BRKSEC-2178
Extended Detection with Cisco XDR: Security analytics across the enterprise
Matt Robertson, Distinguished Engineer
Cisco Live 2023 (#CiscoLive)
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
Cisco XDR: Understanding XDR Analytics
- What is Cisco XDR
- Architecture and Telemetry
- Extended Detection and Response
- Summary

About Me
Matt Robertson, Distinguished Technical Marketing Engineer, Extended Threat Detection and Security Analytics
- Cisco Live Distinguished Speaker
- 15 years at Cisco: Development, TME, Lancope
- Canadian, eh

WHAT IS CISCO XDR?

Cisco XDR: a brand new solution in the Cisco portfolio.

What is Extended Detection and Response?
- Collection of telemetry from multiple security tools
- Application of analytics to the collected and homogenized data to arrive at a detection of maliciousness
- Response and remediation of that maliciousness

Detection and Response and the SOC (pain points by tool, as laid out on the slide)
- NGFW/IPS/IDS/WSA: encryption, too noisy, not actionable, remote workers
- EDR: limited coverage, too many alerts
- NDR: too many alerts, not actionable
- Email: phishing, BEC
- IaaS: not enough visibility
- SIEM: too expensive, too much data
- SOC staff: not enough people, not enough talent, not enough time
- Correlated/prioritised events: not enough creativity, not enough time, too much work
- SOAR: "this never actually worked"
- XDR

An XDR speeds up the OODA Loop
Observe, Orient, Decide, Act. The slide lays the XDR pipeline over the loop: Data Sources (input), Data Repo (corpus), Analytics, Detections (output), Response, Fin.

ARCHITECTURE AND TELEMETRY

Architecture: Today (components as drawn on the slide)
- Integration modules: data sources via APIs; incident store
- Curated data source (with or without detection engine) -> Ingest -> Detection logic (telemetry to security events) -> Alert correlation (attack chain)
- Selected data source (with detection engine) supplies security events directly
- XDR Analytics on top of a data storage layer
- Incident creation and incident enrichment: asset resolution with device insights, asset enrichment, observable enrichment, scoring, recommended actions

Integrations Make XDR Possible
Cisco integrations include (but are not limited to):
- User/Endpoint: Secure Endpoint, Secure Client
- Network: Secure Network Analytics, Secure Firewall, Meraki, Identity Services Engine, Defense Orchestrator
- Cloud: Email Threat Defense, Umbrella, Secure Cloud Insights
Third-party integrations include:
- EDR: CrowdStrike Falcon Insight, SentinelOne Endpoint Security, Microsoft Defender, Trend Micro Vision One, Cybereason Endpoint Security, Palo Alto Networks Cortex XDR
- Email: Proofpoint Email Protection, Microsoft O365
- Cloud: AWS, GCP, Azure
- NGFW: Check Point Security Gateway, Fortinet FortiGate, Palo Alto Networks NGFW
- Application and Identity: Microsoft Azure AD

Understanding the Integration Surfaces
- Data warehouse and Analytics: curated data goes into the data warehouse and analytical models
- Enrichment: data held at the integrated product, pulled in via API for incident enrichment/investigation
- Device Insights: sources that create/enrich device details, e.g. EDRs
- Incidents: from XDR Analytics, a selected integration, or the API
- Response: built-in response actions and/or workflows
- Control Center: UI widget, action
Any integration can be one or more of these.
See also BRKSEC-2113, Cisco SecureX XDR: Making sense of all the parts & pieces (Aaron Woland, Wednesday 1:00 pm).

EXTENDED DETECTION AND RESPONSE

Example Detection and Response Scenario
- Data: NVM logs, NetFlow, firewall logs, ISE logs
- Detection: analytics
- Enrichment
- Prioritisation
- Response: isolation of host/user
Scenario: Darrin Miller, "Beer Thief" (malicious insider).

Curated Data Sources and Delivery (into XDR Analytics)
- NetFlow/IPFIX: CTB, SNA FC, ONA+
- NVM (XDR supports NVM direct-to-cloud only)
- NGFW
- SSX*
- Cloud logs: AWS, GCP, Azure (HTTPS)
- CRWD, ETD
- ISE: pxGrid
Slide legend: "Under dev this cycle" / "Complete".
* CDO requirement will be removed at some point.
+ Predominantly legacy; CTB is the preferred method.

Outcomes are driven by Data
You need to have certain sets of data to achieve certain outcomes.
- Endpoint-enriched record: Start Time, End Time, Source IP, CMID, Process Account, Process Name, Process Hash, Parent Process Name, Parent Process Hash, more
- Flow record: Start Time, End Time, Source IP, Source Port, Destination IP, Destination Port, Bytes Sent, Bytes Received, Packet Count (derived), Protocol, more

Data: CSC NVM
Fields: Start Time, End Time, Source IP, Source Port, Destination IP, Destination Port, Bytes Sent, Bytes Received, Packet Count (derived), Protocol, CUMID, Process Account, Process Name, Process Hash, Parent Process Name, Parent Process Hash, OS Version, UDID and Hostname, System Manufacture and type, MAC Address, more.
- Endpoint flow logs are sent direct to XDR Analytics in near real time, both on and off network
- Export is configured in the XDR console
- At GA it will not be possible to send NVM logs to XDR and use legacy IPFIX export simultaneously
CSC NVM is the XDR endpoint agent: unique visibility with flow logs from an endpoint, enhanced with endpoint-specific telemetry.

XDR Analytics Pipeline
- Data Warehouse: flow data, NVM logs, cloud logs, NGFW logs, ISE logs, etc.
- Telemetry
- Entity: any object upon which we can make an observation (IP address, hostname, username, instance ID, etc.)
- Role: functional classification of an entity based on observed attributes
- Rules: config that influences the model
- Observations: an activity that we are watching for
- Alert: notification of something of potential interest
- Attack Chain: automatic correlation of related alerts

Observations to Alert
- Observation: "We saw a thing"
- Alert: "We believe this is important"
- Data model: P(A|B)

XDR Analytics Alert
- Entity details
- Alert type details
- Alert occurrence details
- Supporting observations
- Manual post to Incident Manager
New alerts are frequently published into production.

Aside: NVM Alerts
Active area of research: this number will change. These are alerts that leverage the uniqueness of NVM data to create new behavioural alarms.

XDR Analytics: Attack Chain
- Correlated leveraging common observables
- Timeline view of alert types
- Chained leveraging MITRE ATT&CK data
- Automatic correlation of related alerts

Alert Chaining: Common Observables
- Alert data sources: NVM; IPS, malware; cloud; NetFlow; etc.
- Observables: IP addresses, hostnames, devices, usernames, AWS resources, CIDR, CMUID, processes, URLs, ASNs

Alert Chaining: Example Chain Creation
Alerts (time, alert type, tactic, device, observable):
- T0, Watch List Hit, Command and Control, device1, 1.2.3.4
- T1, Watch List Hit, Command and Control, device2, 1.2.3.4
- T2, IP Scan, Recon, device2, 10.10.10.0/24
- T2, IP Scan, Recon, device2, 10.10.11.0/24
- T2, IP Scan, Recon, device2, 10.10.12.0/24
- T3, Port Scan, Discovery, device2, 10.10.12.1
The two Watch List Hits share the observable 1.2.3.4, the IP Scans and the Port Scan share device2, and 10.10.12.1 sits inside the scanned 10.10.12.0/24, so all six alerts join one chain: Command and Control (2), Reconnaissance (3), Discovery.
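The chain-creation slide above can be reproduced with a small union-find over alerts that share an observable. The following is an added example written for this page, not Cisco XDR code; the two linking rules it uses (exact shared observable value, and an IP observable falling inside a CIDR observable) are assumptions chosen to match the slide, and the seventh alert (device9 / 5.6.7.8) is a constructed control that must stay out of the chain.

```python
# Added example (not Cisco XDR code): chaining alerts on common observables,
# reproducing the "Example Chain Creation" slide. Linking rules are assumptions:
# two alerts are related when they share an observable value, or when an IP
# observable on one falls inside a CIDR observable on the other.
import ipaddress
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    time: int               # ordinal time (T0 -> 0, T1 -> 1, ...)
    alert_type: str         # e.g. "Watch List Hit"
    tactic: str             # MITRE ATT&CK tactic as labelled on the slide
    observables: frozenset  # device names, IPs, CIDRs, users, hashes, ...


def cidr_contains(outer: str, inner: str) -> bool:
    """True when `inner` (an address or a smaller network) lies within `outer`.
    Non-IP observables such as device names simply return False."""
    try:
        net = ipaddress.ip_network(outer, strict=False)
        sub = ipaddress.ip_network(inner, strict=False)
    except ValueError:
        return False
    if net.version != sub.version:
        return False
    return net.prefixlen < sub.prefixlen and sub.subnet_of(net)


def related(x: Alert, y: Alert) -> bool:
    """Assumed chaining rule: exact shared observable, or CIDR containment."""
    if x.observables & y.observables:
        return True
    return any(cidr_contains(a, b) or cidr_contains(b, a)
               for a in x.observables for b in y.observables)


def build_chains(alerts):
    """Group alerts into chains (connected components of the `related` graph),
    each chain ordered by time. Plain union-find with O(n^2) pairwise checks."""
    parent = list(range(len(alerts)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i in range(len(alerts)):
        for j in range(i + 1, len(alerts)):
            if related(alerts[i], alerts[j]):
                parent[find(i)] = find(j)

    groups = {}
    for i, alert in enumerate(alerts):
        groups.setdefault(find(i), []).append(alert)
    return [sorted(g, key=lambda a: a.time) for g in groups.values()]


def tactic_summary(chain):
    """Tactics in order of first appearance with alert counts, e.g.
    [('Command and Control', 2), ('Reconnaissance', 3), ('Discovery', 1)]."""
    order, counts = [], Counter()
    for alert in chain:
        if alert.tactic not in counts:
            order.append(alert.tactic)
        counts[alert.tactic] += 1
    return [(t, counts[t]) for t in order]


# Constructed input: the six alerts from the slide plus one unrelated alert
# (device9 / 5.6.7.8, constructed) that must not join the chain.
SLIDE_ALERTS = [
    Alert(0, "Watch List Hit", "Command and Control", frozenset({"device1", "1.2.3.4"})),
    Alert(1, "Watch List Hit", "Command and Control", frozenset({"device2", "1.2.3.4"})),
    Alert(2, "IP Scan", "Reconnaissance", frozenset({"device2", "10.10.10.0/24"})),
    Alert(2, "IP Scan", "Reconnaissance", frozenset({"device2", "10.10.11.0/24"})),
    Alert(2, "IP Scan", "Reconnaissance", frozenset({"device2", "10.10.12.0/24"})),
    Alert(3, "Port Scan", "Discovery", frozenset({"device2", "10.10.12.1"})),
    Alert(4, "Watch List Hit", "Command and Control", frozenset({"device9", "5.6.7.8"})),
]


def example_chains():
    """Chains built from the constructed slide data."""
    return build_chains(SLIDE_ALERTS)


if __name__ == "__main__":
    for chain in example_chains():
        print(tactic_summary(chain))
```

The first chain summarises to Command and Control (2), Reconnaissance (3), Discovery (1), matching the slide; the control alert forms its own one-element chain because it shares nothing with the rest. In a real deployment the pairwise loop would be replaced by an index from observable value to alert ids, but the grouping logic is the same.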
XDR Incident Manager
- Detections promoted into an Incident in the XDR UI
- Prioritisation
- Original incident source
- Incidents are further extended with data from other integrated data sources

A Note About Incidents
SecureX has two incident queues:
- High Impact: auto-enriched; sources: SCA, CSE
- Other: NGFW, SNA, etc.; API; many workflows
The XDR Incident Queue is built on the High Impact incident queue (with significant enhancements).

Incident Creation
- XDR Analytics: (1) attack chains are posted to XDR automatically; (2) promotion of other alerts is off by default; (3) manual post at any time
- Cisco Secure Endpoint: Critical and High events are automatically promoted; eventually this will become a curated data source
- API: to be leveraged for workflows and custom integrations

Prioritise by Impact
- Incidents are prioritized by business impact and asset value
- The total priority score is used to prioritize incidents
- Priority Score (0-1000) = Detection Risk (0-100) x Asset Value (0-10)
- The user-defined Asset Value represents the value of the asset involved in the incident
- Detection Risk is computed using a data model leveraging multiple values, including MITRE TTP financial risk, number of MITRE TTPs, and source severity
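The scoring rule on the "Prioritise by Impact" slide is simple, but its consequence is worth seeing on data: a lower-risk detection on a high-value asset outranks a higher-risk one on a throwaway host. The block below is an added example written for this page, not Cisco XDR code; it takes the ranges and the default asset value of 10 from the slides, treats detection risk as an input (the slide does not give the formula that derives it from MITRE TTP financial risk, TTP count and source severity), and uses constructed incidents.

```python
# Added example (not Cisco XDR code): Priority Score = Detection Risk x Asset
# Value from the "Prioritise by Impact" slide. The ranges (0-100, 0-10, 0-1000)
# and the default asset value of 10 come from the slides; how detection risk is
# derived is not reproduced here, so the risk is taken as an input.
DEFAULT_ASSET_VALUE = 10   # default on the device page per the slides
RISK_MAX = 100
ASSET_MAX = 10


def priority_score(detection_risk, asset_value=DEFAULT_ASSET_VALUE):
    """Return the 0-1000 priority score, rejecting out-of-range inputs rather
    than silently clamping them (a risk of 250 is a data error, not a priority)."""
    if not 0 <= detection_risk <= RISK_MAX:
        raise ValueError(f"detection risk {detection_risk} outside 0-{RISK_MAX}")
    if not 0 <= asset_value <= ASSET_MAX:
        raise ValueError(f"asset value {asset_value} outside 0-{ASSET_MAX}")
    return detection_risk * asset_value


def rank_incidents(incidents):
    """incidents: iterable of (name, detection_risk, asset_value), where an
    asset_value of None means the device was never configured and gets the
    default. Returns (name, score) pairs, highest priority first."""
    scored = [(name, priority_score(risk, DEFAULT_ASSET_VALUE if av is None else av))
              for name, risk, av in incidents]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed incidents: the higher-risk detection on a low-value lab host
# ends up below the lower-risk detection on a high-value server.
SAMPLE_INCIDENTS = [
    ("cryptominer on lab host", 80, 2),
    ("watch list hit on finance server", 40, 10),
    ("port scan from unconfigured device", 30, None),
]


def example_ranking():
    """Ranking of the constructed incidents."""
    return rank_incidents(SAMPLE_INCIDENTS)


if __name__ == "__main__":
    for name, score in example_ranking():
        print(f"{score:4d}  {name}")
```

Note the third incident: an unconfigured device silently inherits the default asset value of 10, so a modest detection on it scores 300 and lands above the 160 of the lab host. Leaving asset values at the default therefore biases the queue towards unclassified devices, which is a reason to populate them on the device page.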
Asset Value Configuration
- Configured on the device page
- Default is 10

Enrichment
Enrichment is the process of consulting all integrations to find out what any of them know about the observable(s).
- Cisco products: Endpoint, Cloud Analytics, Firewall, Malware Analytics
- Third party: SentinelOne, CrowdStrike, Defender, and many others
- Intelligence: IP reputation, domain reputation, file analysis, email reputation, and more
XDR presents the enriched result to the analyst and to automation.

Enriched Incident
Demo.

SUMMARY

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Learning Map: Security, Threat Detection & Response
Learn how SecureX Threat Response is an investigation and remediation application that dramatically simplifies security by cutting the time and manual effort required for threat hunting and incident response.
- START: Monday, June 5 | 1:00 p.m. BRKSEC-1639 An Introduction to Risk-Based Vulnerability Management
- Monday, June 5 | 3:00 p.m. BRKMER-2003 Meraki with Secure Network Analytics and XDR: Threat Detection for the Rest of Us
- Monday, June 5 | 4:00 p.m. BRKSEC-1023 Accelerate your SOC with Cisco XDR
- Tuesday, June 6 | 1:00 p.m. BRKSEC-2084 Seeing is Believing: Unlocking XDR Outcomes with Visibility
- Tuesday, June 6 | 2:30 p.m. BRKSEC-2101 Malware Execution As A Service: a Deep Dive into CSMA Advanced File Analysis
- Wednesday, June 7 | 10:30 a.m. BRKSEC-2095 Cisco XDR with Email: Protect, Analyze and Evolve the SMTP Conversation
- Wednesday, June 7 | 1:00 p.m. BRKSEC-2113 Cisco XDR - Making sense of the Solution and how it's a Security Productivity Tool
- Thursday, June 8 | 9:30 a.m. BRKSEC-2178 Extended Detection with Cisco XDR: Security analytics across the enterprise
- Thursday, June 8 | 10:30 a.m. BRKSEC-2931 Building, Proving, and Extending Detections in Secure Analytics
- FINISH: Thursday, June 8 | 1:00 p.m. BRKSEC-3116 Automating your Cisco XDR Workflows: from Threat Hunting, to Finding and Confirming Incidents, to Responding!
If you are unable to attend a live session, you can watch it in the On-Demand Library after the event.

Parting Thoughts
Keep your eyes open and don't have your beer stolen.
- Behaviour-based detections are a critical component of the modern security operations center
- Simplify your security operations with Cisco XDR!