Cisco Blogs


Cisco Blog > Security

Security Insights with British Telecom

The explosive growth of video, mobility, Internet-of-Things, and cloud services has brought about enormous business opportunities. Service Providers are adopting open and programmable network architectures that increase business agility and lower costs. However, adversaries are increasingly exploiting the growing attack surface presented by these new services and expanded network connections.

British Telecom, the largest service provider in the UK, has recently announced a partnership with Cisco to deliver threat-centric security solutions based on our joint expertise and leadership. By partnering with Cisco, BT will strengthen network and advanced threat protection capabilities and automate its threat intelligence to detect, analyze and remediate attacks, while providing the same security capabilities in offerings to their customers, with BT Assure Cyber, BT’s Managed Security Portfolio.

I recently had the opportunity to sit down with Les Anderson, VP of BT Cyber, and ask him how BT manages security to protect their networks and their customers and to get his take on our new partnership.

Sam Rastogi – Cisco Security: What changes in the threat landscape are you observing?
Les Anderson: Over the last 13 months, BT has experienced a 1,000% increase in threats. We’ve seen our networks targeted in ways that we haven’t seen before. There is unprecedented speed in the innovation, resiliency and evasiveness of cyber attacks.

CS: How do you counter these threats?
LA: Partnership with Cisco for threat-centric security and consolidating where it makes sense for our business and our customers.

CS: What security technologies are top of mind for you?
LA: We need threat-centric technologies that are able to stop threats. We look to solutions, such as ASA with FirePOWER Services, Advanced Malware Protection (AMP), and Next-Generation IPS (NGIPS) – all, working together. They amount to a differentiated capability in the market – to see and stop more threats for us and our customers.

CS: How do you view security as a growth engine for organizations?
LA: BT doesn’t compromise when it comes to prioritizing our own cybersecurity; security can be a growth engine for business like BT to take full advantage of today’s opportunities to be more productive, make organizations more efficient and customers happier by keeping systems — both ours and our customers — secure.  By relying on threat-centric security, we’re thus able to focus on our core business goals, making security a differentiator. Investing in security in turn inspires further trust in doing business with us and with our customers.

CS: Why did you choose to partner with Cisco? And why now?
LA: Cisco has made smart security acquisitions and technology innovations that provide a significant differentiation in the market. I’m seeing that Cisco has the ability to deploy security products into SDN and virtualized environments to unlock additional value that is critical to security. Lastly our joint portfolio has allowed us to sell the largest cyber strategic security capability globally to a nation state. This is all possible with the strong partnership we have in place together.

Watch this video to learn how BT is taking advantage of security solutions from Cisco to protect its own environment and its customers:

Tags: , , ,

New Cisco AnyConnect Network Visibility Module App for Splunk

Users on the network are an important layer of an organization’s security strategy – and a particularly vulnerable one. In fact, a recent IBM cybersecurity report found that human error was a contributing factor in 95% of all security incidents! It is critical to know what users are doing on the network, especially since some potential high-risk behaviors like data disclosure and shadow IT may not trigger current security layers (e.g. malware protection).

Cisco AnyConnect Network Visibility Module (NVM) empowers organizations to see endpoint and user behavior on their network. Cisco AnyConnect NVM collects flows from endpoints (e.g., laptops) both on and off-premise along with additional context like users, applications, devices, locations and destinations.  Now, IT administrators can use Splunk Enterprise to analyze and correlate this rich data with the new  Cisco AnyConnect Network Visibility (NVM) App for Splunk, which  provides collection and reporting of flows generated by the Cisco AnyConnect NVM endpoint sensor technology.

Read More »

Tags: , , , , ,

Update for Customers

Following a recent Juniper security bulletin discussing unauthorized code, we have fielded a number of related questions from our customers. Being trustworthy, transparent, and accountable is core to our team, so we are responding to these questions publicly.

First, we have a “no backdoor” policy and our principles are published at trust.cisco.com

Our development practices specifically prohibit any intentional behaviors or product features designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. These include, but are not limited to:

  • Undisclosed device access methods or “backdoors”.
  • Hardcoded or undocumented account credentials.
  • Covert communication channels.
  • Undocumented traffic diversion.

Second, we have no indication of unauthorized code in our products.

We have seen none of the indicators discussed in Juniper’s disclosure. Our products are the result of rigorous development practices that place security and trust at the fore. They also receive continuous scrutiny from Cisco engineers, our customers, and third party security researchers, contributing to product integrity and assurance.

Third, we have initiated an additional review of our products for similar malicious modification.

Although our normal practices should detect unauthorized software, we recognize that no process can eliminate all risk. Our additional review includes penetration testing and code reviews by engineers with deep networking and cryptography experience. We are tracking the case as PSIRT-0551621891, and will release any findings in accordance with our Security Vulnerability Policy.

Fourth, we initiated this additional review of our own accord.

Cisco launched the review because the trust of our customers is paramount. We have not been contacted by law enforcement about Juniper’s bulletin, and our review is not in response to any outside request. We are doing this because it’s the right thing to do.

Finally, we will investigate all credible reports and disclose findings with customer implications.

We ask all our customers and others to report any suspected vulnerabilities to the Cisco PSIRT for immediate investigation. Consistent with our long-standing process, we will manage and disclose results under the terms of our Security Vulnerability Policy.

Please see more information at our Trust & Transparency Center. Customers with additional questions can contact the Cisco PSIRT at psirt@cisco.com, referencing case: PSIRT-0551621891.

Tags: , , ,

Threat-Focused NG-Firewall – Who Cares? Part 3

This is Part 3 of our blog series about NG-Firewalls. See Part 1 here.

Part 3: Challenges of the Typical NGFW

What good is a malicious verdict on something that had already penetrated the system?

There is no system in the world that can stop 100% of attacks/attackers 100% of the time, so infection is an inevitability that must be anticipated. Something WILL get through and when it does, the quality of your threat system and incident response plan will surely be tested. The Cisco Firepower Threat-focused NGFW is designed to understand what has happened through the entire life cycle and to be able to make immediate and automatic adjustments to contain the threat and provide the Practitioner with the forensic details necessary to manage and respond to the incident.

Typical NGFW solutions add on extra defense systems (malware sandboxes, URL gateways, etc.) in an attempt to avoid this altogether with the focus on point-in-time prevention. Whether a Typical NGFW or a Threat-focused one, all use technologies like Threat Intelligence cloud lookups of known malware signatures, or even sandboxing to allow the full progression of an ‘unknown’ to operate in a contained environment and ultimately determine if clean or malicious so it can be given an accurate disposition at the initial point-in-time. How they are used is the critical point. While a threat-focused firewall integrates these functions into its core, the Typical NGFW leverages less-integrated add-on components in order to go back to step 1 and try to deny what shouldn’t get through at first sight – attempting to prevent everything with that binary decision. Great idea, except for a few critical deficiencies: First, most modern malware is sandbox-aware and only used once. Therefore, if it runs in a sandbox it may not execute the same way as it would in the wild. Signatures are only good for the 2nd time malware is seen, so a cloud lookup isn’t, with or without sandboxing, enough to confirm an unknown that only ever has one instantiation.

Read More »

Tags: , , , ,

Threat Spotlight: Holiday Greetings from Pro PoS – Is your payment card data someone else’s Christmas present?

The post was authored by Ben Baker and Earl Carter.

Payment cards without an EMV chip have reached their end-of-life. Point of Sale (PoS) malware, such as PoSeidon, has continued to threaten businesses. The news is continually filled with stories of payment card data being stolen through a breach in the company’s PoS system. From high-end hotels to large retail firms, threat actors are attacking PoS systems in the attempt to capture payment card data. PoS Malware is just another threat category that Talos is monitoring and developing defenses against. In this post, we will examine the functionality of Pro PoS so that you can better understand how this malware can be used to exfiltrate payment card information and potentially other valuable information from your network.

Beginning in October, merchants in the United States were required to use PoS terminals that provide support for chip-enabled cards or otherwise risk liability for fraudulent charges. These new chip-enabled readers help minimize the chance for PoS malware to steal payment card information because the chip on the payment card generates a single use token. This transition, however has been bumpy at best because the cost of new chip-enabled readers has made it difficult to upgrade to the newer readers. Another loophole is that gas stations have a different timeline and are not required to move to chip-based readers until October 2017. These two factors mean that many establishments still rely on card readers that are not chip-enabled and sending payment card data that can be duplicated and reused.

Pro PoS is simple-to-use PoS malware that is available for purchase, enabling multiple threat actors to easily take advantage of this malware to target businesses. The functionality of Pro PoS seems fairly extensive according to recent press releases. These claims include the following:

  1. Tor support
  2. Rootkit functionalities
  3. Mechanisms to avoid antivirus detection
  4. Polymorphic engine

In order to analyze the actual capabilities of Pro PoS, Talos collaborated with Flashpoint, a pioneer in threat intelligence from the Deep & Dark Web Not all of the claims in the press releases seem to be totally accurate given the Pro PoS version 1.1.5b sample that Talos analyzed. For instance we did not identify any significant mechanisms to avoid antivirus detection, other than a trivial packer that seemed to be more for compression than obfuscation. Unless you include tor2web, we did not find support for Tor. We did not find a Polymorphic engine. And finally, we did observe a rootkit being installed but it did not appear to be used by the malware.

Read More>>