What can Cisco offer for Automating your SOC? Threat Hunting and Incident Response
Christopher van der Made, Technical Solutions Specialist, 8th of October, 2019
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Agenda
• Introduction to Threat Hunting and SOCs
• Cisco Elements for a SOC
• Cisco Talos
• Integrated Architecture
• Some concrete examples…
• LIVE DEMO
• Wrap Up
Introduction
The Hunting Maturity Model (HMM)
Slide from DEVNET-2505
Source: “A framework for Cyber Threat hunting” by Sqrrl
The Hunting Loop
Source: “A framework for Cyber Threat hunting” by Sqrrl
The Pyramid of Pain…
On-Demand Hunting
Automated Continuous Hunting
Cisco Talos
Cisco Talos
Product telemetry feeding Talos (network, endpoint and cloud): Endpoint Detection & Response, Mobile Security, Multi-factor authentication, Firewall, Intrusion Prevention, Web Security, SD Segmentation, Behavioral Analytics, Secure Internet Gateway, DNS Security, Email Security.
Further Talos inputs: Data Sharing, Vulnerability Discovery, Threat Traps.
Integrated Architecture
Cisco Security 2019: Automated Policy, Context Awareness, Event Visibility, Threat Intel/Enforcement
Building blocks: Enterprise Mobility Management, Network Traffic Security Analytics, Cloud Workload Protection, Web Security, Email Security, Advanced Threat Defense, Secure SD-WAN / Routers, Identity and Network Access Control, Secure Internet Gateway, Switches and Access Points Enforcement, Next-Gen FW/IPS, Cloud Access Security Broker
Integration layer: Cisco Threat Intelligence, Cisco Platform Exchange, Cisco Threat Response
Integrated Architecture
Cisco Security 2019, mapped to products (*WARNING: massive simplification):
• Enterprise Mobility Management: Meraki Systems Manager
• Cloud Workload Protection: Tetration
• Web Security and Email Security (+ Cloud)
• Advanced Threat Defense: AMP for Endpoints, AMP Cloud, Threat Grid, Cognitive
• Identity and Network Access Control: Identity Services Engine + pxGrid (+ Duo)
• Secure Internet Gateway: Umbrella + Investigate
• Next-Gen FW/IPS: Firepower NGFW/NGIPS
• Cloud Access Security Broker: Cloudlock
• Network Traffic Security Analytics: Stealthwatch (+ Cloud)
• Secure SD-WAN / Router: ISR, CSR, ASR, vEdge, Meraki MX
• Digital Network Architecture (switch and access point enforcement): Catalyst, Nexus, Meraki MS, Aironet/WLC, Meraki MR
• Third Party Integrations: pxGrid, Reporting APIs, Enforcement APIs, Threat Intel APIs, Web Hooks
• Cluster 1*, Cluster 2*
Integration layer: Cisco Threat Intelligence, Cisco Platform Exchange, Cisco Threat Response
Some concrete examples…
AMP Unity Retrospective Event Flow (slide from BRKSEC-3433)
Actors: Customer, CES (Cloud Email Security), AMP Cloud, Threat Grid Cloud, AMP4E (AMP for Endpoints)
1. Email with attachment arrives at CES
2. File Reputation Query (SHA256) from CES to the AMP Cloud
3. AMP Verdict: Unknown
4. File Submission (actual file) to the Threat Grid Cloud; No Quarantine Policy, so the email is delivered
5. User opens the email attachment: IOC detected and quarantined by AMP4E
6. Verdict Update: Malicious
7. AMP Retrospective Verdict Update: Malicious
8. Azure Token Request
9. Remediation (all mailboxes)
Azure application permissions used for step 9: Send mail as any user; Read and write mail in all mailboxes; Read mail in all mailboxes; Full access to all mailboxes
Source: https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_010100.html
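The flow above hinges on one piece of state the email gateway has to keep: where an attachment went while its verdict was still Unknown, so that the retrospective verdict of steps 6-7 can become the remediation of step 9. The Python below is an added example, not code from the deck or from Cisco, that models exactly that bookkeeping. `RetrospectiveTracker`, `Delivery`, the message ids, mailboxes and attachment bytes are constructed for the example; the Microsoft Graph `DELETE /users/{mailbox}/messages/{id}` path is an assumption about how step 9 would be issued. Step 5 (AMP4E on the endpoint) and step 8 (the Azure token request) are outside the model.

```python
"""Retrospective verdict handling, modelled on the AMP Unity event flow above.

Added example, not code from this deck or from Cisco. It keeps the one piece of state the
flow depends on: which mailbox received which attachment hash while the verdict was still
Unknown, so a later Malicious verdict can be turned into a remediation list. The Microsoft
Graph request paths are an assumption about how the mailbox remediation would be issued."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Delivery:
    message_id: str
    mailbox: str
    sha256: str
    verdict_at_delivery: str


class RetrospectiveTracker:
    """Stand-in for the CES + AMP Cloud bookkeeping: reputation, delivery log, retro update."""

    def __init__(self, quarantine_unknown: bool = False):
        self.quarantine_unknown = quarantine_unknown  # the deck's "No Quarantine Policy" case is False
        self.reputation = {}        # sha256 -> latest AMP verdict
        self.deliveries = []        # every copy that left CES, with the verdict it had at the time
        self.submitted = set()      # hashes already sent to Threat Grid (submit each file once)

    def file_reputation(self, sha256: str) -> str:
        """Steps 2-3: reputation lookup by hash; anything never seen is Unknown."""
        return self.reputation.get(sha256, "Unknown")

    def on_inbound(self, message_id: str, mailbox: str, attachment: bytes) -> str:
        """Steps 1 and 4: hash the attachment, submit it if Unknown, then deliver or quarantine."""
        sha256 = hashlib.sha256(attachment).hexdigest()
        verdict = self.file_reputation(sha256)
        if verdict == "Unknown":
            self.submitted.add(sha256)
        if verdict == "Malicious" or (verdict == "Unknown" and self.quarantine_unknown):
            return "quarantined"
        self.deliveries.append(Delivery(message_id, mailbox, sha256, verdict))
        return "delivered"

    def on_verdict_update(self, sha256: str, verdict: str) -> list:
        """Steps 6-7: retrospective verdict. Returns the deliveries that now need remediation."""
        self.reputation[sha256] = verdict
        if verdict != "Malicious":
            return []
        return [d for d in self.deliveries if d.sha256 == sha256]


def graph_remediation_requests(affected: list) -> list:
    """Step 9: one request per delivered copy. Assumption: remediation deletes the message via
    Microsoft Graph, which is why the Azure app needs mail access on ALL mailboxes, not one."""
    return [f"DELETE /users/{d.mailbox}/messages/{d.message_id}" for d in affected]


def run_flow() -> dict:
    """Replay the slide's steps with a constructed attachment and two recipients."""
    tracker = RetrospectiveTracker(quarantine_unknown=False)
    attachment = b"%PDF-1.7 constructed sample attachment, not real malware\n"
    sha256 = hashlib.sha256(attachment).hexdigest()
    first = tracker.on_inbound("msg-001", "alice@example.com", attachment)   # Unknown: delivered
    second = tracker.on_inbound("msg-002", "bob@example.com", attachment)    # same hash, delivered
    affected = tracker.on_verdict_update(sha256, "Malicious")               # retro verdict arrives
    later = tracker.on_inbound("msg-003", "carol@example.com", attachment)   # now blocked at CES
    return {"delivered": [first, second], "after_update": later,
            "remediate": graph_remediation_requests(affected),
            "submitted_once": len(tracker.submitted) == 1}


if __name__ == "__main__":
    for key, value in run_flow().items():
        print(f"{key}: {value}")
```

Two points follow from the model that the slide only implies: the delivery log has to be retained for at least the window between delivery and the retrospective verdict, or step 9 has nothing to act on; and the application permissions listed above (full access to all mailboxes) make the credentials behind step 8 a tenant-wide secret that deserves the same protection and monitoring as an admin account.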
Why? SecOps wants to know: Is it bad? Has it affected us?
How? By combining: SIEM, Email Security, Web Security, Next-Gen Firewalls, Malware Detection, Next-Gen IPS, Endpoint Security, Secure Internet Gateway, 3rd party sources, Network Analytics, Threat Intel, Identity Mgmt
Security that works together is one of the top priorities for our customers
Introducing Cisco Threat Response: Integrating security for faster defense
Key pillar of our integrated architecture
• Automates & orchestrates across security products
• Focuses on security operations functions: Detection, Investigation, and Remediation
• Included as part of the NGFW license
Cisco Threat Response
1. Intel sources
2. Event sources: NGFW, AMP, Stealthwatch, API (3rd party)
3. Incidents
Threat Intelligence: What do you know about these observables (IP, Hash, URL, etc.)?
Threat Investigation: Have we seen these observables? Which end-points interacted with the threat?
Integrated modules: Threat Grid, Talos Threat Intelligence, Advanced Malware Protection, Cisco Umbrella, Cloud Email Security, Stealthwatch (Cloud), Firepower, ISE
Also shown: Casebook (plugin), VirusTotal
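The two questions on this slide are what an automated CTR script has to answer for every observable it pulls out of a threat report: what do the modules say about it, and which endpoints touched it. The Python below is an added example, not code from the deck, from Cisco, or from the talos_blog_to_casebook script linked later; it extracts observables from defanged text in the `{"type", "value"}` shape CTR takes, collapses a multi-module enrich response into a worst-of verdict per observable plus the sighting targets, and carries a live helper for the token exchange and enrich call. The endpoint paths, the OAuth2 client-credentials details, the `disposition_name` field and the verdicts/sightings layout of the response are assumptions recalled from the CTR API documentation and must be checked against the CTR Dev Center; the blog text, hash, hostnames and response are constructed and use documentation addresses only.

```python
"""Observable extraction and verdict triage in the shape Cisco Threat Response (CTR) uses.

Added example, not code from this deck or from Cisco. The enrich response layout, the
endpoint paths and the OAuth2 details are ASSUMPTIONS recalled from the CTR API docs
(https://developer.cisco.com/threat-response/); verify them there before relying on them."""
import base64
import json
import re
from urllib import request  # only used by ctr_enrich(), never at import time

# The observable types the slide asks about: IP, hash, URL, domain (CTIM type names).
_PATTERNS = {
    "sha256": re.compile(r"\b[a-f0-9]{64}\b", re.I),
    "url": re.compile(r"https?://[^\s\"'<>)\]]+", re.I),
    "ip": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "domain": re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}\b", re.I),
}
_NOT_TLDS = {"bin", "exe", "dll", "zip", "doc", "docx", "pdf", "txt", "ps1", "js", "py"}  # "payload.bin" is a file

def refang(text: str) -> str:
    """Undo the defanging threat write-ups use: hxxp -> http, [.] -> ., [:] -> :."""
    for old, new in (("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        text = text.replace(old, new)
    return text

def extract_observables(text: str) -> list:
    """Deduplicated {"type", "value"} observables, the list CTR's enrich endpoint accepts."""
    text, found = refang(text), set()
    for otype, pattern in _PATTERNS.items():
        for raw in pattern.findall(text):
            value = raw.rstrip(".,;") if otype == "url" else raw.lower()
            if otype == "domain" and value.rsplit(".", 1)[-1] in _NOT_TLDS:
                continue
            found.add((otype, value))
    return [{"type": t, "value": v} for t, v in sorted(found)]

_SEVERITY = {"Clean": 0, "Common": 1, "Unknown": 2, "Suspicious": 3, "Malicious": 4}  # worst-of order

def summarize_enrichment(response: dict) -> dict:
    """Per observable: worst verdict across all modules, who said so, and the endpoints
    (sighting targets) that touched it. Answers both questions on the CTR slide."""
    summary = {}
    def entry(obs: dict) -> dict:
        return summary.setdefault((obs["type"], obs["value"]),
                                  {"verdict": None, "by": [], "targets": set()})
    for module in response.get("data", []):
        name, payload = module.get("module", "?"), module.get("data", {})
        for v in payload.get("verdicts", {}).get("docs", []):
            e, disp = entry(v["observable"]), v.get("disposition_name", "Unknown")
            e["by"].append(f"{name}: {disp}")
            if _SEVERITY.get(disp, 2) > _SEVERITY.get(e["verdict"], -1):
                e["verdict"] = disp  # one Malicious beats any number of Cleans
        for s in payload.get("sightings", {}).get("docs", []):
            hosts = {o["value"] for t in s.get("targets", [])
                     for o in t.get("observables", []) if o.get("type") == "hostname"}
            for obs in s.get("observables", []):
                entry(obs)["targets"] |= hosts
    return summary

def affected_endpoints(summary: dict) -> list:
    """'Which end-points interacted with the threat?': hosts that saw a Malicious observable."""
    return sorted({h for e in summary.values() if e["verdict"] == "Malicious" for h in e["targets"]})

CTR_BASE = "https://visibility.amp.cisco.com"  # assumption: North America host; other regions differ

def ctr_enrich(client_id: str, client_secret: str, observables: list) -> dict:
    """Live call (assumed endpoints): client-credentials token via Basic auth, then one enrich."""
    def call(path, data, headers):
        req = request.Request(CTR_BASE + path, data=data, headers=headers)
        with request.urlopen(req, timeout=60) as resp:
            return json.load(resp)
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    token = call("/iroh/oauth2/token", b"grant_type=client_credentials",
                 {"Authorization": f"Basic {basic}", "Accept": "application/json",
                  "Content-Type": "application/x-www-form-urlencoded"})["access_token"]
    return call("/iroh/iroh-enrich/observe/observables", json.dumps(observables).encode(),
                {"Authorization": f"Bearer {token}", "Accept": "application/json",
                 "Content-Type": "application/json"})

# Constructed sample text and a constructed enrich response (documentation addresses only).
HASH = "3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b"
SAMPLE_BLOG = f"""Constructed sample, not a real Talos post. The loader was hosted at
hxxp://update-cdn[.]example[.]net/payload.bin and beaconed to 203.0.113.45.
Dropped file SHA256: {HASH}. Second-stage domain: c2-relay[.]example[.]org"""

def _verdict(name, otype, value):  # one CTIM-style verdict doc
    return {"type": "verdict", "disposition_name": name, "observable": {"type": otype, "value": value}}

def _sighting(otype, value, host):  # one sighting with a single endpoint target
    return {"type": "sighting", "observables": [{"type": otype, "value": value}],
            "targets": [{"type": "endpoint", "observables": [{"type": "hostname", "value": host}]}]}

SAMPLE_ENRICH_RESPONSE = {"data": [
    {"module": "AMP for Endpoints", "data": {
        "verdicts": {"docs": [_verdict("Malicious", "sha256", HASH)]},
        "sightings": {"docs": [_sighting("sha256", HASH, "FIN-LAPTOP-07"),
                               _sighting("sha256", HASH, "HR-DESKTOP-12")]}}},
    {"module": "Umbrella", "data": {"verdicts": {"docs": [
        _verdict("Suspicious", "domain", "c2-relay.example.org"),
        _verdict("Clean", "domain", "update-cdn.example.net")]}}},  # disagrees with Talos below
    {"module": "Talos Intelligence", "data": {"verdicts": {"docs": [
        _verdict("Malicious", "domain", "update-cdn.example.net")]}}},
]}
```

Offline, `summarize_enrichment(SAMPLE_ENRICH_RESPONSE)` stands in for `ctr_enrich(client_id, client_secret, extract_observables(SAMPLE_BLOG))`. The worst-of rule is the part worth keeping when adapting this: a domain that one module marks Clean and another marks Malicious must surface as Malicious, and the hosts in the sightings, not the verdicts, are what tell you whether the threat has already affected you.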
On-Demand Hunting
Automated Continuous Hunting
LIVE DEMO
Wrap Up
More resources
• Automated CTR script: https://github.com/chrivand/talos_blog_to_casebook
• More CTR demos: https://www.youtube.com/playlist?list=PLmuBTVjNfV0cnORU8f0HwTHvGl91TgoVA
• CTR Dev Center: https://developer.cisco.com/threat-response/
• CTR data sheet: https://www.cisco.com/c/nl_nl/products/security/threat-response.html
Thank you!
More questions? -> [email protected]
SECURE PERSONAL DISTINCTIVE
Program: The Future is Now
Afternoon:
15:00 – 16:00 Keynote: Richard van Hooijdonk, Trends 2030
16:00 – 17:00 Closing by the day chair and networking drinks
Room | Auditorium | Workshop | Klas van ‘45
13:35 | Lantech: Hans Willem Verwoerd | Amaris Zorggroep: Geert-Jan Schroot | Proofpoint: Jim Cox
14:25 | Lantech: Solutions engineer | Extreme Networks: Mathew Edwards |