A Deep Dive into the Firepower - Amazon Web Servicesclnv.s3.amazonaws.com/2017/eur/pdf/BRKSEC-2058.pdf · Visual Guide to Firepower Event Sources ... Network Discovery URL Identity


A Deep Dive into the Firepower Manager

William Young, Security Solutions Architect ([email protected], @WilliamDYoung)

BRKSEC-2058

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

Just some Security Guy

• William Young

• Security Solutions Architect, Cisco

• 26 Years in Security

• 13 Years working with “Sourcefire” / “Firepower”

• Focus areas:

• Security Operations

• Policy & Compliance

• Threat Forensics and Investigation

• Hacker: Or just some guy that breaks stuff


Cisco Firepower Sessions: Building Blocks

• BRKSEC-2058  A Deep Dive into using the Firepower Manager (Tuesday 16:45)
• BRKSEC-2056  Threat Centric Network Security (Tuesday 11:15)
• BRKSEC-3032  NGFW Clustering Deep Dive (Wednesday 9:00)
• BRKSEC-3035  Firepower Platform Deep Dive (Thursday 9:00)
• BRKSEC-2050  ASA Firepower NGFW typical deployment scenarios (Tuesday 14:15)
• BRKSEC-3455  Dissecting Firepower NGFW (FTD+FPS) (Friday 9:00)


Agenda

• Introduction
• Understanding Events in the Firepower Management Center
• Walking through a Breach
• Security Automation (Orchestration)
  • Recommended Rules
  • Correlation Rules
  • Automating Remediation (Remediation API)
• Reporting Matters
  • Workflows
  • Custom Tables
  • Leveraging the Dashboard
• Close


Do you really know Firepower Manager?

• More than just:
  • A policy configuration tool for NGFW / NGIPS
  • A quick way to see the context / composition of your network
  • A tool to “check on” your intrusion events


Creating a deeper value than “just threat protection”

Firepower Management Center (FMC) manages threat detection. It also:

• Puts threats into context within YOUR unique network.
• Provides actionable security, network, and business data.
• Can allow “Security” to come out of the “Dog House” by supporting multiple business outcomes.
• Creates automation in your “threat hunting”.
• Bends itself to your organization’s workflow, or automates that workflow.


Key Takeaways

At the end of the session, you will start to:

• understand how automatic correlation REALLY works.
  • Impact Flags & Indications of Compromise (IOCs).
• know which security events need to be investigated first, and why.
• begin using correlation policies and system APIs to automate your security workflow.
• understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise.


Understanding Events in the Firepower Management Center


Event Source Matters

Understanding Data

Misunderstood Data


Visual Guide to Firepower Event Sources

(Figure: detection sources mapped to the event tables they feed.)

Detection sources: Security Intelligence, IPS Engine (Snort®), Traffic Normalization, DNS Sinkhole, SSL Decrypt, File Detection, Application Detection, Network Discovery, AMP, URL, Identity.

Event tables and data produced: Intrusion Events, File Events, Malware Events, User Activity, Host Profiles, Applications, Application Details, Host Attributes, Servers, File Trajectory, File Info, AMP 4 Endpoints, Discovery Events, Connection Events, Indications of Compromise.

Supplemental Data:

• Geo IP Data
• CVE / Vuln Data
• IP Reputation Data
• URL Data


Indications of Compromise

Leverages correlation of multiple event types, such as:

• Impact 1 & 2 events
• CNC connection events (IPS)
• Compromise events (IPS)
• Security Intelligence Events
• AMP for Endpoint Events
• AMP for Network
  • Includes some file events
• Built-in Cisco correlation rules

Goal:

1. FIX THIS NOW
2. What needs to be fixed
3. How to fix


What makes a Host Profile

• Passive data collection (network packet analysis)
• “State” table based on Discovery Events
• Server Services: TCP-based services respond to connections; UDP-based services initiate UDP packets
• Applications (generally TCP): detected during session initiation from the host. The response to a TCP request maps to the server port; a UDP request sent maps to the server port.

What makes an Intrusion Event (state established; structure and content testing)

• Snort® rules use variables to determine “directionality”
  • $EXTERNAL_NET -> $HOME_NET (inbound)
  • $HOME_NET -> $EXTERNAL_NET (outbound)
• TCP-based events from the Snort® Engine are based on ESTABLISHED sessions
  • Reduces false positives

★ IPS events are generated when sessions ARE THROUGH the perimeter

Understanding directionality is key to Impact Flags


The Host Profile: End Point Context Applications


Understanding Impact Flags

An Intrusion Event carries: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, Snort ID, and (for IOCs) a predefined impact.

A Host Profile carries: IP Address, Protocols, Server Side Ports, Client Side Ports, User IDs, Potential Vulnerabilities (CVE), Services, Client / Server Apps, Operating System. Two special cases: [Outside Profile Range] and [Host not yet profiled].

The Impact Flag is the result of testing the event against the host profile:

• Impact 0. Action: General info.†† Why: Event occurred outside profiled networks.
• Impact 4. Action: Good information; host is currently not known. Why: Previously unseen host within monitored network.
• Impact 3. Action: Good information; event may not have connected. Why: Relevant port not open or protocol not in use.
• Impact 2. Action: Worth investigation. Host exposed. Why: Relevant port or protocol in use but no vuln mapped.
• Impact 1. Action: Act immediately. Host vulnerable or compromised. Why: Host vulnerable to attack or showing an IOC.

†† If you have a fully profiled network this may be a critical event!
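The decision table above, carried through as an added Python example (not Cisco's code and not part of the deck): each event is tested against the host profile of its target, in the order the table implies. The profiled network, host profiles, IOC tag and events are constructed sample data, and the model assumes the host under test is the event's destination; the CVE and SID values are the ones quoted later in the deck.

```python
# Added example (not Cisco's code): assign a Firepower-style impact flag to an
# intrusion event by testing it against the host profile, following the
# decision table above. Networks, hosts, IOC tags and events are constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IntrusionEvent:
    dst_ip: str                 # host under test (assumption: the target is the destination)
    protocol: str               # "tcp" or "udp"
    dst_port: int
    sid: int                    # Snort ID of the rule that fired
    rule_cves: set = field(default_factory=set)   # CVEs the rule references


@dataclass
class HostProfile:
    ip: str
    os: str
    server_ports: dict          # {"tcp": {445, 3389}, "udp": {53}} learned by Network Discovery
    vulnerabilities: set        # CVEs mapped to the host's OS / servers / client apps
    iocs: set = field(default_factory=set)        # IOC tags currently set on the host


def impact_flag(event, profiled_networks, profiles):
    """Return (flag, action) for one event, testing in the order of the table."""
    ip = ipaddress.ip_address(event.dst_ip)
    # Impact 0: target is outside the networks Network Discovery is profiling.
    if not any(ip in net for net in profiled_networks):
        return 0, "General info: event occurred outside profiled networks"
    host = profiles.get(event.dst_ip)
    # Impact 4: inside a profiled network, but Discovery has never seen this host.
    if host is None:
        return 4, "Good information: previously unseen host within monitored network"
    # Impact 1: a mapped vulnerability matches the rule, or the host shows an IOC.
    if host.iocs or (event.rule_cves & host.vulnerabilities):
        return 1, "Act immediately: host vulnerable to attack or showing an IOC"
    # Impact 3: the relevant port is not open / protocol not in use on this host.
    if event.dst_port not in host.server_ports.get(event.protocol, set()):
        return 3, "Good information: relevant port not open or protocol not in use"
    # Impact 2: port and protocol are in use, but no vulnerability is mapped.
    return 2, "Worth investigation: host exposed, port in use but no vuln mapped"


# Constructed sample data. CVE and SID values are the ones quoted later in the
# deck (CVE-2012-1528 -> SIDs 24671/32361, CVE-2014-4123 -> SID 32265, SID 33306).
PROFILED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", "Windows", {"tcp": {445, 3389}}, {"CVE-2012-1528"}),
    "10.1.1.20": HostProfile("10.1.1.20", "Linux", {"tcp": {22, 80}}, set()),
    "10.1.1.30": HostProfile("10.1.1.30", "Windows", {"tcp": {445}}, set(), iocs={"CNC Connected"}),
}
EVENTS = [
    IntrusionEvent("203.0.113.5", "tcp", 80, 33306),                      # outside profiled range
    IntrusionEvent("10.1.1.99", "tcp", 445, 24671, {"CVE-2012-1528"}),    # host never profiled
    IntrusionEvent("10.1.1.20", "tcp", 445, 24671, {"CVE-2012-1528"}),    # port 445 not open
    IntrusionEvent("10.1.1.20", "tcp", 80, 32265, {"CVE-2014-4123"}),     # port open, no vuln
    IntrusionEvent("10.1.1.10", "tcp", 445, 24671, {"CVE-2012-1528"}),    # vulnerability matched
    IntrusionEvent("10.1.1.30", "tcp", 445, 33306),                       # host carries an IOC
]


def triage(events=EVENTS, networks=PROFILED_NETWORKS, profiles=HOSTS):
    """Flag every event; returns a list of (sid, dst_ip, flag, action)."""
    return [(e.sid, e.dst_ip, *impact_flag(e, networks, profiles)) for e in events]


if __name__ == "__main__":
    for sid, ip, flag, action in triage():
        print(f"Impact {flag}  sid {sid}  -> {ip}: {action}")
```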


Unique Events: Correlation & White List Events

Correlation Events: Internal events based on boolean conditions within and across multiple event databases within the FMC. (Figure: FMC Events feed Correlation Rules, which produce Correlation Events.) [Tip: Correlation Rules can monitor changes in flow!]

White List Events: Internal events based on changes to individual or grouped host Profiles. (Figure: Discovery Events and Host Profile Changes produce White List Events.)

First step in creating automated response!


Walking through a breach



Stages of Incident Handling

Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned (SANS Institute)

• Decide on which events to focus on first
• Drill into a specific event
• Validate the breach
  • Leverage documentation
  • Leverage additional forensics
• Explore your remediation options
• Remediate
• Automate as many decisions or actions as possible.


Order of Investigation†

Remediation – Incident Response – Data Collection

†may vary based on corporate priority

(Figure: event classes arranged from remediation toward data collection. Columns: Indication of Compromise, Impact 0, Impact 1, Impact 3 (then 2), Impact 4. Labels: “You’ve been Owned!”, “Under Attack”, “Research & Tuning”. Qualifiers: “Critical Assets”, Not Blocked / Dropped, Internal Source / External Source, Correlation Rules.)

Goal: Getting to Remediation


POP QUIZ: Where do I start my Investigation?

• From the FMC Dashboard
• From the FMC Context Explorer


This is what most of our networks look like.

Some ways to choose:

• Look for Malware Executed (Endpoint AMP)
• Dropper Infection (Endpoint AMP)
• Threat detected in file transfer
• CNC Connected Events
• Shell Code Executed
• Impact 1 (these were probably blocked)
• Impact 2 (these were probably blocked)

From the FMC Context Explorer: let’s see what these 63 events are all about.

THEME: Start with what is compromised first.


Drilling into the IOC

Busy event. Looks like we’re getting more.


Digging into the IOC

Seems active across 6 hosts. Let’s drill into one.


Looks like Kim Ralls has a lot going on on her Windows host.

Events from multiple sources:

• IPS Engine
• File Protection
• AMP for Networks


• .147 Tried to send the file 5 times

• .147 was sent the file once

• IPS blocked it! (yeah)

• What does Impact 4 mean?

• Should we investigate more?


Did you forget about these? Let’s see if that file moved around without the IPS seeing it.


Yep. That file is malware. We see it in the malware summary, too.


• A lot more than the 6 file transfers and hosts the IPS engine stopped.
• Good thing they have AMP for Endpoints, too.
• Bet they wished they enabled quarantining.
• Problem scoped. Time to remediate.
• Maybe a good time to look at file analysis / Threatgrid to learn what other artifacts are left behind.

Take Away

Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.


Looking at an Impact 3 Attempt

• Source IP: all internal
• Destination IP: all external
• Impact 3: no Host Profiles for external hosts
• Sourced from my Network = I’m the attacker? = Indication of Compromise
• TCP detection: means established connection
• These hosts definitely “launched” an attack.
• Next Step: Focus on the Source Host. Probably compromised.


Assessment: This has to be stopped!


Multiple Event Vectors: IPS, Malware, Connection, File, Trajectory, DNS, Context. Check all the related data.

Mission/Op Critical: Correlation IOCs, Impact Flags, Event Directionality, Protocol: TCP / UDP?

Leverage Rule Documentation

“See the big story”: Packet not always necessary

Build a complete timeline – tell a story.

Breached? Follow an Order of Operations


Automating Security Work


Recommended Rules


False Negatives ensure you’re NOT protected

Too many exploits succeed because:

• Systems aren’t patched
• Detections aren’t enabled

Attackers succeed with “old” exploits (Verizon Data Breach Report(s), Cisco Annual Security Report(s))

Cause and Resolution:

• Event Overload! Resolution: Impact Analysis
• Tuning Failures. Resolution: Understanding Detection Tools
• Detections Disabled. Resolution: Knowing What Needs Protection


Firepower Recommendations Know What I Do Not


Recommended Rules – How it works

(Figure.) CVE-2012-1528, Integer Overflow in Windows: Snort Rules SID 24671, 32361; SVID 99675 (Possible Vuln; Remote exploit: remotely exploitable vulnerability).

SID 33306, BLACKLIST: Connection to a malware sinkhole: detection of behavior that comes from a compromised host or one that is about to be compromised.


Recommended Rules – the details

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to

malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by

abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy

security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server;

classtype:trojan-activity; sid:33306; rev:1; )

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE

ActiveX installer broker object sandbox escape attempt"; flow:to_server,established;

flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00

00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only;

metadata:policy balanced-ips drop, policy security-ips drop, service smtp;

reference:cve,2014-4123; reference:url,technet.microsoft.com/en-

us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )

Callouts on the slide:

• Rule that will map to Recommended Rules
• Rules disabling by default: some rules will be turned off by Recommended Rules
• Not all rules have a CVE! (sid:33306 above carries only a URL reference, so there is no vulnerability for Recommended Rules to map it to)


Recommended Rules


• Rule that will map to Recommended Rules
• You may want to uncheck this: some rules will ALWAYS be turned off by Recommended Rules
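A simplified model of the CVE-to-rule mapping described on the preceding slides, written here as an added example (not Cisco's code or the FMC's actual algorithm): it parses the two Snort rules shown above for their sid, reference:cve and metadata policy options and decides what a recommendation could do for a host with a constructed vulnerability list. The host CVE sets and the decision labels are assumptions for illustration.

```python
"""Model of how Firepower Recommendations can map Snort rules to host vulnerabilities."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# The two rules shown on the slides, each on one line.
RULE_SINKHOLE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to '
    'malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by '
    'abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, '
    'policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; '
    'classtype:trojan-activity; sid:33306; rev:1; )'
)
RULE_IE_ACTIVEX = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer '
    'broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; '
    'file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 '
    '01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy '
    'security-ips drop, service smtp; reference:cve,2014-4123; '
    'reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; '
    'classtype:attempted-user; sid:32265; rev:1; )'
)


@dataclass
class SnortRule:
    header: str                       # action, protocol, addresses, ports
    sid: int | None = None
    msg: str = ""
    cves: list[str] = field(default_factory=list)       # from reference:cve,...
    policies: dict[str, str] = field(default_factory=dict)  # base policy -> shipped action
    impact_flag: str | None = None


def split_options(option_body: str) -> list[str]:
    """Split 'key:value; key:value;' on semicolons that are outside double quotes."""
    parts, buf, in_quotes = [], [], False
    for ch in option_body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(text: str) -> SnortRule:
    """Pull out the fields a recommendation engine cares about from one Snort rule."""
    m = re.match(r"\s*(.*?)\s*\((.*)\)\s*$", text, re.S)
    if not m:
        raise ValueError("not a Snort rule: missing option parentheses")
    rule = SnortRule(header=m.group(1))
    for opt in split_options(m.group(2)):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "sid":
            rule.sid = int(value)
        elif key == "msg":
            rule.msg = value.strip('"')
        elif key == "reference":
            scheme, _, ident = value.partition(",")
            if scheme.strip().lower() == "cve":
                rule.cves.append("CVE-" + ident.strip())
        elif key == "metadata":
            for item in value.split(","):
                words = item.split()
                if len(words) == 3 and words[0] == "policy":
                    rule.policies[words[1]] = words[2]
                elif len(words) == 2 and words[0] == "impact_flag":
                    rule.impact_flag = words[1]
    return rule


def base_state(rule: SnortRule, base_policy: str) -> str:
    """State the named base policy ships the rule in, 'disabled' if the rule does not list it."""
    return rule.policies.get(base_policy, "disabled")


def recommend(rules: list[SnortRule], host_cves: set[str]) -> dict[int, str]:
    """Per rule: 'enable' if a host CVE matches, 'disable' if none does, 'unmapped' if no CVE."""
    decisions = {}
    for rule in rules:
        if not rule.cves:
            decisions[rule.sid] = "unmapped"   # no CVE: nothing to match against host data
        elif any(cve in host_cves for cve in rule.cves):
            decisions[rule.sid] = "enable"     # a discovered host is vulnerable to this
        else:
            decisions[rule.sid] = "disable"    # no host carries the vulnerability
    return decisions


if __name__ == "__main__":
    rules = [parse_rule(RULE_SINKHOLE), parse_rule(RULE_IE_ACTIVEX)]
    host_vulns = {"CVE-2014-4123"}   # constructed host profile with one mapped CVE
    for rule in rules:
        print(rule.sid, rule.cves or "no CVE", "balanced-ips:", base_state(rule, "balanced-ips"))
    print(recommend(rules, host_vulns))
```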


Correlation Rules


Correlation Rules / Correlation Policy

Correlation Rules allow for BOOLEAN decisions on one or more sets of data within the Firepower console. Rules can then lead to Actions such as: Email, Syslog, SNMP events or remediation actions.

(diagram: event funnel) 100,000 events → 5,000 events → 500 events → 100 events → 20 events → 10 events → 3 events

Correlation Policy → Correlation Rule → Correlation Rule → Correlation Event → Action (Email, Syslog, SNMP, Remediation Module)


Value:

• Automate Security Decisions
• Track Business Outcome
• Trigger Automated Response to specific conditions


Correlation Rules go into Correlation Policies


Building a Correlation Rule


Sample Correlation Rule

Correlation Rule to:

• Ensure only HTTPS traffic is used on port 443
• Ensure traffic is initiated by a Host whose defined Location (host Attribute) is POS
• Ensure the HTTPS traffic from the POS host is received on hosts in the PCI network
• Any traffic outside this profile will generate an event


Correlation Rule example: Production Network Change

Correlation Rule example: Production Network Change is exfiltrating traffic


Some Correlation Rules To Drive Action

If "an Intrusion Event occurs" . . . AND

  (Source IP is in 192.168.0.0/16 OR Source IP is in 10.0.0.0/8 OR Source IP is in 172.16.0.0/12)
  AND
  (Destination IP is not in 192.168.0.0/16 OR Destination IP is not in 10.0.0.0/8 OR Destination IP is not in 172.16.0.0/12)
  AND
  (Impact Flag is 3 - Yellow OR Impact Flag is 4 - Blue)

→ You have a compromised host "attacking" systems off your network.

If "a Malware Event occurs" "by retrospective network-based malware detection" AND

  (Sending IP is in 192.168.0.0/16 OR Sending IP is in 10.0.0.0/8 OR Sending IP is in 172.16.0.0/12)
  OR
  (Receiving IP is in 192.168.0.0/16 OR Receiving IP is in 10.0.0.0/8 OR Receiving IP is in 172.16.0.0/12)

→ A recently seen file has been retrospectively determined to be malware! Go Stop it NOW!


Make it even more actionable based on the file TYPE: just add another Boolean Condition.
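The two correlation rules from the slides above (the compromised internal host and the retrospective malware rule, with and without the extra file type condition) evaluated over constructed Intrusion and Malware events, as an added example that is not Cisco's code; the rule engine, the action names, the sample addresses and the file type values are assumptions made for illustration. The destination test in the first rule is implemented as "not in any private range", which is what the slide's three "is not in" lines intend.

```python
"""Tiny correlation-policy engine: Boolean conditions on events -> Correlation Events."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# The three RFC 1918 ranges the slides use to define "my network".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def is_internal(ip: str) -> bool:
    """True if the address is in any RFC 1918 range (the slides' three 'is in' lines, OR-ed)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Event:
    kind: str                        # "intrusion" or "malware"
    src: str                         # sending / source IP
    dst: str                         # receiving / destination IP
    impact: Optional[int] = None     # intrusion impact flag (3 = yellow, 4 = blue)
    detection: Optional[str] = None  # malware detection type, e.g. "retrospective"
    file_type: Optional[str] = None  # e.g. "MSEXE", "PDF" (constructed values)


@dataclass
class CorrelationRule:
    name: str
    trigger: str                               # event kind that starts the evaluation
    conditions: list[Callable[[Event], bool]]  # every condition must hold (AND)
    action: str                                # Email / Syslog / SNMP / remediation module


def matches(rule: CorrelationRule, event: Event) -> bool:
    return event.kind == rule.trigger and all(cond(event) for cond in rule.conditions)


def fired_rules(policy: list[CorrelationRule], event: Event) -> list[str]:
    """Names of the rules in a Correlation Policy that raise a Correlation Event for this event."""
    return [rule.name for rule in policy if matches(rule, event)]


def run_policy(policy: list[CorrelationRule], events: list[Event]) -> list[tuple[str, str]]:
    """Correlation Events as (rule name, action) pairs, in event order."""
    return [(rule.name, rule.action) for ev in events for rule in policy if matches(rule, ev)]


# Slide: Intrusion Event AND internal source AND external destination AND impact 3 or 4
# -> a compromised host is "attacking" systems off your network.
COMPROMISED_HOST = CorrelationRule(
    name="Internal host attacking off-network",
    trigger="intrusion",
    conditions=[
        lambda e: is_internal(e.src),
        lambda e: not is_internal(e.dst),
        lambda e: e.impact in (3, 4),
    ],
    action="Remediation: ISE quarantine",  # action name is constructed
)

# Slide: Malware Event by retrospective network-based detection on an internal sender or receiver.
RETRO_MALWARE = CorrelationRule(
    name="Retrospective malware on internal host",
    trigger="malware",
    conditions=[
        lambda e: is_internal(e.src) or is_internal(e.dst),
        lambda e: e.detection == "retrospective",
    ],
    action="Email",
)

# Next slide: the same rule made more actionable with one more Boolean condition on file TYPE.
RETRO_MALWARE_EXE = CorrelationRule(
    name="Retrospective malware, executable, on internal host",
    trigger="malware",
    conditions=RETRO_MALWARE.conditions + [lambda e: e.file_type in ("MSEXE", "JAR")],
    action="Remediation: ISE quarantine",
)

POLICY = [COMPROMISED_HOST, RETRO_MALWARE, RETRO_MALWARE_EXE]

# Constructed sample events using documentation address ranges, not real hosts.
SAMPLE_EVENTS = [
    Event("intrusion", "10.1.2.3", "203.0.113.10", impact=3),   # internal -> external: fires
    Event("intrusion", "203.0.113.10", "10.1.2.3", impact=1),   # inbound attack: not this rule
    Event("intrusion", "10.1.2.3", "10.1.9.9", impact=4),       # internal -> internal: no
    Event("malware", "198.51.100.7", "192.168.5.20", detection="retrospective", file_type="MSEXE"),
    Event("malware", "198.51.100.7", "192.168.5.20", detection="network", file_type="MSEXE"),
    Event("malware", "198.51.100.7", "192.168.5.20", detection="retrospective", file_type="PDF"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.kind, ev.src, "->", ev.dst, fired_rules(POLICY, ev) or "no correlation event")
```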


Remediation API


Grand Vision for Integration & Firepower Management

(diagram; label: Firepower)


Automating Response – Remediation API

Sample Remediation Modules

• Cisco ISE (pxGrid Mitigation)
• Guidance Encase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford

Event sources: Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Event
→ Correlation Rules (Boolean Conditions) → Correlation Policies → Correlation Events → Actions (API, Email, SNMP)


ISE + Firepower = Rapid Threat Containment

(diagram: FMC, ISE MnT, Controller, NGFW, WWW / i-Net)

1. Security Events / IOCs Reported
2. Correlation Rules Trigger Remediation Action
3. pxGrid EPS Action: Quarantine + Re-Auth
4. Endpoint Assigned Quarantine + CoA-Reauth Sent


Configure Rapid Threat Containment

Open the System:Integration page and enter the ISE Server details (ise-1.mynet.com, ise-2.mynet.com). Be sure to configure your certs for the integration.


Configure Rapid Threat Containment: notice your ISE mitigation actions!


Configure Rapid Threat Containment: be sure to assign the action to a Correlation Rule within a Correlation Policy.


Other "Tools" in the Firepower Toolkit

Event Analysis Toolset

• White Listing: Correlation tool to monitor for host profile changes
• Traffic Profiling: Monitor behavioral changes in traffic conditions

Programmatic Interfaces

• eStreamer API: Transmit all event data to an external repository (SIEM, event log, edge)
• Host Input API: Insert data into Host Profiles from external data sources
• Remediation API: Programmatically initiate actions on external systems
• JDBC Connector: Directly query the FMC database (reporting, SIEM queries, etc.)
• REST API (NEW!): REST interface for FMC query, configuration, and


Reporting Matters


Not just what's in the templates

• Dashboard widgets are "mini"-reports
• Over 120 preset reports within a widget
• Create custom Widgets for more

Think of the Dashboard as your unlimited report designer.

Tools: Searches, Custom Workflows, Custom Tables (= Data goldmine), Default Reports


Event Viewing

Tables
• Listing of events with a data set (IPS, Connection, Malware, etc.)

Workflows
• Customized organization of specific column headers
• Allows Analysts to go straight to meaningful data

Filters
• Search for specific or generalized matches within event tables
• Each table can have its own filters
• Hundreds of filters pre-installed
• Customizable

Custom Tables
• Join of two or more individual event tables
• Aggregate useful data for faster decision making and reporting
• Has its own Workflows and Filters


Workflows


A Default Event View


A Default View


Changing the view helps focus analysis


Create a Custom Workflow


How it turned out: build on your order of investigation.

Actionable Data: Hosts .52, .56, and .111 need to be investigated!


Custom Tables


Building Custom Tables: Intrusion Events + Host Data = Custom View

Have all the data you need immediately in one view.


Custom Table: Intrusion Event with Host Data


Custom Table: Intrusion Event with Host Data. Custom tables can even have their own workflows.


Custom Table: Includes Custom Filters


Tables, Custom Tables, and Filters can also be leveraged on the Dashboard. Just choose the one column that is most meaningful.


Uses for Tables (standard & custom) and Workflows

• Having more relevant data on hand when doing event analysis and forensics
• Reducing the "number" of clicks to drill into meaningful data
• Customize prioritization based on local business and security drivers
• Speed new threat discovery / hunting
• Combined with Filters, allow you to segment information into meaningful chunks, such as:
  • Device functionality
  • Network Zone
  • Operating System
  • Users / Groups
  • Country
  • Threat Type

Valuable in customizing your dashboard, building reports, documenting compliance. Let the business need feed your creativity.

• Activity / Behavior Trends?
• What changed?
• What's new?


Examples of possible data to report

Security
• Specific Threats experienced
• Automated Remediations
• OS's most compromised
• App Threat Root Cause

Operations
• New systems on the network
• New services or applications in use
• Changes in network behavior
• OS data

Compliance
• PCI, NERC CIP, HIPAA…
• OS Usage
• User/Group Access behavior
• App segmentation
• Hosts in violation of corporate policy

Expanding your reporting to drive business efficiency creates a stronger security practice.


Interesting Data for Filtering Potential "new" Threats

• Threat Destinations: Top Sec Int. Events with external Dest. IP
• Top File Sources: Top External Source IPs for files
• Executable Exfil: Internal IPs that send files to an External Address (esp. exe, jar, pdf, doc, archive, etc.)
• Odd URLs: Internal IPs connecting to URL Categories "of concern"
• Retrospective: Internal IP addresses associated with Retrospective Malware
• DNS: Internal IPs generating DNS Sinkhole Events
• Bad SSL: Internal IPs using invalid SSL Certs to an external IP
• Correlation Events: Internal IPs sourcing Correlation Events *
• Processes Introducing Malware (prebuilt in FMC, requires AMP for Endpoints)
• Invalid App Usage: Internal IPs using Apps on non-standard protocols *

* Create Correlation Rules
* Leverage Open AppID


Leveraging the Dashboard


Customize The Dashboard

• There are a number of default dashboards
• All of them have customizable widgets
• Create / Customize your own for better visibility and report designs


Customize The Dashboard (callout): this is your most powerful widget.


Dashboards That Meet Your Needs: Threat Focused


Dashboards That Meet Your Needs: Network Focused


Build Reports Straight from the Dashboard


Or Import Dashboards With the Report Builder

Import Sections from Dashboards, Summaries, and Workflows.


Closing


Key Takeaways

By now you hopefully:

• Have a better understanding of how automated event analysis happens: Impact Flags & Indications of Compromise (IOCs)
• Have a better strategy for examining a security breach
• Are able to leverage correlation policies and system APIs to create meaningful security automation
• Understand the full breadth of reporting capabilities to support BOTH security and business interests for your enterprise


Complete Your Online Session Evaluation

Don't forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online

• Please complete your Online Session Evaluations after each session
• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt
• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Please leave comments! (and your email if you want a response)


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions


Call to Action

• Firepower Management Center can be the center of your security operations.
• Look at FMC as a security automation framework.
• FMC's real value is in how it can merge security operations and business outcome.
• Look for cross product integration to strengthen FMC's value.
• Be creative in creating solutions. Look beyond "IPS" or "Threat Protection" opportunities.
• The more you understand about your organization's security practices and business outcome needs, the more you'll find you can deliver with Firepower Management Center.
• Check out Firepower more at the World of Solutions! What can you make it do?!


Thank You. And remember to fill out your surveys!


Reference Slides


Event Source to Event Type (Reference)

Layer | Engine | Policy | Event Type
L3 - IP | IP Reputation Pre-Processor | Security Intelligence (Access Control Policy) | Security Intelligence Events
L2 – L7 | Intrusion Prevention (Snort®) | Intrusion Policy | Intrusion Events
L2 – L7 | Network Discovery | Network Discovery Policy | Discovery Events, User Activity, Connection Events, Host Profiles, Servers, Applications, Vulnerabilities
L3 | DNS Sinkhole Processor | DNS Policy | Connection Events
File | File Detection Processor | File Policy | File Events
L3 - L7 | SSL | SSL Policy | Connection Events
L4 - L7 | Application Detection (AppID) | Network Discovery Policy / Access Control Policy | Application Detail Events
L4 - L7 | URL Filter | Access Control Policy | Connection Events
Files | Advanced Malware Protection (AMP) (Sandbox, Cloud Lookup) | File Policy | Malware Events, File Trajectory


Event Sources to Events (Reference)

Source / Event Table | Security Intelligence | Connection | Intrusion | Detection | File | Malware | User

Security Intelligence ✔
Normalization Pre-Processors ✔
SSL Decryption ✔
App Detection ✔ ✔
App Control ✔
Network Detection ✔ ✔
Non-Auth User Act. ✔ ✔
User Activity from AD ✔
URL Filter ✔
File Detection ✔
AMP Engine ✔
AMP Endpoint Cloud ✔
Snort® (IPS) ✔

"Reference Data"

Geo IP Db ✔ ✔ ✔ ✔ ✔ ✔ ✔
URL Rep Db ✔
User Db (from AD) ✔ ✔ ✔ ✔ ✔ ✔ ✔


Correlating Event Data (Reference)

Correlated with: Data from User Table (name, group info, etc.) | Data from Host Profiles

When a…
Intrusion Event ✔ ✔ ✔
Discovery Event ✔ ✔ ✔
Connection Event ✔ ✔ ✔
Host Input Event ✔ ✔ ✔
User Activity Occurs ✔ ✔
Traffic Profile Changes: flow and connection conditions over time or volume
Malware Event


Custom Table Matrix (Reference)

Columns: Application Details | Applications | Connection Events | Connection Summary | Correlation Events | Discovery Events | Host Attributes | Hosts | Indications of Compromise | Intrusion Events | Sec. Int. Events | Servers | White List Events

Application Details ✔ ✔ ✔ ✔ ✔
Applications ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Connection Events ✔ ✔ ✔ ✔ ✔ ✔
Connection Summary ✔ ✔ ✔ ✔ ✔ ✔
Correlation Events ✔ ✔ ✔ ✔ ✔
Discovery Events ✔ ✔ ✔ ✔ ✔
Host Attributes ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Hosts ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Indications of Compromise ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Intrusion Events ✔ ✔ ✔ ✔ ✔ ✔
Sec. Int. Events ✔ ✔ ✔ ✔ ✔ ✔
Servers ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
White List Events ✔ ✔ ✔ ✔ ✔