No security risk assessment is complete without the executive summary section. Something that can answer the high level questions security teams get asked including “how secure are we?”, “what threats are affecting our network today?” and “how healthy is our network?” We have recently revamped the Cognitive Threat Analytics dashboard to provide answers to these questions and more.
Cisco Cognitive Threat Analytics (CTA) is a breach detection and analytics platform. It analyzes web traffic to discover command-and-control communications, data exfiltration, and potentially unwanted applications operating in your infrastructure. All without the need to deploy any additional software or hardware.
At the very top, the health status section displays an overall summary of threats discovered in your network by their risk level, ranging from “critical” to “low,” allowing anyone to quickly see how many threats are affecting them right now.
The next section, relative threat exposure, puts these absolute numbers into perspective. It answers the question, “how is my organization doing with respect to others?” The benchmark takes into account the number and risk of your incidents as well as your organization’s network size. It then compares to trends measured across the entire customer base, across customers with similar network size, and across other customers in the same vertical. The exposure benchmark in each case can range from “low” (best), through “below average,” “average,” “above average,” to “high” (worst).
The three vertical sections start with a list of specific behaviors, giving a high-level breakdown of the detected threats, organized by risk they pose to your organization. Specific behaviors, as opposed to generic behaviors are identified by CTA within “confirmed” and high confidence “detected” threats. This shows you if ransomware is operating in your environment, or data is being exfiltrated right now.
We follow with the highest risk list outlining the top incidents that require immediate attention. Each incident includes user name, list of specific behaviors and a time frame information. In the example shown, the top risk is an infection for user54 with risk level 10 and a specific detection of ransomware. The infection was first detected on June 10, and lasted for 25 days.
Low risk infections will eventually escalate. Last, but not least, is a list of top risk escalations, which draws attention to the infections that have recently escalated. This list includes a user name, old and new risk levels as well as the “diff” in case new specific behaviors associated to the threat have been identified. In the example above, user34 had an escalation on July 19 from risk level 6 to risk level 9. There was a new “information stealer” specific behavior observed, as well as continuation of the existing ones, e.g. “ad-injector”, “PUA”, and “scareware.” This is an example of a multi-stage attack that begins with a relatively benign file, downloads additional components to a malicious payload, and becomes much more severe.
The CTA dashboard is fully interactive. By clicking on an incident, you can navigate to the incident detail and begin investigating. And like a true executive summary, it’s perfectly ok to print it!
Cisco Cognitive Threat Analytics (CTA) has been recently integrated with Cisco Advanced Malware Protection (AMP) for Endpoints. To learn more, please visit http://www.cisco.com/go/ampendpoint-cta, and be sure to to see how it works.