Thoughts on Cisco's 2018 Annual CyberSecurity Report

When I started in networking, I never would have thought that security would be such an important part of my job. However, it has become something that I’m involved with almost every day – tasks like applying security configurations, participating in audits, or spending a day chasing down the latest vulnerabilities. It’s already become second nature to watch for what’s new in the security realm, so that I’ll be more prepared when someone asks about it.

Earlier today, Cisco released their 2018 Annual Cyber Security Report. I’ve spent some time digging through the report and thinking about what they’ve written. It’s interesting to read through the trends and survey results, and try to get an idea of where security efforts should be focused for the coming year.

This post is going to cover just a subset of what’s in the complete report. I’ll be covering the topics that I found particularly interesting, and give my own thoughts/views on them.

The Encrypted Web is Great….. For Attackers.

Unsurprisingly, Cisco reports a growing trend in attacks and exploits that are taking advantage of encrypted transport. As a lot of large companies and Internet bodies are pushing for a 100% encrypted web, should we be surprised? Nah, it’s the logical next step. Users want encryption because it means privacy – but that privacy also brings a method of concealing attacks.

New exploits and malware are heavily leveraging encrypted transport to bypass all of the security we put in place to detect them. Typical defense technologies like intrusion prevention systems (IPS) are fantastic, but only when they can actually read the data. If a user download’s malware through an HTTPS call, IPS won’t usually catch it. And when that malware can now take advantage of SSL to reach back out to a command & control server? Yeah, IPS might not help us there either.

There are technologies out there that allow enterprises to see this traffic – but maybe not enough of us are adopting it yet. A forward proxy for outbound web filtering is great. One that implements SSL decryption and inspection is even better. If your company isn’t already decrypting outbound web traffic, then this needs to be a priority.

Inbound web traffic can be just as dangerous. New IIS vulnerability? Sure, let’s grab the latest IPS signatures and … Oh wait, our IPS runs on our edge firewall, which sits in front of those web servers – which are all using SSL for encryption. That means any malicious traffic is going to slide right through our IPS undetected and land on our unpatched web servers. Get a Web Application Firewall (WAF), and let it front-end your SSL traffic. These things can be expensive and a nightmare to configure and tune properly, but right now they are one of your best options for inspecting web traffic.

Old Attacks Aren’t Going Away – They’re Just Getting an Upgrade

This year’s report highlighted that much of the older attacks are still here, and they’re not giving up yet. Attacks via email are still present and doing more damage than you would hope. We’re certainly getting better about implementing spam filters with reputation filtering, but attackers aren’t giving up yet.

Email attacks are relying more on social engineering and targeted phishing. These messages are also utilizing SSL to encrypt the malicious links within the emails. Infected attachments are surprisingly still a big issue, with Microsoft Office and PDF files still being the worst offenders.

Just because attackers are finding new and exciting ways to hit us doesn’t mean they’re giving up on the tried and true methods. We still need to focus on all the standard attack vectors, like email. Implementing intelligent email/spam filters and providing user awareness training are the primary methods we have to combat this.

The Cloud is Secure! … We Think…

This one I found particularly fun. Out of all the companies surveyed by Cisco for this report, 57% of them said they believe the cloud offers better security. Wait – Did I misread that? More than half of respondents think that the cloud offers better security than their own infrastructure! This makes me wonder…

From my perspective, a cloud service provider is just another company. In most cases, they run just another network and hit a lot of the same challenges that non-cloud companies are facing. And we can only assume that cloud providers are prioritizing security and not just trying to turn a quick profit. Cloud companies have the advantage of being able to hire a dedicated security team that their customers can leverage. However, enterprises are complaining about lack of skilled security engineers, and I’ll bet it’s not because cloud providers are picking them all up.

Cloud definitely offers benefits – but this needs to be a well-calculated risk. For a smaller company without dedicated IT staff, a cloud solution would most likely offer security improvements over their own infrastructure. As companies scale, however, their security requirements do too. We need to make sure that the cloud providers we choose are also capable of adhering to those standards. Before you move to the cloud: ask questions about their security practices, get answers, and demand more information on the parts that are important to your business.

Another fun note from Cisco – some of the damage done by cloud providers is a simple mis-understanding of ownership. If you subscribe to a complete Software as a Service (SaaS) provider, chances are good that the provider worries about all of the critical security configurations. However, if you’re going to a cloud provider just for infrastructure (like AWS), then you are likely responsible. In the case of AWS, you’re being provided a server – and that’s where Amazon’s responsibilities end. It’s up to the enterprise to still make sure that those servers are patched, hardened, and audited. Treat the cloud as an extension of your own infrastructure and polices, not a separate entity.

Diversifying Risks? Maybe not.

It used to be a somewhat well-established security practice to use multiple vendors. Have a need for two sets of firewalls? Make sure you use two vendors, so that a vulnerability in one doesn’t affect the other. Seems like sounds logic – until you have to train staff to be experts on multiple platforms, and keep up to date on all the latest patches from each vendor.

Cisco is finding that the more vendors a company has in their environment, the more problem we have maintaining everything. From my own experiences, I can say this is certainly a problem. In environments where I’ve had up to four vendors for firewalls and switching, it becomes difficult to work with. It’s hard on IT staff to maintain knowledge of configuration and best practices for each different vendor – and when a new vulnerability comes out, we end up spending way more time trying to track down each vendor’s responses and patches.

It makes sense that companies who have a more tightly integrated infrastructure might have an easier time managing it. Cisco might want you to buy 100% into their ecosystem (of course), but I do think there is value in consolidating your infrastructure. One or two vendors will be much easier to establish relationships with than half a dozen of them. Your IT staff can dedicate their focus to mastering only a couple of technologies, rather than spreading themselves over a dozen different platforms. And when that new vulnerability is released? It should be much more straightforward to patch all of your systems quickly.

There’s That Automation Thing Again…

I think we’re finally beginning to reach a point where automation is really showing it’s value in the security realm. A typical company is going to have so many different systems and alerts that it doesn’t make sense for someone to manually review and act upon every one. This is where automation really begins to shine.

Cisco’s report shows that more companies are relying heavily on automation. This can be used for alert response, reporting, and behavioral analytics. Especially when I keep hearing that there is a skills shortage in security, we need to take advantage of what automation can offer. This doesn’t always have to be home-grown scripts either – there are a number of offerings already available.

Take a second look this year. Try to see where automation can fit into your infrastructure to help improve both operations and security.

Thanks for reading! Just as a friendly reminder – All of the opinions stated in this post (and all others here) are 100% my own, and do not represent any vendor or employer. Since security has become more of an important part of my job, reports like this are always very interesting to read. I’ve only covered a handful of what was in the report – just what was particularly interesting to me. If you’re interested in reading more, check out the full report here: