Threat Roundup for February 21 to February 28

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Feb 21 and Feb 28. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats are subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, or
Read More
TRU02282020 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for February 21 to February 28 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

‘Never Trust, Always Verify’: Duo joins forces with AMP for Endpoint

By Sana Yousuf
29.3 billion – that’s the approximate number of devices and network connections estimated globally by 2023, according to the latest Cisco Annual Internet Report. As we get more connected, we can expect to see a massive rise in cybersecurity threats – a trend that is predicted to double from 9 million in 2018 to 15.4 million by 2023 globally. The increasing consumerization of IT and growing distributed network of users who access business critical applications are posing a real and serious challenge for security teams.
You need a platform that can meet your evolving enterprise needs to securely connect trusted users to the right applications on the network fast. You need a solution that is continuously nourished with contextual insights from your network to make access control decisions. But the real question is: How do you continually verify trust for both users and devices at scale when massive data and device proliferation is part of today’s reality?
Unifying User and Device Protection with Cisco Endpoint Security and Duo
We are beyond excited to announce that the integration between Cisco® Advanced Malware Protection (AMP) for Endpoints and Duo is now available. This powerful tandem unifies secure user access and device protection, empowering your zero-trust security platform for all users, devices and applications. This means endpoints that are deemed infected or compromised will be blocked from accessing Duo-protected applications. With AMP for Endpoints you get a comprehensive cloud-delivered next-generation antivirus endpoint protection platform (EPP) and advanced endpoint detection and response (EDR). It’s the endpoint security you need to stop breaches and block malware, then rapidly detect, contain, and remediate advanced threats that evade front-line defenses. Duo, for its part, provides unified access security, multi-factor authentication (MFA) and contextual user access policies that verify a user’s identity to ensure they are who they say they are, and adds further checks on the trustworthiness of devices through security health inspections.

“It’s not about getting rid of the perimeter – but rather tightening security on the inside. The new perimeter is less about the edge of the network, and now more about any place you make an access control decision.”
Wendy Nather, Head of Advisory CISOs, Cisco Duo, Summarized from Zero Trust: Going Beyond the Perimeter
Trust is neither Binary nor Permanent
Duo’s Trusted Endpoints feature lets you define and manage trusted endpoints and grant secure access to your organization’s applications with device certificate verification policies. Every time a user logs into an application using Duo, it reaches out to its cloud service, which applies the Trusted Endpoints policy setting to the access attempt. The Duo prompt checks for the Duo device certificate in the user’s personal certificate store. If it is present, Duo reports the endpoint as trusted. If the Duo certificate isn’t present, we report that the endpoint does not have a certificate (and is therefore not a managed endpoint), and application access may be blocked from that device. This helps you distinguish between unmanaged and managed endpoints that access your browser-based applications and enables you to create new policies within AMP. These new endpoint policies track whether users accessing the applications have the Duo device certificate present, and can block access to various applications from systems without the Duo certificate. The platform enables us to create synergy and harness integration touchpoints between technologies: see once and block everywhere.

Establishing Device Trust to Secure the Workforce: Visibility that informs Policy
AMP for Endpoints continuously monitors your endpoints and can quickly detect a threat, identify its point of origin, track its rate of progression, show you where else it’s been, see exactly what it is doing, and determine whether it has infected any other endpoints on the network. When Duo and Cisco AMP for Endpoints have shared visibility into a Windows or macOS endpoint, Duo can block user access to Duo-protected applications from endpoints deemed compromised by AMP.

With zero-trust security from Duo, Cisco protects access to 3,000 applications for 120,000 users and 400,000 devices worldwide. Check out ‘Duo + Cisco: Workforce Zero Trust’ to learn more.
A Platform Approach to Security
Cisco’s vision for a security platform is built from a simple idea that we mentioned earlier: security solutions should act as a team, learning from each other, listening and responding as a coordinated unit. Our platform, Cisco SecureX, connects the breadth of Cisco’s integrated security portfolio and your entire security infrastructure for a consistent experience that unifies visibility, enables automation, and strengthens your security across your network, endpoints, cloud, and applications. We’re committed to creating a platform that delivers a better security experience at every point in your network. The seamless integration with other security technologies, backed by Talos threat intelligence, helps you block, detect, investigate, and respond to threats across your entire environment, not just at your endpoints.
Leverage Cisco Threat Response to accelerate threat investigations, Adaptive Multi-Factor Authentication (MFA) to enable zero trust, and Cisco’s robust API to integrate with technology partners and get more value from your Cisco Security investment. With the AMP for Endpoints and Duo integration, we can ensure business agility by providing secure, frictionless access to any application, from anywhere, while significantly reducing the attack surface.
If you are joining us this week at RSAC 2020, come check out Endpoint Security and Duo to experience a demo within the Security area. Start securing your applications with a free trial of Duo and AMP for Endpoints today.
The post ‘Never Trust, Always Verify’: Duo joins forces with AMP for Endpoint appeared first on Cisco Blogs.


Threat hunting doesn’t have to be difficult—Taking a proactive position with your cybersecurity

By Adam G. Tomeo
Your Endpoint Protection Platform (EPP) is up to date with the latest version. Your Endpoint Detection and Response (EDR) technology has all of the latest framework rules and automation in place. Vulnerabilities and patches for hardware and software are all covered. Your Defense in Depth strategy appears to be keeping your organization secure. But, and there is always a “but”, some adversarial techniques are difficult to DETECT even on a good day. Exfiltration can be quite difficult to detect even if you are looking for it.
As advanced threats continue to proliferate throughout organizations’ IT resources, threat hunting has emerged as a practice. For an elite security organization, threat hunting takes a more proactive stance to threat detection. Threat hunting was a natural security progression reserved for the most mature environments, where skilled personnel leverage knowledge and tools to formulate and investigate hypotheses about their organization’s security across the landscape. Now, with technology advancements and automation, threat hunting is within reach for every organization.
Threat hunting is an analyst-centric process that enables organizations to uncover hidden, advanced threats, missed by automated preventative and detective controls.
Security professionals are beginning to discover threat hunting practices to advance their detection and response monitoring. Threat hunting requires a highly skilled person as well as wide-ranging data forensics and live response across the IT environment. There are only a handful of companies in verticals such as financial services, high-tech manufacturing, and defense that can claim to have advanced threat hunting teams that deliver results.
Today’s threat actors are well-organized, highly intelligent, motivated and focused on their targets. These adversaries could be lurking on your network or threatening to break into it, using increasingly sophisticated methods to reach their goal. In addition, attacks can come from many different threat surfaces to exploit the many vulnerabilities that may be present across an organization’s network and people. Worst of all, organizations do not know by whom, when, where or how a well-planned attack will occur. Today’s rule-based defenses and solutions have limitations; even advanced detection mechanisms struggle to anticipate how attack vectors will evolve. To mitigate threats more proactively, organizations must move quicker than the speed of the threat. The easiest way to put it: when the existing rules are undermined, it is time to start threat hunting.
Pyramid of Pain
Threat hunting also allows security teams to address the topmost tiers of the Pyramid of Pain, making it more difficult for adversaries to impact environments. At the “Tools” level, analysts are taking away one or more specific tools that an adversary would use in an attack. At the apex of the pyramid are the TTPs (Tactics, Techniques and Procedures); when analysts detect and respond at this level, they are operating directly on the adversary’s behaviors, not against their tools, forcing them to learn new behaviors.
There are three types of hunts.
Intelligence-Driven (Atomic Indicators) – These are low-hanging fruit hunts. They are generally known threats that bypass traditional security controls.
TTP-Driven (Behavioral and Compound Indicators) – These are hunts looking for techniques used by advanced attackers, where analysts take a methodological approach to discovering unknowns, generally attempting to interrupt the adversary’s TTPs (Tactics, Techniques, and Procedures).
Anomaly-Driven (Generic Behaviors) – These hunts are based on low-prevalence artifacts and outlier behaviors. They are leads on unknown threats.
Benefits of Starting a Threat Hunting Practice
There are many benefits from starting a threat hunting practice. The most obvious is discovering and thwarting an attack before it causes significant damage. However, what about a threat hunt that doesn’t find anything? Is that really a bad thing? Having stronger knowledge of vulnerabilities and risks on the network will allow a hardening of your security environment, which in turn should equate to fewer breaches and breach attempts. Moreover, the insights gathered from threat hunts will aid in reducing the attack surface. Another key result from beginning a threat hunting practice is that security teams will realize increased speed and accuracy of threat responses. Ultimately, organizations should witness measurable improvements for key security indicators such as mean time to detect and mean time to respond.
In-House or Outsourced?
Through outsourcing, threat hunting can be accessible for organizations of all sizes, but especially for small and medium sized organizations, which often do not have a Security Operations Center (SOC) because one is too expensive to build and support. Many mid-market companies have a SOC and are considering adding threat hunting to their current environment. Enterprise and large organizations perhaps are looking for assurance by augmenting existing threat hunting efforts. And in many cases, these enterprise organizations simply want to empower and educate their staff.
Just in time for RSAC, Cisco is pleased to announce that it will be adding Threat Hunting as a feature to our Cisco AMP for Endpoints offering. Our new threat hunting by Cisco Talos uniquely identifies advanced threats, alerting our customers before they can cause any further damage by:
Uncovering hidden threats faster across the attack surface using MITRE ATT&CK and other industry best practices
Performing human-driven hunts based on playbooks producing high fidelity alerts
Continually developing systematic playbooks, executing on broad, low-level telemetry on product backend
Our new threat hunting capability:
Is provided by Cisco Talos, the largest non-governmental threat intelligence organization on the planet
Is not limited to just one control point (i.e., the endpoint); instead, we hunt across multiple environments
Uniquely combines our new Orbital Advanced Search technology with expertise from elite threat hunters to proactively find more sophisticated threats
If you are at RSAC, be sure to stop by our booth #6045 in the North Hall. If you aren’t at RSAC, sign up for a Cisco Threat Hunting Workshop to learn more about threat hunting.

The post Threat hunting doesn’t have to be difficult—Taking a proactive position with your cybersecurity appeared first on Cisco Blogs.


A Platform Approach + Precise Analytics = Better Equation

By Ben Munroe
There are so many companies each year at the RSA Conference that it would be useful to have some analytics to help guide your time there: which of the 700-plus vendors should you try to spend time with to solve your current problems? Similarly, customers are trying to keep up with the growing list of tools from all these companies that they can use to protect their environments.
With today’s constant deluge of attacks and complex enterprise infrastructure, a successful security program requires the right mix of ingredients. The CISOs I talk to are more likely to ask, “How many more ingredients do I have to add to the mix? I am already struggling to manage and respond to the alerts I am receiving from my current technologies. Where does it end?”

In my last blog post, I discussed the criticality of security analytics for dealing with this challenge. Without analytics, our security professionals would be even more overwhelmed than they already are, trying to make sense of non-stop alerts from various technologies. Through the use of analytics, intelligence, and automation, Cisco is helping security teams take back control of their environments and their schedules through more proactive defenses.
According to our newly released 2020 CISO Benchmark Report, a majority (77%) of respondents are planning to increase automation to simplify and speed up response in their security ecosystems over the next year. We can’t fix the current state of security overnight, but it’s a goal that Cisco is continually striving for as we expand and evolve our portfolio.
Introducing Cisco SecureX – The broadest, most integrated security platform
This week at the RSA Conference, we are announcing our new security platform, called Cisco SecureX. As the broadest, most integrated platform on the market, SecureX brings Cisco and other security products and capabilities together to work as a team. It connects the breadth of Cisco’s integrated security portfolio and customers’ entire security infrastructure for a consistent experience that unifies visibility, enables automation, and strengthens protection.

Cisco SecureX makes it easy to establish coverage across every threat vector and access point, and evolve security to meet the needs of tomorrow. It leverages all parts of your infrastructure to enable better decision making based on comprehensive threat detection and meaningful security analytics.
You’ve probably heard others talk about security platforms before. Here’s the thing: their platforms don’t cover all the threat vectors. They don’t work with an ecosystem of third-party technologies. And they don’t integrate with core business technologies like the network.
Cisco SecureX does all of this to bring enhanced integration, visibility, and automation to security teams. This results in more streamlined, efficient, and collaborative protection across your entire infrastructure. And analytics play a key role in connecting these dots and extracting maximum value from an integrated security platform.
Precise Analytics Across the Platform
My previous blog post focused on the valuable security analytics delivered by our Network Traffic Analysis technology, Cisco Stealthwatch. While crucial, Stealthwatch is just one component of our analytics capabilities, which span our entire platform and portfolio – from the network and cloud to endpoints and applications. There are now seemingly infinite avenues for attackers to infiltrate our environments, so each one must be equipped with strong security fortified by analytics and intelligence.
On the network…
Cisco Stealthwatch leverages behavioral modeling and machine learning to process billions of network transactions, detect anomalies, and reduce them to critical alerts for enhanced threat detection – even in encrypted traffic. Meanwhile, Cisco Web Security uses URL filtering, reputation analysis, and other techniques to automatically detect and block web-based threats.
In the cloud…
Cisco Umbrella uses statistical models to automatically score and classify data processed by our global network to detect anomalies, identify attacker infrastructure, and uncover known and emergent threats. This helps users remain safe while on the Internet – anytime, and from anywhere. Additionally, Stealthwatch threat detection can also be extended into the public cloud via Stealthwatch Cloud.

On the endpoints…
Our AMP for Endpoints product is trained by algorithms to “learn” to identify malicious files and activity based on the attributes of known malware. Machine learning capabilities in AMP for Endpoints can help detect never-before-seen malware at the point of entry. Additionally, Cisco Endpoint Security Analytics Built on Splunk uses behavioral analysis to obtain insight and shorten investigation time for potential threats on the endpoints, whether they are on or off the network.
Within applications…
Duo Security develops a baseline of normal access within an organization, and then analyzes each new access attempt to highlight anomalous behavior. This way, unauthorized users can be prevented from accessing sensitive applications and data. Additionally, Cisco Tetration uses security analytics to understand application behaviors for faster threat detection and consistent microsegmentation.
For More Information
Security analytics can help detect unknown threats and policy violations, and also reduce alert fatigue within security teams. The best part is, through our platform approach, these multiple analytics engines will not work in silos. Our products are being strategically integrated to exchange information, share context, increase automation, and more comprehensively protect your environment.
For more information on our Cisco SecureX platform, go to: To learn more about our security analytics capabilities, go to
The post A Platform Approach + Precise Analytics = Better Equation appeared first on Cisco Blogs.


New Research Paper: Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem

By Talos Group
Detection of malware is a constant battle between the technologies designed to detect and prevent malware and the authors creating it. One common technique adversaries leverage is packing binaries. Packing an executable is similar to applying compression or encryption and can inhibit the ability of some technologies to detect the packed malware. High entropy is traditionally a tell-tale sign of the presence of a packer, but many malware analysts have probably encountered low-entropy packers more than once. Numerous popular tools (e.g., PEiD, Manalyze, Detect It Easy), malware-related courses, and even reference books on the topic affirm that packed malware often shows high entropy. As a consequence, many researchers use this heuristic in their analysis routines. It is also well known that the tools typically used to detect packers are based on signature matching and may sometimes combine other heuristics, but again, the results are not completely faithful, as many of the signatures that circulate are prone to false positives.
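To make the heuristic concrete, here is an added Python example (not code from the paper or from Talos) that measures Shannon entropy per buffer and per fixed-size window and applies a rule-of-thumb threshold of 7.0 bits per byte, which is an assumption of this example. A constructed random payload trips the threshold, while the same payload stored in a 64-symbol encoding such as base64 stays below it, which is why a detector that relies on entropy alone needs other signals beside it.

```python
import base64
import math
import random
from collections import Counter

# Rule-of-thumb threshold in bits per byte; an assumption for this example, not a value from the paper.
HIGH_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 when every byte is identical, 8.0 at most)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_buffer(data: bytes, threshold: float = HIGH_ENTROPY_THRESHOLD) -> str:
    """Apply the entropy heuristic on its own: 'high' suggests a packer, 'low' does not."""
    return "high" if shannon_entropy(data) >= threshold else "low"


def max_window_entropy(data: bytes, window: int = 1024) -> float:
    """Highest entropy over fixed-size windows, so a packed region inside an otherwise plain file still shows up."""
    if len(data) <= window:
        return shannon_entropy(data)
    return max(
        shannon_entropy(data[i:i + window])
        for i in range(0, len(data) - window + 1, window)
    )


def demo() -> dict:
    """Measure three constructed buffers and report (entropy, verdict) for each."""
    rng = random.Random(20200228)
    # Constructed stand-in for an encrypted or compressed payload: uniformly random bytes.
    payload = bytes(rng.getrandbits(8) for _ in range(4096))
    # Constructed stand-in for an ordinary section of strings and code-like data.
    text = b"This section holds ordinary strings and code-like data for the demo. " * 64
    # The same payload stored in a 64-symbol alphabet: the information is unchanged, but
    # entropy per byte can never exceed log2(64) = 6 bits, so the heuristic no longer fires.
    encoded = base64.b64encode(payload)
    return {
        "text": (round(shannon_entropy(text), 2), classify_buffer(text)),
        "payload": (round(shannon_entropy(payload), 2), classify_buffer(payload)),
        "payload_base64": (round(shannon_entropy(encoded), 2), classify_buffer(encoded)),
        "text_then_payload_max_window": round(max_window_entropy(text + payload), 2),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:30} {result}")
```

Real PE section boundaries would come from a parser such as pefile (not used here); the window scan is a parser-free approximation.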
The post New Research Paper: Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem appeared first on Cisco Blogs.


Explorations in the spam folder

By Ben Nahorney
Everyone has a spam folder. It’s often disregarded as a dark, bottomless pit for fake emails from FedEx, pharmacy offers, and introductory emails from women far too amorous to be anything but fantastical. You’d be right to largely ignore this folder.
Yet each day new emails end up in it. Most of us have learned to leave it well enough alone. Still, few would admit to having no curiosity as to what’s in there. To satisfy this curiosity, we’ve dug into spam folders to explore the current types of messages being sent and find out what happens if you click the links and open the attachments. In essence, we’re opening these spam messages so you don’t have to.
Do not try this at home
This exploration is meant to inform, showcasing some of the scams and threats currently out there. However, in all of the spam messages we’ve examined, the links were clicked and attachments opened within a secure, sandbox environment.
In this case we used Cisco Threat Grid, which is an advanced sandboxing tool that can analyze threats against millions of other samples to fully understand its behaviors in a historical and global context, and then provide context-rich analytics and threat intelligence. We’ve also coupled this with Cisco Umbrella Investigate, which provides an excellent view of the relationships and history of particular internet domains and IP.
While most of the spam we looked at was prosaic, many were not. It’s mostly the latter that we’re showcasing here. Opening these emails on your own computer or device is very risky and can end up compromising it. In short, do not try this at home.
Snake oil sales
Let’s start off with the more mundane spam emails—the ones that more often than not simply attempt to part a fool from their money.
If there were a unified theory of spam it would be that it plays to both our aspirations and our insecurities: get in shape, lose weight, get a great night’s sleep, get the girl/guy, protect your family, improve your credit score, etc. There’s a wide variety of these emails that play to these desires—far too many to cover in any detail. Consider these as a smattering of what’s currently out in the spam landscape.

In this type of spam message, many of the message bodies share similar characteristics. This points to the use of email spam kits that leverage templates for crafting emails. These kits go far beyond the email bodies too, allowing all sorts of customization. For instance, some of the examples above were marked as “high importance” and flagged for follow-up before they even hit the spam folder.

Text only spam
Sometimes saying nothing is more effective than saying anything at all. That’s certainly the case with spam, as bare-bones spam messages are very popular. For instance, some emails just put the recipient’s name in the body, along with a link. The link leads to a get-rich-quick scheme in the guise of a fake news report about a Bitcoin investment platform. A “Try Now” link on the page leads to a second site that gives the user an option to register.

Spam promising romance or intimate encounters with strangers is also very common. Many are clearly advertisements, while others are attempts to begin a rapport before asking the victim for money. In this case, the site that you are directed to depends on the country you’re visiting it from. In general, these links guide users to lesser-known dating and meet-up sites, where it’s likely the scammers are generating ad revenue through click-through programs.

Social networking spam
Likes, comments, and profile views are the lifeblood of social networking, and the networks often entice users to return to their sites by sending emails on the user’s profile activity. In this particular example, the scammers have lifted the look of a LinkedIn email notifying the user that their profile had appeared in searches. If any of the links in the email are clicked, the page that loads isn’t LinkedIn. Instead, the user is notified that they are the “5-billionth search.” As a result, they can claim prizes ranging from gift cards to hardware devices. However, before receiving their prize, the user is required to fill out a survey and provide some personal details. More than likely the gift card never materializes.

Are they safe?
In each of the examples shown so far, there were indications that some sort of suspicious activity could be taking place. However, there was no smoking gun. Some sites and IP addresses appeared to have participated in past phishing campaigns or other malicious activity. So while these scams may not be performing malicious activity today, there’s nothing to say they won’t be tomorrow.

So now that we’ve covered the suspicious, let’s move on to the obviously malicious.
Log in to view
In the following example, the email appears to hint at an upcoming disbursement. While the details are sparse, the idea of unexpected money could lead a curious individual to click. After all, the email simultaneously warns the user that the email is from outside their organization and that it comes from a “trusted sender,” hoping that the recipient will let their guard down.

While it looks like the document is attached, the email only contains an image of an attachment. Clicking it does take the recipient to an actual Word doc, hosted on a SharePoint subdomain.

This document contains a link to what appears to be another document. Clicking that link opens another window containing what looks like an Office 365 login page:

Clicking the first link will take the user to another page that requests the user use their Office login details:

When they click the “Sign in” button, the user is redirected to a legitimate Office 365 page that presents an error message:

However, login details entered into the previous page have been logged on the malicious site, successfully stealing them from the user.

This type of spam isn’t exclusive to Office 365. There are plenty of instances where the bad actors go after other valuable login details, such as those from other webmail accounts, subscription services, or social media accounts.
Package delivery spam
This popular type of spam has proven to be effective enough that it’s used for a variety of objectives. The shipping companies impersonated vary widely and the spam emails are often modeled directly after email notifications you would receive from the actual company.

In other cases, the emails are a little more toned down, arriving as plaintext and including attachments rather than links.

The attached document, if opened, doesn’t show the user the promised contact form. In fact, it doesn’t appear to do anything at all. However, behind the scenes the attachment has compromised the computer with a trojan called “Hawkeye.” This threat is an infostealer that is often used to extract passwords from email and web browser applications, as well as to log keystrokes, harvest stored credentials, and capture screenshots and network activity.

The worst of the worst
The bad actors behind Emotet are one of the largest malicious spam email peddlers these days. We’ve discussed this threat in our Defending against today’s critical threats report, and Talos Intelligence has published multiple blogs on the threat. The folks behind Emotet have a few tricks up their sleeves when it comes to email distribution. Their spam campaigns often leverage news headlines and regularly utilize package delivery spam as described above.

Emotet also often pulls a trick that’s less likely to end up in your spam folder with ordinary email filters applied. These emails often arrive as replies to email conversations you may already be having with someone you know, usually an acquaintance, a co-worker, or an associate in another organization you do business with.

The attachments in these cases, if opened, generally download a copy of Emotet, effectively compromising the system.

How to protect yourself
The simplest way to protect yourself from spam emails such as these is to simply leave them in your spam folder. However, not all spam filtering applications are created equal and sometimes such messages can end up in your inbox—in particular some of the latter examples showcased here. The best thing you can do to identify spam is check for anomalies in the email messages you receive:
Multiple spelling and grammar errors in emails that appear to come from legitimate organizations should raise a red flag.
Move your mouse over URLs without clicking them. If the URL that appears at the bottom of the browser window looks at all suspicious, don’t click it.
Check the From: address. Does the name align with the email address? If not, disregard it.
Beyond the user-based aspects of identifying spam, a layered approach to security is critical in defending an organization from such threats.
Spam filtering software for email is critical. Deploying a robust email threat defense like Cisco Email Security, which uses URL blocking capabilities and Advanced Phishing Protection’s machine learning to understand and authenticate email identities and behavioral relationships, helps filter out spam emails and prevent attacks.
Endpoint protection software can also assist in detecting and quarantining malicious attachments. Cisco AMP for Email Security defends your business against such threats. Not only that, but AMP analyzes emails for threats such as zero-day exploits hidden in malicious attachments. It gives you advanced protection against spear phishing, ransomware, and other sophisticated attacks.
Tools for dynamically sandboxing threats, such as Cisco Threat Grid, can be used to analyze threats in a safe environment. Even better, integrate sandboxing so that it happens automatically in the background for new files and URLs arriving in email to quickly understand if they are malicious.
Finally, solutions such as Cisco Umbrella can not only block access to malicious sites, stopping many threats in their tracks, but additional tools like Umbrella Investigate provide further threat intelligence around a URL, domain, or IP address to better understand the sites your organization comes in contact with.
Enjoyed reading this Threat of the Month? Subscribe to the Threat of the Month blog series and get alerted when new blogs are published.
The post Explorations in the spam folder appeared first on Cisco Blogs.

Source:: Cisco Security Notice

A 20/20 Vision for Cybersecurity

By Steve Martino
As a CISO, where do you see your organization going this year? Perhaps some 20/20 vision could help?
If you can forgive the pun, I’m delighted to announce Cisco’s 2020 CISO Benchmark Report. This year we have combined our current standing in the Gregorian calendar with the notion of perfect eyesight. The end result is 20 recommendations for 2020, which can help security leaders achieve the vision they want for their organization.
We know that life can be tough for a CISO. It’s a role that is arguably right up there with the CEO in terms of responsibility and accountability, and the demands are eternally shifting. There are no defined boundaries as to what a CISO needs to address, from security operations, risk management to compliance mandates and beyond.
Security is boundless. It permeates everything in the organization. That is why – as a CISO – not only are you the person whose job is on the line for every data breach, you also need to be able to influence several departments in addition to the C-suite and board of directors.
And, of course, CISOs are also able to set a strategy that ensures cybersecurity can be a business enabler, and even a business winner. We’ve seen examples of a strong security posture deliver dividends when it comes to due diligence in the sales process.
The most successful CISOs try to knock down siloes to achieve effective protection everywhere. That means thinking big picture on security strategy, while talking in bits and bytes to your technology teams, and talking in debits and credits to your board members.
About the report
To help you achieve your 2020 vision, our annual CISO Benchmark Report contains contextually useful information for any security leader today. From how to influence the board and what reporting metrics are useful for them, to what causes downtime, and how to deal with complexity.
To compile this report, we surveyed 2800 security leaders globally to inform us about what they experienced in the previous year in their roles. Then we interviewed current and former CISOs to augment the data with expertise and opinion on leading practices. We posed questions such as:
What considerations drive security budgets and spending?
How do you balance spending on trust verification and threat detection?
How much downtime did you experience?
What types of threats has your organization faced?
For a detailed overview on these questions and more, be sure to download the CISO Benchmark Report today.
Here are some of the highlights:
Security leaders who had established clear security outcome objectives or metrics were less likely to experience cyber fatigue. It seems that clear metrics help you sleep better at night.
Brand reputation has climbed over the years as an area of the business affected by a security breach – brand reputation is now the second-most impacted business area after operations.
Voluntary breach disclosure is at an all-time high.
Those who were very/extremely collaborative between security and networking, or endpoint management and security groups, showed significantly lower breach costs.
Forty-six percent of organizations (up from 30 percent in last year’s report) had an incident caused by an unpatched vulnerability.
Malware and malicious spam come in as the first- and second-most commonly cited causes of breach. Ransomware is responsible for causing the most destructive amount of downtime (more than 17 hours) and also doesn’t discriminate – this is the case for both small-to-medium businesses and large enterprises.
We’ve also provided key insights throughout the report from CISOs and security leaders, such as this one from Mick Jenkins, CISO for Brunel University London on the CISO’s role with executive leadership and the board:
“Every organization is different in terms of the executive makeup and there are many different styles of executive leadership. The role of a CISO is to break through into that, have conversations, and engage with the business by demonstrating that well-designed security will give value back to the business.”
Also new this year are key topics to ask about as you prepare to raise your organization’s security posture. If these questions resonate with you, or provoke additional areas of inquiry, we’d love to hear from you at

We welcome you to download the 2020 CISO Benchmark Report today.

The post A 20/20 Vision for Cybersecurity appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Introducing SecureX

By Jeff Reed
Making Security an Enabler, so Your Business Can Take an Exponential Leap
I joined the Cisco Security team the week after the RSA Conference in 2017. At that time there was a lot of discussion around the journey Cisco Security was on, particularly around our efforts to deliver an integrated architecture. For the previous years we had been integrating threat intelligence, context sharing and our anti-malware engine across our portfolio and were seeing dramatic improvements in key metrics such as time to detection.
But from the perspective of a security practitioner’s daily experience with our portfolio, we were failing. The user experience was siloed, it took too long to stitch our products (and third-party products) together, and even the navigation and look and feel of our products varied dramatically.
Shortly after that RSA we made the decision to focus our attention on the operational experience of our Security products, realizing that the usability component was equally as important as the underlying architecture. We stood up a team to lead us on that journey and began laying the foundation for what would become a huge leap forward for Cisco Security and for our customers.

Today we are introducing Cisco SecureX – a new way for users to experience Cisco’s Security portfolio. Cisco SecureX streamlines our customers’ operations with increased visibility across their security portfolio and provides out-of-box integrations, powerful security analytics, and automated workflows to speed threat detection and response. SecureX is an open, cloud-native platform that connects Cisco’s integrated security portfolio and customers’ security portfolios for a simpler, more consistent experience across endpoints, cloud, network, and applications.
The foundational capabilities of SecureX
SecureX builds on the foundational work we’ve been doing over the past 2.5 years, including Cisco Threat Response, common user experience, single sign on, secure data sharing between on-prem and the cloud and more. But it does a whole lot more. The best way to experience SecureX is to visit us at the RSA conference. For those of you who can’t make it, here are some of the most important capabilities of the platform:
Unified visibility
SecureX provides unified visibility across all parts of your security portfolio – Cisco or third-party solutions – delivering metrics, activity feed and the latest threat intelligence. I am particularly excited about the operational metrics capabilities of SecureX: Mean Time to Detection, Mean Time to Remediation, and Incident burndown times. These metrics are derived from full case management capabilities native to the SecureX platform. Case management enables SecureX customers to assign cases, track them to closure, and add relevant artifacts captured during investigation.
SecureX brings full multi-domain orchestration and automation capabilities to our customers using a no/low-code approach and an intuitive drag-and-drop interface to deliver high-performance, scalable playbook capability. The SecureX orchestration and automation capabilities use an adapter model that allows users to quickly and easily orchestrate across Security, Networking, IoT, Cloud, Collaboration, and Data Centers. SecureX already has 50+ adapters across these domains and will continue to develop more.
SecureX will deliver pre-built playbooks, and customers can also develop their own playbooks tailored to their own environment of Cisco and non-Cisco products. With our phishing playbook for example, end users can submit suspicious email to SecureX to get a recommendation of whether it is malicious or not. If the submitted email is malicious, the end user will be notified of recommended next steps, and an event will be generated in SecureX alerting the security team. To deliver this capability, the playbook pre-processes email to extract observables, determines the verdict for observables, hunts for targets involved and takes mitigation and/or preventative actions such as isolating the targets involved, blocking the malicious domain as necessary, etc.
Managed threat hunting
Only Cisco can bring multi-domain managed threat hunting capability across endpoint, cloud, email, etc. because of the breadth and scope of our product portfolio. Multi-domain managed threat hunting detects threats by leveraging a combination of intel and data techniques to surface activity that might have slipped past traditional threat, behavioral, and ML-based techniques. High-fidelity threats confirmed by our Talos and Research teams are then communicated to customers through the SecureX activity panel as well as via emails with detailed artifacts, targets involved, and remediation recommendations.
Fast time to value
Unlike other security platforms in the market, SecureX helps customers get value quickly. Getting started is simple – if you have a CCO account, log in and add products to SecureX by providing API keys and adding on-prem devices (for Firewall and on-prem Email solutions). If you don’t have a CCO account, create a SecureX account on the homepage, then add products to SecureX by providing an API key and adding on-prem devices (for Firewall and on-prem Email solutions). You are ready to go in minutes vs. hours and days.
Learn More about SecureX
These are just some examples of what you’ll be able to do with the first release of SecureX. The platform will continue to evolve so your security can keep up with the speed of business, and your business can keep taking new leaps.

Be one of the first to experience how we’re redefining and simplifying security with our new platform: sign up for our SecureX Waitlist.

Or, join us to learn more about SecureX at the RSA Conference.

The post Introducing SecureX appeared first on Cisco Blogs.

Source:: Cisco Security Notice

The Future of Cisco Security: Protecting What’s Now and What’s Next

By Dr. Gee Rittenhouse
When we look at the world today, it has been revolutionized by the cloud, and it has disrupted the way business is done. Companies can now connect any user on any device to any network or application. But from a security perspective this has greatly expanded the attack surface. This represents an opportunity to fundamentally change the way we think about security. That is the journey that Cisco Security has been on.
Until now, security has largely been piecemeal with companies introducing new point products into their environments to address every new threat category that arises. As a result, security teams that are already stretched thin have found themselves managing massive security infrastructures and pivoting between dozens of products that don’t work together and generate thousands of often conflicting alerts. In the absence of automation and staff, half of all legitimate alerts are not remediated (Cisco’s 2020 CISO Benchmark Study). So, complexity becomes an overwhelming proposition that can hinder business and become a threat in and of itself.
Our vision is to enable the world to reach its full potential, securely. To accomplish this requires the radical simplification of security where it is a business enabler that creates a secure experience, so businesses can fully embrace the digital transformation.
For our part, we have invested more than $6 billion over five years to create the broadest security portfolio in the industry, spanning network, endpoint, cloud and applications. Our strategy has been to take this portfolio and integrate the backend with our market-leading threat intelligence from Cisco Talos to deliver a “see it once, enforce it everywhere” architecture. We achieve this by analyzing diverse datasets across the portfolio, which amounts to almost 50 billion Web requests, 200 billion DNS requests and two trillion email artifacts every day. With Cisco’s size and scale, we can provide the highest efficacy possible and block more threats.
But in order for security to be truly simple, customers need to be able to have a radically different experience on the frontend of the portfolio where they are doing their daily work and making critical decisions. So, over the last year we evolved from an integrated architecture to a security platform to give customers the industry’s best protection and a simple user experience. This first presented itself with Cisco Threat Response (CTR), which automates integrations across Cisco Security products to accelerate detection, investigation and remediation. With that product, 83 percent of customers surveyed said the time spent on investigations was reduced by 25 percent or more (Tech Validate Survey, October 2019).
Building on that success, we have continued to rethink what is possible. And today, we are excited to unveil Cisco SecureX, a cloud-native platform that completely changes the user experience. Connecting the breadth of our integrated security portfolio and customers’ security infrastructure, it provides a consistent experience that unifies visibility; enables automation; simplifies analytics; and strengthens security across network, endpoint, cloud and applications.
Cisco SecureX provides real business value by allowing customers to:
Confidently secure every business endeavor with the broadest, most integrated security platform that covers every threat vector and access point.
Unify visibility across their entire security portfolio with actionable insights across network, endpoint, cloud and applications to accelerate threat response and realize desired outcomes.
Automate critical security workflows by increasing the efficiency and precision of existing resources to advance security maturity and stay ahead of an ever-changing threat landscape.
Collaborate better than ever with shared context between SecOps, ITOps and NetOps to harmonize security policies and drive stronger outcomes across workflows.
Reduce complexity and maximize portfolio benefits by allowing them to try other components of the Cisco portfolio with click before you buy as well as connect to their existing security infrastructure via out-of-the-box interoperability.
Read Jeff Reed’s blog post for more insight into the industry-leading technology behind the platform and what you can expect from SecureX.

We are excited to bring this innovation to customers, but this is only the beginning. This framework is extensible, and we will continue to add functionality so that our customers can confidently secure every business endeavor with an open, integrated platform to meet the security needs of today and tomorrow.
SecureX will be generally available in June. Sign up to stay updated on the latest about SecureX, and visit us this week at the RSA Conference in San Francisco.

The post The Future of Cisco Security: Protecting What’s Now and What’s Next appeared first on Cisco Blogs.

Source:: Cisco Security Notice