By Talos Group Cisco Talos has a new plugin available for IDA Pro that provides a new disassembler for TileGX binaries. This tool should assist researchers in reverse-engineering threats in IDA Pro that target TileGX.
read more >>
Source:: Cisco Security Notice
By Mike Luken Today’s digital economy relies on secure communications in both our personal and business activities. We expect that when private data is transmitted over the internet, or other communications channels, it will be protected against tampering and prying eyes. The integrity and confidentiality of information is typically achieved using cryptography, mathematically based methods to encrypt and decrypt information.
We assume our communications are secure. But are they? Cryptography provides the foundation of secure communications, but how do we know that the cryptography we are using is correct and secure? When was the last time you verified that the algorithms used have been implemented correctly? Or that they have not been intentionally or unintentionally altered to make them less secure?
Fortunately for all of us, there are organizations that have active programs to do just this. As highlighted in Anthony Grieco’s blog on “Automating Explicit Trust,” Cisco and industry leaders are working to develop technologies that provide explicit trust (i.e. evidence of trustworthiness) and enhance communications security. A notable example is the Cryptographic Module Validation Program (CMVP) conducted by the National Institute of Standards and Technology (NIST) as a part of Federal Information Processing Standard (FIPS). Many organizations are required to only utilize products that contain NIST validated cryptographic modules. And this makes sense. Leaders want the communications used in their organizations to be based on a sound foundation to ensure the integrity and confidentiality of their information.
Historically, CMVP testing required significant manual effort which made the endeavor both costly to vendors and extremely time consuming. This resulted in vendors having to make hard decisions on which products and software versions to validate. The organizations requiring this validation, saw the following:
A smaller number of available validated products and software versions
Having to choose between using a non-validated version of software that contains vulnerability fixes vs. using existing validated products with known vulnerabilities while waiting for the new software to be validated.
Recognizing the impact of this dilemma, NIST and industry have been working together to create the Automated Cryptographic Validation Testing (ACVT) program. A bold and visionary move that should increase the number of validated products, reduce the lag between vulnerability fix and validation, and reduce risks inherent with manual operations. This is all made possible with the new Automated Cryptographic Validation Protocol (ACVP) which provides the communications between product under test and the NIST test server.
The ACVT program is live and the NIST ACVT server is online. Industry is actively incorporating ACVP into products. Recently, Cisco successfully passed ACVT algorithm testing for one of its core cryptographic modules (validation # A4); thereby, formally validating the cryptography used to secure customer communications.
Network and system attacks by bad actors are frequently in the news. It is encouraging to know there is now an industry defined, independent 3rd party capability available and in-use to validate that the cryptography used to secure communications. +1 for the good guys.
Visit the Trust Center to learn more about Cisco’s commitment to trustworthiness, transparency, and accountability.
Additional references:
Industry Working Group on Automated Cryptographic Algorithm Validation
NIST: Security Testing, Validation and Measurement
Source:: Cisco Security Notice
By Steve Martino October is Cybersecurity Awareness Month, reminding us that cyber-attacks know no boundaries between work and home, so we need to be diligent about cyber hygiene across all environments. With the abundance of connected devices we all depend on, protecting your digital footprint is no longer optional. But where do you learn what to do?
People who work for larger corporations may receive cyber information and training from their employer. For instance, at Cisco every employee gets basic cyber training and increasingly advanced training based on your role; we even share educational materials on applying best practices at home. But not all businesses have the resources to dedicate to such training. And in the home, most people have limited cyber knowledge at best, and only pay attention if or when they become victims of an attack.
To get you started, here are a few tips that will help you to “own IT, protect IT and secure IT” to stay safe online.
Recognize we are experiencing radical change. With our busy lives, we take technology for granted. But it’s important to realize that technology is changing society faster than any other advance in human history. Adults need to get smart about the implications and actively discuss “today’s digital reality” with their children. Just as you teach a toddler to avoid a hot stove, teach them from an early age about safe online practices.
Ask questions. When you acquire a new connected device, stop and ask where it came from. Who connects with it and/or captures data from it? For what purpose do they collect the data and is that important to me? How do they care for the protection of your data and privacy? The more knowledgeable you become, the smarter your next questions will be.
Maintain your devices. Understand if the device you’re buying has software that will need updated and patched as vulnerabilities are found and fixed. If so, make sure that gets done. Just like not replacing expired batteries in a smoke alarm, using outdated unsecure software won’t keep you safe.
Secure and Protect Passwords. Make your passwords long and complex; change them regularly; don’t use the same password for multiple applications Change default password settings on new devices. We all know multiple passwords can get cumbersome and hard to remember, so use a reputable password manager to keep track for you. Many businesses and institutions provide Two-factor authentication (2FA) as an added step to protect your on-line identity and data. If it’s offered, use it.
Embrace technology, but be aware. If you were walking down a dark street in an unfamiliar city, you’d likely be more aware about who else is around you or may be following you. Treat the internet the same way. Being connected does not mean bad things will happen, but it pays to stay alert and understand best practices and how to apply them. For instance, don’t open email attachments if you’re not completely sure of the sender’s trustworthiness. Don’t click on emailed links that you haven’t asked for. “Stop, think before you click” to avoid the burden of what may come after a malicious attack.
Remember Data Privacy. While security and privacy are different, they’re definitely related. When you’re watching for online threats, also remember that nothing online is really ‘free‘ – you’re most likely giving up something (data) to get a “free service/app”. Ask – is the intrinsic value of the “free” thing worth it? When you download an app or sign up for a new service that collects your data, choose carefully what sharing you allow. And remember, when you put personal information online, it stays around for a long time and may come back to you in unexpected, and unwelcome, ways.
It’s time to bring cybersecurity into the greater social consciousness and constructive discussions about changing norms. As new capabilities keep coming to market faster, we should and can have the right social adaptation to embrace technology safely.
Additional Resources
Tips to help improve your cyber-hygiene (Infographic)
Trust.cisco.com
Source:: Cisco Security Notice
By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Sep. 27 to Oct 4. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU10042019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
Source:: Cisco Security Notice
By Vinny Parla Cisco has an amazing set of products like AMP for Endpoints and Cisco Umbrella protecting devices from advanced malware threats. There were other user and endpoint scenarios that remained unsolved until we introduced the new Cisco Endpoint Security Analytics (CESA) solution that was recently announced. CESA provides an unprecedented level of endpoint and user networking visibility built on Cisco AnyConnect Network Visibility Module (NVM) endpoint telemetry and Splunk Enterprise. Underlying the NVM technology is a protocol called nvzFlow (en-vizzy-flow) that I have blogged about in the past.
Why Did We Build CESA?
The CESA solution was originally developed by the Office of the Security CTO and then integrated into Cisco AnyConnect and Splunk products to solve a set of issues for Cisco InfoSec. Cisco InfoSec realized that getting all the endpoint visibility they needed to perform incident response was a challenge. There were also endpoint security blind spots as more Cisco employees were working off premise and connecting to both enterprise and cloud resources. They needed a way to collect and store a year of data for analysis of incidents while also getting information in real‑time to see what is happening in the network. You can read more about the Cisco InfoSec use case in their case study on CESA.
The Office of the Security CTO looks at current and future customer problems that are not being solved by existing technology and then come up with ideas on how to solve them. My fellow co-inventors, Andrew Zawadowskiy and Donovan O’Hara from the CTO Advanced Development team built the initial Proof of Concept and then worked on the final product release with the AnyConnect development team.
As we thought about ways to solve the problems Cisco InfoSec was facing, we wanted to do it in a way that built on standards technology so that not only could Cisco Stealtwatch and Cisco Tetration support it, but also provide an ecosystem for key partners to participate. This is why we chose to build on IPFIX. It is the perfect protocol to build the enhanced context found in nvzFlow. What do we mean by “Enhanced Context”?
The 5 key endpoint visibility categories conveyed by the protocol or “Enhanced Context” are:
User
Device
Application
Location
Destination
At the end of the blog will be a helpful table to show you details of the enhanced context that is provided.
Working with Great Partners like Splunk and Samsung
One of the key features of CESA is Splunk Enterprise, which performs the analytics and alerting on the NVM telemetry, turning it into actionable events. The new CESA Built on Splunk product, available exclusively from Cisco, provides a Splunk package customized and priced specifically for analyzing NVM telemetry. Cisco InfoSec has been using the CESA solution for over two years now. As noted earlier, you can read more about it in their Case Study.
Spunk Enterprise is a fantastic tool. It was really easy for us to take the Cisco AnyConnect NVM data and not only import it into Splunk, but to also quickly create a high value set of dashboards and reports from the data. There are two components in the Splunk store that make up the solution: Cisco AnyConnect Network Visibility Module (NVM) App for Splunk and Cisco NVM Technology Add-on for Splunk. Because NVM produces so much high value data, Splunk created a special per-endpoint license available exclusively from Cisco that makes budgeting predictable and saves you money. We also put together a helpful deployment guide to get you going.
Below is an example of the dozens of reports available in the AnyConnect NVM Splunk Dashboard.
As you can see the solution provides visibility into what applications are connecting to what domains and how much data is being transmitted/received.
From there, you can then drill down on the specific application and obtain finer grained details including the SHA256 hash of the process, the names of domains and IP addresses it connected to, what account it is running under, etc. Just click on the specific element and it will take you to an investigation page for that observable.
You can easily integrate your favorite investigation tools right into the Splunk Enterprise dashboards. For example, you can pivot from a DNS domain name observable into Cisco Umbrella, Talos Intelligence or Cisco Threat Response with just a couple lines of HTML. This will allow you to obtain a threat disposition on the domain.
Similarly, you can take the SHA256 hash observable and pivot right into AMP for Endpoints, ThreatGrid or Cisco Threat Response. This will allow you to obtain a threat disposition on the binary.
We’ve provided those integrations for you in the default dashboards. You can easily add more just by editing them to include your favorite tools. Let us know if there is anything else that would be useful in the default screens.
Samsung has been another excellent partner from the start. We have worked with them closely on their Knox program for a number of years with AnyConnect integrations and neat features like per-app VPN. When we explained to them what we wanted to do with Cisco AnyConnect NVM, they were excited to help and developed the Network Platform Analytics (NPA) framework to make it possible. It is the only framework available on mobile platforms to support Cisco AnyConnect NVM. The best part is that you can enable and provision this capability using your favorite Enterprise Mobility Management (EMM) solution – no special device-mode needed! Keep an eye out for a forthcoming quick‑start guide on this technology. NVM is also available on Windows, MacOS and Linux platforms.
Those are some of the high points of the CESA Built on Splunk solution. If you’d like to get into further technical details on the solution architecture and NVM telemetry itself, see my post on our Cisco Community Page.
Source:: Cisco Security Notice
By Sean Mason Sean Mason, Director of Cisco Incident Response Services andJeff Bollinger, Investigations Manager, Cisco Security Incident Response Team (CSIRT)
As security practitioners who continuously look for adversarial malice, one of the questions we are asked frequently is: What’s around the corner? Threat actors evolve over time, so how do we know not only what they’re doing now, but also what’s next? And if things are quiet and we’re not observing any incidents, does that mean that everything is under control? Or are adversaries simply retooling?
To help answer these tough questions, we have threat hunting. The objective of this ongoing exercise is to find and eliminate adversaries that have penetrated defenses and are yet to be detected. Essentially, it’s a shift in mentality. Instead of waiting to respond to an incident after it has triggered an alarm, we’re turning over some rocks to find things we don’t know yet.
As explained in Cisco’s recent report, “Hunting for Hidden Threats,” threat hunting is one more tool in the incident responder’s arsenal. It’s not a silver bullet. But — based on our own 30 years of combined experience mitigating threats, not to mention the whole of Cisco’s experience — we believe it’s an essential component of making security foundational.
How valuable to you is the ability to keep your organization’s data from being stolen or locked, or to keep your organization’s name out of the headlines for a breach? If you can stop even one attack successfully, then all the time and money you’ve invested into threat hunting is worth its weight in gold.
Benefits of threat hunting
Although the ultimate objective is to get ahead of adversaries by finding and expelling them before they cause damage, threat hunting has many other benefits, some of which are:
Improving security operations: While threat hunting itself can sometimes be arduous, you can use it to improve efficiencies in other areas. Once you develop techniques and ways of discovering malicious activity, commoditize and operationalize that by creating playbooks as well as automating some of your day-to-day incident response. At Cisco, for example, our incident response team has more than 400 unique playbooks, many of them informed by our threat hunting activities. We use these plays regularly to look for suspicious activity and to free up analysts‘ time.
Understanding your environment: Let’s say you’re a new CISO who needs to get a better picture of what’s going on in your network. A threat hunt, or a compromise assessment, is a good way to understand what you’ve inherited and have signed up to defend. The end result is concrete evidence that you can take to your leadership and ensure you have adequate resources to secure the organization. The hunt can prove that the threats are not just theoretical and are actually lurking inside your ecosystem.
Hardening the environment: From a day-to-day perspective, identifying gaps in security gives you the opportunity to remediate and fix larger problems. As you’re doing hunts, you’ll inevitably discover weaknesses that threat actors can exploit. Apply the knowledge you’ve gained through threat hunting to proactively improve tooling and strengthen the overall security posture.
What it takes to be successful
There are many components to a successful threat hunting program, but the ones that we can’t stress enough include access to the data, a diverse team, and the right mindset.
The importance of high-quality data is obvious, but you may be surprised how big a challenge access can be. We commonly find a lack of necessary data during threat hunts for our customers — and even in our own environment.
Instead of treating a data-access problem like a dead end, think outside the box. Can you look at things differently? Can you use a different set of network logs? And just as important, turn this into an opportunity to improve the outcome next time and go the extra mile to collaborate with those teams that can give you better data.
Which brings us to the people component. There are two aspects to it, and one is the importance of building relationships across teams. Especially those impacted by your security activities, such as the network admins and developers. The other side is the people on the hunting team. Success requires diversity of thought. Include individuals who can think creatively and look at the world a little differently, rather than only thinking in ones and zeroes. We find threat hunters from a variety of backgrounds — even nontechnical.
This also helps you hunt with the right mindset. It’s hard to be objective when you’re living and breathing your security environment day in and day out, especially if you’ve architected it. Taking a step back and asking what you may be missing is not easy. A diverse team that both designs and executes the hunt gives you new perspectives.
Jumping in
Besides the right people, you need the right technology and processes. You may already have a basic foundation you can build on — chances are, you’ve been doing threat hunting without even knowing it. If you’ve ever investigated attacks to try to understand what happened, you’ve been answering some of the same questions and following some of the same steps that hunters do.
A deliberate program, however, does take time to develop. Start with small steps and easy, tactical data sources, then build from there. Don’t make the mistake of throwing a bunch of data sources in at once, or you’ll run into challenges. You don’t even need complicated tools to get off the ground, because you can discover malicious behavior with OS event logs or logs your sysadmin keeps for troubleshooting purposes.
One final thought. There’s a misconception that only larger organizations can implement a threat hunting program. In reality, threat actors don’t concern themselves with size and are looking for easy targets — smaller organizations can benefit just as much, if not more, from getting ahead of these threats. If you don’t have in-house resources, outsource to an expert consultant. And if you already have an outside IR team on retainer, start the conversation about what it would take to proactively look for adversaries.
Want to learn more about establishing a threat hunting program? Download the recent Cisco Cybersecurity Series report, “Hunting for Hidden Threats: Incorporating Threat Hunting Into Your Security Program.”
Source:: Cisco Security Notice
By Edna Conway In our increasingly digital world, technological innovation not only presents new opportunities, but also raises new risks and challenges that must be addressed collaboratively by industry, buyers, users, and policymakers. Specifically, digitization demands that risk be addressed across a dramatically expanding supply chain. These risks include the security threats of manipulation, espionage and disruption of information and information systems and services.
Empirical reports reveal that the third party ecosystem remains a fundamental risk to the integrity of our information systems. For example, analysis of the last nine consecutive years of Verizon’s global Data Breach Investigation Reports illustrates that where breaches can be attributed, 73% arise from the third party ecosystem. Moreover, not only are we increasing the volume of third parties in our information systems supply chains, we continue to invite third parties into our security inner sanctums – our security enforcing technology. Cisco’s 2018 Annual Cybersecurity Report revealed that 79% of global enterprises and governments rely on at least 20 third party security vendors.
The message is clear: the cyber supply chain and its related third party risk must be addressed. These security risks must be tackled comprehensively across all stages of the supply chain, including design, software development, manufacturing and sustainment. In parallel, our procurement practices, policies and certification and validation schemas should also seek to mitigate the impact of this third party risk. Public-private partnership brings civilian, government and defense agencies together with private industry to develop meaningful recommendations to effectively mitigate third party risk. NATO has recognized and is actively addressing this challenge in coordination with its member nations.
I will tackle this very challenge in my upcoming keynote, “The Trolls Under the Bridge: Who & What Lurks in Your Supply Chain?” at NATO’s NIAS19 Conference in Mons, Belgium in October https://nias19.com. I will share views on a path forward to meaningfully reduce risk across the increasingly broad and deep third party ecosystem upon which governments and enterprises around the world rely. I look forward to sharing the perspective that we simply must drive what I refer to as Pervasive Security. Pervasive Security designed to deploy a layered approach balancing physical security, operational security, behavioral security, information security and security technology across the cyber supply chain based on risk prioritization.
My discussion will build on NATO’s 2017 Technical and Implementation Directive on Supply Chain Security for COTS CIS Security Enforcing Products. And, I will showcase a practical framework to identify, prioritize and mitigate the impacts of tainted and counterfeit information systems technology across the supply chain and its third party members.
One of NIAS19’s key themes is “supply chain security challenges”. Specifically to answer that challenge, I will discuss tested, practical methods to address those challenges. After all, risk travels up and down the supply chain. Approaching supply chain security comprehensively is key to ensuring successful risk management. Fundamental steps to comprehensive security require that all supply chains:
1. Identify areas of potential impact, for example:
Risks to continuity of supply of third party provided software, services, components and raw materials
Natural disasters
Geopolitical and economic disruption
Workforce instability
Financial volatility
Weak infrastructure security
Insufficient end-user risk awareness
2. Prioritize risk by both likelihood of occurrence and severity of impact
3. Establish criteria for mitigating security threats and reducing the impact of incidents
4. Collaborate with industry and government on policy, regulations and directives.
October is Cybersecurity Awareness Month! Join the conversation, as all of us are part of the global supply chain. For additional insight on this challenge visit Cisco’s Value Chain Security Capability.
Source:: Cisco Security Notice
By Amanda Rogerson This blog series will highlight exciting new developments and integrations between solutions within the Cisco Security portfolio with our acquisition of Duo Security. These posts will cover details about the problems that are being solved by these integrations with links to helpful technical documentation if you are interested in seeing for yourself the benefits that are provided. If you would like further information on how you can improve your security posture by leveraging these integrations, please contact our sales team.
Zero trust is a comprehensive security approach that secures access by your users, devices, applications and networks. This approach to security helps organizations implement practices that establish trust in the users and devices accessing sensitive applications and network resources, helping to prevent unauthorized access and reducing the risk of an attacker’s lateral movement through the network.
To protect the workforce, a zero trust security approach ensures only the right users and secure devices can access applications. And for the workplace, it secures all user and device connections across the network, including IoT. The integrations provided between Duo Security and Cisco’s Identity Services Engine (ISE) provide zero trust application and network access controls you need for the workforce and workplace.
Use Case 1: Zero trust remote access
ISE and the AnyConnect Secure Mobility Client empowers your mobile workforce with secure Virtual Private Network (VPN) access to the workplace. By integrating with Duo, you gain enhanced device visibility and multi-factor authentication (MFA) and establishing device trust.
Problem Solved: Customers who want to implement additional verification of the user when providing access to their corporate network via VPN. The motivators behind this requirement are:
VPN access provides end users with access to the entire network, many environments do not have the network segmentation robust policy to provide access to only the resources users need. Next best step for protection is to implement MFA to achieve higher level of confidence the user is who they say they are.
Credential compromise is still one of the biggest reasons customers get breached
Compliance (HIPAA, PCI-DSS etc.)
Solution: You can enhance remote access security with Duo Security, Cisco ISE, and the AnyConnect Secure Mobility Client. It’s easy to add multi-factor authentication to VPN access so that you can verify the trust in remote users. Here’s how:
Cisco AnyConnect Client + Cisco ASA utilizes Cisco ISE for Access Control. Customers add the Duo Authentication Proxy as a 2nd authentication source in the Cisco ISE. Upon AnyConnect login users are prompted for 2FA from Duo.
Use Case 2: Zero trust network administration.
ISE controls network administrator access to critical network infrastructure equipment like switches and routers with the added security layer of Duo’s multi-factor authentication to mitigate the risks of unauthorized access which could result in intentional misconfigurations that cause severe network outages.
Problem Solved: Most customers have network devices (Routers, Switches etc) in their environments which require access to manage and configure. Many of these network devices utilize a Cisco protocol called TACACS+ to authenticate and authorize end user admin access to the network device. Customers want to enable MFA for admin access to these network devices.
Solution: With the Duo MFA Integration with ISE for TACACS+ Device Administration with Microsoft Active Directory Users customers can protect admin access to network devices which utilize the TACACS+ protocol for primary authentication to ISE and 2FA with Duo by utilizing the Duo Authentication Proxy.
Stay tuned for more integration stories and use cases. You can learn more about Cisco Zero Trust here, and if you want to see the powerful security controls that Duo offers you can sign-up for a free trial at sign-up.duo.com .
Source:: Cisco Security Notice
By Jeff Reed There are many aspects to securing an endpoint beyond finding the malware on it. What do you know about the behavior of your endpoints? Can you track anomalous traffic? Can you tell what the applications and other software processes are up to? What is happening when the device is off the corporate network? Has a user or device evaded endpoint security measures? With insight to such issues, you can generate visibility that not only follows endpoints on and off network, but also finds threats often not addressed by anti-malware solutions.
With this in mind, Cisco has created a solution unlike anything available in the industry today — Cisco Endpoint Security Analytics (CESA) Built on Splunk. This new solution brings together the unparalleled endpoint behavioral visibility of Cisco’s AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform. The result is an added layer of deep endpoint visibility that transforms endpoint-centric data into insights to proactively detect and mitigate network threats.
If you already use AnyConnect NVM, you know it creates a lot of detailed, endpoint-specific data. But by building and productizing CESA on top of Splunk, we’ve paired that data with an equally comprehensive and cost-effective analytics tool. CESA addresses endpoint security use cases such as:
Unapproved applications and SaaS visibility
Endpoint security evasion
Attribution of user to device to application to traffic and destination
Zero-trust monitoring
Data loss detection
Day-zero malware and threat hunting
Asset inventory
The behavioral data produced by NVM complements anti-malware agents like Cisco Advanced Malware Protection (AMP) for Endpoints that primarily focus on file analysis to detect malware on endpoints, which identifies known issues. But because CESA analyzes user and device behavior and identifies changes and anomalies, it enables threat hunters and analysts to discover malicious or suspicious endpoint activity, often without an additional endpoint agent. Where antivirus and other endpoint solutions would miss these threats, CESA provides early detection that increases security posture. CESA endpoint analytics also complements the broad network visbility provided by Cisco Stealthwatch by following endpoints on and off network, as well as enabling deep endpoint insight into down to the user account, device details and network interface levels of the endpoint. Together CESA and Stealthwatch cover every aspect of network and endpoint behavior leaving no blind spot unchecked.
How we address endpoint blindness
Even as security products continue to integrate, endpoint blindness is a persistent problem. Information security (infosec) teams need to know more about what is happening on the endpoints to anticipate where attacks are more likely to occur.
By leveraging the NVM telemetry that endpoints provide, we gain a better understanding of users‘ network behaviors and where threats are going to happen. These insights can raise potential red flags like:
Are my endpoints suddenly communicating with domains we’ve not seen in our environment before?
Has a user changed behavior suddenly, using applications and visiting hosts they don’t usually access?
Does an endpoint have unusual traffic patterns? Is it uploading or downloading more than usual? Is someone hoarding or exfiltrating data?
Are any machines using unapproved applications or SaaS services?
Has security been disabled on an endpoint?
Which endpoints have known bad files or applications?
What are my users doing when they are not connected to my network?
Which devices and operating systems are in use in my endpoint environment?
Who is using each device and what are they doing with it?
It’s important to note that CESA is integrated into the Cisco Security infrastructure. CESA works together with network visibility from Cisco Stealthwatch and endpoint control from Cisco AMP for Endpoints. Additionally, Cisco Identity Services Engine (ISE) is used to quarantine users when identified as suspicious. These integrations serve to further increase the security posture of the network.
Cisco’s CSIRT team uses CESA
Many of our case studies come from our partners and customers, but this time our Cisco infosec team put together a case study as they leveraged CESA within the Cisco organization. They used the solution to collect and analyze the data generated by NVM across approximately 96,000 endpoints, and extract context such as user, device, application, location, and destination. The analysis of this data, from when the user is both on- and off-prem, helped Cisco infosec reduce incident investigation time from days to hours, while filling gaps in endpoint visibility.
“Splunk makes accessing the data from NVM, writing queries, and analyzing the data very easy,” said Cisco CSIRT’s Imran Islam.
Before CESA, the infosec team would struggle to determine which user is associated with what machine. And drilling down further was difficult if not impossible – from identifying machine to traffic; from traffic to the application or software process producing it; and then the traffic’s destination, whether inbound or outbound. It was reported by the Cisco infosec team that 80% of CESA use cases could not have been addressed by other technology.
Partnering to create a more secure network
At Cisco, we’re leading the industry in multi-vendor partnering solutions because we understand that collaboration is key to our customers having effective and efficient security across their networks — from endpoint to data center and cloud to campus. In fact, the Internet Engineering Task Force (IETF) recently standardized the XMPP-Grid security data exchange framework – based on Cisco Platform Exchange Grid (pxGrid) – which enables seamless collaboration and the sharing of information between security platforms from multiple vendors.
While no one product can achieve absolute security, no security solution exists in complete isolation. As security products become more interconnected, share context for threats, and participate in incident response, the risk of data breaches and security incidents is increasingly mitigated. This is why we believe in working so closely with our partners like Splunk through the Cisco Security Technical Alliance to integrate solutions that protect against emerging threats and improve customer security.
Splunk’s analytics-driven security solutions continue to serve as a perfect complement to Cisco Security. And we’re excited to see CESA deliver endpoint visibility and advanced threat detection for our customers. Cisco AnyConnect (Cisco’s VPN Client) is already deployed by over 150 million endpoints, and many customers are already running the Splunk console, which makes CESA a simple addition that will bring immense value for infosec’s ability to anticipate and stop endpoint threats before they manifest on the network.
If you don’t yet have these products, learn more about CESA and how you can add Cisco AnyConnect NVM and Splunk here. Stay tuned in the coming weeks for added CESA integration with Cisco Umbrella to enable enforcement at the domain level.
You can learn more about how Cisco infosec utilized CESA in this case study.
Want to get started with CESA today? If you already have Splunk and AnyConnect, download and install the Cisco AnyConnect NVM App for Splunk from Splunkbase to create dashboards. Then, download and install the Cisco NVM Technology Add-On for Splunk from Splunkbase to bring NVM data into Splunk. Finally, turn on NVM telemetry in your AnyConnect environment as outlined in these tech docs.
Finally, be sure to follow me on Twitter and LinkedIn for the latest announcements from Cisco Security.
Source:: Cisco Security Notice
By John N. Stewart October is Cybersecurity Awareness Month and for me, it’s a time to reflect on where we’ve been and how far we’ve come, study the trends and challenges we face today, and look ahead to the next generation of opportunities facing not only the security community, but society at large.
In my more than 30 years in the security industry, it’s been interesting to see how technology has evolved and changed the world. Security started off as a ‘systems‘ conversation. Now, technology touches everyone’s lives, and as a result, cybersecurity affects us all – individuals, businesses, cities, countries, our global community.
From Use to Reliance
During our lifetimes, we’ve shifted from using technology to, in very subtle ways, becoming reliant on it. Whether we realize it or not, these subtleties have made us dependent on technology. The notion of ‘always on‘ access to data is highly disruptive to us when we don’t have it. Take maps for example: using a printed map is foreign to us today, and when the maps on our devices don’t work, we’re lost, literally.
When technology is unavailable, in many respects we feel ‘out of the loop‘ and behind in knowing what’s going on. There’s a lagging indicator that says, ‘Now that we have access to current information, we always expect this level of connectivity – we depend on it.‘ That reliance makes securing the data and the systems that deliver it to us that much more vital.
A Confluence of Change – All in Three Years
Since 2017, three major transitions have occurred that illustrate how complicated cybersecurity has become for us all globally. These transitions have caused security professionals to feel the pressure and scrutiny from a number of organizations that have upped their games. They’re having to catch up to a confluence of changes, all occurring at the same time:
1. Technology
Prior to 2017, IT predominantly built and ran an organization’s technology infrastructure, spending on security and hoping it works, relying on best-of-breed products, and managing it all reactively.
We all needed cybersecurity, but how could we net the best results – the greatest level of efficacy – from the solutions we purchased? Exactly how much value are we getting when spending on a solution? Is it all integrated as a best strategy or are we simply buying technology from the leading brand name or best advertised?
Today, leading IT teams build, buy and run security, use a ‘best-of-integrated‘ architecture approach and emphasize visibility, controls, measures and proactive approaches to security that drive efficacy and value.
2. Laws, Regulations, and Customer Requirements
This transition shows the increasing influence that laws, regulations and customer requirements have on a technology or service provider to its clients, and in turn, to their customers, citizens, colleagues, families and friends.
The formalization of laws and regulations – from the EU-NIS Directive to GDPR to the Australian Government Protective Security Policy Framework to the California Consumer Privacy Act, to name a few – have driven greater scrutiny and reform. It’s accelerated substantially in a short period of time, from ‘do-it-yourself‘ disharmonious regulations and rule, to a set of country, inter-country and international use standards.
Now corporate and government leaders across the international community are being held accountable. This transition from varying self-rule and self-regulation to accountability, breach reporting and disclosure highlights the implications of mishandling data and privacy through significant fines and executive firings.
In many respects, it’s been a long time coming. What’s interesting is that now that it’s here, it’s caught many off-guard – and it’s by no means slowing down.
3. Internal Oversight
When I started in InfoSec, security was mainly an engineering or computer science discipline. The security team was often avoided so that they couldn’t suppress innovation because of security concerns. The business was self-governing with inconsistent levels of oversight.
Today, internal reporting to and oversight by executive leadership, the CEO, the board of directors and shareholders are becoming standard practice to ensure proper governance. In part, it is a response to the regulatory landscape and the need for higher levels of accountability and oversight from within. It’s also based on the criticality of technology moving from something we use to something we rely on to deliver a service.
All three of these transitions came to the fore in a very short period of time to know how to effectively react, govern and solve for it. By the way, we’re all going through this and determining our own strategies to face the challenges, net the value they deliver, and understand how to be safe and secure in and around it all.
Our Future Demands
Today, there are about 4 billion internet users globally – all told about 10X of what it was in 2000. We’re in a world where everything is being connected and generating data. This will have significant impact on the next few years in particular and even more substantially into the future.
By next year, there will be about 200 billion devices ‘on air,‘ which includes cars, telemetry in cities, sensors and a multitude of other connected devices. Two-hundred billion is almost an ephemeral number, but it’s not to be underestimated because the number of vendors creating IoT-connected technology is growing probably 3-4X every year than the prior year. That’s a trend that I don’t see slowing down any time soon.
By 2021, cybercrime is estimated to be a $6 trillion industry – a very profitable industry, though I don’t recommend it as a career choice. It does illustrate the depth and breadth of the challenge – that it’s an international and global issue that we all have to work together to solve because it’s something that we all face.
Raising the Bar for a More Secure Future
Governments and businesses globally are raising the bar to meet the challenge around product assurance, cloud assurance, IoT, lawful intercept, data protection, privacy and the like. Some 30-odd countries are writing or revising their cybersecurity strategies and each can have profound implications on how data is shared and how systems are built.
So, during Cybersecurity Awareness Month, consider what you can do to make the world more safe and secure, and take action. What can you do as individuals? How are you protecting yourself online and helping your business, colleagues, friends and family to do the same? Each individual act, when taken together, can move us all to a more secure future.
We’re not looking for headlines that show ‘good‘ or ‘bad.‘ We need trend lines that show that what we’re doing collectively is moving us all towards lower risk. As long as the trend line is going in the right direction, we’re doing what we need to do – and we must all do our part.
For governments, companies and individuals alike, Cisco’s Cybersecurity Awareness Month site offers events, activities and educational content, and ways to get involved. The Cisco Trust Center also offers resources to help you with security, data protection and privacy. Both feature links to security reports, videos, threat intelligence, thought leadership and more that will keep you informed.
Source:: Cisco Security Notice
