Effective security is simple, open, and automated.  We’ve already talked about simple and open. Now let’s talk about automated.

Security admins can relate to this scenario.

You just learned of an infected system in your environment of thousands of devices. How many others are affected? That’s hard to figure out even in elite operations. What you do know is that uncovering how big the problem is will be messy – manual, imperfect, and time-consuming.

So how can you quickly assess the situation and respond faster? Even great teams struggle to juggle dozens of product consoles, absorb the assault of thousands of rapid-fire event logs, or engage in an incident response malware goose-chase fast enough.

What you need is a simple and effective way to reduce the burden on teams while accelerating the time to detect and respond to threats. Think of the drones the military uses to see where the enemy is, outsmart them, and cover more ground faster. You need a force multiplier that can quickly, easily, and intelligently take action across all of your security solutions, so that you can then focus efforts where they are needed most. That’s where automation can help.

Automation can be your force multiplier.

See Once, Protect Everywhere

This concept is at the heart of how automation is the force multiplier security teams need today. See a threat in one place and call on all security technology to instantly protect against it everywhere. Instead of multiple team members hunting down details from different systems and trying to piece things together, automation removes that manual burden from teams and enables them to detect and respond more quickly. And time matters. Reducing the time and space that attackers have to operate can significantly limit the damage they can do. Automation is key to closing that window.

In addition to making security more effective with solutions that are simple and open, we are also deeply committed to incorporating automation across our entire security portfolio. Our goal is to deliver security solutions that work together seamlessly for a systemic, automatic response.  An integrated threat defense starts with products that have some automation in their own right, but that also work together for automated security across the integrated architecture.

Here are a few examples of how Cisco is using automation to make security simpler and more effective.

Automated Threat Hunting

Despite your best efforts to protect against compromise, a persistent attacker will eventually breach your defenses and get inside. What if security could automatically hunt for threats inside the network?

With Cisco Advanced Malware Protection (AMP) we can do that. The low prevalence capability detects targeted malware and prevents it from slipping under the detection radar. In two clicks, it surfaces files that were only seen by a small number of users and automatically analyzes them for malware.



Automated, Cross-platform Malware Response

What if security could find and block malware on one system and then instantly block it and remove all traces of it across all of your networks and systems? Automatically. In real time. We see a threat once and stop it everywhere.

We do that today with Cisco Advanced Malware Protection (AMP). It sees a threat once on a device and instantly blocks that threat everywhere – across the entire network.  AMP also automates malware remediation. Once a file is identified as malicious, it simply takes a few clicks and then it’s gone from all endpoints.



Automation Driven Solutions

How about going a step further with multiple products that integrate threat defenses for automated security? As we know, products are vastly more powerful when used together. We do that too.

Let’s start by bringing together the NGFW and the network with Rapid Threat Containment. Upon detecting a threat on an endpoint, Cisco Firepower Management Center, Stealthwatch, or Cisco AMP automatically works with the Cisco Identity Services Engine (ISE) to contain the infected endpoint. No team member is needed to do this.

What about the network itself – can it automate security? As it turns out, it can. We call it Network as a Sensor and Enforcer, and it is another example of Cisco products working together to automate responses. We quickly identify suspicious traffic on the network with Cisco Stealthwatch; instantly know what user and device the traffic pertains to with Cisco ISE contextual information; and then use Cisco TrustSec to automatically enforce a security policy on the network to quarantine the infected device. Only Cisco can combine the power of your network with best-in-class security products to accelerate detection and response.




We mentioned before that making sense of hundreds or thousands of alerts or logs can be tough – and undermine security effectiveness. To ease this burden, we automatically prioritize events for you in Firepower Management Center.  More than that, it can even see what comes online and figure out what needs to be done – recommending rules, updating policies, and denying access when a threat is clear. Talk about the power of integrated visibility and control for immediate response.

To get to the point where we are as agile as attackers, we need security responses that work in real-time, all-the-time, anytime. That means an integrated threat defense where every piece in the security puzzle plays a part, integrated to work in concert for a systemic response. Not only does this make our good stuff harder to steal, but it makes our security more effective. Getting to this level of defense is a journey that has no shortcuts. But with our commitment to delivering security solutions that are simple, open, and automated, we are well on our way.

It may not be as cool as operating a drone, but for those of us in the security industry the outcomes are probably just as satisfying.

[We’ll have a look at Integrated Threat Defense in a future post so stay tuned for that.]


Jason Lamar

Senior Director

Security Product Management Group