Cisco acquired Sourcefire in 2013 as part of a strategic move to enhance Cisco’s security portfolio. Sourcefire’s catalog covers IPS/IDS, Application Security and Control, Firewalling, Malware Detection and a slew of open source tools such as SNORT, ClamAV, and Razorback.
One key piece to the Sourcefire puzzle is the management of the various solutions. This is done through Defense Center, which is the centralized management tool used for visibility of security and network events across the entire network. This post will provide a overview of using Defense Center from a administrative viewpoint.
The people from Cyber Crimebusters developed a Infographic about how Internet forensics has changed criminal investigations. The original can be found HERE.
The interesting points to me are how social media and mobile devices are becoming a common source for investigations. I find it humorous when people post pictures of themselves doing crazy things on social media sources and shocked when that comes back to haunt them later such as in job interviews. I’ve provided examples of how I used people’s data on Facebook (previous job roles, friend’s current location, etc) to pretend I’m a friend from years ago using a fake Facebook ID to obtain data during an authorized penetration testing (more on that HERE). Its critical to know what you have public about yourself and question anybody that seems fishy. Trust me, its better to ask for proof of identity when you don’t know who you are speaking with rather than assume the wrong person is a trusted friend. Continue reading →
Nicole Perlroth wrote a interesting post on the NewYorkTimes blog about a new type of Ransomware and Cisco’s view as it spreads in the wild. The original post can be found HERE.
It has been mere days since federal agents seized control of computer networks used by hackers to infect victims with CryptoLocker, a piece of malware known as “ransomware,” which encrypts the contents of computing devices so hackers can demand a ransom to decrypt it. More on Ransomware such as CryptoLocker can be found HERE.
Now security researchers are seeing an influx of another form of ransomware, called Cryptowall. Continue reading →
Today the folks at openssl.org published a new vulnerability found in OpenSSL encryption. For those that are not aware, OpenSSL is found on approximately 66% of all websites found on the Internet. You can find the official notice on this vulnerability HERE as well as details posted below. This time its a known bug and yet again, we are being told by the openssl team the remediation for this is to upgrade to the latest version of OpenSSL using the recently patches being released. Continue reading →
Every once in a while I like to do a product review. Next up is the meraki MX60 (shown above on the left next to the Meraki Z1). The official MX60 data sheet can be found HERE. The MX60 comes with or without wireless capabilities hence the MX60W means wireless while the one used in this post is a MX60. Outside of that, both models are the same and considered the low end / home model as shown in the next image. Continue reading →
I’m often asked “why did my system get infected when I had the latest system updates and anti-virus enabled?” Well, a fundamental concept behind security products is they can only look for so many things or use so many detection techniques before they must permit traffic. This means your defenses will fail if an attack uses a method that your detection system can’t see or scanner does not have an existing signature to scan against. This is why attackers hide exploits using techniques such as obfuscation to bypass security detection. Continue reading →
There are many SIEM solutions available however I was extremely impressed with recent innovations from Splunk regarding a free Application that can be used to centralize security data from multiple cisco solutions. By definition, a security information and event monitoring system aka SIEM is typically just that; either a good information sorting tool or solution that helps identify and react to events.
One of Splunk’s key market differentiators is their extensive application library developed by customers and Splunk engineering. These applications turn the traditional SIEM into a business enabler to meet specific use cases. Splunk has developed cisco applications in the past however recently face-lifted the cisco Security Application to include Cisco access control (ISE), email security (ESA), web security (WSA), Cisco firewalls, and even SourceFire (both network and only SIEM as of today to support malware aka AMP). This application can link findings with other vendor data such as taking ISE context (IE Joey’s windows 7 laptop on port 1/0/14) and matching it to any captured log by Splunk (For example a McAfee IPS event). This provides a true centralized view of data across a network.
Cisco announced this morning they will be acquiring ThreatGRID. ThreatGRID combines advanced malware analysis with deep threat analytics and content that is used to defend attacks and prevent malware outbreaks. Cisco originally got into the security research market back in 2007 with the acquisition of IronPort, which included a security research division now known as the Security Intelligence Operations akaSIO. Cisco enhanced this research team with the recent acquisition of SourceFire that includes open source projects such as SNORT, ClamAV, etc. ThreatGRID will provide even more research and development around identifying advanced threats as well as compliment SourceFire’s malware detection component known as fireAMP. ThreatGRID’s appliances and cloud offerings should improve the overall security vision of preventing attacks before, during and after they happen.
The people at IDF Marketing created a infographic covering the recently announced Hearthbleed bug. You can find more on IDF MarketingHERE. Check out this overview including a list of popular sites with heartbleed vulnerability status. Continue reading →