Archive for Cisco

Cisco Warns of Exploitation of Legacy ASA WebVPN Vulnerability

Posted in Commentary with tags on December 3, 2024 by itnerd

From the “this isn’t good” department comes news from Cisco, which has issued a warning about a vulnerability in the WebVPN login page of its Cisco Adaptive Security Appliance (ASA) Software. This flaw could enable an unauthenticated remote attacker to launch a cross-site scripting (XSS) attack against a WebVPN user on the Cisco ASA.

The issue stems from inadequate input validation for a specific parameter. An attacker could exploit this weakness by persuading a user to click on a malicious link.

Here’s why this isn’t good. Cisco states “There are no workarounds that address this vulnerability.”

It’s actually worse than that. Cisco also states that it has become aware of “additional attempted exploitation” of the vulnerability in the wild.

Lawrence Pingree, Vice President, Dispersive

  “It’s prudent that organizations continuously uplift their Network and VPN infrastructure. Outdated and especially unsupported systems can become a very big problem from a security perspective, adding insult to injury since the technology’s intent is to add security.”

There are a lot of ASA boxes out there, which means that this is a today problem for many organizations. Given what could happen, Cisco ASA users are highly recommended to keep their installations up to date to avoid being pwned.

Cisco & University of Ottawa Equip Engineering Students With Job-Ready IT & Cybersecurity Skills

Posted in Commentary with tags on September 24, 2024 by itnerd

Cisco and the University of Ottawa have announced a partnership to better prepare students for careers in the technology industry.

Funded by Cisco’s Country Digital Acceleration (CDA) program, Cisco will integrate industry-recognized Cisco Certified Network Associate (CCNA) certification into the university’s Computer and Software Engineering curriculum. The CCNA certification validates a broad range of fundamentals for all IT careers — from networking technologies, to security, to software development — proving that the holder has the skills businesses want and candidates need to meet market demands.

Building Canada’s Digital Skills Capacity
ICTC projections indicate a need for 250,000 additional jobs within the technology industry by 2025. Addressing a shortage of skilled talent is a strategic imperative for companies to innovate, sustain growth, and compete globally, and it requires collaboration between the public and private sector to build a robust pipeline of networking, AI and cybersecurity talent.

As part of this partnership, Cisco is also providing equipment to the university’s Cyber Range to support cyber-research initiatives. The Cyber Range is a unique training, learning and research facility where individuals and organizations can practice comprehensive cybersecurity crisis management in a realistic and immersive environment to learn how to anticipate, respond to, manage, contain and remediate cyber-attacks.

Students enrolled in the Computer and Software Engineering programs can expect to take the CCNA certification as part of their third-year courses starting in the Winter 2025 semester.

Digital Skills for All
Cisco is committed to inclusive access to digital skills training and supporting those who use technology to educate. Through programs like Cisco Networking Academy and CDA, Cisco leverages its technology and expertise to create opportunities for individuals to thrive and supports Canada’s digital leadership on the global stage. Since its inception in Canada, Networking Academy has trained over 340,000 Canadians with industry-recognized credentials and courses.

Vulnerabilities In Microsoft Apps Could Allow Hackers To Pwn macOS Users…. And Microsoft Won’t Fix These Vulnerabilities

Posted in Commentary with tags on August 20, 2024 by itnerd

Cisco’s Talos Intelligence group has a very interesting blog post that any macOS user that runs Microsoft apps should read. First the bad news from said blog post:

Cisco Talos recently conducted an analysis of macOS applications and the exploitability of the platform’s permission-based security model, which centers on the Transparency, Consent, and Control (TCC) framework.

We identified eight vulnerabilities in various Microsoft applications for macOS, through which an attacker could bypass the operating system’s permission model by using existing app permissions without prompting the user for any additional verification. If successful, the adversary could gain any privileges already granted to the affected Microsoft applications. For example, the attacker could send emails from the user account without the user noticing, record audio clips, take pictures or record videos without any user interaction. 

All of that is pretty bad. Now here’s what’s worse:

Microsoft considers these issues low risk, and some of their applications, they claim, need to allow loading of unsigned libraries to support plugins and have declined to fix the issues. 

Lovely. I can say with confidence that someone will look at this and say “that’s a great way to get into a Mac and use it for my evil purposes.” Then this will become a major problem. And you have to wonder what Microsoft will do at that point. Though there’s always the possibility that Apple will force Microsoft to do something, as it is their platform after all. I would love to be a fly on the wall when that conversation happens. In the meantime, there are no mitigations for these vulnerabilities at present. So you’ll just have to do your best to be careful out there.

Guest Post: Self-hosted observability is essential for federal agencies to protect on-premises applications and infrastructure

Posted in Commentary with tags on July 25, 2024 by itnerd

By Gregg Ostrowski, CTO Advisor, Cisco Observability

Across the world, government agencies continue to be a highly attractive target for cybercriminals. These malicious entities are aware of the vast amounts of sensitive data stored by federal, state, and local institutions, and recognize the limited resources many of these have to protect legacy applications and infrastructure. 

Whether it’s geopolitical strategy and cyber war through state sponsored attacks (a growing possibility with the number of countries with major elections this year) or one-off ransomware and phishing attacks, government agencies are threatened like never before. In Canada, 11 per cent of all cyberattacks were aimed at the public sector last year, with attackers looking to exploit vulnerabilities to access huge volumes of personal data for fraud, identity theft, and account takeovers. 

Unfortunately, many government IT teams are struggling to handle an increasingly dynamic and sophisticated threat landscape. They simply don’t have the tools and insights needed to detect and address threats in a timely way. Unless addressed, this issue represents a huge challenge for government agencies, and for citizens around the world. The likelihood of serious security breaches will continue to rise, with all the subsequent effects to reputation, trust, and citizen engagement.  

While IT teams across vast industries rely on cloud-native and SaaS-based observability tools to address security threats, public sector agencies face unique challenges. Federal, state, and local government institutions often operate in air-gapped environments with strict data privacy and security rules, limiting their access to these solutions. 

Fortunately, more government institutions are now turning to self-hosted observability solutions. This shift allows them to leverage advanced AI-powered tools to enhance their security posture and proactively manage application availability, performance, and security. 

Self-hosted observability is vital to protect on-premises environments 

Observability offers technologists unified visibility across the IT stack, allowing them to identify vulnerabilities, understand root causes and dependencies, and address issues promptly. Additionally, it provides business context to security findings, helping IT teams assess the potential impact of vulnerabilities in cloud-native technologies and prioritize mitigation efforts based on customer and business outcomes.  

Unfortunately, however, the reality is that most observability solutions only run in cloud or SaaS environments, making them unsuitable for organizations maintaining applications and infrastructure on-premises. On-premises observability has largely been overlooked, with only one or two comprehensive solutions on the market. The result is that many on-premises IT teams are struggling to respond to increasing levels of complexity, overwhelming volumes of data, and an increasingly sophisticated threat landscape.

Fortunately, though, there is now a new breed of observability solutions which are delivering innovative functionality within on-premises environments and helping government IT teams mitigate risk and deliver secure and seamless citizen experiences. 

Across federal, state, and local government, a growing number of agencies are embracing self-hosted application observability solutions to monitor their most critical business systems, end-to-end. 

Self-hosted observability – or customer-managed observability – includes on-premises deployments or cloud-based deployments where the organization maintains control of all the data and associated operations. It enables technologists to proactively manage the performance, availability, and security of mission-critical applications and, in turn, delivers market-differentiating digital experiences to end users. 

With observability, IT teams gain a unified view of their applications, infrastructure, and data, allowing them to monitor, manage, and optimize applications in real-time. It integrates seamlessly into the data centre while adhering to compliance, security, and operational policies.  

Modernizing the on-premises control to leverage AI capabilities 

IT teams managing on-premises environments need an observability solution that modernizes their installation and operates effectively within a Kubernetes environment.  

Upgraded observability controls provide government agencies with the same comprehensive capabilities as cloud-native solutions, including AI-powered anomaly detection, root cause analysis, and automated transaction diagnostics. Self-hosted observability enhances security by identifying application vulnerabilities within context and offering automated business risk scores. This helps IT teams prioritize responses based on potential impact.  

With the threat landscape likely to become even more severe over the coming months and years, government agencies urgently need to ensure their IT teams have access to the latest AI-powered functionality that self-hosted observability can deliver. Only with the right capabilities and insights will IT teams be able to counter rising threats and deliver the seamless and secure experiences that are now so crucial in driving improved citizen outcomes.  

Cisco and Splunk Launch Integrated Full-Stack Observability Experience for the Enterprise

Posted in Commentary with tags on June 5, 2024 by itnerd

Today at Cisco Live, the company unveiled the first of its innovative observability integrations with Splunk, a Cisco Company, as the organizations combine their industry-leading technologies to accelerate full-stack observability (FSO) for the entire enterprise. 

Building on the recent landmark acquisition, Cisco and Splunk are now launching an integrated full-stack observability experience for the enterprise, enabling unparalleled visibility and real-time insights to standardize observability in one solution. The new integrations and innovations are designed to help customers unlock unified visibility across any environment and any stack while harnessing powerful real-time analytics for faster, more accurate detection, investigation and response. 

Key Announcements include: 

  • Splunk Log Observer Connect for Cisco AppDynamics: Combines the power of Splunk Platform with Cisco AppDynamics Application Performance Monitoring (APM) to drive faster, in-context troubleshooting across on-premises and hybrid environments. 
  • Cisco AppDynamics integration with Splunk Enterprise / Splunk Cloud and Splunk ITSI: Reduce alert noise, improve troubleshooting and gain exec-level visibility via integration across Cisco AppDynamics, Splunk Enterprise / Splunk Cloud and Splunk ITSI. 
  • Cisco AppDynamics on Microsoft Azure: Expansion of cloud-hosted observability offerings now brings Cisco AppDynamics APM services to SaaS-hosted Microsoft Azure, fostering the support of multi-cloud strategies across new regions. 
  • Cisco AI Assistant for Cisco AppDynamics: Integrated into the AppDynamics Help Center, the new AI assistant empowers users with meaningful guidance and insights to make informed, intelligent decisions faster and more accurately than ever before. 
  • Advanced AI in Splunk IT Service Intelligence (ITSI): Leverages advanced AI and machine learning capabilities to help teams quickly and easily configure and implement dynamic, adaptive thresholds, manage and optimize configurations, and proactively surface insights into the health of ITSI knowledge objects, such as KPIs, services and entities. 

You can read through the full overview of Cisco Live announcements here.

Cisco Unlocks AI-Powered Intelligence for Self-Hosted Observability

Posted in Commentary with tags on May 8, 2024 by itnerd

Cisco today announced a new virtual appliance for its AppDynamics On-Premises application observability offering, enabling customers to use a self-hosted observability solution built on AI-powered intelligence for anomaly detection and root cause analysis, application security, and SAP monitoring. The latest innovations allow IT operations teams to detect application performance anomalies faster and with greater accuracy, protect against security vulnerabilities and attacks, and maintain the performance of SAP applications and business processes, all while retaining full control of their observability deployment. Cisco also announced AppDynamics Flex, a new licensing model that provides optionality for customers to choose between self-hosted and Software-as-a-Service (SaaS) observability offerings and support them through the transition from self-hosted to SaaS when the time is right for their business.

While there has been a significant increase in demand for SaaS observability solutions in recent years, for many organizations, self-hosted observability solutions remain in high demand. Self-hosted observability – also referred to as customer-managed observability – includes on-premises deployments or cloud-based deployments where the customer retains control of all the data and associated operations. These needs are typically driven by regulations for data residency and sensitive data protection, and in geographies without a local SaaS point-of-presence. For companies in industries including the public sector, finance, manufacturing, healthcare and retail, the option to have cutting-edge, self-hosted application observability solutions ensures that they can continue to provide end-to-end monitoring of their most critical business systems, in turn, enabling them to deliver market-differentiating digital experiences to their customers and users.

The new innovations include:

  • AI-Powered Detection and Remediation with Cognition Engine: Improve the accuracy of anomaly detection by leveraging dynamic baseline performance to understand what normal looks like against historical trend data, in turn reducing the mean time to identify (MTTI) for application performance issues. Performance issues can then be resolved faster with root cause analysis and automated transaction diagnostics – analyzing a continuous stream of transaction snapshots that capture events used in proactive performance troubleshooting. This enables IT operations to home in on the problem area and make use of intelligent suggestive issue identification.
  • Application Security: Cisco Secure Application allows customers to locate and highlight application security vulnerabilities with application context, and then leverage an automated business risk score that combines application intelligence and security intelligence, allowing them to prioritize their response by business impact. The addition of Runtime Application Self-Protection (RASP) enables organizations to defend the business from exploits that target application vulnerabilities.
  • A Resilient SAP Landscape: Customers can ensure service availability and performance with full-stack observability for on-premises SAP and non-SAP environments, surfacing insights to address performance issues before they impact the business. Cisco brings resiliency into the SAP landscape with application performance, augmented by AI-powered intelligence for the Java stack, enabling SAP developers and BASIS admins to ensure service availability, align performance with SAP business outcomes, and discover SAP related security vulnerabilities to mitigate risk.
  • Self-Hosted Offerings in Amazon Web Services (AWS) and Microsoft Azure: In addition to on-premises deployments, customers can manage their own observability deployments in AWS or Microsoft Azure by using the Amazon Machine Instance (AMI) or Virtual Hard Disk (VHD) images of the virtual appliance. This is valuable when a SaaS instance is not available in the country where a sensitive workload needs to be monitored, or when a customer wants to retain full control of the observability solution.

The Transition to SaaS
As digital transformation strategies mature and the nature of observable workloads change, some IT teams will find themselves looking to garner operational efficiency by moving some or all of their observed workloads from the purview of a self-hosted observability solution to a SaaS solution. To help customers on this journey, Cisco is introducing AppDynamics Flex Licensing, designed to simplify the transition to AppDynamics SaaS. Cisco AppDynamics Flex Licensing allows organizations to value-shift their chosen on-premises observability investments to the corresponding SaaS offer as their requirements evolve, while reusing the same agent fleet.

Availability:

  • The virtual appliance for Cisco AppDynamics On-Premises will be generally available in May 2024.
  • The Automated Transaction Diagnostics feature will be available in Q3 CY2024.
  • The AMI and VHD packages for self-hosted cloud-based deployments will be available in Q3 CY2024.
  • Please refer to the pricing guidelines or contact them for more information.


Developers Spending More Time Firefighting Issues Than Delivering Innovation: Cisco

Posted in Commentary with tags on May 7, 2024 by itnerd

Cisco today unveiled findings from a survey that details how software developers are spending more than 57% of their time being dragged into ‘war rooms’ to solve application performance issues, rather than investing their time developing new, cutting-edge software applications as part of their organization’s innovation strategy.  

Software developers play a critical role in building, launching and maintaining the applications and digital services that are essential to the way modern organizations operate today, and the pressure on them has never been higher. Globally, 85% of those surveyed report encountering increased pressure to accelerate release velocity, while 77% point to mounting pressure to deliver seamless and secure digital experiences.  

But while developers are being expected to deliver new tools and functionality at ever faster speeds, they also find themselves on the receiving end of endless demands to help Site Reliability Engineers (SREs) and IT operations teams manage the ongoing availability and performance of applications. The result is teams of developers spending hours in war room meetings and debugging applications, instead of creating code and building new applications.  

 
Lack of Critical Insight into Application Performance 
 

Developers report that the issue is down to their organizations not having the right tools and visibility required to understand the root cause of application issues. They believe this stems from IT departments lacking a full and unified view into applications and the supporting IT stack. Developers are acutely concerned about the potential consequences this could have, with three quarters (75%) of those surveyed fearing that the lack of visibility and insight into IT performance is increasing the chances of their organization suffering downtime and disruption to business-critical applications. 

The situation is significantly affecting morale amongst developers, with 82% admitting that they feel frustrated and demotivated, and 54% increasingly inclined to leave their current job. These findings should ring alarm bells for organizations who are now dependent on developers to create the compelling, intuitive digital experiences that customers and users expect. With demand for developer skills at an all-time high and a finite pool of talent, businesses cannot afford an exodus of talent simply because their IT teams don’t have the tools they need to do their jobs.  

The Potential for Full-Stack Observability 

Encouragingly, developers are acutely aware that there are solutions available to address these concerns, and as many as 91% feel that they should be playing a bigger role in shaping and deciding on the solutions needed within their organization. Above all else, developers point to full-stack observability as being a potential game changer, providing SREs and IT operations teams with unified visibility into applications and supporting infrastructure, across both cloud-native and on premises environments. 

While developers themselves may not be the primary users of full-stack observability solutions – focusing instead on their specific areas of domain expertise – 78% believe that implementing full-stack observability within their organization would be beneficial. Developers recognize the benefits of having unified visibility across the IT estate and acknowledge that full-stack observability would make it much easier and quicker for operations teams to identify issues, understand root causes, and carry out necessary remediation. In turn, this would result in fewer technologists from multiple domain teams being required to attend war room sessions, and free up that talent – including developers – to focus on their day jobs. 

76% of developers went so far as to state that it’s becoming impossible for them to do their job because SREs and IT operations teams don’t have the insights they need to effectively manage IT performance. This explains why 94% point to full-stack observability as the single thing that would most help them to escape war rooms and focus on innovation. 

The Role of AI 

Alongside full-stack observability, many developers (39%) also feel that their organization (and they themselves) would benefit from deploying AI to automate application issue detection and resolution. Rather than relying on manual processes, AI can enable IT teams to cut through overwhelming volumes of application data to identify the most serious issues and apply fixes in real-time.  

In addition, developers are ready to embrace new ways of working within the IT department to drive greater efficiency and productivity, and a more streamlined approach to managing application performance. The majority (57%) believe that there needs to be greater ongoing collaboration between developers and IT teams. This is already being seen in shift left testing and widespread adoption of DevOps and DevSecOps methodologies, so that application availability, performance and security considerations are embedded into the development lifecycle from the outset. 

The research can be found here.

Cisco Warns Of State Sponsored Attacks On Their Networking Gear…. YIKES!

Posted in Commentary with tags on April 27, 2024 by itnerd

From the “OMFG this is HUGE!” department comes this warning from networking gear company Cisco. In short, their gear, along with other vendors’ gear, is being attacked by state sponsored actors:

ArcaneDoor is a campaign that is the latest example of state-sponsored actors targeting perimeter network devices from multiple vendors. Coveted by these actors, perimeter network devices are the perfect intrusion point for espionage-focused campaigns. As a critical path for data into and out of the network, these devices need to be routinely and promptly patched; using up-to-date hardware and software versions and configurations; and be closely monitored from a security perspective. Gaining a foothold on these devices allows an actor to directly pivot into an organization, reroute or modify traffic and monitor network communications. In the past two years, we have seen a dramatic and sustained increase in the targeting of these devices in areas such as telecommunications providers and energy sector organizations — critical infrastructure entities that are likely strategic targets of interest for many foreign governments.  

Cisco’s position as a leading global network infrastructure vendor gives Talos’ Intelligence and Interdiction team immense visibility into the general state of network hygiene. This also gives us uniquely positioned investigative capability into attacks of this nature. Early in 2024, a vigilant customer reached out to both Cisco’s Product Security Incident Response Team (PSIRT) and Cisco Talos to discuss security concerns with their Cisco Adaptive Security Appliances (ASA). PSIRT and Talos came together to launch an investigation to assist the customer. During that investigation, which eventually included several external intelligence partners and spanned several months, we identified a previously unknown actor now tracked as UAT4356 by Talos and STORM-1849 by the Microsoft Threat Intelligence Center. This actor utilized bespoke tooling that demonstrated a clear focus on espionage and an in-depth knowledge of the devices that they targeted, hallmarks of a sophisticated state-sponsored actor. 

UAT4356 deployed two backdoors as components of this campaign, “Line Runner” and “Line Dancer,” which were used collectively to conduct malicious actions on-target, which included configuration modification, reconnaissance, network traffic capture/exfiltration and potentially lateral movement.  

The reason why this is huge is that Cisco is by far the number one vendor of networking gear. Thus it perhaps isn’t shocking that they will be the number one target for threat actors wanting to find vulnerabilities to exploit. Yes, this warning makes mention of “network devices from other vendors”, but what that means is that everyone regardless of whether they use Cisco gear or not should be very, very concerned.

Now this warning has some mitigation steps that Cisco customers and others should read:

Working with victims and intelligence partners, Cisco uncovered a sophisticated attack chain that was used to implant custom malware and execute commands across a small set of customers. While we have been unable to identify the initial attack vector, we have identified two vulnerabilities (CVE-2024-20353 and CVE-2024-20359), which we detail below. Customers are strongly advised to follow the guidance published in the security advisories discussed below.  

Further, network telemetry and information from intelligence partners indicate the actor is interested in — and potentially attacking — Microsoft Exchange servers and network devices from other vendors. Regardless of your network equipment provider, now is the time to ensure that the devices are properly patched, logging to a central, secure location, and are configured to have strong, multi-factor authentication (MFA). Additional recommendations specific to Cisco are available here.  

Thus this is a great time to patch all the things and implement some sort of MFA or passwordless authentication system to protect yourself. Because this is a today problem which requires a today solution to avoid getting pwned by whomever this threat actor is.

Guest Post: Three Key Milestones On The Journey To Observability 

Posted in Commentary with tags on April 26, 2024 by itnerd

By Gregg Ostrowski, CTO Advisor, Cisco Observability 

These days, applications serve as the main gateway for organizations across multiple sectors. The need to deliver seamless and secure digital experiences is crucial, as businesses are aware that even the slightest mistake in application performance can have negative consequences, including a loss of customers, revenue, and reputation. 

Technologists are recognizing the need for innovative approaches and new tools to manage and optimize their applications. Many IT departments are suffering from ‘tool sprawl,’ where IT teams are using separate and siloed monitoring solutions to manage different aspects of their IT estate – including applications, network and infrastructure. 

The problem is this approach doesn’t provide unified visibility across cloud native and on-premises environments and it doesn’t enable teams to quickly identify issues and understand their root causes up and down the application path. And of course, this inability to isolate issues increases the likelihood of costly application downtime and disruption. 

This is why we’re now seeing a major shift from application performance monitoring (APM) to full-stack observability. Cisco research found that for 85 per cent of global technologists, observability is now a strategic priority for their organization.

The benefits of full-stack observability 

With observability, Canadian IT teams can achieve comprehensive and unified visibility into the availability, performance, and security of their applications, extending down to the core network and infrastructure levels. This allows them to monitor and manage performance in real-time, quickly pinpointing issues, mapping dependencies, and applying fixes. Metrics like Mean Time to Resolution (MTTR) improve, optimizing the digital experience, and allowing technologists to allocate less time to troubleshooting, which fosters more innovation. 

It sounds simple but the shift from APM to FSO is more complicated than just flicking a switch and implementing a single new tool overnight. It’s a journey which takes time (often two to three years for large enterprises) and involves significant technical, cultural, and structural change. The starting point for most organizations will be an existing APM approach, built around multiple monitoring tools, but every organization will take a different route to achieving observability, depending on its own specific business needs. 

Advantages of an open platform approach 

Starting out on their journey, organizations need to establish an open and adaptable platform as the foundation for building their capabilities. Consolidating tools may bring on resistance from teams accustomed to specific solutions and hesitant to accept enforced tool restrictions. However, adopting an open platform bypasses this issue by allowing integration and correlation of signals from various tools. For example, an organization might employ separate solutions for network monitoring, application monitoring, and security. All these solutions provide signals which can be aggregated and sent to an alerting system. 

If these signals are all directed to an open, centralized platform for correlation, it enables rapid root cause analysis and provides a single source of truth for issue detection and streamlining operational efficiency.  

Three milestones for organizations on the journey to observability 

While each organization will follow its own unique path to get from APM to full-stack observability, there are some key steps every organization will take (in the most appropriate order), which brings significant benefits to Canadian IT teams: 

1. Expanding visibility across domains 

Often, the first step for organizations is to add infrastructure visibility (such as Kubernetes and hosted environments) and network visibility to their monitoring approach. This means that rather than focusing only on the application itself, IT teams can monitor the different domains required to make the application function, such as network and infrastructure.

2. Building security into the monitoring strategy 

By integrating security monitoring into their observability capabilities, organizations can ensure complete protection for applications, from development through to production, across code, containers, and Kubernetes. 

With continuous runtime application self-protection (RASP), technologists can protect applications from the inside out, wherever they live and however they are deployed. They can see what is happening inside the code to prevent known exploits and simplify vulnerability fixes. Developers can generate targeted insights into their application environments which allow them to respond to threats at scale – whether that’s in containers, on-premises, or in the cloud – and integrate security throughout the entire application lifecycle. 

Crucially, adding security into observability enables much greater collaboration between security and application teams, facilitating the shift to DevSecOps methodologies. 

3. Generating an end user view 

By implementing digital experience monitoring (DEM), organizations can start to look at application performance from the customer perspective, understanding and analyzing the experiences end users have when using an application or digital service. Functionality such as Session Replay enables IT teams to visualize how customers are behaving and engaging. Digital experience monitoring tends to be prioritized within industries that are very consumer-driven, such as retail but also financial services, where delivering an optimized digital experience is crucial.

Canadian IT leaders must develop a holistic strategy for observability 

As organizations urgently look to expand their visibility into cloud native technologies, the shift to full-stack observability is gathering speed. IT leaders are recognizing the benefits and they’re eager to start taking full advantage. 

However, they need to take the time to ensure they have the right strategy and approach from the start, giving just as much consideration to the cultural and process changes required for success as the implementation of the observability platform itself. 

Finally, IT leaders need to understand there is never really an end to the journey to full-stack observability. As new technologies emerge, there will always be a need to add new layers of monitoring and visibility. This is why a platform approach is beneficial, with open standards enabling organizations to plug in new tools and solutions. This way, observability provides the foundation for rapid and sustainable innovation into the future.

Cisco Announces Cisco Hypershield 

Posted in Commentary with tags on April 19, 2024 by itnerd

Yesterday, Cisco announced its new security architecture, Cisco Hypershield, designed to address the increasing demands of AI-scale data centers and cloud environments, ensuring that security measures can be implemented flexibly across various locations and platforms, such as data centers, factory floors, or hospital imaging rooms, whether on premises or in the cloud.

Steven Aiello, field chief information security officer at enterprise IT solutions provider AHEAD had this comment:

“We believe cybersecurity should be integrated into everything we do. Bolted-on security is more expensive and less effective. Cisco Hypershield ensures that cyber protections are included into the fabric of the enterprise. Distributed Exploit Protection will be a massive win for blue teams – legacy synthetic patching was primarily limited to edge devices, allowing lateral movement once an attacker breached the perimeter. It’s a great day for cyber-defenders!”

Cisco’s move to make cybersecurity more agile and more integrated into everything an enterprise does is brilliant. I will be watching closely to see what positive effects come from this move over the long term.