Cisco Blogs


Cisco Blog > Security

NSS Labs Breach Detection Systems Testing Demonstrates Why Threat Protection Must be Continuous

Long before becoming a part of Cisco, the Sourcefire team was aggressively addressing the advanced malware challenges our customers face daily. We believe that the most effective way to address these challenges is a continuous Advanced Malware Protection (AMP) approach that does more than just track malware at a point in time, but is also unrelenting in both monitoring and applying protection. Cisco shares this vision, which is why the combination of our technologies is so powerful. It’s not just about the network, or just about the endpoint— it’s about connecting these and everything in between for complete protection.

While our customers knew it and we knew it, the industry at large can now be certain that this continuous approach is the most effective for addressing advanced threats. NSS Labs tested AMP along with other security solutions for its 2014 Breach Detection System Security Value Map (SVM) and Product Analysis Report (PAR). NSS Labs defines Breach Detection Systems as solutions that provide enhanced detection of advanced malware, zero-day and targeted attacks that could bypass traditional defenses. The SVM results speak for themselves:

NSS Labs Breach Detection SVM Graphic

The SVM is a unique graphical representation of the security effectiveness and value of tested products. It’s no surprise to us that AMP scored as high as it did, but the results are great validation of our commitment to delivering this leading protection with the best total cost of ownership (TCO).

The SVM is also further proof that solutions marketed at addressing targeted advanced persistent threats (APT) and zero-day attacks can’t stop at only offering point-in-time detection. Advanced Malware Protection is the only solution to offer continuous analysis, retrospective security, and multi-source Indicators of Compromise (IoC) for protection before, during and after attacks across the extended network. These capabilities address an important gap that exists in all point-in-time products. Our AMP solution provides the continuous capability to “go back in time” and retrospectively identify and then remediate files that initially evade defenses.

Some highlights from testing:

  • AMP has the lowest TCO of any product tested
  • AMP is a leader in security effectiveness achieving detection of 99 percent of all tested attacks
  • AMP excelled in time-to-detection, catching threats faster than competing Breach Detection Systems

When we talk about AMP with our customers, we call it “AMP Everywhere” because it can protect from the cloud to the network to the endpoint. It has been available as a connector for endpoints and mobile devices, a standalone appliance, and as part of Next-Generation Firewall and Next-Generation IPS for the last two years. It has also recently been integrated into Cisco’s portfolio of Web and Email Security Appliances and Cloud Web Security. With web and email interactions remaining one of the primary vectors for malware infection in organizations, AMP integration on our leading email appliance and web security gateways provides our customers with even stronger protection wherever a threat can manifest itself.

“AMP Everywhere” is a reality. An extremely effective one, at that. I encourage you to see the results for yourself. Download a free copy of the 2014 NSS Labs Breach Detection Systems SVM and PAR for Advanced Malware Protection.

Tags: , , , , , , , , ,

Malware is Everywhere. Now, so is Advanced Malware Protection from Cisco.

Malware is everywhere and it’s incredibly challenging to combat, using whatever unprotected path exists to reach its target and accomplish its mission.

Malware has become the weapon of choice for hackers. According to the 2013 Verizon Data Breach Investigation Report, of the top 20 types of threat actions last year, malware is the most common method used, followed by hacking and social engineering. Increasingly, blended threats that combine several methods – for example, phishing, malware and hacking – are being used to introduce malware, embed the malware in networks, remain undetected for long periods of time and steal data or disrupt critical systems. More specifically on blended threats, the report tells us that more than 95 percent of all attacks intended for conduct espionage employed phishing. What is more, a prominent recent retail breach began with a targeted email phishing attack that ultimately led to access to payment system data via malware uploaded to PoS systems.

Read More »

Tags: , , , , ,

Cisco Announces OpenAppID – the Next Open Source ‘Game Changer’ in Cybersecurity

One of the big lessons I learned during the early days, when I was first creating Snort®, was that the open source model was an incredibly strong way to build great software and attack difficult problems in a way that the user community rallied around. I still see this as one of the chief strengths of the open source development model and why it will be with us for the foreseeable future.

As most every security professional knows, cloud applications are one of the most prevalent attack vectors exploited by hackers and some of the most challenging to protect. There are more than 1,000 new cloud-delivered applications per year, and IT is dependent on vendors to create new visibility and threat detection tools and keep up with the accelerating pace of change. The problem is that vendors can’t always move fast enough and IT can’t afford to wait. Countless custom applications pile on even more complexity.

So today, Cisco is announcing OpenAppID, an open, application-focused detection language and processing module for Snort that enables users to create, share, and implement application detection. OpenAppID puts control in the hands of users, allowing them to control application usage in their network environments and eliminating the risk that comes with waiting for vendors to issue updates. Practically speaking, we’re making it possible for people to build their own open source Next-Generation Firewalls.

Read More »

Tags: , , , , ,

Summary : Sourcefire in our Data Center by Cisco Chief Security Officer

December 6, 2013 at 7:00 am PST

 

Sourcefire

 

 

 

 

 

Last October , Cisco confirmed that Sourcefire was now part of our family of security products and solutions .

“With this acquisition, we take a significant and exciting step in our journey to define the future of security. As one company, we offer an unbeatable combination that will greatly accelerate our mission of delivering a new, threat-centric security model. Through the addition of Sourcefire’s competitive talent and technologies, I see vast opportunities to expand Cisco’s global security footprint in both new and emerging markets, broaden our solution sets and deepen our customer relationships “

Chris Young, Cisco Senior Vice President Security Group
in his blog “Delivers Threat-Centric Security Model “

“Beyond the technology, one of the things that is important to me is that Cisco and Sourcefire both share key values that transcend our company names, HQ locations and number of employees. Much like Sourcefire’s Firemen Principles, you can be confident that these values will continue as one team at Cisco.”

Martin Roesch, Sourcefire founder and CTO and now VP and Chief Architect of Cisco Security Group
in his blog ONE Team 

These days , John Stewart , Senior Vice President, Cisco Chief Security Officer , announced that we completed the  deployment of Sourcefire at Cisco . John Stewart oversees at Cisco the Threat Response, Intelligence and Development ( TRIAD ) organization .

The implementation is already giving us insights into our data center that we never had before

To know  more about this deployment and John’s first impressions check his blog
 The First Inline Production Deployment at Cisco 

 

The Cisco security architecture helps data center networking teams take advantage of security capabilities built into the underlying data center fabric, to accelerate safe data center innovation. There are three important security measures that every IT organization should follow to securely support data center innovation. 
To learn more, download the Cisco white paper “Three Must-Have Security Measures that Accelerate Data Center Innovation.”

Tell us what do you think of the acquisition of Sourcefire by Cisco .

 

Tags: , , , , , , , ,

The Internet of Everything, Including Malware

December 4, 2013 at 1:09 pm PST

We are witnessing the growth of the Internet of Everything (IoE), the network of embedded physical objects accessed through the Internet, and it’s connecting new devices to the Internet which may not traditionally have been there before. Unfortunately, some of these devices may be deployed with a security posture that may need improvement.

Naturally when we saw a few posts about multi-architecture malware focused on the “Internet of Things”, we decided to take a look. The issue being exploited in those posts is CVE-2012-1823, which has both an existing Cisco IPS signature as well as some for Snort. It turns out this vulnerability is actually quite heavily exploited by many different worms, and it took quite a bit of effort to exclude all of the alerts generated by other pieces of malware in Cisco IPS network participation. Due to the vulnerability-specific nature of the Cisco IPS signature, the same signature covers this issue as well as any others that use this technique; just one signature provides protection against all attempts to exploit this vulnerability.  As you can see in the graph below this is a heavily exploited vulnerability. Note that these events are any attack attempting to exploit this issue, not necessarily just the Zollard worm.

The graph below is derived from both Cisco IPS and Sourcefire IPS customers. The Cisco data is from customers who have ‘opted-in’ to network participation. This service is not on by default. The Sourcefire data below is derived from their SPARK network of test sensors. This graph is showing the percent increase of alert volume from the normal for each dataset at the specified time.

zollard_cisco_sf

Read More »

Tags: , , , , , , ,