Cisco Connect Toronto 2017 - Accelerating Incident Response in Organizations of Any Size - final


© 2016 Cisco and/or its affiliates. All rights reserved. 1

Cisco Connect

Accelerating Incident Response in Organizations of Any Size

Sean Earhard, Advanced Threat Solution Specialist
Jean-Paul Kerouanton, Advanced Threat Solution CSE

October 2017

Slide 2

Sean Earhard, Advanced Threat Solution Specialist (aka "Today's Victim")

Jean-Paul Kerouanton, Advanced Threat Solution Specialist (aka "Our hero")

Jean-Paul Kerouanton, Advanced Threat Solution Specialist (aka "The attacker")

Slide 3

Slide 4

Process chain as drawn: chrome.exe → a273.exe → winword.exe → C&C connection

Slide 5

How does your current security infrastructure help you respond to incidents?

Slide 6

Antivirus vendors pumping out update after update after update after update…

Firewall, web filter, email filter, antivirus server: consoles pumping out alert after alert after alert after alert…

Slide 7

Security tools before an incident

Security tools during an incident

Slide 8

"… organizations should be aware that no matter how much effort they put into malware incident prevention, incidents will still occur…"

NIST SP 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops

Slide 9

Gartner

"Organizations should move their investments from 90% prevention and 10% detection and response to a 60/40 split"

Peter Sondergaard, Senior VP and Global Head of Research

Slide 10

Typical Incident Response workflow

Slide 11

Workflow diagram (stage labels as drawn): security architecture; block; alerts; investigate incidents; recover; improve defense; reduce the attack surface

Slide 12

Where does Incident Response begin – for you?

Slide 13

Which of these scenarios is your organization's "this is an incident" starting point?

Slide 14

Process chains as drawn:

chrome.exe → jp2launcher.exe → java.exe → blocked payload

chrome.exe → a273.exe → winword.exe → C&C connection

When? How? What?

Business impacting event

Slide 15

The problem is a lack of translation between raw events and meaningful intelligence

Slide 16

Wilson-Carter Data Source Approach Quotient

1. The distance from the source of the data

Slide 17

Cisco's solution to accelerating incident response

Slide 18

Incident response starts here

Process chains as drawn:

chrome.exe → jp2launcher.exe → java.exe → blocked payload

chrome.exe → a273.exe → winword.exe → C&C connection

When? How? What?

Business impacting event

Labels as drawn: Protect · Accelerate · Automate · Hunt · Respond

Slide 19

Cisco's solution to accelerating incident response

Slide 20

Protect · Hunt · Respond

Integrate · Simplify · Automate · Accelerate

• Trajectory: 30+ day recorded history
• Continuous analysis of that history
• Retrospective detection in that history
• Visibility and control: end to end

Slide 21

What we will show today

Slide 23

Architecture diagram (components as labelled): Email Security, Cisco ISE, Threat Grid, Umbrella, SIG, NextGen Firewall, AMP for Endpoints, Cisco Talos, Umbrella Investigate, with AMP integrated across all of them

Slide 24

Architecture diagram (components as labelled): Cisco ISE, NextGen Firewall, Email Security, AMP for Endpoints, Threat Grid, Umbrella, SIG, Cisco Talos, Umbrella Investigate, with AMP integrated across all of them

30+ day recorded history = accelerated IR

Continuous analysis of that recorded history = automated hunting
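Slides 20 and 24 reduce the deck's "accelerate" and "hunt" claims to three ideas: keep a recorded history of what each endpoint did, keep re-analysing that history as intelligence changes, and detect retrospectively inside it. The following is an added example, not code from the deck or from any Cisco product: a small Python model of that loop over a constructed event history (the hostnames, hashes and addresses are made up) which, once a file hash is later judged malicious, answers the deck's three questions for every host where the file ran inside the retention window: when, how it got there (the parent process chain) and what it did next.

```python
"""Retrospective detection over a recorded endpoint history.

Added example, not part of the Cisco deck: process launches, blocks and
network connections are recorded; when a hash is later judged malicious the
history is searched for every execution of it inside the retention window
and the surrounding trajectory (parents, children, connections) is rebuilt.
"""
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)  # the deck's "30+ day recorded history"


def ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


# Constructed sample history: hostnames, hashes and addresses are made up.
# 'disposition' is the sensor's verdict at execution time; an 'unknown' file
# was allowed to run, which is exactly what retrospection revisits later.
HISTORY = [
    # WS-042: the deck's chrome.exe -> a273.exe -> winword.exe -> C&C chain
    {"ts": "2017-09-20T09:00:00", "host": "WS-042", "type": "exec", "parent": "explorer.exe",
     "proc": "chrome.exe", "sha256": "aaa1", "disposition": "clean"},
    {"ts": "2017-09-20T09:01:00", "host": "WS-042", "type": "exec", "parent": "chrome.exe",
     "proc": "a273.exe", "sha256": "b273", "disposition": "unknown"},
    {"ts": "2017-09-20T09:01:30", "host": "WS-042", "type": "exec", "parent": "a273.exe",
     "proc": "winword.exe", "sha256": "ccc3", "disposition": "clean"},
    {"ts": "2017-09-20T09:02:00", "host": "WS-042", "type": "net",
     "proc": "a273.exe", "dst": "203.0.113.7:443"},
    # WS-017: the same dropper ran 35 days ago, i.e. outside the retention window
    {"ts": "2017-08-30T14:00:00", "host": "WS-017", "type": "exec", "parent": "chrome.exe",
     "proc": "a273.exe", "sha256": "b273", "disposition": "unknown"},
    # WS-099: the deck's blocked-payload chain, already stopped at run time
    {"ts": "2017-09-28T11:00:00", "host": "WS-099", "type": "exec", "parent": "chrome.exe",
     "proc": "jp2launcher.exe", "sha256": "ddd4", "disposition": "clean"},
    {"ts": "2017-09-28T11:00:05", "host": "WS-099", "type": "exec", "parent": "jp2launcher.exe",
     "proc": "java.exe", "sha256": "eee5", "disposition": "clean"},
    {"ts": "2017-09-28T11:00:09", "host": "WS-099", "type": "block", "parent": "java.exe",
     "proc": "payload.exe", "sha256": "fff6", "disposition": "malicious"},
]


def in_window(history, now):
    """Events the recorder still holds: the RETENTION days up to `now`."""
    cutoff = now - RETENTION
    return [e for e in history if cutoff <= ts(e["ts"]) <= now]


def retrospective_hits(history, now, newly_bad):
    """When: executions of hashes that were allowed to run but are malicious now."""
    return [e for e in in_window(history, now)
            if e["type"] == "exec" and e["sha256"] in newly_bad]


def parent_chain(history, hit, max_depth=32):
    """How: walk exec events on the hit's host back from the hit to its root."""
    chain = [hit["proc"]]
    current = hit
    for _ in range(max_depth):
        earlier = [e for e in history
                   if e["type"] == "exec" and e["host"] == current["host"]
                   and e["proc"] == current["parent"] and ts(e["ts"]) < ts(current["ts"])]
        if not earlier:
            chain.append(current["parent"])  # root known by name only
            break
        current = max(earlier, key=lambda e: ts(e["ts"]))  # nearest earlier launch
        chain.append(current["proc"])
    return list(reversed(chain))


def after_hit(history, hit):
    """What: children the hit process launched and connections it made afterwards."""
    out = []
    for e in history:
        if e["host"] != hit["host"] or ts(e["ts"]) < ts(hit["ts"]):
            continue
        if e["type"] == "exec" and e["parent"] == hit["proc"]:
            out.append(("exec", e["proc"]))
        elif e["type"] == "net" and e["proc"] == hit["proc"]:
            out.append(("net", e["dst"]))
    return out


def investigate(history, now, newly_bad):
    """When / how / what for every host where a newly bad hash executed."""
    report = {}
    for hit in retrospective_hits(history, now, newly_bad):
        report[hit["host"]] = {"when": hit["ts"],
                               "how": parent_chain(history, hit),
                               "what": after_hit(history, hit)}
    return report


if __name__ == "__main__":
    # Intelligence update on 4 Oct 2017: hash b273 is now known to be malicious.
    for host, r in investigate(HISTORY, ts("2017-10-04T08:00:00"), {"b273"}).items():
        print(host, r["when"], " -> ".join(r["how"]), r["what"])
```

Run against the constructed history, the report names WS-042 with the chain explorer.exe → chrome.exe → a273.exe, the winword.exe launch and the connection to 203.0.113.7:443 that followed, and says nothing about WS-017: its identical execution is older than the retention window, so it has rolled off and is invisible to retrospection. Re-running `investigate` each time the bad-hash set changes is the "continuous analysis" the slide equates with automated hunting; the window length decides how far back that hunting can see.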

Slide 25

Blocking points as drawn: Email, Web, Firewall, Meraki, Umbrella, Threat Grid, AMP, Cognitive Threat Analytics

Slide 26

Today's IR scenarios

Slide 27

Want to try it out yourself?


Slide 30

AMP for Email

PROTECT
• File reputation – up to the millisecond
• File behavioral analysis – cloud or appliance

HUNT
• Continuous analysis – by Cisco Talos
• Retrospective detection – everywhere

RESPOND
• Message tracking – accelerate IR

Slide 31

AMP Threat Grid

PROTECT
• Behavioral analysis
• Integrations with non-Cisco security tools

HUNT
• Confirm threats – Glovebox
• Generate threat intel – from local to global

RESPOND
• Generate threat intel – from local to global

Slide 32

AMP for Network

PROTECT
• File analysis – up to the millisecond
• Machine learning engine – Spero
• File behavioral analysis – cloud or appliance

HUNT
• Continuous analysis – by Cisco Talos
• Retrospective detection – everywhere

RESPOND
• File trajectory – interactive search

Slide 33

AMP for Endpoint

PROTECT
• Multi-engine analysis

HUNT
• Low prevalence analysis
• Continuous analysis – by Cisco Talos
• Retrospective detection – everywhere

RESPOND
• Full history of endpoint behavior (30 days)
• Elastic Search
• IoCs

Slide 35

Recommended