Category Archives: NGFW

3 things you need to know about Cisco Threat Response at CLUS

Overwhelmed by the sheer volume of security alerts and potential threats hitting your SOC? Security risks have never been greater, with networks expanding into the cloud, the explosion of mobile and IoT devices, and increasingly sophisticated threats. On top of that, disparate security tools make it tougher to find and remediate threats, especially when you’re under attack and time matters most.

So how can you stay ahead of threats? Enter Cisco Threat Response, a tool that was created to help SOC analysts simplify and speed threat detection, investigation, and remediation from a single interface.

This week at Cisco Live, we’re excited to share continued innovations from Threat Response designed to make your life even easier.

1. Introducing our integration with Cisco Firepower NGFW

You may know that Threat Response is already integrated across multiple Cisco Security products – AMP for Endpoints, Threat Grid, Umbrella, and Email Security. In the coming weeks, you will be able to analyze and triage high priority IPS alerts in Threat Response and enrich these IPS events alongside data from other integrated products. This means streamlined threat investigations with a fuller picture of the impact across your network, all from a single console.

Join us at Cisco Live to get a preview of this exciting integration. You can see a live NGFW demo at the Cisco Security booth in the World of Solutions. In the meantime, check out this new episode of ThreatWise TV that showcases how Firepower events are integrated into Threat Response.

2. Learn how to enhance your existing SIEM and SOAR tools with open APIs

Threat Response isn’t trying to replace the SIEM or SOAR you’ve already got; rather you can leverage our open APIs for 3rd-party integrations to complement your existing security stack. Script up your own integrations to automate data enrichment and response actions across multiple security products, all in a single interface for a seamless workflow.

At Cisco Live, get your learn on and get hands-on in the DevNet Zone:

  • DEVNET-2505 – Automate your threat hunting workflow with Cisco Threat Response APIs – Presented by Christopher Van Der Made.
  • DEVWKS-2639 – Security Research and Response Workflows with APIs – Workshop with Neil Patel.

3. Use our browser plug-ins to access threat intel and kick off investigations now

Still haven’t leveraged our APIs or you’re using non-Cisco security products? Don’t worry, you can still use Cisco Threat Response thanks to our browser plug-ins for Chrome and Firefox. In seconds, you’ll be able to pull threat intelligence to get verdicts on observables and start investigations.

You can see the Threat Response browser plug-in in action in demos and breakout sessions at Cisco Live. We’ll show you how you can pull threat data from sources like Talos and take actions without native integrations.

  • Demos across the Cisco Security booth in World of Solutions, such as Stealthwatch Cloud.
  • BRKSEC-2433 – Threat hunting and incident response with Cisco Threat Response – Breakout session with Ben Greenbaum.

Additionally, you can check out Threat Response elsewhere on the ground in San Diego:

More integrated demos at the Cisco Security booth in World of Solutions

  • AMP for Endpoints
  • Email Security
  • Umbrella theater sessions: Umbrella Investigate, Umbrella and AMP for Endpoints

Hands-on Labs

  • LABSEC-1012 – Threat intelligence, security investigation, incident response with Cisco Threat Response – Sunil Kumar and Vivek Singh
  • LTRSEC-2200 – You Got Hacked! Here is What to Do (AMP4E, TG, Splunk, CTR, CTA) – Karel Simek, Michal Svoboda, Ben Greenbaum

Cisco Customer Connection Program

  • CCP-1302 – Roadmap: Endpoint Security – Cisco Customer Connection Program session with Snehal Patel (CCP membership required – it’s free to join, sign up here)

Come see why there’s so much buzz around Threat Response at Cisco Live this week. Holler at me on Twitter @jolenetam if you’ll be around! Until then, learn more at


The post 3 things you need to know about Cisco Threat Response at CLUS appeared first on Cisco Blog.

Security Happenings at Cisco Live U.S.

Come learn from the best in threat defense

Throughout the year, you hear us talking about our innovative security strategy – about how integration, automation, and simplification make your security posture better. We highlight the need for a new approach to security in a multi-domain world. An approach that securely connects any user, on any device, on any network, to any application.

Next week is your chance to join us for interactive sessions, professional networking, and hands-on demos to find out where your security stands. Whether you discover that you’re on the right track, or that you have a long way to go, our security events at Cisco Live San Diego will provide valuable insight to take your security to the next level. And you will have some fun in the process!

Below are the major security activities happening at Cisco Live from June 9 – 13 at the San Diego Convention Center.

Captivating Keynotes

Don’t miss these Cisco keynotes to hear about our overall strategy and how security fits into the bigger picture:

You Make Possible | Monday, June 10 | 10:30 a.m. – 12:00 p.m.

Join Cisco CEO Chuck Robbins and engineering leader David Goeckeler as they share Cisco’s vision for the future and unveil new innovations that will transform our industry, your business, and our world.

Innovation Without Boundaries | Tuesday, June 11 | 10:30 a.m. – 12:00 p.m.

CEO Chuck Robbins, networking and security leader David Goeckeler, collaboration leader Amy Chang, and chief customer experience officer Maria Martinez will discuss our commitment to your success through our game-changing technology and an entirely new customer experience.

Simple, Secure, Digital Workplace with Cisco Meraki | Tuesday, June 11 | 2:00 – 2:30 p.m.

Today’s users demand next-generation, digital experiences within applications that are securely accessible from anywhere. This session, led by Meraki SVP and GM Todd Nightingale, will demonstrate Meraki’s innovative, data-driven approach to engineering, optimizing customer networks, prioritizing application traffic, and security.

What Is the Future of the Firewall? | Wednesday, June 12 | 11:30 a.m. – 12:00 p.m.

In the world we live in today, is the perimeter dead? Or do we actually need firewalls in more places than ever before? If so, how do we manage them all? Come see our SVP of security product management, Jeff Reed, to learn about the future of the firewall and see demos of Cisco Defense Orchestrator and Cisco Threat Response.

And make sure you stay for our closing keynote with Julia Louis-Dreyfus!

A Conversation with Julia Louis-Dreyfus | Thursday, June 13 | 3:00 – 4:00 p.m.

Much like the tech industry, the entertainment industry is rapidly changing. Join the star of the HBO hit series, Veep, as she humorously delivers insights and inspiration on how to remain relevant despite the chaos.

Click here for more details on these and other keynotes throughout the week.

Insightful Security Sessions

Today’s dynamic threat landscape demands a security strategy that focuses on the threat itself more than simply prevention. Cisco security solutions provide threat-centric protection that spans the entire attack continuum – before, during, and after an attack. And we cover you wherever threats get in – from edge to endpoint and beyond.

Cisco Security will present over 160 sessions at Cisco Live. Check out the Cisco Live security page to plan your schedule for the week. Our security sessions, labs, and technical seminars will help you take a holistic approach to security and stop more threats faster.

If you’re interested in these sessions, be sure to book them now. They fill up fast!

We know that 160+ sessions is a lot. See the end of this post for 10 recommended crowd pleasers!

World of Solutions

Don’t forget about the show floor as a treasure trove of valuable information and experiences. The World of Solutions is the energetic core of Cisco Live, where you’ll have the chance to learn about the latest innovations from Cisco and our partners, and connect in one amazing space.

Spend some time in the Cisco Showcase and Security Village to get up close and personal with Cisco and partner technologies. Attend expo sessions, see live demos across our security portfolio, network with your peers, and kick back a little. Also be sure to stop by the Duo Security area to learn about Cisco Zero Trust, charge up your devices, and zone out on some games.

The Park

Are you struggling with more remote users, more cloud apps than you can count, and network decentralization? Come see our Cisco Umbrella team at The Park to find out how they provide a first line of defense for securing users anywhere they access the Internet.

Meet the Expert/Engineer

Consistently rated as one of the highest value programs at Cisco Live, these meetings give you the opportunity to set the agenda for a 1:1 conversation with a Cisco expert. Visit the “Meet the Engineer” desk on site to schedule a personalized discussion focused on your unique questions and challenges.

Capture the Flag

Think you have what it takes to root out threats and protect the network? Check out Capture the Flag in the Sails Pavilion on the 2nd floor.

Cisco Live Celebration

If you need a break from all your learning, be sure to attend the infamous Cisco Live Celebration on Wednesday, featuring the Foo Fighters and Weezer!

What’s new?

While you’re at the show, keep an eye on our news page and social media for the major product announcements we’re making during the week. See something you like? You’ll be in the perfect place to ask questions and learn more. You’ll also find chances on our Cisco Security Facebook and Twitter pages to win great prizes like a Samsung 55″ 4K Smart TV and a Sonos Beam Soundbar.

Live Broadcast

Can’t make it to San Diego? You can still get your front row seat to Cisco Live by tuning into the live broadcast.

10 Recommended Security Sessions

Make sure you review the full agenda of security sessions to choose what’s right for you. But if you don’t know where to start, here are some suggestions:

Talos Insights: The State of Cyber Security | Monday, June 10 | 1:00 – 2:30 p.m.

Cisco’s Talos team specializes in early-warning intelligence and threat analysis for maintaining a secure network. In this talk, we will perform deep analysis of recent threats and see how Talos leverages large datasets to deliver product improvements and mitigation strategies.

Converge or Die: Security Products and Services | Tuesday, June 11 | 9:30 – 10:30 a.m.

Products and services are converging. Attend this session and walk away with the knowledge you need to approach today’s dynamic threat landscape with confidence.

Cisco SD-WAN Security from the WAN to Cloud Edge | Wednesday, June 12 | 8:00 – 9:00 a.m.

WAN transformation increases your exposure to a range of internal and external threats that were previously handled by your data center security. We’ll learn more about these threats and why a combination of on-premises and cloud security is a must-have for your IT team.

Endpoint Security, Your Last Line of Defense | Wednesday, June 12 | 1:00 – 3:00 p.m.

With the proliferation of advanced malware, and the endpoint being the target of the vast majority of attacks, security on the endpoint is more important now than ever. This session will dive into the arsenal of Cisco endpoint security products.

Behind the Perimeter: Fighting Advanced Attackers | Wednesday, June 12 | 4:00 – 5:30 p.m.

Unlike defending against automated and predictable infections that we see every day, dealing with advanced adversaries can be a painful experience. Our goal is to derive a series of principles that make such attacks expensive to mount, maintain, and cover.

Demystifying Zero Trust – What does it really mean? How do you achieve it with Cisco and Duo Security? | Thursday, June 13 | 8:00 – 10:00 a.m.

In this intermediate-level session, we will provide clarity into how to go from “zero” to “hero” when it comes to deploying Zero Trust in your environment.

Protecting Your Office 365 Environment: Leverage the Firepower API, Cisco Cloud Email Security, and more | Thursday, June 13 | 8:00 – 10:00 a.m.

Office 365 has become a popular choice to consume Microsoft’s email, voice, and file sharing applications. Due to changes in the consumption of applications, we need to think differently about how to secure our networks, endpoints, and users.

Workload Security and Visibility | Thursday, June 13 | 9:30 – 10:30 a.m.

Modern applications no longer just reside within a company’s physical data center, but are also deployed across a multi-cloud environment. As a result, customers must now rethink their approach to data center security and workload protection as the available attack surface and opportunity for data theft has expanded.

Risky Business: Help Reduce Risk by Gaining Visibility and Control of Cloud App Usage | Thursday, June 13 | 1:00 – 2:30 p.m.

In this session, we’ll address the security risks involved with cloud app usage and how you can gain full visibility and control of cloud applications in your environment using Cisco Umbrella.

The Future of Security Analytics | Thursday, June 13 | 1:00 – 2:30 p.m.

What does it mean to deliver superior security analytics? Join Cisco Distinguished Engineer TK Keanini to explore security analytics in its entirety: reviewing new forms of telemetry, analytical techniques, and the mistakes and shortcomings of the past so that we don’t make them again in the future.

See you next week at #CLUS!

Subscribe to our Cisco Live blog series to stay updated on everything happening at Cisco Live 2019.

The post Security Happenings at Cisco Live U.S. appeared first on Cisco Blog.

Security Analytics and Logging: Supercharging FirePower with Stealthwatch

When we consider network threat detection, most of us immediately think of signature and rule-based intrusion detection and prevention systems (IDPSs). However, it is a little discussed fact that the very first intrusion detection systems, built back in the ‘80s, were actually based on anomaly detection!

Those pioneers understood that with the presence of zero-days and the lack of exhaustive black-lists, we needed to use the full range of analytical techniques at our disposal to be effective.

Those anomaly detection roots may not be so evident in today’s IDPSs; however, they were not totally lost. In fact, a whole new branch of network threat detection systems was developed that used those very same anomaly detection techniques. That heritage manifests itself today in so-called Network Traffic Analysis (NTA) tools.

While IDPSs have made detecting the initial intrusion in the packet stream their relentless focus, NTA systems take a very different approach. They generally work on metadata generated from the network, often called network flows, so they can expand our scope of analysis in both time and space to become essential in post-breach analysis, incident response, and even threat hunting situations.

Well Cisco has arranged a family reunion!

We are proud to announce the combination of our best-in-class IDPS and NTA products, Cisco Firepower and Cisco Stealthwatch. The Security Analytics and Logging (SAL) solution brings the best of perimeter-based protection and detection with the power of visibility and security analytics over the entire network. We believe we have created the most comprehensive network-centric threat protection, detection, and response solution – something that only Cisco is in the position to achieve.

Raising the bar on Network Security

It is very well understood how IDPSs are effective in security protection: blocking activity that can be identified as a threat or that violates some policy. However, we accept that threats still get through, and that is why IDPSs have robust rules-based detection engines built on content inspection.

But what do we do with all these detections? What if the traffic cannot be inspected? What if decryption is not an option? What if the threat is spreading internally?

The Security Analytics and Logging service is specifically designed to augment your Cisco Firepower deployment with security analytics from the Stealthwatch Cloud platform, to drive improved threat detections and provide the insight needed for more effective protection.

It All Starts with Visibility

The foundation of the solution is the aggregation of the connection and detection logs from Cisco Firepower with the network flows that the Stealthwatch platform collects. Just think about that. A dataset that gives us unprecedented visibility into the entire breadth of your network from perimeter to access, from campus to branch. But that’s not all! That “general ledger” not only contains all the header-based metadata, but now also includes all the metadata and inferences derived from all the deep content-inspection the Cisco Firepower engine provides.

Now you might be thinking to yourself, “there are plenty of tools I can use to gain this type of visibility.” However, in practice the sheer volume, velocity, and variety of the data can lead to staggering costs. The Stealthwatch team has made working at these scales our speciality and because our back ends are optimally engineered for the security outcomes we desire, we can offer this visibility in a much more cost-effective manner.

Security Analytics Driving Rapid Response

With all that visibility comes the opportunity to apply security analytics that can detect breaches that have bypassed the content-inspection based rules at the perimeter.

The security analytics powered by Stealthwatch can achieve this by baselining normal behavior of endpoints on the network in a process we call entity modelling. These models are then used to detect malicious activity based on any changes in behavior and indicators of compromise. The Stealthwatch engine can then combine these observations with others that may come from other parts of the network or even the detection engine in Cisco Firepower to create reliable and useful alerts.

Through this, you get detection of internal and external threats based on the analysis of network telemetry and IDPS logs, all from within Cisco Defense Orchestrator (CDO) and from that same interface, you can modify your network-wide policy to immediately deploy a remediation strategy. In addition, CDO is fully integrated with Cisco Threat Response which allows you to build incident casebooks and drive response actions across the whole of the Cisco security portfolio.
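The entity-modelling idea described above, as an added illustration that is not Cisco’s or Stealthwatch’s code: each host gets a baseline of its own daily bytes out and distinct-destination count from flow metadata, a later day is scored against that baseline, and a behavioural observation that coincides with an IPS event for the same host is raised at higher severity than either signal alone. All flow records and IPS events are constructed samples; the Flow and IpsEvent shapes and the z-score threshold are assumptions.

```python
"""Entity-modelling sketch: baseline per-host behaviour from flow metadata,
flag deviations, then corroborate with IPS events. All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:            # assumed minimal flow record (constructed shape)
    day: int
    src: str
    dst: str
    dport: int
    bytes_out: int


@dataclass(frozen=True)
class IpsEvent:        # assumed minimal IPS event (constructed shape)
    day: int
    host: str
    signature: str


def daily_profile(flows, day):
    """Per source host on one day: total bytes out and set of distinct destinations."""
    profile = defaultdict(lambda: [0, set()])
    for f in flows:
        if f.day == day:
            profile[f.src][0] += f.bytes_out
            profile[f.src][1].add(f.dst)
    return profile


def build_baseline(flows, baseline_days):
    """Entity model: mean and spread of daily bytes out and destination count per host."""
    profiles = {d: daily_profile(flows, d) for d in baseline_days}
    hosts = {h for p in profiles.values() for h in p}
    baseline = {}
    for h in hosts:
        byte_totals = [profiles[d][h][0] if h in profiles[d] else 0 for d in baseline_days]
        dst_counts = [len(profiles[d][h][1]) if h in profiles[d] else 0 for d in baseline_days]
        baseline[h] = {"bytes": (mean(byte_totals), pstdev(byte_totals)),
                       "dsts": (mean(dst_counts), pstdev(dst_counts))}
    return baseline


def zscore(value, mu_sd):
    mu, sd = mu_sd
    return (value - mu) / max(sd, 1.0)  # floor the spread so a flat baseline cannot divide by zero


def behavioural_observations(flows, baseline, day, z_threshold=3.0):
    """Hosts whose activity on `day` departs from their own baseline. A host with no
    baseline is reported as such rather than scored, because it has no model yet."""
    observations = {}
    for host, (total_bytes, dsts) in daily_profile(flows, day).items():
        if host not in baseline:
            observations[host] = ["no baseline for this host"]
            continue
        reasons = []
        if zscore(total_bytes, baseline[host]["bytes"]) > z_threshold:
            reasons.append("bytes out above baseline")
        if zscore(len(dsts), baseline[host]["dsts"]) > z_threshold:
            reasons.append("distinct destinations above baseline")
        if reasons:
            observations[host] = reasons
    return observations


def correlate(observations, ips_events, day):
    """Combine NTA observations with IPS logs for the same host and day; a host seen
    by both engines is corroborated and therefore rated higher than either alone."""
    ips_by_host = defaultdict(list)
    for e in ips_events:
        if e.day == day:
            ips_by_host[e.host].append(e.signature)
    alerts = {}
    for host in set(observations) | set(ips_by_host):
        reasons = observations.get(host, []) + [f"IPS: {s}" for s in ips_by_host.get(host, [])]
        corroborated = host in observations and host in ips_by_host
        alerts[host] = {"severity": "high" if corroborated else "medium", "reasons": reasons}
    return alerts


# Constructed sample: five baseline days of ordinary traffic, then day 6 on which
# 10.1.1.5 fans out to twenty internal hosts on port 445 while 10.1.1.6 stays normal.
BASELINE_DAYS = range(1, 6)
SAMPLE_FLOWS = (
    [Flow(d, "10.1.1.5", "10.0.0.1", 443, b)
     for d, b in zip(BASELINE_DAYS, [48000, 50000, 52000, 49000, 51000])]
    + [Flow(d, "10.1.1.6", "10.0.0.1", 443, 20000) for d in BASELINE_DAYS]
    + [Flow(6, "10.1.1.5", "10.0.0.1", 443, 50000), Flow(6, "10.1.1.6", "10.0.0.1", 443, 20000)]
    + [Flow(6, "10.1.1.5", f"10.1.2.{i}", 445, 5000) for i in range(1, 21)]
)
SAMPLE_IPS = [IpsEvent(6, "10.1.1.5", "constructed-signature-1")]  # constructed label


def run_sample(day=6):
    baseline = build_baseline(SAMPLE_FLOWS, BASELINE_DAYS)
    return correlate(behavioural_observations(SAMPLE_FLOWS, baseline, day), SAMPLE_IPS, day)


if __name__ == "__main__":
    for host, alert in run_sample().items():
        print(host, alert["severity"], "; ".join(alert["reasons"]))
```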

Closing the Loop: Improving Protection through Policy Tuning

Up until now, I have discussed the during and after phases of an attack but with SAL we can close the loop and reason more effectively about the before phase. In this phase we, as security practitioners, try to understand what is actually on our networks and what activity is to be allowed or blocked.

We express this intent through policies that enshrine both threat defense and compliance considerations. But designing and managing these policies across an increasingly complex digital business has historically been a major challenge and can leave many organizations vulnerable to attack.

The insight that SAL brings to the game drastically improves the way you can make policy decisions from within CDO. Through this capability you can query the logs collected from Cisco Firepower devices to play out what-if scenarios and validate the correct behavior of the policy at the enforcement point. In addition, the extended visibility of the rest of the network that the Stealthwatch platform provides can even allow you to determine if traffic is bypassing your enforcement points.

You can then turn around and deploy these highly tuned policies across the entire portfolio of security products right from within CDO! This is an entirely new paradigm that is required to not only scale with your growing network but also help you seamlessly manage policies across your environment powered by intelligence and insight.



I have been in-and-around security analytics and threat detection for almost 16 years and have seen many cool improvements and integrations but this one excites me in a way that I have not been before.

This is truly a case where one plus one is more than two. We have taken two pillars of network security and turned them into one comprehensive, network-centric threat detection, protection, and response system. In addition, this solution will grow with you as we look to extend the visibility to every corner of the digital business, including the public cloud and the software-defined network, while also allowing you to benefit from the on-going R&D that delivers new threat detection at the speed of SaaS.

This may be just the start of this particular journey, but we are starting with all of the accumulated wisdom of those pioneers from back in the ‘80s, and all those that have followed in their footsteps.

To learn more about Cisco’s Security Analytics and Logging, a cloud-delivered security platform that leverages Cisco Defense Orchestrator, Cisco Firepower Next-Generation Firewalls and Stealthwatch Cloud to help you simplify security policy management please visit or contact to get started.

The post Security Analytics and Logging: Supercharging FirePower with Stealthwatch appeared first on Cisco Blog.

Cisco and BT at 30: Creating a Future-Proof Security Solution

Some things just get better with age. And you could say the same for the over 30-year partnership between Cisco and British Telecom (BT). Through the course of our partnership, Cisco and BT have innovated together to deliver network and IT solutions around the world. At Cisco, we view service provider partners as an extension of our team, and we’re committed to investing in their success and future growth. We’re proud to work so closely with BT — one of only five Cisco Global Gold Certified Partners — to serve the needs of its customers.

Networking and cybersecurity have changed drastically since we first partnered with BT. There has been a pronounced shift toward digitalization, which means a movement away from the hub and spoke environment, with the management of onsite physical hardware and software. And with the advent of SaaS offerings like Office 365 and Azure, the experience of end users has changed as applications move to the cloud. Additionally, the threat surface has expanded as cloud adoption has grown, and attackers are getting more sophisticated in the ways they are challenging today’s network defenses.

At Cisco, we are always looking to stay ahead of emerging threats, which is why we are committed to securing the cloud. With Cisco’s growth rate of 14.3%, analyst firm Canalys recently recognized Cisco as the largest cybersecurity vendor by revenue. In its report, the firm stated that the cloud is “the fastest growing deployment area” in the industry. The addition of Cisco’s cloud technology to BT’s security service offerings enables BT not only to support its customers wherever and however they are consuming data, but also to improve threat efficacy in terms of malware prevention, botnets, C2 callbacks, phishing, and more.

Recognizing a Shift in Security Needs

As its customers sought out a trusted partner with a hands-on, integrated, intrinsic security strategy for addressing the modern threat landscape, BT recognized this opportunity to further its ties with Cisco’s security portfolio. With Cisco’s integrated architecture, BT can detect and stop threats faster and better with built-in intelligence and threat hunting. A Forrester report found that integrated architecture can also enable 70% improvement in IT productivity.

Cisco’s best-of-breed security services, like Cisco Umbrella and Cisco’s Firepower Next-Generation Firewall (NGFW) technologies, are now part of a comprehensive security solution for BT’s customers. 

BT’s end-to-end managed service is based on Cisco Umbrella — the industry’s first Secure Internet Gateway in the cloud. As the first line of defense against threats on the internet, Cisco Umbrella uncovers current and emerging threats, enables visibility across devices and ports, and stops threats earlier. The platform is simple and easy to deploy in just hours, and it allows BT to manage policy and seamlessly transmit logs into BT’s 24/7 security operations center (SOC).

We’ve seen fantastic results for customers using Cisco Umbrella, including a 100% reduction in ransomware, a 99% decrease in overall threats with a 75% reduction in investigation time, and at least a 60% malware reduction. We expect BT’s customers to see the same level of threat mitigation.

Cisco’s Firepower NGFW technologies are capable of automatically preventing breaches, safeguarding the organization, and keeping the network operational, with the industry’s most effective threat protection. Recently, Frost & Sullivan awarded Cisco the 2018 Market Leadership Award in the Global Network Firewall Market in recognition of Cisco NGFW’s ability to meet the needs of cybersecurity customers not only now, but in the future.

Both of these flexible solutions enable BT to keep its customers safe and outpace threats, while also decreasing the time to deploy services and increasing business agility. The interoperable nature of Cisco’s security portfolio means that each platform builds on the other, which creates a stronger security service. And if a threat is seen once, it can be blocked everywhere, whether it’s on the network, endpoint, or cloud.

“Services such as Cisco Umbrella, along with our SD-WAN services, allow us to be able to offer that integrated network and security managed services,” says Rob Daniels, GM Portfolio Strategy & Propositions for BT Security. “The Cisco relationship is absolutely critical for BT’s current and future long-term success. With both Cisco Firepower and Cisco Umbrella, we can ensure that we have the right security portfolio for our customers both today and in the future.”

Each of Cisco’s security solutions integrates with our threat intelligence powered by Talos — the backbone of Cisco’s security portfolio. With integrated threat intelligence, BT is enabled to better understand threat issues that cause problems for its customers. This real-time threat analysis is a major differentiator, and BT is now able to use its own threat analysis combined with Talos to provide reports on incoming threats as regular touchpoints for its customers.

BT can manage all of these customers with a simple, multi-tenant MSSP console. With visibility into all of its customers in one place, BT’s team is far more effective in drilling down into security threats, while maintaining customer confidentiality. Cisco and BT’s partnership takes the best technology from Cisco and marries it with the skills in BT security to build superior managed capabilities.

“The relationship that BT and Cisco have together is one of the strongest and most strategic that we have within the business,” says Chris Marwood, GM Managed Security Services for BT Security. “We’ve innovated together for a very long time and developed solutions that take the best technology from Cisco, and we marry that together with the great skills that we have in BT security to build fantastic managed capabilities.”

Differentiated Managed Security Services to Meet Security Demands

Today’s MSSP growth is driven by digital transformation, the move to cloud computing, bring your own device (BYOD), and user mobility. Cisco makes it easier and more profitable for MSSPs like BT to deliver differentiated managed security services to counter the complex threats faced by their customers.

It starts with a comprehensive and integrated security portfolio to protect customer data and brand reputations. The seamless combination of network architecture, security, open API integration, and easy-to-manage portals across products help service providers and end-customers shift from best-of-breed to best-of-need. According to a recent survey by Cisco, 82% of customers expect technology solutions to be bundled with other managed service offerings from a single Managed Service Provider. This expectation allows for Cisco’s integrated architecture to be a key differentiator for customers, with solutions that work together to create a holistic security solution grounded in threat intelligence.

With accelerated managed service creation and delivery, MSSPs can speed their time to market, increase agility across deployment scenarios, and scale with service experts. And, only Cisco can offer:

  • Threat intelligence from Talos
  • End-to-end security portfolio
  • Networking market leadership
  • A breadth of cloud offerings

Cisco is a strong partner for service profitability, helping MSSPs reduce time to monetization, drive recurring revenue, and grow their businesses with flexible licensing options.

As one of the largest MSSPs in the world, BT provides security services for customers of all sizes. Find out more about BT’s ability to handle today’s cybersecurity threats. In a multicloud world, security isn’t getting any less complex. You need a cloud-delivered security solution that provides sufficient end-user security. Learn more about how Cisco secures the cloud.

On May 14, the Cisco Security team will host a webinar to share insights on the cloud-managed security opportunity for Service Providers. You’ll also learn about the latest offerings in the managed security space and how MSSPs can reduce time to monetization, grow security business, and drive recurring revenue. Register for the webinar today.

Be sure to join us at Cisco Live U.S. — June 9 -13 in San Diego — to check out all the latest innovations at Cisco. You can be a part of my Innovation Talk on June 12 about the future of firewall, where I’ll discuss the need for firewalls, proper firewall management, and consistent policy. Finally, don’t forget to follow me on Twitter and LinkedIn for the latest Cisco cloud security announcements from the Cisco Security team.


The post Cisco and BT at 30: Creating a Future-Proof Security Solution appeared first on Cisco Blog.