How does an attack work and can you effectively stop threats in 2020? (Hoe werkt een aanval en kun je effectief bedreigingen tegenhouden in 2020?)


Page 1

Christopher van der Made

Technical Solutions Specialist

3rd of October, 2019

What Cisco can offer for Threat Hunting and Response

How does an attack work and can you effectively stop threats in 2020?

Page 2

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda

• Introduction to Threat Hunting and SOCs

• The Birth of Cisco Security

• Cisco Elements for a SOC

• LIVE DEMO

Page 3

Introduction

Page 4

The Hunting Maturity Model (HMM)


Source: “A framework for Cyber Threat hunting” by Sqrrl

Page 5

The Hunting Loop


Source: “A framework for Cyber Threat hunting” by Sqrrl

Page 6

The Pyramid of Pain


Page 7

On-Demand Hunting


Automated Continuous Hunting

Page 8

The Birth of Cisco Security

Page 9

The Birth of Cisco’s Advanced Threat Portfolio…

• Cisco

• SourceFire

• ImmuNet

• ThreatGrid

• Cognitive

Page 10

The Birth of Cisco’s Security Portfolio…

• Cisco

• SourceFire

• ThreatGrid

• OpenDNS

• Cloudlock

• Duo Security

• Lancope

• IronPort

• Cognitive

• Observable Networks

• ImmuNet

• AnyConnect

Page 11

Cisco Elements for a SOC

Page 12

Product Telemetry

Endpoint Detection & Response

Mobile Security

Multi-factor authentication

Network

Endpoint

Cloud

Data Sharing

Vulnerability Discovery

Threat Traps

Firewall

Intrusion Prevention

Web Security

SD Segmentation

Behavioral Analytics

Secure Internet Gateway

DNS Security

Email Security

Cisco Talos

Page 13

Cisco Security 2019: Integrated Architecture

Pillars: Automated Policy · Context Awareness · Event Visibility · Threat Intel/Enforcement

• Enterprise Mobility Management

• Network Traffic Security Analytics

• Cloud Workload Protection

• Web Security

• Email Security

• Advanced Threat Defense

• Secure SD-WAN / Routers

• Identity and Network Access Control

• Secure Internet Gateway

• Switches and Access Points

• Enforcement

• Next-Gen FW/IPS

• Cloud Access Security Broker

Platform: Cisco Threat Intelligence · Cisco Platform Exchange · Cisco Threat Response

Page 14

Cisco Security 2019: Integrated Architecture (products)

Pillars: Automated Policy · Context Awareness · Event Visibility · Threat Intel/Enforcement

• Meraki Systems Manager

• Tetration

• Web Security

• Email Security + Cloud

• Advanced Threat: AMP for Endpoints · AMP Cloud · Threat Grid · Cognitive

• Identity Services Engine + pxGrid (+ Duo)

• Umbrella + Investigate

• Firepower NGFW/NGIPS

• Cloudlock

• Stealthwatch + Cloud

• Secure SD-WAN / Router: ISR · CSR · ASR · vEdge · Meraki MX

• Cluster 1* · Cluster 2*

• Digital Network Architecture: Catalyst · Nexus · Meraki MS · Aironet/WLC · Meraki MR

• Third Party Integrations: pxGrid · Reporting APIs · Enforcement APIs · Threat Intel APIs · Web Hooks

*WARNING: massive simplification

Platform: Cisco Threat Intelligence · Cisco Platform Exchange · Cisco Threat Response

Page 15

AMP Unity Retrospective Event Flow

Actors: Customer · CES · AMP Cloud · Threat Grid Cloud · AMP4E

1. Email with attachment arrives

2. File Reputation Query (SHA256)

3. AMP Verdict: Unknown

4. No Quarantine Policy, Email Delivered

5. User Opens Email Attachment: IOC Detected and Quarantined by AMP4E

7. AMP Retrospective Verdict Update: Malicious

9. Remediation (all mailboxes)

Azure Application Permissions:

• Send mail as any user

• Read and write mail in all mailboxes

• Read mail in all mailboxes

• Full access to all mailboxes

Source: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_010100.html

BRKSEC-3433, slide 20
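The retrospective flow above, as an added example (not Cisco's code or API): a small Python correlator that records which mailboxes received an attachment while its AMP verdict was still "unknown" (steps 2 to 4), so that a later verdict update to "malicious" (step 7) yields the remediation list for all affected mailboxes (step 9). The event line format, the addresses, the hostname and the attachment bytes are constructed for this example.

```python
import hashlib
from collections import defaultdict

# Constructed sample: attachment bytes and the event sequence of the flow above.
ATTACHMENT = b"%PDF-1.4 constructed sample attachment"
SHA = hashlib.sha256(ATTACHMENT).hexdigest()
EVENTS = [
    f"DELIVER sha256={SHA} mailbox=alice@example.com",      # steps 1-4: verdict unknown, delivered
    f"DELIVER sha256={SHA} mailbox=bob@example.com",
    f"ENDPOINT_QUARANTINE sha256={SHA} host=alice-laptop",  # step 5: AMP4E IOC hit on open
    f"VERDICT sha256={SHA} verdict=malicious",              # step 7: retrospective update
    f"DELIVER sha256={SHA} mailbox=carol@example.com",      # now known bad: blocked at delivery
]


class RetrospectiveTracker:
    """Keeps enough state at delivery time to act on a verdict that arrives later."""

    def __init__(self):
        self.verdicts = {}                   # sha256 -> latest known verdict
        self.deliveries = defaultdict(list)  # sha256 -> mailboxes that received it

    def reputation(self, sha256):
        return self.verdicts.get(sha256, "unknown")

    def deliver(self, sha256, mailbox):
        # No quarantine policy for "unknown": deliver, but remember who received it.
        if self.reputation(sha256) == "malicious":
            return f"blocked {mailbox}"
        self.deliveries[sha256].append(mailbox)
        return f"delivered {mailbox}"

    def update_verdict(self, sha256, verdict):
        previous = self.reputation(sha256)
        self.verdicts[sha256] = verdict
        # Step 9: remediate every mailbox that got the file while it was "unknown".
        if verdict == "malicious" and previous != "malicious":
            return [f"remediate {m}" for m in self.deliveries[sha256]]
        return []


def process_events(lines):
    """Replay constructed event lines and return the resulting actions in order."""
    tracker = RetrospectiveTracker()
    actions = []
    for line in lines:
        kind, *fields = line.split()
        f = dict(kv.split("=", 1) for kv in fields)
        if kind == "DELIVER":
            actions.append(tracker.deliver(f["sha256"], f["mailbox"]))
        elif kind == "ENDPOINT_QUARANTINE":
            actions.append(f"endpoint quarantined {f['host']}")
        elif kind == "VERDICT":
            actions.extend(tracker.update_verdict(f["sha256"], f["verdict"]))
    return actions
```

The point the flow makes is that delivery-time state (who received which SHA256) is what turns a later verdict change into a concrete remediation list; without it, step 9 cannot enumerate the affected mailboxes.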

Page 16

SecOps questions: Why? How? Is it bad? Has it affected us?

Sources feeding the SOC: SIEM · Email Security · Web Security · Next-Gen Firewalls · Malware Detection · Next-Gen IPS · Endpoint Security · Secure Internet Gateway · 3rd party Sources · Network Analytics · Threat Intel · Identity Mgmt

Security that works together is one of the top priorities for our customers.

Page 17

Introducing Cisco Threat Response

Integrating security for faster defense

Key pillar of our integrated architecture

• Automates & Orchestrates across security products

• Focuses on security operations functions – Detection, Investigation, and Remediation

• Included as part of NGFW license

Page 18

Cisco Threat Response

Intel sources: Virus Total · ThreatGrid · Talos Threat Intelligence

Incidents: NGFW · AMP · Stealthwatch · API (3rd Party)

Casebook (plugin)

Threat Intelligence: What do you know about these observables (IP, Hash, URL, etc.)?

Threat Investigation:

• Have we seen these observables?

• Which end-points interacted with the threat?

Integrated products: Advanced Malware Protection · Cisco Umbrella · Cloud Email Security · Stealthwatch (Cloud) · Firepower · ISE

Page 19

LIVE DEMO

Page 20

Thank you!

More questions?

-> [email protected]