Because Anti-Virus Isn’t Enough: Beat Today’s Threats with Holistic Security Solutions

CISCO

The moment came in 2016, back in the days when ransomware was still new. The email subjects seemed urgent: “You’ve missed a delivery!” or “Please open this important document now.” People opened the emails and nothing happened—not at first. But soon, we started to get calls: Our clients couldn’t access their files, or they couldn’t open an application. At the time, we had around 2,000 clients, and each week, we’d get a call with the same complaint. Our service desk would offer to take a look, and sure enough, when they looked into our clients’ machines they would find a ransomware note alongside encrypted files.


It’s terrifying to find that note. At Missing Piece, my team and I knew that something had to change. 


Located in the heart of the Netherlands, Missing Piece is a Desktop as a Service (DaaS) company that specializes in small- and medium-sized clients in the financial, accountancy, and business industries. We operate on the private cloud—when we started, the public cloud didn’t exist—and we run everything in our own data center. For the clients we serve, the private cloud meets their regulatory needs and gives them peace of mind. 


Monitoring map of all Missing Piece’s customer locations within The Netherlands 


I started with the company 12 years ago, and I’ve watched our client base grow to more than 6,000 end users. We’re still growing, at a rate of 40% year over year. As I watched that growth, I became increasingly interested in security—not just as a box to tick but as a matter of value to our clients. When the company reorganized two years ago, I became team lead, networking and security. Now was the chance to put my security interests front and center.

The World of Modern Ransomware

In the early aughts, cybersecurity was a different ballgame. If anybody copied a file or started an application, security managers would check it against a list of programs known to be malicious. If the application was on that “naughty list,” we wouldn’t execute it. If you had anti-virus software, you felt safe. From a security perspective, those were the good old days.

The NotPetya attack caused billions of dollars in damage, proving that you don’t have to be the target to be a victim of #ransomware.


Today, cyber attacks occur on every level. They act as a hobby for mischievous teenagers, a billion-dollar revenue tool for organized crime, and full-blown warfare by state actors. Attackers generally don’t care who gets caught in the crossfire. You don’t have to be the target to become a victim, and no one is too small to be affected. The infamous NotPetya attack resulted in billions of dollars in damages—vaccines not produced, global shipping ground to a halt, factories at a standstill—and that’s just from the biggest companies. Networks don’t care about national borders, and attacks like NotPetya can quickly escalate to a global scale. The only way to stop a ransomware attack is to tell it to stop. 


When we realized we’d become the victim of a malware attack, we flew into action, even knowing that we were already too late. If a user clicks a link and it doesn’t do what they expect, most people just ignore it and go back to their work. By the time anyone realizes they’ve been infiltrated with malware, it’s had a lot of time to work its way into a system and do a lot of damage. When we got called in, we often found the ransomware had been active for anywhere between six and eight hours. 


From the moment that ransomware was confirmed, everyone had to stop working and log off the network. Then we had to investigate where the problem originated, who launched it, and whether it was still active. Only after we had answered those questions did we get to start the 10 hours’ work to restore files from the backups. So not only did employees have to stop working, but they lost work from before the attack took place, depending on when the last backup occurred.


We went through this process at least a dozen times. Enough was enough. I realized we needed a system that was proactive in searching for and identifying threats. It needed to automatically take action, not wait for a client to call me with a problem. And it needed to be integrated with our other systems. 

An Integrated, Proactive Solution

I have a long history with Cisco. I brought it to Missing Piece when I started there, and our first Cisco security solution was Email Security Appliance (ESA), which we put into place about 10 years ago. It’s a tiny device that went from keeping a couple of users secure through checking a few thousand emails a day to handling well over a million emails a day right now. 


Improving email security had helped a lot, but during the ransomware cleanup, the worst part for us was that we couldn’t be entirely sure we’d caught everything. Once ransomware has been activated on your network, how do you know there isn’t some booby trap or time bomb left behind, waiting for you in the future?

Cleaning up after a #ransomware attack involves a loss of time and productivity. The worst part is, you can rarely be sure you’ve gotten everything.

  

At the time I was focusing on email security, but I didn’t know a lot about Cisco’s other security options. It wasn’t until I attended Cisco Live that I came across their Advanced Malware Protection(AMP) for Endpoints solution and I realized this would give us the protection we needed. What I especially liked was that it not only featured anti-malware protection, but strong recovery tools as well. 


The reality of these threats we’re seeing is that there is no 100% protection anymore, no matter how strict your policy is. Sooner or later something bad is going to happen, so your tools need to focus on more than preventing something nasty from happening. They need to help you recover after something nasty has happened. 


Cisco Advanced Malware Protection dashboard for Missing Piece   


AMP for Endpoints logs everything and creates a time machine from those logs that shows everything that’s happened on your system. It takes the guesswork out of understanding how an infection happened, because you can see, minute by minute, how that file got there, how it got executed, and which user executed it. From there, you can pivot to look at the entire environment to stop the spread. Most importantly, because you know the root cause and can trace how malware moves through the environment, you can know for certain when you’ve eliminated it completely.


When I returned from Cisco Live, I told my Cisco account manager that AMP for Endpoints looked great in presentations, but I wanted to see how it worked with my system. He set me up with what they call a Proof of Value—essentially a 30-60-day test run. We were looking for system-wide coverage and visibility and were very happy with how all our Cisco tools fed back into the dashboard. When I saw how much we could now control, we were sold. 


This marked a shift for Missing Piece. Security strategy was no longer a necessary but annoying cost. Instead, taking a more proactive stance would add additional value to our customers. 

A Pandemic-Proof Solution

The coronavirus pandemic has been a big shock for every organization, especially if the vast majority of your workforce was previously working from the same place five days a week. Now employees are likely scattered elsewhere, which presents a different kind of security concern. 


We don’t have to worry about emails, because the ESA is located in the data center. But with so many employees taking a work laptop home, we haven’t been able to perform regular updates. AMP for Endpoints is the only thing that kept working throughout this huge workforce shift, because devices only need an internet connection for me to push an update. We have all these machines that have missed weeks of program updates, but I know security is the one thing that isn’t lagging behind. AMP for Endpoints is our only solution that is 100% corona-proof. 

  

And as long as a machine is connected to the internet, I still have my security intelligence. It’s all there on my dashboard. Cisco Secure Firewalls are built for the cloud, but they have the consistency and visibility that a lot of cloud solutions lack. 


Cisco SecureX Threat Response dashboard for Missing Piece

A Security Package with Added Value

This year, we added another layer to our security portfolio. SecureX is a built-in platform experience included with any Cisco Security product. We implemented SecureX two months ago and have already gotten a lot of value in terms of simplicity, visibility, and efficiency.


The fact that you can have any number of integrations in the platform was a big draw for me. I never expected anyone to make a platform like SecureX because it’s not product-centric. Normally, if a company makes a product, they make add-ons geared toward that particular product, without incorporating third parties. But Cisco made it possible to see multiple feeds in one place at no additional cost. In addition to keeping up to date on information from Microsoft Security, I can also follow the cybercrime tracker, news from Talos (Cisco’s threat intelligence organization), and many other sources. Instructions for adding new integrations are right there in the dashboard.


SecureX brings everything together in one environment that I’d normally have in six different screens and systems. I can see every threat that’s been discovered over a period of time, whether we’ve executed any actions, or whether we’ve stopped any information from leaving the company. It’s a great feature for me, but also for collaboration with other team members. 


Our company has a compliance and security officer who needs a helicopter view of our environment. I can provide them with access to dashboards, and they can see everything for themselves at any given time. They don’t have to go through me to get that information, which removes a barrier to access and saves us all time.


Another benefit of SecureX is orchestration. Not only can I see all of our different security solutions in one place, but they can interact with each other. With SecureX, I can basically make a playbook of sorts: If X happens, it will automatically trigger a Y response. And automated workflows are key—when your systems are running 24/7, you need to have responses in place 24/7. Simply setting up an alert for suspicious activity still requires someone to log in and decide what action to take, and even then, the issue might need to be escalated to others. 


This process can take a lot of time, and if the alert happens after hours, a response could take a day or more. When we're talking about your network security, faster is always better. And with SecureX automated workflows, actions take place within minutes.


There’s no risk and zero programming required to configure SecureX. You can create your own SecureX dashboard—or even multiple dashboards if you manage multiple organizations or different products. Everyone who uses SecureX can make their own view based on what’s important for them and their job. It is very low effort for a lot of visibility. And I've already seen new integrations becoming available.

  

More freebies include Threat Grid, which is included as part of the Advanced Malware Protection for Endpoints Advantage package, provides a live analysis of any unknown file that is not already on an “allow” or “block” list. This means you’re not just protecting yourself against known malware, but also the unknown. I’m also a fanboy for the collaborative casebook feature in SecureX for case documentation. Anything I want to investigate further—a file, machine, email address, or whatever—I add it to the casebook and my colleagues will see it, wherever they are in the world. It allows us to perform our detective work as a team, without ever having to leave that console. 


In addition to these specific features, we’ve taken advantage of Cisco-provided workshops on advanced malware protection strategies such as threat-hunting, which provides a baseline understanding your network’s normal operation. I sent at least half of our technical staff to that specific workshop, because a 100-page instructional PDF is never going to replicate a hands-on, in-person workshop with someone from Cisco. 

You Don’t Know What You’re Missing Until It’s Too Late

Users are everywhere, data is everywhere, and therefore protection needs to be everywhere too. Attacks are coming from all different angles, so point solutions are no longer enough. Installing McAfee on your laptop will not protect your tablet or your iPhone. You need a solution that not only covers various entry points, but is integrated, active in identifying problems, and automatically isolates that suspicious activity. Without the proper tools, that’s impossible.

Users are everywhere, data is everywhere, and therefore protection against #cyberattacks needs to be everywhere too.


Cisco provides a holistic, robust suite of solutions that give us the kind of coverage that anti-virus options of decades past could only dream of. But I know that for many security managers looking at this, it can be hard to know where to start. For that, I recommend Umbrella, Cisco’s DNS protection. Cisco Umbrella examines and categorizes each request from a machine trying to find something on the internet. It’s an easy way to take a temperature check and find out how healthy your environment really is.


The truth is, until you start using more advanced malware protection, you have no idea how much information you’re not seeing. If you’ve ever gotten a virus or ransomware infection, how do you ever know that everything is completely gone? If you don’t have that full network security picture, you really don’t know. 


Security might not be top of mind for 90% of your organization. Our users don’t see all the nastiness out there beyond their screen. When they get that ransomware note, however, they’ll know—and by then it’s too late. Taking an active approach to your security with tools that are integrated and automated is the only way to mount a defense against the threats we all face today.