A New Day for Critical Infrastructure Security & Resilience

By Edna Conway It’s a new Day for National Critical Infrastructure Security and Resilience. While November is recognized as the month focused on this issue in the U.S., for some time, digital transformation has widened the aperture of our lens dramatically.
This year, led by the new Department of Homeland Security (DHS) Critical Infrastructure and Security Agency (CISA), the public and private sector are zooming in on collaborative resilience. The accelerated convergence of information technology with operational technology running our Critical Infrastructure demands this new joint approach.
As CISA noted in its National Critical Functions, newly defined this year, “goods, people and utilities move in, out, and across the United States through distribution functions. Effective, safe, efficient, lawful, and responsive management drives our way of life, our economy, and the cohesion of our society.” Given such reliance on a dynamic global ecosystem, we must clearly identify our most trusted insiders and our most dangerous adversaries and build resilience accordingly. I believe DHS‘ designation of National Critical Functions is a major step forward toward this resiliency approach. I encourage readers to review the Interim Report recently issued by the DHS Information and Communications Technology Supply Chain Risk Management Task Force.
We must shift both our thinking and practice to effectively build resiliency and security into our critical infrastructure. Security must be approached from a layered perspective to address operational, cyber and physical risks together. Omitting any one of these important layer’s leaves glaring gaps in the security posture of our infrastructure.
Let’s explore a few fundamental building blocks:

While Access Management has traditionally been applied to IT systems, it is also uniquely applicable to any number of Critical Infrastructure aspects, such as its creation, operation and use. Mapping who needs access to what and when is how we start. The basics include:
Structuring teams and their respective access based on role
Ensuring that least privilege is applied, limiting access to the least amount of resources necessary to get the job done for a specific role
Applying that least privilege not just to information access, but also to physical access, operational control and authority. E.g. in a manufacturing plant, a camera sensor should not be allowed to control a robot outside of the camera sensor’s purview.
Verified Identity is essential to successful access management. After all, if we are granting access to the wrong person, tool or operation, we have failed. Methods for validation can range from passwords/passphrases, to electronic key cards to biometric identifiers. Methods should be deployed based on risk, e.g. an individual’s role and the operation to be undertaken.
Segmentation ensures that if one part of a network goes down, users can readily switch to another that is still functional, minimizing the failure’s impact. This concept, often used in minimizing information technology network disruption, should also be part of our infrastructure resiliency planning. Consider these basic steps:
Establish a baseline of device configurations as a foundation
Start your systems segmentation with basic categories such as enterprise, plant and process
Once you have locked down your segments, identify the key connections which are essential to each function. Then comes the fun part: map your actual connections against your list of key connections needed. And then simplify, simplify, simplify.
Third Party Risk Management becomes even more essential in today’s distributed Critical Infrastructure environments. Critical Infrastructure relies upon, in part:
Third party cloud platforms digitally enabling operations controls, data storage and workflows
Consultants performing data mining and analytics
Equipment component suppliers
Service providers working onsite to install or maintain equipment
All these third parties impact the success or failure of the security and resiliency of the Infrastructure in which they play a role.
These basic building blocks, which must be deployed by all of us, are essential to operational success. Resilient and increasingly secure Critical Infrastructure and services can only be achieved when we work together.
Additional Resources:
Critical Infrastructure Protection
Value Chain Security
The Trust Center
The post A New Day for Critical Infrastructure Security & Resilience appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Verhalten bei IT-Notfällen

Oberberg-Online ist als Mitglied der Allianz für Cybersicherheit permanent an der Verbesserung der IT-Sicherheit seiner Kunden interessiert. In diesem Zusammenhang greifen wir heute ein Thema des BSI auf und stellen diese Informationen hier gesammelt zur Verfügung.

Wichtig ist im Falle eines Falles das korrekte Verhalten der Mitarbeiter bei IT-Notfällen. Damit sollen Schäden minimiert werden und ein abgestimmtes, zügiges Handeln ermöglicht werden.

Analog zur Info-Karte „Verhalten im Brandfall“ stellt das BSI hier eine IT-Notfallkarte zur Verfügung, in der die Nummer der im Notfall zu verständigenden Personen eingetragen werden sollte.

Schulungen und Sensibilisierungsmaßnahmen in der Organisation bieten sich als Rahmen an, um die IT-Notfallkarte einzuführen. So kann es gelingen, dass die Belegschaft zu einem wichtigen Bestandteil der Cyber-Sicherheit einer Organisation wird. Hierzu beachten Sie auch bitte die Awareness-Schulungssysteme unseres Partners G DATA, über die wir hier bereits informiert haben.

Hier finden Sie die IT-Notfallkarte als Download im Format A5.

Hier finden Sie die IT-Notfallkarte als Download im Format A4.

Platzieren Sie die IT-Notfallkarte in Fluren, in den Arbeits- oder Werkräumen oder den IT-Arbeitsplätzen: überall dort, wo IT-Anwenderinnen und IT-Anwender diese Information im IT-Notfall finden sollten.

Für Geschäftsführer und IT-Verantwortliche in kleinen und mittleren Unternehmen haben wir hier noch weitere BSI-Kurzinformationen zusammengestellt, die wir für empfehlenswert zum Thema IT-Notfälle halten:

Maßnahmenkatalog zum Notfallmanagement mit dem Fokus auf IT-Notfälle

TOP 12 Maßnahmen bei Cyberangriffen

Unsere Security-Lösungen unterstützen Sie bei der Verteidigung gegen Cyberangriffe. Sprechen Sie mit uns:

DSC_2022 klein

Bastian Breidenbach

breidenbach@oberberg.net

Dirk Zurawski
02261 9155051
zurawski@oberberg.net
DSC_2012 klein
Frank Erlinghagen
02261 9155055
erlinghagen@oberberg.net

Malvertising

By Ben Nahorney Online advertising is an integral part of today’s internet experience. In many ways, ads are the lifeblood behind many websites, providing the necessary funding to keep sites running, as well as supporting the creation of new content.
While it may appear as though the ads that are displayed are just a component of the site you’re visiting, this isn’t often the case. Behind the scenes there is a complex network of advertisers, affiliates, and ad exchanges that bring the ads to you. A whole industry has built up around the process of serving up ads, by some estimates exceeding $100 billion in revenue per year. Tracking the sites a user visits and the ads they click on, alongside other metrics, has led to the tailored advertising experience we often see today.
These ads can run the gamut from amusing to annoying. The latter can be a source of frustration for users, with ads popping up while viewing a page, appearing in the middle of an article, or being masked as “sponsored content” that can sometimes be difficult to distinguish from the core content on a page.
In addition, many legitimate websites and content creators heavily rely on ad revenue as an income stream. This can cause even greater confusion for users trying to stay safe online, as legitimate sites may urge users to turn off any ad-blocking software they may have installed. Likewise, content creators and influencers are known to ask users to engage with their ads in order to support their work. Simply put, ad culture is everywhere online.
And those ads can be dangerous. Malicious advertising, or “malvertising” for short, has become a more common occurrence as bad actors have figured out how to infiltrate ad networks in order to serve up malicious content. And while there are steps that you can take, there is no simple, silver bullet to fully protect yourself and your organization from malvertising.
Today’s ad networks
There are a variety of delivery methods for online advertising, though ad exchanges are one of the most common today. This process includes publishers who post the ads to the site, exchanges that facilitate bidding for ad placement, and advertisers who bid to win placement on the site.
At a basic level, you can look at this process as being similar to a car auction. The seller (web user) puts their car (ad space) up at an auction house (publisher). The auctioneer (ad exchange) opens bidding up to the potential buyers (advertisers). The highest bid ultimately wins the car, and the buyer pays the user with money (ad).
To be more specific, this process for serving ads works like this:
A user requests a particular page that includes an ad space.
A publisher collects information about the user and passes it to an ad exchange.
The ad exchange passes the information available to advertisers and creates an auction placing an ad on the page.
The advertisers determine if they have suitable ads and make bids for the ad space accordingly.
The winning bid is passed back to the publisher, who displays the ad to the user.

Figure 1 – Ad network process.The entire bidding process takes place in a fraction of a second. It’s so quick that multiple bids can be completed between the time a link is clicked and the page loads.
The data that drives the process—determining which ads advertisers bid for and how much they bid—is often the information gathered about the user. Geographic location, language, browser type and version, and operating system can commonly be determined when a page loads. If you add information gathered from third-party cookies, such as age and other demographics, far more information can be gathered as well.
Where things go wrong
From an advertiser’s perspective, ad exchanges can help facilitate cheaper ads that reach the customers that they want to reach. However, the bar is quite low in terms of who qualifies as an “advertiser.” In many ways this is necessary for smaller businesses and sellers to be able to get their ads easily distributed online. However, it also leaves the door open for bad actors.
Without significant vetting taking place on many advertising networks, it’s fairly straightforward for cyber criminals to enter these networks and bid for ad placement alongside legitimate advertisers. By doing so, these bad actors have the opportunity to place malicious ads in front of users.
Not only that, but a malicious advertiser can leverage the advantages gained by the information gathered about the user. For instance, if the malicious actor learns that the user is running an out-of-date version of the Google Chrome web browser they can place a bid and, if they win the auction, serve up a malicious ad that could exploit the vulnerable browser.
It’s also important to note that websites rely on the legitimacy and security of ad networks when utilizing them to display ads on their sites. There is very little that they can do to screen for malvertising. If a malicious ad is identified, website owners can technically request that it be removed, but that does little to protect already affected users. Because of this, it’s important that users not conflate the trust instilled in a particular website with the ads displayed in the site.
Redirection in malvertising
While more could be done, online advertising isn’t entirely a free-for-all, and some vetting does occur. That means a bad actor can’t necessarily send a user directly to a page with an exploit or a malicious payload without being found out.
As a result, attackers leverage redirection. In a nutshell, when a redirection is included in a URL or on a web page, the browser is told to go to another site to retrieve the content it is looking for. Frequently, malicious actors will redirect a user through a series of URLs before landing on the malicious page.
There are a variety of ways attackers can do this. One of the most common methods today is by using what are called 302 requests in HTTP. In these cases, the browser is told that the page they are looking for has temporarily been moved to another location and a new URL is provided.
In other cases, a redirection can be performed using HTML or JavaScript. There are even techniques, such as the JavaScript location.replace method, that don’t even leave a record in the browser’s history, masking the redirect from the user.
Payload delivery
Using this method, an attacker can attempt to distribute any sort of payload they wish. In many cases, the final content displaying on the user’s page is an ad that entices them to download adware or potentially unwanted applications (PUAs) that offer a service, but does so by displaying further ads.
In other cases, the malicious ad opens a window or alert that attempts to trick the user into thinking their software is out-of-date. However, if they attempt to install the fake update, they find themselves infected with malware.
Figure 2- A fake Flash update.However, what’s most concerning is the information that an attacker can glean from a user, through the ad exchange, can be used for active exploitation. For instance, an attacker can choose to only bid on ads that come from users running Internet Explorer. Obtaining the winning bid, the attacker can send an Adobe Flash Player exploit in their “ad.” If the version of Flash installed is out-of-date, the machine can be compromised without the user even clicking the ad. The attacker has exploited the browser right out of the gate, requiring zero interaction from the user apart from loading the page that contains the ad.
Figure 3- Targeted selection options in an ad network.Protecting against malvertising
The simplest way to shield yourself from malvertising is to block ads and connections to third-party sites (sites beyond the specific domain in the URL). Ad blocking add-ons are available for most major browsers, and sometimes protections come baked in to modern browsers.
However, taking too aggressive a stance against ads can impact the performance of a web site. Sometimes it may break key features and components. Many sites now stop browsers with ad-blocking from viewing their site to begin with, requesting that the user disable it to view the site’s content. And in some cases, ad blocking software will allow certain ads through anyway, if the ad provider has paid the blocker to avoid them.
Given the current advertising network climate, there really isn’t a simple solution to protect against all forms of attack. Ultimately, a layered approach is the best defense against malicious advertising.
Domain-level protections, such as those offered by Cisco Umbrella, will help to block redirects to domains that are known to be malicious, often stopping a series of redirects halfway through the chain.
An endpoint protection application, such as AMP for Endpoints, can prevent malicious payloads from being installed onto a computer that encounters a malicious advertisement.
Network Security appliances that include IPS signatures, like Next-Generation Intrusion Prevention System, can detect malicious activity such as exploit attempts against vulnerable software.
Cisco’s Secure Internet Gateway and Web Security Appliance contain web scanning features that can prevent access to malicious websites.
Finally, if you’re looking for a deep dive into malvertising, how it works, and more of the latest techniques used by cyber criminals, check out Cisco Talos‘ blog post on the topic, Malvertising: Online advertising’s darker side.

Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.
The post Malvertising appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Why We Must Get Data Privacy Right

By Robert Waitman As consumers the world over gear up for the holiday shopping season, and with Black Friday and Cyber Monday soon upon us here in the US, global consumers will be purchasing online more than ever before. In fact, global e-commerce sales are projected to be more than $140 billion over the holidays, up 15 percent from last year’s record. With all this online commerce, consumers will be knowingly – or unknowingly – sharing their personal information with companies and websites when they make purchases. A common belief is that consumers have lost the ability and will to control how their personal information is used online. But that appears to be changing.
According to the Cisco 2019 Consumer Privacy Survey released today, a significant group of consumers cares so deeply about data privacy that they are already acting to protect their data – even by changing providers when necessary. Our study draws on survey responses from more than 2600 adult respondents in 12 countries worldwide. It explores consumer attitudes and actions regarding their personal data, the products and services they use, their comfort level with potential new business models, and the impact of data privacy regulations. By surveying consumers, our study also adds an end-user perspective to Cisco research on the corporate impact of changes in the data privacy industry.
What consumers tell us about privacy
Overall, our findings reveal a new landscape in which privacy has become a critical business imperative and an important driver of consumer behavior. Specifically, we cover four areas of insights in the study:
People care about privacy and many have already taken actions to protect it. We’ve identified a group of consumers (32%), which we call “Privacy Actives”, who say they care about privacy, are willing to act to protect it, and have already acted by switching companies or providers based on their data-sharing practices. The Privacy Active group is sizable and is an attractive demographic for companies because its members skew younger and do more shopping online. Perhaps most importantly, this group sees respect for privacy as core to the customer experience.
Privacy regulations and policies provide “guardrails” for innovation and help build trust. Our research looked at several potential new business models where personal data might be used in unexpected ways but could enhance personal safety and security. One example would be sharing personal information from home or a car in exchange for health or safety warnings. Overall, consumers were generally uncomfortable with these models, but those respondents who were aware of privacy regulations (for example, the EU General Data Protection Regulation – or GDPR) were much more comfortable than respondents who were unaware.
Consumers value government’s role in regulating the use of data, and they view the GDPR very favorably. Survey respondents want the government to play a role in providing oversight and to make sure companies are complying with the law and their stated policies. Perhaps for this reason, GDPR is perceived very positively around the world (55% favorable vs. 5% unfavorable). In addition, consumers felt that GDPR has given them more control over their data and has enhanced their trust in companies using their data.
Many consumers (43%) say they still cannot effectively protect their data today. While there are many reasons for this, by far the biggest reason stated is that it’s too hard to figure out what companies are actually doing with their data.
A new way to understand the value of privacy to companies
Our research also suggests a new framework for measuring the benefits and return on privacy investment beyond regulatory and compliance requirements. Specifically, the areas of benefit include:
Attracting and retaining customers who care about privacy and are willing to act
Improving business agility and innovation
Reducing sales friction
Enhancing the overall attractiveness of the company.
As more consumers place a premium on proper protection of their data, companies have a significant opportunity to meet regulatory requirements while they realize business benefits and build trust with their customers.
For most organizations, privacy has become a critical business imperative. Cisco recognizes this imperative, and we prioritize being clear and transparent with our customers. Some of the tangible ways we do this include providing information on our Trust Portal and with our privacy data sheets and data maps that clearly describe how our products and services use data.

More Information
Cisco 2019 Consumer Privacy Survey
Cisco 2019 Data Privacy Benchmark Study
Cisco Data Privacy
Cisco Trust Portal
The post Why We Must Get Data Privacy Right appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Innovaphone IP101 und IP102

IP-Telefone für Einsteiger

Sie suchen ein IP-Einsteigertelefon und möchten trotzdem nicht auf beste Sprachqualität und moderne Sicherheitsprotokolle verzichten? Unser Partner innovaphone produziert in Deutschland die beiden Modelle IP101 und IP102. Diese eignen sich bestens dafür, sind zudem ideal im Einsatz für klassische Telefonie und unterscheiden sich lediglich durch eine USB-Schnittstelle für Headsets und einen Gigabit- bzw. Fast-Ethernet-Anschluss.

Die Daten hierzu finden Sie bei innovaphone unter folgenden Links:

Daten zum IP 101

Daten zum IP 102

Oberberg-Online ist seit 16 Jahren zertifizierter innovaphone-Partner und bietet IP-Kommunikationslösungen für jede Unternehmensgröße an. Sprechen Sie mit uns, wenn Sie auf Qualität und Sicherheit aus Deutschland setzen wollen:

DSC_2022 klein
Jörg Wegner
02261 9155052
wegner@oberberg.net
Dirk Zurawski
02261 9155051
zurawski@oberberg.net
Daniel Wenzlau
02261 9155054
wenzlau@oberberg.net

The Importance of the Network in Detecting Incidents in Critical Infrastructure

By Simon Finn As we saw in my last blog, the network plays a key role in defending critical infrastructure and IoT. The devices that we are connecting drive our business, enabling us to make smarter decisions and gain greater efficiency through digitization. But how do we ensure those connected devices are acting as intended? From an industrial operations perspective, we need to know that plant operations are nominal, irrespective of cyber threat. The network is well positioned to assist us in detecting misbehaving devices.

Network telemetry for visibility
In order to have assurance of business operations, it is critical to have visibility and awareness into what is occurring on the network at any given time. Network telemetry offers extensive and useful detection capabilities which can be coupled with dedicated analysis systems to collect, trend and correlate observed activity. In the security world we can infer much from network telemetry, from malware behaviour and reconnaissance, to data exfiltration. It is even possible to infer to some extent what is contained in encrypted traffic. Not only can we use this traffic for detection, but also for investigation. Having a historical record of communication also assists with investigating incidents. We can see, for example, what other hosts may have talked to a command and control server, or we can look at any lateral movement from a host.
The first step is to collect Netflow, which is a unidirectional sequence of packets with some common properties that pass through a network device. These collected flows are exported to an external device, the NetFlow collector. Network flows are highly granular; for example, flow records include details such as IP addresses, packet and byte counts, timestamps, Type of Service (ToS), application ports, input and output interfaces.
Exported NetFlow data is used for a variety of purposes, including enterprise accounting and departmental chargebacks, ISP billing, data warehousing, network monitoring, capacity planning, application monitoring and profiling, user monitoring and profiling, security analysis, and data mining for marketing purposes.
For most network devices (including many ruggedized devices used in OT environments), Netflow is simply an option you can turn on sending this data to a Netflow collector. Lower-end switches may not have this option; however, a span port can send traffic to a Netflow Sensor to accomplish this task. Gathering network telemetry visibility is the first step for organisations. The next steps are to utilise tools that can analyse the traffic and look for behavioural anomalies. For more advanced use cases, Encrypted Traffic Analytics (ETA) offers insights into encrypted traffic as well.

Accelerating detection through smarter tooling
The problem of scale in IoT, is also evidenced in security incident detection and response, where we have more traffic to review, and accordingly, more events. We need tools to help us, and Machine Learning (ML) and Artificial Intelligence (AI) based tooling are important technologies, particularly when it comes to network behaviour. Devices, as opposed to humans, tend to have very defined behaviour, so leveraging ML and AI to observe and baseline this behaviour offers high fidelity alert sources.
Machine Learning in Network Security

Leveraging context for better results
To really accelerate detection and lower our median time to detect, we need all our tools to work together. In the previous post we discussed network context and understanding what a device policy should be, at scale. What if we could leverage that same information to assist with detection? Understanding contextual information and what a device’s policy should be, can help increase fidelity of behavioural alerts. Investigators also benefit from having this information integrated into their tools, which helps speed investigations.
Stay tuned for the next blog post in the series which will explain the last key issue – The network’s key role in how we respond to incidents. November is Critical Infrastructure Security and Resiliency Month, so head over to our Trust Center to learn more about critical infrastructure protection.

The post The Importance of the Network in Detecting Incidents in Critical Infrastructure appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Finding the malicious needles in your endpoint haystacks

By Samuel Brown Accelerate Threat Hunts and Investigations with Pre-Curated Complex Queries
Security teams often lack the ability to gain deep visibility into the state of all their endpoints in real time. Even with a bevy of tools at their fingertips, once an incident occurs, conducting investigations can be likened to searching for a needle in a haystack. Teams struggle to make well informed remediation decisions fast enough, finding themselves asking questions like, what should I be searching for? Where specifically in my environment should I zero-in? Which datasets matter? Which are irrelevant? The struggle is real. As we all know, the longer a threat runs wild, the more havoc it stands to wreak on your environment. Between the intense time-pressure, endless datasets to sift through, and ambiguity associated with not knowing where or how to start, incident investigations can feel like frenzied wild goose chases.
Many teams have adopted threat hunting to take a more proactive and preventative (rather than purely reactive) approach to managing their security hygiene. With 43% of organizations performing continuous threat hunting operations in 2018, versus just 35% in 2017, the practice is undoubtedly growing in scope and popularity. However, this begs the question: what’s holding back the remaining majority – the other 57% – of organizations? The reality is that although many teams want to threat hunt, they simply don’t know how to get started, or erroneously believe that they don’t have the personnel, time, and resources to dedicate to the endeavor. But fortunately, that’s no longer the case…
Know everything. About every endpoint. Right now.
Cisco recently rolled out a powerful new advanced threat hunting and investigation capability in Cisco® AdvancedMalware Protection (AMP) for Endpoints called Advanced Search that gives users the ability to search across all endpoints for forensic information and malware artifacts. Think of this as the ultimate search engine for all your endpoints – with over a hundred pre-canned queries provided, Advanced Search makes security investigations and threat hunting simple by allowing you to quickly run complex queries on hundreds of attributes in near real-time on any or all endpoints. For example, it allows you to type in queries like:
Show me all computers that are listening on certain ports – something that certain variants of malware will do when they are waiting on instructions from a C&C on what to do.
Show me all processes that are running in memory but do not have a file on disk – something that is rarely seen with innocuous processes, and thus strongly indicates the possible presence of fileless malware trying to escape scanning and analysis hiding out in your environment.
Show me all the users logged in – if a user is logged into systems in a department that the user doesn’t belong in, or if the user is logged into multiple machines at one time, this could indicate a breach.
Advanced Search gives you deep visibility into what’s happening on any endpoint at any time by taking a snapshot of its current state, and the search options are limitless; users can immediately perform advanced searches via the 100+ curated queries that come with the tool or create their own custom queries. Whether you’re threat hunting, conducting an incident investigation, IT operations, or vulnerability and compliance assessments, Advanced Search gets you the answers you need about your endpoints fast.

How does it work?
Whether you are investigating an incident or proactively hunting for threats Advanced Search can help you simplify and accelerate these tedious processes in the following ways:
Forensics snapshots. We can capture snapshots of data from endpoints such as running processes, open network ports and a lot more at the time of detection or on demand. It’s like “freeze framing” activity on an endpoint right to the moment. This allows you to know exactly what was happening on your endpoint at that point in time.
Live search. Run complex queries on your endpoints for threat indicators on demand or on a schedule, capturing the information you need about your endpoints in near real time.
Predefined and customizable queries. We provide over a hundred predefined queries that you can quickly run as they are or customize them as needed. These queries are simply organized in a catalog of common use cases and mapped to the MITRE ATT&CK.
Storage options. The results of your queries can be stored in the cloud or sent to other applications such as Cisco Threat Response for further or future investigations.

Common use cases
Advanced Search can help you do the following important tasks better, faster:
Advanced Threat Hunting: Search for malicious artifacts across any or all your endpoints in near real-time to accelerate threat hunts.
Mature organizations – Streamline workflows for seasoned teams that already perform continuous threat hunting operations and get beyond atomic and computed IOCs and into the really interesting stuff, like registry keys, process PID exploits, and all kinds of attacker TTPs cataloged with Threat Grid and the MITRE ATT&CK.
Novice Threat Hunters – Empowers teams that don’t have threat hunting programs in place to begin to threat hunt without requiring them to hire additional staff or rip and replace their security stack.

Incident Investigation: Get to the root cause of incidents faster to accelerate incident investigation and remediation efforts.
IT Operations: Track software inventory, disk space, memory, computer utilization, and other IT operations artifacts quickly and expediently – good threat hunting tools can also be used to enhance IT operations.
Vulnerability and Compliance: Easily check the status of Operating Systems for things like software version levels to validate patch management to ensure that your endpoints are in compliance with current policies.
Threat Hunting Versus Incident Response
An additional bonus to threat hunting is that it breeds familiarity with tools and techniques that come into play when an incident or breach does occur, effectively training teams to be better incident responders. Since both disciplines deal directly with threats in your environment, the skills exercised when threat hunting are arguably one and the same as those associated with incident response. The only difference is that whereas incident response is reactive and involves known evidence of a threat in your environment, threat hunting is a proactive practice that is carried out without evidence. Since practicing threat hunting sharpens investigative skills and response times, teams that threat hunt are naturally better equipped to react like pros when faced with real incidents. The ‘Hunting for hidden threats‘ whitepaper in Cisco’s Cybersecurity Report Series covers this topic in more detail and is a great place to learn even more.
Whether you’re new to threat hunting, are a seasoned veteran who wants to streamline operations and take your threat hunting program to the next level, or merely want to accelerate incident remediation, the solution to your woes has arrived. Test drive Advanced Search today with a free trial of Cisco AMP for Endpoints, or register for one of our Threat Hunting Workshops to get hands-on experience threat hunting, investigating, and responding to threats so that you can become a pro at finding the malicious needles in your digital haystacks.
The post Finding the malicious needles in your endpoint haystacks appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Welcome to the New Zero Trust

By Thu T. Pham Complexity, opacity and the gatekeeping of knowledge are tactics often used to appear sophisticated or intelligent. They can also be used to intimidate.
In security and technology, complexity can lead to critical gaps in visibility and an extended attack surface – with too many vendors and solutions to interconnect and manage. Additionally, many enterprises are operating with limited budgets, too many projects with conflicting priorities, projects creating disparity between different technology teams; all supported by a limited security team (or an IT or networking team doing double duty). As a result, complexity creep has risen to counteract our best security efforts.
At Cisco, we’re seeking to eliminate that complexity and close knowledge gaps with simplicity in how we execute and deliver security, as well as transparency in how we talk about it. The security industry is often guilty of using buzzwords and jargon that can add to the growing complexity and shifting priorities as enterprises attempt to follow best security practices defined by the industry.
Zero Trust: The Concept, Defined
To that end, let’s start with defining and simplifying the most popular buzzword, ‘zero trust‘ – it’s about never implicitly trusting, but always verifying someone or something that is requesting access to work resources.
It’s not about getting rid of the perimeter – but rather tightening security on the inside.The new perimeter is less about the edge of the network, and now more about any place you make an access control decision.
–Wendy Nather, Head of Advisory CISOs, Summarized from Zero Trust: Going Beyond the Perimeter
Historically:
Users, devices and applications were located behind a firewall, on the corporate network
All endpoints accessing resources were managed by the enterprise
Systems managed by enterprises could all inherently trust one another, and trust was often based on network location
The new zero trust is about:
Gaining visibility to intelligently inform policy, and enabling BYOD (bring your own device) or IoT (Internet of Things) devices for business agility
Continual reestablishment of user, device and application trust
Continuous monitoring and threat containment
Protecting the Workforce, Workloads & Workplace
With all of that in mind, what exactly are you trying to protect?
Enterprises are complex by nature. They have vast IT ecosystems, with many different vendors, software and infrastructure spread across the multi-cloud and on-premises. They have many different types of users – employees, contractors, customers, etc. – everywhere across the world – often using their own personal devices to work. They have applications that talk to each other via APIs, microservices and containers. And they still have enterprise networks that devices regularly access, including IoT.
That’s why we’ve simplified things – by classifying each area of your enterprise IT as equally important to protect using a zero-trust security approach.
Zero Trust for the Workforce – Ensure only the right users (employees, contractors, partners, etc.) and their secure devices (BYOD) can access applications (regardless of location).
Zero Trust for Workloads – Secure all connections within your applications (when an API, micro-service or container is accessing an application’s database), across the multi-cloud (cloud, data centers and other virtualized environments).
Zero Trust for the Workplace – Secure all user and device connections across your enterprise network, including IoT (types of devices may include: servers, printers, cameras, HVAC systems, infusion pumps, industrial control systems, etc.).
For complete zero-trust security, you need to address each area of your IT ecosystem – securing access across all environments, in a consistent and automated way.
Enter the Cisco Approach to Zero Trust
Cisco’s approach does not implicitly trust a request – but rather establishes trust for every access request, regardless of where the request is coming from. It secures access across your applications and network, while extending trust to support modern enterprises with BYOD, cloud apps and hybrid environments.
Cisco implements zero trust with a three-step methodology across the workforce, workloads and workplace by:
Establishing trust of a user, device, application, etc. – before granting access or allowing connections or communications.
Enforcing trust-based access policies with granular controls based on changing context – such as the security posture of devices and the behavior of applications
Continuously verifying trust by monitoring for risky devices, policy noncompliance, behavior deviations and software vulnerabilities
For the workforce, Duo Security protects against phishing, compromised credentials or other identity-based attacks with multi-factor authentication (MFA) to verify user identities and establish device trust before granting access to applications.
For workloads, Tetration secures hybrid, multi-cloud workloads and contains lateral movement with application segmentation. Identify vulnerabilities in software versions and block communication to reduce your overall attack surface.
For the workplace, Software-Defined Access (SD-Access) provides insight into users and devices, identify threats and provides control over all connections across the enterprise network, including IoT devices.
Extending Trust
While this is a good starting place, other solutions in the Cisco Security portfolio can extend the zero-trust security model further. Cisco’s framework is built to integrate seamlessly with your existing infrastructure and investments using an open API model, standards-based platform and strong technology partnerships to ensure that everything across your environment is protected – securing your enterprise as you scale.
Those strong partnerships include major players in the industry, including Microsoft, Amazon Web Services (AWS), Google and many more.Extending trust to integrate with third parties for better visibility and consistent policy enforcement is key to making a zero-trust approach practical and effective for modern enterprises.
Benefits of a Zero-Trust Security Approach
Overall – this framework provides the benefits of a comprehensive zero-trust approach:
Increased visibility – Get insight into the contextual data behind access requests, including users, user endpoints and IoT devices connecting and talking to your applications and network
Reduced attack surface – Mitigate risks related to identity attacks (stolen or compromised passwords, phishing) and lateral attacker movement within your network (in the event of a breach – contain the impact of the initial breach)
Broad coverage – Zero-trust security for not just the workforce, but across workloads and the workplace for complete coverage and a consistent approach to securing access and enforcing policies, regardless of where data or applications are located

Learn more about Cisco Zero Trust. Or, sign up for a free trial of Duo, demo Tetration and learn more about SD-Access to start your zero-trust journey today.
Did you hear? Cisco was named a leader in The Forrester Wave: Zero Trust eXtended Ecosystem Platform Providers, Q4 2019 – read the report.

The post Welcome to the New Zero Trust appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Consolidate your Security in the Cloud with Cisco Umbrella

By Meg Diaz
What makes a great partnership? Open communication and a passion for constant advancement are two important elements. Our customers have helped us continuously innovate, and together, we’re transforming how security is delivered. Over the past 12+ months, we embarked on a journey to take Cisco Umbrella to a new level.
DNS has always been at our core — starting as a recursive DNS service (OpenDNS) in 2006, then moving into the enterprise security space in 2012 with the release of Umbrella. Enforcing security at the DNS layer was something brand new at the time. People started to see how valuable it was to have a single view of all internet activity across every location, and it was an incredibly effective way to block threats at the earliest possible point (and who doesn’t love fewer alerts to investigate!?). Add in the fact that it’s delivered from the cloud and can be deployed enterprise-wide in minutes…you can start to see the appeal it has.
As we saw more applications and infrastructure move to the cloud, more people working off-network (and “forgetting” to turn on that pesky VPN), and the move to more direct internet access at remote offices, we heard more from our customers about what they needed from a security service. It wasn’t just about DNS-layer security — they often needed more. We’re excited to share that we’re now delivering more. Much more.
Now, Umbrella offers secure web gateway, cloud-delivered firewall, and cloud access security broker (CASB) functionality — in addition to the DNS-layer security and threat intelligence from Investigate — all in a single, integrated cloud console. All of this is available in a new Umbrella package: Secure Internet Gateway Essentials.
By unifying multiple security services in the cloud, we are now able to offer our customers greater flexibility, sharper visibility, and consistent enforcement, everywhere your users work. The goal is simple ­– if we can simplify your security operations and reduce complexity, then you can reduce risk and accelerate secure cloud adoption.
Here are a few examples of innovations that we’re introducing as part of this:
Bye Security Silos, Hello Consolidation
It can be an overwhelming endeavor to help your organization transition to the cloud and secure direct internet access. It takes skill and a considerable amount of resources. How many office locations are you tasked with securing? We’ve heard loud and clear that it’s not sustainable for you to build a separate security stack in each location. By moving those core security services to a single cloud solution, you’ll be able to deploy the right level of security consistently across your organization. And you have the flexibility to deploy it as needed — you’re not forced to proxy everything or deploy in a specific way. For example, you could start with DNS for fast protection everywhere and leverage additional security services (secure web gateway, firewall, CASB, etc.) wherever you need them.

“I like the simplicity of Cisco Umbrella from a management perspective, but I also enjoy the complexity of the advanced layers of protection that Cisco Umbrella provides. This one product has truly transformed our ability to protect our entire workforce, regardless of location.” – Ryan Deppe, Network Operation Supervisor, Cianbro Corporation

Well-known Technology, Brand New Approach
IPSec tunnels have been around forever. But, we set out to do something different based on what we’ve heard from you. Cisco developed a new technology for IPSec tunnels that minimizes downtime and eliminates the need to build secondary tunnels with a patent-pending approach using Anycast technology for automated failover. A single IPsec tunnel can be deployed to send traffic to Umbrella from any network device, including SD-WAN. This integrated approach combined with Anycast routing can efficiently protect branch users, connected devices, and application usage from all internet breakouts with 100% business uptime.
Real-time Detection of DNS Tunneling
Even though we’ve been a leader in DNS-layer security for years, we won’t rest on our laurels. We’re watching attacker tactics and quickly adjusting ours — DNS Tunneling is one example. DNS tunneling utilizes the DNS protocol to communicate non-DNS traffic (i.e. HTTP) over port 53. There are legitimate reasons why you would use DNS tunneling, but attackers have been using it for data exfiltration and command and control callbacks. To better identify and stop this, we’ve added advanced detection capabilities, real-time heuristics, signature, and encoded data detection to Umbrella.
Deeper Web Control, Retrospective Alerts on Malicious Files
Our new secure web gateway (full proxy) provides complete web traffic visibility, control, and protection — with capabilities such as content filtering at the URL-level, blocking applications or app functions, HTTPS decryption (either for select sites or all), file inspection with Cisco Advanced Malware Protection and antivirus, sandboxing unknown files with Cisco Threat Grid, and retrospective alerts on files that subsequently display malicious behavior. Think about it — file behavior can change over time or could put mechanisms in place to evade initial detection. If a file is initially determined to be safe by Threat Grid and downloaded from the web, but later is deemed to be malicious, you can now see that in Umbrella.
All of these Umbrella enhancements are designed to help your organization accelerate cloud adoption with confidence — you need assurance that your users will be secure wherever they connect to the internet and that’s exactly what we’re focused on delivering for you. If you want to learn more, join our Security Virtual Summit on November 12th and check out Jeff Reed’s blog to hear about other Cisco Security innovations.
The post Consolidate your Security in the Cloud with Cisco Umbrella appeared first on Cisco Blogs.

Source:: Cisco Security Notice

The death of the network perimeter and the firewall? Not so fast.

By Don Meyer Welcome to The Future of Firewalling, Part 1…
For over two decades, the firewall has been the de-facto tool that facilitated secure connectivity between different networks. Firewalls were traditionally designed around the idea that internal traffic and users were inherently trustworthy and external traffic wasn’t. Thus, the firewall was deployed to create a trust boundary – or perimeter – between networks. This network perimeter became the logical security control point to protect an organization’s network, data, users, and devices. What’s more, all network traffic (whether originating from the corporate headquarters, its data center, or remote workers) was funneled through this single control point, making it easy to maintain that trust boundary and establish consistent control. Life was good.
Then the world went digital
And when it did, the way we worked, consumed data, and exchanged ideas transformed. The introduction of the “cloud” further compounded things: many of our business-critical applications started moving from our data centers and premises-based networks to places we no longer owned or controlled. At the same time, our branch offices started directly connecting to the Internet to consume services that are now more frequently hosted outside our data centers. And users began accessing more and more resources from their personal devices everywhere but in the office.
As our networks have become far more interconnected, the notion of a single perimeter or control point no longer exists. The industry has been abuzz for some time about the “dissolving perimeter” and whether the firewall is even necessary anymore. I would argue that not only is the firewall more relevant than ever, we now need more firewalls everywhere – on our premises networks, at branch offices, at the gateway and within our data center, in the cloud, on devices, and even within our application workloads.
From macro to micro
Instead of a single perimeter we now have multiple “micro-perimeters” across a variety of networks, devices, users, and data. Typically, each of these new “perimeters” is secured by adding different point technologies, which require a lot of manual intervention just to get going. Couple that with the significant shortage of available talent to manage all these new devices and we’ve got an even bigger challenge. As a result, organizations are struggling to operationalize their disparate security solutions to maintain consistent policies and uniform threat visibility. Network complexity? Check. Network security complexity? Check. Misconfigurations and inconsistencies leading to exposures and breaches? Check mate!
And while we’re struggling to get a handle on all this complexity, our adversaries continue to unleash more sophisticated threats more frequently across more threat vectors. In fact, the average reported rate of data breaches was 46% in 2018, up from 24% in 2017, according to the 2018 Global Threat Report. This steep climb in reported breaches is a testament to the increasingly sophisticated methods bad actors are using to infiltrate our networks; the growing rate of their success shows just how ineffective the status quo is against modern threats.
And here we are
It has become painfully obvious that we’ve lost visibility and control. We no longer have a good understanding of where our users and data go nor how exposed our businesses are. It’s hard to determine what’s communicating with what, or if we’ve even been breached, until it’s too late. And the pace of change is accelerating as more businesses embrace digital transformation, creating a perfect storm of opportunity for motivated hackers. And a perfect headache for those of us tasked with security. Where do we start to get a handle on it all?
It’s time to rethink the firewall
The importance of the firewall hasn’t diminished – in fact it’s more relevant than ever – but we need to think differently about it. We must go beyond form factors and physical or virtual appliances to embrace firewalling as a functionality. Firewalling needs to be about delivering world-class security controls – the key elements for preventing, detecting, and stopping attacks faster and more accurately – with common policy and threat visibility delivered where you need it: in the data center, in the cloud, at the branch office. So you’re protected everywhere.
At Cisco, we’ve been hard at work bringing that vision into reality, so you can build your strongest security posture for today and tomorrow. Stay tuned to The Future of Firewalling blog series to hear about it. And visit cisco.com/go/ngfw to learn more about Cisco Next-Generation Firewalls.
Coming soon:
The Future of Firewalling, Part 2: Don’t let complexity ruin your security
The post The death of the network perimeter and the firewall? Not so fast. appeared first on Cisco Blogs.

Source:: Cisco Security Notice