The Value of FireSIGHT Management Center (FMC)
Value of Event Data

Differentiator: Data, Data, Data – Threat, network, application and endpoint intelligence in one console.
  Technical Outcome:
  • More data than any other single product.
  • FMC has and leverages context for automation.
  • Integrated and contextual for better forensics.
  • Data is automatically organized into useful containers.
  Business Outcome:
  • FMC improves operational engagement by reducing the number of tools required to understand a security event.
  • Depth of data shortens time to event scoping and containment.

Differentiator: Impact Analysis
  Technical Outcome:
  • Automated correlation to drive events requiring investigation / remediation.
  Business Outcome:
  • Shortens time to discovery.
  • Focuses security ops on remediation needs.

Differentiator: Indicators of Compromise
  Technical Outcome:
  • Automated integration and elevation of critical events.
  • Expands the scope of threat vectors.
  Business Outcome:
  • Shortens time to discovery.
  • Focuses security ops on remediation needs.
Context comes from knowing the hosts on your network

Understanding Impact Flags

Diagram: the fields of an Intrusion Event are matched against the Host Profile of the targeted host to produce the Impact Flag.

Intrusion Event fields: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, Snort ID, IOC: Predefined Impact.
Host Profile fields: IP Address, Protocols, Server Side Ports, Client Side Ports, User IDs, Potential Vulnerabilities, Services, Client / Server Apps, Operating System, CVE.

Impact Flag, Action, Why:
• Impact 0 [Outside Profile Range]: General info††, event outside profiled networks. Why: event occurred outside profiled networks.
• Impact 4 [Host not yet profiled]: Good information, host is currently not known. Why: previously unseen host within monitored network.
• Impact 3: Good information, event may not have connected. Why: relevant port not open or protocol not in use.
• Impact 2: Worth investigation. Host exposed. Why: relevant port or protocol in use but no vuln mapped.
• Impact 1: Act immediately. Host vulnerable or compromised. Why: host vulnerable to attack or showing an IOC.

†† If you have a fully profiled network this may be a critical event!
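The impact-flag table above, worked through in code as an added example (this is not Cisco's implementation; FMC also weighs the source host, while this version checks only the destination host for brevity). The monitored range, host profiles and events are constructed samples; sid 1000001 is a local-rule placeholder, and the triage step also flags events sourced from inside the monitored network, the directionality point the deck's assessment slides make.

```python
# Added example (not Cisco code): assign the FMC impact flag from the table above
# to an intrusion event by comparing it with the destination host's profile.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Networks the discovery policy profiles (constructed sample range).
MONITORED = [ip_network("10.10.0.0/16")]


@dataclass
class HostProfile:
    ip: str
    os: str = "unknown"
    open_tcp_ports: set = field(default_factory=set)
    open_udp_ports: set = field(default_factory=set)
    vulnerabilities: set = field(default_factory=set)  # CVE ids mapped to this host
    has_ioc: bool = False                              # host already tagged with an IOC


@dataclass
class IntrusionEvent:
    snort_sid: int
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    dst_port: int
    cve_refs: set = field(default_factory=set)         # CVEs referenced by the Snort rule


# Action column of the impact-flag table.
ACTION = {
    0: "General info: event outside profiled networks",
    1: "Act immediately: host vulnerable or compromised",
    2: "Worth investigation: host exposed",
    3: "Good information: event may not have connected",
    4: "Good information: host is currently not known",
}


def in_monitored(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in MONITORED)


def impact_flag(ev: IntrusionEvent, hosts: dict) -> int:
    """Return the impact flag 0-4 for ev, given a map of IP -> HostProfile."""
    if not in_monitored(ev.dst_ip):
        return 0   # target outside the profiled range: no host context to compare against
    host = hosts.get(ev.dst_ip)
    if host is None:
        return 4   # inside the monitored range, but this host has not been profiled yet
    if host.has_ioc or (ev.cve_refs & host.vulnerabilities):
        return 1   # a rule CVE is mapped to the host, or the host already shows an IOC
    open_ports = host.open_tcp_ports if ev.proto == "tcp" else host.open_udp_ports
    if ev.dst_port not in open_ports:
        return 3   # relevant port not open / protocol not in use: probably never connected
    return 2       # port in use but no vulnerability mapped: exposed, worth investigation


def triage(events, hosts):
    """Score each event and note direction: events sourced from inside the monitored
    network (e.g. exfiltration) deserve a look regardless of the impact score."""
    rows = []
    for ev in events:
        flag = impact_flag(ev, hosts)
        outbound = in_monitored(ev.src_ip) and not in_monitored(ev.dst_ip)
        rows.append((ev.snort_sid, flag, ACTION[flag], outbound))
    return rows


# Constructed sample host profiles and events (not real data).
HOSTS = {
    "10.10.1.20": HostProfile("10.10.1.20", "Windows", open_tcp_ports={25, 80},
                              vulnerabilities={"CVE-2014-4123"}),
    "10.10.1.30": HostProfile("10.10.1.30", "Linux", open_tcp_ports={22, 1521}),  # Oracle server
    "10.10.1.40": HostProfile("10.10.1.40", "Windows", open_tcp_ports={443}, has_ioc=True),
}
EVENTS = [
    IntrusionEvent(1000001, "10.10.1.30", "192.0.2.5", "tcp", 80),                      # external target
    IntrusionEvent(32265, "198.51.100.7", "10.10.9.9", "tcp", 25, {"CVE-2014-4123"}),   # unprofiled host
    IntrusionEvent(32265, "198.51.100.7", "10.10.1.20", "tcp", 25, {"CVE-2014-4123"}),  # CVE mapped to host
    IntrusionEvent(1000001, "10.10.1.20", "10.10.1.30", "tcp", 1521),                   # port open, no vuln
    IntrusionEvent(1000001, "10.10.1.20", "10.10.1.30", "tcp", 445),                    # port closed
    IntrusionEvent(1000001, "198.51.100.7", "10.10.1.40", "tcp", 8080),                 # host tagged with IOC
]

if __name__ == "__main__":
    for row in triage(EVENTS, HOSTS):
        print(row)
```

Note that the first event scores Impact 0 even though it is an internal host talking outward, which is exactly why the outbound flag is reported alongside the score.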
Indications of Compromise
Leverage correlation of multiple event types, such as:
• Impact 1 & 2 events
• CNC connection events (IPS)
• Compromise events (IPS)
• Security Intelligence Events
• AMP for Endpoint Events
• AMP for Network (includes some file events)
• Built-in Cisco correlation rules
Goal:
1. What needs to be fixed now!
2. Have enough data to know what can be prevented in the future.
Better Breach Investigations

Differentiator: Threat Centric Forensics with Context
  Technical Outcome:
  • Breadth of event data (NGIPS, Application data, OS, File, Malware, Security Intelligence, Connection, etc.) provides more forensic data than any other single provider.
  Business Outcome:
  • Faster investigation and security decision support.
  • More accurate event scoping, i.e. easily find every outcome from an event.

Differentiator: Event details support your Order of Investigations
  Technical Outcome:
  • Event data interconnects to cross-reference from one event to its corollary incidents.
  Business Outcome:
  • Allows security teams to focus on and mature best practice models.

Differentiator: Host Profiles
  Technical Outcome:
  • Create a single “source of truth” regarding the outcome and current state of devices during a security event.
  Business Outcome:
  • Quickly focuses analysts on the devices they are tasked to protect.
  • Accelerates scoping and remediation.
Stages of Incident Handling (SANS Institute): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

• Decide on which events to focus on first
• Drill into a specific event
• Validate the breach
• Leverage documentation
• Leverage additional forensics
• Explore your remediation options
• Remediate
• Automate as many decisions or actions as possible.

Order of Investigation†: Remediation – Incident Response – Data Collection
† may vary based on corporate priority
Diagram (triage by Indication of Compromise and impact flag): columns labelled “You’ve been owned”, “Under Attack” and “Research & Tuning” span Impact 0, Impact 1, Impact 2 - 3 and Impact 4, with qualifiers “Critical Assets”, Not Blocked, Internal Source, External Source, Dropped, BDA and Correlation Rules.
Goal: Getting to Remediation
Identify Where to Start
If this is all there was then the “Order of Investigation” is easy. (From the FMC Dashboard)

Identify Where to Start
Indications of Compromise is often a better place to start. If it was always so easy. (From the FMC Context Explorer)

What too many networks look like
Some ways to choose:
• Look for Malware Executed (Endpoint AMP)
• Dropper Infection (Endpoint AMP)
• Threat detected in file transfer
• CnC Connected Events
• Shell Code Executed
• Impact 1 (these were probably blocked)
• Impact 2 (these were probably blocked)
(From the FMC Context Explorer)

Let’s see what these 63 events are all about. Busy event. Looks like we’re getting more. Seems active across 6 hosts. Let’s drill into one.
Looks like Kim Ralls has a lot going on on her Windows host. Events from multiple sources:
• IPS Engine
• File Protection
• AMP for Networks
• .147 tried to send the file 5 times
• .147 was sent the file once
• IPS blocked it! (yeah!)
• What does Impact 4 mean?
• Should we investigate more?
Did you forget about these? Let’s see if that file moved around without the IPS seeing it.
Yep. That file is malware. We see it in the malware summary, too.
• A lot more than the 6 file transfers and hosts the IPS engine stopped.
• Good thing they have AMP for Endpoints, too.
• Bet they wished they had enabled quarantining.
• Problem scoped. Time to remediate.
• Maybe a good time to look at file analysis / Threat Grid to learn what other artifacts are left behind.
Take Away
Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.
The Impact 1s are gone – Let’s look at something else
This looks interesting. I know I have an Oracle server. Let’s look at the rule docs.
Assessment
• Impact 2: Destination host not vulnerable (consistent with the rule docs)
• Impact 2 means this was a successful TCP connection
• IPS blocked the event
• Source IP could well be compromised, or it proxied an attack from another host.
• Check out Connection Logs and Source IP Host Profile
Another Assessment from the other Admin priv attempts
• Source IPs all internal, Destination IP is external
• Impact 3 because there are no Host Profiles on external hosts
• Intrusion events SOURCED from my network are more important than Impact Scores
• TCP detections mean there was at least a connection established.
• These hosts definitely launched an attack.
• Should take a closer look at the Source IP Host Profiles for potential compromise.
Assessment: This has to be stopped!
• Try to follow an Order of Investigation (PICERL).
• Identification of events around an incident usually has multiple markers: IPS? Malware? Connection? File? Trajectory? Check all the related data.
• Impact and IOCs are just starting points. Keep in mind:
  • Directionality of events (i.e. exfiltrating events are worth looking at even at Impact 2, 3 and 4).
  • Be sure to consider how the protocols work (i.e. TCP means there was a connect; UDP is connectionless).
• Take advantage of the documentation!
• Packet data is great but not critical.
Scoping a Breach
Security Automation Differentiation

Differentiator: Recommended Rules
  Technical Outcome:
  • Ensures threat visibility specific to the network being monitored and protected.
  • False Negative Reduction
  Business Outcome:
  • Reduces “Human Error” in ensuring comprehensive protection.
  • Automates

Differentiator: Correlation Rules
  Technical Outcome:
  • Further reduces events from “requiring investigation” to “requires response”
  • Automation of event investigation practices.
  Business Outcome:
  • Integrates business outcome with security practice.
  • Captures and automates security best practice (raises the level of security support staff)

Differentiator: Remediation API
  Technical Outcome:
  • Cross Cisco and 3rd party interconnect
  • Automation of security response
  Business Outcome:
  • FMC + ISE becomes the center of security infrastructure.
  • Automating remediation shortens time to a “return to business” state.
Recommended Rules

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )

Rule that will map to Recommended Rules
Some rules will ALWAYS be turned off by Recommended Rules
Building a Correlation Rule
Correlation Rule to ensure that:
• only HTTPS traffic is used, on port 443,
• it is initiated by a host whose defined Location (host attribute) is POS,
• and the HTTPS traffic from the POS host is received on hosts in the PCI network.
• Any traffic outside this profile will generate an event.
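The POS-to-PCI profile above, evaluated over connection events as an added example (this is plain Python, not FMC's correlation rule syntax). The PCI segment, the Location host attributes and the connection events are constructed samples.

```python
# Added example (not FMC's own rule engine): evaluate connection events against the
# "POS hosts speak only HTTPS on 443 to the PCI network" profile described above,
# emitting a correlation event for any connection that falls outside it.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PCI_NET = ip_network("10.20.0.0/24")          # assumed PCI segment (constructed)
HOST_ATTRIBUTES = {                            # assumed "Location" host attribute values
    "10.30.1.11": {"Location": "POS"},
    "10.30.1.12": {"Location": "POS"},
    "10.40.5.5": {"Location": "Office"},
}


@dataclass(frozen=True)
class ConnectionEvent:
    initiator_ip: str
    responder_ip: str
    responder_port: int
    app_protocol: str      # as identified by the sensor, e.g. "HTTPS", "HTTP", "DNS"


def violations(ev: ConnectionEvent) -> list:
    """Return the profile conditions this event breaks (empty list = compliant)."""
    if HOST_ATTRIBUTES.get(ev.initiator_ip, {}).get("Location") != "POS":
        return []      # the rule only applies to connections initiated by POS hosts
    broken = []
    if ev.app_protocol != "HTTPS":
        broken.append("application protocol is not HTTPS")
    if ev.responder_port != 443:
        broken.append("responder port is not 443")
    if ip_address(ev.responder_ip) not in PCI_NET:
        broken.append("responder is outside the PCI network")
    return broken


def correlate(events):
    """Return correlation events as (initiator, responder:port, reasons) tuples."""
    out = []
    for ev in events:
        broken = violations(ev)
        if broken:
            out.append((ev.initiator_ip, f"{ev.responder_ip}:{ev.responder_port}", broken))
    return out


# Constructed sample connection events (not real traffic).
EVENTS = [
    ConnectionEvent("10.30.1.11", "10.20.0.10", 443, "HTTPS"),    # compliant
    ConnectionEvent("10.30.1.11", "10.20.0.10", 8443, "HTTPS"),   # wrong port
    ConnectionEvent("10.30.1.12", "203.0.113.9", 443, "HTTPS"),   # leaves the PCI network
    ConnectionEvent("10.30.1.12", "10.20.0.10", 443, "HTTP"),     # cleartext on 443
    ConnectionEvent("10.40.5.5", "203.0.113.9", 80, "HTTP"),      # not a POS host: ignored
]

if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

As written, anything a POS host does other than HTTPS/443 into PCI (DNS lookups included) raises an event, which is the profile the slide describes; exceptions are a tuning decision for the deployment.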
Automating Response – Remediation API (Use Case 2)
Sample Remediation Modules
• Cisco ISE – FIRE & ISE
• Guidance EnCase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• NetScaler
• PacketFence
• Bradford

Diagram (correlation pipeline): Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles and Malware Events feed Correlation Rules (Boolean Conditions); Correlation Policies group Correlation Rules and produce Correlation Events, which trigger Actions (API, Email, SNMP).
Reporting Differentiators

Differentiator: Work Flows
  Technical Outcome:
  • Pivoting data views improves event investigation.
  • Custom workflows organize data in ways that are meaningful to the organization.
  Business Outcome:
  • Allows security investigations to align with business criticality.
  • Speeds analytics.

Differentiator: Custom Tables
  Technical Outcome:
  • Allows for data integration across event types.
  Business Outcome:
  • Significantly customizes reporting for different business and security requirements.
  • Allows sec ops to build comprehensive views into individual events.

Differentiator: Dashboard focused reporting
  Technical Outcome:
  • Highly customizable dashboard with 100s of reporting options.
  • Integrates default and custom tables, workflows, and queries.
  • Organize event data into locally meaningful segments
  Business Outcome:
  • Quickly build custom report templates.
  • Highly customizable reporting.
Create a Custom Workflow
Custom Table: Intrusion Event with Host Data
• Not just what’s in the templates
• Dashboard widgets have almost 120 preset reports
• Customizing Widgets means thousands of reporting options.
• Think of the Dashboard as your report designer.
• Tools:
  • Searches
  • Custom Workflows
  • Custom Tables <-- Data goldmine (can be performance impacting)
Default Reports
Build Reports Straight from the Dashboard
Ad

More Related Content

What's hot (20)

Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
Cisco Canada
 
20 palo alto site to site
20 palo alto site to site20 palo alto site to site
20 palo alto site to site
Mostafa El Lathy
 
LDAP
LDAPLDAP
LDAP
Khemnath Chauhan
 
Deep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDeep Packet Inspection technology evolution
Deep Packet Inspection technology evolution
Daniel Vinyar
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview
Mostafa El Lathy
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshell
Frank Kelly
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
S. Hasnain Raza
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
Cisco Canada
 
Ldap intro
Ldap introLdap intro
Ldap intro
yousry ibrahim
 
SD-WAN PROTOCOLS
SD-WAN PROTOCOLSSD-WAN PROTOCOLS
SD-WAN PROTOCOLS
bilal anjum
 
Fortinet_ProductGuide_NOV2021_R127.pdf
Fortinet_ProductGuide_NOV2021_R127.pdfFortinet_ProductGuide_NOV2021_R127.pdf
Fortinet_ProductGuide_NOV2021_R127.pdf
AlonzoJames2
 
DNS Security
DNS SecurityDNS Security
DNS Security
inbroker
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
sravya raju
 
Introdunction to Network Management Protocols - SNMP & TR-069
Introdunction to Network Management Protocols - SNMP & TR-069Introdunction to Network Management Protocols - SNMP & TR-069
Introdunction to Network Management Protocols - SNMP & TR-069
William Lee
 
Iptables the Linux Firewall
Iptables the Linux Firewall Iptables the Linux Firewall
Iptables the Linux Firewall
Syed fawad Gillani
 
Lattice-based Signatures
Lattice-based SignaturesLattice-based Signatures
Lattice-based Signatures
OnBoard Security, Inc. - a Qualcomm Company
 
Security Onion
Security OnionSecurity Onion
Security Onion
johndegruyter
 
A Software Defined WAN Architecture
A Software Defined WAN ArchitectureA Software Defined WAN Architecture
A Software Defined WAN Architecture
Open Networking Summits
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
Abhishek Gupta
 
Putting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation FirewallPutting Firepower Into The Next Generation Firewall
Putting Firepower Into The Next Generation Firewall
Cisco Canada
 
Deep Packet Inspection technology evolution
Deep Packet Inspection technology evolutionDeep Packet Inspection technology evolution
Deep Packet Inspection technology evolution
Daniel Vinyar
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview
Mostafa El Lathy
 
Ssl in a nutshell
Ssl in a nutshellSsl in a nutshell
Ssl in a nutshell
Frank Kelly
 
LDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access ProtocolLDAP - Lightweight Directory Access Protocol
LDAP - Lightweight Directory Access Protocol
S. Hasnain Raza
 
ASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment ScenariosASA Firepower NGFW Update and Deployment Scenarios
ASA Firepower NGFW Update and Deployment Scenarios
Cisco Canada
 
SD-WAN PROTOCOLS
SD-WAN PROTOCOLSSD-WAN PROTOCOLS
SD-WAN PROTOCOLS
bilal anjum
 
Fortinet_ProductGuide_NOV2021_R127.pdf
Fortinet_ProductGuide_NOV2021_R127.pdfFortinet_ProductGuide_NOV2021_R127.pdf
Fortinet_ProductGuide_NOV2021_R127.pdf
AlonzoJames2
 
DNS Security
DNS SecurityDNS Security
DNS Security
inbroker
 
IPS (intrusion prevention system)
IPS (intrusion prevention system)IPS (intrusion prevention system)
IPS (intrusion prevention system)
Netwax Lab
 
Secure shell ppt
Secure shell pptSecure shell ppt
Secure shell ppt
sravya raju
 
Introdunction to Network Management Protocols - SNMP & TR-069
Introdunction to Network Management Protocols - SNMP & TR-069Introdunction to Network Management Protocols - SNMP & TR-069
Introdunction to Network Management Protocols - SNMP & TR-069
William Lee
 

Similar to FireSIGHT Management Center (FMC) slides (20)

EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
FaithWestdorp
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
Xavier Mertens
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Falgun Rathod
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
Splunk
 
Security Operation Center : Le Centre des Opérations de Sécurité est une div...
Security Operation Center  : Le Centre des Opérations de Sécurité est une div...Security Operation Center  : Le Centre des Opérations de Sécurité est une div...
Security Operation Center : Le Centre des Opérations de Sécurité est une div...
Khaledboufnina
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
Atif Ghauri
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Sergey Soldatov
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
Teymur Kheirkhabarov
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protection
Dejan Jeremic
 
Cybersecurity - Jim Butterworth
Cybersecurity - Jim ButterworthCybersecurity - Jim Butterworth
Cybersecurity - Jim Butterworth
TechBiz Forense Digital
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
Splunk
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber Analytics
Novetta
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules  - Detecting more with RSA Security AnalyticsThe Golden Rules  - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
Demetrio Milea
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
ISACA -Threat Hunting using Native Windows tools .pdf
ISACA -Threat Hunting using Native Windows tools .pdfISACA -Threat Hunting using Native Windows tools .pdf
ISACA -Threat Hunting using Native Windows tools .pdf
Gurvinder Singh, CISSP, CISA, ITIL v3
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
jagadeesh katla
 
1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale
Sam Bowne
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
penetration Tester
 
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
FaithWestdorp
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
Priyanka Aash
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Falgun Rathod
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
Splunk
 
Security Operation Center : Le Centre des Opérations de Sécurité est une div...
Security Operation Center  : Le Centre des Opérations de Sécurité est une div...Security Operation Center  : Le Centre des Opérations de Sécurité est une div...
Security Operation Center : Le Centre des Opérations de Sécurité est une div...
Khaledboufnina
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
Atif Ghauri
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protection
Dejan Jeremic
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
Splunk
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber Analytics
Novetta
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules  - Detecting more with RSA Security AnalyticsThe Golden Rules  - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
Demetrio Milea
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
Alert Logic
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
jagadeesh katla
 
1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale
Sam Bowne
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
Lancope, Inc.
 
Ad

Recently uploaded (20)

AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPathCommunity
 
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath MaestroDev Dives: Automate and orchestrate your processes with UiPath Maestro
Dev Dives: Automate and orchestrate your processes with UiPath Maestro
UiPathCommunity
 
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
#StandardsGoals for 2025: Standards & certification roundup - Tech Forum 2025
BookNet Canada
 
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In FranceManifest Pre-Seed Update | A Humanoid OEM Deeptech In France
Manifest Pre-Seed Update | A Humanoid OEM Deeptech In France
chb3
 
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Enhancing ICU Intelligence: How Our Functional Testing Enabled a Healthcare I...
Impelsys Inc.
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025Splunk Security Update | Public Sector Summit Germany 2025
Splunk Security Update | Public Sector Summit Germany 2025
Splunk
 
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptxSpecial Meetup Edition - TDX Bengaluru Meetup #52.pptx
Special Meetup Edition - TDX Bengaluru Meetup #52.pptx
shyamraj55
 
AI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global TrendsAI and Data Privacy in 2025: Global Trends
AI and Data Privacy in 2025: Global Trends
InData Labs
 
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdfComplete Guide to Advanced Logistics Management Software in Riyadh.pdf
Complete Guide to Advanced Logistics Management Software in Riyadh.pdf
Software Company
 
Linux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdfLinux Professional Institute LPIC-1 Exam.pdf
Linux Professional Institute LPIC-1 Exam.pdf
RHCSA Guru
 
HCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser EnvironmentsHCL Nomad Web – Best Practices and Managing Multiuser Environments
HCL Nomad Web – Best Practices and Managing Multiuser Environments
panagenda
 
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul Shares 5 Steps to Implement AI Agents for Maximum Business Efficien...
Noah Loul
 
Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.Greenhouse_Monitoring_Presentation.pptx.
Greenhouse_Monitoring_Presentation.pptx.
hpbmnnxrvb
 
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven InsightsAndrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell: Transforming Business Strategy Through Data-Driven Insights
Andrew Marnell
 
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
AI Changes Everything – Talk at Cardiff Metropolitan University, 29th April 2...
Alan Dix
 
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Massive Power Outage Hits Spain, Portugal, and France: Causes, Impact, and On...
Aqusag Technologies
 
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-UmgebungenHCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
HCL Nomad Web – Best Practices und Verwaltung von Multiuser-Umgebungen
panagenda
 
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdfSAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
SAP Modernization: Maximizing the Value of Your SAP S/4HANA Migration.pdf
Precisely
 
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptxIncreasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Increasing Retail Store Efficiency How can Planograms Save Time and Money.pptx
Anoop Ashok
 
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
UiPath Community Berlin: Orchestrator API, Swagger, and Test Manager APIUiPath Community Berlin: Orchestrator API, Swagger, and Test Manager API
FireSIGHT Management Center (FMC) slides

  • 1. The Value of FireSIGHT Management Center (FMC)
  • 2. Value of Event Data (Differentiator / Technical Outcome / Business Outcome)
    Data, Data, Data – Threat, network, application and endpoint intelligence in one console.
      • More data than any other single product.
      • FMC has and leverages context for automation.
      • Integrated and contextual for better forensics.
      • Data is automatically organized into useful containers.
      • FMC improves operational engagement by reducing the number of tools required to understand a security event.
      • Depth of data shortens time to event scoping and containment.
    Impact Analysis
      • Automated correlation to drive events requiring investigation / remediation.
      • Shortens time to discovery.
      • Focuses security ops on remediation needs.
    Indicators of Compromise
      • Automated integration and elevation of critical events.
      • Expands the scope of threat vectors.
      • Shortens time to discovery.
      • Focuses security ops on remediation needs.
  • 3. Context comes from knowing the hosts on your network
  • 4. Understanding Impact Flags
    Intrusion Event fields: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, Snort ID, IOC: Predefined Impact.
    Host Profile fields ([Outside Profile Range], [Host not yet profiled]): IP Address, Protocols, Server Side Ports, Client Side Ports, User IDs, Potential Vulnerabilities, Services, Client / Server Apps, Operating System, CVE.
    Impact Flag / Action / Why:
      • Impact 0: General info††, event outside profiled networks. Why: event occurred outside profiled networks.
      • Impact 4: Good information, host is currently not known. Why: previously unseen host within monitored network.
      • Impact 3: Good information, event may not have connected. Why: relevant port not open or protocol not in use.
      • Impact 2: Worth investigation. Host exposed. Why: relevant port or protocol in use but no vuln mapped.
      • Impact 1: Act immediately. Host vulnerable or compromised. Why: host vulnerable to attack or showing an IOC.
    †† If you have a fully profiled network this may be a critical event!
  • 5. Indications of Compromise
    Leverage correlation of multiple event types, such as:
      • Impact 1 & 2 events
      • CNC connection events (IPS)
      • Compromise events (IPS)
      • Security Intelligence Events
      • AMP for Endpoint Events
      • AMP for Network (includes some file events)
      • Built in Cisco correlation rules
    Goal:
      1. What needs to be fixed now!
      2. Have enough data to know what can be prevented in the future.
  • 6. Better Breach Investigations (Differentiator / Technical Outcome / Business Outcome)
    Threat Centric Forensics with Context
      • Breadth of event data (NGIPS, Application data, OS, File, Malware, Security Intelligence, Connection, etc.) provides more forensic data than any other single provider.
      • Faster investigation and security decision support.
      • More accurate event scoping; i.e. easily find every outcome from an event.
    Event details support your Order of Investigations
      • Event data interconnects to cross reference from one event to corollary incidents.
      • Allows security teams to focus on and mature best practice models.
    Host Profiles
      • Create a single “source of truth” regarding the outcome and current state of devices during a security event.
      • Quickly focuses analysts on the devices they are tasked to protect.
      • Accelerates scoping and remediation.
  • 7. Stages of Incident Handling (SANS Institute): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
      • Decide on which events to focus on first
      • Drill into a specific event
      • Validate the breach
      • Leverage documentation
      • Leverage additional forensics
      • Explore your remediation options
      • Remediate
      • Automate as many decisions or actions as possible.
  • 8. Order of Investigation† (†may vary based on corporate priority)
    Remediation – Incident Response – Data Collection
    Diagram labels: Indication of Compromise (“You’ve been owned.”), Under Attack, Research & Tuning; Impact 0, Impact 1, Impact 2 - 3, Impact 4; “Critical Assets”, Not Blocked, Internal Source, External Source, Dropped, BDA Correlation Rules.
    Goal: Getting to Remediation
  • 9. Identify Where to Start (from the FMC Dashboard): If this is all there was, then the “Order of Investigation” is easy.
  • 10. Identify Where to Start (from the FMC Context Explorer): Indications of Compromise is often a better place to start. If it was always so easy.
  • 11. What too many networks look like (from the FMC Context Explorer)
    Some ways to choose:
      • Look for Malware Executed (Endpoint AMP)
      • Dropper Infection (Endpoint AMP)
      • Threat detected in file transfer
      • CnC Connected Events
      • Shell Code Executed
      • Impact 1 (these were probably blocked)
      • Impact 2 (these were probably blocked)
    Let’s see what these 63 events are all about.
  • 12. Busy event. Looks like we’re getting more.
  • 13. Seems active across 6 hosts. Let’s drill into one.
  • 14. Looks like Kim Ralls has a lot going on on her Windows host. Events from multiple sources:
      • IPS Engine
      • File Protection
      • AMP for Networks
  • 15.
      • .147 tried to send the file 5 times
      • .147 was sent the file once
      • IPS blocked it! (yeah!)
      • What does Impact 4 mean?
      • Should we investigate more?
  • 16. Did you forget about these? Let’s see if that file moved around without the IPS seeing it.
  • 17. Yep. That file is malware. We see it in the malware summary, too.
  • 18.
      • A lot more than the 6 file transfers and hosts the IPS engine stopped.
      • Good thing they have AMP for Endpoints, too.
      • Bet they wish they had enabled quarantining.
      • Problem scoped. Time to remediate.
      • Maybe a good time to look at file analysis / Threat Grid to learn what other artifacts are left behind.
    Take Away: Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.
  • 19. The Impact 1s are gone – Let’s look at something else. This looks interesting.
  • 20. I know I have an Oracle server. Let’s look at the rule docs.
  • 21. Assessment
      • Impact 2: destination host not vulnerable (consistent with the rule docs)
      • Impact 2 means this was a successful TCP connection
      • IPS blocked the event
      • Source IP could well be compromised, or it proxied an attack from another host.
      • Check out Connection Logs and Source IP Host Profile
  • 22. Another Assessment, from the other Admin priv attempts
      • Source IPs all internal, Destination IP is external
      • Impact 3 because there are no Host Profiles on external hosts
      • Intrusion events SOURCED from my network are more important than Impact Scores
      • TCP detection means there was at least a connection established.
      • These hosts definitely launched an attack.
      • Should take a closer look at the Source IP Host Profiles for potential compromise.
  • 23. Assessment: This has to be stopped!
  • 24. Scoping a Breach
      • Try to follow an Order of Investigation (PICERL).
      • Identification of events around an incident usually has multiple markers: IPS? Malware? Connection? File? Trajectory? Check all the related data.
      • Impact and IOCs are just starting points.
    Keep in mind:
      • Directionality of events (i.e. exfiltrating events are worth looking at even with Impact 2, 3, and 4).
      • Be sure to consider how the protocols work (i.e. TCP: there was a connect; UDP: connectionless).
      • Take advantage of the documentation!
      • Packet data is great but not critical.
  • 25. Security Automation Differentiation (Differentiator / Technical Outcome / Business Outcome)
    Recommended Rules
      • Ensures threat visibility specific to the network being monitored and protected.
      • False Negative Reduction
      • Reduces “Human Error” in ensuring comprehensive protection.
    Automates Correlation Rules
      • Further reduces events from “requiring investigation” to “requires response”
      • Automation of event investigation practices.
      • Integrates business outcome with security practice.
      • Captures and automates security best practice (raises the level of security support staff)
    Remediation API
      • Cross Cisco and 3rd party interconnect
      • Automation of security response
      • FMC + ISE becomes the center of security infrastructure.
      • Automating remediation shortens time to a “return to business” state.
  • 26. Recommended Rules

      alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )

      alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )

    Rule that will map to Recommended Rules. Some rules will ALWAYS be turned off by Recommended Rules.
  • 27. Building a Correlation Rule
    Correlation Rule to:
      • Ensure only HTTPS traffic
      • is used on port 443
      • is being initiated by a Host with a defined Location (host Attribute) of POS
      • and that the HTTPS traffic from the POS host is received on hosts in the PCI network.
      • Any traffic outside this profile will generate an event.
  • 28. Automating Response – Remediation API (Use Case 2)
    Sample Remediation Modules:
      • Cisco ISE – FIRE & ISE
      • Guidance Encase
      • Set Host Attributes
      • Security Intelligence Blacklisting
      • Nmap Scan
      • SSH / Expect Scripts
      • F5 iRules
      • Solera DeepSee
      • Netscaler
      • PacketFence
      • Bradford
    Diagram: event sources (Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events) feed Correlation Rules (Boolean Conditions), which are grouped into Correlation Policies; matches produce Correlation Events and trigger Actions (API, Email, SNMP).
  • 29. Reporting Differentiators (Differentiator / Technical Outcome / Business Outcome)
    Work Flows
      • Pivoting data views improves event investigation.
      • Custom workflows organize data in ways that are meaningful to the organization.
      • Allows security investigations to align with business criticality.
      • Speeds analytics.
    Custom Tables
      • Allows for data integration across event types.
      • Significantly customizes reporting for different business and security requirements.
      • Allows sec ops to build comprehensive views into individual events.
    Dashboard focused reporting
      • Highly customizable dashboard with 100s of reporting options.
      • Integrates default and custom tables, workflows, and queries.
      • Organize event data into locally meaningful segments
      • Quickly build custom report templates.
      • Highly customizable reporting.
  • 30. Create a Custom Workflow
  • 31. Custom Table: Intrusion Event with Host Data
  • 32. Default Reports
      • Not just what’s in the templates
      • Dashboard widgets have almost 120 preset reports
      • Customizing Widgets means thousands of reporting options.
      • Think of the Dashboard as your report designer.
      • Tools:
        • Searches
        • Custom Workflows
        • Custom Tables <-- Data goldmine (can be performance impacting)
  • 33. Build Reports Straight from the Dashboard
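Slide 4's impact flag table, as an added Python example that is not part of the deck: it walks the table top to bottom for an intrusion event against a constructed host-profile map. The host profiles, the monitored network and the decision to evaluate only the destination host are assumptions made here; CVE-2014-4123 is the CVE quoted on slide 26.

```python
import ipaddress

# Constructed stand-in for the FMC network map (assumption, not real data):
# one host profile per IP. CVE-2014-4123 is the CVE quoted on slide 26.
HOST_PROFILES = {
    "10.1.1.147": {"open_ports": {("tcp", 445), ("tcp", 139)},
                   "vulns": {"CVE-2014-4123"}, "ioc": False},
    "10.1.1.20":  {"open_ports": {("tcp", 1521)}, "vulns": set(), "ioc": False},
    "10.1.1.50":  {"open_ports": {("tcp", 80)}, "vulns": set(), "ioc": True},
}
MONITORED_NETWORKS = [ipaddress.ip_network("10.1.0.0/16")]  # constructed

# The "Action" column of the slide's table, keyed by impact flag.
ACTIONS = {
    0: "General info (event outside profiled networks)",
    4: "Good information: host is currently not known",
    3: "Good information: event may not have connected",
    2: "Worth investigation: host exposed",
    1: "Act immediately: host vulnerable or compromised",
}

def impact_flag(event, profiles=HOST_PROFILES, monitored=MONITORED_NETWORKS):
    """Walk the slide's table top to bottom for the event's destination host.

    event: dict with dst_ip, proto ("tcp"/"udp"), dst_port and, optionally,
    cves (the CVEs the Snort rule references). Looking only at the
    destination host is a simplification of what FMC does (assumption)."""
    dst = ipaddress.ip_address(event["dst_ip"])
    if not any(dst in net for net in monitored):
        return 0            # event occurred outside profiled networks
    host = profiles.get(str(dst))
    if host is None:
        return 4            # previously unseen host within the monitored network
    if (event["proto"], event["dst_port"]) not in host["open_ports"]:
        return 3            # relevant port not open or protocol not in use
    if host["ioc"] or set(event.get("cves", ())) & host["vulns"]:
        return 1            # vulnerable to this rule's CVE, or showing an IOC
    return 2                # port/protocol in use but no vulnerability mapped

def triage(event):
    """Pair the flag with the action the table recommends."""
    flag = impact_flag(event)
    return flag, ACTIONS[flag]

if __name__ == "__main__":
    sample = {"dst_ip": "10.1.1.147", "proto": "tcp", "dst_port": 445,
              "cves": {"CVE-2014-4123"}}
    print(triage(sample))  # (1, 'Act immediately: host vulnerable or compromised')
```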
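Slide 27's correlation rule, as an added Python example that is not part of the deck and not FMC's rule engine: connection events from hosts whose Location attribute is POS must be HTTPS, on port 443, and terminate in the PCI network; anything else from a POS host produces a correlation event with the reason. The host attributes, the PCI network and the sample connections are constructed assumptions.

```python
import ipaddress

# Constructed sample data (assumption, not from the slides).
PCI_NETWORK = ipaddress.ip_network("10.20.0.0/24")
# Host attributes as an FMC admin would set them; "Location" is the
# attribute the slide's rule keys on.
HOST_ATTRIBUTES = {
    "10.10.0.5": {"Location": "POS"},
    "10.10.0.6": {"Location": "POS"},
    "10.30.0.9": {"Location": "Office"},
}
# Connection events: initiator, responder, responder port, detected application.
CONNECTIONS = [
    {"src": "10.10.0.5", "dst": "10.20.0.10", "dst_port": 443, "app": "HTTPS"},   # in profile
    {"src": "10.10.0.5", "dst": "10.20.0.10", "dst_port": 443, "app": "SSH"},     # not HTTPS on 443
    {"src": "10.10.0.6", "dst": "10.20.0.10", "dst_port": 8443, "app": "HTTPS"},  # wrong port
    {"src": "10.10.0.6", "dst": "203.0.113.7", "dst_port": 443, "app": "HTTPS"},  # leaves PCI net
    {"src": "10.30.0.9", "dst": "203.0.113.7", "dst_port": 443, "app": "HTTPS"},  # not a POS host
]

def pos_profile_violations(conn, attrs=HOST_ATTRIBUTES, pci=PCI_NETWORK):
    """Return the reasons a connection falls outside the POS -> PCI profile.
    An empty list means the connection is compliant or the rule does not
    apply (the initiator is not a POS host)."""
    if attrs.get(conn["src"], {}).get("Location") != "POS":
        return []
    reasons = []
    if conn["app"] != "HTTPS":
        reasons.append("non-HTTPS application from POS host")
    if conn["dst_port"] != 443:
        reasons.append("POS traffic not on port 443")
    if ipaddress.ip_address(conn["dst"]) not in pci:
        reasons.append("POS traffic to a host outside the PCI network")
    return reasons

def correlation_events(connections):
    """One correlation event per connection that violates the profile; this
    is the point where FMC would fire the rule's response (API, email, SNMP)."""
    events = []
    for conn in connections:
        reasons = pos_profile_violations(conn)
        if reasons:
            events.append(dict(conn, reasons=reasons))
    return events

if __name__ == "__main__":
    for ev in correlation_events(CONNECTIONS):
        print(ev["src"], "->", ev["dst"], ev["reasons"])
```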