NSS labs just released their Breach Detection Systems Report found HERE. The purpose for this report is based on the concept that there is a need for security solutions that extend beyond defense measures found in common security products such as Anti-Virus and IPS network appliances. NSS labs have developed a name for the feature designed to stop advanced threats known as having “Breach Detection” capabilities. Its pretty much technology you would implement as a last layer in the event a threat breaches your firewall, AV and network security defenses. Continue reading
NetFlow is an important tool for incident responders, providing valuable insight into the activities that take place on organizations networks. NetFlow is capable of summarizing information about network traffic into brief records that may be maintained indefinitely, providing a running history of network connections that may be referenced during incident response.
With all the good NetFlow brings, there are still some misconceptions about NetFlow that need to be dispelled. Continue reading
For those that have been hanging on to the old Cisco IPSEC client, its time to really consider a migration. The client will no longer be downloadable as of July 29th of this 2014 year. This also means it will no longer be supported. The official notice can be found HERE. Continue reading
My buddy Aamir wrote a summary of the open source announcement by Cisco at RSA last week (original post can be found HERE). Cisco also announced integrating FireAMP with Cisco email, web and cloud security products. FireAMP gives Cisco products the ability to detect infected files by searching for known hashes, sandboxing unknown files and other detection means. More on the FireAMP capabilities can be found HERE. Another source for these announcements is on the Network World blog found HERE. Continue reading
I wrote a post comparing Cisco’s Next Generation Firewall known as ASA CX vs. Cisco’s Web Security Appliance / Proxy known as WSA HERE. Here is a update to that post as requested by some readers.
In summary, the WSA is a security appliance that can act as a proxy focusing on network bound traffic such as port 80, 443 and 21. The ASA CX is an all ports and protocol firewall with reputation and IPS security (IPS being added in October 2013). Both solutions can provide reputation based security meaning stopping the attacker (more on this concept can be found HERE), Integrate with authentication systems such as Active Directory, can view HTTPS via decryption, application visibly with policy enforcement (IE identify and block Farmsville within Facebook) and detection of threats however detection methods are slightly different (one uses a combination of AV / malware engines while the other uses IPS). Continue reading
The future of security must reach beyond the capability of an appliance. There are too many attack vectors that are continuously changing to detect with a silo solution. It basically comes down to this …. there are only so many signatures that can be checked against as well as behavior algorithms that can be put in place before you must let traffic pass. Odds are, a malicious attacker will eventually bypass detection based on the fact that there are hackers out there with a rack of all the latest vendor IPS, Firewalls, etc. in a lab designed to test how effective a piece of malware is against any enterprise security solution. So in a nutshell, you will only be able to stop the majority of attacks launched against your network. Something will eventually get through. This means detecting and preventing can’t be your only security strategy. Continue reading
Management of security devices is a critical function for maintaining the best performance and being aware of security related events. Cisco has released their second generation of ASA, which includes new management options. This post will cover the new management interface and compare it to the previous options. Continue reading
Pickpocketing is an old yet popular crime. Reason for this is the return can be as high as a robbing a store without the risk of using weapons or be identified by victims. Pickpockets can operate as a team or individually and typically involve a form of deception to conceal the crime. Most victims won’t realize they have been robbed until the pickpocket is long gone and if caught, the criminals face minimal jail time since lethal threats are not involved. Here is a review of the most common tactics used by pickpockets and methods to avoid becoming a victim. Continue reading
I recently stood up a Cisco 4345 Intrusion Detection / Prevention (IDS / IPS) appliance and documented the configuration process. Here is a simple guide to setup a next generation Cisco 4345 IPS appliance.
Cisco offers various forms of threat detection options that range from modules in firewalls to dedicated appliances such as the 4345 IPS. Regardless of platform, the underlying technology is similar using a mix of threat reputation described as identifying attackers and various forms of scanning for stopping attacks. An example of stopping an attacker is blocking websites with “bad credit scores” based on how long they have been up on the Internet, the content of the site, traffic seen from the site and so on. So a website claiming to be a American bank may get flagged based on being seen from a foreign country, recently registered as a new site and flagged for SPAM. The majority of attacks on your organization can be prevented by dropping obvious malicious traffic using this method. This leaves a security solution’s resource intensive detection processes the ability to focus on the remaining 5-10% of attacks that make it through credit scoring based detection rather than scanning everything. Continue reading