
October 2, 2024 • 50 mins

Cisco Secure Endpoint is a comprehensive endpoint security solution designed to protect devices from various cyber threats. It provides a range of security features to safeguard your endpoints, including:

Endpoint Protection Platform (EPP): Offers real-time protection against malware, viruses, and ransomware attacks.

Endpoint Detection and Response (EDR): Detects and responds to advanced threats, including file-less attacks and living-off-the-land attacks.

Vulnerability Management: Identifies and prioritizes vulnerabilities on your endpoints, helping you patch them promptly.

Data Loss Prevention (DLP): Prevents sensitive data from being exfiltrated from your endpoints.

Network Access Control (NAC): Enforces network access policies based on device health and user identity.

Cisco Secure Endpoint is designed to work seamlessly with other Cisco security solutions, providing a comprehensive and integrated approach to endpoint security. It offers a centralized management console for easy administration and monitoring of your endpoints.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
All right, well, for everybody on the call, thanks for joining. Good afternoon, good morning if you're on the West Coast. It is Thursday, November 16th, and welcome to the Security in 45 show: no slides, just conversation.

(00:16):
That's our motto for the show.
Each episode of the show covers a different security challenge in the industry, and we talk about how to protect users' devices from those challenges. Now, last session was awesome. We talked about XDR and what that means, and then we also talked about Cisco XDR. That recording and all the recordings are available on Cisco.com, making it easy to get caught up if you missed anything.

(00:44):
Andres, for today, what is on the agenda?
Oh, we have a really nice session today. Very excited to get to talk about user and endpoint protection.
This one feels like it's connected to the previous one and XDR, so very happy that we can make that connection here as well. But yeah, today we're joined by two super special guests.

(01:12):
Chad, he's known as the Iceman here on the team. He has a really great background in Cisco ISE. And then we also have Eric Howard. He's a leader and technical manager for the security platform and response group. Hopefully I got that right.
And we're super excited to have you guys.

(01:34):
At the end, I want to make sure that I mention this: at the end we have a feedback section. As soon as you close Webex, it's going to ask you a few questions.
This is going to be a survey. Just make sure that you fill it out. From all the participants, everybody that fills it out, we're going to make sure that we select one winner for a really nice Cisco hoodie.

(02:03):
And I like that hoodie. First off, I'm super pumped about our guests. Eric, long time. It was great getting to catch up with you about your background coming from FireAMP and Sourcefire, and just a lot going on there in terms of technical depth.
Chad, I've known you for so many years, all the way back to the TAC days, specializing in Cisco ISE and now just being on a general security team.

(02:24):
Quick question about the hoodie. It is starting to get a little cold here in North Carolina. Am I eligible for the Cisco hoodie?
No, Mike, this is just for the audience. Just make sure.
All right, well, I had to ask. We've got two great guests on the show and only 45 minutes. So let's kick it off.
And Eric, I'll give you the first one here. You know, you've got a strong background in a lot of different areas in security. Now, specific to the endpoint, can you talk about what you have seen in your experience about protecting the endpoint and how that's evolved over time?

(03:01):
Yeah, yeah, I'm glad to be here. Thanks for the opportunity.
Intro was great, Andre, except for the manager part. I'm not leading a team anymore. I'm back to being an individual contributor, and I'm actually pretty cool with that.
But right, so I have been in security for a little while now, and I've seen a few things change.
You know, if we think back to several years ago, even the motivation behind a lot of attacker stuff was vastly different, whether it was, you know, people that had a political message, right, when they'd hack a site and post a message like Free

(03:38):
Tibet or something like that, or it was just, I want to, you know, knock a network offline, whatever the case might be. There wasn't as much. Certainly, you know, look at today: ransomware, reasons to get at data, holding things hostage, money behind it.
So the motivations have greatly changed for many who are now involved in attacking networks. The reason why they're doing it is different, and that motivation also drives innovation, right? It's not enough to just knock a network off the internet,

(04:15):
but I want to be able to do something that gives me continued access to the systems that are going to then be valuable to me as an attacker. That then means that I as a defender have to be innovative also in what I do. In the days of SQL Slammer, if that was
your threat, right, all I really had to do was drop an ACL in the router. Or if I had a simple packet filter firewall, I could block access to a particular port of traffic coming into my network and shut it down there.

(04:47):
My network settles down, and things begin to really kind of normalize themselves. Different day now, right? That ton of traffic, the DDoS stuff, while it's still there,
most attackers are going to be very stealthy and very targeted. They know what they want. They know how to get it, and they know how to slip in amongst the normalcy of traffic in an environment.

(05:10):
And if they can just get a toehold, that's all they need to make their pivot into gaining a foothold for persistence, to ultimately capture data or systems that are valuable to an enterprise.
So it's innovation that's been somewhat driven by attackers that has made us as defenders have to level up. Some of it has been whack-a-mole over the years, right? They do this, we do that. They do this, we do that.

(05:39):
But I think we've reached a point where we're thinking now as defenders, there are better ways to ensure that we are preparing ourselves to get the visibility our customers will need, or analysts or users will need, so that no matter what
an attacker might take, the products that our analysts are tasked to use to defend an organization, users and systems, those products are ready for those new pivots. There will always be new and novel attacks.

(06:10):
But there are ways, if we understand the systems and networks and environments and users that we're tasked to protect, there are ways that we can get ahead of that.
And so that now comes into systems that now do things like behavior analysis, not just looking at what landed on the system, but what does the execution chain look like.
What's the process chain lineage from one process to another? What command line flags are used for execution? And how does that then turn around to point out attacker motivation, which then should inform how we do containment, remediation, etc.?

(06:48):
So it's ever changing. It will continue to change. And I think we may even get into this in a couple of questions later: there's some things I think we can do to better prepare ourselves for the changes that nobody can guess about.
Excellent. And I guess it definitely becomes more difficult, too, with the larger threat surface we have to protect. As you mentioned, the attackers are getting smarter, and they also probably have, I guess, more availability to areas that they could attack in the network.

(07:14):
Yeah, so I was privileged to speak at a summit a few weeks ago in Boston, and I didn't argue this point heavily, but I just kind of planted a seed with a question of what really is an endpoint, right? What really is an endpoint depends on who you ask.
Certainly there are, you know, the devices that all of us have in our day-to-day work, the laptops that we use, the servers that host data or that we need to connect to to deliver some outcome. But there are also, you know, the devices that we love and keep on us

(07:49):
every single minute of the day, many of us.
The things that are always connected and have surfaces that are not even well understood in some cases. But I would even say that, you know, there are other systems that are not necessarily considered an endpoint but in terms of an attacker's operational space are absolutely
endpoints. Consider some of the things around the IOS vulnerability, right, that was announced just a few weeks ago for Cisco. Not iOS on iPhone; IOS, Cisco IOS, where routers could be toppled and used for attacker purposes.

(08:25):
And so then that device, which is supposed to just be passing bits back and forth, can be offering services, TFTP services, staging for pivot points, etc. There is a command line there that can be used and abused.
And so that becomes an endpoint from some perspective in the attacker's operational space that has to be considered. How you farm for data out of that endpoint might be different than the Windows or Mac or Linux devices that we all typically call an endpoint, but everything

(08:55):
from some perspective in the attacker's operational space is an endpoint, if they can get a hold of it and use it to their advantage.
Excellent. Absolutely right. Yeah, and that was actually really good.
That we got into it. We talked about the whack-a-mole piece. That's a pretty cool analogy. Now, the next question I have is for you, Chad.

(09:23):
I just wanted to ask you, from what you've seen in the industry, how successful have the bad guys, as we call them, been with endpoint-specific attacks recently?
They've been extremely successful, very successful, and they are continuing to work on their craft, which keeps us busy, keeps us in the business, and on the defensive side, making sure we have the protection in place to stop them or at least slow them down.

(09:55):
But as Eric said, it's an ongoing battle. They are continuing to find different tactics and techniques they can use to leverage these vulnerabilities within solutions. And then specifically when we're talking ransomware, ransomware is at an all-time high right now,
and I know a few of us, if not all of us, are familiar with the Colonial Pipeline attack, and we're also familiar with the MGM attack that took place this year. And in terms of MGM, they thought they had the right pieces in place. They thought they were doing things

(10:26):
the right way with MFA. But as I said, these malicious actors are getting creative, and within the MGM attack they were able to phone into a help desk and impersonate an admin to get their credentials reset.
So again, you think you have everything in place when you deploy software out to these machines, but it's a lot more involved than that. We have to educate the users, the employees, because this was a layer eight issue.

(10:57):
The software was in place, but the people who were in charge of making sure things were working as they should were somewhat slipping. They were unaware of what was going on, and that opened the door for an attacker to get in. That attack
cost MGM millions of dollars. So the attackers are extremely successful. And again, it's keeping us busy on the defensive side, but it's something that we also have to do. We also have to continue to get better on the defensive side so that we're able to better protect

(11:30):
ourselves and patch these vulnerabilities. So yes, to answer your question, extremely successful. Yeah, getting very creative with everything that, you know, is coming up, and I know Eric mentioned that as well.
There is always a zero day, always something new. It is always something that evolves in that space. So that's good. Thank you for that answer, man.

(11:54):
Eric, anything you want to add on that point about specifically some of the success of these attacks? I know
I love to gamble, so I really hope that, you know, that type of attack is not happening when I'm at MGM. But I know that was a joke inside those $100 million, you know, breach there.
Yeah, no, not a ton to add. I think Chad covered it well. One thing I will say, this is kind of a known thing, right, that we're defenders, and as defenders, we tend to lean into the fact that we have to be right

(12:32):
100% of the time, where we need to be accurate with what we're doing. We need to ensure that we are doing it well, that our processes line up with the programs that run inside of our organization, and that the systems that we are tasked to protect
are using software that will work there. The attackers only got to be right once, and working in that kind of environment can become a thing that weighs on you, like, man, no matter what I do, I could still miss something.

(13:04):
But right, that also builds in a great challenge for us as defenders. It gives me a chance to think about this: if they're successful, why are they successful? Was it a product issue, or was it a process issue?
Either way, I can address both, right? If it's a process issue, we do the work, tabletop exercises, whatever the case might be, to make sure that that process doesn't fail me in the future.

(13:29):
If it's a product issue, I bring in the teams, vendors, whomever is necessary, to say this is how this happened; we can't have this happen again. How do we correct this? What's the course correction we need to bring to bear? But we still go to work with the
fact that I've got to be right 100% of the time today, because the 1% that the attacker is right and I'm wrong is $100 million. That's crazy. I mean, to your point, Mike, I was trying to book some time

(14:00):
at MGM when that thing was going on. And before I even knew that there was something real going on, I was just like, why is this so hard? What's happening? Why can't I log into my MGM app on my phone and book a room or something like that?
I've got to be right 100% of the time, but that is also the inspiring thing that gives us work to do as defenders: there's always more space to get better. And so rather than have that weigh on us, right, it should inspire us as defenders that I can always be better.

(14:32):
They're going to be better; I can be better.
Well, in terms of keeping everyone detecting threats, and especially these really successful threats that have a lot of social engineering and have maybe spread laterally,
when I think about stuff like that, I think about the MITRE ATT&CK framework.

(14:53):
How important is the MITRE ATT&CK framework? Kind of high level, what is it, and how can we use that to defend against these well-funded criminal groups?
Yeah, great question. I think that was for me. If not, I got boxed in on it.
I would like to say, and I'm sure I'm not alone in this and I'm probably not the first one to say it, but I'd like to say that the MITRE ATT&CK framework has become the lingua franca of security, right? It is the common language that helps us connect the dots

(15:28):
on what adversaries need to do, and why they want to do it, and what defenders should be doing, and how they can be successful against those same adversaries. Right, it is a way to describe an attacker's motivation and the steps they take to achieve their
desired goals. As a defender, I can use that to my advantage if I understand why an attacker does what they do. So I am one who leans heavily into the school of thought that we should not become incredibly preoccupied with particular techniques,

(16:10):
because there are hundreds of techniques in the MITRE ATT&CK framework, and what a technique is, is a simple description of the steps an attacker will take to achieve something that they want. That achieving point is a tactic. It is what I need to get done:
I want to elevate privileges. How do I elevate privileges? There are many techniques, or ways, or steps I can take to elevate my privileges on a system.

(16:34):
So the tactic would be to elevate system privileges. The technique could be, right, getting the hashes out of /etc/passwd and running through rainbow tables to find weak, dictionary-style passwords, or pulling SAM hives, or whatever the case might be. There
are many ways to achieve the tactic of obtaining system privilege escalation, many, many, many ways. What I would lean heavily into is that techniques are important, one, but the MITRE ATT&CK framework also presents this notion of how to instrument our

(17:17):
hosts, networks, cloud services, whatever the case might be, to watch for any technique, period. So if you go through the MITRE ATT&CK framework and you're looking at a particular technique, it'll tell you the discovery sources, the data sources.
And if you look at the data sources the right way, the data sources should give you the telemetry that can then be used to uncover the technique used. And so I think any defender that wants to use MITRE should start with that notion of what are the data sources.

(17:50):
That then shows me two things. One, where am I blind? What am I not looking at in my environment or on my systems? What data sources am I not collecting? What data sources am I not logging against? What data sources does my security stack miss? But then it also shows me,
now, what are the techniques I can catch, knowing what data sources I have available to me through the instrumentation of my security stack. And so that's what I like to lean into. MITRE is incredible. It is a great way to explain what an attacker has done and even maybe

(18:26):
explain why they did so. But I like to see us as defenders use it primarily to get our users ready, to make sure their networks are properly instrumented, no matter what a technique might be or which tactic an attacker might employ.
I'm watching everything, and I'm able to see what they did. Because at some point, I may not have the detection routines available, described in some language, for the network or the endpoint, but I've got the logs, and I can run through that stuff and put the pieces together and tell the story.

(18:57):
Data sources become critical when we look at MITRE as a framework from a defender standpoint.
And to add to that, I know a ton of our customers are thankful that we have tied the MITRE framework into several of our security products. So if you're unfamiliar with those tactics and those techniques, and you are an endpoint customer, whenever there's an event that applies to or is associated with a MITRE technique or tactic, it is right there in the dashboard.

(19:26):
So you can go ahead and click on that and learn about it. So you now have an understanding of this tactic, this technique. And then we continue to do that with our NDR solutions, network analytics.
We are tying this together just so we can keep everyone informed on the MITRE ATT&CK framework.

(19:49):
That's actually really good. It opens up so many things, so many opportunities from the MITRE framework, just in how to look into an attack, into something that is happening in your network. Pretty cool.
I guess the next one is going to be interesting because we're taking that information, the same information we just talked about. And this question is more about what is... and this is for you, Chad, and Eric, at the end, if you want to add something, of course.

(20:24):
But what is that protection beyond the endpoint? And I know we mentioned it earlier: further upstream at the network and cloud layers, how important is that endpoint security for us, for a company?
What do you think? Got you. So when it comes to upstream protection, a layered approach is necessary. It is necessary. I know with a security stack there are some features that may overlap across different security solutions, but that's there for a purpose.

(21:00):
We all have a firewall in place that may be inspecting that north-south traffic. You may have a firewall inside your network doing some east-west inspection. You have your email security solution that is inspecting emails that come in.
But there are attacks that make it through those security measures. And that's why it's super important to have that layered approach.
There are times I talk to customers who maybe are thinking, I don't need file inspection on my firewall; I have it on my endpoint.

(21:28):
I think you need both. It goes back to what Eric said. An endpoint is not just your PC, your laptop, your phone, your tablet.
An endpoint extends out to the IoT devices. So a thermostat, a printer. And those devices, you're not able to deploy an EDR solution to. So you're not able to perform the same checks, the same inspection of that traffic, on those types of devices.

(21:52):
So that is where you have that layered approach. You have maybe an NDR solution inspecting that east-west traffic. That's why you have a security stack that is tightly integrated and on the same page.
So if your EDR solution sees malicious or suspicious activity, why don't we let our NAC solution lock down all the ports in that office, across the environment, worldwide?

(22:15):
So that if, by any chance, that actor is able to get that agent off that PC, we have them protected at the access layer with a NAC solution.
So going with the layered approach is super important and should not be overlooked, because, like I said, they're finding ways in. They're getting creative. They are constantly perfecting their craft, and they will find a way in.

(22:40):
So that way we want to have the right security measures in place to prevent that or stop it, stop the bleeding as soon as we can.
That was great. No, thank you for that.
That's a great point about something like a thermostat or a printer. That is just such a vulnerability waiting to happen if you were only reliant on an EDR.

(23:04):
So you do want to have that upstream protection for that. I think that's, Eric, to your point about getting in the mind of how the attackers are thinking.
I think they're thinking along those lines. Like, there are even devices out there that are not being examined, that don't have endpoint protection on them.
If I could get to those because someone doesn't have layered security, then that's an easy way in.

(23:29):
Without a doubt. I mean, I called out a Cisco router, but to Chad's point, it is all of those little devices that, when they wake up, try to figure out where they are in the world by doing DNS requests to figure out, you know, what am I talking to?
Can I phone home? Is there a firmware update I need to install? All that kind of stuff. That means that there is some form of host that can be compromised there on those devices.

(23:54):
I think Chad nailed it. Everything needs to be considered. And I don't, you know, I don't want to push too far. I know you guys have got another one of these coming up in about a week on XDR.
But this talks about why you need something like XDR, a stack of both network and endpoint, to really give visibility and broad protection.
Although I do say, you know, the endpoint is the last best hope, right, of defending a network. That doesn't mean it has to happen on the endpoint itself.

(24:21):
It means that we need to think of everything as an endpoint that needs to be secured, and how we get the visibility we need could be, as Chad mentioned, in front of it, up the stream somewhere.
I mean, services are being deployed in real time based on need to cloud services. Like, on demand, I need to spin up extra resources to handle load. We're headed into the holidays, guys, right?

(24:47):
Cyber Monday's coming. Nobody's running all that stuff in one data center. Nobody's building servers to plan for all of that stuff. They've got stuff that's watching to say, when load increases, spin up new instances.
Are you ready for that? Those are new endpoints that have to be secured and protected, maybe at the endpoint within the workload itself or just outside of it.

(25:08):
But you still have got to catch those new endpoints as they come online. So, yep.
Exactly. Excellent. Now, Eric, if I'm listening in to the four of us talking and I'm thinking, well, there's a lot of need to secure.
It's not just the users, but also the devices they're on. What recommendation or advice, you've been in the industry a long time, would you give to someone who maybe was recently tasked by their manager:

(25:34):
Hey, you're now on the security team. I want you to look into how we can begin to secure users and endpoints. Where do you even start?
It hasn't changed over the years, to be honest. I used to talk a lot about network cartography projects.
Do we have a simple map of what's in the network? Or do we have an understanding of not just the topology of the data center, but the flows of traffic? Have we been able to plot that to see what's normal?

(26:05):
And when I say data center, I mean our cloud services, our own on-prem stuff, wherever the data lives, wherever the applications are presented, however users connect, right? Do we understand that?
And this cartography project to me is a starting point. It comes from the thought that if I don't know it's there, if there are unknown unknowns, that's the most dangerous stuff to a defender.

(26:31):
Because I can't defend what I don't know needs to be defended. And if I don't understand how it presents itself, I don't know the best means whereby to defend it.
And so how you get there is going to be different based on organizations, right? I've seen customers and users do stuff like network scans to try to hunt through their IP space and see what responds.

(26:56):
That's not going to work everywhere. So I've seen them deploy passive discovery technology in other places that finds new hosts, where you can't scan into or won't scan into certain environments. But start there.
And nobody, I've talked to many, many, many customers, and none of them tend to like their asset inventory software or spreadsheets. No matter what they've done, everybody's got a complaint about asset inventory.

(27:21):
But if you don't have some sense of asset inventory, you're starting blind. You're starting blind. You don't know what policies to configure or how to configure them.
You don't even understand the environment and the demands of it for protection. So I start there. No matter the size of the environment, if it's a big, huge enterprise, you've got to take it chunk by chunk, segment by segment, maybe even office by office, region by region, continent by continent.

(27:46):
But you've got to get some sense of mapping, be it active or passive, of what's there for me to protect. What's been talking to the Internet?
What has been receiving connections? And having a mapping of that begins to help me establish the baselines of normalcy, normal use of the network, and a sense of normalcy in terms of the protections that I should deploy first.

(28:12):
Most folks are going to start at the network layer. They're going to start with a firewall, maybe an IPS. They're going to start with some network detection pieces because it's just easier.
I've got choke points in the network where I can plug that stuff in. I can tell routers and switches to give me flows, right? That becomes easy to do. Great. Awesome place to start.
Layer that over the network cartography project stuff and begin to say, now at the endpoint layer, what are the vulnerabilities that are being presented, and the posture of those assets that are making these connections out?

(28:45):
Having a sense of the vulnerability of operating systems and applications shows me how to deploy the protections in very specific ways.
IPS, right? As an example, I used to tell the story. I would tell the Firepower story along the lines of this analogy of a hole in a roof, right?

(29:06):
You can have a hole in your roof, and that presents several areas of risk. What I do to cover that hole will determine what risk I can prevent. If I put a tarp over the hole in my roof, well, I can keep out precipitation for the most part.
I may be able to keep out birds. I can keep out squirrels. No, you'll never keep out squirrels. Squirrels will always find a way. Insects will make their way in. I can put chicken wire over the hole.

(29:42):
That won't do anything with precipitation. It might keep out some larger insects, maybe birds. Again, squirrels will win, right? The right way to do it is to understand the nature of the vulnerability and then apply the appropriate fixes against that.
It is to rip up all of the shingles, examine the paper, examine the plywood, and figure out how do we appropriately fix this thing. That's why I start with the cartography project. What's really there?

(30:16):
How does it present itself? With knowing the vulnerability to my network, because I know what's there, I can then apply controls in the best way.
A tarp might be necessary for three days until I can get roofers out up there, but I've got to know. I probably have got to chase a squirrel out of the house in those three days or something like that, right?
Do I have branches hanging over the roof? Something's going to get in, and I need to take care of that also. So, cartography for me is where it starts. Understanding the assets, knowing what's there, how they present themselves, knowing how the applications are presented and what vulnerabilities are mapped there.

(30:53):
And then lastly, the thing next to the endpoint: the user. Chad mentioned this, the layer eight problem for MGM, right? What user protections can be put in place right away?
That might even help in the gap between the network and the endpoint pieces. If I can roll out things like multi-factor authentication, if I can do some things that help the user help me to ensure that they're not clicking links unnecessarily,

(31:22):
that's stuff that can help, even as I'm taking the longer-term approach and making sure the endpoints are secured everywhere they are, no matter how they connect, doing things like VPN for access, zero trust as an architecture topology that lays across it.
You've got a whole lot of stuff to consider. Start with understanding what you have to protect, first and foremost.
Excellent. Yeah, you can't protect what you don't know is there. So, go ahead, Chad.

(31:46):
Exactly. Exactly. And to add to that, being an ISE guy, a NAC solution is super important. It gives you that who, what, when, where, and gives you that visibility into what is on your network.
Using profiling to classify those devices, knowing that we have a user coming in on an Apple iPad versus a Windows 10 or Windows 11 workstation.
Tying that into vulnerability platforms with Threat-Centric NAC, now we're able to apply vulnerability scores and quarantine these endpoints until we're able to patch those devices.

(32:17):
So, speaking my language, when it comes to protecting these switch ports, protecting the wired and wireless environments, protecting the VPN connectivity, it's all protecting the endpoints along with the users.
That's really good. I love the analogy. Actually, it just got me thinking a lot.

(32:39):
And so right about the squirrels, man. Squirrels always win. I say that all the time. Squirrels always win. They will find a way.
Awesome, guys. All right. The next question I have is, I know Cisco launched something at the beginning of the month. I know we've internally been talking about it for a few weeks before that, but tell us a little bit about the user protection suite, Chad.

(33:08):
I think I know we've been talking a lot about this, but if you want to expand a little bit on it, that'll be great for listeners.
Yeah, sure. So, yes, we have a few protection suites. So we have our user protection suite, our breach protection suite, and the cloud protection suite.
But with the user protection suite, this is broken down into our unified license structure using Essentials and Advantage. The Essentials user protection suite supplies you with our latest SSE offering, being Secure Access.

(33:43):
It gives you access to Duo for MFA, zero trust access for applications, single sign on, email threat defense.
With email threat defense, of course, everyone has a gateway that they're able to get visibility into those incoming outgoing emails. But when you throw in a solution like email threat defense, now we get visibility into those internal messages.

(34:07):
So we're seeing incoming, outgoing, internal messages. And with email threat defense, what we're doing is able to look at the context of the message and actually understand the intent by leveraging AI.
And we're able to apply those advanced analytics to stop threats that maybe your email gateway may miss. So it is complementary or supplemental to your existing email gateway.

(34:31):
And then with our advantage package, it includes those three solutions, but then we extend out to endpoint. As Eric mentioned, endpoint is that last line of defense.
And then when you couple that with something like secure access that has the DNS layer security, that is your first line of defense. So with our user protection suite, we're able to start you on your zero trust journey by protecting that first line with handling the DNS request.

(34:58):
Being able to stop a malicious connection from even happening. But also when we have attackers that are able to slip past that first line of defense, we have you covered with endpoint to cover you.
And that is our user protection suite. And again, it helps you get started on that zero trust journey.

(35:20):
Yeah, I've demoed some of these kind of, you know, 1 plus 1 equals 3 things in the past. One of the ones I'll bring up that Chad just mentioned: there's cloud to cloud integration between Cisco Secure Endpoint and Duo right now.
So for the user protection suite, you've got a great use case whereby if Cisco Secure Endpoint sees something on a host and it believes that host to be in a compromised state, the Duo cloud gets that information immediately and is able to change access permissions for that user on that device.

(36:01):
So that if they were logging in to O365, but Secure Endpoint has seen something that says that system's compromised, Duo will say, "Nope, you don't get to log in anymore. Shut it down."
And once you've then resolved that in the endpoint cloud and set that case to done in the inbox (there's a work box called the inbox), you set that to a resolved state: that compromise has been addressed.
Duo lets them authenticate as needed, right? So you've got this multi-stage view all the way out to the user on a particular device and its state of compromise or non-compromise in the network.

(36:33):
But again, that's cloud to cloud. That's not even having to have multiple connectors that you've got to make work together. Just the clouds, because it's all Cisco.
They work together and understand the state of the system, the state of the user, and drive that outcome, so that I can have that first line, that first kind of dipping my foot into that zero trust access stance: this is compromised, so this user on this compromised device

(36:59):
can't get access to key critical resources that they could five minutes before, but once that state's resolved, they can proceed with their work.
I think that is a really important point, like that dynamic, continuous verification, not just when they connected to the network, you know. But Eric, like you said, you accessed some type of malware after the fact, we caught it.

(37:21):
And we're keeping an eye on things. Yeah, we call it, you know, so if you go to an amusement park, there's that "you must be this tall to get on this ride," right?
But who knows whether, once you're on the ride, you've taken the safety bars off or wiggled your way out of them, taken the seat belt off, you're leaning out of the side of the car, whatever, right? So there's that initial assessment of "you have access," but then

(37:46):
there's the always watching, you know, the visibility that's needed to say, hey, you got access because you were okay, but something's wrong now, I need to inform everything else that you shouldn't be allowed access anymore.
Excellent. Excellent.
All right, well, we've only got one more question for you guys. Thank you so much for the topics the interaction has been great.

(38:12):
I want to make sure we do have time for the dad jokes, because, you know, everybody loves the dad jokes. So, I'll throw this one out there, maybe like a minute, minute and a half response, but this goes back to that user protection suite, Eric and Chad, and one of the
products in that that I've been waiting a long time for is the Secure Access product. So maybe if you could just elaborate just a little bit on Cisco Secure Access. We advertise that as a turnkey, you know, solution, so open up, maybe a minute, minute and a half.

(38:41):
Yeah, Chad, I'll let you go off. I'll come behind you.
All right, sounds good. So, with Secure X, that is our latest SSE offering, the whole movement with SASE, with the convergence of networking and security. We are applying the security controls using Secure Access.
So, a lot of you may be familiar with Umbrella and the features that Umbrella has to offer. We've added those into Secure X. So, I'm sorry, into Secure Access. So, with Secure Access, you get that DNS layer security for your users on and off the network.

(39:12):
You have access to the cloud-delivered firewall for layer 3 through 7 firewall rules. You have that secure web gateway, full web proxy for HTTP and HTTPS, your 80 and 443 traffic.
But then on top of that you get the CASB functionality, application control and visibility. So, all of those security solutions, all the security features, are there to help extend security past your perimeter, past your edge.

(39:40):
But what really sets Secure Access apart from Umbrella is now we have zero trust network access built in, where your users are not having to connect to the VPN to access a private application.
We also have VPN as a service included in that, so now instead of connecting to a head end at a branch location, a data center or HQ, your users are connected to a VPN head end in our cloud, and all of your branch locations, all of your cloud environments, are connected to that same cloud, allowing your users to pretty much connect to any network and get access to all the resources they need access to.

(40:20):
And again, that's under one unified dashboard, one policy where you're able to configure those identity-based controls. You're able to do some posturing and keep everyone secure, but also just take a load off your shoulders where you don't have to worry about maintenance on those head ends.
Cisco takes care of that for you. So, yes, that is our SSE solution that I am super excited about and have been waiting on, and glad that we're finally here to showcase that product.

(40:46):
Yeah, from my perspective, right? The client that plugs right into that is Cisco Secure Client, which delivers modular capabilities across the endpoint visibility stack, right? It could be EDR needs.
It could be NVM for the network visibility module that gives us connections between processes that are launched, user information, and the traffic initiated out of those processes or received by those processes.

(41:12):
It's the detail of those individual hosts that are going to be used for these, you know, just workday connections. And it is, you know, it's no longer just kind of the new reality. It's just reality at this point.
Users are going to be everywhere and they're going to need and want to work from everywhere. And so SSE enables that and getting protection all the way down to the endpoint happens through Secure Client, which then makes things like EDR, NVM, and other capabilities available.

(41:41):
And other capabilities across the endpoint visibility stack available. So for us, it's kind of a no brainer, right? Do the SSE stuff because you're going to need endpoint visibility anyway.
Start where you understand, which is typically the network for most of our customers and users. Get those protections built out as they're needed.

(42:03):
And when you're ready, start lighting up the modules inside of Secure Client that give you the deeper visibility, that last line of protection, etc.
Excellent.
That was great. I actually, I don't know, like, we learned so much today.
Yes, I know I have.
It's going to be hard to summarize the whole thing. But yeah, it's a lot of information. But I know we have just a few minutes on the clock and just want to open it up for our super, super fun lightning round.

(42:38):
We actually have a couple questions for each of you. Hopefully, those are fun and I'm going to start with you, Chad.
This one is interesting. What's been more frustrating for you? The Carolina Panthers season or Cisco licensing? What do you think? Where would you put them?

(42:59):
I would have to say the Carolina Panthers let me down this season has been super frustrating.
I traveled down to Charlotte for every home game and that trip to travel down there just to lose is getting rough. I would say that the Panthers have made my Mondays rough.
But on the Cisco licensing side, we've done a lot to improve licensing. I know we've been listening to our customers and the struggles with licensing, but it seems like Cisco has that corrected.

(43:31):
I just need to get my Panthers on board and correct that football team.
All right, great. Eric, let's get on to a really serious topic here. Other than microchips, what is another favorite food of malware?

(43:53):
I saw this and I have no idea. I struggled with how to answer this one. I didn't know if I needed to try to find some way to be serious and continue the analogy and start talking about ransomware and connecting that to a buffet or something like that.
What gets held hostage at restaurants? That kind of stuff. I don't know. I don't know. What other than microchips? I'm going to flip it back on you, Mike.

(44:22):
Other than microchips, what is another favorite food of malware?
Oh man, I can't believe this is happening. I'm also not prepared. I'll go with...
Cookies. Cookies! That's a good one. That's a good one.
Because everybody loves cookies and that's what the attackers are going to go after. What am I going to pay the most for to get those back?

(44:47):
That is a real good one.
We probably got time for one more each. Andres?
Yeah. All right. So this one, hopefully I don't butcher this one, but probably will do. Is it true that hackers enjoy gardening? After all, they love planting malware.

(45:09):
What do you think about that, Chad?
That's a good one. That's true. They love planting malware. So they are good at gardening in a sense.
So I don't want to do my own gardening, but I don't want those hackers coming here planting malware. So I'm going to have to find an alternative.
Eric, if your specific computer or maybe keyboard could talk, what would it say about you?

(45:34):
This guy loves honey barbecue, Frito Twists. That's what it would say. Frito Twists have me in a choke hold right now.
And I don't know if you guys have ever had them. Honey barbecue, Frito Twists. Right?
For sure. Yeah.
And my keyboard will say this guy really loves honey barbecue, Frito Twists.
Great.

(45:55):
And it would be great if he ran a vacuum over me.
Oh, love it. Love it. Okay. Well, we could go on with the dad jokes all day.
Maybe we'll do an episode just on that. But anyway, let's go ahead, Andres. Let's summarize this up and get out of here.
I got one if you got 30 seconds for me. And this is for anybody that wants to answer. Why did the scarecrow get promoted?

(46:25):
Nope. Outstanding in his field. That's a good one. That's a good one. Love it. Love it. Very good. Very good. Very good.
That was good. Well, we talked about a lot today. I know I have definitely learned a lot.

(46:46):
Andres, big takeaways for me. The endpoint being the device and the user. You know, thinking about maybe posture assessment of the device and then maybe MFA of the user.
So it was cool here in your perspective, Eric, on the history of the endpoint, how that's kind of evolved over time.

(47:08):
We had good examples of the bad guys in action. Major criminal groups that are well funded. And Eric, to your point, you know, they're also thinking about the MITRE ATT&CK framework.
Like, how do we evade detection? So just that back and forth struggle there. And then MITRE being, you know, those tactics, techniques and procedures.

(47:32):
What's the bad guy's goal? How are they attacking? And then kind of what tools are they using? Especially with threats being more sophisticated than ever.
You know, we talked about maybe moving that security in a layered approach. So those were my big takeaways. Andres?
Yeah, for me, a few things that really resonate. I know Chad, you mentioned a few examples about securing beyond the endpoint. For example, keeping an eye on a network detection solution.

(48:06):
Keeping an eye on that traffic coming in from endpoints that don't have, that we cannot install an EDR solution on. That was very key and it resonates with a lot of things that people are doing today.
Eric, you had a really good analogy on the cartography of the network. Of all the things that we need to see before we can decide we're going to protect.

(48:34):
So that was great for helping everybody just to make sure that they know where to start from. They know what the moving targets are. Define the undefined on the network. So that was pretty cool.
Asset inventory. That was that that's one of the things that nobody likes, but, you know, it's needed. It's needed. You got to do it. Absolutely.

(48:59):
Chad, the other thing, Zero Trust, wireless VPN. You put in some information about Cisco ISE. That is great. Actually, I love that. And then also the expansion that we got to talk about the user protection suite.
What are the things that are included there? How can it help our customers? And last, Eric, you mentioned that integration between products. Good example, Umbrella and Duo, the endpoint protection. That was great.

(49:28):
Mike, give it back to you. Great. Cool. Always.
All right. Well, don't forget to fill out that feedback survey, because even though I can't win the Cisco hoodie, I want, you know, someone to win the Cisco hoodie. So fill out that survey right after the call.
And then we will reach out to you through email if you are the winner. Huge thank you to our guests, Eric, Chad. It's been an absolute pleasure. I would love, Andre, I would love to have you back on the show.

(49:58):
The next call will be December 13th.
And it's on securing the cloud. So that's going to be an outstanding conversation there. Stay secure, and we will see you in December. Thanks, everybody.
Thank you. Thank you guys.