Category Archives: Cisco


Cisco and IBM collaborate to increase security effectiveness

Category : Cisco

On May 30, 2017, Cisco and IBM Security announced a key relationship to address the rising tide of security threats and the need to respond rapidly. Cisco and IBM Security will work together to offer specific product integrations, a managed security service provider (MSSP) roadmap, and threat intelligence collaboration programs.

The relationship focuses on making security simpler and more effective and is a reflection of each company’s commitment to openness and interoperability. Together, Cisco and IBM are focused on reducing the time to detect and mitigate threats, giving you integrated tools to automate threat response with greater speed and accuracy.

What are the offerings?

Here’s a closer look at the three pillars of the relationship:

1. Product integrations

Both organizations are building integrations across their product portfolios. Cisco is building new apps for the IBM QRadar SIEM platform, which helps security teams understand and respond to advanced threats. A variety of Cisco® security solutions will increase the effectiveness of IBM QRadar® over time, with data from networks, endpoints and the cloud. IBM, in turn, is building extensions into Resilient and X-Force Exchange to include Cisco products and intelligence data.

The first three apps focus on integrations with Cisco Firepower® technology, Cisco Threat Grid and Cisco Identity Services Engine (ISE), and will be available on the IBM Security App Exchange.

Meanwhile, IBM is building extensions into Resilient and X-Force Exchange to include Cisco products. Resilient and X-Force Exchange will be able to ingest Cisco Threat Grid content.

2. Services

The IBM End to End Outsourcing and Managed Security Services team is working with Cisco to deliver new services aimed at further reducing complexity. As enterprise customers manage their equipment on premises and in a datacenter, they are also looking to migrate their security infrastructure to public and private cloud providers. IBM Security will provide outsourcing and managed security services to support Cisco security platforms in leading public cloud services as well as legacy on-premises and datacenter environments.

Cisco and IBM Security customers will be able to consume these solutions in a way that complements their existing architecture. Customers will be able to build and manage their own integration, working with a trusted channel partner common to both IBM and Cisco, as well as deploy a full turnkey managed solution supported by IBM Security Services.

3. X-Force and Talos research collaboration

We have also established a new relationship between the IBM X-Force and Cisco Talos security research teams, who now share threat intelligence research and coordinate around major cybersecurity incidents. Shared intelligence also means enhanced performance of security products, and richer outcomes such as reduced time to detect.

For example, Cisco and IBM threat research teams collaborated on defending against the WannaCry ransomware attack. IBM and Cisco researchers coordinated their actions and exchanged insights into how the malware was spreading. Afterward, they continued the joint investigation to provide clients and the industry with the most relevant information.

What’s new and what’s next?

Product integrations will become available in the coming weeks, starting with the Cisco Firepower NGIPS, NGFW and Threat Grid apps. The Cisco ISE app will follow in the late fall and additional apps will become available later in 2017 and beyond. We are excited that the IBM Security team is working closely with Cisco product teams, and we hope to highlight this collaboration in future promotions from both companies including blogs and webinars.

Another important announcement

Today, IBM announced its intention to stop selling its Intrusion Prevention System (IPS) solution, the IBM QRadar Network Security (XGS) product line. This decision will take effect on December 31, 2017. However, current customers will be supported for a full five years through December 31, 2022.

IBM’s decision was based on an analysis of market conditions, competitiveness, strategic fit and it also reflects IBM’s belief in the strength and value of our partnership. When IBM XGS customers look to refresh their network security defenses, IBM’s sales organizations will introduce Cisco’s Firepower NGIPS and Firepower NGFW solutions.

More information on the Cisco and IBM security alliance is coming soon.

Visit our Cisco Firepower page to learn more about Cisco’s industry leading NGIPS.


Author: Dov Yoran 


Deep Dive into AMP and Threat Grid integration with Cisco Email Security

Category : Cisco

In our previous blog posts about AMP and Threat Grid on Cisco Email Security, we discussed the approach to email security that organizations can take to protect themselves against advanced threats. We also discussed the components of the solution and how they work together to protect customers from the number one threat vector. As mentioned in Cisco’s 2017 Midyear Cybersecurity Report, email continues to be a primary delivery method for ransomware and other malware, so defenders should stay focused on addressing this risk before it becomes impossible to manage.

In this blog post, we dive deeper and explain the workflows of the AMP and Threat Grid integration with Cisco Email Security (this applies to both Cloud Email Security and the on-premises Email Security Appliance), and help administrators refine the security posture of their organizations. Let’s start with a quick recap of how file reputation, file analysis and file retrospection work together in general.

The File Reputation service makes it possible to capture a file on a network, email or web gateway or on the endpoint, calculate its hash and query the AMP cloud for a disposition: either clean, malicious or unknown. Malicious and clean files are normally not subject to additional investigation, and a policy action can be taken accordingly. Unknown files are where we want to provide additional analysis; we do so by taking the file out of the network and uploading it to the File Analysis service, Threat Grid. Threat Grid applies both static and dynamic analysis techniques and records the results of file execution in a human-readable analysis report. It also issues an overall threat score. Together, the two help determine how likely it is that the file is malicious. The AMP cloud may be updated with the analysis results from Threat Grid, which can lead to the AMP cloud changing the disposition of a given file. Cisco Talos also constantly pushes intelligence about the files it analyzes into the AMP cloud, which complements AMP’s global intelligence. This can trigger retrospective events that notify customers about every location where these files were seen on their network, whether by a network or content gateway or by the endpoint, depending on where the AMP license is deployed. What’s important to remember is that the authoritative source for convicting a file is the AMP cloud, not Threat Grid.

Now let’s apply the concepts we have just reviewed to the Cisco Email Security solution (referred to as “ESA” from here on). AMP is the name of an add-on license for Cisco ESA, which brings:

  • the capability to run file reputation queries on attachments against the AMP cloud
  • the capability to submit unknown attachments that meet the criteria to Threat Grid
  • the capability to receive retrospective notifications from AMP in case of a disposition change

So, where do those capabilities sit in the ESA workqueue?

Assuming the message wasn’t blocked by the preceding ESA inspection layers (sender reputation, message filters, multiple anti-spam engines, multiple anti-virus engines), the message arrives at the AMP and Threat Grid inspection point.

AMP File Reputation Workflow

In the first phase, ESA attempts to derive the disposition of the attachment from AMP. Let’s break down the exact steps ESA takes in this phase.

When a message with an attachment reaches AMP after anti-virus scanning, ESA attempts to parse the attachment out of the message by checking the message headers for compliance with RFC 2045. Even if the message is not fully compliant, ESA still makes a best effort to parse the attachment. The next step is to check whether the attachment is an archive file and, if so, attempt to unpack it. If any of these steps fails, for example because of format errors or file corruption, the configurable policy for unscannable attachments takes effect.

The files (along with the original compressed archive, if applicable) are then sent to the next step: checking the internal ESA AMP cache to see whether a disposition for this file was already queried in the past and can now be derived from cache. On a side note, a useful addition in ESA 11.0 is the ability to configure the file reputation cache time to live, giving administrators more granular control over cache usage. If the cache doesn’t contain an entry for the file, ESA queries the AMP cloud (public or private) for the file reputation, which returns a verdict: either clean, malicious or unknown. Clean files continue through the ESA workqueue for graymail detection, content filtering and outbreak filtering, if configured. Malicious files are processed according to the configured policy. Keep in mind that if an archive contains multiple files and even one of them is malicious, the entire archive and message are treated as malicious. Attachments with an unknown disposition are treated differently: the AMP cloud may request that they be uploaded to Threat Grid. This happens when file analysis results for the attachment are not available in the AMP cloud, meaning they were not shared by Threat Grid in the past, most likely because the attachment was never analysed in Threat Grid. Such files proceed to the next phase.

File Upload Criteria Workflow

In the second phase, ESA performs a couple of checks to see whether the unknown file meets the upload criteria and contains suspicious content that could turn out to be malicious.

ESA first checks whether a file meets the following criteria:

  • supported file type – when configuring File Analysis, the ESA administrator selects the desired file types
  • size below the file size threshold defined by Threat Grid

If both criteria are met, the attachment continues to the next step, the ClamAV pre-classification check. This step determines whether the file contains dynamic content and object streams, such as macros, embedded executables or Flash. It ensures that only files that could possibly be malicious are uploaded to Threat Grid, while files that have no chance of being malicious are not uploaded and do not consume the file upload limits unnecessarily.

If either the upload criteria or the pre-classification check is not satisfied, the message continues through the workqueue without the file being uploaded to Threat Grid. If both are satisfied, ESA proceeds to the next phase.

Threat Grid File Analysis Workflow

In the third phase, more validations are performed before ESA finally uploads the attachment for analysis to Threat Grid. Let’s have a look at the workflow.

In this phase, the first couple of steps for ESA are to check whether the local file upload queue is full or not and whether Threat Grid (public or appliance) is reachable. If either of these conditions is not met, the attachment is not sent for analysis and the message continues through ESA workqueue (Content Filters and Outbreak Filters). Assuming the local upload queue is not full and Threat Grid is reachable, ESA proceeds by placing the associated message into File Analysis quarantine and by checking whether the attachment was already uploaded to Threat Grid by another device (for example, another ESA). If that’s the case, a duplicate will not be uploaded for analysis again. Alternatively, if the attachment is not yet known to Threat Grid, ESA would proceed and submit the file for analysis. This time it’s up to Threat Grid to check if the sample upload limit was reached. If that’s the case, Threat Grid discards the request and the associated message is released from quarantine. Customers can easily add more daily sample submissions to Threat Grid through Sample Packs or Premium subscription.

If the upload limit wasn’t reached, the file gets accepted and queued by Threat Grid. Simultaneously, ESA adds a record of the SHA256 of this file to its internal database (where it’s kept for up to 12 hours) and starts periodically querying if the analysis was complete, until it receives a positive response back from the File Analysis service. If there is no “file analysis complete” message from Threat Grid within 12 hours and if the File Analysis quarantine was configured to hold the message that long, the SHA256 ages out and ESA releases the message from quarantine to the workqueue. Alternatively, once Threat Grid analysis is complete, the results of this analysis are added to the AMP cache on ESA. At the same time, Threat Grid shares this information with the AMP cloud, so that other AMP and Threat Grid integrated devices on the network can take advantage of the new intelligence. Threat Grid cloud can share analysis results with AMP public cloud and Threat Grid appliance can share results with AMP private cloud, but not the other way around.

Along with the AMP cache update on ESA and the intelligence sharing between Threat Grid and AMP clouds, the associated message with an attachment is released from File Analysis quarantine. Further workqueue rescanning would skip the File Analysis workflow, since File Reputation query would use the updated AMP cache to derive a disposition for this file. Even if ESA still derives an ‘unknown’ disposition from cache, the upload to File Analysis service wouldn’t happen again, since the file is already known to Threat Grid.

It’s important to keep in mind that either ESA or the AMP cloud convicts a file based on the threat score returned after analysis. Threat Grid itself does not convict files or assign dispositions directly, which is one of the reasons customers sometimes see significant numbers of unknowns.

Retrospective Verdict

File verdicts can change as new information emerges; we’ve mentioned that the AMP cloud can change file dispositions based on Talos analysis and on Threat Grid analysis. Cisco ESA constantly stays in touch with the AMP cloud by sending a periodic Heartbeat message, which also asks the cloud whether the dispositions of any files that were sent through ESA have changed. If there was indeed a disposition change for a file that passed through AMP and Threat Grid inspection on ESA, the solution alerts the administrator with the details necessary to go back and perform a proper investigation. The notification includes information about the message and the attachment, such as subject, sender and recipient, file name and hash, and the new disposition.
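To make the ordering of the three phases and the retrospective check concrete, here is an added Python model of the workflow described above. It is illustration code, not Cisco’s implementation or anything from the original post; the class names, the 90-point conviction threshold, the 10-entry upload queue, the daily sample limit and the size threshold are constructed assumptions, and the 12-hour quarantine age-out is left out.

```python
import hashlib
from dataclasses import dataclass, field

CLEAN, MALICIOUS, UNKNOWN = "clean", "malicious", "unknown"

@dataclass
class Attachment:
    data: bytes
    file_type: str
    active_content: bool = False                 # ClamAV pre-classification: macros, embedded EXE, ...
    members: list = field(default_factory=list)  # unpacked archive members, if this is an archive

@dataclass
class AmpCloud:
    dispositions: dict = field(default_factory=dict)  # sha256 -> disposition
    convict_score: int = 90                           # constructed threshold applied to Threat Grid scores

    def query(self, sha):
        return self.dispositions.get(sha, UNKNOWN)

@dataclass
class ThreatGrid:
    max_size: int = 50 * 1024 * 1024             # constructed size threshold
    daily_limit: int = 100                       # constructed daily sample limit
    reachable: bool = True
    submitted: int = 0
    pending: set = field(default_factory=set)    # uploaded by any device, analysis still running
    completed: set = field(default_factory=set)  # analysis finished, results shared with AMP

@dataclass
class Esa:
    supported_types: set
    queue_capacity: int = 10
    cache: dict = field(default_factory=dict)     # local AMP cache: sha256 -> disposition
    upload_queue: list = field(default_factory=list)
    quarantine: set = field(default_factory=set)  # message ids held in File Analysis quarantine

def sha256(att):
    return hashlib.sha256(att.data).hexdigest()

def reputation(esa, cloud, att):
    """Phase 1: answer from the local AMP cache if present, otherwise query the AMP cloud."""
    sha = sha256(att)
    if sha not in esa.cache:
        esa.cache[sha] = cloud.query(sha)
    return esa.cache[sha]

def meets_upload_criteria(esa, tg, att):
    """Phase 2: supported type, within the size threshold, and pre-classified as dynamic content."""
    return (att.file_type in esa.supported_types
            and len(att.data) <= tg.max_size and att.active_content)

def process_message(esa, cloud, tg, msg_id, att):
    """Run one message with one attachment through all three phases; return the action taken."""
    files = [att] + att.members                  # the archive itself plus every unpacked member
    verdicts = {sha256(f): reputation(esa, cloud, f) for f in files}
    if MALICIOUS in verdicts.values():
        return "blocked"                         # one malicious member convicts archive and message
    candidates = [f for f in files if verdicts[sha256(f)] == UNKNOWN
                  and meets_upload_criteria(esa, tg, f)
                  and sha256(f) not in tg.completed]  # already analysed: never uploaded twice
    if not candidates:
        return "delivered"                       # clean, or unknown but not worth analysing
    # Phase 3: the local upload queue and Threat Grid reachability gate the upload.
    if len(esa.upload_queue) >= esa.queue_capacity or not tg.reachable:
        return "delivered"
    esa.quarantine.add(msg_id)
    for f in candidates:
        sha = sha256(f)
        if sha in tg.pending:
            continue                             # another device already uploaded it; no duplicate
        if tg.submitted >= tg.daily_limit:
            esa.quarantine.discard(msg_id)       # Threat Grid discards the request; message released
            return "delivered"
        tg.submitted += 1
        tg.pending.add(sha)
        esa.upload_queue.append(sha)
    return "quarantined"

def analysis_complete(esa, cloud, tg, msg_id, sha, threat_score):
    """Threat Grid returns a score; the AMP cloud (not Threat Grid) turns it into a disposition,
    ESA refreshes its cache and releases the quarantined message."""
    tg.pending.discard(sha)
    tg.completed.add(sha)
    verdict = MALICIOUS if threat_score >= cloud.convict_score else UNKNOWN
    cloud.dispositions[sha] = verdict
    esa.cache[sha] = verdict
    esa.upload_queue = [s for s in esa.upload_queue if s != sha]
    esa.quarantine.discard(msg_id)
    return verdict

def heartbeat(esa, cloud):
    """Retrospective verdict: report every cached disposition the AMP cloud has since changed."""
    alerts = []
    for sha, cached in list(esa.cache.items()):
        current = cloud.query(sha)
        if current != cached:
            esa.cache[sha] = current
            alerts.append((sha, cached, current))
    return alerts
```

Running two `Esa` instances against one shared `ThreatGrid` shows the duplicate-upload suppression and, after `analysis_complete`, the second appliance learning the new disposition only through `heartbeat`.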

The best way to understand how AMP and Threat Grid inspection works on your Cisco Email Security solution is to review the reports presented in the user interface and to follow the traces in the AMP Engine logs. Together, this information gives Email Security administrators a clear picture of how the File Reputation and File Analysis services work.

Securing your organization from advanced email-based threats is not an easy task and requires a multi-layered approach with all the inspection layers tightly working together and complementing each other. Make sure to always include Threat Grid Premium subscription with your AMP on Cisco Email Security evaluations to get access to Threat Grid cloud portal for manual file and URL uploads, extensive reporting, API for further integrations and premium threat intelligence feeds. To learn more about the integration of AMP and Threat Grid with Cisco Email Security solution, review the additional resources below:

AMP and Threat Grid Integrations with Email, Web and Endpoint Security – Cisco Live

Enabling AMP on Content Security products – Best Practices

AMP and Threat Grid on Cisco Email Security – Chalk Talk

AMP Engine Logs


Author: Evgeny Mirolyubov


The Real IoT Opportunity for Enterprises? A Chance to Address Security Risks Head On

Category : Cisco

When business leaders think about the Internet of Things (IoT), they tend to focus on the potential opportunities for the enterprise and give far less attention to security risks. That’s a mistake. So, too, is believing that the IoT is only a concept on the distant horizon. The IoT already exists and is expanding rapidly. In fact, according to Gartner, at the end of 2016 more than 6 billion Internet-connected devices were in use worldwide; the research firm projects that by 2020, the number will exceed 20 billion.

To underscore the realness of the IoT, and why it’s critical for organizations not to dismiss IoT security risks, just consider what’s happening in the threat landscape. First, IoT botnets, and their population, are growing larger every day. And IoT-driven DDoS attacks of significant power—over 1 TBps—are actually last year’s news. (The Cisco 2017 Midyear Cybersecurity Report, which features IoT botnet research, discusses these developments in detail.)

So, the IoT and IoT-related threats are very real. A massive compromise of IoT devices has the potential to severely disrupt not only organizations, but also the Internet itself. Fortunately, we are still in the early days of the IoT, which means there’s still time for defenders to do their part to help secure it.

Martin Lee summed up the unique but fleeting security opportunity that the IoT presents to defenders in a recent blog post: “As the world builds the infrastructure and deploys the devices that comprise the IoT, we as a society have the opportunity to apply the decades of good practices learned as part of the development of the Internet—including painful lessons about the importance of security.”

A top priority for all enterprises: more visibility

In the Cisco 2017 Midyear Cybersecurity Report, we outline several of the “good practices” that security teams should apply to IoT devices. Implementing patches promptly and employing IPS defenses are just two of our recommendations. These devices are computers and, therefore, require the same security measures as any other networked machine. But IoT devices typically lag well behind desktops in security capabilities and have vulnerabilities that can take months or years to resolve, with some never being addressed at all.

The top IoT security priority for any organization, though, should be gaining visibility into their budding IoT environment. This is a critical first step to IoT security. Enterprises need to know what IoT devices are connected to their network today and study how they are behaving.

If organizations have no idea what computers, of any size or type, are on their network, what those computers are touching, how they’re interacting with other devices, and what their normal network traffic patterns are, then they can’t even begin to secure their network. And that lack of visibility will only get worse as the number of IoT connections grows exponentially over time, and as IT and operational technology (OT) systems become increasingly integrated. Without visibility, IoT devices offer our adversaries a safe haven inside our network: a place to observe, plan, and carry out future attacks.

Defenders must act now to address IoT security, or risk repeating critical mistakes that we made when building the Internet. This time, we all know better.

Borrowing again from my colleague’s blog post: “For businesses and consumers to truly embrace the convenience and power of IoT, they must feel fully confident that we’re building IoT with security foremost in mind.” For organizations, gaining that confidence will hinge on developing a proactive approach to security and a layered defense strategy—and understanding that every insecure IoT device, large or small, connected to their corporate network creates a security gap for attackers to exploit.

Read more about IoT-related threats and other security trends in the Cisco 2017 Midyear Cybersecurity Report.


Author: Craig Williams


The Weather Report: Seamless Campaign, LuminosityLink RAT, and OG-Miner!

Category : Cisco

In our first ever Cisco Umbrella Security Weather Report, we break down the Seamless Exploit Kit Campaign and discuss the LuminosityLink Remote Access Trojan and Open Graphiti Miner!




Cisco Cybersecurity Report, Exploit Kits Down, Email Malware Up

Category : Cisco

Cisco released its 2017 mid-year cybersecurity report showing some important trends in corporate cybersecurity, including a decline in use of exploit kits, a rise in IoT botnets and destruction of services campaigns, and the return of email spam as an effective attack vector.

Exploit Kits Are Fading Into The Background

According to Cisco’s cybersecurity report, three of the main exploit kits–Angler, Nuclear, and Neutrino–abruptly vanished from the landscape last year. Neutrino returned eventually, but in the form of a subscription service for attackers, rather than as an exploit kit that’s available as a one-time purchase.

What this “service” means for the landscape is that the attacks are more controlled, so they’re harder to detect, while at the same time smaller crime groups get a chance to use it, too, for a lower subscription cost. However, Cisco said that overall exploit kit activity has been declining dramatically since January 2016.

According to the company, reasons for the decline include the arrest of the Angler exploit kit author, as well as a faster update cycle for previously more vulnerable software platforms such as Flash, web browsers, and Windows, which gained automatic updates with the launch of Windows 10.

Network security research firm Qualys found that it took companies, on average, 308 days to patch 80% of Flash vulnerabilities in 2014, whereas it took them only 62 days in 2016. Exploit kit developers now find that they have to chain together multiple exploits in order for their attacks to be successful.

Cisco’s own research also found that the time it takes to detect a data breach inside a company’s network has been reduced from 39 hours in 2015 to about 3.5 hours for the period from November 2016 to May 2017.

However, Cisco warned that companies should remain vigilant. Although the exploit kit landscape may remain dormant for now, the tools have already been created, and they could be re-activated with the appearance of new major vulnerabilities in popular platforms. If companies allow too much time to pass between the discovery of a major vulnerability and fixing it, then the exploit kit market could once again become lucrative.

Email Spam Is Back

As exploit kit activity has decreased, email spam and malware seem to have made a comeback. Malicious hackers use email as a delivery method for their ransomware and other types of malware. The Cisco researchers anticipate that the volume of email spam will continue to rise as the exploit kit landscape remains in flux. Through email, attackers can also gain entrance to more privileged areas of an organization’s network, from which they can do more damage.

According to Cisco, business email compromise (BEC) is the #1 threat in organizations, even though this type of attack is not as high-profile as ransomware attacks tend to be these days. A BEC campaign involves having an attacker request funds from a financial employee using spoofing to appear as if the request is a legitimate one.

Attackers have siphoned $5.3 billion from companies between 2013 and 2016 using this tactic, compared to only $1 billion gained through ransomware in 2016, according to the Internet Crime Complaint Center.

Ransom Denial Of Service (RdOS)

Some cybercriminal groups, such as the Armada Collective, leverage the threat of a DDoS attack to demand a ransom from companies. A “demo” attack usually follows the request to show that they mean business.

According to Cisco, nearly half (49%) of the researched companies received a ransom note in 2016, a number that seems striking. The Armada Collective typically asks for 20 Bitcoins as ransom, although other groups may ask for less or more.

Destruction Of Services

Destruction Of Services (DeOS), a term coined by Cisco, seems to be on the rise, as well. Over the past year, Cisco has observed attackers building IoT botnet capabilities that can later be used to disrupt services. We’ve also seen with the recent NotPetya attack that some actors, especially some nation-states, may not be interested in obtaining ransom money, but in destroying or disabling certain infrastructure.

IoT Botnets

As proven last year by the DynDNS attack, as well as other major DDoS attacks, we now seem to be in the age of terabit-per-second DDoS attacks enabled by hundreds of thousands or millions of infected Internet of Things (IoT) devices.

The open source Mirai botnet, as well as the severe lack of security or a proper automatic update mechanism for the vast majority of IoT devices, has led to attack campaigns that can be set up and launched with over 100,000 infected devices within a day.

Cisco recommended the following actions for companies looking to defend themselves against attacks targeting their IoT networks:

  • Keep older signatures active
  • Surround IoT devices with IPS defenses
  • Closely monitor network traffic (this is especially important to do in IIoT environments, where network traffic patterns are very predictable)
  • Track how IoT devices are touching the network and interacting with other devices (for example, if an IoT device is scanning another device, that is likely a red flag signaling malicious activity)
  • Implement patches in a timely manner
  • Work with vendors that have a product security baseline and issue security advisories
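The visibility advice in this list, and in the IoT post earlier on this page (know what your devices touch, learn their normal traffic patterns, treat a device scanning another device as a red flag), as an added Python example that is not from the Cisco report or either article. The flow records, addresses, ports and the five-port scan threshold are constructed.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dst_port) from an IIoT segment, not real data.
BASELINE_FLOWS = [
    ("10.0.5.11", "10.0.5.1", 502),    # PLC polled by the HMI over Modbus
    ("10.0.5.11", "10.0.5.1", 502),
    ("10.0.5.12", "10.0.9.20", 123),   # sensor gateway syncing time with NTP
    ("10.0.5.12", "10.0.9.21", 8883),  # sensor gateway publishing to the MQTT broker
]
NEW_FLOWS = [
    ("10.0.5.11", "10.0.5.1", 502),
    ("10.0.5.12", "10.0.9.21", 8883),
    ("10.0.5.12", "10.0.5.13", 22),    # the gateway starts touching a neighbour it never spoke to
    ("10.0.5.12", "10.0.5.13", 23),
    ("10.0.5.12", "10.0.5.13", 80),
    ("10.0.5.12", "10.0.5.13", 443),
    ("10.0.5.12", "10.0.5.13", 445),
]

def build_baseline(flows):
    """Learn, per IoT source, the (destination, port) pairs it normally talks to.
    In a predictable IIoT segment this set stays small and stable."""
    baseline = defaultdict(set)
    for src, dst, port in flows:
        baseline[src].add((dst, port))
    return baseline

def find_deviations(baseline, flows, scan_ports=5):
    """Return (src, reason) findings: any peer/port outside the learned baseline, and any
    source touching at least scan_ports distinct ports on one destination (port-scan pattern)."""
    findings = []
    fanout = defaultdict(set)
    for src, dst, port in flows:
        if (dst, port) not in baseline.get(src, set()):
            findings.append((src, f"new peer {dst}:{port}"))
        fanout[(src, dst)].add(port)
    for (src, dst), ports in fanout.items():
        if len(ports) >= scan_ports:
            findings.append((src, f"{len(ports)} distinct ports on {dst}: likely scan"))
    return findings
```

On the constructed data the PLC stays within its baseline, while the gateway produces five new-peer findings and one scan finding for the same destination.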

Cybersecurity Has Never Been More Important

Cisco warned that attackers are building tools that can completely disrupt or destroy the operations of a company, because they know the vast majority of firms don’t have a contingency plan for rebuilding their IT infrastructure from scratch in case of a devastating cyber attack. The attackers plan to use this to their advantage, either to obtain larger sums of money as ransom or to further some other objective.

Cisco said that this means companies need to start taking cybersecurity much more seriously and to invest in tools and infrastructure that can keep their networks and data secure. Cisco also argued that security vendors need to work together to develop more interoperable tools that can together meet the challenge of more potent attacks.

“Complexity continues to hinder many organizations’ security efforts,” said David Ulevitch, Senior Vice President and General Manager, Security Business Group, Cisco, in an email to Tom’s Hardware.

“It’s obvious that the years of investing in point products that can’t integrate is creating huge opportunities for attackers who can easily identify overlooked vulnerabilities or gaps in security efforts. To effectively reduce Time to Detection and limit the impact of an attack, the industry must move to a more integrated, architectural approach that increases visibility and manageability, empowering security teams to close gaps,” he recommended.




Database Updates, Backup/Restore and Collecting Troubleshoot with Firepower Device Manager

Category : Cisco

This video walks through the process of updating the various databases (signature, geolocation, URL and vulnerability), explains how to maintain configuration backups, and shows how to collect a troubleshoot file with Firepower Device Manager.


What your MDR does when threats like Nyetya hit

Category : Cisco

When your Security Operations team is finishing the day, and you get the following urgent alert, what do you do?

Cisco ATA SOC Communications

Does your SOC have the staff to cover basic threat detection needs, and pivot on a moment’s notice to hunt for the latest threat? Do you leverage the power of analytics to increase efficiencies and multiply your team’s capabilities? Whether you build it or buy it, your C-Suite and Board care about your SOC performing at 100%. What’s more, they want it within the same budget, but expect innovation. Cisco designed Active Threat Analytics (ATA) to partner with you for that outcome.

Let’s look inside a managed SOC when a major threat hits.

In June 2017, the Nyetya malware spread quickly through Windows systems across the world, but severely hit Ukraine and Europe. Security-savvy companies had already patched Windows systems before the WannaCry ransomware outbreak in May, but quite a few were hit in this resurgence. Another example: the Gmail worm that hit thousands and was very well crafted. These are just a few examples of threats that disrupt your plans. Security professionals have come to know that these threats hit every day, and arrive in force. I direct the Cisco ATA Delivery Team, where we leverage global talent to provide continuous threat and health monitoring for our global customer networks. ATA augments our clients’ Security Operations teams, performing threat hunting and leveraging analytics to find threats that slip past security controls and detections. We execute thousands of security plays daily, each of which correlates security alerts, threat intelligence, and known context within our customer environments. This machine consumes hundreds of thousands of security events every day. When Nyetya and WannaCry erupted, we prioritized our highest fidelity intelligence and detection among the avalanche of alerts.

SOC analysts begin their investigation by reviewing play results, which drop into a case for triage and investigation. In the Nyetya outbreak, Talos delivered specific threat indicators to the Cisco ATA managed SOC, and analysts matched the indicators within client environments to detect compromise. Since the team is working 24/7, these continuous updates from threat intelligence enable threat hunters to deliver rapid detection, helping our customers avoid the disruption of a ransomware breach.

When these global outbreaks are erupting, authoritative information is sparse, and the ATA SOC can’t yet search for specific threat indicators. Instead, the SOC focuses detection on specific plays that detect the broad properties of the outbreak, such as high SMB scanning activity. ATA monitors to ensure that all plays are running efficiently, and monitors for new intelligence on the threat.

Talos Message:

Talos Intelligence part 1

As time passes during the investigation, threat indicators are derived and shared between Talos and ATA, coverage for Cisco endpoints and IPSs is verified, and clients are updated.

Updated Talos Intelligence

Talos intelligence part 2

ATA investigative and development teams work together to tweak analytic plays to ensure coverage of new threat indicators, and test plays for efficacy. Applying several types of analytics (Deterministic Rules-Based (DRB), Statistical Rules-Based (SRB) and Data Science-Centric (DSC) Analytics) helps expedite the hunt. Analytics adds a fulcrum to this process, enabling correlation to trace the difference between successful compromise, mitigated attacks, and attacks resulting in no impact (in other words, the target of the attack was not vulnerable). Once proven, the ATA SOC provides mitigation and remediation instructions to the client to prevent threat propagation.

This routine occurs thousands of times per day, with a team of analysts and investigators in the United States, Poland and Japan. The SOCs use the ATA 3.0 platform to investigate and filter through alerts, narrowing them to actionable cases. (Which is why we've named our platform "Magnet": it helps our analysts find needles in haystacks.) Our SOCs are an extension of your team, enabling cooperative threat hunting and developing a mutual understanding of your network, staff and applications.

Layering analytic measures allows for effective coverage of your network. A typical two-week slice of one of our average-sized clients produced 269,808 unique security events. In that period, ATA analysts and investigators narrowed those 269,808 events down to 71 post-investigation cases that were actionable for the customer. We are proud to reliably collect our customers' data and filter it to actionable results. This partnership saves our customers time and money and helps them avoid network compromise. In high-stress situations like the Nyetya or WannaCry outbreaks, the ATA SOC takes the pressure off customers, guiding them toward using their own controls to block hot threats. The 2016 Gartner Market Guide to Managed Detection and Response advises, "Don't go it alone when implementing an SOC capability. Look to an MDR service provider as a partner who can augment your SOC. This allows you to quickly implement mature threat detection and response capabilities rather than having to build from scratch. This can mean a SOC is operating at a greater maturity level in several months rather than several years." We agree.


Author: Martin Nystrom


Start Your Privacy Protection Planning Now

Category : Cisco

One of the most talked about topics at the June Infosecurity Europe 2017 conference in London was the General Data Protection Regulation (GDPR). This new data privacy regulation makes the consequences of a data breach much more severe, and it applies in all EU member states from 25 May 2018.

It should be noted that the GDPR will affect any organisation that holds personal data of people in the EU, wherever the organisation itself is based. Under current legislation, personal data may only be transferred outside the EU to countries or frameworks that offer an adequate level of protection (for example, the EU-US Privacy Shield). While the GDPR will harmonise data protection laws across the whole of the EU, which in theory makes it easier for non-EU organisations to comply, the new requirements are stricter, which will ultimately make compliance more challenging.

The main consequence of non-compliance is a fine, and it applies to any organisation that suffers a breach of data containing personal information about someone who resides in the EU. Such data includes the obvious, such as a name or address, but also identifiers such as an IP address. This holds for all personal data, including employee data and not just that of consumers. The fine can be as large as €20 million or 4% of annual global turnover, whichever is higher. In addition, organisations will be legally obliged to report a breach to the supervisory authority within 72 hours of becoming aware of it.

One question that people may have is whether Brexit will affect the GDPR. In short, it won’t. The governing body for data protection in the UK, the Information Commissioner’s Office, has already stated that it will be upholding the GDPR. While the future of UK law remains to be seen, there is a pressing urgency for organisations to get ready for the GDPR.

Everyone I spoke to at the Infosecurity Europe conference about the GDPR told me that they had started preparations, but could not clearly state how far along the compliance process they were. The fear is that many organisations are of the opinion that GDPR is a legal concern rather than a security concern. These discussions, and others, suggest that many organisations will not be equipped to avoid a fine in a year’s time.

What is the risk of GDPR non-compliance to you?

The risks of non-compliance should be considered by looking at the possible impacts and the likelihood of a breach occurring. The most obvious impact is the large fine from the regulatory authorities. In addition, there is the cost of informing everyone affected that their data has been breached, as well as the potential cost of removing their data should they request it (data subjects will have the right to ask for their personal data to be erased, subject to the regulation's conditions). These are the clear-cut financial impacts. There are also impacts that are substantial but harder to quantify, such as brand and reputation damage, a decrease in trust and a negative news cycle, which lead to a decrease in future revenue and lost business opportunities.

Establishing the likelihood of a breach is tricky. Data collected previously should give some indication of the probability within a 12-month period; however, organisations may not know that they have been breached and, if they do, they may not necessarily report it. While past data underestimates the likelihood of a breach, it does give us an indication.

Cisco's 2017 Annual Cybersecurity Report provides insight into the impacts of a data breach. The organisations surveyed reported the following results of security breaches:

  • 49% had to manage public scrutiny
      • 31% of those breaches were disclosed by third parties
  • 23% reported loss of opportunities
      • for 25% of those, the loss was between 20% and 40%
  • 29% reported loss of revenue
      • 39% of those lost 20% or more

As a company that advises on security practices, Cisco does not recommend running the risk of leaving security unimproved, and it is clear to see why. The idea, or misguided hope, that a breach is unlikely is simply incorrect.

Start planning for GDPR now.

Devising or updating a risk management plan in light of the GDPR is only one piece of a larger framework. Becoming GDPR-compliant requires a methodical and structured approach: start by understanding what is legally required, and then develop a solution. Simplistically, this process will require identifying all of the EU residents' data held within your organisation's estate, consolidating it into manageable clusters of data, and then ensuring that the data is secure and would maintain privacy if breached (for example, through encryption or pseudonymisation, both of which the regulation names as appropriate technical measures).

The determination of compliance will not rest simply upon the technical measures put into place. There must be policies that address the GDPR and staff must be made aware of these policies through training and education. Moreover, the business processes must uphold these policies. The regulator can deem that non-compliance came from a failure in culture rather than from misconfigurations in the implementation of technologies. This is why it is important to ensure that the GDPR compliance is aligned across people, processes, and technology.

The Cisco Security Advisory Services team can help to define the roadmap to becoming GDPR compliant, as well as provide support at every step along the way in the security lifecycle.

To learn more about how Cisco Security Services can help with GDPR compliance across people, processes and technology, read more on our website. Cisco Services can also help with conducting a Cybersecurity Management Program Assessment (an intelligence-led security assessment), preparing an Incident Response plan and responding should an incident occur.

See what Cisco is doing internally to prepare for GDPR.


Author: Edward Thomson


Nyetya. Global Ransomware Attack. What you want to know.

Category : Cisco

Hear from Martin Lee, technical lead on Cisco's Talos threat research team, to understand the latest on the new malware variant that we named Nyetya.

Nyetya is nasty because it spreads automatically, even using one of the same vulnerabilities that WannaCry used to spread (the SMBv1 flaw addressed by Microsoft's MS17-010 update).

Please join us this Friday, June 30, 2017 at 7 am PDT / 3 pm BST / 4 pm CEST to hear the latest on the attack and steps you can take to strengthen your security.


How Cisco Engineers Used Machine Learning to Solve an Impossible Problem

Category : Cisco

In 2015 Rich West, a systems architect with Cisco’s infosec team, approached an engineer on Cisco’s Advanced Security Research team with a novel problem. The infosec team was looking for a way to protect Cisco employees from malware in encrypted traffic without sacrificing their privacy. At the time, there was really only one viable option, which was to proxy and inspect all SSL and TLS traffic by decrypting it.

When done maliciously it's referred to as a man-in-the-middle attack. Even when done as a defensive measure, it can still be viewed as a breach of privacy, since it breaks the end-to-end trust chain for any user sending traffic to a secure site such as a bank or an encrypted e-mail service. It's also computationally expensive, enough so to cause a substantial degradation in network performance, not to mention the burden of operating an internal certificate authority whose certificates every client must trust so that the proxy can re-sign traffic after inspecting it.

Rich West and his team decided ultimately that the privacy trade-off was not worth it. They wanted a new approach, one that didn’t involve sending Cisco’s internal traffic through a bottleneck inspection point. To help, West contacted Cisco Engineering Fellow David McGrew.

A Complex, Unsolved Problem

McGrew had been working in Cisco’s Advanced Security Research group on new ways of algorithmically finding malware using NetFlows. When West made his team’s case for needing a method of finding attacks in encrypted data, McGrew decided to see if he could blend the two efforts. What followed is a two-year project that is now nearing its completion.

It is part of Cisco’s launch announced this week, a host of new networking products and software aimed to fundamentally change the blueprint of modern networks to one that is powered by intent and informed by context.

The data model McGrew and his team developed is called Encrypted Traffic Analytics (ETA), and it represents a huge step forward in Cisco’s goal to use its massive network and data set, combined with automation and machine learning, to apply security everywhere.

Encryption is most often viewed as a good thing. It keeps private Internet transactions and conversations private, free from man-in-the-middle attackers looking to glean private info or alter data in transit.

With the growing use of cloud services in enterprise environments, and the gentle pushes from companies like Google and Mozilla that force sites to use TLS, companies are accepting and routing a lot more encrypted traffic.

Encryption itself does not require a CA, but a TLS server presents a certificate, and browsers trust it only when it chains to a trusted certificate authority (CA). New authorities are spurring the growth in TLS traffic by making the process of obtaining such a certificate much easier and more cost-effective. A recent CSO article quoted a vice president at Venafi who described a "dangerous scenario" in which the cost of encryption has effectively dropped to zero, leaving it a cheap tool for attackers to employ. And they are doing so.

Cyber attackers are hiding their command and control activity and data exfiltration efforts by passing through common ports just like normal TLS or SSL traffic.

For McGrew, detecting malware mixed in with that normal traffic was a rich, complex use case involving massive data sets, which is just the type of problem he enjoys tackling.

A NetFlow, he said in an interview, contains valuable information, but also has its contextual limitations. “It tells you what two devices talked, how long, how many bytes they sent, and things like that.” But it’s by no means a complete picture.

McGrew believed, however, the debate of privacy versus security should not always be a duality—a one-or-the-other choice. He also knew that in order to find a solution for a problem this complex, he’d need to create it from scratch, which would involve a lot of code writing and intensive data modeling.

‘OK, What Do You Need?’ — ‘Data. Lots of data.’

McGrew needed resources to get started, so he tapped Cisco’s Technology Investment Fund.

‘Tech Fund’ projects at Cisco are typically those that develop new products or technologies with the goal of disrupting the status quo. These projects can often take years to develop.

Even with funding secured, before a project could be formed and code written, McGrew also needed help obtaining and analyzing data samples from Cisco’s enormous network, including malware samples.

To leap this hurdle, McGrew enlisted the help of Blake Anderson in March 2015. Anderson is a data scientist who obtained his Ph.D. studying the application of machine learning to cybersecurity. At the time, he was working with the Los Alamos National Laboratory in New Mexico, applying machine learning methods to malware analysis.

When Anderson joined Cisco, McGrew’s small team had been developing analysis tools and had some success identifying specific applications using only NetFlow data. For instance, they were able to spot when a NetFlow was coming from a user’s Chrome browser or Microsoft’s update service. But the team had not yet applied any malware data.

To get the samples they needed, Anderson and the team worked with practically every product team at Cisco, including the internal infosec team, the Talos threat intelligence group and the recently acquired ThreatGRID team, which joined the Cisco portfolio in 2014.

After spending months writing more than 10,000 lines of code, McGrew and Anderson had a practical test for their data models. Using millions of packet captures and known malware samples, Anderson began sifting through it all and finding the “most descriptive characteristics” that would differentiate what was malware and what was benign traffic without decrypting anything.

“I think [gathering the right data] was the most important thing,” Anderson said. “Whereas a lot of times you see people saying, ‘We have this interesting data, what can we do with it?’ We took the opposite approach.” Anderson and McGrew began with a wish list of what data they would need, and then shopped it around Cisco’s product teams to help make it possible.

Fingerprinting Hidden Malware

Since at least 2009 attackers have been finding ways to abuse the trust system of the Internet by using forged, stolen or even legitimately signed SSL certificates.

TLS certificates signed by a valid CA give users reassurance that the site they’re visiting is legitimate. But it can also prove a false reassurance, as this sense of trust can play right into the hands of attackers. They will use that false sense of safety to lure victims into handing over their login credentials or downloading a malware payload.

Figure: a phishing site using a free TLS certificate to create the illusion of a safe, encrypted, legitimate site.

In the last few months, attacks using legitimate TLS certificates appear to be rising. Part of the reason may be that obtaining a valid TLS certificate has become essentially free through CAs like Let's Encrypt, and incredibly easy, as mentioned before. As a result, phishing authors have capitalized on the opportunity and have recently been flooding the Internet with phishing sites spoofing legitimate sites like PayPal or bitcoin wallet providers.

Easily obtainable certificates can prove to be a double-edged sword.

According to Rich West, security departments are, in a way, a victim of their own success. “They’ve pushed IT departments, vendors and app developers to better secure data in motion, but that creates new challenges for how to handle these encrypted flows,” he said.

Fortunately, by analyzing millions of TLS flows, malware samples and packet captures, Anderson and McGrew found that the unencrypted metadata in a TLS flow contains fingerprints that attackers cannot hide, even with encryption. TLS is really good at obscuring plaintext, but in doing so it also creates a "complex set of observable parameters" that engineers like McGrew and Anderson can use to train their data model.

For instance, when a TLS flow begins, it starts with a handshake. The client (like your Chrome browser) sends a ClientHello message to the server it's trying to reach (like Facebook). The "hello" message lists the parameters the client supports, such as the cipher suites it can use, the protocol versions it accepts and a set of optional extensions (for example, the server name it wants via SNI, and the application protocols it offers via ALPN).

Figure: ETA examines the ClientHello exchange, which carries many of the fingerprints used to tell malware traffic apart.

TLS metadata like the ClientHello are not encrypted, because the handshake is exchanged before the encrypted application data begins. (Even in TLS 1.3, which encrypts most of the handshake including the server's certificate, the ClientHello itself is still sent in the clear.) This means Anderson's model can analyze that metadata with no knowledge of what is inside the encrypted messages, and then classify the traffic as malware or benign.
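To make the "observable parameters" concrete, the block below parses a raw TLS ClientHello record into the fields a passive observer can read (version, cipher suites, extension types, SNI, ALPN, supported groups) and hashes the client-offered parameters into a fingerprint that stays stable across destinations. This is an added example written for this page, not Cisco's ETA code or model: the two sample hellos are constructed by the builder in the block, the fingerprint layout (a SHA-256 over version, cipher suites, extension types and groups) is an illustrative choice rather than any published scheme, and `www.example.com` is a placeholder name.

```python
import hashlib
import struct


def _build_client_hello(version, ciphers, sni, alpn, groups):
    """Constructed sample: assemble a minimal TLS 1.2-style ClientHello
    record so the parser has realistic bytes to work on."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    grp_list = b"".join(struct.pack("!H", g) for g in groups)
    grp_ext = struct.pack("!H", len(grp_list)) + grp_list
    ext_items = [(0, sni_ext), (10, grp_ext)]
    if alpn:  # ALPN is omitted entirely when the client offers nothing
        alpn_list = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        ext_items.append((16, struct.pack("!H", len(alpn_list)) + alpn_list))
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in ext_items)
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body = (struct.pack("!H", version) + b"\x11" * 32      # version, random
            + b"\x00"                                       # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                   # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec):
    """Walk the record and handshake headers, then pull out the negotiation
    parameters that are visible before any encryption starts."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a ClientHello record")
    hs_len = int.from_bytes(rec[6:9], "big")
    body = rec[9:9 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated handshake")
    pos = 0
    version = struct.unpack_from("!H", body, pos)[0]
    pos += 2 + 32                                  # skip client random
    pos += 1 + body[pos]                           # skip session id
    cs_len = struct.unpack_from("!H", body, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", body, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "sni": None, "alpn": [], "groups": []}
    if pos < len(body):
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            info["extensions"].append(etype)
            if etype == 0:       # server_name: list len(2), type(1), name len(2)
                nlen = struct.unpack_from("!H", data, 3)[0]
                info["sni"] = data[5:5 + nlen].decode()
            elif etype == 10:    # supported_groups: list len(2), then 2-byte ids
                info["groups"] = [struct.unpack_from("!H", data, i)[0]
                                  for i in range(2, len(data), 2)]
            elif etype == 16:    # ALPN: list len(2), then len-prefixed names
                i = 2
                while i < len(data):
                    plen = data[i]
                    info["alpn"].append(data[i + 1:i + 1 + plen].decode())
                    i += 1 + plen
    return info


def fingerprint(info):
    """Hash what the client offers, not where it is going: the SNI changes
    per destination, while the TLS stack's parameter choices do not."""
    parts = [str(info["version"]),
             "-".join(map(str, info["ciphers"])),
             "-".join(map(str, info["extensions"])),
             "-".join(map(str, info["groups"]))]
    return hashlib.sha256(",".join(parts).encode()).hexdigest()


# Constructed samples: a browser-like hello and a sparse one resembling a
# minimal TLS stack (hypothetical; not derived from any real malware).
BROWSER_HELLO = _build_client_hello(
    0x0303, [0xC02B, 0xC02F, 0xC02C, 0xC030, 0x009C, 0x002F],
    "www.example.com", ["h2", "http/1.1"], [0x001D, 0x0017, 0x0018])
SPARSE_HELLO = _build_client_hello(0x0303, [0x002F], "www.example.com", [], [0x0017])

if __name__ == "__main__":
    for label, rec in (("browser", BROWSER_HELLO), ("sparse", SPARSE_HELLO)):
        info = parse_client_hello(rec)
        print(label, info["sni"], info["alpn"], fingerprint(info))
```

The useful property is visible in the last two lines of the test: the same client stack talking to two different hosts yields the same fingerprint, while a stack that offers one cipher suite and no ALPN looks nothing like a browser, which is exactly the kind of observable the article says a model can learn from without decrypting anything.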

According to Anderson's latest testing, not only does this approach preserve user privacy by not breaking encryption, but tests of ETA against large samples of network data and malware samples show promising accuracy. Using only NetFlow features, ETA catches malware about 67 percent of the time. When those NetFlow features are combined with additional feature sets such as the Sequence of Packet Lengths and Times (SPLT), DNS, TLS metadata, HTTP and others, the accuracy jumps to more than 99 percent.

“The position Cisco is in,” Anderson said, “gave us all this data, and the Tech Fund Project allowed us to do this rapid prototype approach. It’s really invaluable, and allowed us to get some pretty powerful results quickly.”

With all the right resources, and as a result of their inter-departmental work, McGrew and Anderson have in two short years created a promising solution for a dire problem in cybersecurity.

McGrew said it’s a solution that likely could only have come from a company like Cisco, with both the resources and, just as important, the data to do it.

“For an engineer, for a scientist, being able to really focus on the technology is a fantastic privilege,” McGrew said. “Being a product engineer you don’t get to do that as often.”

Anderson's hope is that ETA can be applied nearly anywhere through a software update, providing enforcement against malware in encrypted traffic at any location on the network. Any appliance handling network traffic could then act as a security appliance, even if its primary function is not security.

“I think it makes a lot of sense to push more of the decision making and enforcement to routers and switches,” Anderson said. “We can still train the models in the cloud, but we can push a lot of the intelligence to the network level. Me personally, I would like to see integration of this type of detection integrated into the actual data path, and [done] in an efficient way.”


Author: Owen Lystrup