Most people understand that any link they click, whether received by email or posted on a social networking site, could lead to a malware infection. All it takes is one click for an intruder to start spreading an infection onto the internal network. Given the constant flood of email and the number of links presented, the chances of catching a victim with their guard down are increasing.
Coca-Cola lost out on a 2.4 billion dollar acquisition of a Chinese juice company after details about the purchase were electronically stolen from a top official. Guess how: the official was originally compromised through a phishing attack. From there the attack spread quickly throughout the organization. (source)
In all likelihood, the future of cyber threat detection will operate on the assumption that the network is always carrying infections. The idea of proactively preventing 100% of malware, including the tooling behind Advanced Persistent Threats, from ever entering the network is not a reasonable approach to Internet security.
Every day, employees authenticate to the network with devices that roam the internet freely. What applications have they installed? What sites have they accidentally visited? Either could lead to malware. Once a device is infected, what resources is it accessing on the corporate network?
It gets worse. The malware these machines carry is intelligent. It reaches out to sites on the internet under the employee's identity and permissions. It makes encrypted connections that deep packet inspection appliances (e.g. firewalls) may not be able to decipher, so signature matching doesn't work. And it does all this during the working day, right under our noses, keeping its traffic volume low, normal-looking and stealthy.
These threats are difficult to detect partly because of the outbound nature of the connections, which are made by authenticated users: once an employee has authenticated to the network, any website they visit will generally pass through most security mechanisms. NetFlow and IPFIX are among the best ways to monitor outbound connections from within the company.
At many companies the Cisco ASA is the primary appliance relied upon for protection against intellectual property theft, and it is often the best defense against malware introduced by end users. How is your company integrating the ASA into its overall security defense strategy? What specific configuration strategies are you using? Are you leveraging NetFlow Security Event Logging (NSEL) for some form of behavioral analysis? If not, consider reading our Cisco ASA Guide to NetFlow Security Event Logging and Cyber Threat Detection, which discusses the three primary ways the ASA detects threats and how to leverage NSEL with host reputation to provide an additional layer of internal threat detection.
What are you doing with your ASA to pay more attention to outbound connections?
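The two ideas above, watching outbound flows for periodic low-volume "beaconing" and checking destinations against a host reputation list, can be illustrated with a small analysis over flow records. The example below is added here and is not code from the original post or from any vendor product. It assumes a simplified record layout (start timestamp, event type, source, destination, destination port, byte count) standing in for what NSEL exports on flow teardown; the records, the internal address ranges and the blocklist are all constructed for the example, and the thresholds (five flows, 20% timing jitter, 2000 bytes average) are arbitrary starting points rather than recommended values.

```python
"""Behavioral triage of NSEL-style flow records (constructed example, not product code).

Flags two patterns in outbound traffic:
  1. connections to destinations on a host-reputation blocklist
  2. periodic, low-volume "beaconing" to one external host and port
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed blocklist standing in for a real host-reputation feed (not real data).
REPUTATION_BLOCKLIST = {"203.0.113.45"}

# Assumed internal address space; anything else is treated as "outbound".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound(records):
    """Keep only flows that leave the internal network."""
    return [r for r in records if is_internal(r["src"]) and not is_internal(r["dst"])]


def reputation_hits(records):
    """Unique (internal host, blocklisted destination) pairs seen in outbound flows."""
    return sorted({(r["src"], r["dst"]) for r in outbound(records)
                   if r["dst"] in REPUTATION_BLOCKLIST})


def beacon_candidates(records, min_flows=5, max_jitter=0.2, max_avg_bytes=2000):
    """Group completed flows by (src, dst, dport) and flag groups whose start
    times are evenly spaced and whose transfers are small: the beaconing pattern."""
    groups = defaultdict(list)
    for r in outbound(records):
        if r["event"] == "teardown":  # teardown records carry the byte counts
            groups[(r["src"], r["dst"], r["dport"])].append(r)
    findings = []
    for (src, dst, dport), flows in groups.items():
        if len(flows) < min_flows:
            continue
        starts = sorted(f["ts"] for f in flows)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        avg_gap = mean(gaps)
        # Coefficient of variation of the inter-connection gaps: low means regular timing
        jitter = pstdev(gaps) / avg_gap if avg_gap else float("inf")
        avg_bytes = mean(f["bytes"] for f in flows)
        if jitter <= max_jitter and avg_bytes <= max_avg_bytes:
            findings.append({"src": src, "dst": dst, "dport": dport, "flows": len(flows),
                             "period_s": round(avg_gap), "avg_bytes": round(avg_bytes)})
    return findings


def _flow(ts, src, dst, dport, nbytes, event="teardown"):
    # ts is the flow start time in epoch seconds (constructed layout)
    return {"ts": ts, "event": event, "src": src, "dst": dst, "dport": dport, "bytes": nbytes}


BASE = 1_700_000_000
SAMPLE_RECORDS = [  # constructed sample data
    # Small HTTPS flows every ~5 minutes: the beaconing pattern
    *[_flow(BASE + t, "10.1.2.3", "198.51.100.7", 443, b) for t, b in
      zip((0, 298, 602, 899, 1201, 1500), (880, 912, 896, 904, 888, 920))],
    # Ordinary browsing: irregular timing, large transfers
    *[_flow(BASE + t, "10.1.2.4", "198.51.100.20", 443, b) for t, b in
      zip((0, 45, 510, 530, 2000, 2100), (150000, 48000, 310000, 12000, 90000, 220000))],
    # One connection to a blocklisted host
    _flow(BASE + 700, "10.1.2.5", "203.0.113.45", 443, 0, event="create"),
    _flow(BASE + 703, "10.1.2.5", "203.0.113.45", 443, 1450),
    # Inbound connection, dropped by the outbound filter
    _flow(BASE + 50, "198.51.100.9", "10.1.2.3", 22, 3000),
]


def analyze(records=SAMPLE_RECORDS):
    return {"reputation": reputation_hits(records), "beacons": beacon_candidates(records)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(), indent=2))
```

On the sample data the reputation check returns the single 10.1.2.5 to 203.0.113.45 pair, and the beacon check flags only the 10.1.2.3 host (six flows, a 300 second period, about 900 bytes each); the irregular, bulky browsing traffic passes. Against real NSEL data the same logic would run over a rolling window, and the jitter and volume thresholds would need tuning per environment, since legitimate update checkers and monitoring agents also produce regular small flows.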