Meraki with Secure Network Analytics and XDR: Threat Detection for the Rest of Us (PDF, 62 pages)
#CiscoLive BRKMER-2003
Threat Detection for the Rest of Us: Meraki with Secure Network Analytics and XDR
Alex Burger, Senior Technical Marketing Engineer (aaburger85)
Matt Robertson, Distinguished Engineer (mattrobertson25)
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session:
1. Find this session in the Cisco Live Mobile App
2. Click "Join the Discussion"
3. Install the Webex App or go directly to the Webex space
4. Enter messages/questions in the Webex space
Webex spaces will be moderated by the speaker until June 9, 2023.

Agenda
- Introduction
- Secure Network Analytics and XDR
- Telemetry from the Meraki Network
- Adaptive Policy
- Threat Detection and Response
- Summary
Watch out for this guy! (ISE)

About Us
- Alex Burger, Sr. Technical Marketing Engineer
- Matt Robertson, Distinguished Engineer

Cisco Secure Network Analytics & Cisco XDR

Security Operations: Detect, Investigate & Respond
Evidence: What did they get? When did they get it? Where did they go? Are they still here? Who is "they"?
OODA loop: Observe, Orient, Decide, Act

Investigating with OODA
- Observation: missing beer
- Orient: gather data
- Orient: convict (Darrin Miller: beer thief)
- Decide
- Act

Observation to Action
- Past exposure: missing beer
- Ongoing exposure: recover the missing beer; prevent Darrin from taking my beer
1. Understand past exposure
2. Monitor & control ongoing exposure
Conviction: who, what, when, where, why, how

Accelerating the SOC's OODA Loop
- Ensure all the relevant data is available to an analyst for observation and orientation
- Prioritize & accelerate orientation and decision making in the context of the business
- Execute a decision
(Diagram: Input, Corpus, Output; Observe, Orient, Decide, Act)
SNA & XDR
- Cisco SNA: Secure Network Analytics is a collector and aggregator of network telemetry for the purposes of security analysis and monitoring. On-premises appliances with optional cloud assist.
- Cisco XDR is a collector and aggregator of multiple telemetry sources for the purposes of threat detection and response. SaaS delivered.
(Diagram: network telemetry into SNA; more telemetry into XDR)

Powering Visibility & Analytics with Telemetry
- Nouns and verbs: data, collection, analysis, outcomes, storage
- Telemetry: any data that is useful in powering the analytical outcome. This is what's important.

Telemetry in SNA
- NetFlow/IPFIX network traffic
- Other telemetry: NetFlow/IPFIX, web logs, VPC flow logs, NVM logs*, Firewall logs (SAL)*
- Components: Cisco Telemetry Broker, Flow Collector, Central Data Store, Manager, Flow Sensor, pxGrid, Threat Intel, Config
- Telemetry is collected, synthesized, correlated and stored in the "Flow Table". A conceptual bi-directional conversation is created, known as the "bi-flow".
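The bi-flow construction described above, as an added example (not SNA's code): two one-way NetFlow/IPFIX records are matched on a direction-independent key and merged into one conversation record. The initiator heuristic and the sample records (modelled on the deck's 10.2.2.2:1024 <-> 10.1.1.1:80 rows) are this example's assumptions.

```python
"""Stitch unidirectional NetFlow/IPFIX records into SNA-style bi-flows.

Added example, not Cisco SNA code; input rows are constructed after the deck's
10.2.2.2:1024 <-> 10.1.1.1:80 example (byte counts and SGT values made up).
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class FlowRecord:
    start: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    pkts: int
    octets: int
    flags: frozenset
    sgt: int = 0  # source Security Group Tag; 0 = unknown/not exported (TrustSec reserves tag 0)


def biflow_key(r: FlowRecord) -> tuple:
    """Direction-independent key so both halves of a conversation collide."""
    ends = sorted([(r.src_ip, r.src_port), (r.dst_ip, r.dst_port)])
    return (r.proto, ends[0], ends[1])


def stitch(records: list) -> list:
    """Merge records sharing a key into one bi-flow. Initiator heuristic (this example's
    assumption, not SNA's documented logic): the earliest record is the client side."""
    groups = {}
    for r in records:
        groups.setdefault(biflow_key(r), []).append(r)
    biflows = []
    for recs in groups.values():
        recs.sort(key=lambda r: r.start)
        c = recs[0]
        fwd = [r for r in recs if (r.src_ip, r.src_port) == (c.src_ip, c.src_port)]
        rev = [r for r in recs if (r.src_ip, r.src_port) != (c.src_ip, c.src_port)]
        biflows.append({
            "start": c.start, "proto": c.proto, "complete": bool(fwd) and bool(rev),
            "client": f"{c.src_ip}:{c.src_port}", "server": f"{c.dst_ip}:{c.dst_port}",
            "client_pkts": sum(r.pkts for r in fwd), "client_bytes": sum(r.octets for r in fwd),
            "server_pkts": sum(r.pkts for r in rev), "server_bytes": sum(r.octets for r in rev),
            "flags": frozenset().union(*(r.flags for r in recs)),
            "sgt": c.sgt,  # client's group; the server's group comes from the reply record
            "dgt": next((r.sgt for r in rev if r.sgt), 0),
        })
    return biflows


def sample_records() -> list:
    """Constructed input: the deck's two one-way rows plus a flow seen in one direction only."""
    t = datetime(2023, 6, 1, 10, 20, 12)
    return [
        FlowRecord(t.replace(microsecond=221000), "10.2.2.2", 1024, "10.1.1.1", 80, "TCP",
                   5, 420, frozenset({"SYN", "ACK", "PSH"}), sgt=5),
        FlowRecord(t.replace(microsecond=871000), "10.1.1.1", 80, "10.2.2.2", 1024, "TCP",
                   4, 1800, frozenset({"SYN", "ACK", "FIN"}), sgt=10),
        FlowRecord(t.replace(second=30), "10.2.2.9", 40000, "10.1.1.1", 443, "TCP",
                   3, 200, frozenset({"SYN"}), sgt=5),  # reply path never exported
    ]
```

A bi-flow with `complete` False is the case the deck's "not all exporters are created equal" note warns about: only one side of the conversation reached the collector.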
Analytics Pipeline
- Flow data (north-south biflow) feeds the Flow Collector, Central Data Store and Manager; Threat Intel and the Analytics Node feed in; incidents are created in SecureX
- Analytics: Core Events, Relationship Events, Custom Events, Network Visibility, Policy Analytics, Global Threat Alerts, XDR Analytics
- Analytics are run against the collected data

Example Analytical Outcomes
- Security Policy: analyse network behaviour to design, implement and validate security policy
- Threat Detection: analyse network behaviour to infer the presence of a threat actor
- Network Visibility: analyse network behaviour to design, implement and validate network operations

A Note about Data and Analytics
- Analytical outcomes are driven by data: to get specific analytical outcomes, specific data is required
- Not all data exporters are created equal: data (e.g. NetFlow fields) can vary between devices
- SNA data processing attempts to capture unique data

Understanding Bi-Flow Enrichment
- Enrichment fields: HTTP(S) requests, HTTP(S) responses, HTTP(S) URL, custom HTTP(S) headers, username, TLS version, key exchange, authentication alg., MAC, MAC address, TrustSec info, OS, process name, process hash, process account, parent process name, parent process hash, flow action, translated port/IP, L7 application, HTTP requests, HTTP responses, SRT/RTT, TCP flags, payload, SRC/DST IP address, SRC/DST port, bytes/pkts sent, bytes/pkts received, host groups
- Sources: AnyConnect Secure Mobility Client, Identity Services Engine, AHGA/ADC*, proxy integration*, Web Security Appliance, other web proxies, ETA capable devices, Secure Firewall, Flow Sensor and some AVC enabled devices, NetFlow enabled devices, IPAM DB, Threat Intel, Network

Telemetry from the Meraki Network

Meraki NetFlow Exporters
- Meraki MX: NetFlow v9
- Meraki MS390 & C9300-M: IPFIX enriched with Application and ETA

MS NetFlow v10 (IPFIX) Details
- Match: SRC/DST IP, SRC interface, SRC/DST port, protocol
- Collect: Application, Security Group Tag, connection client location (IP, port, direction, VLAN, observation point), connection client counters (bytes, packets, timestamps, TCP flags), connection state (server, source port, dest port, initiator)
- Encrypted Traffic Analytics: initial data packet, sequence of packet lengths and times, byte distribution
Transactional Telemetry with NetFlow
Example flow: 10.2.2.2 port 1024 (eth0/1) <-> 10.1.1.1 port 80 (eth0/2)

Start Time   | Interface | Src IP   | Src Port | Dest IP  | Dest Port | Proto | Pkts/Bytes Sent | SGT | DGT | TCP Flags
10:20:12.221 | eth0/1    | 10.2.2.2 | 1024     | 10.1.1.1 | 80        | TCP   | 5               |     |     | SYN,ACK,PSH
10:20:12.871 | eth0/2    | 10.1.1.1 | 80       | 10.2.2.2 | 1024      | TCP   | 100             |     |     | SYN,ACK,FIN

NetFlow is a protocol. The metadata and sample rate are what's important.

Enhanced Telemetry for Encrypted Traffic Analytics
- Initial Data Packet (IDP): IP header, TCP header, TLS header (TLS version, SNI, ciphersuites, certificate: organisation, issuer, issued, expires). The initial data packet is the first application layer message; in TLS this is the Client Hello and Server Hello.
- Sequence of Packet Lengths and Times (SPLT): size and timing of the first packets of a flow, measured from flow start. Useful in identifying application and data types and characterizing the source of encrypted traffic flows.

The Meraki MS390 & C9300-M
- Cisco hardware, Meraki cloud management
- Modular uplinks: 8 x 10G, 2 x 40G
- Stacking: 480 Gbps
- mGig: 24 x 10 Gbps, 48 x 5 Gbps
- PoE: 24/48 port, 802.3bt
- Redundancy: StackPower, hot-swap fans

The Meraki MS390 & C9300-M: Flow Configuration
- Validated NetFlow export to SNA or SCA
- Rapid, one-click config & deployment

NetFlow & Encrypted Traffic Analytics
- IPFIX with IPv4/IPv6/Adaptive Policy/NBAR/ETA*; should work with any standard up-to-date collector
- AVC NetFlow*: IPv4 and v6 records built for Cisco Secure Analytics
- NetFlow and ETA on every port on every supported switch in the network
- Encrypted Traffic Analytics*: in-depth analysis of traffic without MITM decryption
- Adaptive Policy*: export of source Security Group Tags (SGTs)
* When integrated with Cisco Secure Network and/or Cloud Analytics; requires Advanced licensing

MS NetFlow v10 Details (NetFlow/IPFIX): same match, collect and Encrypted Traffic Analytics fields as listed above

MS390 & C9300-M is an ideal SNA telemetry source
- ETA "encryption fields"
- Application (NBAR) data
- Line rate, hardware supported telemetry
- Deep packet inspection enables application recognition
- Telemetry for advanced encrypted traffic analytics
- One click deployment to all devices

DEMO: How to enable NetFlow/IPFIX/ETA on Meraki
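The Initial Data Packet and SPLT fields described above, as an added example (not Cisco or Meraki code): a minimal TLS Client Hello is built in memory and the version, SNI and ciphersuite fields an ETA exporter can read without decryption are extracted, plus the packet length/timing sequence. The constructed Client Hello and the sample timings are assumptions.

```python
"""Extract ETA-style Initial Data Packet fields from a TLS Client Hello.

Added example, not Cisco/Meraki code: what an exporter can read from the first
application-layer message without decrypting anything (TLS version, SNI, offered
ciphersuites), plus the SPLT of a flow's first packets. The Client Hello is built here.
"""
import struct

SNI_EXT, SUPPORTED_VERSIONS_EXT = 0x0000, 0x002B


def build_client_hello(sni: str, suites: list, versions: list) -> bytes:
    """Minimal TLS record carrying a Client Hello (constructed input, not a capture)."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ver_ext = bytes([2 * len(versions)]) + b"".join(struct.pack("!H", v) for v in versions)
    exts = (struct.pack("!HH", SNI_EXT, len(sni_ext)) + sni_ext
            + struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(ver_ext)) + ver_ext)
    body = (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"        # legacy_version, random, no session id
            + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                           # compression methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(pkt: bytes) -> dict:
    """IDP fields: record-layer and legacy versions, supported_versions, SNI, ciphersuites."""
    if pkt[0] != 0x16 or pkt[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a Client Hello")
    info = {"record_version": struct.unpack_from("!H", pkt, 1)[0], "versions": [], "sni": None}
    p = 9                                                    # past record (5) + handshake (4) headers
    info["legacy_version"] = struct.unpack_from("!H", pkt, p)[0]
    p += 2 + 32                                              # legacy_version + random
    p += 1 + pkt[p]                                          # session id
    n = struct.unpack_from("!H", pkt, p)[0]
    p += 2
    info["suites"] = [struct.unpack_from("!H", pkt, p + i)[0] for i in range(0, n, 2)]
    p += n
    p += 1 + pkt[p]                                          # compression methods
    end = p + 2 + struct.unpack_from("!H", pkt, p)[0]
    p += 2
    while p < end:                                           # walk extensions
        etype, elen = struct.unpack_from("!HH", pkt, p)
        data, p = pkt[p + 4:p + 4 + elen], p + 4 + elen
        if etype == SNI_EXT:                                 # list len(2), type(1), name len(2), name
            info["sni"] = data[5:5 + struct.unpack_from("!H", data, 3)[0]].decode()
        elif etype == SUPPORTED_VERSIONS_EXT:                # len(1) then 2-byte versions
            info["versions"] = [struct.unpack_from("!H", data, 1 + i)[0] for i in range(0, data[0], 2)]
    return info


def splt(packets: list, n: int = 5) -> list:
    """Sequence of Packet Lengths and Times: (length, ms since previous packet) for the first n."""
    out, prev = [], packets[0][0]
    for ts, length in packets[:n]:
        out.append((length, round((ts - prev) * 1000)))
        prev = ts
    return out
```

Note that the legacy_version field still reads 0x0303 while supported_versions advertises TLS 1.3 (0x0304); a collector that reports only the record or legacy version field will mislabel TLS 1.3 flows.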
Adaptive Policy

Adaptive Policy: Micro-Segmentation and Context with Security Group Tags
- Context shared over the data-plane, providing identical policy for wired and wireless access
- Utilizing inline Security Group Tags (SGTs)
- Organization-wide intent-based policy

Flexible Group Assignment
- Static port assignment: fixed wired devices without a supplicant
- Static SSID assignment: single-use SSIDs like guest
- Dynamic via RADIUS: wired and wireless MAB/802.1X & iPSK with RADIUS
- IP prefix to SGT map: last-resort traffic match based on IP/subnet
(Diagram: hosted servers 10.10.10.0/24)

Security Group Based Policies (Adaptive Policy)
- Up to 16 ACE entries; 7x SGACLs
- TCP SRC/DST ranges, UDP SRC/DST ranges, ICMP
- ACLs processed in the direction of source to destination, at the destination egress
- * Working on support for TCP states for semi-stateful processing

One Consistent Policy Across Networks
- SRC|DST matrix: Employee, IoT, IoT Server
- Policy & groups are configured in dashboard and pushed to Adaptive Policy nodes like any other Meraki configuration change

API First!
- All configuration available via API: adaptivePolicy/ groups, acls, bindings, settings

Native Policy Syncing to Dashboard in ISE 3.2 P1
- Using Dashboard APIs
- Pushed directly from ISE
- Single source of truth

DEMO: Setting up Adaptive Policy and ISE

Scalable Identity and Context
- Sharing information over the dataplane, in every packet: IP header, CMD, SGT=5
- Example: 10.0.0.5 carries SGT=5 (Employees): "This packet is from an Employee"

Adaptive Policy & Secure Network Analytics
- Cell details: up to 90 days of historical data
- Informed policy creation and validation
- Group based policy and traffic flow tracking
- Global flow visibility and context

SNA: Adaptive Policy Analytics Report
Designed to help verify correctness and adherence to Adaptive Policy: Is my security policy being enforced as intended? Is my security policy correct?
Policy analysis legend:
- Triangle: potential policy violation
- Question mark: unsupported policy
- Gray: no traffic
- Green: there is traffic and a permit IP ACL exists
- Red: there is traffic and a deny IP ACL exists
- Blue: there is traffic and an ACL other than permit IP or deny IP exists
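The report legend above, as an added example (not SNA's code): bi-flows carrying exported source/destination tags are aggregated per policy-matrix cell and each cell is coloured by the legend's rules, with red cells sorted first. Group names, tag numbers, ACL strings, flows and the meaning assigned to "?" are constructed assumptions.

```python
"""Colour an Adaptive Policy matrix the way the SNA Adaptive Policy Analytics Report does.

Added example, not SNA code. Input: the ACL bound to each (source group, destination
group) cell and bi-flows carrying the exported source/destination tags. Output: one row
per cell with the report's colour. Groups, tags, ACLs and flows are all constructed.
"""
from collections import Counter

PERMIT_IP, DENY_IP = "permit ip", "deny ip"   # the two ACLs the report's legend singles out


def cell_colour(acl: str, traffic_seen: bool) -> str:
    """Deck legend: gray no traffic; green traffic + permit IP; red traffic + deny IP;
    blue traffic + any other ACL."""
    if not traffic_seen:
        return "gray"
    return {PERMIT_IP: "green", DENY_IP: "red"}.get(acl, "blue")


def analyse(groups: dict, policy: dict, flows: list) -> list:
    """One report row per (src SGT, dst SGT) cell, red cells first.

    `policy` maps a cell to its bound ACL in the source->destination direction, which is
    how the switch enforces it at destination egress. A cell with no evaluable ACL gets
    "?" (the legend's "unsupported policy"; its exact meaning is this example's assumption).
    Flows whose tags are not known groups are skipped here and counted by `untagged()`.
    """
    count, volume = Counter(), Counter()
    for f in flows:
        cell = (f.get("sgt"), f.get("dgt"))
        if cell[0] in groups and cell[1] in groups:
            count[cell] += 1
            volume[cell] += f.get("client_bytes", 0) + f.get("server_bytes", 0)
    rows = []
    for s in groups:
        for d in groups:
            acl = policy.get((s, d))
            colour = "?" if acl is None else cell_colour(acl, count[(s, d)] > 0)
            rows.append({"src": groups[s], "dst": groups[d], "acl": acl, "colour": colour,
                         "flows": count[(s, d)], "bytes": volume[(s, d)]})
    # Traffic observed where the bound ACL denies it is what an analyst should check first
    order = {"red": 0, "blue": 1, "green": 2, "?": 3, "gray": 4}
    return sorted(rows, key=lambda r: (order[r["colour"]], -r["bytes"]))


def untagged(groups: dict, flows: list) -> int:
    """Flows without a usable tag pair, e.g. exported from a port outside Adaptive Policy."""
    return sum(1 for f in flows if f.get("sgt") not in groups or f.get("dgt") not in groups)


def sample() -> tuple:
    """Constructed data modelled on the deck's Employee / IoT / IoT Server matrix."""
    groups = {5: "Employee", 10: "IoT", 20: "IoT Server"}
    policy = {(5, 5): PERMIT_IP, (5, 10): DENY_IP, (5, 20): PERMIT_IP,
              (10, 5): DENY_IP, (10, 10): DENY_IP, (10, 20): "permit tcp dst eq 8883",
              (20, 5): PERMIT_IP, (20, 20): PERMIT_IP}       # (20, 10) left unbound on purpose
    flows = [
        {"sgt": 5, "dgt": 20, "client_bytes": 900, "server_bytes": 4000},  # Employee -> IoT Server
        {"sgt": 10, "dgt": 20, "client_bytes": 300, "server_bytes": 120},  # IoT -> IoT Server (MQTT)
        {"sgt": 10, "dgt": 5, "client_bytes": 60, "server_bytes": 0},      # IoT -> Employee, deny ip cell
        {"sgt": None, "dgt": 5, "client_bytes": 10, "server_bytes": 10},   # no source tag exported
    ]
    return groups, policy, flows
```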
(Extended) Detection and Response

Layers of Detection in SNA
- Core Events: run on each Flow Collector; 98+ tunable behavioural algorithms: statistical anomaly detection, policy based detection
- "Analytics" Node (new): runs on the Manager, requires Central Data Store; common network flow analytics with Secure Cloud Analytics
- Relationship Events: interaction between host groups that violates a policy setting; directly created or automatically created from the network diagram
- Custom Security Events: user defined policy; generate an alarm based on flow attributes
- Global Threat Alerts (Cognitive Intelligence): multi-layer machine learning; malware classification in encrypted and un-encrypted traffic; global campaign correlation to local incidents
- Threat Intelligence: C&C, bogon, Tor entry/exit nodes; powered by Cisco Talos
- XDR Analytics: comprehensive entity modelling; 140+ (and growing) network, IaaS and endpoint behaviour alarms; attack chaining; additional license required
(Layers marked as on box or cloud enabled)

Cisco XDR
- Collect telemetry from multiple data sources
- Analyse telemetry to detect threats
- Facilitate response and remediation of threats
- Extend/enhance and prioritise threats

Cisco XDR Integration Surfaces
- Data warehouse and Analytics: curated data goes into the data warehouse and analytical models
- Enrichment: data held at the integrated product, pulled in via API for incident enrichment/investigation
- Device Insights: sources that create/enrich device details, e.g. EDRs
- Incidents: from XDR Analytics, a selected integration or the API
- Response: built-in response actions and/or workflows
- Control Center UI widget; Ribbon action
Any integration can be one or more of these.

Meraki & XDR Integration Surfaces
- Data warehouse and Analytics: NetFlow/IPFIX ingested for network detections
- Enrichment: leveraging an API module
- Device Insights: sources that create/enrich device details, e.g. EDRs
- Incidents: from XDR Analytics, a selected integration or the API
- Response: response workflows available for integration
- Control Center UI widget through the module; action

XDR Analytics Pipeline
- Telemetry into the Data Warehouse: flow data, NVM logs, cloud logs, NGFW logs, ISE logs, etc.
- Entity: any object upon which we can make an observation (IP address, hostname, username, instance ID, etc.)
- Role: functional classification of an entity based on observed attributes
- Rules: config that influences the model
- Observations: an activity that we are watching for
- Alert: notification of something of potential interest
- Attack Chain: automatic correlation of related alerts

XDR Analytics: Attack Chain
- Correlated leveraging common observables
- Timeline view of alert types
- Chained leveraging MITRE ATT&CK data
- Automatic correlation of related alerts

Example Detection and Response Scenario
- Data: NVM logs, NetFlow, firewall logs, cloud logs
- Detection analytics, enrichment, prioritisation, response
- Extended Threat Detection and Response: multi-stage attack with response on the Meraki network

DEMO: Threat Detection Examples

Response with Adaptive Network Control

MS390 with Secure Network Analytics & ISE
- Automated threat response and alerting
- Telemetry (NetFlow & ETA) provided by the MS390 to SNA
- SNA triggers CoA via ISE (pxGrid ANC); ISE issues a RADIUS CoA
- Flexible outcomes: policy violation
A true multi-domain zero-trust framework
- Cisco SGT-based security domain and Meraki Adaptive Policy domain linked by SGT trust; ISE

Export: alarm response rules & actions
- Create rules to automate response/export on occurrence of an alarm
- Leverage built-in tiered alarm severity rules
- Define automated actions when an alarm rule is hit: ISE ANC, syslog, etc.
- Create a SecureX Threat Response incident

Remediating Action with ISE
1. Create an "ISE ANC Policy" action rule and associate a configured ISE cluster.
2. Define a response rule that invokes the defined action.

DEMO: Setting up ANC policies with Meraki, ISE, and SNA

Summary

Continue your education
- Visit the Cisco Showcase for related demos
- Book your one-on-one Meet the Engineer meeting
- Attend the interactive education with DevNet, Capture the Flag, and Walk-in Labs
- Visit the On-Demand Library for more sessions at www.CiscoL

Some Related Sessions
- BRKSEC-2053 Zero Trust: Securing the Evolving Workplace, Monday 1:00 PM
- BRKMER-2010 Meraki MS Security: A Deep-Dive into Cloud Managed Switching Security Solution and Best Practices, Wednesday 10:30 AM
- BRKSEC-2178 Extended Detection with Cisco XDR: Security analytics across the enterprise, Thursday 9:30 AM
Speakers: Alex Burger, Senior TME; Darrin Miller, Distinguished TME; Matthew Robertson, Distinguished TME

Fill out your session surveys!
- Attendees who fill out a minimum of four session surveys and the overall event survey will get Cisco Live-branded socks (while supplies last)!
- Attendees will also earn 100 points in the Cisco Live Challenge for every survey completed. These points help you get on the leaderboard and increase your chances of winning daily and grand prizes.

Complete your Online Session Evaluation

Parting Thoughts
- Keep your eyes open and don't have your beer stolen.
- Meraki is heavily integrated with Cisco SNA and XDR.
- Simplify your security operations with security analytics and XDR!
Thank you
64、isco Public#CiscoLiveComplete your Online Session Evaluation5959BRKMER-2003 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveParting Thoughts 60BRKMER-2003Keep your eyes openand dont have your beer stolen.Meraki is heavily integrated with Cisco SNA and XDR Simplify your security operations with security analytics and XDR!Thank you#CiscoLive#CiscoLive