91% of the organisations claim that manual identification and remediation of security incidents affect their speed of reaction. Considering that attacks continuously grow in number and complexity, the automation of security measures provided by Datanet Systems by the means of Cisco technologies can help you be much more efficient and proactive.

In recent years, companies have been relying more and more on automation in order to protect themselves against the increasing number of security risks. According to Cisco’s 2018 Annual Cybersecurity Report, 39% of the organisations have already implemented solutions which integrate automation elements. The growing trust in automation is justified by a number of risk factors which cannot be ignored without repercussions:

  • Continuous improvement of the attackers’ ability.Hackers are increasingly experienced in “tricking” the classic protection solutions. This phenomenon is linked to an increased volume and complexity of threats, as well as an ascending evolution of encrypted traffic used for malware infections (which has increased more than three times in the past 12 months);
  • Increased detection and remediation time for security breaches. In 2017, the average time for detecting a security breach was 191 days, with other 66 days being needed to solve it (Ponemon Institute – 2017 Cost of Data Breach Study);
  • Heterogeneous security environments.In 2017, 25% of the companies were relying on up to 20 providers for security solutions (Cisco 2018 Security Capabilities Benchmark Study). The result: critical integration issues, configuration and management issues and impossibility to efficiently identify and solve the genuinely dangerous security alerts;
  • Constant growth of the attack area.The extended adoption of Cloud services and mobility in the enterprise environment forces organisations to find new solutions of monitoring, identifying and solving threats. As early as 2016, 41% of the companies complained about facing increased difficulty in providing network security due to the intensive use of Cloud services (Enterprise Strategy Group – Network Security Monitoring Trends);
  • Predominance of manual processes in the remediation of security issues.SANS Institute analysed organisations’ responses when faced with security incidents and found that many processes were still performed manually. Top places in the hierarchy are occupied by: • isolating infected machines from the network (66.6%); • shutting down compromised systems and/or placing them off-line (66.6%); • restoring infected machines (63.3%); • restarting operations using external storage media (61.1%); • updating security policies and rules, based on IOC indicators (55.4%); • removing compromised files and folders without reinstalling the entire system (53.3%); • placing affected workstations in quarantine (51.8%) • identifying similar compromised systems (50.3%).

Considering the speed of emergence of the new types of security threats, attacks, <Zero day> type breaches, etc., people can no longer be quick enough to take the necessary steps to detect, block and remediate an incident. A company faced last year a ransomware attack leaving 10,000 machines encrypted in just 10 minutes. It is impossible for any team to block on time a cyber attack of such size and speed,” said Jamey Heary, Cisco Distinguished Systems Engineer, in Cisco Connect 2017, in Bucharest

 

Integration, the essence of automation strategy

Datanet Systems’s response to these challenges is an integrated security architecture  allowing the capitalisation of automation capabilities provided by Cisco solutions:

  • Cisco Umbrella ensures the first level of protection against online threats, thus blocking threats before they affect end-points and/or penetrate the network. This solution, delivered as a Cloud service, ensures visibility for activities carried out on the Internet, regardless of the user’s location and type of device used. Umbrella analyses DNS requests, determines if the requests are safe and if they are dangerous blocks them before a connection is ever made. Potentially risky addresses are analysed by Cisco’s Proxy service provided in Cloud and, if they present infection risks, they are blocked for all Umbrella users. If a compromised domain is accessed before blocking, Umbrella identifies the users who accessed it and automatically places them in quarantine and the address is “blacklisted”.
  • Cisco Advanced Malware Protection for Endpoints ensures advanced protection of (fixed or mobile) workstations. The AMP solution uses Cloud Cisco Threat Grid platform, where it automatically sends certain categories of executable files to be analysed in a Sandbox solution. (Administrators establish what types of files are sent.) If the file is listed as a threat, all workstations who accessed it are identified and the file is automatically placed in quarantine, thus containing the spread of infection. The solution also works proactively – once a file issue is identified, the file is automatically blocked when a user from another organisation attempts to download it.
  • Cisco Cloudlock secures Cloud environments, regardless of the user’s identity, how the access is made and user location. Cloudlock, like Umbrella, is delivered as a service, does not require a big integration – configuration effort and has no limitations regarding number of end users. Cloudlock detects abnormal behaviours, monitoring all Cloud activities, traffic between on-premises infrastructures and Cloud environments and also Cloud-to-Cloud environment. In addition, Cisco solution identifies critical data and signals access attempts of unauthorised users. Cloudlock also provides protection against security breaches caused by the use of Cloud applications, by using reputational analyses and risk assessments provided by Cisco’s Security Intelligence services.
  • Cisco Stealthwatch extends the visibility and control over the network, by advanced analysis and Security Intelligence functionalities. Based on the metadata traffic collected and stored, Stealthwatch sets a series of patterns based on which detects abnormal behaviours in the network, which may signal an attack (also analysing encrypted traffic flows). To achieve this, the Cisco solution collects information from the network equipment (agents for Cloud hosting may be also defined), swiftly processing and analysing it. Stealthwatch can process information provided by up to 50,000 sources (controllers, switches, routers, firewalls, devices on which AnyConnect agents are installed, etc.) and up to 6 million data flows per second.
  • Cisco Identity Services Engine is the main element of Datanet Systems’ security architecture, increasing the efficiency of the above-mentioned automation elements. ISE delivers information about the user identity, devices used, device locations, accessed services, etc., which are correlated through integration with the ones delivered by the other applications and serve as a basis for the automated pre-set decision-making process. Thus, by integrating ISE-Umbrella, upon their discovery, users that have accessed a compromised domain can be identified and automatically placed in quarantine. Similarly, by integrating ISE-AMP, if the malware protection solution finds an infected device, ISE automatically places it in quarantine. By integrating Cloudlock, unauthorized access of Cloud data and applications is identified and blocked. The StealthWatch-ISE integration correlates traffic data with data on users and equipment – once the users generating suspicious traffic or an abnormal behaviour are identified in the network, predefined actions can be automatically applied to them (alerting administrators, notifications send to end users, blocking access, placing in quarantine, etc.)

The results obtained by integrating all these functionalities and by automating the detection and response measures are: • improving the protection level throughout the organisation; • limiting the impact of security events; • reducing security incidents reaction time and • increasing the operational efficiency. (The last two effects are mainly provided by reducing the number of manual operations needed.)

To benefit all these advantages, the solutions mentioned must act in a complementary manner, must be easily managed, scaled and mapped, according to each company’s needs. This involves an integration effort that only some organisations can support with internal resources. Therefore, the large majority needs to resort to the services of a system integrator, like Datanet Systems, with experience both in security solutions and also Cisco technologies.

Datanet Systems’ recommendations on the market can be easily proven:

  • It is Cisco’s main partner in Romania
  • It has the largest local team of specialists certified in Cisco technology
  • It has numerous security projects implemented in critical infrastructures
  • It is a reliable partner, with abilities and competences proven in its 20 years of activity.

For more information, contact office@datanets.ro