2. Value of Event Data
Differentiator: Data, Data, Data – Threat, network, application and endpoint intelligence in one console.
  Technical Outcome:
  • More data than any other single product.
  • FMC has and leverages context for automation.
  • Integrated and contextual for better forensics.
  • Data is automatically organized into useful containers.
  Business Outcome:
  • FMC improves operational engagement by reducing the number of tools required to understand a security event.
  • Depth of data shortens time to event scoping and containment.
Differentiator: Impact Analysis
  Technical Outcome:
  • Automated correlation to drive events requiring investigation / remediation.
  Business Outcome:
  • Shortens time to discovery.
  • Focuses security ops on remediation needs.
Differentiator: Indicators of Compromise
  Technical Outcome:
  • Automated integration and elevation of critical events.
  Business Outcome:
  • Expands the scope of threat vectors.
  • Shortens time to discovery.
  • Focuses security ops on remediation needs.
4. Understanding Impact Flags
[Diagram: an Intrusion Event (Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, Snort ID, IOC: Predefined Impact) is matched against the destination's Host Profile (IP Address, Protocols, Server Side Ports, Client Side Ports, User IDs, Potential Vulnerabilities, Services, Client / Server Apps, Operating System, CVE) to produce the Impact Flag. A destination may also be [Outside Profile Range] or [Host not yet profiled].]
Impact Flag | Action | Why
0 | General info††: event outside profiled networks | Event occurred outside profiled networks
4 | Good information: host is currently not known | Previously unseen host within monitored network
3 | Good information: event may not have connected | Relevant port not open or protocol not in use
2 | Worth investigation. Host exposed. | Relevant port or protocol in use but no vuln mapped
1 | Act immediately. Host vulnerable or compromised. | Host vulnerable to attack or showing an IOC
†† If you have a fully profiled network this may be a critical event!
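The flag assignment the diagram describes, worked through as an added Python example. This is illustrative code, not FMC's implementation: the monitored range, host profiles, Snort IDs and events are constructed sample values, and the only CVE used is the one referenced by the second rule on slide 26.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed monitored range: events whose destination lies outside it get Impact 0.
MONITORED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


@dataclass
class HostProfile:
    """Subset of the FMC host profile fields that impact scoring looks at."""
    ip: str
    protocols: set = field(default_factory=set)        # transport protocols seen on the host
    server_ports: set = field(default_factory=set)     # server-side (listening) ports
    vulnerabilities: set = field(default_factory=set)  # CVE ids mapped from OS / applications
    iocs: set = field(default_factory=set)             # active IOC tags on the host


@dataclass
class IntrusionEvent:
    """The event fields the diagram correlates against the host profile."""
    sid: int                       # Snort ID (constructed local-range values below)
    dst_ip: str
    protocol: str                  # "tcp" or "udp"
    dst_port: int
    cves: frozenset = frozenset()  # CVEs the rule references (reference:cve,...)


def impact_flag(event: IntrusionEvent, hosts: dict) -> int:
    """Return the impact flag (0-4) for an event, following the slide's table."""
    dst = ipaddress.ip_address(event.dst_ip)
    if not any(dst in net for net in MONITORED_NETS):
        return 0   # event occurred outside profiled networks
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4   # previously unseen host within a monitored network
    if host.iocs or (event.cves & host.vulnerabilities):
        return 1   # host vulnerable to the attack, or already showing an IOC
    if event.dst_port not in host.server_ports or event.protocol not in host.protocols:
        return 3   # relevant port not open or protocol not in use: may not have connected
    return 2       # port and protocol in use but no vulnerability mapped: host exposed


# Constructed host profiles. CVE-2014-4123 is the CVE referenced by the rule on slide 26.
SAMPLE_HOSTS = {
    "10.1.1.5": HostProfile("10.1.1.5", {"tcp"}, {443, 1521}, {"CVE-2014-4123"}),
    "10.1.1.9": HostProfile("10.1.1.9", {"tcp", "udp"}, {445}, set(), {"Malware Executed"}),
    "10.1.1.20": HostProfile("10.1.1.20", {"tcp"}, {80}),
}

# Constructed intrusion events, one per row of the table.
SAMPLE_EVENTS = [
    IntrusionEvent(1000001, "203.0.113.7", "tcp", 80),                              # outside profiled nets
    IntrusionEvent(1000002, "10.1.1.77", "tcp", 22),                                # host not yet profiled
    IntrusionEvent(1000003, "10.1.1.20", "tcp", 1521),                              # port not open
    IntrusionEvent(1000004, "10.1.1.20", "udp", 80),                                # protocol not in use
    IntrusionEvent(1000005, "10.1.1.5", "tcp", 443),                                # exposed, no vuln mapped
    IntrusionEvent(1000006, "10.1.1.5", "tcp", 1521, frozenset({"CVE-2014-4123"})), # vulnerable
    IntrusionEvent(1000007, "10.1.1.9", "tcp", 445),                                # showing an IOC
]


def score_events(events=SAMPLE_EVENTS, hosts=SAMPLE_HOSTS):
    """Return [(sid, dst_ip, impact_flag), ...] for the events, in input order."""
    return [(e.sid, e.dst_ip, impact_flag(e, hosts)) for e in events]


if __name__ == "__main__":
    # Order of investigation: Impact 1 first, Impact 0 (outside the profile) last.
    for sid, ip, flag in sorted(score_events(), key=lambda r: (r[2] == 0, r[2])):
        print(f"impact {flag}  sid {sid}  dst {ip}")
```

Note the check order: an IOC or a mapped CVE wins regardless of port state, which is why the table tells you to act on Impact 1 before asking whether the connection even completed.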
5. Indications of Compromise
Leverage correlation of multiple event types, such as:
• Impact 1 & 2 events
• CNC connection events (IPS)
• Compromise events (IPS)
• Security Intelligence Events
• AMP for Endpoint Events
• AMP for Network
• Includes some file events
• Built-in Cisco correlation rules
Goal:
1. What needs to be fixed now!
2. Have enough data to know what can be prevented in the future.
6. Better Breach Investigations
Differentiator: Threat Centric Forensics with Context
  Technical Outcome:
  • Breadth of event data (NGIPS, Application data, OS, File, Malware, Security Intelligence, Connection, etc.) provides more forensic data than any other single provider.
  Business Outcome:
  • Faster investigation and security decision support.
  • More accurate event scoping; i.e. easily find every outcome from an event.
Differentiator: Event details support your Order of Investigations
  Technical Outcome:
  • Event data interconnects to cross-reference from one event to corollary incidents.
  Business Outcome:
  • Allows security teams to focus on and mature best practice models.
Differentiator: Host Profiles
  Technical Outcome:
  • Create a single "source of truth" regarding the outcome and current state of devices during a security event.
  Business Outcome:
  • Quickly focuses analysts on the devices they are tasked to protect.
  • Accelerates scoping and remediation.
7. Stages of Incident Handling
SANS Institute stages: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned.
• Decide on which events to focus on first
• Drill into a specific event
• Validate the breach
• Leverage documentation
• Leverage additional forensics
• Explore your remediation options
• Remediate
• Automate as many decisions or actions as possible.
8. Order of Investigation†
†may vary based on corporate priority
[Diagram: a scale running from Remediation ("You've been owned") through Incident Response ("Under Attack") to Data Collection ("Research & Tuning"). Along it the slide places Indication of Compromise, Impact 1, Impact 2 - 3 and Impact 4 / Impact 0 events, qualified by "Critical Assets", Not Blocked, Internal Source, External Source and Dropped, with BDA and Correlation Rules shown alongside.]
Goal: Getting to Remediation
9. Identify Where to Start
If this is all there was then the "Order of Investigation" is easy.
From the FMC Dashboard
10. Identify Where to Start
Indications of Compromise is often a better place to start.
If it was always so easy.
From the FMC Context Explorer
11. What too many networks look like
Some ways to choose:
• Look for Malware Executed (Endpoint AMP)
• Dropper Infection (Endpoint AMP)
• Threat detected in file transfer
• CnC Connected Events
• Shell Code Executed
• Impact 1 (these were probably blocked)
• Impact 2 (these were probably blocked)
From the FMC Context Explorer
Let's see what these 63 events are all about.
14. Looks like Kim Ralls has a lot going on with her Windows host. Events from multiple sources:
• IPS Engine
• File Protection
• AMP for Networks
15. • .147 tried to send the file 5 times
• .147 was sent the file once
• IPS blocked it! (yeah!)
• What does Impact 4 mean?
• Should we investigate more?
16. Did you forget about these? Let's see if that file moved around without the IPS seeing it.
17. Yep. That file is malware. We see it in the malware summary, too.
18. • A lot more than the 6 file transfers and hosts the IPS engine stopped.
• Good thing they have AMP for Endpoints, too.
• Bet they wished they enabled quarantining.
• Problem scoped. Time to remediate.
• Maybe a good time to look at file analysis / Threat Grid to learn what other artifacts are left behind.
Take Away
Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.
19. The Impact 1s are gone – Let’s look at something else
This looks interesting.
20. I know I have an Oracle server.
Let’s look at the rule docs.
21. Assessment
• Impact 2: destination host not vulnerable (consistent with the rule docs)
• Impact 2 means this was a successful TCP connection
• IPS blocked the event
• Source IP could well be compromised, or it proxied an attack from another host.
• Check out Connection Logs and Source IP Host Profile
22. Another Assessment from the other Admin priv attempts
• Source IPs all internal, Destination IP is external
• Impact 3 because there are no Host Profiles on external hosts
• Intrusion events SOURCED from my network are more important than Impact Scores
• TCP detections mean that at least a connection was established.
• These hosts definitely launched an attack.
• Should take a closer look at the Source IP Host Profiles for potential compromise.
24. Try to follow an Order of Investigation (PICERL).
Identification of the events around an incident usually involves multiple markers: IPS? Malware? Connection? File? Trajectory? Check all the related data.
Impact and IOCs are just starting points. Keep in mind:
• Directionality of events (i.e. exfiltrating events are worth looking at even at Impact 2, 3, and 4).
• Be sure to consider how the protocols work (i.e. TCP – there was a connect; UDP is connectionless).
• Take advantage of the documentation!
• Packet data is great but not critical.
Scoping a Breach
25. Security Automation Differentiation
Differentiator: Recommended Rules
  Technical Outcome:
  • Ensures threat visibility specific to the network being monitored and protected.
  • False Negative Reduction
  Business Outcome:
  • Reduces "Human Error" in ensuring comprehensive protection.
  • Automates
Differentiator: Correlation Rules
  Technical Outcome:
  • Further reduces events from "requiring investigation" to "requires response"
  • Automation of event investigation practices.
  Business Outcome:
  • Integrates business outcome with security practice.
  • Captures and automates security best practice (raises the level of security support staff)
Differentiator: Remediation API
  Technical Outcome:
  • Cross Cisco and 3rd party interconnect
  • Automation of security response
  Business Outcome:
  • FMC + ISE becomes the center of security infrastructure.
  • Automating remediation shortens time to a "return to business" state.
26. Recommended Rules
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )

Callouts on the slide: "Rule that will map to Recommended Rules" and "Some rules will ALWAYS be turned off by Recommended Rules".
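To see which parts of a rule the recommendation engine has to work with, here is an added Python example (not Cisco code) that parses the two rules above into their header, options, metadata policies and references, then applies a deliberately simplified recommendation: a rule is enabled only when a profiled host carries a CVE the rule references, and a rule that references no CVE has nothing in the profiles to map to and is recommended off. That mapping criterion is an assumption for illustration; FMC's own recommendations use its vulnerability database and host OS, server and client data. The host profiles are constructed.

```python
import re
from dataclasses import dataclass

# Copies of the two rules shown on this slide, reassembled as one string each.
SINKHOLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware '
    'sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; '
    'fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips '
    'drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; '
    'classtype:trojan-activity; sid:33306; rev:1; )'
)
ACTIVEX_RULE = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker '
    'object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; '
    'file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 '
    '10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy '
    'security-ips drop, service smtp; reference:cve,2014-4123; '
    'reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; '
    'classtype:attempted-user; sid:32265; rev:1; )'
)

# action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
# One option: keyword, optional ":" value (quoted strings or unquoted text), ended by ";".
OPTION_RE = re.compile(r'(\w+)(?::((?:"[^"]*"|[^;"])*))?;')


def parse_rule(text: str) -> dict:
    """Parse a Snort rule into the fields that matter for recommendation and tuning."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst,
            "dport": dport, "references": [], "policies": {}, "service": None,
            "impact_flag": None}
    for key, value in OPTION_RE.findall(body):
        if key == "msg":
            rule["msg"] = value.strip('"')
        elif key in ("sid", "rev"):
            rule[key] = int(value)
        elif key == "classtype":
            rule["classtype"] = value
        elif key == "reference":                     # reference:<kind>,<id>
            kind, _, ident = value.partition(",")
            rule["references"].append((kind, ident))
        elif key == "metadata":                      # comma-separated "<name> <values...>" items
            for item in value.split(","):
                words = item.split()
                if words[0] == "policy":             # policy <policy-name> <state>
                    rule["policies"][words[1]] = words[2]
                elif words[0] == "service":
                    rule["service"] = words[1]
                elif words[0] == "impact_flag":
                    rule["impact_flag"] = words[1]
    return rule


@dataclass
class HostProfile:
    ip: str
    vulnerabilities: set   # CVE ids the host profile carries


# Constructed profiles: one host flagged with the CVE the second rule references, one clean.
SAMPLE_HOSTS = [HostProfile("10.1.1.5", {"CVE-2014-4123"}), HostProfile("10.1.1.20", set())]


def recommend(rule: dict, hosts: list) -> str:
    """Illustrative criterion (assumption, not FMC's algorithm): enable when a host is exposed."""
    cves = {f"CVE-{ident}" for kind, ident in rule["references"] if kind == "cve"}
    if not cves:
        return "disable"   # no vulnerability reference: nothing in the profiles can map to it
    return "enable" if any(cves & h.vulnerabilities for h in hosts) else "disable"


def recommendations(rules=(SINKHOLE_RULE, ACTIVEX_RULE), hosts=SAMPLE_HOSTS) -> dict:
    """Map each rule's sid to the recommended state for the given host profiles."""
    return {parse_rule(t)["sid"]: recommend(parse_rule(t), hosts) for t in rules}
```

Under this model the sinkhole rule is always off because it carries no vulnerability reference, even though its metadata marks it as impact_flag red and drop in both policies, which is exactly why tuning decisions like that one should not be left to recommendations alone.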
27. Building a Correlation Rule
Correlation Rule to ensure:
• only HTTPS traffic is used on port 443,
• it is being initiated by a host whose defined Location (host attribute) is POS,
• and that the HTTPS traffic from the POS host is received on hosts in the PCI network.
• Any traffic outside this profile will generate an event.
28. Automating Response – Remediation API
Use Case 2
Sample Remediation Modules:
• Cisco ISE – FIRE & ISE
• Guidance Encase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford
[Diagram: event sources (Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events) feed Correlation Rules (Boolean Conditions); Correlation Policies group Correlation Rules and produce Correlation Events, which trigger Actions (API, Email, SNMP).]
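The correlation rule from slide 27 and the rule-to-policy-to-action flow from this slide, as one added Python example (illustrative, not FMC or Remediation API code). The boolean conditions are written as a function over connection events; the policy runs them and, when a rule fires, produces a correlation event and runs two actions modelled on the slide's module list: Set Host Attributes and a notification queue standing in for the Email / SNMP action. The PCI range, hosts, events and the "Needs Review" attribute name are constructed.

```python
import ipaddress
from dataclasses import dataclass, field

PCI_NET = ipaddress.ip_network("10.20.0.0/16")   # constructed PCI network range


@dataclass
class Host:
    ip: str
    attributes: dict = field(default_factory=dict)   # host attributes, e.g. {"Location": "POS"}


@dataclass
class ConnectionEvent:
    initiator_ip: str
    responder_ip: str
    responder_port: int
    application: str        # application protocol identified for the connection


def pos_to_pci_violation(ev: ConnectionEvent, hosts: dict):
    """Boolean conditions of the slide 27 rule; returns a reason when the event violates it."""
    src = hosts.get(ev.initiator_ip)
    if src is None or src.attributes.get("Location") != "POS":
        return None                       # the rule only concerns traffic initiated by POS hosts
    if ev.application != "HTTPS":
        return f"{ev.application} from POS host instead of HTTPS"
    if ev.responder_port != 443:
        return f"HTTPS on port {ev.responder_port} instead of 443"
    if ipaddress.ip_address(ev.responder_ip) not in PCI_NET:
        return f"HTTPS from POS host to {ev.responder_ip}, outside the PCI network"
    return None


# Actions, modelled on two modules from the list above.
def set_host_attribute(hosts: dict, ip: str, key: str, value: str) -> None:
    hosts.setdefault(ip, Host(ip)).attributes[key] = value


def queue_notification(outbox: list, message: str) -> None:
    outbox.append(message)                # stand-in for the Email / SNMP action


# A correlation policy: the rules it contains and the name it stamps on correlation events.
POLICY = {"name": "POS traffic profile",
          "rules": [("POS hosts speak only HTTPS/443 into PCI", pos_to_pci_violation)]}


def run_policy(events: list, hosts: dict, outbox: list) -> list:
    """Evaluate every event against the policy; return the correlation events produced."""
    fired = []
    for ev in events:
        for rule_name, condition in POLICY["rules"]:
            reason = condition(ev, hosts)
            if reason is None:
                continue
            fired.append({"policy": POLICY["name"], "rule": rule_name,
                          "initiator": ev.initiator_ip, "responder": ev.responder_ip,
                          "reason": reason})
            set_host_attribute(hosts, ev.initiator_ip, "Needs Review", "Yes")
            queue_notification(outbox, f"{rule_name}: {reason}")
    return fired


# Constructed hosts and connection events.
SAMPLE_HOSTS = {
    "10.30.0.11": Host("10.30.0.11", {"Location": "POS"}),
    "10.30.0.50": Host("10.30.0.50", {"Location": "Office"}),
}
SAMPLE_EVENTS = [
    ConnectionEvent("10.30.0.11", "10.20.5.4", 443, "HTTPS"),      # compliant
    ConnectionEvent("10.30.0.11", "10.20.5.4", 443, "HTTP"),       # wrong application on 443
    ConnectionEvent("10.30.0.11", "10.20.5.4", 8443, "HTTPS"),     # HTTPS on the wrong port
    ConnectionEvent("10.30.0.11", "198.51.100.9", 443, "HTTPS"),   # leaves the PCI network
    ConnectionEvent("10.30.0.50", "198.51.100.9", 80, "HTTP"),     # not a POS host: ignored
]


def demo():
    """Run the sample events through the policy on a copy of the sample hosts."""
    hosts = {ip: Host(h.ip, dict(h.attributes)) for ip, h in SAMPLE_HOSTS.items()}
    outbox = []
    return run_policy(SAMPLE_EVENTS, hosts, outbox), hosts, outbox


if __name__ == "__main__":
    for event in demo()[0]:
        print(event["initiator"], "->", event["responder"], ":", event["reason"])
```

The rule is written so that the office host's plain HTTP to the internet never fires it: the profile is scoped to POS-initiated traffic, which keeps the correlation event count tied to the PCI question being asked rather than to general web activity.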
29. Reporting Differentiators
Differentiator: Work Flows
  Technical Outcome:
  • Pivoting data views improves event investigation.
  • Custom workflows organize data in ways that are meaningful to the organization.
  Business Outcome:
  • Allows security investigations to align with business criticality.
  • Speeds analytics.
Differentiator: Custom Tables
  Technical Outcome:
  • Allows for data integration across event types.
  Business Outcome:
  • Significantly customizes reporting for different business and security requirements.
  • Allows sec ops to build comprehensive views into individual events.
Differentiator: Dashboard focused reporting
  Technical Outcome:
  • Highly customizable dashboard with 100s of reporting options.
  • Integrates default and custom tables, workflows, and queries.
  • Organize event data into locally meaningful segments
  Business Outcome:
  • Quickly build custom report templates.
  • Highly customizable reporting.
32. Not just what's in the templates
Dashboard widgets have almost 120 preset reports.
Customizing Widgets means thousands of reporting options.
Think of the Dashboard as your report designer.
Tools:
• Searches
• Custom Workflows
• Custom Tables <-- Data goldmine (can be performance impacting)
• Default Reports