Skip to content

Security and Compliance

Overview

This document outlines the comprehensive security framework and compliance strategy for Webex Contact Center, covering identity management, data protection, network security, compliance requirements, and SIEM integration.


1. Security Architecture

1.1 Defense in Depth Strategy

┌───────────────────────────────────────────────────────┐
│           LAYER 7: USER AWARENESS & TRAINING          │
├───────────────────────────────────────────────────────┤
│           LAYER 6: DATA SECURITY                      │
│  • Encryption at Rest  • Data Classification          │
│  • DLP Policies        • Tokenization                 │
├───────────────────────────────────────────────────────┤
│           LAYER 5: APPLICATION SECURITY               │
│  • OWASP Top 10        • Code Scanning                │
│  • API Security        • Input Validation             │
├───────────────────────────────────────────────────────┤
│           LAYER 4: HOST SECURITY                      │
│  • Antivirus/EDR       • Patch Management             │
│  • Hardening           • Privilege Control            │
├───────────────────────────────────────────────────────┤
│           LAYER 3: NETWORK SECURITY                   │
│  • Firewall           • IDS/IPS                       │
│  • Segmentation       • VPN                           │
├───────────────────────────────────────────────────────┤
│           LAYER 2: PERIMETER SECURITY                 │
│  • Web Application Firewall (WAF)                     │
│  • DDoS Protection    • Border Router ACLs            │
├───────────────────────────────────────────────────────┤
│           LAYER 1: PHYSICAL SECURITY                  │
│  • Data Center Access Control (Cisco Managed)         │
│  • Environmental Controls  • CCTV Surveillance        │
└───────────────────────────────────────────────────────┘

1.2 Zero Trust Architecture

Traditional Perimeter:
Corporate Network (Trusted) | Internet (Untrusted)
           ❌ Obsolete Model

Zero Trust Model:
├─ Never Trust, Always Verify
├─ Least Privilege Access
├─ Assume Breach
├─ Micro-Segmentation
└─ Continuous Monitoring

Implementation:
┌──────────────┐
│    User      │
└──────┬───────┘
┌──────────────┐    ┌─────────────────┐
│ Identity     │───►│ Authentication  │
│  Verified    │    │ MFA Required    │
└──────┬───────┘    └─────────────────┘
┌──────────────┐    ┌─────────────────┐
│ Device       │───►│ Posture Check   │
│  Validated   │    │ Compliance Scan │
└──────┬───────┘    └─────────────────┘
┌──────────────┐    ┌─────────────────┐
│ Context      │───►│ Risk Assessment │
│  Evaluated   │    │ Location, Time  │
└──────┬───────┘    └─────────────────┘
┌──────────────┐
│ Access       │
│  Granted     │
│ (Limited)    │
└──────────────┘

2. Identity and Access Management (IAM)

2.1 Authentication Framework

Multi-Factor Authentication (MFA):

Authentication Methods (Ranked by Security):
1. FIDO2/WebAuthn (Hardware Token) ⭐ Highest
2. Authenticator App (TOTP)
3. SMS/Text Message ⚠️ Minimum acceptable
4. Email Code ❌ Not recommended

MFA Policy:
├─ All Users: MFA Required
├─ Administrators: FIDO2 or Authenticator App only
├─ Agents: Authenticator App or SMS
├─ API Access: Service accounts with certificate-based auth
└─ Grace Period: 7 days for new users, then mandatory

Single Sign-On (SSO) Integration:

┌──────────────┐
│    User      │
│  Opens App   │
└──────┬───────┘
┌──────────────┐
│ Webex Control│
│     Hub      │
└──────┬───────┘
       │ SAML 2.0 Request
┌──────────────┐
│  Identity    │
│  Provider    │
│  (Azure AD / │
│   Okta)      │
└──────┬───────┘
       │ SAML Assertion
       │ (User Authenticated)
┌──────────────┐
│   Grant      │
│   Access     │
└──────────────┘

SAML Configuration Example (Azure AD):

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor>
    <AssertionConsumerService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://idbroker.webex.com/idb/saml2/acs/your-org"
      index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>

Claim Mappings:
├─ Email  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
├─ First Name  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
├─ Last Name  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
└─ Groups  http://schemas.xmlsoap.org/claims/Group

2.2 Role-Based Access Control (RBAC)

Role Hierarchy:

┌─────────────────────────────────────┐
│  Super Admin (Full Platform Access) │
└────────────┬────────────────────────┘
    ┌────────┼────────┐
    │        │        │
    ▼        ▼        ▼
┌──────┐ ┌──────┐ ┌────────┐
│ Admin│ │ Super│ │Premium │
│      │ │visor │ │ Agent  │
└───┬──┘ └───┬──┘ └───┬────┘
    │        │        │
    ▼        ▼        ▼
┌──────────────────────┐
│   Standard Agent     │
└──────────────────────┘

Permission Matrix:

Function Super Admin Admin Supervisor Premium Agent Agent
Manage Users
Configure Queues
View All Reports
Monitor Agents
Barge/Whisper
Handle Contacts
View Own Reports
Outbound Dialing ⚠️ Restricted

Custom Role Example:

{
  "roleName": "Quality_Analyst",
  "permissions": [
    "recordings:read",
    "recordings:evaluate",
    "agent_performance:read",
    "quality_forms:manage",
    "reports:quality_view"
  ],
  "restrictions": {
    "call_control": false,
    "user_management": false,
    "system_config": false
  }
}

2.3 Session Management

Session Security Policies:

Policy Configuration
Session Timeout 30 minutes inactivity
Max Session Duration 12 hours
Concurrent Sessions 1 per user (agent), 3 per admin
Session Token Rotation Every 4 hours
Force Re-authentication After role/permission change
Logout on Browser Close Enabled

3. Data Security

3.1 Encryption

Encryption at Rest:

Data Type: Call Recordings
├─ Algorithm: AES-256-GCM
├─ Key Management: AWS KMS / Azure Key Vault
├─ Key Rotation: Every 90 days
└─ Access: Encrypted keys separate from data

Data Type: Customer PII
├─ Algorithm: AES-256
├─ Database: Encrypted volumes
├─ Backups: Encrypted before storage
└─ Keys: Hardware Security Module (HSM)

Data Type: Configuration Data
├─ Algorithm: AES-256
├─ Secrets: Never in plaintext
└─ Version Control: Encrypted Git repos

Encryption in Transit:

Protocol Security:
├─ TLS 1.2+ (Minimum)
├─ TLS 1.3 (Preferred)
├─ Strong Cipher Suites:
│   ├─ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
│   ├─ TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
│   └─ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
├─ Certificate Pinning: Enabled for mobile apps
└─ HSTS: Enabled (max-age=31536000)

Media Encryption:
├─ Voice: SRTP (AES-128)
├─ Video: SRTP (AES-256)
├─ Screen Share: SRTP + TLS tunnel
└─ Chat/Messaging: TLS 1.3 + E2EE option

3.2 Data Loss Prevention (DLP)

PII Detection and Masking:

# Example: Automatic PII masking in logs
def mask_pii(text):
    patterns = {
        'phone': r'\+?1?\d{10}',
        'email': r'[\w\.-]+@[\w\.-]+\.\w+',
        'ssn': r'\d{3}-\d{2}-\d{4}',
        'credit_card': r'\d{4}[\s-]?\d{4}[\s-]?\d{4}[\s-]?\d{4}'
    }

    for pii_type, pattern in patterns.items():
        text = re.sub(pattern, f'[{pii_type.upper()}_REDACTED]', text)

    return text

# Log entry transformation:
# Original: "Customer called from +1-XX5-0100"
# Masked:   "Customer called from [PHONE_REDACTED]"

Data Classification:

Classification Examples Storage Sharing Retention
Public Marketing materials Unencrypted OK External OK Indefinite
Internal Agent schedules Encrypted Internal only 1 year
Confidential Customer records Encrypted + ACL Need-to-know 7 years
Restricted Payment data Encrypted + HSM PCI-compliant only Minimized

3.3 PCI-DSS Compliance

Cardholder Data Environment (CDE):

┌───────────────────────────────────────────────────────┐
│         CARDHOLDER DATA ENVIRONMENT (CDE)             │
│  ┌─────────────────────────────────────────────────┐  │
│  │        Payment Card Information                 │  │
│  │  ❌ Never stored in Webex Contact Center       │  │
│  └─────────────────────────────────────────────────┘  │
│                                                       │
│  PCI-DSS Controls:                                    │
│  ├─ Recording Pause during payment collection        │
│  ├─ DTMF tones suppressed/masked                     │
│  ├─ Tokenization for any stored references           │
│  ├─ Segmented network for payment IVR                │
│  └─ Annual PCI audit and certification               │
└───────────────────────────────────────────────────────┘

PCI-Compliant Call Flow:

1. Customer calls for payment
2. Agent greets and identifies customer
3. Agent clicks "Pause Recording" button
4. Recording paused (cannot be resumed manually)
5. Transfer to IVR for payment entry
   ├─ DTMF tones not recorded
   ├─ Dual-tone scrambling active
   └─ Payment gateway tokenizes card
6. IVR returns token to agent
7. Recording automatically resumes
8. Agent completes transaction with token

PCI-DSS SAQ (Self-Assessment Questionnaire):

Applicable SAQ: SAQ D (Service Provider)
Key Requirements:
├─ Requirement 1: Firewall configuration
├─ Requirement 2: No default passwords
├─ Requirement 3: Protect stored cardholder data (N/A - not stored)
├─ Requirement 4: Encrypt transmission (TLS 1.2+)
├─ Requirement 6: Secure systems and applications
├─ Requirement 8: Unique IDs and authentication (MFA)
├─ Requirement 10: Track and monitor all access (Audit logs)
└─ Requirement 12: Information security policy

Annual Compliance:
├─ Internal audit: Q1
├─ External audit: Q2 (QSA certification)
└─ Attestation of Compliance (AOC): Valid for 1 year

4. Network Security

4.1 Firewall Configuration

Required Ports and Protocols:

Direction Protocol Port Purpose
Outbound HTTPS 443 Control Hub, APIs
Outbound WSS 443 WebSocket (real-time events)
Outbound SIP 5060-5061 SIP signaling (TCP/TLS)
Bidirectional RTP/SRTP 8000-8999 Voice media streams
Outbound STUN/TURN 3478, 5349 NAT traversal

IP Whitelist (Webex Cloud):

Control Hub/API:
├─ 170.72.0.0/16
├─ 64.68.96.0/19
└─ 66.114.160.0/20

Media (RTP):
├─ Regional data centers (vary by region)
├─ US East: 52.xx.xx.xx/24
├─ US West: 54.xx.xx.xx/24
└─ EU: 18.xx.xx.xx/24

(Full list: https://help.webex.com/article/WBX000028782)

Firewall Rule Example (Cisco ASA):

access-list WEBEX_OUTBOUND extended permit tcp any object-group webex-api-servers eq 443
access-list WEBEX_OUTBOUND extended permit tcp any object-group webex-api-servers eq 5061
access-list WEBEX_OUTBOUND extended permit udp any object-group webex-media-servers range 8000 8999

object-group network webex-api-servers
 network-object 170.72.0.0 255.255.0.0
 network-object 64.68.96.0 255.255.224.0
 network-object 66.114.160.0 255.255.224.0

4.2 Quality of Service (QoS)

Traffic Prioritization:

┌───────────────────────────────────────────────────┐
│  Priority 1 (EF) - Expedited Forwarding           │
│  • Voice RTP (DSCP 46)                            │
│  • Guaranteed bandwidth, minimal latency          │
├───────────────────────────────────────────────────┤
│  Priority 2 (AF41) - Assured Forwarding           │
│  • SIP Signaling (DSCP 24)                        │
│  • Video conferencing                             │
├───────────────────────────────────────────────────┤
│  Priority 3 (AF21)                                │
│  • Agent Desktop (HTTP/HTTPS)                     │
│  • CRM integrations                               │
├───────────────────────────────────────────────────┤
│  Priority 4 (Best Effort)                         │
│  • Email, file transfers                          │
│  • General web browsing                           │
└───────────────────────────────────────────────────┘

4.3 DDoS Protection

Mitigation Strategy:

Layer 3/4 DDoS (Network/Transport):
├─ Cisco Managed: Cloud-based scrubbing
├─ Rate limiting at edge routers
├─ SYN flood protection
└─ UDP flood mitigation

Layer 7 DDoS (Application):
├─ Web Application Firewall (WAF)
├─ CAPTCHA challenges for suspicious traffic
├─ Geo-blocking for high-risk regions
└─ API rate limiting (per token)

Detection Thresholds:
├─ Baseline: 10,000 requests/minute
├─ Alert: 50,000 requests/minute (5x baseline)
└─ Block: 100,000 requests/minute (10x baseline)

5. Compliance Framework

5.1 Regulatory Compliance

GDPR (General Data Protection Regulation):

Rights Implementation:
├─ Right to Access: Self-service data export portal
├─ Right to Erasure: 30-day data deletion process
├─ Right to Rectification: CRM data update APIs
├─ Right to Data Portability: Export in standard formats
├─ Right to Object: Opt-out mechanisms
└─ Right to be Informed: Privacy policy + consent forms

Technical Measures:
├─ Data minimization (collect only necessary data)
├─ Purpose limitation (define retention policies)
├─ Privacy by design (default-secure configurations)
└─ Data Protection Impact Assessment (DPIA) annually

CCPA (California Consumer Privacy Act):

Consumer Rights:
├─ Right to Know: Disclose data collected
├─ Right to Delete: 45-day deletion timeline
├─ Right to Opt-Out: "Do Not Sell My Info" link
└─ Right to Non-Discrimination: Equal service regardless

Implementation:
├─ Privacy Notice on website
├─ Toll-free number for requests: 1-800-xxx-xxxx
├─ Email: privacy@company.com
└─ Verification process for requests (2-factor)

HIPAA (Health Insurance Portability and Accountability Act):

PHI Protection (if applicable):
├─ Business Associate Agreement (BAA) with Cisco
├─ Encryption: AES-256 for PHI at rest and in transit
├─ Access Controls: Role-based, audit trails
├─ Breach Notification: Within 60 days of discovery
└─ Annual HIPAA security risk assessment

Technical Safeguards:
├─ Automatic logoff after 15 minutes inactivity
├─ Encrypted storage for all call recordings
├─ Audit logs for all PHI access (who, what, when)
└─ Regular vulnerability scanning

5.2 Industry Standards

ISO/IEC 27001 (Information Security Management):

Control Domains:
├─ A.5: Information Security Policies
├─ A.6: Organization of Information Security
├─ A.7: Human Resource Security
├─ A.8: Asset Management
├─ A.9: Access Control
├─ A.10: Cryptography
├─ A.11: Physical and Environmental Security
├─ A.12: Operations Security
├─ A.13: Communications Security
├─ A.14: System Acquisition, Development, Maintenance
├─ A.15: Supplier Relationships
├─ A.16: Incident Management
├─ A.17: Business Continuity
└─ A.18: Compliance

Certification Timeline:
├─ Gap Analysis: Month 1-2
├─ Remediation: Month 3-6
├─ Internal Audit: Month 7
├─ External Audit: Month 8-9
└─ Certification: Month 10

SOC 2 Type II:

Trust Service Criteria:
├─ Security: Protection against unauthorized access
├─ Availability: System available for operation as agreed
├─ Processing Integrity: System processing complete, valid, accurate
├─ Confidentiality: Confidential info protected
└─ Privacy: Personal info collected, used, retained, disclosed per commitments

Audit Scope: Webex Contact Center platform
Audit Period: 12 months
Auditor: Big 4 accounting firm
Report: Available to customers under NDA

6. SIEM Integration

6.1 SIEM Architecture

Overview:

┌───────────────────────────────────────────────────────┐
│       WEBEX CONTACT CENTER PLATFORM                   │
│  ┌─────────────────────────────────────────────────┐  │
│  │          Event Sources                          │  │
│  │  ├─ Authentication logs (success/failure)       │  │
│  │  ├─ Access logs (who accessed what)             │  │
│  │  ├─ Configuration changes                       │  │
│  │  ├─ API calls (all requests/responses)          │  │
│  │  ├─ System health events                        │  │
│  │  └─ Security incidents (detected threats)       │  │
│  └──────────────────────┬──────────────────────────┘  │
└─────────────────────────┼─────────────────────────────┘
                          │ Syslog (UDP 514 / TCP 514 / TLS 6514)
                          │ or Webhooks (HTTPS)
┌─────────────────────────▼─────────────────────────────┐
│               LOG AGGREGATION LAYER                   │
│  ┌─────────────────────────────────────────────────┐  │
│  │  Logstash / Fluentd / Splunk HF                 │  │
│  │  ├─ Parse logs (JSON/Syslog format)             │  │
│  │  ├─ Enrich with context                         │  │
│  │  ├─ Filter noise                                │  │
│  │  └─ Forward to SIEM                             │  │
│  └──────────────────────┬──────────────────────────┘  │
└─────────────────────────┼─────────────────────────────┘
┌───────────────────────────────────────────────────────┐
│               SIEM PLATFORM                           │
│  Splunk / QRadar / ArcSight / Sentinel                │
│  ┌─────────────────────────────────────────────────┐  │
│  │  Security Analytics Engine                      │  │
│  │  ├─ Correlation rules                           │  │
│  │  ├─ Anomaly detection (ML/AI)                   │  │
│  │  ├─ Threat intelligence integration             │  │
│  │  └─ Real-time alerting                          │  │
│  └─────────────────────────────────────────────────┘  │
│  ┌─────────────────────────────────────────────────┐  │
│  │  Security Operations Center (SOC)               │  │
│  │  ├─ Dashboards                                  │  │
│  │  ├─ Incident response                           │  │
│  │  └─ Forensic investigation                      │  │
│  └─────────────────────────────────────────────────┘  │
└───────────────────────────────────────────────────────┘

6.2 Supported SIEM Platforms

Splunk Integration:

Data Input Configuration:
├─ Input Type: HTTP Event Collector (HEC)
├─ Endpoint: https://splunk-server:8088/services/collector
├─ Token: [Generated in Splunk HEC settings]
├─ Source Type: webex:contactcenter
├─ Index: security

Webex Configuration:
├─ Control Hub → Settings → Security
├─ SIEM Integration → Add Splunk
├─ Enter HEC token and endpoint
├─ Select event types to forward:
│   ├─ ✅ Authentication events
│   ├─ ✅ Access control events
│   ├─ ✅ Configuration changes
│   ├─ ✅ API activity
│   └─ ✅ Security alerts
└─ Test connection → Save

Sample Splunk Query (SPL):

index=security sourcetype="webex:contactcenter"
| stats count by event_type, severity
| where severity="high" OR severity="critical"
| timechart span=1h count by event_type

QRadar Integration:

Log Source Configuration:
├─ Log Source Type: Cisco Webex Contact Center
├─ Protocol: Syslog (TLS preferred)
├─ Identifier: webex-cc-prod
├─ Log Source Group: Cloud Applications
└─ Parsing: Custom DSM (Device Support Module)

Custom QRadar Rule Example:
WHEN event_category = "authentication_failure"
  AND count >= 5
  WITHIN 5 minutes
  FROM same source_ip
THEN
  CREATE offense "Brute Force Attack Detected"
  SEVERITY: High
  ASSIGN TO: SOC_Team

Azure Sentinel Integration:

Data Connector:
├─ Connector Type: Webex Contact Center (Custom)
├─ Method: Azure Logic App + Webex API
├─ Frequency: Every 5 minutes
└─ Storage: Log Analytics Workspace

Logic App Workflow:
1. Trigger: Recurrence (every 5 minutes)
2. Action: HTTP Request to Webex Audit API
3. Parse JSON: Extract log events
4. For Each: Loop through events
5. Send Data: Post to Log Analytics

6.3 Event Types and Severity Levels

Event Taxonomy:

Event Type Examples Severity SIEM Alert
Authentication Login success/failure, MFA bypass attempts Info/High Failed: Yes
Authorization Permission denied, role escalation Medium/High Yes
Configuration Queue changes, user provisioning Info/Medium Major changes only
Data Access Recording access, report export Info Large exports: Yes
API Activity API calls, rate limit exceeded Info/Medium Anomalies: Yes
Security Incident Intrusion attempt, malware detected High/Critical Always
System Health Service degradation, failover Medium Outages: Yes
Compliance Policy violation, data breach High/Critical Always

Severity Definitions:

Critical (Severity 1):
├─ Active security breach
├─ Data exfiltration detected
├─ System compromise
└─ Response: Immediate (< 15 minutes)

High (Severity 2):
├─ Suspicious authentication patterns
├─ Privilege escalation attempt
├─ Unusual data access
└─ Response: Urgent (< 1 hour)

Medium (Severity 3):
├─ Failed login attempts (< threshold)
├─ Minor policy violations
├─ Configuration drift
└─ Response: Standard (< 4 hours)

Low (Severity 4):
├─ Informational events
├─ Routine activities
└─ Response: As needed

6.4 Log Format and Structure

JSON Format (Standard):

{
  "timestamp": "2024-10-31T14:32:15.123Z",
  "event_id": "evt-abc123-xyz789",
  "event_type": "authentication",
  "event_action": "login_failure",
  "severity": "high",
  "source": {
    "ip": "192.168.1.100",
    "user_agent": "Mozilla/5.0...",
    "geolocation": {
      "city": "San Jose",
      "country": "US",
      "latitude": 37.3382,
      "longitude": -121.8863
    }
  },
  "user": {
    "id": "user-123",
    "email": "john.doe@company.com",
    "role": "agent"
  },
  "details": {
    "reason": "invalid_credentials",
    "attempt_count": 3,
    "account_locked": false
  },
  "organization": {
    "id": "org-xyz789",
    "name": "Acme Corporation"
  }
}

Syslog Format (CEF - Common Event Format):

<134>1 2024-10-31T14:32:15.123Z webex-cc-prod WebexCC - authentication_failure - 
CEF:0|Cisco|Webex Contact Center|1.0|AUTH-001|Login Failure|8|
src=192.168.1.100 
suser=john.doe@company.com 
outcome=failure 
reason=invalid_credentials 
cnt=3

6.5 Use Cases and Detection Rules

Use Case 1: Brute Force Attack Detection

Rule Logic:
IF authentication_failure events >= 5
   FROM same source_ip
   WITHIN 10 minutes
   FOR any user_id
THEN
   ALERT: "Possible brute force attack"
   SEVERITY: High
   ACTION: Block source_ip temporarily (30 minutes)
   NOTIFY: Security team via email/SMS

Splunk Query:
index=security sourcetype="webex:contactcenter" event_type="authentication" event_action="login_failure"
| stats count by source.ip
| where count >= 5

Use Case 2: Insider Threat - Unusual Data Access

Rule Logic:
IF user accesses > 50 call recordings in 1 hour
   AND user.role != "quality_analyst"
   AND access_time OUTSIDE business_hours (8 AM - 6 PM)
THEN
   ALERT: "Unusual data access pattern"
   SEVERITY: High
   ACTION: Require re-authentication
   NOTIFY: User's manager + Security team

QRadar AQL Query:
SELECT username, QIDNAME(qid) as "Event", COUNT(*) as "Count"
FROM events
WHERE category = 'data_access'
  AND LOGSOURCETYPENAME(logsourceid) = 'Webex Contact Center'
  AND "Call Recording Access"
GROUP BY username
HAVING COUNT(*) > 50
LAST 1 HOURS

Use Case 3: Privilege Escalation Attempt

Rule Logic:
IF configuration_change event
   AND target_resource = "admin_role"
   AND actor.role != "super_admin"
THEN
   ALERT: "Unauthorized privilege escalation attempt"
   SEVERITY: Critical
   ACTION: Revert change immediately
   NOTIFY: CISO + Security Operations

Azure Sentinel KQL Query:
WebexContactCenter_CL
| where EventType_s == "configuration_change"
| where TargetResource_s == "admin_role"
| where ActorRole_s != "super_admin"
| project TimeGenerated, Actor_s, TargetResource_s, ChangeDetails_s

Use Case 4: Anomalous API Usage

Rule Logic:
IF API calls from user_account > 1000 per minute
   OR API error_rate > 20%
   OR API calls from new geolocation
THEN
   ALERT: "Anomalous API usage detected"
   SEVERITY: Medium
   ACTION: Rate limit account
   NOTIFY: Account owner + API team

Detection Method: Machine Learning baseline
├─ Establish normal API usage pattern (30 days)
├─ Calculate: avg_calls_per_hour, typical_geolocations
├─ Alert when deviation > 3 standard deviations
└─ Auto-adjust baseline weekly

Use Case 5: Data Exfiltration

Rule Logic:
IF bulk_export event
   AND export_size > 10,000 records
   AND user accessed from:
      ├─ Non-corporate IP address
      ├─ New device
      └─ Suspicious geolocation
THEN
   ALERT: "Potential data exfiltration"
   SEVERITY: Critical
   ACTION: Block export immediately
   NOTIFY: CISO + Legal + HR

Investigation Checklist:
☐ Verify user identity (call user directly)
☐ Review recent access patterns
☐ Check for compromised credentials
☐ Analyze exported data sensitivity
☐ Engage incident response team

6.6 SIEM Dashboard Examples

Security Operations Dashboard:

┌─────────────────────────────────────────────────────┐
│         WEBEX CONTACT CENTER - SECURITY SOC         │
├─────────────────────────────────────────────────────┤
│  Events Last 24 Hours                               │
│  ┌──────────────┬───────────┬────────────────────┐ │
│  │ Total Events │  45,823   │ ▲ 12% from prev    │ │
│  ├──────────────┼───────────┼────────────────────┤ │
│  │ Critical     │    7      │ ⚠️ Needs attention │ │
│  │ High         │    34     │ 🟡 Under review    │ │
│  │ Medium       │   156     │ ✅ Normal          │ │
│  │ Low          │ 45,626    │ ✅ Normal          │ │
│  └──────────────┴───────────┴────────────────────┘ │
│                                                     │
│  Top Security Events                                │
│  1. Failed login attempts: 234 (Top IP: 1.2.3.4)   │
│  2. Unusual data access: 7 users                    │
│  3. API rate limit exceeded: 12 accounts           │
│  4. Configuration changes: 45 (Admin actions)       │
│  5. Geo-anomaly logins: 3 users from new countries │
│                                                     │
│  Active Incidents                                   │
│  🔴 INC-001: Brute force attack (1.2.3.4)          │
│      Status: Investigating | Owner: SOC-Analyst-3   │
│  🟡 INC-002: Unusual recording access (user-789)   │
│      Status: Awaiting user contact | Owner: SOC-2   │
└─────────────────────────────────────────────────────┘

Compliance Audit Dashboard:

┌─────────────────────────────────────────────────────┐
│       COMPLIANCE & AUDIT TRAIL DASHBOARD            │
├─────────────────────────────────────────────────────┤
│  Access Control Review                              │
│  ├─ Total Users: 523                                │
│  ├─ Privileged Accounts: 12 (2.3%)                  │
│  ├─ Inactive Users (90+ days): 8 ⚠️                │
│  └─ MFA Adoption: 100% ✅                          │
│                                                     │
│  Configuration Changes (Last 7 Days)                │
│  ┌─────────────────────┬───────┬─────────────────┐ │
│  │ Change Type         │ Count │ Approved        │ │
│  ├─────────────────────┼───────┼─────────────────┤ │
│  │ User provisioning   │  15   │ 15/15 ✅       │ │
│  │ Queue modifications │   8   │  7/8 ⚠️        │ │
│  │ Role changes        │   3   │  3/3 ✅        │ │
│  │ Integration updates │   2   │  2/2 ✅        │ │
│  └─────────────────────┴───────┴─────────────────┘ │
│                                                     │
│  Data Access Audit                                  │
│  ├─ Call Recordings Accessed: 1,245                 │
│  ├─ Reports Exported: 67                            │
│  ├─ Customer Records Viewed: 4,567                  │
│  └─ Compliance Violations: 0 ✅                    │
└─────────────────────────────────────────────────────┘

6.7 Incident Response Integration

SOAR (Security Orchestration, Automation, Response) Integration:

┌──────────────────┐
│  SIEM Alert      │
│  (High Severity) │
└────────┬─────────┘
┌──────────────────┐
│  SOAR Platform   │
│ (Palo Alto XSOAR,│
│  Splunk Phantom) │
└────────┬─────────┘
    ┌────┴────┐
    │         │
    ▼         ▼
┌────────┐ ┌─────────┐
│Enrich  │ │ Execute │
│Context │ │Playbook │
└────────┘ └────┬────┘
    ┌─────────┼─────────┐
    │         │         │
    ▼         ▼         ▼
┌────────┐ ┌────────┐ ┌──────────┐
│ Block  │ │ Notify │ │  Create  │
│  IP    │ │  SOC   │ │  Ticket  │
└────────┘ └────────┘ └──────────┘

Automated Response Playbook Example:

playbook: brute_force_response
trigger: SIEM alert "Brute Force Attack Detected"
steps:
  1. enrich_alert:
      - query_threat_intel_for_source_ip
      - check_ip_reputation_score
      - get_historical_activity

  2. contain_threat:
      - IF threat_score > 8 THEN
          - block_source_ip_at_firewall
          - add_ip_to_deny_list (duration: 24h)
      - ELSE
          - add_ip_to_watch_list

  3. investigate:
      - collect_logs_from_last_hour
      - identify_affected_user_accounts
      - check_for_successful_logins

  4. notify:
      - send_alert_to_soc_team (Slack + Email)
      - create_incident_ticket (ServiceNow)
      - IF user_account_compromised THEN
          - notify_user_manager
          - require_password_reset

  5. document:
      - log_all_actions_taken
      - update_incident_ticket
      - generate_forensic_report

6.8 Threat Intelligence Integration

Threat Feed Integration:

Threat Intelligence Sources:
├─ Commercial Feeds:
│   ├─ Cisco Talos
│   ├─ Recorded Future
│   └─ CrowdStrike Falcon Intelligence
├─ Open Source Feeds:
│   ├─ AlienVault OTX
│   ├─ Abuse.ch
│   └─ MISP (Malware Information Sharing Platform)
└─ Government Sources:
    ├─ US-CERT
    ├─ CISA Alerts
    └─ FBI IC3

Integration Method:
1. Daily feed ingestion (STIX/TAXII format)
2. Enrich SIEM events with threat context
3. Auto-correlate IOCs (IP, domain, hash)
4. Alert on known malicious indicators

IOC Matching Example:

Event: Login from IP 1.2.3.4
Query Threat Intelligence:
   ├─ IP Reputation: Malicious (Score: 9/10)
   ├─ Known for: Credential stuffing attacks
   ├─ First seen: 2024-10-20
   └─ Associated campaigns: APT-XYZ
Auto-Response:
   ├─ Block IP immediately
   ├─ Notify SOC: "Login from known malicious IP"
   ├─ Severity: Critical
   └─ Recommended action: Force logout, password reset

7. Audit and Logging

7.1 Comprehensive Audit Trail

Audit Log Categories:

User Actions:
├─ Login/Logout events
├─ State changes (Available, Away, Wrap-up)
├─ Call handling actions
├─ Configuration changes made
└─ Report access and exports

Administrative Actions:
├─ User provisioning/deprovisioning
├─ Role assignments
├─ Queue/skill modifications
├─ Integration configuration
└─ System settings changes

System Events:
├─ Service health changes
├─ Failover events
├─ API rate limiting triggered
└─ Security policy violations

Data Access:
├─ Call recording access
├─ Customer data views
├─ Bulk data exports
└─ API data retrieval

Audit Log Retention:

Log Type Retention Period Storage Location Access Control
Authentication logs 1 year Hot storage Security team only
Configuration changes 7 years Warm/cold storage Admins + Auditors
Call detail records 7 years Cold storage Authorized users
Data access logs 3 years Warm storage Security + Compliance
API logs 90 days Hot storage Admins + Developers

7.2 Audit Log Query Examples

View all admin actions in last 24 hours:

GET /v1/audit-logs
?event_type=administrative
&start_time=2024-10-30T00:00:00Z
&end_time=2024-10-31T00:00:00Z
&severity=medium,high,critical

Response:
[
  {
    "timestamp": "2024-10-30T14:23:11Z",
    "event_type": "user_provisioning",
    "actor": "admin@company.com",
    "action": "create_user",
    "target": "newagent@company.com",
    "details": {
      "role": "agent",
      "skills": ["sales", "english"],
      "team": "Sales Team A"
    }
  },
  ...
]

Track specific user's activities:

GET /v1/audit-logs
?user_id=user-123
&start_time=2024-10-01T00:00:00Z
&end_time=2024-10-31T23:59:59Z

Timeline View:
2024-10-30 09:00:15 - Login (IP: 192.168.1.50)
2024-10-30 09:05:32 - Status change: Available
2024-10-30 09:07:45 - Call handled (CallID: abc-123)
2024-10-30 09:15:12 - Accessed call recording (RecID: rec-456)
2024-10-30 17:30:00 - Status change: Offline
2024-10-30 17:30:05 - Logout

8. Vulnerability Management

8.1 Security Patching

Patching Responsibility Matrix:

Component Managed By Patching SLA
Webex CC Platform Cisco Automatic, quarterly
Agent Desktop (Browser) End user User responsibility
Operating System (Agent PCs) Customer IT Customer-defined
Network Equipment Customer Customer-defined
Integration Middleware Customer/Vendor Vendor-dependent

Cisco Platform Updates:

Update Schedule:
├─ Major releases: Quarterly (Q1, Q2, Q3, Q4)
├─ Minor updates: Monthly (as needed)
├─ Security patches: Emergency (within 48 hours of critical CVE)
└─ Feature releases: Continuous delivery

Customer Notification:
├─ Maintenance window: 30 days advance notice
├─ Emergency patches: 24 hours notice
├─ Downtime: Typically < 1 hour during maintenance
└─ Communication: Email + Control Hub notifications

8.2 Vulnerability Scanning

Continuous Security Monitoring:

Internal Scanning (by Cisco):
├─ Weekly vulnerability scans
├─ Penetration testing: Quarterly
├─ Code security review: Every release
└─ Third-party security audits: Annually

Customer Scanning:
├─ Scan agent endpoints: Weekly (recommended)
├─ Network security scans: Monthly
├─ Application security testing: Per change
└─ Compliance scans: Quarterly

9. Business Continuity and Disaster Recovery

9.1 Backup and Recovery

Backup Strategy:

Configuration Backups:
├─ Frequency: Daily (automated)
├─ Retention: 30 days
├─ Scope: User config, queues, routing, integrations
└─ Recovery Time: < 1 hour

Call Recording Backups:
├─ Frequency: Real-time replication
├─ Retention: Per compliance policy (7 years)
├─ Scope: All recorded calls
└─ Recovery Time: < 4 hours

Reporting Data:
├─ Frequency: Daily
├─ Retention: 13 months
├─ Scope: Historical reports, analytics
└─ Recovery Time: < 8 hours

9.2 Disaster Recovery Plan

RTO and RPO Targets:

System Component RTO (Recovery Time) RPO (Data Loss)
Contact Center Core 4 hours < 15 minutes
Agent Desktop 1 hour 0 (cloud-based)
Call Recordings 8 hours < 1 hour
Integrations 4 hours < 30 minutes
Reporting 24 hours < 24 hours

DR Failover Procedure:

Automated Failover (Regional Outage):
1. Health check failure detected
   ├─ Primary region: US-East down
   └─ Detection time: < 1 minute

2. Traffic redirected to secondary region
   ├─ DNS updated automatically
   ├─ Calls routed to US-West
   └─ Agents automatically reconnect
   └─ Failover time: < 5 minutes

3. Validation
   ├─ Test inbound calls
   ├─ Verify agent connectivity
   └─ Check CRM integrations

4. Customer notification
   ├─ Status page updated
   └─ Email to admins

5. Post-incident review (after failback)

10. Security Awareness and Training

10.1 Security Training Program

Required Training:

Role Training Modules Frequency Duration
All Users Security Awareness 101 Annual 30 min
Agents PCI-DSS Compliance Annual 1 hour
Supervisors Data Privacy (GDPR/CCPA) Annual 1.5 hours
Admins Platform Security Best Practices Quarterly 2 hours
Developers Secure Coding & API Security Semi-annual 4 hours

Training Topics:

Security Awareness 101:
├─ Password best practices
├─ Phishing identification
├─ Social engineering tactics
├─ Secure remote work
└─ Incident reporting

PCI-DSS for Contact Centers:
├─ Never ask for full credit card numbers
├─ Recording pause procedures
├─ Secure payment handling
└─ Compliance violations and consequences

Data Privacy Training:
├─ Understanding PII
├─ Customer data rights (GDPR/CCPA)
├─ Data minimization principles
└─ Breach notification procedures

10.2 Phishing Simulation

Simulated Phishing Campaign:

Program:
├─ Frequency: Monthly
├─ Target: All users (randomized)
├─ Scenarios:
│   ├─ Fake IT support request
│   ├─ Credential harvesting
│   ├─ Malicious attachment
│   └─ Urgent CEO request

Results Tracking:
├─ Click rate: Target < 5%
├─ Credential entry rate: Target < 1%
├─ Report rate: Target > 70%
└─ Remedial training for failures

Validation Checklist

Before go-live:

  • All security controls implemented and tested
  • IAM policies configured (SSO, MFA, RBAC)
  • Encryption enabled (at rest and in transit)
  • Firewall rules validated and documented
  • SIEM integration configured and alerting
  • Compliance requirements mapped and validated
  • Audit logging enabled for all critical events
  • Incident response procedures documented
  • Security training completed for all users
  • Vulnerability scanning completed with no critical findings
  • DR/BC procedures tested and validated
  • Security review and penetration testing completed
  • Compliance certifications obtained (SOC 2, ISO 27001)
  • Security runbook and escalation procedures documented

Appendix: Security Contacts

Escalation Matrix:

Severity Contact Response Time
Critical CISO + SOC Lead 15 minutes
High Security Manager 1 hour
Medium Security Team 4 hours
Low Help Desk Next business day

24/7 Security Operations: - SOC Hotline: +1-800-xxx-xxxx - Email: security-ops@company.com - Slack: #security-incidents

Cisco Webex Security: - TAC Security Line: 1-800-553-2447 - Email: security@cisco.com - Security Advisories: https://tools.cisco.com/security/center/publicationListing.x