
Crafting a New Universe of Multi-Vendor Security Integrations

When we started the Cisco Security Technology Alliance (CSTA) program years ago we envisaged a robust ecosystem of technology partners integrating with the Cisco Security portfolio to assist our mutual customers in solving complex security problems, reacting to threats, and increasing availability of their IT systems. At the outset, we took the approach of opening our security platform with APIs and advanced data sharing frameworks so that we could create meaningful and functional technology integrations.  The underlying principle was that when we integrate, we offer our customers solutions that are greater than the sum of their parts.

Today we have integration APIs & SDKs across 9 product families in the Cisco Security portfolio – from network access and firewalls to endpoint, and from advanced threat to cloud security. Our latest addition is the API that enables our SecureX Threat Response customers to make the most of their existing investments in both their Cisco Security products and technology partners adopting the API.

Today we are excited to welcome 30 new industry partners with 55 new product integrations to the CSTA program. This is our largest number of partner integrations announced in the 7-year history of the program. A key driver for this has been the launch of our SecureX platform and the large Threat Response ecosystem arising from it.

CSTA has now grown to over 200 partners representing over 350 product-to-product integrations. We have accomplished this together with our vendor partners by creating developer-friendly integration frameworks. The Cisco Developer Network lets our technology partners rapidly build integrations with Cisco products, platforms, and APIs, and provides SDKs, tutorials, learning labs, and sandbox environments to accelerate integration efforts.

Globally, organizations face unprecedented change, and security executives have to adapt quickly to ensure business continuity, integrity, and availability. By taking a coordinated and collaborative approach to our integrations, our mutual customers can rise to the challenge and solve security problems more effectively and more efficiently. See details of the new partners and product integrations below.

Please read more about the SecureX Threat Response ecosystem announcement Here


Here’s a summary of what’s new:

New Cisco Advanced Malware Protection (AMP) for Endpoints Integrations

Using the Cisco AMP for Endpoints APIs, partner integrations give analysts rich threat information and actions on endpoint events, such as retrieving endpoint information, hunting for indicators on endpoints, and searching events. Arctic Wolf Networks, Exabeam, IBM QRadar, LogicHub, Perch Security, RSA NetWitness, ServiceNow, and TheHive Project are the 8 integrations now available to AMP for Endpoints customers. These integrations collect AMP for Endpoints event data via the streaming API for correlation or other uses.

New Cisco Cloud Security Integrations

The Cisco Cloud Security ecosystem also expands with more integrations. eSecure integrates with Cisco Umbrella to streamline incident response and risk management with automated threat categorization and log analysis. D3 and LogicHub integrate with Cisco Umbrella to provide playbook-based automation and threat enrichment, allowing real-time threat triage and prioritization.

Multi-Vendor Threat Event & Platform Management for Cisco Next-Gen Firewall and ASA

Cisco Firepower and ASA have new partner integrations. BackBox’s Intelligent Automation helps Firepower and ASA customers centralize and automate backup of their deployments. UBiqube provides a firewall management solution. eSECURE SecureVisio integrates with Firepower, enriching it with complete Security Operations Center (SOC) functionality, including SIEM and SOAR. Varonis integrates with Firepower and ASA to feed its behavioral analytics platform. Cyber Observer gives CISOs visibility that Firepower and ASA are running and configured correctly. FS Group provides a threat intelligence feed for Firepower users to act upon.

Cisco ISE Partners being added

The Cisco pxGrid ecosystem is adding to its growing list of partner integrations. Asimily, Culinda and Cylera join the IoT visibility partners, providing enhanced visibility of IoT devices on the network and leveraging ISE to take remediation actions. BluSapphire, a Unified Cyber Defense solution, enriches its platform with contextual information from ISE and takes containment actions. The ISE MDM/UEM partner ecosystem adds 42Gears to its extensive list.

Cisco Security Connector (CSC) Integrations

Cisco Security Connector for Apple iOS provides organizations with the visibility and control they need to confidently accelerate deployment of mobile devices. CSC is the only Apple approved security application for supervised iOS devices, and integrates with best-in-class MDM/EMM platforms. CSC now adds support for Microsoft Intune.

Cisco Threat Grid Threat Integrations

Using the Cisco Threat Grid API, a new integration with TheHive Project joins the Cisco Threat Grid ecosystem. This integration simplifies threat investigation for our joint customers by incorporating Threat Grid threat intelligence directly into the TheHive Project platform.

Cisco SecureX Threat Response Integrations

Cisco SecureX Threat Response automates integrations across select Cisco Security products and accelerates key security operations functions: detection, investigation, and remediation. It also supports third-party products through its API. Earlier this month we announced 31 new integrations as part of the SecureX Threat Response announcement.


For details on each partner integration in this announcement, please read through the individual partner highlights below.

Happy integrating!


More details about our new partners and their integrations:

New Cisco Advanced Malware Protection (AMP) for Endpoints Integrations

  • The Arctic Wolf Platform ingests and parses actionable events from Cisco AMP4EP environments. With an out-of-the-box API integration, mutual customers benefit from the additional forensic investigation context provided by Cisco AMP4EP telemetry. Arctic Wolf collects, enriches, and correlates Cisco telemetry with various other endpoint, network, and cloud indicators, and then performs analysis with multiple detection engines. The Concierge Security® Team delivers personalized 24×7 eyes-on-glass coverage, with customized detection and reporting, remediation guidance, and audit support.
  • Exabeam provides advanced threat detection, by integrating data from Cisco solutions like AMP for Endpoints, within a customer environment. Exabeam builds behavioral baselines for user and machine behavior, using this integrated data and patented machine learning techniques. As a result, Exabeam can indicate user behavior that is both unusual and risky, quickly enough to take effective action. For example, Exabeam can ingest log data from Cisco AMP, and link that activity to other behavior, such as source code access in GitHub or customer data access in Salesforce.
  • IBM MaaS360 with Watson delivers a cognitive/AI approach to unified endpoint management (UEM) to enable endpoints, end users and everything in between – including apps, content and data. Offering an open platform, MaaS360 makes integration with existing apps and systems seamless and straightforward, including AMP for Endpoints.
  • LogicHub automatically enriches, investigates and scores a malicious-binary alert from AMP for Endpoints based on organizational variables. If the score is high enough, LogicHub automatically uses AMP to quarantine the binary across the network. Security analysts can require one-click authorization for any quarantine, or it can be configured based on device type, risk rating, etc. Security analysts can also execute an ad hoc search within AMP, Umbrella, Threat Grid, any SIEM or against any other data from directly within the case to further investigate prior to executing any actions.
  • Perch Security’s SIEM can ingest all events from Cisco AMP for Endpoints. Perch SOC services correlate AMP for Endpoints event review with threat management activity involving IDS and logs. Customers can store Cisco AMP for Endpoints logs for as long as required, search the data and filter on any field, and create visualizations and scheduled reports from Cisco AMP data.
  • The RSA NetWitness Cisco AMP plugin collects the events generated by AMP for Endpoints (Audit, Domain Controller, IP Blocking Group, Protect, Server and Triage groups). AMP for Endpoints prevents threats at point of entry, then continuously tracks every file it lets onto your endpoints.
  • The AMP for Endpoints App on ServiceNow provides users with the ability to integrate event data from AMP for Endpoints into ServiceNow by creating ITSM incidents. The app automates the collection of events from AMP for Endpoints and groups them into single incidents.
  • TheHive Project is a scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. The Cisco AMP for Endpoints responder includes the following features: add a SHA256 to a Simple Custom Detection List, the Hive Case ID and Description are appended to the description, remove a SHA256 from a Simple Custom Detection List, move a connector GUID to a new group, start Host Isolation, set a custom unlock code and stop Host Isolation.
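For readers who want to see what the responder actions listed above look like at the API level, here is an added example; it is not part of the blog post and is not TheHive Project’s own Cortex responder code. It assumes the Cisco AMP for Endpoints v1 REST API (HTTP basic auth with a client id and API key, and the /v1/file_lists and /v1/computers endpoints); the hostname default, the GUIDs, hashes and credentials in it are constructed sample values.

```python
# Added example, not code from the Cisco blog post or from TheHive Project's
# own Cortex responder. It shows how the responder actions listed above map
# onto the Cisco AMP for Endpoints v1 REST API (basic auth with client id and
# API key; /v1/file_lists and /v1/computers endpoints). The list/connector
# GUIDs, hashes and credentials used in main() are constructed sample values.
import base64
import json
import re
import urllib.request
from dataclasses import dataclass
from typing import Optional

AMP_API = "https://api.amp.cisco.com"  # North America cloud; other regions use their own host

SHA256_RE = re.compile(r"[0-9a-f]{64}")
GUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}")


@dataclass
class AmpRequest:
    """One prepared HTTP call, kept separate from sending so it can be logged or approved first."""
    method: str
    url: str
    headers: dict
    body: Optional[dict] = None


def _check(pattern: "re.Pattern", value: str, what: str) -> str:
    # Validate observables and GUIDs before they are spliced into a URL path.
    value = value.strip().lower()
    if not pattern.fullmatch(value):
        raise ValueError(f"invalid {what}: {value!r}")
    return value


class AmpResponder:
    def __init__(self, client_id: str, api_key: str, base: str = AMP_API):
        token = base64.b64encode(f"{client_id}:{api_key}".encode()).decode()
        self.base = base.rstrip("/")
        self.headers = {
            "Authorization": f"Basic {token}",
            "Accept": "application/json",
            "Content-Type": "application/json",
        }

    def _req(self, method: str, path: str, body: Optional[dict] = None) -> AmpRequest:
        return AmpRequest(method, self.base + path, dict(self.headers), body)

    # Simple Custom Detection list: the entry description carries the TheHive case id
    # and description, so the origin of the block is visible in the AMP console.
    def add_to_scd(self, list_guid: str, sha256: str, case_id, case_desc: str) -> AmpRequest:
        lg, h = _check(GUID_RE, list_guid, "list GUID"), _check(SHA256_RE, sha256, "SHA256")
        desc = f"TheHive case #{case_id}: {case_desc}"
        return self._req("POST", f"/v1/file_lists/{lg}/files/{h}", {"description": desc})

    def remove_from_scd(self, list_guid: str, sha256: str) -> AmpRequest:
        lg, h = _check(GUID_RE, list_guid, "list GUID"), _check(SHA256_RE, sha256, "SHA256")
        return self._req("DELETE", f"/v1/file_lists/{lg}/files/{h}")

    def move_to_group(self, connector_guid: str, group_guid: str) -> AmpRequest:
        c, g = _check(GUID_RE, connector_guid, "connector GUID"), _check(GUID_RE, group_guid, "group GUID")
        return self._req("PATCH", f"/v1/computers/{c}", {"group_guid": g})

    # Host isolation; an optional custom unlock code lets a local admin lift it offline.
    def start_isolation(self, connector_guid: str, comment: str, unlock_code: Optional[str] = None) -> AmpRequest:
        c = _check(GUID_RE, connector_guid, "connector GUID")
        body = {"comment": comment}
        if unlock_code:
            body["unlock_code"] = unlock_code
        return self._req("PUT", f"/v1/computers/{c}/isolation", body)

    def stop_isolation(self, connector_guid: str, comment: str) -> AmpRequest:
        c = _check(GUID_RE, connector_guid, "connector GUID")
        return self._req("DELETE", f"/v1/computers/{c}/isolation", {"comment": comment})


def send(req: AmpRequest, timeout: int = 30) -> dict:
    """Perform a prepared call; needs network access and real credentials."""
    data = json.dumps(req.body).encode() if req.body is not None else None
    r = urllib.request.Request(req.url, data=data, headers=req.headers, method=req.method)
    with urllib.request.urlopen(r, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    amp = AmpResponder("client-id", "api-key")          # placeholder credentials
    lst = "11111111-2222-3333-4444-555555555555"         # constructed SCD list GUID
    conn = "66666666-7777-8888-9999-aaaaaaaaaaaa"        # constructed connector GUID
    for r in (amp.add_to_scd(lst, "A" * 64, 42, "phishing dropper"),
              amp.start_isolation(conn, "TheHive case #42", unlock_code="s3cr3tcode")):
        print(r.method, r.url, json.dumps(r.body))
```

Each method returns the prepared request instead of sending it, so a playbook can log it or require one-click approval before `send()` fires, and the SHA256 and GUID checks stop a malformed or attacker-supplied observable from being spliced into a URL path.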

New Cisco Cloud Security Integrations

  • D3’s next-generation SOAR platform integrates with seven Cisco tools: Umbrella, Threat Grid, Firepower Next-Gen Firewall, ESA, ISE, Meraki, and Duo. D3 ingests security alerts, enriches them with intelligence from sources like Cisco Umbrella, and orchestrates codeless response playbooks to eliminate the threat.
  • eSecure SecureVisio provides a single platform to detect and manage incidents, vulnerabilities, and risks. Events from Cisco Umbrella are correlated by SecureVisio SIEM rules with other events, with electronic documentation of networks and IT systems, and with automated algorithms for cyber threat likelihood / risk assessment and business impact analysis. While handling an incident in the SecureVisio SOAR interface an operator can modify policy for Cisco Umbrella. Policy changes might include adding an IP address or URL to a block list, or removing one from it.
  • LogicHub delivers intelligent automated threat detection, alert triage and incident response at scale. Automated playbooks within LogicHub can be initiated via Umbrella integration or any other security alert. LogicHub automatically investigates each alert, submitting relevant data to Umbrella for additional analysis and using the data to triage alerts, enrich confirmed threat cases, and then update Umbrella for future enforcement.

New Cisco Firepower Next-Gen Firewall Integrations

  • eSecure SecureVisio integrates with Cisco security products including Firepower NGFW and Umbrella and enriches them with complete Security Operations Center (SOC) functionality, including SIEM and SOAR. eSecure can make policy changes through Firepower’s REST API in response to critical security events.
  • BackBox’s Intelligent Automation helps Cisco Firepower and ASA customers centralize and automate backup of their deployments, as well as drive rapid restoration in a disaster recovery situation. Because configuration and initialization for Cisco deployments, as well as for the customer’s other technologies, is centralized on a single console, customers do not have to learn dozens of unique processes, which increases speed and accuracy.
  • UBiqube MSActivator™ is a simple-to-use software platform that integrates multiple infrastructure domains – devices, environments, applications – and automates their end-to-end lifecycles. Service providers, cities, manufacturers and other enterprises worldwide use the platform to integrate networking and server devices, including Cisco security products, into complex, multi-domain, multi-vendor solutions.
  • Varonis uses behavioral analytics to catch suspicious activity at any point in the kill chain, resulting in fewer but more meaningful alerts, delivered with the context needed to act decisively and cut response times. Varonis collects billions of events from multiple data sources, including Cisco Firepower and Cisco ASA, without endpoint agents, and applies machine learning to build behavioral profiles for every user and device.
  • Cyber Observer gives visibility to CISOs and senior stakeholders to manage tool status and cyber security posture.  CISOs can see if firewalls, including Cisco ASA and Firepower, antivirus, intrusion prevention, VPN, anti-malware software and other tools are running and configured correctly. By year’s end Cyber Observer will support a total of 7 Cisco products.
  • Cisco Firepower users can ingest FS Group’s threat intelligence feed with Cisco’s Threat Intelligence Director and immediately block and alert on potentially risky connections. In addition to providing a feed to government agencies and private companies, FS Group collaborates closely with international organizations and is actively involved in reforming national legislation aimed at regulating the IT market.

New Cisco pxGrid & Cisco ISE MDM Integrations

  • ASIMILY INSIGHT is a comprehensive inventory, lifecycle & risk management, cybersecurity orchestration platform for healthcare’s connected devices. ASIMILY’s best-of-breed exploit analysis & risk profiling enabled by passive monitoring capabilities creates a strategic & tactical protection framework for healthcare organizations. ASIMILY INSIGHT’s integration with Cisco ISE via pxGrid provides a seamless integration into the customer’s cybersecurity and risk management workflows to rapidly mitigate and protect in today’s dynamic vulnerability/threat environment.
  • BluSapphire Unified Cyber Defense Platform integrates with Cisco ISE using Cisco Platform Exchange Grid (pxGrid) to enrich sensor and log data with contextual information like asset identity, asset location, asset posture and currently logged-on user(s). BluSapphire also uses pxGrid to orchestrate rapid threat containment, enabling asset isolation/quarantine or disconnecting the asset from the network. With pxGrid integration, BluSapphire gives customers rich contextual information for faster triage and real-time threat response for managed and unmanaged assets on the network, all within the BluSapphire console, fitting into the customer’s existing cybersecurity workflow.
  • Culinda is the world’s first IoT/IoMT security platform with blockchain-enabled asset inventory, network threat detection and prevention. By integrating Culinda with Cisco ISE via pxGrid, customers benefit from discovery through to prevention. By utilizing Culinda’s combination of AI and human intelligence, the threat landscape of medical and IoT devices across organizations can be drastically reduced.
  • Cylera’s platforms and solutions empower healthcare providers to protect the safety of their patients, assets, and clinical workflows from cyberattacks. Cylera provides clinical engineering and information security teams with a unified solution to manage and protect the entire connected HIoT environment including medical devices, enterprise IoT, and operational technology. Cylera integrates with Cisco ISE over pxGrid to bring medical IoT visibility into ISE.
  • 42Gears, a leading unified endpoint management (UEM) solution provider, joins CSTA by integrating SureMDM with Cisco ISE. The integration via the ISE MDM API allows Cisco ISE to leverage 42Gears’ management and security capabilities to support network access control and dynamically update network privileges based on the state of a given device. As a result, users bringing personal devices to work can join the company’s network and be brought into compliance with corporate security policies without the need for IT intervention.

New Cisco Security Connector Integration

  • Manage apps and settings on all your Windows and iOS devices from the Microsoft Intune unified web-based console. Add Cisco Security Connector device management and security capabilities to dedicated devices from the Intune console, where you manage the rest of your identity-driven endpoints.

New Cisco Threat Grid Integration

  • TheHive Project is a scalable, open source and free Security Incident Response Platform, tightly integrated with MISP (Malware Information Sharing Platform), designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly. The Cisco Threat Grid analyzer features include: submit a `file` for analysis, submit a `url` for analysis, query Threat Grid for a `hash` (MD5, SHA1, SHA256) and get the highest scoring analysis results, pivot into Threat Grid report to view the analysis, pivot into Threat Grid report to a specific Behavioral Indicator and pivot into Threat Grid report to a specific TCP/IP Stream.
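The hash-lookup step of the analyzer above (query Threat Grid for an MD5/SHA1/SHA256 and keep the highest-scoring analysis) as an added example; this is not code from the blog post or from TheHive Project’s own Cortex analyzer. It assumes the Threat Grid v2 submissions search endpoint with the API key passed as a query parameter; the JSON layout parsed by `highest_scoring`, the verdict thresholds, and `SAMPLE_RESULT` are assumptions and constructed data for this example, not a captured Threat Grid response.

```python
# Added example, not code from the blog post or from TheHive Project's own
# Cortex analyzer. It covers the hash-lookup step described above: classify
# the observable as MD5/SHA1/SHA256 by digest length, build the Threat Grid
# v2 submissions search URL (api_key as a query parameter), and pick the
# highest-scoring analysis from the result. The JSON layout parsed by
# highest_scoring and the verdict thresholds are assumptions for this
# example, and SAMPLE_RESULT is constructed, not a captured response.
import re
from typing import Optional
from urllib.parse import urlencode

THREAT_GRID = "https://panacea.threatgrid.com"
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}


def hash_type(observable: str) -> str:
    """Classify a hex digest by length; rejects anything that is not a hash."""
    h = observable.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", h) or len(h) not in HASH_TYPES:
        raise ValueError(f"not an MD5/SHA1/SHA256 hex digest: {observable!r}")
    return HASH_TYPES[len(h)]


def search_url(observable: str, api_key: str, host: str = THREAT_GRID) -> str:
    hash_type(observable)  # refuse to query with a non-hash observable
    query = urlencode({"q": observable.strip().lower(), "api_key": api_key})
    return f"{host}/api/v2/search/submissions?{query}"


def highest_scoring(result: dict) -> Optional[dict]:
    """Return the submission with the highest threat_score, or None if none has a score."""
    best = None
    for entry in result.get("data", {}).get("items", []):
        item = entry.get("item", entry)
        score = item.get("analysis", {}).get("threat_score")
        if score is None:
            continue  # analysis still running or never scored
        if best is None or score > best["threat_score"]:
            best = {"sample": item.get("sample"),
                    "filename": item.get("filename"),
                    "threat_score": score}
    return best


def verdict(score: int, malicious: int = 95, suspicious: int = 50) -> str:
    # Assumed thresholds on Threat Grid's 0-100 threat score; tune to local policy.
    if score >= malicious:
        return "malicious"
    if score >= suspicious:
        return "suspicious"
    return "safe"


# Constructed search result: three submissions of the same file, one unscored.
SAMPLE_RESULT = {"data": {"items": [
    {"item": {"sample": "aaaa0001", "filename": "invoice.exe", "analysis": {"threat_score": 45}}},
    {"item": {"sample": "aaaa0002", "filename": "invoice.exe", "analysis": {"threat_score": 95}}},
    {"item": {"sample": "aaaa0003", "filename": "invoice.exe", "analysis": {}}},
]}}


if __name__ == "__main__":
    digest = "d41d8cd98f00b204e9800998ecf8427e"  # MD5 of the empty string, as a sample observable
    print(hash_type(digest), search_url(digest, "API-KEY"))
    top = highest_scoring(SAMPLE_RESULT)
    print(top, verdict(top["threat_score"]))
```

Because the API key travels in the query string, the URL returned by `search_url` should be kept out of proxy and application logs; `highest_scoring` deliberately skips submissions without a score so a still-running analysis cannot be read as a clean verdict.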

The post Crafting a New Universe of Multi-Vendor Security Integrations appeared first on Cisco Blogs.