鄭聿銘: From EDR to XDR, Building a Proactive Defense System
2021 FireEye

About EDR and XDR

Definition of Endpoint Detection & Response (EDR)
"The EDR market is defined as solutions that record endpoint-system-level behaviors and events (for example user, file, process, registry, memory and network events), and store this information either locally on the endpoint or in a centralized database. Databases of known IOCs and behavior analytics techniques are then used to continually search the data to identify early identification of breaches (including insider threats), and to rapidly respond to those attacks. These tools also help with rapid investigation into the scope of attacks, and provide response capability."

Three characteristics of EDR
- Records endpoint behavior (Telemetry)
- Identifies early intrusions (IOCs)
- Determines the scope of an intrusion (Investigation)

EDR timeline
- 2010-10: Mandiant Intelligent Response introduced, which evolved into FireEye Endpoint Security
- 2015-12: 2015 Market Guide for EDR Solutions
- 2016-06: Comparison of EDR Technologies & Solutions
- 2016-11: 2016 Market Guide for EDR Solutions
- 2019-12: 2019 Market Guide for EDR Solutions
"At one time, Mandiant Consulting (now part of FireEye), with its Mandiant Intelligent Response (MIR) commercial tool (and its freeware cousin, called Redline), was the only one playing that game."

Definition of Extended Detection & Response (XDR)
"Extended detection and response (XDR) is a vendor-specific, threat detection and incident response tool that unifies multiple security products into a security operations system. Primary functions include centralization and normalization of data in a repository for analysis and query, improved protection and detection sensitivity resulting from simplified configuration and security product coordination. The incident response capability can change the state of individual security products as part of the recovery process. XDRs are similar in function to security information and event management (SIEM) and security orchestration, automation and response (SOAR) tools."
Source: Gartner, Hype Cycle for Endpoint Security, 2020

Three characteristics of XDR
- Centralizes data from multiple sources
- Functions similarly to SIEM and SOAR
- Enhanced protection and detection sensitivity

Positioning of EDR and XDR in building a security operations system
Fundamental capabilities: Network visibility; Endpoint visibility; Authentication; Basic cloud visibility; Vulnerability identification; Criticality classification; Log management strategy; Fast retrieval for investigations; Use case development; Business-specific logic; Indicator search
Advanced capabilities: Automated security monitoring; Automated case building and scoping; Orchestrated response actions; Workflow and case management; Deception decoys and lures; EDR alert and recording; Advanced cloud visibility; Specialized controls (e.g. ICS)
Layers of the model: Data Lake, SIEM & Correlation; Control Fabric & Sensor Grid; Security Automation & Workflow; Advanced Sensor Grid

What the feedback from the field says
- 88% consider reducing false positives the top-priority pain point of the SOC
- 53% rate their SOC as effective at detecting attacks
- 64% of organizations say there are too many alerts to follow up on
- 5&35: analysts expected to be hired in 2021
- 3: analysts expected to resign or be dismissed in 2021

Why the SOC ends up this way
- Security analysts: huge alert volumes and tedious forensic analysis
- Incident responders: false positives and insufficient supporting evidence
- Security engineers and architects: endlessly tuning rules and updating content
- SOC managers: staff turnover and job satisfaction

The gap between SIEM and SOAR
SIEM
- What it brought us: Centralized log collection; Normalized events; Correlation logic and alerting
- Where it came up short: Inability to consider dozens to hundreds of factors for decision making; Not a solution that can reason by proving or disproving a hypothesis; Requires time and expertise to build rules
- What we learned and used: Simple logic can be used to gather evidence, but not make a complex decision; Additional context is crucial in decision making; Create an application, not a platform
SOAR
- What it brought us: Enrichment of an event for an analyst; Simple decision tree reasoning
- Where it came up short: Difficult to use for full decision making unless very simplistic; Requires time and expertise to build programmed playbooks; Limited event volume ingestion rates result in difficulty scaling
- What we learned and used: Decision trees alone do not equal the equivalent reasoning of a first line analyst; Again, create an application, not a platform

Positioning of EDR and XDR in building a security operations system (continued)
The same capability model, with an additional Advanced Security Analytics layer: Automated integrated reasoning; ML and anomaly detection; Threat hunting; Insider threat detection

FireEye XDR solution vision
Accelerate human-machine collaboration in security operations to catch more attacks, faster.
- Machine (MIPS 300K, execution): Consistency, Depth, Accuracy, Memory, Scalability, Coverage
- Human (IQ 100, insight): Curiosity, Creativity, Collaboration, Care
- Activities shared between them: Task, Value, Facts, Context, Judgement, Reasoning; React, Learn, Improve, Monitor, Understand, Explain, Escalate, Hunt for novel, Investigate, Respond, Coordinate
2019 FireEye | Private & Confidential

FireEye XDR solution: Mandiant Defense (aka Respond Software)
- Founded in 2016, acquired in 2020
- Mandiant Defense is neither a SIEM nor a SOAR; it complements both
- Mandiant Defense is an open XDR engine
- Mandiant Defense is an out-of-the-box analysis, investigation and forensics expert: it automatically sifts through massive data volumes, identifies likely false positives and real threats, and keeps learning from feedback

Where FireEye Mandiant Defense sits in the SOC
- Sensor grid (data sources): NIDS, EPP/EDR, WF, FireEye Endpoint, FireEye Helix
- Ingestion into the data processors by QUERY, STREAM or POLL
- Data repository, company context / enrichment, and threat intel (Mandiant Threat Intel)
- Investigation models produce potential incidents
- Outputs: Notification services, Case management / SOAR, Syslog / app integration, Operations management
- FEEDBACK loop, including Mandiant Managed Defense

Flexible deployment architecture
- Mandiant Defense Cloud hosts the customer instance; on customer premises, the Analyst Server (Controller), delivered as OVA, software or AMI, streams or polls the data sources: NIDS, ICS, EPP, WF, AD, DHCP, scanners, SIEM, data lake
- Advantages of the on-premises component: 1. Network bandwidth concerns 2. Integration with on-premises sources of data 3. Integration with on-premises incident management 4. Privacy matters

Integrated Reasoning: the intelligent decision engine
Question / How a human analyst answers it / How Mandiant Defense answers it
1. How suspicious is the pattern of events? / Best guess, instinct, research / Ask for more information
2. Is the signature related to command-and-control malware? / Signature mapping/categorization, google, wiki / Observe categorization
3. Has the same sig been seen multiple times with the same source and destination? / Search logs via SIEM or IPS console with a filter set (sig=x, source=y & dest=y) / Observe pattern table facts
4. Has the same source and same signature been seen on 30+ dests? / Search logs (sig=x and source=y where distinct(dest)>=30) / Observe pattern table facts
5. Have multiple sources used a single signature repeatedly over the past 15 days? / Search logs via SIEM or IPS console (unique source for signature where count>1 and time=last15d) / Observe pattern table facts for the past 15 days
6. Has the source been a destination in a previous event with the same signature? / Search logs via SIEM or IPS console, sort output, filter again. Sort again. Good luck. / Observe pattern table facts to find the matching condition
7. Have multiple sources used a single signature for the first time in the past day? / Search logs via SIEM or IPS console (unique source for signature where time=last24h) / Observe pattern table facts for the last 24 hours
2019 FireEye | Private & Confidential

The eXtended Detection & Response (XDR) Engine: FireEye Mandiant Defense, an out-of-the-box security analytics expert
Pipeline: Sensors -> Context -> Integrated Reasoning
Benefits: Leaves data where it is; Accurate and consistent; Massive reduction in false positives; Fast investigation-to-escalation; Rules not required, reducing engineering time and costs; Controls agnostic, leverage best-of-breed solutions
What it does: Gathers evidence from siloed sensors; Automatically incorporates company-specific context; Triages 100% of alerts; Groups all events and alerts into one incident; Takes feedback and adjusts automatically

FireEye Mandiant overall APT protection solution
- Intelligence: Mandiant Threat Intelligence
- Technology: FireEye Endpoint Security HX; Mandiant Automated Defense (Respond)
- Expertise and Services: Mandiant Managed Validation; Mandiant Managed Defense
28、orates company specific contextTriages 100%of alertsGroups all events and alerts into one incidentTakes feedback and adjusts automatically 2019 FireEye|Private&Confidential 2021 FireEye22FireEye Mandiant APT防護整體解決方案防護整體解決方案Mandiant Threat IntelligenceFireEye Endpoint Security HXMandiant Automated Defense(Respond)Mandiant Managed ValidationMandiant Managed DefenseExpertise and ServicesTechnologyIntelligence