Security of Online Meetings

Our partner Cisco offers online meetings at the highest security level. With the rise in home-office work and the travel restrictions, online meetings are currently being used more and more often, and as the press has recently reported, not all providers offer a high security level, or they do not handle user data with care.

Numerous articles in Spiegel and on heise, as well as reports on the Tagesschau, should have made users appropriately aware of this.

Cisco has published the following on the subject of security:

Webex Meetings offer the highest level of security in the industry and are based on a simple product development methodology: security as a design requirement, not as an afterthought. In light of recent events in the video conferencing industry, in which malicious actors disrupted users' meetings, we have carried out security reviews of our customers' site settings to prevent such unwanted outcomes.

Your meetings are already protected by passwords, which provide the greatest possible security for participants who join via the Webex app on their desktop and mobile devices.

Users who are signed in to their Webex account will continue to join their meetings as quickly as before, and external users will be prompted to enter the meeting password before they can join your meetings.

In addition, we are taking the following proactive measures to bring your meeting security to a new level (no action is required on your part):

Enforce locking of Personal Rooms after 10 minutes (coming 11 April 2020)
Your meetings in Personal Rooms will be locked automatically 10 minutes after the session begins. This prevents unwanted persons from joining your meetings. When participants try to join your locked meeting, the app notifies you that they are waiting for approval. You can decide whether to admit these participants to the meeting or let them wait in the lobby. This applies to all existing and future meetings that are to take place in your Personal Room.

Enforce meeting passwords when joining by phone or via video conferencing systems (available now)
Users who join your meetings via a phone or video conferencing system must enter a numeric password for the meeting before they are admitted. The numeric meeting password is given in the meeting invitation. This applies to newly scheduled meetings and to existing meetings if they are modified after this change.

The latest compilation of security best practices for Webex Meetings, with detailed instructions, can be found at the following locations:

We also encourage you to read the Cisco Webex Meetings Security Whitepaper. It contains a more detailed description of our industry-leading approach to product security.

If you would like to use Cisco Webex for your company as well, contact us:

Jörg Wegner
02261 9155052
wegner@oberberg.net

Dirk Zurawski
02261 9155051
zurawski@oberberg.net

Bastian Breidenbach
breidenbach@oberberg.net

Staying Productive in the Home Office

Staying productive in the home office. Or in the regular office. No matter where, with our FUJITSU leasing offer you get a fully equipped workstation including Microsoft Windows 10 Pro for only EUR 39.99 per month plus VAT.

Your advantages:

  • fixed, predictable costs per workstation
  • with the 24-inch display, a much larger working area than with any notebook
  • one push of a button on the monitor switches the whole system on and off
  • the sleek, small PC is screwed to the back of the monitor: no cable clutter on the desk
  • a tidy desk with wireless mouse and keyboard (with backlit keys)
  • initial configuration already included in the monthly rate (Windows 10 setup and patching, assembly of the components)
  • a fully equipped workstation that can continue to be used in the office after Corona

For your individual offer or your preferred configuration, simply talk to us:

Daniel Wenzlau
02261 9155054
wenzlau@oberberg.net
Frank Erlinghagen
02261 9155055
erlinghagen@oberberg.net
Jörg Wegner
02261 9155052
wegner@oberberg.net

PoetRAT Uses Covid-19 Lures To Attack Azerbaijan

By Talos Group

Cisco Talos has discovered a new malware campaign based on a previously unknown family we're calling "PoetRAT." At this time, we do not believe this attack is associated with an already known threat actor. Our research shows the malware was distributed using URLs that mimic some Azerbaijan government domains, so we believe the adversaries in this case want to target citizens of Azerbaijan, including private companies in the SCADA sector such as wind turbine systems. The droppers are Microsoft Word documents that deploy a Python-based remote access trojan (RAT). We named this malware PoetRAT due to its various references to William Shakespeare, the English poet and playwright. The RAT has all the standard features of this kind of malware, giving the operators full control of the compromised system. For exfiltration, it uses FTP, which indicates an intention to transfer large amounts of data.
The campaign shows us that the operators manually pushed additional tools to the compromised systems when they needed them. We will describe a couple of these tools. The most interesting is a tool used to monitor the hard disk and exfiltrate data automatically. Besides these, there are keyloggers, browser-focused password stealers, camera control applications, and other generic password stealers.
In addition to the malware campaigns, the attacker ran a phishing campaign on the same infrastructure. The phishing website mimics the Azerbaijan government's webmail infrastructure.
The post PoetRAT Uses Covid-19 Lures To Attack Azerbaijan appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Cisco Webex Tips for Users

Oberberg-Online has used the proven Cisco Webex platform for many years to stay in touch with employees in the home office or in the field. More than 130 million users a month rely on Cisco Webex for meetings, training sessions and collaboration across site and company boundaries in a straightforward, secure and reliable way.

Webex Meetings offers integrated audio and video functions as well as content sharing, with particularly secure Webex Meetings via the Cisco Webex Cloud: fully encrypted and, thanks to data centres near you as well, in outstanding quality.

Features and benefits of Cisco Webex solutions:

  • Easy access from all devices
  • Award-winning and reliable video technology
  • Smarter meetings
  • Meetings in the work environment
  • Industry-leading security

To make getting started with Cisco Webex even simpler, we have provided some quick guides to the basic usage scenarios of Webex Meetings here:

Remote Work Quick Guide for Participants

Remote Work Quick Guide for Hosts

Remote Work Quick Guide: Features for Teaching

As an authorised Cisco SaaS partner, Oberberg-Online can provide you with all the licences you need so that you too can benefit from Cisco Webex.

Security Stories Episode 3: Protecting Democracy, and Learning How to Spot Online Manipulation Tactics with Theresa Payt …

By Hazel Burton

With the job that I have, I'm incredibly lucky in that I get to meet some truly fascinating people. Most recently, I got to meet someone who I know is going to have a lasting impact on me for many years to come.

That person is Theresa Payton, whom I interviewed for the latest episode of the Cisco Security Stories podcast. Theresa was named one of the top 25 Most Influential People in Security by Security Magazine, and she is one of the most respected authorities on security and intelligence operations. Her story is a fascinating one, and it's one that she tells very humbly, and with many measurable insights and reflections.

Theresa was the first female CIO of The White House, taking up the post in George W. Bush's second term (although when she was first offered the role, she thought it might be a social engineering attempt!). As a preview, here's Theresa telling Cybercrime Magazine what the role meant to her:

Theresa also starred in CBS's 'Hunted' TV series, which gives ordinary citizens the chance to try and evade police capture. She ran the intelligence operations side – organising and collecting data in a way that would be most helpful and informative to the field team.

What really came across very strongly during our chat was the fact that Theresa is very passionate about protecting people's right to online privacy. She has co-authored two books which are focused on helping others learn how to protect their privacy online. Her third book is called 'Manipulated: Inside the cyberwar to hijack elections and distort the truth', which is coming out on 22nd April, and we talk in quite a bit of detail about the topic of hijacking elections and what people can do to protect their voting rights.

Theresa also helped to set up the LinkedIn group 'Help a sister up', a rallying point and initiative for both men and women to promote and support women in cybersecurity.

Also in this episode of Security Stories, Ben and I chat about 'credential dumping', which is the topic of Ben's latest threat of the month blog. Credential dumping is an increasingly popular technique whereby an attacker scours a compromised computer for credentials in order to move laterally and/or carry out further attacks.

And finally, our 'On this Day' feature takes us back to 1993, and the announcement of the 'Clipper chip', which was designed to enhance the security of communications devices. It's a really interesting story that addresses people's right to privacy and the balance with surveillance, so stay tuned for that.

You can listen and subscribe to the Security Stories podcast on Apple Podcasts, Spotify, Google Podcasts, Stitcher, or wherever you get your podcasts.

The post Security Stories Episode 3: Protecting Democracy, and Learning How to Spot Online Manipulation Tactics with Theresa Payt … appeared first on Cisco Blogs.

Source:: Cisco Security Notice

How to Monitor VPN Split Tunneling and Remote Endpoints with Existing Infrastructure

By Scott Pope

Using AnyConnect for VPN? Got Splunk? If so, you have what you need to secure, monitor and gain detailed endpoint visibility to:

  • Implement VPN split tunneling to alleviate VPN capacity constraints without sacrificing security
  • Monitor and further optimize the traffic you put over your existing split tunnel deployment
  • Analyze the security behavior of remote endpoints, users and VPN "top talkers". This is particularly useful for remote work endpoints that were rapidly deployed with less stringent than normal security compliance testing.

AnyConnect and Splunk are the infrastructure for Cisco Endpoint Security Analytics (CESA), which provides the monitoring and security analytics to address the scenarios above. With many IT orgs resistant to deploying any new infrastructure, CESA allows IT to use what they already have deployed to gain the VPN, zero-trust and remote work endpoint visibility they seek.
Let's take a closer look at each of these scenarios.
————————————————————————————————————
Need increased remote work & VPN monitoring? Use CESA Splunk free for 90 days for licenses initiated before July 1. Contact your Cisco account team or channel partner for details.
————————————————————————————————————
Scenario 1: Want to deploy split tunneling, but lack detailed traffic visibility to implement it
Many networks would benefit from offloading as much remote worker traffic off their VPN infrastructure as possible. VPN throughput, and the network performance it enables for users, is at a premium. As such, offloading specific types of traffic like Office365, WebEx and other SaaS applications to a VPN “split tunnel” that directs traffic directly to its destination (instead of bringing it through the VPN concentrator) makes a lot of sense. But with split tunneling comes a lack of visibility into traffic traversing it, since that traffic is no longer coming back to the security stack at the “headquarters”. Furthermore, networks may need to offload more traffic than the obvious SaaS services to maintain acceptable end-user performance. But deciding what is “safe” to move to a split-tunnel is a challenge without detailed visibility into what types of traffic the VPN endpoints are generating. This is where CESA comes in.
CESA collects highly detailed traffic telemetry from AnyConnect VPN clients. This flow data provides detailed insight into the applications generating/receiving traffic on the endpoint, as well as who the user is, the domains they are communicating with (whether the user knows it or not) and all sources/destinations. CESA can then see which of all that traffic (down to user/device/application/software-process/domain/port/source/destination level) is going over the VPN tunnel. With this visibility, IT orgs can identify what traffic is "safe" to put into a split VPN tunnel to optimize VPN throughput capacity. Furthermore, AnyConnect enables "Dynamic Split Tunneling", which makes it easy to direct split tunnel traffic by domain name (e.g. put all "*webex*.cisco.com" into the split tunnel). Dynamic Split Tunneling analytics is also supported in CESA.
Scenario 2: Already have split tunneling, but need better security monitoring & traffic optimization
For networks that have already implemented split tunneling, many are looking to: a) make sure there isn’t sensitive traffic in the split tunnel that shouldn’t be; b) see what other traffic they can safely offload into the split tunnel.
Similar to the initial split tunneling deployment scenario outlined above, CESA provides the VPN traffic insight needed to keep tabs on what traffic is going over the split tunnel and also to identify the traffic that should be moved back into the corporate tunnel. And the reverse is also true: CESA can monitor the corporate tunnel to identify traffic that could be safely moved to the split tunnel. Furthermore, CESA tracks the volume of traffic by application, protocol, port, software process, domain, source/destination, etc. This enables IT orgs to identify high-volume applications and data sources and move them to the split tunnel first, making the largest impact on VPN performance with the least amount of effort and configuration.

Scenario 3: Need more security monitoring for all these new remote users
In emergency situations, IT orgs are often put in the position of rolling out a high volume of remote workers in a very short time. Depending on the situation, the normal security validation for these users might be skipped to expedite getting the business running again. This might mean the user endpoints aren't on standard IT builds, or that they don't have the usual endpoint security used for remote workers. Whatever the situation, rapidly deployed remote working often entails less than perfect remote user/endpoint security and visibility.
Given that the foundation of CESA is the telemetry it gets from AnyConnect, it is a natural solution for enhancing remote endpoint security. CESA picks up endpoint security where endpoint protection platforms (EPP) and endpoint detection and remediation (EDR) solutions end. EPP/EDR solutions focus on malware by detecting known bad file hashes and then removing them from endpoints. CESA takes the next step by focusing on behavior-based threats like malicious insiders and malware droppers, and on activity not detectable via file hash detection. And CESA can be configured to monitor endpoints both when they are off the network and when they are on it, giving complete visibility into all endpoint activity. If you are concerned about user privacy, you can set the AnyConnect telemetry collection parameters to only collect flow data when the VPN is active.
In a hastily deployed remote work environment, it can be difficult to be sure all the endpoint security "i's" got dotted and "t's" got crossed. CESA helps with that by looking for "all the weird stuff" that is only detectable via endpoint and user behavioral analytics. And when your employees come back to the office, you will have these same monitoring capabilities, such as detecting when users are on the corporate Wi-Fi and are diverting data through a non-corporate network interface like a Wi-Fi dongle.
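The kind of split-tunnel analysis the three scenarios above describe, worked through as an added example over constructed AnyConnect-NVM-style flow records. This is not Cisco's CESA or NVM code: the record fields, the domain patterns and all sample values are assumptions made for the illustration.

```python
from collections import defaultdict
from fnmatch import fnmatchcase

# Constructed sample telemetry, loosely modelled on the per-user / per-process /
# per-domain detail the text attributes to NVM.  "path" records whether the
# flow went through the corporate VPN tunnel or the split tunnel; "location"
# and "iface" are assumed fields for the Wi-Fi-dongle case in Scenario 3.
FLOWS = [
    {"user": "alice", "device": "LT-0142", "process": "outlook.exe",
     "domain": "outlook.office365.com", "dport": 443, "bytes": 58_000_000,
     "path": "vpn", "location": "home", "iface": "wlan0"},
    {"user": "alice", "device": "LT-0142", "process": "webexmta.exe",
     "domain": "web1.webex.cisco.com", "dport": 443, "bytes": 320_000_000,
     "path": "split", "location": "home", "iface": "wlan0"},
    {"user": "bob", "device": "LT-0207", "process": "chrome.exe",
     "domain": "hr.corp.example", "dport": 443, "bytes": 4_000_000,
     "path": "split", "location": "home", "iface": "wlan0"},
    {"user": "bob", "device": "LT-0207", "process": "teams.exe",
     "domain": "teams.microsoft.com", "dport": 443, "bytes": 210_000_000,
     "path": "vpn", "location": "home", "iface": "wlan0"},
    {"user": "carol", "device": "LT-0311", "process": "svchost.exe",
     "domain": "fileshare.corp.example", "dport": 445, "bytes": 900_000_000,
     "path": "vpn", "location": "home", "iface": "wlan0"},
    {"user": "dave", "device": "LT-0420", "process": "chrome.exe",
     "domain": "personal-cloud.example", "dport": 443, "bytes": 75_000_000,
     "path": "split", "location": "corp-wifi", "iface": "usb-dongle0"},
]

# Domain wildcards in the style of the "*webex*.cisco.com" dynamic split-tunnel
# rule quoted in the text.  Both lists are assumed policy, not product defaults.
SAFE_SAAS = ["*webex*.cisco.com", "*.office365.com", "teams.microsoft.com"]
SENSITIVE = ["*.corp.example"]          # must stay inside the corporate tunnel
CORPORATE_IFACES = ("wlan0", "eth0")    # interfaces IT manages (assumption)


def matches(domain, patterns):
    """Case-insensitive wildcard match of a domain against a pattern list."""
    d = domain.lower()
    return any(fnmatchcase(d, p.lower()) for p in patterns)


def volume_by(flows, key):
    """Total bytes per distinct value of `key` (process, domain, user, ...),
    largest first, so the biggest VPN consumers are visible at a glance."""
    totals = defaultdict(int)
    for f in flows:
        totals[f[key]] += f["bytes"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


def sensitive_in_split(flows, sensitive=SENSITIVE):
    """Scenario 2a: traffic in the split tunnel that should be moved back."""
    return [f for f in flows
            if f["path"] == "split" and matches(f["domain"], sensitive)]


def offload_candidates(flows, safe=SAFE_SAAS, sensitive=SENSITIVE):
    """Scenarios 1 and 2b: VPN-tunnel domains matching the safe-SaaS patterns,
    ranked by volume so the largest win can be moved to the split tunnel first."""
    cand = [f for f in flows if f["path"] == "vpn"
            and matches(f["domain"], safe)
            and not matches(f["domain"], sensitive)]
    return volume_by(cand, "domain")


def interface_anomalies(flows, corporate_ifaces=CORPORATE_IFACES):
    """Scenario 3 (back-in-the-office case): device is on corporate Wi-Fi but
    the flow left through an interface IT does not manage, e.g. a dongle."""
    return [f for f in flows
            if f["location"] == "corp-wifi" and f["iface"] not in corporate_ifaces]


def report(flows):
    """One dashboard-style summary covering all three scenarios."""
    return {
        "top_processes": volume_by(flows, "process")[:3],
        "sensitive_in_split": [(f["user"], f["domain"])
                               for f in sensitive_in_split(flows)],
        "offload_candidates": offload_candidates(flows),
        "interface_anomalies": [(f["user"], f["device"], f["iface"])
                                for f in interface_anomalies(flows)],
    }


if __name__ == "__main__":
    for section, rows in report(FLOWS).items():
        print(section)
        for row in rows:
            print("   ", row)
```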

Next Steps
As mentioned, if you already have Splunk Enterprise and AnyConnect deployed, CESA is essentially just a feature license that enables you to bring AnyConnect telemetry into Splunk cost-effectively and with a predictable fixed budget. CESA is priced per endpoint, so unlike a typical Splunk license, you don't need to figure out how much data you're bringing into Splunk; you just need to know the number of AnyConnect endpoints you want to monitor. And until July 1, 2020, CESA trial licenses are offered for 90 days free of charge to help IT orgs with any surges of remote working they may be encountering. Contact your Cisco account team or channel partner for more details.
Deploying CESA for existing AnyConnect and Splunk customers involves three steps:
  1. Configure AnyConnect clients to generate Network Visibility Module (NVM) telemetry. This is just a configuration parameter for AnyConnect 4.2 and later and does not require "touching" the endpoint or deploying any new software of any sort.
  2. Configure Splunk to receive and analyze AnyConnect NVM telemetry. To do this, install the AnyConnect NVM Splunk App for CESA and the AnyConnect NVM Technical Add-On for Splunk.
  3. Check your Splunk storage capacity. Each AnyConnect client generates 6-10 MB of telemetry per day, or less depending on which NVM fields are enabled or filtered out.
What if I don't have AnyConnect or Splunk already?
You can still deploy CESA for these scenarios, but you'll need to install Splunk Enterprise on a server or as a hosted VM. All necessary Splunk Enterprise software comes with the CESA license. Or, if you are not using AnyConnect for VPN and still want to monitor endpoints on other VPN solutions, a standalone Cisco NVM module that generates all the telemetry discussed above can be installed on endpoints.
View a CiscoTV event with live Q&A explaining use-cases and capabilities of CESA. Register or view here.

The post How to Monitor VPN Split Tunneling and Remote Endpoints with Existing Infrastructure appeared first on Cisco Blogs.

Source:: Cisco Security Notice

The Firewall: The foundation for a robust Security Platform

By Brian Remmel

After many years of a strong preference for 'best of breed' security tools, the tides are turning. There's growing fatigue with the operational downsides – managing countless alerts and manually correlating threats, for example – inherent in this approach. Security products today need to include out-of-box integrations, interoperate with third-party solutions, share threat and contextual information, leverage automation, and above all else, simplify operations. This trend has a name: the security platform.
Products like firewalls have historically been evaluated primarily on their merits as a standalone solution. This was logical since the firewall had always been viewed as a fundamental component of any organization’s security posture. This was also largely reinforced by vendors and industry analysts alike who would widely publish specific categories of firewall feature sets, deployment guides and performance characteristics. But as networks became more interconnected and threats grew more sophisticated and stealthier, the role of the firewall as a “standalone” and isolated solution became increasingly challenged.
As any security engineer will tell you, the answers to difficult questions like “are we vulnerable to this new threat?” or “what is the extent of this compromise?” are rarely found in a single tool. It takes an integrated and coordinated approach to really understand the scope of today’s cyber-threats. To that effect, how should you evaluate a point product like the firewall in the new world of the security platform? It starts with viewing the firewall as the foundation of a robust security platform.
The Future of Firewall
The firewall has long been the star player of any organization’s security stack. But as trends like cloud and mobility have taken off, it has greatly increased the size of the attack surface of our infrastructure and made the job of protecting our networks, data, users, and applications more complicated. What was once a single network perimeter has evolved into multiple micro-perimeters, and traditional firewalls are being augmented by a mixture of physical and virtual appliances and services.
The importance of the firewall hasn't diminished – in fact, it's more relevant than ever – but it's time to think about it differently. We must look beyond form factors like physical or virtual appliances to think about 'firewalling' as functionality. Firewalling is now about delivering world-class security controls – the key elements for preventing, detecting, and stopping attacks faster and more accurately – with common policy and threat visibility delivered where you need it: in the data center, in the cloud, at the branch office.
The firewall has added many advanced capabilities and integrations over the years, but at a certain point, you need something more. You need a single view across your entire security estate. A single point of multivendor integration. And a single place to conduct workflows and track key operational metrics. That’s where the security platform comes in.
The Rise of the Security Platform
The security industry has done a wonderful job of introducing exciting and new product categories. One estimate pegs the number of cybersecurity product categories at 70. As more categories are introduced, the level of noise and complexity rises. And this complexity can be clearly seen mirrored inside any organization's security stack.
Businesses are struggling to operationalize disparate security solutions to maintain consistent policies and uniform threat visibility. According to our CISO Benchmark Study, only 35% of respondents said it was easy to investigate the scope of a compromise, contain it, and remediate it. In response to this challenge, a new product category has begun to take root: the security platform. Sometimes called XDR, the security platform is the central point of integration for a multitude of products. And it’s a welcome solution for the complexity problem that has overwhelmed us.
Some firewall vendors claim to already have a security platform. As Gartner described in the 2019 Magic Quadrant for Network Firewalls, “With firewall providers embedding multiple security features in firewalls and enabling integration and automation capabilities with other security products, firewalls are evolving into network security platforms.” While we applaud these efforts, no other vendor has the breadth of security portfolio and level of integration to deliver a security platform experience like Cisco.
Recently announced at RSA Conference, Cisco SecureX connects the breadth of Cisco's integrated security portfolio – including market-leading firewall – and the customer's infrastructure for a consistent experience that unifies visibility, enables automation, and strengthens your security across network, endpoints, cloud, and applications. By connecting technology in an integrated platform, SecureX delivers measurable insights, desirable outcomes, and unparalleled cross-team collaboration.
Investing in a firewall should do more than just meet your needs for today. Ensure that your firewall helps you confidently secure your business as part of an open, integrated platform that will scale to support your organization’s growth and innovation well into the future.

Let’s explore some of the defining characteristics of a security platform – specifically, Cisco SecureX – and discuss what they mean in the context of the firewall.
Visibility
Visibility has long been touted as a critical need on which to base security: users, endpoints, applications and so on, because, as the old adage goes, "if you can't see it, you can't secure it." Cisco NGFW offers robust visibility into the users, hosts, applications, mobile devices, virtual environments, threats, and vulnerabilities that exist in your constantly changing network.
Our SecureX platform takes visibility to a whole new level. It expands the aperture and shows your entire security environment in a single view. There’s no time wasted pivoting from one dashboard to the next; alerts are aggregated and prioritized so that you know where to direct your attention first.
SecureX provides unified visibility across all parts of your security portfolio – Cisco or third-party solutions – delivering metrics, an activity feed, and the latest threat intelligence. Crucially, SecureX can deliver key operational metrics to help track the success of your security program: Mean Time to Detection, Mean Time to Remediation, and Incident burndown times. These metrics are derived from full case management capabilities native to the SecureX platform.
Integration
Most firewalls today offer numerous integrations with other point products – for example, endpoint protection, sandboxing, or DNS security solutions. Organizations have done their best to integrate a functioning security infrastructure, but incompatible interfaces, steep learning curves, and siloed communication limit interoperability. Making these systems work together is a constant struggle that requires hard-to-find expertise. It’s no wonder that 91% of security leaders think integrating solutions is a significant challenge.
SecureX reduces complexity by integrating products with out-of-the-box interoperability. It connects the breadth of Cisco's integrated security portfolio and the rest of your infrastructure for a consistent experience across network, endpoint, cloud, and applications. By connecting technology in an integrated platform, SecureX delivers measurable insights, desirable outcomes, and unparalleled cross-team collaboration.
Automation
Automation has enormous potential to help organizations to save time and bridge the talent gap. It’s already used with great success today in products like Cisco NGFW. For example, Firepower Management Center automatically correlates security events with the vulnerabilities in your environment so that your team can see which events they need to prioritize. It also automatically recommends security policies to put in place.
A security platform is the perfect place to enable truly powerful automation and orchestration. SecureX will deliver pre-built playbooks focused on common use cases, and customers can easily build their own using an intuitive, drag-and-drop interface.
For example, the SecureX incident workflow uses cross-product automation to gather information relevant to the incident from across technologies and teams into one place. High-fidelity events detected by your firewall or network analytics engine are promoted to Incidents in the Threat Response component of SecureX. From there, the SecureX automated Incident playbook will:

  • Run an investigation on the information provided in the Incident record against all your SecureX-capable technologies
  • Save a snapshot of the investigation results
  • Assign all related observables to a casebook
  • Alert the security team

To deliver this capability, the playbook pre-processes the incident to extract observables, determines the verdict for each observable, hunts for the targets involved and enables you to take mitigation and/or preventative actions such as isolating the targets and blocking domains, IPs, and files.
Sign up for SecureX
These are just some examples of what you’ll be able to do with the first iteration of SecureX. The platform will continue to evolve so your security can keep up with the speed of business, and your business can keep taking new leaps.

SecureX will be generally available in June. To stay updated on the latest about SecureX, sign up.

The post The Firewall: The foundation for a robust Security Platform appeared first on Cisco Blogs.

Source:: Cisco Security Notice

5 Questions to Ask Your Security Platform Vendor

By Sana Yousuf

CISOs are always on the hunt for innovative solutions to solve their most pressing problems. They have been forced to choose their own adventure from an industry that's rife with incompatibility, running their operations across dozens of tools and a plethora of consoles that don't talk to each other. And this, combined with scores of unapplied policy updates, inevitably leaves vulnerabilities in different point solutions across the security ecosystem. The reality is that most organizations already have an abundance of point products designed to address specific challenges, but most of these products can't be easily integrated to fulfill a larger and more effective security strategy.
Choose your Adventure
"There are choices to be made, challenges to overcome, dangers to encounter and, as always in life, consequences to be had. Choosing wisely could lead to triumph while taking the wrong path could end in disaster – but who's to say what's 'right' and 'wrong', anyway?" says Netflix of its first interactive television film, Bandersnatch. The interactive film offers viewers various points of choice, which can drastically change the outcome of the story. The parallel between a CISO looking at his next technology adventure and you as a viewer making those choices on behalf of the main protagonist is uncanny. These choices have the power to alter your endgame. Or as Netflix puts it: "Fret not because once one experience comes to a close, you can – and should! – go back and make a new choice, alter the path of your story and maybe even change its outcome". This reminds me of the 'Choose your own adventure' books that we read in our childhood. Much like these books, wouldn't it be great if every CISO could retrace their decisions back to an outcome, not just technology but also people and processes, and find a totally different way to make them work. Together.
ESG's 2020 Integrated Platform report indicated that 30% of organizations use more than 50 different security products, while 60% use more than 25. Every technology decision impacts your overall security program and creates more dependencies and vulnerabilities when these vendors' products are not integrated. Clearly, choosing your own adventure is not going to work. Security platforms are evolving in response to customers' need to consolidate their vendor landscape and simplify security.
The following are important questions to ask when you’re evaluating your options.
1. How is your platform different from a SIEM or SOAR?
Many vendors are calling their native SIEMs or SOARs “platforms” because they know the need for integration is so huge. The main purpose of SIEMs and SOARs is to cut down on the number of alerts, so response is more efficient. While they can automate incident investigation and response workflows, they don’t enable you to take holistic, coordinated actions across your environment. Even next-gen SIEMs and SOARs remain complex and tough to integrate. Without native connectivity between the backend control points and frontend workflows, you must divert limited staff resources to labor-intensive integration work. Platforms enable you to effectively integrate a portfolio of best-of-breed security products into your SIEM or SOAR tool to strengthen threat detection and research analysis for your SOC. Consider a vendor that offers a more sustainable platform approach that:
Provides a full lifecycle dashboard — unifying visibility and control across all your security solutions from one central location.
Streamlines workflows — enabling automated responses and coordinated actions to investigate and respond to threats more efficiently.
Unifies workflows — enabling NetOps and ITOps to serve as an extension of SecOps, improving each team’s productivity.
2. To which control points does your platform natively connect?
Your security solutions should work as a team, delivering consistent visibility and control across your entire environment. A platform should provide coverage for all major threat vectors and natively connect controls across the network, endpoints, cloud, and applications, giving you one unified view. This unified view enables teams to respond to threats from multiple angles and understand the full lifecycle of alerts, regardless of where they originate. It should enable you to choose what works for your business from a broad and open ecosystem. The fact is, two products do not make a platform. An open, standards-based exchange platform lets you harness your existing investments and integrate third-party products seamlessly.
3. How many of my existing security components can connect to your platform?
There are incremental advantages to using multiple solutions from a portfolio-based platform vendor; however, wall-to-wall coverage isn’t a realistic goal or expectation. You need to be able to leverage your current investments and easily integrate new solutions in the future.
Ask your vendor how they prioritize working with third-party technologies; do they use partnerships, out-of-the-box integrations, standards-based information exchange, or open APIs?
Their platform should be:
SIEM/SOAR-agnostic — so you can connect the platform to any SIEM or SOAR one time to send fewer, higher-fidelity alerts from multiple control points.
Cloud-agnostic — so you can keep network security policies consistent, whether you’re using AWS, Azure, Google Cloud Platform, or on-prem control points.
Infrastructure-agnostic — so you can connect your existing best-of-breed solutions to the platform.
4. How will your platform increase my efficiency?
When your teams get buried under repetitive, manual tasks, efficiency goes down and the probability of errors goes up. A platform should deliver built-in automation and analytics that aid in policy and device management, detecting unknown threats, and coordinating response and policy change.
Find out if the platform can apply analytics to identify behavior anomalies across on-prem and cloud network traffic — even in encrypted flows. It should be able to do this while enforcing policies and automatically adapting network and application access for compromised endpoints. At the same time, your automation should be nuanced enough to not get in the way of productivity — while a compromised endpoint should automatically have its access blocked, the individual user should still have access on a healthy device.
5. How will I know your platform is improving my security?
The right platform won’t just help you improve your security across users, applications, and devices – it will help you measure and prove success. Does the vendor provide a unified, easy-to-consume dashboard with insights into how well your security program is mitigating risks?
Ask the vendor how easily the platform can create reports or show live views that measure how your security maturity is changing. If one of your objectives is to achieve a continuous improvement cycle, the platform should also provide metrics that map policy changes to the meaningfulness of alerts.

Read Jon Oltsik’s take on why you should consider a more integrated cybersecurity approach.

The Cisco SecureX Answer
At Cisco, we are answering these questions with SecureX, an open, integrated platform approach that simplifies our customers’ experience, enables automation, helps them accelerate their business, and protects their future. It connects the breadth of Cisco’s integrated security portfolio and your infrastructure to deliver measurable insights, desirable outcomes, and unparalleled cross-team collaboration.
You can stay updated by signing up for the SecureX waitlist, and explore Cisco SecureX to make an informed decision that drives your business forward.
The post 5 Questions to Ask Your Security Platform Vendor appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Threat Roundup for April 3 to April 10

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Apr 3 and Apr 10. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
20200410-tru.json – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
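The roundup makes two points a hunter should act on: IOC matching is only one input, and a single indicator hit does not by itself indicate compromise. The following Python script is an added illustration of that triage rule and is not Talos code. The indicator file it parses is constructed for the example; its layout (one cluster per object with hash, domain and IP lists) is an assumption and is not the layout of 20200410-tru.json. The telemetry records and their field names (sha256, dns, dst_ip) are likewise constructed.

```python
"""Hunt constructed telemetry against a constructed IOC list and triage hits.

Added illustration; the indicator file below is made up for this example and
is NOT the contents of Talos' 20200410-tru.json, whose layout the page does
not describe. The telemetry records are likewise constructed.
"""
import json
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed indicator list. Assumed layout: one cluster per object, each with
# lists of hashes, domains and IPs. Hashes are placeholder SHA-256 hex strings.
IOC_JSON = """
{
  "clusters": [
    {"name": "Sample-Cluster-A",
     "hashes": ["1111111111111111111111111111111111111111111111111111111111111111"],
     "domains": ["update-check.example"],
     "ips": ["203.0.113.5"]},
    {"name": "Sample-Cluster-B",
     "hashes": ["2222222222222222222222222222222222222222222222222222222222222222"],
     "domains": ["cdn-stats.example"],
     "ips": []}
  ]
}
"""

# Constructed telemetry: (host, field, value). The field names are assumptions.
TELEMETRY: List[Tuple[str, str, str]] = [
    ("ws01", "sha256", "1111111111111111111111111111111111111111111111111111111111111111"),
    ("ws01", "dns",    "update-check.example"),
    ("ws02", "dns",    "cdn-stats.example"),      # one IOC only
    ("ws03", "dst_ip", "198.51.100.9"),           # no IOC at all
    ("ws04", "sha256", "2222222222222222222222222222222222222222222222222222222222222222"),
    ("ws04", "dns",    "update-check.example"),   # two hits, but from different clusters
]

FIELD_TO_KIND = {"sha256": "hash", "dns": "domain", "dst_ip": "ip"}


def _normalise(kind: str, value: str) -> str:
    """Case-fold hashes and domains; strip a trailing dot from FQDNs."""
    value = value.lower()
    return value.rstrip(".") if kind == "domain" else value


def load_iocs(text: str) -> Dict[Tuple[str, str], str]:
    """Index the IOC file as (kind, normalised value) -> cluster name."""
    index: Dict[Tuple[str, str], str] = {}
    for cluster in json.loads(text)["clusters"]:
        for kind, field in (("hash", "hashes"), ("domain", "domains"), ("ip", "ips")):
            for value in cluster.get(field, []):
                index[(kind, _normalise(kind, value))] = cluster["name"]
    return index


def hunt(events, iocs) -> Dict[str, Dict[str, set]]:
    """Per host, per cluster: the set of distinct IOC kinds that matched."""
    hits: Dict[str, Dict[str, set]] = defaultdict(lambda: defaultdict(set))
    for host, field, value in events:
        kind = FIELD_TO_KIND.get(field)
        if kind is None:
            continue
        cluster = iocs.get((kind, _normalise(kind, value)))
        if cluster:
            hits[host][cluster].add(kind)
    return hits


def triage(hits) -> Dict[str, str]:
    """One indicator -> 'review'. Two independent kinds (e.g. a file hash and a
    domain) from the SAME cluster on one host -> 'escalate'. Hosts with no
    hits are left out: a single IOC is a lead, not a verdict."""
    verdicts: Dict[str, str] = {}
    for host, clusters in hits.items():
        corroborated = any(len(kinds) >= 2 for kinds in clusters.values())
        verdicts[host] = "escalate" if corroborated else "review"
    return verdicts


def run(events=TELEMETRY, ioc_text=IOC_JSON) -> Dict[str, str]:
    """End-to-end: parse IOCs, match telemetry, triage."""
    return triage(hunt(events, load_iocs(ioc_text)))


if __name__ == "__main__":
    for host, verdict in sorted(run().items()):
        print(host, verdict)
```

Here ws01 is escalated because a hash and a domain from the same cluster were seen on it; ws02 and ws04 each get a "review" only, ws04 deliberately so, because its two hits belong to different clusters and do not corroborate each other; ws03 produces nothing. Replace the constructed data with the real JSON and your EDR/DNS exports, keeping the normalisation step, and treat the thresholds as a starting point for your own hunting playbook.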
The post Threat Roundup for April 3 to April 10 appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Promising Results for Post-Quantum Certificates in TLS 1.3

By Panos Kampanakis
The Challenge
Quantum computers could threaten the security of TLS key exchange and authentication. To assess the performance of post-quantum certificates in TLS 1.3, we evaluated the NIST Round 2 signature algorithms and concluded that two of them offer acceptable speeds. We also analyzed other implications of post-quantum certificates in TLS. More details at https://ia.cr/2020/071.
We all know by now that the potential development of large-scale quantum computers has raised concerns among IT and security research professionals due to their ability to break public key cryptography. All currently used public key algorithms would be deemed insecure in a post-quantum (PQ) setting. In response, the National Institute of Standards and Technology (NIST) has initiated a process to standardize quantum-resistant crypto algorithms, focusing primarily on their security guarantees.
The Tests
The industry has been evaluating some of these algorithms for use in encryption protocols like TLS and IKEv2/IPsec. Cloudflare, Google, and AWS have been looking into PQ TLS key exchange. At Cisco, we focused on PQ authentication/certificates in TLS 1.3. We briefly discussed some of our early results in a recent blog post and detailed them in our paper presented at ETSI/IQC Quantum Safe Cryptography Workshop 2019.
A couple of months ago, we presented all of our results in our paper at NDSS 2020 in San Diego. The paper gives a detailed performance evaluation of the NIST signature algorithm candidates and investigates the latency they impose on TLS 1.3 connection establishment under realistic network conditions; to measure that, we deployed servers around the world. We showed that at least two candidate PQ signature algorithms perform similarly to RSA/ECDSA certificates, as shown in the figure below.

We also investigated PQ signature impact on TLS session throughput and analyzed the trade-off between lengthy PQ signatures and computationally heavy PQ cryptographic operations.
The Results
Our results demonstrated that the adoption of at least two PQ signature algorithms would be viable with little additional overhead over current signature algorithms. Also, we argued that many NIST PQ candidates could effectively be used for less time-sensitive applications, and discussed in depth the integration of PQ authentication in encrypted tunneling protocols. Finally, we evaluated and proposed the combination of different PQ signature algorithms across the same certificate chain in TLS. The results showed a reduction of the TLS handshake time and a significant increase of a server’s TLS tunnel connection rate over using a single PQ signature scheme.
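The trade-off described above (long PQ signatures versus expensive PQ operations, and mixing schemes across one chain) can be made concrete with a small model. The following Python script is an added illustration, not code or measurements from the paper. The public-key and signature sizes are nominal values from the NIST Round 2 submissions, rounded and with DER encoding overhead ignored, and should be treated as assumptions; so should the 300 bytes of non-key content assumed per certificate, the assumption that the root certificate is not transmitted (the client already holds it, although the root's scheme still fixes the size of the signature on the intermediate), the 1460-byte MSS and the 10-segment initial congestion window used by the simplified TCP slow-start model.

```python
"""Wire-size model for a TLS 1.3 certificate chain with PQ signatures.

Added illustration. Sizes are nominal, approximate values from the NIST
Round 2 submissions (DER overhead ignored), and the TCP slow-start model is a
simplification; none of the numbers below are measurements from the paper.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SigScheme:
    name: str
    pk_bytes: int   # public key as carried in a certificate
    sig_bytes: int  # one signature produced with this scheme


# Assumption: nominal sizes, not measured values.
SCHEMES: Dict[str, SigScheme] = {
    "ECDSA-P256":    SigScheme("ECDSA-P256", 64, 64),
    "RSA-2048":      SigScheme("RSA-2048", 256, 256),
    "Falcon-512":    SigScheme("Falcon-512", 897, 690),
    "Dilithium2":    SigScheme("Dilithium2", 1184, 2044),
    "SPHINCS+-128s": SigScheme("SPHINCS+-128s", 32, 8080),
}

CERT_OVERHEAD_BYTES = 300   # assumption: names, validity, extensions, DER framing per cert
MSS = 1460                  # assumption: TCP payload per segment on Ethernet
INITCWND_SEGMENTS = 10      # RFC 6928 initial congestion window


def chain_wire_bytes(leaf: str, ica: str, root: str) -> int:
    """Authentication bytes in the server's first flight for leaf <- ica <- root.

    The root certificate itself is assumed not to be sent, but the root's
    scheme determines the size of the signature on the intermediate.
    """
    l, i, r = SCHEMES[leaf], SCHEMES[ica], SCHEMES[root]
    leaf_cert = l.pk_bytes + i.sig_bytes + CERT_OVERHEAD_BYTES  # signed once by the ICA
    ica_cert = i.pk_bytes + r.sig_bytes + CERT_OVERHEAD_BYTES   # signed once by the root
    certificate_verify = l.sig_bytes                            # fresh on every handshake
    return leaf_cert + ica_cert + certificate_verify


def flight_rtts(nbytes: int, mss: int = MSS, initcwnd: int = INITCWND_SEGMENTS) -> int:
    """Round trips needed to deliver nbytes under TCP slow start.

    After k round trips the sender has been allowed initcwnd * (2**k - 1)
    segments in total, so a flight larger than the initial window costs at
    least one extra RTT before the client can finish the handshake.
    """
    k = 1
    while initcwnd * (2 ** k - 1) * mss < nbytes:
        k += 1
    return k


def compare_chains(chains: List[Tuple[str, str, str]]) -> List[dict]:
    """Summarise several (leaf, ica, root) scheme choices side by side."""
    rows = []
    for leaf, ica, root in chains:
        nbytes = chain_wire_bytes(leaf, ica, root)
        rows.append({
            "chain": f"{leaf} / {ica} / {root}",
            "auth_bytes": nbytes,
            "first_flight_rtts": flight_rtts(nbytes),
            "server_signs_per_handshake": leaf,    # CertificateVerify uses the leaf key
            "client_verifies": [leaf, ica, root],  # CertificateVerify, leaf cert, ICA cert
        })
    return rows


if __name__ == "__main__":
    for row in compare_chains([
        ("ECDSA-P256", "ECDSA-P256", "ECDSA-P256"),
        ("Dilithium2", "Dilithium2", "Dilithium2"),
        ("Falcon-512", "Falcon-512", "Falcon-512"),
        ("Dilithium2", "Falcon-512", "Falcon-512"),
        ("SPHINCS+-128s", "SPHINCS+-128s", "SPHINCS+-128s"),
    ]):
        print(row)
```

Two things the rows make visible. First, the only signature generated per handshake is CertificateVerify with the leaf key, so a scheme with fast signing but large signatures costs bytes on every connection; intermediate and root signatures are produced once at issuance, so a scheme with slow signing but small signatures and fast verification is cheap to put there, which is why a mixed chain can be smaller than a uniform one while keeping per-handshake signing fast. Second, once the flight crosses the initial congestion window (14,600 bytes in this model) an extra round trip appears regardless of how fast the cryptography is, which is the regime the stateless hash-based scheme lands in and a reason such schemes fit less time-sensitive uses better.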
For more details on the impact of PQ certificates on TLS, refer to our NDSS 2020 paper.
For additional resources, visit trust.cisco.com.
The post Promising Results for Post-Quantum Certificates in TLS 1.3 appeared first on Cisco Blogs.

Source:: Cisco Security Notice