
Page 1:

Christopher van der Made
Technical Solutions Specialist
8th of October, 2019

What can Cisco offer for Automating your SOC?
Threat Hunting and Incident Response

Page 2:

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Agenda

• Introduction to Threat Hunting and SOCs
• Cisco Elements for a SOC
• Cisco Talos
• Integrated Architecture
• Some concrete examples…
• LIVE DEMO
• Wrap Up

Page 3:

Introduction

Page 4:

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public

The Hunting Maturity Model (HMM)

DEVNET-2505

Source: “A framework for Cyber Threat hunting” by Sqrrl

Page 5:

The Hunting Loop


Source: “A framework for Cyber Threat hunting” by Sqrrl

Page 6:

The Pyramid of pain…


Page 7:

On-Demand Hunting


Automated Continuous Hunting

Page 8:

Cisco Talos

Page 9:

Cisco Talos

Telemetry inputs: Product Telemetry, Data Sharing, Vulnerability Discovery, Threat Traps

Product telemetry (Network, Endpoint, Cloud) comes from: Endpoint Detection & Response, Mobile Security, Multi-factor authentication, Firewall, Intrusion Prevention, Web Security, SD Segmentation, Behavioral Analytics, Secure Internet Gateway, DNS Security, Email Security

Page 10:

Integrated Architecture

Page 11:

Integrated Architecture (Cisco Security 2019)

Layers: Automated Policy, Context Awareness, Event Visibility, Threat Intel/Enforcement

Components: Enterprise Mobility Management, Network Traffic Security Analytics, Cloud Workload Protection, Web Security, Email Security, Advanced Threat Defense, Secure SD-WAN / Routers, Identity and Network Access Control, Secure Internet Gateway, Switches and Access Points Enforcement, Next-Gen FW/IPS, Cloud Access Security Broker

Foundation: Cisco Threat Intelligence, Cisco Platform Exchange, Cisco Threat Response

Page 12:

Integrated Architecture (Cisco Security 2019, mapped to products)

Layers: Automated Policy, Context Awareness, Event Visibility, Threat Intel/Enforcement

• Enterprise Mobility Management: Meraki Systems Manager
• Cloud Workload Protection: Tetration
• Web Security
• Email Security +CLOUD
• Advanced Threat: AMP FOR ENDPOINTS • AMP CLOUD • THREAT GRID • COGNITIVE
• Identity Services Engine +pxGRID (+ DUO)
• Umbrella +INVESTIGATE
• Firepower NGFW/NGIPS
• Cloudlock
• Stealthwatch +CLOUD
• Secure SD-WAN / Router: ISR • CSR • ASR • vEDGE • MERAKI MX
• Digital Network Architecture: CATALYST • NEXUS • MERAKI MS • AIRONET/WLC • MERAKI MR
• Third Party Integrations: pxGrid • Reporting APIs • Enforcement APIs • Threat Intel APIs • Web Hooks

Cluster 1* / Cluster 2* (*WARNING: massive simplification)

Foundation: Cisco Threat Intelligence, Cisco Platform Exchange, Cisco Threat Response

Page 13:

Some concrete examples…

Page 14:

AMP Unity Retrospective Event Flow

Actors: Customer, CES (Cloud Email Security), AMP CLOUD, THREAT GRID CLOUD, AMP4E (AMP for Endpoints)

1. Email with attachment arrives
2. File Reputation Query (SHA256)
3. AMP Verdict: Unknown
4. No Quarantine Policy, Email Delivered; File Submission (Actual File) to Threat Grid
5. User Opens Email Attachment: IOC Detected and Quarantined by AMP4E
6. Verdict Update: Malicious
7. AMP Retrospective Verdict Update: Malicious
8. Azure Token Request
9. Remediation (all mailboxes)

Azure Application Permissions:
• Send mail as any user
• Read and write mail in all mailboxes
• Read mail in all mailboxes
• Full access to all mailboxes

Source: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_010100.html

BRKSEC-3433
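The flow above, simulated as an added example; this is not code from the deck or from Cisco. It models the one requirement that makes steps 7 to 9 possible: the gateway has to record which mailboxes received which attachment hash while the verdict is still Unknown, so that a verdict that flips to Malicious later can be mapped back to every affected mailbox. All class names, the payload and the mailbox API are constructed stand-ins.

```python
"""Retrospective remediation, simulated (added example, not Cisco code)."""
from dataclasses import dataclass
import hashlib

CLEAN, MALICIOUS, UNKNOWN = "Clean", "Malicious", "Unknown"


@dataclass
class DeliveredMessage:
    mailbox: str
    message_id: str
    sha256: str


class FileReputationCloud:
    """Stand-in for the AMP cloud: answers by hash and may change its mind later."""

    def __init__(self):
        self._verdicts = {}
        self._subscribers = []

    def query(self, sha256):                      # steps 2-3
        return self._verdicts.get(sha256, UNKNOWN)

    def subscribe(self, callback):
        self._subscribers.append(callback)

    def update_verdict(self, sha256, verdict):    # steps 6-7: sandbox verdict pushed out
        self._verdicts[sha256] = verdict
        for callback in self._subscribers:
            callback(sha256, verdict)


class MailboxAPI:
    """Stand-in for the mailbox service reached with the Azure token (step 8).
    Deleting from every mailbox needs a tenant-wide permission such as
    'Full access to all mailboxes', which is why the slide lists it."""

    def __init__(self):
        self.mailboxes = {}
        self.deleted = []

    def deliver(self, mailbox, message_id):
        self.mailboxes.setdefault(mailbox, set()).add(message_id)

    def delete(self, mailbox, message_id):
        if message_id in self.mailboxes.get(mailbox, set()):
            self.mailboxes[mailbox].discard(message_id)
            self.deleted.append((mailbox, message_id))
            return True
        return False


class MailGateway:
    """Stand-in for CES: delivers mail, keeps a hash -> recipients index and
    remediates retrospectively when a verdict flips to Malicious."""

    def __init__(self, cloud, mailbox_api):
        self.cloud = cloud
        self.mailbox_api = mailbox_api
        self.index = {}          # sha256 -> [DeliveredMessage, ...]
        self.submitted = set()   # hashes sent to the sandbox (step 4)
        cloud.subscribe(self.on_retrospective_verdict)

    def receive(self, mailbox, message_id, attachment):   # step 1
        sha256 = hashlib.sha256(attachment).hexdigest()
        verdict = self.cloud.query(sha256)
        if verdict == MALICIOUS:
            return "blocked"
        if verdict == UNKNOWN:
            self.submitted.add(sha256)        # step 4: submit the actual file
        # No quarantine policy for Unknown: deliver, but remember where it went.
        self.index.setdefault(sha256, []).append(DeliveredMessage(mailbox, message_id, sha256))
        self.mailbox_api.deliver(mailbox, message_id)
        return "delivered"

    def on_retrospective_verdict(self, sha256, verdict):  # step 7 leads to step 9
        if verdict != MALICIOUS:
            return
        for msg in self.index.get(sha256, []):
            self.mailbox_api.delete(msg.mailbox, msg.message_id)


def run_scenario():
    """Deliver an unknown attachment to three users, then let the sandbox
    verdict come back Malicious and report what was remediated."""
    cloud, boxes = FileReputationCloud(), MailboxAPI()
    gateway = MailGateway(cloud, boxes)
    payload = b"constructed sample attachment, not real malware"
    sha256 = hashlib.sha256(payload).hexdigest()
    first = [gateway.receive(user, f"msg-{i}", payload)
             for i, user in enumerate(["alice", "bob", "carol"])]
    cloud.update_verdict(sha256, MALICIOUS)             # step 6: Threat Grid says Malicious
    later = gateway.receive("dave", "msg-3", payload)   # now blocked on arrival
    return {"first": first, "later": later, "sandboxed": sha256 in gateway.submitted,
            "remediated": list(boxes.deleted)}
```

The thing to notice is the index: without it, step 7 tells you a hash is malicious but not which mailboxes to clean; with it, remediation is a lookup, and a fourth copy arriving after the verdict change is blocked at step 2 instead of delivered.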

Page 15:

SecOps questions: Why? How? Is it bad? Has it affected us?

Sources that have to answer them together: SIEM, Email Security, Web Security, Next-Gen Firewalls, Malware Detection, Next-Gen IPS, Endpoint Security, Secure Internet Gateway, 3rd-party Sources, Network Analytics, Threat Intel, Identity Mgmt

Security that works together is one of the top priorities for our customers.

Page 16:

Introducing Cisco Threat Response
Integrating security for faster defense

Key pillar of our integrated architecture

• Automates & Orchestrates across security products
• Focuses on security operations functions – Detection, Investigation, and Remediation
• Included as part of NGFW license

Page 17:

Cisco Threat Response

1. Intel sources: VirusTotal, Talos Threat Intelligence, ThreatGrid
2. Threat Intelligence: What do you know about these observables (IP, Hash, URL, etc.)?
3. Incidents: NGFW, AMP, Stealthwatch, API (3rd Party)

Threat Investigation: Have we seen these observables? Which end-points interacted with the threat?

Integrated products: Advanced Malware Protection, Cisco Umbrella, Cloud Email Security, Stealthwatch (Cloud), Firepower, ISE

Casebook (plugin)
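The two questions on this slide, "Is it bad?" (threat intelligence) and "Has it affected us?" (threat investigation), worked through as an added example in Python. This is not Cisco Threat Response code: the regex extractor is a local stand-in for the server-side inspect step that pulls observables out of free text such as a Talos blog post, and the enrichment response is constructed by hand in the CTIM verdict/sighting shape as I recall it (disposition 1 Clean, 2 Malicious, 3 Suspicious, 4 Common, 5 Unknown; internal sightings carry targets). Those field names are an assumption, not copied from a live reply, and no network calls are made.

```python
"""Added example, not Cisco Threat Response code: extract observables from
free text, then reduce a CTIM-style enrichment answer to "is it bad?" and
"has it affected us?".  Field names are assumed from the CTIM schema."""
import re

# Threat reports defang indicators so they cannot be clicked; refang first.
def refang(text):
    return (text.replace("hxxp", "http").replace("[.]", ".")
                .replace("[:]", ":").replace("(.)", "."))

# Ordered: a URL is consumed before the bare-domain pattern sees its host.
PATTERNS = [
    ("sha256", re.compile(r"\b[a-fA-F0-9]{64}\b")),
    ("ip", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("url", re.compile(r"\bhttps?://[^\s\"'<>]+")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

def extract_observables(text):
    """Return deduplicated [{"type": ..., "value": ...}] dicts, the shape an
    enrich request body takes."""
    text = refang(text)
    consumed, seen, out = [], set(), []
    for otype, pattern in PATTERNS:
        for m in pattern.finditer(text):
            if any(s <= m.start() < e for s, e in consumed):
                continue                      # already part of an earlier match
            consumed.append((m.start(), m.end()))
            value = m.group(0) if otype == "url" else m.group(0).lower()
            if (otype, value) not in seen:
                seen.add((otype, value))
                out.append({"type": otype, "value": value})
    return out

DISPOSITIONS = {1: "Clean", 2: "Malicious", 3: "Suspicious", 4: "Common", 5: "Unknown"}
SEVERITY = {"Malicious": 3, "Suspicious": 2, "Common": 1, "Clean": 0, "Unknown": 0}

def summarise_enrichment(response):
    """Per observable: worst verdict across modules, plus internal sightings
    per module and the target hosts those sightings name."""
    summary = {}
    def entry(obs):
        key = (obs["type"], obs["value"])
        return summary.setdefault(key, {"verdict": "Unknown", "sightings": {}, "targets": set()})
    for module in response.get("data", []):
        name, data = module.get("module"), module.get("data", {})
        for v in data.get("verdicts", {}).get("docs", []):
            e = entry(v["observable"])
            disp = DISPOSITIONS.get(v.get("disposition"), "Unknown")
            if SEVERITY.get(disp, 0) > SEVERITY[e["verdict"]]:
                e["verdict"] = disp
        for s in data.get("sightings", {}).get("docs", []):
            if not s.get("internal"):
                continue                      # an external sighting is not "affected us"
            for obs in s.get("observables", []):
                e = entry(obs)
                e["sightings"][name] = e["sightings"].get(name, 0) + s.get("count", 1)
                for target in s.get("targets", []):
                    e["targets"].update(o["value"] for o in target.get("observables", []))
    return summary

def triage(summary):
    """Answer the slide's two questions for every observable."""
    return {f"{t}:{v}": {"is_it_bad": e["verdict"] in ("Malicious", "Suspicious"),
                         "affected_us": bool(e["sightings"]),
                         "hosts": sorted(e["targets"])}
            for (t, v), e in summary.items()}

# Constructed sample input and response (not real indicators, not a live reply).
SAMPLE_HASH = "6f1ed002ab5595859014ebf0951522d96f1ed002ab5595859014ebf0951522d9"
SAMPLE_REPORT = f"""The loader was hosted at hxxp://update[.]example-cdn[.]test/dl.php
and beaconed to 203.0.113.77. Dropped file SHA256: {SAMPLE_HASH}"""
SAMPLE_ENRICH_RESPONSE = {"data": [
    {"module": "AMP File Reputation", "data": {"verdicts": {"docs": [
        {"type": "verdict", "disposition": 2, "disposition_name": "Malicious",
         "observable": {"type": "sha256", "value": SAMPLE_HASH}}]}}},
    {"module": "AMP for Endpoints", "data": {"sightings": {"docs": [
        {"type": "sighting", "internal": True, "count": 2,
         "observables": [{"type": "sha256", "value": SAMPLE_HASH}],
         "targets": [{"type": "endpoint",
                      "observables": [{"type": "hostname", "value": "WS-0417"}]}]}]}}},
    {"module": "Umbrella", "data": {"verdicts": {"docs": [
        {"type": "verdict", "disposition": 5, "disposition_name": "Unknown",
         "observable": {"type": "ip", "value": "203.0.113.77"}}]}}},
]}

if __name__ == "__main__":
    print(extract_observables(SAMPLE_REPORT))
    print(triage(summarise_enrichment(SAMPLE_ENRICH_RESPONSE)))
```

Two design points carry over to a real integration: only internal sightings count as "affected us" (a sighting reported by a public feed says nothing about your estate), and verdicts are reduced to the worst one seen, because a hash that one module calls Clean and another calls Malicious must surface as Malicious.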

Page 18:

On-Demand Hunting


Automated Continuous Hunting

Page 19:

LIVE DEMO

Page 20:

Wrap Up

Page 21:

More resources

• Automated CTR script: https://github.com/chrivand/talos_blog_to_casebook
• More CTR demos: https://www.youtube.com/playlist?list=PLmuBTVjNfV0cnORU8f0HwTHvGl91TgoVA
• CTR Dev Center: https://developer.cisco.com/threat-response/
• CTR data sheet: https://www.cisco.com/c/nl_nl/products/security/threat-response.html

Page 22:

Thank you!

More questions? -> [email protected]

Page 23:

SECURE PERSONAL DISTINCTIVE

Program – The Future is Now

Afternoon:

15:00 – 16:00  Keynote – Richard van Hooijdonk - Trends 2030
16:00 – 17:00  Closing by the day's chair and networking drinks

Time   Auditorium                       Workshop                               Klas van '45
13:35  Lantech - Hans Willem Verwoerd   Amaris Zorggroep - Geert-Jan Schroot   Proofpoint - Jim Cox
14:25  Lantech - Solutions engineer     Extreme Networks - Mathew Edwards