Ben Greenbaum, Technical Marketing Engineer
February 18th 2020
How to optimize your Cisco Security investments with Threat Response
Cisco Community Live event
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
News & Upcoming events
Ask Me Anything following the event
Now through Friday February 21st 2020
http://bit.ly/ama-feb18
With Ben Greenbaum
Ben Greenbaum Technical Marketing Engineer
Security Community is being Re-Structured
We will be restructuring the Security category to help you find resources and
answers more efficiently.
Learn more: http://bit.ly/restructure-sec
Become an event Top Contributor!
Participate in Live Interactive Technical Events and much more
http://bit.ly/EventTopContributors
Rate content at the Cisco Community
Rate documents, Videos & blogs!
Help us to recognize the quality content in the community
Encourage and acknowledge people who generously share their
time and expertise
Cisco Community Expert
Ben Greenbaum, Technical Marketing Engineer
Question Managers
Ira Piven, Product Manager of Cisco Threat Response
Adytia Sankar Technical Consulting Engineer
Download Today’s Presentation
http://bit.ly/CL-slides-feb18_20
Thank You For
Joining Us Today!
Use the Q&A panel to submit your questions and the panel of experts will respond.
Questions not answered live will be answered after the event.
Submit Your Questions Now!
Please take a moment to complete the survey at the end of the event
February 18, 2020
How to optimize your Cisco Security investments with Cisco Threat Response
Ben Greenbaum
AGENDA
1 SOC challenges
2 The solution
3 What’s new in Threat Response
4 Demo time
5 Resources to get started
Threat Investigations are complex
SOCs are understaffed
Overwhelmed with alerts from disparate security products
Unable to keep pace with current threats
65% of organizations report a shortage of cybersecurity staff, 1.3 million positions unfilled*
*according to the 2019 (ISC)² Cybersecurity Workforce Study
Security Operations challenges
Security Operations
Security must work together... but too often it doesn’t
The questions the SOC needs answered: Is this thing bad? How? Has it affected us? Why?
Technologies and Intelligence that hold the answers (each with its own console): SIEM, Email Security, Malware Detection, Next-Gen IPS, Endpoint Security, Third-party Sources, Network Analytics, Threat Intel, Identity Management, Secure Internet Gateway, Web Security, Next-Gen Firewall
The Cisco Security platform approach
Protect your business with the strongest suite of integrated security solutions
Platform diagram: Network, Endpoint, Cloud, Application, Identity and Risk, tied together by Management and Response, Continuous Trust Verification, and Constant Threat Intelligence
Cisco Threat Response
The unifying force powering Cisco’s integrated security architecture
Simple: Detect, investigate, and remediate across multiple integrated security technologies
Effective: Aggregate threat intelligence into immediate action
Fast: Reduce time spent on security operations functions by up to 85%*
…and it’s FREE with existing Cisco Security licenses
*based on internal simulations
Backed by the industry’s best threat intelligence
Intelligence sources: Email, Malware/Endpoint, Network Intrusions, Web/URL, Network Analysis, DNS/IP
Threat intelligence researchers, threat processing centers, and threat intelligence partners:
• Analyze activity related to suspicious payloads
• Detect and block threats in email messages
• Block access to known or suspected malicious web sites
• Accurately identify and block known threats
• Analyze network telemetry
Polling Question 1
Do you use Cisco Threat Response?
A. Not yet
B. I use it daily
C. I use it at least once a week
D. I use it less than once a week
E. I have, but I no longer use it
How Threat Response works
Observables:
• File hash
• IP address
• Domain
• URL
• Email addresses
• Etc.
Intelligence, context, and response:
• Are these observables suspicious or malicious?
• Have we seen these observables? Where?
• Which endpoints connected to the domain/URL?
• What can I do about it right now?
Intelligence: Cisco AMP | Threat Grid | Umbrella Investigate; VirusTotal and other 3rd parties (via APIs)
Local security context: AMP for Endpoints, Umbrella, Email Security, NGFW/NGIPS, Stealthwatch Enterprise, Web Security
Response actions: Block files, Isolate hosts, Block domains
Diagram: Modules ↔ Cisco Threat Response. Each module exchanges Data, Control, or Data and Control with Threat Response.
Modules
Cisco Threat Response uses integration modules to integrate with Cisco security products and 3rd party tools.
Integration modules can provide enrichment and response capabilities.
Threat Response use cases
Threat Hunting and Incident Response
Protect your organization against:
• File-less malware
• Phishing attacks
• Cryptomining
• Server-based attacks
• Ransomware
• Corporate espionage
• IoT attacks
• Data breaches
Threat Response integrates across Cisco’s security portfolio
Included FREE with the following licenses:
• Cisco Email Security
• Cisco Threat Grid
• Cisco Firepower
• Cisco AMP for Endpoints
• Cisco Umbrella
• Stealthwatch Enterprise (NEW!)
• Cisco Web Security (NEW!)
…and more integrations to come!
Polling Question 2
Which of the following Cisco Security products do you own? Check all that apply.
A. AMP for Endpoints
B. Cisco Umbrella
C. Cisco Email Security
D. Threat Grid
E. Firepower/NGFW
F. Stealthwatch Enterprise
G. Cisco Web Security
H. Other Cisco Security products -please specify
I. I don’t own any Cisco Security products
New! Stealthwatch Enterprise integration
Cisco Threat Response + Stealthwatch Enterprise Integration
• Get enterprise-wide network visibility and apply advanced security analytics using a combination of behavioral modelling and machine learning.
• Investigate Stealthwatch alarms at multiple layers in an attack's trajectory with enrichment from other integrated security technologies
• Triage, prioritize, track, and respond to high-urgency incidents with the Incident Manager
Integration available with SWE v7.1.2+
New! Web Security integration
Cisco Threat Response + Web Security Integration
• Speed up investigation of web threats with context from multiple security layers
• Quickly pivot to Threat Response from your Web Security or Security Management Appliance for more details
• Enrich all Threat Response investigations with web security context from the multiple protective and reporting engines in your Web Security Appliances
*Integration available via SMA or direct (AsyncOS 12.0 for both)
Demo
Polling Question 3
Where do you most frequently start your investigations?
A. SIEM
B. Ticketing system
C. Console of security tools (endpoint, firewall, etc.)
D. Threat Response
E. Others – please specify
Use Cisco Threat Response everywhere
Casebook browser plug-ins
Chrome and Firefox: cs.co/CTR4Chrome, cs.co/CTR4Firefox
Kick off an investigation from any browser-based console
How can I get access to Cisco Threat Response?
Cisco Threat Response is free...with select Cisco Security product licenses
You’re entitled to Threat Response if you own:
• Cisco Email Security (12.0+)
• Cisco Threat Grid
• Cisco Firepower (6.3+)
• Cisco AMP for Endpoints
• Cisco Umbrella
• Stealthwatch Enterprise (7.1.2)
• Cisco Web Security (12.0+)
Get started with Threat Response right now at visibility.amp.cisco.com
AMP for Endpoints / Threat Grid: use your existing admin credentials to log in (AMP customers log in at “Cisco Security”)
Firepower / Umbrella / Email Security / Stealthwatch Enterprise / Web Security: create your account to get started. Refer to our configuration guides if you need help:
YouTube: cs.co/ctr_configuration_guides
Webpage: resources section
Cisco Threat Response in the classroom
Threat Hunting Workshops educate your team with real-world scenarios: cs.co/cisco-threat-hunting
Featuring Cisco Threat Response and integrations with Cisco security products and threat intelligence
3 steps to get started
Conduct an investigation today with Cisco Threat Response
1 Sign Up or Log In at visibility.amp.cisco.com
2 Configure a module for the product you already own by pasting your API keys or configuring a device.
3 Start your investigation by using the browser plugin, or by pasting any combination of IOCs (IP, domains, SHAs, etc.) from security blogs, alerts from your SIEM, etc.
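Step 3 above and the “How Threat Response works” slide describe the same two operations: pull typed observables (hashes, IPs, domains, URLs, email addresses) out of whatever text an analyst pastes, then merge the verdicts that each integrated module returns into one disposition per observable. The Python below is an added illustration of those two steps written for this page; it is not Cisco code and does not call the Threat Response API or any module. The regexes, the defanging conventions it undoes, the disposition precedence (Malicious > Suspicious > Unknown > Clean), the module names attached to the sample verdicts, and the sample blog text are all constructed for the example.

```python
"""Added illustration (not Cisco code) of the observable flow on the
'How Threat Response works' slide: extract observables from pasted text,
then merge per-module verdicts so the worst disposition wins.  Regexes,
precedence order and sample data are assumptions made for this example."""
import re

# Order matters: hashes longest-first so a SHA-256 is not also reported as an
# MD5 substring; emails and URLs before bare domains so their host part is not
# double-counted as a separate domain observable.
_PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.I)),
    ("sha1", re.compile(r"\b[0-9a-f]{40}\b", re.I)),
    ("md5", re.compile(r"\b[0-9a-f]{32}\b", re.I)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("url", re.compile(r"\bhttps?://[^\s'\"<>]+", re.I)),
    ("ip", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)),
]
# File extensions the domain regex would otherwise report as TLDs (invoice.exe).
_FILE_EXTS = {"exe", "dll", "doc", "docx", "xls", "xlsx", "pdf", "zip", "js", "ps1", "txt"}

# Assumed precedence for this example: the worst verdict wins when modules disagree.
_SEVERITY = {"Clean": 0, "Unknown": 1, "Suspicious": 2, "Malicious": 3}


def refang(text):
    """Undo the defanging conventions commonly used in blog posts and advisories."""
    text = re.sub(r"hxxp", "http", text, flags=re.I)
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}|\[dot\]", ".", text, flags=re.I)
    text = re.sub(r"\[@\]|\(@\)|\[at\]", "@", text, flags=re.I)
    return text


def extract_observables(text):
    """Return a sorted list of (type, value) pairs found in free text."""
    text = refang(text)
    claimed = []  # character spans already attributed to a higher-priority type
    found = set()
    for otype, pattern in _PATTERNS:
        for match in pattern.finditer(text):
            start, end = match.span()
            if any(start < c_end and end > c_start for c_start, c_end in claimed):
                continue
            value = match.group(0)
            if otype == "domain" and value.rsplit(".", 1)[1].lower() in _FILE_EXTS:
                continue
            claimed.append((start, end))
            # URL paths are case-sensitive; everything else is normalised to lowercase.
            found.add((otype, value if otype == "url" else value.lower()))
    return sorted(found)


def aggregate_verdicts(verdicts):
    """verdicts: iterable of (module, observable, disposition).
    Returns {observable: (worst disposition, sorted list of reporting modules)}."""
    worst, modules = {}, {}
    for module, value, disposition in verdicts:
        modules.setdefault(value, set()).add(module)
        if _SEVERITY[disposition] > _SEVERITY.get(worst.get(value), -1):
            worst[value] = disposition
    return {v: (worst[v], sorted(modules[v])) for v in worst}


def triage(text, verdicts):
    """Join extracted observables with module verdicts, worst first.
    Observables that no module reported on are marked Unknown, not Clean."""
    agg = aggregate_verdicts(verdicts)
    rows = []
    for otype, value in extract_observables(text):
        disposition, reporters = agg.get(value, ("Unknown", []))
        rows.append((otype, value, disposition, reporters))
    return sorted(rows, key=lambda r: -_SEVERITY[r[2]])


# Constructed sample input, not a real advisory or real telemetry.
SHA = "0123456789abcdef" * 4
SAMPLE_BLOG = f"""Constructed sample text, not a real advisory.
The loader was fetched from hxxp://update.example-cdn[.]net/payload.bin and
dropped as invoice.exe (SHA256 {SHA}). C2 at 198.51.100.23 and
bad-actor[.]example; the phishing sender was billing[@]mail.example.com.
Report sightings to soc@corp.example.
"""
# Constructed per-module verdicts, shaped like what integration modules return.
SAMPLE_VERDICTS = [
    ("AMP for Endpoints", SHA, "Malicious"),
    ("Threat Grid", SHA, "Malicious"),
    ("Umbrella", "bad-actor.example", "Suspicious"),
    ("Stealthwatch Enterprise", "198.51.100.23", "Unknown"),
    ("Umbrella", "198.51.100.23", "Malicious"),
    ("Email Security", "billing@mail.example.com", "Clean"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_BLOG, SAMPLE_VERDICTS):
        print(row)
```

Two points a practitioner should carry over to the real tool: refanging has to happen before extraction, otherwise `bad-actor[.]example` is silently lost; and an observable that no module has seen is Unknown, not Clean, which is why the sample IP ends up Malicious (Umbrella) even though Stealthwatch Enterprise had nothing on it.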
Additional Resources
• Learn more at cs.co/threat_response
• Join the Community cs.co/ctr_community
• Find us on YouTube cs.co/CTRvideos
Submit Your Questions Now!
Use the Q&A panel to submit your questions, our expert will respond
Ask Me Anything following the event
Now through Friday February 21st 2020
http://bit.ly/ama-feb18
With Ben Greenbaum
Ben Greenbaum Technical Marketing Engineer
Collaborate within our Social Media
Learn About Upcoming Events
We invite you to review our Social Media Channels
• Twitter: @Cisco_Support, http://bit.ly/csc-twitter
• Facebook: Cisco Community, http://bit.ly/csc-facebook
• LinkedIn: Cisco Community, http://bit.ly/csc-linked-in
• YouTube: Cisco Community, http://bit.ly/csc-youtube
• Cisco Technical Support App
Cisco has support communities in other languages! If you speak Spanish, Portuguese, Japanese, Russian or Chinese we invite you to participate & collaborate
• Portuguese: Comunidade da Cisco
• Russian: Сообщество Cisco
• Spanish: Comunidad de Cisco
• Japanese: シスココミュニティ
• Chinese: 思科服务支持社区
• French (NEW): Communauté Cisco
More IT Training Videos and Technical Seminars on the Cisco Learning Network
View Upcoming Sessions Schedule: https://cisco.com/go/techseminars
Thank you for Your Time!
Please take a moment to complete the survey
Thank you for participating, you earned a discount!
Redeem your 35% discount offer by entering code: CSC when checking out.
http://bit.ly/Community-CiscoPress2020
Cisco Press
Thanks For Joining today!