Part 2: Visibility to detect and stop threats fast

In my last post, we explored how a firewall should be using top-notch threat intelligence, sound security policy, and features like intrusion prevention to pre-emptively stop threats before they can embed themselves in your network. These preventive security measures can usually stop 99% of threats encountered in the wild.

But it only takes one successful attack to make you tomorrow’s headline news. What if an attacker, or extremely sophisticated malware, manages to creep inside your network, sight unseen?

The biggest newsworthy breaches have been situations where the attackers infiltrated an organization’s ecosystem, and then operated freely for years undetected. The affected organizations had no idea they were there. This is because many network and security teams struggle with achieving sufficient visibility into threat activity. They aren’t sure if their security tools are showing them the full picture. Without exceptional visibility, they can’t detect and eliminate active threats fast enough before damage is done.

Have you asked how your firewall can help?

In part #2 of this blog series, let’s explore how a Cisco Next-Generation Firewall (NGFW), as a core component of your security defenses, can provide exceptional visibility to detect and stop threats fast.

Broad and deep visibility – see the forest and the trees

Good visibility starts with having more eyes watching more places across your extended network. Why? Because threats can reach you through multiple attack vectors: network, endpoint, web, email, and so on. The more areas you watch, the more likely you’ll be able to quickly thwart an attack.

That’s why Cisco NGFWs give you visibility into telemetry and potentially malicious file activity across users, hosts, networks, and infrastructure. The Cisco NGFW, especially when tapped into the resources of the broader Cisco Security ecosystem of products, shows users, application protocols, file transfers, web applications, active threats across command and control servers, operating systems, routers and switches, network servers, client applications, mobile devices, and more.

Using screenshots from the Firepower Management Center (FMC), one of the management options available for Cisco NGFWs, you can quickly see information to conduct thorough, fast investigations of potential threats.

With “indications of compromise” (Figure 1), the firewall has detected behavioral evidence that certain hosts may be infected, prioritizes the most likely candidates, and presents them to the administrator. This is a great place for the security team to “click-in” and start an investigation.

Under “Network Information” and “Operating Systems” (Figure 1), the Cisco NGFW passively detects operating systems (no endpoint agents needed) running on the network. It shows that some devices are running Windows XP on the network. An old operating system with more vulnerabilities is a risk and you can quickly drill down to identify the devices and make decisions to upgrade or decommission them.

Figure 1 – Indications of Compromise and Network Information

The application protocol menu (Figure 2) shows applications running on the network, allowing you to make decisions about what controls to put in place. The Cisco NGFW is able to rank applications by risk and business relevance to make the process of reducing risk from applications quick and easy. If an application has a high level of risk and low business relevance, it may be a good candidate to block. A double-click on any application in the pie chart lets you see more information for each application.

Figure 2 – Application Protocol Information

Cisco NGFW also comes with integrated sandboxing technology powered by Threat Grid (Figure 3) that analyzes files and suspicious behavior across your environment against millions of samples and billions of malware artifacts. Your security teams are provided with an explanation of the type of malware, what it’s doing, and how large a threat it poses to your organization—all written in plain English. The security team can even safely interact with malware samples to observe behavior directly. All of this allows your team to understand and respond to threats faster.

Figure 3 – Dynamic Malware Analysis

Continuous analysis is always watching

Visibility cannot just be snapshots of file activity at a single point-in-time. Visibility must be continuous and fluid, always watching network and file activity in order to quickly uncover stealthy attacks, and provide you with context to understand an attack. Through integration with our Cisco Advanced Malware Protection (AMP) technology, the Cisco NGFW doesn’t just inspect files and network traffic at point-of-entry – it continuously analyzes file behavior throughout the lifetime of the file. This gives you deep visibility into what files are doing and how they behave, showing you the full lifecycle of a threat from edge to endpoint. You can see where a threat originated, where it’s been, and what it’s doing—and automatically stop it.

Even if a file is deemed “good” or “unknown” after first inspection, the AMP technology keeps a watchful eye on file activity regardless of the file’s disposition. It can automatically contain a potential threat and alert you if it detects malicious intent or behavior later. This automated retrospection (Figure 4) allows the NGFW to essentially “change its mind” from its initial analysis if the file exhibits a sequence of behavior that may indicate malicious intent, or if our Talos intelligence cloud receives new information on a file. This intelligence can come directly from Talos research, or from another user who is part of the Cisco AMP community who deemed the same file on their system as malicious.

Figure 4 – Continuous Analysis and Retrospection (Network File Trajectory report)

This continuous approach has proven to drastically reduce time-to-detection of advanced threats. Cisco defines time-to-detection, or TTD, as the window of time between a compromise and the identification of a threat. While the Cisco NGFW detects most threats within seconds or minutes, for really advanced threats, Cisco averages a TTD of 4.6 hours compared with the industry average of over 100 days.[i]
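The retrospection and file-trajectory idea above can be modelled in a few lines. The following is an added illustration, not Cisco’s code: a store records every file observation by hash, and when a later verdict arrives (from sandboxing or threat intelligence) it flips the disposition of every earlier sighting, lists the hosts that received the file, and computes the TTD as defined in the text. Host names, the hash and the timestamps are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class FileEvent:
    seen_at: datetime   # when the file crossed the firewall or landed on a host
    host: str           # receiving host (constructed names)
    sha256: str         # file hash used as the identity for trajectory tracking
    disposition: str    # verdict at observation time: "clean", "unknown" or "malicious"

@dataclass
class RetrospectiveAlert:
    sha256: str
    hosts: list                  # every host that ever received the file
    first_seen: datetime         # compromise time used for the TTD calculation
    time_to_detection: timedelta # learned_at - first_seen

class TrajectoryStore:
    """Keeps every observation so a later verdict can be applied backwards in time."""
    def __init__(self):
        self.events = []

    def observe(self, event):
        self.events.append(event)

    def retrospective_update(self, sha256, new_disposition, learned_at):
        """Apply a verdict learned after the fact. Returns a RetrospectiveAlert when a
        file that was previously allowed is now malicious, otherwise None."""
        seen = [e for e in self.events if e.sha256 == sha256]
        if not seen or new_disposition != "malicious":
            return None
        if all(e.disposition == "malicious" for e in seen):
            return None  # already blocked everywhere; nothing to change retroactively
        first_seen = min(e.seen_at for e in seen)
        hosts = sorted({e.host for e in seen})
        for e in seen:
            e.disposition = "malicious"  # "change its mind" for every earlier sighting
        return RetrospectiveAlert(sha256, hosts, first_seen, learned_at - first_seen)

def demo():
    """Constructed scenario: one unknown file reaches three hosts, then intel marks it bad."""
    store = TrajectoryStore()
    t0 = datetime(2018, 5, 1, 9, 0)
    sample_hash = "a" * 64  # placeholder hash, not a real indicator
    for i, host in enumerate(["host-a", "host-b", "host-c"]):
        store.observe(FileEvent(t0 + timedelta(hours=i), host, sample_hash, "unknown"))
    alert = store.retrospective_update(sample_hash, "malicious", t0 + timedelta(hours=4, minutes=36))
    return store, alert
```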

Visibility Prioritization and Customization

You may be thinking, “More visibility will allow me to detect, uncover, and stop threats faster. But wow, this is a lot of visibility.” That’s why Cisco NGFW prioritizes and streamlines the information it shows you, providing the right information at the right time to the right audience. Management and investigations become easier, more efficient, and more effective, keeping your team nimble and able to draw conclusions and respond to attacks faster.

Threats are prioritized using a simple threat scoring system (Figure 5) that makes sure you address the most pressing problems first. Administrators are not overwhelmed with generic threat alerts en masse, without correlation or context. Instead, threats are organized into “indications of compromise” that link individual threats in one place with related or duplicate malware elsewhere in your system. Multiple pieces of malware can be identified as part of the same attack, so that when the NGFW sees one threat in one place, it can automatically stop, contain, and remediate all of the related malware from the same attack—see it once, stop it everywhere.

To further the goal of reducing resolution overhead and wasted time, customization of the management console is also available. For instance, look at Figure 5. You can decide what tabs and information to display on your summary dashboard given what applications or devices are the most important to your business. This administrator has decided to keep the sharpest eye on network activity, threats, and intrusion events, as evidenced by the first three tabs on the top line. On the network traffic tab, the administrator has prioritized traffic by application risk and business relevance, top web/server/client apps, and operating systems. Once the dashboards have been customized, they can be used to generate reports on a daily, weekly or monthly basis.

Figure 5 – Management Customization


Can your firewall give you unprecedented visibility to see and stop threats fast? A Cisco firewall can. See how we do it with a guided tour of visibility capabilities in this demo of Cisco Firepower Next-Generation Firewalls.


Click here to learn more about Cisco NGFWs, and join us next time in part 3 of this blog series as we explore how automation and integration can help your organization save time, reduce complexity, and work smarter. Yes, your firewall can do that too.



[i] Cisco 2018 Annual Cybersecurity Report