Christopher van der Made, Technical Solutions Specialist, 8th of October, 2019
What can Cisco offer for Automating your SOC? Threat Hunting and Incident Response
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• Introduction to Threat Hunting and SOCs
• Cisco Elements for a SOC
• Cisco Talos
• Integrated Architecture
• Some concrete examples…
• LIVE DEMO
• Wrap Up
Introduction
The Hunting Maturity Model (HMM)
DEVNET-2505
Source: “A framework for Cyber Threat hunting” by Sqrrl
The Hunting Loop
Source: “A framework for Cyber Threat hunting” by Sqrrl
The Pyramid of pain…
On-Demand Hunting
Automated Continuous Hunting
Cisco Talos
Figure: Cisco Talos. Labels: Product Telemetry; Endpoint Detection & Response; Mobile Security; Multi-factor authentication; Network; Endpoint; Cloud; Data Sharing; Vulnerability Discovery; Threat Traps; Firewall; Intrusion Prevention; Web Security; SD Segmentation; Behavioral Analytics; Security Internet Gateway; DNS Security; Email Security.
Integrated Architecture
Figure: Cisco Security 2019, Integrated Architecture. Architecture labels: Automated Policy; Context Awareness; Event Visibility; Threat Intel/Enforcement. Elements: Enterprise Mobility Management; Network Traffic Security Analytics; Cloud Workload Protection; Web Security; Email Security; Advanced Threat Defense; Secure SD-WAN / Routers; Identity and Network Access Control; Secure Internet Gateway; Switches and Access Points Enforcement; Next-Gen FW/IPS; Cloud Access Security Broker. Platform: Cisco Threat Intelligence; Cisco Platform Exchange; Cisco Threat Response.
Figure: Cisco Security 2019, Integrated Architecture (product view). Architecture labels: Automated Policy; Context Awareness; Event Visibility; Threat Intel/Enforcement. Products: Meraki Systems Manager; Tetration; Web Security; Email Security + Cloud; Advanced Threat: AMP for Endpoints, AMP Cloud, Threat Grid, Cognitive; Identity Services Engine + pxGrid (+ Duo); Umbrella + Investigate; Firepower NGFW/NGIPS; Cloudlock; Stealthwatch + Cloud; Secure SD-WAN / Router: ISR, CSR, ASR, vEdge, Meraki MX; Cluster 1*, Cluster 2*; Digital Network Architecture: Catalyst, Nexus, Meraki MS, Aironet/WLC, Meraki MR; Third Party Integrations: pxGrid, Reporting APIs, Enforcement APIs, Threat Intel APIs, Web Hooks. Platform: Cisco Threat Intelligence; Cisco Platform Exchange; Cisco Threat Response.
*WARNING: massive simplification
Some concrete examples…
AMP Unity Retrospective Event Flow (slide from BRKSEC-3433)
Actors: Customer, CES (Cloud Email Security), AMP Cloud, Threat Grid Cloud, AMP4E (AMP for Endpoints)
1. Email with attachment arrives
2. File Reputation Query (SHA256)
3. AMP Verdict: Unknown
4. File Submission (Actual File); No Quarantine Policy, Email Delivered
5. User Opens Email Attachment: IOC Detected and Quarantined by AMP4E
6. Verdict Update: Malicious
7. AMP Retrospective Verdict Update: Malicious
8. Azure Token Request
9. Remediation (all mailboxes)
Azure Application Permissions:
• Send mail as any user
• Read and write mail in all mailboxes
• Read mail in all mailboxes
• Full access to all mailboxes
Source: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_010100.html
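The flow above only works because somebody remembered where the attachment went: it was delivered while its verdict was still Unknown (step 4), so the mailbox-wide remediation of step 9 depends on a record of which mailboxes received that SHA256. The block below is an added illustration and is not Cisco, ESA or AMP code: the AMP cloud, the mail gateway and the mailbox API are replaced by in-memory stand-ins so it runs offline, and the names (Gateway, handle_email, retrospective_update, run_flow) and the sample attachment bytes are constructed for the example.

```python
"""Retrospective verdict fan-out, modelled on the AMP Unity event flow above.

Added example, not Cisco/ESA/AMP code: the AMP cloud, the mail gateway and the
mailbox API are in-memory stand-ins so the flow runs offline. What it shows is
the delivery ledger: attachments whose reputation is still "Unknown" are
delivered (step 4), so the gateway must remember which mailboxes got which
SHA256, or the later "Malicious" verdict (steps 6-7) cannot become remediation
of every affected mailbox (step 9).
"""
import hashlib
from collections import defaultdict
from dataclasses import dataclass, field


def fingerprint(data: bytes) -> str:
    """SHA256 of the attachment bytes, the key used for the reputation query (step 2)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Gateway:
    # sha256 -> "Clean" | "Unknown" | "Malicious"; stand-in for the AMP cloud reputation service
    reputation: dict
    # sha256 -> [(mailbox, message_id)]: the ledger that makes retrospection possible
    delivered: dict = field(default_factory=lambda: defaultdict(list))
    quarantined: list = field(default_factory=list)
    remediated: list = field(default_factory=list)

    def handle_email(self, mailbox: str, message_id: str, attachment: bytes) -> str:
        """Steps 1-4: reputation lookup on arrival; Unknown is delivered but recorded."""
        sha = fingerprint(attachment)
        verdict = self.reputation.get(sha, "Unknown")
        if verdict == "Malicious":
            self.quarantined.append((mailbox, message_id))
            return "quarantined"
        # no quarantine policy for Unknown: deliver, but keep the ledger entry
        self.delivered[sha].append((mailbox, message_id))
        return "delivered"

    def retrospective_update(self, sha: str, verdict: str) -> list:
        """Steps 6-9: a later verdict change is fanned out to every mailbox that received the hash."""
        self.reputation[sha] = verdict
        if verdict != "Malicious":
            return []
        affected = self.delivered.pop(sha, [])
        for mailbox, message_id in affected:
            # stand-in for the mailbox API delete that step 9 performs with the Azure token
            self.remediated.append((mailbox, message_id))
        return affected


def run_flow() -> dict:
    """Constructed scenario: one Unknown attachment reaches three mailboxes, then its verdict flips."""
    sample = b"constructed sample attachment bytes, not real malware"
    gw = Gateway(reputation={})
    for mailbox, msg_id in [("alice@example.test", "m1"),
                            ("bob@example.test", "m2"),
                            ("carol@example.test", "m3")]:
        gw.handle_email(mailbox, msg_id, sample)
    affected = gw.retrospective_update(fingerprint(sample), "Malicious")
    # a fresh copy of the same file is now stopped at step 3 instead of being delivered
    later = gw.handle_email("dave@example.test", "m4", sample)
    return {"remediated": len(affected), "later": later,
            "remaining": len(gw.delivered.get(fingerprint(sample), []))}


if __name__ == "__main__":
    print(run_flow())  # {'remediated': 3, 'later': 'quarantined', 'remaining': 0}
```

The ledger is the difference between retrospective security and a one-shot reputation check, and its retention window bounds how far back a verdict change can be acted on. The application permissions the slide lists (full access to all mailboxes) are what step 9 requires, so the credential behind the token request in step 8 is as sensitive as a mail administrator account and its use belongs in the audit trail.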
Figure: SecOps questions (Why? How? Is it bad? Has it affected us?) across SIEM, Email Security, Web Security, Next-Gen Firewalls, Malware Detection, Next-Gen IPS, Endpoint Security, Secure Internet Gateway, 3rd party sources, Network Analytics, Threat Intel, Identity Mgmt.
Security that works together is one of the top priorities for our customers.
Introducing Cisco Threat Response: Integrating security for faster defense
Key pillar of our integrated architecture
• Automates & Orchestrates across security products
• Focuses on security operations functions – Detection, Investigation, and Remediation
• Included as part of NGFW license
Figure: Cisco Threat Response. Threat Intelligence: What do you know about these observables (IP, Hash, URL, etc.)? Threat Investigation: Have we seen these observables? Which end-points interacted with the threat? Labels: Casebook (plugin); VirusTotal; Intel sources (1); NGFW, AMP, Stealthwatch, API (3rd Party); Incidents (3); ThreatGrid; Talos Threat Intelligence; Advanced Malware Protection; Cisco Umbrella; Cloud Email Security; Stealthwatch (Cloud); Firepower; ISE (numbered 2, 4, 5, 6 in the figure).
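Cisco Threat Response works on observables (IP, hash, URL, domain), and the automated CTR script listed under the resources at the end pulls them out of Talos blog posts to build a casebook. The block below is an added example, not that script and not Cisco code: it extracts observables from free text, undoes the defanging conventions threat-intel write-ups use (hxxp, [.]) so the indicators are not clickable, drops file names that look like domains, and emits a list of {type, value} records, the shape used when submitting observables to CTR (confirm the exact type names against the CTR Dev Center before relying on them). The sample text is constructed; the hash is the SHA256 of an empty input, the address is from a documentation range and the domains use a reserved TLD.

```python
import re

# Defanging that threat-intel write-ups apply so indicators cannot be clicked;
# it has to be undone before the patterns below can match.
_REFANG = [
    (re.compile(r"hxxp", re.I), "http"),
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]"), ":"),
]

# Order matters: each match is blanked out of the working text before the next
# pattern runs, so a URL is not also reported as the domain it contains and a
# long hash is not also reported as a shorter one.
PATTERNS = [
    ("sha256", re.compile(r"\b[a-fA-F0-9]{64}\b")),
    ("sha1", re.compile(r"\b[a-fA-F0-9]{40}\b")),
    ("md5", re.compile(r"\b[a-fA-F0-9]{32}\b")),
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+")),
    ("ip", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

# File names such as invoice.docx match the domain pattern; these extensions are
# dropped so a casebook does not fill up with attachment names.
FILE_EXTENSIONS = {"exe", "dll", "doc", "docx", "xls", "xlsx", "pdf", "zip",
                   "js", "vbs", "ps1", "txt", "lnk"}


def refang(text: str) -> str:
    """Turn hxxp://a[.]b[:]443 back into http://a.b:443."""
    for pattern, replacement in _REFANG:
        text = pattern.sub(replacement, text)
    return text


def extract_observables(text: str) -> list:
    """Return observables as [{'type': ..., 'value': ...}], deduplicated, in the order found."""
    work = refang(text)
    found, seen = [], set()
    for obs_type, pattern in PATTERNS:
        for match in pattern.finditer(work):
            value = match.group()
            if obs_type in ("sha256", "sha1", "md5"):
                value = value.lower()          # hashes compare case-insensitively
            if obs_type == "domain" and value.rsplit(".", 1)[1].lower() in FILE_EXTENSIONS:
                continue                        # a file name, not a domain
            if (obs_type, value) not in seen:
                seen.add((obs_type, value))
                found.append({"type": obs_type, "value": value})
        # blank the matches (same length, so later offsets stay valid) before the next pattern
        work = pattern.sub(lambda m: " " * len(m.group()), work)
    return found


# Constructed sample, not a real report; all indicators are documentation values.
SAMPLE = """Constructed sample, not a real report: the dropper invoice.docx contacts
hxxp://update[.]example[.]test/path/a.php and 203[.]0[.]113[.]25, then pulls a
payload with SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
from cdn.example[.]test."""

if __name__ == "__main__":
    for obs in extract_observables(SAMPLE):
        print(obs["type"], obs["value"])
```

Running it on the sample yields one sha256, one url, one ip and one domain; invoice.docx is filtered out and the host inside the URL is not reported a second time. The blanking step is what keeps the output free of duplicates, and the extension list is the knob to tune when a feed starts producing false domains.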
On-Demand Hunting
Automated Continuous Hunting
LIVE DEMO
Wrap Up
More resources
• Automated CTR script: https://github.com/chrivand/talos_blog_to_casebook
• More CTR demos: https://www.youtube.com/playlist?list=PLmuBTVjNfV0cnORU8f0HwTHvGl91TgoVA
• CTR Dev Center: https://developer.cisco.com/threat-response/
• CTR data sheet: https://www.cisco.com/c/nl_nl/products/security/threat-response.html
Thank you!
More questions? -> [email protected]
SECURE PERSONAL DISTINCTIVE
Programme – The Future is Now
Afternoon:
15:00 – 16:00 Keynote – Richard van Hooijdonk - Trends 2030
16:00 – 17:00 Closing by the day's chair and networking drinks
Room: Auditorium | Workshop | Klas van '45
13:35: Lantech - Hans Willem Verwoerd | Amaris Zorggroep - Geert-Jan Schroot | Proofpoint - Jim Cox
14:25: Lantech - Solutions engineer | Extreme Networks - Mathew Edwards