
Over the past several years, tech startups have emerged and disrupted all areas of the Financial Services industry. Wealth Management is no exception. A recent study by Roubini ThoughtLab in partnership with Cisco and 16 prestigious firms gave us deep insights into this disruption.


The study highlights that Wealth Management firms must adjust to new business models and business disruptors by:

• Transforming how customers connect with advisors. The study found this can only be accomplished by re-engineering front, middle, and back offices to put customers at the very center of a digital strategy.
• Personalizing the experience. Firms must invest in a digital strategy to provide personalized, tailored advice to investors.
• Anytime, Anywhere. Today’s investors consume data and make decisions on-the-go. Firms looking to disrupt are providing access to various investment opportunities and investment strategies at any time, any place, on any device and across any channel.

Wealth Management firms have been monitoring these trends for a while, but thus far few have enhanced their digital experiences. The Wealth 2021 study revealed that less than half of investment firms feel prepared to ensure cyber security.
Despite this, providers have big plans to grow the use of technology.

They expect to grow the use of

• Telepresence and Collaboration by 68%,
• Web analytics and Sentiment Analysis by 77%,
• Artificial Intelligence by 128%.

Firms that do not adapt will be at a significant disadvantage. Those firms that learn to use new technologies to transform customer experiences may soon be able to surpass the competition and create their own market disruption.

On January 31, 2016, at 12pm EST Roubini ThoughtLab joins Cisco to discuss the elements of Digital Transformation in depth. We’ll look at key drivers of change, and how the local economy may shift with government transitions. Join us for this thought provoking and informative webinar!


Authors

Danny Vicente



There’s a lot of buzz around just now when it comes to supporting vendor-neutral data models at the device layer, so it’s a good time to talk about what Cisco is doing to support open models, and OpenConfig models in particular.

Customers have been rapidly adopting automation techniques to reduce the cost and increase the reliability of day-to-day network operations, and a whole sub-industry has grown up around the increasing number of data model-based interfaces presented by network devices, Slack rooms devoted to discussing network automation (consider signing up to networktocode if you haven’t already!), and so on. Equipment vendors are waking up to this new emphasis on automation, but are we just building the XML/JSON/GPB equivalent of our multiple CLI dialects? Or are we really getting to grips with model-driven manageability and programmability?

Cisco has a growing commitment to models, and developers can look at the models we are publishing for IOS-XR, IOS-XE and NX-OS. More than that, developers can also see the shift of emphasis towards open models, be they from the OpenConfig Group, the IETF or any other body that helps design and publish vendor-neutral data models that address customer/operator requirements. As part of that commitment, we are baking open models into the core of our manageability infrastructure across our platforms, so it is useful to look at how and what Cisco is doing, and what developers can already use to ease network automation day-to-day.

The reference architecture across our core IOS-XR, IOS-XE and NX-OS platforms is shown in the original post’s mapping diagram (image not reproduced here).

The overlay models Cisco is focusing on today are those from the OpenConfig Group, and in the most recent release of IOS-XR, 6.1.2, we have support for:

  • openconfig-bgp.yang:
    • openconfig-bgp-multiprotocol.yang
    • openconfig-bgp-operational.yang
    • openconfig-bgp-policy.yang
  • openconfig-interfaces.yang:
    • openconfig-if-aggregate.yang
    • openconfig-if-ethernet.yang
    • openconfig-if-ip.yang
  • openconfig-mpls.yang:
    • openconfig-mpls-igp.yang
    • openconfig-mpls-ldp.yang
    • openconfig-mpls-rsvp.yang
    • openconfig-mpls-sr.yang
    • openconfig-mpls-static.yang
    • openconfig-mpls-te.yang
  • openconfig-routing-policy.yang
  • openconfig-telemetry.yang
  • openconfig-vlan.yang

These models address both configuration and operational state, which is incredibly important as automation transitions from being mainly about configuring the network to actually operating it. The same models therefore describe the data traversing telemetry feeds relating to performance, routing changes and so on.
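As an added example (not code from the post or from Cisco), here is what a model-driven retrieval looks like from the client side: a NETCONF subtree filter that asks a device only for its openconfig-interfaces tree, and a parser that turns the reply into a table you can audit, flagging interfaces that are administratively enabled but not on an approved list. The rpc-reply below is constructed by hand in the shape such a reply takes; the interface names and descriptions are hypothetical. NETCONF runs over SSH (RFC 6242, TCP port 830), so unlike screen scraping a telnet CLI the retrieval is authenticated and encrypted; in a live session the same filter would be sent with ncclient via `manager.connect(...)` followed by `get_config(source="running", filter=("subtree", FILTER))`.

```python
"""Audit interface admin state from an OpenConfig NETCONF reply (added example)."""
import xml.etree.ElementTree as ET

NS = {
    "nc": "urn:ietf:params:xml:ns:netconf:base:1.0",   # NETCONF base (RFC 6241)
    "oc-if": "http://openconfig.net/yang/interfaces",   # openconfig-interfaces.yang
}

# Subtree filter that asks the device for the openconfig-interfaces tree only.
# With ncclient: m.get_config(source="running", filter=("subtree", FILTER)).
FILTER = '<interfaces xmlns="http://openconfig.net/yang/interfaces"/>'

# Constructed rpc-reply in the shape a NETCONF server returns for that filter.
# Interface names and descriptions are hypothetical. MgmtEth0/RP0/CPU0/0 omits
# <enabled>, which the model defaults to true.
SAMPLE_REPLY = """<rpc-reply xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" message-id="101">
  <data>
    <interfaces xmlns="http://openconfig.net/yang/interfaces">
      <interface>
        <name>GigabitEthernet0/0/0/0</name>
        <config>
          <name>GigabitEthernet0/0/0/0</name>
          <enabled>true</enabled>
          <description>uplink to core-1</description>
          <mtu>1514</mtu>
        </config>
      </interface>
      <interface>
        <name>GigabitEthernet0/0/0/1</name>
        <config>
          <name>GigabitEthernet0/0/0/1</name>
          <enabled>true</enabled>
        </config>
      </interface>
      <interface>
        <name>GigabitEthernet0/0/0/2</name>
        <config>
          <name>GigabitEthernet0/0/0/2</name>
          <enabled>false</enabled>
          <description>spare</description>
        </config>
      </interface>
      <interface>
        <name>MgmtEth0/RP0/CPU0/0</name>
        <config>
          <name>MgmtEth0/RP0/CPU0/0</name>
          <description>oob management</description>
        </config>
      </interface>
    </interfaces>
  </data>
</rpc-reply>"""


def parse_interfaces(reply_xml):
    """Map interface name -> {"enabled": bool, "description": str|None, "mtu": int|None}."""
    root = ET.fromstring(reply_xml)
    result = {}
    for intf in root.iterfind(".//oc-if:interfaces/oc-if:interface", NS):
        cfg = intf.find("oc-if:config", NS)
        if cfg is None:                      # list entry with no config container
            continue
        # A missing <enabled> leaf means "true" per the model's default.
        enabled = cfg.findtext("oc-if:enabled", default="true", namespaces=NS)
        mtu = cfg.findtext("oc-if:mtu", namespaces=NS)
        result[intf.findtext("oc-if:name", namespaces=NS)] = {
            "enabled": enabled.strip().lower() == "true",
            "description": cfg.findtext("oc-if:description", namespaces=NS),
            "mtu": int(mtu) if mtu else None,
        }
    return result


def audit_enabled(interfaces, approved):
    """Interfaces that are administratively up but not on the approved list."""
    return sorted(name for name, cfg in interfaces.items()
                  if cfg["enabled"] and name not in approved)


if __name__ == "__main__":
    intfs = parse_interfaces(SAMPLE_REPLY)
    approved = {"GigabitEthernet0/0/0/0", "MgmtEth0/RP0/CPU0/0"}
    print("enabled but not approved:", audit_enabled(intfs, approved))
```

The point of defaulting a missing `enabled` leaf to true rather than false is that the model itself does so: an interface whose config omits the leaf is still admin-up, and an audit that treated the absence as "disabled" would miss exactly the unused ports left open that such a check exists to catch.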

While coverage isn’t yet complete for these models, each new release broadens coverage, and, as we move into 2017, developers will also begin to see support for OpenConfig models on IOS-XE and NX-OS platforms, starting with the core set of models already supported on IOS-XR. Looking a little further ahead, Cisco is also looking at support for the expanding OpenConfig ecosystem, including openconfig-platform, openconfig-acl, openconfig-network-instance, openconfig-fib, openconfig-isis, and more over time.

We also realize that open models, by their very nature, represent commonality across multiple vendors and a focus on the use cases of the model authors, which the OpenConfig Group spells out on their home page:

“OpenConfig’s initial focus is on compiling a consistent set of vendor-neutral data models (written in YANG) based on actual operational needs from use cases and requirements from multiple network operators.”

You can listen to a deep-dive presentation on Open Network Management by Anees Shaikh, from Google, delivered at a Tech Field Day event Cisco sponsored last year.

So, while the current scope of OpenConfig models may address the needs of some customers, others have found that these models do not yet express the entirety of their configurations. To address this, Cisco is evaluating how to provide augmentations to OpenConfig models that cover features not all customers use, but which are nonetheless important. These augmentations would allow customers to work inside a single frame of reference as coverage is built out, rather than having to deal with a mix of OpenConfig models, native models and CLI.

With the growing support across the industry for open models and with their expanding coverage, we are lowering barriers to entry for those who wish to automate their networks. We are making it simpler to roll out config, to figure out what your devices are doing, and to collect data for analytics. While screen scraping is still a day-to-day reality, models are coming, and they are starting to make it easier to automate day-to-day operations!

To follow up on network automation, programmability, telemetry and more with XR and other Cisco platforms, take a look at the resources you can find on @xrdocs and Cisco’s Open Device Programmability site.

Authors

Einar Nilsen Nygaard

Principal Engineer, Engineering


One of your sales people, Susan, is on the road putting some finishing touches on a presentation before a big meeting. Using the hotel Wi-Fi she does a quick search to see if there’s any relevant company or industry news she needs to know about before meeting with the client. She clicks on several websites, gets the information she needs to make sure she’s current, and heads off to deliver the presentation.

After a great meeting Susan goes straight to the airport. With an hour to spare she decides to work on the proposal for the client and clicks on the airport’s Wi-Fi network. She connects to the corporate network to download the approved pricing information she needs from the server. She sees an email from her daughter and clicks on it quickly. It’s about a vacation they’ve been planning so she downloads the video tour of the resort to watch on the plane. Back at the office the next day, Susan connects to the corporate network and sets to work wrapping up the contract, eager to close the big deal.

Sounds like a typical scenario doesn’t it? It’s how business gets done in a digital world. But there’s more here than meets the eye. Every time Susan goes online, surfs the web, clicks on an email, downloads a file, connects to the corporate network, or accesses resources in the enterprise, she’s potentially exposing her laptop and the company to threats. How can you make sure she and your organization are protected?

Companies need to empower people to work from anywhere, using any device, and remain secure. This is why Cisco’s endpoint security strategy encompasses more than protection from advanced threats that target end-user devices. It also includes productivity to connect seamlessly and safely from anywhere, and security compliance so devices always stay compliant with an organization’s security policies as employees access the tools and data they need to get their jobs done – whenever and wherever they are.

Boost Productivity

Can your end users connect back to your enterprise securely from any device, at any time, from any location? In our scenario, whenever Susan connects to the corporate network from the road, whether finalizing pricing details or working on an order, she uses Cisco AnyConnect Mobility Solution for highly secure remote access, which provides an encrypted connection back to office resources and systems behind the firewall. Public Wi-Fi networks are notoriously insecure, but with her traffic encrypted between the laptop and the VPN gateway, nobody sharing the hotel or airport hotspot can read the details of the deal. She can enter the meeting with confidence that she is well prepared, and after the meeting can immediately work on processing the contract, making the best use of her time and a great impression on her customer.


Ensure Compliance

Making sure every device, corporate- or employee-owned, that connects to the network is compliant with an organization’s particular security policies is crucial. When Susan tries to access pricing information, it must be automatically confirmed that she is authorized to access that data – and is allowed to do so from that device. What’s more, you’ll want to know that the device has the necessary security, such as advanced malware protection and anti-virus, and that it is up to date. Naturally, you’ll want to confirm that the device hasn’t been infected before it can get onto the network. And if the device is running vulnerable software, making it an easier target for attacks, you’ll want to know that too. Cisco AnyConnect with Cisco Identity Services Engine (ISE) prevents non-compliant devices from accessing the network. The solution immediately conducts a posture assessment so you know who to allow on the network, where they can go, and what content they can access. Cisco Advanced Malware Protection (AMP) for Endpoints is built to integrate with ISE on the network; if AMP for Endpoints detects a compromised client, ISE can be used to restrict that client’s network access accordingly. This integrated approach mitigates the risk of threats to your network, high-value data, and other digital assets.

Strengthen Protection

There are plenty of points during the day where Susan could inadvertently introduce security risks to the business. If she is off the VPN and connects to the Internet directly, Cisco Umbrella and Umbrella Roaming deliver a first line of defense against infections by blocking connections to known-bad IP addresses, URLs and domains. Cisco Umbrella protects any device, on any port, and can be easily activated in AnyConnect. She is seamlessly protected from malware, phishing, and command-and-control callbacks. Complementing Cisco Umbrella, Cisco AMP for Endpoints provides protection on the endpoint itself. If Susan clicks on a site that has recently been infected with malware or attempts to download a malicious file, Cisco AMP for Endpoints stops these types of known and unknown attacks. It uses various detection methods including machine learning, advanced behavioral detection and fuzzy fingerprinting, our built-in Threat Grid sandbox, and leading Talos threat intelligence. If something does get in, AMP provides continuous monitoring and threat detection to quickly spot malicious behavior, and response capabilities to stop and remove threats wherever they are in the organization before damage can be done. Even if user devices do not have an AMP for Endpoints agent, AMP can tell you if the system is compromised. Cisco Cognitive Threat Analytics extends threat detection and protection to devices where AMP for Endpoints cannot be installed, like IoT-type devices and personal devices, by pinpointing unusual traffic before data can be exfiltrated.

There’s more than meets the eye when it comes to endpoint security. Antivirus or even endpoint detection and response solutions can’t do it alone. Adversaries are taking advantage of new business models, devices, and vulnerabilities to launch attacks. To truly be effective, endpoint security must enable productivity, compliance, and best-in-class protection with an integrated portfolio of solutions that work together.

Endpoint security is one of the three pillars in our portfolio of security solutions. The other two pillars are network security and cloud security. In each of these areas we’re focused on increasing security effectiveness with integrated threat defenses. Coming up I’ll share details on our network security strategy and how we continue to advance how customers can secure their networks with our Cisco Firepower NGFW as the platform.

Authors

Jason Lamar

Senior Director

Security Product Management Group


Recent cyber attacks on organizations around the world have demonstrated the need for consistency in managing security vulnerabilities. To answer that demand, the Industry Consortium for the Advancement of Security on the Internet (ICASI) and the Forum of Incident Response and Security Teams (FIRST) created the FIRST Vulnerability Coordination Special Interest Group (SIG). This is a collaboration among vendors, security researchers, product security incident response teams (PSIRTs), computer security incident response teams (CSIRTs), and other stakeholders in the incident response community. One of the goals for the Vulnerability Coordination SIG is to “develop and publish vulnerability coordination best practices, which include use cases or examples that describe scenario and disclosure paths”.

But the best way for this initiative to be successful is for those who live and breathe this work every day to provide insight. As such, the Vulnerability Coordination SIG has recently made available a provisional draft of the Guidelines and Practices for Multi-party Vulnerability Coordination for public comment. This paper was created in collaboration with the United States Department of Commerce National Telecommunications and Information Administration (NTIA), which also endorsed the effort.

The paper covers five different use cases describing different security vulnerability coordination scenarios. It also provides several guiding concepts and best practices for incident response teams (listed in an image in the original post, not reproduced here).

The draft of the paper is open to public comment through January 31, 2017. Comments should be submitted by email to vulcoord-sig-comments@first.org. After the comment period is closed, the Vulnerability Coordination SIG will revise the document and publish a final version.

As a matter of policy, Cisco takes security vulnerabilities very seriously and continues to take active measures to safeguard the security and reliability of our equipment. We maintain a very open relationship with the security research community and view this collaborative relationship as vital to helping protect our customers’ networks. Working with industry peers, security researchers, and incident response teams on cooperative efforts like the Vulnerability Coordination SIG enhances the way we collectively protect our customers while coordinating, disclosing and fixing security vulnerabilities.

Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations


2017 is officially here and it’s an exciting time to be in manufacturing. The industry is continuing to evolve as we see continued discussion around how to improve productivity, performance, and apply smarter analytics to improve overall operations. Manufacturing is also seeing a lot more focus on cybersecurity as more connectivity helps drive innovation, but potentially leads to more risk as industrial systems are now one of the most targeted sectors for attacks.

https://youtu.be/UKrL_Ke9lmc

At Cisco, we have explored many of these topics across several blogs from leading industry experts in manufacturing. This month we are going to elevate things to the next level as we begin a monthly Factory of the Future webinar series. These events will be a mix of Cisco and industry manufacturing experts discussing topics such as cyber threats, secure manufacturing, and IT/OT convergence in the connected factory.

A full list of the topics, speakers, and registration can be found here. All webinars will begin at 11AM EST and will be available on demand if you are unable to attend the live sessions. We will continue to add more topics throughout the year, so be on the lookout for additions to the series.

We hope you will join us and we welcome any feedback on topics you would like to see us cover in this series. Please let us know in the comment section below or tweet us @ciscomfg.

Authors

Eric Ehlers



Converged Infrastructure featuring all-flash storage offers the promise of ease of use, faster performance, and better ROI. This is particularly true in the SAP world, where the ability to rapidly access and process critical data can have a huge impact on one’s business.

We understand this quite well because at Cisco we run our own business on SAP, and use in-memory HANA-based analytics to deliver real-time insights every day to our various lines of business. In fact, the first reference architecture for Big Data and SAP HANA Vora is just one of our many co-innovations with SAP, and we couldn’t be more pleased with the business improvements it has helped us achieve.

Our latest innovation to help SAP users gain maximum benefit from their data center investment is FlashStack for SAP HANA, a joint all-flash solution from Cisco and Pure Storage. If you’re reading this blog, you are almost certainly familiar with Pure Storage. But you may not know that Gartner identifies Pure Storage as one of the highest rated flash storage providers (“2016 Gartner Magic Quadrant for Solid-State Arrays”).

Characterizing Cisco as “the pioneer of converged infrastructure,” Pure Storage CEO Scott Dietzen noted that the release of FlashStack is part of Pure’s expanded relationship with Cisco, and in an interview with ChannelBuzz said FlashStack is an important element of “an environment that augurs a bright future for Pure.”

So what is FlashStack and what can it do for your SAP environment?

FlashStack combines compute, network, storage hardware and virtualization software into a single, integrated all-flash architecture that:

  • Speeds time to deployment – Fully tested, validated, and documented for rapid deployment and reduced management complexity.
  • Lowers overall IT costs – Dramatic savings in power, cooling, and space with 100% flash storage.
  • Scales easily without disruption – Consolidate hundreds of enterprise-class applications in a single rack.
  • Delivers flexibility to support your most intensive workloads – Suitable for enterprise applications such as SAP, Big Data and real-time analytics, and heavy transactional databases.
  • Reduces operational risk – Highly available architecture with no single point of failure, non-disruptive operations, and no downtime.

To make integration of FlashStack within your SAP data center as simple as possible, especially in SAP Tailored Datacenter Integration landscapes, Cisco and Pure collaborated on a new Cisco Validated Design for FlashStack for SAP HANA TDI.

If you are interested in implementing an all-flash solution for SAP, please follow the link above for a faster, more reliable, fully predictable deployment.

Authors

Brian Ferrar

Enterprise Marketing Manager

UCS & Data Center


This blog post was authored by Veronica Valeros and Lukas Machlica

Malicious actors are constantly evolving their techniques in order to evade detection. It is not only the sophistication or the rapid pace of change that is challenging us as defenders, but the scale of attacks. With the continuous flood of threats that we are facing, detection is just the first step. In order to keep our organizations healthy, prioritizing threats is key.

Figure 1: Cognitive Threat Analytics (CTA) Health Status Dashboard shows which threats require immediate action from incident responders. Prioritization has become key for keeping our organizations healthy.

In our previous blog, Cognitive Threat Analytics: Turn Your Proxy Into Security Device, we showed how CTA detects breaches and malware that already bypassed the security perimeter of our organizations. Detecting the malicious traffic alone is not enough. Organizations need to understand the context in order to effectively prioritize and remediate those incidents. And when it comes to remediating security breaches, time is of the essence.

In this blog post we present how we improved CTA threat classification, which is now able to communicate the intent of every new finding by incorporating an extra layer of intelligence into the CTA detection chain [1]. CTA can now automatically classify and prioritize malicious traffic into specific threat categories, from banking trojans, click fraud and malware distribution to ad injectors, money scams and malicious advertising campaigns. This post explores how we build a reliable training set in a big data environment, how we use it to train a new decision forest classifier, and how we created a learning loop that led to a significant increase in the number of detections.

The cornerstone: building a reliable training set

CTA processes billions of HTTP & HTTPS requests every day. We extract feature vectors, and use them to build the training set for the classifiers. However, three major issues arise when working with this huge amount of data:

  1. Unbalanced ratio of malicious and benign requests: in network security the number of benign requests significantly surpasses the number of malicious requests.
  2. Computational costs: the computational horse power required for analyzing billions of requests becomes extremely expensive.
  3. Scarce labels: network data cannot be fully labeled; only a small portion of requests can be labeled.

To deal with the first two issues, we need to reduce the amount of data in a way that makes the final dataset more balanced and reduces the computational cost. A dataset is considered balanced when, in this context, it contains a similar number of malicious and benign requests. To achieve this we take advantage of the Anomaly Detection Layer in CTA [1]. The Anomaly Detection Layer can be seen as a clever sampling tool capable of filtering out most of the ordinary traffic, as illustrated in Figure 2. Using this component we are able to drastically reduce the input data and keep only a small percentage of the most interesting and important requests, which leads to a more balanced ratio of malicious and benign requests. The anomalous requests are also much more likely to lie in the classification-relevant part of the feature space, leading to well defined decision borders, which will be discussed later.
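As an added example (not CTA’s code), the sampling step above in miniature: a rarity-based scorer over a constructed proxy log, standing in for the anomaly-detection layer, followed by selection of the top-scoring requests. The hosts, paths and user agents are invented; the `is_malicious` flag is only used to measure how the class balance changes and is never seen by the scorer.

```python
"""Rarity-based anomaly scoring as a sampler for an imbalanced request log (added example)."""
import math
from collections import Counter


def build_log():
    """Constructed proxy log of (host, path, user_agent, is_malicious) tuples."""
    log = []
    for i in range(1000):                        # ordinary browsing, 10 hosts, 20 paths, 2 UAs
        log.append((f"site{i % 10}.example", f"/page{i % 20}", f"Browser/{i % 2}", False))
    for i in range(10):                          # rare but benign, e.g. one-off CDN hosts
        log.append((f"cdn{i}.example", "/page0", "Browser/0", False))
    for i in range(5):                           # malware beacons: unique host and path, odd UA
        log.append((f"c2-{i}.invalid", f"/gate{i}.php", "Mozilla/4.0 (old)", True))
    return log


def anomaly_scores(log):
    """Score each request by the summed rarity (-log p) of its host, path and UA.

    A crude stand-in for CTA's anomaly-detection layer: values seen in most
    requests score near zero, values seen once score about log(N)."""
    n = len(log)
    hosts = Counter(r[0] for r in log)
    paths = Counter(r[1] for r in log)
    agents = Counter(r[2] for r in log)
    return [-math.log(hosts[h] / n) - math.log(paths[p] / n) - math.log(agents[a] / n)
            for h, p, a, _ in log]


def sample_most_anomalous(log, keep):
    """Keep the `keep` highest-scoring requests: the balancing step."""
    scored = sorted(zip(anomaly_scores(log), log), key=lambda t: t[0], reverse=True)
    return [r for _, r in scored[:keep]]


def malicious_ratio(requests):
    return sum(1 for r in requests if r[3]) / len(requests)


if __name__ == "__main__":
    log = build_log()
    kept = sample_most_anomalous(log, keep=15)
    print(f"before: {malicious_ratio(log):.2%} malicious of {len(log)} requests")
    print(f"after:  {malicious_ratio(kept):.2%} malicious of {len(kept)} requests")
```

The kept set is not purely malicious: the benign one-off CDN hosts survive the filter too, which is exactly the point of the post’s next paragraph on why those unlabeled anomalous samples still need to be handled at training time.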

Figure 2: Filtering of the input data (telemetry). Only the most anomalous traffic is kept based on the anomaly score provided by the anomaly detection layer, reducing and balancing the remaining data.

The third issue has a direct impact on the precision of the resulting classifier. Since network data cannot be fully labeled, we can only tell with certainty what is malicious and what is benign for a small portion of requests, which we call samples. How do we solve this? Typical methods use only labeled data for training. While these approaches can perform well on the labeled dataset, the performance often does not hold when classifying the full unlabeled telemetry, because the resulting decision boundaries are weak, as illustrated in Figure 3. In order to have a diverse background training set, we also include the unlabeled samples in the training. While this approach may lower the recall of the classifier, it results in stronger decision boundaries and significantly boosts the precision of detections.

Figure 3: Feature space. Green and red circles represent labeled legitimate and malicious samples, while blue and yellow are legitimate and malicious but yet unlabeled samples. First image (a) depicts the decision borders if only the labeled samples are used for the training. Once the unlabeled samples are included (b), the decision boundaries are found to be inaccurate, therefore the precision of the classifier decreases. If we use also the unlabeled samples for the training, we get much stronger decision boundaries yielding high precision of the detection (c).

As we mentioned above, we use all the labeled data available and the full unlabeled data for training. Where do we get the set of labeled malicious samples? We use the Confirmed Threats provided by the third layer of CTA: the relationship modeling layer [1]. This layer correlates information across our global intelligence in order to find common attack patterns and malware behaviors in different organizations. Each confirmed threat is assigned a specific malware category and a risk score, which are then used as training data. We will get back to this in the learning loop.

Superforest, a special multi-class classifier

Decision forests are ensembles of many decision trees in which the final decision of the forest is given by a vote of the individual trees (see Figure 4 for an example of a single tree). To improve the robustness, precision and generalization performance of the classifier, we use the random forest variant, in which each tree is trained on a bootstrap sample of the data and considers a random subset of features at each split. As a binary classifier (malicious vs. legitimate), random forests are already deployed in the CTA Event Classification layer [1] for classifying general communication patterns such as DGA and other C&C behaviors.

Figure 4: Example of a decision tree with depth 5. The tree is traversed from the root node (brown circle) down to a leaf node (green circle). Decision path is depicted by full circles. The classification is given by the class with majority of samples that end up in the leaf node during the training phase.

The Superforest classifier is a special type of multi-class classifier. Three key characteristics distinguish it from the previous ones:

  • Different training strategy: instead of training multiple binary classifiers for each type of malware, we train only one model, i.e. the multi-class random forests.
  • Size of training samples: while previous versions of classifiers were trained on hundreds of thousands of samples, for this we used tens of millions of samples to boost the performance of the classifier.
  • Depth of the trees: the size of the training data set impacts the depth of the trees leading to significant increases in the number of nodes per tree from hundreds to tens of thousands.
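As an added example (not CTA’s Superforest, which trains on tens of millions of real samples), the two ideas from this section and the earlier one on building the training set, in one small experiment: a multi-class random forest, hand-rolled here in plain Python so it runs without any library, trained once on labeled samples only and once with unlabeled samples added under a separate "background" class. The feature vectors are constructed two-dimensional clusters; the class names and the unlabeled cluster of benign-but-unusual traffic are hypothetical.

```python
"""Multi-class random forest with unlabeled "background" samples (added example)."""
import random
from collections import Counter

MALICIOUS = {"banking_trojan", "click_fraud"}   # hypothetical threat categories


def cluster(cx, cy, label, n):
    """n constructed 2-D feature vectors around (cx, cy); offsets cycle through a
    fixed pattern so train and test sets cover exactly the same spread."""
    return [((cx + (i % 7 - 3) * 0.1, cy + ((3 * i) % 7 - 3) * 0.1), label)
            for i in range(n)]


def make_data(n):
    labeled = (cluster(2, 2, "legit", n) + cluster(8, 2, "click_fraud", n)
               + cluster(8, 8, "banking_trojan", n))
    # Unusual-looking but benign traffic that nobody has labeled yet.
    unlabeled = cluster(8, 5, "legit", n)
    return labeled, unlabeled


def gini(labels):
    n = len(labels)
    return 1.0 - sum((c / n) ** 2 for c in Counter(labels).values())


def best_split(rows, feats):
    """Exhaustive threshold search over the given features; returns (f, thr, score)."""
    best = (None, None, float("inf"))
    for f in feats:
        for thr in sorted({x[f] for x, _ in rows}):
            left = [y for x, y in rows if x[f] <= thr]
            right = [y for x, y in rows if x[f] > thr]
            if not left or not right:
                continue
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if score < best[2]:
                best = (f, thr, score)
    return best


def grow(rows, depth, n_feats, rng):
    labels = [y for _, y in rows]
    if depth == 0 or len(set(labels)) == 1:
        return Counter(labels).most_common(1)[0][0]        # leaf: majority class
    f, thr, _ = best_split(rows, rng.sample(range(len(rows[0][0])), n_feats))
    if f is None:
        return Counter(labels).most_common(1)[0][0]
    left = [r for r in rows if r[0][f] <= thr]
    right = [r for r in rows if r[0][f] > thr]
    return (f, thr, grow(left, depth - 1, n_feats, rng), grow(right, depth - 1, n_feats, rng))


def predict_tree(node, x):
    while isinstance(node, tuple):
        f, thr, left, right = node
        node = left if x[f] <= thr else right
    return node


class RandomForest:
    """Bootstrap-sampled trees voting by majority; one model for all classes."""

    def __init__(self, n_trees=25, depth=6, n_feats=2, seed=1):
        self.n_trees, self.depth, self.n_feats = n_trees, depth, n_feats
        self.rng = random.Random(seed)
        self.trees = []

    def fit(self, rows):
        self.trees = [grow([self.rng.choice(rows) for _ in rows], self.depth, self.n_feats, self.rng)
                      for _ in range(self.n_trees)]

    def predict(self, x):
        return Counter(predict_tree(t, x) for t in self.trees).most_common(1)[0][0]


def precision_recall(model, test):
    """Precision and recall of the binary question 'is this malicious?'."""
    tp = fp = fn = 0
    for x, truth in test:
        pred_mal, true_mal = model.predict(x) in MALICIOUS, truth in MALICIOUS
        tp += pred_mal and true_mal
        fp += pred_mal and not true_mal
        fn += true_mal and not pred_mal
    return tp / (tp + fp), tp / (tp + fn)


def run_experiment():
    labeled, unlabeled = make_data(35)
    test_labeled, test_unlabeled = make_data(14)
    test = test_labeled + test_unlabeled
    only = RandomForest()
    only.fit(labeled)
    # Unlabeled samples join the training set under a separate "background" class.
    both = RandomForest()
    both.fit(labeled + [(x, "background") for x, _ in unlabeled])
    return {"labeled_only": precision_recall(only, test),
            "with_unlabeled": precision_recall(both, test)}


if __name__ == "__main__":
    for name, (p, r) in run_experiment().items():
        print(f"{name:15s} precision={p:.2f} recall={r:.2f}")
```

Trained on labeled samples only, the forest has never seen anything between the click-fraud and banking-trojan clusters, so the unlabeled benign traffic that lands there is voted malicious and precision drops to about two thirds; with the same traffic present as a background class the boundary tightens and precision goes to 1.0. Recall stays at 1.0 here only because the constructed clusters are cleanly separable; in real telemetry some malicious requests hide inside the unlabeled background and are learned as benign, which is the recall trade-off the post describes.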

As we mentioned in the beginning, detecting malicious incidents alone is no longer enough. The Superforest classifier is able to classify new incidents with a deeper level of detail, which is extremely valuable when it comes to prioritizing incidents, and using this information to remediate threats in an organization. Figure 5 exemplifies the benefits of such classifier.

Figure 5: The anomaly detection layer is able to distinguish anomalous from ordinary traffic (a). Conventional classifiers can go further and group malicious behaviors by common characteristics, such as the ones depicted in (b). The Superforest classifier is able to provide even more detailed information about each detection (c), which is extremely valuable when prioritizing and remediating threats.

One step further: a learning loop

The learning loop is where all these pieces fit together. The Superforest and the other classifiers in the CTA Event Classification Layer [1] produce novel detections. The next layer, Relationship Modeling [1], correlates these new findings, increasing the number of Confirmed Threats. As mentioned before, Confirmed Threats are used to train the classifiers, so each increase in Confirmed Threats enlarges the training data and raises the recall of the Superforest classifier every time it is retrained. The learning loop is depicted in Figure 6.

Figure 6: Classification and learning loop.

A boost in performance

In order to demonstrate the power of the enhanced CTA Event Classification layer, we tracked the performance of the learning loop for three weeks. Precision of the classification was higher than 95% in all cases. Figure 7 depicts a click-fraud example where the yellow area shows the number of incidents per day given by the Relationship Modeling layer and the blue area represents the number of incidents per day produced by the learning loop and the Superforest classifier.

Figure 7: The figure depicts the number of incidents per day given by relationship modeling (yellow) and by the whole classification loop with the deployed Superforest classifier (blue). We observe a significant increase in detections (doubled or even tripled in some cases) over the whole observed timeline. Note that the significant drops in the number of detections are due to weekends.

Conclusion

The number of threats organizations have to deal with presents a challenge, both for organizations and for security solutions. Identifying malicious traffic is table stakes; context is needed so organizations can prioritize incidents, take action and reduce the potential damage caused by these threats. The Superforest multi-class classifier leverages both labeled and unlabeled data to classify incidents with a high level of detail. This approach is only possible with a good set of training data, which means solving three key issues: imbalance of data, computational costs and scarce labels. Cognitive Threat Analytics goes further, joining all the pieces together in a learning loop that improves itself over time, boosting the performance of the detections.

Where to go next

To request a free evaluation that will uncover command and control communications lurking in your environment, visit: https://cognitive.cisco.com/

Read more about Cognitive Threat Analytics research:

Watch more about CTA as part of Cisco Security solutions:


Authors

Veronica Valeros

Lead Threat Researcher

Cognitive Threat Analytics


The Cisco Product Security Incident Response Team (PSIRT) is now scoring all security advisories addressing security vulnerabilities that affect Cisco products and multivendor vulnerability alerts using the Common Vulnerability Scoring System version 3 (CVSSv3).

The stakeholders at the Forum of Incident Response and Security Teams (FIRST) have done a great job in this new version to address some of the challenges we faced with its predecessor (CVSSv2). The new enhancements allow incident response, IT security, and cyber security teams to analyze the impact of security vulnerabilities to determine the urgency of response. CVSSv3 analyzes the scope of a vulnerability and identifies the privileges an attacker needs to exploit it. The new changes introduced in CVSSv3 allow vendors, such as Cisco, to better analyze security vulnerability impact.

The following figure illustrates the CVSSv3 score in a Cisco Security Advisory:

advisory


Cisco adopted a Security Impact Rating (SIR) in 2015, which uses basically the same scale as the new CVSSv3 qualitative severity rating scale. The scale is described in the following table:

Table 1. SIR and CVSSv3 Qualitative Severity Rating Scale


The following figure highlights the SIR in the same Cisco Security Advisory:

advisory sir

Cisco is also using CVSSv3 in all multivendor vulnerability alerts, as shown in the following figure:

alert cvssv3

Cisco also updated its CVSS calculator to support CVSSv3, as illustrated by the following figure:

cvssv3 calculator

Cisco PSIRT will continue to adapt to enable our customers to quickly assess and mitigate any risks in their networks. To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Authors

Omar Santos

Distinguished Engineer

Cisco Product Security Incident Response Team (PSIRT) Security Research and Operations


Who’s your audience – millennials or unicorns?

Of course, the answer is neither, because neither exist.

It’s pretty much impossible to define what a millennial is – try it, Google has plenty of results. It’s become a shorthand term for the stage in life somewhere between skateboards and mortgages, between saving up for your first smartphone and saving up for your kids’ college education. It’s such a broad term that it’s almost meaningless.

So in a world of increasing fragmentation and improving analytics, we owe it to our audiences to know and understand them better.

It’s time to move away from broad strokes and instead, look at what actually happens to our audiences as they transition – sometimes quickly – from one life stage to another. And, in doing so, look at what we need to do to give them the content they want at each stage, how and when they want it.

Critically, we also need to learn how to grow with them and keep their loyalty.


One of the key things about change is that it requires flexibility. Service Providers need to be flexible to make sure they remain relevant to the audiences that have grown up with their content.

They need to ensure that they can provide the right kind of service that keeps pace with their audience’s changes:

  • in location, as they transition from their home, to shared living, to their own home;
  • in time, as they move from being children to being parents; and
  • financially, as pocket money becomes salary.

At Cisco we know change. We’ve been driving change for so long it’s part of our DNA.

Our Infinite Video Platform gives our customers the flexibility to offer all kinds of video services, from linear to VoD, from catch-up to time shift, and across all platforms – broadcast, IP, Cable and OTT. We make sure that as your audience changes, your service can be a constant. By staying relevant to your audience, you can keep your audience.

Don’t be left on the playroom floor.

To see more about this particular audience demographic check out this new infographic, or click to find out more about the Infinite Video Platform.


Authors

Adam Davies

Technical Leader, Engineering

Service Provider, Video Solutions