There has been an exponential increase in breaches within enterprises despite the carefully constructed and controlled perimeters that exist around applications and data. Once an attacker can access… Read more on Cisco Blogs
In our last blog, we gave a rundown of what the Telecommunications (Security) Act (TSA) is, why it’s been introduced, who it affects, when it starts, and how firms can prepare. Here, we take a closer look into the themes introduced by the Act, explore how the telecoms industry can explore zero trust to further improve its security posture, and outline the benefits that can be gained when complying.
When the Telecoms Security Act (TSA) was introduced, it was labelled as ‘one of the strongest telecoms security regimes in the world, a rise in standards across the board, set by the government rather than the industry’ by Matt Warman, former Minister of State at the Department for Digital, Culture, Media, and Sport. The industry is certainly feeling the impending impact of the act – with one industry pundit at an event we ran recently describing it as a ‘multi-generational change’ for the sector.
One of the headline grabbers stemming from the Act are the associated fines. With the new powers granted to it by the Act, Ofcom now has the responsibility to oversee operators’ security policies and impose fines of up to 10 percent of turnover or £100,000 a day in case operators don’t comply or the blanket ban of telecoms vendors such as Huawei. Sounds like the typical ‘stick’-based costly compliance messaging that no-one particularly wants to hear, right? But what if the TSA had some ‘carrot’-based business benefits that are much less discussed?
The TSA introduces a new security framework for the UK telecoms sector to ensure that public telecommunications providers operate secure and resilient networks and services and manage their supply chains appropriately. ny of the themes introduced in the code of practice can be aligned with the themes in a zero trust security model, which are also a focus for CISOs.
Zero trust security is a concept (also known as ‘never trust, always verify’) which establishes trust in users and devices through authentication and continuous monitoring of each access attempt, with custom security policies that protect every application. At Duo, our approach to zero trust is:
A crucial point to note here: much like a solution that claims to help with all aspects of the TSA, telecom providers should be wary of any vendor who claims to have a zero-trust product. Both are far much bigger than any ‘silver bullet’ solution purports to offer. But there is a good reason a zero-trust framework has been mandated by the US White House for all federal agencies, and recommended by the Australian Cyber Security Centre (ACSC) and the UK’s National Cyber Security Centre (NCSC).
As well as helping to mitigate the significant cyber risks presented to the telecoms industry, a zero-trust strategy provides many business benefits. Our recent Guide to Zero Trust Maturity shows that:
A robust zero-trust security program includes phishing-resistant multi factor authentication (MFA), access controls for devices and applications, risk-signalling, dynamic authentication, firewalls, analytics, web monitoring and more. As I said previously there is no one answer to zero trust, or indeed the TSA, but getting the basics right like strong MFA, single sign on (SSO) and device trust are an easy and effective way to get started.
The TSA will be a huge undertaking for industry, but it is important to focus on the benefits such a wide-reaching set of regulatory rules will inevitably result in. As another guest from our recent event put it: ‘the TSA is full of the latest and modern best practice around security, so the aim really is to raise the tide and all ships, which can only be a good thing.’
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
In November 2020, the Telecommunications (Security) Bill was formally introduced to the UK’s House of Commons by the department for Digital, Culture, Media & Sport. Now, after several readings, debates, committee hearings, and periods of consultation, the Telecommunications (Security) Act is quickly becoming reality for providers of public telecoms networks and services in the UK, going live on 1 October 2022. Here, we outline what exactly the requirements mean for these firms, and what they can do to prepare.
The Act outlines new legal duties on telecoms firms to increase the security of the entire UK network and introduces new regulatory powers to the UK Telecoms regulator OFCOM to regulate Public Telecommunications Providers in the area of cyber security. It place obligations on operators to put in place more measures around the security of their supply chains, which includes the security of the products they procure. The Act grants powers to the Secretary of State to introduce a so-called Code of Practice. It is this Code of Practice which contains the bulk of the technical requirements that operators must comply with. Those not in compliance face large fines (up to 10% of company turnover for one year).
Following the UK Telecoms Supply Chain review in 2018, the government identified three areas of concern that needed addressing:
Following the review, little did we know a major resilience test for the telecoms industry was about to face significant challenges brought on by the Covid-19 pandemic. Data released by Openreach – the UK’s largest broadband network, used by customers of BT, Plusnet, Sky, TalkTalk, Vodafone and Zen – showed that broadband usage more than doubled in 2020 with 50,000 Petabytes (PB) of data being consumed across the country, compared to around 22,000 in 2019.
There is no question the security resilience of the UK telecoms sector is becoming ever more crucial — especially as the government intends to bring gigabit capable broadband to every home and business across the UK by 2025. As outlined in the National Cyber Security Centre’s Security analysis for the UK telecoms sector, ‘As technologies grow and evolve, we must have a security framework that is fit for purpose and ensures the UK’s Critical National Telecoms Infrastructure remains online and secure both now and in the future’.
The legislation will apply to public telecoms providers (including large companies such as BT and Vodafone and smaller companies that offer telecoms networks or services to the public). More specifically to quote the Act itself:
As the requirements are long and varied and so the timelines to comply have been broken down to help organisations comply. The current Code of Practice expects Tier 1 providers to implement ‘the most straightforward and least resource intensive measures’ by 31 March 2024, and the more complex and resource intensive measures by 31 March 2025.
Tier 2 firms have been given an extra two years on top of the dates outlined above to reflect the relative sizes of providers. Tier 3 providers aren’t in scope of the regulatory changes currently but are strongly encouraged to use the Code of Practice as best practice. The Code of Practice also expects that these firms ‘must continue to take appropriate and proportionate measures to comply with their new duties under the Act and the regulations’.
The TSA introduces a range of new requirements for those in the telecoms industry to understand and follow. These will require a multi-year programme for affected organisations. An area of high focus for example will be on Third Party controls and managing the relationship with them.
However there are more common security requirements as well. From our work with many companies across many different industries, we know that establishing that users accessing corporate systems, data and applications are who they say they are is a key aspect of reducing risk by limiting the possibility of attacks coming in through the front door. This is a very real risk highlighted in Verizon’s 2022 Data Breaches Investigations Report, which states that around 82% of data breaches involved a human element, including incidents in which employees expose information directly or making a mistake that enables cyber criminals to access the organisation’s systems.
Therefore, one area to start to try and protect the organisation and take a step on the way to compliance is to build up authentication and secure access to systems, data and applications. However even this can take time to implement over large complex environments. It means gaining an understanding of all devices and ensuring there is a solid profile around them, so they can be reported on, attacks can be blocked and prevented, and access to applications can be controlled as needed.
We will be creating more information around the Act as we move closer to the deadlines, including part two of this blog where we will take a deeper dive into themes introduced by the bill, how it compare with other industries’ and jurisdictions’ cyber security initiatives, and explore what else the telecoms industry can do to improve its security posture.
We are also running an event in London on 13 October: ‘Are you ready for TSA?’ which will include peer discussions where participation is welcome on the TSA. If you are interested in attending, please register here.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels
Just like the myriad expanding galaxies seen in the latest images from the James Webb space telescope, the cybersecurity landscape consists of a growing number of security technology vendors, each with the goal of addressing the continually evolving threats faced by customers today. In order to be effective, cybersecurity tools have to be collaborative—be it sharing relevant threat intelligence, device & user insights, acting on detection and remediation workflows, and more.
We at Cisco Secure have embraced this concept for a while now with our continually growing ecosystem of multi-vendor technology integrations. At the RSA Conference 2022 earlier this year, Jeetu Patel, Cisco’s Executive Vice President and General Manager of Security and Collaboration, spoke of how the ‘cybersecurity poverty line’ is widening and how malicious actors are taking advantage of this gaping hole to unleash persistent attacks. It is imperative that cybersecurity vendors interact with and collaborate with each other to lower this gap. To do this, security vendors must adopt open ecosystems of APIs to easily integrate with each other to provide effective ways for mutual customers to defend and react to cybersecurity attacks.
Like in prior years, this fiscal year 2022 saw us growing to include new ecosystem partners and integrations. With 22 new partners and 51 new integrations in our ecosystem, Cisco Secure Technical Alliance (CSTA) now boasts over 450 integrations, including technical integrations with Cisco Duo and Cisco Kenna. This allows our mutual customers the freedom to implement the cybersecurity tools of their choice with the knowledge that these tools can integrate with each other if they need to, thus realizing a better return on investment in their cybersecurity spending and improving cybersecurity posture.
In this annual round-up of our ecosystem, we congratulate our new partners in CSTA and existing partners as well, who have either created new integrations across our portfolio or augmented existing ones. For more details on each partner integration in this announcement, please read through the individual partner highlights below.
Happy integrating!
The AlienApp for Cisco Secure Endpoint enables you to automate threat detection and response activities between USM Anywhere and Cisco Secure Endpoint. It also enhances the threat response capabilities of USM Anywhere by providing orchestration and response actions to isolate or un-isolate hosts based on risks identified in USM Anywhere. In addition, it allows you to collect hourly events from Cisco Secure Endpoint through the USM Anywhere Job Scheduler. Read more here.
AttackIQ automates the evaluation of Cisco Secure Endpoint against the tactic categories as outlined by MITRE ATT&CK. The AttackIQ and Cisco partnership and technical integration enables organizations to validate that the Cisco Secure Endpoint is deployed correctly and configured optimally, ensuring protection for your endpoints against the latest threats. Read more here.
With Certego Tactical Response for Cisco Secure Endpoint, monitored endpoints are monitored by the Certego PanOptikon SOAR platform. When Certego IRT detects malicious activities on a specific host in the customer’s network, it can isolate compromised hosts to block the attack, even without requiring the user to access the Cisco Secure Endpoint Console. Read more about the Certego here.
Cisco Secure Endpoint is now certified for the ServiceNow ITSM San Diego release. The Cisco Secure Endpoint App on ServiceNow provides users with the ability to integrate event data from the Cisco Secure Endpoint into ServiceNow by creating ITSM incidents. The app automates the collection of events from Cisco Secure Endpoint and groups them into single incidents. Read more here.
FAMOC manage from Techstep, a Gartner-recognized MMS provider, is an MDM designed to give IT a complete view and absolute control over mobile devices used by the workforce, so that people can work more effectively and securely. With the Cisco Security Connector for iOS integration, FAMOC MDM extends its enterprise mobility management with an extra layer of network security and traffic analysis tool, giving IT admins tools to make actionable decisions and design access control policies. Read more here.
Elastic Security now supports event ingestion from Cisco Umbrella, providing visibility into user activity and attempts to access potentially malicious domains. This new integration supports Umbrella proxy, cloud firewall, IP, and DNS logs. This integration enables security analysts to detect threats and visualize Cisco Umbrella data, and also correlate Umbrella events with other data sources including endpoint, cloud, and network. This integration expands on Elastic’s on-going expansion of Cisco integrations including ASA, Nexus, Meraki, Duo and Secure Firewall Threat Defense. Read more here.
FortiSIEM brings together visibility, correlation, automated response, and remediation in a single, scalable solution. It reduces the complexity of managing network and security operations to effectively free resources, improve breach detection, and even prevent breaches. Read more here.
Hunters ingests Cisco Umbrella log and alert information into our SOC Platform; the Platform then correlates that information with all of the other (vendor agnostic) customer security telemetry, including EDR, Identity and Cloud/Network log data, in the customer’s infrastructure to synthesize and detect incidents with a higher fidelity than any single tool alone can produce. Read more here.
LearnSafe equips school leaders (K-12) with evidence-based information to better understand which students are exhibiting behavioral issues and in need of help based on what they are using, saying, and doing on the school-owned computer. With Cisco Umbrella, LearnSafe administrators are able to block access to domains their students should not be accessing. Read more here.
The Cisco Umbrella solution for Microsoft Azure Sentinel is now live! This integration enables your customers to ingest Cisco Umbrella events stored in Amazon S3 into Microsoft Sentinel using the Amazon S3 REST API. Read more here.
Sumo Logic’s cloud-native collector supports automatic ingestion of logs from Cisco Umbrella’s hosted AWS S3 buckets. Data collected from Umbrella can then be routed to Sumo’s Cloud SIEM, where it is then automatically normalized and applied to our rule’s engine. Several built-in rules for Umbrella have been created that, when triggered, will generate security signals in the platform. These and other security signals are then clustered together based on related entities (IP, email, domain name, URL, etc.) to create insights for review by the SOC. Read more here.
The Secure Firewall team and Alkira have validated Secure Firewall (Virtual) Version 7.1 to run on Alkira’s cloud network as-a-service (CNaaS) platform. The solution offers on-demand hybrid and multi-cloud connectivity, integrated network and security services, end-to-end visibility, controls and governance. Read more here.
The Secure Firewall team has validated Cyware’s STIX 1.2 threat intelligence feed for interoperability with Secure Firewall’s Threat Intelligence Director. Customers can quickly operationalize the inbound data to protect the network from the latest threats. Read more here.
Dragos protects critical infrastructure and has joined the CSTA program. Dragos inventories assets, determines risk and vulnerabilities and generates firewall policy objects that administrators can apply to their Cisco Secure Firewall deployment through its REST API. Read more here.
The Secure Firewall team and Equinix have validated Secure Firewall (Virtual) to run on Equinix’s Network Edge as a Service platform. Equinix Fabric allows you to connect digital infrastructure and services on demand via secure, software-defined interconnection (Ecosystem). Read more here.
Fastvue has joined the CSTA program. The Fastvue Site Clean engine intelligently interprets Cisco Secure Firewall log data so that non-technical employees can easily see what people are actually doing online. The data use to keep companies compliant with workplace and school policies. Read more here.
Alef Nula has developed a new integration with ISE. The Alef Nula Identity Bridge consumes identity updates published by pxGrid and serves them to ASA firewalls using the CDA/Radius protocol. Using pxGrid v2.0, it replaces unsupported Cisco CDA and allows ASA firewalls to become an identity consumer of ISE context. It can read the full identity database and can update registered ASA firewalls in Full Download mode. Read more here.
Forescout’s pxGrid Plugin integrates with existing Cisco ISE deployments so that you can benefit from Forescout visibility and assessment for policy decisions, while continuing to use ISE as an enforcement point. The pxGrid Plugin enables Forescout platform policies to detect ISE-related properties on endpoints, and to apply Cisco ISE ANC policies, including policies that assign Security Groups to devices. Read more here.
FortiManager provides automation-driven centralized management of Fortinet devices from a single console, enabling full administration and visibility of your network devices through streamlined provisioning and innovative automation tools. FortiManager dynamically collects updates from Cisco ISE with pxGrid and forwards them to FortiGate using the Fortinet Single Sign On (FSSO) protocol. This enables the use of session information collected by Cisco ISE to be leveraged in FortiOS security policies. Read more here.
Radiflow provides OT ICS policy creation and enforcement with the Radiflow iSID IDS. They recently completed a new integration with ISE leveraging pxGrid. With this integration Cisco ISE receives enriched data of OT devices from Radiflow iSID and will process it according to the profiles and policies which have been configured. Enriching ISE with OT specific insights available with iSID’s DPI engine enables better decision making within ISE by providing additional context to categorize devices by their type/function within the OT environment. Read more here.
XTENDISE is a simple web application connected to Cisco ISE. It is designed for administrators, helpdesk, operators or anyone who needs to work with ISE and helps them with everyday routine tasks related to 802.1X without the need to train them in Cisco ISE. XTENDISE saves administrators’ time, prevents errors and increases network security. Read more here.
The Cisco Secure Malware Analytics Add-On for Splunk leverages the Threat Grid API to enrich events within Splunk. The add-on is now updated for Splunk 8 and is available on Splunkbase. Read more here.
Censys now has an integration with SecureX threat response, which returns Sightings of IP and IPv6 Observables (IOCs) in an investigation. Read more about the Censys relay module here.
The new Exabeam integration empowers users to investigate an observable and determine if it is contained in a log message stored in Exabeam Fusion SIEM Data Lake. It provides users with the date and time the observable was seen in the log, the forwarder that sent the log, and the raw log messages. When you pivot into Exabeam and search for an observable in all the log messages, the results of the search are displayed in the Exabeam UI. This integration allows you to query IPv4, IPv6, SHA-1, SHA-256, MD5, domain, URL, file path, user and email data types and it returns sightings of an observable from each log message. Read more here.
The LogRhythm integration empowers users to investigate an observable and determine if it is contained in an event stored in LogRhythm. It provides users with the date and time the observable was seen in the event and the raw event data. This integration allows you to query IPv4 and IPv6 data types and it returns sightings of an observable from each event. Read more here.
A proof-of-concept integration with RSA NetWitness SIEM was built for the RSAC SOC and Black Hat NOCs. The SecureX Concrete Relay implementation using NetWitness as a third-party Cyber Threat Intelligence service provider. The Relay itself is just a simple application written in Python that can be easily packaged and deployed. Read more here.
Cisco SecureX threat response integration with SecOps is now certified for the ServiceNow San Diego release. The module allows ServiceNow SecOps to leverage the Verdicts, Refer and Response capabilities provided by SecureX threat response to assist the security analyst in their investigation workflow. Read more here.
The Sumo Logic Cloud SIEM integration provides security analysts with enhanced visibility across the enterprise to thoroughly understand the impact and context of an attack. Streamlined workflows automatically triage alerts to maximize security analyst efficiency and focus. This integration indicates to users that the observable in an investigation is contained in an insight and/or signal within Sumo Logic Cloud SIEM. It allows you to query IPv4, IPv6, SHA-1, SHA-256, MD5, domain, and URL data types. It also returns sightings and indicators of an observable from each insight and signal retrieved from Sumo Logic Cloud SIEM. Read more here.
APIVoid provides JSON APIs useful for cyber threat analysis, threat detection and threat prevention. The following APIVoid atomic actions for SecureX Orchestration Workflows are now available: Get Domain Reputation, Get IP Reputation, Get URL Reputation, Get URL Status. Access the workflows here.
Censys is a company that allows users to discover the devices, networks, and infrastructure on the Internet and monitor how it changes over time. SecureX orchestration atomic actions for Censys is now available and includes: Basic Search. Access the workflows here.
This integration radically reduces the time and resources enterprises spend to detect, investigate, and remediate ransomware threats to data. It empowers SecOps, ITOps and NetOps with visibility and automation to collaborate in countering ransomware — regardless of whether data resides on-premises or in the cloud — delivering enterprise-wide confidence in deterring, detecting, and recovering fast from cyberattacks. Cohesity’s next-gen data management enhances Cisco SecureX by adding visibility and context to data, complementing Cisco’s existing capabilities for networks, endpoints, clouds, and apps. Read more here.
SecureX orchestration atomic actions for workflows are now available for Farsight Security DNSDB. They include various items like DKIM key inspections, DNS Resource Records and more. Access the workflows here.
SecureX orchestration workflows for Fortinet FortiGate are now available: Block URL, IP and Domain Threat Containment. Access the workflows here.
SecureX orchestration workflows for Jamf Pro include: Lock Computer, Lock Mobile Device. Access the workflows here.
SecureX orchestration workflows for Palo Alto Networks Panorama are now available: Block URL, IP, Domain Threat Containment. Access the workflows here.
A new Orchestration action provides top MacOS IR Indicators to ServiceNow This workflow runs multiple Orbital queries on the endpoint provided to look for top incident response indicators of compromise. The results are then posted to a ServiceNow incident. Supported observables: ip, mac_address, amp_computer_guid, hostname. Access the workflow here.
Shodan is a database of billions of publicly available IP addresses, and it’s used by security experts to analyze network security. SecureX orchestration atomic actions for Shodan include: Basic Search. Access the workflows here.
Earlier this year we announced SecureX Device Insights which provides comprehensive endpoint inventory in a single unified view. Endpoint searching and reporting allows you to assess device security configuration on employee-owned, contractor-owned, company owned, and IoT/OT devices—without risking business disruption. With Device Insights you can
Device insights supports the following third-party sources in its initial release: Jamf Pro, Microsoft Intune, Ivanti MobileIron and VMware Workspace ONE (formerly AirWatch).
Bitglass’ Next-Gen CASB provides data protection, threat protection, access management, and visibility, while Duo offers identity verification options like SSO and MFA. The Duo and Bitglass integration provide a synergistic solution that funnels traffic through Duo’s SSO and verifies users via its MFA so Bitglass can deliver real-time data loss prevention and granular adaptive access control. Because of Bitglass’ agentless architecture, the joint solution can secure any app, any device, anywhere. Read more about the integration here. A joint solution brief is also available here.
Cmd helps companies authenticate and manage user security in Linux production environments without slowing down teams — you don’t need to individually configure identities and devices. Cmd integrates with Duo to put 2FA checkpoints into Linux-based data centers and cloud infrastructure. The combination of Cmd and Duo enables development teams to run at the modern, agile pace they are accustomed to without any security-induced slowdowns. Read more here.
Darktrace is an AI-native platform that delivers self-learning cyber defense and AI investigations and seamlessly integrates with other tools via an open and extensible architecture. Darktrace’s Security Module for Duo provides coverage over access, user sessions and platform administration within the Duo platform. Read more here.
Dashlane is a password manager that now supports Duo using Duo SSO. The integration lets IT Administrators easily deploy Duo + Dashlane and set up access policies. End users can easily access Dashlane and their passwords with SSO from Duo. Read more here.
HashiCorp Vault is an identity-based secrets and encryption management system. A secret is anything that you want to tightly control access to, such as API encryption keys, passwords, and certificates. Add another layer of protection and protect access to secrets within HashiCorp Vault with Duo Security MFA. Read more here. A recording of the Cisco Duo + HashiCorp webinar is available to view here.
Oort discovers vulnerabilities across an entire user population (or a segment of it). Trigger notifications related to behavioral anomalies or best practices, or policies not being followed. Oort integrates with Duo for identity analytics and threat detection to provide a complete picture of the user behavior and highlight any anomalous activity or identify risks. Read more here.
Perimeter 81 simplifies cyber and network security for the hybrid workforce, ensuring secure access to local networks, applications, and cloud infrastructure. Their integration with Duo provides protection for administrators and end-users who need to log in to Perimeter 81. Read more here.
Specops Software, a leading provider of password management and authentication solutions, protects businesses by securing user authentication across high-risk tasks including account unlocks and password recovery via self-service or the IT service desk. Organizations can extend Duo authentication to secure user verification across these use cases. Read about the integration here. A blog on the integration is also available here.
Sectona is a Privileged Access Management company that delivers integrated privilege management components for securing dynamic remote workforce access across on-premises or cloud workloads, endpoints, and machine-to-machine communication. Duo’s secure access multi-factor authentication can be used to ensure that each user authenticates using multiple methods (factors) while accessing Sectona Privileged Access Management. Read more here.
We’d love to hear what you think. Ask a Question, Comment Below, and Stay Connected with Cisco Secure on social!
Cisco Secure Social Channels