Cisco Blogs

Link Arms Against the Attackers: Observations from the 2016 Cisco ASR

- January 26, 2016 - 1 Comment

Remember 2007, when the underground economy began to flourish, using simple protocols and static subnet ranges to control their infrastructure? That was the same year Cisco published the first Annual Security Report (ASR). Nine years later, the drumbeat of cyberthreats grow louder, but the actors and threats are familiar, just as John reminded us when this year’s report was released.

Cyber-crime stats

What’s Changed?

  • Attackers have vastly increased the sophistication of their infrastructure, incorporated evasive techniques such as encryption and obfuscation, and diversified their revenue streams through ransomware.
  • Defenders are sharing cyber threat intelligence and recognizing the need for an Integrated Threat Defense architecture to provide visibility, control, intelligence, and context across their security estate. Today, a vast security product portfolio is available to defend your castle, from the network, to the endpoint, to the cloud, enabling mountain-top visibility and rapid mitigation.

In 2007, you might not have anticipated the degree to which you’d need to demonstrate to your business owners and stakeholders what you’re doing to protect your organization from pervasive, innovative cyber threats. In this year’s ASR: 92% of the respondents agreed that regulators and investors will expect companies to provide more information on cybersecurity risk exposure in the future. Business leaders are also anticipating that investors and regulators will ask tougher questions about security processes, just as they ask questions about other business functions.


To demonstrate accountability and make the best use of your security estate, focus on three things:

  1. Measure and reduce TTD: You won’t stop every threat, but you can keep attackers from progressing to the latter stages of the kill chain if you stop them early. Focus on reducing your time to detection (TTD), the window of time between the first observation of an unknown file and the detection of a threat. 24×7 monitoring and disciplined, expert handling of discovered threats is the key.
  2. Encryption. Deal with it: Incorporate data analytics to catch attacks that blend in due to encryption, obfuscation, and social media. Use Cisco NetFlow and anomaly detection to uncover back channels.
  3. Plan Incident Response: When you find a breach, know what to do, how to handle data, how to mitigate, and how to bring in experts and legal guidance where necessary. Organizations are increasingly hiring this expertise through services; in 2015, following a 7% increase from the prior year, we observe 42% of organizations outsourcing incident response.

One Year with Cisco Managed Security

We’ll never eradicate cyber attacks, but we can mitigate quickly, we can push the attackers back on the kill chain. Cisco’s Active Threat Analytics (ATA) team services a host of customers across many sectors. At one such customer, a global bank, you can observe the cat-and-mouse flow where security breaches are observed, ATA offers guidance at quarterly executive reviews, and controls are hardened, reducing the effective breaches. Over time, breach numbers are coming down, but it’s clearly a virtuous cycle.

One Year with Cisco ATA

Over one year with Cisco Active Threat Analytics (ATA), one enterprise tightens controls when attacks succeed, attackers find new methods, and the virtuous cycle continues.

Analyzing the average depth of each attack, ATA is able to demonstrate that attackers are not making the consistent progress they were before Active Threat Analytics’ monitoring began. This is substantive progress away from the end of the kill chain.

By pushing attackers back on the kill chain, Cisco was able to keep them from gaining an understanding of endpoint vulnerabilities which would have allowed malicious software installation on this customer's private network.

By pushing attackers back on the kill chain, Cisco was able to keep them from gaining an understanding of endpoint vulnerabilities which would have allowed malicious software installation on this customer’s private network.


We’re in this together. Security executives can link arms with expert security services to push attackers backwards. Prepare for the tough questions about security controls and plans by choosing security services that provide strategic guidance. The best services will leverage privileged security intelligence, mature visibility of security operations, and expert incident response to help you prepare for the tough questions.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


    Good common sense take-aways from the reports. I agree that the the TTD is critical to reduce. There just isn't room anymore for the "sit back and wait" mentality.