Zheng Yuming (郑聿铭): From EDR to XDR, Building an Active Defense System
2021 FireEye

About EDR and XDR

Definition of Endpoint Detection & Response (EDR)
"The EDR market is defined as solutions that record endpoint-system-level behaviors and events (for example user, file, process, registry, memory and network events), and store this information either locally on the endpoint or in a centralized database. Databases of known IOCs and behavior analytics techniques are then used to continually search the data to identify early identification of breaches (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide response capability."

The three characteristics of EDR
Records endpoint behavior (telemetry)
Identifies early intrusions (IOCs)
Confirms the scope of an intrusion (investigation)

EDR timeline
2010-10: Mandiant Intelligent Response introduced, which evolved into FireEye Endpoint Security
2016-06: Comparison of EDR Technologies & Solutions
2016: Market Guide for EDR Solutions
2019: Market Guide for EDR Solutions
"At one time, Mandiant Consulting (now part of FireEye), with its Mandiant Intelligent Response (MIR) commercial tool (and its freeware cousin, called Redline), was the only one playing that game."

Definition of Extended Detection & Response (XDR)
"Extended detection and response (XDR) is a vendor-specific, threat detection and incident response tool that unifies multiple security products into a security operations system. Primary functions include centralization and normalization of data in a repository for analysis and query, improved protection and detection sensitivity resulting from simplified configuration and security product coordination. The incident response capability can change the state of individual security products as part of the recovery process. XDRs are similar in function to security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools."
Source: Gartner, Hype Cycle for Endpoint Security, 2020

The three characteristics of XDR
Centralizes data from multiple sources
Similar in function to SIEM and SOAR tools
Improved protection and detection sensitivity

Positioning of EDR and XDR in building a security operations system
Fundamental capabilities: Network visibility; Endpoint visibility; Authentication; Basic cloud visibility; Vulnerability identification; Criticality classification; Log management strategy; Fast retrieval for investigations; Use case development; Business specific logic; Indicator search
Advanced capabilities: Automated security monitoring; Automated case building and scoping; Orchestrated response actions; Workflow and case mgmt.; Deception decoys and lures; EDR alert and recording; Advanced cloud visibility; Specialized controls (e.g. ICS)
Layers of the model: Control Fabric & Sensor Grid; Data Lake, SIEM & Correlation; Security Automation & Workflow; Advanced Sensor Grid

What real-world feedback says
88% consider reducing false positives the SOC's top-priority pain point
53% rate their SOC as effective at detecting attacks
64% of organizations say there are too many alerts to track
5 & 35: analysts to be hired in 2021; 3: analysts who will resign or be fired in 2021

Why SOCs end up this way
Security analysts: massive alert volumes and tedious forensic analysis
Incident responders: false positives and insufficient supporting evidence
Security engineers/architects: constantly tuning rules and updating content
SOC managers: staff turnover and job satisfaction

The gap between SIEM and SOAR
SIEM, what it brought us: centralized log collection; normalized events; correlation logic and alerting
SIEM, where it came up short: inability to consider dozens to hundreds of factors for decision making; not a solution that can reason by proving or disproving a hypothesis; requires time and expertise to build rules; difficult to use for full decision making unless very simplistic
SIEM, what we learned and used: additional context is crucial in decision making; create an application, not a platform
SOAR, what it brought us: enrichment of an event for an analyst; simple decision tree reasoning
SOAR, where it came up short: requires time and expertise to build programmed playbooks; limited event volume ingestion rates result in difficulty scaling; simple logic can be used to gather evidence, but not make a complex decision
SOAR, what we learned and used: decision trees alone do not equal the equivalent reasoning of a first line analyst; again, create an application, not a platform

Positioning of EDR and XDR in building a security operations system (continued)
Same capability map as above, with an additional layer, Advanced Security Analytics: Automated integrated reasoning; ML and anomaly detection; Threat hunting; Insider threat detection
2019 FireEye | Private & Confidential

FireEye XDR solution vision
Accelerate human-machine collaboration in security operations to catch more attacks, faster.
Machine (MIPS 300K), execution: CONSISTENCY, DEPTH, ACCURACY, MEMORY, SCALABILITY, COVERAGE
Human (IQ 100), insight: CURIOSITY, CREATIVITY, COLLABORATION, CARE, TASK VALUE
Shared reasoning chain: FACTS, CONTEXT, JUDGEMENT, REASONING
Activities: REACT, LEARN, IMPROVE, MONITOR, UNDERSTAND, EXPLAIN, ESCALATE, HUNT FOR NOVEL, INVESTIGATE, RESPOND, COORDINATE

FireEye XDR solution: Mandiant Defense (aka Respond Software)
Founded in 2016, acquired in 2020
Mandiant Defense is not a SIEM and not a SOAR; it complements both
Mandiant Defense is an open XDR engine
Mandiant Defense is an out-of-the-box analysis, investigation and forensics expert: it automatically sifts through massive volumes of data, determines likely false positives and real threats, and learns continuously from feedback

Where FireEye Mandiant Defense sits in the SOC (architecture diagram)
Sensor Grid: NIDS, EPP/EDR, WF, FireEye Endpoint, FireEye Helix, Threat Intel, Mandiant Threat Intel
Ingestion paths into Mandiant Defense: STREAM, QUERY, POLL
Mandiant Defense internals: Data Processors; Data Repository; Investigation Models; Company Context/Enrichment; Potential Incidents
Outputs: Notification Services; Case Mgmt/SOAR; Syslog/App Integration; Operations Management
FEEDBACK loops from analysts and from Mandiant Managed Defense back into the engine

Flexible deployment architecture
Mandiant Defense Cloud: Mandiant Defense, Customer Instance
Customer Premises: Data Sources (NIDS, ICS, EPP, WF, AD, DHCP, Scanners, SIEM, Data Lake); Analyst Server (Controller) delivered as OVA/Software/AMI; Stream and Poll collection
Customer Premises advantages:
1. Network bandwidth concerns
2. Integration with on-premises sources of data
3. Integration with on-premises incident management
4. Privacy matters

Integrated Reasoning: the intelligent decision engine
Question: How suspicious is the pattern of events? / Human analyst: Best guess, instinct, research / Mandiant Defense: Ask for more information
Question: Is the signature related to command-and-control malware? / Human analyst: Signature mapping/categorization, Google, wiki / Mandiant Defense: Observe categorization
Question: Has the same signature been seen multiple times with the same source and destination? / Human analyst: Search logs via SIEM or IPS console with a filter set (sig=x, source=y & dest=y) / Mandiant Defense: Observe pattern table facts
Question: Has the same source and same signature been seen on 30+ destinations? / Human analyst: Search logs (sig=x and source=y where distinct(dest)>=30) / Mandiant Defense: Observe pattern table facts
Question: Have multiple sources used a single signature repeatedly over the past 15 days? / Human analyst: Search logs via SIEM or IPS console (unique source for signature where count>1 and time=last15d) / Mandiant Defense: Observe pattern table facts for the past 15 days
Question: Has the source been a destination in a previous event with the same signature? / Human analyst: Search logs via SIEM or IPS console, sort output, filter again, sort again. Good luck. / Mandiant Defense: Observe pattern table facts to find the matching condition
Question: Have multiple sources used a single signature for the first time in the past 1 day? / Human analyst: Search logs via SIEM or IPS console (unique source for signature where time=last24h) / Mandiant Defense: Observe pattern table facts for the last 24 hours

The eXtended Detection & Response (XDR) Engine: FireEye Mandiant Defense, an out-of-the-box security analysis expert
Pipeline: SENSORS, CONTEXT, Integrated Reasoning
Benefits: Leaves data where it is; Accurate and consistent; Massive reduction in false positives; Fast investigation-to-escalation; Rules not required, reducing engineering time and costs; Controls agnostic, leverage best-of-breed solutions
What it does: Gathers evidence from siloed sensors; Automatically incorporates company-specific context; Triages 100% of alerts; Groups all events and alerts into one incident; Takes feedback and adjusts automatically

FireEye Mandiant overall APT protection solution
Intelligence: Mandiant Threat Intelligence
Technology: FireEye Endpoint Security HX; Mandiant Automated Defense (Respond)
Expertise and Services: Mandiant Managed Validation; Mandiant Managed Defense
28、orates company specific contextTriages 100%of alertsGroups all events and alerts into one incidentTakes feedback and adjusts automatically 2019 FireEye|Private&Confidential 2021 FireEye22FireEye Mandiant APT防护整体解决方案防护整体解决方案Mandiant Threat IntelligenceFireEye Endpoint Security HXMandiant Automated Defense(Respond)Mandiant Managed ValidationMandiant Managed DefenseExpertise and ServicesTechnologyIntelligence