Cisco Blogs


Inside Cisco IT: Finding Secure Cloud Services

Cisco uses a variety of external cloud services, in concert with our internal IT service offerings. These cloud services could be storing or working with internal confidential material, so before we select which services to use, the cloud service providers (CSPs) which furnish these capabilities must go through a risk assessment process. This is to ensure their environments comply with our internal Information Security (Infosec) requirements, align to our system architecture and meet overall business objectives.


Cisco Secure Ops demonstrated at Cisco Live 2015

As I mentioned in my last blog, “Cisco Live Hosts Enhanced Cisco Collaborative Operations Solution Demonstration”, Cisco Live excited many delegates this year, and one of the highlights was indeed the World of Solutions. I talked about how the industrial section of the ‘Cisco Campus’ not only showed off lots of new advances, but, for the first time, the small but important process industries (including Oil and Gas) booth opened up showing the services-based solutions Secure Ops and Collaborative Operations. Now let’s talk about Secure Ops.

In the video, I interview Cisco and partner representatives to discuss the Secure Ops Solution from Cisco: what it is, what the business need is, and how Cisco is helping customers get better business outcomes – especially when it comes to cybersecurity! Having the Secure Ops solution can increase the availability of systems and critical infrastructure, reducing downtime in the oil and gas industry or in any other industry that relies on critical infrastructure, such as process manufacturing, pharmaceuticals or other industrial automation environments.

Cisco Secure Ops delivers a standardized, comprehensive and integrated approach to security. It is supported by automation suppliers such as Yokogawa and Rockwell and technology providers such as McAfee and Symantec and provides a framework for a wide range of partners to participate. It’s currently installed at customers such as Royal Dutch Shell.

Rob Arlic of Cisco is joined by Galina Antova at Cisco Live. Rob talks about what Secure Ops is and how it helps provide not only cybersecurity protection, but also demonstrable regulatory compliance. It therefore provides companies with higher availability and better Operational Excellence.

Galina talks about what’s new. Added capabilities include going deeper than just the IP network to gain more profound visibility into operations, then building a view of what is normal and abnormal in those other networks so that deviations can be assessed. Managing all of that is key, and it is included.

Rob concludes by summing up: “It’s all about up-time and availability. If there are security vulnerabilities, (making sure) those are addressed proactively and preemptively”.

To learn more go to

And, as always, tell us what you think.


Vulnerability Spotlight: Apple Quicktime Corrupt stbl Atom Remote Code Execution

This post was authored by Rich Johnson, William Largent, and Ryan Pentney. Earl Carter contributed to this post.

Cisco Talos, in conjunction with Apple’s security advisory issued on June 30th, is disclosing the discovery of a remote code execution vulnerability within Apple Quicktime. This vulnerability was initially discovered by the Talos Vulnerability Research & Development Team and reported in accordance with responsible disclosure policies to Apple.

There is a remote code execution vulnerability in Apple Quicktime (TALOS-2015-0018/CVE-2015-3667). An attacker who can control the data inside an stbl atom in a .MOV file can cause an undersized allocation which can lead to an out-of-bounds read. An attacker can use this to create a use-after-free scenario that could lead to remote code execution.

There is a function within QuickTime (QuickTimeMPEG4!0x147f0) which is responsible for processing the data in an hdlr atom. A 16-byte memory region is allocated near the beginning of the function; if the hdlr subtype field in the mdia atom is set to ‘vide’, a reference to this region is passed to a set of two functions.
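The defensive counterpart to the problem described above is to validate every atom's declared size against its parent before reading any field behind the header. The walker below is an added example, not Apple's or Talos's code; the container list, the recursion limit and the sample buffers are constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Hypothetical defensive atom walker (added example, not Apple or Talos code).
 * Each atom's declared size is validated against its parent before any field
 * behind the header is read, so a corrupt size cannot drive an undersized
 * allocation or an out-of-bounds read. Sizes 0 and 1 (extended) are rejected. */
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static int is_container(const uint8_t *type) {
    static const char *const c[] = {"moov", "trak", "mdia", "minf", "stbl"};
    for (size_t i = 0; i < sizeof c / sizeof *c; i++)
        if (memcmp(type, c[i], 4) == 0) return 1;
    return 0;
}
/* Walks the atoms in buf[0..len). Returns the number of well-formed atoms visited
 * (containers included), or -1 at the first atom whose size does not fit its
 * parent or whose hdlr payload is too short to hold the subtype field. */
int walk_atoms(const uint8_t *buf, size_t len, int depth) {
    size_t off = 0;
    int count = 0;
    if (depth > 8) return -1;              /* bound recursion on hostile nesting */
    while (off < len) {
        if (len - off < 8) return -1;      /* 8-byte header does not fit */
        uint32_t size = be32(buf + off);
        const uint8_t *type = buf + off + 4;
        if (size < 8 || size > len - off) return -1;
        const uint8_t *payload = buf + off + 8;
        size_t plen = size - 8;
        if (memcmp(type, "hdlr", 4) == 0) {
            /* hdlr: version(1) flags(3) component type(4) subtype(4) ..., so the
             * subtype at payload+8 may be read only when plen >= 12 */
            if (plen < 12) return -1;
        } else if (is_container(type)) {
            int sub = walk_atoms(payload, plen, depth + 1);
            if (sub < 0) return -1;
            count += sub;
        }
        count++;
        off += size;
    }
    return count;
}
/* Constructed samples: an mdia holding a 'vide' hdlr, then two corrupt ones. */
const uint8_t good_sample[] = {0,0,0,40,'m','d','i','a', 0,0,0,32,'h','d','l','r',
    0,0,0,0, 'm','h','l','r', 'v','i','d','e', 0,0,0,0, 0,0,0,0, 0,0,0,0};
const uint8_t oversized_sample[] = {0,0,0,24,'m','d','i','a', 0,0,0,40,'h','d','l','r',
    0,0,0,0, 'm','h','l','r'};        /* hdlr claims 40 bytes; parent has 16 left */
const uint8_t short_hdlr_sample[] = {0,0,0,16,'h','d','l','r', 0,0,0,0, 'm','h','l','r'};
```

A real parser would also have to handle size 0 (atom extends to end of file) and size 1 (64-bit size follows the type), with the same fit-in-parent check applied to the extended value.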




Cisco Announces Intent to Acquire OpenDNS

Every day, more people, processes, data and things become connected. As this trend continues to grow exponentially, so too, do opportunities for security breaches and malicious threats. With an estimated 50 billion devices being connected by 2020, enterprise customers will face greater challenges in protecting their ever-expanding networks. To address these risks Cisco is focused on providing solutions across the extended network for its customers, what we call Security Everywhere. We are embedding threat protection capabilities from the enterprise infrastructure to the data center, from mobile to the cloud, and on the endpoints within their environment.

To enhance our strategy, I am pleased to announce our intent to acquire OpenDNS, a leading provider of advanced threat protection for any device, anywhere, anytime, delivered in a Software-as-a-Service (SaaS) model. The acquisition will extend our ability to provide customers enhanced visibility and threat protection for unmonitored and potentially unsecure entry points into the network, and to quickly and efficiently deploy and integrate these capabilities as part of their defense architecture. This acquisition builds on Cisco’s security strategy, adding broad visibility and predictive threat intelligence from OpenDNS’ cloud platform, accessed by more than 65 million users daily.

To build on Cisco’s advanced threat protection capabilities, we plan to continue to innovate a cloud-delivered security platform, integrating OpenDNS’ key capabilities to accelerate that work. Over time, we will look to unite our cloud-delivered solutions, enhancing Cisco’s advanced threat protection capabilities across the full attack continuum—before, during and after an attack.

The OpenDNS team will join the Cisco Security Business Group under the leadership of Senior Vice President and General Manager David Goeckeler. Their deep security expertise and key technologies will be a natural fit to Cisco’s security vision and the Security Business Group. The acquisition is expected to close in the first quarter of fiscal 2016.


AMP Threat Grid integrates with Tripwire Enterprise

Today’s threat landscape is completely different than last year’s, and next year’s will be, not surprisingly, even worse. The Industrialization of Hacking has spawned a new era of professional, entrepreneurial, and resourceful cyber criminals. In recent years, dynamic malware analysis (aka sandboxing) has become the shiny new technology that we all want, no, need to have. At one time anti-virus held this position as well, and the same will eventually be said of sandbox technology used to fight advanced malware.

You may have purchased a sandbox a few years ago but it’s likely that your malware analysis needs have gone beyond the traditional sandboxing technologies that simply extract suspicious samples, analyze in a local virtual machine, and quarantine. You need a more robust malware analysis tool that fits into your infrastructure and can continuously detect even the most advanced threats that are environmentally aware and can evade detection.

Tripwire recently partnered with Cisco and integrated the AMP Threat Grid dynamic malware analysis solutions into Tripwire Enterprise. But why choose this dynamic malware analysis tool? After careful evaluation there were a few key reasons to integrate this tool versus others:

  1. It’s not just dynamic malware analysis

    AMP Threat Grid provides both static and dynamic malware analysis, and a full subscription provides an API that is used to seamlessly deliver context rich threat intelligence into existing security technologies.

  2. Not everyone out there is a security expert

    Heck, very few are. AMP Threat Grid was designed to empower junior security analysts by providing a Threat Score so they can easily determine how malicious a sample is. The behavioral indicators are written in plain English so they can understand what the file is doing, and why its behavior is malicious, suspicious, or benign.


  3. Lack of instrumentation

    AMP Threat Grid was designed without any instrumentation inside the virtual machine. Most experts agree that around 40% of today’s malware is environment aware, checking to see if it is running in a sandbox or the age of the operating system before detonating.

There are 3 ways that most people deploy a malware analysis tool:

  1. A stand-alone solution designed to feed itself samples for analysis without dependency on other security products. This has the most flexibility in deployment but adds significant hardware costs and complexity to management and analysis, especially for distributed enterprises.
  2. A distributed feeding sensor approach, such as firewalls, IPS, or UTMs with built-in sandboxing capabilities. These solutions are usually cost effective and easy to deploy but are less effective in detecting a broad range of suspicious files including web files. They can also introduce bandwidth limitations that can hamper network performance and privacy concerns when a cloud-based solution is the only option.
  3. Built into secure content gateways, such as web or email gateways. This approach is also cost effective but focuses on web and email channels only and also introduces performance limitations and privacy concerns.

Since Tripwire is already monitoring and collecting the data on your mission-critical systems, these approaches don’t fit. But there’s a fourth way that actually takes the best of what these approaches offer and raises the bar to help you fight well-funded attackers that get better at what they do every day: Cisco AMP Threat Grid. Through AMP Threat Grid, Cisco offers advanced malware analysis and intelligence that integrates directly with Tripwire Enterprise, providing you with a better ROI and more visibility into what is happening in your environment. Tripwire has integrated AMP Threat Grid into Tripwire Enterprise, providing both static and dynamic analysis so you can better understand the malware targeting your organization, as well as the ability to automate the consumption of threat intelligence into your existing security infrastructure.

How does the Integration actually work?

AMP Threat Grid’s content-driven security analytics dynamically and statically analyzes all submitted files, executing the sample in a safe environment, examining the behavior of the samples, and correlating the results with hundreds of millions of other analyzed malware artifacts. In less than 10 minutes AMP Threat Grid reports back and Tripwire Enterprise tags the file with the result. This enables Tripwire Enterprise customers to prioritize actions for changes on systems with threats identified by AMP Threat Grid and to initiate workflow actions for quick remediation.


Not only does AMP Threat Grid analyze a broad range of objects, but those interested in an AMP Threat Grid subscription will also be provided with deep analytics capabilities wrapped with robust context. With over 350 behavioral indicators and a malware knowledge base sourced from around the globe, AMP Threat Grid provides more accurate, context rich analytics into malware than ever before. Tripwire customers can register for their free demo here.
