By Jeff Reed
Making Security an Enabler, so Your Business Can Take an Exponential Leap
I joined the Cisco Security team the week after the RSA Conference in 2017. At that time there was a lot of discussion around the journey Cisco Security was on, particularly around our efforts to deliver an integrated architecture. Over the preceding years we had been integrating threat intelligence, context sharing and our anti-malware engine across our portfolio and were seeing dramatic improvements in key metrics such as time to detection.
But from the perspective of a security practitioner’s daily experience with our portfolio, we were failing. The user experience was siloed, it took too long to stitch our products (and third-party products) together, and even the navigation and look and feel of our products varied dramatically.
Shortly after that RSA we made the decision to focus our attention on the operational experience of our Security products, realizing that the usability component was just as important as the underlying architecture. We stood up a team to lead us on that journey and began laying the foundation for what would become a huge leap forward for Cisco Security and for our customers.

Today we are introducing Cisco SecureX – a new way for users to experience Cisco’s Security portfolio. Cisco SecureX streamlines our customers’ operations with increased visibility across their security portfolio and provides out-of-box integrations, powerful security analytics, and automated workflows to speed threat detection and response. SecureX is an open, cloud-native platform that connects Cisco’s integrated security portfolio and customers’ security portfolios for a simpler, more consistent experience across endpoints, cloud, network, and applications.
The foundational capabilities of SecureX
SecureX builds on the foundational work we’ve been doing over the past 2.5 years, including Cisco Threat Response, a common user experience, single sign-on, secure data sharing between on-prem and the cloud, and more. But it does a whole lot more. The best way to experience SecureX is to visit us at the RSA conference. For those of you who can’t make it, here are some of the most important capabilities of the platform:
Unified visibility
SecureX provides unified visibility across all parts of your security portfolio – Cisco or third-party solutions – delivering metrics, activity feed and the latest threat intelligence. I am particularly excited about the operational metrics capabilities of SecureX: Mean Time to Detection, Mean Time to Remediation, and Incident burndown times. These metrics are derived from full case management capabilities native to the SecureX platform. Case management enables SecureX customers to assign cases, track them to closure, and add relevant artifacts captured during investigation.
Automation
SecureX brings full multi-domain orchestration and automation capabilities to our customers using a no/low-code approach and an intuitive drag-and-drop interface to deliver high-performance and scalable playbook capability. The SecureX orchestration and automation capabilities use an adapter model that allows users to quickly and easily orchestrate across Security, Networking, IoT, Cloud, Collaboration, and Data Centers. SecureX already has 50+ adapters across these domains and will continue to develop more.
Playbooks
SecureX will deliver pre-built playbooks, and customers can also develop their own playbooks tailored to their own environment of Cisco and non-Cisco products. With our phishing playbook for example, end users can submit suspicious email to SecureX to get a recommendation of whether it is malicious or not. If the submitted email is malicious, the end user will be notified of recommended next steps, and an event will be generated in SecureX alerting the security team. To deliver this capability, the playbook pre-processes email to extract observables, determines the verdict for observables, hunts for targets involved and takes mitigation and/or preventative actions such as isolating the targets involved, blocking the malicious domain as necessary, etc.
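The first two stages of the phishing playbook described above (pre-process the submitted email into observables, then assign each observable a verdict and derive next steps) can be sketched in a few dozen lines. The code below is an added illustration, not SecureX code; the sample message and the verdict table are constructed here, and a real playbook would obtain verdicts from threat-intelligence lookups rather than a hard-coded dictionary.

```python
"""Toy phishing-playbook stages: extract observables from an email, assign
verdicts, and produce the user recommendation plus a SecOps event."""
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: a suspicious message as a user might submit it.
SAMPLE_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp.test>
To: alice@example-corp.test
Subject: Password expires today
Content-Type: multipart/mixed; boundary="B"

--B
Content-Type: text/plain

Your password expires in 2 hours. Reset it at
http://login.evil-example.test/reset?u=alice or contact 198.51.100.23.

--B
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

TUlNRSB0ZXN0IGF0dGFjaG1lbnQ=
--B--
"""

# Constructed verdict table standing in for threat-intelligence lookups.
DOCM_SHA256 = hashlib.sha256(b"MIME test attachment").hexdigest()
VERDICTS = {
    ("domain", "login.evil-example.test"): "Malicious",
    ("ip", "198.51.100.23"): "Suspicious",
    ("sha256", DOCM_SHA256): "Malicious",
}


def _valid_ipv4(candidate):
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_observables(raw_eml):
    """Stage 1: return a sorted list of (type, value) observables."""
    msg = message_from_string(raw_eml)
    found = set()
    sender = parseaddr(msg.get("From", ""))[1]
    if "@" in sender:
        found.add(("domain", sender.rsplit("@", 1)[1].lower()))
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():  # attachments are identified by hash only
            found.add(("sha256", hashlib.sha256(payload).hexdigest()))
            continue
        text = payload.decode("utf-8", errors="replace")
        for url in URL_RE.findall(text):
            found.add(("url", url))
            host = urlparse(url).hostname
            if host:
                found.add(("domain", host.lower()))
        for ip in IPV4_RE.findall(text):
            if _valid_ipv4(ip):
                found.add(("ip", ip))
    return sorted(found)


def assign_verdicts(observables):
    """Stage 2: look up each observable; a URL inherits its host's verdict."""
    verdicts = {}
    for kind, value in observables:
        verdict = VERDICTS.get((kind, value))
        if verdict is None and kind == "url":
            host = (urlparse(value).hostname or "").lower()
            verdict = VERDICTS.get(("domain", host))
        verdicts[(kind, value)] = verdict or "Unknown"
    return verdicts


def run_playbook(raw_eml):
    """Overall verdict, user-facing next steps, and the event for SecOps."""
    observables = extract_observables(raw_eml)
    verdicts = assign_verdicts(observables)
    overall = "Clean"
    if "Malicious" in verdicts.values():
        overall = "Malicious"
    elif "Suspicious" in verdicts.values():
        overall = "Suspicious"
    next_steps, event = [], None
    if overall != "Clean":
        next_steps.append("Do not open the attachment or follow links; delete the message.")
        mitigations = [f"block domain {v}" for (k, v), verdict in verdicts.items()
                       if k == "domain" and verdict == "Malicious"]
        mitigations += [f"quarantine attachment sha256 {v}" for (k, v), verdict
                        in verdicts.items() if k == "sha256" and verdict == "Malicious"]
        event = {"severity": overall, "mitigations": mitigations}
    return {"verdict": overall, "observables": observables,
            "verdicts": verdicts, "next_steps": next_steps, "event": event}
```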
Managed threat hunting
Only Cisco can bring multi-domain managed threat hunting capability across endpoint, cloud, email, etc. because of the breadth and scope of our product portfolio. Multi-domain managed threat hunting detects threats leveraging a combination of intel and data techniques to surface activity that might have slipped past traditional threat, behavioral, and ML-based techniques. High-fidelity threats confirmed by our Talos and Research teams are then communicated to customers through the SecureX activity panel as well as via emails with detailed artifacts, targets involved, and remediation recommendations.
Fast time to value
Unlike other security platforms in the market, SecureX helps customers get value quickly. Getting started is simple – if you have a CCO account, log in and add products to SecureX by providing API keys and adding on-prem devices (for Firewall and on-prem Email solutions). If you don’t have a CCO account, create a SecureX account on the homepage, then add products to SecureX by providing an API key and adding on-prem devices (for Firewall and on-prem Email solutions). You are ready to go in minutes vs. hours and days.
Learn More about SecureX
These are just some examples of what you’ll be able to do with the first release of SecureX. The platform will continue to evolve so your security can keep up with the speed of business, and your business can keep taking new leaps.

Be one of the first to experience how we’re redefining and simplifying security with our new platform: sign up for our SecureX Waitlist.

Or, join us to learn more about SecureX at the RSA Conference.

The post Introducing SecureX appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Dr. Gee Rittenhouse
When we look at the world today, it has been revolutionized by the cloud, and that has disrupted the way business is done. Companies can now connect any user on any device to any network or application. But from a security perspective this has greatly expanded the attack surface. This represents an opportunity to fundamentally change the way we think about security. That is the journey that Cisco Security has been on.
Until now, security has largely been piecemeal with companies introducing new point products into their environments to address every new threat category that arises. As a result, security teams that are already stretched thin have found themselves managing massive security infrastructures and pivoting between dozens of products that don’t work together and generate thousands of often conflicting alerts. In the absence of automation and staff, half of all legitimate alerts are not remediated (Cisco’s 2020 CISO Benchmark Study). So, complexity becomes an overwhelming proposition that can hinder business and become a threat in and of itself.
Our vision is to enable the world to reach its full potential, securely. To accomplish this requires the radical simplification of security where it is a business enabler that creates a secure experience, so businesses can fully embrace the digital transformation.
For our part, we have invested more than $6 billion over five years to create the broadest security portfolio in the industry that spans network, endpoint, cloud and applications. Our strategy has been to take this portfolio and integrate the backend with our market-leading threat intelligence from Cisco Talos to deliver a “see it once, enforce it everywhere” architecture. We achieve this by analyzing diverse datasets across the portfolio, which amounts to almost 50 billion Web requests, 200 billion DNS requests and two trillion email artifacts every day. With Cisco’s size and scale, we can provide the highest efficacy possible and block more threats.
But in order for security to be truly simple, customers need to be able to have a radically different experience on the frontend of the portfolio where they are doing their daily work and making critical decisions. So, over the last year we evolved from an integrated architecture to a security platform to give customers the industry’s best protection and a simple user experience. This first presented itself with Cisco Threat Response (CTR), which automates integrations across Cisco Security products to accelerate detection, investigation and remediation. With that product, 83 percent of customers surveyed said the time spent on investigations was reduced by 25 percent or more (Tech Validate Survey, October 2019).
Building on that success, we have continued to rethink what is possible. And today, we are excited to unveil Cisco SecureX, a cloud-native platform that completely changes the user experience. Connecting the breadth of our integrated security portfolio and customers’ security infrastructure, it provides a consistent experience that unifies visibility; enables automation; simplifies analytics; and strengthens security across network, endpoint, cloud and applications.
Cisco SecureX provides real business value by allowing customers to:
Confidently secure every business endeavor with the broadest, most integrated security platform that covers every threat vector and access point.
Unify visibility across their entire security portfolio with actionable insights across network, endpoint, cloud and applications to accelerate threat response and realize desired outcomes.
Automate critical security workflows by increasing the efficiency and precision of existing resources to advance security maturity and stay ahead of an ever-changing threat landscape.
Collaborate better than ever with shared context between SecOps, ITOps and NetOps to harmonize security policies and drive stronger outcomes across workflows.
Reduce complexity and maximize portfolio benefits by allowing them to try other components of the Cisco portfolio with “click before you buy”, as well as connect to their existing security infrastructure via out-of-the-box interoperability.
Read Jeff Reed’s blog post for more insight into the industry-leading technology behind the platform and what you can expect from SecureX.

We are excited to bring this innovation to customers, but this is only the beginning. This framework is extensible, and we will continue to add functionality so that our customers can confidently secure every business endeavor with an open, integrated platform to meet the security needs of today and tomorrow.
SecureX will be generally available in June. Sign up to stay updated on the latest about SecureX, and visit us this week at the RSA Conference in San Francisco.

The post The Future of Cisco Security: Protecting What’s Now and What’s Next appeared first on Cisco Blogs.


By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Feb 14 and Feb 21. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU02212020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for February 14 to February 21 appeared first on Cisco Blogs.


By Talos Group
By Asheer Malhotra.
Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we’re calling “ObliqueRAT.”
These maldocs use malicious macros to deliver the second stage RAT payload.
This campaign appears to target organizations in Southeast Asia.
Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

What’s New?
Cisco Talos has recently discovered a new campaign distributing a malicious remote access trojan (RAT) family we’re calling “ObliqueRAT.” Cisco Talos also discovered a link between ObliqueRAT and another campaign from December 2019 distributing CrimsonRAT sharing similar maldocs and macros. CrimsonRAT has been known to target diplomatic and government organizations in Southeast Asia.
Read More>>
The post ObliqueRAT: New RAT hits victims’ endpoints via malicious documents appeared first on Cisco Blogs.


By Jeff Reed
My cybersecurity trends outlook for 2020 builds on my forecast for 2019. Identity and application security are still top-of-mind this year, but in new and more advanced ways.
As we approach RSA 2020, these are four trends in cybersecurity that I expect will make an impact this year.
1. Zero Trust goes beyond the hype and becomes reality.
Zero Trust had its buzzword breakout at RSA 2018, but there were a lot of questions. What is it? What does it mean? What does a Zero Trust architecture truly look like? As this security approach matures, it’s clear why Zero Trust is so important – there’s data to prove it.
According to the 2017 Verizon Data Breach Report, 81% of breaches involved compromised credentials
According to Imperva, 54% of web app vulnerabilities have a public exploit available to hackers
According to Positive Technologies, 92% of external penetration tests led to a breach of network perimeters
As a colleague of mine says, “Hackers aren’t breaking into networks, they’re logging onto networks.” We need to be smarter about how we establish the identity of a user or device connecting to a network or application before access is approved or denied. The principles of Zero Trust are consistent, but the “how” varies depending on what’s being protected – whether it’s a user, container, IoT device, or something else.
Zero Trust technology is maturing and customers are gaining a more consistent understanding of it as they begin this journey. Moving to Zero Trust is the No. 1 topic for many customers I speak with and it was a top priority for many at Cisco’s CISO Forum.
2. Customers lean toward a platform approach that embraces best-of-suite, instead of best-of-breed.
Security is complex, and CISOs today don’t want a complex solution to an already complex problem. In response, we’re beginning to see a majority of customers shift from a “best-of-breed” to “best-of-suite” approach to security solutions.
I’m seeing a push for fewer strategic partners and more out-of-the-box value from products designed to work together. And I think that push is only going to get stronger. Many CISOs I talk with can’t afford to spend more money for more tools that require more effort to get a team up and running on each tool. This loss of time keeps security teams from high-value work, like applying security insights to keep the enterprise secure.
As I mentioned in my most recent blog post, our annual CISO survey revealed a trend toward vendor consolidation, which tells us CISOs are looking for ways to make network security easier to manage. This trend toward simple solutions will only continue in 2020 and will be a key topic for Cisco Security at the 2020 RSA Conference.
3. SASE principles take hold as cloud security replaces on-prem security.
I personally hope 2020 is the year we can agree on a new acronym for SASE (pronounced “sassy”). But even if it isn’t, the underlying principles of Secure Access Service Edge are legitimate as more customers adopt security in the cloud. You can read more about the principles of SASE in this article from SDxCentral.
Gartner’s recent 2019 Hype Cycle Report states SASE will be as disruptive to network and network security architectures as IaaS was to the architecture for data center design. The principles of SaaS (software as a service) will unlock a new set of capabilities for security as SASE connects individual users and equipment to the cloud – which, by the way, is now a highly dependable and trustworthy place to house all of your applications and services.
This trend is important because the move to cloud is fundamentally changing how users and devices connect to applications and data. As this happens, we need to re-think the type of security controls required and where those controls should be placed. The ideal model will provide flexibility to security teams to place those controls optimally based on the traffic and access patterns of their environment. In some cases those controls will continue to reside on-prem, but increasingly those controls will move to a cloud edge.
We have already seen this with DNS security, and now we are seeing capabilities such as secure web gateway and cloud-delivered firewall. A key to this transition will be meeting the security efficacy requirements, an area that we at Cisco are leaning into.
4. Security moves into application development via DevSecOps.
Another key point coming from Cisco’s CISO Forum is the continued evolution of application security. We’re seeing it in the plethora of new technologies targeting this space. But I’m also seeing a significant change in the organizational model to deal with it. One of the more surprising data points from our fall CISO Forum was the number of CISOs who are embedding security staff directly into application development teams, often without establishing an ongoing relationship with the security organization. DevSecOps enables greater security knowledge within application development teams, gives security a true stake in the development process, and enables security to build relationships within apps teams.
In my conversations with CISOs over the last few years, I’ve seen application security rise dramatically in importance. And now we’re seeing this come to fruition as security talent is moved into the application development process.
A benchmark in the security industry each year is the RSA Conference, and this year is no exception. We’ll be talking about how these trends are already making an impact in the industry and within Cisco’s security strategy. I hope you can join us in San Francisco on February 24-28, 2020.
Be sure to follow me on Twitter and LinkedIn for the latest announcements from Cisco Security during RSA 2020. It’s going to be big.
The post 4 Cybersecurity Trends that Will Make an Impact in 2020 appeared first on Cisco Blogs.


By Cindy Valladares
As part of the activities surrounding Cisco Live Barcelona, we held a very special event specifically tailored for our CISO customers: Cisco CISO Day. It was a full day of exploring topics curated for this executive audience, and an opportunity for them to connect with peers in the security industry. We had engaging discussions around a variety of topics, including: Zero Trust, DevSecOps, cross-domain security, key factors for security success, and more. Below are a few highlights and key insights from the day.
Leadership Through Influence
Perhaps my favorite presentation of the day was by one of our customers, Michael Jenkins, MBE CISO of His experience in both military and academia is intriguing, and has allowed him to ascertain that the best way to lead is through influence. Some tips that he recommended for building strong relationships to support your security goals include:
Take your colleagues out for coffee; share your strategy and obtain their feedback
Select a few vendors and treat them as strategic partners – like friends who have your back
Get buy-in for a common goal and do not be afraid to tell people when things go wrong
Educate and help – we’re not here to shame or punish
Get plugged into the larger community within your industry and work with law enforcement to help combat threats
Encourage everyone to care about security and privacy – offer security clinics, show the SOC in action, etc.
Connecting Security to the Business
Many of the executives at our CISO Day are still finding it hard to be a part of board conversations surrounding security. Some focus on how their teams can create a competitive advantage and increase revenue, while others spend more time struggling with obtaining the appropriate budget needed for their efforts. If this is a topic of interest to you, be on the lookout for the upcoming Cisco CISO Benchmark Survey, in which we discuss leadership support, metrics that matter, and security on a limited budget. (Register here to be alerted when it comes out.)
The Human Factor
A common challenge that continues to plague CISOs is the lack of a trained and skilled security workforce. Several organizations have talent retention and training programs for their employees, yet even with these incentives, they’re finding it difficult to keep up with their needs. Some are working with local universities to provide opportunities to young professionals. What are you doing to address this issue? (You can read more about it here.)
Industrial IoT Security
Although not all organizations need to protect operational technology, this is a topic that drove several conversations from CISOs in a variety of industries like manufacturing, utilities, telecommunications, and others. Securing these industrial IoT environments is more complex than protecting your typical IT shop, and the need for availability and reliability supersedes the traditional confidentiality and integrity in the CIA triad.
For More Information
It’s always a fantastic day when you get the opportunity to learn from your customers and share challenges and opportunities. If you’re interested in learning more about these topics and would like to receive a copy of the presentations from our CISO Day or see a summary of the main topics we’ve discussed, take a look here.
The post The Voice of the CISO Customers – CISO Day in Europe appeared first on Cisco Blogs.


By Talos Group By Vanja Svajcer.
In one of our previous posts, we discussed the usage of default operating system functionality and other legitimate executables to execute the so-called “living-off-the-land” approach to the post-compromise phase of an attack. We called those binaries LoLBins. Since then, Cisco Talos has analyzed telemetry we received from Cisco products and attempted to measure the usage of LoLBins in real-world attacks.
Specifically, we are going to focus on MSBuild as a platform for post-exploitation activities. For that, we are collecting information from open and closed data repositories as well as the behavior of samples submitted for analysis to the Cisco Threat Grid platform.
What’s new?
We collected malicious MSBuild project configuration files and documented their structure, observed infection vectors and final payloads. We also discuss potential actors behind the discovered threats.
Read More >>
The post Building a bypass with MSBuild appeared first on Cisco Blogs.


By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Feb 7 and Feb 14. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU02142020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for February 7 to February 14 appeared first on Cisco Blogs.


By Talos Group
By Nick Biasini and Edmund Brumaghin.
Coronavirus is dominating the news and threat actors are taking advantage.
Cisco Talos has found multiple malware families being distributed with Coronavirus lures and themes. This includes Emotet and several RAT variants.
Executive Summary
Using the news to try and increase clicks and drive traffic is nothing new for malicious actors. We commonly see actors leveraging current news stories or events to try and increase the likelihood of infection. The biggest news currently is focused on the new virus affecting the world, with a focus on China: the coronavirus. There are countless news articles and email-based marketing campaigns going at full throttle right now. As such, we wanted to take a deeper look at how this is manifesting itself on the threat landscape.
Our investigation had several phases, first looking at the email-based campaigns, then pivoting into open-source intelligence sources for additional samples. These investigations uncovered a series of campaigns from the adversaries behind Emotet, along with a series of other commodity malware families using these same topics as lures, and a couple of odd documents and applications along the way. What was also striking was the amount of legitimate email containing things like Microsoft Word documents and Excel spreadsheets related to the coronavirus. This really underscores why using these as lures is so attractive to adversaries and why organizations and individuals need to be vigilant when opening mail attachments, regardless of their origin.
Read More >>
The post Threat actors attempt to capitalize on coronavirus outbreak appeared first on Cisco Blogs.


By Dan Kurschner
For service providers around the world, security is a fundamental and integral part of what they do. With operations across Scandinavia and Asia, Telenor is no exception. The company connects 183 million customers, and each one of them expects secure connections. It’s a given. That’s a key reason Telenor Group and Cisco signed a Joint Purpose Agreement (JPA) to expand their innovation partnership. The JPA consists of helping Telenor establish a security framework architecture, expand their security solutions, and build new security services for their end customers.
Security isn’t optional
For Cisco, this is a multi-year journey with Telenor, because when Telenor deploys new infrastructure, security must be built into everything they do. One of the first major milestones is the roll-out of Cisco Stealthwatch in all of Telenor’s business units across their telecommunications and IT operations.
Stealthwatch is a comprehensive visibility and network traffic security analytics solution that uses enterprise telemetry from the existing network infrastructure. It provides pervasive network visibility and sophisticated security analytics for advanced protection across the extended network and cloud. With Stealthwatch, you can:
Outsmart emerging threats in your digital business with industry-leading machine learning and behavioral modeling
Know who is on the network and what they are doing using telemetry from your network infrastructure
The threat landscape is changing rapidly. We’re facing adversaries that are moving and we have to move with them. The service provider world is essentially our new enterprise customer. A partner like Telenor can provide the security solutions and answers that customers need today at scale.
The network is watching
Stealthwatch uses the existing network infrastructure by turning the network itself into a security sensor that can see all of your users. This real-time visibility and analytics translate into actionable information that makes quick response to even advanced attacks possible.
Andre Arnes, CSO and SVP, Telenor Group said, “It’s a big strength for Cisco to be able to leverage Talos threat intelligence. That’s one important attribute of the scale of the partnership between Cisco and Telenor. We set some KPIs for how to measure and grow this service. We saw that we would not only reach the 2019 KPIs in 2019, but also the 2020 ambitions.”
Telenor is continuing to work with Cisco on the development of Cisco Umbrella, Stealthwatch, and Stealthwatch Cloud, the firewall intrusion detection and next-generation identity solutions.
Solving challenges and building trust

For Telenor, partnerships with Cisco and other global security players are essential to understanding and solving today’s security challenges. Watch the video to find out more about the collaborative way Telenor is working with Cisco to keep their network and their customers secure.

The post Cisco and Telenor: Working Together to Protect Infrastructure appeared first on Cisco Blogs.
