Cisco ASA DoS Bug Attacked in Wild

By Talos Group
This post authored by Nick Biasini

Cisco Talos has recently noticed a sudden spike in exploitation attempts against a specific vulnerability in our Cisco Adaptive Security Appliance (ASA) and Firepower Appliance. The vulnerability, CVE-2018-0296, is a denial-of-service and information disclosure directory traversal bug found in the web framework of the appliance. The attacker can use a specially crafted URL to cause the ASA appliance to reboot or disclose unauthenticated information.

This vulnerability was first noticed being exploited publicly back in June 2018, but it appeared to increase in frequency in the past several days and weeks. As such, we are advising all customers to ensure they are running a non-affected version of code. Additionally, we want to highlight that there is a Snort signature in place to detect this specific attack (46897). Concerned customers should ensure it is enabled in applicable policies that could detect this exploitation attempt.
Read More>>

The post Cisco ASA DoS Bug Attacked in Wild appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Threat Roundup for December 13 to December 20

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec 13 and Dec 20. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center,, or
Read More
TRU12202019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for December 13 to December 20 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

The 3 W’s in Zero Trust Security

By Cristina Errico Picture this scenario: you are a security guard at an office building. Today you are looking after a restricted area. A person you’ve never seen before walks straight past you into one of the rooms. Would you stop them or would you just assume they are allowed to be there?
In a physical world, trust is most commonly based on who you are, not where you are. A savvy security guard would ask you for your ID before allowing you in. Virtually, though, the situation is different: being in the right place is often enough. If you are inside of a company’s network perimeter, it is often assumed you have the right to be there. You gain access to the same data and tools that any other trusted user would. It’s clear that such an approach is no longer enough.
Zero trust security comes in as an alternative model, more in line with the current threat landscape. It is based on the principle of “always check, never trust“, originally introduced by Forrester. It takes into account 3 main factors:
Workforce: Employees are at risk of identity theft, which is one of the most widespread types of fraud today.
Workload: New vulnerabilities in applications and their improper management open highways for cybercriminals.
Workplace: With more and more connected devices, the workspace has extended far beyond the four walls of you company building.
Moving from a perimeter model to Zero Trust means assessing, adapting and implementing new security policies that address threats in a constantly changing environment. In this trust-centric approach access is granted to users and devices, not a network.

This means that policies now need to be calculated based on a vast number of data sources. All network activities must be continuously taken into account. Any indications of compromise or changes in the behaviour of apps, users and devices must be examined, validated and receive immediate responses.
How to apply a Zero Trust model
Cisco’s practical approach to Zero Trust includes six important steps.
Establish levels of trust for users and user devices (identity verification with multi-factor authentication and device status, which must be compliant and properly updated)
Establish levels of reliability for IoT and/or workloads (profile and baseline)
Establish SD perimeters to control access to the application (authorised access)
Establish SD perimeters to control access to the network (segmentation and micro-segmentation)
Automate the adaptive policy using normalisation (network, data centre and cloud)
Automate the adaptive policy using the response to threats (adapt the level of trust)

Zero Trust Security involves people, processes and technology in its adoption. It can provide a roadmap for a truly efficient and automated security infrastructure.
Join us at Cisco CISO Day in Barcelona
We will cover zero trust security and other strategic topics at the “Cisco CISO Day“, an exclusive event for CISOs, taking place on 27 January 2020 in Barcelona at the Cisco Co-Innovation Center.It is a great opportunity to talk with colleagues and experts and find concrete answers to any burning security questions.

The post The 3 W’s in Zero Trust Security appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Anomaly Detection in Complex Systems: Zero Trust for the Workplace

By Michele Festuccia Zero trust and complexity management represent a new basic combination for a closed-loop approach to anomaly detection and mitigation for critical infrastructures.
This abstract introduces a set of functional blocks that could enable automation and assurance for secure networks. These blocks are designed to reduce/simplify the impact of anomalies and/or anomalous behaviors on complex systems.
A closed-loop system uses feedback where a portion of the output signal is fed back to the system to reduce errors and improve stability. Access control and intelligent networks can generate data that could be compared with several patterns for gap analysis and feedback retroaction.

Closed-Loop System
Zero Trust is the New Secure Infrastructure Model
Zero trust is the latest and most efficient practice “to securing all access across your networks, applications, and environment. This approach helps secure access from users, end-user devices, APIs, IoT, microservices, containers, and more.
Provide more secure access, protect against gaps in visibility and reduce the attack surface.
Cisco Zero Trust allows you to [1]:
Consistently enforce policy-based controls
Gain visibility into users, devices, components, and more across your entire environment
Get detailed logs, reports, and alerts that can help you better detect and respond to threats.”
Quantitative Complexity Management: A New Approach to Anomaly Detection
Network visibility is essential [2] to zero trust. The scope of assurance systems is to qualify risk from an IT network and security perspective, based on analysis of networks and applications events.
Anomaly detection is the identification of rare items, events, patterns or observations which raise alerts by differing significantly from most of the data. The idea behind anomaly detection is to identify, or anticipate, cyberattacks and malfunctions. Machine learning could be used to detect anomalies very efficiently, as there are different algorithms that can address the topic. This is accomplished by presenting the learning algorithm with tens, hundreds or even thousands of examples of anomalies. And herein lies the problem.
In systems such as large networks or critical infrastructures, the high complexity may hide anomalies which can remain unknown or dormant for extended periods of time. Consequently, training an algorithm to recognize them is impossible. In addition, highly complex systems often comprise thousands or hundreds of thousands of data channels. In a similar context, defining and describing an anomaly may be very difficult and producing a significant set of learning vectors simply not feasible.
To better address anomaly detection, we can introduce new mathematical functions which change the approach. This method is based on the QCM (Quantitative Complexity Management), which can recognize that something unusual is going on without having seen it before.
Complexity is a new multi-dimensional descriptor of systems, networks or processes: it quantifies the amount of structured information within a system and is measured in bits. It has been observed that rapid complexity fluctuations usually correlate with or even anticipate transitions in dynamical systems, providing strong early warning signals. An example is shown below.

Complexity Index Trend Example
(Horizontal axis corresponds to time, the vertical to the complexity index)
However, the early warning feature offered by rapidly changing complexity is only the icing on the cake. In many cases, it is already immensely important to simply know that something harmful or damaging is taking place. Being able to answer the questions “are we under attack?” or “is our system becoming dangerously fragile?” is already a feat in many cases. Finally, QCM also indicates which data channels or variables are responsible for a spike in complexity, making it possible to quickly identify the source of a problem. Basically, this means that we no longer need to define anomalies in advance and then train an algorithm to recognize them. A sudden spike in complexity is an anomaly for which training isn’t necessary. QCM gets it right the first and only time a specific behaviour appears. [3]
An example of a Complexity Map, illustrated below, is relative to the software/electronics subsystem in a car. The map is synthesized in real-time using sensor data taken from the CAN bus.

Complexity Map example for Automotive
The map shows the instantaneous interdependencies between sub-systems, and also indicates which subsystems are the complexity drivers at a given time. These are pointed out by the larger boxes on the diagonal of the map. Knowing which sub-systems or components drive complexity is helpful when it comes to determining the source of problems or malfunctions.
Complexity and resilience are referenced by “ISO/TS 22375:2018 Security and resilience – Guidelines for complexity assessment process.” This document provides guidelines for the application of principles and processes for a complexity assessment of an organization’s systems to improve security and resilience. A real-time assessment can be implemented on different data streams of different sources. The index fluctuations analysis allows an organization to identify potential hidden vulnerabilities of its system and to provide an early indication of complexity-induced risk. [4]
A QCM block can actively drive the complexity of a given system to desired levels. Therefore, in the presence of complexity-increasing anomalies, the QCM controller will compensate, attempting to drive complexity to lower levels. A combination with network assurance systems and QCM is the base of closed-loop architecture.

Network Automation with Closed-Loop Architecture Plus QCM
Because highly complex systems are fragile and often operate close to collapse, it is most important to monitor their complexity. A crisis cannot always be predicted, but it is possible to identify pre-crisis conditions and scenarios, which is what QCM does by producing the mentioned complexity increases and spikes that alert of something anomalous.
[1] Zero Trust Going Beyond the Perimeter
[2] ‘Visibility on the network‘ is also a key threat listed in NIST’s 800-27 publication on Zero Trust Architecture, page 22 (U.S. guidelines on cybersecurity for federal agencies).
[3] “Complexity Management: New Perspectives and Challenges for CAE in the 21-st Century”, J. Marczyk, BenchMark Magazine, NAFEMS, July 2008.
[4] The ISO 22375 originates from the UNI 11613 published in 2015.
The post Anomaly Detection in Complex Systems: Zero Trust for the Workplace appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Stealthwatch Enterprise and Cisco Threat Response: Bringing machine-scale analysis to human-scale understanding

By Sana Yousuf From zero-day malware to cryptojacking, from man-in-the-middle attacks to spear phishing, from ransomware to distributed denial of service attacks (DDoS) attempts – businesses of all sizes and industries are the constant target of these attacks. It’s perfectly normal to find this barrage of threats overwhelming – and then there’s constant pivot between multiple security solutions required to detect, investigate and remediate.
Now imagine a world where disparate solutions do not exist. A world where there is no need to manually correlate information from various sources to build a complete picture of each potential threat. Where two clicks are all it takes to get situational awareness of the threat impact and potential scope of compromise, and the context needed to formulate an adequate response strategy.
Two clicks and done, you say?
What if you could get insights into everything going on across the network, and you could quickly baseline your environment’s normal behavior, no matter what your organization’s size or type? And what if this knowledge could also be correlated with alerts across your endpoints, firewall, web, etc. to make it easier to identify something suspicious and kick it off your network? With Cisco Threat Response, you can now convert this vision into reality. It is a key pillar of Cisco’s integrated security platform and is designed to give you the contextual awareness you need so you can see, investigate, and act on threats fast. Our obsession with connecting the dots within your network has already made Threat Response the Incident Response workbench of choice for SOCs across the world.
Get Answers, Not Alerts
An investigation can involve dozens or even hundreds of discrete data elements, multiple sources of threat intelligence and an armor of security products providing telemetry. Before Cisco Threat Response, each observable had to be investigated against each threat intel source and each network and security products individually and manually, which takes even seasoned experts a long time to do. With Threat Response, they can either simply paste all of those observables into Cisco Threat Response and it does the work for them. It brings all of that knowledge back from intel sources and security products, displaying results in seconds. From there, SOC teams can take action immediately or continue their investigation with the tools provided.
Cross-platform visibility and response powered by analytics
We all know that security analytics has become something of a buzzword, but it continues to gain positive momentum and sustain relevance. Cisco’s network security analytics solution, Cisco Stealthwatch Enterprise integration with Threat Response brings the power of each to the other.
How does this work?
Stealthwatch provides agentless enterprise-wide visibility, across on-premises, as well as in all public cloud environments. Using the power of behavioral modeling, multilayered machine learning, and global threat intelligence, Stealthwatch Enterprise produces alarms on critical threats by monitoring both north-south and east-west traffic. Stealthwatch sends those alarms directly to Cisco Threat Response’s Incident Manager feature, allowing users to see those alarms alongside prioritized security alerts from other products such as Firepower devices. This communication is handled via a secure intermediary cloud service called Cisco Security Service Exchange (SSE). No internal data is bulk uploaded to the cloud; sightings and the associated metadata are sent only in response to specific queries. In this way, investigations on all IP addresses are enriched with Stealthwatch insight, regardless of the catalyst for the investigation, all delivered in seconds and in an easy to read graphical format that helps you both intuitively understand what happened and respond quickly and effectively across your entire portfolio. These incidents can then be investigated with additional context from your other threat response-enabled technologies, all in one console, with one click. This lowers the time required to perform triage and response to these alarms.
Figure1- Ability to pivot and drill-down into the Stealthwatch Management Console or choose to investigate a directly in Threat ResponseFigure 2-Enrichment of Stealthwatch alarms with context from other security technologies. Block suspicious files, domains, and more–without having to log in to another product first.The Stealthwatch -Threat Response integration bring together a number of unique differentiators for the SOC workflow. Our Cisco Security customers are able to:
Streamline Investigation Workflow
With ability to pivot and drill-down into the Stealthwatch Management Console and other security technologies like Cisco Advanced Malware Protection (AMP) for Endpoints, Cisco Threat Grid, Cisco Umbrella, Cisco Email Security, Cisco Firepower/ NextGeneration Firewall (NGFW).

Enhance Collaboration with Case Book
The casebook browser plug in allows a Stealthwatch users to leverage all the power of their configured threat response modules, right from the Stealthwatch interface via built-in pivot menus. For example, you can use it to pull IP addresses or domains from Stealthwatch interface where there’s an observable and the casebook feature of Threat response will allow you to kick off an investigation directly from your browser.

Accelerate Response with Incident Reporting to Threat Response
Stealthwatch automatically shares critical and major Alarms with Cisco Threat Response as Incidents which are then further enriched. You are able to tie independent product data and events together to uncover threats by investigating multiple observables across multiple data sets and products. The integration gives you the power to investigate with automated enrichment and respond with confidence directly from the Threat Response interface using products such as AMP for endpoint and Umbrella.

Access the Power of Analytics ( for existing Threat Response users)
With the integration, Threat Response users can now investigate entity security events sent over from Stealthwatch in cases where the potential host can be the source or target of an event. This provides granular visibility on internal network activity for suspected hosts under investigation.

Simplify to Amplify
Threat Response is designed to get you more from your Cisco Security investments by automating integrations directly out of the box. It’s also designed to dramatically cut the time and effort needed to detect, investigate, and remediate – making your SOC operations more efficient and effective.
More than 6,700 customers today are reducing the time it takes to both investigate and respond to threats across multiple security technologies with Cisco Threat Response. And it’s included as part of the Cisco Security product licenses and take under 10 minutes to get up and running in your SOC. There’s nothing more to buy.
Overwhelmed to Empowered
At every RSA conference, 600 security vendors vie for the CISO’s mindshare with no shortage of vendors offering point solutions that offer miracles for your SOC.The reality is that most organizations already have an abundance of point products designed to address specific challenges, but most of these products can’t be easily integrated to fulfill a larger and more effective security strategy. Isn’t it time for the security industry to do better? At Cisco, we think it is. We’re building a platform that redefines security powered by integrations. At the heart of our platform approach is a simple idea: security solutions should be designed to act as a team. We invite you to come with us on this journey that simplifies your experience and reduces complexity, paves the path for an integrated and open platform that strengthens operations, stays out of the way, and gives your team time back.
For more information on Cisco Threat Response, visit our webpage or create an account in the U.S.or EMEAR to get started right away.
To learn more about Cisco Stealthwatch, go to
To learn more about Cisco Threat Response, go to
The post Stealthwatch Enterprise and Cisco Threat Response: Bringing machine-scale analysis to human-scale understanding appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Combat Modern Day Plague in Security with Email Security and Cisco Threat Response Integration

By Sana Yousuf In January 1900, the four-masted steamship S.S. Australia laid anchor in the Port of San Francisco. The ship sailed between Honolulu and San Francisco regularly, and its passengers and crew were declared clean. However, it is difficult to define what ‘clean‘ was in the absence of parameters that could trace the infection back to a single vector. Health and medical professionals struggled to assess and eradicate the disease-make sense of where it came from, if the disease had been seen somewhere in the world, who was the patient zero?
Fast forward to the future, the US Department of Energy’s laboratory Oak Ridge National Lab shuts down the Internet and email services after a cyberattack. The attacks were launched through phishing emails that were sent to about 573 lab employees. The emails were disguised to appear like it came from the lab’s HR department and purported to inform employees of some benefits related changes. Time is of essence in scenarios like this where technology needs to step up to provide answer and not alerts. Is your security program equipped to answer questions-Which email messages have seen this filename or file hash? Which email messages were targeted by this sender email address? Which email messages has seen this subject?
It’s not a matter of IF, but only a matter of when.
The launch of Cisco Threat Response represented a giant leap forward for the goal of reducing or eliminating the burden that exists within today’s Security Operations Center (SOC) by integrating security architecture. The next step in that process was establishing an integration with Security. With solutions like AMP Unity, we have visibility into the email gateway. But Cisco Email Security is the first platform integration that provides deep visibility into content as it travels the network toward the endpoint much like our four-masted steamship. It enables you to find your patient zero!
Being Prepared for the Inevitable
For today’s organizations, email is not only a critical component of business communication, but also a leading attack vector for security breaches. According to Cisco’s Annual Cybersecurity Report, bad actors continue to utilize email as the primary vector for spreading malware.
Additionally, research from the Department of Digital, Culture, Media & Sport states that 80% of businesses with a cybersecurity breach or attack in the last 12 months were targeted by a phishing attack. According to the 2018 Duo Trusted Access Report, 62% of phishing simulation campaigns ran through the Duo Insight tool captured at least one set of user credentials. Nearly a quarter of the campaign recipients clicked the phishing link in the email, and half of those that clicked the phishing link then entered credentials into the fake website. While these attacks aren’t always sophisticated, they are clearly becoming harder to spot by the untrained eye, as hackers find new ways to make malicious emails appear legitimate.
A recent report from Cisco Talos Intelligence Group shared information about a ransomware attack known as LockerGoga that leverages an encryption process to remove the victim’s ability to access files and other data that may be stored on infected systems. Phishing user credentials is one way that an attacker can gain network access, restrict file access, and then deliver a ransom note demanding payment in exchange for keys to decrypt files that LockerGoga has impacted. Cisco Email Security can block malicious emails sent by threat actors as part of their campaign to gain network access. This is just one example of how Cisco Threat Response can protect email as a threat vector.
All you have to do is peek into your personal email spam folder to find bad actors trying to gain access to you and your network through malicious, compromised, or spoofing emails. In fact, 85% of all email in April 2019 was spam, according to TalosIntelligence. Your network must be prepared for the inevitability of a threat delivered via email.
How Does Cisco Email Security Integration Work?
Without a single console to monitor network threats, email has been a difficult vector to protect. However, security architecture integration enables a SOC analyst to identify users who receive a malicious file, quarantine the file, and block the domain the file is reaching out to, without switching interfaces. Faster incident response times are possible because Threat Response provides the user a full picture of the attack, and immediate access to a broad array of integrated protective and mitigative technologies.
Cisco Email Security enables deeper visibility in Cisco Threat Response at multiple layers in an attack’s trajectory, including DNS, endpoint, and now email. With each integration, Threat Response provides enrichment of known attack data, and users can pivot directly into other Cisco Security product consoles to quickly access deeper details of the threat. Users are able to take action immediately through the Threat Response console by blocking the threat vector and associated malicious infrastructure.
Cisco Email Security provides information and context via the Cisco Threat Response platform on email-based threats, by responding to requests for enrichment of elements such as email subject, file name or sender email address, to name a few. Here’s how this works. Your Security Management Appliance (SMA) registers to Cisco’s cloud Security Service Exchange (SSE) and initiates a connection for SSE’s API proxy. Threat Response communicates with the SMA via this SSE proxy, which relays requests for enrichment to your email security solutions (whether on on-premise or in the cloud) and forwards responses back to Threat Response. Emails are never sent to the Threat Response or SSE clouds, and raw log data is not stored in the cloud. By providing this insight at the email messaging layer, Threat Response allows responders to find email-borne threats before they manifest on the endpoint.
Alternatively, in one of the recent releases, we have enabled direct integration of Email Security Appliance with Cisco Threat Response, without the use of SMA, which allows customers who have made investments in Email Security but do not use an SMA to benefit from Cisco Threat Response as well. In this scenario Cisco’s cloud Security Service Exchange connects to ESA directly, and SSE allows an ESA to register with the Exchange, while Cisco Threat Response is provided with an explicit permission by a customer to access the registered devices.
Check out this video to get an overview of the benefits of using Cisco Threat Response and Cisco Email Security together.
Cisco Threat Response Enables Detection to Remediation in 2 Clicks

It’s clear that integrated architecture improves security, drives cost efficiencies, and boosts productivity. And according to Forrester, our customers have seen as high as 70% improvement in security operational efficiency by implementing an integrated architecture.
Cisco Threat Response enables your Cisco Security products to integrate seamlessly and begin working to detect, investigate, and remediate threats. The information that you need across your deployed Cisco products is available immediately in one interface. This allows you to more quickly and intuitively formulate your response plan, while also helping you enact the plan with common response actions available directly and immediately in the Cisco Threat Response interface.

Cisco Security solutions continue to be integrated and add more value to the platform. In addition to Cisco Email Security, Threat Response opens visibility into a variety of contexts:
Users have visibility into the endpoint with Cisco AMP for Endpoints.
Visibility into content and edge security can be obtained with the above integration by configuring those devices into the AMP for Endpoints UI via the Unity feature.
Cisco Umbrella provides a portal into domain resolution requests and associated network activity.
Cisco Threat Grid provides access to context-rich automated malware analysis and threat intelligence.
Open API integrations support additional solutions already present in a customers‘ security setup.
Threat intelligence from Cisco Talos and third-party sources integrates automatically to research indicators of compromise (IOCs) and quickly confirm threats.
By providing automated integration across several Cisco Security products, including Email Security, Threat Response provides a seamless experience that serves as a foundation for fast, efficient incident investigation and response.
Building Value Through Integration
As previously mentioned, the value of Threat Response is in the integration of security architecture to enable the SOC to have all needed information and an increased level of detail to make a determination and take action against a network threat. These integrations continue to streamline processes and create cost efficiencies for our customers.
With Cisco Email Security, keeping email secure is no longer a time-intensive task. With its integration into Cisco Threat Response, email threats can now be solved in just minutes. While this is the first integration that steps into the middle ground between the external network and the endpoint, stay tuned for continued integrations that add further visibility into content as it traverses across the network.
Check out the Cisco Cybersecurity Report that examines email security from three angles: the current state of the challenges of security practitioners, the mechanisms behind phishing attacks, and recommendations for defenders. Cisco Threat Response adds enhanced protection to your network against email threats like malware, phishing, spoofing, ransomware, and business email compromise
If you’re interested in giving Cisco Threat Response and Cisco Email Security a test drive, be sure to visit our webpage or create an account in the U.S.or EMEAR to get started today.
Want to keep up to date on Cisco Threat Response? Now you can! Subscribe here to receive alerts every time a new blog is posted.
The post Combat Modern Day Plague in Security with Email Security and Cisco Threat Response Integration appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Frohe Weihnachten und ein gesundes Jahr 2020

Das Oberberg-Online Team bedankt sich bei allen Kunden und Freunden des Hauses für die gute Zusammenarbeit und das Vertrauen im vergangenen Jahr. Wir wünschen segensreiche Weihnachtstage im Kreise lieber Menschen und ein gesundes und sicheres Jahr 2020.

Cisco and IBM: Solving Customer Challenges through the Power of Partnerships

By Jeff Reed Complexity is one of the top challenges our customers face today. CISOs not only want to enable their teams to detect and respond to threats faster, they want to simplify workflows and streamline operations at the same time. In our annual CISO surveys, we’ve been seeing a trend toward vendor consolidation, which tells us CISOs are looking for ways to make their solutions simpler.
Vendors typically work in siloes to solve these kinds of challenges. But at Cisco, we believe we can achieve more through collaboration. That’s why we’ve been working in partnership with IBM Security to provide joint customers an in-depth, end-to-end defense strategy while simplifying their vendor relationships.
The average organization juggles 45 different security vendors. Leveraging the breadth of Cisco and IBM’s security portfolios allows our customers to drastically reduce that number of vendors while still using best-in-class products. The reduction in vendor surface creates more than just technical efficiencies. By consolidating vendor relationships, customers can maximize their buying power through vehicles like Enterprise Agreements, as well as simplify contract management and support cases.
Leveraging Cisco and IBM strengths
At Cisco, we believe we have excellent technologies to help customers prevent threats to their businesses, and with products like Cisco Threat Response, we even speed up various elements of the technical response. With IBM, we have focused our initial integrations on QRadar and Resilient product lines to help customers further prioritize threats and better assist with their response both at a technical and business level.
Let’s say you had an insider attack. The Cisco/IBM integrated solutions enable faster investigations of suspicious behaviors that could compromise credentials or systems. For example:
Cisco Stealthwatch looks for behavioral indicators of compromise in activity traversing the network, including encrypted traffic without the need to decrypt the data. IBM QRadar builds on that detection, as well as other Cisco solutions like Firepower Threat Defense, to correlate events from network traffic and logs to help security teams quickly prioritize threats.
Cisco Identity Services Engine helps you associate malicious activity with specific user credentials, and you can quarantine the user and lock down network access right from QRadar.
Responding to the attack is not just about gathering the information. You also need to understand how the business responds to the threat — is this something that needs public release of information, do you need to involve law enforcement, will this result in employee termination, and so on. To help operationalize incident response, you can use investigation results from all the integrated solutions to create a report in Resilient.

Innovative solutions to address customer needs
Many of the Cisco/IBM collaborative solutions are unique for the industry, and they’re based on lessons Cisco and IBM have learned from our extensive customer bases and our threat intelligence teams, Cisco Talos and IBM X-Force.
To make breach response more efficient, earlier this year we integrated Cisco Advanced Malware Protection (AMP) for Endpoints with QRadar and IBM Resilient SOAR. These integrations enable security teams to do things like:
Receive AMP for Endpoints telemetry directly in QRadar for a consolidated view of events across endpoints and ability to search, analyze, and correlate them.
Pull AMP for Endpoints data into Resilient to investigate events, automatically bring the results into an incident, and get more details on detected threats, then quarantine detected malicious files.
Since threats evolve quickly, defenses can’t rely on one mechanism alone. We work together in various other ways to help you detect unknown threats like ransomware or speed up response time. For instance:
Resilient customers can submit suspicious malware samples to Cisco Threat Grid to get detonated, with the hashes sent back to Resilient. This can stop malware or ransomware before it ever reaches the end user.
IBM Resilient users can query Cisco Umbrella for a list of blocked domains, save them to a data table, and delete or add new ones — preventing end users from accessing risky internet connections.
We’re listening to your feedback
Because we’re invested in the results that this collaboration can produce for our customers, we’re continuously expanding and improving our integrated solutions based on your feedback. The latest examples are enhancements made to the Firepower Threat Defense and QRadar SIEM integration, which accelerate threat investigation and remediation by correlating events across network, applications, and users.
Our customers wanted to dig deeper than the top-level summaries previously available. We listened — and the new, enhanced Firepower app that we’re releasing provides a higher level of detail in the integrated dashboard.
With Firepower Threat Defense and QRadar, you can answer questions like:
Which hosts in my network are potentially compromised?
Which hosts are known to be compromised?
What malware is most often observed in my network?
Which hosts have sent the most malware?
This is just one of the new enhancements and expansions we’ve been making as part of our alliance, and more are on the roadmap. By reducing complexities, increasing visibility, and improving threat defenses, our collaboration is improving outcomes in areas that are top of mind for our customers.
Learn more
Cisco and IBM are continuously engaged in discussions about new possibilities, and we expect our combined forces to produce many new solutions. To see how you can benefit from this partnership, learn more about Cisco’s and IBM’s integrated technology, threat intelligence, and services.
The post Cisco and IBM: Solving Customer Challenges through the Power of Partnerships appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Incident Response Lessons From Recent Maze Ransomware Attacks

By Talos Group
This post authored by JJ Cummings and Dave Liebenberg
This year, we have been flooded with reports of targeted ransomware attacks. Whether it’s a city, hospital, large- or medium-sized enterprise — they are all being targeted. These attacks can result in significant damage, cost, and have many different initial infection vectors. Recently, Talos Incident Response has been engaged with a couple of these attacks, which involved the use of targeted ransomware. The concept of targeted ransomware attacks is simple: Get access to a corporate network, gain access to many systems, encrypt the data on a large chunk of them, ask for a large lump sum payment to regain access to those systems, and profit.
The first widespread targeted ransomware attacks involved the SamSam ransomware, which Cisco Talos researchers first discovered in early 2016 and were incredibly profitable, despite ending in indictments from the U.S. government.
In 2019, there have been multiple players in this space, the most prolific of which has been the Ryuk campaigns that start with Emotet and Trickbot. Other targeted ransomware attacks have involved other types of ransomware and varied attack methodology. Included in this list is ransomware like LockerGoga, MegaCortex, Maze, RobbinHood, and Crysis, among others. More recently, attackers have taken the extra step of exfiltrating data and holding it hostage, which they claim they will release to the public unless payment is received, a form of doxxing.
The post Incident Response Lessons From Recent Maze Ransomware Attacks appeared first on Cisco Blogs.

Source:: Cisco Security Notice