), but the provider still exists in the latest versions of Windows, and attackers frequently re-enable it by setting the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential to 1, then waiting for users to log in again so that their passwords land back in memory.
Security Accounts Manager (SAM)
This is the database, stored as a registry hive, that Windows has used since Windows NT to hold local accounts. SAM is used to authenticate local users, whether they log in at the console or over the network, allowing access when the provided credentials match what SAM has on file. Passwords are not kept in clear text; SAM holds NT hashes, encrypted with a key derived from the boot key in the SYSTEM hive. An attacker who copies both the SAM and SYSTEM hives can therefore extract usernames and NT hashes offline, and those hashes can then be cracked or used as-is in the pass-the-hash attacks discussed later.
LSA Secrets
The Local Security Authority (LSA) manages authentication and the logging in of users on a Windows system, as well as the local security policy for a computer. Sensitive data used by this subsystem, including the passwords of accounts that run Windows services and the computer’s own domain account password, is stored in a protected area of the SECURITY registry hive called “LSA secrets.”
Kerberos
The Kerberos protocol was specifically designed for strong, secure authentication. It does so through a ticketing system, granting various permissions to users and services. Attacks against Kerberos generally involve forging or injecting stolen Kerberos tickets to gain access.
If an attacker manages to get onto a domain controller—the network server responsible for managing authentication on the domain—then there are additional areas where credentials are stored.
NTDS
This is the Active Directory database (NTDS.dit), where the domain controller stores information about every object in the domain, including the password hashes of all domain users and computers. Whoever holds a copy of NTDS.dit, along with the SYSTEM hive needed to decrypt it, holds every credential in the domain.
Group Policy Preference files
This Windows feature lets administrators push settings such as local account passwords, mapped drives, and scheduled tasks through Group Policy, with the credentials embedded in the policy XML. These policies are stored in the SYSVOL share, which any domain user can read, and the embedded passwords can be decrypted by anyone because Microsoft published the AES key used to protect them. MS14-025 removed the ability to set new passwords this way, but old policy files often linger.
DCSync
Instead of a location, DCSync is a technique in which an attacker abuses the directory replication API that domain controllers use to synchronize with one another. Using an account that holds replication rights (by default Domain Admins, Enterprise Admins, and the domain controllers’ own computer accounts), the attacker asks a domain controller for the password hashes of any account, including krbtgt, exactly as a peer domain controller would, and the controller obligingly sends them over for use in further attacks.
Using the credentials
Once an attacker has gathered credentials, how do they use them? It’s pretty straightforward when it comes to user names and passwords that have been stolen through phishing, keylogging, or stolen and successfully decrypted.
However, not all credentials can be easily decrypted or cracked. You may think that is the end of the line in these cases. Unfortunately, it isn’t. There is a whole family of attack techniques centered on using these credentials as-is.
For instance, consider that passwords are generally not stored in recoverable form on the authenticating server at all; they are stored as one-way hashes (on Windows, the NT hash). When you log in directly, the server hashes the password you submit and compares the result with the hash on file. Network authentication protocols such as NTLM go one step further: the server sends a random challenge, the client computes a response keyed with the password hash, and the server checks that response using the hash it has stored. Either way, if there’s a match, access is granted, and in the challenge-response case the password itself is never needed.
This means that if an attacker steals a user’s hash but can’t crack it, they can simply use the hash as the key when answering the server’s challenge. The server can’t tell the difference, because the legitimate client’s software performs exactly the same computation, and access is granted. This technique is called “passing the hash.”
There are a number of similar authentication attacks. For instance, an attacker could also dump Kerberos tickets from a compromised system, then use them to attempt to log in in a similar fashion. As a variation of the overall theme, this attack is called “pass the ticket.”
There are plenty of variations out there. In “overpass the hash,” the attacker uses a stolen NT hash as the account’s Kerberos key and asks the domain controller for a ticket-granting ticket, turning an NTLM credential into Kerberos tickets that can be used to log into network resources. There are also “golden” and “silver” tickets: Kerberos tickets forged with a stolen key rather than requested from the domain controller. A golden ticket is a ticket-granting ticket forged with the hash of the domain’s krbtgt account, which grants effectively unlimited access throughout the domain; a silver ticket is a service ticket forged with the hash of the account running a particular service, which grants access to that service alone.
What to do
Fortunately, there are many ways to defend against credential dumping.
Monitor access to services like LSASS and databases like SAM.
Keep an eye out for command-line arguments used in credential dumping attacks.
On domain controllers, monitor logs for unscheduled activity.
Look out for directory replication requests coming from IP addresses not assigned to known domain controllers, which is the signature of DCSync.
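As an added example (not from the original post, and not any Cisco product’s detection logic), the following Python applies the first three monitoring points above to a handful of constructed Sysmon-style events: process-access events against lsass.exe, process-creation command lines, and a registry write that re-enables WDigest. The DCSync network check needs flow data and is left out. Field names follow Sysmon’s conventions, but the sample events, the allow-list of processes permitted to read LSASS, and the command-line patterns are illustrative assumptions a team would tune to its own environment.

```python
import re
from typing import Dict, List

PROCESS_VM_READ = 0x0010  # access right every LSASS memory dumper must request

# Assumed allow-list: processes that legitimately open lsass.exe with VM_READ.
LSASS_READERS_ALLOWED = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Command-line patterns for common dumping tools and built-in "living off the land" tricks.
COMMAND_LINE_RULES = [
    (re.compile(r"sekurlsa::|lsadump::|kerberos::", re.I), "Mimikatz module on the command line"),
    (re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system|security)\b", re.I),
     "registry hive export (SAM/SYSTEM/SECURITY)"),
    (re.compile(r"comsvcs\.dll.*minidump", re.I), "LSASS dump via comsvcs.dll MiniDump"),
    (re.compile(r"procdump.*lsass", re.I), "LSASS dump via procdump"),
    (re.compile(r"ntdsutil.*\bifm\b", re.I), "NTDS.dit export via ntdsutil IFM"),
]

# Constructed events, not real telemetry: two benign, five matching dumping behaviour.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
    {"EventID": 1, "Image": r"C:\Tools\mimikatz.exe",
     "CommandLine": r'mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SAM C:\temp\sam.hiv"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 652 C:\temp\l.dmp full"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "SourceImage": r"C:\Users\bob\Downloads\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential",
     "Details": "DWORD (0x00000001)"},
]


def check_event(event: Dict) -> List[str]:
    """Return the reasons (possibly none) a single event looks like credential dumping."""
    reasons: List[str] = []
    eid = event.get("EventID")
    if eid == 1:  # ProcessCreate: inspect the command line
        cmd = event.get("CommandLine", "")
        for pattern, reason in COMMAND_LINE_RULES:
            if pattern.search(cmd):
                reasons.append(reason)
    elif eid == 10:  # ProcessAccess: who opened lsass.exe, and with what rights?
        target = event.get("TargetImage", "").lower()
        source = event.get("SourceImage", "").lower()
        granted = int(event.get("GrantedAccess", "0x0"), 16)
        if (target.endswith(r"\lsass.exe") and granted & PROCESS_VM_READ
                and source not in LSASS_READERS_ALLOWED):
            reasons.append(f"{source} opened lsass.exe with VM_READ (0x{granted:x})")
    elif eid == 13:  # RegistryEvent (SetValue): WDigest plain-text caching switched on
        target = event.get("TargetObject", "").lower()
        if target.endswith(r"wdigest\uselogoncredential") and "0x00000001" in event.get("Details", ""):
            reasons.append("WDigest plain-text caching re-enabled (UseLogonCredential=1)")
    return reasons


def triage(events: List[Dict]) -> List[Dict]:
    """Run every event through the rules and collect alerts with the offending image."""
    alerts = []
    for event in events:
        for reason in check_event(event):
            alerts.append({"reason": reason, "image": event.get("Image") or event.get("SourceImage")})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['reason']}  <- {alert['image']}")
```

The access-rights check is the one that catches tools the command-line patterns have never heard of: a renamed or custom dumper still has to ask the kernel for PROCESS_VM_READ on lsass.exe, so that single bit is worth more than any list of tool names. The allow-list is where the false positives live, so build it from a baseline of your own hosts rather than copying the one above.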
The security capabilities found in AMP for Endpoints can continuously analyze and monitor file and process activity. AMP can automatically generate alerts at the first sign of malicious behavior, such as an unauthorized process attempting to open and read the memory of LSASS, quickly stopping attacks in their tracks before they can cause any further damage.
Of course, if an attacker does manage to steal credentials, using multi-factor authentication (MFA) can prevent the attacker from actually using them to gain access to other systems. Cisco Duo protects your systems by using a second source of validation to verify user identity before granting access.
Even better, combine the powers of AMP and Duo to reduce the attack surface by allowing AMP to notify Duo when an endpoint has potentially been compromised, allowing Duo to automatically block that endpoint from accessing critical apps that Duo is protecting.
A zero-trust strategy can also go a long way to limit or prevent an attacker from moving laterally through a network. Cisco Identity Services Engine simplifies the delivery of consistent, highly secure access control across all network connections. With far-reaching, intelligent sensor and profiling capabilities, ISE can reach deep into the network to deliver superior visibility into who and what are accessing resources, preventing unwanted access as a result.
Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.
The post Stealing passwords with credential dumping appeared first on Cisco Blogs.

By Talos Group
The ongoing COVID-19 pandemic continues to yield new subject matter that bad actors can turn into fodder for enticing victims into clicking on malicious links and attachments. On March 27, the CARES Act was signed into law by the President, enacting a wide range of stimulus packages designed to aid Americans and businesses during the crisis. One such measure will authorize a supplemental stimulus check to American citizens.
Along with the general increase in coronavirus and COVID-19-themed attacks, this stimulus package will also be leveraged as a lure to deliver additional attacks that trick unsuspecting victims into divulging personal information or subject them to financially motivated exploitation.
Talos has already detected an increase in suspicious stimulus-based domains being registered and we anticipate they will be leveraged to launch malicious campaigns against users.

The post COVID-19 relief package provides another platform for bad actors appeared first on Cisco Blogs.

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 20 and Mar 27. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200327-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 20 to March 27 appeared first on Cisco Blogs.

By Talos Group
The COVID-19 pandemic is changing everyday life for workers across the globe. Cisco Talos continues to see attackers take advantage of the coronavirus situation to lure unsuspecting users into various pitfalls such as phishing, fraud, and disinformation campaigns. Talos has not yet observed any new techniques during this event. Rather, we have seen malicious actors shift the subject matter of their attacks to focus on COVID themes. We continue to monitor the situation and are sharing intel with the security community, customers, law enforcement, and governments.
Protecting your organization from threats that leverage COVID themes relies on the same strong security infrastructure foundation that your organization hopefully already has. However, security organizations must ensure that existing protections and capabilities function in a newly remote environment, that users are aware of the threats and how to identify them, and that the organization has implemented security best practices for remote work.
Read More >>
The post Threat Update: COVID-19 appeared first on Cisco Blogs.

By Radhika Mitra
Public cloud is still a hotly debated topic amongst organizations, and take a guess as to why? Security. However, that hasn’t kept businesses from investing heavily in public cloud strategies. By the end of 2020, Forbes has forecasted “67% of enterprise IT infrastructure and software will be cloud-based.” If you’re trying to increase your network scale, realize greater network value or transform to a more dynamic infrastructure, you’re either already in the midst of your journey or at least part of the way there. And with services and assets shared between your on-premises networks and the cloud, it can be unclear who is responsible for securing what, and how. The public cloud Shared Responsibility model was designed to combat exactly that, and to draw a clear line between what the provider secures and what you secure.
There are two key areas of the Shared Responsibility model:

“Security of the Cloud” – The cloud vendor is accountable to protect and ensure availability of the infrastructure and the services that make up the cloud. Cloud infrastructure is composed of the hardware, software, networking, and facilities that run the respective vendor’s cloud services.

“Security in the Cloud” — You are responsible for your cloud-based assets and management. Ultimately you design your own unique security strategy and manage your risks for any and all cloud services, asset and data you add in a public cloud. For example, any compute instances you run, you are responsible for the management of the guest operating system (including updates and security patches), any application software or utilities you install on the instances, and the configuration of the cloud-based firewall on each instance. You are responsible for managing your data (including encryption options), classifying your assets, and using IAM tools to apply the appropriate permissions.
With all the different security offerings available in each public cloud provider’s marketplace, it becomes overwhelming and confusing trying to identify the right tools to help you fulfill your end of the shared responsibility model. To alleviate the confusion and to help you maintain a consistent posture both on premises and in the cloud, a good rule of thumb is to work with a security vendor whose tools support a broad range of cloud providers. Likewise, leveraging the same tools you use to secure your premises-based networks in the cloud ensures a faster deployment, reduces misconfigurations and ensures stronger security for all your cloud-based investments.

At Cisco, we do the heavy lifting for you. We offer a comprehensive suite of security solutions for public cloud environments and maintain strong technology partnerships with the leading public cloud providers (AWS, Google Cloud, Azure). This allows you to integrate security seamlessly into your cloud environments, deliver a consistent experience for your users and maintain visibility and control over all your cloud data and assets. The depth and breadth of our solutions ensures your business can safely transition to the cloud while aligning security to the speed of your digital business:
Cloud security: Cisco Umbrella integrates multiple security services in the cloud including DNS-layer security, firewall, secure web gateway, cloud access security broker, and more to secure internet access. Since DNS is built into the foundation of the internet, security at the DNS-layer can be simple to deploy and highly effective for securing the public cloud. Cisco Umbrella provides DNS-based security that blocks requests to malware, phishing, and botnets before a connection is even established.
Secure On-prem to Public Cloud: Cisco Next Generation Firewall can bring advanced capabilities of your firewall into your cloud environment, acting as a gateway and also extending your data center security policies into cloud and remaining compliant. What’s more, you can create a consistent security posture that extends from your on-premises environment to your cloud infrastructure, making the migration to public cloud seamless and painless.
Cloud Workload Security & Microsegmentation: Applications are among your most exposed assets (read more on app security). Securing application workloads with microsegmentation from Cisco Tetration in your cloud lets developers move quickly while security operations keeps control over which workloads are allowed to talk to each other.
Advanced Threat Detection: What about network flow? Get advanced threat detection in your cloud network with Stealthwatch Cloud.
Secure Access to your Cloud: Also, ensure you have secure access using Duo multi-factor authentication to your cloud-based services.
Cisco Services is a true partner in your journey to a shared responsibility model by helping you deploy and manage your security solutions in the cloud. With Cisco you are not alone, you have the power of a trusted partner to bring along with you on your digital transformation journey to ensure a consistent security posture for your hybrid network.
The post Understanding the Shared Responsibility Model: Securing Public Cloud Just Got Easier appeared first on Cisco Blogs.

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Mar 13 and Mar 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200320-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for March 13 to March 20 appeared first on Cisco Blogs.

By Anthony Grieco
People are the key to any effective cybersecurity strategy. If your people don’t understand relevant cyber risks or don’t know how to take the proper action when they occur, the rest of your strategy simply doesn’t matter. At Cisco, we practice a pervasive security culture. Our combination of workforce training and educational initiatives instills a company-wide commitment and collective sense of responsibility and ownership to protect ourselves and our customers.
How do you get a global network of employees and contractors to take personal responsibility for cybersecurity, data protection, and privacy? We knew we had to develop a campaign that would garner attention in a fun and creative way to keep people engaged and alert. In response, we developed Keep Cisco Safe, an innovative internal risk mitigation awareness and education program. It combined out-of-the-box creative thinking, gamification, digital signage, a personalized rewards system including achievement badges, and top-down executive sponsorship to change workers’ behaviors.
A key facet of the campaign included cyber “monsters,” each representing threat characters. With a focus on data protection, privacy, secure product development, and threats such as adware, malware and phishing, the monsters gave Cisco employees an eye-catching opportunity to identify, learn and act. To learn more, I highly encourage you to read the complete case study.

Now with over 97,000 actively engaged, we’ve found that Cisco employees and contractors have increased their cybersecurity knowledge and vigilance. This is clear by the spike of incidents being reported to our Data Protection and Privacy Response team. It’s not that we have experienced more incidents, it is the fact that more people are reporting them through proper channels.
To call the Keep Cisco Safe campaign “monstrously” successful would be an understatement. I am honored to share the campaign has been named a winner in Info Security Product Guide’s 2020 Global Excellence Awards!
Info Security Products Guide – the industry’s leading information security research and advisory guide – recognizes cybersecurity IT vendors with advanced, ground-breaking marketing programs, solutions, and services that are raising the bar for the security industry.
Like any effective education and training initiative, our Keep Cisco Safe program continues to evolve and grow. We are honored to be recognized as an industry leader by the Info Security Products Guide. Behind this distinguished success is our relentless effort to drive pervasive security, trust, data protection, and privacy into everything we do at Cisco. This recognition from Info Security PG’s Global Excellence Award further validates our commitment to security and trust within our enterprise and for our customers.
For more on Cisco’s strategy to protect itself and its customers, visit our Trust Center.

The post Cisco Wins Global Excellence for Cybersecurity Education and Awareness appeared first on Cisco Blogs.

By Sunil Amin
We’ve reached an interesting turning point for encrypted traffic.
Gartner predicted that 80% of web traffic would be encrypted by 2019. Sure enough, this prediction came true. Last year, the team at Let’s Encrypt, an organization that helps enable encryption for websites, cited that 80% of web traffic they’ve seen is now encrypted. We have reached the point where the average volume of encrypted traffic on the internet has now surpassed the average volume of unencrypted traffic.
This is largely good news: encrypting internet traffic is now the norm online and will continue to grow. This is good for data privacy and should let us sleep a bit easier knowing that as our information traverses the internet, it’ll be encrypted.
However, much like the adoption rate of encrypted traffic, encrypted threats are also on the rise. This year, Gartner has predicted that more than 70% of malware campaigns will use some type of encryption to conceal malware delivery, command-and-control activity, or data exfiltration. Complicating matters, it’s also predicted that 60% of organizations will fail to decrypt HTTPS efficiently, thereby missing critical encrypted threats.
Traditional threat inspection methods that rely on bulk decryption, analysis, and re-encryption are not always practical or feasible, for both performance and resource reasons. These methods also compromise privacy and data integrity. Unfortunately, many organizations do not have a way to detect malicious activity in encrypted traffic without the use of decryption. With the growing amount of encrypted traffic and the number of threats hiding within it, how should organizations ensure the encrypted traffic coming into their network is safe, without compromising the integrity of that data?
A better approach to analyzing encrypted traffic
Stealthwatch Cloud is a Software-as-a-Service (SaaS) solution that is easy to try, easy to buy, and simple to operate and maintain. Stealthwatch Cloud analyzes network behavior to detect advanced threats, even those hiding in encrypted traffic. Cisco’s proprietary Encrypted Traffic Analytics (ETA) technology uses attributes like Initial Data Packet (IDP) to detect malware in encrypted traffic, without decrypting the data.
Recently, Stealthwatch Cloud has added further integrations with Cognitive Intelligence, our cloud-based machine learning and AI R&D team, and with its Confirmed Threat Service.
These integrations allow Stealthwatch Cloud to ingest ETA telemetry from supported Cisco networking devices and provide enhanced fidelity for encrypted (as well as unencrypted) traffic. From there, ETA alerts users to potential threats that might be hiding in encrypted traffic. These alerts include cryptomining, unpublished Tor, botnets, Ramnit, Sality, malicious file download, phishing, typosquatting, and more.
In a performance study by Miercom, Cisco Encrypted Traffic Analytics showed as much as 36% faster rates of detection, and the study found that Cisco ETA detected 100% of malicious flows within three hours.
How it Works
Cognitive Intelligence’s Confirmed Threat Service provides Stealthwatch Cloud with a list of high-confidence Indicators of Compromise (IOCs in the form of IPs and domains), a full description of the related global threat, and a write-up of recommended remediation steps. These IOCs are generated by processing billions of connections from across the globe through a pipeline of analytical techniques that includes the collection of Initial Data Packets. In essence, the Confirmed Threat Service is the outcome of multi-layered machine learning and encrypted traffic analytics that can convict known as well as unknown global threat campaigns. Cisco ETA can match field data extracted from the IDP against known IOCs, which allows Stealthwatch Cloud to correlate local customer telemetry with the global Confirmed Threat Service.

New alerts created via this threat intelligence show up as “Confirmed Threat Watchlist Hit” alerts. These alerts can include named malware families and also provide details on what they do (exfiltration, exploit, content distribution, botnets, ransomware, etc.). Some of the threat intelligence provided by the Confirmed Threat Service is created in collaboration with Cisco Talos. Talos seeds the intelligence (an initial set of IOCs) along with the title and description of a threat. Cognitive Intelligence then expands this seed set of IOCs with new occurrences, using information gathered from IDPs and machine learning, which in turn yields new IPs and domains that are also related to the given threat and appear in real customer telemetry.

Meeting Compliance Needs

In addition to being able to effectively monitor encrypted traffic coming into their network, organizations also have to consider how they use encryption on their own data. When using encryption for data privacy and protection, an organization should be able to answer major questions:
How much of the digital business uses strong encryption?
What is the quality of that encryption?
This information is critical to prevent threat actors from getting into the encrypted stream in the first place. Today, the only way to ensure that encrypted traffic is policy compliant is to perform periodic audits to look for any TLS violations. However, this method isn’t perfect due to the sheer number of devices and the amount of traffic flowing through most businesses.
Cisco Encrypted Traffic Analytics provides continuous monitoring without the cost and time overhead of decryption-based monitoring. Using the collected enhanced telemetry, Stealthwatch provides the ability to view and search on parameters such as encryption key exchange, encryption algorithm, key length, TLS/SSL version, etc. to help ensure cryptographic compliance.
Together, Cisco ETA and Stealthwatch Cloud can also identify encryption quality instantly from every network conversation, providing organizations with the visibility to ensure enterprise compliance with cryptographic protocols. These tools deliver the knowledge of what is being encrypted and what is not being encrypted on your network so you can confidently claim that your digital business is protected and compliant. This cryptographic assessment is displayed in Stealthwatch Cloud and can be exported via APIs to third-party tools for monitoring and auditing of encryption compliance.
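As an added example (not Cisco's code, and not how ETA is actually implemented), the following Python script works only on the Initial Data Packet of a TLS session, the ClientHello, to do the two things described in the “How it Works” and compliance sections above: match the SNI or destination IP against a watchlist standing in for the Confirmed Threat Service, and flag legacy TLS versions and weak cipher suites for cryptographic compliance, all without decrypting anything. The watchlist entries, cipher policy, and sample ClientHello are constructed placeholders.

```python
import struct

# Constructed stand-ins for a threat feed and a crypto policy (placeholders, not real IOCs).
WATCHLIST = {"c2.invalid": "constructed-botnet", "203.0.113.7": "constructed-c2"}
WEAK_CIPHERS = {0x000A, 0x002F, 0x0035}      # TLS_RSA_* suites: static RSA, no forward secrecy
LEGACY_VERSIONS = {0x0300, 0x0301, 0x0302}   # SSL 3.0, TLS 1.0, TLS 1.1

def build_client_hello(sni, ciphers, versions):
    """Build a minimal TLS ClientHello record, used here only as constructed sample input."""
    host = sni.encode()
    sni_ext = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    sv_ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext + struct.pack("!HH", 43, len(sv_ext)) + sv_ext
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00" + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(rec):
    """Pull SNI, offered cipher suites and versions out of the IDP; nothing is decrypted."""
    if rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                                   # record + handshake headers, version, random
    p += 1 + rec[p]                                  # session_id
    n = struct.unpack("!H", rec[p:p + 2])[0]; p += 2
    ciphers = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(p, p + n, 2)]; p += n
    p += 1 + rec[p] + 2                              # compression methods, extensions length
    sni, versions = None, [struct.unpack("!H", rec[9:11])[0]]   # fallback: legacy client_version
    while p + 4 <= len(rec):
        et, el = struct.unpack("!HH", rec[p:p + 4]); data = rec[p + 4:p + 4 + el]; p += 4 + el
        if et == 0:                                  # server_name: list_len(2) type(1) len(2) name
            sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode()
        elif et == 43:                               # supported_versions: len(1) then 2-byte versions
            versions = [struct.unpack("!H", data[i:i + 2])[0] for i in range(1, 1 + data[0], 2)]
    return {"sni": sni, "ciphers": ciphers, "versions": versions}

def assess(rec, dst_ip):
    """Return IDP fields plus findings: watchlist hits (IOC match) and crypto-compliance issues."""
    f, findings = parse_client_hello(rec), []
    for key in (f["sni"], dst_ip):
        if key in WATCHLIST:
            findings.append(f"Confirmed Threat Watchlist Hit: {key} ({WATCHLIST[key]})")
    findings += [f"legacy TLS version offered: 0x{v:04x}" for v in f["versions"] if v in LEGACY_VERSIONS]
    weak = [f"0x{c:04x}" for c in f["ciphers"] if c in WEAK_CIPHERS]
    if weak:
        findings.append("weak cipher suites offered: " + ", ".join(weak))
    return f, findings
```

Running `assess(build_client_hello("c2.invalid", [0xC02F, 0x002F], [0x0304, 0x0303, 0x0301]), "198.51.100.9")` yields a watchlist hit on the SNI, a legacy TLS 1.0 offer, and a weak cipher finding, from the first packet alone.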
Conclusion
With encryption becoming the new norm, it has become increasingly important for organizations to gain visibility into all traffic across the enterprise without compromising data integrity. Cisco’s intuitive network can help detect hidden security threats, even those lurking in encrypted traffic. The powerful combination of Cisco ETA and Cognitive Intelligence helps make Stealthwatch Cloud a premier encrypted traffic analytics powerhouse.
To learn more about Cisco Stealthwatch Cloud and Encrypted Traffic Analytics, read the At a Glance and the white paper.
Get started with a free 60-day trial of Cisco Stealthwatch Cloud today!

The post SaaS-delivered Encrypted Traffic Analytics with Cisco Stealthwatch Cloud appeared first on Cisco Blogs.


We have it: the notebook alternative for the home office.

UPDATE 26.03.2020:

Ask us about the current remaining availability of business notebooks. Small batches are currently available.

Many companies and public-sector customers are currently having trouble equipping their staff with notebooks. As a result, the desired shift to home-office working is not possible. The supply situation is currently at an availability of close to zero units.

Do you currently need devices to move your employees to the home office during the coronavirus wave? Then talk to us about the attractively priced alternative for your organisation.

Daniel Wenzlau
02261 9155054
wenzlau@oberberg.net
Frank Erlinghagen
02261 9155055
erlinghagen@oberberg.net
Jörg Wegner
02261 9155052
wegner@oberberg.net