Back to BlogAutomating Detection and Response With Cisco Firewalls & VPN
A number of security and collaboration tools are enabling the widespread work-from-home reality, allowing for secure remote access as your employees work from their own personal or corporate-managed devices, from distributed locations.
One of those includes virtual private networks (VPNs) to securely send or receive data across public networks. Your firewalls also provide network security around your perimeter by monitoring network traffic and allowing you to prevent unauthorized access to or from your network.
Firewall and VPN Logging for Threat Analysis
Blumira’s security platform easily integrates with Cisco ASA firewall and FTD (FirePower Threat Defense) to stream and centralize security event logs, including those from Cisco AnyConnect VPN. Then, Blumira’s platform parses and analyzes those logs, automating threat detection and surfacing the most important security findings. Finally, we provide different options for response, with guided playbooks to walk you through remediation.
Threat Detected: Anomalous VPN Access Attempt
One example of a type of finding that Blumira’s platform alerts on is password spraying. In this type of attack, an attacker tries to log in by using a large number of usernames and a single password – this method avoids password lockouts and can often be more effective at uncovering weak passwords than targeting specific users, according Blumira’s Incident Response Engineer Nick Brigmon.
The above depicts the Responder view within Blumira’s platform, listing out the number of events detected and analyzed, as well as how many suspects and threats have been identified.
A ‘suspect’ is a finding that cannot be verified as a threat due to lack of information surrounding the event; they require further investigation in order to determine if it should be escalated. A ‘threat’ is an event that poses an immediate and real threat to the security of data or resources; detected with a very high level of confidence, according to Blumira’s Sr. Incident Response Engineer Amanda Berlin.
The detection includes an analysis of password spraying against specific users on a Cisco AnyConnect VPN device, as well as relevant source and destination IP addresses. In addition to an analysis of the detection, Blumira provides guided steps to mitigate or remediate a threat, available to the designated Responder within the platform through workflow questions.
In this case, we recommend blocking the source IPs of the password spraying attack. Other examples of Blumira’s findings are similar to those detected across other firewalls, such as Palo Alto Network’s Next-Generation Firewalls, including reconnaissance scanning and data exfiltration.
Detecting Common Misconfigurations to Reduce Risks
Blumira can also detect and provide contextual information about common misconfigurations within your environment. One example is any public connections to your network via RDP (Remote Desktop Protocol), which should never be left internet-facing, as it can result in malware infection, including ransomware.
Our own internal honeypot detected a 85% spike in attacks from across the globe against RDP since December 2019, showing the need for additional security measures, such as using virtual private networks (VPNs) for secure remote access and protecting all logins with two-factor authentication.
Another example is detecting public IP connections via SSH to your network – another example of misconfigurations that can leave your organization open to risk. SSH connections should be made via VPN in most cases. Blumira can detect and notify your team of any access attempts that could indicate attacker activity.
See our video walkthrough of Blumira’s integration with Cisco Next-Generation Firewalls ASA & FTD, and Cisco AnyConnect VPN to learn more:
Schedule a live demo, or join our webinar next Thursday at 1pm ET | 10am PT for a product demo of how to automate your threat detection and response with Blumira.
Additional Resources
Here are additional Cisco + Blumira integrations and configuration instructions:
Learn about how to replace your SIEM with an automated detection and response platform in How to Replace Your SIEM, and join us for a live demo, overview and Q&A during our webinar, Automating Threat Detection & Response.