Staying Ahead of ‘Andromeda-Style’ Threats in Your Environment

Why rapid attack containment and a short remediation cycle matter

When a new threat gets in the environment, a security incident could unfold very quickly. Detecting the compromise and taking control of the infected endpoint fast is not only critical to preventing the spread of the threat, it is also vital to shrinking the remediation cycle time and cost.
Lessons learned from the ‘Andromeda Strain’

It only takes a single unknown threat getting a foothold in your network for a damaging incident to cause immeasurable harm to the business. Next thing you know, you’re living Michael Crichton’s “Andromeda Strain,” battling a contagious virus you don’t fully understand. And, like Crichton’s protagonists, you know that the longer you allow the threat to run wild, the more havoc it will wreak.

A little fun fact: when Crichton unleashed his fictional extraterrestrial virus bent on destroying Earth in “The Andromeda Strain” 50 years ago, the best-seller launched his blockbuster career. The deadly outbreak in the novel started when a military satellite introduced the virus from space, leading scientists on a hair-raising quest to contain it. Andromeda killed nearly instantly. If it didn’t, it wouldn’t have been worth a movie and a series years later, after all.

Destroying the mutating Andromeda microbe was a matter of life or death. Containing a rogue endpoint? Maybe not. But with every hour or day, an infection that roams inside your network is driving up your remediation costs. As the attack’s footprint grows, so does the potential of escalation to a full-blown data breach.

‘Time to remediation’: the new name of the game

The days when mean time to detection (MTTD) was a top cybersecurity KPI have gone the way of legacy AV. Certainly, fast detection is imperative. But that’s not your inflection point. Especially if you’re finding yourself in an Andromeda-type scenario where you have no idea what you’re dealing with.

The containment phase is where you can start taking control from the bad guys and limiting the damage — and avoiding a long, expensive remediation cycle.

In our annual CISO benchmark survey, the number of respondents using MTTD as a metric has decreased from 61% in 2018 to 51% in 2019. For 48% of CISOs, mean time to remediate (MTTR) is the top indicator of cybersecurity posture, compared to 30% in 2018. This shift in focus to rapid incident response and mitigation indicates a strategic change, but a SANS incident response report suggests that it is also a sticking point. Although 53% of the SANS respondents said they detected incidents within 24 hours, it took the majority (61%) two or more days to remediate.

Turning the table with Cisco AMP for Endpoints

The majority of security incidents, as well as data breaches, involve either malware or an evolved form like ransomware. SANS found that for 37% of organizations, containment takes at least two to seven days. How much mayhem can malware cause in that window? Think WannaCry.

With Cisco AMP for Endpoints, you can rapidly contain the attack by isolating an infected endpoint, so you can stop the threat from spreading. By drastically reducing the footprint of the attack, you can accelerate incident investigation and response while shrinking remediation costs. Here’s how it works:

  • From the endpoint connector, isolate an infected endpoint through the cloud console.
  • The endpoint is removed from the network while maintaining communication with the cloud console — you have complete control of the host and the logging and forensic data.
  • Automatically trigger endpoint isolation through automation APIs.
  • Quickly reactivate the host once you return it to a clean state.
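The isolate-then-reactivate cycle above can be driven from a script instead of the console. The following is an added example, not code from the post or from Cisco; it assumes the AMP for Endpoints cloud API base URL, its HTTP Basic authentication with a client ID and API key, and the per-computer isolation route (GET for status, PUT to start, DELETE to stop) with the status values `not_isolated`, `pending_start` and `isolated`. A constructed `FakeCloud` stands in for the console so the cycle runs offline.

```python
import base64
import json
from urllib.request import Request, urlopen

# AMP for Endpoints cloud API base URL and isolation routes: assumed from the
# public API docs, not taken from this post. Verify against your cloud region.
API_BASE = "https://api.amp.cisco.com/v1"


def auth_header(client_id, api_key):
    """HTTP Basic credentials (client_id:api_key) for the cloud console API."""
    token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
    return {"Authorization": f"Basic {token}", "Accept": "application/json"}


def https_send(method, url, headers):
    """Real transport; swapped for FakeCloud.send when running offline."""
    with urlopen(Request(url, method=method, headers=headers)) as resp:
        return json.loads(resp.read().decode())["data"]


def isolation_status(guid, headers, send=https_send):
    return send("GET", f"{API_BASE}/computers/{guid}/isolation", headers)["status"]


def contain_host(guid, headers, send=https_send):
    """Isolate the endpoint; idempotent if isolation is already in progress."""
    status = isolation_status(guid, headers, send)
    if status in ("isolated", "pending_start"):
        return status
    return send("PUT", f"{API_BASE}/computers/{guid}/isolation", headers)["status"]


def release_host(guid, headers, send=https_send):
    """Lift isolation once the host has been returned to a clean state."""
    return send("DELETE", f"{API_BASE}/computers/{guid}/isolation", headers)["status"]


class FakeCloud:
    """Constructed stand-in for the cloud console so the cycle runs offline."""
    def __init__(self):
        self.status, self.calls = "not_isolated", []

    def send(self, method, url, headers):
        self.calls.append((method, url.rsplit("/", 2)[-2]))  # (verb, connector guid)
        if method == "PUT":
            self.status = "isolated"
        elif method == "DELETE":
            self.status = "not_isolated"
        return {"status": self.status}


def containment_cycle(guid, headers, send):
    """Isolate, confirm (no duplicate request), then reactivate; returns the statuses seen."""
    return [contain_host(guid, headers, send), contain_host(guid, headers, send),
            release_host(guid, headers, send)]
```

Passing `https_send` (the default) instead of `FakeCloud().send` issues the same three-step sequence against the real console; the status check before the PUT keeps a retried automation run from re-isolating a host that is already contained.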

Dealing with the ‘comeback kid’

Threat actors, sadly, don’t take a hint. Like way too many movies and TV shows from the ‘90s, they keep coming back.

Your job is to successfully contain and clean up an infection. The attacker’s “job” is to keep trying. In fact, in the SANS survey, 26% of respondents said they’ve been breached by the same actor more than once.

The challenge is two-fold. On one side is the increased threat complexity. On the other, according to an ESG Research survey, is the heterogeneous nature of the defense tools and the manual processes. The survey found that 76% of security pros felt that threat detection and response is more difficult now than two years ago, primarily due to the volume and sophistication of the threats. Almost half agreed or strongly agreed that the process and tooling around detecting and responding to threats are limited, with 64% identifying manual processes as the challenge, and 66% struggled because of the multiple independent point tools.

A few highlights of how Cisco AMP for Endpoints can address these challenges:

  • Delivers prevention, detection and response capabilities in one solution.
  • Helps you respond to incidents in hours instead of days or months.
  • Enables you to proactively hunt for the riskiest 1% of threats.
  • With retrospective security, it blocks threats as soon as they begin to act maliciously, even if they seemed benign when they entered the endpoint.
  • You only have to spot a threat once — with our shared intelligence and integrated security architecture, it is blocked anywhere else across the environment.

You never know when you’re facing your next Andromeda. Don’t delay – boost your ability to rapidly contain threats. Learn more or start today with the free trial of Cisco AMP for Endpoints.

The post Staying Ahead of ‘Andromeda-Style’ Threats in Your Environment appeared first on Cisco Blog.

Incident response: Putting all the R’s in IR

It is well established that the ‘R’ in IR stands for “Response.” But given the challenges facing incident response teams today, IR could just as well stand for “It’s Rough.” The landscape is challenging, tools are multiplying, and the talent shortage seems insurmountable.

First of all, according to Cisco’s recent CISO Benchmark Study, 79 percent of security leaders are finding it challenging to orchestrate threat response in a multi-vendor environment. There has also been a drop from Cisco’s 2018 survey in the number of legitimate security alerts organizations are remediating – down from roughly 50 percent last year to just under 43 percent this year. All this means that incident response is not getting any easier: only 35 percent of security professionals find it easy to determine the scope of a compromise, contain it, and remediate it.

Attackers continue to innovate and come up with new attack types at a record pace. They’re so brazen that they even use Facebook and other social networks to share tools and sell stolen, personal information. Meanwhile, security teams struggle to keep up with this innovation, acquiring new technology to deal with every emerging threat.

IT infrastructure is too complicated, and resources are too scarce, to manage all of these tools and derive the intended benefits from them. Especially since, oftentimes, security products don’t talk to one another – requiring the manual analysis and comparison of seemingly infinite alerts and logs to try to make sense of what’s going on.

But there is some good news in all of this. According to a Cybersecurity Almanac published by Cisco and Cybersecurity Ventures, Fortune 500 and Global 2000 CISOs are expected to reduce the number of point security products they are using by 15-18 percent this year. Additionally, our CISO Benchmark Study tells us that more security teams are using time to remediate as a success metric for their operations (48 percent compared to just 30 percent last year). Remediation is difficult, demonstrating that security teams are setting the bar very high for themselves.

This hopefully shows that organizations are allowing CISOs to think more strategically about security – and that the C-suite in general is perhaps realizing that it’s about more than just buying a bunch of products and hoping they work.

Three more R’s: readiness, recon, and remediation

In actuality, there’s more to the ‘R’ in IR than just ‘response.’ To effectively respond to attacks, organizations not only have to react when they occur, but also:

  1. Be prepared for them in the first place. (Readiness.)
  2. Have an efficient way of obtaining visibility into any threats that make their way in. (Recon.)
  3. Mitigate attacks as quickly as possible. (Remediation.)

How do you master all these R’s? First of all, if your environment is made up of dozens of security technologies each performing siloed tasks and not sharing intelligence, you can’t really succeed. You will never have enough time, resources, and patience to piece all of this disparate information together and identify attacks before they rip through your environment.

At Cisco, we are constantly trying to figure out how to make security better to more effectively protect today’s businesses. Above all else – beyond all the latest features and capabilities – we focus on integrated security above everything. We don’t want our products to protect against just one type of attack, or secure just one area of the network. We want to cover you from edge to endpoint – and we want our products to work together to lessen the burden on you and your team.

Here are some of the newer ways we are helping to fortify organizations’ incident response plans, and putting all the R’s in IR.

Cisco Stealthwatch – A whole lot of readiness

Talk about being prepared. Cisco Stealthwatch has recently become the first and only security analytics platform to provide comprehensive visibility and threat detection across today’s modern infrastructure – including private, hybrid, and public multi-cloud environments. It automatically aggregates and analyzes security information across the entire enterprise to deliver a clear, understandable look at what’s going on 24/7. Stealthwatch prioritizes the most critical issues for the security team, and enables team members to easily drill down into any alerts that require further investigation.

Essentially, Stealthwatch serves as the eyes and ears of the network, using a combination of behavioral modeling and machine learning to pinpoint anomalies that could signify risk. It even detects threats in encrypted traffic without the burden of IT teams having to do decryption. In addition to monitoring on-premises infrastructure and private clouds, Stealthwatch can monitor all public cloud environments including Amazon Web Services, Google Cloud Platform, and Microsoft Azure.

Cisco Threat Response – Advanced recon and remediation

In the one year since we introduced our threat response platform, included for free with several of our security products, Cisco Threat Response (CTR) has become a foundation for fast, efficient incident investigation and response across the entire Cisco security architecture. It brings together threat intelligence from Cisco and third-party technologies, as well as Cisco Talos, via a single, intuitive console.

CTR reduces the need for security teams to shift between different interfaces and manually piece together data. If a threat is uncovered, it can be quickly remediated directly through CTR. The result is dramatically accelerated threat detection, investigation, and response.

This year, we unveiled a new browser plug-in for CTR to further simplify investigations. With the plug-in, if you are on a web site (such as the Talos blog) that includes information and observables on specific attacks, you can easily pull those observables into CTR to determine if the attack is present in your environment. It works with any web page that includes data on Indicators of Compromise (IOCs), allowing security analysts to quickly kick off the threat investigation process.

AMP for Endpoints – Speaking of recon and remediation…

Some of you may already be familiar with our Advanced Malware Protection (AMP) technology. But did you know that it can be used to proactively hunt for the riskiest one percent of threats in your environment to improve both security posture and operations? AMP for Endpoints provides a holistic view of all end devices on your network, including IoT devices. It continuously monitors and records all files to quickly detect stealthy malware.

AMP provides valuable insight into how malware got in, where it’s been, what it’s doing, and how to stop it. This greatly simplifies investigations and shortens incident triage and mitigation time. Once a threat is uncovered, you can quickly block it within AMP using just a few clicks.

Through integrations with other prominent Cisco security technologies, this investigation and remediation can also be extended to other parts of the network beyond just endpoints. AMP can see a threat in one area of your environment and then automatically block it everywhere else it appears.

Integrated solutions for accelerated response

These are just a few of the ways Cisco is helping to speed and improve incident response. These new features are complemented by our comprehensive, integrated security portfolio, as well as a full array of professional services. In fact, we’ve also recently enhanced our incident response services to increase customer resiliency in the face of evolving attacks.

Putting all the R’s in IR? That’s Imminently Reachable.

Find out how we can help. See our infographic to get started.

The post Incident response: Putting all the R’s in IR appeared first on Cisco Blog.