TRANSCRIPT
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Tim Nan
Security Business Group
May 30, 2019
Power of Cisco Advanced Threat Security
Security must work together…but too often it doesn’t...
Slide diagram: Security Operations asks "Is it bad? Why? Has it affected us? How?" across a sprawl of separate technologies and intelligence sources: SIEM, Malware Detection, Next-Gen IPS, Endpoint Security, Third-party Sources, Network Analytics, Threat Intel, Identity Management, Secure Internet Gateway, Web Security, Next-Gen Firewall.
Cisco Security Portfolio
Introduction to Cisco Threat Response
Cisco Threat Response in the real world
Join Cisco Security customers who are gaining value from it now
3000+ organizations are using it today
“You cannot hit a target you cannot see. Cisco Threat Response really simplifies security analysis...”
“I like quickly being able to see infections on my network, and this presents them in a really nice fashion…”
BRKSEC-2433
Introducing Cisco Threat Response
Unleashing the power of the Cisco Integrated Security Architecture
Cisco Threat Response in action
Three simple ways to get started
Slide diagram: entry points into Threat Response are Casebook via Browser Plug-In, High-Fidelity Events, Investigate (search interface) and Incident Manager. Integrated Cisco products: AMP for Endpoints, Umbrella, Email Security, NGFW/NGIPS. Intelligence sources: Umbrella Investigate, Threat Grid, Cisco Talos.
Questions an investigation answers:
• Have we seen these observables? Where?
• Which endpoints connected to the domain/URL?
• Are these observables suspicious or malicious?
Observables:
• File hash
• IP address
• Domain
• URL
• Email address
• More...
Core Threat Response Terminology and Concepts
1. Modules
2. Observables
3. Investigate UI
4. Judgements
5. Verdicts
6. Sightings
7. Indicators
8. Targets
9. Snapshots
10. Casebooks
Modules
Cisco Threat Response uses integration modules to integrate with Cisco security products and 3rd party tools.
Integration modules can provide enrichment and response capabilities.
Observables
Cisco Threat Response supports the quick investigation of cyber Observables, which might be domain names, IP addresses, file hashes, PKI certificate serial numbers, and even specific devices or users.
The first thing that Cisco Threat Response does with an observable is determine its disposition by aggregating what is known about that observable from the various enrichment modules configured.
The disposition tells the Incident Responder whether the observable is:
• Clean (explicitly whitelisted)
• Malicious (explicitly blacklisted)
• Suspicious (potentially harmful)
• Unknown (not currently associated with a known disposition)
Unknown observables are not enriched.
Investigate UI
Enables an incident responder to copy and paste the contents of an email, a log message, or an incident ticket into its main search form. Cisco Threat Response then extracts all of the Observables from the supplied text.
Once an investigation has begun, either via this search form or via a pivot into Cisco Threat Response from another product, the UI shows the results of that investigation.
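As an added illustration (not code from the deck or from Cisco), the kind of observable extraction the Investigate form performs on pasted text, in Python. The sample alert text, every indicator value in it, and the regular expressions are constructed for this example and cover only the observable types the deck lists.

```python
import re

# Constructed sample of text an analyst might paste into the Investigate form.
# Every indicator in it is made up for this example; "hxxp" and "[.]" are the
# defanging conventions security blogs use so that indicators are not clickable.
SAMPLE_TEXT = """
Alert: host WS-042 reached out to C2 domain bad-domain[.]example[.]test
and fetched hxxp://updates.example-cdn.test/p/update from 203.0.113.45 .
Dropper sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
(md5 d41d8cd98f00b204e9800998ecf8427e); reported by soc-alerts@example.test
"""

# One pattern per observable type the deck lists, ordered most specific first so
# that the domain inside a URL or e-mail address is not reported a second time.
PATTERNS = [
    ("url",    re.compile(r"\bhttps?://\S+", re.I)),
    ("email",  re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)),
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1",   re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5",    re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("ip",     re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                          r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]

def refang(text):
    """Undo common defanging so the patterns can match the real indicator."""
    return text.replace("hxxp", "http").replace("[.]", ".")

def extract_observables(text):
    """Return {type: sorted unique values} for every observable found in text."""
    remaining = refang(text)
    found = {}
    for kind, pattern in PATTERNS:
        values = sorted(set(pattern.findall(remaining)))
        if values:
            found[kind] = values
            # Blank out what matched so a less specific pattern cannot re-match it.
            remaining = pattern.sub(" ", remaining)
    return found

if __name__ == "__main__":
    for kind, values in extract_observables(SAMPLE_TEXT).items():
        print(f"{kind}: {', '.join(values)}")
```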
Judgement
• Associates a disposition with a cyber observable at a point in time, and is valid for an explicit span of time.
• Can optionally be related to Indicators, providing further insight as to why a specific disposition was associated with that observable.
• Judgements are given by configured data source modules, and are shown associated with those data sources, along with more information including the reason.
Verdict
Indicates the most recent and most relevant disposition for a given cyber observable, as well as the Judgement from which the verdict was derived.
Cisco Threat Response considers a clean verdict to be more reliable than a malicious verdict. The order of precedence for verdicts is as follows:
• Clean
• Malicious
• Suspicious
• Common
• Unknown
When an observable has multiple verdicts, Cisco Threat Response computes a final verdict.
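An added worked example (not Cisco's code) of how the precedence above turns several Judgements on one observable into a single Verdict. The Judgement fields, the rule that only judgements whose validity span covers the evaluation time count, the tie-break on the most recently issued judgement, and the sample sources and hash value are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Precedence exactly as the deck lists it: Clean outranks Malicious.
PRECEDENCE = ["Clean", "Malicious", "Suspicious", "Common", "Unknown"]

@dataclass(frozen=True)
class Judgement:
    observable: str      # the hash, domain, IP, ... the judgement is about
    disposition: str     # one of PRECEDENCE
    source: str          # module that issued it (names below are made up)
    valid_from: datetime
    valid_until: datetime
    reason: str = ""

def compute_verdict(judgements, observable, at):
    """Return (disposition, judgement) for `observable` as of time `at`.

    Assumed rule: keep only judgements whose validity span covers `at`, take
    the highest-precedence disposition, and among those prefer the most
    recently issued judgement. With no valid judgement the verdict is Unknown.
    """
    valid = [j for j in judgements
             if j.observable == observable and j.valid_from <= at <= j.valid_until]
    if not valid:
        return "Unknown", None
    best = min(valid, key=lambda j: (PRECEDENCE.index(j.disposition),
                                     -j.valid_from.timestamp()))
    return best.disposition, best

# Constructed judgements for one file hash (value and sources are made up).
HASH = "deadbeef" * 8
T0 = datetime(2019, 5, 1, tzinfo=timezone.utc)
SAMPLE_JUDGEMENTS = [
    Judgement(HASH, "Suspicious", "sandbox-module", T0, T0 + timedelta(days=30), "packed binary"),
    Judgement(HASH, "Malicious", "endpoint-module", T0 + timedelta(days=2),
              T0 + timedelta(days=90), "detonated as trojan"),
    Judgement(HASH, "Clean", "local-whitelist", T0 + timedelta(days=5),
              T0 + timedelta(days=10), "approved installer"),
]

def verdict_on_day(day):
    """Verdict for HASH `day` days after T0, as (disposition, source or None)."""
    disposition, j = compute_verdict(SAMPLE_JUDGEMENTS, HASH, T0 + timedelta(days=day))
    return disposition, (j.source if j else None)

if __name__ == "__main__":
    for day in (1, 7, 20, 200):
        print(f"day {day:3}: {verdict_on_day(day)}")
```

Note that on day 7 the short-lived whitelist entry wins over the endpoint module's Malicious judgement, and once it expires (day 20) the verdict flips back to Malicious.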
Sighting
A record of the appearance of a cyber observable at a given date and time.
Can optionally be related to Indicators, providing threat intelligence context about the observable.
Indicator
Describes a pattern of behavior or a set of conditions which indicate malicious behavior.
Some indicators are more indicative of malicious behavior than others, so knowing exactly which bad behaviors an observable is exhibiting can help an incident responder decide what to do next.
Cisco Threat Response uses a large collection of malware indicators from the AMP Global Intelligence threat archive, Threat Grid, and other sources.
Target
The device, identity, or resource that a threat has targeted.
A Target is identified by one or more Observables. When known, a type, operating system, and other metadata is recorded as well.
Targets are always part of a local Sighting.
Snapshot
Saves the current investigation and graph for subsequent retrieval and analysis.
Includes a unique identifier, and can have a custom Name and Description.
Documents the state of an investigation within a specific organization at a point in time.
Casebook
Built with APIs hosted in, and data stored in, Cisco Threat Response.
Available via:
• Cisco Threat Response Investigate UI
• Other integrated Cisco products and tools
• Any web page at all via browser plugin, including
  • other Cisco products, integrated or not
  • existing external Threat Intel sources
  • existing 3rd party tools
Allow you to:
• Gather observables in groups (aka cases)
• Assign the case a name and a description
• Take and save notes on the case
• Add other observables at any time
• Immediately see verdicts and take actions
• Seamlessly work a case across multiple tools, even from different vendors
• Share cases between staff
Use Case: Hunt for Infected Hosts
Typical CIO question to InfoSec
A CIO just asked me about a new banking Trojan… I had no answer…
“I need to know now… are we impacted?”
Investigation Steps
1. Search security blogs for latest threat information
2. Find indicators of compromise (IoCs) to search
3. Search security operations systems looking for activity associated with IoCs
4. Verify existing threats are blocked
5. Investigate related activity to trace the threat
6. Investigate and block any new threats related to the activity
Get latest IOCs to search
Search for malicious IP in AMP
AMP Console shows interaction with IP and malicious hash
Let’s Conduct the Same Investigation with Threat Response
1. Paste IOCs directly into Threat Response
2. Track to Internal Targets
Click on any of the results to be taken directly to that system in the Relations Graph below it.
Select items on the graph to pull up further information
Note the Observables pane and what it tells you about sightings in your environment
Drill into the observables by clicking on them
3. Select the endpoint to investigate it
4. Find related file – add to investigation to learn more
5. Assess new related files in the map
Save your work in a snapshot
Share your work in a casebook
Add observables to Casebook
Pivot into investigation from casebook
6. Block threats in file blacklist
7. Block Domains in Umbrella
Security Services: Securing the New Digital Economy
• Security Advisory Services: expert security guidance to drive business outcomes
• Security Optimization Service: maximize operational excellence and performance
• Security Managed Services: experts and advanced analytics to lower OpEx
• Security Technical Services: minimize business disruption
• Security Implementation Services: maximize solution value
• Security Certifications and Learning Programs: build skills and reduce time to value
Service lifecycle: Advisory, Implementation, Optimization, Managed, Technical, Training
By the numbers: #1 in Cybersecurity; $3.5B security investment; 20B threats blocked per day; 18.5B malware queries daily; 60B DNS queries daily
Available in Incident Response Retainer Enhanced
• I need help right now: Emergency Incident Response
• Am I currently compromised? (Broad view): Compromise Assessments
• I need to know we will respond correctly: IR Tabletop Exercises
• Am I missing anything needed to respond?: IR Readiness Assessments
• I need a plan for when an incident occurs: IR Plans & Playbooks
• I need to build skills to combat cyberthreats: Cyber Range Workshop
• I need help in evaluation of attack prevention & detection: Purple Team
• Am I currently compromised? (Focus view): Threat Hunting
Our expertise
• Vertical insight: Cisco has set up the world’s largest networks
• Innovation: 536AS patents; direct access to product development
• Supported by 10,000 world-class specialists
• Experience: average of 10 years per person; 3480 CCIE® certifications
• Education: software and hardware developers
• IoT Labs: Herndon and Chicago
• Global Innovation Centers: Australia, Barcelona, Berlin, Houston, London, Paris, Rio de Janeiro, Songdo, Tokyo, Toronto