Security and Compliance¶
Overview¶
This document outlines the comprehensive security framework and compliance strategy for Webex Contact Center, covering identity management, data protection, network security, compliance requirements, and SIEM integration.
1. Security Architecture¶
1.1 Defense in Depth Strategy¶
┌───────────────────────────────────────────────────────┐
│ LAYER 7: USER AWARENESS & TRAINING │
├───────────────────────────────────────────────────────┤
│ LAYER 6: DATA SECURITY │
│ • Encryption at Rest • Data Classification │
│ • DLP Policies • Tokenization │
├───────────────────────────────────────────────────────┤
│ LAYER 5: APPLICATION SECURITY │
│ • OWASP Top 10 • Code Scanning │
│ • API Security • Input Validation │
├───────────────────────────────────────────────────────┤
│ LAYER 4: HOST SECURITY │
│ • Antivirus/EDR • Patch Management │
│ • Hardening • Privilege Control │
├───────────────────────────────────────────────────────┤
│ LAYER 3: NETWORK SECURITY │
│ • Firewall • IDS/IPS │
│ • Segmentation • VPN │
├───────────────────────────────────────────────────────┤
│ LAYER 2: PERIMETER SECURITY │
│ • Web Application Firewall (WAF) │
│ • DDoS Protection • Border Router ACLs │
├───────────────────────────────────────────────────────┤
│ LAYER 1: PHYSICAL SECURITY │
│ • Data Center Access Control (Cisco Managed) │
│ • Environmental Controls • CCTV Surveillance │
└───────────────────────────────────────────────────────┘
1.2 Zero Trust Architecture¶
Traditional Perimeter:
Corporate Network (Trusted) | Internet (Untrusted)
❌ Obsolete Model
Zero Trust Model:
├─ Never Trust, Always Verify
├─ Least Privilege Access
├─ Assume Breach
├─ Micro-Segmentation
└─ Continuous Monitoring
Implementation:
┌──────────────┐
│ User │
└──────┬───────┘
│
▼
┌──────────────┐ ┌─────────────────┐
│ Identity │───►│ Authentication │
│ Verified │ │ MFA Required │
└──────┬───────┘ └─────────────────┘
│
▼
┌──────────────┐ ┌─────────────────┐
│ Device │───►│ Posture Check │
│ Validated │ │ Compliance Scan │
└──────┬───────┘ └─────────────────┘
│
▼
┌──────────────┐ ┌─────────────────┐
│ Context │───►│ Risk Assessment │
│ Evaluated │ │ Location, Time │
└──────┬───────┘ └─────────────────┘
│
▼
┌──────────────┐
│ Access │
│ Granted │
│ (Limited) │
└──────────────┘
2. Identity and Access Management (IAM)¶
2.1 Authentication Framework¶
Multi-Factor Authentication (MFA):
Authentication Methods (Ranked by Security):
1. FIDO2/WebAuthn (Hardware Token) ⭐ Highest
2. Authenticator App (TOTP)
3. SMS/Text Message ⚠️ Minimum acceptable
4. Email Code ❌ Not recommended
MFA Policy:
├─ All Users: MFA Required
├─ Administrators: FIDO2 or Authenticator App only
├─ Agents: Authenticator App or SMS
├─ API Access: Service accounts with certificate-based auth
└─ Grace Period: 7 days for new users, then mandatory
Single Sign-On (SSO) Integration:
┌──────────────┐
│ User │
│ Opens App │
└──────┬───────┘
│
▼
┌──────────────┐
│ Webex Control│
│ Hub │
└──────┬───────┘
│
│ SAML 2.0 Request
▼
┌──────────────┐
│ Identity │
│ Provider │
│ (Azure AD / │
│ Okta) │
└──────┬───────┘
│
│ SAML Assertion
│ (User Authenticated)
▼
┌──────────────┐
│ Grant │
│ Access │
└──────────────┘
SAML Configuration Example (Azure AD):
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
<SPSSODescriptor>
<AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://idbroker.webex.com/idb/saml2/acs/your-org"
index="0"/>
</SPSSODescriptor>
</EntityDescriptor>
Claim Mappings:
├─ Email → http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
├─ First Name → http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
├─ Last Name → http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
└─ Groups → http://schemas.xmlsoap.org/claims/Group
2.2 Role-Based Access Control (RBAC)¶
Role Hierarchy:
┌─────────────────────────────────────┐
│ Super Admin (Full Platform Access) │
└────────────┬────────────────────────┘
│
┌────────┼────────┐
│ │ │
▼ ▼ ▼
┌──────┐ ┌──────┐ ┌────────┐
│ Admin│ │ Super│ │Premium │
│ │ │visor │ │ Agent │
└───┬──┘ └───┬──┘ └───┬────┘
│ │ │
▼ ▼ ▼
┌──────────────────────┐
│ Standard Agent │
└──────────────────────┘
Permission Matrix:
| Function | Super Admin | Admin | Supervisor | Premium Agent | Agent |
|---|---|---|---|---|---|
| Manage Users | ✅ | ✅ | ❌ | ❌ | ❌ |
| Configure Queues | ✅ | ✅ | ❌ | ❌ | ❌ |
| View All Reports | ✅ | ✅ | ✅ | ❌ | ❌ |
| Monitor Agents | ✅ | ✅ | ✅ | ❌ | ❌ |
| Barge/Whisper | ✅ | ✅ | ✅ | ❌ | ❌ |
| Handle Contacts | ✅ | ✅ | ✅ | ✅ | ✅ |
| View Own Reports | ✅ | ✅ | ✅ | ✅ | ✅ |
| Outbound Dialing | ✅ | ✅ | ✅ | ✅ | ⚠️ Restricted |
Custom Role Example:
{
"roleName": "Quality_Analyst",
"permissions": [
"recordings:read",
"recordings:evaluate",
"agent_performance:read",
"quality_forms:manage",
"reports:quality_view"
],
"restrictions": {
"call_control": false,
"user_management": false,
"system_config": false
}
}
2.3 Session Management¶
Session Security Policies:
| Policy | Configuration |
|---|---|
| Session Timeout | 30 minutes inactivity |
| Max Session Duration | 12 hours |
| Concurrent Sessions | 1 per user (agent), 3 per admin |
| Session Token Rotation | Every 4 hours |
| Force Re-authentication | After role/permission change |
| Logout on Browser Close | Enabled |
3. Data Security¶
3.1 Encryption¶
Encryption at Rest:
Data Type: Call Recordings
├─ Algorithm: AES-256-GCM
├─ Key Management: AWS KMS / Azure Key Vault
├─ Key Rotation: Every 90 days
└─ Access: Encrypted keys separate from data
Data Type: Customer PII
├─ Algorithm: AES-256
├─ Database: Encrypted volumes
├─ Backups: Encrypted before storage
└─ Keys: Hardware Security Module (HSM)
Data Type: Configuration Data
├─ Algorithm: AES-256
├─ Secrets: Never in plaintext
└─ Version Control: Encrypted Git repos
Encryption in Transit:
Protocol Security:
├─ TLS 1.2+ (Minimum)
├─ TLS 1.3 (Preferred)
├─ Strong Cipher Suites:
│ ├─ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
│ ├─ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
│ └─ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
├─ Certificate Pinning: Enabled for mobile apps
└─ HSTS: Enabled (max-age=31536000)
Media Encryption:
├─ Voice: SRTP (AES-128)
├─ Video: SRTP (AES-256)
├─ Screen Share: SRTP + TLS tunnel
└─ Chat/Messaging: TLS 1.3 + E2EE option
3.2 Data Loss Prevention (DLP)¶
PII Detection and Masking:
# Example: Automatic PII masking in logs
def mask_pii(text):
patterns = {
'phone': r'\+?1?\d{10}',
'email': r'[\w\.-]+@[\w\.-]+\.\w+',
'ssn': r'\d{3}-\d{2}-\d{4}',
'credit_card': r'\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}'
}
for pii_type, pattern in patterns.items():
text = re.sub(pattern, f'[{pii_type.upper()}_REDACTED]', text)
return text
# Log entry transformation:
# Original: "Customer called from +1-XX5-0100"
# Masked: "Customer called from [PHONE_REDACTED]"
Data Classification:
| Classification | Examples | Storage | Sharing | Retention |
|---|---|---|---|---|
| Public | Marketing materials | Unencrypted OK | External OK | Indefinite |
| Internal | Agent schedules | Encrypted | Internal only | 1 year |
| Confidential | Customer records | Encrypted + ACL | Need-to-know | 7 years |
| Restricted | Payment data | Encrypted + HSM | PCI-compliant only | Minimized |
3.3 PCI-DSS Compliance¶
Cardholder Data Environment (CDE):
┌───────────────────────────────────────────────────────┐
│ CARDHOLDER DATA ENVIRONMENT (CDE) │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Payment Card Information │ │
│ │ ❌ Never stored in Webex Contact Center │ │
│ └─────────────────────────────────────────────────┘ │
│ │
│ PCI-DSS Controls: │
│ ├─ Recording Pause during payment collection │
│ ├─ DTMF tones suppressed/masked │
│ ├─ Tokenization for any stored references │
│ ├─ Segmented network for payment IVR │
│ └─ Annual PCI audit and certification │
└───────────────────────────────────────────────────────┘
PCI-Compliant Call Flow:
1. Customer calls for payment
↓
2. Agent greets and identifies customer
↓
3. Agent clicks "Pause Recording" button
↓
4. Recording paused (cannot be resumed manually)
↓
5. Transfer to IVR for payment entry
├─ DTMF tones not recorded
├─ Dual-tone scrambling active
└─ Payment gateway tokenizes card
↓
6. IVR returns token to agent
↓
7. Recording automatically resumes
↓
8. Agent completes transaction with token
PCI-DSS SAQ (Self-Assessment Questionnaire):
Applicable SAQ: SAQ D (Service Provider)
Key Requirements:
├─ Requirement 1: Firewall configuration
├─ Requirement 2: No default passwords
├─ Requirement 3: Protect stored cardholder data (N/A - not stored)
├─ Requirement 4: Encrypt transmission (TLS 1.2+)
├─ Requirement 6: Secure systems and applications
├─ Requirement 8: Unique IDs and authentication (MFA)
├─ Requirement 10: Track and monitor all access (Audit logs)
└─ Requirement 12: Information security policy
Annual Compliance:
├─ Internal audit: Q1
├─ External audit: Q2 (QSA certification)
└─ Attestation of Compliance (AOC): Valid for 1 year
4. Network Security¶
4.1 Firewall Configuration¶
Required Ports and Protocols:
| Direction | Protocol | Port | Purpose |
|---|---|---|---|
| Outbound | HTTPS | 443 | Control Hub, APIs |
| Outbound | WSS | 443 | WebSocket (real-time events) |
| Outbound | SIP | 5060-5061 | SIP signaling (TCP/TLS) |
| Bidirectional | RTP/SRTP | 8000-8999 | Voice media streams |
| Outbound | STUN/TURN | 3478, 5349 | NAT traversal |
IP Whitelist (Webex Cloud):
Control Hub/API:
├─ 170.72.0.0/16
├─ 64.68.96.0/19
└─ 66.114.160.0/20
Media (RTP):
├─ Regional data centers (vary by region)
├─ US East: 52.xx.xx.xx/24
├─ US West: 54.xx.xx.xx/24
└─ EU: 18.xx.xx.xx/24
(Full list: https://help.webex.com/article/WBX000028782)
Firewall Rule Example (Cisco ASA):
access-list WEBEX_OUTBOUND extended permit tcp any object-group webex-api-servers eq 443
access-list WEBEX_OUTBOUND extended permit tcp any object-group webex-api-servers eq 5061
access-list WEBEX_OUTBOUND extended permit udp any object-group webex-media-servers range 8000 8999
object-group network webex-api-servers
network-object 170.72.0.0 255.255.0.0
network-object 64.68.96.0 255.255.224.0
network-object 66.114.160.0 255.255.224.0
4.2 Quality of Service (QoS)¶
Traffic Prioritization:
┌───────────────────────────────────────────────────┐
│ Priority 1 (EF) - Expedited Forwarding │
│ • Voice RTP (DSCP 46) │
│ • Guaranteed bandwidth, minimal latency │
├───────────────────────────────────────────────────┤
│ Priority 2 (AF41) - Assured Forwarding │
│ • SIP Signaling (DSCP 24) │
│ • Video conferencing │
├───────────────────────────────────────────────────┤
│ Priority 3 (AF21) │
│ • Agent Desktop (HTTP/HTTPS) │
│ • CRM integrations │
├───────────────────────────────────────────────────┤
│ Priority 4 (Best Effort) │
│ • Email, file transfers │
│ • General web browsing │
└───────────────────────────────────────────────────┘
4.3 DDoS Protection¶
Mitigation Strategy:
Layer 3/4 DDoS (Network/Transport):
├─ Cisco Managed: Cloud-based scrubbing
├─ Rate limiting at edge routers
├─ SYN flood protection
└─ UDP flood mitigation
Layer 7 DDoS (Application):
├─ Web Application Firewall (WAF)
├─ CAPTCHA challenges for suspicious traffic
├─ Geo-blocking for high-risk regions
└─ API rate limiting (per token)
Detection Thresholds:
├─ Baseline: 10,000 requests/minute
├─ Alert: 50,000 requests/minute (5x baseline)
└─ Block: 100,000 requests/minute (10x baseline)
5. Compliance Framework¶
5.1 Regulatory Compliance¶
GDPR (General Data Protection Regulation):
Rights Implementation:
├─ Right to Access: Self-service data export portal
├─ Right to Erasure: 30-day data deletion process
├─ Right to Rectification: CRM data update APIs
├─ Right to Data Portability: Export in standard formats
├─ Right to Object: Opt-out mechanisms
└─ Right to be Informed: Privacy policy + consent forms
Technical Measures:
├─ Data minimization (collect only necessary data)
├─ Purpose limitation (define retention policies)
├─ Privacy by design (default-secure configurations)
└─ Data Protection Impact Assessment (DPIA) annually
CCPA (California Consumer Privacy Act):
Consumer Rights:
├─ Right to Know: Disclose data collected
├─ Right to Delete: 45-day deletion timeline
├─ Right to Opt-Out: "Do Not Sell My Info" link
└─ Right to Non-Discrimination: Equal service regardless
Implementation:
├─ Privacy Notice on website
├─ Toll-free number for requests: 1-800-xxx-xxxx
├─ Email: privacy@company.com
└─ Verification process for requests (2-factor)
HIPAA (Health Insurance Portability and Accountability Act):
PHI Protection (if applicable):
├─ Business Associate Agreement (BAA) with Cisco
├─ Encryption: AES-256 for PHI at rest and in transit
├─ Access Controls: Role-based, audit trails
├─ Breach Notification: Within 60 days of discovery
└─ Annual HIPAA security risk assessment
Technical Safeguards:
├─ Automatic logoff after 15 minutes inactivity
├─ Encrypted storage for all call recordings
├─ Audit logs for all PHI access (who, what, when)
└─ Regular vulnerability scanning
5.2 Industry Standards¶
ISO/IEC 27001 (Information Security Management):
Control Domains:
├─ A.5: Information Security Policies
├─ A.6: Organization of Information Security
├─ A.7: Human Resource Security
├─ A.8: Asset Management
├─ A.9: Access Control
├─ A.10: Cryptography
├─ A.11: Physical and Environmental Security
├─ A.12: Operations Security
├─ A.13: Communications Security
├─ A.14: System Acquisition, Development, Maintenance
├─ A.15: Supplier Relationships
├─ A.16: Incident Management
├─ A.17: Business Continuity
└─ A.18: Compliance
Certification Timeline:
├─ Gap Analysis: Month 1-2
├─ Remediation: Month 3-6
├─ Internal Audit: Month 7
├─ External Audit: Month 8-9
└─ Certification: Month 10
SOC 2 Type II:
Trust Service Criteria:
├─ Security: Protection against unauthorized access
├─ Availability: System available for operation as agreed
├─ Processing Integrity: System processing complete, valid, accurate
├─ Confidentiality: Confidential info protected
└─ Privacy: Personal info collected, used, retained, disclosed per commitments
Audit Scope: Webex Contact Center platform
Audit Period: 12 months
Auditor: Big 4 accounting firm
Report: Available to customers under NDA
6. SIEM Integration¶
6.1 SIEM Architecture¶
Overview:
┌───────────────────────────────────────────────────────┐
│ WEBEX CONTACT CENTER PLATFORM │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Event Sources │ │
│ │ ├─ Authentication logs (success/failure) │ │
│ │ ├─ Access logs (who accessed what) │ │
│ │ ├─ Configuration changes │ │
│ │ ├─ API calls (all requests/responses) │ │
│ │ ├─ System health events │ │
│ │ └─ Security incidents (detected threats) │ │
│ └──────────────────────┬──────────────────────────┘ │
└─────────────────────────┼─────────────────────────────┘
│
│ Syslog (UDP 514 / TCP 514 / TLS 6514)
│ or Webhooks (HTTPS)
│
┌─────────────────────────▼─────────────────────────────┐
│ LOG AGGREGATION LAYER │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Logstash / Fluentd / Splunk HF │ │
│ │ ├─ Parse logs (JSON/Syslog format) │ │
│ │ ├─ Enrich with context │ │
│ │ ├─ Filter noise │ │
│ │ └─ Forward to SIEM │ │
│ └──────────────────────┬──────────────────────────┘ │
└─────────────────────────┼─────────────────────────────┘
│
▼
┌───────────────────────────────────────────────────────┐
│ SIEM PLATFORM │
│ Splunk / QRadar / ArcSight / Sentinel │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Security Analytics Engine │ │
│ │ ├─ Correlation rules │ │
│ │ ├─ Anomaly detection (ML/AI) │ │
│ │ ├─ Threat intelligence integration │ │
│ │ └─ Real-time alerting │ │
│ └─────────────────────────────────────────────────┘ │
│ ┌─────────────────────────────────────────────────┐ │
│ │ Security Operations Center (SOC) │ │
│ │ ├─ Dashboards │ │
│ │ ├─ Incident response │ │
│ │ └─ Forensic investigation │ │
│ └─────────────────────────────────────────────────┘ │
└───────────────────────────────────────────────────────┘
6.2 Supported SIEM Platforms¶
Splunk Integration:
Data Input Configuration:
├─ Input Type: HTTP Event Collector (HEC)
├─ Endpoint: https://splunk-server:8088/services/collector
├─ Token: [Generated in Splunk HEC settings]
├─ Source Type: webex:contactcenter
├─ Index: security
Webex Configuration:
├─ Control Hub → Settings → Security
├─ SIEM Integration → Add Splunk
├─ Enter HEC token and endpoint
├─ Select event types to forward:
│ ├─ ✅ Authentication events
│ ├─ ✅ Access control events
│ ├─ ✅ Configuration changes
│ ├─ ✅ API activity
│ └─ ✅ Security alerts
└─ Test connection → Save
Sample Splunk Query (SPL):
index=security sourcetype="webex:contactcenter"
| stats count by event_type, severity
| where severity="high" OR severity="critical"
| timechart span=1h count by event_type
QRadar Integration:
Log Source Configuration:
├─ Log Source Type: Cisco Webex Contact Center
├─ Protocol: Syslog (TLS preferred)
├─ Identifier: webex-cc-prod
├─ Log Source Group: Cloud Applications
└─ Parsing: Custom DSM (Device Support Module)
Custom QRadar Rule Example:
WHEN event_category = "authentication_failure"
AND count >= 5
WITHIN 5 minutes
FROM same source_ip
THEN
CREATE offense "Brute Force Attack Detected"
SEVERITY: High
ASSIGN TO: SOC_Team
Azure Sentinel Integration:
Data Connector:
├─ Connector Type: Webex Contact Center (Custom)
├─ Method: Azure Logic App + Webex API
├─ Frequency: Every 5 minutes
└─ Storage: Log Analytics Workspace
Logic App Workflow:
1. Trigger: Recurrence (every 5 minutes)
2. Action: HTTP Request to Webex Audit API
3. Parse JSON: Extract log events
4. For Each: Loop through events
5. Send Data: Post to Log Analytics
6.3 Event Types and Severity Levels¶
Event Taxonomy:
| Event Type | Examples | Severity | SIEM Alert |
|---|---|---|---|
| Authentication | Login success/failure, MFA bypass attempts | Info/High | Failed: Yes |
| Authorization | Permission denied, role escalation | Medium/High | Yes |
| Configuration | Queue changes, user provisioning | Info/Medium | Major changes only |
| Data Access | Recording access, report export | Info | Large exports: Yes |
| API Activity | API calls, rate limit exceeded | Info/Medium | Anomalies: Yes |
| Security Incident | Intrusion attempt, malware detected | High/Critical | Always |
| System Health | Service degradation, failover | Medium | Outages: Yes |
| Compliance | Policy violation, data breach | High/Critical | Always |
Severity Definitions:
Critical (Severity 1):
├─ Active security breach
├─ Data exfiltration detected
├─ System compromise
└─ Response: Immediate (< 15 minutes)
High (Severity 2):
├─ Suspicious authentication patterns
├─ Privilege escalation attempt
├─ Unusual data access
└─ Response: Urgent (< 1 hour)
Medium (Severity 3):
├─ Failed login attempts (< threshold)
├─ Minor policy violations
├─ Configuration drift
└─ Response: Standard (< 4 hours)
Low (Severity 4):
├─ Informational events
├─ Routine activities
└─ Response: As needed
6.4 Log Format and Structure¶
JSON Format (Standard):
{
"timestamp": "2024-10-31T14:32:15.123Z",
"event_id": "evt-abc123-xyz789",
"event_type": "authentication",
"event_action": "login_failure",
"severity": "high",
"source": {
"ip": "192.168.1.100",
"user_agent": "Mozilla/5.0...",
"geolocation": {
"city": "San Jose",
"country": "US",
"latitude": 37.3382,
"longitude": -121.8863
}
},
"user": {
"id": "user-123",
"email": "john.doe@company.com",
"role": "agent"
},
"details": {
"reason": "invalid_credentials",
"attempt_count": 3,
"account_locked": false
},
"organization": {
"id": "org-xyz789",
"name": "Acme Corporation"
}
}
Syslog Format (CEF - Common Event Format):
<134>1 2024-10-31T14:32:15.123Z webex-cc-prod WebexCC - authentication_failure -
CEF:0|Cisco|Webex Contact Center|1.0|AUTH-001|Login Failure|8|
src=192.168.1.100
suser=john.doe@company.com
outcome=failure
reason=invalid_credentials
cnt=3
6.5 Use Cases and Detection Rules¶
Use Case 1: Brute Force Attack Detection
Rule Logic:
IF authentication_failure events >= 5
FROM same source_ip
WITHIN 10 minutes
FOR any user_id
THEN
ALERT: "Possible brute force attack"
SEVERITY: High
ACTION: Block source_ip temporarily (30 minutes)
NOTIFY: Security team via email/SMS
Splunk Query:
index=security sourcetype="webex:contactcenter" event_type="authentication" event_action="login_failure"
| stats count by source.ip
| where count >= 5
Use Case 2: Insider Threat - Unusual Data Access
Rule Logic:
IF user accesses > 50 call recordings in 1 hour
AND user.role != "quality_analyst"
AND access_time OUTSIDE business_hours (8 AM - 6 PM)
THEN
ALERT: "Unusual data access pattern"
SEVERITY: High
ACTION: Require re-authentication
NOTIFY: User's manager + Security team
QRadar AQL Query:
SELECT username, QIDNAME(qid) as "Event", COUNT(*) as "Count"
FROM events
WHERE category = 'data_access'
AND LOGSOURCETYPENAME(logsourceid) = 'Webex Contact Center'
AND "Call Recording Access"
GROUP BY username
HAVING COUNT(*) > 50
LAST 1 HOURS
Use Case 3: Privilege Escalation Attempt
Rule Logic:
IF configuration_change event
AND target_resource = "admin_role"
AND actor.role != "super_admin"
THEN
ALERT: "Unauthorized privilege escalation attempt"
SEVERITY: Critical
ACTION: Revert change immediately
NOTIFY: CISO + Security Operations
Azure Sentinel KQL Query:
WebexContactCenter_CL
| where EventType_s == "configuration_change"
| where TargetResource_s == "admin_role"
| where ActorRole_s != "super_admin"
| project TimeGenerated, Actor_s, TargetResource_s, ChangeDetails_s
Use Case 4: Anomalous API Usage
Rule Logic:
IF API calls from user_account > 1000 per minute
OR API error_rate > 20%
OR API calls from new geolocation
THEN
ALERT: "Anomalous API usage detected"
SEVERITY: Medium
ACTION: Rate limit account
NOTIFY: Account owner + API team
Detection Method: Machine Learning baseline
├─ Establish normal API usage pattern (30 days)
├─ Calculate: avg_calls_per_hour, typical_geolocations
├─ Alert when deviation > 3 standard deviations
└─ Auto-adjust baseline weekly
Use Case 5: Data Exfiltration
Rule Logic:
IF bulk_export event
AND export_size > 10,000 records
AND user accessed from:
├─ Non-corporate IP address
├─ New device
└─ Suspicious geolocation
THEN
ALERT: "Potential data exfiltration"
SEVERITY: Critical
ACTION: Block export immediately
NOTIFY: CISO + Legal + HR
Investigation Checklist:
☐ Verify user identity (call user directly)
☐ Review recent access patterns
☐ Check for compromised credentials
☐ Analyze exported data sensitivity
☐ Engage incident response team
6.6 SIEM Dashboard Examples¶
Security Operations Dashboard:
┌─────────────────────────────────────────────────────┐
│ WEBEX CONTACT CENTER - SECURITY SOC │
├─────────────────────────────────────────────────────┤
│ Events Last 24 Hours │
│ ┌──────────────┬───────────┬────────────────────┐ │
│ │ Total Events │ 45,823 │ ▲ 12% from prev │ │
│ ├──────────────┼───────────┼────────────────────┤ │
│ │ Critical │ 7 │ ⚠️ Needs attention │ │
│ │ High │ 34 │ 🟡 Under review │ │
│ │ Medium │ 156 │ ✅ Normal │ │
│ │ Low │ 45,626 │ ✅ Normal │ │
│ └──────────────┴───────────┴────────────────────┘ │
│ │
│ Top Security Events │
│ 1. Failed login attempts: 234 (Top IP: 1.2.3.4) │
│ 2. Unusual data access: 7 users │
│ 3. API rate limit exceeded: 12 accounts │
│ 4. Configuration changes: 45 (Admin actions) │
│ 5. Geo-anomaly logins: 3 users from new countries │
│ │
│ Active Incidents │
│ 🔴 INC-001: Brute force attack (1.2.3.4) │
│ Status: Investigating | Owner: SOC-Analyst-3 │
│ 🟡 INC-002: Unusual recording access (user-789) │
│ Status: Awaiting user contact | Owner: SOC-2 │
└─────────────────────────────────────────────────────┘
Compliance Audit Dashboard:
┌─────────────────────────────────────────────────────┐
│ COMPLIANCE & AUDIT TRAIL DASHBOARD │
├─────────────────────────────────────────────────────┤
│ Access Control Review │
│ ├─ Total Users: 523 │
│ ├─ Privileged Accounts: 12 (2.3%) │
│ ├─ Inactive Users (90+ days): 8 ⚠️ │
│ └─ MFA Adoption: 100% ✅ │
│ │
│ Configuration Changes (Last 7 Days) │
│ ┌─────────────────────┬───────┬─────────────────┐ │
│ │ Change Type │ Count │ Approved │ │
│ ├─────────────────────┼───────┼─────────────────┤ │
│ │ User provisioning │ 15 │ 15/15 ✅ │ │
│ │ Queue modifications │ 8 │ 7/8 ⚠️ │ │
│ │ Role changes │ 3 │ 3/3 ✅ │ │
│ │ Integration updates │ 2 │ 2/2 ✅ │ │
│ └─────────────────────┴───────┴─────────────────┘ │
│ │
│ Data Access Audit │
│ ├─ Call Recordings Accessed: 1,245 │
│ ├─ Reports Exported: 67 │
│ ├─ Customer Records Viewed: 4,567 │
│ └─ Compliance Violations: 0 ✅ │
└─────────────────────────────────────────────────────┘
6.7 Incident Response Integration¶
SOAR (Security Orchestration, Automation, Response) Integration:
┌──────────────────┐
│ SIEM Alert │
│ (High Severity) │
└────────┬─────────┘
│
▼
┌──────────────────┐
│ SOAR Platform │
│ (Palo Alto XSOAR,│
│ Splunk Phantom) │
└────────┬─────────┘
│
┌────┴────┐
│ │
▼ ▼
┌────────┐ ┌─────────┐
│Enrich │ │ Execute │
│Context │ │Playbook │
└────────┘ └────┬────┘
│
┌─────────┼─────────┐
│ │ │
▼ ▼ ▼
┌────────┐ ┌────────┐ ┌──────────┐
│ Block │ │ Notify │ │ Create │
│ IP │ │ SOC │ │ Ticket │
└────────┘ └────────┘ └──────────┘
Automated Response Playbook Example:
playbook: brute_force_response
trigger: SIEM alert "Brute Force Attack Detected"
steps:
1. enrich_alert:
- query_threat_intel_for_source_ip
- check_ip_reputation_score
- get_historical_activity
2. contain_threat:
- IF threat_score > 8 THEN
- block_source_ip_at_firewall
- add_ip_to_deny_list (duration: 24h)
- ELSE
- add_ip_to_watch_list
3. investigate:
- collect_logs_from_last_hour
- identify_affected_user_accounts
- check_for_successful_logins
4. notify:
- send_alert_to_soc_team (Slack + Email)
- create_incident_ticket (ServiceNow)
- IF user_account_compromised THEN
- notify_user_manager
- require_password_reset
5. document:
- log_all_actions_taken
- update_incident_ticket
- generate_forensic_report
6.8 Threat Intelligence Integration¶
Threat Feed Integration:
Threat Intelligence Sources:
├─ Commercial Feeds:
│ ├─ Cisco Talos
│ ├─ Recorded Future
│ └─ CrowdStrike Falcon Intelligence
│
├─ Open Source Feeds:
│ ├─ AlienVault OTX
│ ├─ Abuse.ch
│ └─ MISP (Malware Information Sharing Platform)
│
└─ Government Sources:
├─ US-CERT
├─ CISA Alerts
└─ FBI IC3
Integration Method:
1. Daily feed ingestion (STIX/TAXII format)
2. Enrich SIEM events with threat context
3. Auto-correlate IOCs (IP, domain, hash)
4. Alert on known malicious indicators
IOC Matching Example:
Event: Login from IP 1.2.3.4
↓
Query Threat Intelligence:
├─ IP Reputation: Malicious (Score: 9/10)
├─ Known for: Credential stuffing attacks
├─ First seen: 2024-10-20
└─ Associated campaigns: APT-XYZ
↓
Auto-Response:
├─ Block IP immediately
├─ Notify SOC: "Login from known malicious IP"
├─ Severity: Critical
└─ Recommended action: Force logout, password reset
7. Audit and Logging¶
7.1 Comprehensive Audit Trail¶
Audit Log Categories:
User Actions:
├─ Login/Logout events
├─ State changes (Available, Away, Wrap-up)
├─ Call handling actions
├─ Configuration changes made
└─ Report access and exports
Administrative Actions:
├─ User provisioning/deprovisioning
├─ Role assignments
├─ Queue/skill modifications
├─ Integration configuration
└─ System settings changes
System Events:
├─ Service health changes
├─ Failover events
├─ API rate limiting triggered
└─ Security policy violations
Data Access:
├─ Call recording access
├─ Customer data views
├─ Bulk data exports
└─ API data retrieval
Audit Log Retention:
| Log Type | Retention Period | Storage Location | Access Control |
|---|---|---|---|
| Authentication logs | 1 year | Hot storage | Security team only |
| Configuration changes | 7 years | Warm/cold storage | Admins + Auditors |
| Call detail records | 7 years | Cold storage | Authorized users |
| Data access logs | 3 years | Warm storage | Security + Compliance |
| API logs | 90 days | Hot storage | Admins + Developers |
7.2 Audit Log Query Examples¶
View all admin actions in last 24 hours:
GET /v1/audit-logs
?event_type=administrative
&start_time=2024-10-30T00:00:00Z
&end_time=2024-10-31T00:00:00Z
&severity=medium,high,critical
Response:
[
{
"timestamp": "2024-10-30T14:23:11Z",
"event_type": "user_provisioning",
"actor": "admin@company.com",
"action": "create_user",
"target": "newagent@company.com",
"details": {
"role": "agent",
"skills": ["sales", "english"],
"team": "Sales Team A"
}
},
...
]
Track specific user's activities:
GET /v1/audit-logs
?user_id=user-123
&start_time=2024-10-01T00:00:00Z
&end_time=2024-10-31T23:59:59Z
Timeline View:
2024-10-30 09:00:15 - Login (IP: 192.168.1.50)
2024-10-30 09:05:32 - Status change: Available
2024-10-30 09:07:45 - Call handled (CallID: abc-123)
2024-10-30 09:15:12 - Accessed call recording (RecID: rec-456)
2024-10-30 17:30:00 - Status change: Offline
2024-10-30 17:30:05 - Logout
8. Vulnerability Management¶
8.1 Security Patching¶
Patching Responsibility Matrix:
| Component | Managed By | Patching SLA |
|---|---|---|
| Webex CC Platform | Cisco | Automatic, quarterly |
| Agent Desktop (Browser) | End user | User responsibility |
| Operating System (Agent PCs) | Customer IT | Customer-defined |
| Network Equipment | Customer | Customer-defined |
| Integration Middleware | Customer/Vendor | Vendor-dependent |
Cisco Platform Updates:
Update Schedule:
├─ Major releases: Quarterly (Q1, Q2, Q3, Q4)
├─ Minor updates: Monthly (as needed)
├─ Security patches: Emergency (within 48 hours of critical CVE)
└─ Feature releases: Continuous delivery
Customer Notification:
├─ Maintenance window: 30 days advance notice
├─ Emergency patches: 24 hours notice
├─ Downtime: Typically < 1 hour during maintenance
└─ Communication: Email + Control Hub notifications
8.2 Vulnerability Scanning¶
Continuous Security Monitoring:
Internal Scanning (by Cisco):
├─ Weekly vulnerability scans
├─ Penetration testing: Quarterly
├─ Code security review: Every release
└─ Third-party security audits: Annually
Customer Scanning:
├─ Scan agent endpoints: Weekly (recommended)
├─ Network security scans: Monthly
├─ Application security testing: Per change
└─ Compliance scans: Quarterly
9. Business Continuity and Disaster Recovery¶
9.1 Backup and Recovery¶
Backup Strategy:
Configuration Backups:
├─ Frequency: Daily (automated)
├─ Retention: 30 days
├─ Scope: User config, queues, routing, integrations
└─ Recovery Time: < 1 hour
Call Recording Backups:
├─ Frequency: Real-time replication
├─ Retention: Per compliance policy (7 years)
├─ Scope: All recorded calls
└─ Recovery Time: < 4 hours
Reporting Data:
├─ Frequency: Daily
├─ Retention: 13 months
├─ Scope: Historical reports, analytics
└─ Recovery Time: < 8 hours
9.2 Disaster Recovery Plan¶
RTO and RPO Targets:
| System Component | RTO (Recovery Time) | RPO (Data Loss) |
|---|---|---|
| Contact Center Core | 4 hours | < 15 minutes |
| Agent Desktop | 1 hour | 0 (cloud-based) |
| Call Recordings | 8 hours | < 1 hour |
| Integrations | 4 hours | < 30 minutes |
| Reporting | 24 hours | < 24 hours |
DR Failover Procedure:
Automated Failover (Regional Outage):
1. Health check failure detected
├─ Primary region: US-East down
└─ Detection time: < 1 minute
2. Traffic redirected to secondary region
├─ DNS updated automatically
├─ Calls routed to US-West
└─ Agents automatically reconnect
└─ Failover time: < 5 minutes
3. Validation
├─ Test inbound calls
├─ Verify agent connectivity
└─ Check CRM integrations
4. Customer notification
├─ Status page updated
└─ Email to admins
5. Post-incident review (after failback)
10. Security Awareness and Training¶
10.1 Security Training Program¶
Required Training:
| Role | Training Modules | Frequency | Duration |
|---|---|---|---|
| All Users | Security Awareness 101 | Annual | 30 min |
| Agents | PCI-DSS Compliance | Annual | 1 hour |
| Supervisors | Data Privacy (GDPR/CCPA) | Annual | 1.5 hours |
| Admins | Platform Security Best Practices | Quarterly | 2 hours |
| Developers | Secure Coding & API Security | Semi-annual | 4 hours |
Training Topics:
Security Awareness 101:
├─ Password best practices
├─ Phishing identification
├─ Social engineering tactics
├─ Secure remote work
└─ Incident reporting
PCI-DSS for Contact Centers:
├─ Never ask for full credit card numbers
├─ Recording pause procedures
├─ Secure payment handling
└─ Compliance violations and consequences
Data Privacy Training:
├─ Understanding PII
├─ Customer data rights (GDPR/CCPA)
├─ Data minimization principles
└─ Breach notification procedures
10.2 Phishing Simulation¶
Simulated Phishing Campaign:
Program:
├─ Frequency: Monthly
├─ Target: All users (randomized)
├─ Scenarios:
│ ├─ Fake IT support request
│ ├─ Credential harvesting
│ ├─ Malicious attachment
│ └─ Urgent CEO request
Results Tracking:
├─ Click rate: Target < 5%
├─ Credential entry rate: Target < 1%
├─ Report rate: Target > 70%
└─ Remedial training for failures
Validation Checklist¶
Before go-live:
- All security controls implemented and tested
- IAM policies configured (SSO, MFA, RBAC)
- Encryption enabled (at rest and in transit)
- Firewall rules validated and documented
- SIEM integration configured and alerting
- Compliance requirements mapped and validated
- Audit logging enabled for all critical events
- Incident response procedures documented
- Security training completed for all users
- Vulnerability scanning completed with no critical findings
- DR/BC procedures tested and validated
- Security review and penetration testing completed
- Compliance certifications obtained (SOC 2, ISO 27001)
- Security runbook and escalation procedures documented
Appendix: Security Contacts¶
Escalation Matrix:
| Severity | Contact | Response Time |
|---|---|---|
| Critical | CISO + SOC Lead | 15 minutes |
| High | Security Manager | 1 hour |
| Medium | Security Team | 4 hours |
| Low | Help Desk | Next business day |
24/7 Security Operations: - SOC Hotline: +1-800-xxx-xxxx - Email: security-ops@company.com - Slack: #security-incidents
Cisco Webex Security: - TAC Security Line: 1-800-553-2447 - Email: security@cisco.com - Security Advisories: https://tools.cisco.com/security/center/publicationListing.x