CSTA Turns 400 - Proof That Technology Integrations Are Exactly What You Are Looking For
Publish Time: 16 Dec, 2024

Cybersecurity is a continuously evolving landscape. We constantly see new threats and threat vectors come and go, which puts a tremendous strain on the InfoSec teams that have to protect organizations and businesses from them. This year we saw the re-emergence of old vectors, from ransomware and trojans to supply chain attacks. At the same time, companies saw the security resources in their organizations dwindle, leaving defenders to cope with the onslaught of attacks. To help cut through all the noise, cybersecurity companies produce newer security tools that sift through it and pinpoint actionable alerts. While these tools are impressive individually, a powerful tool that one cannot wield is useless. Only by integrating these tools into your larger security reporting and analytics infrastructure, and by leveraging actionable responses, can one reduce the threat risk to an organization.

We here in the Cisco Secure Technical Alliance (CSTA) live by that principle. Our ever-growing ecosystem is in its eighth year, facilitating open, multivendor product integrations that improve security effectiveness and help solve unique customer security challenges through automation and operational simplicity. Cisco Secure products are adopting an API-first approach to allow more integrations, both internally within Cisco and with third-party products. Thanks to this API approach, security practitioners are able to build new solutions in a shorter period of time, using already existing components instead of writing code for new ones from scratch.

Rounding up our Cisco fiscal year 2021, we added a whole bunch of integrations into our program. Today we are excited to welcome 26 net new industry partners with 48 new product integrations to the CSTA program. With the addition of Kenna Security into our program we now have over 250 technology partners and over 400 integrations for our mutual customers to utilize. This exponential growth, from when we began this journey not so long ago, shows why our customers care about security product integrations and the intangible benefits they bring.

Here's a quick summary of what's new:

New Cisco Secure Endpoint integration (Formerly known as AMP for Endpoints)

Using the Cisco Secure Endpoint APIs, partner integrations provide analysts with rich threat information and actions on endpoint events, such as retrieving endpoint information, hunting indicators on endpoints, and searching events. An integration with Cigent Technology is now available for Secure Endpoint customers. This integration collects all Secure Endpoint event data via the streaming API, for correlation or other uses.

New Cisco Cloud Security Integrations

Cisco Cloud Security leverages robust APIs from Umbrella and Investigate to provide threat protection amplification to technology partners. New integrations were added to a growing ecosystem. There is a new Cloud Security app for Splunk that integrates cloud security data with event data from Splunk. Arctic Wolf, BlueCat and Varonis ingest Umbrella data to enrich the data being analyzed. The integration between Torq and Umbrella provides automation, remediation and response.

Cisco Secure Firewall integrations

Cisco Secure Firewall has several new partner integrations. CyberArk reduces VPN risk with MFA enforcement on any VPN client that supports RADIUS, including Cisco Secure Firewall. HashiCorp (Terraform) provides infrastructure automation and now supports Secure Firewall ASA. Graylog, a centralized log management solution built to open standards, has connectors for Secure Firewall. The Secure Firewall app for Splunk has been updated. Qmulos's next-gen compliance product now supports Secure Firewall, and Nutanix AHV now has support for both Secure Firewall and Secure Firewall Threat Defense.

New Cisco ISE Ecosystem Partners

Cisco ISE has a mature ecosystem of technology partners and adds a few more integrations to its fold. Certego, ExtraHop and LinkShadow integrated with ISE to take Adaptive Network Containment (ANC) actions. DFLabs, Splunk Phantom and ThreatConnect are all SOARs that integrate with ISE to take automation and orchestration actions. Cyber Observer, which provides continuous controls monitoring, now supports ISE as well.

Cisco Secure Endpoint for iOS (formerly Cisco Security Connector)

Cisco Secure Endpoint for iOS provides organizations with the visibility and control they need to confidently accelerate deployment of mobile devices running Apple iOS. CSC is the only Apple-approved security application for supervised iOS devices and integrates with best-in-class MDM/EMM platforms. CSC now adds support for Clomo MDM. Cisco Meraki System Manager, with Secure Endpoint for iOS, is now the official MDM of the Black Hat global conferences.

Cisco SecureX threat response Integrations

Cisco SecureX threat response automates integrations across select Cisco Security products and accelerates key security operations functions: detection, investigation, and remediation. It also has support for third-party products through its API. Since our last announcement in Summer 2020, SecureX threat response adds 16 new integrations including Akamai Network Lists, alphaMountain.ai, Amazon GuardDuty, Bastille Networks, Cybersixgill Darkfeed, Devo, Graylog, IBM QRadar, IBM X-Force Exchange, MISP, Palo Alto Networks AutoFocus, Recorded Future, Splunk CIM, CESA Splunk, Sumo Logic Log Management and Vade Secure IsItPhishing.

Cisco SecureX orchestration Integrations

Cisco SecureX orchestration provides a no-to-low code approach for building automated workflows. These workflows can interact with various types of resources and systems, whether they're from Cisco or a third-party. We have a wide variety of atomic actions and workflows that can be imported into SecureX orchestration including Atlassian Jira, BMC Helix (Remedy), ManageEngine Service Desk, Microsoft Azure Graph, Microsoft Online, Microsoft Teams, ServiceNow, Slack, Tufin and ZenDesk.

Cisco Duo Security

At Cisco Duo, we strive to secure and seamlessly integrate with our customers' existing IT investments. We work with vendors across every category to solve new customer challenges and provide zero trust access and insights for everyone. As we launch new products simplifying the end-user experience and providing improved developer tooling for our partners, here are some of the latest partner integrations in the IAM/SSO, Endpoint, SIEM & Analytics categories: Microsoft, F5, Ping Identity, AWS, Unicon, Blumira, Cigent, SailPoint, Keeper Security and Obsidian Security.

Cisco Kenna Security

This year we also welcomed Kenna Security to Cisco and the CSTA. Kenna has a healthy third-party ecosystem of technology partners. Please visit the Kenna ecosystem page to browse the available integrations.

For more details on each partner integration in this announcement, please read through the individual partner highlights below.

Happy integrating!


More details about our partners and their integrations:

[1] New Cisco Secure Endpoint Integrations


The Cigent D3E integration with Cisco Secure Endpoint provides a highly effective automated response mechanism to threats detected on Windows 10 endpoints. The D3E cloud-based management console ingests security events from the Secure Endpoint console and triggers Active Lock on the local device through the D3E Windows client. Active Lock protects individual files by requiring step-up authentication until the threat is cleared. This integration ensures sensitive files are protected during periods of elevated risk. There are many options for step-up authentication, including Cisco Duo OTP and push notifications. Also have a look at a webinar recording about the D3E technology here.

[2] New Cisco Secure Endpoint for iOS (formerly CSC) Integrations


CLOMO, a leading MDM vendor in Japan, is now part of the Cisco Secure Endpoint for iOS ecosystem. The integration allows you to upload the Umbrella and Clarity profiles exported from the Cisco Umbrella administration panel to the CLOMO panel. By embedding the device serial information in the uploaded profile and installing the profile on the device, you can connect to the Cisco Umbrella service. Similarly, you can upload the Clarity profile exported from the Cisco Clarity administration panel to the CLOMO panel. By embedding the device serial information and MAC address information in the uploaded profile and installing the profile on the device, you can connect to the Cisco Clarity service. Read more about the integration here.

[3] New Cisco Cloud Security Integrations


After a couple of years of development, our Splunk application for Cloud Security has arrived. Supported in both Enterprise Security and Splunk Cloud, the cloud application and updated add-on allow for the seamless integration of Cisco Umbrella into any customer's existing deployment leveraging Splunk's CIM. Included in the application are dashboards for all the major SIG components, with advanced capabilities including real-time domain-based threat mitigation with Umbrella's enforcement API and on-the-fly (right-click) threat intelligence enrichment with Cisco Umbrella Investigate. App here.


Varonis is a pioneer in data security and analytics, specializing in software for data protection, threat detection and response, and compliance. Varonis protects enterprise data by analyzing data activity, perimeter telemetry, and user behavior; prevents disaster by locking down sensitive data; and efficiently sustains a secure state with automation. Varonis integrates with Cisco Umbrella to provide a holistic picture of an attack throughout the kill chain: how attackers get into an organization, how they interact with data once inside, and any data exfiltration.

Organizations achieve the best protection when security data generated across their environment is ingested centrally and analyzed holistically. Arctic Wolf is vendor neutral, meaning that they leverage existing tools. Security data from Cisco Umbrella is ingested, enriched, and analyzed by the Arctic Wolf Platform, and acted upon by the Concierge Security team. Arctic Wolf monitors customer environments for cyberattacks and alerts only when incidents are confirmed. Best of all, there is no incremental cost based on the volume of data collected.

In an update to our current integration, BlueCat has added the ability to provide East to West traffic analysis any time Cisco Umbrella identifies a potential threat, providing a full complement to Cisco Umbrella's North to South protection. This will give customers the ability to, if needed, search for additional infected devices related to the Umbrella alert (patient zero).

Torq is a no-code automation platform for security and operations teams. Frontline security professionals use Torq's easy workflow designer, limitless integrations and pre-built templates to deliver stronger security in minutes. By integrating Cisco Umbrella with Torq, users can accelerate threat response, automatically remediate risks, and automate away manual security tasks.


[4] New Cisco Firepower Next-Gen Firewall Integrations


Cisco Secure Firewall version 7.0 has been validated to run on Nutanix's popular AHV hypervisor. Nutanix AHV provides customers with a native no-charge hypervisor as part of their Nutanix hyperconverged infrastructure platform, allowing Secure Firewall Virtual customers to provision a fault-tolerant next-generation firewall that protects East-West as well as North-South connections and service chains. Read more here.

CyberArk reduces VPN risk with MFA enforcement on any VPN client that supports RADIUS, including Cisco. The team validated Multi-factor Authentication (MFA) for Cisco ASA VPN via RADIUS using the CyberArk Connector. CyberArk can be integrated to perform MFA with Cisco ASA VPN via RADIUS to authenticate AnyConnect VPN users. In this scenario, your Cisco ASA VPN is the RADIUS client, and the CyberArk Identity Connector is the RADIUS server. Read more here.

Terraform by HashiCorp is an open-source infrastructure as code (IaC) software tool that enables you to provision and configure infrastructure. The "Terraform Cisco ASA Provider" developed by HashiCorp has been tested, validated and documented. Read more here.

Graylog is a leading centralized log management solution for capturing, storing, and enabling real-time analysis of terabytes of machine data. The team has validated two connectors: the Secure Firewall FTD LINA connector, used for collecting legacy ASA (LINA) events from Secure Firewall, and the Secure Firewall SYSLOG connector, used to receive events from Secure Firewall's SYSLOG output when forwarding to a Graylog cloud instance. Read more here.

The popular Splunk app for Secure Firewall has been enhanced to properly display syslog-based data, in addition to eStreamer. Users can also look up Intrusion Events by CVE reference. A new panel with VPN metrics has been added. Read more details here.

Cisco and Qmulos provide a comprehensive solution for cybersecurity risk management and compliance. It comprises Cisco's suite of security products and Qmulos's next-generation compliance product, Q-Compliance, which can identify compliance gaps that Cisco products can address for multiple frameworks (e.g., CMMC, NIST 800-53). Read more about how Cisco and Q-Compliance are collaborating here.

[5] New Cisco ISE Ecosystem Integrations


Certego, a Managed Detection and Response Service Provider, recently completed an integration with Cisco ISE and their Tactical Response service. This integration leverages pxGrid ANC to take remediation actions. More details on the integration available here.

Cyber Observer's partnership with Cisco enables CISOs to manage and monitor their cybersecurity ecosystem posture. The solution, built using the Cisco ISE ERS API, now also monitors Cisco ISE rules, policies, and settings, and alerts on key aspects and issues that could affect the entire organization. Cyber Observer offers CxOs a single-pane-of-glass view into the application and security effectiveness of the Cisco solution, as well as validation with respect to the compliance requirements and controls that apply to the organization. Learn more here.

DFLabs' IncMan SOAR platform helps Enterprises and MSSPs improve their security operations processes. IncMan's unique triage capability reduces the number of false positives and handles suspicious events that require deeper analysis. DFLabs recently certified their integration with IncMan SOAR and Cisco ISE. The integration allows IncMan users to define playbooks that call ISE actions via the API connectors. Learn more about ISE and DFLabs integration here. DFLabs is now part of Sumo Logic.

ExtraHop Reveal(x) is a cloud-native, SaaS-delivered network detection and response (NDR) solution that delivers 84% faster resolution of advanced threats. With Reveal(x), security teams achieve complete east-west visibility, real-time threat detection, and intelligent response at scale. Reveal(x) securely decrypts TLS 1.3 to detect hidden threats and critical CVEs, and to provide instant network forensics. Reveal(x) integrates with Cisco ISE to enable automated, dynamic response actions based on early detection of network threats. When Reveal(x) detects a threat, it can notify Cisco ISE to quarantine affected endpoints, preventing attackers from expanding their footprint, moving laterally, and ultimately exfiltrating data. Read more about the integration here.

LinkShadow joins the growing list of pxGrid partners. The integration between the LinkShadow Cybersecurity Analytics Platform and Cisco ISE automates threat containment and removes complexity to save organizational resources, all while preventing security incidents from turning into breaches. Read more about the integration here.


Splunk SOAR (formerly Splunk Phantom) combines security infrastructure orchestration, playbook automation, case management capabilities and integrated threat intelligence to streamline your team, processes and tools. The Splunk SOAR team completed their integration with Cisco ISE. Their app supports actions such as listing sessions, quarantining and un-quarantining devices, and terminating sessions. Read more details on the app here.

Cisco ISE for ThreatConnect Playbooks allows you to use ISE actions as part of a larger security automation or orchestration. Playbooks allow you to respond to events within your environment such as notifications from a SIEM, suspected phishing emails, or alerts from asset monitoring. Additionally, you can automate tasks as part of an incident response workflow. These situations provide an excellent opportunity to automatically employ Cisco ISE for Playbooks to take immediate action on your endpoints. Read more details here.

[6] New SecureX threat response Integrations


The Amazon GuardDuty integration provides threat intelligence feeds, such as lists of malicious IP addresses and domains, and machine learning to identify unexpected and potentially unauthorized and malicious activity within your AWS environment. The integration allows querying IPv4 and IPv6 data types. This integration returns Indicators, Sightings, and Relationships. Read more about the integration here.


The Recorded Future integration allows the user to enrich cyber observables with high-confidence intelligence collected by their research team. It shows how malicious a cyber observable is and indicates that maliciousness based on Recorded Future's combined evidence. The integration allows you to pivot to Recorded Future from an observable for a broader search. The integration allows users to query IPv4, IPv6, SHA-1, SHA-256, MD5, domain, and URL data types. This integration returns verdicts, judgements, indicators, and sightings. Read more here.


The alphaMountain.ai integration enables users to conduct an investigation informed by reputation data on domains and IP addresses. alphaMountain offers threat intelligence, web reputation, and content categorization that it collects and processes. The integration allows querying using IPv4, IPv6, domain, and URL data types. This integration returns verdicts, judgements, indicators, and sightings. Read more here.


The Sumo Logic Log Management integration indicates to the user that the observable in an investigation is contained in a log message within Sumo Logic, and that it has therefore been observed within the environment. It provides the user with the date and time the observable was seen in the log, the collector that received the log, and the log source that provided the message. The integration allows you to pivot to Sumo Logic Log Management with an observable for a broader search. The integration allows querying using IPv4, IPv6, SHA-1, SHA-256, MD5, domain and URL data types. This integration returns a verdict and judgements from Sumo Logic's query to CrowdStrike Intelligence. Additionally, sightings of the observable from each log message are returned. Read more here.

The Devo integration indicates to the user that the observable in an investigation is contained in a log message within Devo, and that it has therefore been observed within the environment. It provides the user with the date and time the observable was seen in the log, the host that sent the log, and the tag and table names that contain the message. The integration allows querying using IPv4, IPv6, SHA-1, SHA-256, MD5, domain, and URL data types. This integration returns sightings of the observable from each log message. Read more here.

The Graylog integration empowers users to investigate an observable and determine whether it is contained in a log message stored in Graylog. It provides users with the date and time the observable was seen in the log, the node that received the log, the log source and the raw log messages. This integration allows you to query IPv4, IPv6, SHA-1, SHA-256, MD5, domain, URL, file path, user and email data types, and it returns sightings of an observable from each log message. The integration also enables users to pivot into Graylog to search for an observable across all log messages. It opens a new browser window in the Graylog user interface containing the results of the search over the log messages that contain that observable. Read more here.
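The Sumo Logic, Devo and Graylog modules above all do the same core job: take an observable of a supported type, find the log messages that contain it, and hand back each hit as a sighting with the time it was seen and the source that produced the log. The Python below is an added illustration of that pattern, written for this page and not code from Cisco, SecureX or any of the three vendors. It assumes a simple constructed log format ("<ISO timestamp> <source> <message>") and uses made-up sample lines; the observable types it recognises are the ones the paragraphs list. The token-boundary check in `_token_pattern` is the detail worth noticing: a naive substring search would report `10.0.0.2` as seen whenever `10.0.0.23` appears, which is a false sighting an analyst would have to chase.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines in a simple "<ISO timestamp> <source> <message>" shape.
# These are made-up values for illustration, not telemetry from any real system.
SAMPLE_LOGS = [
    "2024-12-10T08:15:02Z fw-edge-1 deny tcp 203.0.113.45:51532 -> 198.51.100.7:443",
    "2024-12-10T08:16:40Z proxy-2 GET http://malware.example.test/payload.bin from 10.0.0.23",
    "2024-12-10T08:17:05Z edr-host-7 file quarantined sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-12-10T09:01:12Z dns-resolver resolved malware.example.test to 203.0.113.45",
    "2024-12-10T09:02:30Z fw-edge-1 allow udp 2001:db8::1 -> 2001:db8::53 port 53",
]

# Observable types recognised by shape. Order matters: URLs and hashes are checked
# before the looser IPv6 and domain patterns.
OBSERVABLE_PATTERNS = [
    ("url", re.compile(r"^https?://\S+$", re.I)),
    ("sha256", re.compile(r"^[0-9a-f]{64}$", re.I)),
    ("sha1", re.compile(r"^[0-9a-f]{40}$", re.I)),
    ("md5", re.compile(r"^[0-9a-f]{32}$", re.I)),
    ("ipv4", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),
    ("ipv6", re.compile(r"^(?=.*:)[0-9a-f:]+$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]


@dataclass(frozen=True)
class Sighting:
    """One occurrence of an observable in a log message: what the text calls a sighting."""
    observable: str
    observable_type: str
    observed_time: datetime
    source: str
    raw_message: str


def classify_observable(value: str) -> str:
    """Return the observable type for a value, or raise ValueError if unsupported."""
    for name, pattern in OBSERVABLE_PATTERNS:
        if pattern.match(value):
            # Reject dotted quads with an octet above 255 (e.g. 999.1.1.1).
            if name == "ipv4" and any(int(octet) > 255 for octet in value.split(".")):
                continue
            return name
    raise ValueError(f"unsupported observable: {value!r}")


def _token_pattern(observable: str) -> "re.Pattern[str]":
    # Require a non-identifier character on both sides so that 10.0.0.2 does not
    # match inside 10.0.0.23 and a domain does not match inside a longer hostname.
    return re.compile(r"(?<![\w.])" + re.escape(observable) + r"(?![\w.])", re.I)


def parse_log_line(line: str):
    """Split '<ISO timestamp> <source> <message>' into (datetime, source, message)."""
    timestamp, source, message = line.split(" ", 2)
    return datetime.fromisoformat(timestamp.replace("Z", "+00:00")), source, message


def find_sightings(observable: str, logs=SAMPLE_LOGS) -> list:
    """Return a Sighting for every log message containing the observable, oldest first."""
    observable_type = classify_observable(observable)
    needle = _token_pattern(observable)
    sightings = []
    for line in logs:
        observed_time, source, message = parse_log_line(line)
        if needle.search(message):
            sightings.append(Sighting(observable, observable_type, observed_time, source, message))
    return sorted(sightings, key=lambda s: s.observed_time)


if __name__ == "__main__":
    for sighting in find_sightings("203.0.113.45"):
        print(f"{sighting.observed_time.isoformat()} {sighting.source}: {sighting.raw_message}")
```

Running the block prints the two constructed lines that mention 203.0.113.45 (the firewall deny and the DNS resolution), in time order. A production module would issue the search to the log platform's query API instead of scanning a list, but the contract is the same: the observable goes in, and each hit comes back with when it was seen and which collector, host or node saw it.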

The SecureX module for IBM QRadar allows you to query QRadar for IPv4 and IPv6 observables seen in the last seven days and return Sightings into the SecureX threat response investigation. Module configuration requires firewall access to the cloud, so a Cisco CX engagement is recommended. Actions include pivoting into QRadar from the IP Sighting in SecureX threat response and adding to a QRadar Reference Set. Read more here.

The MISP Open Source Threat Intelligence Platform & Open Standards for Threat Information Sharing integration allows SecureX threat response users to add a module for their MISP instance and see Verdicts, Judgements, Indicators and Sightings for hash values, IP addresses and domains during an investigation. Read more about MISP here. Watch the demo video here.


Radio frequency (RF) network and device data collected by Bastille Networks are available in SecureX threat response as an integrated source. Data includes RF device location information, RF device packet information and RF network connectivity. Data is available for a number of RF protocols including Cellular, Bluetooth, Bluetooth Low Energy, Wi-Fi, and IEEE 802.15.4. RF information can be cross-referenced back to an endpoint on your network using the SecureX threat response Bastille integration. Read more here.

The IBM X-Force Exchange integration in SecureX threat response enables an investigator to query IBM X-Force Exchange for observables (IP, IPv6, domain, URL, MD5, SHA-1, SHA-256) and return verdicts to SecureX threat response based on the Risk Score. Read more here.

Vade Secure's IsItPhishing API provides a quick way to look up a URL and determine whether it is phishing. The SecureX threat response user initiates an investigation via the UI or API, and the module returns a Judgement and Verdict. More details here.

SecureX threat response queries Palo Alto Networks AutoFocus for Sightings, Targets, and Judgements, as well as any observable relations (such as the name of a SHA-256 sample, the IP hosting a domain, etc.). The investigator has the ability to pivot into AutoFocus for additional context. More details here.

The SecureX threat response integration with Akamai Network Lists pulls network application security and disposition data through the Akamai APIs, resulting in visualized sightings and judgements. The analyst also has the response actions of adding to or removing from an Akamai network list. Learn more about the SecureX threat response & Akamai integration here.

Block threats and enrich endpoint protection in real time, straight from the SecureX dashboard, with Cybersixgill's Darkfeed. Powered by Cybersixgill's unparalleled automated collection from the deep and dark web, SecureX users can now automatically enrich IOCs from Cisco SecureX; gain unparalleled context with essential explanations of IOCs (hash/URL/domain); enhance Cisco SecureX with seamless integration of real-time contextual data from the most comprehensive coverage of deep and dark underground sources; proactively analyze and investigate new malware threats as they emerge; get actionable insights to effectively mitigate threats; better understand malware TTPs and trends; and easily and intuitively visualize their threat map. Read more here.

The Splunk CIM module enables SecureX threat response to collect Sightings from many data sources by using the Splunk Common Information Model (CIM) as a translation layer between data models. Read more here.


Cisco Endpoint Security Analytics (CESA) delivers Cisco AnyConnect endpoint data to prebuilt Splunk analytics and dashboards. This add-on enables SecureX threat response investigations to access telemetry that has been generated by the AnyConnect Network Visibility Module. Supported observable types include IPv4 addresses, IPv6 addresses, domains, file names and SHA256 file hashes. The extension for Splunk can be downloaded here.


[7] New SecureX Orchestration Integrations


ManageEngine offers enterprise IT management software for service management, operations management, Active Directory and secur
