Those of us who work in security operations are well accustomed to blind spots. Depending on the size of the network, our security technologies can trigger thousands of security alerts daily. We know from experience that the vast majority of these alerts are false-positives – innocuous activity that behaves a bit funny. But we also know that real threats are hiding in plain sight among the throng, finding safety in numbers. If threats are wolves in sheep’s clothing, false-positives are the sheep masquerading as wolves. How can we know the difference?
We can eliminate a sizable proportion of false-positives with reasonable certainty through investigation, but we struggle to cut this list down to a small number of confirmed threats, and we waste a lot of time chasing wild geese in the process. To home in on confirmed threats, we need a better sieve for sifting through alerts. Advanced analytics and granular forensic technologies enable overburdened security operations personnel to separate the wheat from the chaff through high-fidelity threat investigation. Using advanced data analytics methodologies enables Cisco Active Threat Analytics investigators to weed out a huge proportion of false-positive alerts with great accuracy, and applying data enrichment and deep packet inspection tools in the threat investigation process equips us to validate confirmed threats quickly.
Tags: Active Threat Analytics, ATA, full packet capture, pcap, threat detection, threat investigation, threat management
Did you know that October is National Cyber Security Awareness Month? Here at Cisco, we understand how important cybersecurity is in today’s interconnected world. Because the Internet touches an increasingly large part of our lives, it’s necessary to engage and educate the public about how to stay protected. While we highlight the importance of cybersecurity in October, at Cisco we have initiatives and programs in place to make sure the education continues throughout the rest of the year as well.
We start from the inside out, making sure that our own employees are fully educated and trained in the latest in cybersecurity. Our Cisco Security Ninja Program, which challenges participants to reach for higher degrees of competency and proficiency in product security, has been a huge success. Employees can earn four distinct belts (white, green, blue, brown and black) that represent their advancing cybersecurity knowledge. Additionally, we offer a program in conjunction with San Jose State University that enables Cisco employees to earn their Master’s degree in Software Engineering with an emphasis in Cybersecurity. Plus, every year we have an internal conference on security, SecCon, that brings together hundreds of engineers from Cisco offices around the globe to share their knowledge and increase the overall security posture of Cisco products. All of these programs help ensure that our own employees are experts at the latest in cyber protection.
Tags: CyberAware, cybersecurity, National Cyber Security Awareness Month, NCSAM, security
We are happy to announce the final schedule for IRespondCon, a conference that is specifically designed for incident responders. IRespondCon is held annually at OpenDNS HQ and offers a day of free training, presentations, and networking with some of the top information security engineers, instructors, and fellow responders. They’ll be showing how to use freely available, open source tools to better defend networks and improve the effectiveness of DFIR efforts.
The agenda (subject to minor changes) is as follows:
Lenny Zeltser, SANS Institute: How to Run Malware Analysis Apps as Docker Containers.
Thibault Reuille, OpenDNS Labs: Using OpenGraphiti, the Open Source 3D Visualization Tool and framework.
Jason Craig, DropBox: An introduction to Sysmon and how it can be used for proactive hunting and IR in Windows environments.
Rob Fry, Netflix: Using FIDO the orchestration layer that automates the incident response process by evaluating, assessing and responding to malware and other detected threats.
Dean Sysman, Cymmetria: Using nested virtualization with KVM. Showing how to create a nested virtualization array and its unique benefits for multiple security problems.
Rick Wesson, Support Intelligence: Performing static malware analysis using GPUs.
Joel Esler, Cisco: An update on Cisco Security Open Source projects and how they can help responders.
Kurt Hurtado, Elastic Search: Using Elastic Search and Logstash for Incident Responders.
For more information and to register, visit https://irespondcon.eventbrite.com. For information on IRespondCon I, check out our blog wrap-up from last year at https://labs.opendns.com/2014/09/23/s4-irespond-con-wrap/.
Note: Seating is limited, so register as soon as you know you can make it!
Tags: incident response, security research
In Greek mythology, Sisyphus was a trickster king cursed with the eternal torment of fruitless labor. As punishment for his hubris and wile, Zeus condemned this hapless figure to the unending task of pushing a boulder up a mountain. Once he reached the top, the boulder would fall back down. And he would begin again. And again. Every day. Forever.
I suspect that it will not be a great imaginative leap for those of you in the information security industry to empathize with this unfortunate soul. Cyberattacks are continuously growing in frequency and sophistication. Threats are ever-present. New technologies and changing business models are always forcing you to change your tactics. Protecting your organization’s sensitive information seems like a Sisyphean undertaking: constant and unceasing.
I hear this from our customers all the time. IT security feels like an uphill battle, and the struggle to guard against ever-evolving threats seems interminable. As innovative social, mobile, analytics, cloud, robotics, and Internet of Everything (IoE) technologies transform every organization into a digital organization, the prospect of maintaining a strong security posture amid such rapid and widespread change can be daunting. We hear you, we get it, and we are ready to help. Just as Cisco is helping organizations become digital, we are also deeply committed to ensuring that security is the bedrock upon which the successful digital enterprises of the future will stand. For that to happen, organizations will need security solutions designed for the world of tomorrow. To help organizations transform securely, we have created Cisco Active Threat Analytics – a suite of next-generation managed security services that will help customers to detect threats in their environments with great speed, accuracy, and focus.
Tags: Active Threat Analytics, ATA, Big Data, full packet capture, Incident Management, information security, it security, network security, security operations, threat detection, threat management
Cisco is committed to improving the overall security of the products and services our customers rely on. As part of this commitment, Cisco assesses the security of software components used in our products. Open source software plays a key role in many Cisco products and as a result, ensuring the security of open source software components is vital, especially in the wake of major vulnerabilities such as Heartbleed and Shellshock.
In April 2014, the Linux Foundation spearheaded the creation of the Core Infrastructure Initiative in response to the disclosure of Heartbleed with the goal of securing open source projects that are widely used on the internet. As a member of the Linux Foundation Core Infrastructure Initiative (CII) Steering Group, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. ntpd is a widely deployed software package used to synchronize time between hosts. ntpd ships with a wide variety of network and embedded devices as well as desktop and server operating systems, including Mac OS X, major Linux distributions, and BSDs.
Today, in coordination with the NTP Project, Cisco is releasing 8 advisories for vulnerabilities that have been identified by the Talos Group and the Advanced Security Initiatives Group (ASIG) within Cisco. These vulnerabilities have been reported to the NTP Project in accordance with Cisco vulnerability reporting and disclosure guidelines. The NTP Project has responded by issuing a Security Advisory along with releasing a patched version of ntpd. The following serves as a summary for all the advisories being released. For the full advisories, readers should visit the Vulnerability Reports page on the Talos website.
Tags: ASIG, NTP, Talos, time, Vulnerability Research