Cisco Blogs


Tracking Malicious Activity with Passive DNS Query Monitoring

Ask anyone in the information security field and they will tell you:

Security is not fair. There is essentially an unlimited supply of attackers that can test your defenses with impunity until they eventually succeed.

As a member of the Cisco Computer Security Incident Response Team (CSIRT) I’ve seen this asymmetry up close, so I can tell you that good security is really hard. Besides the normal security practices like deploying firewalls, IDS sensors, antivirus (AV), and Web Security Appliances, CSIRT is increasingly looking to the network as a data source. We have been collecting NetFlow for years but we have always wanted additional context for the flow data. While it is true that the Internet is built on TCP/IP, Internet services—both good and bad—are found by name using the Domain Name System (DNS). For years infosec has been network-address-centric and the attackers have adapted. Today it is very common to see malware command and control (C&C) use domain generation algorithms (DGAs), Peer-to-Peer (P2P), or even fast-flux DNS to evade IP address-based detection and blocking. It has become absolutely clear that to keep up with the latest attacks and attackers you must have a view into the DNS activity on your network.

CSIRT has been struggling with limited DNS information for a while now, so I am pleased to say we finally have comprehensive visibility into the DNS activity on our network. Before I dive into how we tackled this problem I should back up and explain a bit more about DNS…


Managing Communications During Customer-Impacting Incidents

No matter how you prepare, you never know how or when it will begin. The phone rings and sixty seconds later a sense of dread emerges. It grows slowly, peaking just as you hang up the phone. Sitting back in your chair, you take a deep breath and turn your mind to all the customers, executives, and journalists who will soon know what you know.

You and I both have a sense of the work involved in managing customer-impacting data exposures, privacy breaches, or malicious attacks. These are high pressure, high profile incidents that demand the very best response team—a team that includes technical and non-technical expertise.

Working as I do with Cisco security and incident response teams, I sit alongside some great people who understand the value of having a professional communicator at the table. With a technical response underway, the communicator can do what they do best—summarize the topic, identify impacted audiences, assess their needs, and craft the required messaging. Regardless of their department—public relations, employee communications, customer communications, or marketing—these people will be critical to sustaining customer relationships and protecting your organization’s reputation.


NCSAM: Diversity, Consistency, and Security Intelligence

The security community at Cisco is very diverse. It extends beyond the typical researcher or analyst roles to include customer-facing engineers and marketing, public relations, and legal teams. The community is comprised of individuals with greatly varied backgrounds, skill sets, and charters and contains a wealth of knowledge on just about any topic. This diversity allows Cisco Security Intelligence Operations to understand and react appropriately to today’s threats as well as those that we may face in the future.

If we think about security intelligence—which I define as raw information enhanced through correlation, processing or perspective—having an established variety of inputs is key. Our people are certainly one of those inputs.

The trick, however, is utilizing that diversity in such a way that you can create consistent and predictable outputs that can be easily absorbed and acted on.


Connected Kids can be Safe Online

Let’s face it: today’s kids are more connected than ever before. In fact, according to a study by the Kaiser Family Foundation, children between the ages of 8 and 18 spend more than 7½ hours a day with electronic devices, not including the hour and a half they spend texting, or the small amount (30 minutes) they actually spend talking on the cell phone.

And these kids are truly digital natives. To them, online access is ubiquitous and expected. Internet access is everywhere and, like oxygen, they rely on it and crave it. Whether they tweet, text, update statuses, post pictures, chat or video chat, kids are using their devices to connect, to explore, to share, and yes, to learn. In fact, a new study has shown that users of social networking sites (SNS) such as Twitter and Facebook are better off socially, are more trusting of other people, and are more civically engaged. Even in classrooms today, teachers have found that using technology has increased their students’ motivation, provided new outlets for students’ creativity, and helped the teachers become better organized.


A Secure Network is a Productive Network

Because it’s Cyber Security Month, security has been top of mind for me, and I’ve realized that network security plays a silent role in almost everything we do.

Last week our power went out. This is pretty rare where I live, because I’m on the same power grid as Disney World, which means that there are two major power sources sending electricity our way (imagine the cost of a power outage to Disney World!). I really never thought it would happen. Even the year that Central Florida was hit by three hurricanes, the power never faltered here. But a little transformer blew in town and knocked the lights out. No power, no network. So I picked up my laptop and scooted out to the local Starbucks without giving it a second thought.
