Login
In an ever-evolving digital landscape, cybersecurity has become the cornerstone of organizational success. With the proliferation of sophisticated cyber threats, businesses must adopt a multi-layered… Read more on Cisco Blogs
Join the guided tour outside the Security Operations Center, where we’ll discuss real time network traffic of the RSA Conference, as seen in the NetWitness platform. Engineers will be using Cisco S… Read more on Cisco Blogs
On Sunday, February 11, over 160 million viewers from around the globe watched Super Bowl LVIII, making it one of the most viewed annual sporting events. It is also a good bet that a record number of… Read more on Cisco Blogs
The use of unmanaged and IoT devices in enterprises is growing exponentially, and will account for 55.7 billion connected devices by the end of 2025. A critical concern is deploying IoT devices without requisite security controls.
While these numbers are numbing, their reality is undeniable. 90% of customers believe digitization has accelerated the importance placed upon security. The World Economic Forum now lists cybersecurity failure as a critical threat, and estimates a gap of more than 3 million security experts worldwide, hindering secure deployments at scale. Furthermore, 83% of IoT-based transactions happen over plaintext channels and not SSL, making them especially risky.
Securing an IoT device can be achieved either through securing the IoT device itself, or hardening the network it accesses. Securing devices can be cumbersome, requiring complex manufacturing partnerships and increasing unit prices, thereby reducing adoption. On the other hand, securing the network is always desirable as it helps secure access, encrypt traffic, and ease management.
Being a leader in both security and networking, Cisco continues to bring security closer to networking, providing the network with built-in security, and enabling the network to act both as sensor and as an enforcer. The convergence of security and networking leverages the network’s intelligence and visibility to enable more-informed decisions on policy and threats.
Cisco uniquely integrates security and networking, for instance we recently integrated Cisco Secure Firewall to operate on Cisco Catalyst 9000 Series switches. Additionally, Secure Firewall can be deployed in a containerized form, on-premises and in clouds. Cisco Secure Firewall classifies traffic and protects applications while stopping exploitation of vulnerable systems. Additionally, we offer Identity Services Engine with AI Endpoint Analytics to passively identify IoT devices and apply segmentation policies. Furthermore, Cisco offers management flexibility by integrating with Cisco Defense Orchestrator and DNA Center and with existing customer tools like SIEMs and XDRs.
Let’s look at three use cases where the addition of Secure Firewall capability on Catalyst 9000 Series switches solves real world problems:
Use case 1: Securing the Smart Building: This solution is ideal to secure smart buildings, converging various IoT systems into a single IT-managed network infrastructure. Smart buildings lower the operational and energy costs. Smarter building systems, however, pose serious security risks as these include so many unmanaged devices such as window shades, lighting, tailored HVAC, and more. One of the methods to secure smart buildings is to control access to avoid manipulation of sensors. Such control is attained with a networking switch with enhanced firewall capability. The firewall ensures granular segmentation, directing policies for traffic generated out of IoT devices, providing access to the right users. This integration also brings security closer to endpoints, making policy orchestration simpler.
Use Case 2: Centrally manage isolated IoT network clusters: IoT devices which communicate with each other in the same subnet typically cannot be routed, which is a challenge. By default, most IoT networks are configured in the same subnet, making it difficult to manage them centrally. Administrators are forced to physically connect to the IoT network to manage and collect telemetry. Furthermore, IoT vendors often charge hefty amounts to update IP addresses of devices. Cisco Secure Firewall, hosted on the Catalyst switch, solves this problem and not only inspects traffic from the IoT network but also translates duplicate IoT IP addresses to unique global IP addresses using NAT for centralized management of isolated IoT networks.
Use Case 3: Securely encrypt IoT traffic passing through a shared IT network: At airports, for example, multiple vendors manage unique systems such as baggage, air quality, biometric access control, etc, which share a common network. IoT traffic is usually in plain text, making it susceptible to packet sniffing, eavesdropping, man-in-the-middle attacks, and other such exploits. The IPSec capability on Cisco Secure Firewall encrypts IoT traffic, securing data transfer and reducing risk.
Cisco’s IoT initiatives join the once disconnected worlds of IT and IoT, unifying networking and security. For further details refer to the At-A Glance and see how and an Australian oil company, Ampol, fortified its retail IoT with Cisco Secure!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Cybersecurity attacks complication and damaging impact are always keeping SOC analyst at their edge. Extended Detection and Response (XDR) solutions tend to simplify for Sam, a SOC analyst, his job by simplifying the workflow and process that involve the lifecycle of a threat investigation from detection to response. In this post we will explore how SecureX, Secure Cloud Analytics (NDR), Secure Endpoint (EDR) with their seamless integration accelerate the ability to achieve XDR outcomes.
One of the first challenges for Sam is alert fatigue. With the overwhelming number of alerts coming from multiple sources and the lack of relevance or correlation, decreases the value of these alerts to the point that they become as meaningless as having none. To counter this effect, Cisco Secure Cloud Analytics and Cisco Secure Endpoint limit alert promotion to SecureX to only include high fidelity alerts with critical severity and marking them as High Impact incidents within SecureX Incident manager.
This capability reduces the noise coming from the source, while keeping the other alerts available for investigation, putting impactful incidents at the top of Sam’s to do list. Now, Sam is confident that his time is spent in a prioritized manner and helps ensure he is tackling the most important threats first. Automatic incident provisioning accelerates incident response by bringing focus on the most impactful incidents.
Understanding the mechanics and data around a specific incident is a key factor for Remi, an incident responder, in his day-to-day work. Achieving his tasks accurately is tightly coupled with his ability to scope and understand the impact of an incident and to gather all possible data from the environment which can be associated with an incident including devices, users, files hashes, email ids, domains IPs and others. SecureX Incident Manager’s automatic enrichment capability completes this data collection for high impact incidents automatically. The data is then classified into targets, observables, and indicators and added to the incident to help the analyst better understand the incident’s scope and potential impact.
The Incident Manager and automatic enrichment provides Remi with crucial information such as the associated MITRE Tactics and Techniques applied during this incident, the contributing threat vectors, and security solutions. In addition, the Incident Manager aggregates events from multiple sources into the same high impact incident that the enrichment was triggered on future providing Remi with more vital context.
This automatic enrichment for high impact incidents is essential to Remi’s understanding as much as possible about an incident as it occurs and significantly accelerates him identifying the proper response for the threat. This brings us to the next step in our incident detection to response workflow.
It is important for an XDR to correlate the right information for the Security Analyst and incident responder to understand an attack but it is equally important to provide an effective response mechanism. This is exactly what SecureX provides with the ability to apply a response to an observable with a simple a single click or through automation.
These workflows can be invoked to block a domain, IP or URL across a full environment with a simple click, leveraging existing integrations such as firewalls or umbrella and others. Workflows can be made available to the threat response pivot menu where they are useful for performing specific host specific actions, such as isolate a host, take a host snapshot, and more.
In addition to response workflows, the pivot menu provides the ability to leverage Secure Cloud Analytics (SCA) telemetry by generating a case book linking back to telemetry searches within SCA. This automation is critical to understanding the spread of a threat across an environment. A good example on this, is identifying all hosts communicating to a command-and-control destination before this destination was identified as malicious. This is a pre-existing SecureX workflow which can be taken advantage of today see workflow 0005 – SCA – Generate Case book with Flow Links.
Reducing time to remediation is a key aspect of keeping a business secure, SecureX orchestration automates responses with various solutions specially with NDR detections from SCA and use observables from these alerts to isolate hosts leveraging Secure Endpoint. SCA can send alerts via Webhooks and SecureX Orchestration receive them as triggers to launch an NDR- EDR workflow to isolate hosts automatically. (0014-SCA-Isolate endpoints from alerts)
This orchestration workflow automatically isolates rogue devices in a network or contain confirmed threat alerts received from Cisco’s Machine learning threat detection cloud and can be used for multiple different response scenarios.
The power of automation brought by SecureX, Secure Cloud Analytics and Secure Endpoint accelerates XDR outcomes drastically which simplifies Security Analyst (Sam) and Incident Responder (Remi) jobs and make it more efficient with accurate incident prioritization, automatic investigation/enrichment and most importantly automating responses.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
In the second part of this blog series on Unscrambling Cybersecurity Acronyms, we covered Endpoint Detection and Response (EDR) and Managed Endpoint Detection and Response (MEDR) solutions, which included an overview of the evolution of endpoint security solutions. In this blog, we’ll go over Managed Detection and Response (MDR) and Extended Detection and Response (XDR) solutions in more depth.
MDR solutions are a security technology stack delivered as a managed service to customers by third-parties such as cybersecurity vendors or Managed Service Providers (MSPs). They’re similar to Managed Endpoint Detection and Response (MEDR) solutions since both solutions are managed cybersecurity services that use Security Operations Center (SOC) experts to monitor, detect, and respond to threats targeting your organization. However, the main difference between these two offerings is that MEDR solutions monitor only your endpoints while MDR solutions monitor a broader environment.
While MDR security solutions don’t have an exact definition for the types of infrastructure they monitor and the underlying security stack that powers them, they often monitor your endpoint, network, and cloud environments via a ‘follow the sun’ approach that uses multiple security teams distributed around the world to continually defend your environment. These security analysts monitor your environment 24/7 for threats, analyze and prioritize threats, investigate potential incidents, and offer guided remediation of attacks. This enables you to quickly detect advanced threats, effectively contain attacks, and rapidly respond to incidents.
More importantly, MDR security solutions allow you to augment or outsource your security to cybersecurity experts. While nearly every organization must defend their environment from cyberattacks, not every organization has the time, expertise, or personnel to run their own security solution. These organizations can benefit from outsourcing their security to MDR services, which enable them to focus on their core business while getting the security expertise they need. In addition, some organizations don’t have the budget or resources to monitor their environment 24/7 or they may have a small security team that struggles to investigate every threat. MDR security services can also help these organizations by giving them always-on security operations while enabling them to address every threat to their organization.
One drawback to deploying an MDR security service is that you become dependent on a third-party for your security needs. While many organizations don’t have any issues with this, some organizations may be hesitant to hand over control of their cybersecurity to a third-party vendor. In addition, organizations such as larger, more-risk averse companies may not desire an MDR service because they’ve already made cybersecurity investments such as developing their own SOC. Finally, MDR security solutions don’t have truly unified detection and response capabilities since they’re typically powered by heterogenous security technology stacks that lack consolidated telemetry, correlated detections, and holistic incident response. This is where XDR solutions shine.
XDR solutions unify threat monitoring, detection, and response across your entire environment by centralizing visibility, delivering contextual insights, and coordinating response. While ‘XDR’ means different things to different people because it’s a fairly nascent technology, XDR solutions usually consolidate security telemetry from multiple security products into a single solution. Moreover, XDR security solutions provide enriched context by correlating alerts from different security solutions. Finally, comprehensive XDR solutions can simplify incident response by allowing you to automate and orchestrate threat response across your environment.
These solutions speed up threat detection and response by providing a single pane of glass for gaining visibility into threats as well as detecting and responding to attacks. Furthermore, XDR security solutions reduce alert fatigue and false positives with actionable, contextual insights from higher-fidelity detections that mean you spend less time sifting through endless alerts and can focus on the most critical threats. Finally, XDR solutions enable you to streamline your security operations with improved efficiency from automated, orchestrated response across your entire security stack from one unified console.
A major downside to XDR security solutions is that you typically have to deploy and manage these solutions yourself versus having a third-party vendor run them for you. While Managed XDR (MXDR) services are growing, these solutions are still very much in their infancy. In addition, not every organization will want or need a full-fledged XDR solution. For instance, organizations with a higher risk threshold may be satisfied with using an EDR solution and/or an MDR service to defend their organization from threats.
As I mentioned in the first and second parts of this blog series, you shouldn’t take a ‘one-size-fits-all’ approach to cybersecurity since every organization has different needs, goals, risk appetites, staffing levels, and more. This logic holds true for MDR and XDR solutions, with these solutions working well for certain organizations and not so well for other organizations. Regardless, there are a few aspects to consider when evaluating MDR and XDR security solutions.
One factor to keep in mind is if you already have or are planning on building out your own SOC. This is important to think about because developing and operating a SOC can require large investments in cybersecurity, which includes having the right expertise on your security teams. Organizations unwilling to make these commitments usually end up choosing managed security services such as MDR solutions, which allows them to protect their organization without considerable upfront investments.
Other critical factors to consider are your existing security maturity and overall goals. For instance, organizations who have already made significant commitments to cybersecurity often think about ways to improve the operational efficiency of their security teams. These organizations frequently turn to XDR tools since these solutions reduce threat detection and response times, provide better visibility and context while decreasing alert fatigue. Moreover, organizations with substantial security investments should consider open and extensible XDR solutions that integrate with their existing tools to avoid having to ‘rip and replace’ security tools, which can be costly and cumbersome.
I hope this blog series on the different threat detection and response solutions help you make sense of the different cybersecurity acronyms while guiding you in your decision on the right security solution for your organization. For more information on MDR solutions, read about how Cisco Secure Managed Detection and Response (MDR) rapidly detects and contains threats with an elite team of security experts. For more information on XDR solutions, learn how the Cisco XDR offering finds and remediates threats faster with increased visibility and critical context to automate threat response.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
The word is out! Cisco Secure Endpoint’s effectiveness is off the charts in protecting your enterprise environment.
This is not just a baseless opinion; however, the facts are rooted in actual test results from the annual AV-Comparative EPR Test Report published in October 2022. Not only did Secure Endpoint knock it out of the park in enterprise protection; but Cisco Secure Endpoint obtained the lowest total cost of ownership (TCO) per agent at $587 over 5 years. No one else was remotely close in this area. More to come on that later.
If you are not familiar with the “AV-Comparatives Endpoint Prevention and Response Test is the most comprehensive test of EPR products ever performed. The 10 products in the test were subjected to 50 separate targeted attack scenarios, which used a variety of different techniques.”
These results are from an industry-respected third-party organization that assesses antivirus software and has just confirmed what we know and believe here at Cisco, which is our Secure Endpoint product is the industry’s best of the best.
Look for yourself at where we landed. That’s right, Cisco Secure Endpoint smashed this test, we are almost off the quadrant as one of the “Strategic Leaders”.
We ended up here for a combination of reasons, with the top being our efficacy in protecting our customers’ environments in this real-world test that emulates multi-stage attacks similar to MITRE’s ATT&CK evaluations which are conducted as part of this process (click here for an overview of MITRE ATT&CK techniques). Out of all the 50 scenarios tested, Secure Endpoint was the only product that STOPPED 100% of targeted threats toward enterprise users, which prevented further infiltration into the organization.
In addition, this test not only assesses the efficacy of endpoint security products but also analyzes their cost-effectiveness. Following up on my earlier remarks about achieving the lowest cost of ownership, the graph below displays how we stacked up against other industry players in this space including several well-known vendors that chose not to display their names due to poor results.
These results provide a meaningful proof point that Cisco Secure Endpoint is perfectly positioned to secure the enterprise as well as secure the future of hybrid workers.
Enriched with built-in Extended Detection and Response (XDR) capabilities, Cisco Secure Endpoint has allowed our customers to maintain resiliency when faced with outside threats.
As we embark on securing “what’s next” by staying ahead of unforeseen cyber threats of tomorrow, Cisco Secure Endpoint integration with the complete Cisco Secure Solutions portfolio allows you to move forward with the peace of mind that if it’s connected, we can and will protect it.
Now that you have seen how effective Secure Endpoint is with live real-world testing, try it for yourself with one of our live instant demos. Click here to access instructions on how to download and install your demo account for a test drive.
Click here to see what analysts, customers, and third-party testing organizations have to say about Cisco Secure Endpoint Security efficacy, easy implementation and overall low total cost of ownership for their organization —and stay ahead of threats.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Scott Heider is a manager within the Cisco Security Visibility and Incident Command team that reports to the company’s Security & Trust Organization. Primarily tasked with helping to keep the integration of an acquired company’s solutions as efficient as possible, Heider and his team are typically brought into the process after a public announcement of the acquisition has already been made. This blog is the final in a series focused on M&A cybersecurity, following Dan Burke’s post on Making Merger and Acquisition Cybersecurity More Manageable.
Mergers and acquisitions (M&A) are complicated. Many factors are involved, ensuring cybersecurity across the entire ecosystem as an organization integrates a newly acquired company’s products and solutions—and personnel—into its workstreams.
Through decades of acquisitions, Cisco has gained expertise and experience to make its M&A efforts seamless and successful. This success is in large part to a variety of internal teams that keep cybersecurity top of mind throughout the implementation and integration process.
“Priority one for the team,” says Heider, “is to balance the enablement of business innovation with the protection of Cisco’s information and systems. Because Cisco is now the ultimate responsible party of that acquisition, we make sure that the acquisition adheres to a minimum level of security policy standards and guidelines.”
The team looks at the acquired company’s security posture and then partners with the company to educate and influence them to take necessary actions to achieve Cisco’s security baseline.
That process starts with assessing the acquired company’s infrastructure to identify and rate attack surfaces and threats. Heider asks questions that help identify issues around what he calls the four pillars of security, monitoring, and incident response:
The infrastructure that Heider’s team evaluates isn’t just the company’s servers and data center infrastructure. It can also include the systems the acquisition rents data center space to or public cloud infrastructure. Those considerations further complicate security and must be assessed for threats and vulnerabilities.
Once Heider’s team is activated, they partner with the acquired company and meet with them regularly to suggest areas where that acquisition can improve its security posture and reduce the overall risk to Cisco.
Identifying and addressing risk is critical for both sides of the table, however, not just for Cisco. “A lot of acquisitions don’t realize that when Cisco acquires a company, that organization suddenly has a bigger target on its back,” says Heider. “Threat actors will often look at who Cisco is acquiring, and they might know that that company’s security posture isn’t adequate—because a lot of times these acquisitions are just focused on their go-to-market strategy.”
Those security vulnerabilities can become easy entry points for threat actors to gain access to Cisco’s systems and data. That’s why Heider works so closely with acquisitions to gain visibility into the company’s environment to reduce those security threats. Some companies are more focused on security than others, and it’s up to Heider’s team to figure out what each acquisition needs.
“The acquisition might not have an established forensics program, for instance, and that’s where Cisco can come in and help out,” Heider says. “They might not have tools like Stealthwatch or NetFlow monitoring, or Firepower for IDS/IPS operations.”
When Heider’s team can bring in their established toolset and experienced personnel, “that’s where the relationship between my team and that acquisition grows because they see we can provide things that they just never thought about, or that they don’t have at their disposal,” he says.
One of the most important factors in a successful acquisition, according to Heider, is to develop a true partnership with the acquired company and work with the new personnel to reduce risk as efficiently as possible—but without major disruption.
Cisco acquires companies to expand its solution offerings to customers, so disrupting an acquisition’s infrastructure or workflow would only slow down its integration. “We don’t want to disrupt that acquisition’s processes. We don’t want to disrupt their people. We don’t want to disrupt the technology,” says Heider. “What we want to do is be a complement to that acquisition, – that approach is an evolution, not a revolution.”
The focus on evolution can sometimes result in a long process, but along the way, the teams come to trust each other and work together. “They know their environment better than we do. They often know what works—so we try to learn from them. And that’s where constant discussion, constant partnership with them helps them know that we are not a threat, we’re an ally,” says Heider. “My team can’t be everywhere. And that’s where we need these acquisitions to be the eyes and ears of specific areas of Cisco’s infrastructure.”
Training is another way Heider, and his team help acquisitions get up to speed on Cisco’s security standards. “Training is one of the top priorities within our commitments to both Cisco and the industry,” Heider says. “That includes training in Cisco technologies, but also making sure that these individuals are able to connect with other security professionals at conferences and other industry events.”
When asked what advice he has for enterprises that want to maintain security while acquiring other companies, Heider has a few recommendations.
Having the right security agents and clear visibility into endpoints is critical. As is inputting the data logs of those endpoints into a security event and incident management (SEIM) system. That way, explains Heider, you have visibility into your endpoints and can run plays against those logs to identify security threats. “We’ll reach out to the asset owner and say they might have malware on their system—which is something nobody wants to hear,” says Heider. “But that’s what the job entails.”
Often, end users don’t know that they’re clicking on something that could have malware on it. Heider says user education is almost as important as visibility into endpoints. “Cisco really believes in training our users to be custodians of security, because they’re safeguarding our assets and our customers’ data as well.”
End users should be educated about practices such as creating strong passwords and not reusing passwords across different applications. Multi-factor authentication is a good practice, and end users should become familiar with the guidelines around it.
Updating software and systems is a never-ending job, but it’s crucial for keeping infrastructure operating. Sometimes, updating a system can weaken security and create vulnerabilities. Enterprises must maintain a balance between enabling business innovation and keeping systems and data secure. Patching systems can be challenging but neglecting the task can also allow threat actors into a vulnerable system.
Heider says public cloud operations can be beneficial because you’re transferring ownership liability operations to a third party, like Amazon Web Services or Google Cloud platform. “The only caveat,” he says, “is to make sure you understand that environment before you go and put your customer’s data on it. You might make one false click and expose your certificates to the Internet.”
Heider says that while a big part of his job is helping acquisitions uplevel their security domain to meet baseline security requirements, there’s always the goal to do even better. “We don’t want to be just that baseline,” he says. His team has learned from acquisitions in the past and taken some of those functionalities and technologies back to the product groups to make improvements across Cisco’s solutions portfolio.
“We’re customer zero – Cisco is Cisco’s premier customer,” says Heider, “because we will take a product or technology into our environment, identify any gaps, and then circle back to product engineering to improve upon it for us and our customers.”
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
When It Comes to M&A, Security Is a Journey
Making Merger and Acquisition Cybersecurity More Manageable
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Dan Burke is the director of strategy, risk, and compliance for AppDynamics, a company acquired by Cisco in 2017. Burke and his team are a vital part of the Cisco acquisition process in helping acquired companies adhere to a higher level of cybersecurity. This blog is the fourth in a series focused on M&A cybersecurity, following Shiva Persaud’s post on When It Comes to M&A, Security Is a Journey.
Part of the secret to Cisco’s success is its ability to acquire companies that strengthen its technology portfolio and securely integrate them into the larger organization. From the outside, that process might appear seamless—consider Webex or Duo Security, for instance—but a fruitful acquisition takes tremendous work by multiple cross-functional teams, mainly to ensure the acquired company’s solutions and products meet Cisco’s rigorous security requirements.
“My team is responsible for aligning new acquisitions to Cisco controls to maintain our compliance with SOC2 and FedRAMP, as well as other required certifications,” says Burke.
When Cisco acquires a new company, it conducts an assessment and produces a security readiness plan (SRP) document. The SRP details the identified weaknesses and risks within that company and what they need to fix to meet Cisco standards.
“In the past, my team wouldn’t find out about an acquisition until they received a completed SRP. The downside of this approach was that the assessments and negotiations had been done without input from our group of experts, and target dates for resolution had already been decided on,” shares Burke.
“We needed to be involved in the process before the SRP was created to understand all risks and compliance issues in advance. Now we have a partnership with the Cisco Security and Trust M&A team and know about an acquisition months before we can start working to address risks and other issues—before the SRP is completed and the due dates have been assigned,” Burke adds.
“Another issue resolved in this process change is that Cisco can gain earlier access to the people in the acquired company who know the security risks of their solutions. During acquisitions, people will often leave the company, taking with them their institutional knowledge, resulting in Cisco having to start from scratch to identify and assess the risks and determine how best to resolve them as quickly as possible,” says Burke. “It could be vulnerabilities in physical infrastructure or software code or both. It could be that the company isn’t scanning often enough, or they don’t have SOC 2 or FedRAMP certification yet—or they’re not using Cisco’s tools.”
“Third-party vendors and suppliers can also present an issue,” he adds. “One of the biggest risk areas of any company is outside vendors who have access to a company’s data. It’s vital to identify who these vendors are and understand the level of access they have to data and applications. The earlier we know all these things, the more time we must devise solutions to solve them.”
“Now that I’m in the process earlier, I can build a relationship with the people who have the security knowledge—before they leave. If I can understand their mindset and how all these issues came about, I can help them assimilate more easily into the bigger Cisco family,” says Burke.
The additional benefits of bringing teams in earlier are reduced risk and compliance requirements can be met earlier. It also provides a smoother transition for the company being acquired and ensures they meet the security requirements that customers expect when using their technology solutions.
“Without that early involvement, we might treat a low-risk issue as high risk, or vice versa. The misclassification of risk is extremely dangerous. If you’re treating something as high risk, that’s low risk, and you’re wasting people’s time and money. But if something’s high risk and you’re treating it as low risk, then you’re in danger of harming your company,” Burke shares.
“The key is to involve their risk, compliance, and security professionals from the beginning. I think other companies keep the M&A process so closely guarded, to their detriment. I understand the need for privacy and to make sure deals are confidential but bringing us in earlier was an advantage for the M&A team and us,” Burke adds.
When asked what he thinks makes Cisco successful in M&A, Burke says, “Cisco does an excellent job of assimilating everyone into the larger organization. I have worked at other companies where they kept their acquisitions separate, which means you have people operating separately with different controls for different companies. That’s not only a financial burden but also a compliance headache.”
“That’s why Cisco tries to drive all its acquisitions through our main programs and controls. It makes life easier for everyone in terms of compliance. With Cisco, you have that security confidence knowing that all these companies are brought up to their already very high standards, and you can rely on the fact that they don’t treat them separately. And when an acquisition has vulnerabilities, we identify them, set out a remediation path, and manage the process until those risks are resolved,” Burke concludes.
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
When It Comes to M&A, Security Is a Journey
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Shiva Persaud is the director of security engineering for Cisco. His team is responsible for the Cisco Secure Development Lifecycle (CSDL), a set of practices based on a “secure-by-design” philosophy developed to ensure that security and compliance are top-of-mind in every step of a solution’s lifecycle. This blog is the third in a series focused on M&A cybersecurity, following Jason Button’s post on Demonstrating Trust and Transparency in Mergers and Acquisitions.
One of the most important considerations when Cisco acquires a company, is ensuring that the security posture of the acquisition’s solutions and infrastructure meets the enterprise’s security standards. That can be a tricky proposition and certainly doesn’t happen overnight. In fact, at Cisco, it only comes about thanks to the efforts of a multitude of people working hard behind the scenes.
“The consistent message is that no matter where a product is in its security journey, from inception to end-of-life activities, there’s still a lot of work that can happen to lead to a better security outcome,” says Persaud.
While Persaud and his team work within Cisco on all the company’s products and solutions, they also play a critical role in maintaining security standards in Cisco’s mergers and acquisitions (M&A) work.
Simply put, Persaud’s team is tasked with identifying the security risks posed by an acquisition’s technology and helping teams mitigate those risks.
“It starts with a risk assessment where we ask ourselves what an attacker would do to compromise this specific technology,” says Persaud. “What are the industry best practices for securing this type of technology? What do our customers expect this technology to provide from a security perspective? And once we have those risks enumerated, we prioritize them to decide which is the most important to take care of first.”
To anticipate where a hacker might find vulnerabilities and the actions they might take, the CSDL team must put themselves in that attack mindset. Fortunately for Persaud, his interest in computer security started as early as middle school. “It just kind of grew from there,” he says. “For many folks I’ve worked with and hired over the years, it’s a similar situation.”
That lifelong interest and experience work to the team’s advantage. They take a risk-based approach to security, in which they identify all the issues that need to be fixed and then rate them based on the likelihood of occurrence and seriousness of the results of an attack. Those ratings inform their decisions on which issues to fix first.
“We come up with ways to go mitigate those risks and co-author a plan called the Security Readiness Plan, or SRP,” Persaud says. “Then we partner with teams to take that plan and execute it over time.”
In alignment with CSDL’s continuous approach to security throughout a solution’s lifecycle, Persaud says that “security is a journey, so the workflow to finish the secure development lifecycle never ends.”
While initial onboarding of an acquired company—including completion of the initial risk assessment and the SRP—typically ends within several months of the acquisition. Persaud adds, “The work continues as the technology is integrated into a larger tech stack or as it’s modified and sold as a standalone offering to our customers.” As the solution or technology evolves and begins to include new features and functionalities, the CSDL work continues to make sure those features are secure as well.
That work can have its obstacles. Persaud says that one of the primary challenges his team deals with is cutting through the flurry of activity and bids for the acquisition’s attention that come pouring in from all sides. It’s a crazy time for both Cisco and the acquisition, with many important tasks at the top of everyone’s to-do lists. “Not just in the security realm,” says Persaud,” but in many other areas, too. So being able to get the acquisition to focus on security in a meaningful way in the context of everything else that’s happening is a major challenge.”
Another challenge is dealing with acquisitions that might not have much security expertise on their original team. That means they’re not able to give Persaud’s team much help in determining where security risks lie and how serious they are—so Cisco’s engineers have a lot more investigative work to do.
When asked what advice he would give to organizations that want to maintain a good security posture when acquiring another company, Persaud names three key factors.
To succeed in M&A security, it’s critical that the organization’s board of directors, CEO, and all subsequent levels of management support and be committed to meeting a high level of security standards and outcomes. The remaining management of the acquisition also needs to be on board with the security commitment, and both organizations should make sure that all employees recognize that commitment and support. If management support is not there, the work ultimately won’t get done. It can be difficult and time-consuming and without companywide recognition of its key importance, it won’t get prioritized, and it will get lost in the myriad of other things that all the teams have to do.
The issue of security can get really complicated, very quickly. Persaud says it’s smart to find industry standards and best practices that already exist and are available to everyone, “so you’re not reinventing the wheel—or more concerning, reinventing the wheel poorly.”
Where to look for those industry standards will vary, depending on the technology stack that needs to be secured. “If you are interested in securing a web application,” says Persaud, “then starting with the OWASP Top Ten list is a good place to start. If you are selling a cloud offer or cloud service, then look at the Cloud Security Alliance’s Cloud Controls Matrix (CCM) or the Cisco Cloud Controls Framework.”
One way to think of it, Persaud says, is that there are a variety of security frameworks certain customers will need a company to adhere to before they can use their solutions. Think frameworks like FedRAMP, SOC-2, Common Criteria, or FIPS.
“You can align your product security work to those frameworks as a baseline and then build on top of them to make technology more resilient.” It’s a great place to start.
It’s essential that an organization be very clear on what it wants to accomplish when it comes to ensuring security of an acquisition’s solutions and infrastructure. This will help it avoid “trying to boil the whole ocean,” says Persaud.
Persaud and his team talk about working up to security fitness the way a runner would start with a 5K and work up to an Ironman competition. “You take progressive steps towards improving,” he says. “You’re very explicit about what milestones of improvement you’ll encounter on your journey of good security.”
Persaud says Cisco is uniquely positioned to help organizations maintain security standards when acquiring other companies. He points to three critical differentiators.
“The level of visibility and support that we have for security at Cisco, starts with our board of directors and our CEO, and then throughout the organization,” says Persaud. “This is a very special and unique situation that allows us to do a lot of impactful work from a security perspective,”
Cisco has long been adamant about security that’s built in from the ground up and not bolted on as an afterthought. It’s the reason the CSDL exists, as well as the Cisco Security & Trust Organization and the many, many teams that work every day to infuse security and privacy awareness into every product, service, and solution—including the technology and infrastructure of newly acquired companies.
Once Persaud’s team has identified and assessed the security risks of an acquisition, his and other teams go about helping the acquisition address and mitigate those risks. Cisco provides a set of common building blocks or tools that teams can use to improve the security posture of an acquisition.
“We have secure libraries that teams can integrate into their code base to help them do certain things securely, so that the individual teams don’t have to implement that security functionality from scratch,” says Persaud. “And Cisco produces certain pieces of hardware that can be leveraged across our product lines, such as secure boot and secure storage.”
“Cisco’s operations stack also has various services acquisitions can use,” says Persaud. “An example of this comes from our Security Vulnerability and Incident Command team (SVIC). They provide logging capabilities that cloud offers at Cisco can leverage to do centralized logging, and then monitor those logs. SVIC also offers a security vulnerability scanning service so individual teams don’t have to do it independently.”
Another critical building block is Persaud’s team and their expertise. They act as a valuable resource that teams can consult when they want to build a new feature securely or improve the security of an existing feature.
Persaud concludes, “Cisco has an extremely strong and active security community where teams can ask questions, gain insights, give guidance, troubleshoot issues, share ideas and technology, and discuss emerging security topics. The community is committed to helping others instead of competing against each other. Members have the mindset of enriching the overall approach to security at Cisco and learning from any source they can to make things continually better.
Managing Cybersecurity Risk in M&A
Demonstrating Trust and Transparency in Mergers and Acquisitions
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Jason Button is a director at Cisco and leads the company’s Security and Trust Mergers and Acquisitions (M&A) team. He was formerly the director of IT at Duo Security, a company Cisco acquired in 2018, making him uniquely positioned to lend his expertise to the M&A process. This blog is the second in a series focused on M&A cybersecurity, following Jacob Bolotin’s post on Managing Cybersecurity Risk in M&A.
All good relationships are built on trust. Add in transparency, and the union becomes even more substantial. “Trust and transparency underpin everything we do,” says Button, “Cisco takes security, trust, and transparency very seriously, and it’s part of our team’s fabric.”
When Cisco acquires a company, the Security and Trust M&A team looks at not only what they can offer in the way of security but also what unique qualities the acquired company brings to Cisco. These qualities might be related to security, but they’re also found in the acquired company’s culture, technical knowledge, and processes.
In all acquisitions, the M&A team needs to move fast. In fact, the Cisco team is committed to pushing even faster as long as they never compromise on security. Around 2020, Button and his team began taking stock of how it does things. They evaluated everything from the ground up, willing to tease out what is working and toss out what isn’t.
The team is also on a trajectory of identifying how it can digitize and automate security.
“If we were going to do things differently, we needed to be bold about it,” says Mohammad Iqbal, information security architect in the Security and Trust M&A team. One of the changes Iqbal proposed to his colleagues is to ensure that an acquired company is integrated into Cisco’s critical security controls within three months after the acquisition deal closes.
To successfully meet the three-month target, the M&A team works closely with the acquired company to identify and address all non-integrated risks (NIRs) that Cisco inherits from an acquisition and encompass:
NIRs are a subset of eight security domains, or operating norms, that align with Cisco’s security and trust objectives and top priorities of the larger security community (Figure 1). The M&A team’s focus on NIRs steers the due diligence conversation away from identifying the acquisition’s security deficiencies and towards understanding the inherent risks associated with the acquisition and measuring the security liability.
“Acquisitions are coming in with these risks, and so we must address NIRs early when we’re signing non-disclosure agreements. In doing so, we help put these companies in a position to integrate successfully with all the security domains. And this integration should be done in the shortest time possible within a year of close,” Iqbal says.
Building trust and being transparent early on is critical so the acquired company knows what’s expected of them and is ready to accomplish its three-month and first-year goals.
“I wish this type of conversation was offered to me when Cisco acquired Duo,” Button says. “Being on the Duo side of that deal, I would’ve been able to say with confidence, ‘OK, I get it. I know what’s expected of me. I know where to go. I know what I need to do with my team.’”
“We have a limited time window to make sure an acquisition company is heading down the right route. We want to get in there early and quickly and make it easy,” adds Button.
Reducing the manual intervention required by the acquired company is integral to helping the acquisition meet the three-month goal. Here’s where automation can play a significant role and the M&A team is looking toward innovation.
“We’re working on bringing in automated processes to lessen the burden on the acquired company,” says Iqbal. The M&A team realizes that much of the automation can be applied in instrumenting the security controls and associated APIs to help the team move beyond what they have already assessed at acquisition day 0 and gain the visibility they need to get the acquired company to its three-month goal. For example, they can automate getting the acquired company on Cisco’s vulnerability scans, using internal tools, or attaining administrative access privileges.
So, Iqbal, Button, and the rest of the team are working on automating processes—developing the appropriate architecture pipeline and workflows—that help acquired companies integrate critical security controls. While the ability to automate integration with security controls is not novel, the innovation that the M&A team brings to the table is the ability to position an acquired target to integrate with security controls in the most expedited way possible.
As with due diligence, the M&A team strives to complete the discovery phase before the acquisition deal close. Here’s another step where digitization and automation can simplify and shorten processes. Take the acquisition company questionnaire, for instance.
“Instead of asking dozens of questions, we could give the company an audit script to run in their environment,” Iqbal says. “Then, all they have to do is give us the results.”
Also, the questionnaire can be dynamically rendered through a dashboard, improving the user experience, and shortening completion time. For example, the number of questions about containers could automatically retract if the acquired company uses Azure Kubernetes Service.
Many teams within Cisco compete for an acquired company’s time before and after an acquisition deal closes. The acquired company is pulled in several different directions. That’s why the Security and Trust M&A team doesn’t stop looking for ways to digitize and automate security processes after the close—to continue to help make the acquired company’s transition more manageable.
“If we can make processes simple, people will use them and see the value in them within days, not weeks or quarters,” says Button.
“The majority of companies we acquire are smaller,” Button says. “They don’t have large security teams. We want them to tap our plethora of security experts. We want to enable an acquired company to apply Cisco’s ability to scale security at their company. Again, we want things to be simple for them.”
The M&A team helps facilitate simplicity by telling a consistent story (maintaining consistent messaging unique to the acquired company) to all the groups at Cisco involved in the acquisition, including M&A’s extended Security and Trust partners such as corporate security, IT, and supply chain. Because each group deals with different security aspects of the integration plan, it’s essential that everyone is on the same page and understands the changes, improvements, and benefits of the acquisition that are relevant to them. Maintaining a consistent message can go a long way toward reducing complexity.
The human element can easily get overlooked throughout an acquisition’s myriad business, technical, and administrative facets. Balancing the human aspect with business goals and priorities is essential to Button and the entire Security and Trust M&A team. They want to bring the human connection to the table. In this way, trust and transparency are on their side.
“Emotions can run the gamut in an acquisition. Some people will be happy. Others will be scared. If you don’t make a human connection, you’ll lose so much value in the acquisition,” Button says. “You can lose people, skillsets, efforts. If we don’t make that human connection, then we lose that balance, and we won’t be off to a great start.”
One way the M&A team helps maintain that balance is by embracing the things that make the acquired company unique. “It’s vital to identify those things early on so we can protect and nurture them,” says Button.
He also wants to remind companies that they don’t have to be experts at everything asked of them during acquisition. “Cisco has been here for a while. We have entire teams within M&A that are dedicated to doing one thing. We can help acquired companies find out where they’re struggling. We can handle the things they don’t want to deal with.”
“M&A is complex, but complexity is off the chart when you talk about M&A and security. Our team won’t be successful if we can’t find a way to make things easier for the acquired company. They need to understand where they’re headed and why,” Button says. “It’s up to us to motivate them towards a successful outcome.”
Managing Cybersecurity Risk in M&A
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
As Technology Audit Director at Cisco, Jacob Bolotin focuses on assessing Cisco’s technology, business, and strategic risk. Providing assurance that residual risk posture falls within business risk tolerance is critical to Cisco’s Audit Committee and executive leadership team, especially during the mergers and acquisitions (M&A) process.
Bolotin champions the continued advancement of the technology audit profession and received a master’s degree in cybersecurity from the University of California Berkeley. After completing the program in 2020, he spearheaded a grant from Cisco to fund research conducted by the university’s Center for Long-Term Cybersecurity, which included identifying best practices around cybersecurity risk and risk management in the M&A process, captured in this co-authored report.
When asked about his approach to evaluating risk management, Bolotin likens the corporate dynamics to a Formula One racing team, whose success depends on the effective collaboration of experts to meet the challenges of the most demanding racecourses. In Bolotin’s analogy, a corporation (say, Cisco) is the Formula One vehicle, and the business (i.e., executive and functional leaders) races the car on the track. In the pit, you have IT and technology support, which maintains operations and optimizes efficiencies to ensure the vehicle’s peak performance. Meanwhile, InfoSec is the designer and implementor of risk management capabilities (for instance, ensuring the latest technology is deployed and within expected specifications). These groups converge to help keep the business running and help ensure the vehicle is race-day-worthy.
An M&A deal is a significant business opportunity and represents the transition to a new Formula One race car. In this scenario, the business cannot physically get behind the wheel and test drive it. Frequently, the car cannot be inspected, and critical data is not available for review before the deal. The competitive balance and sensitive nature of M&A deals require the business to trust that the car will perform as expected. “Laser-focused due diligence enables you to understand where the paved roads [the most efficient paths to data security, for example] may lie. This is where the Cisco Security and Trust M&A team plays an integral role,” says Bolotin. “They can look down those paved roads and determine, from a cybersecurity perspective, which capabilities Cisco should own, and which ones are better for the acquired business to manage. This team understands what to validate, so the audit committee and key stakeholders can be confident that the business will be able to drive the new Formula One car successfully and win the race.”
Risk management, assessment, and assurance are vital to establishing this confidence. The technology audit team conducts risk assessments across all of Cisco, including M&As, for key technology risk areas, including product build and operation. In addition to risk management oversight, Bolotin and the technology audit team are responsible for assuring the Audit Committee that the acquired entity can be operationalized within Cisco’s capabilities without undermining the asset’s valuation.
“We don’t want to run duplicate processes and systems, especially when we have bigger economies of scale to leverage,” Bolotin says. “We must operationalize the acquisition. That is table stakes. And we must do it while maintaining the integrity and security of the entity we are acquiring.”
In 2019, Bolotin resurrected a working group of technology audit director peers from companies, including Apple, Google, Microsoft, ServiceNow, and VMware, called the “Silicon Valley IT Audit Director Working Group”. The directors meet regularly to share insights and explore issues around technology risk, risk management, and business risk tolerance. “I wanted to get with my peers and understand how they do their job,” he says. “We collaborate on defining ‘what good looks like,’ as we co-develop audit and risk management programs to help move the industry forward”.
Bolotin, along with a few other members of the working group, was selected to participate in a separate research study conducted by the Center for Long-Term Cybersecurity, aimed at developing a generalized framework for improving cybersecurity risk management and oversight within M&A. Among the research questions, the working group members were asked to identify their key cybersecurity risks and where those risks sit in the M&A process.
“In my opinion, the biggest cybersecurity risks today are cloud security posture and third-party software inventory and bill of materials, or SBOM,” says Bolotin. “These risks impact not only product acquisitions but our ability to secure and operationalize business capabilities within Cisco. Whether we transition capabilities to run within Cisco or leave them for the acquired company to operate, we must have a thorough understanding of any third-party risks that may exist in IT, in the technologies and systems used by the acquired company, or anywhere else. Especially those that may impact the broader Cisco enterprise as the new entity is integrated.”
Cybersecurity risk is attached to talent management and moral hazards as well. “It’s not uncommon to lose talent in acquisition deals,” Bolotin says, “and these days, much of this talent is cybersecurity focused. This potential loss is a huge risk for us and can sometimes be due to cultural differences between Cisco and the acquired entity. People who would rather be on a swift and elegant sailboat do not readily choose to be a passenger on a massive cruise ship, no matter how grand or impressive.”
Moral hazards are always a concern in M&A. Red flags can include ongoing data breaches and either downplaying or providing misleading information about a security incident. The Cisco Security and Trust M&A team does a tremendous amount of due diligence around these hazards, sometimes augmented by investigative techniques from a Cisco security partner, such as trolling the dark web. Companies can protect themselves against the risk of moral hazards through clauses inserted in the acquisition contract.
Concerning contracts, Bolotin advises companies to ensure the risk management commitments they set down are realistic. “Companies need to be very sure they have received the right inputs to enable them to manage every relevant cybersecurity vulnerability, whether it is a misconfiguration on the acquisition’s security firewall, within their network, their product in the cloud, or any other significant vulnerability, based on contractual obligations. You need to be sure you can commit to privacy investigation and breach event readiness, and notification process the acquired entity needs and have a clear sense of how fast you can meet these requirements.”
Bolotin ardently reminds companies that risk management in cybersecurity is not owned by a solitary group. Managing risk is a collective effort that transcends different organizations, each of which should understand its role in helping to mitigate the risks.
“Risk management begins in the production environment, with the engineers building code and downloading software to help them create new products and capabilities,” says Bolotin. “It’s essential that everyone understands how to identify and properly manage cybersecurity risks in their everyday work, including the tools and services used to enable the business, and work to mitigate applicable risks, especially in these critical areas.”
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
In the first part of this blog series on Unscrambling Cybersecurity Acronyms, we provided a high-level overview of the different threat detection and response solutions and went over how to find the right solution for your organization. In this blog, we’ll do a deeper dive on two of these solutions – Endpoint Detection and Response (EDR) and Managed Endpoint Detection and Response (MEDR). However, first let’s take a look back at the history of endpoint security solutions and understand how we got EDR and MEDR security solutions.
The very first endpoint security solutions started out as anti-virus solutions (AV) with basic security functionality that relied heavily on signature-based detection. These solutions were effective against known threats where a signature was created, but ineffective against unknown threats such as new and emerging attacks. That meant that organizations struggled to stay ahead of attackers, who were continuously evolving their techniques to evade detection with new types of malware.
To address this problem, AV vendors added detection technologies such as heuristics, reputational analysis, behavioral protection, and even machine learning to their solutions, which became known as Endpoint Protection Platforms (EPP). These unified solutions were effective against both known and unknown threats and frequently used multiple approaches to prevent malware and other attacks from infecting endpoints.
As cyberattacks grew increasingly sophisticated though, many in the cybersecurity industry recognized that protection against threats wasn’t enough. Effective endpoint security had to include detection and response capabilities to quickly investigate and remediate the inevitable security breach. This led to the creation of EDR security solutions, which focused on post-breach efforts to contain and clean up attacks on compromised endpoints.
Today, most endpoint security vendors combine EPP and EDR solutions into a single, converged solution that provides holistic defense to customers with protection, detection, and response capabilities. Many vendors are also offering EDR as a managed service (also known as MEDR) to customers who need help in securing their endpoints or who don’t have the resources to configure and manage their own EDR solution. Now that we’ve gone over how endpoint security evolved into EDR and MEDR security solutions, let’s cover EDR and MEDR in more depth.
EDR solutions continuously monitor your endpoints for threats, alert you in case suspicious activity is detected, and allow you to investigate, respond to and contain potential attacks. Moreover, many EDR security solutions provide threat hunting functionality to help you proactively spot threats in your environment. They’re often coupled with or part of a broader endpoint security solution that also includes prevention capabilities via an EPP solution to protect against the initial incursion.
As a result, EDR security solutions enable you to protect your organization from sophisticated attacks by rapidly detecting, containing, and remediating threats on your endpoints before they gain a foothold in your environment. They give you deep visibility into your endpoints while effectively identifying both known and unknown threats. Furthermore, you can quickly contain attacks that get through your defenses with automated response capabilities and hunt for hidden threats that are difficult to detect.
While EDR provides several benefits to customers, it has some drawbacks. Chief among them is that EDR security solutions are focused on monitoring endpoints only versus monitoring a broader environment. This means that EDR solutions don’t detect threats targeting other parts of your environment such as your network, email, or cloud infrastructure. In addition, not every organization has the security staff, budget, and/or skills to deploy and run an EDR solution. This is where MEDR solutions come into play.
Managed EDR or MEDR solutions are EDR capabilities delivered as a managed service to customers by third-parties such as cybersecurity vendors or Managed Service Providers (MSPs). This includes key EDR functionality such as monitoring endpoints, detecting advanced threats, rapidly containing threats, and responding to attacks. These third-parties usually have a team of Security Operations Center (SOC) specialists who monitor, detect, and respond to threats across your endpoints around the clock via a ‘follow the sun’ approach to monitoring.
MEDR security solutions allow you to offload the work of securing your endpoints to a team of security professionals. Many organizations need to defend their endpoints from advanced threats but don’t necessarily have the desire, resources, or expertise to manage an EDR solution. In addition, a team of dedicated SOC experts with advanced security tools can typically detect and respond to threats faster than in-house security teams, all while investigating every incident and prioritizing the most critical threats. This enables you to focus on your core business while getting always-on security operations.
Similar to EDR though, one downside to MEDR security solutions is that they defend only your endpoints from advanced threats and don’t monitor other parts of your infrastructure. Moreover, while many organizations want to deploy EDR as a managed service, not everyone desires this. For example, larger and/or more risk-averse organizations who are looking to invest heavily in cybersecurity are typically satisfied with running their own EDR solution. Now, let’s discuss how to choose the right endpoint security solution when trying to defend your endpoints from threats.
As I mentioned in my previous blog, there isn’t a single correct solution for every organization. This logic applies to EDR and MEDR security solutions as well since each solution works well for different types of organizations, depending on their needs, resources, motivations, and more. Nevertheless, one major factor to consider is if you have or are willing to build out a SOC for your organization. This is important because organizations that don’t have or aren’t willing to develop a SOC usually gravitate towards MEDR solutions, which don’t require significant investments in cybersecurity.
Another factor to keep in mind is your security expertise. Even if you’re have or are willing to build a SOC, you may not have the right cybersecurity talent and skills within your organization. While you can always build out your security team, you may want to evaluate an MEDR solution because a lack of expertise makes it difficult to effectively manage an EDR solution. Finally, a common misconception is that you must choose between an EDR and a MEDR solution and that you cannot run both solutions. In reality, many organizations end up using both EDR and MEDR since MEDR solutions often complement EDR deployments.
I hope this information and key factors help you better understand EDR and MEDR solutions while acting as a guide to selecting the best endpoint security solution for your organization. For more details on the different cybersecurity acronyms and how to identify the right solution for your needs, stay tuned for the next blog in this series – Unscrambling Cybersecurity Acronyms: The ABCs of MDR and XDR Security. In the meantime, learn how Cisco Secure Endpoint stops threats with a comprehensive endpoint security solution that includes both advanced EDR and MEDR capabilities powered by an integrated security platform!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Security tools are only as good as the intelligence and expertise that feeds them. We’re very fortunate to have our security technologies powered by Cisco Talos, one of the largest and most trusted threat intelligence groups in the world. Talos is comprised of highly skilled researchers, analysts, and engineers who provide industry-leading visibility, actionable intelligence, and vulnerability research to protect both our customers and the internet at large.
The Talos team serves as a crucial pillar of our innovation — alerting customers and the public to new threats and mitigation tactics, enabling us to quickly incorporate protection into our products, and stepping in to help organizations with incident response, threat hunting, compromise assessments and more. Talos can also be found securing large-scale events such as the Super Bowl, and working with government and law enforcement organizations across the globe to share intelligence.
With Cisco’s vast customer base and broad portfolio — from routers and switches to email and endpoints — Talos has visibility into worldwide telemetry. Once a threat is seen, whether it’s a phishing URL or an IP address hosting malware, detections are created and indicators of compromise are categorized and blocked across our Cisco Secure portfolio.
Talos also leverages its unique insights to help society as a whole better understand and combat the cyberattacks facing us daily. During the war in Ukraine, the group has taken on the additional task of defending over 30 critical infrastructure providers in the country by directly managing and monitoring their endpoint security.
The reality of security today is that organizations must be constantly ready to detect and contain both known and unknown threats, minimize impact, and keep business going no matter what happens in the cyber realm. In light of hybrid work, evolving network architectures, and increasingly insidious attacks, all organizations must also be prepared to rapidly recover if disaster strikes, and then emerge stronger. We refer to this as security resilience, and Talos plays a critical role in helping our customers achieve it.
For several years, our integrated, cloud-native Cisco SecureX platform has been delivering extended detection and response (XDR) capabilities and more. SecureX allows customers to aggregate, analyze, and act on intelligence from disparate sources for a coordinated response to cyber threats.
Through the SecureX platform, intelligence from Talos is combined with telemetry from our customers’ environments — including many third-party tools — to provide a more complete picture of what’s going on in the network. Additionally, built-in, automated response functionality helps to speed up and streamline mitigation. This way, potential attacks can be identified, prioritized, and remediated before they lead to major impact.
For XDR to be successful, it must not only aggregate data, but also make sense of it. Through combined insights from various resources, SecureX customers obtain the unified visibility and context needed to rapidly prioritize the right threats at the right time. With SecureX, security analysts spend up to 90 percent less time per incident.
One of Australia’s largest universities, Deakin University, needed to improve its outdated security posture and transition from ad hoc processes to a mature program. Its small security team sought an integrated solution to simplify and strengthen threat defense.
With a suite of Cisco security products integrated through SecureX, Deakin University was able to reduce the typical investigation and response time for a major threat down from over a week to just an hour. The university was also able to decrease its response time for malicious emails from an hour to as little as five minutes.
“The most important outcome that we have achieved so far is that security is now a trusted function.”
– Fadi Aljafari, Information Security and Risk Manager, Deakin University
Also in the education space, AzEduNet provides connectivity and online services to 1.5 million students and 150,000 teachers at 4,300 educational institutions in Azerbaijan. “We don’t have enough staff to monitor every entry point into our network and correlate all the information from our security solutions,” says Bahruz Ibrahimov, senior information security engineer at AzEduNet.
The organization therefore implemented Cisco SecureX to accelerate investigations and incident management, maximize operational efficiency with automated workflows, and decrease threat response time. With SecureX, AzEduNet has reduced its security incidents by 80 percent.
“The integration with all our Cisco Secure solutions and with other vendors saves us response and investigation time, as well as saving time for our engineers.”
– Bahruz Ibrahimov, Senior Information Security Engineer, AzEduNet
The sophistication of attackers and sheer number of threats out there today make it extremely challenging for most cybersecurity teams to effectively stay on top of alerts and recognize when something requires their immediate attention. According to a survey by ESG, 81 percent of organizations say their security operations have been affected by the cybersecurity skills shortage.
That’s why Talos employs hundreds of researchers around the globe — and around the clock — to collect and analyze massive amounts of threat data. The group uses the latest in machine learning logic and custom algorithms to distill the data into manageable, actionable intelligence.
“Make no mistake, this is a battle,” said Nick Biasini, head of outreach for Cisco Talos, who oversees a team of global threat hunters. “In order to keep up with the adversaries, you really need a deep technical understanding of how these threats are constructed and how the malware operates to quickly identify how it’s changing and evolving. Offense is easy, defense is hard.”
Earlier this year, we unveiled our strategic vision for the Cisco Security Cloud to deliver end-to-end security across hybrid, multicloud environments. Talos will continue to play a pivotal role in our technology as we execute on this vision. In addition to driving protection in our products, Talos also offers more customized and hands-on expertise to customers when needed.
Cisco Talos Incident Response provides a full suite of proactive and emergency services to help organizations prepare for, respond to, and recover from a breach — 24 hours a day. Additionally, the recently released Talos Intel on Demand service delivers custom research unique to your organization, as well as direct access to Talos security analysts for increased awareness and confidence.
Visit our dedicated Cisco Talos web page to learn more about the group and the resources it offers to help keep global organizations cyber resilient. Then, discover how XDR helps Security Operations Center (SOC) teams hunt for, investigate, and remediate threats.
Watch video: What it means to be a threat hunter
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Ransomware and other advanced attacks continue to evolve and threaten organizations around the world. Effectively defending your endpoints from these attacks can be a complex undertaking, and a seemingly endless number of security acronyms only compounds that complexity. There are so many acronyms – EPP, EDR, MEDR, MDR, XDR, and more – for various cybersecurity products and services that it becomes difficult to understand the differences between them and choose the right solution for your organization. Deciphering all these acronyms is a task on its own and deciding which solution works best for you is even more challenging.
We here at Cisco believe that understanding these acronyms and determining which security products or services are the best fit for your organization’s needs doesn’t have to be so hard. That’s why we developed this blog – the first in a series – to give you an overview of the different types of threat detection and response solutions.
This series will help you understand the benefits and disadvantages of each solution, the similarities and differences between these solutions, and how to identify the right solution for your organization. Now let’s go over the different types of security solutions.
There are several types of threat detection and response solutions, including:
These solutions are similar in that they all enable you to detect and respond to threats, but they differ by the environment(s) being monitored for threats, who conducts the monitoring, as well as how alerts are consolidated and correlated. For instance, certain solutions will only monitor your endpoints (EDR, MEDR) while others will monitor a broader environment (XDR, MDR). In addition, some of these solutions are actually managed services where a third-party monitors your environment (MEDR, MDR) versus solutions that you monitor and manage yourself (EDR, XDR).
When evaluating these solutions, keep in mind that there isn’t a single correct solution for every organization. This is because each organization has different needs, security maturities, resource levels, and goals. For example, deploying an EDR makes sense for an organization that currently has only a basic anti-virus solution, but this seems like table stakes to a company that already has a Security Operations Center (SOC).
That being said, there are a few questions you can ask yourself to find the cybersecurity solution that best fits your needs, including:
Of these questions, the most critical are about your security goals and current cybersecurity posture. For instance, organizations at the beginning of their security journey may want to look at an EDR or MEDR solution, while companies that are further along their journey are more likely to be interested in an XDR. Asking whether you already have or are willing to build out a SOC is another essential question. This will help you understand whether you should run your security yourself (EDR, XDR) or find a third-party to manage it for you (MEDR, MDR).
Asking whether you have or are willing to hire the right security talent is another critical question to pose. This will also help determine whether to manage your cybersecurity solution yourself or have a third-party run it for you. Finally, questions about visibility and context, alert, and security tool fatigue, as well as detection and response times will help you to decide if your current security stack is sufficient or if you need to deploy a next-generation solution such as an XDR.
These questions will help guide your decision-making process and give you the information you need to make an informed decision on your cybersecurity solution. For more details on the different endpoint security acronyms and how to determine the right solution for your organization, keep an eye out for the next blog in this series – Unscrambling Cybersecurity Acronyms: The ABCs of EDR and MEDR. Stay tuned!
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Instagram
Facebook
Twitter
LinkedIn
A deep dive into the latest updates from Secure Network and Cloud Analytics that show Cisco’s leadership in the Security Industry.
The year 2022 has been rather hectic for many reasons, and as the World undergoes its various challenges and opportunities, We At Cisco Security have buckled up and focused on improving the World in the way which we know best: by making it more Secure.
In an increasingly vulnerable Internet environment, where attackers rapidly develop new techniques to compromise organizations around the world, ensuring a robust security infrastructure becomes ever more imperative. Across the Cisco Security Portfolio, Secure Network Analytics (SNA) and Secure Cloud Analytics (SCA) have continued to add value for their customers since their inception by innovating their products and enhancing their capabilities.
In the latest SNA 7.4.1 release, four core features have been added to target important milestones in our roadmap. As a first addition, SNA has widely expanded on its Data Store deployment options by introducing the single node Data Store; supporting existing Flow Collector (FC) and new Data Store expansion by the Manager; and the capacity to mix and match virtual and physical appliances to build a Data Store deployment.
The SNA Data Store started as a simple concept, and while it maintained its simplicity, it became increasingly more robust and performant over the recent releases. In essence, it represents a new and improved database architecture design that can be made up of virtual or physical appliances to provide industry leading horizontal scaling for telemetry and event retention for over a year. Additionally, the Flow Ingest from the Flow Collectors is now separate from the data storage, which allows them to now scale to 500K + Flows Per Second (FPS). With this new database design, are now optimized for performance, which has improved across all metrics by a considerable amount.
For the second major addition, SNA now supports multi-telemetry collection within a single deployment. Such data encompasses network telemetry, firewall logging, and remote worker telemetry. Now, Firewall logs can be stored on premises with the Data Store, making data available to the Firepower Management Center (FMC) via APIs to support remote queries. From the FMC, users can pivot directly to the Data Store interface and look at detailed events that optimize SecOps workflows, such as automatically filtering on events of interest.
On the topic of interfaces, users can now benefit from an intelligent viewer which provides all Firewall data. This feature allows to select custom timeframes, apply unique filters on Security Events, create custom views based on relevant subsets of data, visualize trends from summary reports, and finally to export any such view as a CSV format for archiving or further forensic investigations.
With respect to VPN telemetry, the AnyConnect Secure Mobility Client can now store all network traffic even if users are not using their VPN in the given moment. Once a VPN connection is restored, the data is then sent to the Flow Collector, and, with a Data Store deployment, off-network flow updates can bypass FC flow caches which allow NVM historical data to be stored correctly.
Continuing down the Data Store journey (and, what a journey indeed), users can now monitor and evaluate its performance in a simple and intuitive way. This is achieved with charts and trends directly available in the Manager, which can now support traditional non-Data Store FCs and one singular Data Store. The division of Flow Collectors is made possible by SNA Domains, where a Data Store Domain can be created, and new FCs added to it when desired. This comes as part of a series of robust enhancements to the Flow Collector, where the FC can now be made up of a single image (NetFlow + sFlow) and its image can be switched between the two options. As yet another perk of the new database design, any FC can send its data to the Data Store.
As it can be seen, the Data Store has been the star of the latest SNA release, and for obvious good reasons. Before coming to an ending though, it has one more feature up its sleeve: Converged Analytics. This SNA feature brings a simplified, intuitive and clear analytics experience to Secure Network Analytics users. It comes with out- of-the-box detections mapped to MITRE with clearly defined tactics and techniques, self-taught baselining and graduated alerting, and the ability to quiet non-relevant alerts, leading to more relevant detections.
This new Analytics feature is a strong step forward to give users the confidence of network security awareness thanks to an intuitive workflow and 43 new alerts. It also gives them a deep understanding of each alert with observations and mappings related to the industry-standard MITRE tactics and techniques. When you think it couldn’t get any better, the Secure Network and Cloud Analytics teams have worked hard to add even more value to this release, and ensured the same workflows, functionality and user experience could be further available in the SCA portal. Yes, this is the first step towards a more cohesive experience across both SNA and SCA, where users of either platform will start to benefit from more consistent outcomes regardless of their deployment model. As some would say, it’s like a birthday coming early.
Pivoting to Secure Cloud Analytics, as per Network sibling, the product got several enhancements over the last months of development. The core additions revolve around additional detections and context, as well as usability and integration enhancements, including those in Secure Cloud Insights. In parallel with SNA’s Converged Analytics, SCA benefits from detections mapped to the MITRE ATT&CK framework. Additionally, several detections underwent algorithm improvements, while 4 new ones were added, such as Worm Propagation, which was native to SNA. Regarding the backbone of SCA’s alerts, a multitude of new roles and observations were added to the platform, to further optimize and tune the alerts for the users.
Additionally, alerts now offer a pivot directly to AWS’ load balancer and VPC, as well as direct access to Azure Security Groups, to allow for further investigation through streamlined workflows. The two Public Cloud Providers are now also included in coverage reports that provide a gap analysis to gain insight as to what logs may have potentially gone missing.
Focusing more on the detection workflows, the Alert Details view also got additional information pertaining to device context which gives insight into hostnames, subnets, and role metrics. The ingest mechanism has also gotten more robust thanks to data now coming from Talos intelligence feed and ISE, shown in the Event Viewer for expanded forensics and visibility use cases.
While dealing with integrations, the highly requested SecureX integration can now be enabled in 1 click, with no API keys needed and a workflow that is seamless across the two platforms. Among some of the other improvements around graphs and visualizations, the Encrypted Traffic widget now allows an hourly breakdown of the data, while the Event Viewer now displays bi-directional session traffic, to bring even greater context to SCA flows.
In the context of pivots, as a user is navigating through devices that, for example, have raised an alert, they will now also see the new functionality to pivot directly into the Secure Cloud Insights (SCI) Knowledge Graph, to learn more about how various sources are connected to one another. Another SCI integration is present within the Device Outline of an Alert, to gain more posture context, and as part of a configuration menu, it’s now possible to run cloud posture assessments on demand, for immediate results and recommendations.
With this all said, we from the Secure Analytics team are extremely excited about the adoption and usage of these features so that we can keep on improving the product and iterating to solve even more use cases. As we look ahead, the World has never needed more than now a comprehensive solution to solve one of the most pressing problems in our society: cyber threats in the continuously evolving Internet space. And Secure Analytics will be there, to pioneer and lead the effort for a safe World.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Extended Detection and Response, or XDR, the cybersecurity topic that dominated the RSA conference 2022 show floor with multiple vendors, has been getting a lot of attention lately, and for good reason. A connected, unified approach to detection and response promises to give security professionals all the tools and capabilities they need to address the ever-growing attack surface.
At Cisco, we wanted to get an independent view of what XDR means to a security operations audience, so we partnered with ESG on a survey conducted in April 2022 of 376 IT cybersecurity professionals in North America, which explored some key questions and trends for security operations centers as it relates to XDR. This new eBook, SOC Modernization and the Role of XDR, provides insights into the survey. Unsurprisingly, 52 percent of organizations surveyed believe that security operations are more challenging than just two years ago, and it’s clear cybersecurity professionals are looking for the next architecture to solve these challenges.
The distributed nature of the network is resulting in more data from multiple control points. The survey showed that while 80 percent of organizations are already using more than 10 data sources as a part of their security operations, they want even more as they realize the value of being able to aggregate, normalize, correlate, and contextualize data so they can take better actions faster. At the same time, 81 percent say that they have been impacted by the cybersecurity skills shortage, and more data without the capabilities and skills in place to act will only diminish the ability to address threats.
To help fill those skills gaps, improved threat detection playbooks and incident prioritization will be critical aspects of the security operations strategy. Another key tool widely recognized as important in building a foundation is the MITRE ATT&CK framework that can help your teams focus and understand adversary tactics and techniques based on real-world observations.
While a common industry definition remains elusive, one thing is clear: XDR will play a critical role in the modernization of the security operations center. Determining how it will help your security operations team, and which partners to work with as you build out your XDR approach, will determine your level of success.
You need XDR to transform your infrastructure from a series of disjointed solutions into a fully integrated ecosystem that gets you to your outcome more effectively and efficiently. Cisco has built XDR capabilities into the broad portfolio of our security products and easily integrates with existing solutions in your environment using open APIs. After you’ve read the ESG SOC Modernization and the Role of XDR eBook, we invite you to take a look at the Cisco XDR Buyer’s Guide, which outlines five key elements of XDR done right and provides some questions to ask as you consider which vendors you want to work with in building out your security strategy. Don’t wait to start planning how XDR will help your security operations team.
Source: ESG Research Study, SOC Modernization and the Role of XDR, June 2022
See XDR done right:
Cisco XDR Buyer’s Guide
This article is part of a series in which we will explore several features, principles, and the building blocks of a security detection engine within an extended detection and response (XDR) solution.
In this second installment, we will look at ways of structuring the presentation of machine-generated alerts, so that each alert offers a cohesive and compelling narrative, as if written by a human analyst, at scale and in realtime.
In cyber security, we are used to two types of stories.
The first story is common for reports written by humans. It contains sections such as “impact,” “reproduction,” and “remediation” to help us understand what is at stake and what we need to fix. For example:
IMPACT: An SSH server which supports password authentication is susceptible to brute-forcing attacks.
REPRODUCTION: Use the `ssh` command in verbose mode (`ssh -v`) to determine supported authentication methods. Look for “keyboard-interactive” and “password” methods.
REMEDIATION: Disable unneeded authentication methods.
The second story comes from machine detections. It is much terser in content and sometimes leaves us scratching our heads. “Malware,” the machine says with little explanation, followed by a horde of gibberish-looking data of network flows, executable traces, and so on.
The challenge is now to get the best of both worlds: to enhance machine-generated alerts with the richness of human-written reports. The following sections explain how this can be approached.
In our example of a report written by a human, the “reproduction” section would help us understand, from a factual perspective, how exactly the conclusions were derived.
On the other hand, the machine-generated horde of data provides evidence in a very nondescript way. We would need to be smart enough to spot or reverse-engineer what algorithm the machine was following on said data. Most security analysts do not wish to do this. Instead, they attempt to seek the first story type. “Surely, someone must have written a blog or something more descriptive about this already,” they would say. Then, they would copy-paste anything that looks like a searchable term – an IP address, domain, SHA checksum – and start searching it, either on a threat intelligence search site or even a general-purpose search engine.
Having such cryptic machine-generated alerts is leading us to our first two issues: first, when the story is incomplete or misunderstood, it may lead the analyst astray. For example, the security event might involve requests to communicate with an IP address, and the analyst would say, “This IP address belongs to my DNS server, so the traffic is legitimate.” However, the detection engine was really saying, “I suspect there is DNS tunnelling activity happening through your DNS server—just look at the volume.”
Second, when an analyst seeks explanations from elsewhere, the main function of an advanced detection engine — finding novel, localized, and targeted attacks — cannot work. Information on attacks is generally available only after they have been discovered and analyzed, not when they happen initially.
A common approach to remedy this situation is to include a short description of the algorithm. “This detector works by maintaining a baseline of when during the day a user is active and then reports any deviations,” a help dialog would say. “Okay, that’s clever,” an analyst would reply. But this is not enough. “Wait, what is the baseline, and how was it violated in this particular security event?” To find the answer, we need to go back to the horde of data.
To mimic the “reproduction” section of the human-written report, our security events are enriched with an annotation—a short summary of the behavior described by the event. Here are a few examples of such annotated events:
In the first and second cases, the story is relatively straightforward: in the horde of data, successful communication with said hostnames was observed. An inference through threat intelligence associates these hostnames to the Sality malware.
The third line informs us that, on a factual basis, only a communication with an IP address was observed. Further chain of inferences is that this IP address was associated by a passive DNS mechanism to a hostname which is in turn associated to the Sality malware.
In the fourth event, we have an observation of full HTTP URL requests, and inference through a pattern matcher associates this URL to the Sality malware. In this case, neither the hostname nor the IP address is important to the detector.
In all these annotated events, an analyst can easily grasp the factual circumstances and what the detection engine infers and thinks about the observations. Note that whether these events describe benign, malicious, relevant, or irrelevant behavior, or whether they lead to true or false positives, is not necessarily the concern. The concern is to be specific about the circumstances of the observed behavior and to be transparent about the inferences.
When we eventually succeed in explaining the security events, we might not be finished with the storytelling yet. The analyst would face another dilemma. They would ask: “What relevance does this event have in my environment? Is it part of an attack, an attack technique perhaps? What should I look for next?”
In the human-written report, the “impact” section provides a translation between the fact-based technical language of “how” and the business language of “what.” In this business language, we talk about threats, risks, attacker objectives, their progress, and so on.
This translation is an important part of the story. In our previous example about DNS tunnelling, we might want to express that “an anomaly in DNS traffic is a sign of an attacker communicating with their command-and-control infrastructure,” or that “it is a sign of exfiltration,” or perhaps both. The connotation is that both techniques are post-infection, and that there is probably already a foothold that the attacker has established. Perhaps other security events point to this, or perhaps it needs to be sought after by the analyst.
When it is not explicit, the analyst needs to mentally perform the translation. Again, an analyst might look up some intelligence in external sources and incorrectly interpret the detection engine’s message. Instead, they might conclude that “an anomaly in DNS traffic is a policy violation, user error, or reconnaissance activity,” leading them astray from pivoting and searching for the endpoint foothold that performs the command-and-control activity.
We take special attention not to mix these two different dictionaries. Rather, we express separately the factual observations versus the conclusions in the form of threats and risks. Inbetween, there are the various chains of inferences. Based on the complexity, the depth of the story varies, but the beginning and the end will always be there: facts versus conclusions.
This is very similar to how an analyst would set up their investigation board to organize what they know about the case. Here is an elaborate example:
In this case, from top to bottom:
In all points, the “what” and “how” languages are distinguished from each other. Finally, the whole story is stitched together into one alert by using the alert fusion algorithm described in the Intelligent alert management blog post.
Have we bridged the storytelling gap between machine-generated and human-generated reports?
Threat detections need to be narrated in sufficient detail, so that our users can understand them. Previously, we relied on the human aspect—we would need to document, provide support, and even reverse-engineer what the detection algorithms said.
The two solutions, distinguishing the “what/how” languages and the annotated events, provide the bandwidth to transmit the details and the expert knowledge directly from the detection algorithms. Our stories are now rich with detail and are built automatically in real time.
The result allows for quick orientation in complex detections and lowers the time to triage. It also helps to correctly convey the message, from our team, through the detection engine, and towards the analyst, lowering the possibility of misinterpretation.
This capability is part of Cisco Global Threat Alerts, currently available within Cisco Secure Network Analytics and Cisco Secure Endpoint, and has been continually improved based on customer feedback. In the future, it will also be available in Cisco SecureX XDR.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
It’s a busy month for cybersecurity, with the return of in-person RSAC in San Francisco, followed by Cisco Live in very lively Las Vegas! With so much happening, and so many announcements from every security vendor out there, it can be hard to keep track of everything going on. Let us help give you the highlights from a Cisco SecureX perspective!
We have been busy this past year, with our acquisition of Kenna Security and our recent innovations around device insights – all helping to expand and strengthen SecureX and our extended detection and response (XDR) capabilities.
Let’s start with device insights. We know that correlation of incidents and alerts is a vital capability for every good XDR offering, but what about correlating and aggregating information about the devices themselves? With the growing number of devices in many customer environments there is also a growing number of products with information about those devices. This can cause duplicate records and multiple alerts from the same device – which means more potentially false positive incidents to investigate, and more headaches trying to manually correlate and connect device information. With device insights organizations can discover, normalize, and consolidate information about all the devices in your environment – so you can avoid duplicate alerts, and discover devices that may be sneaking through gaps in your security. Device insights gives you a comprehensive view into each device’s security posture and management status.
Now, a more insightful view of all the devices across your infrastructure is a must-have, but so is the ability to view and manage vulnerabilities across these endpoints. With Cisco’s acquisition of Kenna Security last year, and our on-going integration of Kenna offerings into the Cisco Secure portfolio, we’re continuing to fortify SecureX and our XDR capabilities with industry leading risk-based vulnerability management. Kenna vulnerability management has already started integrations with Cisco Secure Endpoint, providing vulnerability scores on the OS version, as well as any available fixes. On the SecureX side, Kenna integrations are being leveraged to automatically enrich threat detections with vulnerability information, and automatically create ticketing workflows for Kenna.VM customers using ServiceNow.
With these integrations, and more innovations planned for the near future, risk-based vulnerability management will become a cornerstone for all endpoint and XDR deployments.
Check out our recent blog posts for more information about device insights and Kenna and SecureX orchestration!
Visit us at RSAC at booth 6045 for Cisco Secure, and booth 6362 for Kenna, and at Cisco Live in the World of Solutions to learn more.
Cisco Secure Firewall stops threats faster, empowers collaboration between teams, and enables consistency across your on-premises, hybrid, and multi-cloud environments. With an included entitlement for Cisco SecureX, our XDR and orchestration platform, you’ll experience efficiency at scale and maximize your productivity. New streamlined Secure Firewall integrations make it easier to use SecureX capabilities to increase threat detection, save time and provide the rapid and deeper investigations you require. These new features and workflows provide the integration and automation to simplify your security.
The entire suite of Firewall Management Center APIs is now available in the cloud. This means that existing APIs can now be executed from the cloud. Cisco makes this even easier for you by delivering fully operational workflows as well as pre-built drag-n-drop code blocks that you can use to craft your own custom workflows. SecureX is able to proxy API calls from the cloud to the SSE connector embedded in the FMC codebase. This integration between Firewall 7.2 and SecureX provides your Firewall with modern cloud-based automation.
We’ve dramatically reduced the amount of time needed to fully integrate Firewall into Securex. Even existing Firewall customers who use on-premises Firewall Management Center will be able to upgrade to version 7.2 and start automating/orchestrating in under 15 minutes — a huge time savings! The 7.2 release makes the opportunities for automating your Firewall deployment limitless with our built-in low code orchestration engine.
Previously Firewall admins had to jump through hoops to link their smart licensing account with SecureX which resulted in a very complicated integration process. With the new one-click integration, simply click “Enable SecureX” in your Firewall Management Center and log into SecureX. That’s it! Your Firewalls will automatically be onboarded to SecureX.
Cisco Secure Firewall users now get immense value from SecureX with the orchestration capability built natively into the Firewall. Previously Firewall admins would have to deploy an on-premises virtual machine in vCenter to take advantage of Firewall APIs in the cloud which was a major hurdle to overcome. With the 7.2 release, orchestration is built right into your existing Firewall Management Center. There is no on-premises connector required; SecureX orchestration is able to communicate directly with Firewall APIs highlighting the power of Cisco-on-Cisco integrations.
The PSIRT impact monitoring workflows helps customers streamline their patch management process to ensure their network is always up to date and not vulnerable to CVE’s. This workflow will check for new PSIRTs, determine if device versions are impacted, and suggest a fixed version to upgrade to. By scheduling this workflow to run once a week customers can be notified via email if there is any potential impact from a PSIRT.
This workflow will run every 15 minutes to pull a health report from FMC and proactively notify customers via email if any devices are unhealthy. This means customers can rest assured that their fleet of devices is operating as expected or be notified of things like high CPU usage, low disk space, or interfaces going down.
This workflow highlights the power of automation and showcases what is possible by using the orchestration proxy to use FMC API’s. Managing policy is always an on-going effort but can be made easier by introducing automation. This workflow can be run once a week to search through Firewall policies and determine if any rules are going to expire soon. This makes managing policy much easier because customers will be notified before rules expire and can make changes accordingly.
This workflow is a one-click response action available from the threat response pivot menu. With the click of a button a URL is added to an object in a block rule of your access control policy. This action can be invoked during an investigation in SecureX or from any browser page using the SecureX browser extension. Reducing time to remediation is a critical aspect of keeping your business secure. This workflow turns a multi-step policy change into a single click by taking advantage of Secure Firewall’s integration with SecureX.
A recent Forrester Economic Impact Study of Secure Firewall show that deploying these types of workflows in SecureX with Secure Firewall increased operational efficiency.
In fact, SecureX in combination with Secure Firewall helped to dramatically reduce the risk of a material breach. It’s clear that the integration of the two meant a significant time savings for already overburdened teams.
We continue to innovate new features and workflows that prioritize the efficacy of your teams and help drive the security resilience of your organization.
Ready to add SecureX capabilities to your Firewall environment? Start here.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Instagram
Facebook
Twitter
LinkedIn
FreshRSS 