Jeff Bollinger

CSIRT Manager

Infosec CSIRT

Jeff Bollinger joined Cisco Systems in 2002 supporting Cisco's security technologies and solutions for SMB and enterprise customers. In 2006 Jeff moved to the Computer Security Incident Response Team (CSIRT) and rapidly developed its global security monitoring and incident response capabilities. Specialising in investigations and intrusion detection, Jeff built one of the largest Cisco IPS networks in the world as well as an enterprise-class secure web proxy architecture. His recent efforts include log mining and optimisation, threat research, and security investigations.

Articles

January 15, 2020

SECURITY

Disk Image Deception

11 min read

Cisco's Computer Security Incident Response Team (CSIRT) detected a large and ongoing malspam campaign leveraging the .IMG file extension to bypass automated malware analysis tools and infect machines with a variety of Remote Access Trojans. During our investigation, we observed multiple tactics, techniques, and procedures (TTPs) that defenders can monitor for in their environments. Our incident response and security monitoring team's analysis on a suspicious phishing attack uncovered some helpful improvements in our detection capabilities and timing.

May 12, 2019

SECURITY

Cisco Security First: Focusing on the Issues of Incident Response and Security Teams

2 min read

Cisco CSIRT is a global team of information security professionals responsible for the 24/7 monitoring, investigation and response to cybersecurity incidents for Cisco-owned businesses. CSIRT engages in proactive threat assessment,...

February 9, 2018

SECURITY

Cisco Hosting Amsterdam 2018 FIRST Technical Colloquium

2 min read

We would like to announce a “Save the Date” and “Call for Speakers” for the FIRST Amsterdam Technical Colloquium (TC) 2018.

August 7, 2017

SECURITY

Open Source Threat Intel: GOSINT

2 min read

It’s our pleasure to announce the public availability of GOSINT – the open source intelligence gathering and processing framework. GOSINT allows a security analyst to collect and standardize structured and unstructured threat intelligence. Applying threat intelligence to security operations enriches alert data with additional confidence, context, and co-occurrence. This means that you are applying research […]

February 27, 2015

SECURITY

Cisco Hosting Amsterdam 2015 FIRST Technical Colloquium

1 min read

Registration is now open for the upcoming FIRST Technical Colloquium May 4-6, 2015 at Cisco Systems in Amsterdam, Netherlands. Please contact us at amsterdam-tc@first.org for any questions. The event already has an exciting preliminary program covering: Attacks Against Cloud Server Honeypots; Emerging Threats – The State of Cyber Security; Cisco IOS and IOS-XE Integrity Assurance […]

December 3, 2013

SECURITY

Operational Security Intelligence

7 min read

Security intelligence, threat intelligence, cyber threat intelligence, or “intel” for short is a popular topic these days in the Infosec world. It seems everyone has a feed of “bad” IP addresses and hostnames they want to sell you, or share. This is an encouraging trend in that it indicates the security industry is attempting to […]

October 24, 2013

SECURITY

To SIEM or Not to SIEM? Part II

10 min read

The Great Correlate Debate: SIEMs have been pitched in the past as "correlation engines" and their special algorithms can take in volumes of logs and filter everything down to just...

October 22, 2013

SECURITY

To SIEM or Not to SIEM? Part I

7 min read

Security information and event management systems (SIEM, or sometimes SEIM) are intended to be the glue between an organization's various security tools. Security and other event log sources export their...

October 3, 2013

SECURITY

Big Security—Mining Mountains of Log Data to Find Bad Stuff

4 min read

Your network, servers, and a horde of laptops have been hacked. You might suspect it, or you might think it’s not possible, but it’s happened already. What’s your next move? The dilemma of the “next move” is that you can only discover an attack either as it’s happening, or after it’s already happened. In most […]