Category Archives: Partners

Tackling the BEC Epidemic in a New Partnership with INTERPOL

In just a few short years, Business Email Compromise (BEC) has gone from a peripheral threat to a major cyber risk for organizations. It’s making criminal gangs millions of dollars each month, hitting corporate profits and reputation in the process. Trend Micro has built a formidable array of resources over the past few years to help protect our global customers from BEC. We also recognize that to combat cybercrime effectively, we have a duty to share these resources with law enforcement agencies wherever possible.

That’s why we’ve teamed up with INTERPOL in a new awareness-raising campaign set to launch in 59 participating countries around the world this month.

 BEC on the rise

Reported BEC attacks cost global firms nearly $1.3 billion in 2018, almost half of total cybercrime losses recorded by the FBI. The problem is getting worse. We detected a 58% increase in BEC attempts on customers in the first half of 2019 compared to the last six months of 2018. Some firms have been conned out of tens of millions of dollars. Among the list effected include Facebook ($99m) and Google ($23m), to name but a few.

Reports suggest BEC gangs are employing increasingly professionalized tactics, for example using commercial lead generation services to amass databases of tens of thousands of corporate executives to target. Victims need not be large enterprises either: BEC could affect SMBs, schools, non-profits — any organization that makes regular wire transfers.

It’s perhaps no surprise that BEC made such gangs over $300m each month in 2018 from US victims alone, according to the Treasury.

 Fighting back

At Trend Micro, we have developed multiple layers of protection to help insulate our customers from the worst effects of BEC. These include our AI-powered Writing Style DNA feature that learns the writing characteristics of your executives and sounds the alarm if it spots any emails deviating from the norm. We also make it a priority to collaborate with global law enforcement agencies to raise BEC awareness among global organizations.

INTERPOL’s new campaign will launch during the Europol-Interpol Cybercrime Conference on October 9-11 and feature a series of infographics posted across Twitter, Facebook and Instagram over the succeeding weeks. Each post will tackle a new area, including:

  • Which employees are typically targeted inside organizations
  • The role of malware and social engineering in attacks
  • Key prevention tips

Trend Micro will support the campaign by reposting the infographics and adding links to its own resources to further educate and raise awareness among possible BEC targets.


This is the latest in a long line of collaborative efforts between Trend Micro and INTERPOL.

Back in 2014, we signed an three year agreement to support the body with additional knowledge, resources and tactics, which has been extended through March 2021. Since then, we helped to disrupt a major $60m BEC network in a swoop that led to the arrest of its leader. In another joint operation, Trend Micro helped to identify nearly 270 websites infected with malware and 8,800 C&C servers across eight countries, which were responsible for spreading malware and spam, and launching DDoS attacks.

It’s great to see law enforcement making inroads into cybercrime gangs. Some 281 BEC suspects were recently arrested in a global crackdown. However, we know these efforts are just scratching the surface. That’s why we will continue to provide both industry leading threat protection for our customers, as well as collaborate on awareness raising and law enforcement operations. Public-private partnerships of this sort are necessary in a world in which the bad guys are often more agile and willing to team up to achieve common goals.

The post Tackling the BEC Epidemic in a New Partnership with INTERPOL appeared first on .

Whats So Strategic About the Trend Micro and Snyk Partnership?

What does a partnership between Trend Micro and Snyk mean for you, the customer? Can you really develop and deploy applications anywhere without security slowing you down? Greg Young, VP of Cybersecurity for Trend Micro, explains how the partnership benefits Trend Micro and gives our customers an extra edge in their security platform.

The post Whats So Strategic About the Trend Micro and Snyk Partnership? appeared first on .

Using CESA to Solve Endpoint Blindness for a World Class InfoSec Team

Cisco has an amazing set of products like AMP for Endpoints and Cisco Umbrella protecting devices from advanced malware threats.  There were other user and endpoint scenarios that remained unsolved until we introduced the new Cisco Endpoint Security Analytics (CESA) solution that was recently announced.  CESA provides an unprecedented level of endpoint and user networking visibility built on Cisco AnyConnect Network Visibility Module (NVM) endpoint telemetry and Splunk Enterprise.   Underlying the NVM technology is a protocol called nvzFlow (en-vizzy-flow) that I have blogged about in the past.


Why Did We Build CESA?

The CESA solution was originally developed by the Office of the Security CTO and then integrated into Cisco AnyConnect and Splunk products to solve a set of issues for Cisco InfoSec.  Cisco InfoSec realized that getting all the endpoint visibility they needed to perform incident response was a challenge. There were also endpoint security blind spots as more Cisco employees were working off premise and connecting to both enterprise and cloud resources.  They needed a way to collect and store a year of data for analysis of incidents while also getting information in real‑time to see what is happening in the network.  You can read more about the Cisco InfoSec use case in their case study on CESA.

The Office of the Security CTO looks at current and future customer problems that are not being solved by existing technology and then come up with ideas on how to solve them.  My fellow co-inventors, Andrew Zawadowskiy and Donovan O’Hara from the CTO Advanced Development team built the initial Proof of Concept and then worked on the final product release with the AnyConnect development team.

As we thought about ways to solve the problems Cisco InfoSec was facing, we wanted to do it in a way that built on standards technology so that not only could Cisco Stealtwatch and Cisco Tetration support it, but also provide an ecosystem for key partners to participate.  This is why we chose to build on IPFIX.  It is the perfect protocol to build the enhanced  context found in nvzFlow.  What do we mean by “Enhanced Context”?

The 5 key endpoint visibility categories conveyed by the protocol or “Enhanced Context” are:

  • User
  • Device
  • Application
  • Location
  • Destination

At the end of the blog will be a helpful table to show you details of the enhanced context that is provided.

Working with Great Partners like Splunk and Samsung

One of the key features of CESA is Splunk Enterprise, which performs the analytics and alerting on the NVM telemetry, turning it into actionable events. The new CESA Built on Splunk product, available exclusively from Cisco, provides a Splunk package customized and priced specifically for analyzing NVM telemetry.  Cisco InfoSec has been using the CESA solution for over two years now.  As noted earlier, you can read more about it in their Case Study.

Spunk Enterprise is a fantastic tool.  It was really easy for us to take the Cisco AnyConnect NVM data and not only import it into Splunk, but to also quickly create a high value set of dashboards and reports from the data.   There are two components in the Splunk store that make up the solution: Cisco AnyConnect Network Visibility Module (NVM) App for Splunk and Cisco NVM Technology Add-on for Splunk.  Because NVM produces so much high value data, Splunk created a special per-endpoint license available exclusively from Cisco that makes budgeting predictable and saves you money.  We also put together a helpful deployment guide to get you going.

Below is an example of the dozens of reports available in the AnyConnect NVM Splunk Dashboard.
As you can see the solution provides visibility into what applications are connecting to what domains and how much data is being transmitted/received.



From there, you can then drill down on the specific application and obtain finer grained details including the SHA256 hash of the process, the names of domains and IP addresses it connected to, what account it is running under, etc.  Just click on the specific element and it will take you to an investigation page for that observable.

You can easily integrate your favorite investigation tools right into the Splunk Enterprise dashboards.  For example, you can pivot from a DNS domain name observable into Cisco Umbrella, Talos Intelligence or Cisco Threat Response with just a couple lines of HTML.  This will allow you to obtain a threat disposition on the domain.

Similarly, you can take the SHA256 hash observable and pivot right into AMP for Endpoints, ThreatGrid or Cisco Threat Response.  This will allow you to obtain a threat disposition on the binary.

We’ve provided those integrations for you in the default dashboards. You can easily add more just by editing them to include your favorite tools.  Let us know if there is anything else that would be useful in the default screens.


Samsung has been another excellent partner from the start.  We have worked with them closely on their Knox program for a number of years with AnyConnect integrations and neat features like per-app VPN.  When we explained to them what we wanted to do with Cisco AnyConnect NVM, they were excited to help and developed the Network Platform Analytics (NPA) framework to make it possible.  It is the only framework available on mobile platforms to support Cisco AnyConnect NVM.  The best part is that you can enable and provision this capability using your favorite Enterprise Mobility Management (EMM) solution – no special device-mode needed!  Keep an eye out for a forthcoming quick‑start guide on this technology.  NVM is also available on Windows, MacOS and Linux platforms.

Those are some of the high points of the CESA Built on Splunk solution.  If you’d like to get into further technical details on the solution architecture and NVM telemetry itself, see my post on our Cisco Community Page.

Find What Your Endpoint Anti-Malware is Missing with CESA Built on Splunk

There are many aspects to securing an endpoint beyond finding the malware on it.  What do you know about the behavior of your endpoints? Can you track anomalous traffic? Can you tell what the applications and other software processes are up to?  What is happening when the device is off the corporate network? Has a user or device evaded endpoint security measures? With insight to such issues, you can generate visibility that not only follows endpoints on and off network, but also finds threats often not addressed by anti-malware solutions.


With this in mind, Cisco has created a solution unlike anything available in the industry today — Cisco Endpoint Security Analytics (CESA) Built on Splunk. This new solution brings together the unparalleled endpoint behavioral visibility of Cisco’s AnyConnect Network Visibility Module (NVM) and the data transformation power of the Splunk analytics platform. The result is an added layer of deep endpoint visibility that transforms endpoint-centric data into insights to proactively detect and mitigate network threats.

If you already use AnyConnect NVM, you know it creates a lot of detailed, endpoint-specific data. But by building and productizing CESA on top of Splunk, we’ve paired that data with an equally comprehensive and cost-effective analytics tool. CESA addresses endpoint security use cases such as:

  • Unapproved applications and SaaS visibility
  • Endpoint security evasion
  • Attribution of user to device to application to traffic and destination
  • Zero-trust monitoring
  • Data loss detection
  • Day-zero malware and threat hunting
  • Asset inventory

The behavioral data produced by NVM complements anti-malware agents like Cisco Advanced Malware Protection (AMP) for Endpoints that primarily focus on file analysis to detect malware on endpoints, which identifies known issues. But because CESA analyzes user and device behavior and identifies changes and anomalies, it enables threat hunters and analysts to discover malicious or suspicious endpoint activity, often without an additional endpoint agent. Where antivirus and other endpoint solutions would miss these threats, CESA provides early detection that increases security posture. CESA endpoint analytics also complements the broad network visbility provided by Cisco Stealthwatch by following endpoints on and off network, as well as enabling deep endpoint insight into down to the user account, device details and network interface levels of the endpoint.  Together CESA and Stealthwatch cover every aspect of network and endpoint behavior leaving no blind spot unchecked.  

How we address endpoint blindness

Even as security products continue to integrate, endpoint blindness is a persistent problem. Information security (infosec) teams need to know more about what is happening on the endpoints to anticipate where attacks are more likely to occur.

By leveraging the NVM telemetry that endpoints provide, we gain a better understanding of users’ network behaviors and where threats are going to happen. These insights can raise potential red flags like:

  • Are my endpoints suddenly communicating with domains we’ve not seen in our environment before?
  • Has a user changed behavior suddenly, using applications and visiting hosts they don’t usually access?
  • Does an endpoint have unusual traffic patterns? Is it uploading or downloading more than usual? Is someone hoarding or exfiltrating data?
  • Are any machines using unapproved applications or SaaS services?
  • Has security been disabled on an endpoint?
  • Which endpoints have known bad files or applications?
  • What are my users doing when they are not connected to my network?
  • Which devices and operating systems are in use in my endpoint environment?
  • Who is using each device and what are they doing with it?

It’s important to note that CESA is integrated into the Cisco Security infrastructure. CESA works together with network visibility from Cisco Stealthwatch and endpoint control from Cisco AMP for Endpoints. Additionally, Cisco Identity Services Engine (ISE) is used to quarantine users when identified as suspicious. These integrations serve to further increase the security posture of the network.

Cisco’s CSIRT team uses CESA

Many of our case studies come from our partners and customers, but this time our Cisco infosec team put together a case study as they leveraged CESA within the Cisco organization. They used the solution to collect and analyze the data generated by NVM across approximately 96,000 endpoints, and extract context such as user, device, application, location, and destination. The analysis of this data, from when the user is both on- and off-prem, helped Cisco infosec reduce incident investigation time from days to hours, while filling gaps in endpoint visibility.

“Splunk makes accessing the data from NVM, writing queries, and analyzing the data very easy,” said Cisco CSIRT’s Imran Islam.

Before CESA, the infosec team would struggle to determine which user is associated with what machine. And drilling down further was difficult if not impossible – from identifying machine to traffic; from traffic to the application or software process producing it; and then the traffic’s destination, whether inbound or outbound. It was reported by the Cisco infosec team that 80% of CESA use cases could not have been addressed by other technology.

Partnering to create a more secure network

At Cisco, we’re leading the industry in multi-vendor partnering solutions because we understand that collaboration is key to our customers having effective and efficient security across their networks — from endpoint to data center and cloud to campus. In fact, the Internet Engineering Task Force (IETF) recently standardized the XMPP-Grid security data exchange framework – based on Cisco Platform Exchange Grid (pxGrid) – which enables seamless collaboration and the sharing of information between security platforms from multiple vendors.

While no one product can achieve absolute security, no security solution exists in complete isolation. As security products become more interconnected, share context for threats, and participate in incident response, the risk of data breaches and security incidents is increasingly mitigated. This is why we believe in working so closely with our partners like Splunk through the Cisco Security Technical Alliance to integrate solutions that protect against emerging threats and improve customer security.

Splunk’s analytics-driven security solutions continue to serve as a perfect complement to Cisco Security. And we’re excited to see CESA deliver endpoint visibility and advanced threat detection for our customers. Cisco AnyConnect (Cisco’s VPN Client) is already deployed by over 150 million endpoints, and many customers are already running the Splunk console, which makes CESA a simple addition that will bring immense value for infosec’s ability to anticipate and stop endpoint threats before they manifest on the network.

If you don’t yet have these products, learn more about CESA and how you can add Cisco AnyConnect NVM and Splunk here. Stay tuned in the coming weeks for added CESA integration with Cisco Umbrella to enable enforcement at the domain level.

You can learn more about how Cisco infosec utilized CESA in this case study. 

Want to get started with CESA today? If you already have Splunk and AnyConnect, download and install the Cisco AnyConnect NVM App for Splunk from Splunkbase to create dashboards. Then, download and install the Cisco NVM Technology Add-On for Splunk from Splunkbase to bring NVM data into Splunk. Finally, turn on NVM telemetry in your AnyConnect environment as outlined in these tech docs.

Finally, be sure to follow me on Twitter and LinkedIn for the latest announcements from Cisco Security.