Archiv für die Kategorie: News

By Sana Yousuf In January 1900, the four-masted steamship S.S. Australia laid anchor in the Port of San Francisco. The ship sailed between Honolulu and San Francisco regularly, and its passengers and crew were declared clean. However, it is difficult to define what ‘clean‘ was in the absence of parameters that could trace the infection back to a single vector. Health and medical professionals struggled to assess and eradicate the disease-make sense of where it came from, if the disease had been seen somewhere in the world, who was the patient zero?
Fast forward to the future, the US Department of Energy’s laboratory Oak Ridge National Lab shuts down the Internet and email services after a cyberattack. The attacks were launched through phishing emails that were sent to about 573 lab employees. The emails were disguised to appear like it came from the lab’s HR department and purported to inform employees of some benefits related changes. Time is of essence in scenarios like this where technology needs to step up to provide answer and not alerts. Is your security program equipped to answer questions-Which email messages have seen this filename or file hash? Which email messages were targeted by this sender email address? Which email messages has seen this subject?
It’s not a matter of IF, but only a matter of when.
The launch of Cisco Threat Response represented a giant leap forward for the goal of reducing or eliminating the burden that exists within today’s Security Operations Center (SOC) by integrating security architecture. The next step in that process was establishing an integration with Security. With solutions like AMP Unity, we have visibility into the email gateway. But Cisco Email Security is the first platform integration that provides deep visibility into content as it travels the network toward the endpoint much like our four-masted steamship. It enables you to find your patient zero!
Being Prepared for the Inevitable
For today’s organizations, email is not only a critical component of business communication, but also a leading attack vector for security breaches. According to Cisco’s Annual Cybersecurity Report, bad actors continue to utilize email as the primary vector for spreading malware.
Additionally, research from the Department of Digital, Culture, Media & Sport states that 80% of businesses with a cybersecurity breach or attack in the last 12 months were targeted by a phishing attack. According to the 2018 Duo Trusted Access Report, 62% of phishing simulation campaigns ran through the Duo Insight tool captured at least one set of user credentials. Nearly a quarter of the campaign recipients clicked the phishing link in the email, and half of those that clicked the phishing link then entered credentials into the fake website. While these attacks aren’t always sophisticated, they are clearly becoming harder to spot by the untrained eye, as hackers find new ways to make malicious emails appear legitimate.
A recent report from Cisco Talos Intelligence Group shared information about a ransomware attack known as LockerGoga that leverages an encryption process to remove the victim’s ability to access files and other data that may be stored on infected systems. Phishing user credentials is one way that an attacker can gain network access, restrict file access, and then deliver a ransom note demanding payment in exchange for keys to decrypt files that LockerGoga has impacted. Cisco Email Security can block malicious emails sent by threat actors as part of their campaign to gain network access. This is just one example of how Cisco Threat Response can protect email as a threat vector.
All you have to do is peek into your personal email spam folder to find bad actors trying to gain access to you and your network through malicious, compromised, or spoofing emails. In fact, 85% of all email in April 2019 was spam, according to TalosIntelligence. Your network must be prepared for the inevitability of a threat delivered via email.
How Does Cisco Email Security Integration Work?
Without a single console to monitor network threats, email has been a difficult vector to protect. However, security architecture integration enables a SOC analyst to identify users who receive a malicious file, quarantine the file, and block the domain the file is reaching out to, without switching interfaces. Faster incident response times are possible because Threat Response provides the user a full picture of the attack, and immediate access to a broad array of integrated protective and mitigative technologies.
Cisco Email Security enables deeper visibility in Cisco Threat Response at multiple layers in an attack’s trajectory, including DNS, endpoint, and now email. With each integration, Threat Response provides enrichment of known attack data, and users can pivot directly into other Cisco Security product consoles to quickly access deeper details of the threat. Users are able to take action immediately through the Threat Response console by blocking the threat vector and associated malicious infrastructure.
Cisco Email Security provides information and context via the Cisco Threat Response platform on email-based threats, by responding to requests for enrichment of elements such as email subject, file name or sender email address, to name a few. Here’s how this works. Your Security Management Appliance (SMA) registers to Cisco’s cloud Security Service Exchange (SSE) and initiates a connection for SSE’s API proxy. Threat Response communicates with the SMA via this SSE proxy, which relays requests for enrichment to your email security solutions (whether on on-premise or in the cloud) and forwards responses back to Threat Response. Emails are never sent to the Threat Response or SSE clouds, and raw log data is not stored in the cloud. By providing this insight at the email messaging layer, Threat Response allows responders to find email-borne threats before they manifest on the endpoint.
Alternatively, in one of the recent releases, we have enabled direct integration of Email Security Appliance with Cisco Threat Response, without the use of SMA, which allows customers who have made investments in Email Security but do not use an SMA to benefit from Cisco Threat Response as well. In this scenario Cisco’s cloud Security Service Exchange connects to ESA directly, and SSE allows an ESA to register with the Exchange, while Cisco Threat Response is provided with an explicit permission by a customer to access the registered devices.
Check out this video to get an overview of the benefits of using Cisco Threat Response and Cisco Email Security together.
Cisco Threat Response Enables Detection to Remediation in 2 Clicks

It’s clear that integrated architecture improves security, drives cost efficiencies, and boosts productivity. And according to Forrester, our customers have seen as high as 70% improvement in security operational efficiency by implementing an integrated architecture.
Cisco Threat Response enables your Cisco Security products to integrate seamlessly and begin working to detect, investigate, and remediate threats. The information that you need across your deployed Cisco products is available immediately in one interface. This allows you to more quickly and intuitively formulate your response plan, while also helping you enact the plan with common response actions available directly and immediately in the Cisco Threat Response interface.

Cisco Security solutions continue to be integrated and add more value to the platform. In addition to Cisco Email Security, Threat Response opens visibility into a variety of contexts:
Users have visibility into the endpoint with Cisco AMP for Endpoints.
Visibility into content and edge security can be obtained with the above integration by configuring those devices into the AMP for Endpoints UI via the Unity feature.
Cisco Umbrella provides a portal into domain resolution requests and associated network activity.
Cisco Threat Grid provides access to context-rich automated malware analysis and threat intelligence.
Open API integrations support additional solutions already present in a customers‘ security setup.
Threat intelligence from Cisco Talos and third-party sources integrates automatically to research indicators of compromise (IOCs) and quickly confirm threats.
By providing automated integration across several Cisco Security products, including Email Security, Threat Response provides a seamless experience that serves as a foundation for fast, efficient incident investigation and response.
Building Value Through Integration
As previously mentioned, the value of Threat Response is in the integration of security architecture to enable the SOC to have all needed information and an increased level of detail to make a determination and take action against a network threat. These integrations continue to streamline processes and create cost efficiencies for our customers.
With Cisco Email Security, keeping email secure is no longer a time-intensive task. With its integration into Cisco Threat Response, email threats can now be solved in just minutes. While this is the first integration that steps into the middle ground between the external network and the endpoint, stay tuned for continued integrations that add further visibility into content as it traverses across the network.
Check out the Cisco Cybersecurity Report that examines email security from three angles: the current state of the challenges of security practitioners, the mechanisms behind phishing attacks, and recommendations for defenders. Cisco Threat Response adds enhanced protection to your network against email threats like malware, phishing, spoofing, ransomware, and business email compromise
If you’re interested in giving Cisco Threat Response and Cisco Email Security a test drive, be sure to visit our webpage or create an account in the U.S.or EMEAR to get started today.
Want to keep up to date on Cisco Threat Response? Now you can! Subscribe here to receive alerts every time a new blog is posted.
The post Combat Modern Day Plague in Security with Email Security and Cisco Threat Response Integration appeared first on Cisco Blogs.

Source:: Cisco Security Notice

By Jeff Reed Complexity is one of the top challenges our customers face today. CISOs not only want to enable their teams to detect and respond to threats faster, they want to simplify workflows and streamline operations at the same time. In our annual CISO surveys, we’ve been seeing a trend toward vendor consolidation, which tells us CISOs are looking for ways to make their solutions simpler.
Vendors typically work in siloes to solve these kinds of challenges. But at Cisco, we believe we can achieve more through collaboration. That’s why we’ve been working in partnership with IBM Security to provide joint customers an in-depth, end-to-end defense strategy while simplifying their vendor relationships.
The average organization juggles 45 different security vendors. Leveraging the breadth of Cisco and IBM’s security portfolios allows our customers to drastically reduce that number of vendors while still using best-in-class products. The reduction in vendor surface creates more than just technical efficiencies. By consolidating vendor relationships, customers can maximize their buying power through vehicles like Enterprise Agreements, as well as simplify contract management and support cases.
Leveraging Cisco and IBM strengths
At Cisco, we believe we have excellent technologies to help customers prevent threats to their businesses, and with products like Cisco Threat Response, we even speed up various elements of the technical response. With IBM, we have focused our initial integrations on QRadar and Resilient product lines to help customers further prioritize threats and better assist with their response both at a technical and business level.
Let’s say you had an insider attack. The Cisco/IBM integrated solutions enable faster investigations of suspicious behaviors that could compromise credentials or systems. For example:
Cisco Stealthwatch looks for behavioral indicators of compromise in activity traversing the network, including encrypted traffic without the need to decrypt the data. IBM QRadar builds on that detection, as well as other Cisco solutions like Firepower Threat Defense, to correlate events from network traffic and logs to help security teams quickly prioritize threats.
Cisco Identity Services Engine helps you associate malicious activity with specific user credentials, and you can quarantine the user and lock down network access right from QRadar.
Responding to the attack is not just about gathering the information. You also need to understand how the business responds to the threat — is this something that needs public release of information, do you need to involve law enforcement, will this result in employee termination, and so on. To help operationalize incident response, you can use investigation results from all the integrated solutions to create a report in Resilient.

Innovative solutions to address customer needs
Many of the Cisco/IBM collaborative solutions are unique for the industry, and they’re based on lessons Cisco and IBM have learned from our extensive customer bases and our threat intelligence teams, Cisco Talos and IBM X-Force.
To make breach response more efficient, earlier this year we integrated Cisco Advanced Malware Protection (AMP) for Endpoints with QRadar and IBM Resilient SOAR. These integrations enable security teams to do things like:
Receive AMP for Endpoints telemetry directly in QRadar for a consolidated view of events across endpoints and ability to search, analyze, and correlate them.
Pull AMP for Endpoints data into Resilient to investigate events, automatically bring the results into an incident, and get more details on detected threats, then quarantine detected malicious files.
Since threats evolve quickly, defenses can’t rely on one mechanism alone. We work together in various other ways to help you detect unknown threats like ransomware or speed up response time. For instance:
Resilient customers can submit suspicious malware samples to Cisco Threat Grid to get detonated, with the hashes sent back to Resilient. This can stop malware or ransomware before it ever reaches the end user.
IBM Resilient users can query Cisco Umbrella for a list of blocked domains, save them to a data table, and delete or add new ones — preventing end users from accessing risky internet connections.
We’re listening to your feedback
Because we’re invested in the results that this collaboration can produce for our customers, we’re continuously expanding and improving our integrated solutions based on your feedback. The latest examples are enhancements made to the Firepower Threat Defense and QRadar SIEM integration, which accelerate threat investigation and remediation by correlating events across network, applications, and users.
Our customers wanted to dig deeper than the top-level summaries previously available. We listened — and the new, enhanced Firepower app that we’re releasing provides a higher level of detail in the integrated dashboard.
With Firepower Threat Defense and QRadar, you can answer questions like:
Which hosts in my network are potentially compromised?
Which hosts are known to be compromised?
What malware is most often observed in my network?
Which hosts have sent the most malware?
This is just one of the new enhancements and expansions we’ve been making as part of our alliance, and more are on the roadmap. By reducing complexities, increasing visibility, and improving threat defenses, our collaboration is improving outcomes in areas that are top of mind for our customers.
Learn more
Cisco and IBM are continuously engaged in discussions about new possibilities, and we expect our combined forces to produce many new solutions. To see how you can benefit from this partnership, learn more about Cisco’s and IBM’s integrated technology, threat intelligence, and services.
The post Cisco and IBM: Solving Customer Challenges through the Power of Partnerships appeared first on Cisco Blogs.

Source:: Cisco Security Notice

Source:: Innovaphone

Source:: Innovaphone

By Talos Group
Today, Talos is publishing a glimpse into the most prevalent threats we’ve observed between Dec 6 and Dec 13. As with previous roundups, this post isn’t meant to be an in-depth analysis. Instead, this post will summarize the threats we’ve observed by highlighting key behavioral characteristics, indicators of compromise, and discussing how our customers are automatically protected from these threats.
As a reminder, the information provided for the following threats in this post is non-exhaustive and current as of the date of publication. Additionally, please keep in mind that IOC searching is only one part of threat hunting. Spotting a single IOC does not necessarily indicate maliciousness. Detection and coverage for the following threats is subject to updates, pending additional threat or vulnerability analysis. For the most current information, please refer to your Firepower Management Center, Snort.org, or ClamAV.net.
Read More
Reference:
TRU12132019 – This is a JSON file that includes the IOCs referenced in this post, as well as all hashes associated with the cluster. The list is limited to 25 hashes in this blog post. As always, please remember that all IOCs contained in this document are indicators, and that one single IOC does not indicate maliciousness. See the Read More link above for more details.
The post Threat Roundup for December 6 to December 13 appeared first on Cisco Blogs.

Source:: Cisco Security Notice