
Upload: lemien

Post on 07-Aug-2018


Page 1

At a glance: WannaCry

Rapid Threat Containment

Asset Visibility and Compliance

Software-Defined Segmentation

‘WannaCry’ Emphasizes the Threat of Ransomware: Cisco ISE Covers You Every Step of the Way

In case you missed the massive WannaCry ransomware attack, the researchers at Cisco Talos have covered it in detail in their blog. WannaCry has affected computers in thousands of locations across the world. The malware spreads as a worm: it scans for other machines that expose SMB (445/tcp) and infects those that are unpatched, with no user interaction required. The demands? Infected users are instructed to pay $300 USD in Bitcoin within six hours or the ransom amount increases.

Customers who have Cisco ISE can use it to defend against such attacks. ISE helps in several ways, covering prevention, containment, and mitigation of the ransomware threat.

© 2017 Cisco and/or its affiliates. All rights reserved.

Cisco ISE for Ransomware: Learn more about what you can do with Cisco ISE for Ransomware at cisco.com/go/ise.

Page 2


Asset Visibility and Compliance: The ability to see which devices are actually on the network can’t be overlooked, because you can’t protect what you can’t see. This means not only user and device identity, but also the actual state of each device: operating system and patch level, anti-virus, installed applications, hardware, host firewall coverage, and so on.

In the case of WannaCry, ISE posture assessment can determine from the patches installed on an endpoint whether it is still vulnerable to the attack (for WannaCry, whether the SMBv1 fix in MS17-010 is missing). Patch compliance policy is then enforced on the basis of that visibility: a non-compliant endpoint gets restricted access until it is brought into compliance.

You can even write a posture condition that looks for the worm’s initial file drop, “C:\Windows\mssecsvc.exe”, and quarantines the device off the network as soon as the file is seen. Treat this as a supplement to patch compliance rather than a replacement: a file-name indicator is specific to this variant, and the check only fires when posture is assessed or reassessed.

Page 3


Rapid Threat Containment: ISE takes threat and vulnerability intelligence from other Cisco security products and from third-party solutions and uses it to control an endpoint’s level of access. Cisco AMP and CTA can provide an endpoint’s threat rating in STIX format, based on its behavior, and ISE can then cut the infected endpoint off from further network access. Integration with vulnerability assessment vendors such as Qualys, Rapid7, and Tenable means the endpoint gets scanned to find out whether WannaCry could leverage the ETERNALBLUE exploit against it. If the scan confirms the vulnerability, the scanner reports it to ISE, which records the endpoint’s vulnerability status with the corresponding CVSS score; an authorization policy keyed on a ‘high’ CVSS score then blocks or restricts the device.

ISE can also simply receive an alert that quarantines a compromised device. Whether ISE is integrated with Cisco Firepower, Stealthwatch, or one of the many Cisco Technology Partners, you can react automatically and contain threats immediately. For example, Stealthwatch raises security events that correspond to the stages of a WannaCry infection: Addr_Scan on 445/tcp (the worm probing for SMB hosts), High SMB Peers, Worm Activity, Worm Propagation, and Connection to Tor (the ransomware’s command-and-control channel). Once the behavior is determined to be malicious, a single click tells ISE to quarantine the offending device from your network.
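To make the flow-based detection concrete, here is an added example (not Cisco or Stealthwatch code) that re-implements three of the heuristics named above, Addr_Scan on 445/tcp, High SMB Peers, and Worm Propagation, over constructed flow records. Thresholds, the flow field names, the internal address prefix, and the sample traffic are all assumptions; Worm Activity and Connection to Tor are not modelled.

```python
"""
Added example, not Cisco's code: a minimal re-implementation of the kind of
flow-based SMB worm heuristics the page attributes to Stealthwatch (Addr_Scan
on 445/tcp, High SMB Peers, Worm Propagation), run over constructed flow
records. Thresholds, field names and the internal prefix are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int
    syn_only: bool  # True: probe that never completed a handshake (scan-like)


# Assumed thresholds; baseline them against your own network before use.
ADDR_SCAN_MIN_TARGETS = 20   # distinct hosts probed on 445/tcp by one source
HIGH_SMB_PEERS_MIN = 10      # distinct internal hosts with completed SMB sessions
INTERNAL_PREFIX = "10.0."    # assumed internal address space


def _is_smb(flow):
    return flow.proto == "tcp" and flow.dport == 445


def addr_scan(flows, min_targets=ADDR_SCAN_MIN_TARGETS):
    """Addr_Scan: one source sending half-open probes to many addresses on 445/tcp.
    Returns {source: number of distinct targets} for sources over the threshold."""
    targets = defaultdict(set)
    for f in flows:
        if _is_smb(f) and f.syn_only:
            targets[f.src].add(f.dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def high_smb_peers(flows, min_peers=HIGH_SMB_PEERS_MIN):
    """High SMB Peers: completed SMB sessions from one source to an unusual number
    of distinct internal peers (the exploit delivery phase, not just the scan)."""
    peers = defaultdict(set)
    for f in flows:
        if _is_smb(f) and not f.syn_only and f.dst.startswith(INTERNAL_PREFIX):
            peers[f.src].add(f.dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}


def worm_propagation(flows):
    """Worm Propagation: a host that first received a completed SMB session
    (a likely victim) and is now scanning on 445/tcp itself."""
    victims = {f.dst for f in flows if _is_smb(f) and not f.syn_only}
    return sorted(src for src in addr_scan(flows) if src in victims)


def quarantine_candidates(flows):
    """Hosts to hand to ISE for quarantine: any source that trips either
    heuristic. The hand-off itself (e.g. applying an ANC quarantine policy
    through pxGrid) is outside this example."""
    return sorted(set(addr_scan(flows)) | set(high_smb_peers(flows)))


def build_sample_flows():
    """Constructed flow records for the demo; not captured traffic."""
    flows = []
    # Normal user: three completed SMB sessions to the file server.
    for _ in range(3):
        flows.append(Flow("10.0.1.7", "10.0.5.10", 445, "tcp", 40_000, False))
    # Patient zero 10.0.1.99: half-open probes against 25 hosts on 10.0.2.0/24 ...
    for i in range(1, 26):
        flows.append(Flow("10.0.1.99", f"10.0.2.{i}", 445, "tcp", 0, True))
    # ... then completed SMB sessions to 11 of them and to 10.0.1.50.
    for i in range(1, 12):
        flows.append(Flow("10.0.1.99", f"10.0.2.{i}", 445, "tcp", 3_000, False))
    flows.append(Flow("10.0.1.99", "10.0.1.50", 445, "tcp", 3_000, False))
    # Second-stage victim 10.0.1.50 starts scanning in turn (30 hosts on 10.0.3.0/24).
    for i in range(1, 31):
        flows.append(Flow("10.0.1.50", f"10.0.3.{i}", 445, "tcp", 0, True))
    # Unrelated outbound HTTPS traffic (TEST-NET address).
    flows.append(Flow("10.0.1.7", "203.0.113.5", 443, "tcp", 12_000, False))
    return flows


if __name__ == "__main__":
    sample = build_sample_flows()
    print("Addr_Scan:", addr_scan(sample))
    print("High SMB Peers:", high_smb_peers(sample))
    print("Worm Propagation:", worm_propagation(sample))
    print("Quarantine:", quarantine_candidates(sample))
```

On the sample traffic, patient zero trips both Addr_Scan and High SMB Peers, the second-stage victim trips Addr_Scan only, and Worm Propagation singles out the host that was first a target and then a scanner. The normal user, with three sessions to one file server, never appears. In practice the quarantine list would be mapped to MAC addresses or sessions that ISE knows about before the containment action is applied.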

Page 4


Software-Defined Segmentation: The likelihood of a breach is very high. Whether it is a zero-day attack or one like WannaCry that exploits known vulnerabilities on unpatched systems, extensible, scalable network segmentation is critical to reduce, if not eliminate, the spread of ransomware between systems. Cisco TrustSec enables software-defined segmentation with quick, agile group-based policy enforcement. It makes restricting lateral movement feasible for networks of any size and can even achieve microsegmentation between users and devices of the same classification.


DEFCON policy sets enhance your incident response playbook with the ability to move to pre-defined responses to systemic attacks. Rather than changing the authorization of individual users and devices, or making policy changes by hand during an incident, changing the DEFCON state swaps in a different TrustSec policy matrix that defines how users, devices, and systems may talk to each other, raising the “network drawbridges” to protect your critical data while maintaining essential services. For example, you could define DEFCON 4 to kick all guests off the network, DEFCON 3 to kick all BYOD users off the network, DEFCON 2 to restrict peer-to-peer traffic, and DEFCON 1 to severely limit access to your “crown jewels.”
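The following added example (not Cisco code; the real matrix is configured in the ISE GUI) models the DEFCON ladder just described as cumulative overlays on a small TrustSec-style group-based policy matrix. The group names, the base matrix, the assumption that lower DEFCON levels also enforce the rules of the higher-numbered ones, and the exact rule for each level are all assumptions chosen to match the DEFCON 4 to 1 description above.

```python
"""
Added example, not Cisco's code: a model of DEFCON policy sets as cumulative
overlays on a TrustSec-style group-based policy matrix. Group names, the base
matrix and the per-level rules are assumptions chosen to match the page's
DEFCON 4..1 description; the real ISE matrix is configured in the GUI.
"""
from itertools import product

SOURCES = ["Guest", "BYOD", "Employee", "Server", "Admin"]
DESTS = ["Guest", "BYOD", "Employee", "Server", "CrownJewel", "Internet"]
USER_GROUPS = {"Guest", "BYOD", "Employee"}

# Base matrix (DEFCON 5, normal operations): allowed (source, destination) pairs.
BASE_POLICY = {
    ("Guest", "Internet"),
    ("BYOD", "Internet"), ("BYOD", "Server"),
    ("Employee", "Internet"), ("Employee", "Server"),
    ("Employee", "Employee"), ("Employee", "CrownJewel"),
    ("Server", "Server"), ("Server", "CrownJewel"),
} | {("Admin", d) for d in DESTS}

# Each DEFCON level adds one restriction. Levels are cumulative (assumption):
# DEFCON 2 also enforces the DEFCON 4 and DEFCON 3 rules.
DEFCON_RULES = {
    4: lambda src, dst: src != "Guest",                            # guests off the network
    3: lambda src, dst: src != "BYOD",                             # BYOD off the network
    2: lambda src, dst: not (src == dst and src in USER_GROUPS),   # no user peer-to-peer
    1: lambda src, dst: dst != "CrownJewel" or src == "Admin",     # crown jewels: admins only
}


def allowed(level, src, dst, base=BASE_POLICY):
    """True if src may talk to dst at the given DEFCON level (5 = base policy only)."""
    if (src, dst) not in base:
        return False
    return all(rule(src, dst) for lvl, rule in DEFCON_RULES.items() if lvl >= level)


def matrix(level):
    """The full set of allowed (source, destination) pairs at a DEFCON level."""
    return {(s, d) for s, d in product(SOURCES, DESTS) if allowed(level, s, d)}


def revoked_by_move(level_from, level_to):
    """Pairs that stop being allowed when moving from one level down to another."""
    return sorted(matrix(level_from) - matrix(level_to))


if __name__ == "__main__":
    for level in (5, 4, 3, 2, 1):
        print(f"DEFCON {level}: {len(matrix(level))} allowed pairs")
    print("DEFCON 3 -> 2 revokes:", revoked_by_move(3, 2))
```

The point of modelling the levels as a function of the base matrix is that an incident responder changes one state, not dozens of cells: `revoked_by_move` shows exactly which communications each step removes, which is the review you want to have done before an incident rather than during one. Note that the DEFCON 1 rule here cuts servers off from the crown-jewel group as well; whether that is acceptable depends on which services the page's "essential services" means in your environment.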

As you can see, there are many ways to deal with ransomware attacks through Cisco ISE. There is no silver bullet given the scale and complexity of today’s threat landscape. That is why Cisco offers a portfolio of solutions for effective security that is simple, open, and automated.

Learn more about what you can do with Cisco ISE for Ransomware at cisco.com/go/ise.