Because Anti-Virus Isn’t Enough: Beat Today’s Threats with Cisco Security Platform’s Holistic Approach
The moment came in 2016, back in the days when ransomware was still new. The email subjects seemed urgent: “You’ve missed a delivery!” or “Please open this important document now.” People opened the emails, and nothing happened—not at first. But soon, we started to get calls: Our clients couldn’t access their files, or they couldn’t open an application. At the time, we had around 2,000 clients, and each week, we’d get a call with the same complaint. Our service desk would offer to take a look, and sure enough, when they looked into our clients’ machines they would find a ransomware note alongside encrypted files.
It’s terrifying to find that note. At Missing Piece, my team and I knew that something had to change.
Located in the heart of the Netherlands, Missing Piece is a Desktop as a Service (DaaS) company that specializes in small- and medium-sized clients in the financial, accountancy, and business industries. We operate on the private cloud—when we started, the public cloud didn’t exist—and we run everything in our own data centers. For the clients we serve, the private cloud meets their regulatory needs and gives them peace of mind.
Monitoring map of all Missing Piece’s customer locations within The Netherlands
I started with the company 12 years ago, and I’ve watched our client base grow to more than 6,000 end users. We’re still growing, at a rate of 40% year over year. As I watched that growth, I became increasingly interested in security—not just as a box to tick but as a matter of value to our clients. When the company reorganized two years ago, I became team lead, networking and security. Now was the chance to put my security interests front and center.
The World of Modern Ransomware
In the early aughts, cybersecurity was a different ballgame. If anybody copied a file or started an application, security software would check it against a list of programs known to be malicious. If the application was on that “naughty list,” it wouldn’t be allowed to execute. If you had anti-virus software, you felt safe. From a security perspective, those were the good old days.
Today, cyber attacks occur on every level. They act as a hobby for mischievous teenagers, a billion-dollar revenue tool for organized crime, and full-blown warfare by state actors. Attackers generally don’t care who gets caught in the crossfire. You don’t have to be the target to become a victim, and no one is too small to be affected. The infamous NotPetya attack resulted in billions of dollars in damages—vaccines not produced, global shipping ground to a halt, factories at a standstill—and that’s just from the biggest companies. Networks don’t care about national borders, and attacks like NotPetya can quickly escalate to a global scale. The only way to stop a ransomware attack is to tell it to stop.
When we realized we’d become the victim of a malware attack, we flew into action, even knowing that we were already too late. If a user clicks a link and it doesn’t do what they expect, most people just ignore it and go back to their work. By the time anyone realizes they’ve been infiltrated with malware, it’s had a lot of time to work its way into a system and do a lot of damage. When we got called in, we often found the ransomware had been active for anywhere between one and eight hours.
From the moment that ransomware was confirmed, everyone had to stop working and log off the network. Then we had to investigate where the problem originated, who launched it, and whether it was still active. Only after we had answered those questions did we get to start the 10 hours’ work to restore files from the backups. So not only did employees have to stop working, but they lost work from before the attack took place, depending on when the last backup occurred.
We went through this process at least a dozen times. Enough was enough. I realized we needed a system that was proactive in searching for and identifying threats. It needed to automatically take action, not wait for a client to call us with a problem. And it needed to be integrated with our other systems.
An Integrated, Proactive Solution
I have a long history with Cisco. I brought it to Missing Piece when I started there, and our first Cisco security solution was Email Security Appliance (ESA), which we put into place about 10 years ago. It’s a small appliance that started out securing a handful of users by checking a few thousand emails a day, and it now handles well over a million emails a day.
Improving email security had helped a lot, but during the ransomware cleanup, the worst part for us was that we couldn’t be entirely sure we’d caught everything. Once ransomware has been activated on your network, how do you know there isn’t some booby trap or time bomb left behind, waiting for you in the future?
At the time I was focused on email security, but I didn’t know a lot about Cisco’s other security options. It wasn’t until I attended Cisco Live that I came across their Advanced Malware Protection for Endpoints solution, and I realized this would give us the protection we needed. What I especially liked was that it not only featured anti-malware protection, but strong recovery tools as well.
The reality of these threats we’re seeing is that there is no 100% protection anymore, no matter how strict your policy is. Sooner or later something bad is going to happen, so your tools need to focus on more than preventing something nasty from happening. They need to help you recover after something nasty has happened.
Cisco Advanced Malware Protection dashboard for Missing Piece
AMP for Endpoints logs everything and creates a time machine from those logs that shows everything that’s happened on your system. It takes the guesswork out of understanding how an infection happened, because you can see, minute by minute, how that file got there, how it got executed, and which user executed it. From there, you can pivot to look at the entire environment to stop the spread. Most importantly, because you know the root cause and can trace how malware moves through the environment, you can know for certain when you’ve eliminated it completely.
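The tracing described above (how a file arrived, which process wrote it, which user executed it, and on which other machines the same file later appeared) is the kind of question endpoint telemetry answers. The following is an added example, not Cisco's code and not AMP's data format: it reconstructs a process ancestry chain and cross-host sightings from a small set of constructed endpoint events. The field names (host, user, pid, ppid, image, action, path, sha256), the host names and the hash value are all assumptions made for the illustration.

```python
"""Reconstruct how a file got onto a host and who ran it, from endpoint events.

Added example with constructed data; field names and values are assumptions,
not an endpoint product's real schema.
"""

# Constructed telemetry for two hosts. On WS-01 a mail attachment opened in
# Word spawns PowerShell, which drops and runs a payload; on WS-02 a second
# user later runs the same payload (same hash) from a file share.
EVENTS = [
    {"ts": "09:01:10", "host": "WS-01", "user": "j.doe", "pid": 410, "ppid": 1,
     "image": "outlook.exe", "action": "start", "path": None, "sha256": None},
    {"ts": "09:02:30", "host": "WS-01", "user": "j.doe", "pid": 520, "ppid": 410,
     "image": "winword.exe", "action": "start", "path": None, "sha256": None},
    {"ts": "09:02:45", "host": "WS-01", "user": "j.doe", "pid": 610, "ppid": 520,
     "image": "powershell.exe", "action": "start", "path": None, "sha256": None},
    {"ts": "09:03:02", "host": "WS-01", "user": "j.doe", "pid": 610, "ppid": 520,
     "image": "powershell.exe", "action": "write",
     "path": r"C:\Users\j.doe\AppData\Local\Temp\delivery.exe", "sha256": "aaa111"},
    {"ts": "09:03:05", "host": "WS-01", "user": "j.doe", "pid": 700, "ppid": 610,
     "image": "delivery.exe", "action": "start",
     "path": r"C:\Users\j.doe\AppData\Local\Temp\delivery.exe", "sha256": "aaa111"},
    {"ts": "09:40:12", "host": "WS-02", "user": "a.smith", "pid": 300, "ppid": 1,
     "image": "explorer.exe", "action": "start", "path": None, "sha256": None},
    {"ts": "09:41:00", "host": "WS-02", "user": "a.smith", "pid": 350, "ppid": 300,
     "image": "delivery.exe", "action": "start",
     "path": r"\\FS-01\share\delivery.exe", "sha256": "aaa111"},
]


def process_index(events):
    """Map (host, pid) to the process-start event for that process."""
    return {(e["host"], e["pid"]): e for e in events if e["action"] == "start"}


def ancestry(events, host, pid):
    """Walk parent links from a process back to its root.

    Returns the image names from root to leaf, e.g.
    ["outlook.exe", "winword.exe", "powershell.exe"]. A 'seen' set guards
    against pid reuse producing a cycle.
    """
    idx = process_index(events)
    chain, seen, key = [], set(), (host, pid)
    while key in idx and key not in seen:
        seen.add(key)
        event = idx[key]
        chain.append(event["image"])
        key = (host, event["ppid"])
    return list(reversed(chain))


def root_cause(events, sha256):
    """Earliest write of the hash: where it landed, who was logged on, and
    the process chain that dropped it. Returns None if never written."""
    writes = sorted((e for e in events
                     if e["sha256"] == sha256 and e["action"] == "write"),
                    key=lambda e: e["ts"])
    if not writes:
        return None
    first = writes[0]
    return {"host": first["host"], "user": first["user"], "path": first["path"],
            "chain": ancestry(events, first["host"], first["pid"])}


def affected_hosts(events, sha256):
    """Every host on which the hash was written or executed, with the first
    time it was seen there; this is the pivot to the whole environment."""
    first_seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["sha256"] == sha256 and e["host"] not in first_seen:
            first_seen[e["host"]] = e["ts"]
    return first_seen


def executions(events, sha256):
    """(host, user, time) for each execution of the hash."""
    return [(e["host"], e["user"], e["ts"]) for e in events
            if e["sha256"] == sha256 and e["action"] == "start"]


if __name__ == "__main__":
    print("root cause:", root_cause(EVENTS, "aaa111"))
    print("hosts:", affected_hosts(EVENTS, "aaa111"))
    print("executions:", executions(EVENTS, "aaa111"))
```

The point of the two pivots is the one made in the text: `root_cause` explains how the file got there and who ran it, and `affected_hosts` lists every machine the hash touched, so cleanup is only declared complete when that list is empty of unremediated hosts.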
When I returned from Cisco Live, I told my Cisco account manager that AMP for Endpoints looked great in presentations, but I wanted to see how it worked in our environment. He set me up with what they call a Proof of Value—essentially a 60–90 day test run. We were looking for company-wide coverage and visibility and were very happy with how all our Cisco tools fed back into the dashboard. When I saw how much we could now control, we were sold.
This marked a shift for Missing Piece. Security strategy was no longer a necessary but annoying cost. Instead, taking a more proactive stance would add additional value to our customers.
From Pandemic to the New Normal: The Solutions We’re Using to Work from Home
The coronavirus pandemic has been a big shock for every organization, especially if the vast majority of your workforce was previously working from the same place five days a week. Now, employees are likely scattered elsewhere, which presents a different kind of security concern.
We don’t have to worry about emails, because the ESA is located in the data center. But with so many employees taking a work laptop home, it's been a challenge to perform regular updates. AMP for Endpoints is the only thing that kept working without any reconfiguration throughout this huge workforce shift, because devices only need an internet connection for me to push an update. We have all these machines that have missed weeks of program updates, but I know security is the one thing that isn’t lagging behind. AMP for Endpoints is our only solution that is 100% corona-proof. And once we return to the office, Cisco’s solutions like AMP for Endpoints and Umbrella will help us secure our remote employees to ensure that remote work doesn’t affect business continuity.
As long as a machine is connected to the internet, I still have my security intelligence. It’s all there on my dashboard.
Cisco SecureX Threat Response dashboard for Missing Piece
We are also taking advantage of Cisco’s free add-ons. These include workshops on advanced malware protection strategies such as threat-hunting, which teaches a proactive approach to security. I sent at least half of our technical staff to that specific workshop, because a 100-page instructional PDF is never going to replicate a hands-on, in-person workshop with someone from Cisco.
The freebies also include Threat Grid, which is a live analysis of any unknown file that is not already on an “allow” or “block” list. So, you’re not just protecting yourself against known malware, but also the unknown. And the Cisco SecureX Threat Response dashboard itself has several add-ons, including one for Talos, Cisco’s security organization, where I can get intel about any file that’s new to my environment.
I’m also a fanboy for the collaborative Threat Response Casebook. Anything I want to investigate further—a file, machine, email address, or whatever—I add it to the casebook and my colleagues will see it, wherever they are in the world. It allows us to perform our detective work as a team, without ever having to leave that console. The casebook is also available as a browser plugin so you can add information from any webpage or web console to your ongoing investigation.
You Don’t Know What You’re Missing Until It’s Too Late
Users are everywhere, data is everywhere, and therefore protection needs to be everywhere too. Attacks are coming from all different angles, so point solutions are no longer enough. Installing traditional anti-virus software on your laptop will not protect your tablet or your iPhone. You need a solution that not only covers various entry points, but is integrated, active in identifying problems, and automatically isolates that suspicious activity. Without the proper tools, that’s impossible.
Cisco provides a holistic, robust suite of solutions that give us the kind of coverage that anti-virus options of decades past could only dream of. But I know that for many security managers looking at this, it can be hard to know where to start. For that, I recommend Umbrella, Cisco’s DNS protection. Cisco Umbrella examines and categorizes each request from a machine trying to find something on the internet. It’s an easy way to take a temperature check and find out how healthy your environment really is.
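The “temperature check” described above amounts to categorizing every DNS request a machine makes and looking at the distribution. The following is an added example, not Cisco's code and not Umbrella's categories, log format or API: it parses a few constructed resolver log lines, categorizes each query by its longest matching domain suffix against a small constructed category list, and reports counts per category, which clients resolved domains in a blocked category, and which domains nobody has categorized yet. The log format, category names, client addresses and domains are all assumptions.

```python
"""Categorize DNS queries from a resolver log and summarize the result.

Added example with constructed data; the category feed, log format and all
values are assumptions, not a real product's data.
"""
import re
from collections import Counter, defaultdict

# Constructed category list keyed by domain suffix (stand-in for a
# categorization feed).
CATEGORIES = {
    "microsoft.com": "software-updates",
    "windowsupdate.com": "software-updates",
    "office365.com": "business",
    "example-bank.nl": "finance",
    "known-bad.example": "malware",
}

# Constructed resolver log lines: "<timestamp> <client-ip> <qname> <qtype>".
LOG_LINES = """\
2020-05-04T08:00:01 10.1.1.20 update.microsoft.com A
2020-05-04T08:00:05 10.1.1.20 outlook.office365.com A
2020-05-04T08:01:12 10.1.1.31 portal.example-bank.nl A
2020-05-04T08:02:40 10.1.1.45 c2.known-bad.example A
2020-05-04T08:02:41 10.1.1.45 xk3j9q.wild-unknown.net A
2020-05-04T08:02:42 10.1.1.45 p0z1lm.wild-unknown.net A
2020-05-04T08:03:00 10.1.1.20 dl.windowsupdate.com A
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def categorize(qname, categories=CATEGORIES):
    """Longest matching suffix wins, so a.b.example.com is checked before
    b.example.com and example.com. Unknown domains are 'uncategorized'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in categories:
            return categories[suffix]
    return "uncategorized"


def parse(lines):
    """Parse log lines into records; malformed lines are skipped."""
    records = []
    for line in lines.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        ts, client, qname, qtype = match.groups()
        records.append({"ts": ts, "client": client, "qname": qname,
                        "qtype": qtype, "category": categorize(qname)})
    return records


def temperature_check(lines, blocked=("malware",)):
    """Summarize: queries per category, clients that hit a blocked category,
    and uncategorized domains per client (the ones worth a closer look)."""
    records = parse(lines)
    by_category = Counter(r["category"] for r in records)
    blocked_clients = sorted({r["client"] for r in records
                              if r["category"] in blocked})
    uncategorized = defaultdict(list)
    for r in records:
        if r["category"] == "uncategorized":
            uncategorized[r["client"]].append(r["qname"])
    return {"by_category": dict(by_category),
            "blocked_clients": blocked_clients,
            "uncategorized": dict(uncategorized)}


if __name__ == "__main__":
    for key, value in temperature_check(LOG_LINES).items():
        print(f"{key}: {value}")
```

In the constructed data, one client both resolves a domain in the blocked category and then queries two random-looking uncategorized names; the summary surfaces that client on both lists, which is exactly the kind of signal the text says you cannot see without categorizing requests in the first place.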
The truth is, until you start using more advanced malware protection, you have no idea how much information you’re not seeing. If you’ve ever gotten a virus or ransomware infection, how do you ever know that everything is completely gone? If you don’t have that full network security picture, you really don’t know.
Security might not be top of mind for 90% of your organization. Our users don’t see all the nastiness out there beyond their screen. When they get that ransomware note, however, they’ll know—and by then it’s too late. Taking an active approach to your security with tools that are integrated and automated, such as Cisco Security Platform, is the only way to mount a defense against the threats we all face today.