Security in A World of “WE” – Embracing Our Third Party Ecosystems

By Edna Conway

In our increasingly digital world, technological innovation not only presents new opportunities, but also raises new risks and challenges that must be addressed collaboratively by industry, buyers, users, and policymakers. Specifically, digitization demands that risk be addressed across a dramatically expanding supply chain. These risks include the security threats of manipulation, espionage and disruption of information and information systems and services.
Empirical reports reveal that the third party ecosystem remains a fundamental risk to the integrity of our information systems. For example, analysis of the last nine consecutive years of Verizon’s global Data Breach Investigation Reports illustrates that where breaches can be attributed, 73% arise from the third party ecosystem. Moreover, not only are we increasing the volume of third parties in our information systems supply chains, we continue to invite third parties into our security inner sanctums – our security enforcing technology. Cisco’s 2018 Annual Cybersecurity Report revealed that 79% of global enterprises and governments rely on at least 20 third party security vendors.
The message is clear: the cyber supply chain and its related third party risk must be addressed. These security risks must be tackled comprehensively across all stages of the supply chain, including design, software development, manufacturing and sustainment. In parallel, our procurement practices, policies and certification and validation schemas should also seek to mitigate the impact of this third party risk. Public-private partnership brings civilian, government and defense agencies together with private industry to develop meaningful recommendations to effectively mitigate third party risk. NATO has recognized and is actively addressing this challenge in coordination with its member nations.
I will tackle this very challenge in my upcoming keynote, “The Trolls Under the Bridge: Who & What Lurks in Your Supply Chain?” at NATO’s NIAS19 Conference in Mons, Belgium in October (https://nias19.com). I will share views on a path forward to meaningfully reduce risk across the increasingly broad and deep third party ecosystem upon which governments and enterprises around the world rely. I look forward to sharing the perspective that we simply must drive what I refer to as Pervasive Security. Pervasive Security is designed to deploy a layered approach balancing physical security, operational security, behavioral security, information security and security technology across the cyber supply chain, based on risk prioritization.
My discussion will build on NATO’s 2017 Technical and Implementation Directive on Supply Chain Security for COTS CIS Security Enforcing Products. And, I will showcase a practical framework to identify, prioritize and mitigate the impacts of tainted and counterfeit information systems technology across the supply chain and its third party members.
One of NIAS19’s key themes is “supply chain security challenges”. To answer that challenge, I will discuss tested, practical methods to address it. After all, risk travels up and down the supply chain. Approaching supply chain security comprehensively is key to ensuring successful risk management. Fundamental steps to comprehensive security require that all supply chains:

1. Identify areas of potential impact, for example:
- Risks to continuity of supply of third party provided software, services, components and raw materials
- Natural disasters
- Geopolitical and economic disruption
- Workforce instability
- Financial volatility
- Weak infrastructure security
- Insufficient end-user risk awareness
2. Prioritize risk by both likelihood of occurrence and severity of impact
3. Establish criteria for mitigating security threats and reducing the impact of incidents
4. Collaborate with industry and government on policy, regulations and directives.
October is Cybersecurity Awareness Month! Join the conversation, as all of us are part of the global supply chain. For additional insight on this challenge visit Cisco’s Value Chain Security Capability.

Source: Cisco Security Notice

Duo and ISE Integrated Use Case – Delivering Zero Trust security for the workforce and workplace

By Amanda Rogerson

This blog series will highlight exciting new developments and integrations between solutions within the Cisco Security portfolio with our acquisition of Duo Security. These posts will cover details about the problems that are being solved by these integrations, with links to helpful technical documentation if you are interested in seeing for yourself the benefits that are provided. If you would like further information on how you can improve your security posture by leveraging these integrations, please contact our sales team.
Zero trust is a comprehensive security approach that secures access by your users, devices, applications and networks. This approach to security helps organizations implement practices that establish trust in the users and devices accessing sensitive applications and network resources, helping to prevent unauthorized access and reducing the risk of an attacker’s lateral movement through the network.
To protect the workforce, a zero trust security approach ensures only the right users and secure devices can access applications. And for the workplace, it secures all user and device connections across the network, including IoT. The integrations provided between Duo Security and Cisco’s Identity Services Engine (ISE) provide the zero trust application and network access controls you need for the workforce and workplace.
Use Case 1: Zero trust remote access
ISE and the AnyConnect Secure Mobility Client empower your mobile workforce with secure Virtual Private Network (VPN) access to the workplace. By integrating with Duo, you gain enhanced device visibility, multi-factor authentication (MFA) and established device trust.
Problem Solved: Customers who want to implement additional verification of the user when providing access to their corporate network via VPN. The motivators behind this requirement are:
- VPN access provides end users with access to the entire network, and many environments lack a robust network segmentation policy that limits access to only the resources users need. The next best step for protection is to implement MFA to achieve a higher level of confidence that the user is who they say they are.
- Credential compromise is still one of the biggest reasons customers get breached
- Compliance (HIPAA, PCI-DSS, etc.)
Solution: You can enhance remote access security with Duo Security, Cisco ISE, and the AnyConnect Secure Mobility Client. It’s easy to add multi-factor authentication to VPN access so that you can verify the trust in remote users. Here’s how:
The Cisco AnyConnect client and Cisco ASA use Cisco ISE for access control. Customers add the Duo Authentication Proxy as a second authentication source in Cisco ISE. Upon AnyConnect login, users are prompted for 2FA from Duo.
Use Case 2: Zero trust network administration
ISE controls network administrator access to critical network infrastructure equipment such as switches and routers. Duo’s multi-factor authentication adds a security layer that mitigates the risk of unauthorized access, which could result in intentional misconfigurations that cause severe network outages.
Problem Solved: Most customers have network devices (routers, switches, etc.) in their environments which require access to manage and configure. Many of these network devices use a Cisco protocol called TACACS+ to authenticate and authorize end user admin access to the network device. Customers want to enable MFA for admin access to these network devices.
Solution: With the Duo MFA integration with ISE for TACACS+ device administration with Microsoft Active Directory users, customers can protect admin access to network devices that use the TACACS+ protocol: primary authentication is handled by ISE and 2FA by Duo, via the Duo Authentication Proxy.
Stay tuned for more integration stories and use cases. You can learn more about Cisco Zero Trust here, and if you want to see the powerful security controls that Duo offers you can sign up for a free trial at sign-up.duo.com.

Source: Cisco Security Notice

Find What Your Endpoint Anti-Malware is Missing with CESA Built on Splunk

By Jeff Reed

There are many aspects to securing an endpoint beyond finding the malware on it. What do you know about the behavior of your endpoints? Can you track anomalous traffic? Can you tell what the applications and other software processes are up to? What is happening when the device is off the corporate network? Has a user or device evaded endpoint security measures? With insight into such issues, you can generate visibility that not only follows endpoints on and off network, but also finds threats often not addressed by anti-malware solutions.

With this in mind, Cisco has created a solution unlike anything available in the industry today — Cisco Endpoint Security Analytics (CESA) Built on Splunk. This new solution brings together the unparalleled endpoint behavioral visibility of Cisco’s AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform. The result is an added layer of deep endpoint visibility that transforms endpoint-centric data into insights to proactively detect and mitigate network threats.
If you already use AnyConnect NVM, you know it creates a lot of detailed, endpoint-specific data. But by building and productizing CESA on top of Splunk, we’ve paired that data with an equally comprehensive and cost-effective analytics tool. CESA addresses endpoint security use cases such as:
- Unapproved applications and SaaS visibility
- Endpoint security evasion
- Attribution of user to device to application to traffic and destination
- Zero-trust monitoring
- Data loss detection
- Day-zero malware and threat hunting
- Asset inventory
The behavioral data produced by NVM complements anti-malware agents like Cisco Advanced Malware Protection (AMP) for Endpoints, which primarily focus on file analysis to detect malware on endpoints and so identify known issues. But because CESA analyzes user and device behavior and identifies changes and anomalies, it enables threat hunters and analysts to discover malicious or suspicious endpoint activity, often without an additional endpoint agent. Where antivirus and other endpoint solutions would miss these threats, CESA provides early detection that increases security posture. CESA endpoint analytics also complements the broad network visibility provided by Cisco Stealthwatch by following endpoints on and off network, as well as enabling deep endpoint insight down to the user account, device details and network interface levels of the endpoint. Together CESA and Stealthwatch cover every aspect of network and endpoint behavior, leaving no blind spot unchecked.
How we address endpoint blindness
Even as security products continue to integrate, endpoint blindness is a persistent problem. Information security (infosec) teams need to know more about what is happening on the endpoints to anticipate where attacks are more likely to occur.
By leveraging the NVM telemetry that endpoints provide, we gain a better understanding of users’ network behaviors and where threats are going to happen. These insights can raise potential red flags like:
- Are my endpoints suddenly communicating with domains we’ve not seen in our environment before?
- Has a user changed behavior suddenly, using applications and visiting hosts they don’t usually access?
- Does an endpoint have unusual traffic patterns? Is it uploading or downloading more than usual? Is someone hoarding or exfiltrating data?
- Are any machines using unapproved applications or SaaS services?
- Has security been disabled on an endpoint?
- Which endpoints have known bad files or applications?
- What are my users doing when they are not connected to my network?
- Which devices and operating systems are in use in my endpoint environment?
- Who is using each device and what are they doing with it?
It’s important to note that CESA is integrated into the Cisco Security infrastructure. CESA works together with network visibility from Cisco Stealthwatch and endpoint control from Cisco AMP for Endpoints. Additionally, Cisco Identity Services Engine (ISE) is used to quarantine users when identified as suspicious. These integrations serve to further increase the security posture of the network.
Cisco’s CSIRT team uses CESA
Many of our case studies come from our partners and customers, but this time our Cisco infosec team put together a case study as they leveraged CESA within the Cisco organization. They used the solution to collect and analyze the data generated by NVM across approximately 96,000 endpoints, and extract context such as user, device, application, location, and destination. The analysis of this data, from when the user is both on- and off-prem, helped Cisco infosec reduce incident investigation time from days to hours, while filling gaps in endpoint visibility.
“Splunk makes accessing the data from NVM, writing queries, and analyzing the data very easy,” said Cisco CSIRT’s Imran Islam.
Before CESA, the infosec team would struggle to determine which user is associated with what machine. And drilling down further was difficult if not impossible – from identifying machine to traffic; from traffic to the application or software process producing it; and then the traffic’s destination, whether inbound or outbound. It was reported by the Cisco infosec team that 80% of CESA use cases could not have been addressed by other technology.
Partnering to create a more secure network
At Cisco, we’re leading the industry in multi-vendor partnering solutions because we understand that collaboration is key to our customers having effective and efficient security across their networks — from endpoint to data center and cloud to campus. In fact, the Internet Engineering Task Force (IETF) recently standardized the XMPP-Grid security data exchange framework – based on Cisco Platform Exchange Grid (pxGrid) – which enables seamless collaboration and the sharing of information between security platforms from multiple vendors.
While no one product can achieve absolute security, no security solution exists in complete isolation. As security products become more interconnected, share context for threats, and participate in incident response, the risk of data breaches and security incidents is increasingly mitigated. This is why we believe in working so closely with our partners like Splunk through the Cisco Security Technical Alliance to integrate solutions that protect against emerging threats and improve customer security.
Splunk’s analytics-driven security solutions continue to serve as a perfect complement to Cisco Security. And we’re excited to see CESA deliver endpoint visibility and advanced threat detection for our customers. Cisco AnyConnect (Cisco’s VPN client) is already deployed on over 150 million endpoints, and many customers are already running the Splunk console, which makes CESA a simple addition that will bring immense value to infosec’s ability to anticipate and stop endpoint threats before they manifest on the network.
If you don’t yet have these products, learn more about CESA and how you can add Cisco AnyConnect NVM and Splunk here. Stay tuned in the coming weeks for added CESA integration with Cisco Umbrella to enable enforcement at the domain level.
You can learn more about how Cisco infosec utilized CESA in this case study.
Want to get started with CESA today? If you already have Splunk and AnyConnect, download and install the Cisco AnyConnect NVM App for Splunk from Splunkbase to create dashboards. Then, download and install the Cisco NVM Technology Add-On for Splunk from Splunkbase to bring NVM data into Splunk. Finally, turn on NVM telemetry in your AnyConnect environment as outlined in these tech docs.
Finally, be sure to follow me on Twitter and LinkedIn for the latest announcements from Cisco Security.

Source: Cisco Security Notice

Welcome to the team, Tim Spiller

Since 1 September we have a new apprentice on board. We are looking forward to working with you, Tim Spiller. Tim passed his Abitur this year at the Lindengymnasium in Gummersbach and is now starting his training as a Fachinformatiker (IT specialist) with us.

In his free time he enjoys playing billiards with friends and has previously practised judo and jiu-jitsu. Having completed the apprentice boot camp, he now supports the colleagues in the technical department.

We wish you every success and lots of fun with us.