The Power of Customization: High Relevance Alerting using Cisco Security in GCP
Cisco Live 2023, session BRKCLD-2367
Ryan MacLennan, Technical Marketing Engineer
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public #CiscoLive
(Text extracted from the 71-page slide PDF; slides that are only screenshots or diagrams are marked as such.)

Cisco Webex App: Questions?
Use the Cisco Webex App to chat with the speaker after the session. How:
1. Find this session in the Cisco Live Mobile App.
2. Click "Join the Discussion".
3. Install the Webex App or go directly to the Webex space.
4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023.
Agenda
- The "Why"
- The Products
- The Architecture
- The Customizations: Firepower Threat Defense, Secure Cloud Insights, Secure Cloud Analytics
- Conclusion

The "Why"
Without proper customization, customers don't get the alerts that matter.

The Products

The Firewall: Firepower Threat Defense (FTD)
- Next-generation capabilities
- Customizable IPS policy
- Customizable file policies

The Insights: Secure Cloud Insights (SCI)
- Detect configuration issues
- Confirm compliance
- Inventory searching

The Analytics: Secure Cloud Analytics (SCA)
- Easy setup
- Automatic threat detection
- Easily manage alerts

The Architecture
How is everything connected? (diagram of GCP, FTD, SCI and SCA; the data sources shown are:)
- VPC Flow Logs
- Cloud APIs
- Firewall connections

The Customizations
What should be customized for high relevance alerting? (diagram: GCP, FTD, SCI, SCA)

Customizing Firepower Threat Defense (FTD)
How is this FTD configured?
- Cloud managed
- Custom network discovery
- Custom IPS policy
- Custom file policy

FTD Cloud Management: Cisco Defense Orchestrator (CDO)
- Has a Cloud-Delivered Firewall Management Center
- No resource management by the customer
- Auto-scaling
- Automatic updates

FTD Cloud Management: Cloud-Delivered Firewall Management Center (CD-FMC)
- Devices in CD-FMC
- Device "about" info: model, version, inspection engine (Snort 3)

Customizing Network Discovery
- Default: discover ALL; inefficient and slow
- Updated networks: tailored to the network; can use custom IPS rules

Default IPS Policy
- Default profile
- Many active rules
- No customizations

Customizing IPS: Firepower Recommendations
- Based on network discovery
- Disables rules not needed
- Increases processing efficiency
- Because the recommendations are derived from what network discovery has seen, they are only as good as the discovery scope, and should be regenerated when the discovered network changes

Customizing IPS: Firepower Recommendations Example (screenshot)

Configuring a file policy
- Choose file type or category
- Choose action
- Choose whether to store the file
- Save

Applying a file policy to an ACP (access control policy)
- File policies are assigned per ACP rule (allow rules, high-profile rules)
- Example file policy: cloud lookup, store malware, all file categories

Advanced ACP Settings Example
- Change the file size limits to suit your organization's needs
- More settings than just Dynamic Analysis

What should be customized for high relevance alerting? (diagram: GCP, FTD, SCI, SCA)
Customizing Secure Cloud Insights (SCI)

What does SCI do?
- Attack surface visualization
- Benchmarking
- Compliance
- Asset visibility
- Non-intrusive (read-only)

How is SCI integrated into GCP?
- Read-only API
- Polling interval
- API key instructions

What will we customize in SCI?
- Entities: entity graphing, entity relationships
- Querying: create an alert
- Policies & compliance
- Assets

Integration calculates entities
- Links to a query
- How many entities exist in GCP?

Query for how many entities exist in GCP
- The query creates a list
- Counts the types
- Can be shown as a graph too

Entities in GCP in graph view
- All entities in GCP
- No relationship shown at this level
- Digging down can show a relationship

What relationship does a GCP network & firewall have?
- Drill down to the GCP compute network
- Arrows show a relationship
- Connected to a firewall rule
- Select the compute firewall: see that it allows all IP traffic
- More fields include: logConfig (enabled/disabled), sourceRanges

Find more 0.0.0.0/0 firewall rules
- "Related" finds any resource with 0.0.0.0/0
- "Similar" finds only firewall rules with 0.0.0.0/0
- Creates a new query

Create an alert for new 0.0.0.0/0 rules
- Create alert
- Fill in details
- Note the query

Query should exclude necessary 0.0.0.0/0 rules:
find Firewall with sourceRanges=0.0.0.0/0 and displayName!="brkcld-2367-outside-egress"
Excluding a rule by its displayName keeps the one known, required rule out of the alert while any other rule with 0.0.0.0/0, whether new or renamed, still fires.

Query Example: Find users without MFA enabled
- Natural language query: "Which user accounts do not have multi-factor authentication enabled?"
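The exclusion query on the slide above filters one known rule out by displayName. The script below is an added example, not from the deck and not Cisco's code: it applies the same logic to firewall rules in the shape returned by the Compute Engine API (compute.firewalls.list), so an exclusion list can be validated offline before it is turned into an SCI alert. The sample rules are constructed for the example; the excluded name comes from the slide, and treating it as an egress rule is an assumption. It goes slightly beyond the slide's literal string match by treating ::/0 as an any-source range too, which a comparison against the string 0.0.0.0/0 would not catch.

```python
"""Added example: reproduce the SCI exclusion query locally over GCP firewall
rules. The slide's query is

    find Firewall with sourceRanges=0.0.0.0/0 and displayName!="brkcld-2367-outside-egress"

The records below follow the compute.firewalls.list field names (name,
direction, sourceRanges, allowed, logConfig, disabled) and are constructed
for this example; they are not taken from the deck.
"""
import ipaddress
import json

# Rules that legitimately need an any-source range. SCI exposes the GCP rule
# name as displayName; the one name here is the exclusion from the slide.
EXPECTED_OPEN_RULES = {"brkcld-2367-outside-egress"}

# Constructed sample in the compute.firewalls.list shape (subset of fields).
# The direction of the excluded rule is an assumption for the example.
SAMPLE_RULES_JSON = """
[
  {"name": "brkcld-2367-outside-egress", "direction": "EGRESS", "disabled": false,
   "destinationRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}],
   "logConfig": {"enable": true}},
  {"name": "default-allow-ssh", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}],
   "logConfig": {"enable": false}},
  {"name": "web-ipv6", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["::/0"], "allowed": [{"IPProtocol": "tcp", "ports": ["443"]}],
   "logConfig": {"enable": true}},
  {"name": "internal-only", "direction": "INGRESS", "disabled": false,
   "sourceRanges": ["10.0.0.0/8"], "allowed": [{"IPProtocol": "all"}],
   "logConfig": {"enable": true}},
  {"name": "old-open-rule", "direction": "INGRESS", "disabled": true,
   "sourceRanges": ["0.0.0.0/0"], "allowed": [{"IPProtocol": "all"}],
   "logConfig": {"enable": false}}
]
"""


def is_any_source(cidr):
    """True for a range that covers the whole address space (0.0.0.0/0 or ::/0).
    The slide matches the literal string 0.0.0.0/0; checking prefixlen == 0
    also catches the IPv6 equivalent. Non-CIDR strings are treated as not open."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False


def open_firewall_findings(rules, exclusions=EXPECTED_OPEN_RULES):
    """Return one finding per enabled ingress rule reachable from any source
    address whose name is not on the exclusion list. Each finding records
    whether the rule also covers every protocol/port ("allows all IP traffic"
    on the slide) and whether rule logging is enabled (the logConfig field)."""
    findings = []
    for rule in rules:
        if rule.get("direction", "INGRESS") != "INGRESS" or rule.get("disabled"):
            continue
        if rule["name"] in exclusions:
            continue
        if not any(is_any_source(r) for r in rule.get("sourceRanges", [])):
            continue
        allows_all = any(a.get("IPProtocol") == "all" for a in rule.get("allowed", []))
        findings.append({
            "name": rule["name"],
            "sourceRanges": rule.get("sourceRanges", []),
            "allows_all_ip_traffic": allows_all,
            "logging_enabled": bool(rule.get("logConfig", {}).get("enable")),
        })
    return findings


def run_sample():
    """Evaluate the constructed sample; returns the two open ingress rules."""
    return open_firewall_findings(json.loads(SAMPLE_RULES_JSON))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed sample this reports default-allow-ssh and web-ipv6; the excluded egress rule, the RFC 1918-scoped rule and the disabled rule are skipped. A finding with logging_enabled false is worth fixing first, since without rule logging there is no connection record to investigate when the alert fires.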
Creating a Policy
- Walkthrough wizard
- Automatically creates policies based on answers

Making sure you are compliant
- Can be part of the policy wizard
- Add your own framework
- Can inspect gaps, controls, etc.
- Inspecting controls

Inspect Controls for compliance
- Multiple controls
- Policy domain of each control

Inspect Access Reviews
- Selecting Access Reviews
- Select a query: who has access?

Inspect Access Reviews: who has access to what?
- The query returns: resources the account can access, name, user name, resource type
- Finding problems

Assets across all integrated products (screenshot)

Finding problem assets
- Click on the Problem section in Assets

What should be customized for high relevance alerting? (diagram: GCP, FTD, SCI, SCA)

Customizing Secure Cloud Analytics (SCA)
What should be set up in SCA?
- Entity groups
- Watchlists: logging, third party, country, internal connections
- Enabled/disabled alerts

SCA Entity Groups
- Logical group
- Define subnets
- Easier to understand

SCA Logging Watchlist
- Checks changes in static resources
- Add watchlists to meet your needs

SCA Third Party Watchlist
- Upload custom domain/IP lists

SCA Country Watchlist (screenshot)

SCA Internal Connection Watchlist
- Watches two sources
- Can be allowed/denied
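The entity groups, third-party watchlist and internal-connection watchlist above are configured in the SCA UI, and the deck does not show how SCA evaluates them. The following is an added example, not part of the deck and not SCA's own logic: it models those three customizations locally and runs them over constructed VPC Flow Log records, so that group boundaries and watchlist entries can be sanity-checked against real flow logs before relying on the resulting alerts. The group names, subnets, watchlist address and allow/deny pairs are all assumptions; the record fields follow the names used in the GCP VPC Flow Logs jsonPayload.connection object (src_ip, dest_ip, dest_port, protocol) plus bytes_sent.

```python
"""Added example: a local model of SCA entity groups and watchlists applied
to VPC Flow Log records. Everything below is constructed for illustration;
it is not SCA's implementation and not data from the deck.
"""
import ipaddress

# Entity groups: logical groups of subnets (slide "SCA Entity Groups"). Assumed.
ENTITY_GROUPS = {
    "web-tier": ["10.10.0.0/24"],
    "db-tier": ["10.20.0.0/24"],
    "mgmt": ["10.99.0.0/24"],
}

# Third-party watchlist: a custom IP list (slide "SCA Third Party Watchlist").
# 198.51.100.0/24 is the RFC 5737 TEST-NET-2 documentation range.
THIRD_PARTY_WATCHLIST = {"198.51.100.7"}

# Internal-connection watchlists: (source group, destination group, action),
# mirroring "watches two sources, can be allowed/denied". Assumed pairs.
INTERNAL_WATCHLISTS = [
    ("web-tier", "db-tier", "allowed"),
    ("web-tier", "mgmt", "denied"),
]

# Constructed flow records using VPC Flow Logs connection field names.
# protocol is the IP protocol number as logged (6 = TCP).
SAMPLE_FLOWS = [
    {"src_ip": "10.10.0.5", "dest_ip": "10.20.0.9", "dest_port": 5432, "protocol": 6, "bytes_sent": 8200},
    {"src_ip": "10.10.0.5", "dest_ip": "10.99.0.2", "dest_port": 22, "protocol": 6, "bytes_sent": 1400},
    {"src_ip": "10.20.0.9", "dest_ip": "198.51.100.7", "dest_port": 443, "protocol": 6, "bytes_sent": 52000},
    {"src_ip": "10.10.0.7", "dest_ip": "10.10.0.8", "dest_port": 80, "protocol": 6, "bytes_sent": 300},
]

# Parse the group subnets once so each flow lookup is a containment test.
_GROUP_NETS = {
    name: [ipaddress.ip_network(c) for c in cidrs] for name, cidrs in ENTITY_GROUPS.items()
}


def entity_group(ip):
    """Name of the first entity group whose subnets contain ip, else None
    (an address outside every group is external to the environment)."""
    addr = ipaddress.ip_address(ip)
    for name, nets in _GROUP_NETS.items():
        if any(addr in net for net in nets):
            return name
    return None


def evaluate_flows(flows, third_party=THIRD_PARTY_WATCHLIST, internal=INTERNAL_WATCHLISTS):
    """Return one observation per flow that matches a watchlist:
    - third_party_watchlist: either endpoint is on the custom IP list
    - internal_connection_denied: the source and destination groups form a
      pair the internal-connection watchlist marks as denied
    Allowed pairs and flows inside one group produce no observation."""
    observations = []
    for flow in flows:
        src_grp, dst_grp = entity_group(flow["src_ip"]), entity_group(flow["dest_ip"])
        if flow["dest_ip"] in third_party or flow["src_ip"] in third_party:
            peer = flow["dest_ip"] if flow["dest_ip"] in third_party else flow["src_ip"]
            observations.append({"kind": "third_party_watchlist", "src_group": src_grp,
                                 "peer": peer, "dest_port": flow["dest_port"],
                                 "bytes_sent": flow["bytes_sent"]})
        for src, dst, action in internal:
            if (src_grp, dst_grp) == (src, dst) and action == "denied":
                observations.append({"kind": "internal_connection_denied",
                                     "src_group": src, "dest_group": dst,
                                     "src_ip": flow["src_ip"], "dest_ip": flow["dest_ip"],
                                     "dest_port": flow["dest_port"]})
    return observations


def run_sample():
    """Evaluate the constructed flows; returns the two matching observations."""
    return evaluate_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for obs in run_sample():
        print(obs)
```

On the constructed flows the web-tier to db-tier connection is allowed and produces nothing, the web-tier SSH session into the mgmt group trips the denied internal-connection watchlist, and the db-tier host talking to the watchlisted external address trips the third-party watchlist. The same shape of check is what the deck's "Alert Supporting Observations" slide shows SCA attaching to an alert.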
SCA Customizing Alerts
- Baseline to alert on
- Enabled/disabled

SCA Customizing Alerts: Example
- Enabled/disabled rule
- MITRE tactics & techniques

What will you see after these are configured?

What does an alert look like? (screenshot)

Alert Type Details (screenshot)

MITRE ATT&CK Tactic (screenshot)

Alert Rule Details
- Acts like a ticket
- First seen, last seen
- When the alert was generated

Alert Supporting Observations (screenshot)

Investigate Session Traffic in Event Viewer (screenshot)

Conclusion
Why customize these products' configurations?
- Each has a different function
- They complement each other
- An alert in SCA can lead to an investigation: check FTD for data, check SCI for confirmation of the configuration
- Proactive remediation with SCI

Fill out your session surveys!
Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last). Attendees will also earn 100 points in the Cisco Live Game for every survey completed; these points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL
Thank you

Gamify your Cisco Live experience!
Get points for attending this session. How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.