A Deep Dive into the Firepower Manager

Size: px

Start display at page:

Download "A Deep Dive into the Firepower Manager"

Adam Glenn
5 years ago
Views:

2 A Deep Dive into the Firepower Manager William Young, Security Solutions BRKSEC-2058

Just some Security Guy William Young Security Solutions Architect, Cisco 26 Years in Security 13 Years working with Sourcefire / Firepower Focus areas: Security Operations

3 Just some Security Guy William Young Security Solutions Architect, Cisco 26 Years in Security 13 Years working with Sourcefire / Firepower Focus areas: Security Operations Policy & Compliance Threat Forensics and Investigation Hacker: Or just some guy that breaks stuff BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 4

Cisco Firepower Sessions: Building Blocks BRKSEC-2056 Threat

Firepower NGFW typical deployment scenarios Tuesday 14:15

Tuesday 16:45 BRKSEC-3032 NGFW Clustering Deep Dive Wednesday

BRKSEC-3455 Dissecting Firepower NGFW (FTD+FPS) Friday 9:00

4 Cisco Firepower Sessions: Building Blocks BRKSEC-2056 Threat Centric Network Security Tuesday 11:15 BRKSEC-2050 ASA Firepower NGFW typical deployment scenarios Tuesday 14:15 BRKSEC-2058 A Deep Dive into using the Firepower Manager Tuesday 16:45 BRKSEC-3032 NGFW Clustering Deep Dive Wednesday 9:00 BRKSEC-3035 Firepower Platform Deep Dive Thursday 9:00 BRKSEC-3455 Dissecting Firepower NGFW (FTD+FPS) Friday 9:00 BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 5

5 Agenda Introduction Understanding Events in the Firepower Management Center Walking through a Breach Security Automation (Orchestration) Recommended Rules Correlation Rules Automating Remediation (Remediation API) Reporting Matters Workflows Custom Tables Leveraging the Dashboard Close

6 Do you really know Firepower Manager? More than just: A policy configuration tool for NGFW / NGIPS A quick way to see the context / composition of your network A tool to check-on your intrusion events BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 7

Creating a deeper value than just threat protection Firepower Management Center (FMC) manages threat detection. It also: Puts threat into context within YOUR unique network.

7 Creating a deeper value than just threat protection Firepower Management Center (FMC) manages threat detection. It also: Puts threat into context within YOUR unique network. Provides actionable security, network, and business data Can allow Security to come out of the Dog House by supporting multiple business outcomes Create automation in your threat hunting Bend itself to your organization s workflow or automate that workflow. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 8

8 Key Takeaways At the end of the session, will start to: understand how automatic correlation REALLY works. Impact Flags & Indications of Compromise (IOCs). know which security events need to be investigated first, and why. begin using correlation policies and system APIs to automate your security workflow understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise. Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 9

9 Understanding Events in the Firepower Management Center Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close

Visual Guide to Firepower Event Sources Security Intelligence

Application Detection Network Discovery Identity File

Connection Events Discovery Events Intrusion Events User

Supplemental Data Geo IP Data CVE / Vuln Data IP Reputation

Info File Trajectory Host Profiles Host Attributes

11 Visual Guide to Firepower Event Sources Security Intelligence Traffic Normalization DNS Sinkhole SSL Decrypt URL Application Detection Network Discovery Identity File Detection AMP IPS Engine (Snort ) Security Intelligence Connection Events Discovery Events Intrusion Events User Activity File Events Malware Events AMP 4 Endpoints Supplemental Data Geo IP Data CVE / Vuln Data IP Reputation Data URL Data Servers Applications Application Details File Info File Trajectory Host Profiles Host Attributes Indications of Compromise BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 12

Indications of Compromise Leverages correlation of multiple event types, such as: Impact 1 & 2 events CNC connection events (IPS) Compromise events (IPS) Security Intelligence Events AMP for Endpoint

12 Indications of Compromise Leverages correlation of multiple event types, such as: Impact 1 & 2 events CNC connection events (IPS) Compromise events (IPS) Security Intelligence Events AMP for Endpoint Events AMP for Network Includes some file events Built in Cisco correlation rules Goal: 1. FIX THIS NOW 2. What needs to be fixed 3. How to fix BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 13

TCP based respond to connections UDP based initiate UDP packets Applications (generally TCP) detected

Snort rules use variables to determine directionality $EXTERNAL_NET -> $HOME_NET (inbound) $HOME_NET ->

false positives IPS events are generated when sessions ARE THROUGH the perimeter TCP request responds map

13 What makes an Intrusion Event (state established) Structure and Content Testing What makes a Host Profile Passive data collection (network packet analysis) State table based on Discovery Events Server Services: TCP based respond to connections UDP based initiate UDP packets Applications (generally TCP) detected during session initiation from host. Snort rules use variables to determine directionality $EXTERNAL_NET -> $HOME_NET (inbound) $HOME_NET -> $EXTERNAL_NET (outbound) TCP based events from the Snort Engine are based on ESTABLISHED sessions Reduces false positives IPS events are generated when sessions ARE THROUGH the perimeter TCP request responds map to Server Port UDP request sent map to Server Port Understanding directionality is key to Impact Flags BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 14

Protocol (TCP/UDP) Source / Destination Port IP Address User IDs Protocols Server Side Ports 4 3 Good information host is

port not open or protocol not in use Service Snort ID IOC: Predefined Impact Client Side Ports Services Client / Server

15 Understanding Impact Flags Intrusion Events Host Profile Impact Flag Action Why Source / Destination IP [Outside Profile Range] [Host not yet profiled] 0 General info Event outside profiled networks Event occurred outside profiled networks Protocol (TCP/UDP) Source / Destination Port IP Address User IDs Protocols Server Side Ports 4 3 Good information host is currently not known Good information event may not have connected Previously unseen host within monitored network Relevant port not open or protocol not in use Service Snort ID IOC: Predefined Impact Client Side Ports Services Client / Server Apps Operating System Potential Vulnerabilities CVE 2 1 Worth investigation. Host exposed. Act immediately. Host vulnerable or compromised. Relevant port or protocol in use but no vuln mapped Host vulnerable to attack or showing an IOC. If you have a fully profiled network this may be a critical event! BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 16

Unique Events: Correlation & White List Events FMC Events Correlation Rules Correlation

multiple event databases within the FMC.

16 Unique Events: Correlation & White List Events FMC Events Correlation Rules Correlation Events Correlation Events: Internal events based on boolean conditions within and across multiple event databases within the FMC. [Tip: Correlation Rules can monitor changes in flow!] Discovery Events Host Profile Changes White List Events White List Events: Internal events based on changes to individual or grouped host Profiles First step in creating automated response! BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 17

17 Walking through a breach Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close

19 Stages of Incident Handling SANS Institute Preparation Containment Eradication Recovery Lessons Learned Decide on which events to focus on first Identification BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 20

20 Stages of Incident Handling SANS Institute Preparation Containment Eradication Recovery Lessons Learned Identification Decide on which events to focus on first Drill into a specific event BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 21

21 Stages of Incident Handling SANS Institute Preparation Containment Eradication Recovery Lessons Learned Identification Decide on which events to focus on first Drill into a specific event Validate the breach Leverage documentation Leverage additional forensics BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 22

22 Stages of Incident Handling SANS Institute Preparation Containment Eradication Recovery Lessons Learned Identification Decide on which events to focus on first Drill into a specific event Validate the breach Leverage documentation Leverage additional forensics Explore your remediation options BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 23

23 Stages of Incident Handling SANS Institute Preparation Containment Eradication Recovery Lessons Learned Identification Decide on which events to focus on first Drill into a specific event Validate the breach Leverage documentation Leverage additional forensics Explore your remediation options Remediate BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 24

24 Stages of Incident Handling SANS Institute Preparation Containment Eradication Recovery Lessons Learned Identification Decide on which events to focus on first Drill into a specific event Validate the breach Leverage documentation Leverage additional forensics Explore your remediation options Remediate Automate as many decisions or actions as possible. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 25

Under Attack Research & Tuning Indication of Compromise Impact 0 Impact 1 Impact 3 (then 2) Impact 4 Not

25 Order of Investigation Goal: Getting to Remediation Remediation Incident Response Data Collection Critical Assets You ve been Owned! Under Attack Research & Tuning Indication of Compromise Impact 0 Impact 1 Impact 3 (then 2) Impact 4 Not Blocked Internal Source External Source Dropped Correlation Rules may vary based on corporate priority BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 26

POP QUIZ: Where do I start my Investigation?

Explorer BRKSEC-2058 2017 Cisco and/or its

transfer CNC Connected Events Shell Code Executed Impact 1 (these were probably blocked) Impact 2 (these were probably

27 This is what most of our networks look like. Some ways to choose Look for Malware Executed (Endpoint AMP) Dropper Infection (Endpoint AMP) Threat detected in file transfer CNC Connected Events Shell Code Executed Impact 1 (these were probably blocked) Impact 2 (these were probably blocked) THEME: Start with what is compromised first. From the FMC Context Explorer Let s see what these 63 events are all about. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 28

Digging into the IOC Seems active across 6 hosts. Let s drill into one.

30 Looks like Kim Ralls has a lot going on her Windows host. Events from multiple sources: IPS Engine File Protection AMP for Networks 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

35 .147 Tried to send the file 5 times.147 was sent the file once IPS blocked it! (yeah) What does Impact 4 mean? Should we investigate more? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 36

Yep. That file is malware We see it in the malware summary, too.

38 A lot more than the 6 file transfers and hosts the IPS engine stopped. Good thing they have AMP for Endpoints, too. Bet they wished they enabled quarantining. Problem scoped. Time to remediate. Maybe a good time to look at file analysis / Threatgrid to learn what other artifacts are left behind. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 39

Try to tell the whole story and find every part of the issue.

Bet they wished they enabled quarantining. Problem scoped. Time to remediate.

39 A lot more than the 6 file transfers and hosts the IPS engine stopped. Take Away Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue. Good thing they have AMP for Endpoints, too. Bet they wished they enabled quarantining. Problem scoped. Time to remediate. Maybe a good time to look at file analysis / Threatgrid to learn what other artifacts are left behind. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 40

43 Looking at an Impact 3 Attempt Source IP: all internal, Destination IP: all external Impact 3: no Host Profiles for external hosts BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 44

44 Looking at an Impact 3 Attempt Source IP: all internal, Destination IP: all external Impact 3: no Host Profiles for external hosts Sourced from my Network = I m the attacker? = Indication of Compromise BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 45

45 Looking at an Impact 3 Attempt Source IP: all internal, Destination IP: all external Impact 3: no Host Profiles for external hosts Sourced from my Network = I m the attacker? = Indication of Compromise TCP detection: means established connection BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 46

46 Looking at an Impact 3 Attempt Source IP: all internal, Destination IP: all external Impact 3: no Host Profiles for external hosts Sourced from my Network = I m the attacker? = Indication of Compromise TCP detection: means established connection These hosts definitely launched an attack. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 47

47 Looking at an Impact 3 Attempt Source IP: all internal, Destination IP: all external Impact 3: no Host Profiles for external hosts Sourced from my Network = I m the attacker? = Indication of Compromise TCP detection: means established connection These hosts definitely launched an attack. Next Step: Focus on the Source Host. Probably compromised. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 48

Looking at an Impact 3 Attempt Source IP: all internal, Destination IP: all external Impact 3: no Host Profiles for external hosts Sourced from my Network = I m the attacker?

48 Looking at an Impact 3 Attempt Source IP: all internal, Destination IP: all external Impact 3: no Host Profiles for external hosts Sourced from my Network = I m the attacker? = Indication of Compromise TCP detection: means established connection These hosts definitely launched an attack. Next Step: Focus on the Source Host. Probably compromised. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 49

Mission/Op Critical Correlation IOCs, Impact Flags Check all the related data.

51 Breached? Follow an Order of Operations Multiple Event Vectors IPS, Malware, Connection, File, Trajectory, DNS, Context Mission/Op Critical Correlation IOCs, Impact Flags Check all the related data. Leverage Rule Documentation See the big story : Packet not always necessary Build a complete timeline tell a story. Event Directionality Protocol: TCP / UDP? BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 52

52 Automating Security Work Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close

53 Recommended Rules Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Workflows Correlation Rules Remediation API Custom Tables The Dashboard Close

54 False Negatives ensure your NOT protected Too many exploits succeed because: Systems aren t patched Detections aren t enabled Attackers succeed with old exploits Verizon Data Breach Report(s) Cisco Annual Security Report(s) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 55

55 False Negatives ensure your NOT protected Too many exploits succeed because: Systems aren t patched Detections aren t enabled Attackers succeed with old exploits Verizon Data Breach Report(s) Cisco Annual Security Report(s) Cause Event Overload! Tuning Failures Detections Disabled Resolution Impact Analysis Understanding Detection Tools Knowing What Needs Protection BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 56

56 False Negatives ensure your NOT protected Too many exploits succeed because: Systems aren t patched Detections aren t enabled Attackers succeed with old exploits Verizon Data Breach Report(s) Cisco Annual Security Report(s) Cause Event Overload! Tuning Failures Detections Disabled Resolution Impact Analysis Understanding Detection Tools Knowing What Needs Protection BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 57

False Negatives ensure your NOT protected Too many exploits succeed because: Systems aren t patched Detections aren t enabled Attackers succeed with old exploits Verizon Data Breach Report(s) Cisco

57 False Negatives ensure your NOT protected Too many exploits succeed because: Systems aren t patched Detections aren t enabled Attackers succeed with old exploits Verizon Data Breach Report(s) Cisco Annual Security Report(s) Cause Event Overload! Tuning Failures Detections Disabled Resolution Impact Analysis Understanding Detection Tools Knowing What Needs Protection BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 58

Firepower Recommendations Knows what I Do Not BRKSEC-2058 2017

Recommended Rules How it works Snort Rules SVID Possible Vuln SID: 24671, 32361 Integer Overflow in

59 Recommended Rules How it works Snort Rules SVID Possible Vuln SID: 24671, Integer Overflow in Windows Remote exploit CVE: Remotely exploitable vulnerability SID: BLACKLIST: Connection to a malware sinkhole. Detection of behavior that comes from a compromised host or one that is about to be compromised. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 60

Recommended Rules the details alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"browser-ie ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.

drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.

60 Recommended Rules the details alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"browser-ie ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:" 55 8B EC 6A FF 68 A A EC 0C A1 20 B C F "; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve, ; reference:url,technet.microsoft.com/enus/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; ) Rule that will map to Recommended Rules Not all rules have a CVE! alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"blacklist Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"sinkholed by abuse.ch 0A "; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/sinkhole_server; classtype:trojan-activity; sid:33306; rev:1; ) Rules disabling by default Some rules will turned off by Recommended Rules BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 61

Recommended Rules alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"browser-ie ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.

61 Recommended Rules alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"browser-ie ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:" 55 8B EC 6A FF 68 A A EC 0C A1 20 B C F "; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve, ; reference:url,technet.microsoft.com/enus/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; ) Rule that will map to Recommended Rules alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"blacklist Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"sinkholed by abuse.ch 0A "; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/sinkhole_server; classtype:trojan-activity; sid:33306; rev:1; ) Some rules will ALWAYS be turned off by Recommended Rules You may want to uncheck this. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 62

62 Correlation Rules Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close

63 Correlation Rules / Correlation Policy 100,000 events 5,000 events 500 events 100 events 20 events Correlation Rules allow for BOOLEAN decisions on one or more sets of data within the Firepower console. Rules can then lead to Actions such as: , Syslog, SNMP events or remediation actions. Correlation Policy Correlation Rule Correlation Rule Correlation Event Action 10 events 3 Events Syslog SNMP Remediation Module 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Correlation Rules / Correlation Policy Value: Automate Security Decisions Track Business Outcome

20 events Correlation Rules allow for BOOLEAN decisions on one or more sets of data within the

Rules can then lead to Actions such as: Email, Syslog, SNMP events or remediation actions.

64 Correlation Rules / Correlation Policy Value: Automate Security Decisions Track Business Outcome Trigger Automated Response to specific conditions 100,000 events 5,000 events 500 events 100 events 20 events Correlation Rules allow for BOOLEAN decisions on one or more sets of data within the Firepower console. Rules can then lead to Actions such as: , Syslog, SNMP events or remediation actions. Correlation Policy Correlation Rule Correlation Rule Correlation Event Action 10 events 3 Events Syslog SNMP Remediation Module 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Sample Correlation Rule Correlation Rule to: Ensure only HTTPS traffic is used on port 443 Ensure traffic is initiated by a Host within a defined Location (host Attribute) is POS Ensure the

67 Sample Correlation Rule Correlation Rule to: Ensure only HTTPS traffic is used on port 443 Ensure traffic is initiated by a Host within a defined Location (host Attribute) is POS Ensure the HTTPS traffic from the POS host is received on hosts in the PCI network. Any traffic outside this profile will generate an event Cisco and/or its affiliates. All rights reserved. Cisco Public

Correlation Rule example: Production Network Change 2017

example: Production Network Change is exfiltrating traffic

70 Some Correlations Rules To Drive Action If an Intrusion Event occurs... A N D O R O R O R Impact Flag is 3 - Yellow Impact Flag is 4 - Blue Source IP is in /16 Source IP is in /8 Source IP is in /12 Destination IP is not in /16 Destination IP is not in /8 Destination IP is not in /12 You have a compromised host attacking systems off your network. If a Malware Event occurs by retrospective network-based malware detection O R O R O R Sending IP is in /16 Sending IP is in /8 Sending IP is in /12 Receiving IP is in /16 Receiving IP is in /8 Receiving IP is in /12 A recently seen file has been retrospectively determined to be malware! Go Stop it NOW! BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 71

Some Correlations Rules To Drive Action Make it even more actionable based on the file TYPE If a Malware Event occurs by retrospective network-based malware detection O R O R O R Sending IP is in 192.

71 Some Correlations Rules To Drive Action Make it even more actionable based on the file TYPE If a Malware Event occurs by retrospective network-based malware detection O R O R O R Sending IP is in /16 Sending IP is in /8 Sending IP is in /12 Receiving IP is in /16 Receiving IP is in /8 Receiving IP is in /12 A recently seen file has been retrospectively determined to be malware! Go Stop it NOW! Just add another Boolean Condition BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 72

72 Remediation API Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close

Grand Vision for Integration & Firepower Management Firepower

Automating Response Remediation API Intrusion Events Discovery Events User Activity Host Inputs Connection Events Traffic Profiles Malware

Remediation Modules Cisco ISE (pxgrid Mitigation) Guidance Encase Set Host Attributes Security Intelligence Blacklisting Nmap Scan SSH /

74 Automating Response Remediation API Intrusion Events Discovery Events User Activity Host Inputs Connection Events Traffic Profiles Malware Event Boolean Conditions Correlation Rules Correlation Policies Correlation Rules Actions (API, , SNMP) Correlation Events Sample Remediation Modules Cisco ISE (pxgrid Mitigation) Guidance Encase Set Host Attributes Security Intelligence Blacklisting Nmap Scan SSH / Expect Scripts F5 irules Solera DeepSee Netscaler PacketFence Bradford BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 75

75 ISE + Firepower = Rapid Threat Containment 4. Endpoint Assigned Quarantine + CoA-Reauth Sent WWW NGFW i-net 1. Security Events / IOCs Reported Controller FMC MnT 3. pxgrid EPS Action: Quarantine + Re-Auth 2. Correlation Rules Trigger Remediation Action 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

76 Configure Rapid Threat Containment Open the System:Integration page Enter ISE Server details Be sure to configure your certs for the integration ise-1.mynet.com ise-2.mynet.com BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 77

Configure Rapid Threat Containment 2017 Cisco

Configure Rapid Threat Containment Be sure to

Correlation Policy BRKSEC-2058 2017 Cisco and/or

84 Other Tools" in the Firepower Toolkit White Listing Traffic Profiling Event Analysis Toolset Correlation tool to monitor for host profile changes Monitor behavioral changes in traffic conditions Estreamer API Host Input API Remediation API JDBC Connector REST API Programmatic Interfaces Transmit all event data to an external repository (SEIM, event log, edge) Insert data into Host Profiles from external data sources Programmatically initiate actions on external systems. Directly query FMC database (reporting, SEIM queries, etc) REST interface for FMC query, configuration, and NEW! BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 85

85 Reporting Matters Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close

86 Default Reports Not just what s in the templates Dashboard widgets are mini -reports Over 120 preset reports within a widget Create custom Widgets for more Think of the Dashboard as your unlimited report designer. Tools: Searches Custom Workflows Custom Tables = Data goldmine BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 87

87 Event Viewing Tables Listing of events with a data set (IPS, Connection, Malware, etc.) Workflows Customized organization of specific column headers Allows Analysts to go straight to meaningful data Filters Custom Tables Search for specific or generalized matches within event tables Each table can have it s own filters Hundreds of filters pre-installed Customizable Join of two or more individual event tables Aggregate useful data for faster decision making and reporting Has it s own Workflows and Filters BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 88

88 Workflows Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close

A Default Event View BRKSEC-2058 2017 Cisco and/or

Changing the view helps focus analysis BRKSEC-2058 2017

Create a Custom Workflow 2017 Cisco and/or

How it turned out Build on your order of

95 Custom Tables Introduction Understanding Events Walking the Breach Security Automation Reporting Close Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard

Custom Table: Intrusion Event with Host Data Custom tables can even have their own

Custom Table: Intrusion Event with Host Data BRKSEC-2058 2017

Custom Table: Includes Custom Filters BRKSEC-2058 2017 Cisco

103 Custom Table: Includes Custom Filters Tables, Custom Tables, and Filters can also be leveraged on the Dashboard. Just choose the 1 column that is most meaningful. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 104

104 Uses for Tables (standard & custom) and Workflows Having more relevant data on hand when doing event analysis and forensics Reducing the number of clicks to drill into meaningful data Customize prioritization based on local business and security drivers Speed new threat discovery / hunting Combined with Filters allow you to segment information into meaningful chunks, such as: Device functionality Users / Groups Activity / Behavior Trends? Network Zone Country What changed? Operating System Threat Type What s new? Valuable in customizing your dashboard, building reports, documenting compliance. Let the business need feed your creativity. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 105

Examples of possible data to report Security Specific Threats experienced Automated

network New services or applications in use Changes in network behavior OS data Compliance

violation of corporate policy Expanding your reporting to drive business efficiency creates

105 Examples of possible data to report Security Specific Threats experienced Automated Remediations OS s most compromised App Threat Root Cause Operations New systems on the network New services or applications in use Changes in network behavior OS data Compliance PCI, NERC CIP, HIPPA OS Usage User/Group Access behavior App segmentation Hosts in violation of corporate policy Expanding your reporting to drive business efficiency creates a stronger security practice. BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 106

106 Interesting Data for Filtering Potential new Threat List Int. Source IP Threat Destinations Top Sec Int. Events with external Dest. IP List Ext. Source IP List Int. Source IP List Int. Source IP List Int. Source IP Top File Sources Top External Source IPs for files Executable Exfil Internal IPs that send files to External Address (esp. exe, jar, pdf, doc, archive, etc.) Odd URLs Internal IPs connecting to URL Categories of concern Retrospective Internal IP addresses Associated with Retrospective Malware List Int. Source IP List Int. Source IP List Int. Source IP DNS Internal IPs generating DNS Sinkhole Events Bad SSL Internal IPs using invalid SSL Certs to external IP Correlation Events Internal IPs sourcing Correlation Events Processes Introducing Malware (prebuilt in FMC, requires AMP 4 Endpoints) Invalid App Usage Internal IPs using Apps on nonstandard protocols * Create Correlation Rules * Leverage Open AppID 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 107

107 Leveraging the Dashboard Introduction Understanding Events Walking the Breach Security Automation Reporting Close Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard

108 Customize The Dashboard There are a number of default dashboards All of them have customizable widgets Create / Customize your own for better visibility and report designs BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 109

Customize The Dashboard This is your most powerful widget BRKSEC-2058

Dashboards That Meet Your Needs Threat Focused 2017

Dashboards That Meet Your Needs Network Focused BRKSEC-2058 2017

Build Reports Straight from the Dashboard BRKSEC-2058 2017

114 Closing Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close

115 Key Takeaways By now you hopefully: Have a better understanding of how automated event analysis happens Impact Flags & Indications of Compromise (IOCs). Have a better strategy for examining a security breach. Be able to leverage correlation policies and system APIs to create meaningful security automation. Understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise. Introduction Understanding Events Walking the Breach Security Automation Reporting Recommended Rules Correlation Rules Remediation API Workflows Custom Tables The Dashboard Close BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 116

Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday)

116 Complete Your Online Session Evaluation Please complete your Online Session Evaluations after each session Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt All surveys can be completed via the Cisco Live Mobile App or the Communication Stations Please leave comments! (and your if you want a response) Don t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 117

117 Continue Your Education Demos in the Cisco campus Walk-in Self-Paced Labs Lunch & Learn Meet the Engineer 1:1 meetings Related sessions Presentation ID 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 118

118 Call to Action Firepower Management Center can be the center of your security operations. Look at FMC as security automation framework. FMC s real value is in how it can merge security operations and business outcome. Look for cross product integration to strengthen FMC s value. Be creative in creating solutions. Look beyond IPS or Threat Protection opportunities. The more you understand about your organization s security practices and business outcome needs, the more you ll find you can deliver with Firepower Management Center. Check out Firepower more at the World of Solutions! What can you make it do?! BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 119

119 Thank You And remember to fill out your surveys!

120

121 Reference Slides

122 Event Source to Event Type Engine Policy Event Type (Reference) L3 - IP IP Reputation Pre-Processor Security Intelligence (Access Control Policy) Security Intelligence Events L2 L7 Intrusion Prevention (Snort ) Intrusion Policy Intrusion Events L2 L7 Network Discovery Network Discovery Policy Discovery Events, User Activity, Connection Events, Host Profiles, Servers, Applications, Vulnerabilities L3 DNS Sinkhole Processor DNS Policy Connection Events File File Detection Processor File Policy File Events L3-L7 SSL SSL Policy Connection Events L4-L7 Application Detection (AppID) Network Discovery Policy / Access Control Policy Application Detail Events L4-L7 URL Filter Access Control Policy Connection Events Files Advanced Malware Protection (AMP) (Sandbox, Cloud Lookup) File Policy Malware Events, File Trajectory BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 123

123 Event Sources to Events (Reference) Source / Event Table Security Intelligence Connection Intrusion Detection File Malware User Security Intelligence Normalization Pre-Processors SSL Decryption App Detection App Control Network Detection Non-Auth User Act. User Activity from AD URL Filter File Detection AMP Engine AMP Endpoint Cloud Sort (IPS) Reference Data Geo IP Db URL Rep Db User Db (from AD) BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 124

124 Correlating Event Data Flow and connection conditions over time or volume. Data from User Table (name, group info, etc) Data from Host Profiles (Reference) When a Intrusion Event Discovery Event Connection Event Host Input Event User Activity Occurs Traffic Profile Changes Malware Event BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 125

125 Custom Table Matrix (reference) Applicatio n Details Applications Connection Events Connection Summary Correlation Events Discovery Events Host Attributes Hosts Indications of Compromise Application Details Applications Connection Events Connection Summary Correlation Events Discovery Events Host Attributes Hosts Indications of Compromise Intrusion Events Sec. Int. Events Intrusion Events Servers Sec. Int. Events Servers White List Events White List Events BRKSEC Cisco and/or its affiliates. All rights reserved. Cisco Public 126

Sourcefire Network Security Analytics: Finding the Needle in the Haystack

Sourcefire Network Security Analytics: Finding the Needle in the Haystack Mark Pretty Consulting Systems Engineer #clmel Agenda Introduction The Sourcefire Solution Real-time Analytics On-Demand Analytics