Source:: Innovaphone

By Rajat Gulati
The Changing Face of Cyber Security
Cyber Security is quite like an onion; it brings tears to your eyes! And we at Cisco have made it our mission to wipe those tears and put a smile back on your face.
But the onion analogy does not end there. Good cyber defense is architected in layers, much like the anatomy of the tear-jerking bulbous root. As the network expands beyond the traditional perimeter, so does the need to provide defense in depth. We all see the trend: the boundaries of the network are blurring, even as it is being called upon to process ever larger amounts of data. To monitor the pulse of your network, you have to dig deeper to find answers to questions such as “Who attacked us?” or “What was compromised, and when?”. Without help, your security teams might break into a sweat dealing with this reality as the attack surface continues to expand.
Gone are the days when a bouncer at the entrance of your bar (or your friend’s bar) could keep troublemakers out. Today, bad actors can seep in through other points of entry, or disguise (encrypt) themselves and walk right through the front door. They sometimes even enter in plain sight, especially if they are not on the most-wanted list (yet). How then do you protect against such elements from seeping through the cracks?
What you need, if you stay with the bar analogy just a little longer, is a ‘stealthy’ manager monitoring the behavior of all entities on your premises, so that you get alerted when something looks amiss. This trusted aide should be armed to receive inputs from multiple sources: all points of entry, as well as the folks working the floor itself.
Jump back now to the real world of IT infrastructure (unless you actually own a bar, you should still read on), and what you need is a method to monitor all your traffic, both inbound/outbound and lateral, using a single analytical tool. By bringing together these critical sources of telemetry, you get a unified view of your perimeter and internal threats, not by manual or point-by-point correlation, but by automated and programmatic means. In this manner, you get complete end-to-end visibility into your network, with the ability to detect threats and indicators of compromise. Now, what if this capability was available without the need to author lengthy configurations or complex rules, while requiring minimal care and feeding? All of this may sound like a fantasy novel, but oftentimes fact is stranger than fiction.
Welcome to Cisco Security Analytics and Logging
Cisco Security Analytics and Logging was born in the cloud, with simplicity and ease of use as a core design tenet. It has a self-evident name, and an equally simple goal in mind: aggregation of your disparate sources of telemetry into a single data store. Automated means of analysis (statistical, M/L and behavioral modelling) can then be performed on this combined data set, treating it as a single logical input. Since every aggregation effort must have a start point, Security Analytics and Logging’s kick-off candidates are the most voluminous telemetry producers in networks today:
Firewall logs, which keep track of every connection made, as well as any incidents encountered (IPS/IDS or File/Malware), mostly at the perimeter.
Internal traffic telemetry produced by connections between network elements such as endpoints, switches, wireless access points, routers, etc. on your premises.
To bring together perimeter and internal telemetry, Security Analytics and Logging integrates two avant-garde SaaS products in Cisco’s security portfolio:
Cisco Defense Orchestrator, a cloud-delivered, SaaS-based solution that cuts complexity for consistent management of policies across Cisco security products.

Stealthwatch Cloud, a cloud-delivered, SaaS-based solution that provides end-to-end visibility, behavioral analysis, and threat detection across your private network, public cloud, and hybrid environments.

Now, you might wonder, “Why stop there?” We hear you, and you are right; we are NOT stopping here. Rather, this is just the start. Security Analytics and Logging is being built out as an aggregator of data, to provide intelligence derived from disparate points in the network, treating them as a single pool for analysis. The discerning mind will recognize that this differs from the outcomes of, say, a SOAR, which correlates already-processed data rather than crunching raw data. In this manner, the analyzed outcomes of Cisco Security Analytics and Logging become a source of input for other Incident Response (IR) tools.
Tell me why we need this:
Bringing machine-scale analysis to human-scale understanding
This is how I would explain it to my grandmother: information is power. The more information I can gather, the better equipped I am to arrive at the correct conviction of a threat. While I can gather convictions from numerous trusted inspectors, I can also gather my own raw data straight from the source and build my own point of view. The disadvantage of relying on others’ convictions alone is that each of them may have a limited view of the world: perimeter only, endpoint only, content only, etc. What if I gathered all the information for myself, treating these various sources as sensors, and made my own conviction in addition? Am I better or worse off?
My smart grandmother would say, “Well, that depends on your ability to process all that information intelligently”. And she would be right: you need a best-of-breed analysis engine to do your intelligent tasks. It is for this reason that Security Analytics and Logging is powered by Stealthwatch Cloud’s advanced entity behavioral modeling and threat detection engine. We use a combination of behavioral modeling, multilayered machine learning, and global threat intelligence to automatically detect threats. For those amongst you who are already familiar with the magic of Stealthwatch Cloud, I know you must be eager to end the conversation with my grandmother, order Security Analytics and Logging, and head to your friend’s bar. Stay a little longer, and I promise that you will be on your way.
Visibility, Visibility, Visibility
It all starts with visibility. You cannot protect what you cannot see. Oftentimes, you don’t even realize what it is that you should be monitoring. Therefore, when it comes to visibility, there are some more advanced questions that need to be addressed. These questions may come up in a conversation with your security budget office. We shall speak to some of those now:
Question 1 – Tell me what ‘accretive’ outcomes I achieve by sending firewall logs to Security Analytics and Logging for analysis?
That is a great question. First of all, behavioral threat detections are based on baselining network behavior against established patterns. This is widely considered a more dynamic way of detecting threats than static rules or content-based inspection methods. It may come as no surprise to anyone that, notwithstanding the most robust IPS/DPI inspection policies and rules, suspicious behaviors continue to be detected inside networks. The key word to understand here is ‘accretive’; it is by no means suggested that Cisco Security Analytics and Logging attempts to be, or will ever replace, other sensors such as firewalls. It does, however, certainly enhance the efficacy of those sensors by allowing correlation of anomalous behavior within your network with the traffic that is associated with it. Such analysis may point to a potential data exfiltration or a compromised insider. As stated before, Security Analytics and Logging enables you to additionally monitor traffic generated between your internal network elements (endpoint to access points, between switches and routers, etc.). Your firewall may not be in the path of this traffic, so it may not be able to provide the depth of visibility needed for making high-fidelity convictions.
Question 2 – Apart from security alerts based on correlation of my firewall logs and network traffic, does Cisco Security Analytics and Logging provide any other outcomes?
It certainly does. One of the primary use cases of storing NGFW logs is providing a historical and live view of said logs. NetSec operators love (?) sitting in front of these views and scrolling to troubleshoot based on connections that have occurred at a particular time with a particular IP address. With filters on search, Security Analytics and Logging fulfills this use case, providing real-time visibility of what is happening at your firewalls. What is more, this view is rendered within the CDO (Cisco Defense Orchestrator) user interface. Furthermore, since CDO is the curator of firewall tenants analyzed by Security Analytics and Logging, it is simpler to view logs in the portal that is used to manage those very devices.
Question 3 – If I am an existing Stealthwatch Cloud customer using my private network monitoring, what accretive value can I derive from Security Analytics and Logging?
Let’s break this down. A firewall connection log has visibility beyond what network elements alone can provide. An example of this could be blocked connections, which will immediately show up in the event viewer in CDO. Filtering by all ‘blocks’, the operator can plainly see the policy that was responsible for the block. This is just one example of the numerous workflows/sources that contribute to the enhanced visibility that results from Security Analytics and Logging.
Better efficacy with smarter security
With our new offering, get ready to leverage effective policy management with CDO powered by Stealthwatch Cloud’s advanced behavioral analytics, for total network visibility and faster breach detection. You can now make better security policy management decisions with greater visibility and threat detection capabilities across the firewall and network. As the biggest security company in the world, Cisco has committed itself to solving platform-level challenges that span all the points in your network.
The good news is that Cisco Security Analytics and Logging is just starting up. The intent is to foster a new security paradigm, one that reduces risk and makes compliance easier; one that fuses your business and security architecture, and frees your workforce to focus their valuable time and energy on business objectives. This will empower them to think less about threats, and more about opportunities.
Time now to enjoy that drink. Cheers.
Learn more about Cisco Security Analytics and Logging for details on how we are raising the bar on network security.

Source:: Cisco Security Notice

By Wendy Nather
Does money make you feel secure? Probably not if you’re a CISO. According to our new report, “The Security Bottom Line,” no matter how large your budget is, you’re not likely to feel that you have everything you need to effectively protect your environment from cyberattacks. But you can still put other capabilities and practices in place to shore up your defenses.
As part of the report, we surveyed security professionals about their budgeting and planning efforts. It was telling to find that:
Ninety-four percent of respondents said they know they have further to go to implement effective security.
Eighty-four percent said they were able to afford some, but not all, of the minimum amount of security they needed to defend their infrastructure.

Security Success Factors
If it’s not all about the money, what other factors come into play? Through a double-blind survey of IT decision makers, the report examines various sized organizations’ security prowess through the lens of:
Budget – How much are organizations spending on security?
Expertise – Do they have the appropriate staff and skills to comprehensively protect their most critical assets?
Capability – What other conditions can get in the way of strong security? (For example, architecture, regulations, etc.)
Influence – Can IT and security buyers influence vendors and partners to help safeguard their infrastructure?
All of these are critical aspects that contribute to a security program – it’s not just about funding. We can’t throw money at a problem without having the right foundation to make it work.
[Figure: Security Maturity Pyramid. Source: Cisco 2019 Security Bottom Line Survey]
Our new report explores fundamental steps organizations can and should be taking to strengthen their security, regardless of how much they have to spend, for example conducting a cyber risk assessment or increasing security staff training.
Do you have the right resources and strategies in place to proactively defend your environment? We invite you to explore “The Security Bottom Line” to determine where your organization stands amid your peers, and learn how you can take security to the next level.

Source:: Cisco Security Notice

By Bryan Doerr
At Cisco, our customers drive what we do in security. Stealthwatch provides customers around-the-clock visibility, and a system that keeps up with changes in their IT environments. In a survey that was sent to over 10,000 Stealthwatch customers, we were able to identify what sorts of security challenges are top of mind. Next, we examined how we could address these issues in the most helpful way. Stealthwatch provides users a comprehensive look into their security network. It reaches every port, every host, and every individual threat that could lead to a security breach. Here is a breakdown of the most important takeaways from our research:
1. Lack of visibility was the top challenge that led our customers to Stealthwatch
Lack of visibility, insider threats, and the inability to conduct in-depth network analysis were the top three challenges for our customers, and lack of visibility led the group. Those reasons haven’t changed much over the 17 years Stealthwatch has been in the market! Stealthwatch provides visibility across the enterprise network, from on-premises to cloud deployments. Further, it applies behavioral modeling and machine learning to generate alerts like data hoarding and data exfiltration, both of which are key indicators of insider threats. Stealthwatch is also able to store network telemetry long-term so that a security team can easily investigate incidents that have occurred in the past. As a result, Stealthwatch helps customers face these challenges head on. 74% of Stealthwatch customers agreed that Stealthwatch is a must-have component of their network security. This number means we are doing our job!
2. Customers want a solution that integrates into their network and security stack
Our customers love the synergy between Cisco technologies. In fact, 67% believe that this is the #1 reason to choose Stealthwatch. Integration with Cisco products ensures that customers maximize their investment and ensure optimal operation of their network. Comprehensive visibility, ability to analyze encrypted traffic without decryption, and scalability were some other reasons why customers chose Stealthwatch. Stealthwatch consumes various types of telemetry from the network, endpoint, cloud and data center, and uses advanced analytics infused with Cisco Talos threat intelligence to find hidden threats. The survey identified Encrypted Traffic Analytics and integration with Identity Services Engine (ISE) as Stealthwatch’s most important features. The new Visibility Assessment app, which provides visibility into the overall network health, was also highly rated. In addition to summarizing traffic and conditions on the network, this app allows generation of a PDF security status report for senior management who typically don’t use the Stealthwatch dashboard.
3. Multicloud and hybrid cloud are becoming increasingly common, bringing new security challenges
More than 95% of Stealthwatch on-premises respondents have deployed or are planning to deploy one or more cloud platforms spanning Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Our SaaS (software-as-a-service) offer, Stealthwatch Cloud, can monitor all these environments by consuming native cloud telemetry such as VPC (Virtual Private Cloud) flow logs and NSG (Network Security Group) flow logs. In addition to disruption in service, cloud-related breaches can result in huge bills because of the cloud’s pay-as-you-go pricing model. Customers understand that they need to secure their cloud network. Stealthwatch Cloud allows them to use a single security tool to do so. Customers identified unauthorized access, data loss, insider threats and misconfigurations as common cloud security challenges. Stealthwatch Cloud detects all these incidents.
4. Forensic analysis to determine the source and impact of the threat is one of the key use cases
Because Stealthwatch casts such a wide net on an organization’s network, it can address a number of different use cases. Interestingly, the top one mentioned by customers was the ability to investigate sources of threats through network audit trails. Stealthwatch can store network telemetry for long periods, allowing for forensic analysis related to past and current events. The intuitive flow search capability and included contextual information related to threat detections are presented within the user interface (UI), which helps accelerate incident response.
Another way in which Stealthwatch helps our customers is the visibility it provides across users, devices and applications connecting to the network: who they are and what they are doing. Using this visibility, Stealthwatch can detect advanced threats quickly before they turn into a high-impact breach. Customers also love the fact that they can extend their existing network investments to improve security by seamlessly integrating Stealthwatch into their environment. Additionally, many customers use Stealthwatch to simplify their segmentation strategy. With the visibility it provides, Stealthwatch can help define effective security policies and trigger events when policies are violated using custom security events. Allowing customers to check assumptions about normal network traffic is a key segmentation benefit offered by Stealthwatch.
5. Stealthwatch discovers a broad spectrum of security threats for our customers.
Lastly, customers provided feedback on the kind of things Stealthwatch has discovered in their environments:
Threats in encrypted traffic like malware/spyware (C&C) connections
Cryptomining activity
WannaCry campaigns
Configuration changes
Legacy devices that were thought to be disconnected from the network
Suspicious behavior
Security policy violations

The Stealthwatch team is committed to improving based on feedback from our customers. We thank all of our survey respondents.
You can find the detailed customer research and testimonials from this year as well as past surveys here.
To learn more about Stealthwatch, go to: https://cisco.com/go/stealthwatch or sign up for our free visibility assessment.

Source:: Cisco Security Notice

By Talos Group
The Gustuff banking trojan is back with new features, months after initially appearing targeting financial institutions in Australia. Cisco Talos first reported on Gustuff in April. Soon after, the actors behind Gustuff started by changing the distribution hosts and later disabled its command and control (C2) infrastructure. The actor retained control of their malware since there is a secondary admin channel based on SMS.
The latest version of Gustuff no longer contains hardcoded package names, which dramatically lowers the static footprint when compared to previous versions. On the capability side, the addition of a “poor man scripting engine” based on JavaScript provides the operator with the ability to execute scripts using the malware’s own internal commands, backed by the power of the JavaScript language. This is something that is very innovative in the Android malware space.
The first version of Gustuff that we analyzed was clearly based on Marcher, another banking trojan that’s been active for several years. Now, Gustuff has shed some of its similarities to Marcher, displaying changes in its methodology after infection.
Today, Gustuff still relies primarily on malicious SMS messages to infect users, mainly targeting users in Australia. Although Gustuff has evolved, the best defense remains token-based two-factor authentication, such as Cisco Duo, combined with security awareness and the use of only official app stores.

Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 11 and Oct 18. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU10182019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

By Talos Group
Attackers are capitalizing on the recent discovery of a new vulnerability that exists across legacy iOS hardware. Cisco Talos recently discovered a malicious actor using a fake website that claims to give iPhone users the ability to jailbreak their phones. However, this site just prompts users to download a malicious profile which allows the attacker to conduct click-fraud.
Checkm8 is a vulnerability in the bootrom of some legacy iOS devices that allows users to control the boot process. The vulnerability impacts all legacy models of the iPhone from the 4S through the X. The campaign we’ll cover in this post tries to capitalize on checkra1n, a project that uses the checkm8 vulnerability to modify the bootrom and load a jailbroken image onto the iPhone. Checkm8 can be exploited with an open-source tool called “ipwndfu” developed by Axi0mX.
The attackers we’re tracking run a malicious website called checkrain[.]com that aims to draw in users who are looking for checkra1n.
This discovery made headlines and caught the attention of many security researchers. Jailbreaking a mobile device can be attractive to researchers, average users and malicious actors. A researcher or user may want to jailbreak phones to bypass standard restrictions put in place by the manufacturer to download additional software onto the device or look deeper into the inner workings of the phone. However, an attacker could jailbreak a device for malicious purposes, eventually obtaining full control of the device.


Source:: Cisco Security Notice

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Oct 4 and Oct 11. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU10112019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.

Source:: Cisco Security Notice

By Wendy Nather
As we get ready for the Gartner IT Symposium/Xpo in Orlando, we’ve been thinking more about every element and imperative in their CARTA model: Continuous Adaptive Risk and Trust Assessment. Since ‘C’ also stands for Cisco, let’s start there.
Gartner uses the word “continuous” in a lot of places, including in their seven imperatives. It’s a reaction to the former practice of using what they call “one-time security gates”: you made a decision based on a static set of information (such as a source IP address or a username and password combination), and then you never revisited it. We know that this practice isn’t sufficient to maintain the proper level of trust. Trust is neither binary nor permanent: you don’t trust something or someone to do everything, and you don’t trust forever. Based on the changing nature of risk and the environment, you have to check more than once.
How often do you need to check, and does “continuous” really mean “all the time”? It depends on what you’re checking, what actions you’re taking based on those checks, and how both of those actions affect the system itself (users, applications, devices, networks and so on). Let’s take a look at a chart that Sounil Yu, formerly at Bank of America, devised for the purposes of identifying all the different ways that authentication can happen:

As you can see, a device can authenticate to a network using network access control; to an application using a client-side certificate; and to data with an encryption key. There are many opportunities to authenticate, but should you use all of them? If you try to make a user do all of the steps in the bottom row — authenticate to the device, the application, the network, the data — then you’re going to have a very cranky user. Continuous authentication, if you want to use it, has to be hidden from the user except at times when your estimation of risk really needs the user’s active participation.
On the other hand, devices and systems don’t mind continuous authentication, so doing the continuous checking and verification isn’t as disruptive. And continuous monitoring is fine, as long as you know what you’re going to do with all the data that’s generated. Can you interpret and respond to an ongoing stream of event data? Can you automate that response? If so, great; if not, you’ll end up throttling that “continuous” monitoring to produce the key data that you can actually use.
Gartner’s CARTA Imperative Number Two says “Continuously Discover, Monitor, Assess and Prioritize Risk — Proactively and Reactively.” How often do you do all of these things? Near real-time discovery of users and assets is the ideal state, and there are various ways to accomplish it. Continuous monitoring is (hopefully) a given. The tricky parts are assessment and prioritization, which often need a human to incorporate business context. For example, getting a login request from an unusual location could be a high risk, unless you already know that the employee using that account is really traveling there.
An organization needs to design its monitoring, analysis and actions around risk, but with tradeoffs against what the humans in the equation can reasonably support. How long can you let a successfully authenticated application session last before you start worrying that the user is no longer who you thought they were? Two hours? Eight hours (a typical working day)? A week? Can you force the user to re-authenticate just once through a single sign-on system, or will they have to log back into several applications? The answers can determine how frequently you carry out that “continuous” verification.
What events will cause you to revise your risk estimation and require fresh verification? It might be a request for a sensitive or unusual transaction, in which case you might resort to step-up authentication and kick off an extra permission workflow. It could be the release of a new security patch, so that you want to force all users to update before they can renew their access. Or it could be contact with an asset that is now known to be compromised, and you have to reset everything you knew and trusted about the application and its processes.
Your risk and trust assessments should be adaptive, but they shouldn’t be gratuitously continuous. They should be as often as your risk models require, and only as frequent as you can handle. Balancing controls against usability is the great challenge before us today.
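The session-length and re-verification questions above come down to a small decision procedure: how old may an authenticated session get, which events force the user to participate again (step-up or a fresh login), and which events reset trust entirely. The following is an added, illustrative example of such a risk-adaptive policy; it is not Cisco's or Gartner's code, and the eight-hour session limit, the two-hour silent verification cadence, the sensitive-transaction list and the event names are assumptions chosen to match the scenarios described in the post.

```python
"""Risk-adaptive session verification (illustrative policy, not a product API)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional, Tuple


class Action(Enum):
    ALLOW = "allow"                  # nothing changed; keep the session as is
    VERIFY_SILENT = "verify_silent"  # re-check device/network posture, user not involved
    STEP_UP = "step_up"              # ask the user for an extra factor or approval
    REAUTH = "reauthenticate"        # force one fresh login, ideally through SSO
    REVOKE = "revoke"                # discard everything previously trusted


@dataclass
class Session:
    user: str
    authenticated_at: datetime   # last time the user actively logged in
    last_verified_at: datetime   # last silent device/network posture check
    login_location: str


@dataclass
class Event:
    kind: str                    # "transaction", "location_change", "patch_released", "asset_contact"
    detail: dict = field(default_factory=dict)


@dataclass
class Policy:
    max_session_age: timedelta = timedelta(hours=8)    # assumption: one working day
    verify_interval: timedelta = timedelta(hours=2)    # assumption: silent check cadence
    sensitive_transactions: frozenset = frozenset({"wire_transfer", "export_data"})
    known_travel: dict = field(default_factory=dict)   # user -> set of expected locations
    compromised_assets: frozenset = frozenset()        # assets now known to be compromised
    client_patch_level: int = 0                        # patch level of the user's client


def evaluate(session: Session, event: Optional[Event], now: datetime,
             policy: Policy) -> Tuple[Action, str]:
    """Return (Action, reason). Checks run from most to least severe so that a
    trust-resetting event wins over a mere cadence check."""
    # 1. Contact with a compromised asset: reset everything we trusted.
    if event and event.kind == "asset_contact":
        asset = event.detail.get("asset")
        if asset in policy.compromised_assets:
            return Action.REVOKE, f"contact with compromised asset {asset}"

    # 2. Conditions that require one fresh login: stale session, or a new
    #    patch requirement the client does not yet meet.
    if now - session.authenticated_at > policy.max_session_age:
        return Action.REAUTH, "session older than max_session_age"
    if event and event.kind == "patch_released":
        required = event.detail.get("required_level", 0)
        if policy.client_patch_level < required:
            return Action.REAUTH, f"client patch level below required {required}"

    # 3. Conditions that need the user's active participation (step-up):
    #    a sensitive transaction, or an unusual location not explained by
    #    known travel (business context supplied by a human, as the post notes).
    if event and event.kind == "transaction":
        name = event.detail.get("name")
        if name in policy.sensitive_transactions:
            return Action.STEP_UP, f"sensitive transaction {name}"
    if event and event.kind == "location_change":
        loc = event.detail.get("location")
        expected = policy.known_travel.get(session.user, set())
        if loc != session.login_location and loc not in expected:
            return Action.STEP_UP, f"unexpected location {loc}"

    # 4. Background re-verification on a cadence the user never sees.
    if now - session.last_verified_at > policy.verify_interval:
        return Action.VERIFY_SILENT, "verify_interval elapsed"

    return Action.ALLOW, "within trust window"


if __name__ == "__main__":
    # Constructed sample: Alice logged in from Chicago and is expected in Orlando.
    t0 = datetime(2019, 10, 18, 9, 0)
    pol = Policy(known_travel={"alice": {"Orlando"}},
                 compromised_assets=frozenset({"app-07"}), client_patch_level=3)
    s = Session("alice", t0, t0, "Chicago")
    for ev, t in [(None, t0 + timedelta(hours=3)),
                  (Event("location_change", {"location": "Orlando"}), t0 + timedelta(minutes=10)),
                  (Event("location_change", {"location": "Lagos"}), t0 + timedelta(minutes=10)),
                  (Event("asset_contact", {"asset": "app-07"}), t0 + timedelta(hours=20))]:
        print(evaluate(s, ev, t, pol))
```

The ordering is the design point: a compromised-asset contact is evaluated before the cheap cadence check, so "continuous" verification never masks an event that should reset trust, while a location change that business context already explains (known travel) produces no user-visible prompt at all.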
Learn more about Cisco’s Zero Trust approach during Wendy’s talk on October 21 at 1:00 p.m. ET at Gartner IT Symposium/Xpo in Orlando, FL, which takes place at Walt Disney World Swan and Dolphin Resort.

Source:: Cisco Security Notice

By Talos Group
Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that target TileGX.

Source:: Cisco Security Notice