Take back control with an integrated security platform
In a makeshift SOC in the corner of his home, Matt starts his day with an alarm going off on his computer. There are four monitors ganged together, multiple consoles on each one of them, and numerous empty coffee mugs. This is probably a familiar snapshot for many of us. On top of the never-ending list of alerts in his inbox every morning, he is building playbooks, threat hunting, scanning news for the latest attack updates, and investigating alerts. Coffee stopped working a couple of hours ago. Matt wishes he had more time in the day... and it's only 9 AM.
Imagine if Matt started his morning by simply reviewing the work that already took place through scheduled or event-based automation. The orchestration would simply happen in the background, dramatically reducing the friction and repetition in his processes, saving time, and lowering ongoing costs. Attempting to counter attacks with manual processes is like fighting a losing battle against relentlessly active adversaries. With attackers automating their offense, security teams must do the same for a stronger defense powered by an integrated security platform.
Cisco SecureX maximizes efficiency
It’s been almost a year since we announced the Cisco SecureX platform at RSA 2020. You don’t need me to tell you it’s been quite a journey since then. We had no idea, however, of the rigor of the tests that SecureX would get before it even turned a year old. With SecureX, we reimagined how security enabled your business — the need to consolidate functionality, simplify operations, and develop an open platform that would work with customers’ existing environments.
Getting started with security orchestration and automation
In my last blog, I spoke about the advantages of using orchestration and how it can maximize operational efficiency. SecureX orchestration is a workflow automation feature of our platform that enables you to define workflows to replace your typical security processes: the automation steps (activities), the logic or flow between these steps, and how data flows from one step to the next. With Cisco SecureX, you can leverage Cisco and third-party systems, applications, databases, and network devices in your environment to create these workflows. The platform includes full multi-domain orchestration with a no/low-code approach and an intuitive drag-and-drop canvas to deliver a high-performance, scalable playbook automation capability.
Let’s talk about two important use cases that present opportunities for automation in your environment. Both workflows are especially relevant today, with an uptick in phishing scams during the current global pandemic and the recent SolarWinds supply chain attack.
1) Maneuvering the SolarWinds attacks with an integrated approach
Cyberattacks targeting the software supply chain have been on the rise. Since the discovery of the SolarWinds supply chain attack in early December, some security teams are scrambling to assess the impact, while others are revisiting their risk management practices and incident response playbooks. On the bright side, the SolarWinds attack may be a catalyst for transformation in your organization. As the industry comes to terms with the scope of the SolarWinds Orion / Sunburst backdoor cyberattack and associated breaches, our team has taken steps to help customers who may have been impacted. While the story continues to evolve, customers want to understand immediate risks to their business, how to recover if they have been breached, and what they can do to improve their security posture in the future. Here is how you can maneuver the SolarWinds attacks with an integrated approach.
The SolarWinds supply chain attack workflow is designed to conduct an automated investigation based on the content of a Talos SolarWinds threat advisory blog post. The workflow starts by using the blog post as a source for observables, and then SecureX threat response determines which of those observables are worth digging into. Since SecureX is being used to investigate, the results of the workflow are tailored to each customer's environment and telemetry from their integrated products. When the investigation is complete, you can document the findings in a SecureX threat response casebook and incident manager, create a ServiceNow incident ticket, and send notifications using Webex Teams, Slack, and email. The workflow also has an option to create an approval task that, upon approval, sets off automated remediation for non-clean observables. You can automate security workflows that are reactive to network and system states. And with playbooks that execute at machine speed, customers can reduce research and response time while also improving precision with less overhead.
“If you want to know the impact of the Orion malware, it will say, ‘Hey, I have this webpage showing me indicators of compromise with SecureX,’ I basically get a button within my browser and I say, whatever is on this page, check it against my live environment.”
— Wouter Hindriks, Technical Team Lead Network & Security at Missing Piece BV
Explore our rapid response webpage to see how Cisco is moving forward after the SolarWinds breach, and understand how the SecureX platform approach can reduce dwell time for infrastructure attacks.
2) Automate Phishing investigations and remediation
Phishing emails are not a new type of threat to most security professionals, but dealing with their growing volume and potential impact requires an innovative solution. The SecureX platform now supports a sample workflow for phishing that can help you accelerate investigation of, and response to, phishing-based email threats in your environment. By shortening the investigation timeline through security automation, your team can ensure that they're not wasting valuable cycles performing repetitive, manual tasks.
This workflow is designed to be triggered by an email arriving in a phishing investigation mailbox. When an email is received, the workflow investigates its attachments and attempts to determine whether anything in the email (or its attachments) is suspicious or malicious. This accelerates threat hunting and incident management. If anything suspicious or malicious is found, the user who submitted the email is told to delete it. A SecureX threat response casebook and incident are also created, and notifications are sent via Webex Teams and email. This powerful workflow simplifies the complexity of handling phishing attempts, providing mailbox monitoring for incoming phishing reports.
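As an added illustration (not code from Cisco or from the SecureX sample workflows), here is a stripped-down Python model of the pattern the SolarWinds and phishing workflows above share: pull observables out of a text source, enrich them against local verdicts, gate remediation behind an approval step, and decide whether a reported email warrants telling the user to delete it and opening a case. The advisory text, verdict table and reports are constructed stand-ins; SecureX threat response itself is not called.

```python
import re

SAMPLE_HASH = "ab12" * 16  # constructed SHA256-shaped value, not a real indicator

# Constructed advisory text standing in for the Talos blog post the workflow reads.
ADVISORY = f"""
Observed C2 domain avsvmcloud.example contacting 198.51.100.23 over HTTPS.
Trojanized DLL SHA256: {SAMPLE_HASH}
Benign reference in the write-up: cisco.com
"""

# Constructed verdict source standing in for SecureX threat response plus the
# customer's own telemetry; anything absent here is "Unknown" to this environment.
LOCAL_VERDICTS = {
    "avsvmcloud.example": "Malicious",
    "198.51.100.23": "Suspicious",
    SAMPLE_HASH: "Malicious",
    "cisco.com": "Clean",
}

# Order matters: hashes and IPs are matched before the broader domain pattern.
OBSERVABLE_PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]
NON_CLEAN = {"Malicious", "Suspicious"}

def extract_observables(text):
    """Return (kind, value) pairs in first-seen order, de-duplicated by value."""
    seen, found = set(), []
    for kind, pattern in OBSERVABLE_PATTERNS:
        for value in pattern.findall(text):
            if value.lower() not in seen:
                seen.add(value.lower())
                found.append((kind, value.lower()))
    return found

def investigate(text, verdicts):
    """Enrich each observable with the local verdict, so results reflect this telemetry."""
    return {v: (kind, verdicts.get(v, "Unknown")) for kind, v in extract_observables(text)}

def remediation_targets(findings, approved):
    """Non-clean observables reach remediation only after the approval task is granted."""
    if not approved:
        return []
    return sorted(v for v, (_, verdict) in findings.items() if verdict in NON_CLEAN)

def triage_phishing_report(report, verdicts):
    """Mailbox-triggered triage: check body and attachment hashes, then decide on actions."""
    text = report["body"] + " " + " ".join(report["attachment_sha256"])
    findings = investigate(text, verdicts)
    hit = any(verdict in NON_CLEAN for _, verdict in findings.values())
    return {"reporter": report["reporter"], "tell_user_to_delete": hit,
            "open_case": hit, "findings": findings}
```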
Next steps: Getting started with SecureX
Security orchestration between multiple technologies creates opportunities for automation that are critical for success in the modern threat landscape. Now Matt can get a head start with pre-built sample workflows aligned to common use cases that eliminate friction in his processes and automate routine tasks.
Set SecureX up in minutes and see the benefits almost immediately! Get Simplicity. Visibility. Efficiency today. If you are new to Cisco, explore our portfolio to start a trial. Already a Cisco Secure customer and want to learn more? Watch a quick SecureX demo and explore additional workflows on GitHub.
More resources:
- Orchestration links
- SecureX webpage
- SecureX orchestration documentation
- SecureX orchestration GitHub link
- SolarWinds workflow docs
- Phishing workflow docs