In security, there’s a gap between perception and reality. According to the Cisco 2015 Annual Security Report, 90 percent of companies are confident about their security policies, processes, and procedures – yet 54 percent have had to manage public scrutiny following a security breach. Not only are there direct costs to a security breach – there are also intangible expenses, including a negative impact on brand reputation and the erosion of customer trust.
As John Chambers articulated recently at the World Economic Forum in Davos, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.” 2015 is going to be another year where organizations around the world can expect to be under attack or will discover that they have been infiltrated.
There is a widening gap between resources and needs, as security practitioners lack both the funding and the manpower to adequately protect assets and infrastructure. Because of this, CISOs are increasingly looking to external experts for security guidance.
This is why we are unveiling our Security Incident Response Services. Our new Incident Response Service is designed to advise organizations on how to reduce time to detection, containment and remediation. Our experts identify the source of infection, where it entered the environment, and what data was compromised. By going to the source – patient zero – and identifying malware movement throughout the environment, organizations can minimize the cost and overall impact of any breach, as well as identify methods to reduce future risk. The service leverages threat intelligence from the Cisco Talos Security Intelligence and Research Group, Cisco security technologies including AMP Threat Grid and the expertise of the Cisco Security Solutions (CSS) team. The Incident Response Service supports businesses in two areas:
Cyber Attack Response
Every event is unique, and our Security Incident Response methodology is fast and flexible enough to adjust continuously to the dynamic threat landscape. Whether it’s an insider threat, a distributed denial of service, advanced malware on the endpoints or a customer data breach, the team guides an organization through identification, isolation and remediation using analysis and data mining, forensic image analysis, dynamic instrumentation of infected systems, malware reverse engineering, and exploit analysis and re-implementation.
Cyber Security Readiness
As businesses fall victim to increasingly targeted cyber-attacks and data breaches, they need external expertise to assess and promote security best practices, to protect corporate data, and to prepare for the inevitable data breach incident. An important prerequisite for a successful incident response capability is a strong Incident Response plan: when an incident occurs, everyone knows how to respond, how to escalate, and what to do, quickly and effectively. Cisco Incident Response offerings span infrastructure breach preparedness assessments, security operations readiness assessments, breach communications assessments, and training, among other activities.
Our team of experts has been actively working with customers on cyber attack response. A recent engagement was initiated when a company identified exfiltration of consumer credit card data. Working hand-in-hand with the customer, federal law enforcement and Cisco Talos, the Incident Response Services team discovered a new malware family targeting point of sale (PoS) systems. The team identified the malware’s patient zero and its lateral movement mechanism. This ultimately led to the team’s discovery of a new family of malware, “PoSeidon,” which is detailed in this blog post. Using best-of-breed technology and our incident response expertise, and working closely with Talos, the Cisco Incident Response Service team shortened the identification, isolation and remediation process for this customer by developing detection and countermeasures.
For more information on the Security Incident Response Services team, please see our overview video and our Cisco Security Launch Page.
Tags: incident response, RSA 2015, security
It makes us cringe to say it, but it’s the obvious truth. A week doesn’t go by that we don’t hear about the latest breach in the news. All of us in the IT security industry would love to say, “our technology can prevent all breaches.” But it’s a pipe dream. Being able to prevent 100 percent of breaches or detect all threats trying to infiltrate the network is simply not reality.
Of course, we prevent what we can. And we can get pretty close. In fact, Cisco Advanced Malware Protection (AMP) was shown to block 99 percent of incoming malware in a comparative test of Breach Detection Systems done by NSS Labs. Ninety-nine percent is pretty darn good, and in fact Cisco AMP emerged as a leader in that test. But still, it only takes one percent to cause a breach.
When malware gets through your front-line defenses, you need continuous threat protection in place that can quickly detect it, contain it, and remediate it before damage can be done. Cisco AMP provides the visibility and control to do exactly that. Even after files are initially inspected, AMP’s continuous analysis engines constantly monitor activity on endpoints, mobile devices, and in the network to spot any signs of malicious behavior, and provide continuous detection of threats in your environment. As a result, you have protection before, during, and after an attack.
Today I am excited to announce that Cisco AMP just got even better. We are announcing new features and new innovations that enhance Cisco AMP’s protection capabilities and continuous threat protection in the following areas:
Continuous Detection and Retrospective Security
- AMP still provides continuous analysis of files after an attack so that you can see the complete ancestry of an attack, scope a compromise, and continuously detect and uncover evasive threats. You get deep visibility to see threats in your environment and the control to quickly stop them.
- Endpoint Indications of Compromise (IoCs) in AMP for Endpoints now lets users submit their own IoCs using the open IoC standard to catch targeted attacks.
- The Low Prevalence feature in AMP for Endpoints uncovers stealthy, targeted threats that were only seen by a small number of users and automatically sends them for sandbox analysis.
Threat Intelligence and Dynamic Malware Analysis
- The recent integration of Threat Grid capabilities into AMP gives you context-rich threat intelligence feeds, over 350 unique behavioral indicators that analyze the actions of a file, easy to understand threat scores and analytics, and billions of malware artifacts at your disposal to improve your ability to detect and prevent future attacks. These capabilities and more are also available as a standalone threat intelligence and dynamic malware analysis solution via AMP Threat Grid.
- The new Vulnerabilities feature in AMP for Endpoints identifies vulnerable software being targeted by malware, and the potential exploit, providing you with a prioritized list of hosts to patch.
Deployment Flexibility and Choice
- Deploy the solution how and where you want it: on the endpoint, mobile devices, in the network on a Cisco FirePOWER Next-Generation IPS security appliance, on a Cisco ASA firewall, and on web and email gateways. You can also deploy AMP Threat Grid as a standalone threat intelligence and dynamic malware analysis solution.
- No need to manage multiple security platforms or deploy multiple appliances. Cisco AMP is fully integrated with Cisco security products for ease of deployment, ease of use, and ease of operation.
To learn more about these innovations, visit our Cisco Security Launch page to watch videos, product demos, customer testimonials, and more.
Tags: AMP, breach detection, RSA 2015, security
Organizations are under relentless attack, and security breaches happen every day. A global community of attackers creates advanced malware and launches it via multi-faceted attacks and through multiple attack vectors into organizations of all sizes.
These increasingly costly attacks against organizations of all sizes place customer data, corporate secrets, and intellectual property at risk. Smaller organizations that form part of the supply chain are targeted not only for their own assets but as an entry point for attacks against larger organizations that they partner with.
We believe the most effective way to address these real-world challenges is with continuous threat protection that is both pervasive and integrated. This goes beyond traditional point-in-time detection and taps into context-rich threat intelligence, dynamic malware analysis, and retrospective security to allow continuous breach detection, response, and remediation across the full attack continuum.
For this reason, we are unveiling new models of Cisco ASA with FirePOWER Services for SMB, midsize organizations, and branch offices. These next-generation firewall (NGFW) models bring integrated threat defense, low total cost of ownership, and simplified security management to smaller and distributed organizations.
Tags: Cisco Advanced Malware Protection, Cisco ASA with FirePOWER Services, NGFW, security
This post was authored by Nick Biasini with contributions from Kevin Brooks
The use of macro-enabled Word documents has exploded over the last year, with Dridex as a primary example payload. Last week, Talos researchers identified another short-lived spam campaign that was delivering a new variant of Dridex. This particular campaign lasted less than five hours and was successful at mutating the subject and attachments to avoid detection. The five-hour campaign actually consisted of two separate emails that both had malicious Word documents as attachments. A sample of the two different subject lines is shown below.
Campaign One Subject:
Debit Note  information attached to this email
Campaign Two Subject:
48142 – Your Latest Documents from RS Components 822379272
*Note: Italicized text used to identify mutating portions of email subject
Both campaigns centered on invoices being sent as Word document attachments. Not only did the attackers use different subjects for every email, they also rarely reused an attachment name. Less than five percent of the emails observed contained reused attachment names.
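As an added illustration (not code from the post or from Talos), the following C program shows the kind of analysis a defender would run over message metadata from a campaign like this one: it collapses the numeric fields of each subject into a template so that the mutating subjects regroup into their two campaigns, and it measures how often an attachment name is reused. The seven messages are constructed sample data modelled on the two quoted subject shapes; the numbers and file names in them are invented, and all function names are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TMPL_LEN 128

struct msg { const char *subject; const char *attachment; };

/* Constructed sample, not data from the post: the digits stand in for the
 * italicised mutating portions of the two quoted subject shapes, and the
 * attachment names are invented. One name is deliberately reused. */
static const struct msg g_sample[] = {
    { "Debit Note 5521 information attached to this email",         "DN_5521.doc" },
    { "Debit Note 9073 information attached to this email",         "DN_9073.doc" },
    { "Debit Note 1148 information attached to this email",         "DN_1148.doc" },
    { "48142 - Your Latest Documents from RS Components 822379272", "RS_822379272.doc" },
    { "48143 - Your Latest Documents from RS Components 822379310", "RS_822379310.doc" },
    { "48144 - Your Latest Documents from RS Components 822379452", "RS_822379452.doc" },
    { "48145 - Your Latest Documents from RS Components 822379519", "RS_822379310.doc" },
};
static const size_t g_nsample = sizeof g_sample / sizeof g_sample[0];

/* Collapse each run of digits to a single '#', so subjects that differ only in
 * invoice or reference numbers map to one template. */
void subject_template(const char *subject, char *out, size_t outlen)
{
    size_t o = 0;
    int in_digits = 0;
    for (const char *p = subject; *p && o + 1 < outlen; p++) {
        if (isdigit((unsigned char)*p)) {
            if (!in_digits) out[o++] = '#';
            in_digits = 1;
        } else {
            out[o++] = *p;
            in_digits = 0;
        }
    }
    out[o] = '\0';
}

/* Distinct raw subjects: what an exact-match subject blocklist would need. */
size_t count_raw_subjects(const struct msg *m, size_t n)
{
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++) {
        int seen = 0;
        for (size_t j = 0; j < i && !seen; j++)
            seen = strcmp(m[i].subject, m[j].subject) == 0;
        if (!seen) distinct++;
    }
    return distinct;
}

/* Distinct subject templates: the number of campaigns the sample regroups into. */
size_t count_templates(const struct msg *m, size_t n)
{
    size_t distinct = 0;
    char ti[TMPL_LEN], tj[TMPL_LEN];
    for (size_t i = 0; i < n; i++) {
        subject_template(m[i].subject, ti, sizeof ti);
        int seen = 0;
        for (size_t j = 0; j < i && !seen; j++) {
            subject_template(m[j].subject, tj, sizeof tj);
            seen = strcmp(ti, tj) == 0;
        }
        if (!seen) distinct++;
    }
    return distinct;
}

/* Fraction (0..1) of messages whose attachment name already appeared on an
 * earlier message; the post reports under five percent for the real campaign. */
double attachment_reuse_rate(const struct msg *m, size_t n)
{
    size_t reused = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < i; j++)
            if (strcmp(m[i].attachment, m[j].attachment) == 0) { reused++; break; }
    return n ? (double)reused / (double)n : 0.0;
}

int main(void)
{
    printf("%zu messages: %zu distinct subjects, %zu subject templates, "
           "%.1f%% attachment-name reuse\n",
           g_nsample, count_raw_subjects(g_sample, g_nsample),
           count_templates(g_sample, g_nsample),
           100.0 * attachment_reuse_rate(g_sample, g_nsample));
    return 0;
}
```

On the constructed sample every raw subject is unique, the two templates are recovered, and one of seven attachment names repeats. That is the reason exact-match blocklists on subjects or file names buy little against a campaign that mutates them, while grouping by template, or inspecting the attachment itself for macro content, does not depend on those strings.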
Tags: Dridex, email, Talos, Threat Research, threat spotlight
This post was authored by Earl Carter & Yves Younan.
Talos is constantly researching the ways in which threat actors take advantage of security weaknesses to exploit systems. Use-after-free vulnerabilities have become an important class of security problems due to the existence of mitigations that protect against other types of vulnerabilities, such as buffer overflows. Today, Talos is releasing FreeSentry, a mitigation for use-after-free vulnerabilities.
FreeSentry works as a plugin for LLVM with an associated runtime library that tracks pointers when they are set to objects and invalidates them when the memory associated with that object is freed. Our initial approach was published at the 2015 Network and Distributed System Security (NDSS) Symposium in February. The paper can be downloaded here. At CanSecWest 2015, Yves Younan of Talos presented an enhanced version of FreeSentry which included further developments, such as porting the original mitigation from C Intermediate Language (CIL) to LLVM. The CanSecWest slides are available here. Note that the LLVM performance numbers in the CanSecWest presentation were preliminary numbers, and have been updated for this post.
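To make the mechanism concrete, here is an added example, written for this page rather than taken from FreeSentry, of the pointer-tracking idea in plain C: a small runtime records every memory location into which a pointer to a tracked heap object is stored, and the free wrapper overwrites all of those locations before releasing the object, so a dangling copy faults on use instead of silently reading reused memory. In FreeSentry the LLVM pass inserts the equivalent of the tracked_set hook at pointer assignments; here the calls are written by hand, the tables are fixed-size linear arrays, and NULL stands in for whatever invalid value the real runtime writes. All type and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS  32
#define MAX_SLOTS 64
/* Written into a dangling pointer. A production runtime picks an address that
 * faults on any dereference; NULL is enough to make the demo's point. */
#define INVALIDATED_PTR ((void *)0)

struct tracked_obj  { void *base; size_t size; int live; };  /* a heap object */
struct tracked_slot { void **slot; void *base; };             /* a stored pointer */
static struct tracked_obj  g_objs[MAX_OBJS];
static size_t              g_nobjs;
static struct tracked_slot g_slots[MAX_SLOTS];
static size_t              g_nslots;

/* Store through a slot whose declared type is some struct pointer; memcpy
 * keeps this within the aliasing rules. */
static void store_ptr(void **slot, void *value) { memcpy(slot, &value, sizeof value); }

/* Live tracked object containing address p, if any (interior pointers count). */
static struct tracked_obj *find_obj(const void *p)
{
    uintptr_t a = (uintptr_t)p;
    for (size_t i = 0; i < g_nobjs; i++) {
        uintptr_t b = (uintptr_t)g_objs[i].base;
        if (g_objs[i].live && a >= b && a < b + g_objs[i].size) return &g_objs[i];
    }
    return NULL;
}

static void forget_slot(size_t i) { g_slots[i] = g_slots[--g_nslots]; } /* swap-remove */

/* malloc wrapper: record bounds so later pointer stores can be matched. */
void *tracked_malloc(size_t size)
{
    void *p = malloc(size);
    if (p && g_nobjs < MAX_OBJS) {
        g_objs[g_nobjs].base = p; g_objs[g_nobjs].size = size; g_objs[g_nobjs].live = 1;
        g_nobjs++;
    }
    return p;
}

/* Pointer-store hook: an instrumenting compiler would emit this at every store
 * of a pointer into a variable or field; here it is called by hand. Drops the
 * slot's old record and adds one if the value points into a live object. */
void tracked_set(void **slot, void *value)
{
    store_ptr(slot, value);
    for (size_t i = 0; i < g_nslots; i++)
        if (g_slots[i].slot == slot) { forget_slot(i); break; }
    struct tracked_obj *o = find_obj(value);
    if (o && g_nslots < MAX_SLOTS) {
        g_slots[g_nslots].slot = slot; g_slots[g_nslots].base = o->base;
        g_nslots++;
    }
}

/* free wrapper: overwrite every recorded pointer into the block before it is
 * released, so a later use faults instead of reading reused memory. */
void tracked_free(void *p)
{
    struct tracked_obj *o = NULL;
    for (size_t i = 0; i < g_nobjs; i++)
        if (g_objs[i].live && g_objs[i].base == p) { o = &g_objs[i]; break; }
    if (!o) { free(p); return; }                 /* not a tracked allocation */
    for (size_t i = 0; i < g_nslots; ) {
        if (g_slots[i].base == o->base) { store_ptr(g_slots[i].slot, INVALIDATED_PTR); forget_slot(i); }
        else i++;                                /* forget_slot refilled index i */
    }
    o->live = 0;
    free(p);
}

struct session { int id; char name[16]; };

/* Free through an alias: the original pointer, the alias and an interior
 * pointer into name all addressed the freed block, so all three are cleared. */
int demo_aliases_invalidated(void)
{
    struct session *s = NULL, *alias = NULL; char *name = NULL;
    tracked_set((void **)&s, tracked_malloc(sizeof *s));
    if (!s) return -1;
    s->id = 7; strcpy(s->name, "alice");
    tracked_set((void **)&alias, s);
    tracked_set((void **)&name, s->name);
    tracked_free(alias);
    return s == INVALIDATED_PTR && alias == INVALIDATED_PTR && name == INVALIDATED_PTR;
}

/* A pointer to a different, still-live object is left alone. */
int demo_unrelated_untouched(void)
{
    struct session *a = NULL, *b = NULL;
    tracked_set((void **)&a, tracked_malloc(sizeof *a));
    tracked_set((void **)&b, tracked_malloc(sizeof *b));
    if (!a || !b) return -1;
    tracked_free(a);
    int ok = a == INVALIDATED_PTR && b != INVALIDATED_PTR;
    tracked_free(b);
    return ok;
}

int main(void)
{
    printf("aliases invalidated: %d\nunrelated untouched: %d\n",
           demo_aliases_invalidated(), demo_unrelated_untouched());
    return 0;
}
```

The two demo functions show the property that matters: freeing through any one copy of a pointer neutralises every tracked copy, including interior pointers, while pointers into other live objects are untouched. The cost of the approach is the bookkeeping on every pointer store and on every free, which is why the post reports performance numbers separately for the LLVM port.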
Tags: mitigations, Talos, Threat Research, Use-After-Free