Transcript of: Hoe werkt een aanval en kun je effectief bedreigingen ... (How does an attack work and can you effectively stop threats ...)
Christopher van der Made
Technical Solutions Specialist
3rd of October, 2019
What Cisco can offer for Threat Hunting and Response
Hoe werkt een aanval en kun je effectief bedreigingen tegenhouden in 2020? (How does an attack work and can you effectively stop threats in 2020?)
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• Introduction to Threat Hunting and SOCs
• The Birth of Cisco Security
• Cisco Elements for a SOC
• LIVE DEMO
Introduction
The Hunting Maturity Model (HMM)
Source: “A framework for Cyber Threat hunting” by Sqrrl
The Hunting Loop
Source: “A framework for Cyber Threat hunting” by Sqrrl
The Pyramid of Pain
On-Demand Hunting
Automated Continuous Hunting
The Birth of Cisco Security
The Birth of Cisco’s Advanced Threat Portfolio…
Cisco
Sourcefire
Immunet
ThreatGrid
Cognitive
The Birth of Cisco’s Security Portfolio…
Cisco
Sourcefire
ThreatGrid
OpenDNS
Cloudlock
Duo Security
Lancope
IronPort
Cognitive
Observable Networks
Immunet
AnyConnect
Cisco Elements for a SOC
Pillars: Network · Endpoint · Cloud
Elements: Endpoint Detection & Response, Mobile Security, Multi-factor authentication, Firewall, Intrusion Prevention, Web Security, SD Segmentation, Behavioral Analytics, Secure Internet Gateway, DNS Security, Email Security
Cisco Talos inputs: Product Telemetry, Data Sharing, Vulnerability Discovery, Threat Traps
Cisco Security 2019: Integrated Architecture
Capabilities: Automated Policy · Context Awareness · Event Visibility · Threat Intel/Enforcement
• Enterprise Mobility Management
• Network Traffic Security Analytics
• Cloud Workload Protection
• Web Security
• Advanced Threat Defense
• Secure SD-WAN / Routers
• Identity and Network Access Control
• Secure Internet Gateway
• Switches and Access Points
• Next-Gen FW/IPS
• Cloud Access Security Broker
Tying it together: Cisco Threat Intelligence · Cisco Platform Exchange · Cisco Threat Response
Cisco Security 2019: Integrated Architecture (product view)
Capabilities: Automated Policy · Context Awareness · Event Visibility · Threat Intel/Enforcement
• Enterprise Mobility Management: Meraki Systems Manager
• Network Traffic Security Analytics: Stealthwatch + Cloud
• Cloud Workload Protection: Tetration
• Web Security: Web Security + Cloud
• Advanced Threat: AMP for Endpoints · AMP Cloud · Threat Grid · Cognitive
• Secure SD-WAN / Router: ISR · CSR · ASR · vEdge · Meraki MX
• Identity and Network Access Control: Identity Services Engine + pxGrid (+ Duo)
• Secure Internet Gateway: Umbrella + Investigate
• Digital Network Architecture: Catalyst · Nexus · Meraki MS · Aironet/WLC · Meraki MR
• Next-Gen FW/IPS: Firepower NGFW/NGIPS
• Cloud Access Security Broker: Cloudlock
• Third Party Integrations: pxGrid · Reporting APIs · Enforcement APIs · Threat Intel APIs · Web Hooks
Cluster 1* · Cluster 2* (*WARNING: massive simplification)
Tying it together: Cisco Threat Intelligence · Cisco Platform Exchange · Cisco Threat Response
AMP Unity Retrospective Event Flow
Actors: Customer, CES (Cloud Email Security), AMP Cloud, Threat Grid Cloud, AMP4E (AMP for Endpoints)
1. Email with attachment arrives
2. File Reputation Query (SHA256)
3. AMP Verdict: Unknown
4. No Quarantine Policy, Email Delivered
5. User Opens Email Attachment: IOC Detected and Quarantined by AMP4E
7. AMP Retrospective Verdict Update: Malicious
9. Remediation (all mailboxes)
Azure Application Permissions (for mailbox remediation):
• Send mail as any user
• Read and write mail in all mailboxes
• Read mail in all mailboxes
• Full access to all mailboxes
Source: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_010100.html
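The retrospective flow above, as an added example that is not part of the original slides and not Cisco's code: a toy Python model of a mail gateway that queries a reputation service by SHA-256, delivers unknown files under a no-quarantine policy, keeps an index of which mailboxes received each hash, and pulls the message from every one of them when the verdict later flips to malicious. The class and function names, the sample attachment bytes and the mailbox names are all constructed for this example.

```python
"""Toy model of the retrospective file-verdict flow (constructed example, not Cisco code)."""
import hashlib
from collections import defaultdict

UNKNOWN, CLEAN, MALICIOUS = "unknown", "clean", "malicious"


def sha256_hex(data: bytes) -> str:
    """Step 2: the gateway queries by SHA-256; it does not upload the file on first sight."""
    return hashlib.sha256(data).hexdigest()


class ReputationCloud:
    """Stands in for the file-reputation service; its verdicts can change after analysis."""

    def __init__(self):
        self._verdicts = {}      # sha256 -> verdict
        self._subscribers = []   # gateways that asked to be told about verdict changes

    def subscribe(self, gateway):
        self._subscribers.append(gateway)

    def query(self, sha256: str) -> str:
        # Step 3: a hash the cloud has never analysed comes back as "unknown".
        return self._verdicts.get(sha256, UNKNOWN)

    def publish_verdict(self, sha256: str, verdict: str) -> list:
        """Step 7: sandbox analysis finished; store the verdict and push it retrospectively."""
        self._verdicts[sha256] = verdict
        actions = []
        for gateway in self._subscribers:
            actions.extend(gateway.on_retrospective(sha256, verdict))
        return actions


class MailGateway:
    """Models the email gateway: inbound check, delivery policy, retrospective remediation."""

    def __init__(self, cloud: ReputationCloud, quarantine_unknown: bool = False):
        self.cloud = cloud
        self.quarantine_unknown = quarantine_unknown
        self.quarantine = []                        # (mailbox, msg_id, sha256)
        self.mailboxes = defaultdict(list)          # mailbox -> [(msg_id, sha256)]
        self.delivered_by_hash = defaultdict(set)   # sha256 -> {(mailbox, msg_id)}
        cloud.subscribe(self)

    def receive(self, mailbox: str, msg_id: str, attachment: bytes) -> str:
        sha = sha256_hex(attachment)
        verdict = self.cloud.query(sha)
        if verdict == MALICIOUS or (verdict == UNKNOWN and self.quarantine_unknown):
            self.quarantine.append((mailbox, msg_id, sha))
            return "quarantined"
        # Step 4: no quarantine policy for unknown files, so the mail is delivered, but the
        # gateway records where each hash went so a later verdict is still actionable.
        self.mailboxes[mailbox].append((msg_id, sha))
        self.delivered_by_hash[sha].add((mailbox, msg_id))
        return "delivered"

    def on_retrospective(self, sha256: str, verdict: str) -> list:
        """Step 9: pull the message out of every mailbox that received the now-malicious hash."""
        if verdict != MALICIOUS:
            return []
        remediated = []
        for mailbox, msg_id in sorted(self.delivered_by_hash.pop(sha256, set())):
            self.mailboxes[mailbox] = [m for m in self.mailboxes[mailbox] if m[0] != msg_id]
            self.quarantine.append((mailbox, msg_id, sha256))
            remediated.append((mailbox, msg_id))
        return remediated


def run_scenario() -> dict:
    """Walks the slide's flow with constructed sample mail and returns what happened."""
    cloud = ReputationCloud()
    gateway = MailGateway(cloud, quarantine_unknown=False)
    payload = b"%PDF-1.4 constructed sample attachment, not real malware"
    sha = sha256_hex(payload)
    recipients = ["alice", "bob", "carol"]
    initial = [gateway.receive(mb, f"msg-{i}", payload) for i, mb in enumerate(recipients)]
    # Hours later the sandbox finishes and the verdict flips to malicious (step 7).
    remediated = cloud.publish_verdict(sha, MALICIOUS)
    # A fresh copy of the same file is now blocked on arrival instead of delivered.
    late = gateway.receive("dave", "msg-9", payload)
    return {
        "initial": initial,
        "remediated": remediated,
        "late": late,
        "inbox_sizes": {mb: len(gateway.mailboxes[mb]) for mb in recipients},
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point the toy makes is that step 9 is only possible because the gateway kept `delivered_by_hash` at delivery time; a gateway that forgets where an unknown file went cannot act on a verdict that arrives hours later. In a real deployment that remediation is what needs the mailbox permissions listed on the slide.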
SecOps questions: Why? How? Is it bad? Has it affected us?
Sources feeding the SOC: SIEM, Web Security, Next-Gen Firewalls, Malware Detection, Next-Gen IPS, Endpoint Security, Secure Internet Gateway, 3rd party Sources, Network Analytics, Threat Intel, Identity Mgmt
Security that works together is one of the top priorities for our customers.
Introducing Cisco Threat Response: Integrating security for faster defense
Key pillar of our integrated architecture
• Automates & Orchestrates across security products
• Focuses on security operations functions: Detection, Investigation, and Remediation
• Included as part of NGFW license
Cisco Threat Response
Inputs: Casebook (plugin) · Intel sources (VirusTotal) · Incidents from NGFW, AMP, Stealthwatch, API (3rd Party)
Threat Intelligence: What do you know about these observables (IP, Hash, URL, etc.)?
Threat Investigation: Have we seen these observables? Which end-points interacted with the threat?
Integrated modules: ThreatGrid · Talos Threat Intelligence · Advanced Malware Protection · Cisco Umbrella · Cloud Email Security · Stealthwatch (Cloud) · Firepower · ISE
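The two investigation questions on this slide (have we seen these observables, and on which endpoints?) as an added example, not code from the slides and not from Cisco Threat Response: a Python script that pulls IP, SHA-256, URL and domain observables out of an alert text (refanging `[.]` and `hxxp` first), then correlates them against local telemetry to report which observables were seen, which were not, and which hosts are affected. The advisory text, the hash, the hostnames and the `ts source host=<host> <field>=<value>` log format are all constructed for this example.

```python
"""Observable extraction and local-telemetry correlation (constructed example, not Cisco code)."""
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Patterns for the observable types named on the slide: IP, hash, URL, plus bare domains.
IPV4_RE = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
URL_RE = re.compile(r"""\bhttps?://[^\s"'<>]+""", re.IGNORECASE)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
# Heuristic: bare tokens ending in these are filenames, not domains.
FILE_EXTS = {"exe", "dll", "bin", "pdf", "zip", "txt", "docx", "xlsx"}


def extract_observables(text: str) -> dict:
    """Returns {"ip", "sha256", "url", "domain"} -> set of values; refangs [.] and hxxp first."""
    text = text.replace("[.]", ".").replace("hxxp", "http")
    urls = {u.rstrip(".,;:)") for u in URL_RE.findall(text)}
    hosts = {urlparse(u).hostname for u in urls} - {None}
    remainder = URL_RE.sub(" ", text)   # so URL paths such as /p.bin are not read as domains
    ips = set(IPV4_RE.findall(remainder)) | {h for h in hosts if IPV4_RE.fullmatch(h)}
    domains = {h for h in hosts if not IPV4_RE.fullmatch(h)}
    domains |= {d.lower() for d in DOMAIN_RE.findall(remainder)
                if d.rsplit(".", 1)[-1].lower() not in FILE_EXTS}
    return {
        "ip": ips,
        "sha256": {h.lower() for h in SHA256_RE.findall(remainder)},
        "url": urls,
        "domain": domains,
    }


# Constructed telemetry line format: "<ts> <source> host=<host> <field>=<value>".
LOG_RE = re.compile(r"^(\S+) (\w+) host=(\S+) (\w+)=(\S+)$")
FIELD_TYPE = {"qname": "domain", "url": "url", "sha256": "sha256", "dst": "ip", "src": "ip"}


def correlate(observables: dict, telemetry_lines: list) -> dict:
    """Maps each (type, value) observable to the set of hosts whose telemetry mentions it."""
    sightings = defaultdict(set)
    for line in telemetry_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than mis-attributing them to a host
        _ts, _source, host, field, value = m.groups()
        otype = FIELD_TYPE.get(field)
        if otype is None:
            continue
        if otype != "url":
            value = value.lower()
        if value in observables.get(otype, set()):
            sightings[(otype, value)].add(host)
        if otype == "url":
            # A proxy hit on the URL is also evidence that the host touched the domain.
            hostname = urlparse(value).hostname
            if hostname in observables.get("domain", set()):
                sightings[("domain", hostname)].add(host)
    return sightings


def investigate(alert_text: str, telemetry_lines: list) -> dict:
    """Answers the slide's questions: have we seen these, and which hosts interacted with them?"""
    obs = extract_observables(alert_text)
    sightings = correlate(obs, telemetry_lines)
    seen = {f"{t}:{v}": sorted(hosts) for (t, v), hosts in sightings.items()}
    every = {f"{t}:{v}" for t, values in obs.items() for v in values}
    affected = sorted(set().union(*sightings.values())) if sightings else []
    return {"seen": seen, "not_seen": sorted(every - set(seen)), "affected_hosts": affected}


# Constructed sample input: a fake advisory and six fake telemetry lines.
SAMPLE_SHA = hashlib.sha256(b"constructed sample, not a real malware hash").hexdigest()
ALERT_TEXT = (
    "Advisory (constructed): C2 at 203[.]0[.]113[.]10 and 198[.]51[.]100[.]7, "
    f"second stage fetched from hxxp://update.evil-example[.]net/p.bin with SHA256 {SAMPLE_SHA}"
)
TELEMETRY = [
    "2019-10-03T09:12:01Z dns host=ws-0142 qname=update.evil-example.net",
    "2019-10-03T09:12:03Z proxy host=ws-0142 url=http://update.evil-example.net/p.bin",
    f"2019-10-03T09:12:09Z amp host=ws-0142 sha256={SAMPLE_SHA}",
    "2019-10-03T09:13:40Z fw host=ws-0203 dst=203.0.113.10",
    "2019-10-03T10:02:00Z dns host=ws-0077 qname=intranet.corp.example",
    "2019-10-03T10:05:12Z fw host=ws-0077 dst=192.0.2.44",
]

if __name__ == "__main__":
    for key, val in investigate(ALERT_TEXT, TELEMETRY).items():
        print(key, val)
```

The "not seen" list is as useful as the hits: an observable that never appears in DNS, proxy, endpoint or firewall telemetry narrows the scope of the incident, while the affected-host list is what gets handed to the remediation step (for example an ISE quarantine in the architecture described above). The bare-domain regex is deliberately loose and will pick up things like version strings with letters after a dot; the file-extension filter is a heuristic, not a parser.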
LIVE DEMO
Thank you!
More questions?