New Cisco CCNA Cyber Ops : Are You Ready for Security Analysis ?

Written by Meena. Posted in IT & Networking Blog

In the intensely competitive environment, startups and agile firms are overturning incumbents with digital business models, products, and services. In the 'Digital Era', we are observing the exponential growth in the data over internet. Simultaneously, organizations are facing mounting challenges from cybercrime, cyber-espionage, insider threats, and advanced persistent threats (APT).

As per the Verizon 2015 Data Breach Investigation Report (DBIR), 60 percent of businesses being breached happened within minutes or less and half of these incidents took anywhere from months to even years before being uncovered. We safely can derive inference that breaches tend to happen very quickly and on average take a long time to be detected by the targeted organization. These organizations can be divide into two types: 1) those who have been hacked, and 2) those who don’t yet know that they have been hacked.

Even after the tremendous efforts by the IT security vendors, the below questions still exist:

  1. Aren’t governments and big businesses investing significant amounts of money already into developing countermeasures to cyberattacks?
  2. Why are existing security products unable to stop these threats?

Attackers & Defenders have both become highly sophisticated.
Just like IT security solution providers, attackers also have labs for researching products. Hackers test various exploits against the new product until one succeeds, and then either sell the exploit on underground markets, weaponize it for less-skilled attackers, or use it for some other malicious purpose.

Anxiety Is Growing on Boards and in the C-Suite
Most C-suite leaders are still thinking about 'stopping threats' when they could be thinking about the tangible growth that 'cybersecurity excellence' makes possible. Cybersecurity weakness is a “silent disease” that impedes firms’ ability to innovate at precisely the time they can least afford it—when they are being drawn into the Digital Vortex, where digitization, disruption, and exponential changes are the “new normal.” Many companies suffer from this malady, but few are aware that they have it. Left unattended, cybersecurity weakness can be fatal in the Digital Vortex.

Below-par cybersecurity leaves companies in the worst possible competitive position: not innovating fast enough to compete, yet not safe enough from cyberattack despite delaying digital innovations.

In Search of Cybersecurity Excellence

Firms that turn cybersecurity excellence into true competitive advantage can innovate faster and more fully pursue the sort of digital transformation that allows them to respond nimbly to rapidly changing markets. This agility makes them more effective and drives enhanced financial performance.

Cybersecurity excellence also gives firms the opportunity to differentiate their brands by conveying a strong perception of customer trust and this is one of the many reasons organizations develop a Security Operation Center (SOC). They are establishing SOC teams of security professionals who can secure information systems through effective monitoring, detecting, investigating, analyzing, and responding to security events, thus protecting systems from cybersecurity risks, threats, and vulnerabilities.

  • Cisco's Worldwide Security Operation Centers
  • soc2
  • soc3
  • Cisco Security Operation Centers - Threat Intelligence
  • Cisco Security Operation Centers - On-Premise Solutions

NOTE: Cybersecurity operations jobs are also among the fastest-growing roles in IT, as organizations set up security operations centers (SOCs), and establish teams to monitor and respond to security incidents. Security is a fundamental requirement for all SOC environments. There are many ways to build in security to a network environment, and it should be a continuous process. One popular saying within Cisco Systems that describes this concept is this: Security is a journey, not a destination.

Cisco is introducing a new $ 10 Million Global Cybersecurity Scholarship program and enhancing its security certification portfolio. Cisco will invest $10 million over a two-year period, to establish a scholarship program with the specific goal of increasing the cybersecurity talent pool. Through the program, Cisco will offer training, mentoring, and certification aligned with the Security Operations Center Analyst role.

Additionally, Cisco will be working with a comprehensive variety of organizations to leverage this scholarship as a platform to spur career interest and jump-start their employees’ careers in information security. This includes diversity organizations, veterans’ groups, and early-in-career audiences. By launching this new scholarship program, Cisco is playing a significant leadership role, helping the industry meet the current and future challenges of network security. In fact, Cisco is offering a practical and valuable solution to address the global shortage of highly-trained IT security experts.

A note in 2018:

Cybersecurity ScholarshipsThere are some great scholarship opportunities available for future information security professionals in both the US and the UK.  Sam Cook of Comparitech has written a great piece of article on

How and where to get a scholarship in cybersecurity ?

While not every potential scholarship you might find is listed here, Sam Cook gives some useful advice on how to find scholarships and other free training opportunities.


Observing the demand for a newly-skilled cybersecurity professional, Cisco is introducing a new CCNA, i.e. CCNA Cyber Ops.

New CCNA Cyber Ops

The new CCNA Cyber Ops certification would prepare candidates to begin a career working with associate-level cybersecurity analysts within security operations centers offered by Cisco to its clients. They will learn how to detect and respond to security threats using the latest technology, as such jobs require the knowledge of basic cybersecurity and principles.  

It assesses individuals on the skills needed to assist with monitoring IT security systems, detecting cyber-attacks, gathering and analyzing evidence, correlating information, and coordinating responses to cyber incidents.

Benefits of CCNA Cyber Ops:

  1. Begin a career in the rapidly growing area of cybersecurity operations at the Associate level, working in or with a Security Operations Center (SOC)
  2. Gain the foundational knowledge and skills to prepare for more advanced job roles in Cybersecurity Operations, working with Security Operations team
  3. Gain a basic understanding of how a SOC team detects and responds to security incidents, and how they protect their organization's information from modern threats
  4. Understand further how modern organizations are dealing with detecting and responding to cybercrime, cyberespionage, insider threats, advanced persistent threats, regulatory requirements, and other information security issues facing their organizations and their customers

CCNA Cyber Ops

Likely skill-set for new CCNA Cyber Ops

Since the detailed Exam Syllabus is not available for both exams as of now, we have attempted to make an intelligent guess of likely skills which might be embed in new CCNA Cyber Ops.

Featured Article

Some Features To Watch Out In CCNA: Cyber Ops

Cisco Advanced Malware Prevention (AMP)

Advanced Malware Prevention can be used for network and endpoints. Network AMP is enabled on an appliance running FirePOWER services and continuously evaluates all files seen on all networks being monitored. AMP uses a multisource indication of compromise approach, leveraging both network intelligence and cloud security research, which includes sandboxing files of interest and comparing hashes of files with data from other networks.

AMP for endpoints requires a lightweight connector to be installed on host devices such as laptops and mobile tablets, providing visibility of all applications and process. Like AMP for networks, the goal is to detect malware and retrospectively identify where it came from. AMP for endpoints can also offer auto-remediation of threats seen by AMP for network and by the AMP for endpoint client. The below figure shows AMP for endpoint quarantining multiple malicious files on an Apple laptop of a user.

CCNA Cyber Ops 3

Next-Generation Encryption Protocols

The industry is always looking for new algorithms for encryption, authentication, digital signatures, and key exchange to meet escalating security and performance requirements. The U.S. government selected and recommended a set of cryptographic standards called 'Suite B' because it provides a complete suite of algorithms that are designed to meet future security needs. Suite B has been approved for protecting classified information at both the secret and top secret levels. Cisco participated in the development of some of these standards. The Suite B next-generation encryption (NGE) includes algorithms for authenticated encryption, digital signatures, key establishment, and cryptographic hashing.

CCNA Cyber Ops 4

Host-based Security Analysis

Host-based IPS and IDS technology typically complements antivirus with signature detection, along with adding some additional behavior detection capabilities. Typically, host-based security software packages offer a combination of antivirus, firewall, and IPS features as one application installed to monitor all traffic coming/leaving the system. Some common examples of vendors offering host security software packages are Symantec, Sophos, and McAfee, etc. Other examples are open-source host firewalling such as using IPTables or IPCop, both used in Linux environments. The logs generated by host device can be and should be use for host-based security analysis. With the help of Syslog server can be used, to collect the logs from the different device for monitoring purpose.

Security Monitoring Procedures

Processes and procedures under security monitoring address how commonly occurring events and incident reports should be examined, assessed, and escalated if necessary. This can include some or all of the following:

CCNA Cyber Ops 5

Telemetry Data: Network Flows

Every network connection attempt is transported by one or more physical or virtual network devices, presenting you with an opportunity to gain vital visibility and awareness of traffic and usage patterns.

CCNA Cyber Ops 6
Depending on your platform, a router (or any other flow-collection device) can support sampled/unsampled flow collection, as shown in figure respectively. In the case of sampled flow collection, to update its flow records, the router looks at every n'th packet (for example, 1 in every 128) rather than at every packet that traverses it. This behavior introduces probabilistic security threat detection, meaning some flows might be missed. In unsampled flow collection, every packet undergo the threat detection system and this provide more details which are much more valuable, and best practice is using the most current version if possible.

DoS & DDoS Attacks

DoS attacks attempt to consume all of a critical computer or network resource in order to make it unavailable for valid use. A TCP SYN Flood attack is a classic example of a DoS attack. When a DoS attempt derives from a single host of the network, it constitutes a DoS attack.

CCNA Cyber Ops 7


Malicious hosts can also coordinate to flood a victim with an abundance of attack packets, so that the attack takes place simultaneously from potentially thousands of sources. This type of attack is called a DDoS attack. DDoS attacks typically emanate from networks of compromised systems that are known as botnets.

Common Vulnerability Scoring System (CVSS) v3

The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability, and produce a numerical score reflecting its severity, as well as a textual representation of that score. The numerical score can then be translated Into a qualitative representation (such as low, medium high, and critical) to help organizations properly assess and prioritize their vulnerability management processes.

 CCNA Cyber Ops 8

Endpoint Breach Detection

The security products which are found in the operating systems, are capable to stop the many attacks but these are unable to detect the advanced persistent threats (APT) e.g. modifying boot records or file polymorphism. Features for endpoint breach detection should include tactics to identify day-zeros and auto remediation, track modifications, verify files against external reputation sources, and export threats for further analysis.

Most endpoint breach-detection products include a centralized manager that should be able to export logs to the SOC centralized data-collection tool. The below figure shows the Cisco AMP for endpoint dashboards showing the capture of six Trojans on a Mac laptop running McAfee antivirus and the Cisco AMP agent.

CCNA Cyber Ops 9

Cisco FirePOWER Services

Cisco first introduced application layer firewall capabilities as a software option that could be installed on the second-generation ASA or ASA-X series using the internal virtualized security module space. Cisco’s application layer firewall offering is known as FirePOWER services. The below figure shows various Cisco FirePOWER-capable devices.

CCNA Cyber Ops 10

All modules offer the same features based on three different license options. FirePOWER license options are as follows:

All versions of FirePOWER, regardless of whether run on an ASA or as a dedicated physical or virtual appliance, are managed by a centralized physical or virtual manager known as FirePOWER Management Center (FMC).

CCNA Cyber Ops 11

The FMC can generate an e-mail, SNMP trap (SNMPv1, SNMPv2, or SNMPv3), or syslog.

Incident Response

CCNA Cyber Ops 12

Information Security Incident Response
Detecting and responding to information security incidents is at the core of security operations. The team assigned to security operations is expected to monitor the organization’s assets within scope and react to security events and incidents, including the detection and investigation of what would be considered indicators of compromise (IOC). IOCs are technical and nontechnical security compromise signals that could be detected with technology, processes, and people. For example, detecting a user accessing files from a USB memory device on an enterprise desktop machine can indicate that a policy related to restricting the use of USB memory devices has been violated and that a security control has been circumvented. Another example is detecting the IP address of an Internet botnet command-and-control server inside your network probably indicates that one or more of your systems have been compromised.

CCNA Cyber Ops 13

Here’s how to quickly establish an incident response program:

  1. Identify an incident response leader who has good knowledge of your business and who is an effective and responsible problem solver.
  2. Assemble and empower a team of critical stakeholders, with clearly defined roles and responsibilities.
  3. Draft your incident response process and establish documentation standards. The key is consistency in how you respond to incidents. There’s no need for a complicated plan. Just make sure it works for your organization’s culture.
  4. Connect people and tools with the needed capabilities from around your organization. Chances are, much of what you need is already in place.
  5. Understand the most significant capability gaps relative to your draft incident response process and build a plan to address those gaps. Start with a minimum viable process, and then enhance it over time.

“When you launch a new initiative, cybersecurity is included in your business case and project management process. You’ve got to hit all the buttons. You’ll have milestones for data security. You’ll have compliance people involved. Everyone has to sign off.”

 —Former VP of Human Resources, Fortune 100 Bank





This article is written & published by Ms. Meena, Senior Manager - IT, at Luminis Consulting Services Pvt Ltd, India. She can be reached at Email:  and/or Linkedin: 






Blog Subscription Image





I want to subscribe to following blogs: *

IT & Networking Blog
Process Improvement Blog
Leadership Management Blog
Education Training Blog