A Deep Dive into the Firepower Manager
Transcription (uploaded by Adam Glenn)
2 A Deep Dive into the Firepower Manager. William Young, Security Solutions. BRKSEC-2058
3 Just some Security Guy. William Young, Security Solutions Architect, Cisco. 26 years in security; 13 years working with Sourcefire / Firepower. Focus areas: Security Operations; Policy & Compliance; Threat Forensics and Investigation. Hacker: or just some guy that breaks stuff. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public
4 Cisco Firepower Sessions: Building Blocks
- BRKSEC-2056 Threat Centric Network Security (Tuesday 11:15)
- BRKSEC-2050 ASA Firepower NGFW typical deployment scenarios (Tuesday 14:15)
- BRKSEC-2058 A Deep Dive into using the Firepower Manager (Tuesday 16:45)
- BRKSEC-3032 NGFW Clustering Deep Dive (Wednesday 9:00)
- BRKSEC-3035 Firepower Platform Deep Dive (Thursday 9:00)
- BRKSEC-3455 Dissecting Firepower NGFW (FTD+FPS) (Friday 9:00)
5 Agenda
- Introduction
- Understanding Events in the Firepower Management Center
- Walking through a Breach
- Security Automation (Orchestration): Recommended Rules; Correlation Rules; Automating Remediation (Remediation API)
- Reporting Matters: Workflows; Custom Tables; Leveraging the Dashboard
- Close
6 Do you really know Firepower Manager? It is more than just: a policy configuration tool for NGFW / NGIPS; a quick way to see the context / composition of your network; a tool to check on your intrusion events.
7 Creating a deeper value than just threat protection. Firepower Management Center (FMC) manages threat detection. It also: puts threats into context within YOUR unique network; provides actionable security, network, and business data; can let Security come out of the dog house by supporting multiple business outcomes; creates automation in your threat hunting; bends itself to your organization's workflow, or automates that workflow.
8 Key Takeaways. At the end of the session, you will start to: understand how automatic correlation REALLY works (Impact Flags & Indications of Compromise (IOCs)); know which security events need to be investigated first, and why; begin using correlation policies and system APIs to automate your security workflow; understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise.
9 Understanding Events in the Firepower Management Center
10 Event Source Matters: Understanding Data vs. Misunderstood Data.
11 Visual Guide to Firepower Event Sources
Detection engines: Security Intelligence; Traffic Normalization; DNS Sinkhole; SSL Decrypt; URL; Application Detection; Network Discovery; Identity; File Detection; AMP; IPS Engine (Snort).
Event types they produce: Security Intelligence events; Connection Events; Discovery Events; Intrusion Events; User Activity; File Events; Malware Events; AMP for Endpoints events.
Supplemental data: Geo IP data; CVE / vulnerability data; IP reputation data; URL data.
Derived context: Servers; Applications; Application Details; File Info; File Trajectory; Host Profiles; Host Attributes; Indications of Compromise.
12 Indications of Compromise. IOCs leverage correlation of multiple event types, such as: Impact 1 & 2 events; CNC connection events (IPS); compromise events (IPS); Security Intelligence events; AMP for Endpoints events; AMP for Networks (includes some file events). They are built-in Cisco correlation rules. Goal: 1. FIX THIS NOW; 2. what needs to be fixed; 3. how to fix it.
13 What makes an Intrusion Event (state established): structure and content testing. Snort rules use variables to determine directionality: $EXTERNAL_NET -> $HOME_NET (inbound), $HOME_NET -> $EXTERNAL_NET (outbound). TCP-based events from the Snort engine are based on ESTABLISHED sessions, which reduces false positives: an IPS event on TCP means the session made it THROUGH the perimeter. What makes a Host Profile: passive data collection (network packet analysis) and a state table built from Discovery Events. Server services: TCP-based services respond to connections; UDP-based services initiate UDP packets. Applications (generally TCP) are detected during session initiation from the host. The TCP request/response maps to the server port; the UDP request sent maps to the server port. Understanding directionality is key to Impact Flags.
14 The Host Profile: End Point Context (applications, services, OS, vulnerabilities).
15 Understanding Impact Flags
How intrusion event fields map to the Host Profile:
- Source / Destination IP -> IP address in the profile (or outside the profiled range / host not yet profiled)
- Protocol (TCP/UDP) -> protocols seen on the host
- Source / Destination Port -> server-side ports and client-side ports
- Snort ID -> services, client / server applications, operating system, potential vulnerabilities (CVE); some rules carry a predefined impact (IOC)
- User IDs
Impact flags, what they mean and what to do:
- Impact 0: general info. The event occurred outside the profiled networks.
- Impact 4: good information, but the host is currently not known. Previously unseen host within the monitored network.
- Impact 3: good information, but the event may not have connected. The relevant port is not open or the protocol is not in use on the host.
- Impact 2: worth investigation, the host is exposed. The relevant port or protocol is in use but no vulnerability is mapped.
- Impact 1: act immediately, the host is vulnerable or compromised. The host is vulnerable to the attack or is showing an IOC.
If you have a fully profiled network this may be a critical event!
16 Unique Events: Correlation & White List Events. Correlation Events: internal events based on Boolean conditions within and across multiple event databases within the FMC (FMC events -> Correlation Rules -> Correlation Events). [Tip: Correlation Rules can monitor changes in flow!] White List Events: internal events based on changes to individual or grouped host profiles (Discovery Events -> Host Profile changes -> White List Events). These are the first step in creating an automated response!
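The impact-flag table on slide 15 is really a decision procedure: match the event's addresses, protocol, destination port and rule CVEs against what the host profile knows, and the outcome is the flag. Here it is as runnable code. This is an added example written for this page, not Cisco's implementation: the HostProfile and IntrusionEvent fields, the single 10.0.0.0/8 monitored range, the handling of rules marked impact_flag red, and every sample host and event are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed "monitored network" for the example; FMC takes this from the
# network discovery policy (assumption: one RFC 1918 range is enough here).
MONITORED = [ip_network("10.0.0.0/8")]


@dataclass
class HostProfile:
    """Subset of an FMC host profile relevant to impact assessment (field names assumed)."""
    ip: str
    protocols: set = field(default_factory=set)       # transport protocols seen, e.g. {"tcp"}
    server_ports: dict = field(default_factory=dict)  # open server port -> service name
    vulns: set = field(default_factory=set)           # CVE ids mapped to the host


@dataclass
class IntrusionEvent:
    """Subset of an intrusion event. rule_cves / rule_impact_red come from the Snort
    rule's reference:cve and metadata:impact_flag red options."""
    src: str
    dst: str
    proto: str
    dst_port: int
    sid: int
    rule_cves: set = field(default_factory=set)
    rule_impact_red: bool = False


def in_monitored(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MONITORED)


def impact_flag(ev: IntrusionEvent, profiles: dict) -> tuple:
    """Return (impact, reason) following the slide's table: 0 outside profiled networks,
    4 unknown target, 3 not vulnerable, 2 potentially vulnerable, 1 vulnerable or IOC."""
    if not (in_monitored(ev.src) or in_monitored(ev.dst)):
        return 0, "neither host is in a profiled network"
    # Assumption: a rule flagged 'impact_flag red' (e.g. the sinkhole C2 rule) is treated
    # as a predefined Impact 1 as soon as a monitored host is involved.
    if ev.rule_impact_red:
        return 1, "rule carries a predefined red impact (IOC)"
    target = profiles.get(ev.dst)
    if target is None:
        if profiles.get(ev.src) is None:
            return 4, "host is in a monitored network but not yet profiled"
        # The outbound case from the session: internal source, unprofiled external target.
        return 3, "destination is not profiled; only the (attacking) source is known"
    if ev.proto not in target.protocols or ev.dst_port not in target.server_ports:
        return 3, "relevant port not open or protocol not in use on the target"
    if ev.rule_cves & target.vulns:
        return 1, "rule CVE matches a vulnerability mapped to the target"
    return 2, "port/protocol in use on the target but no vulnerability mapped"


def triage(events, profiles):
    """Order events the way slide 25 suggests: Impact 1 first, then 3 (then 2), 4, 0."""
    priority = {1: 0, 3: 1, 2: 2, 4: 3, 0: 4}
    scored = [(impact_flag(ev, profiles)[0], ev) for ev in events]
    return sorted(scored, key=lambda pair: priority[pair[0]])


# Constructed sample data (not from the session). CVE ids are placeholders.
PROFILES = {
    "10.1.1.52": HostProfile("10.1.1.52", {"tcp"}, {445: "smb", 3389: "rdp"}, {"CVE-EXAMPLE-0001"}),
    "10.1.1.111": HostProfile("10.1.1.111", {"tcp", "udp"}, {80: "http"}, set()),
}
EVENTS = [
    IntrusionEvent("203.0.113.5", "10.1.1.52", "tcp", 445, 1000001, {"CVE-EXAMPLE-0001"}),  # vulnerable
    IntrusionEvent("203.0.113.5", "10.1.1.52", "tcp", 8080, 1000002, {"CVE-EXAMPLE-0002"}), # port closed
    IntrusionEvent("203.0.113.5", "10.1.1.111", "tcp", 80, 1000003, {"CVE-EXAMPLE-0003"}), # no vuln mapped
    IntrusionEvent("203.0.113.5", "10.1.1.99", "tcp", 22, 1000004),                        # unprofiled host
    IntrusionEvent("10.1.1.52", "203.0.113.9", "tcp", 80, 1000005),                        # internal attacker
    IntrusionEvent("198.51.100.7", "203.0.113.9", "tcp", 80, 1000006),                     # off-network
    IntrusionEvent("203.0.113.9", "10.1.1.52", "tcp", 51000, 33306, rule_impact_red=True), # sinkhole rule
]

if __name__ == "__main__":
    for impact, ev in triage(EVENTS, PROFILES):
        print(impact, ev.sid, ev.src, "->", ev.dst, impact_flag(ev, PROFILES)[1])
```

The fifth event reproduces the "Impact 3 attempt" walked through later in the session: the source is an internal, profiled host and the destination is an external address with no profile, so the flag is 3 even though the event is the internal host attacking out.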
17 Walking through a breach
18-24 Stages of Incident Handling (SANS Institute): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned. Within Identification, the slides build up the steps used in this session: decide which events to focus on first; drill into a specific event; validate the breach (leverage documentation, leverage additional forensics); explore your remediation options; remediate; automate as many decisions or actions as possible.
25 Order of Investigation. Goal: getting to remediation. The slide ranks event classes by urgency, highest first: You've been Owned! (Remediation); Under Attack (Incident Response); Critical Assets; Data Collection; Research & Tuning. The inputs it sorts are Indication of Compromise, Impact 1, Impact 3 (then 2), Impact 4 and Impact 0 events, qualified by whether the event was Not Blocked or Dropped and whether the source is Internal or External. Correlation rules may vary based on corporate priority.
26 POP QUIZ: Where do I start my investigation? From the FMC Dashboard, or from the FMC Context Explorer?
27 This is what most of our networks look like. Some ways to choose: Malware Executed (AMP for Endpoints); Dropper Infection (AMP for Endpoints); Threat detected in file transfer; CNC Connected events; Shell Code Executed; Impact 1 (these were probably blocked); Impact 2 (these were probably blocked). THEME: start with what is compromised first. From the FMC Context Explorer: let's see what these 63 events are all about.
28 Drilling into the IOC. Busy event. Looks like we're getting more.
29 Digging into the IOC. Seems active across 6 hosts. Let's drill into one.
30 Looks like Kim Ralls has a lot going on on her Windows host. Events from multiple sources: IPS Engine, File Protection, AMP for Networks. 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
35 .147 tried to send the file 5 times; .147 was sent the file once, and the IPS blocked it! (yay) What does Impact 4 mean? Should we investigate more?
36 Did you forget about these? Let's see if that file moved around without the IPS seeing it.
37 Yep. That file is malware. We see it in the malware summary, too.
38-39 A lot more than the 6 file transfers and hosts the IPS engine stopped. Good thing they have AMP for Endpoints, too. Bet they wish they had enabled quarantining. Problem scoped. Time to remediate. Maybe a good time to look at file analysis / Threat Grid to learn what other artifacts are left behind. Take Away: be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.
40-48 Looking at an Impact 3 Attempt. Source IP: all internal. Destination IP: all external. Impact 3: there are no Host Profiles for the external hosts, so the event cannot be matched to a vulnerable target. Sourced from my network = I'm the attacker? = Indication of Compromise. TCP detection means an established connection. These hosts definitely launched an attack. Next step: focus on the source host. It is probably compromised.
50 Assessment: This has to be stopped!
51 Breached? Follow an order of operations. Multiple event vectors: IPS, malware, connection, file, trajectory, DNS, context. Mission / op critical correlation: IOCs, impact flags. Check all the related data; leverage rule documentation. See the big story: the packet is not always necessary. Build a complete timeline and tell a story. Event directionality; protocol: TCP / UDP?
52 Automating Security Work
53 Recommended Rules
54-57 False negatives ensure you're NOT protected. Too many exploits succeed because: systems aren't patched; detections aren't enabled; attackers succeed with old exploits (see the Verizon Data Breach Report(s) and Cisco Annual Security Report(s)). Cause: event overload, tuning failures, detections disabled. Resolution: impact analysis, understanding your detection tools, knowing what needs protection.
58 Firepower Recommendations knows what I do not.
59 Recommended Rules: how it works. Snort rules carry an SVID / possible vulnerability mapping. SID 24671, Integer Overflow in Windows Remote exploit: references a CVE, i.e. a remotely exploitable vulnerability that can be matched against host profiles. SID BLACKLIST: Connection to a malware sinkhole: detection of behavior that comes from a compromised host, or one that is about to be compromised; there is no CVE to match.
60-61 Recommended Rules: the details.
Rule that will map to Recommended Rules (it carries a CVE reference):
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"browser-ie ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:" 55 8B EC 6A FF 68 A A EC 0C A1 20 B C F "; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve, ; reference:url,technet.microsoft.com/enus/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )
Not all rules have a CVE! This one cannot map to any host vulnerability:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"blacklist Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"sinkholed by abuse.ch 0A "; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/sinkhole_server; classtype:trojan-activity; sid:33306; rev:1; )
Rules disabled by default: some rules will ALWAYS be turned off by Recommended Rules when the option to disable rules is accepted. You may want to uncheck this.
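To make the mapping concrete, here is a small parser for the rule syntax shown above together with the CVE-based decision the slide describes. This is an added example, not Cisco's recommendation engine: the two sample rules reuse the headers, SIDs and metadata from the slide but with a constructed CVE id (CVE-2099-0001) and shortened content bytes, and recommend() is my reading of the slide's behaviour (enable on a CVE match against profiled hosts, otherwise disable when the "disable rules" option is accepted).

```python
import re

# Rule header: action proto src sport dir dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


def split_options(opts: str) -> list:
    """Split the option body on ';' while honouring double quotes and backslash
    escapes, because content/msg strings may themselves contain ';' or ':'."""
    tokens, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == ";" and not quoted:
            tokens.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if "".join(buf).strip():
        tokens.append("".join(buf).strip())
    pairs = []
    for tok in tokens:
        if not tok:
            continue
        key, _, val = tok.partition(":")
        pairs.append((key.strip(), val.strip().strip('"')))
    return pairs


def parse_rule(text: str) -> dict:
    """Parse one rule into header fields, option pairs, normalised CVE ids and metadata."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text[:40])
    rule = {k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")}
    opts = split_options(m.group("opts"))
    rule["options"] = opts
    rule["sid"] = int(next(v for k, v in opts if k == "sid"))
    rule["msg"] = next((v for k, v in opts if k == "msg"), "")
    # reference:cve,YYYY-NNNN -> "CVE-YYYY-NNNN"; url/other references never map to a host vuln
    rule["cves"] = {"CVE-" + v.split(",", 1)[1].strip() for k, v in opts
                    if k == "reference" and v.lower().startswith("cve,")}
    meta = {}
    for k, v in opts:
        if k == "metadata":
            for item in v.split(","):
                name, _, value = item.strip().partition(" ")
                meta.setdefault(name, []).append(value.strip())
    rule["metadata"] = meta
    return rule


def recommend(rule: dict, host_cves: set, disable_unmatched: bool = True) -> str:
    """Enable when one of the rule's CVEs is mapped to a profiled host; otherwise
    'disable' if the disable-rules recommendation is accepted, else 'leave'.
    A rule with no CVE reference can never match, so it is always disabled under that option."""
    if rule["cves"] & host_cves:
        return "enable"
    return "disable" if disable_unmatched else "leave"


def recommend_for_hosts(rules: list, host_cves: set, disable_unmatched: bool = True) -> dict:
    """host_cves: the union of CVE ids found across all profiled hosts."""
    return {r["sid"]: recommend(r, host_cves, disable_unmatched) for r in rules}


# Constructed sample rules modelled on the two from the slide (CVE id and bytes are placeholders).
SAMPLE_RULES = [
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker '
    'object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; '
    'content:"|55 8B EC 6A FF 68|"; fast_pattern:only; metadata:policy balanced-ips drop, '
    'policy security-ips drop, service smtp; reference:cve,2099-0001; '
    'reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; '
    'classtype:attempted-user; sid:32265; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; '
    'flow:to_client,established; dsize:22; content:"sinkholed by abuse.ch|0A|"; fast_pattern:only; '
    'metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; '
    'reference:url,en.wikipedia.org/wiki/Sinkhole_server; classtype:trojan-activity; sid:33306; rev:1;)',
]

if __name__ == "__main__":
    parsed = [parse_rule(r) for r in SAMPLE_RULES]
    print(recommend_for_hosts(parsed, {"CVE-2099-0001"}))
```

Because the sinkhole rule's only reference is a URL, no host profile will ever match it; if you accept the disable-rules recommendation it goes dark even though it flags an already-compromised host (note its metadata:impact_flag red). That is the checkbox the slide tells you to consider unchecking.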
62 Correlation Rules
63-64 Correlation Rules / Correlation Policy. Value: automate security decisions; track business outcomes; trigger an automated response to specific conditions. Correlation Rules allow BOOLEAN decisions on one or more sets of data within the Firepower console. Rules can then lead to actions such as Email, Syslog, SNMP events or remediation actions. The funnel on the slide: 100,000 events -> 5,000 events -> 500 events -> 100 events -> 20 events entering a Correlation Policy; Correlation Policy -> Correlation Rule(s) -> Correlation Event (10 events, then 3 events) -> Action (Email, Syslog, SNMP, Remediation Module).
65 Correlation Rules go into Correlation Policies.
66 Building a Correlation Rule.
67 Sample Correlation Rule. A correlation rule to: ensure only HTTPS traffic is used on port 443; ensure the traffic is initiated by a host whose Location host attribute is POS; ensure the HTTPS traffic from the POS host is received by hosts in the PCI network. Any traffic outside this profile will generate an event.
68-69 Correlation Rule example: Production Network Change ("... is exfiltrating traffic").
70-71 Some Correlation Rules to Drive Action.
Rule 1: If an Intrusion Event occurs AND (Impact Flag is 3 - Yellow OR Impact Flag is 4 - Blue) AND (Source IP is in 192.168.0.0/16 OR Source IP is in 10.0.0.0/8 OR Source IP is in 172.16.0.0/12) AND Destination IP is not in 192.168.0.0/16 AND not in 10.0.0.0/8 AND not in 172.16.0.0/12 (the RFC 1918 ranges; the three negated destination conditions must all hold, so AND them: OR-ing "not in /16" with "not in /8" is always true). Meaning: you have a compromised host attacking systems off your network.
Rule 2: If a Malware Event occurs by retrospective network-based malware detection AND (Sending IP is in one of those ranges OR Receiving IP is in one of them). Meaning: a recently seen file has been retrospectively determined to be malware. Go stop it NOW! Make it even more actionable based on the file TYPE: just add another Boolean condition.
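The two rules from slides 70-71 as executable Boolean checks over a constructed event list, plus a tiny "policy" that runs them the way a correlation policy would. This is an added example, not FMC's correlation engine: the event field names (type, impact, src, dst, sender, receiver, detection, file_type), the RFC 1918 ranges standing in for "my network", and the action labels are assumptions. The destination test is written as an AND of the three negations, which is what the rule needs in order to mean "off my network".

```python
from ipaddress import ip_address, ip_network

# The three RFC 1918 ranges the slide's rules test against (assumption: these are "my network")
INTERNAL = [ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def compromised_host_attacking(ev: dict) -> bool:
    """Slide 70, rule 1: intrusion event AND impact 3 or 4 AND internal source AND
    destination outside every internal range."""
    return (ev["type"] == "intrusion"
            and ev["impact"] in (3, 4)
            and is_internal(ev["src"])
            and not is_internal(ev["dst"]))


def retrospective_malware(ev: dict, file_types: set = None) -> bool:
    """Slides 70-71, rule 2: malware event from retrospective network-based detection with an
    internal sender or receiver; file_types is the extra Boolean condition from slide 71."""
    if ev["type"] != "malware" or ev["detection"] != "retrospective":
        return False
    if file_types is not None and ev["file_type"] not in file_types:
        return False
    return is_internal(ev["sender"]) or is_internal(ev["receiver"])


# A "correlation policy": (rule name, predicate, action label); names are assumed.
POLICY = [
    ("compromised-host-attacking-out", compromised_host_attacking, "syslog+email"),
    ("retrospective-malware-any", retrospective_malware, "syslog"),
    ("retrospective-malware-exe", lambda ev: retrospective_malware(ev, {"MSEXE"}),
     "remediation:ise-quarantine"),
]


def evaluate(events: list, policy=POLICY) -> list:
    """Run every rule over every event; return the correlation events that would be raised."""
    fired = []
    for ev in events:
        for name, predicate, action in policy:
            if predicate(ev):
                fired.append({"rule": name, "action": action, "event_id": ev["id"]})
    return fired


# Constructed sample events (field names are assumptions, not FMC's schema)
EVENTS = [
    {"id": 1, "type": "intrusion", "impact": 3, "src": "10.1.1.52", "dst": "203.0.113.5"},     # fires
    {"id": 2, "type": "intrusion", "impact": 1, "src": "203.0.113.5", "dst": "10.1.1.52"},     # inbound, impact 1
    {"id": 3, "type": "intrusion", "impact": 4, "src": "172.16.4.9", "dst": "192.168.7.7"},    # both internal
    {"id": 4, "type": "malware", "detection": "retrospective", "file_type": "MSEXE",
     "sender": "203.0.113.9", "receiver": "10.1.1.111"},                                      # fires twice
    {"id": 5, "type": "malware", "detection": "retrospective", "file_type": "PDF",
     "sender": "198.51.100.3", "receiver": "192.168.7.7"},                                    # fires once
    {"id": 6, "type": "malware", "detection": "network", "file_type": "MSEXE",
     "sender": "203.0.113.9", "receiver": "10.1.1.56"},                                       # not retrospective
    {"id": 7, "type": "malware", "detection": "retrospective", "file_type": "MSEXE",
     "sender": "203.0.113.9", "receiver": "198.51.100.4"},                                    # neither end internal
]

if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(hit)
```

Event 3 is the reason the destination negations must be ANDed: an internal-to-internal impact 4 event would match "not in /16 OR not in /8" and every internal scan would page you as an off-network attack.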
72 Remediation API
73 Grand Vision for Integration & Firepower Management.
74 Automating Response: the Remediation API. Inputs: Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events. Boolean conditions -> Correlation Rules -> Correlation Policies -> Correlation Events -> Actions (API, Email, SNMP). Sample remediation modules: Cisco ISE (pxGrid mitigation); Guidance EnCase; Set Host Attributes; Security Intelligence blacklisting; Nmap scan; SSH / Expect scripts; F5 iRules; Solera DeepSee; NetScaler; PacketFence; Bradford.
75 ISE + Firepower = Rapid Threat Containment. 1. Security events / IOCs are reported to the FMC. 2. Correlation rules trigger the remediation action. 3. The FMC sends the pxGrid EPS action to ISE: Quarantine + Re-Auth. 4. The endpoint is assigned Quarantine and a CoA-Reauth is sent. (Diagram components: WWW, NGFW, i-net, Controller, FMC, ISE MnT.)
76-83 Configure Rapid Threat Containment. Open the System: Integration page and enter the ISE server details (e.g. ise-1.mynet.com, ise-2.mynet.com). Be sure to configure your certs for the integration. Once the integration is up, notice your ISE mitigation actions in the remediation list. Be sure to assign the action to a Correlation Rule within a Correlation Policy.
84 "Other Tools" in the Firepower Toolkit.
Event analysis toolset: White Listing (correlation tool to monitor for host profile changes); Traffic Profiling (monitor behavioral changes in traffic conditions).
Programmatic interfaces: eStreamer API (transmit all event data to an external repository: SIEM, event log, edge); Host Input API (insert data into Host Profiles from external data sources); Remediation API (programmatically initiate actions on external systems); JDBC Connector (directly query the FMC database for reporting, SIEM queries, etc.); REST API (NEW! REST interface for FMC query and configuration).
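Of the interfaces listed above, the REST API is the one most people script first. The client below shows the two things every FMC script needs: the token handshake (HTTP Basic to generatetoken, then the returned access token and domain UUID on every call) and walking a paged query. This is an added example, not Cisco's SDK. The endpoint paths, the 204 response to generatetoken, the X-auth-access-token and DOMAIN_UUID headers and the items/paging response shape follow the public FMC REST API as I know it, so verify them against your version's API Explorer; the transport function is injected and the fake FMC, its host objects, domain UUID and credentials are constructed so the example runs offline.

```python
import base64
import json
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_PATH = "/api/fmc_platform/v1/auth/generatetoken"


class FmcClient:
    """Token handshake plus paged GET against the config API.
    transport(method, url, headers, body) -> (status, headers, body) is injected so the
    same client can wrap urllib/requests in production and the fake below offline."""

    def __init__(self, host: str, transport):
        self.base = "https://" + host
        self.transport = transport
        self.token = None
        self.domain_uuid = None

    def login(self, user: str, password: str) -> str:
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        status, headers, _ = self.transport("POST", self.base + TOKEN_PATH,
                                            {"Authorization": "Basic " + basic}, None)
        if status != 204:                      # FMC answers 204 with the token in headers
            raise PermissionError(f"generatetoken returned {status}")
        self.token = headers["X-auth-access-token"]
        self.domain_uuid = headers["DOMAIN_UUID"]
        return self.domain_uuid

    def get_all(self, resource: str, limit: int = 25) -> list:
        """Walk offset/limit pages of a config resource (e.g. object/hosts) until paging.count is reached."""
        if self.token is None:
            raise RuntimeError("login() first")
        items, offset = [], 0
        while True:
            query = urlencode({"offset": offset, "limit": limit, "expanded": "true"})
            url = f"{self.base}/api/fmc_config/v1/domain/{self.domain_uuid}/{resource}?{query}"
            status, _, body = self.transport("GET", url, {"X-auth-access-token": self.token}, None)
            if status != 200:
                raise RuntimeError(f"GET {resource} returned {status}")
            page = json.loads(body)
            items.extend(page.get("items", []))
            offset += limit
            if offset >= page.get("paging", {}).get("count", 0):
                return items


# ---- Constructed fake FMC for offline use: three host objects, paged like the real API ----
FAKE_DOMAIN = "00000000-0000-4000-8000-0000000000aa"   # placeholder UUID, not a real domain
FAKE_HOSTS = [{"id": f"host-{i}", "name": f"srv{i}", "type": "Host", "value": f"10.1.1.{50 + i}"}
              for i in range(3)]
FAKE_CRED = "Basic " + base64.b64encode(b"api:s3cret").decode()


def fake_transport(method, url, headers, body):
    parsed = urlparse(url)
    if method == "POST" and parsed.path == TOKEN_PATH:
        if headers.get("Authorization") != FAKE_CRED:
            return 401, {}, b""
        return 204, {"X-auth-access-token": "tok-123", "DOMAIN_UUID": FAKE_DOMAIN}, b""
    if (method == "GET" and headers.get("X-auth-access-token") == "tok-123"
            and parsed.path == f"/api/fmc_config/v1/domain/{FAKE_DOMAIN}/object/hosts"):
        q = parse_qs(parsed.query)
        offset, limit = int(q["offset"][0]), int(q["limit"][0])
        page = {"items": FAKE_HOSTS[offset:offset + limit],
                "paging": {"offset": offset, "limit": limit, "count": len(FAKE_HOSTS)}}
        return 200, {}, json.dumps(page).encode()
    return 404, {}, b""


def demo() -> list:
    """Log in to the fake FMC and pull every host object two at a time (exercises paging)."""
    client = FmcClient("fmc.example.net", fake_transport)
    client.login("api", "s3cret")
    return client.get_all("object/hosts", limit=2)


if __name__ == "__main__":
    for host in demo():
        print(host["name"], host["value"])
```

For a real FMC, supply a transport built on urllib.request with certificate verification left on (the FMC's certificate is the one thing standing between your API credentials and a man-in-the-middle), and re-login or use the refresh token when the access token expires.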
85 Reporting Matters
86 Default Reports: not just what's in the templates. Dashboard widgets are mini-reports; there are over 120 preset reports within a widget, and you can create custom widgets for more. Think of the Dashboard as your unlimited report designer. Tools: Searches, Custom Workflows, Custom Tables = a data goldmine.
87 Event Viewing. Tables: listings of events within a data set (IPS, Connection, Malware, etc.). Workflows: customized organization of specific column headers; allows analysts to go straight to meaningful data. Filters: search for specific or generalized matches within event tables; each table can have its own filters; hundreds of filters pre-installed; customizable. Custom Tables: a join of two or more individual event tables; aggregate useful data for faster decision making and reporting; each has its own workflows and filters.
88 Workflows
89-90 A Default Event View.
91 Changing the view helps focus analysis.
92-93 Create a Custom Workflow.
94 How it turned out: build on your order of investigation. Actionable data: hosts .52, .56 and .111 need to be investigated!
95 Custom Tables
96 Building Custom Tables: join Intrusion Events with Host Data into a custom view and have all the data you need immediately in one place.
97-101 Custom Table: Intrusion Event with Host Data. Custom tables can even have their own workflows.
102-103 Custom Table: includes custom filters. Tables, custom tables and filters can also be leveraged on the Dashboard; just choose the one column that is most meaningful.
104 Uses for Tables (standard & custom) and Workflows: having more relevant data on hand when doing event analysis and forensics; reducing the number of clicks to drill into meaningful data; customizing prioritization based on local business and security drivers; speeding new threat discovery / hunting. Combined with filters they let you segment information into meaningful chunks, such as device functionality, users / groups, activity / behavior, network zone, country, operating system and threat type, and answer: trends? what changed? what's new? Valuable in customizing your dashboard, building reports and documenting compliance. Let the business need feed your creativity.
105 Examples of possible data to report. Security-specific: threats experienced; automated remediations; OSs most compromised; app threat root cause. Operations: new systems on the network; new services or applications in use; changes in network behavior; OS data. Compliance (PCI, NERC CIP, HIPAA): OS usage; user / group access behavior; app segmentation; hosts in violation of corporate policy. Expanding your reporting to drive business efficiency creates a stronger security practice.
106 Interesting Data for Filtering
- Potential new threat: list internal source IPs.
- Threat destinations: top Security Intelligence events with an external destination IP.
- Top file sources: top external source IPs for files.
- Executable exfil: internal IPs that send files to external addresses (esp. exe, jar, pdf, doc, archive, etc.).
- Odd URLs: internal IPs connecting to URL categories of concern.
- Retrospective: internal IP addresses associated with retrospective malware.
- DNS: internal IPs generating DNS sinkhole events.
- Bad SSL: internal IPs using invalid SSL certs to external IPs.
- Correlation events: internal IPs sourcing correlation events.
- Processes introducing malware (prebuilt in FMC, requires AMP for Endpoints).
- Invalid app usage: internal IPs using apps on non-standard protocols (create correlation rules; leverage OpenAppID).
107 Leveraging the Dashboard
108 Customize The Dashboard
- There are a number of default dashboards
- All of them have customizable widgets
- Create / customize your own for better visibility and report designs
109 Customize The Dashboard: this is your most powerful widget
110 Dashboards That Meet Your Needs: threat focused
111 Dashboards That Meet Your Needs: network focused
112 Build Reports Straight from the Dashboard
113 Or Import Dashboards With the Report Builder: import sections from dashboards, summaries, and workflows
114 Closing
115 Key Takeaways
By now you hopefully:
- Have a better understanding of how automated event analysis happens: Impact Flags and Indications of Compromise (IOCs)
- Have a better strategy for examining a security breach
- Are able to leverage correlation policies and system APIs to create meaningful security automation
- Understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise
116 Complete Your Online Session Evaluation
- Please complete your online session evaluations after each session
- Complete 4 session evaluations and the overall conference evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
- Please leave comments! (and your email if you want a response)
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
117 Continue Your Education
- Demos in the Cisco campus
- Walk-in self-paced labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions
118 Call to Action
- Firepower Management Center can be the center of your security operations
- Look at FMC as a security automation framework
- FMC's real value is in how it can merge security operations and business outcomes
- Look for cross-product integration to strengthen FMC's value
- Be creative in creating solutions; look beyond IPS or threat protection opportunities
The more you understand about your organization's security practices and business outcome needs, the more you'll find you can deliver with Firepower Management Center.
Check out Firepower more at the World of Solutions! What can you make it do?!
119 Thank You And remember to fill out your surveys!
121 Reference Slides
122 Event Source to Event Type (Reference)
Layer   | Engine                                                    | Policy                                           | Event Type
L3 - IP | IP Reputation Pre-Processor                               | Security Intelligence (Access Control Policy)    | Security Intelligence Events
L2 - L7 | Intrusion Prevention (Snort)                              | Intrusion Policy                                 | Intrusion Events
L2 - L7 | Network Discovery                                         | Network Discovery Policy                         | Discovery Events, User Activity, Connection Events, Host Profiles, Servers, Applications, Vulnerabilities
L3      | DNS Sinkhole Processor                                    | DNS Policy                                       | Connection Events
File    | File Detection Processor                                  | File Policy                                      | File Events
L3 - L7 | SSL                                                       | SSL Policy                                       | Connection Events
L4 - L7 | Application Detection (AppID)                             | Network Discovery Policy / Access Control Policy | Application Detail Events
L4 - L7 | URL Filter                                                | Access Control Policy                            | Connection Events
Files   | Advanced Malware Protection (AMP) (Sandbox, Cloud Lookup) | File Policy                                      | Malware Events, File Trajectory
123 Event Sources to Events (Reference)
Event tables: Security Intelligence, Connection, Intrusion, Detection, File, Malware, User
Sources feeding them: Security Intelligence, Normalization Pre-Processors, SSL Decryption, App Detection, App Control, Network Detection, Non-Authenticated User Activity, User Activity from AD, URL Filter, File Detection, AMP Engine, AMP Endpoint Cloud, Snort (IPS)
Reference data used for enrichment: Geo IP Db, URL Rep Db, User Db (from AD)
124 Correlating Event Data (Reference)
A correlation rule fires when one of these occurs:
- Intrusion Event
- Discovery Event
- Connection Event
- Host Input Event
- User Activity
- Traffic Profile Changes
- Malware Event
Its conditions can draw on:
- Flow and connection conditions over time or volume
- Data from the User table (name, group info, etc.)
- Data from Host Profiles
125 Custom Table Matrix (Reference)
Tables that can be combined into a custom table (the matrix lists each table on both axes and marks the pairs that can be joined): Application Details, Applications, Connection Events, Connection Summary, Correlation Events, Discovery Events, Host Attributes, Hosts, Indications of Compromise, Intrusion Events, Sec. Int. Events, Servers, White List Events
Enhanced Threat Detection, Investigation, and Response What s new in Cisco Stealthwatch Enterprise Release 6.10.2 Cisco Stealthwatch Enterprise is a comprehensive visibility and security analytics solution
More information