A few months ago, Cisco Security announced the SecureX platform with two core capabilities: threat response and orchestration. In that announcement, we brought attention to nearly two dozen integrations with SecureX threat response, formerly Cisco Threat Response.
With SecureX, you can accelerate threat hunting and incident response by seamlessly integrating SecureX threat response and your existing security technologies. You have the flexibility to bring your tools together, whether it’s with integrations that are built-in, pre-packaged, or custom. If you have Cisco Stealthwatch, Firepower, AMP for Endpoints, Umbrella, Email Security, Web Security, or Threat Grid; SecureX threat response is included with your license at no additional cost.
Connect your entire security stack–Cisco or otherwise–for faster investigations Aggregate and correlate security context from multiple technologies in one view Get the most out of your existing security investments, including from our technology partners
The SecureX platform has three categories of integrations:
Built-in integrations are developed by Cisco, or select technology partners, for customers to instantly configure. These typically are integrations where SecureX threat response produces threat intelligence to be visualized in the partners’ user interface. Though there are some exceptions like VirusTotal or when a partner builds the threat response APIs into their core code. Pre-packaged integrations are developed by Cisco or technology partners for customers to use ready-made scripts that they install into cloud infrastructure, which they maintain. The time spent is minimized, as you don’t need to learn any APIs or write any code. These typically are SecureX threat response modules that produce threat intelligence to be visualized in SecureX. These are available modules in SecureX. Custom integrations can be created by customers leveraging Cisco and technology partners’ open APIs. The time spent on integration is reduced by using our resources on DevNet to quickly get started, including training, links to code on GitHub and extensive use case and workflow documentation on ReadtheDocs.
We made a promise in late April: “… we’re speeding up detection, investigation, and remediation across your environment with many more pre-packaged integrations. We are pleased to announce that time is now.
Built-in integrations
VirusTotal is a free service that inspects items with over 70 antivirus (AV) scanner and URL/domain blocked list services. The threat response VirusTotal module allows you to query a URL, IP address, domain or file hash, in the incident response process, to gain additional context from the AV scanners and services as to the threats associated with the sample. You can register for a free VirusTotal account and receive an API key. Threat Response uses the API key on your behalf to include VirusTotal query results in any investigation.
The threat response extension provides the capabilities to right-click pivot from an IP Address in QRadar into an investigation in the Threat Response console and hover over 100+ property field types and query threat response for Verdicts.
The threat response integration allows Polarity to search the Threat Response Enrich API to return information about various indicator types.
ServiceNow Security Operations
ServiceNow Security Operations (Security Incident Response and Threat Intelligence) can leverage the Verdicts, Refer and Response capabilities provided by threat response to assist the security analyst in their investigation workflow. This enables the analyst to take response actions from within ServiceNow to remediate threats.
SecureX Threat Response Add-On for Splunk provides a custom search command allowing users to query threat response for targets and verdicts from observables within a Splunk instance.
Phantom threat response plug-in enables a user, or an automated playbook/action, initiates a query to threat response for Verdicts or Sightings of an observable and render in a table.
Swimlane Security Operations Management
Swimlane threat response plugin allows connection to the Threat Response API, to extract and enrich observables.
TheHive Project – Cortex Analyzers*
The threat response analyzer connects to TheHive, a scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
Pre-packaged integrations
To utilize the pre-packaged integrations, you must first deploy a cloud infrastructure to implement the threat response serverless relay API. We created a step-by-step installation guide and recorded tutorials to make it easier and code on GitHub, that is pre-configured for AWS Lamba. The API itself is just a simple Flask (WSGI) application which can be easily packaged and deployed as an AWS Lambda Function, working behind an AWS API Gateway proxy using Zappa. An already deployed Relay API (e.g., packaged as an AWS Lambda Function) can be pushed to threat response as a Relay Module using the Threat Response Relay CLI. The threat response python API module is available with pip install.
Threat response module for the investigation of IPs and URLs. AbuseIPDB supports both IP and IPv6. API limits: 1000 / day. Returned Entities: Verdicts, Judgement, Sighting, Indicator.
Threat Response module to query AlienVault OTX for observables (IP, IPV6, domain, hash values) and return Sightings and Indicators from the “Pulses” in AlienVault. Pivot to AlienVault OTX UI via refer actions.
Threat Response module for investigations of IPs or domains and receives Sightings response from APIVoid blocklist aggregation.
Threat Response module for investigation of IPs. Query Auth0 Signals for an IP address to find out if it is on any blocklists. Return verdicts for the IP based on the scoring provided. Returns Open-Source Intelligence (OSINT) context from over 100 curated and normalized blocklists.
SecureX threat response module for investigation of IP addresses. SecureX receives a Verdict response from C1fApp. Malicious Verdict as the observable is found on a block list and the Indicator is the feed on which it was seen.
Threat response module for the investigation for verdicts on IPs and URLs, receiving Cybertracker Verdicts and Judgements.
Threat response module for the investigation of IPs, domains, hashes and file names. Returned Entities: Verdicts and Judgements.
The Farsight Security SecureX threat response module enables a user to initiate an investigation for verdicts on IPs and Domains. Farsight Security DNSDB provides enrichment data about IP Addresses (IP and IPv6) and Domains. Certified as Cisco Compatible.
The Gigamon ThreatINSIGHT module enables threat response to query network and threat data for Sightings of observables from the Gigamon intelligence. Gigamon completed the Cisco Compatible Certification for the integration and published a joint solution brief.
The Google Chronicle threat response module enables queries for Sightings of observables (IP, domain, hash, file name, file path) within the SIEM. Also, List Assets, obtain IOC Details, to List Alerts within a time range, and to List IOCs within a time range.
Threat response module for the integration of Google Safe Browsing; a blacklist service provided by Google that provides lists of URLs for web resources that contain malware or phishing content. The Google Chrome, Safari, Firefox, Vivaldi, and GNOME Web browsers use the lists from the Google Safe Browsing service for checking pages against potential threats, and this integration enables the user to have the blacklist intelligence in threat response.
Threat response module for the investigation of a SHA256. The module adds context around a compromised email and username associated with that email and context about a user for an environment. If Cisco Email Security Appliance module is enabled, then it returns that this SHA256 has been sent to identified email addresses, as has been seen in the data breaches. Small monthly for subscription.
The Microsoft Graph Security module queries for Sightings of an observables (IP, domain, hash, file name, file path) within Graph Security Alerts. Threat Response can access large volumes of Microsoft centric data as well as data from 3rd parties in a standardized format.
Threat response module for the investigation of URLs. Returns the Verdict.
The Quays Indication of Compromise threat response module is utilized for the investigation of Sightings of supported observables on Targets. Supports hashes (MD5, SHA256) of the file image on disk, the image on disk for a running process, and the image on disk for loaded modules. Also, File Name (Process Name), IP, Domain, File path and Mutex.
Radware WAF and DDoS
SecureX threat response modules for IP address(es) investigation, for both WAF and DDoS abusive activity, along with Indicators for those Sightings. Certified as Cisco Compatible.
Query SecurityTrails with this module, for enrichment data about Domains and IP Addresses (IP and IPv6). Pivot to Security Trails UI to search for Domains and IP Addresses (IP and IPv6).
ServiceNow Security Operations
The ServiceNow module in Threat Response, enables ServiceNow to be a data source when the analyst starts an investigation in the Threat Response UI or via the API. This enables the analyst to query ServiceNow for historical context from previous incidents that involved a given observable.
SecureX threat response Pivot / Respond menu on an IP address. Shodan is a search engine for Internet-connected devices. Web search engines, such as Google and Bing, are great for finding websites.
Signal Sciences Web Application Protection
Signal Sciences is a leading web application security company, with a next-gen web application firewall (WAF) and runtime application self-protection (RASP) solution. Through the threat response integration developed by Signal Sciences, your Security Operations team will have immediate visibility into attacks across all web application workloads With the integration, you can take immediate action. Certified as Cisco Compatible.
The SecureX threat response SpyCloud module empowers users to initiate an investigation into a SHA256. The module adds context around a compromised email and username associated with that email and context about a user for an environment. If Cisco Email Security module is enabled, then it returns that this SHA256 has been sent to e.g. these email addresses have been seen in the data breaches.
ThreatQuotient Security Operations Platform
ThreatQuotient periodically posts Judgements and Verdicts of observables to Cisco Threat Intelligence API, for visualization in threat response. In addition, ThreatQ uses threat response as an enrichment source for threat intelligence.
SecureX threat response module to submit URL(s) into urlscan.io for threat intelligence context.
The SecureX ecosystem will continue to grow, with additional integrations in development now, both by Cisco and our technology partners. You and your organization are also empowered to build your own. The power of the SecureX platform is yours.
Acknowledgements: My thanks to Michael Auger, manager of ecosystem integrations, and my partner in this endeavor. Michael designed the relay architecture that made rapid development possible, between SecureX and technology partners. Michael led a team of a dozen developers, program managers and quality assurance engineers, and worked closely with partners’ engineering teams; to build 27 integrations with 24 partners for the initial SecureX release. Well done!!
*Community/open source
The post SecureX threat response ecosystem appeared first on Cisco Blogs.
Read more: blogs.cisco.com
Cyber threats are having a significant impact on businesses — that much is clear. Budget and resources are being dedicated to securing infrastructure and applications, and educating staff on the dangers of phishing, malware and social engineering. For marketers, cyber security is quickly encroaching on brand protection as a whole, and rightly so. The lines between the two areas are blurring and in the future it is conceivable that the two disciplines are far more integrated than they are now.
But what about domains? How does domain security factor into wider online brand protection initiatives? While domain registration, renewal and management are an integral part of online brand protection, does security gain the same attention?
Regardless of the current approach, marketers should be focused on this aspect, especially seeing as the threat is increasing in the domain name system (DNS) space. Historically this wasn’t a target for cyber criminals or hackers, but as they become bolder and more sophisticated, nothing is off limits.
What’s the damage?
In an internet-enabled world, any issues with a brand’s website can have potentially devastating consequences, from loss of sales and revenue, to diminished customer trust. So how can hackers cause damage and disruption by launching a domain attack? Firstly, they can take your website offline. No website means no customers and no sales. Secondly, they can redirect traffic from your website to another one that may look like yours. In this way they can capture customer data, such as personal information or payment card details, or they can use the misdirection to sell counterfeit goods. Lastly, they could also possibly hack into your DNS account and transfer your domain away from your organisation.
Domain protection
Given the importance of domains, what should brands do to secure them and mitigate the risk?
Work with the right corporate registrar
Choosing the right corporate registrar is the first step in a domain security plan. The right register will have hardened security practices in place and an excellent understanding of the landscape, the threats and the ways to mitigate them. Such a registrar will also have specialised security features for preventing, detecting and responding to attacks against any domains, including:
Restricting access to a portal via an IP address Sending notifications on any name changes Avoiding automated emails as a primary means of communication Keeping activity logs to track all domain name updates Maintaining strong password management to force password changes Offering multiple levels of access Consolidate your portfolio
The best way of securing your domains is to know which ones you own — maintain careful records of all domain names across all your brands, offices and locations. Ideally, this should be a centralised, global view to ensure you’re always looking at the whole domain picture.
Monitor critical domains
It’s also important to constantly monitor the domains that are core to your brand. Again, working with the right registrar can help here, as they can monitor for differences between the nameservers stored at the registry compared to the nameservers stored in their databases. A mismatch could be the first sign someone has broken into a registry system and made an unauthorised update.
Use two-factor authentication as standard
When accessing a domain management portal or DNS management portal, use two-factor authentication because it provides an extra layer of security that requires not only a password and username, but also something that only the user can give, such as a one-time password via a physical token.
Use domain locking
To mitigate the threat of domain name hijacking, you should ensure your domains are locked. This means they can’t be transferred. Taking this a step further, you should also implement registrar locking, which is an elevated locking mechanism that freezes all domain configurations until the registrar unlocks them upon completion of a customer-specified security protocol. This should be applied to your most mission-critical domains such as transactional sites, email systems, intranets and site-supporting applications.
Moving forward
The threat that cyber criminals and hackers pose to brands shows no sign of abating. While the consequences of an attack could be severe for an organisation, there are ways to mitigate the risk, especially when it comes to domain security. Importantly, domain security needs to be considered as part of a much wider online brand protection strategy that also takes the cyber threat into account. As a result, working with the right partners and having the right processes in place can position your organisation to effectively deal with the threat.
Interested in hearing leading global brands discuss subjects like this in person?
Find out more about Digital Marketing World Forum (#DMWF) Europe, London, North America, and Singapore.
Read more: marketingtechnews.net
Cyber threats are having a significant impact on businesses — that much is clear. Budget and resources are being dedicated to securing infrastructure and applications, and educating staff on the dangers of phishing, malware and social engineering. For marketers, cyber security is quickly encroaching on brand protection as a whole, and rightly so. The lines between the two areas are blurring and in the future it is conceivable that the two disciplines are far more integrated than they are now.
But what about domains? How does domain security factor into wider online brand protection initiatives? While domain registration, renewal and management are an integral part of online brand protection, does security gain the same attention?
Regardless of the current approach, marketers should be focused on this aspect, especially seeing as the threat is increasing in the domain name system (DNS) space. Historically this wasn’t a target for cyber criminals or hackers, but as they become bolder and more sophisticated, nothing is off limits.
What’s the damage?
In an internet-enabled world, any issues with a brand’s website can have potentially devastating consequences, from loss of sales and revenue, to diminished customer trust. So how can hackers cause damage and disruption by launching a domain attack? Firstly, they can take your website offline. No website means no customers and no sales. Secondly, they can redirect traffic from your website to another one that may look like yours. In this way they can capture customer data, such as personal information or payment card details, or they can use the misdirection to sell counterfeit goods. Lastly, they could also possibly hack into your DNS account and transfer your domain away from your organisation.
Domain protection
Given the importance of domains, what should brands do to secure them and mitigate the risk?
Work with the right corporate registrar
Choosing the right corporate registrar is the first step in a domain security plan. The right register will have hardened security practices in place and an excellent understanding of the landscape, the threats and the ways to mitigate them. Such a registrar will also have specialised security features for preventing, detecting and responding to attacks against any domains, including:
Restricting access to a portal via an IP address Sending notifications on any name changes Avoiding automated emails as a primary means of communication Keeping activity logs to track all domain name updates Maintaining strong password management to force password changes Offering multiple levels of access Consolidate your portfolio
The best way of securing your domains is to know which ones you own — maintain careful records of all domain names across all your brands, offices and locations. Ideally, this should be a centralised, global view to ensure you’re always looking at the whole domain picture.
Monitor critical domains
It’s also important to constantly monitor the domains that are core to your brand. Again, working with the right registrar can help here, as they can monitor for differences between the nameservers stored at the registry compared to the nameservers stored in their databases. A mismatch could be the first sign someone has broken into a registry system and made an unauthorised update.
Use two-factor authentication as standard
When accessing a domain management portal or DNS management portal, use two-factor authentication because it provides an extra layer of security that requires not only a password and username, but also something that only the user can give, such as a one-time password via a physical token.
Use domain locking
To mitigate the threat of domain name hijacking, you should ensure your domains are locked. This means they can’t be transferred. Taking this a step further, you should also implement registrar locking, which is an elevated locking mechanism that freezes all domain configurations until the registrar unlocks them upon completion of a customer-specified security protocol. This should be applied to your most mission-critical domains such as transactional sites, email systems, intranets and site-supporting applications.
Moving forward
The threat that cyber criminals and hackers pose to brands shows no sign of abating. While the consequences of an attack could be severe for an organisation, there are ways to mitigate the risk, especially when it comes to domain security. Importantly, domain security needs to be considered as part of a much wider online brand protection strategy that also takes the cyber threat into account. As a result, working with the right partners and having the right processes in place can position your organisation to effectively deal with the threat.
Interested in hearing leading global brands discuss subjects like this in person?
Find out more about Digital Marketing World Forum (#DMWF) Europe, London, North America, and Singapore.
Read more: marketingtechnews.net