Find Advanced Threats with Cisco Cognitive Threat Analytics

February 2, 2016

Attackers are constantly innovating, employing more sophisticated techniques to compromise organizations and gain access to other parts of the network and sensitive data including proprietary information, trade secrets, and of course financial information. Threats have evolved to the point that it’s no longer feasible to simply defend the perimeter.

In the 2016 Cisco Annual Security Report, Cisco researchers analyzed threat intelligence and examined some of the most compelling trends in attack vectors, attack methods, and vulnerabilities. The report called out that malicious browser add-ons, typically viewed as a low-severity threat, were seen affecting more than 85 percent of organizations monitored. Malicious browser extensions can steal information, and they can be a major source of data leakage.

Identifying and blocking adware, malware, and exfiltration of data requires a multi-tiered security approach. By investing in new detection methodologies that constantly monitor and analyze web communications, security teams are able to identify new actors and new techniques, reducing time to detection in their environments.

Cisco Cognitive Threat Analytics (CTA) is a cloud-based service that discovers breaches, malware operating inside protected networks, and other security threats by means of statistical analysis of network traffic data. It addresses gaps in perimeter-based defenses by identifying the symptoms of a malware infection or data breach using behavioral analysis and anomaly detection. CTA relies on advanced statistical modeling and machine learning to independently identify new threats, learn from what it sees, and adapt over time.

Analyzing more than 10 billion web requests daily, CTA finds malicious activity that has bypassed security controls, or entered through unmonitored channels (including removable media), and is operating inside an organization’s environment by answering these questions in nanoseconds:

  • Was it normal traffic to known websites?
  • Are the source and destination trusted?
  • Are other users in the organization communicating with the same destination?
  • Have these particular devices communicated before?
  • Are they using anonymous applications such as Tor?
  • Are files being transferred? If so, how large?

CTA uses a number of analytics engines to detect anomalous traffic including:

  • Data Exfiltration: Cognitive Threat Analytics uses statistical modeling of an organization’s network to identify anomalous web traffic and pinpoint the exfiltration of sensitive data. CTA recognizes data exfiltration even in HTTPS-encrypted traffic, without any need to decrypt the transferred content.
  • Domain Generation Algorithms: Attackers generate an arbitrary number of domain names to avoid detection and blacklisting of the hosts that serve malware. CTA recognizes malicious and obfuscated domain names generated from words, and analyzes the frequency of communication, the information content of the headers, and hundreds of other features observed on each HTTP/HTTPS request.
  • Exploit Kits: Analyzing web requests allows CTA to uncover infections by exploit kits across the stages of the chain: 1) the user visits an infected web page, 2) the browser is redirected to a domain hosting the exploit kit, 3) a download occurs without the user’s knowledge, 4) exploitation succeeds, 5) the malicious payload is downloaded.
  • Tunneling through HTTP/HTTPS requests: Attackers often try to hide their activity and exfiltrate sensitive data, including credentials, using the HTTP/HTTPS requests themselves. CTA uses multiple IOCs, including global statistics and local anomaly scores, to reliably distinguish malicious tunneling from benign use of the technique.
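To make the behavioral questions above concrete, here is an added example (not Cisco's code or CTA's actual model) that scores constructed web-proxy records on three of the signals the post describes: a random-looking hostname label (a DGA heuristic), a destination that only one user in the organization contacts, and an upload volume far above the organization's baseline. The log format, thresholds, and host names are assumptions made for the illustration.

```python
import math
from collections import defaultdict

# Constructed sample proxy records: (user, destination host, bytes sent by client)
LOGS = [
    ("alice", "www.example.com", 512),
    ("bob", "www.example.com", 430),
    ("carol", "www.example.com", 600),
    ("alice", "cdn.example.net", 300),
    ("bob", "cdn.example.net", 280),
    ("dave", "xk7q2mzp9vha.info", 8_000_000),  # lone user, random label, large upload
]

def shannon_entropy(text):
    """Bits per character; high values suggest algorithmically generated labels."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def score_requests(logs, entropy_threshold=3.0, min_label_len=10, upload_factor=10):
    """Return (user, host, reasons) per record; reasons are the behavioral flags raised."""
    users_per_host = defaultdict(set)          # "are other users talking to this host?"
    for user, host, _ in logs:
        users_per_host[host].add(user)
    sent = sorted(b for _, _, b in logs)
    median_sent = sent[len(sent) // 2]          # crude organization-wide upload baseline
    results = []
    for user, host, sent_bytes in logs:
        reasons = []
        label = host.split(".")[0]              # leftmost DNS label only
        if len(label) >= min_label_len and shannon_entropy(label) > entropy_threshold:
            reasons.append("dga-like")
        if len(users_per_host[host]) == 1:
            reasons.append("rare-destination")
        if sent_bytes > upload_factor * median_sent:
            reasons.append("large-upload")
        results.append((user, host, reasons))
    return results

def suspected_breaches(logs, min_reasons=2):
    """Devices/users whose traffic raised at least min_reasons independent flags."""
    return [(u, h) for u, h, r in score_requests(logs) if len(r) >= min_reasons]

if __name__ == "__main__":
    for row in score_requests(LOGS):
        print(row)
    print("suspected:", suspected_breaches(LOGS))
```

A single flag on its own (for example one rare destination) is normal in any organization; the value comes from requiring several independent anomalies to coincide, which is the same reasoning as combining global statistics with local anomaly scores.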

Previously available only as an add-on to Cisco Cloud Web Security, CTA is now available as an add-on license to Cisco Web Security Appliance, as well as a stand-alone solution. CTA requires no software or hardware to be installed! After it establishes a network baseline it begins to identify breached devices in a matter of hours! On average, we find 45 breached devices per week in a company of 5,000 employees.

Want to see Cognitive in action? Check out this demo or visit www.cisco.com/go/cognitive.


1 Comment

  1. I have a Diploma of ICND and love the course and want to establish my own office if you can help.