Cisco ASA and the Cyber Threat Landscape


Most individuals understand that any link they click on that was received via email or posted on a social networking site could lead to an unwanted malicious infection.  All it takes is one click for an intruder to start the process of spreading an infection onto the internal network.  With the constant onslaught of emails and the number of links presented every day, the chances of catching a victim with their guard down keep increasing.

Coca-Cola lost out on a $2.4 billion acquisition of a Chinese juice company after details about the purchase were stolen electronically from a top official.  Guess how: the attackers first got in through a phishing attack.  From there the attack spread quickly throughout the organization. (source)

In all likelihood, the future of cyber threat detection will operate on the assumption that the network is always carrying infections.  Proactively preventing 100% of malware, Advanced Persistent Threats included, from ever entering the network is not a realistic approach to Internet security.

Every day, employees authenticate onto the network with devices that freely roam the Internet.  What applications have they installed?  What sites have they accidentally visited?  Either of these activities could lead to malware.  Once they are infected, what resources are they accessing on the corporate network?

It gets worse.  The malware these machines are infected with is intelligent.  It reaches out to sites on the Internet from the employee's own authenticated session, without the employee's knowledge.  It makes encrypted connections that deep packet inspection security appliances (e.g. firewalls) may not be able to decipher, so signature matching doesn't work.  And the malware does all this during the day, right under our noses, keeping its traffic volume low, normal looking and stealthy.

These types of threats are difficult to detect partly because the connections are outbound and are made by authenticated users: once an employee has authenticated onto the network, any website they visit will generally pass through most security mechanisms.  NetFlow and IPFIX are among the best ways to monitor outbound connections from within the company, because they record who talked to whom, when, and how much, even when the payload itself is encrypted.

The Cisco ASA at many companies is the primary appliance relied upon for protection against intellectual property theft.  It is also often the best defense against malware introduced by end users.  How is your company integrating the ASA into the overall security defense strategy? What specific configuration strategies are you incorporating? Are you leveraging NetFlow Security Event Logs (NSEL) for some type of behavioral analysis?  If not, consider reading our Cisco ASA Guide to NetFlow Security Event Logging and Cyber Threat Detection, which discusses the three primary ways the ASA detects threats and how to leverage NSEL with host reputation to provide an additional layer of internal threat detection.
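The kind of behavioral analysis the two paragraphs above point at (low-volume, regularly timed, encrypted outbound connections that signature matching cannot see, spotted from NSEL flow records rather than from payload) can be demonstrated with a small beacon detector. The example below is added here and is not code from the original post or from Cisco; it runs on a constructed set of NSEL-style teardown records rather than on real ASA output, and the record layout, host addresses and thresholds (six or more flows, inter-arrival coefficient of variation at or below 0.15, mean initiator bytes at or below 4096) are assumptions a practitioner would tune against their own collector.

```python
"""Beacon detection over ASA NSEL-style flow records.

Added example with constructed sample data; not real ASA output. The record
shape, addresses and thresholds below are assumptions, not Cisco defaults.
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass

# NSEL event IDs the ASA exports: 1 flow-create, 2 flow-denied,
# 3 flow-teardown, 5 flow-update. Only teardown carries byte counts.
FLOW_CREATE, FLOW_DENIED, FLOW_TEARDOWN, FLOW_UPDATE = 1, 2, 3, 5

# Explicit RFC 1918 list rather than ipaddress.is_global, because the
# documentation ranges used as "Internet" hosts in the sample are not
# treated as global by the ipaddress module.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: int               # event time, epoch seconds
    event: int            # NSEL event ID
    src: str              # initiator address
    dst: str              # responder address
    dport: int            # responder port
    proto: int            # IP protocol (6 = TCP)
    initiator_bytes: int  # bytes sent by the initiator (teardown only)


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    flows: int
    mean_gap_s: float
    gap_cv: float
    mean_bytes: float


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound(flow: Flow) -> bool:
    """Inside host talking to a non-RFC 1918 destination."""
    return is_internal(flow.src) and not is_internal(flow.dst)


def beacon_candidates(flows, min_flows=6, max_gap_cv=0.15, max_mean_bytes=4096):
    """Group outbound teardown records per (src, dst, dport) and flag groups
    whose inter-arrival times are regular (low coefficient of variation) and
    whose per-flow byte counts are small. Payload encryption is irrelevant:
    only timing and volume are used."""
    by_pair = defaultdict(list)
    for f in flows:
        if f.event == FLOW_TEARDOWN and is_outbound(f):
            by_pair[(f.src, f.dst, f.dport)].append(f)

    findings = []
    for (src, dst, dport), group in by_pair.items():
        if len(group) < min_flows:
            continue
        times = sorted(f.ts for f in group)
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        gap_cv = statistics.pstdev(gaps) / mean_gap if mean_gap > 0 else float("inf")
        mean_bytes = statistics.mean(f.initiator_bytes for f in group)
        if gap_cv <= max_gap_cv and mean_bytes <= max_mean_bytes:
            findings.append(Finding(src, dst, dport, len(group), mean_gap, gap_cv, mean_bytes))
    return findings


T0 = 1_700_000_000  # arbitrary base time for the constructed sample

# Constructed records (not captured from a real ASA).
SAMPLE_FLOWS = [
    # 10.0.0.12 checks in with 203.0.113.7:443 about every five minutes,
    # sending roughly a kilobyte each time: the beaconing pattern.
    *[Flow(T0 + off, FLOW_TEARDOWN, "10.0.0.12", "203.0.113.7", 443, 6, b)
      for off, b in [(0, 1120), (302, 1088), (598, 1136), (901, 1104),
                     (1199, 1120), (1502, 1096), (1798, 1128), (2101, 1112)]],
    # flow-create records for the same sessions carry no byte counts; ignored.
    *[Flow(T0 + off, FLOW_CREATE, "10.0.0.12", "203.0.113.7", 443, 6, 0)
      for off in (0, 302, 598)],
    # 10.0.0.20 browsing normally: bursty timing, larger transfers.
    *[Flow(T0 + off, FLOW_TEARDOWN, "10.0.0.20", "198.51.100.10", 443, 6, b)
      for off, b in [(0, 18200), (40, 22100), (900, 5300), (950, 64000),
                     (1000, 9100), (3000, 41000), (3010, 12800)]],
    # Inbound connection to a DMZ host: not outbound, never considered.
    Flow(T0 + 77, FLOW_TEARDOWN, "198.51.100.25", "10.0.0.5", 443, 6, 900),
    # Denied flow: no teardown, no byte count.
    Flow(T0 + 120, FLOW_DENIED, "10.0.0.12", "203.0.113.9", 4444, 6, 0),
]


if __name__ == "__main__":
    for fnd in beacon_candidates(SAMPLE_FLOWS):
        print(f"{fnd.src} -> {fnd.dst}:{fnd.dport}  flows={fnd.flows} "
              f"mean_gap={fnd.mean_gap_s:.0f}s cv={fnd.gap_cv:.3f} bytes={fnd.mean_bytes:.0f}")
```

Run against the sample, only the 10.0.0.12 to 203.0.113.7:443 pair is reported; the normal browsing host fails both the regularity and the volume test, and the inbound and denied records never enter the grouping. In a real deployment the records would come from whatever collector receives the ASA's NSEL export, and the thresholds would be tuned against a baseline of the site's own traffic so that legitimate periodic traffic (update checks, monitoring agents) can be whitelisted by destination rather than by loosening the detector.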

What are you doing with your ASA to pay more attention to outbound connections?
