
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdaySecurity – Cisco Blog

Accelerate XDR Outcomes with NDR and EDR

By Hanna Jabbour

Cybersecurity attacks complication and damaging impact are always keeping SOC analyst at their edge. Extended Detection and Response (XDR) solutions tend to simplify for Sam, a SOC analyst, his job by simplifying the workflow and process that involve the lifecycle of a threat investigation from detection to response. In this post we will explore how SecureX, Secure Cloud Analytics (NDR), Secure Endpoint (EDR) with their seamless integration accelerate the ability to achieve XDR outcomes. 

Meaningful incidents  

One of the first challenges for Sam is alert fatigue. With the overwhelming number of alerts coming from multiple sources and the lack of relevance or correlation, decreases the value of these alerts to the point that they become as meaningless as having none. To counter this effect, Cisco Secure Cloud Analytics and Cisco Secure Endpoint limit alert promotion to SecureX to only include high fidelity alerts with critical severity and marking them as High Impact incidents within SecureX Incident manager.

Figure 1

This capability reduces the noise coming from the source, while keeping the other alerts available for investigation, putting impactful incidents at the top of Sam’s to do list. Now, Sam is confident that his time is spent in a prioritized manner and helps ensure he is tackling the most important threats first. Automatic incident provisioning accelerates incident response by bringing focus on the most impactful incidents.

Valuable enrichment

Understanding the mechanics and data around a specific incident is a key factor for Remi, an incident responder, in his day-to-day work. Achieving his tasks accurately is tightly coupled with his ability to scope and understand the impact of an incident and to gather all possible data from the environment which can be associated with an incident including devices, users, files hashes, email ids, domains IPs and others. SecureX Incident Manager’s automatic enrichment capability completes this data collection for high impact incidents automatically. The data is then classified into targets, observables, and indicators and added to the incident to help the analyst better understand the incident’s scope and potential impact.

Figure 2

The Incident Manager and automatic enrichment provides Remi with crucial information such as the associated MITRE Tactics and Techniques applied during this incident, the contributing threat vectors, and security solutions. In addition, the Incident Manager aggregates events from multiple sources into the same high impact incident that the enrichment was triggered on future providing Remi with more vital context.

Figure 3

This automatic enrichment for high impact incidents is essential to Remi’s understanding as much as possible about an incident as it occurs and significantly accelerates him identifying the proper response for the threat.  This brings us to the next step in our incident detection to response workflow.

Faster response and investigations

It is important for an XDR to correlate the right information for the Security Analyst and incident responder to understand an attack but it is equally important to provide an effective response mechanism. This is exactly what SecureX provides with the ability to apply a response to an observable with a simple a single click or through automation.

These workflows can be invoked to block a domain, IP or URL across a full environment with a simple click, leveraging existing integrations such as firewalls or umbrella and others. Workflows can be made available to the threat response pivot menu where they are useful for performing specific host specific actions, such as isolate a host, take a host snapshot, and more.

In addition to response workflows, the pivot menu provides the ability to leverage Secure Cloud Analytics (SCA) telemetry by generating a case book linking back to telemetry searches within SCA.  This automation is critical to understanding the spread of a threat across an environment. A good example on this, is identifying all hosts communicating to a command-and-control destination before this destination was identified as malicious.  This is a pre-existing SecureX workflow which can be taken advantage of today see workflow 0005 – SCA – Generate Case book with Flow Links.

Automating responses

Reducing time to remediation is a key aspect of keeping a business secure, SecureX orchestration automates responses with various solutions specially with NDR detections from SCA and use observables from these alerts to isolate hosts leveraging Secure Endpoint.  SCA can send alerts via Webhooks and SecureX Orchestration receive them as triggers to launch an NDR- EDR workflow to isolate hosts automatically. (0014-SCA-Isolate endpoints from alerts)

This orchestration workflow automatically isolates rogue devices in a network or contain confirmed threat alerts received from Cisco’s Machine learning threat detection cloud and can be used for multiple different response scenarios.

The power of automation brought by SecureX, Secure Cloud Analytics and Secure Endpoint accelerates XDR outcomes drastically which simplifies Security Analyst (Sam) and Incident Responder (Remi) jobs and make it more efficient with accurate incident prioritization, automatic investigation/enrichment and most importantly automating responses.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Get Ready: Top Security Trends For 2023 That You Need To Know About

By Richard Archdeacon

We recently had the chance to discuss the top trend predictions for 2023, issued by Gartner®, and what these may mean for CISOs. The trends are below:

  1. Consumer privacy rights will cover 5 billion citizens and more than 70% of global GDP.
  2. Most enterprises will adopt a strategy to unify web, cloud services and private application access from a single vendor’s SSE platform.
  3. 60% of organizations will embrace zero trust as a starting point for security by 2025. More than half will fail to realize the benefits.
  4. By 2025, 60% of organizations will use cybersecurity risk as a primary determinant in conducting third-party transactions and business engagements.
  5. Through 2025, 30% of nation-states will pass legislation that regulates ransomware payments, fines and negotiations.
  6. By 2025, threat actors will have weaponized operational technology environments successfully to cause human casualties.
  7. By 2025, 70% of CEOs will mandate a culture of organizational resilience to survive.
  8. By 2026, 50% of C-level executives will have performance requirements related to risk built into their employment contracts.

These showed several themes: internal pressures, external changes and solution adoption.

CISOs need to be aware of the pressures that may come from inside the business.  C Level executives having risk related elements in their employment contracts (8) may result in a higher focus on Risk management. This may benefit CISOs to position cyber security as part of the Risk calculation and perhaps unlock more support for risk reduction initiatives.

Aligned is the concept of a culture of organisational resilience being mandated by CEOs (7).  CISOs now talk about culture change in cyber security, making business colleagues identify as part of the overall security of the organisation.  This may now include resilience.  Again, this may provide a vehicle for change for CISOs.

Risk as a factor when assessing whether to do business with third parties (4) will highlight the third-party dependency issues that now concern CISOs.  The perimeter is now long gone; security extends beyond the organisational remit of the CISO.  The ability to understand and collaborate with third party security will become n increasing requirement. There is a downside for CISOs.  Many are already burdened with the need to report on compliance and audits. This may increase as requests come in from business partners, current and potential, on the organisation’s cyber security posture.

Related to compliance and reporting is the issue of Privacy. It is predicted the consumer privacy will increase to cover most countries (1). This may require additional focus on the extent and scope to which Privacy is reported. Many CISOs address this already due to requirements such as GDPR. This may provide a strong basis to move forward. CISOs have seen Privacy as a positive.  “Do you really need that data?” is a question often asked. Organisations can reduce the amount of unwanted data stored and needing security.

Responding to attacks and the relentless change in tactics is an additional trend.  Payments for ransomware is contentious.  From the morale, legal and practical aspects of making payments. If this becomes regulated (5) it may provide a clearer basis for decision making.   Perhaps it may provide a for of deterrent for attacks.  If the victim cannot pay why attack them? Perhaps this is just wishful thinking. On the negative side attackers may increase the capability of their tools in the operational technology environment with extreme impact (6).  A current area of concern for CISOs that may increase in focus.

On a positive side a majority of organisation will adopt zero trust as a starting point for their security (3).  However, many will not gain the benefits.  CISOs are now increasing addressing the organisational and cultural change required to make Zero Trust succeed and realising it is not just about the technology.  There are clear benefits that have been identified in Cisco research papers1. CISOs are looking to introduce new consolidated technologies in web, cloud services and private application access (3). This may reduce tech debt, enable smoother operational management, centralised policy control and better reporting.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Preparing for 2023 and what lies in store for Endpoint Security

By Pat Correia

A new year is almost upon us and as we look back on our accomplishments in 2022, we also look forward to helping our customers become more security resilient and be better prepared for 2023. As part of this forward-looking process, and with the help of Gartner Peer Insights, we surveyed 100 Security and IT professionals to understand their level of security maturity and obtain their perspective on the future.

The results of the survey, called “Gartner Peer Insights – Future of Endpoint Security” can be found here in Infographic form.

Key insights from the Survey:

  • Many organizations are employing EDR and XDR capabilities, but few have reached full maturity.
  • Organizations are looking for integrated platforms that support hybrid workforces while simplifying vendor management.
  • In anticipation of the ever-increasing threat landscape, organizations are looking to highly integrated and automated endpoint security solutions.
  • Organizations want future-proof endpoint security solutions that bolster their security resilience.

Insight Example

Regarding the first key insight, approximately two-thirds of the organizations surveyed have implemented EDR and XDR capabilities. These two capabilities are critical to detecting and eliminating threats, either before a breach has occurred or before a breach has had an opportunity to create damage.

Figure 1: Deployed endpoint security capabilities

Insight Example

Another key insight is related to endpoint vendor selection. In the survey, it’s noted that the top criterion organizations are looking for when selecting an endpoint security solution is the ability to support a hybrid workforce. This isn’t surprising given the events that have occurred over the last few years and the mix of remote workers expanding to working from home. Many organizations feel that the hybrid workforce is here to stay, in varying levels of remote workforce vs. on-premises workforce. The obvious implications directly related to the endpoint solutions are flexibility (e.g., deployment options), scalability, efficacy, resilience, and manageability, as a few examples.

Endpoint Security
Figure 2: Top Motivations when considering endpoint security


The survey infographic provides much more insights than these two examples. The good news is that Cisco Secure Endpoint meets the challenges ahead for 2023 and beyond. If you haven’t researched Secure Endpoint lately, go here to see What’s New.

To find out more insights from the 100 Security and IT professionals we surveyed, please read the “Gartner Peer Insights – Future of Endpoint Security” survey.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Explorations in the spam folder–Holiday Edition

By Ben Nahorney

Watch ThreatWise TV: Explorations in the spam folder

The spam folder: that dark and disregarded corner of every email account, full of too-good-to-be-true offers, unexpected shipments, and supposedly free giveaways.

You’re right to ignore this folder; few good things come from exploring it. But every once in a while one of these misleading, and sometimes malicious, emails manages to evade the filters that normally siphon them off, landing them in your inbox instead.

Fortunately, it’s easy enough to spot these emails if you know what to look for. We’ve investigated this folder once before, showcasing a variety of scams. With the holiday season in full swing, we thought this would be a good time to revisit how scammers are trying to trick unsuspecting users.

The holiday season is traditionally a time when this type of activity increases, and this year is no different. According to research published by credit reporting agency TransUnion, the average daily number of suspected digital fraud attempts was up 82 percent globally between Thanksgiving and Cyber Monday (Nov 24–Nov 28) compared to the rest of the year (Jan 1–Nov 23) and 127 percent higher for transactions originating in the US.

This level of activity makes it all the more important to be aware of these scams. With that in mind, let’s dive into the spam folder to get a picture of the types of campaigns currently circulating.

A word of caution

While much of the spam circulating is innocuous, many emails are phishing attempts, and some are indeed malicious. To explore these scams, we used a dedicated computer, segmented from the rest of the network, and leveraged Cisco Secure Malware Analytics to safely open the emails before clicking on links or opening attachments. The point being, we do not recommend doing this at home.

10 questions for an amazing gift

By far, the largest category of spam we saw were surveys scams. According to these emails, if you fill out a simple survey you’ll receive “exclusive offers” such as gift cards, smartphones, smart watches, power drills, or even pots and pans.

Image 1 – Survey scam emails

There are even some campaigns that specifically target the holiday shopping season.

Image 2 – Holiday-themed survey scams

Clicking the links in these emails takes the recipient to sites where they are asked to fill out a survey.

Image 3 – Survey landing pages

These pages often include fake testimonials that say how easy the survey is and what they did with their free gift.

Image 4 – Fake testimonials

The surveys are straightforward, comprising 10-20 simple questions that cover demographic information and shopping habits.

Image 5 – Survey questions

After the survey is completed, these sites offer the choice of a handful of rewards. All the recipient must do is pay for shipping. They are then brought to a page where they can fill out shipping and payment information, and the reward is supposedly shipped.

Image 6 – Steps to receive a “special deal”

However, the attempts to make payment often appear to fail, or the recipient is informed that the prize is no longer available.

Image 7 – Failed attempts to claim rewards

An unsuspecting user may simply give up at this point, disappointed that they won’t be getting their free gift. What they may not be aware of, is that they have just given their credit card details away in a phishing scam.

In their 2021 Internet Crime Report, the Internet Crime Complaint Center (IC3) said that Non-Payment / Non-Delivery scams such as these led to more than $337 million in losses, up from $265 million in 2020. Credit card fraud amounted to $172 million in 2021 and has been climbing continuously at a conservative rate of 15-20 percent since 2019.

According to Cisco Umbrella, many of the sites asking for credit card details are known phishing sites, or worse, host malware.

Image 8 – Malicious domain hosting survey scams

Your package is in route

Another topic that we covered the last time we explored these types of scams was package delivery spam. These continue to circulate today. There are a variety of shipping companies impersonated in these campaigns, and some generic ones as well.

Image 9 – Package scam emails

Many of these campaigns claim that a package could not be delivered. If the recipient clicks on a link in an email, they’re brought to a web page that explains that there are outstanding delivery fees that need to be paid.

Image 10 – Steps in package delivery phishing scam

The recipient is further enticed by suggestions that the package contains a big-ticket item, such as an iPhone or iPad Pro. All the recipient is required to do is enter their credit card details to cover the shipping.

Image 11 – Credit card entry steps in package delivery phishing scam

While no outright malicious activity was detected while examining these emails in Secure Malware Analytics, several suspicious behaviors were flagged. Chances are the bad actors behind these campaigns are phishing for credit card details.

Image 12 – Indications of phishing activity

Plain-text messages

Sometimes the simplest approaches can work just as well as the flashiest. This certainly holds true with spam campaigns, given the prominence of plain-text messages.

Image 13 – Plain-text spam email examples

The topics covered in such emails run the gamut, including medical cures, 419 scams, romance and dating, pharmaceuticals, weight loss, and many of the scam types we’ve already covered. Many of these link to phishing sites, though some attempt to establish a dialog with the recipient, tricking them into sending the scammers money.

The IC3 report says that victims of confidence fraud and romance scams lost $956 million collectively, which is up from $600 million in 2020. Healthcare fraud, such as the miracle pills and prescriptions scams, resulted in $7 million in losses in 2021, but nearly $30 million in 2020.  While these types of scams seem generic and easily spotted, they still work, and so it’s important to be aware and avoid them.

Problems with your account

Many emails hitting the spam box attempt to trick users of various services into believing that there is a problem with their account. The problems cover all sorts of services, including streaming platforms, email providers, antivirus subscriptions, and even public records.

Image 14 – Emails indicating problems with an account

If the links are clicked, the recipient is presented with landing pages that mimic the respective services. Any details that are entered will likely be phished, leading to account takeover and/or access to personal records. However, some domains encountered in these cases may do more than just steal information, they could deliver malware too.

Image 15 – Likely malicious activity

Billing scams

Another frequently encountered scam surrounds billing. Many of these appear to be unexpected bills for services the recipient never purchased.

Image 16 – Billing scam examples

These emails include attachments that are designed to look like official invoices. Interestingly, most of the attachments that we looked at this time were harmless. The goal is to get the recipient to call what appears to be a toll-free number.

Image 17 – Billing scam attachments

While we haven’t called any of these numbers, the experience usually unfolds like a standard customer service call. In the end the “agents” simply claim the charges—which never existed in the first place—have been removed. Meanwhile the scammers steal any personal or financial information provided during the call.

Malicious billing scams

While most billing scams we encountered played out as described above, a few did indeed contain malware.

In this example, the email appears to come from an internet service provider, informing us that our monthly bill is ready.

Image 18 – A malicious billing scam email

An invoice appears to be attached, stored within a .zip file. If the recipient opens it and double clicks the file within, a command prompt appears.

Image 19 – Command prompt launched by attachment

This may seem unusual to the recipient, especially since no invoice appears, but by this point it’s too late. The file contains a script that launches PowerShell and attempts to download a remote file.

Image 20 – Contents of batch file

While the remote file was no longer available at the time of analysis, there is a high likelihood it was malicious. But even though we were unable to determine its contents, Secure Malware Analytics flagged the script execution as malicious.

Image 21 – Script launching PowerShell to download further files

Defending yourself

Knowing about prevalent scams, especially during the holiday season, is a first step in guarding against them. Granted the bad actors who distribute these spam campaigns do everything they can to make their scams look legitimate.

Fortunately, there are several things that you can do to identify scams and defend against them:

  • Be wary of any unsolicited offers, giveaways, and other suspicious communications.
  • Ensure that the sender’s email address corresponds with the organization it claims to come from. In many of the examples above they do not.
  • When holiday shopping, stick to known vendors, visiting their websites directly or using their official apps.
  • Do not open links or attachments in emails coming from unknown sources.

But even the best of us can be fooled, and when overseeing a large operation it’s more a matter of when, rather than if, someone clicks on the wrong link. There are elements of the Cisco Secure portfolio that can help for when the inevitable happens.

Cisco Secure Malware Analytics is the malware analysis and malware threat intelligence engine behind all products across the Cisco Security Architecture. The system delivers enhanced, in-depth, advanced malware analysis and context-rich intelligence to help better understand and fight malware within your environments. Secure Malware Analytics is available as a standalone solution, as a component in other Cisco Security solutions, and through software-as-a-service (SaaS) in the cloud, on-premises, and hybrid delivery models.

Cisco Secure Email protects against fraudulent senders, malware, phishing links, and spam. Its advanced threat detection capabilities can uncover known, emerging, and targeted threats. In addition, it defends against phishing by using advance machine learning techniques, real time behavior analytics, relationship modeling, and telemetry that protects against identity deception–based threats.

Cisco Umbrella unifies multiple security functions in a single cloud service to secure internet access. By enforcing security at the DNS layer, Umbrella blocks requests to malware before a connection is even established—before they reach your network or endpoints. In addition, the secure web gateway logs and inspects all web traffic for greater transparency, control, and protection, while the cloud-delivered firewall helps to block unwanted traffic.

Cisco Secure Endpoint is a single-agent solution that provides comprehensive protection, detection, response, and user access coverage to defend against threats to your endpoints. The SecureX platform is built into Secure Endpoint, as are Extended Detection and Response (XDR) capabilities. With the introduction of Cisco Secure MDR for Endpoint, we have combined Secure Endpoint’s superior capabilities with security operations to create a comprehensive endpoint security solution that dramatically decreases the mean time to detect and respond to threats while offering the highest level of always-on endpoint protection.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Modernizing the Security of Australia’s Largest Fuel Network

By Lisa Snow

Ampol has been Australia’s leading transport fuel company since 1900. What began over 125 years ago is now an organization that powers a country, operating 1,500 retail stores and stations across ANZ, plus 89 depots for refining and importing fuels and lubricants, and 8,200 employees throughout Australia, New Zealand, the United States, and Singapore. And while Ampol’s history goes back a century, they are a modern organization, using internet of things (IoT) technology across operational and retail locations, with sensors on everything from electric vehicle charging units to fuel tank gauges to transportation trucks to refrigeration units inside retail stores.

As a critical energy provider to a country of over 25 million people, Ampol’s security needed to match its evolving infrastructure. As Satish Chowdhary, Network Enterprise Architect, said, “At Ampol, we have implemented sensor technology across our network: from gauges in the fuel tanks to monitor fuel quality and quantity to sensors that monitor the temperature in various refrigerators across our retail sites to ensure goods stay chilled. It’s critical to manage these devices effectively and securely, and that’s where Cisco comes in…With IoT, a major security risk is posed by dodgy legacy devices left unpatched and vulnerable within your network. Cisco’s TrustSec and VLAN segregation automatically isolate vulnerable devices, not exposing the rest of the network to risks from untrusted devices.”


Making security an enabler, not a hindrance

In addition to securing the IoT that let’s Ampol monitor and manage its critical operations, Cisco was able to create a comprehensive security environment that solved for their three strategic goals.

“Three key components of our cyber-resilient strategy were isolation, orchestration, and rapid recovery. Cisco SecureX nailed all three providing us a single interface to see all security events, and malicious files, thus expediting how fast we can isolate events and recover,” Chowdhary explained.  “Before using Cisco Secure, security was a hindrance, not an enabler for our IT team, employees, and even customers,” he added.

In fact, Cisco Secure helped Ampol improve their security posture so much that they were able to quickly pivot during the early days of the pandemic.

“When Covid triggered supply challenges during lockdowns, people not being able to access groceries turned to their local service station convenience stores to get what they needed.  For Ampol, maintaining that supply continuity was critical, not just for our business, but for the customers who were relying on us to get their supplies. And all of this was done when many employees were now having to work remotely… This was possible only because we could maintain our revamped locations, staff, clients, and business partners safe on our network – while still maintaining speed and efficiency. Cisco Secure was the ticket to Ampol’s resilience in the face of major change,” Chowdhary said.

Solving security challenges with speed and simplicity

In addition to enabling flexibility against supply chain fluctuations, Ampol is readily protected against  threats, cyberattacks, and other vulnerabilities. Their Cisco security solution included:

  • Cisco Secure Firewall and Identity Service Engines (ISE) allow Ampol’s 3rd-party vendors to safely access the network
  • Cisco Umbrella and Secure Endpoint protected network and wi-fi access at retail locations
  • Cisco Duo protected the SCADA pipeline network users and devices against phishing attacks and established device trust
  • Improved efficiency and threat detection with Cisco SecureX

“The major force for our Cisco Secure investment was simplification by integrating the entire Security portfolio…If we ever happen to have a cyber-attack, we can quickly find it and contain it,” Chowdhary said, adding, “The greatest outcome of using Cisco Secure is simplicity at its core. We achieved great efficiency integration, better visibility, and context that’s not hidden across five, ten, or fifteen consoles, and ultimately, greater security outcomes.”

To find out how else Cisco Secure is helping protect Ampol against sophisticated threats and other challenges, read the full Ampol case study.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Unscrambling Cybersecurity Acronyms – The ABCs of MDR and XDR Security

By Nirav Shah

In the second part of this blog series on Unscrambling Cybersecurity Acronyms, we covered Endpoint Detection and Response (EDR) and Managed Endpoint Detection and Response (MEDR) solutions, which included an overview of the evolution of endpoint security solutions. In this blog, we’ll go over Managed Detection and Response (MDR) and Extended Detection and Response (XDR) solutions in more depth.

What are Managed Detection and Response (MDR) solutions? 

MDR solutions are a security technology stack delivered as a managed service to customers by third-parties such as cybersecurity vendors or Managed Service Providers (MSPs). They’re similar to Managed Endpoint Detection and Response (MEDR) solutions since both solutions are managed cybersecurity services that use Security Operations Center (SOC) experts to monitor, detect, and respond to threats targeting your organization. However, the main difference between these two offerings is that MEDR solutions monitor only your endpoints while MDR solutions monitor a broader environment.

While MDR security solutions don’t have an exact definition for the types of infrastructure they monitor and the underlying security stack that powers them, they often monitor your endpoint, network, and cloud environments via a ‘follow the sun’ approach that uses multiple security teams distributed around the world to continually defend your environment. These security analysts monitor your environment 24/7 for threats, analyze and prioritize threats, investigate potential incidents, and offer guided remediation of attacks. This enables you to quickly detect advanced threats, effectively contain attacks, and rapidly respond to incidents.

More importantly, MDR security solutions allow you to augment or outsource your security to cybersecurity experts. While nearly every organization must defend their environment from cyberattacks, not every organization has the time, expertise, or personnel to run their own security solution. These organizations can benefit from outsourcing their security to MDR services, which enable them to focus on their core business while getting the security expertise they need. In addition, some organizations don’t have the budget or resources to monitor their environment 24/7 or they may have a small security team that struggles to investigate every threat. MDR security services can also help these organizations by giving them always-on security operations while enabling them to address every threat to their organization.

One drawback to deploying an MDR security service is that you become dependent on a third-party for your security needs. While many organizations don’t have any issues with this, some organizations may be hesitant to hand over control of their cybersecurity to a third-party vendor. In addition, organizations such as larger, more-risk averse companies may not desire an MDR service because they’ve already made cybersecurity investments such as developing their own SOC. Finally, MDR security solutions don’t have truly unified detection and response capabilities since they’re typically powered by heterogenous security technology stacks that lack consolidated telemetry, correlated detections, and holistic incident response. This is where XDR solutions shine.

What are Extended Detection and Response (XDR) solutions? 

XDR solutions unify threat monitoring, detection, and response across your entire environment by centralizing visibility, delivering contextual insights, and coordinating response. While ‘XDR’ means different things to different people because it’s a fairly nascent technology, XDR solutions usually consolidate security telemetry from multiple security products into a single solution. Moreover, XDR security solutions provide enriched context by correlating alerts from different security solutions. Finally, comprehensive XDR solutions can simplify incident response by allowing you to automate and orchestrate threat response across your environment.

These solutions speed up threat detection and response by providing a single pane of glass for gaining visibility into threats as well as detecting and responding to attacks. Furthermore, XDR security solutions reduce alert fatigue and false positives with actionable, contextual insights from higher-fidelity detections that mean you spend less time sifting through endless alerts and can focus on the most critical threats. Finally, XDR solutions enable you to streamline your security operations with improved efficiency from automated, orchestrated response across your entire security stack from one unified console.

A major downside to XDR security solutions is that you typically have to deploy and manage these solutions yourself versus having a third-party vendor run them for you. While Managed XDR (MXDR) services are growing, these solutions are still very much in their infancy. In addition, not every organization will want or need a full-fledged XDR solution. For instance, organizations with a higher risk threshold may be satisfied with using an EDR solution and/or an MDR service to defend their organization from threats.

Choosing the Right Cybersecurity Solution  

As I mentioned in the first and second parts of this blog series, you shouldn’t take a ‘one-size-fits-all’ approach to cybersecurity since every organization has different needs, goals, risk appetites, staffing levels, and more. This logic holds true for MDR and XDR solutions, with these solutions working well for certain organizations and not so well for other organizations. Regardless, there are a few aspects to consider when evaluating MDR and XDR security solutions.

One factor to keep in mind is if you already have or are planning on building out your own SOC. This is important to think about because developing and operating a SOC can require large investments in cybersecurity, which includes having the right expertise on your security teams. Organizations unwilling to make these commitments usually end up choosing managed security services such as MDR solutions, which allows them to protect their organization without considerable upfront investments.

Other critical factors to consider are your existing security maturity and overall goals. For instance, organizations who have already made significant commitments to cybersecurity often think about ways to improve the operational efficiency of their security teams. These organizations frequently turn to XDR tools since these solutions reduce threat detection and response times, provide better visibility and context while decreasing alert fatigue. Moreover, organizations with substantial security investments should consider open and extensible XDR solutions that integrate with their existing tools to avoid having to ‘rip and replace’ security tools, which can be costly and cumbersome.

I hope this blog series on the different threat detection and response solutions help you make sense of the different cybersecurity acronyms while guiding you in your decision on the right security solution for your organization. For more information on MDR solutions, read about how Cisco Secure Managed Detection and Response (MDR) rapidly detects and contains threats with an elite team of security experts. For more information on XDR solutions, learn how the Cisco XDR offering finds and remediates threats faster with increased visibility and critical context to automate threat response.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Cisco Secure Endpoint – looking very positive in recent reports!

By Pat Correia

Lots of exciting things happening at Cisco, and for our customers, all to help them better prepare for what’s next. Case in point, we just returned from a very successful Cisco Partner Summit where the spotlight shined on cyber security. When our executives were on stage talking about solutions, the attendees heard a very catchy phrase; “if it’s connected, it’s protected.”  A cool phrase, but there is more to that phrase and much more behind it.   

To tie both connected and protected together, it’s good to note that Cisco is uniquely positioned as a security vendor with 80% of the worldwide internet traffic running through our network hardware and secured by our open platform, with hundreds of thousands of customers benefitting from automation, and from enriched and prioritized threat intel via our Extended Detection and Response (XDR) capabilities. That means a vast amount of unique insights for our customers to become more resilient, stay ahead of threats, be more confident, and benefit from less risk. 

But there are questions, naturally!  

As examples of these questions above: 

 (1) what about proof points on the above? 

 (2) and do Cisco’s capabilities align with what customers want and need?  

Let’s find out on the first by bringing the XDR aspect of security into the discussion, and the second by observing responses from a Forrester Total Economic Impact ™ 

 (TEI) study commissioned by Cisco, both points utilizing our Secure Endpoint solution. 

XDR Proof Points via Secure Endpoint Test Results 

First off, in simple terms, XDR provides the benefit of integrating threat intel from all control points of the security platform and combines that into actionable insights for better, faster, and where appropriate, prioritized remediation of the most critical threats, i.e. XDR helps security teams to identify the threats that can do the most damage and enables the workflows to neutralize those threats first. 

And here is where the proof point comes in. One of the most critical components of XDR is endpoint security. And in the case of Cisco, it’s our Secure Endpoint solution. Cisco recently participated in the AV-Comparatives’ Endpoint Prevention and Response (EPR) Test. The AV-C test is described by that independent test organization as “… the most comprehensive test of EPR products ever performed.” Secure Endpoint was one of the 10 endpoint security products in the test that were subjected to 50 separate targeted attack scenarios, which used a variety of different techniques.  

Here are the highlights of the AV-C EPR report where Cisco Secure Endpoint: 

  • clearly achieved the highest ranking of 100% out of 10 vendors 
  • was the only vendor with 100% in all phases, for both active and passive responses, for all 50 separate targeted attack scenarios   
  • delivered the lowest TCO out of 10 products – $587 5-year TCO (per agent) 

Stunning results and confidence building for our customers that Cisco is effective in endpoint security. Read the complete AV-C EPR Test Report here.

And then, what about the second proof point – is Cisco providing what customers want & need? 

Customer Alignment Proof Points via Forrester Secure Endpoint TEI Report 

Cisco commissioned Forrester Consulting to perform an unbiased cost-benefit analysis of our Cisco Secure Endpoint product. The report yielded the highlights below, based upon a composite organization, and also includes 20+ outstanding customer quotes. 

Here’s the Forrester TEI Study bottom line for the composite organization: 

  • achieved ROI of up to 287% and saw payback <6 months  
  • After deploying Cisco Secure Endpoint and SecureX, the time to investigate and/or remediate is reduced by 50% 
  • customers modernized their security and reduced their risk of material breach and productivity loss   

Very good results and again, confidence building for our customers that Cisco is effective in endpoint security. Read the Forrester “The Total Economic Impact™ Of Cisco Secure Endpoint” Study here. 

One last thing, what about those customer quotes? Here are a couple of examples: 

“Having something take immediate action to quarantine something that could have propagated quickly and take down your network [is] a priceless piece.”  

Director of IT security, logistics 

“We wanted [a company that] is passionate and cares about us running through the night.” 

Director of IT security, logistics

To find out more, read Forrester’s “The Total Economic Impact™ Of Cisco Secure Endpoint” Study here. And if you are not familiar with Secure Endpoint, or would like to sign up for a free trial, check it out here.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Cisco Secure Endpoint Crushed the AV-Comparative EPR Test

By Truman Coburn

The word is out! Cisco Secure Endpoint’s effectiveness is off the charts in protecting your enterprise environment.

This is not just a baseless opinion; however, the facts are rooted in actual test results from the annual AV-Comparative EPR Test Report published in October 2022. Not only did Secure Endpoint knock it out of the park in enterprise protection; but Cisco Secure Endpoint obtained the lowest total cost of ownership (TCO) per agent at $587 over 5 years. No one else was remotely close in this area. More to come on that later.

If you are not familiar with the “AV-Comparatives Endpoint Prevention and Response Test is the most comprehensive test of EPR products ever performed. The 10 products in the test were subjected to 50 separate targeted attack scenarios, which used a variety of different techniques.”

These results are from an industry-respected third-party organization that assesses antivirus software and has just confirmed what we know and believe here at Cisco, which is our Secure Endpoint product is the industry’s best of the best.

Leader of the pack

Look for yourself at where we landed. That’s right, Cisco Secure Endpoint smashed this test, we are almost off the quadrant as one of the “Strategic Leaders”.

We ended up here for a combination of reasons, with the top being our efficacy in protecting our customers’ environments in this real-world test that emulates multi-stage attacks similar to MITRE’s ATT&CK evaluations which are conducted as part of this process (click here for an overview of MITRE ATT&CK techniques). Out of all the 50 scenarios tested, Secure Endpoint was the only product that STOPPED 100% of targeted threats toward enterprise users, which prevented further infiltration into the organization.

Lowest Total Cost of Ownership

In addition, this test not only assesses the efficacy of endpoint security products but also analyzes their cost-effectiveness. Following up on my earlier remarks about achieving the lowest cost of ownership, the graph below displays how we stacked up against other industry players in this space including several well-known vendors that chose not to display their names due to poor results.

These results provide a meaningful proof point that Cisco Secure Endpoint is perfectly positioned to secure the enterprise as well as secure the future of hybrid workers.

Enriched with built-in Extended Detection and Response (XDR) capabilities, Cisco Secure Endpoint has allowed our customers to maintain resiliency when faced with outside threats.

As we embark on securing “what’s next” by staying ahead of unforeseen cyber threats of tomorrow, Cisco Secure Endpoint integration with the complete Cisco Secure Solutions portfolio allows you to move forward with the peace of mind that if it’s connected, we can and will protect it.

Secure Endpoint live instant demo

Now that you have seen how effective Secure Endpoint is with live real-world testing, try it for yourself with one of our live instant demos. Click here to access instructions on how to download and install your demo account for a test drive.

Click here to see what analysts, customers, and third-party testing organizations have to say about Cisco Secure Endpoint Security efficacy, easy implementation and overall low total cost of ownership for their organization —and stay ahead of threats.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Secure Your Hybrid Workforce Using These SOC Best Practices

By Pat Correia

Hybrid Workforce is here to stay

Just a few years ago when the topic of supporting offsite workers arose, some of the key conversation topics were related to purchase, logistics, deployment, maintenance and similar issues. The discussions back then were more like “special cases” vs. today’s environment where supporting workers offsite (now known as the hybrid workforce) has become a critical mainstream topic.

Figure 1: Security challenges in supporting the hybrid workforce

Now with the bulk of many organization’s workers off-premise, the topic of security and the ability of a security vendor to help support an organization’s hybrid workers has risen to the top of the selection criteria.  In a soon to be released Cisco endpoint survey, it’s not surprising that the ability of a security vendor to make supporting the hybrid workforce easier and more efficient was the key motivating factor when organizations choose security solutions.

Figure 2: Results from recent Cisco Survey

Best Practices complement your security tools

Today, when prospects and existing customers look at Cisco’s ability to support hybrid workers with our advanced security solution set and open platform, it’s quite clear that we can deliver on that promise. But, yes, good tools make it easier and more efficient, but the reality is that running a SOC or any security group, large or small, still takes a lot of work. Most organizations not only rely on advanced security tools but utilize a set of best practices to provide clarity of roles, efficiency of operation, and for the more prepared, have tested these best practices to prove to themselves that they are prepared for what’s next.

Give this a listen!

Knowing that not all organizations have this degree of security maturity and preparedness, we gathered a couple of subject matter experts together to discuss 5 areas of time-tested best practices that, besides the advanced tools offered by Cisco and others, can help your SOC (or small security team) yield actionable insights and guide you faster, and with more confidence, toward the outcomes you want.

In this webinar you will hear practical advice from Cisco technical marketing and a representative from our award winning Talos Threat Intelligence group, the same group who have created and are maintaining breach defense in partnership with Fortune 500 Security Operating Centers (SOC) around the globe.

Figure 3: Webinar Speakers

You can expect to hear our 5 Best Practices recommendations on the following topics;

  1. Establishing Consistency – know your roles and responsibilities without hesitation.
  2. Incident Response Plan – document it, share it and test it with your stakeholders.
  3. Threat Hunting – find out what you don’t know and minimize the threat.
  4. Retro Learning – learn from the past and be better prepared.
  5. Unifying stakeholders – don’t go it alone.

Access this On-Demand Webinar now!

Check out our webinar to find out how you can become more security resilient and be better prepared for what’s next.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Defend your organization from ransomware attacks with Cisco Secure Endpoint

By Nirav Shah

Ransomware is one of the most dangerous threats organizations face today, so it’s no wonder that Cisco Talos Incident Response named it the top threat of the year in 2021. These attacks continue to grow and become more advanced, with ransomware attacks  growing by 13% over 2021 and a whopping 79% over 2020 so far this year (see Figure 1 below).1  Stopping ransomware attacks isn’t easy either, as adversaries continue to change their techniques and attacks become increasingly sophisticated.

Figure 1: Publicized ransomware attacks by month (2020-2022)

Fortunately, Cisco Secure Endpoint defends your organization from ransomware by delivering security outcomes that enable you to radically simplify your security, maximize your security operations, and achieve peace of mind. Let’s dive deeper into each of these areas to better understand how Secure Endpoint can help your organization defend against ransomware attacks.

Radically Simplify Your Security

Cybersecurity has become increasingly complex due to the numerous security solutions deployed by organizations today. These disparate point-products increase complexity while creating security gaps because they require additional management overhead and typically don’t communicate with each other. This increases the burden on security operations teams since they must spend time managing these different solutions and filling in the gaps between tools rather than using their time to investigate and respond to threats

Cisco takes a very different approach to cybersecurity by looking at ransomware endpoint protection holistically, as part of an integrated security solution. For instance, Secure Endpoint includes built-in extended detection and response (XDR) capabilities from the Cisco SecureX platform that centralizes visibility in a single console, creates high-fidelity detections by correlating threats, and coordinates threat response across your entire security environment. In addition, Secure Endpoint unifies your security stack, simplifies management, and reduces agent fatigue because we’ve consolidated endpoint protection, cloud security, and remote access agents into a single agent.

Learn more about how Secure Endpoint helps you simplify your security while defending your organization from ransomware attacks by watching this video:

Maximize Your Security Operations

One of the common themes we’ve heard from our customers is that their security operations teams are frequently overstretched. The ongoing cybersecurity skills shortage means that security teams have to do more with less and a vast number of security tools to manage along with inefficient security operations processes, often leading to burned-out security teams.

Cisco addresses these challenges by allowing you to get the most out of your security operations. For example, you can accelerate investigation and incident response with valuable vulnerability context since we’ve integrated risk-based vulnerability management from Kenna Security into Secure Endpoint. Moreover, Secure Endpoint includes advanced endpoint detection and response (EDR) capabilities via Orbital Advanced Search and built-in XDR from SecureX that enable you to rapidly detect, respond to, and contain ransomware attacks. Lastly, you can get the security expertise you need with proactive threat hunting from SecureX Threat Hunting, which uses an analyst-centric process to quickly spot hidden ransomware.

Check out how Secure Endpoint helps you maximize your security operations while defending your organization from ransomware attacks by watching this video:

Achieve Peace of Mind

Keeping up with the latest ransomware attacks can seem like an impossible challenge due to Ransomware-as-a-service (RaaS) kits which make it simple and lucrative to target organizations with ransomware and the evolving threat landscape, where attackers are continuously changing their methods to evade detection.

Cisco helps you stay ahead of the newest ransomware attacks and gives you the peace of mind you deserve by taking a comprehensive approach to ransomware endpoint protection. This means ensuring that you never have to go it alone with always-on security operations from Cisco Secure Endpoint Pro, a managed service that uses a team of Cisco security experts to perform the heavy lifting of securing your endpoints. It also includes offering advanced EDR and integrated XDR capabilities such as Orbital and SecureX to speed detection and response, simplify investigations, and quickly contain ransomware attacks before it’s too late. Finally, Secure Endpoint prevents initial ransomware infections with multifaceted prevention techniques such as machine learning, exploit prevention, and behavioral protection as well as actionable threat intelligence from the Cisco Talos research team.

Learn more about how Secure Endpoint helps you achieve peace of mind while defending your organization from ransomware attacks by watching this video:

All these capabilities in Cisco Secure Endpoint enable you to defend against ransomware attacks from compromising your endpoints while ensuring you stay resilient against threats. For more information on how Secure Endpoint can defend your organization from ransomware attacks, please watch the Cisco Secure Endpoint Ransomware Series.

1 BlackFog The State of Ransomware in 2022:

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Unscrambling Cybersecurity Acronyms: The ABCs of EDR and MEDR Security

By Nirav Shah

In the first part of this blog series on Unscrambling Cybersecurity Acronyms, we provided a high-level overview of the different threat detection and response solutions and went over how to find the right solution for your organization. In this blog, we’ll do a deeper dive on two of these solutions – Endpoint Detection and Response (EDR) and Managed Endpoint Detection and Response (MEDR). However, first let’s take a look back at the history of endpoint security solutions and understand how we got EDR and MEDR security solutions.

Evolution of endpoint security solutions

The very first endpoint security solutions started out as anti-virus solutions (AV) with basic security functionality that relied heavily on signature-based detection. These solutions were effective against known threats where a signature was created, but ineffective against unknown threats such as new and emerging attacks. That meant that organizations struggled to stay ahead of attackers, who were continuously evolving their techniques to evade detection with new types of malware.

To address this problem, AV vendors added detection technologies such as heuristics, reputational analysis, behavioral protection, and even machine learning to their solutions, which became known as Endpoint Protection Platforms (EPP). These unified solutions were effective against both known and unknown threats and frequently used multiple approaches to prevent malware and other attacks from infecting endpoints.

As cyberattacks grew increasingly sophisticated though, many in the cybersecurity industry recognized that protection against threats wasn’t enough. Effective endpoint security had to include detection and response capabilities to quickly investigate and remediate the inevitable security breach. This led to the creation of EDR security solutions, which focused on post-breach efforts to contain and clean up attacks on compromised endpoints.

Today, most endpoint security vendors combine EPP and EDR solutions into a single, converged solution that provides holistic defense to customers with protection, detection, and response capabilities. Many vendors are also offering EDR as a managed service (also known as MEDR) to customers who need help in securing their endpoints or who don’t have the resources to configure and manage their own EDR solution. Now that we’ve gone over how endpoint security evolved into EDR and MEDR security solutions, let’s cover EDR and MEDR in more depth.

Figure 1: History of Endpoint Security Solutions

What are Endpoint Detection and Response (EDR) solutions?

EDR solutions continuously monitor your endpoints for threats, alert you in case suspicious activity is detected, and allow you to investigate, respond to and contain potential attacks. Moreover, many EDR security solutions provide threat hunting functionality to help you proactively spot threats in your environment. They’re often coupled with or part of a broader endpoint security solution that also includes prevention capabilities via an EPP solution to protect against the initial incursion.

As a result, EDR security solutions enable you to protect your organization from sophisticated attacks by rapidly detecting, containing, and remediating threats on your endpoints before they gain a foothold in your environment. They give you deep visibility into your endpoints while effectively identifying both known and unknown threats. Furthermore, you can quickly contain attacks that get through your defenses with automated response capabilities and hunt for hidden threats that are difficult to detect.

While EDR provides several benefits to customers, it has some drawbacks. Chief among them is that EDR security solutions are focused on monitoring endpoints only versus monitoring a broader environment. This means that EDR solutions don’t detect threats targeting other parts of your environment such as your network, email, or cloud infrastructure. In addition, not every organization has the security staff, budget, and/or skills to deploy and run an EDR solution. This is where MEDR solutions come into play.

What are Managed Endpoint Detection and Response (MEDR) solutions?

Managed EDR or MEDR solutions are EDR capabilities delivered as a managed service to customers by third-parties such as cybersecurity vendors or Managed Service Providers (MSPs). This includes key EDR functionality such as monitoring endpoints, detecting advanced threats, rapidly containing threats, and responding to attacks. These third-parties usually have a team of Security Operations Center (SOC) specialists who monitor, detect, and respond to threats across your endpoints around the clock via a ‘follow the sun’ approach to monitoring.

MEDR security solutions allow you to offload the work of securing your endpoints to a team of security professionals. Many organizations need to defend their endpoints from advanced threats but don’t necessarily have the desire, resources, or expertise to manage an EDR solution. In addition, a team of dedicated SOC experts with advanced security tools can typically detect and respond to threats faster than in-house security teams, all while investigating every incident and prioritizing the most critical threats. This enables you to focus on your core business while getting always-on security operations.

Similar to EDR though, one downside to MEDR security solutions is that they defend only your endpoints from advanced threats and don’t monitor other parts of your infrastructure. Moreover, while many organizations want to deploy EDR as a managed service, not everyone desires this. For example, larger and/or more risk-averse organizations who are looking to invest heavily in cybersecurity are typically satisfied with running their own EDR solution. Now, let’s discuss how to choose the right endpoint security solution when trying to defend your endpoints from threats.

Choosing the Right Endpoint Security Solution

As I mentioned in my previous blog, there isn’t a single correct solution for every organization. This logic applies to EDR and MEDR security solutions as well since each solution works well for different types of organizations, depending on their needs, resources, motivations, and more. Nevertheless, one major factor to consider is if you have or are willing to build out a SOC for your organization. This is important because organizations that don’t have or aren’t willing to develop a SOC usually gravitate towards MEDR solutions, which don’t require significant investments in cybersecurity.

Another factor to keep in mind is your security expertise. Even if you’re have or are willing to build a SOC, you may not have the right cybersecurity talent and skills within your organization. While you can always build out your security team, you may want to evaluate an MEDR solution because a lack of expertise makes it difficult to effectively manage an EDR solution. Finally, a common misconception is that you must choose between an EDR and a MEDR solution and that you cannot run both solutions. In reality, many organizations end up using both EDR and MEDR since MEDR solutions often complement EDR deployments.

I hope this information and key factors help you better understand EDR and MEDR solutions while acting as a guide to selecting the best endpoint security solution for your organization. For more details on the different cybersecurity acronyms and how to identify the right solution for your needs, stay tuned for the next blog in this series – Unscrambling Cybersecurity Acronyms: The ABCs of MDR and XDR Security. In the meantime, learn how Cisco Secure Endpoint stops threats with a comprehensive endpoint security solution that includes both advanced EDR and MEDR capabilities powered by an integrated security platform!

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Cisco Secure 5 Best Practices Security Analysts Can Use to Secure Their Hybrid Workforce.

By Truman Coburn

The hybrid work environment has been around for years, albeit not common but it existed. I can recall my first job where I was able to split my time working in an office and working from my makeshift home office. This was many moons ago as I will call it… pre-COVID-19. 

Job seekers are certainly looking to have the flexibility of working from anywhere at any time – preferably in an environment of their choosing. Even though a hybrid workforce will provide people with the option to work from anywhere, those remote locations are sometimes in unsecured locations. Organizations must now reimagine a workforce that will need access to your internal collaboration tools along with access to your network from both on- and off-premises. 

Leading the way in a hybrid environment 

Cisco, a leader in equipping organizations with the right products for a hybrid workforce, provides the tools & services to protect your organization from bad threat actors. 

With pervasive ransomware attacks, malware attacks, and email attacks, you must be ready and have not only a security solution but also a security analyst team ready to respond when an attack happens. 

Securing access to your endpoint must be a top priority and your security analysts must be agile and have the right telemetry to provide around-the-clock monitoring and the ability to quickly respond to threats. 

Security Analyst don’t just monitor they respond to threats  

Cisco Secure Endpoint provides you with the visibility and ability to respond to threats by blocking them before they compromise your network. Combined with global, proactive threat hunting, leading-edge forensic/analytic capabilities, and reduced leading Mean Time To Detection (MTTD)/Mean Time To Resolution (MTTR) across the supply chain that no other vendor can parallel; why would you partner with any other company to secure and scale your unique hybrid workforce or workplace clients? 

Click here to listen to my fireside chat on how we at Cisco would define 5 Best Practices Security Analysts Can Use to Secure Their Hybrid Workforce:

I am joined by Cisco Talos global Senior Threat Defense and Response Analyst, William (Bill) Largent who has over 20 plus years of infosec experience, specifically in network intrusion detection, traffic analysis, and signature/rule writing. 

I will also be speaking with Eric Howard, Cisco Secure Technical Marketing Engineer Leader for the Security Platform and Response Group. Eric is a seasoned team leader in both Information Security Sales, and Product Management. He has built and led teams that apply deep technical understanding to business needs, initiatives, and strategies in both start-ups and established companies. 

This is a conversation you do not want to skip! There were a lot of gems shared by these gentlemen that will get you where you need to be as a Security Analyst. 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Cisco Talos — Our not-so-secret threat intel advantage

By Neville Letzerich

Security tools are only as good as the intelligence and expertise that feeds them. We’re very fortunate to have our security technologies powered by Cisco Talos, one of the largest and most trusted threat intelligence groups in the world. Talos is comprised of highly skilled researchers, analysts, and engineers who provide industry-leading visibility, actionable intelligence, and vulnerability research to protect both our customers and the internet at large.

The Talos team serves as a crucial pillar of our innovation — alerting customers and the public to new threats and mitigation tactics, enabling us to quickly incorporate protection into our products, and stepping in to help organizations with incident response, threat hunting, compromise assessments and more. Talos can also be found securing large-scale events such as the Super Bowl, and working with government and law enforcement organizations across the globe to share intelligence.

With Cisco’s vast customer base and broad portfolio — from routers and switches to email and endpoints — Talos has visibility into worldwide telemetry. Once a threat is seen, whether it’s a phishing URL or an IP address hosting malware, detections are created and indicators of compromise are categorized and blocked across our Cisco Secure portfolio.

Talos also leverages its unique insights to help society as a whole better understand and combat the cyberattacks facing us daily. During the war in Ukraine, the group has taken on the additional task of defending over 30 critical infrastructure providers in the country by directly managing and monitoring their endpoint security.

How Talos powers XDR

The reality of security today is that organizations must be constantly ready to detect and contain both known and unknown threats, minimize impact, and keep business going no matter what happens in the cyber realm. In light of hybrid work, evolving network architectures, and increasingly insidious attacks, all organizations must also be prepared to rapidly recover if disaster strikes, and then emerge stronger. We refer to this as security resilience, and Talos plays a critical role in helping our customers achieve it.

For several years, our integrated, cloud-native Cisco SecureX platform has been delivering extended detection and response (XDR) capabilities and more. SecureX allows customers to aggregate, analyze, and act on intelligence from disparate sources for a coordinated response to cyber threats.

Through the SecureX platform, intelligence from Talos is combined with telemetry from our customers’ environments — including many third-party tools — to provide a more complete picture of what’s going on in the network. Additionally, built-in, automated response functionality helps to speed up and streamline mitigation. This way, potential attacks can be identified, prioritized, and remediated before they lead to major impact.

For XDR to be successful, it must not only aggregate data, but also make sense of it. Through combined insights from various resources, SecureX customers obtain the unified visibility and context needed to rapidly prioritize the right threats at the right time. With SecureX, security analysts spend up to 90 percent less time per incident.

Accelerating threat detection and response

One of Australia’s largest universities, Deakin University, needed to improve its outdated security posture and transition from ad hoc processes to a mature program. Its small security team sought an integrated solution to simplify and strengthen threat defense.

With a suite of Cisco security products integrated through SecureX, Deakin University was able to reduce the typical investigation and response time for a major threat down from over a week to just an hour. The university was also able to decrease its response time for malicious emails from an hour to as little as five minutes.

“The most important outcome that we have achieved so far is that security is now a trusted function.”

– Fadi Aljafari, Information Security and Risk Manager, Deakin University

Also in the education space, AzEduNet provides connectivity and online services to 1.5 million students and 150,000 teachers at 4,300 educational institutions in Azerbaijan. “We don’t have enough staff to monitor every entry point into our network and correlate all the information from our security solutions,” says Bahruz Ibrahimov, senior information security engineer at AzEduNet.

The organization therefore implemented Cisco SecureX to accelerate investigations and incident management, maximize operational efficiency with automated workflows, and decrease threat response time. With SecureX, AzEduNet has reduced its security incidents by 80 percent.

“The integration with all our Cisco Secure solutions and with other vendors saves us response and investigation time, as well as saving time for our engineers.”

– Bahruz Ibrahimov, Senior Information Security Engineer, AzEduNet

Boosting cyber resilience with Talos

The sophistication of attackers and sheer number of threats out there today make it extremely challenging for most cybersecurity teams to effectively stay on top of alerts and recognize when something requires their immediate attention. According to a survey by ESG, 81 percent of organizations say their security operations have been affected by the cybersecurity skills shortage.

That’s why Talos employs hundreds of researchers around the globe — and around the clock — to collect and analyze massive amounts of threat data. The group uses the latest in machine learning logic and custom algorithms to distill the data into manageable, actionable intelligence.

“Make no mistake, this is a battle,” said Nick Biasini, head of outreach for Cisco Talos, who oversees a team of global threat hunters. “In order to keep up with the adversaries, you really need a deep technical understanding of how these threats are constructed and how the malware operates to quickly identify how it’s changing and evolving. Offense is easy, defense is hard.”

Maximizing defense against future threats  

Earlier this year, we unveiled our strategic vision for the Cisco Security Cloud to deliver end-to-end security across hybrid, multicloud environments. Talos will continue to play a pivotal role in our technology as we execute on this vision. In addition to driving protection in our products, Talos also offers more customized and hands-on expertise to customers when needed.

Cisco Talos Incident Response provides a full suite of proactive and emergency services to help organizations prepare for, respond to, and recover from a breach — 24 hours a day. Additionally, the recently released Talos Intel on Demand service delivers custom research unique to your organization, as well as direct access to Talos security analysts for increased awareness and confidence.

Enhance your intelligence + security operations

Visit our dedicated Cisco Talos web page to learn more about the group and the resources it offers to help keep global organizations cyber resilient. Then, discover how XDR helps Security Operations Center (SOC) teams hunt for, investigate, and remediate threats.

Watch video: What it means to be a threat hunter

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Announcing SOC 2 Compliance for Cisco Secure Endpoint, Cisco Secure Malware Analytics, and Cisco SecureX

By Farzad Bakhtiar

With a rising number of cyberattacks targeting organizations, protecting sensitive customer information has never been more critical. The stakes are high due to the financial losses, reputational damage, legal & compliance fines, and more that often stem from mishandled data. At Cisco Secure, we recognize this and are continuously looking for ways to improve our information security practices.

As a result, we are excited to announce that we have achieved SOC 2 compliance for the Cisco Secure Endpoint solution, Cisco Malware Analytics, and the Cisco SecureX platform! SOC 2 is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) that helps ensure organizations responsibly handle customer data. This is done via strong information security practices that adhere to trust service criteria for security, availability, and confidentiality.

Achieving SOC 2 compliance means that we have adhered to these trust principles and gone through a rigorous audit by an independent, third-party firm to validate our information security practices. This shows that we are committed to safeguarding your sensitive data with robust controls in place and gives you the peace of mind that your data is in good hands. We have achieved SOC 2 Type 2 compliance for the following Cisco Secure products:

To learn more about SOC 2 compliance for these solutions, please speak to your Cisco representative, or visit the Cisco Trust Portal, where you can access the SOC 2 reports.

Unscrambling Cybersecurity Acronyms: The ABCs of Endpoint Security

By Nirav Shah

Ransomware and other advanced attacks continue to evolve and threaten organizations around the world. Effectively defending your endpoints from these attacks can be a complex undertaking, and a seemingly endless number of security acronyms only compounds that complexity. There are so many acronyms – EPP, EDR, MEDR, MDR, XDR, and more – for various cybersecurity products and services that it becomes difficult to understand the differences between them and choose the right solution for your organization. Deciphering all these acronyms is a task on its own and deciding which solution works best for you is even more challenging.

We here at Cisco believe that understanding these acronyms and determining which security products or services are the best fit for your organization’s needs doesn’t have to be so hard. That’s why we developed this blog – the first in a series – to give you an overview of the different types of threat detection and response solutions.

This series will help you understand the benefits and disadvantages of each solution, the similarities and differences between these solutions, and how to identify the right solution for your organization. Now let’s go over the different types of security solutions.

Overview of Threat Detection and Response Solutions

There are several types of threat detection and response solutions, including:

  • Endpoint Detection and Response (EDR) A product that monitors, detects, and responds to threats across your endpoint environment
  • Managed Endpoint Detection and Response (MEDR) A managed service operated by a third-party that monitors, detects, and responds to threats across your endpoint environment
  • Managed Detection and Response (MDR) A managed service operated by a third-party that monitors, detects, and responds to threats across your cybersecurity environment
  • Extended Detection and Response (XDR) A security platform that monitors, detects, and responds to threats across your cybersecurity environment with consolidated telemetry, unified visibility and coordinated response

These solutions are similar in that they all enable you to detect and respond to threats, but they differ by the environment(s) being monitored for threats, who conducts the monitoring, as well as how alerts are consolidated and correlated. For instance, certain solutions will only monitor your endpoints (EDR, MEDR) while others will monitor a broader environment (XDR, MDR). In addition, some of these solutions are actually managed services where a third-party monitors your environment (MEDR, MDR) versus solutions that you monitor and manage yourself (EDR, XDR).

How to Select the Right Solution for your Organization

When evaluating these solutions, keep in mind that there isn’t a single correct solution for every organization. This is because each organization has different needs, security maturities, resource levels, and goals. For example, deploying an EDR makes sense for an organization that currently has only a basic anti-virus solution, but this seems like table stakes to a company that already has a Security Operations Center (SOC).

That being said, there are a few questions you can ask yourself to find the cybersecurity solution that best fits your needs, including:

  • What are our security goals? Where are we in our cybersecurity journey?
  • Do we have a SOC or want to build a SOC?
  • Do we have the right cybersecurity talent, skills, and knowledge?
  • Do we have enough visibility and context into security incidents? Do we suffer from too many alerts and/or too many security tools?
  • How long does it take us to detect and respond to threats? Is that adequate?

Of these questions, the most critical are about your security goals and current cybersecurity posture. For instance, organizations at the beginning of their security journey may want to look at an EDR or MEDR solution, while companies that are further along their journey are more likely to be interested in an XDR. Asking whether you already have or are willing to build out a SOC is another essential question. This will help you understand whether you should run your security yourself (EDR, XDR) or find a third-party to manage it for you (MEDR, MDR).

Asking whether you have or are willing to hire the right security talent is another critical question to pose. This will also help determine whether to manage your cybersecurity solution yourself or have a third-party run it for you. Finally, questions about visibility and context, alert, and security tool fatigue, as well as detection and response times will help you to decide if your current security stack is sufficient or if you need to deploy a next-generation solution such as an XDR.

These questions will help guide your decision-making process and give you the information you need to make an informed decision on your cybersecurity solution. For more details on the different endpoint security acronyms and how to determine the right solution for your organization, keep an eye out for the next blog in this series – Unscrambling Cybersecurity Acronyms: The ABCs of EDR and MEDR. Stay tuned!



We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels



More than a VPN: Announcing Cisco Secure Client (formerly AnyConnect)

By Jay Bethea

We’re excited to announce Cisco Secure Client, formerly AnyConnect, as the new version of one of the most widely deployed security agents. As the unified security agent for Cisco Secure, it addresses common operational use cases applicable to Cisco Secure endpoint agents. Those who install Secure Client’s next-generation software will benefit from a shared user interface for tighter and simplified management of Cisco agents for endpoint security.

Screengrab of the new Cisco Secure Client UI


Go Beyond Traditional Secure Access

Swift Endpoint Detection & Response and Improved Remote Access

Now, with Secure Client, you gain improved secure remote access, a suite of modular security services, and a path for enabling Zero Trust Network Access (ZTNA) across the distributed network. The newest capability is in Secure Endpoint as a new module within the unified endpoint agent framework. Now you can harness Endpoint Detection & Response (EDR) from within Secure Client. You no longer need to deploy and manage Secure Client and Secure Endpoint as separate agents, making management more effortless on the backend.

Increased Visibility and Simplified Endpoint Security Agents

Within Device Insights, Secure Client lets you deploy, update, and manage your agents from a new cloud management system inside SecureX. If you choose to use cloud management, Secure Client policy and deployment configuration are done in the Insights section of Cisco SecureX. Powerful visibility capabilities in SecureX Device Insights show which endpoints have Secure Client installed in addition to what module versions and profiles they are using.

Screengrab of the Securex Threat Response tool, showing new Secure Client features.

The emphasis on interoperability of endpoint security agents helps provide the much-needed visibility and simplification across multiple Cisco security solutions while simultaneously reducing the complexity of managing multiple endpoints and agents. Application and data visibility is one of the top ways Secure Client can be an important part of an effective security resilience strategy.

View of the SecureX Device Insights UI with new Secure Client features.


Visit our homepage to see how Secure Client can help your organization today.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels



Cisco Salutes the League of Cybersecurity Heroes

By Cristina Errico

We have entered a world where uncertainty has become the normal operating mode for everyone. Within this new frontier, cybersecurity has become even more challenging. However, some cybersecurity professionals have stood out, using their unique skills and resourcefulness to protect the integrity of their businesses, and to withstand unpredictable and dynamically changing threats. In the end, they, and their businesses have emerged even stronger.

These accomplishments have lead them to be selected from over more than 700 Cisco Cybersecurity Advocates – who are also members of Cisco Insider Advocates – to join the League of Cybersecurity Heroes.

Cisco Insider Advocates is a peer networking community developed several years ago for Cisco customers around the globe. Currently, over 14,000 customers are using it to share technology insights, feedback, and best practices, and also to make meaningful connections with others in the industry. We at Cisco believe that when we connect, anything is possible, and the Insider Advocacy program is a great example of the great things that can happen when people come together.

Let’s meet our League of Cybersecurity Heroes

Roberto Alunda

As the global CISO of Mediapro, Roberto has deployed Cisco SecureX together with Umbrella, Secure Endpoint, Secure Firewall, ISE, NGIP, Threat Response, AnyConnect, and Web security. With this partnership, Mediapro has reduced its threat detection time by 90%. In addition, they have seen no false positives in their threat detection alerts. It is rare to boast of a 100% success rate, but they can boldly make that pronouncement. All of this has also benefitted Mediapro financially by incurring zero fines for any compliance issues

Blair Anderson

What do music, cybersecurity, and teaching all have in common? They all culminate in a readiness to perform. Equally, they all require collaboration, comfort with the unexpected, and a passion for the job. Blair exemplifies the best of these traits, and in doing so, he provides inspiration and excellence to all with whom he interacts. Watching Blair at work makes one wonder if there are more hours granted to him during a day than the average person. He is a time-maximizer, spending most of that time in the service of others.

Kevin Brown

Too often, cybersecurity certifications are treated derisively by some of the very professionals who need them most. This is not the case with Kevin, who can list the many benefits of attaining certifications. Kevin’s desire to improve his knowledge doesn’t stop with technology and cybersecurity. He is an avid reader of anything that can raise him up to be better than he was the day before. With a career that started in the US Marine Corps, Kevin continues to learn and grow, all the while remaining as masterful at a computer keyboard as he is his with his traditional 55-gallon-barrel BBQ smoker and grill.

Steve Cruse

Steve is a Senior Cybersecurity and Network Architect at Lake Trust Credit Union. Like most organizations, Lake Trust has had to transition to a completely remote workforce quickly, and thanks to Secure Network Analytics, they were able to transition the employees to work remotely while maintaining the same high level of visibility and protection in place. Steve was the subject of a case study about the benefits that Cisco products have brought to Lake Trust Credit Unions’ customers. He is currently collaborating to update that information to share more of his knowledge.

Enric Cuixeres

Being the Head of Information Technology is never an easy job. However, when food manufacturer, Leng-d’Or, was faced with a challenge during the pandemic that could have interrupted its production line, quick thinking, skilled leadership, and a close partnership with Cisco all lead to positive outcomes, and helped them to pull through stronger than before. Part of this success comes from Enric’s distinct understanding of the threats, solutions, and processes needed to bring security to a higher level for the Leng-d’Or organization. Enric also shares his success story very freely, adding immeasurable benefits to the security community.

Tony Dous

Cybersecurity is truly a global discipline. Tony Dous proves this by practicing his craft as a Senior Network Security Engineer in Cairo, Egypt. Tony’s involvement with the Cisco community shows how no distance is too far for a motivated cybersecurity professional.

John Patrick Duro

When John Patrick is on the job, there is no longer any feeling that the criminals are one-step ahead of the good guys. He adopted Umbrella together with Meraki to develop a proactive security approach inside his organization. John Patrick created a more unified network from a patchwork of disparate entities. In doing so, he reduced the complexity within the environment. Complexity is so often responsible for security gaps, and John Patrick’s work not only corrected those gaps, but he brought people together in the process. He and his team received great feedback from the employees, who enjoyed a consistent network experience.

Amit Gumber

We often hear stories about teenagers who become enamored with technology, leading to the fulfillment of a dream. Amit Gumber became interested in cybersecurity at an early age, pursued his passion and has worked in the field ever since. His sense of advocacy is best described in his own words: “I’m quite passionate about sharing knowledge and ideas with peers and participating in collaborative activities.” Amit’s use of Cisco technologies has helped HCL Technologies to stabilize and secure their environment.

Mark Healey

One of the most important factors for success is insatiable curiosity. Mark Healey is a continuous learner, and he is an example of someone who enthusiastically shares his knowledge. Whether it is on a personal level, or through his high engagement as part of the Cisco Insider Advocates community, or as an active member of the Internet Society, Mark is an evangelist and a positive voice for cybersecurity.

Wouter Hindriks

Wouter holds a special designation, not only as a member of the League of Cybersecurity Heroes, but also as the recipient of the “Cybersecurity Defender of the Year” award. Wouter is an active participant in the cybersecurity community, working with an almost evangelical zeal towards sharing the importance of holistic cybersecurity. His contributions stand out towards making the cyber realm a safer place.

Bahruz Ibrahimov

It is often said that the job of a cybersecurity professional in an educational facility is especially challenging. When that facility happens to be the largest in an entire country, with over 4,000 schools and universities, the job of protecting it can seem insurmountable. At AzEduNet, in Azerbaijan, Bahruz and his team is tasked with securing the network for its 1.5 Million students. With Cisco Secure, the security team reduced security incidents by 80%. This not only ensures access for the students, but also keeps the data safe.

Walther Noel Meraz Olivarria

Many people want to enter the cybersecurity profession, but few have the dedication and perseverance to fully embrace the skillset required to meet that goal. Walther Noel not only had the desire to refocus his career, but he proved it by earning the CyberOps Associate Certification. His accomplishment is a prime example of how one can step outside of their comfort zone to grow and thrive.

Pascual Sevilla

Pascual demonstrates how important it is to make the most of the learning opportunities in Cisco Insiders Advocates. While already a successful NOC engineer, he sought to advance his professional development by studying cybersecurity. He passed the CCNA CyberOps 200-201 exam, moving him closer to propelling his career to even higher achievements.

Inderdeep Singh

One of the noblest expressions of knowledge is the desire to freely share that information. Inderdeep lives up to this ideal, offering his expertise to all with no expectations of reciprocity. His charitable spirit has not gone unnoticed, as he has been a previous award winner for Cisco IT Blogs, as well as a designation on the Feedspot top 100 Networking Blog.

Luigi Vassallo

Being the first to try a new technology can be a risky proposition. However, as a COO, risk calculations are in one’s blood. Luigi, along with the Sara Assicurazioni organization, hails as the first company in Italy to embrace cloud technology. As a company with more than one million customers, this was a bold initiative that required careful planning, keen insight, and above all, collaboration. In the end, this has resulted not only in a digital transformation, but a business transformation.

Whether it is a technical achievement, a personal triumph, or a spirit of helping others, each member of our League of Cybersecurity Heroes proves how technology and humanity can work together to accomplish the impossible. Congratulations to all of them!

Want to learn more about how Cisco can help you succeed?

Join the Cisco Insider Advocacy community


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels



Get Comprehensive Insights into Your Network with Secure Analytics and MITRE Mappings

By Claudio Lener

A deep dive into the latest updates from Secure Network and Cloud Analytics that show Cisco’s leadership in the Security Industry.

The year 2022 has been rather hectic for many reasons, and as the World undergoes its various challenges and opportunities, We At Cisco Security have buckled up and focused on improving the World in the way which we know best: by making it more Secure.

In an increasingly vulnerable Internet environment, where attackers rapidly develop new techniques to compromise organizations around the world, ensuring a robust security infrastructure becomes ever more imperative. Across the Cisco Security Portfolio, Secure Network Analytics (SNA) and Secure Cloud Analytics (SCA) have continued to add value for their customers since their inception by innovating their products and enhancing their capabilities.

In the latest SNA 7.4.1 release, four core features have been added to target important milestones in our roadmap. As a first addition, SNA has widely expanded on its Data Store deployment options by introducing the single node Data Store; supporting existing Flow Collector (FC) and new Data Store expansion by the Manager; and the capacity to mix and match virtual and physical appliances to build a Data Store deployment.

The SNA Data Store started as a simple concept, and while it maintained its simplicity, it became increasingly more robust and performant over the recent releases. In essence, it represents a new and improved database architecture design that can be made up of virtual or physical appliances to provide industry leading horizontal scaling for telemetry and event retention for over a year. Additionally, the Flow Ingest from the Flow Collectors is now separate from the data storage, which allows them to now scale to 500K + Flows Per Second (FPS). With this new database design, are now optimized for performance, which has improved across all metrics by a considerable amount.

For the second major addition, SNA now supports multi-telemetry collection within a single deployment. Such data encompasses network telemetry, firewall logging, and remote worker telemetry. Now, Firewall logs can be stored on premises with the Data Store, making data available to the Firepower Management Center (FMC) via APIs to support remote queries. From the FMC, users can pivot directly to the Data Store interface and look at detailed events that optimize SecOps workflows, such as automatically filtering on events of interest.

On the topic of interfaces, users can now benefit from an intelligent viewer which provides all Firewall data. This feature allows to select custom timeframes, apply unique filters on Security Events, create custom views based on relevant subsets of data, visualize trends from summary reports, and finally to export any such view as a CSV format for archiving or further forensic investigations.

With respect to VPN telemetry, the AnyConnect Secure Mobility Client can now store all network traffic even if users are not using their VPN in the given moment. Once a VPN connection is restored, the data is then sent to the Flow Collector, and, with a Data Store deployment, off-network flow updates can bypass FC flow caches which allow NVM historical data to be stored correctly.

Continuing down the Data Store journey (and, what a journey indeed), users can now monitor and evaluate its performance in a simple and intuitive way. This is achieved with charts and trends directly available in the Manager, which can now support traditional non-Data Store FCs and one singular Data Store. The division of Flow Collectors is made possible by SNA Domains, where a Data Store Domain can be created, and new FCs added to it when desired. This comes as part of a series of robust enhancements to the Flow Collector, where the FC can now be made up of a single image (NetFlow + sFlow) and its image can be switched between the two options. As yet another perk of the new database design, any FC can send its data to the Data Store.

As it can be seen, the Data Store has been the star of the latest SNA release, and for obvious good reasons. Before coming to an ending though, it has one more feature up its sleeve: Converged Analytics. This SNA feature brings a simplified, intuitive and clear analytics experience to Secure Network Analytics users. It comes with out- of-the-box detections mapped to MITRE with clearly defined tactics and techniques, self-taught baselining and graduated alerting, and the ability to quiet non-relevant alerts, leading to more relevant detections.

This new Analytics feature is a strong step forward to give users the confidence of network security awareness thanks to an intuitive workflow and 43 new alerts. It also gives them a deep understanding of each alert with observations and mappings related to the industry-standard MITRE tactics and techniques. When you think it couldn’t get any better, the Secure Network and Cloud Analytics teams have worked hard to add even more value to this release, and ensured the same workflows, functionality and user experience could be further available in the SCA portal. Yes, this is the first step towards a more cohesive experience across both SNA and SCA, where users of either platform will start to benefit from more consistent outcomes regardless of their deployment model. As some would say, it’s like a birthday coming early.

Pivoting to Secure Cloud Analytics, as per Network sibling, the product got several enhancements over the last months of development. The core additions revolve around additional detections and context, as well as usability and integration enhancements, including those in Secure Cloud Insights. In parallel with SNA’s Converged Analytics, SCA benefits from detections mapped to the MITRE ATT&CK framework. Additionally, several detections underwent algorithm improvements, while 4 new ones were added, such as Worm Propagation, which was native to SNA. Regarding the backbone of SCA’s alerts, a multitude of new roles and observations were added to the platform, to further optimize and tune the alerts for the users.

Additionally, alerts now offer a pivot directly to AWS’ load balancer and VPC, as well as direct access to Azure Security Groups, to allow for further investigation through streamlined workflows. The two Public Cloud Providers are now also included in coverage reports that provide a gap analysis to gain insight as to what logs may have potentially gone missing.

Focusing more on the detection workflows, the Alert Details view also got additional information pertaining to device context which gives insight into hostnames, subnets, and role metrics. The ingest mechanism has also gotten more robust thanks to data now coming from Talos intelligence feed and ISE, shown in the Event Viewer for expanded forensics and visibility use cases.

While dealing with integrations, the highly requested SecureX integration can now be enabled in 1 click, with no API keys needed and a workflow that is seamless across the two platforms. Among some of the other improvements around graphs and visualizations, the Encrypted Traffic widget now allows an hourly breakdown of the data, while the Event Viewer now displays bi-directional session traffic, to bring even greater context to SCA flows.

In the context of pivots, as a user is navigating through devices that, for example, have raised an alert, they will now also see the new functionality to pivot directly into the Secure Cloud Insights (SCI) Knowledge Graph, to learn more about how various sources are connected to one another. Another SCI integration is present within the Device Outline of an Alert, to gain more posture context, and as part of a configuration menu, it’s now possible to run cloud posture assessments on demand, for immediate results and recommendations.

With this all said, we from the Secure Analytics team are extremely excited about the adoption and usage of these features so that we can keep on improving the product and iterating to solve even more use cases. As we look ahead, the World has never needed more than now a comprehensive solution to solve one of the most pressing problems in our society: cyber threats in the continuously evolving Internet space. And Secure Analytics will be there, to pioneer and lead the effort for a safe World.

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels


Ransomware attacks can and will shut you down

By Truman Coburn

No, ransomware attacks are not random. From extortion to data breaches, ransomware is always evolving, and is becoming very lucrative with ransomware-as-a-service kit making it easier to target organizations. The days of just a single bad actor searching for vulnerabilities in your security stack are over.  Security Operations Centers (SOCs) and the security analyst community are dealing with a sophisticated global network of adversaries who can do irreversible damage. The conversation must shift from how we can prevent a breach to how do we prepare for the inevitable breach.

What happened

Recently I found out that the small private college I attended right out of high school closed their doors permanently, falling victim to a targeted ransomware attack. This institution not only provided an education but also contributed to the local economy in this rural town for over 150 years.

The cyberattack occurred during the pandemic when most educational institutions had suddenly shifted to remote learning. Adversaries knew that the shift to remote learning would expose the college’s lack of acceptable tools for monitoring and managing applications, frequently from unsecure locations.

Unfortunately, the hackers were able to halt all admission activities, locked the administrators out from accessing critical data pertaining to the upcoming school year and ultimately, forced the school to close their doors – even after they paid the hackers the ransom.

And this is not an isolated case – Comparitech published a story ‘Ransomware attacks on US schools and colleges cost $3.56bn in 2021’ and outlined how threat actors have evolved with their ransomware attacks on schools and colleges. This is particularly concerning as many of these institutions do not have the skillsets or resources to protect their students or organization from these attacks. Below you can review their findings from a study done between 2018 – 2022:

Map: Comparitech  Get the data  Created with Datawrapper

Key findings 

In 2021: 

  • 67 individual ransomware attacks on schools and colleges–a 19 percent decrease from 2020 (83) 
  • 954 separate schools and colleges were potentially affected–a 46 percent decrease from 2020 (1,753) 
  • 950,129 individual students could have been impacted–a 31 percent decrease from 2020 
  • Ransomware amounts varied from $100,000 to a whopping $40 million 
  • Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time 
  • On average, schools lose over four days to downtime and spend almost a month (30 days) recovering from the attack 
  • Hackers demanded up to $52.3 million across just six attacks and received payment in two out of 18 cases where the school/college disclosed whether or not it paid the ransom (however, they are more likely to disclose that they haven’t paid the ransom than if they have). In one case, hackers received $547,000 
  • The overall cost of these attacks is estimated at around $3.56 billion 

Protect yourself from Cyber criminals 

Just having a firewall alone will not stop all of the attacks, it’s just a matter of time before you experience a breach.  Once the breach happens, you need a security system that will quickly detect and remediate the threat .

Resiliency must be a critical outcome for any security solution and Cisco Secure Endpoint is built to stop hackers at the point of entry. Our cloud native solution allows your security operations team to quickly detect and respond to threats minutes after a breach occurs.

Securing vectors threat actors have to your network has to be the goal 

Small to medium size businesses, hospitals, and educational institutions internal network will rely on cyber insurance in-lieu of a fully staffed, skilled cyber-security team. In today’s climate of ever-increasing sophisticated cyber threats this won’t cut it. You will need an agent that quickly detects, responds, and has visibility across your different security solutions.

With Cisco Secure Endpoint Pro we are equipped to assist with the responsibility of monitoring your endpoints for cyberattacks.  With 24/7/365 monitoring capabilities, our SOC will quickly detect and remediate any threats that targets your organization. Secure endpoint pro provides flexibility and the option of letting our SOC team do the heavy lifting while you focus on your core business.

Tangible outcomes provided by Secure Endpoint and Secure Endpoint Pro:

  • Stop threats before you’re compromised
  • Remediate faster and more completely
  • Maximize your security operations – Focus on the most important threats and gain always on security with managed EDR

Limit the amount of time threat actors have to your network

An effective managed endpoint detection and response solution frees up time for your SOC team along with accelerating detection and response time.  Cisco Secure Endpoint can reduce incident response time by as much as 97%, which limits the damage threat actors can cause after you have been breached.

Cisco Security has launched a solution geared towards protecting your school’s network by blocking malicious threats before they enter the endpoint and compromising your data. The secure endpoint agent is deployed, sits on the school endpoint freeing up time from a stretched thin IT department.

Don’t know where to get started? Check out how our EDR solution got you covered below and how to contact us to learn more.


Sign up for a Secure Endpoint 30-day free trial

and test drive a demo account


Did You Know: Cisco has a grant and funding option available for schools?

Interested? Reach out to to learn about public funding options available in your state.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

