Cisco XDR: Making Sense of the Solution and How It Is a Security Productivity Tool (PDF, 102 pages)
Cisco Live BRKSEC-2113
Cisco XDR: Making Sense of all the Parts & Pieces
Aaron T. Woland, CCIE #20113, Distinguished Engineer, Threat Detection & Response | aaronwoland
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Abstract
Cisco made a lot of noise at the 2023 RSA Conference announcing the new Cisco XDR. But what is it? What is eXtended Detection and Response (XDR)? Come join one of Cisco's inaugural Elite Distinguished Speaker Hall of Fame members, Aaron Woland, where he will help answer the following questions and much more! What should an XDR be? Is Cisco XDR a SIEM or a SOAR? Is it something else? Is Cisco XDR just an evolution of Cisco SecureX, or is it different? How does it work, and what is happening behind the scenes? How does Cisco XDR make my Security Response more efficient & effective? What components are critical to make an XDR an effective tool? Come learn from Aaron, the unofficial "Cisco History Professor", while he sheds light on the inner workings of Cisco's incredibly capable Cisco XDR solution, how the industry got to XDR, how this amazing product came to be and how it can be used as a Security Operations & Incident Response "Productivity Tool".
For Your Reference

$whoami
Cisco role: Distinguished Engineer, Threat Detection & Response
Unofficial title: "Cisco History Professor"
Experience: Old enough to wonder how I have been doing this for 30 years
Fun fact 1: Father of 5 daughters
Fun fact 2: Oldest works for Ruckus Wireless! Youngest is 18 months!
Fun fact 3: Working through his Cyber Security Master's Degree from SANS Institute (12/23)

"If we can't laugh at ourselves, then we cannot laugh at anything at all"
Sarcasm
Disclaimer: "All comments are my own, and are not representative of Cisco. Any correlation to real live persons or situations was completely unintentional. Blah Blah Blah."

Please fill out the survey. Drop your email in the comments; I WILL respond!

Let's get this road on the show
Agenda
- A History Lesson
- Evolution
- Incident Management & Workflow
- Integrations & Response
- Endpoint & Network Telemetry
- That's a wrap!

A Little History Lesson

Way Back in 2017
- Security Leadership pet project: "Visibility". Renamed to Cisco Threat Response (2018).
- Based on a history of performing incident response: productizing the process they followed as practitioners.
- Search for "observables" and it enriches from all integrated sources (via APIs) with "findings". Diagram: "Bad thing 1, bad thing 2" fanned out to six integrated sources, each asked "Have sightings of these observables?"
- Note: Cisco acquires Obsrvbl Networks in the same year.

Then in 2020
- Introduced SecureX May of 2020
- A cloud-native, built-in platform experience within our portfolio

SecureX was to be THE Platform
- Cisco Secure function X was to be the central place
- X leveraged Cisco Threat Response to integrate all Cisco products together
- X adds a full automation engine we "acquired" from the cloud division
- X provided the SSO experience for Cisco Security
- All future UIs to be built in SecureX
- Cisco Threat Response (CTR) + Action Orchestrator (AO) + SSO + Dashboard Framework & Ribbon = SecureX

In 2021 analysts create a new market category: "eXtended Detection & Response"
- Analysts in 2021: "Cisco SecureX is a leader for XDR"
- Former Cisco Executive Leaders: Uhh. "Yes, we ARE". Go forth & market it that way
- Cisco fully embraces the XDR concept; sees it as a market transition. Let's go!

Cisco dives head-on into the XDR space
- Hired an external research and design company to augment us
- Expanding our User Experience & Interface Teams
- Customers didn't even know they were talking to Cisco (blind), as well as our own customer feedback
- Brought in Principal Engineers in key places with tons of incident management/SOC experience
- Leveraging the BEST technology to meet the defined experience, not building the experience based on the tech
1. Invests millions in research
2. Invested heavily internally
3. Blind & Sighted Interviews
4. Extensive Hiring of Experts
5. Restructured our Products

What did it yield?
"The need for XDR is driven by the market not meeting the needs of the SOC" - XDR Beta Customer

An XDR is an expression of business needs
- Where are we most exposed to risk?
- How good are we at detecting attacks early?
- Are we prioritizing the attacks that represent the largest material impacts to our business?
- How quickly are we able to understand the full scope and entry vectors of attacks?
- How fast can we confidently respond?
- How much can SecOps automate?
- Are we improving our time to respond?
- Do we have full visibility into all our assets?
- Can we reliably identify a device and who uses it?
1. Detect Sooner
2. Prioritize by Impact
3. Reduce Investigation Time
4. Accelerate Response
5. Extend Assets Context

XDR is Time to Value, which is significantly less than SIEM integrations, and leverages NDR/EDR integrations.
Adversary: Turla
Nicknames: Snake, Venomous Bear, Uroburos, Group 88, Waterbug

The adversary: What do we know?
- Estonian intelligence services associate this group with the Russian federal security service (FSB).
- Does NOT deploy advanced tools unless necessary to compromise the target.
- Method: Prefers watering holes and social engineering to manipulate victims.
- Crafted lures are highly tailored to their targets.
- Exploit themes related to current events.
- First-stage malware typically acts as a filter.

Without XDR, How Can We Detect and Respond to All of This?

Telemetry data source importance

Essential             Count  Share
Endpoint              255    85.0%
Network               226    75.3%
Firewall              207    69.0%
Identity              191    63.7%
Email                 179    59.7%
DNS                   140    46.7%
Public Cloud          137    45.7%
Non-Security Sources   36    12.0%

Cisco sources shown alongside the top six: Cisco Secure Client, Cisco/Meraki (Networking), Firewall Threat Defense (FTD), Duo, Email Threat Defense (ETD), Umbrella.
The top six data sources that customers believe are essential for an XDR are Endpoint, Network, Firewall, Identity, Email and DNS.

What Are the Building Blocks of an Ideal XDR Solution?
Diagram labels: Data Repository; "Inputs"; XDR Portal; Outputs; Managed Detection & Response; Customer Managed; Analytics & Correlation Engine; Response Actions and Workflow Automation; Case Management; Incident Management; Incident Response; Threat Hunting; Threat Intelligence; Asset Context (device, user); Native and 3rd Party Telemetry Sources; Customer Consumption.
How do we accomplish this?

Evolution

Cloud Analytics Evolving Into Cisco XDR
Parts of SecureX + Secure Cloud Analytics + Kenna Intellectual Property + New Tech = Cisco XDR

SecureX is no longer "the platform". The "Cisco Security Cloud" is the platform.

Me: "XDR is a Security Operations Productivity Tool"
An XDR speeds up the OODA Loop
Observe -> Orient -> Decide -> Act
Input -> Corpus -> Output
Data Sources -> Data Repo -> Analytics -> Detections -> Response -> Fin
Investigators build out a timeline. The XDR automates the timeline creation.

Investigation Timeline: what happened & when?
A responder typically builds out a timeline when investigating. Rows: SOC/Admin, IP Address, Mac Address, GUID(s), Activity.
Phases: Pre-Exploitation, Exploitation, Post-Exploitation.
Activities on the timeline: Initial Probing, Failed Exploit Attempts, Initial Compromise, Privilege Escalation, Lateral Movement, Data Exfiltration.
Starting here, look forward & backwards for correlation to build the timeline/attack graph of "what happened".
So how can we get the XDR to work across all those attacks/TTPs?

We need Analytics & Correlation, not just Sightings
Components: Data Repository; Analytics & Correlation Engine; Response Actions and Workflow Automation; Case Management; Threat Intelligence; Asset Context (device, user); Native and 3rd Party Telemetry Sources.
- Obsrvbl Analytics Engine: SCA's powerful analytics & correlation engine, to bring together much of what was missing.
- SecureX & SCA Integrations: Merged the integration frameworks from SecureX & Cloud Analytics for a new & improved integration model.
- External Enrichments: The enrichment protocols from SecureX, without requiring storage of all data in the Data Repo (like a SIEM would have to do). "Insights" from SecureX.
- Brand-New Data Warehouse: Extensive, extremely performant storage for the "right" events & alerts. Not a dumping ground for all logs & events.
- Re-designed SecureX Orchestration as "XDR Automate", tightly coupled with the Incident Manager.
- Brand-new Incident Manager, tightly coupled to all!
- New (patent-pending) Prioritization Algorithms.

Incident Management & Workflow

Cisco XDR Incident Manager
- Prioritized Queue: Leverages a (patent pending) advanced algorithm from a Kenna scientist, based on Asset Value + Risk of the TTPs.
- Incident Summary: Progressive disclosure of more details of the incident: Priority Details, Short/Long Descriptions, TTPs.

Cisco XDR Incident Manager / Overview
- Overview: Diagram to summarize the incident. Not the detailed investigative diagram.
- Assets/Observables & Indicators: Top active listed, with the total count called out at the top.

Cisco XDR Incident Manager / Detection
- Detection: Used to show the events that have been correlated into this incident.
- Types of Events: Original: the alert sent to XDR. Investigated: correlated events.

Cisco XDR Incident Manager / Response
- Responses: Content specific for the TTPs in the incident.
- Step Through: Identification - Containment - Eradication - Recovery.
- Doesn't ask "which EDR" to isolate with; does it all for you.

Integrations & Response
You see this with SIEM & SOAR
Each product views the endpoint in its own way:
- GUID (specific to product)
- IP Address (ephemeral & changes all the time)
- Mac Address (ephemeral, private, unavailable, duplicative)
Making the products work together is a challenge. State of the industry: no common identities. FAIL.
We need a common endpoint "object".
Diagram: the EDR reports "Malicious Event, Endpoint X"; the response "Block Endpoint X" goes to the Firewall and the Network Controller, and both answer "No Endpoint X here".

SOC Investigation Flow (Note: this is a Generic Example)
1. EDR detects malicious activity
2. Alerts fired off to an incident management system
3. Investigators are notified of new incident
4. Investigator takes endpoint details from EDR & runs script: "Got an alert for Endpoint GUID, Hostname, IP. What other telemetry is available for that EP at that time?"
5. Script retrieves all IDs from the other sources of telemetry (none are the same): SIG: Origin_ID; NDR (Flow Analysis): NDR-GUID; ZTNA/VPN: ZT-GUID; EDR: EDR-GUID; AAA: EP_ID; Forensics: Node_ID; IAM: Device_ID
6. Script updates the Incident Manager with new Observables to enrich the investigation with
7. Incident Manager churns through new telemetry from the sources, for their endpoint identifiers ("Enrich w/ Telemetry for endpoints 1, 2, 3, 4, 5, 6")
8. Investigator realizes this is bad & initiates the "all powerful" Quarantine option
9. Incident Management Tool(s) initiate the playbook to respond at all enforcement points ("Initiate 'Playbook' to block everywhere, with variables for endpoints 1, 2, 3, 4, 5, 6")
The playbook:
a) Playbook initiates isolation via EDR, using the EDR-GUID
b) Playbook blocks domain at SIG
c) Playbook disconnects Active Sessions for ZTNA/VPN & AAA sessions
d) Playbook isolates the endpoint when a new AAA session begins
e) Playbook initiates a new forensic snapshot of the infected host
f) Playbook informs the IAM solution to deny any future attempts with the User + Device combination
Resulting actions per source: Isolate: EDR-GUID; Block Domain; Disconnect Active Sessions for ZT-GUID; Disconnect Active Network Sessions & Isolate!; Get Forensic Snapshot; Don't allow Device+User any future SSO access.
*Someone needed to build these flows

With Cisco XDR:
1. EDR detects malicious activity
2. Alert sent to Cisco XDR. Device Insights has all unique IDs from the Integrated Security Products.
3. Alert prioritized in XDR Analytics. Incident enriched from each integrated security product & intelligence source.
4. Investigator can see it all & take action ("This is bad. Quarantine")
5. Response leverages the correct ID for each source
Cisco XDR provides Analytics, Correlation, Automation, Integrations, Intelligence, Investigation & Incident Management: XDR Analytics; Device Insights (endpoint store); Orchestration (automation); Incident Manager.

Let's talk about that prioritization, shall we?

Incident Priority
At its core, it's the combo of Detection Risk + Asset Value. Where does that value come from?

Device Insights in XDR adds some new things
- Device Value: Value of 1-10. 1 = least valuable, 10 = most valuable.
- Labels: Describe/group devices manually and programmatically.
- Update in Bulk: Can update the labels and values of all selected assets in bulk, from the inventory screen.
- Create in-line: Can even create and apply new labels in-line.
- Default Value: The default value is 10 (most valuable).
- Manually Assigned: The value is tagged if it's manually assigned, which will always "win" in a conflict.
- Rules Engine: Based on Insights "Search". Apply values/labels when rules are met. May enable/disable rules. May change or delete them. Can use existing searches or create a new search in the rule editor.
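The two ideas from the slides above, a single endpoint record that carries every product's identifier (so a response can use the right ID at each enforcement point) and an incident priority built from Detection Risk plus the Device Insights asset value (1-10, default 10, manual assignment wins over a rule), modelled as an added Python example. This is illustrative code written for this page, not Cisco's; the endpoint IDs, hostnames and rules are constructed, and the risk-times-value combination is an assumption, since the real algorithm is patent-pending and not described in the deck.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

DEFAULT_DEVICE_VALUE = 10  # slide: the default value is 10 (most valuable)

def check_value(v: int) -> int:
    """Device Insights values run from 1 (least valuable) to 10 (most valuable)."""
    if not 1 <= v <= 10:
        raise ValueError(f"device value must be 1-10, got {v}")
    return v

@dataclass
class Endpoint:
    """One device, one record, carrying the identifier each product uses for it."""
    hostname: str
    ids: Dict[str, str]                 # e.g. {"EDR": "edr-guid", "NDR": "ndr-guid"}; constructed
    labels: Set[str] = field(default_factory=set)
    manual_value: Optional[int] = None  # analyst-assigned; always wins a conflict
    rule_value: Optional[int] = None    # assigned by the rules engine

    @property
    def value(self) -> int:
        """Effective asset value: manual beats rule, rule beats the default."""
        if self.manual_value is not None:
            return self.manual_value
        if self.rule_value is not None:
            return self.rule_value
        return DEFAULT_DEVICE_VALUE

@dataclass
class Rule:
    """Rules-engine entry: an Insights-style search plus the value/labels to apply."""
    name: str
    search: Callable[[Endpoint], bool]
    value: Optional[int] = None
    labels: Set[str] = field(default_factory=set)
    enabled: bool = True

class DeviceInsights:
    def __init__(self, endpoints: List[Endpoint]) -> None:
        self.endpoints = list(endpoints)

    def lookup(self, source: str, ident: str) -> Optional[Endpoint]:
        """Resolve any product's identifier to the unified record, so a response
        can hand each enforcement point the ID that product actually knows."""
        return next((e for e in self.endpoints if e.ids.get(source) == ident), None)

    def bulk_update(self, selected, value=None, labels=()) -> None:
        """Inventory-screen bulk edit; values set this way count as manual."""
        for ep in selected:
            if value is not None:
                ep.manual_value = check_value(value)
            ep.labels.update(labels)

    def apply_rules(self, rules) -> None:
        """Apply every enabled rule whose search matches. A rule only fills
        rule_value, so a manually assigned value is never overridden."""
        for ep in self.endpoints:
            for rule in rules:
                if rule.enabled and rule.search(ep):
                    if rule.value is not None:
                        ep.rule_value = check_value(rule.value)
                    ep.labels.update(rule.labels)

@dataclass
class Detection:
    source: str  # product that raised the alert
    ident: str   # that product's identifier for the endpoint
    risk: int    # risk of the observed TTPs, 1-10 (assumed scale)

def incident_priority(det: Detection, store: DeviceInsights) -> int:
    """Detection risk combined with asset value; the deck does not give the formula
    (patent-pending), so a plain product is assumed. Unknown endpoints keep value 10."""
    ep = store.lookup(det.source, det.ident)
    value = ep.value if ep else DEFAULT_DEVICE_VALUE
    return check_value(det.risk) * value

def prioritized_queue(dets, store):
    """Incident Manager style queue: highest priority first."""
    return sorted(((incident_priority(d, store), d.ident) for d in dets), reverse=True)

def demo():
    """Constructed inventory, one analyst override, three rules, four detections."""
    kiosk = Endpoint("lobby-kiosk", {"EDR": "edr-bbb", "NDR": "ndr-222"})
    store = DeviceInsights([Endpoint("dc01", {"EDR": "edr-aaa", "NDR": "ndr-111", "AAA": "ep-1"}),
                            kiosk, Endpoint("lee-laptop", {"EDR": "edr-ccc", "ZTNA": "zt-333"})])
    store.bulk_update([kiosk], value=2)  # analyst: the kiosk is low value
    store.apply_rules([
        Rule("servers", lambda e: e.hostname.startswith("dc"), value=10, labels={"server"}),
        Rule("kiosks", lambda e: "kiosk" in e.hostname, value=8, labels={"kiosk"}),
        Rule("laptops", lambda e: e.hostname.endswith("-laptop"), value=6),
    ])
    dets = [Detection("NDR", "ndr-111", risk=6),  # dc01: 6 x 10 = 60
            Detection("NDR", "ndr-222", risk=9),  # kiosk: manual 2 beats rule 8 -> 18
            Detection("EDR", "edr-ccc", risk=4),  # laptop: rule value 6 -> 24
            Detection("EDR", "edr-zzz", risk=3)]  # unknown device: default 10 -> 30
    return prioritized_queue(dets, store), store
```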
Endpoint & Network Telemetry

Telemetry, Telemetry & more Telemetry
Key Telemetry Sources: XDR brings together events, alerts & intelligence from multiple sources!
Telemetry data source importance: the same table as in the history section (Endpoint 85.0% through Non-Security Sources 12.0%), here shown alongside Cisco Secure Endpoint, Cisco/Meraki (Networking), Firewall Threat Defense (FTD), Duo, Email Threat Defense (ETD) and Umbrella. The top six data sources that customers believe are essential for an XDR are Endpoint, Network, Firewall, Identity, Email and DNS.

Also 3rd Parties
- EDR: CrowdStrike, SentinelOne, MSFT Defender
- NDR: Darktrace, ExtraHop
And other intel sources.

Tom Gillis, SVP & GM Cisco Secure: "I think NVM is Cisco's best kept secret weapon"

200 million endpoints delivering the most comprehensive set of security services to more than 80,000+ customers worldwide

For years, we've been preaching: AnyConnect is more than VPN.

AnyConnect has been rebranded
AnyConnect + Cisco Secure Endpoint (AMP) = Cisco Secure Client

Stream Level Interceptor
- The Stream Level Interceptor included in Secure Client (AnyConnect) enables a full holistic, pre-encrypted view of the endpoint's network activity.
- This core function of Cisco Secure Client makes the solution so powerful. It enables other modules like the Umbrella Module and/or NVM to work.
- This holistic view examines & manipulates information for any network communication, from the running application down to the physical network layer (Application -> TCP/IP -> Physical Network; ANY running process -> network card / network driver / Cisco drivers).

Umbrella (DNS) Example
1. DNS request sent down the stack.
2. DNS identified in the stream: from Chrome; user was Lee (employee).
3. Destination checked against Umbrella policy:
   - Internal domain: leave untouched; do not modify the traffic, it goes to the internal DNS server.
   - External domain: modify the DNS traffic: wrap the request in EDNS, insert identity data for Umbrella, encrypt, ship it off to the Umbrella resolver.

Cisco AnyConnect: suite of security service enablement modules
VPN Module (Core); Network Access Manager (NAM); Web Security (CWS); Posture; Umbrella Module; HostScan (aka ASA posture) (No UI); Network Visibility Module (NVM) (No UI); AMP Enabler Module; Diagnostics and Reporting Tool (DART)

Cisco Secure Client: suite of security service enablement modules
AnyConnect VPN (Core); Network Access Manager (NAM); ISE Posture; Firewall Posture (aka Hostscan) (No UI); Secure Endpoint (AMP); Umbrella Module; Cloud Management Module (No UI); Network Visibility Module (NVM) (No UI); Diagnostics and Reporting Tool (DART)

Why does this matter to the SOC, or for the Cisco XDR? (SOC = Security Operations Center)

SANS Instructor, SEC530: Defensible Network Architectures: "Network Telemetry is Critical to a Defensible Network. It's too bad that we cannot get NetFlow from the Endpoint"

Network Visibility Module (NVM)
- Creates a flow record of every network connection from the endpoint: User, Process, Machine Info, etc.
- Works On and Off Prem
- Sends data in IPFIX (NetFlow) based "nvzFlow"
- Conceived by Vinny Parla back in 2011. Been a product almost since then!

The NVM module records the traffic into a "flow record" (like a phone bill) & forwards it to a NetFlow Collector:
- Analytics platforms, such as Secure Workload, Secure Network Analytics or others
- Network management and automation platforms, such as Cisco DNA Center
- Security Information and Event Management (SIEM) platforms
Flow records are metadata only: the network telemetry does not include any payload!
Diagram: Secure Client (Network Visibility Module) -> Generate Flow Record -> Send to Collector (CESA, SE Security Analytics, Secure Workload, Secure Network Analytics).

Network + Endpoint Visibility Together
- NetFlow/IPFIX: Source IP, Destination IP, Source Port, Destination Port, Bytes Sent, Bytes Received
- NVM (IPFIX formatted) adds: OS Version, OS Edition, UDID, Host Name, Logged In User, Process Name, Process Hash, Process Account, Parent Process Name, Parent Process Hash, Parent Process Account, DNS/Destination Hostname, Module Hash List, System Manufacturer, System Type, MAC Address, Interface Name/Type/UID
- Deep Endpoint Visibility: User, Traffic Stats, Processes, Applications, SaaS Used, Accounts, Destinations, Machine Details
True device attribution, not just "IP Address".

Sure, this is cool, but why should you care?
Michael Scheck, Director Cisco CSIRT: "NVM says: not just this IP is talking to this IP on these ports. It actually has this application is opening this connection"

Investigation Timeline (with NVM)
- Incident/Event: Something bad happened with endpoint GUID X-XXXX-XXXX (Secure Endpoint / EDR).
- NDR detects a threat for an IP address: no information for Endpoint OR Asset.
- Timeline rows: Activity, IP Address, Mac Address, GUID(s), Secure Analytics. Events: New IP Address Assigned, Random mac-address, DHCP Assigned IP, NVM Installed, SE Installed.
- NVM can be a detection source or a decoration source.
- SOC/Admin Containment: blocks/detects threat for Endpoint X/Asset X. Certainty of correct Asset & User from NVM?
- Correlations + Analytics: Stitch together detections from EDR + NDR + Intel + Network Flows + NVM Flows + XDR.
- NVM sending metadata. NVM fills in the gaps & more.

NVM is now a key component of the Cisco XDR
- Default CSC Deployment; Default CM Profile; Default NVM Profile set to the XDR
- NVM sends direct to cloud
- Requires Cloud Managed CSC
- Provides ID & Secure transport
- Can be cloud or onPrem, not both (today)
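The "NVM fills in the gaps" step above, as an added Python example that is not Cisco code and not from the deck: an NDR alert that knows only an IP, a peer and a time is decorated with the device (UDID), user and process from constructed nvzFlow-style records, and the naive "latest record for this IP" join is shown going wrong after a DHCP reassignment. Field names follow the slide's NVM list; the record values, hashes, MACs and the 30-second clock slack are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass(frozen=True)
class NvmFlow:
    """Subset of the nvzFlow fields listed on the slide: the NetFlow tuple plus
    the endpoint context NVM adds. Metadata only, never payload."""
    start: datetime
    end: datetime
    src_ip: str
    dst_ip: str
    dst_port: int
    udid: str           # stable device identifier
    hostname: str
    user: str           # logged-in user
    process: str
    process_hash: str
    parent_process: str
    mac: str            # may be randomised per network, so not a reliable key

@dataclass(frozen=True)
class NdrAlert:
    """What a network detection knows: IPs, a port and a time. No endpoint, no asset."""
    time: datetime
    src_ip: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class Attribution:
    udid: str
    hostname: str
    user: str
    process: str
    process_hash: str
    parent_process: str
    flows: int  # how many NVM records supported the match

def owner_by_latest_record(ip: str, flows: List[NvmFlow]) -> Optional[str]:
    """The naive join ('whoever last had this IP'); wrong after a DHCP reassignment."""
    seen = [f for f in flows if f.src_ip == ip]
    return max(seen, key=lambda f: f.end).udid if seen else None

def attribute(alert: NdrAlert, flows: List[NvmFlow],
              slack: timedelta = timedelta(seconds=30)) -> Optional[Attribution]:
    """Decorate an IP-only alert with the device, user and process that owned the
    IP at the alert time. Matches the source IP within a flow's lifetime (plus
    clock slack), prefers flows to the alerted destination, and refuses to guess
    when two devices claim the same IP in the same window."""
    window = [f for f in flows
              if f.src_ip == alert.src_ip
              and f.start - slack <= alert.time <= f.end + slack]
    exact = [f for f in window
             if f.dst_ip == alert.dst_ip and f.dst_port == alert.dst_port]
    chosen = exact or window
    if not chosen:
        return None
    udids = {f.udid for f in chosen}
    if len(udids) > 1:
        raise ValueError(f"ambiguous: {sorted(udids)} all claim {alert.src_ip}")
    f = chosen[0]
    return Attribution(f.udid, f.hostname, f.user, f.process, f.process_hash,
                       f.parent_process, len(chosen))

def demo():
    """Constructed records: lee's laptop held 10.1.2.3 in the morning (rotating
    its MAC between flows); DHCP later handed the same IP to a different device."""
    def t(hh, mm):
        return datetime(2023, 6, 7, hh, mm)
    flows = [
        NvmFlow(t(9, 0), t(9, 5), "10.1.2.3", "10.1.0.53", 53, "UDID-A", "lee-laptop",
                "lee", "chrome.exe", "aa11", "explorer.exe", "02:11:22:33:44:55"),
        NvmFlow(t(9, 10), t(9, 20), "10.1.2.3", "203.0.113.7", 443, "UDID-A", "lee-laptop",
                "lee", "chrome.exe", "aa11", "explorer.exe", "02:66:77:88:99:aa"),
        NvmFlow(t(10, 0), t(10, 30), "10.1.2.3", "198.51.100.9", 443, "UDID-B", "kiosk-2",
                "kiosk", "signage.exe", "bb22", "services.exe", "02:de:ad:be:ef:00"),
    ]
    alert = NdrAlert(t(9, 15), "10.1.2.3", "203.0.113.7", 443)  # NDR: IP + time only
    return attribute(alert, flows), owner_by_latest_record("10.1.2.3", flows)
```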
Cisco Secure Client / XDR Architecture
Diagram layers: Cloud Infrastructure (Secure Endpoint Cloud, Orbital Cloud, SSE/Umbrella, Flow Collector; CSC Services: Downloader, Unified UI, PKG MGR, ID MGR, Admin, NVM Auth; Cisco XDR Services: Analytics, CTR, SxO Automation, Incident MGR, DI, Data Repo); Enterprise Network (ASA, FTD); Endpoint (Cisco Secure Client with Cloud Management Module, Package Manager, Identity Module, Unified UI, VPN, Posture, Umbrella, NVM, DART; Cisco Secure Endpoint Connector; Orbital).

NVM Event Viewer in XDR Analytics
- Instant Filters: Search activity per attribute, or many with advanced search.
- New NVM Flows Tab
- Telemetry Details: See the detailed telemetry collected from the flow.

Simplicity! NVM Profiles
From This: / To This: Default XDR Deployment - Default CM Profile - Default NVM Profile. Just download & install, no config needed.

NVM Provides Detections and Decorations
- Displays Lateral Movement
- Provides the East-West & North-South visibility and correlation
- Direct source of observables
- For brand-new detections in XDR Analytics

That's a wrap!

So What Happens Now?
- All existing integrations for SecureX & SCA will continue to work.
- All existing orchestration workflows will continue to work.
- SecureX will continue to exist for CSC management & existing customers who did not migrate to XDR.
- No end-of-life has been announced for SecureX (yet).
- XDR is a new product, and Cisco is charging for it.
- SecureX can migrate to Cisco XDR.
- Secure Cloud Analytics becomes XDR.

Cisco XDR Public Preview Sign-up

Fill out your session surveys!
These points help you get on the leaderboard and increase your chances of winning daily and grand prizes. Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed. Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Capture the Flag with XDR
Stop by Capture the Flag to get some hands-on experience working with XDR as a security analyst on a mission!

Day        Hours
Monday     8:30 AM to 6 PM
Tuesday    8:30 AM to 5 PM
Wednesday  8:30 AM to 5 PM
Thursday   8:30 AM to 1 PM

Recommendations for learning (XDR & CSC related)
Based on your attendance in this session, these are some other sessions that have been hand-chosen for you. If you are unable to attend a live session, you can watch it On Demand after the event.
- Jun 5 | 08:00 BRKSEC-2834 Cisco's Unified Agent: Cisco Secure Client. Bringing AMP, AnyConnect, Orbital & Umbrella together
- Jun 5 | 15:00 BRKMER-2003 Meraki with Secure Network Analytics and XDR: Threat Detection for the Rest of Us
- Jun 5 | 16:00 BRKSEC-1023 Accelerate your SOC with Cisco XDR
- Jun 5-8 LABSEC-2776 Cisco Secure Client and Device Insights: better together
- Jun 6 | 08:45 BRKSEC-2095 Cisco XDR with Email: Protect, Analyze and Evolve the SMTP Conversation
- Jun 6 | 13:00 BRKSEC-2084 Seeing is Believing: Unlocking XDR Outcomes with Visibility
- Jun 7 | 13:00 BRKSEC-2113 Cisco XDR: Making sense of the Solution and how it's a Security Productivity Tool (START: this session)
- Jun 8 | 9:30 BRKSEC-2178 Extended Detection w/ Cisco XDR: Security Analysis across the enterprise
- Jun 8 | 9:30 BRKSEC-2931 Building, Proving, and Extending Detections in Secure Analytics
- Jun 8 | 13:00 BRKSEC-3116 Automating your Cisco XDR Workflows: from Threat Hunting, to Finding and Confirming Incidents, to Responding!

Thank you

Gamify your Cisco Live experience! Get points for attending this session!
How:
1. Open the Cisco Events App.
2. Click on Cisco Live Challenge in the side menu.
3. Click on View Your Badges at the top.
4. Click the + at the bottom of the screen and scan the QR code.