A Deep Dive into the Firepower Manager


A Deep Dive into the Firepower Manager
William Young, Security Solutions Architect, willyou@cisco.com, @WilliamDYoung
BRKSEC-2058

Just some Security Guy
William Young, Security Solutions Architect, Cisco
- 26 years in security
- 13 years working with Sourcefire / Firepower
- Focus areas: Security Operations; Policy & Compliance; Threat Forensics and Investigation
- Hacker: or just some guy that breaks stuff
BRKSEC-2058 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4

Cisco Firepower Sessions: Building Blocks
- BRKSEC-2056 Threat Centric Network Security, Tuesday 11:15
- BRKSEC-2050 ASA Firepower NGFW typical deployment scenarios, Tuesday 14:15
- BRKSEC-2058 A Deep Dive into using the Firepower Manager, Tuesday 16:45
- BRKSEC-3032 NGFW Clustering Deep Dive, Wednesday 9:00
- BRKSEC-3035 Firepower Platform Deep Dive, Thursday 9:00
- BRKSEC-3455 Dissecting Firepower NGFW (FTD+FPS), Friday 9:00

Agenda
- Introduction
- Understanding Events in the Firepower Management Center
- Walking through a Breach
- Security Automation (Orchestration): Recommended Rules, Correlation Rules, Automating Remediation (Remediation API)
- Reporting Matters: Workflows, Custom Tables, Leveraging the Dashboard
- Close

Do you really know Firepower Manager?
It is more than just:
- A policy configuration tool for NGFW / NGIPS
- A quick way to see the context / composition of your network
- A tool to check on your intrusion events

Creating a deeper value than just threat protection
Firepower Management Center (FMC) manages threat detection. It also:
- Puts threats into context within YOUR unique network
- Provides actionable security, network, and business data
- Can allow Security to come out of the dog house by supporting multiple business outcomes
- Creates automation in your threat hunting
- Bends itself to your organization's workflow, or automates that workflow

Key Takeaways
At the end of the session, you will start to:
- understand how automatic correlation REALLY works: Impact Flags & Indications of Compromise (IOCs)
- know which security events need to be investigated first, and why
- begin using correlation policies and system APIs to automate your security workflow
- understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise

Understanding Events in the Firepower Management Center

Event Source Matters: understanding data vs. misunderstood data

Visual Guide to Firepower Event Sources
- Sources: Security Intelligence, Traffic Normalization, DNS Sinkhole, SSL Decrypt, URL, Application Detection, Network Discovery, Identity, File Detection, AMP, IPS Engine (Snort)
- Events: Security Intelligence, Connection Events, Discovery Events, Intrusion Events, User Activity, File Events, Malware Events, AMP for Endpoints
- Supplemental Data: Geo IP data, CVE / vulnerability data, IP reputation data, URL data
- Derived data: Servers, Applications, Application Details, File Info, File Trajectory, Host Profiles, Host Attributes, Indications of Compromise

Indications of Compromise
Leverages correlation of multiple event types, such as:
- Impact 1 & 2 events
- CNC connection events (IPS)
- Compromise events (IPS)
- Security Intelligence events
- AMP for Endpoints events
- AMP for Networks (includes some file events)
- Built-in Cisco correlation rules
Goal:
1. FIX THIS NOW
2. What needs to be fixed
3. How to fix

What makes an Intrusion Event (state established)
- Structure and content testing
- Snort rules use variables to determine directionality: $EXTERNAL_NET -> $HOME_NET (inbound), $HOME_NET -> $EXTERNAL_NET (outbound)
- TCP-based events from the Snort engine are based on ESTABLISHED sessions; this reduces false positives
- IPS events are generated when sessions ARE THROUGH the perimeter
What makes a Host Profile
- Passive data collection (network packet analysis)
- State table based on Discovery Events
- Server services: TCP-based respond to connections; UDP-based initiate UDP packets
- Applications (generally TCP) are detected during session initiation from the host
- TCP request responses map to the server port; UDP requests sent map to the server port
Understanding directionality is key to Impact Flags

The Host Profile: Endpoint Context (Applications)

Understanding Impact Flags
Intrusion event fields used: source / destination IP, protocol (TCP/UDP), source / destination port, service, Snort ID, IOC (predefined impact).
Host profile fields used: IP address, user IDs, protocols, server-side ports, client-side ports, services, client / server apps, operating system, potential vulnerabilities (CVE).
- Impact 0 (general info): event occurred outside profiled networks (source / destination IP outside profile range).
- Impact 4 (good information, host is currently not known): previously unseen host within a monitored network (host not yet profiled).
- Impact 3 (good information, event may not have connected): relevant port not open or protocol not in use.
- Impact 2 (worth investigation, host exposed): relevant port or protocol in use but no vulnerability mapped.
- Impact 1 (act immediately, host vulnerable or compromised): host vulnerable to the attack or showing an IOC. If you have a fully profiled network this may be a critical event!
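The flag assignment above, as an added example (not Cisco code): the FMC decision is modelled against a constructed host-profile table and constructed intrusion events, assuming that the rule's directionality makes the destination IP the attacked host and that 10.0.0.0/8 and 192.168.0.0/16 are the networks the discovery policy profiles. The triage order extends the session's "compromised first, Impact 3 then 2" guidance with an assumed placement of Impact 4 and 0 at the end.

```python
"""Impact flag assignment modelled on the "Understanding Impact Flags" table.
Added example, not Cisco code: the FMC logic is reproduced with a constructed
host-profile table and constructed intrusion events."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Networks the (assumed) network discovery policy profiles.
MONITORED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.0.0/16")]


@dataclass
class HostProfile:
    """Subset of a host profile: open server ports per protocol, mapped CVEs, IOC state."""
    server_ports: Dict[str, Set[int]] = field(default_factory=dict)
    vulns: Set[str] = field(default_factory=set)   # CVEs the host is mapped to
    ioc: bool = False                              # host currently shows an IOC


@dataclass
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    proto: str                 # "tcp" or "udp"
    server_port: int           # server-side port the rule fired on
    cve: Optional[str] = None  # CVE referenced by the Snort rule, if any
    sid: int = 0               # 0 = constructed event not tied to a slide rule


def in_monitored(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MONITORED_NETS)


def impact_flag(ev: IntrusionEvent, hosts: Dict[str, HostProfile]) -> int:
    """Return the impact flag (0-4) for one event.

    Assumption: the rule's directionality makes dst_ip the attacked host
    ($EXTERNAL_NET -> $HOME_NET), so its host profile is what the flag is
    computed against."""
    if not in_monitored(ev.dst_ip):
        return 0      # event occurred outside profiled networks: general info
    prof = hosts.get(ev.dst_ip)
    if prof is None:
        return 4      # previously unseen host inside a monitored network
    if prof.ioc or (ev.cve is not None and ev.cve in prof.vulns):
        return 1      # host vulnerable to this attack, or showing an IOC
    if ev.server_port not in prof.server_ports.get(ev.proto, set()):
        return 3      # relevant port not open / protocol not in use
    return 2          # port and protocol in use but no vulnerability mapped


# Triage order: compromised first, then "Impact 3 (then 2)"; the position of
# 4 and 0 at the end is an assumption.
TRIAGE_ORDER = {1: 0, 3: 1, 2: 2, 4: 3, 0: 4}


def triage(events: List[IntrusionEvent], hosts: Dict[str, HostProfile]):
    """Tag each event with its flag and return them in investigation order."""
    flagged = [(impact_flag(ev, hosts), ev) for ev in events]
    return sorted(flagged, key=lambda pair: TRIAGE_ORDER[pair[0]])


# Constructed host profiles and events (RFC 1918 and documentation addresses).
# SIDs 24671 (CVE-2012-1528) and 32265 (CVE-2014-4123) are the ones on the slides.
HOSTS = {
    "10.1.1.5": HostProfile({"tcp": {80, 445}}, {"CVE-2012-1528"}),
    "10.1.1.7": HostProfile({"tcp": {22}}),
    "10.1.1.9": HostProfile({"tcp": {80}}, ioc=True),
}
EVENTS = [
    IntrusionEvent("203.0.113.10", "10.1.1.5", "tcp", 445, "CVE-2012-1528", 24671),
    IntrusionEvent("203.0.113.10", "10.1.1.5", "tcp", 80, "CVE-2014-4123", 32265),
    IntrusionEvent("203.0.113.10", "10.1.1.7", "tcp", 80, "CVE-2014-4123", 32265),
    IntrusionEvent("203.0.113.10", "10.1.1.12", "tcp", 80),
    IntrusionEvent("10.1.1.7", "198.51.100.4", "tcp", 443),
    IntrusionEvent("203.0.113.10", "10.1.1.9", "tcp", 80),
]

if __name__ == "__main__":
    for flag, ev in triage(EVENTS, HOSTS):
        print(f"impact {flag}: sid {ev.sid} {ev.src_ip} -> "
              f"{ev.dst_ip}:{ev.server_port}/{ev.proto}")
```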

Unique Events: Correlation & White List Events
- Correlation Events (FMC events -> Correlation Rules -> Correlation Events): internal events based on boolean conditions within and across multiple event databases within the FMC. [Tip: Correlation Rules can monitor changes in flow!]
- White List Events (Discovery Events -> Host Profile changes -> White List Events): internal events based on changes to individual or grouped host profiles.
First step in creating automated response!

Walking through a breach


Stages of Incident Handling (SANS Institute): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
Identification, step by step:
- Decide which events to focus on first
- Drill into a specific event
- Validate the breach: leverage documentation, leverage additional forensics
- Explore your remediation options
- Remediate
- Automate as many decisions or actions as possible

Order of Investigation. Goal: getting to remediation.
- Tiers: You've been owned! / Under attack / Research & tuning
- Activities: Remediation, Incident Response, Data Collection, Critical Assets
- Event categories: Indication of Compromise, Impact 0, Impact 1, Impact 3 (then 2), Impact 4
- Other factors: not blocked vs. dropped; internal source vs. external source
Correlation rules may vary based on corporate priority.

POP QUIZ: Where do I start my investigation?
- From the FMC Dashboard
- From the FMC Context Explorer

This is what most of our networks look like (from the FMC Context Explorer).
Some ways to choose:
- Look for Malware Executed (Endpoint AMP)
- Dropper Infection (Endpoint AMP)
- Threat detected in file transfer
- CNC Connected events
- Shell Code Executed
- Impact 1 (these were probably blocked)
- Impact 2 (these were probably blocked)
THEME: Start with what is compromised first.
Let's see what these 63 events are all about.

Drilling into the IOC: busy event. Looks like we're getting more.

Digging into the IOC: seems active across 6 hosts. Let's drill into one.

Looks like Kim Ralls has a lot going on on her Windows host. Events from multiple sources: IPS Engine, File Protection, AMP for Networks.


.147 tried to send the file 5 times. .147 was sent the file once. IPS blocked it! (yeah)
What does Impact 4 mean? Should we investigate more?

Did you forget about these? Let's see if that file moved around without the IPS seeing it.

Yep. That file is malware. We see it in the malware summary, too.


A lot more than the 6 file transfers and hosts the IPS engine stopped.
Good thing they have AMP for Endpoints, too. Bet they wished they had enabled quarantining.
Problem scoped. Time to remediate. Maybe a good time to look at file analysis / Threat Grid to learn what other artifacts are left behind.
Take Away: Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.


Looking at an Impact 3 Attempt
- Source IP: all internal
- Destination IP: all external
- Impact 3: no host profiles for external hosts
- Sourced from my network = I'm the attacker? = Indication of Compromise
- TCP detection: means established connection
- These hosts definitely launched an attack.
Next step: focus on the source host. Probably compromised.


Assessment: This has to be stopped!

Breached? Follow an Order of Operations
- Multiple event vectors: IPS, Malware, Connection, File, Trajectory, DNS, Context
- Mission / op critical: correlation, IOCs, Impact Flags
- Check all the related data. Leverage rule documentation.
- See the big story: the packet is not always necessary. Build a complete timeline; tell a story.
- Event directionality. Protocol: TCP / UDP?

Automating Security Work

Recommended Rules


False Negatives ensure you're NOT protected
Too many exploits succeed because:
- Systems aren't patched
- Detections aren't enabled
- Attackers succeed with old exploits (Verizon Data Breach Report(s), Cisco Annual Security Report(s))
Cause: event overload! Tuning failures. Detections disabled.
Resolution: impact analysis, understanding detection tools, knowing what needs protection.

Firepower Recommendations: knows what I do not

Recommended Rules: how it works
Snort rules are mapped to possible vulnerabilities (SVID):
- SID 24671, 32361 (Integer Overflow in Windows, remote exploit) -> SVID 99675, CVE-2012-1528, remotely exploitable vulnerability
- SID 33306 (BLACKLIST: Connection to a malware sinkhole) -> detection of behavior that comes from a compromised host or one that is about to be compromised

Recommended Rules: the details
Rule that will map to Recommended Rules (it carries a CVE reference):
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"browser-ie ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:" 55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50 "; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/enus/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )
Not all rules have a CVE! This one does not:
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"blacklist Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"sinkholed by abuse.ch 0A "; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/sinkhole_server; classtype:trojan-activity; sid:33306; rev:1; )
Rules disabled by default: some rules will ALWAYS be turned off by Recommended Rules. You may want to uncheck this.
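To see what the recommendation mapping can and cannot key on, here is an added example (not Cisco or Snort code) that parses the option block of the two rules quoted above and reports the CVE references, impact_flag metadata, policy default actions and flow state. The rule strings are taken from the slide with the hex-content delimiters (|...|) restored, which the transcription dropped; the helper and field names are this example's own.

```python
"""Parse Snort rule options to see what Firepower Recommendations can key on.
Added example, not Cisco or Snort code.  The two rules are the ones quoted on
the slide, with the hex-content delimiters (|...|) restored."""
import re
from typing import Dict, List, Tuple

RULE_32265 = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"browser-ie ActiveX installer '
    'broker object sandbox escape attempt"; flow:to_server,established; '
    'flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 '
    '00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service smtp; '
    'reference:cve,2014-4123; '
    'reference:url,technet.microsoft.com/enus/security/bulletin/ms14-056; '
    'classtype:attempted-user; sid:32265; rev:1; )'
)
RULE_33306 = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"blacklist Connection to malware '
    'sinkhole"; flow:to_client,established; dsize:22; content:"sinkholed by abuse.ch|0A|"; '
    'fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, '
    'policy security-ips drop, service http; '
    'reference:url,en.wikipedia.org/wiki/sinkhole_server; classtype:trojan-activity; '
    'sid:33306; rev:1; )'
)

# action proto src sport dir dst dport ( options )
HEADER = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)


def split_options(body: str) -> List[str]:
    """Split the option body on ';' outside double quotes (a content match
    may legitimately contain ';', so a plain split would break)."""
    parts, cur, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:
            cur.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            cur.append(ch)
        elif ch == ";" and not in_quotes:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    return [p for p in parts + [tail] if p]


def parse_rule(rule: str) -> Tuple[Dict[str, str], Dict[str, object]]:
    """Return (header fields, options); reference and metadata are multi-valued."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort rule")
    names = ("action", "proto", "src", "sport", "dir", "dst", "dport")
    header = dict(zip(names, m.groups()[:7]))
    opts: Dict[str, object] = {"reference": [], "metadata": {}}
    for opt in split_options(m.group(8)):
        key, _, val = opt.partition(":")
        key, val = key.strip(), val.strip()
        if key == "reference":                       # reference:<system>,<id>
            system, _, ident = val.partition(",")
            opts["reference"].append((system.strip(), ident.strip()))
        elif key == "metadata":                      # metadata:key value, key value
            for item in val.split(","):
                k, _, v = item.strip().partition(" ")
                opts["metadata"].setdefault(k, []).append(v.strip())
        else:
            opts[key] = val.strip('"') if val else True   # bare keyword, e.g. file_data
    return header, opts


def recommendation_view(rule: str) -> Dict[str, object]:
    """Fields a vulnerability-based recommendation can use: CVEs (mappable to
    host vulnerabilities), impact_flag metadata, policy drop actions, flow state."""
    header, opts = parse_rule(rule)
    cves = [ident for system, ident in opts["reference"] if system == "cve"]
    flow = str(opts.get("flow", "")).split(",")
    policies = opts["metadata"].get("policy", [])
    return {
        "sid": int(opts["sid"]),
        "msg": opts["msg"],
        "cves": cves,
        "vuln_mappable": bool(cves),            # "Not all rules have a CVE!"
        "impact_flag": opts["metadata"].get("impact_flag", []),
        "drop_in": [p.split()[0] for p in policies if p.endswith(" drop")],
        "established": "established" in flow,   # TCP rules fire on established sessions
        "inbound": header["src"] == "$EXTERNAL_NET",
    }
```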

Correlation Rules


Correlation Rules / Correlation Policy
Value: automate security decisions; track business outcomes; trigger automated response to specific conditions.
Correlation Rules allow for BOOLEAN decisions on one or more sets of data within the Firepower console. Rules can then lead to actions such as: email, syslog, SNMP events or remediation actions.
Funnel within a Correlation Policy: 100,000 events -> 5,000 events -> 500 events -> 100 events -> 20 events -> Correlation Rule -> 10 events -> Correlation Rule -> 3 events -> Correlation Event -> Action (Email, Syslog, SNMP, Remediation Module)

Correlation Rules go into Correlation Policies

Building a Correlation Rule

Sample Correlation Rule
Correlation rule to:
- Ensure only HTTPS traffic is used on port 443
- Ensure traffic is initiated by a host whose Location (host attribute) is POS
- Ensure the HTTPS traffic from the POS host is received on hosts in the PCI network
Any traffic outside this profile will generate an event.

Correlation Rule example: Production Network Change

Correlation Rule example: Production Network Change is exfiltrating traffic

Some Correlation Rules To Drive Action
If an Intrusion Event occurs AND
  (Impact Flag is 3 - Yellow OR Impact Flag is 4 - Blue) AND
  (Source IP is in 192.168.0.0/16 OR Source IP is in 10.0.0.0/8 OR Source IP is in 172.16.0.0/12) AND
  Destination IP is not in 192.168.0.0/16, 10.0.0.0/8 or 172.16.0.0/12
-> You have a compromised host attacking systems off your network.
If a Malware Event occurs by retrospective network-based malware detection AND
  (Sending IP is in 192.168.0.0/16 OR 10.0.0.0/8 OR 172.16.0.0/12 OR Receiving IP is in 192.168.0.0/16 OR 10.0.0.0/8 OR 172.16.0.0/12)
-> A recently seen file has been retrospectively determined to be malware! Go stop it NOW!

Some Correlation Rules To Drive Action: make it even more actionable based on the file TYPE
Same retrospective malware rule (sending or receiving IP in 192.168.0.0/16, 10.0.0.0/8 or 172.16.0.0/12); just add another boolean condition on the file type.
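The two rules from these slides, plus the file-type variant, expressed as composable boolean conditions over FMC-style events. This is an added example, not Cisco code or the FMC rule engine: the event field names, the action names (including "ise_quarantine") and the sample events are constructed for the illustration.

```python
"""Correlation rules as boolean conditions over FMC events, modelled on the
"Some Correlation Rules To Drive Action" slides.  Added example, not Cisco
code; event fields, action names and sample events are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Tuple

Event = Dict[str, Any]
Cond = Callable[[Event], bool]

# The three RFC 1918 ranges OR'd together on the slide.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def ip_in(field_name: str, nets) -> Cond:
    """'<field> is in net1 OR net2 OR net3'."""
    return lambda ev: any(ipaddress.ip_address(ev[field_name]) in n for n in nets)


def not_(cond: Cond) -> Cond:
    return lambda ev: not cond(ev)


def any_of(*conds: Cond) -> Cond:
    return lambda ev: any(c(ev) for c in conds)


def all_of(*conds: Cond) -> Cond:
    return lambda ev: all(c(ev) for c in conds)


def equals(field_name: str, value: Any) -> Cond:
    return lambda ev: ev.get(field_name) == value


def one_of(field_name: str, values) -> Cond:
    return lambda ev: ev.get(field_name) in values


@dataclass
class CorrelationRule:
    name: str
    event_type: str        # the "If an Intrusion/Malware Event occurs" trigger
    condition: Cond
    actions: List[str]     # responses wired to the rule (names are constructed)

    def matches(self, ev: Event) -> bool:
        return ev.get("type") == self.event_type and self.condition(ev)


@dataclass
class CorrelationPolicy:
    rules: List[CorrelationRule] = field(default_factory=list)

    def evaluate(self, ev: Event) -> List[Tuple[str, List[str]]]:
        """One correlation event (rule name, actions) per rule the event satisfies."""
        return [(r.name, r.actions) for r in self.rules if r.matches(ev)]


# Rule 1: impact 3 or 4 intrusion event, internal source, external destination.
COMPROMISED_HOST_ATTACKING_OUT = CorrelationRule(
    "compromised host attacking systems off your network", "intrusion",
    all_of(one_of("impact_flag", {3, 4}),
           ip_in("src_ip", INTERNAL),
           not_(ip_in("dst_ip", INTERNAL))),
    ["email", "syslog", "ise_quarantine"])

# Rule 2: retrospective network-based malware detection touching an internal host.
RETRO_MALWARE = CorrelationRule(
    "recently seen file retrospectively determined to be malware", "malware",
    all_of(equals("detection", "retrospective network-based"),
           any_of(ip_in("sending_ip", INTERNAL), ip_in("receiving_ip", INTERNAL))),
    ["email", "syslog"])

# Second slide: the same rule with one more boolean condition, on file type.
RETRO_MALWARE_EXECUTABLE = CorrelationRule(
    "retrospective malware, executable file type", "malware",
    all_of(RETRO_MALWARE.condition, one_of("file_type", {"MSEXE", "ELF"})),
    ["email", "syslog", "ise_quarantine"])

POLICY = CorrelationPolicy(
    [COMPROMISED_HOST_ATTACKING_OUT, RETRO_MALWARE, RETRO_MALWARE_EXECUTABLE])

# Constructed sample events (RFC 1918 and documentation addresses only).
SAMPLE_EVENTS: List[Event] = [
    {"type": "intrusion", "impact_flag": 3, "src_ip": "10.20.1.147", "dst_ip": "203.0.113.9"},
    {"type": "intrusion", "impact_flag": 1, "src_ip": "203.0.113.9", "dst_ip": "10.20.1.147"},
    {"type": "malware", "detection": "retrospective network-based",
     "sending_ip": "198.51.100.7", "receiving_ip": "192.168.5.30", "file_type": "MSEXE"},
    {"type": "malware", "detection": "network-based",
     "sending_ip": "198.51.100.7", "receiving_ip": "192.168.5.30", "file_type": "PDF"},
]


def run_policy(policy: CorrelationPolicy = POLICY, events: List[Event] = SAMPLE_EVENTS):
    """Evaluate every event; returns {event index: [(rule name, actions), ...]}."""
    return {i: policy.evaluate(ev) for i, ev in enumerate(events)}


if __name__ == "__main__":
    for idx, hits in run_policy().items():
        for name, actions in hits:
            print(f"event {idx}: {name} -> {', '.join(actions)}")
```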

Remediation API

Grand Vision for Integration & Firepower Management

Automating Response: Remediation API
Inputs: Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events
-> Boolean conditions (Correlation Rules) -> Correlation Policies -> Correlation Events -> Actions (API, Email, SNMP)
Sample Remediation Modules: Cisco ISE (pxGrid Mitigation), Guidance EnCase, Set Host Attributes, Security Intelligence Blacklisting, Nmap Scan, SSH / Expect Scripts, F5 iRules, Solera DeepSee, NetScaler, PacketFence, Bradford

ISE + Firepower = Rapid Threat Containment
1. Security events / IOCs reported (NGFW -> FMC)
2. Correlation rules trigger remediation action (FMC)
3. pxGrid EPS action: Quarantine + Re-Auth (FMC -> ISE MnT / Controller)
4. Endpoint assigned Quarantine + CoA-Reauth sent

Configure Rapid Threat Containment
- Open the System:Integration page
- Enter ISE server details (e.g. ise-1.mynet.com, ise-2.mynet.com)
- Be sure to configure your certs for the integration

Configure Rapid Threat Containment: notice your ISE mitigation actions!

Configure Rapid Threat Containment: be sure to assign the action to a Correlation Rule within a Correlation Policy

"Other Tools" in the Firepower Toolkit
Event Analysis Toolset
- White Listing: correlation tool to monitor for host profile changes
- Traffic Profiling: monitor behavioral changes in traffic conditions
Programmatic Interfaces
- eStreamer API: transmit all event data to an external repository (SIEM, event log, edge)
- Host Input API: insert data into Host Profiles from external data sources
- Remediation API: programmatically initiate actions on external systems
- JDBC Connector: directly query the FMC database (reporting, SIEM queries, etc.)
- REST API (NEW!): REST interface for FMC query, configuration, and ...

Reporting Matters

Default Reports: not just what's in the templates
- Dashboard widgets are mini-reports
- Over 120 preset reports within a widget
- Create custom widgets for more
- Think of the Dashboard as your unlimited report designer
Tools: Searches, Custom Workflows, Custom Tables = Data goldmine

Event Viewing
- Tables: listing of events within a data set (IPS, Connection, Malware, etc.)
- Workflows: customized organization of specific column headers; allows analysts to go straight to meaningful data
- Filters: search for specific or generalized matches within event tables; each table can have its own filters; hundreds of filters pre-installed; customizable
- Custom Tables: join of two or more individual event tables; aggregate useful data for faster decision making and reporting; has its own workflows and filters

Workflows

A Default Event View

A Default View

Changing the view helps focus analysis

Create a Custom Workflow

How it turned out: build on your order of investigation
Actionable data: hosts .52, .56, and .111 need to be investigated!

Custom Tables

Building Custom Tables: Intrusion Events + Host Data = Custom View
Have all the data you need immediately in one view.

Custom Table: Intrusion Event with Host Data

Custom Table: Intrusion Event with Host Data. Custom tables can even have their own workflows.

Custom Table: Includes Custom Filters

Custom Table: Includes Custom Filters. Tables, Custom Tables, and Filters can also be leveraged on the Dashboard. Just choose the one column that is most meaningful.

Uses for Tables (standard & custom) and Workflows
- Having more relevant data on hand when doing event analysis and forensics
- Reducing the number of clicks to drill into meaningful data
- Customizing prioritization based on local business and security drivers
- Speeding new threat discovery / hunting
Combined with Filters, they let you segment information into meaningful chunks, such as: device functionality, users / groups, network zone, country, operating system, threat type, and activity / behavior (Trends? What changed? What's new?)
Valuable in customizing your dashboard, building reports, and documenting compliance. Let the business need feed your creativity.

Examples of possible data to report
- Security specific: threats experienced; automated remediations; OSs most compromised; app threat root cause
- Operations: new systems on the network; new services or applications in use; changes in network behavior; OS data
- Compliance: PCI, NERC CIP, HIPAA; OS usage; user/group access behavior; app segmentation; hosts in violation of corporate policy
Expanding your reporting to drive business efficiency creates a stronger security practice.

Interesting Data for Filtering
- Potential new Threat / Threat Destinations: Top Sec. Int. events with external Dest. IP (list Int. Source IP / Ext. Source IP)
- Top File Sources: Top external Source IPs for files (list Ext. Source IP)
- Executable Exfil: Internal IPs that send files to an external address (esp. exe, jar, pdf, doc, archive, etc.) (list Int. Source IP)
- Odd URLs: Internal IPs connecting to URL categories of concern (list Int. Source IP)
- Retrospective: Internal IP addresses associated with retrospective malware (list Int. Source IP)
- DNS: Internal IPs generating DNS Sinkhole events (list Int. Source IP)
- Bad SSL: Internal IPs using invalid SSL certs to an external IP (list Int. Source IP)
- Correlation Events: Internal IPs sourcing Correlation Events (list Int. Source IP)
- Processes Introducing Malware (prebuilt in FMC, requires AMP for Endpoints)
- Invalid App Usage: Internal IPs using apps on nonstandard protocols (* Create Correlation Rules * Leverage OpenAppID)

Leveraging the Dashboard

Customize The Dashboard
- There are a number of default dashboards
- All of them have customizable widgets
- Create / customize your own for better visibility and report designs

Customize The Dashboard: this is your most powerful widget

Dashboards That Meet Your Needs: Threat Focused

Dashboards That Meet Your Needs: Network Focused

Build Reports Straight from the Dashboard

Or Import Dashboards With the Report Builder: import sections from Dashboards, Summaries, and Workflows

Closing

Key Takeaways
By now you hopefully:
- Have a better understanding of how automated event analysis happens: Impact Flags & Indications of Compromise (IOCs)
- Have a better strategy for examining a security breach
- Are able to leverage correlation policies and system APIs to create meaningful security automation
- Understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise

Complete Your Online Session Evaluation
- Please complete your Online Session Evaluations after each session
- Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
- All surveys can be completed via the Cisco Live Mobile App or the Communication Stations
- Please leave comments! (and your email if you want a response)
Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

Continue Your Education
- Demos in the Cisco campus
- Walk-in Self-Paced Labs
- Lunch & Learn
- Meet the Engineer 1:1 meetings
- Related sessions

Call to Action
- Firepower Management Center can be the center of your security operations. Look at FMC as a security automation framework.
- FMC's real value is in how it can merge security operations and business outcomes.
- Look for cross-product integration to strengthen FMC's value.
- Be creative in creating solutions. Look beyond IPS or Threat Protection opportunities.
- The more you understand about your organization's security practices and business outcome needs, the more you'll find you can deliver with Firepower Management Center.
Check out Firepower more at the World of Solutions! What can you make it do?!

Thank You And remember to fill out your surveys!

Reference Slides

Event Source to Event Type (Reference)
Layer | Engine | Policy | Event Type
L3 - IP | IP Reputation Pre-Processor | Security Intelligence (Access Control Policy) | Security Intelligence Events
L2-L7 | Intrusion Prevention (Snort) | Intrusion Policy | Intrusion Events
L2-L7 | Network Discovery | Network Discovery Policy | Discovery Events, User Activity, Connection Events, Host Profiles, Servers, Applications, Vulnerabilities
L3 | DNS Sinkhole Processor | DNS Policy | Connection Events
File | File Detection Processor | File Policy | File Events
L3-L7 | SSL | SSL Policy | Connection Events
L4-L7 | Application Detection (AppID) | Network Discovery Policy / Access Control Policy | Application Detail Events
L4-L7 | URL Filter | Access Control Policy | Connection Events
Files | Advanced Malware Protection (AMP) (Sandbox, Cloud Lookup) | File Policy | Malware Events, File Trajectory

Event Sources to Events (Reference)
Event tables (columns): Security Intelligence, Connection, Intrusion Detection, File, Malware, User
Sources (rows): Security Intelligence, Normalization, Pre-Processors, SSL Decryption, App Detection, App Control, Network Detection, Non-Auth User Act., User Activity from AD, URL Filter, File Detection, AMP Engine, AMP Endpoint Cloud, Snort (IPS)
Reference data: Geo IP Db, URL Rep Db, User Db (from AD)

Correlating Event Data (Reference)
When an Intrusion Event, Discovery Event, Connection Event, Host Input Event, User Activity or Malware Event occurs, or a Traffic Profile changes
Also available: flow and connection conditions over time or volume; data from the User Table (name, group info, etc.); data from Host Profiles

Custom Table Matrix (reference)
Rows and columns both list the joinable tables: Application Details, Applications, Connection Events, Connection Summary, Correlation Events, Discovery Events, Host Attributes, Hosts, Indications of Compromise, Intrusion Events, Sec. Int. Events, Servers, White List Events