Seeing is Believing: Unlocking XDR Outcomes through Visibility (PDF, 73 pages)
Slide 1: Improving XDR Outcomes with Visibility: Seeing is Believing
Mike McPhee, Multi-Domain Cybersecurity Architect
BRKSEC-2084
© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public. #CiscoLive

Slide 2: [Title graphic: an eye chart reading SEE NO EVIL / HEAR NO EVIL]

Slide 3: Cisco Webex App
Questions? Use the Cisco Webex App to chat with the speaker after the session.
How: 1. Find this session in the Cisco Live Mobile App. 2. Click "Join the Discussion". 3. Install the Webex App or go directly to the Webex space. 4. Enter messages/questions in the Webex space.
Webex spaces will be moderated by the speaker until June 9, 2023.

Slide 5: About me
- Rochester, NY (Garbage Plates and Kristen Wiig!)
- 10 years with Cisco
- 12+ years designing C2 systems
- 6 years in US Navy ("Bubblehead")
- GSE #339 & SANS MSISE
- CCIE 41663 (R&S, Sec) & CCDE 20180018
- Homebrewer, woodworker

Slide 6: What is this session about?
- Background: Breaches are accelerating; defenders seem to be falling behind.
- Problem: We don't truly understand what our environments are doing, because we've all focused on the wrong part of the equation.
- Solution: Well, we're going to have to wait and see on that ;)
[Image: DALL-E's attempt at depicting Hear No Evil, See No Evil, Speak No Evil]

Slide 7: Agenda
- Why are we in pain?
- Where did we go wrong?
- What can we do about it?
- How can visibility help?

Slide 8: Why are we in pain?

Slide 9: Breaking news!
BLUF: Cybersecurity is a mess out there.

Slide 10: Customers have made huge investments in security... yet threats are getting through.
Have you been compromised? How and when would you know?
Slide 11: Who gets the blame
- Tenure of a CISO: 2 years (CIOs 4.3, CEOs 8.1)
- Solutions in security stack: 50-60 (medium-sized companies)
- Unfilled security roles in US: 715,000
- Leading investment areas (expect $1.75T by 2025 vs. $10.5T loss): 1. Services: 50%, or almost $900B; 18. Cyber Insurance: $15B; Last: Security Awareness Training: $8B
The only thing getting more efficient is identifying scapegoats.
Source 1: https:/

Slide 12: Where did we go wrong?

Slide 13: Security and Network folks share similar scars and war stories!
- Pay for the mistakes and decisions of others
- Complexity of domains lacks or obscures critical information
- Forced to be reactive and work under significant pressure
- Target of frustration, fury, or panic
- Nebulous workload and scope of responsibilities: "utility players"

Slide 14: Is there a root problem?
- Fog of War = massive drain and slow response
- Can't defend against unseen threats (just ask Yamamoto!)
- Technology stacks add to this: Getting 100% of what you pay for? Staff to operate the stack effectively? Fuse information, or confuse Ops?
- Lack of visibility slowed or impaired response
- Fixes happen later, if at all
- Uncovered by law enforcement
[Image: Events leading to and during the Battle of Midway, 4-7 June 1942]

Slide 15: How can you segment without context & visibility?
[Diagram: Expectation vs. Reality for segmenting Employees, Common services, Building management, Contractors and Printers]

Slide 16: Data Center trends render traditional detection & segmentation approaches moot
Physical servers -> Virtual machines -> Containers/Kubernetes -> Serverless: abstract infrastructure, reducing costs, increasing compute flexibility, increasing attack surface.
[Diagram: virtual machines (App A/B/C, each on a guest operating system over a hypervisor) vs. containerized applications (App A-F on Docker over a host operating system)]

Slide 17: Threat actors are getting smarter
- Motivated and targeted adversaries: state sponsored; financial/espionage motives; $1T cybercrime market
- Insider threats: compromised credentials; disgruntled employees; admin/privileged accounts
- Increased attack sophistication: advanced persistent threats; encrypted malware; zero-day exploits
Industry average detection time for a breach: 207 days. Industry average time to contain a breach: 73 days. Average cost of a data breach: $3.86M. Source: Ponemon 2020 Cost of a Data Breach Study.

Slide 18: The Fallacy of Recent Security Strategies
$t_P > t_D + t_R$, where
  P = time prevention offers you
  D = time to detect the attack
  R = time to respond and mitigate
- Prevention != permanent
- Prevention buys time for D & R to occur
- Attackers will persist and overcome
- Eventually, we must detect and respond
"You must prevent everything!" or "I bought plenty of visibility!"

Slide 19: And you can't protect what you don't see
Ignorance is not bliss, it turns out!
- We're not using what we've purchased: infrastructure offers significant visibility features; lack of standards within the org makes every part unique
- We act without awareness: teams don't know what normal is; actions mask the adversary's behavior or alert them; can taint or ruin forensic evidence; may open additional vectors for exploit
- We've focused too long on Protection and Policy at the expense of Visibility

Slide 20: What can we do about it?

Slide 21: Use what you've got!
Baked-in visibility throughout the architecture enables security outcomes.
- Network infrastructure: Flexible NetFlow, ETA & IPFIX; AAA events; device fingerprinting
- Basic services: DHCP & DNS logs & activity; user mappings (login/logoff events)
- Integrate solutions and collect logs
- Maybe consider an XDR?

Slide 22: Effective security depends on total visibility
- See every conversation
- Understand what is normal
- Be alerted to change
- Know every entity
- Respond to threats quickly
[Diagram: Admin, Data center, Network, Users and Mobile Users across the on-premises network]

Slide 23: What does visibility have to do with XDR?
A real XDR uses visibility and context to simplify security operations.
Many definitions of XDR, but in general they help answer: What really happened? Why should we care? What should we do about it?
All of these questions require true situational awareness:
- Visibility = discern which behaviors are normal vs. anomalous
- Context = understand concern and priority
XDR should only consume data that can immediately improve detections, add context, or guide response.

Slide 24: Cisco XDR Architecture
So how do we get visibility and context into XDR? 3 main XDR integration points:
- Response & Orchestration (via Module Integrations)
- Incident Creation: offered detections (CTIM sources)
- Data Source: raw telemetry (into XDR Analytics)
[Architecture diagram: telemetry and security events enter XDR Analytics (Ingest ETL, Normalization & Decoration, Detection Logic, Data Storage Layer); CTIM incidents go to the Incident Store for Alert Correlation and Alert Chaining; XDR Incident Enrichment performs Asset Resolution (Device Insights), Asset Enrichment, Observable Enrichment, Scoring and Action Remediations; Module Integrations provide Incident Creation (external or orchestration), Data Sources (with or without detection), Enrichment Sources, APIs and Response]

Slide 25: A quick primer on semantics
We're dealing with varying levels of visibility here.
- Telemetry: raw flow or events, usually from willing sources; XDR applies analytics and provides new detections; end goal for the entire Cisco portfolio
- Incidents: pre-detected and escalated events gathered from other sources; XDR can still enrich these events; most likely approach for 3rd-party integrations
- Enrichment: data that brings color to the above; some sources can serve multiple roles; additional context enhances situational awareness and improves confidence
Slide 26: Most telemetry directly attaches to XDR Analytics
Strong use of SCA only adds to the rich telemetry consumed.
[Diagram of sources feeding XDR Analytics: public clouds (VPC, GCP and NSG flow logs; CloudTrail, CloudWatch, Advisor, GuardDuty and dozens more), a sensor pod in Kubernetes, serverless and container virtualization, private cloud; the on-premises network (Admin, Data center, Network, Users) via Secure Analytics Sensor (mirror/SPAN), Firewall/Syslog, NetFlow/IPFIX, ISE, Cisco Telemetry Broker and Catalyst 9200/9300/9800; Secure Firewall via Security Analytics & Logging and Defense Orchestrator; Secure Client (NVM)]

Slide 27: Third-party integrations offering visibility to Cisco XDR
- EDR: CrowdStrike Falcon Insight; Sentinel Endpoint Security; Microsoft Defender; Trend Micro Vision One; Cybereason Endpoint Security; Palo Alto Networks Cortex EDR
- Email: Proofpoint Email Protection; Microsoft MS365
- Cloud logs: AWS; Microsoft Azure; Google Cloud Platform
- NGFW: Checkpoint Security Gateway & Management; Fortinet FortiGate; Palo Alto Networks Next-Generation Firewall
- NDR: Darktrace Respond; ExtraHop Reveal
- SIEM: Microsoft Sentinel
- Application & Identity: Microsoft Azure AD

Slide 28: Module integrations offer response & enrichment through automation
Cisco Security Technical Alliance has cultivated a large variety of integrations that enrich the telemetry received further upstream.
- Third-party security: operational tools, intelligence sources, infrastructure protections and visibility
- Cisco infrastructure: networking, collaboration, server/app, and multicloud management platforms (ACI, UCS Director, CloudCenter)
- Third-party infrastructure: IT service management, and cloud/virtual and DevOps platforms
- General infrastructure: scripting/dev tools, system interfaces, data exchanges, and messaging protocols (HTTP, SMTP, SNMP)
Slide 29: Some potential sources come in elsewhere
More will migrate to XDR Analytics over time.
- CTIM source: Cisco Secure Endpoint (CSE)
- Module Integration used for enrichment & response: Orbital (from CSE), Umbrella, Secure Email
[Architecture diagram as on slide 24, with Secure Endpoint (& 3rd-party EDR), Orbital, Umbrella and Secure Email attached on the incident-enrichment side rather than to XDR Analytics]

Slide 30: Individual Integrations

Slide 31: Automatic Integrations
Some integrations are automatically configured as the XDR tenant is created. Activation of Cisco XDR will automatically create integrations with core capabilities:
- Core XDR to XDR Analytics (formerly Secure Cloud Analytics)
- Device Insights
- Secure Client
- Secure Endpoint to XDR Incident Enrichment (skips XDR Analytics)
Integrations in Cisco SecureX will also carry over:
- Module Integrations (in SecureX Integrations tab)
- Pre-existing SCA integrations (public cloud, webhooks, etc.)
- Pre-existing Device Insights integrations
- Cisco Secure Client profiles

Slide 32: Public Cloud Integrations
Network traffic data is ingested via direct integrations into XDR Analytics.
- AWS: 1. Create IAM Role. 2. Add credentials. 3. Configure VPC Flow Logs. 4. Configure S3 Bucket. 5. Add Flow Logs to XDR. Details: http://cs.co/9002OlORq
- Azure: 1. Retrieve Azure AD URL. 2. Create Azure AD Application. 3. Grant Access to Application. 4. Grant Storage Access. 5. Enable Azure Network Watcher. 6. Register Insights Provider. 7. Enable Azure NSG Flow Logs. 8. Configure in XDR Analytics. Details: http://cs.co/9001OlORU
- GCP: 1. Configure Service Account. 2. Configure GCP to generate VPC Flow Logs. 3. Enable Stackdriver Monitoring API. 4. Upload Credentials to XDR Analytics. Details: http://cs.co/9003OlORS
- Kubernetes (non-GCP): 1. Create Service Account. 2. Create DaemonSet. 3. Verify Integration.

Slide 33: Bringing On-Premises NDR Telemetry
On-premises NDR can ship flows to XDR Analytics.
- For Cisco Secure Network Analytics (SNA), recommend Cisco Telemetry Broker (CTB): scales best; entitlement included with XDR; offers increasing transform and filter capabilities
- May also use SNA Flow Collector (FC), SCA Private Network Monitor (PNM) or Observable Network Appliance (ONA); eventually CTB will offer the superset of features
- Darktrace and ExtraHop NDR integrations: flow forwarding directly from their FC equivalents, or via CTB as relay

Slide 34: SNA still critical in offering extensive telemetry ingest
[Diagram of telemetry sources into SNA: Cisco Secure Client; Identity Services Engine; AHGA/ADC*; Proxy Integration* (Secure Web Appliance, other web proxies); ETA-capable devices; Secure Firewall; Flow Sensor; NetFlow-enabled devices; IPAM DB; Threat Intel; Network telemetry. *Delivered through Advanced Services.]
Fields carried include: HTTP(S) requests, responses, URL and custom headers; username; TLS version, key exchange, authentication algorithm and MAC; MAC address; TrustSec groups; OS type and version; process name, hash and account; parent process name and hash; connected interface; flow action; translated port/IP; syslog malware and file events; L7 application; SRT/RTT; TCP flags; payload; SRC/DST IP address and port; bytes/packets sent and received (NetFlow, IPFIX); host groups; VPC flow log transformation via CTB.
Slide 35: Building an end-to-end visibility infrastructure involves using what you have wisely
NetFlow export is available across the Cisco portfolio (flow format in parentheses):
- Switch: Catalyst 2960-X (v9/IPFIX); Catalyst 3650/3850 (v9/IPFIX); Catalyst 4500E (v9/IPFIX); Catalyst 6500E (v9/IPFIX); Catalyst 6800 (v9/IPFIX); Catalyst 9200 (v9/IPFIX); Catalyst 9300/9400 (v9/IPFIX ETA); Catalyst 9500 (v9/IPFIX); Catalyst 9600 (v9/IPFIX); IE3000 (v9/IPFIX); IE4000 (v9/IPFIX); IE5000 (v9/IPFIX)
- Router: Cisco ISR 4000 (v9/IPFIX ETA); Cisco CSR 1000v (v9/IPFIX ETA); Cisco ASR 1000 (v9/IPFIX ETA); Cisco ASR 9000 (v9/IPFIX); Cisco WLC 5520, 8510, 8540 (v9 Enhanced); Catalyst 9800 (v9/IPFIX ETA)
- Firewall: ASA 5500-X (NSEL); FTD (NSEL, Syslog); Meraki MX/Z (v9 Enhanced, v14.5)
- Data center switch: Nexus 1000v (v9/IPFIX); Nexus 3000 (sFlow); Nexus 7000 M Series modules (v9/IPFIX); Nexus 7000 F Series modules (v9/IPFIX sampled); Nexus 9000 Series (sFlow); Nexus 9000 Series EX/FX (v9)
- Server: Flow Sensor (v9/IPFIX ETA); Cisco UCS VIC (v9/IPFIX)
- User/Identity: Identity Services Engine
- Cloud: AWS, Azure (VPC Flow Logs via CTB)
- Endpoint: AnyConnect (IPFIX)
The above is a non-exhaustive list of Cisco exporters. For individual platform features, reference the Cisco Feature Navigator: http:/

Slide 36: NDR analytics dynamically maps entities by role, benefitting other detectors in the environment
Functional modeling, type-based modeling and cloud-specific modeling. Roles include: Android, AWS Lambda, Wireless LAN controller, Citrix PVS server, Windows workstation, Kerberos node, Mail server, Medical imaging client, Remote desktop server, Azure virtual machine, DNS server, VoIP client, Domain controller, Apple iOS, GCP compute instance, Web server; over 70+ entity roles are supported!
Portals report all observed device types as well as device types not seen, for a comprehensive view of environments.
Slide 37: Host investigation in SNA contributes to Cisco XDR's awareness of on-premises entities
- Summary of aggregated host information
- Observed communication patterns
- Historical alarming behavior
[Screenshot: host summary for 10.201.3.149 (hostname dhcp-atl-4-, host group Desktops, Sales; location Atlanta, GA; first seen 1/25/20 1:52 AM; last seen 6/1/21 8:31 AM; policies Insider Threat Event, Client IP Policy; Quarantine/Unquarantine actions; Flows; History 12-Jan to 16-Jan; alarms by type: Data Hoarding, Packet Flood, High Traffic, Data Exfiltration; traffic by peer host group, within vs. outside the organization; peer 10.201.3.18)]

Slide 38: Role mapping allows entity modeling to baseline behavior and detect anomalies
Collect input -> Perform analysis -> Draw conclusions.
- Inputs: Enhanced NetFlow, Identity Services Engine user data, DNS snooping, external threat intel, system/account logs, endpoint metadata, IP telemetry
- Dynamic entity modeling: Group, Consistency, Rules, Forecast, Role
- Questions the model answers: What ports/protocols does the device continually access? Do other similar roles do the same? What connections does it continually make? What is the reputation of the IPs it connects to? Does it communicate internally only? What geographies does it normally talk to? How much data does the device normally send/receive? Is it consistent with expectations? What is the role of the device? Is its behavior consistent with that type of role?

Slide 39: Security Analytics and Logging options
- SaaS-delivered SAL offers the quickest NGFW telemetry integration
- On-premises SAL not yet integrated
- Detections in Cisco XDR leverage SCA roots
[Diagram: FTD sends events over Sftunnel to an on-premises FMC or a cloud-delivered FMC with an event viewer; on-premises logging and storage (Security Analytics and Logging On-Premises, optional) vs. cloud logging and store (Security Analytics and Logging SaaS)]
Slide 40: Bridging NGFW telemetry with CDO & SAL
- Currently supports SaaS-delivered SAL
- Secure Firewall (FTD) sends events via Secure Services Exchange (SSX, formerly SSE)
- SAL connection to XDR Analytics currently requires Cisco Defense Orchestrator (CDO): https:/
[Diagram: Secure Firewall -> Security Analytics & Logging -> Defense Orchestrator -> XDR Analytics]

Slide 41: Firewalls can now offer visibility without decryption, with Encrypted Visibility Engine (EVE)
EVE generates unique fingerprints for client applications based on outer packet fields, and uses them for policy matching and context enrichment.
[Example from the TLS Client Hello: TCP/TLS 192.168.2.110/34624 -> 172.16.45.200/443: Confidence 99.94%; Process firefox.exe; Version 76.0.1; Category browser; OS Windows 10 19041.329; Destination FQDN https:/ . TCP/TLS 192.168.2.110/21013 -> 203.0.113.154/443: OS Windows 10 19041.329; Destination FQDN nsksdlkoup.me]
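To make the slide's "fingerprint from outer packet fields" concrete, here is an added example that is not Cisco's EVE code: it parses the unencrypted ClientHello, derives a fingerprint with the public JA3 recipe (legacy version, cipher suites, extension types, supported groups, EC point formats, MD5-hashed), and looks the hash up in a table that maps it to a process and category. The ClientHello bytes, the lookup table and the labels ("example-browser") are constructed for the example; the one edge case it handles is GREASE values, which browsers randomise per connection and which must be stripped or the same client never matches its own fingerprint.

```python
"""Client-application fingerprinting from a TLS ClientHello (added example).

Stand-alone illustration of the idea behind EVE: fingerprint the client from
the outer, unencrypted fields of the Client Hello and look the fingerprint up
in a table mapping it to a process/category. The public JA3 recipe is used
here; this is not Cisco's EVE code, and the table and packets are constructed.
"""
import hashlib
import struct


def is_grease(value: int) -> bool:
    """GREASE values (RFC 8701, 0x0a0a, 0x1a1a, ...) are randomised per connection."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_client_hello(record: bytes) -> dict:
    """Parse a TLS record carrying a ClientHello and return the fingerprint fields."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len, = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version, = struct.unpack("!H", body[0:2])
    pos = 2 + 32                                  # legacy_version + 32-byte random
    pos += 1 + body[pos]                          # session id
    cs_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    ciphers = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # compression methods
    ext_len, = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len
    extensions, groups, formats, sni = [], [], [], None
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        extensions.append(etype)
        if etype == 0:                            # server_name: useful context, not in JA3
            name_len, = struct.unpack("!H", data[3:5])
            sni = data[5:5 + name_len].decode("ascii")
        elif etype == 10:                         # supported_groups
            n, = struct.unpack("!H", data[:2])
            groups = [struct.unpack("!H", data[i:i + 2])[0] for i in range(2, 2 + n, 2)]
        elif etype == 11:                         # ec_point_formats
            formats = list(data[1:1 + data[0]])
    return {"version": version, "ciphers": ciphers, "extensions": extensions,
            "groups": groups, "formats": formats, "sni": sni}


def ja3_string(fields: dict) -> str:
    def join(values):
        return "-".join(str(v) for v in values if not is_grease(v))
    return ",".join([str(fields["version"]), join(fields["ciphers"]),
                     join(fields["extensions"]), join(fields["groups"]),
                     "-".join(str(f) for f in fields["formats"])])


def ja3_hash(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


# Constructed lookup table keyed by fingerprint hash. Real tables come from
# observed clients; hashing known strings here keeps the example self-contained.
KNOWN_CLIENTS = {ja3_hash(s): label for s, label in {
    "771,4865-4866-49195-49199,0-10-11-43-13,29-23-24,0": ("example-browser", "browser"),
    "771,49195-49199,0-10-11-13,23-24,0": ("example-updater", "system tool"),
}.items()}


def classify(record: bytes) -> dict:
    """Fingerprint one ClientHello and attach the process/category it maps to."""
    fields = parse_client_hello(record)
    text = ja3_string(fields)
    process, category = KNOWN_CLIENTS.get(ja3_hash(text), ("unknown", "unknown"))
    return {"ja3": text, "process": process, "category": category, "sni": fields["sni"]}


def build_client_hello(ciphers, extensions) -> bytes:
    """Assemble a minimal TLS record carrying a ClientHello (constructed input)."""
    body = struct.pack("!H", 0x0303) + b"\x11" * 32 + b"\x00"  # version, random, no session id
    cs = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"          # ciphers, null compression
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


NAME = b"example.com"
SAMPLE_HELLO = build_client_hello(
    [0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],                      # leading GREASE cipher
    [(0x1A1A, b""),                                                 # GREASE extension
     (0, struct.pack("!HBH", len(NAME) + 3, 0, len(NAME)) + NAME),  # server_name
     (10, struct.pack("!HHHH", 6, 29, 23, 24)),                     # supported_groups
     (11, b"\x01\x00"),                                             # ec_point_formats
     (43, b"\x02\x03\x04"),                                         # supported_versions
     (13, struct.pack("!HH", 2, 0x0403))])                          # signature_algorithms

if __name__ == "__main__":
    print(classify(SAMPLE_HELLO))
```

The fingerprint is computed from fields that never get encrypted, which is why it works without decryption; the trade-off is that a client can change its ClientHello to evade a fingerprint, so a match is context for policy and enrichment rather than proof of the process name.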
Slide 42: They can also implement TLS 1.3 decryption
This upstream visibility in the NGFW benefits the entire XDR ecosystem.
- TLS hardware acceleration delivers high-performance encrypted traffic inspection
- Centralized TLS policy enforcement. Examples: blocking self-signed encrypted traffic, exclusions for banking, health care, etc., reputation-based rules
[Diagram: encrypted traffic -> TLS decryption engine (decrypt traffic in hardware or software) -> Firewall/IPS and AVC (inspect deciphered packets) -> enforcement decisions (e.g. illicit, gambling categories); log (track and log all TLS sessions)]

Slide 43: The importance of visibility in encrypted traffic
Threat detections discovered in encrypted traffic were directly proportional to the customer's encrypted traffic analytics coverage. That is, the higher the coverage, the more threat detections were found.
- 76% of critical or high-risk threats were discovered in encrypted traffic
- 63% of all threat detections were discovered in encrypted traffic
Cisco's ETA (Secure Analytics) and EVE (Secure Firewall) have you covered.

Slide 44: This baseline in entity modeling helps detect abnormal activity
- Classify roles: dynamically assign roles to entities
- 36-day baseline: monitor and model behavior
- Alert triggers, here for database exfiltration: database server identified; IP address detected; communicates with a set of IPs; data access from regular location; existing IP accesses database server; data stays within environment; new external connection observed; new high-throughput connection
30+ detections active on day zero; 130+ available alerts.
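The database-exfiltration walk-through above and the role-mapping slide before it (slide 38) describe the same mechanism, so here is one added example, written for this page and not taken from Cisco's analytics, that does both in miniature: it assigns a role from the ports an entity serves, learns "normal" peers and per-flow egress over the deck's 36-day window, then raises the two triggers the slide names (new external connection, new high-throughput connection) plus a role-consistency check. The role-to-port table, the internal address ranges, the mean-plus-three-sigma threshold and every flow record are constructed assumptions.

```python
"""Entity-role baselining and anomaly alerts over flow records (added example).

Illustrates the deck's entity modeling: classify an entity's role from what it
serves, learn 'normal' over a 36-day baseline window, then alert on a new
external connection and a new high-throughput connection from a database
server. Role-to-port mapping, thresholds and flow data are all constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

BASELINE_DAYS = 36                                   # the deck's baseline window
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed role dictionary: which server ports characterise a role.
ROLE_PORTS = {"database server": {1433, 3306, 5432}, "web server": {80, 443}}


@dataclass(frozen=True)
class Flow:
    day: int            # day index since monitoring began
    client: str         # side that opened the connection
    server: str
    server_port: int
    bytes_in: int       # bytes client -> server
    bytes_out: int      # bytes server -> client


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def peer_and_egress(entity: str, f: Flow):
    """Return (other endpoint, bytes the entity itself sent) for a flow involving entity."""
    if f.server == entity:
        return f.client, f.bytes_out
    return f.server, f.bytes_in


def classify_role(entity: str, flows) -> str:
    served = {f.server_port for f in flows if f.server == entity}
    for role, ports in ROLE_PORTS.items():
        if served & ports:
            return role
    return "unknown"


def build_baseline(entity: str, flows) -> dict:
    """Model 'normal' for one entity from its first BASELINE_DAYS days of flows."""
    window = [f for f in flows if f.day < BASELINE_DAYS and entity in (f.client, f.server)]
    pairs = [peer_and_egress(entity, f) for f in window]
    egress = [b for _, b in pairs]
    peers = {p for p, _ in pairs}
    return {
        "role": classify_role(entity, window),
        "peers": peers,
        "internal_only": all(is_internal(p) for p in peers),
        # Egress threshold: mean + 3 standard deviations of per-flow bytes sent.
        "egress_threshold": (mean(egress) + 3 * pstdev(egress)) if egress else 0,
    }


def detect(entity: str, baseline: dict, flows) -> list:
    """Evaluate post-baseline flows against the model; return (day, alert, detail) tuples."""
    alerts = []
    for f in flows:
        if f.day < BASELINE_DAYS or entity not in (f.client, f.server):
            continue
        peer, egress = peer_and_egress(entity, f)
        if peer not in baseline["peers"] and baseline["internal_only"] and not is_internal(peer):
            alerts.append((f.day, "new_external_connection", peer))
        if egress > baseline["egress_threshold"]:
            alerts.append((f.day, "new_high_throughput_connection", peer))
        if f.server == entity and f.server_port not in ROLE_PORTS.get(baseline["role"], set()):
            alerts.append((f.day, "service_outside_role", f.server_port))
    return alerts


def sample_flows() -> list:
    """Constructed data: two app servers query a Postgres host daily; day 37 and 40 deviate."""
    db = "10.0.1.20"
    flows = []
    for day in range(BASELINE_DAYS):
        flows.append(Flow(day, "10.0.2.11", db, 5432, 50_000, 2_000_000 + (day % 5) * 100_000))
        flows.append(Flow(day, "10.0.2.12", db, 5432, 40_000, 1_500_000))
    flows.append(Flow(36, "10.0.2.11", db, 5432, 50_000, 2_400_000))     # normal query traffic
    flows.append(Flow(37, "10.0.2.30", db, 22, 8_000, 12_000))            # SSH into a DB role
    flows.append(Flow(40, db, "203.0.113.44", 443, 800_000_000, 9_000))   # DB pushes 800 MB out
    return flows


def run(entity: str = "10.0.1.20"):
    flows = sample_flows()
    baseline = build_baseline(entity, flows)
    return baseline, detect(entity, baseline, flows)


if __name__ == "__main__":
    baseline, alerts = run()
    print(baseline["role"], sorted(baseline["peers"]), round(baseline["egress_threshold"]))
    for alert in alerts:
        print(alert)
```

Two design points worth noting: the internal ranges are listed explicitly rather than taken from `ipaddress.is_private`, because that property also treats the documentation ranges (such as 203.0.113.0/24) as private and would silently hide the external-peer alert; and the threshold is statistical rather than a fixed byte count, so it scales with what the entity normally does.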
Slide 45: NVM telemetry sheds light on off-premises or non-NDR-covered events
- Re-invented for XDR, with more fields, easily extended records, etc.
- Ingest via Cisco Security Cloud NVM Broker
- Subscribed to by XDR Analytics
- Viewable in the XDR Analytics Event Viewer
- A critical link between what happens in the box and over the network

Slide 46: Complete and continuous remote worker visibility
[Diagram: endpoint with a VPN tunnel to corp; web traffic, IoT & apps, social media; non-VPN flow telemetry is stored; nvzFlow for current and stored connections]
Endpoint and remote worker visibility:
- Discover and monitor remote worker traffic
- Identify unwanted applications
- Detect threats and malicious processes
- Identify assets and applications running on the network
Visibility independent of location: working on-network, full tunnel; on & off-network, split tunnel; off-network, without VPN.

Slide 47: NVM links highly detailed endpoint information with highly trusted network behaviors
- New tab in XDR Analytics
- Valuable threat hunting data linking flows to processes

Slide 48: EDR telemetry is treated as a CTIM source
- Secure Endpoint integration is automatic
- 3rd-party EDR is via Module Integration: CrowdStrike Falcon Insight; Sentinel Endpoint Security; Microsoft Defender; Trend Micro Vision One; Cybereason Endpoint Security; Palo Alto Networks Cortex EDR
- EDR-created incidents can then be enriched by EDR

Slide 49: EDR still offers the best malware-focused visibility, whether file, script, or memory
[Screenshot: EDR IOCs]

Slide 50: Visibility can extend to contextual insights into devices
- Before: different kinds of data from multiple sources (hardware ID, host name, OS version, serial, IMEI numbers) in multiple spreadsheets, with no combined view of the denominator
- Solution: Device Insights, a comprehensive device inventory all in one place! Data sources (REST APIs, webhook event streaming) feed data processing, data correlation and data retention
- After: gain unified visibility and contextual awareness to help you act on potential threats faster!
Slide 51: What is Device Insights?
With Device Insights, you'll be able to answer these all-important questions:
- What types of devices are connected to our network?
- What users have been accessing those devices?
- Where are those devices located?
- What vulnerabilities are associated with those devices?
- Which security agents are installed? Is our security software up to date?
- What context do we have from technologies beyond the endpoint?
Device Insights is a feature in Cisco XDR that unifies multiple device managers, endpoint detection and response tools, AV, and other endpoint security products, and then brings the details those tools and solutions provide into a unified view within Cisco XDR.

Slide 52: The power of User & Device Context
Brings a ton of context:
- Users using the endpoint
- Location(s) the endpoint was seen
- IP addresses (both local and global)
- MAC addresses (seen per NIC)
- Windows Security Center status
- Vulnerabilities (as fed by applicable products)
Best covered by Aaron Woland's awesome BRKSEC-2754: https:/
Sources: Access, Duo Beyond, Secure Endpoint, Umbrella (DNS) (Win/macOS only), Microsoft Intune, MobileIron, AirWatch, Jamf Pro, Secure Client, Meraki SM, custom CSVs, Orbital
Slide 53: How can visibility help?

Slide 54: Cisco XDR shifts the architecture's focus to outcomes, not just latent capability
XDR-driven outcomes:
- Detect sooner: Where are we most exposed to risk? How good are we at detecting attacks early?
- Prioritize by impact: Are we prioritizing the attacks that represent the largest material impacts to our business?
- Compress investigation time: How quickly are we able to understand the full scope and entry vectors of attacks?
- Accelerate response: How fast can we confidently respond? How much can SecOps automate? Are we quantifiably getting better?

Slide 55: How do we accelerate detection, improve awareness, and reduce alert fatigue?
Visibility & context lead to richer and more complete observations, accelerating the OODA Loop's execution & reducing iterations.
[Diagram: John Boyd's OODA Loop]

Slide 56: Telemetry from the network and cloud provides up to layer 4 traffic visibility
- Communication visibility (telemetry): traffic visibility
- Identity: Who is behind the discovered IP? What device are they using? Where are they located? -> Who: user; What: device type; When: login time; Where: location; How: security posture; Process: endpoint process (endpoint attribution)
- Context: What type of traffic is an IP sending? What layer 7 app is used? Which URL is accessed? -> Application: layer 7 app; Web: URL identification; NAT: NAT information; Crypto: TLS version; Traffic status: firewall block; Intrusion: malware or file event (traffic indication)
Together these form enriched telemetry. Visibility is key to understanding the network's normal behavior and validating endpoint sources.
Slide 57: Cisco detection-enabled solutions perform anomaly detection using behavioral modeling
- Collect and analyze telemetry: comprehensive data set optimized to remove redundancies
- Create a baseline of normal behavior: security events to detect anomalies and known bad behavior
- Alarm on anomalies and behavioral changes: alarm categories for high-risk, low-noise alerts for faster response
[Diagram: flows -> security observations (e.g. an anomaly detected in the behavior of Exchange Servers against a threshold). Modeled attributes: number of concurrent flows; time of day; bits per second; packets per second; number of SYNs sent; new flows created; number of SYNs received; rate of connection resets; duration of the flow]

Slide 58: By correlating alerts and events into incidents, Alert Chains focus the investigation
- Correlated events arranged as a tactically-oriented timeline
- Brings clarity to IR
- Weighs telemetry with context

Slide 59: Alert Chaining correlates using an increasing list of common indicators
Alerts (NVM, IPS, Malware, Cloud, NetFlow) are linked through indicators: IP addresses, hostnames, devices, usernames, AWS resources, CIDR, processes, URLs, ASNs.
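Slides 58 and 59 describe chaining alerts from different sensors into one incident through the indicators they share and presenting the result as a timeline. The following is an added example written for this page, not Cisco's implementation: typed indicators on each alert, a union-find that merges alerts sharing any indicator, and an exclusion list of "hub" indicators (a DNS resolver address, a summary CIDR) that would otherwise chain unrelated alerts into a single incident. The five alerts, their indicators and the hub list are constructed.

```python
"""Alert chaining: correlate alerts into incidents via shared indicators (added example).

Models the deck's Alert Chaining step. Each alert carries typed indicators
(IP, hostname, username, process, URL, AWS resource, CIDR, ...). Alerts that
share an indicator are merged into one incident using a union-find, and the
incident's alerts are ordered into a timeline. The alerts and the list of
"hub" indicators that must not chain are constructed for this example.
"""
from collections import defaultdict

# Constructed: indicators so common that chaining on them would merge unrelated
# alerts (the corporate DNS resolver, a summary CIDR). Ignoring them is the
# difference between a focused chain and one incident containing everything.
HUB_INDICATORS = {("ip", "10.0.0.53"), ("cidr", "10.0.0.0/8")}

SAMPLE_ALERTS = [  # constructed; ISO-8601 timestamps so string order is time order
    {"id": "A1", "ts": "2023-06-01T08:02:00Z", "source": "NetFlow",
     "title": "New external connection from database server",
     "indicators": {("ip", "10.0.1.20"), ("ip", "203.0.113.44"), ("cidr", "10.0.0.0/8")}},
    {"id": "A2", "ts": "2023-06-01T07:55:00Z", "source": "NVM",
     "title": "Unusual process opened network connection",
     "indicators": {("ip", "10.0.1.20"), ("process", "pg_dump.exe"), ("username", "svc-backup")}},
    {"id": "A3", "ts": "2023-06-01T08:10:00Z", "source": "Cloud",
     "title": "S3 bucket policy changed",
     "indicators": {("username", "svc-backup"), ("aws_resource", "arn:aws:s3:::constructed-bucket")}},
    {"id": "A4", "ts": "2023-06-01T09:30:00Z", "source": "IPS",
     "title": "Exploit attempt blocked",
     "indicators": {("ip", "198.51.100.9"), ("hostname", "web-01"), ("ip", "10.0.0.53")}},
    {"id": "A5", "ts": "2023-06-01T09:45:00Z", "source": "Malware",
     "title": "File quarantined",
     "indicators": {("hostname", "ws-4471"), ("process", "update.exe"), ("ip", "10.0.0.53")}},
]


class DisjointSet:
    """Minimal union-find over alert ids."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def chain_alerts(alerts, hubs=HUB_INDICATORS):
    """Group alerts that share a non-hub indicator; return incidents as timelines."""
    ds = DisjointSet()
    first_seen = {}                        # indicator -> id of the first alert carrying it
    for alert in alerts:
        ds.find(alert["id"])               # register even if it shares nothing
        for indicator in alert["indicators"] - hubs:
            if indicator in first_seen:
                ds.union(alert["id"], first_seen[indicator])
            else:
                first_seen[indicator] = alert["id"]
    groups = defaultdict(list)
    for alert in alerts:
        groups[ds.find(alert["id"])].append(alert)
    incidents = []
    for members in groups.values():
        members.sort(key=lambda a: a["ts"])
        incidents.append({
            "alerts": [a["id"] for a in members],
            "sources": sorted({a["source"] for a in members}),
            "indicators": sorted(set().union(*(a["indicators"] for a in members)) - hubs),
            "timeline": [(a["ts"], a["source"], a["title"]) for a in members],
        })
    incidents.sort(key=lambda inc: inc["timeline"][0][0])
    return incidents


if __name__ == "__main__":
    for inc in chain_alerts(SAMPLE_ALERTS):
        print(inc["alerts"], inc["sources"])
        for step in inc["timeline"]:
            print("   ", *step)
```

Run as written, the NVM, NetFlow and Cloud alerts collapse into one incident whose timeline starts with the process alert at 07:55, even though the NetFlow alert arrived first; the IPS and Malware alerts stay separate because the only indicator they share is the hub resolver address. Passing `hubs=set()` shows the failure mode the exclusion list prevents.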
Slide 60: XDR combines available telemetry to create richer situational awareness
- Helps correlate, ID behaviors, and recommend response
- Sources tracked, used to spur further enrichment and Alert Chaining

Slide 61: After XDR Analytics or another CTIM source escalates, enrichment completes the picture
- Ensure the impact and scale are clear
- CTI sources help categorize external actors
- User & device context help assess risk and urgency
- CTI, device/user insights and other integrated modules enhance observations

Slide 62: Visibility is used by Cisco XDR to guide and simplify response plans
- Visibility used to select MDR/CX/IR-recommended response actions
- SANS "PICERL" IR framework guides response
- Enriched telemetry also delivered to automation playbooks as needed

Slide 63: Earlier, more accurate detection = cheaper mitigation
- Better to be "left of boom": tackle problems before they become acute!
- Earlier & effective controls = better performance, lower pressure/cost, preserved reputation
- Intel & visibility relieve pressure! Not just for global corporations/governments; we all need it!
[Diagram: cost, value, productivity, etc. over time: cheaper, easier, and less stressful to fix issues before the breach; Breach! -> Breach Detected! ("Boom") -> IF recovery possible (potential extinction)]
Slide 64: The Cisco approach to XDR: detect more, act faster, elevate productivity, build resilience
- Detect the most sophisticated threats: multi-vector detection (network, cloud, endpoint, email, and more); enriched incidents with asset insights, threat intel; optimized for multi-vendor environments
- Act on what truly matters, faster: prioritize threats by greatest material risk; unified context to streamline investigations; evidence-backed recommendations
- Elevate productivity: focus on what matters and filter out the noise; boost limited resources for maximum value; automate tasks and focus on strategic tasks
- Build resilience: close security gaps; anticipate what's next through actionable intel; get stronger every day with continuous, quantifiable improvement

Slide 65: The value of getting XDR right
Source: TEI (Total Economic Impact) study of Cisco's integrated security platform.
Faster response, better security, higher performance, better detection:
- 50% decreased risk and cost of data breach
- 90% reduction of analyst effort per incident
- 90% increase in SecOps efficiency
- 85% reduction of attack dwell times
"It will make things easier, faster, and we will see much more going on in our environment than ever before." - Michael Degroote, Mohawk Industries

Slide 66: Putting it all together!
- Unlock the telemetry you already own! NetFlow/IPFIX, NBAR/AVC, device tracking, packet captures, etc.
- Team with NetOps: the same efforts can improve network outcomes
- Security context helps shed light on endpoints, users, and applications
- Latent visibility is critical to seeing many XDR focus areas: exfiltration, command & control, insider threat, DoS/DDoS
- Cisco XDR's focus on visibility closes the OODA loop and enhances remediation
- Cybersecurity is risk reduction: why not actually focus on reducing risk rather than addressing impact?
Slide 67: For more: high level
- Cisco XDR Main Page: https:/
- XDR Primer: https:/
- XDR Webinars, Blogs, etc.: https:/
- Conference 2023 XDR Product Launch Keynote: https:/
- Demo of Cisco XDR: https://cs.co/xdr-product-tour
- XDR At-A-Glance: https:/
- XDR Security Operations Simplified E-Book: https:/
Slide 68: For more: related training & references
References:
- MITRE's 11 Strategies of a World-Class SOC: https://www.mitre.org/sites/default/files/2022-04/11-strategies-of-a-world-class-cybersecurity-operations-center.pdf
Related training:
- Cisco Secure Analytics Training portal (mostly free!): https:/
- SecureX Training Portal (much of the integrations, orchestration & automation content will still apply!): https:/
- Security Technical Alliance (CSTA): https:/
- SecureX Code Exchange repository (much of it should carry over!): https:/
112、 Walk-in LabsVisit the On-Demand Library for more sessions at www.CiscoL you#CiscoLive 2023 Cisco and/or its affiliates.All rights reserved.Cisco Public#CiscoLiveGamify your Cisco Live experience!Get points Get points for attending this session!for attending this session!Open the Cisco Events App.Click on Cisco Live Challenge in the side menu.Click on View Your Badges at the top.Click the+at the bottom of the screen and scan the QR code:How:123472 2023 Cisco and/or its affiliates.All rights reserved.Cisco PublicBRKSEC-208472#CiscoLive