Embed Size (px)
Citation preview
© 2016 Cisco and/or its affiliates. All rights reserved. 1
CiscoConnect
Accelerating Incident Response in organizationsof Any SizeSean EarhardAdvanced Threat Solution Specialist
October, 2017
Jean-Paul KerouantonAdvanced Threat Solution CSE
2© 2016 Cisco and/or its affiliates. All rights reserved.
Sean EarhardAdvanced Threat Solution Specialist
(aka “Today’s Victim)
Jean-Paul KerouantonAdvanced Threat Solution
Specialist
(aka “Our hero”)
Jean-Paul KerouantonAdvanced Threat Solution
Specialist
(aka “The attacker”)
3© 2016 Cisco and/or its affiliates. All rights reserved.
AM
4© 2016 Cisco and/or its affiliates. All rights reserved.
chrome.exe
a273.exe
winword.exe
C&C Connection
5© 2016 Cisco and/or its affiliates. All rights reserved.
How does your current security infrastructure help you respond to incidents?
6© 2016 Cisco and/or its affiliates. All rights reserved.
ANTIVIRUS
ANTIVIRUS
Vendors pumping out update after
update after update after
update…
Firewall
Web filter
Email filter
ANTIVIRUS SERVER
consoles pumping out alert after alert after alert after
alert…
! ! ! !
7© 2016 Cisco and/or its affiliates. All rights reserved.
Security tools
before an incident
Security tools during an incident
© 2016 Cisco and/or its affiliates. All rights reserved. 8
“… organizations should be aware that no matter how much effort they put into malware incident prevention, incidents will still occur…”
Guide to Malware Incident Prevention and Handling for
Desktops and Laptops
© 2016 Cisco and/or its affiliates. All rights reserved. 9
GARTNER
“Organizations should move their investments from 90% prevention and 10% detection and response to a 60/40 split”
Peter Sondergaard,Senior VP and Global Head of
Research
10© 2016 Cisco and/or its affiliates. All rights reserved.
Typical Incident Response workflow
11© 2016 Cisco and/or its affiliates. All rights reserved.
INVESTIGATEINCIDENTS RECOVER IMPROVE
DEFENSE
REDUCE THE ATTACK
SURFACE
ALERTS
SECURITY ARCHITECTURE
BLOCK
12© 2016 Cisco and/or its affiliates. All rights reserved.
Where does Incident Response begin – for you?
© 2016 Cisco and/or its affiliates. All rights reserved. 13
Which of these scenarios is your organizations “this is an incident” starting point?
© 2016 Cisco and/or its affiliates. All rights reserved. 14
chrome.exe
jp2launcher.exe
java.exe
Blocked Payload
chrome.exe
a273.exe
winword.exe
C&C Connection
When?
How?
What?
Business Impacting Event
15© 2016 Cisco and/or its affiliates. All rights reserved.
The problem is a lack of translation between raw events and meaningful intelligence
16© 2016 Cisco and/or its affiliates. All rights reserved.
Wilson-CarterData Source
ApproachQuotient
1The distance
from the sourceof the data
17© 2016 Cisco and/or its affiliates. All rights reserved.
Cisco’s solution to accelerating incident response
© 2016 Cisco and/or its affiliates. All rights reserved. 18
INCIDENT RESPONSE STARTS HERE
chrome.exe
jp2launcher.exe
java.exe
Blocked Payload
chrome.exe
a273.exe
winword.exe
C&C Connection
When?
How?
What?
Business Impacting Event
PROTECT
ACCELERATE
AUTOMATE
AUTOMATE
HUNT
RESPOND
19© 2016 Cisco and/or its affiliates. All rights reserved.
Cisco’s solution to accelerating incident response
20© 2016 Cisco and/or its affiliates. All rights reserved.
PROTECT RESPONDHUNT
INTEGRATE
SIMPLIFY
AUTOMATE
ACCELERATE
TRAJECTORY: 30+ DAY RECORDED HISTORY
CONTINUOUS ANALYSIS OF THAT HISTORY
RETROSPECTIVE DETECTION: IN THAT HISTORY
VISIBILITY & CONTROL: END-TO-END
21© 2016 Cisco and/or its affiliates. All rights reserved.
What we will show today
22© 2016 Cisco and/or its affiliates. All rights reserved.
23© 2016 Cisco and/or its affiliates. All rights reserved.
EmailSecurity
Cisco ISE
ThreatGridUmbrella
SIG
Cisco ISE
NextGenFirewall
EmailSecurity
AMP forEndpoints
CISCOTALOS
AMP
AMP
AMP
AMP
Cisco ISE
UmbrellaInvestigate
AMP AMP
24© 2016 Cisco and/or its affiliates. All rights reserved.
Cisco ISENextGenFirewall
Cisco ISE
EmailSecurity
AMP forEndpoints
Cisco ISE
Cisco ISE
ThreatGridUmbrella
SIG
Cisco ISE
NextGenFirewall
EmailSecurity
AMP forEndpoints
CISCOTALOS
AMP
AMP
AMP
AMP
UmbrellaInvestigate
AMP AMP
30+ day recorded history = accelerated IR
Continuous analysis of that recorded history =
automated hunting
25© 2016 Cisco and/or its affiliates. All rights reserved.
WEB
FIREWALL
MERAKI
UMBRELLA
THREATGRID
Blocking
AMP
AMP
COGNITIVETHREATANALYTICS
26© 2016 Cisco and/or its affiliates. All rights reserved.
Today’s IR scenarios
27© 2016 Cisco and/or its affiliates. All rights reserved.
Want to try it out yourself?
28© 2016 Cisco and/or its affiliates. All rights reserved.
Cisco ISENextGenFirewall
Cisco ISE
EmailSecurity
AMP forEndpoints
Cisco ISE
Cisco ISE
ThreatGridUmbrella
SIG
Cisco ISE
NextGenFirewall
EmailSecurity
AMP forEndpoints
CISCOTALOS
AMP
AMP
AMP
AMP
UmbrellaInvestigate
AMP AMP
30+ day recorded history = accelerated IR
Continuous analysis of that recorded history =
automated hunting
29© 2016 Cisco and/or its affiliates. All rights reserved.
30© 2016 Cisco and/or its affiliates. All rights reserved.
AMP for EmailPROTECT
• File Reputation – up to the millisecond • File Behavioral analysis – cloud or appliance
HUNT
• Continuous Analysis – by Cisco TALOS• Retrospective Detection – everywhere
RESPOND
• Message tracking – accelerate IR
31© 2016 Cisco and/or its affiliates. All rights reserved.
AMP ThreatGridPROTECT
• Behavioral Analysis• Integrations with non-Cisco security tools
HUNT
• Confirm threats – Glovebox• Generate Threat Intel – From local to global
RESPOND
• Generate Threat Intel – From local to global
32© 2016 Cisco and/or its affiliates. All rights reserved.
AMP for NetworkPROTECT
• File Analysis – up to the millisecond• Machine Learning Engine – Spero• File Behavioral analysis – cloud or appliance
HUNT
• Continuous Analysis – by Cisco TALOS• Retrospective Detection – everywhere
RESPOND
• File Trajectory – Interactive search
33© 2016 Cisco and/or its affiliates. All rights reserved.
AMP for EndpointPROTECT
• Multi-Engine analysisHUNT
• Low Prevalence Analysis• Continuous Analysis – by Cisco TALOS
• Retrospective Detection – everywhereRESPOND
• Full history of endpoint behavior (30 days)• Elastic Search• IoCs
34© 2016 Cisco and/or its affiliates. All rights reserved.
35© 2016 Cisco and/or its affiliates. All rights reserved.
