Cisco Security ANZ - Technical Update - October 2024

Written by techies for techies

Recent Announcements

  • Forrester names Cisco a Leader in Enterprise Firewall Solutions
  • Forrester names Cisco a Leader in Micro-segmentation Solutions
  • Miercom SSE Benchmark Report: Cisco leads in SSE/ZTNA, ahead of Zscaler, Palo Alto Networks, and Netskope.
  • Cisco completes the acquisition of Robust Intelligence, fortifying the future of Security for AI
  • In case you missed the announcements from the past few weeks:
    - Cisco Secure Access has been named an Overall Leader in the KuppingerCole Zero Trust Network Access (ZTNA) Leadership Compass.
    - Cisco Security Cloud provides new capabilities across the Cloud that extend its security architecture in the age of AI: an open security platform that eliminates vendor lock-in.
    - Cisco introduces the new Firewall 1200 Series, which consolidates SD-WAN and advanced security in a single, high-performing, all-in-one firewall.
    - Cisco Hypershield bolsters hardware acceleration to analyze and respond to anomalies in application and network behavior, now supporting AMD Pensando Data Processing Units (DPUs), to be available from Cisco's Unified Computing System (UCS) servers and other leading vendors, and in future service-accelerated switching platforms.
    - Cisco University: join for free and elevate your Cybersecurity, Network Security, Forensics, and Incident Response skills.

Upcoming events

- Cisco LIVE - Melbourne (Nov 11-14, 2024): AI takes centre stage at Cisco Live 2024 Melbourne, empowering you to expand your horizons and immersing you in the next wave of Cisco's transformative technologies. Learn to work faster, safer, and smarter and become part of the movement that will Go Beyond what's possible.

- Secure Application Access with Phishing-Resistant MFA (Oct 15, 2024): Learn from our experts how to secure application access with phishing-resistant MFA. You will also understand different ways to protect an application, such as RADIUS, SAML with SSO, and so on.

- Day 2 Operations with Visibility, Analytics and Policies (Oct 22, 2024): Join us as our experts cover best practices for operationalizing the Secure Network Analytics (SNA) solution through Day 2 Operations capabilities, and learn how to operationalize SNA Policy Management.

- Upgrade Best Practices: The latest and greatest awaits (Oct 10, 2024): Learn how to prepare for an SNA upgrade, including reviewing the product compatibility matrix, performing an upgrade analysis, determining system readiness, and following a pre-upgrade checklist. You will also learn about the steps to perform the upgrade, together with the process to validate the upgrade and any other post-upgrade steps.

- ISE Upgrade (Oct 23, 2024): Learn the steps to prepare, perform, and validate a successful ISE upgrade without headaches. This session will cover best practices and strategies to minimize downtime, as well as various methods of upgrades for different types of ISE deployments.

Latest from Cisco Talos

For up-to-date security news, the latest vulnerability information and interesting blog posts, please visit: Talos Threat Source newsletter

Interesting Readings

Cisco Security Advisories and Open Field Notices

- Cisco Nexus Dashboard Fabric Controller Arbitrary Command Execution Vulnerability

- Cisco Smart Licensing Utility Vulnerabilities: Multiple vulnerabilities in Cisco Smart Licensing Utility could allow an unauthenticated, remote attacker to collect sensitive information

Note: Only critical and most recently published advisories and notices are listed above. Please visit the list of advisories for a complete list of affected products and recommended workarounds.

Product Updates

Cisco Secure Firewall

  • Cisco has released the latest FTD software version 7.6.0. Highlights of the new Management Center features in Version 7.6.0:
    - Cisco AI Assistant for Security.
    - VMware vSphere/VMware ESXi 8.0 support.
    - Device templates allow you to deploy multiple branch devices with pre-provisioned initial device configurations (zero-touch provisioning).
    - Serial-number registration (zero-touch provisioning) supported from an on-prem management center.
    - Multi-instance mode for the Secure Firewall 4200.
    - 16-node clusters for the Secure Firewall 3100/4200.
    - Deploy threat defense virtual clusters across multiple AWS availability zones.
    - Bypass EVE block verdict for trusted traffic.
    - QUIC decryption.
    - Passive identity agent for Microsoft AD.
  • Current Suggested Release: Version 7.4.2. Please note that the suggested release is a general suggestion based on a number of criteria (stability, field life, customer feedback, etc.). A different software version may be more suitable in your environment based on specific requirements such as software features or the platform(s) in your environment.
  • Zero-touch provisioning with Cisco Firewall Management Center Templates: pre-provision firewalls with all required pre-configured policies and configurations.
  • Previously announced (recent) updates:
    - Cisco introduces the new Firewall 1200 Series, which consolidates SD-WAN and advanced security in a single, high-performing, all-in-one firewall.
    - Suggested release notifications: the Management Center now notifies you when a new suggested release is available.
    - Encrypted Visibility Engine enhancements: block malicious communications in encrypted traffic based on threat score.
    - Migrate from Firepower Management Center 4600 to Secure Firewall Management Center for AWS.

For all updates and enhancements, please visit: Cisco Secure Firewall New Features

Cisco Identity Services Engine (ISE)

  • Cisco ISE 3.4 is now generally available. Highlights from version 3.4:
    - With Common Policy, administrators can send each domain the same user, endpoint, and application workload context, so that they have the flexibility to enforce policies on the domain of their choice.
    - Dynamic Reauthentication provides the ability to grant access for a determined amount of time. Once that time is complete, the devices are automatically removed.
    - pxGrid Direct Sync Now allows you to immediately synchronize data from pxGrid Direct Connectors.
    - pxGrid Direct URL Pusher allows ISE to directly integrate with Configuration Management Database (CMDB) servers that support JSON format.

For more details and new features included in ISE version 3.4, please visit: https://blogs.cisco.com/security/cisco-ise-3-4-begins-june-with-a-bang

Cisco Secure Access and Cisco Umbrella

  • Note: Cisco Umbrella release notes, announcements and the OpenDNS discussion forum are now part of Cisco Community
  • Umbrella edge data center now available in Seoul, South Korea
  • Umbrella Active Directory Connector - Version 1.14:
    - Introduces Enhanced Authentication for Active Directory Connector.
    - Introduces support for manually-provided LDIFs as an alternative to Active Directory.
    - Includes branding changes that will impact the service description, program name, executables, and some file/folder names and locations.
  • Documentation Assistant for Cisco Secure Access:
    - Instant Answers: The Documentation Assistant can interpret your questions typed in natural language and provide immediate answers from our extensive Secure Access documentation.
    - Complex (Composite) Query Handling: It can manage complex queries that involve looking up multiple documents and pages to deliver comprehensive responses.
  • Resource Connectors for Azure are now available from the Azure marketplace
  • Client-based Zero Trust Access for iOS Devices: Support for users to access private resources from their Apple iOS mobile devices (iPhone or iPad) using the Zero Trust Access app. This Cisco Secure Client app uses Apple's platform-native zero trust network access technology.

For all updates and enhancements, please visit Cisco Secure Access Release Notes

Cisco Multicloud Defense

  • Features and enhancements in Version 24.09 (September 30, 2024):
    - Beta: AWS Cloud WAN Support.
    - Enhancement: Network Visibility Report. The network visibility report now includes a summary of activity.
    - Enhancement: GCP Load Balancer. GCP now uses a single load balancer for both TCP and UDP traffic. By streamlining the work to a single load balancer, configuration and maintenance tasks are simplified, which reduces the complexity of your network infrastructure and improves resource utilization.
  • Features and enhancements in Version 24.08 (September 3, 2024):
    - Improved FQDN object matching functionality.
    - Improved general performance.
  • If you missed updates from the past few weeks: You can now create site-to-site VPN tunnel connections with the following cloud service providers and platforms:
    - Amazon Web Services (AWS)
    - Microsoft Azure
    - Google Cloud Platform (GCP)
    - Cisco ASA managed by Cisco Defense Orchestrator
    - Multicloud Defense Gateways
    - Extranet devices

For all updates and enhancements, please visit new features and enhancements

Cisco Duo

  • Duo Desktop as an Authentication Method: If your organization wants to use 2FA but your end users don't have access to a secondary device, Duo Desktop can be used as an authentication method.
  • Duo Passport: Reduce the number of interactive authentications that end users must complete by extending "remember me" functionality across all applications.
  • Identity Intelligence with Duo: In a world where identity has become the most attacked perimeter, Cisco & Duo are doubling down on a security-first approach to identity and access management.

For all updates and enhancements, please visit most recent updates to Duo

Cisco Secure Workload

  • Enhancements in the latest release, 3.9.1.52:
    - The number of attribute fields that can be imported from ServiceNow is increased from 10 to 15.
    - You can download the aggregated workload vulnerability information in CSV format from the Vulnerabilities > Vulnerability Dashboard page.
    - When you disable or re-enable Enforcement for specific agents from the Agent List page, the operation is logged in the Service > Settings > Change Logs page.
    - LDAP attributes for username-based authentication can now be configured with multiple attributes in the external authentication configuration page.
    - To support external LDAP users, you can now create users without an email address, and users can authenticate using the user login or samAccountName attributes.
    - Alerts generated over Email when configured using the Email Connector are now displayed in a tabular format.
    - The AIX Agent now includes a Cisco-provided IPFilter kernel extension. During the transition from enforcement off to on, the agent will unload and uninstall any previously installed non-Cisco IPFilter, then load the Cisco IPFilter extension.

For all updates and enhancements, please visit Cisco Secure Workload Release Notes

Cisco Secure Email

  • Transitioning from SecureX to XDR: It is essential to integrate your Secure Email Gateway with the new XDR platform
  • Identifying Messages that Violate End-Of-Message RFC Standard: Identify and filter the messages that violate the end-of-message RFC standard (that is, ) to detect threats
  • Monitoring Vault Service and Sending Alerts: Monitor the Vault service and keep track of its status, whether it is initialized or not.
  • Configuring Threat Scanner for Threat Detection: Enable or disable Threat Scanner for each incoming mail policy
  • C5 Nitro-Instance Support for AWS
  • TLS 1.3 Support for SSL Services: You can now configure TLS 1.3 for GUI HTTPS, Inbound SMTP and Outbound SMTP

For all updates and enhancements, please visit AsyncOS v15

Cisco ETD (Email Threat Defense)

  • September 20, 2024 Update: Improved engine classifier responsiveness to messages reclassified as non-threat
  • Miscellaneous (recent) updates:
    - QR code analysis is restored for .doc and .docx files. URLs are extracted and sent to engines for analysis.
    - The Message Search API allows you to filter messages based on Verdict Indicators, Action Indicators, Attachments and Links, and Last Action.
    - W3C URLs are no longer extracted from emails and shown on the Secure Email Threat Defense UI.
    - Rate limiting has been implemented on Public APIs.

Cisco Vulnerability Management (formerly Kenna Security)

  • Cisco Vulnerability Management Agent Release 1.3.2079: For users of the Agent, release 1.3.2079 patches the Agent Go libraries to address CVE-2023-45288
  • Dynamic Service Level Agreements (SLA): When creating or editing an SLA, you can now choose to have the SLA due date updated automatically when the Risk Score changes between risk categories: low, medium, high.
  • Vulnerability Intelligence+ (VI+) enhancements: The Cisco Vulnerability Management Vulnerability Intelligence+ (VI+) data snapshot now uses large language models (LLMs) and new machine learning (ML). These techniques are used to generate tags for STRIDE+ threat, outcome, prerequisites, and components for CVEs in the VI+ data feed.
  • Previously announced (recent) updates:
    - CVM now uses centralized user management for credential storage and management of client authentication.
    - CVM now supports ingesting version 5.0 of CVE data from MITRE Corporation, which ensures that there will be no disruption in the data feed.
    - CVM training is included in the Black Belt Fire Jumper Partner Training.

For all updates and enhancements, please visit Cisco Vulnerability Management Release Notes

Cisco Secure Network Analytics

  • Recommended reading: Leveraging Threat Intelligence in Cisco Secure Network Analytics
  • Software updates and recent enhancements: Secure Network Analytics version 7.5.1 is now available. The Network Insights dashboard is a customizable dashboard template that contains several reports by default, including the Firewall Log Collection Trend Report, Flow Collection Trend by Flow Collector Report, Flow Collection Trend by Exporter Report, Host Group Application Traffic Report, Host Group Flow Traffic Report, Network and Server Performance Report, and NVM Collection Trend Report. It gives analysts the ability to schedule customized reports and send those as needed.

For all updates and enhancements, please visit Cisco Secure Network Analytics

Cisco XDR

  • Recommended reading: Black Hat 2024: SOC in the NOC
  • Software updates and recent enhancements:
    - You can now hover over the product badges on the technique cards to display, in a tooltip, the products that are selected and covered by the technique.
    - Incident Promotion Reason tile removed from dashboards.
    - Playbook task status updates on the Response page.
    - Target selection when an integration supports multiple targets.
    - The following topics have been added to the Cisco XDR help: Attack Surface Management Integration, Cisco Vulnerability Management Integration, Secure Network Analytics Integration, Secure Workload Integration, Splunk Cloud Integration, and Webex Integration. The links to the topics have been added to the table in the Cisco and Third-Party Integrations and Supported Capabilities topic.
  • If you missed updates from the past few months:
    - Risk scores added to MITRE ATT&CK Coverage Map: Risk scores indicate the probability of financial impact if the MITRE ATT&CK patterns are not mitigated, and they are the detection risk used to calculate the priority score for incidents.
    - Preview added to Add Note on the Response page: The Preview tab has been added to the Add Note text editor when you add notes within tasks in the response playbook on the Response page.
    - Exchange workflow notification: As a content author with the Administrator role, once you've submitted a request to publish your workflow to Exchange, you will be notified of whether it was approved or rejected by the content moderator.
    - Network Visibility Cloud Module: The Network Visibility Module has been separated into two different versions of the module when creating deployments. When creating a new deployment, select Network Visibility Module for the on-premises version, or select Network Visibility Cloud Module for the cloud version.
    - The Microsoft Azure Active Directory - Users integration has been renamed to Microsoft Entra ID.

For all updates and enhancements, please visit Cisco XDR release notes

Cisco Secure Endpoint

  • Secure Endpoint Windows connector 8.4.1 now includes support for Windows 11 on ARM
  • Enhanced efficacy for Behavioral Protection PowerShell script analysis.
  • Improved support for Behavioral Protection OS API telemetry.
  • Added protection against attempts to block connector communication with Cisco cloud servers.
  • Improved PowerShell script exclusions.
  • Improved protection against anti-malware scan interface (AMSI) bypass techniques when Exploit Prevention is enabled.
  • End of life for SecureX is effective as of 31 July 2024. As of that date, users can expect access to SecureX functionality to be disabled, including SecureX Threat Response and SecureX Automation.

For all updates and enhancements, please visit Cisco Secure Endpoint Release Notes

Cisco Secure Client

  • Cisco is proud to release Cisco Secure Client (formerly AnyConnect) version 5.1.6.103 (MR6), with support for macOS 15 (Sequoia). Subsequently, we will drop support for macOS 12 (Monterey).
  • If you missed updates from the last few months:
    - Option to send a DART bundle directly to TAC.
    - Option to suppress connection retries after a connection failure or disconnection of a VPN session.
    - Dual-Home Detection for Windows: Disables untrusted interfaces so that a multi-homed endpoint doesn't switch from a corporate network to a public network, leaking private corporate information.
    - Cisco Secure Client Cloud Management 1.0.3.433 now supports deployment for macOS.

For all updates and enhancements, please visit Cisco Secure Client Release Notes

Siruo Yu

Security Assurance | Risk Management | Cybersecurity & Privacy | CISSP | CCIE Security

4 months

Keen to hear the Security for AI part. AI Governance is particularly interesting to us at the moment. Thanks for sharing John Jones!

Dor Azumi

Cyber Security Technical Solutions Architect at Cisco

4 months

Amazing

Peter M.

Managing Director, Global Security Sales Organisation, APJC at Cisco

4 months

Thanks for looping me in John Jones. Cisco Security has so much going on at the moment, updates like this are a great way to share the news. Thanks Asif K. for pulling the content together.
