The Value of
FireSIGHT Management Center
(FMC)
Value of Event Data
(Differentiator / Technical Outcome / Business Outcome)

Differentiator: Data, Data, Data – Threat, network, application and endpoint intelligence in one console.
Technical Outcome:
• More data than any other single product.
• FMC has and leverages context for automation.
• Integrated and contextual for better forensics.
• Data is automatically organized into useful containers.
Business Outcome:
• FMC improves operational engagement by reducing the number of tools required to understand a security event.
• Depth of data shortens time to event scoping and containment.

Differentiator: Impact Analysis
Technical Outcome:
• Automated correlation to drive events requiring investigation / remediation.
Business Outcome:
• Shortens time to discovery.
• Focuses security ops on remediation needs.

Differentiator: Indicators of Compromise
Technical Outcome:
• Automated integration and elevation of critical events.
• Expands the scope of threat vectors.
Business Outcome:
• Shortens time to discovery.
• Focuses security ops on remediation needs.
Context comes from knowing the hosts on your network
Understanding Impact Flags

Intrusion Events carry: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Service, Snort ID, IOC: Predefined Impact.

Host Profile carries: IP Address, Protocols, Server Side Ports, Client Side Ports, User IDs, Potential Vulnerabilities, Services, Client / Server Apps, Operating System, CVE. Special cases: [Outside Profile Range], [Host not yet profiled].

Impact Flag / Action / Why
0: General info††. Why: event occurred outside profiled networks.
4: Good information; host is currently not known. Why: previously unseen host within monitored network.
2: Good information; event may not have connected. Why: relevant port not open or protocol not in use.
3: Worth investigation. Host exposed. Why: relevant port or protocol in use but no vuln mapped.
1: Act immediately. Host vulnerable or compromised. Why: host vulnerable to attack or showing an IOC.

†† If you have a fully profiled network this may be a critical event!
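The impact-flag table above, as an added example (not FMC code) that scores constructed intrusion events against a constructed host map using the slide's own 0/4/2/3/1 scheme and then sorts them into an investigation order. The host profiles, event ids, CVE values and the priority order taken from the Action column are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample: ranges covered by the network discovery policy ("profiled networks").
PROFILED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

@dataclass
class HostProfile:
    ip: str
    os: str
    server_ports: dict = field(default_factory=dict)  # {(proto, port): service}
    protocols: set = field(default_factory=set)       # protocols the host has been seen using
    cves: set = field(default_factory=set)            # vulnerabilities mapped to the host
    ioc: bool = False                                 # host currently tagged with an IOC

@dataclass
class IntrusionEvent:
    sid: int
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None
    rule_cves: set = field(default_factory=set)       # reference:cve entries on the Snort rule

# Constructed host map; an analyst would read this from the FMC host profiles.
HOSTS = {
    "10.1.1.10": HostProfile("10.1.1.10", "Windows", {("tcp", 445): "smb"}, {"tcp", "udp"}, {"CVE-2014-4123"}),
    "10.1.1.20": HostProfile("10.1.1.20", "Linux", {("tcp", 22): "ssh", ("tcp", 1521): "oracle"}, {"tcp"}),
    "10.1.1.30": HostProfile("10.1.1.30", "Windows", {("tcp", 80): "http"}, {"tcp", "udp"}, ioc=True),
}

def in_profiled_network(ip: str) -> bool:
    return any(ip_address(ip) in net for net in PROFILED_NETWORKS)

def impact_flag(ev: IntrusionEvent, hosts=HOSTS):
    """Return (flag, why) for an intrusion event by checking the destination host profile,
    following the slide's table: 0, 4, 2, 3, 1."""
    if not in_profiled_network(ev.dst):
        return 0, "event occurred outside profiled networks"
    host = hosts.get(ev.dst)
    if host is None:
        return 4, "previously unseen host within monitored network"
    if host.ioc:
        return 1, "host showing an IOC"
    if ev.rule_cves & host.cves:
        return 1, "host vulnerable to attack"
    proto = ev.proto.lower()
    if ev.dst_port is not None:
        in_use = (proto, ev.dst_port) in host.server_ports   # relevant port open?
    else:
        in_use = proto in host.protocols                     # no port: is the protocol in use?
    if in_use:
        return 3, "relevant port or protocol in use but no vuln mapped"
    return 2, "relevant port not open or protocol not in use"

# Assumption: investigation order taken from the Action column (act immediately first,
# general info last). Impact 0 sits last here, but as the slide's footnote warns it can be
# critical on a fully profiled network.
PRIORITY = {1: 0, 3: 1, 2: 2, 4: 3, 0: 4}

def order_of_investigation(events, hosts=HOSTS):
    """Sort events by impact priority; returns [(flag, sid, why), ...]."""
    scored = [(impact_flag(ev, hosts), ev) for ev in events]
    scored.sort(key=lambda pair: PRIORITY[pair[0][0]])
    return [(flag, ev.sid, why) for (flag, why), ev in scored]

# Constructed events (sids and CVE-EXAMPLE-1 are sample values, not real signature ids).
SAMPLE_EVENTS = [
    IntrusionEvent(1001, "203.0.113.7", "10.1.1.10", "tcp", 445, {"CVE-2014-4123"}),   # vulnerable host
    IntrusionEvent(1002, "203.0.113.7", "10.1.1.20", "tcp", 1521, {"CVE-EXAMPLE-1"}),  # port open, no vuln mapped
    IntrusionEvent(1003, "203.0.113.7", "10.1.1.20", "udp", 161),                      # port closed, udp unseen
    IntrusionEvent(1004, "10.1.1.30", "10.1.1.99", "tcp", 22),                         # host not yet profiled
    IntrusionEvent(1005, "10.1.1.10", "203.0.113.50", "tcp", 443),                     # outside profiled networks
    IntrusionEvent(1006, "203.0.113.7", "10.1.1.30", "tcp", 80),                       # host carrying an IOC
]

if __name__ == "__main__":
    for flag, sid, why in order_of_investigation(SAMPLE_EVENTS):
        print(f"Impact {flag}  sid={sid}  {why}")
```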
Indications of Compromise
Leverage correlation of multiple event types, such as:
• Impact 1 & 2 events
• CNC connection events (IPS)
• Compromise events (IPS)
• Security Intelligence Events
• AMP for Endpoint Events
• AMP for Network (includes some file events)
• Built-in Cisco correlation rules
Goal:
1. What needs to be fixed now!
2. Have enough data to know what
can be prevented in the future.
Better Breach Investigations
(Differentiator / Technical Outcome / Business Outcome)

Differentiator: Threat Centric Forensics with Context
Technical Outcome:
• Breadth of event data (NGIPS, Application data, OS, File, Malware, Security Intelligence, Connection, etc.) provides more forensic data than any other single provider.
Business Outcome:
• Faster investigation and security decision support.
• More accurate event scoping, i.e. easily find every outcome from an event.

Differentiator: Event details support your Order of Investigations
Technical Outcome:
• Event data interconnects to cross-reference from one event to related incidents.
Business Outcome:
• Allows security teams to focus on and mature best practice models.

Differentiator: Host Profiles
Technical Outcome:
• Create a single “source of truth” regarding the outcome and current state of devices during a security event.
Business Outcome:
• Quickly focuses analysts on the devices they are tasked to protect.
• Accelerates scoping and remediation.
Stages of Incident Handling (SANS Institute)
Preparation – Identification – Containment – Eradication – Recovery – Lessons Learned

• Decide on which events to focus on first
• Drill into a specific event
• Validate the breach
• Leverage documentation
• Leverage additional forensics
• Explore your remediation options
• Remediate
• Automate as many decisions or actions as possible.

Order of Investigation†: Remediation – Incident Response – Data Collection
† may vary based on corporate priority
[Diagram: Order of Investigation matrix. Headings: Indication of Compromise (“You’ve been owned.”), Under Attack, Research & Tuning. Columns: Impact 0, Impact 1, Impact 2 - 3, Impact 4. Additional labels on the diagram: “Critical Assets”, Not Blocked, Internal Source, External Source, Dropped, BDA, Correlation Rules.]
Goal: Getting to Remediation
Identify Where to Start
If this is all there was then the “Order of Investigation” is easy. (From the FMC Dashboard)
Identify Where to Start
Indications of Compromise is often a better place to start. If it was always so easy. (From the FMC Context Explorer)
What too many networks look like
Some ways to choose
• Look for Malware Executed (Endpoint AMP)
• Dropper Infection (Endpoint AMP)
• Threat detected in file transfer
• CnC Connected Events
• Shell Code Executed
• Impact 1 (these were probably blocked)
• Impact 2 (these were probably blocked)
From the FMC Context Explorer
Let’s see what these 63 events are all about.
Busy event. Looks like we’re getting more.
Seems active across 6 hosts. Let’s drill into one.
Looks like Kim Ralls has a lot going on with her Windows host.
Events from multiple sources:
• IPS Engine
• File Protection
• AMP for Networks
• .147 tried to send the file 5 times
• .147 was sent the file once
• IPS blocked it! (yeah!)
• What does Impact 4 mean?
• Should we investigate more?

Did you forget about these?
Let’s see if that file moved around without the IPS seeing it.

Yep. That file is malware. We see it in the malware summary, too.
• A lot more than the 6 file transfers and hosts the IPS engine stopped.
• Good thing they have AMP for Endpoints, too.
• Bet they wished they had enabled quarantining.
• Problem scoped. Time to remediate.
• Maybe a good time to look at file analysis / Threat Grid to learn what other artifacts are left behind.
Take Away
Be sure to look at every angle around
an event. Try to tell the whole story
and find every part of the issue.
The Impact 1s are gone – Let’s look at something else
This looks interesting. I know I have an Oracle server. Let’s look at the rule docs.

Assessment
• Impact 2: Destination host not vulnerable (consistent with the rule docs)
• Impact 2 means this was a successful TCP connection
• IPS blocked the event
• Source IP could well be compromised, or it proxied an attack from another host.
• Check out Connection Logs and Source IP Host Profile

Another Assessment from the other Admin priv attempts
• Source IPs all internal, Destination IP is external
• Impact 3 because there are no Host Profiles on external hosts
• Intrusion events SOURCED from my network are more important than Impact Scores
• TCP detections mean there was at least a connection established.
• These hosts definitely launched an attack.
• Should take a closer look at the Source IP Host Profiles for potential compromise.

Assessment:
This has to be stopped!
• Try to follow an Order of Investigation (PICERL).
• Identification of events around an incident usually has multiple markers: IPS? Malware? Connection? File? Trajectory? Check all the related data.
• Impact and IOCs are just starting points. Keep in mind:
  • Directionality of events (i.e. exfiltrating events are worth looking at even with Impact 2, 3, and 4).
  • Be sure to consider how the protocols work (i.e. TCP – there was a connect; UDP is connectionless).
• Take advantage of the documentation!
• Packet data is great but not critical.
Scoping a Breach
Security Automation Differentiation
(Differentiator / Technical Outcome / Business Outcome)

Differentiator: Recommended Rules
Technical Outcome:
• Ensures threat visibility specific to the network being monitored and protected.
• False Negative Reduction
Business Outcome:
• Reduces “Human Error” in ensuring comprehensive protection.
• Automates

Differentiator: Correlation Rules
Technical Outcome:
• Further reduces events from “requiring investigation” to “requires response”
• Automation of event investigation practices.
Business Outcome:
• Integrates business outcome with security practice.
• Captures and automates security best practice (raises the level of security support staff)

Differentiator: Remediation API
Technical Outcome:
• Cross Cisco and 3rd party interconnect
• Automation of security response
Business Outcome:
• FMC + ISE becomes the center of security infrastructure.
• Automating remediation shortens time to a “return to business” state.
Recommended Rules

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )

Rule that will map to Recommended Rules
Some rules will ALWAYS be turned off by Recommended Rules
Building a Correlation Rule
Correlation Rule to ensure that:
• Only HTTPS traffic is used on port 443
• It is being initiated by a host with a defined Location (host attribute) of POS
• The HTTPS traffic from the POS host is received on hosts in the PCI network
• Any traffic outside this profile will generate an event
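The boolean conditions of the correlation rule above, as an added example (not FMC's correlation engine) evaluated over constructed connection events. The Location host attribute values, the PCI address range and the connection-event fields are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

PCI_NETWORK = ip_network("10.20.0.0/16")   # assumption: where the PCI hosts live

# Constructed host attributes, IP -> {attribute: value}, as set on FMC host profiles.
HOST_ATTRIBUTES = {
    "10.10.5.21": {"Location": "POS"},
    "10.10.5.22": {"Location": "POS"},
    "10.10.7.9": {"Location": "Office"},
}

def is_pos_host(ip):
    return HOST_ATTRIBUTES.get(ip, {}).get("Location") == "POS"

def violates_profile(conn):
    """Return why a POS-initiated connection breaks the expected profile, or None if it complies
    (or the rule does not apply because the initiator is not a POS host)."""
    if not is_pos_host(conn["initiator_ip"]):
        return None
    reasons = []
    if ip_address(conn["responder_ip"]) not in PCI_NETWORK:
        reasons.append("responder outside PCI network")
    if conn["responder_port"] != 443:
        reasons.append("port other than 443")
    if conn["app_protocol"] != "HTTPS":
        reasons.append(f"application protocol {conn['app_protocol']} is not HTTPS")
    return "; ".join(reasons) or None

def correlate(events):
    """Produce one correlation event per connection that violates the profile."""
    out = []
    for conn in events:
        reason = violates_profile(conn)
        if reason:
            out.append({"rule": "POS to PCI over HTTPS/443 only",
                        "initiator": conn["initiator_ip"],
                        "responder": conn["responder_ip"],
                        "responder_port": conn["responder_port"],
                        "reason": reason})
    return out

# Constructed connection events (initiator, responder, responder port, detected app protocol).
SAMPLE_CONNECTIONS = [
    {"initiator_ip": "10.10.5.21", "responder_ip": "10.20.1.5", "responder_port": 443, "app_protocol": "HTTPS"},     # compliant
    {"initiator_ip": "10.10.5.21", "responder_ip": "203.0.113.40", "responder_port": 443, "app_protocol": "HTTPS"},  # leaves PCI
    {"initiator_ip": "10.10.5.22", "responder_ip": "10.20.1.5", "responder_port": 8443, "app_protocol": "HTTPS"},    # wrong port
    {"initiator_ip": "10.10.5.22", "responder_ip": "10.20.1.5", "responder_port": 443, "app_protocol": "HTTP"},      # cleartext on 443
    {"initiator_ip": "10.10.7.9", "responder_ip": "203.0.113.40", "responder_port": 80, "app_protocol": "HTTP"},     # not a POS host
]

if __name__ == "__main__":
    for ev in correlate(SAMPLE_CONNECTIONS):
        print(ev)
```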
Automating Response – Remediation API
Use Case 2
Sample Remediation Modules
• Cisco ISE – FIRE & ISE
• Guidance Encase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford
[Diagram: correlation pipeline]
Inputs: Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events
→ Correlation Rules (Boolean Conditions) → Correlation Policies → Correlation Events → Actions (API, Email, SNMP)
Reporting Differentiators
(Differentiator / Technical Outcome / Business Outcome)

Differentiator: Work Flows
Technical Outcome:
• Pivoting data views improves event investigation.
• Custom workflows organize data in ways that are meaningful to the organization.
Business Outcome:
• Allows security investigations to align with business criticality.
• Speeds analytics.

Differentiator: Custom Tables
Technical Outcome:
• Allows for data integration across event types.
Business Outcome:
• Significantly customizes reporting for different business and security requirements.
• Allows sec ops to build comprehensive views into individual events.

Differentiator: Dashboard focused reporting
Technical Outcome:
• Highly customizable dashboard with 100s of reporting options.
• Integrates default and custom tables, workflows, and queries.
• Organize event data into locally meaningful segments
Business Outcome:
• Quickly build custom report templates.
• Highly customizable reporting.
Create a Custom Workflow
Custom Table: Intrusion Event with Host Data
• Not just what’s in the templates
• Dashboard widgets have almost 120 preset reports
• Customizing Widgets means thousands of reporting options.
• Think of the Dashboard as your report designer.
• Tools:
  • Searches
  • Custom Workflows
  • Custom Tables <-- Data goldmine (can be performance impacting)
Default Reports
Build Reports Straight from the Dashboard

Más contenido relacionado

La actualidad más candente

Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhAurélie Henriot
 
ACI MultiPod Config Guide
ACI MultiPod Config GuideACI MultiPod Config Guide
ACI MultiPod Config GuideWoo Hyung Choi
 
Campus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
Campus_Network_Design_with_ArubaOS-CX_-_Leading_PracticesCampus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
Campus_Network_Design_with_ArubaOS-CX_-_Leading_PracticesRoanVillalobos1
 
SDN and NFV: Friends or Enemies
SDN and NFV: Friends or EnemiesSDN and NFV: Friends or Enemies
SDN and NFV: Friends or EnemiesJustyna Bak
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introductionJimmy Saigon
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logicAlberto Rivai
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onJustin Henderson
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Belsoft
 
Cisco Security portfolio update
Cisco Security portfolio updateCisco Security portfolio update
Cisco Security portfolio updateAtanas Gergiminov
 
Kurumsal Ağlarda Log İnceleme Yöntemiyle Saldırı Analizi
Kurumsal Ağlarda Log İnceleme Yöntemiyle Saldırı AnaliziKurumsal Ağlarda Log İnceleme Yöntemiyle Saldırı Analizi
Kurumsal Ağlarda Log İnceleme Yöntemiyle Saldırı AnaliziBGA Cyber Security
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overviewMostafa El Lathy
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationSam Bowne
 

La actualidad más candente (20)

SD WAN
SD WANSD WAN
SD WAN
 
Présentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo WazuhPrésentation ELK/SIEM et démo Wazuh
Présentation ELK/SIEM et démo Wazuh
 
ACI MultiPod Config Guide
ACI MultiPod Config GuideACI MultiPod Config Guide
ACI MultiPod Config Guide
 
Campus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
Campus_Network_Design_with_ArubaOS-CX_-_Leading_PracticesCampus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
Campus_Network_Design_with_ArubaOS-CX_-_Leading_Practices
 
EXPLOIT POST EXPLOITATION
EXPLOIT POST EXPLOITATIONEXPLOIT POST EXPLOITATION
EXPLOIT POST EXPLOITATION
 
Mac address authentication
Mac address authenticationMac address authentication
Mac address authentication
 
SDN and NFV: Friends or Enemies
SDN and NFV: Friends or EnemiesSDN and NFV: Friends or Enemies
SDN and NFV: Friends or Enemies
 
F5 - BigIP ASM introduction
F5 - BigIP ASM introductionF5 - BigIP ASM introduction
F5 - BigIP ASM introduction
 
Suricata
SuricataSuricata
Suricata
 
Palo alto networks NAT flow logic
Palo alto networks NAT flow logicPalo alto networks NAT flow logic
Palo alto networks NAT flow logic
 
Cisco ASA Firewalls
Cisco ASA FirewallsCisco ASA Firewalls
Cisco ASA Firewalls
 
Wireshark
WiresharkWireshark
Wireshark
 
EDR vs SIEM - The fight is on
EDR vs SIEM - The fight is onEDR vs SIEM - The fight is on
EDR vs SIEM - The fight is on
 
ISE-802.1X-MAB
ISE-802.1X-MABISE-802.1X-MAB
ISE-802.1X-MAB
 
Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013Palo Alto Networks 28.5.2013
Palo Alto Networks 28.5.2013
 
Cisco Security portfolio update
Cisco Security portfolio updateCisco Security portfolio update
Cisco Security portfolio update
 
Kurumsal Ağlarda Log İnceleme Yöntemiyle Saldırı Analizi
Kurumsal Ağlarda Log İnceleme Yöntemiyle Saldırı AnaliziKurumsal Ağlarda Log İnceleme Yöntemiyle Saldırı Analizi
Kurumsal Ağlarda Log İnceleme Yöntemiyle Saldırı Analizi
 
checkpoint
checkpointcheckpoint
checkpoint
 
3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview3 palo alto ngfw architecture overview
3 palo alto ngfw architecture overview
 
CNIT 123: 6: Enumeration
CNIT 123: 6: EnumerationCNIT 123: 6: Enumeration
CNIT 123: 6: Enumeration
 

Similar a FireSIGHT Management Center (FMC) slides

EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsFaithWestdorp
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob HolcombPriyanka Aash
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedFalgun Rathod
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunk
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesAtif Ghauri
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionDejan Jeremic
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security IntelligenceSplunk
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber AnalyticsNovetta
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules  - Detecting more with RSA Security AnalyticsThe Golden Rules  - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security AnalyticsDemetrio Milea
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself Alert Logic
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introductionjagadeesh katla
 
1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale1. Network Security Monitoring Rationale
1. Network Security Monitoring RationaleSam Bowne
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeLancope, Inc.
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...NoNameCon
 

Similar a FireSIGHT Management Center (FMC) slides (20)

EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash PluginsEmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
EmPOW: Integrating Attack Behavior Intelligence into Logstash Plugins
 
InfoSecurity.be 2011
InfoSecurity.be 2011InfoSecurity.be 2011
InfoSecurity.be 2011
 
RIoT (Raiding Internet of Things) by Jacob Holcomb
RIoT  (Raiding Internet of Things)  by Jacob HolcombRIoT  (Raiding Internet of Things)  by Jacob Holcomb
RIoT (Raiding Internet of Things) by Jacob Holcomb
 
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private LimitedThreat Hunting by Falgun Rathod - Cyber Octet Private Limited
Threat Hunting by Falgun Rathod - Cyber Octet Private Limited
 
SplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based securitySplunkLive! Stockholm 2015 breakout - Analytics based security
SplunkLive! Stockholm 2015 breakout - Analytics based security
 
NextGen Endpoint Security for Dummies
NextGen Endpoint Security for DummiesNextGen Endpoint Security for Dummies
NextGen Endpoint Security for Dummies
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
A Threat Hunter Himself
A Threat Hunter HimselfA Threat Hunter Himself
A Threat Hunter Himself
 
Sasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protectionSasa milic, cisco advanced malware protection
Sasa milic, cisco advanced malware protection
 
Cybersecurity - Jim Butterworth
Cybersecurity - Jim ButterworthCybersecurity - Jim Butterworth
Cybersecurity - Jim Butterworth
 
Operational Security Intelligence
Operational Security IntelligenceOperational Security Intelligence
Operational Security Intelligence
 
Novetta Cyber Analytics
Novetta Cyber AnalyticsNovetta Cyber Analytics
Novetta Cyber Analytics
 
The Golden Rules - Detecting more with RSA Security Analytics
The Golden Rules  - Detecting more with RSA Security AnalyticsThe Golden Rules  - Detecting more with RSA Security Analytics
The Golden Rules - Detecting more with RSA Security Analytics
 
CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself CyberCrime in the Cloud and How to defend Yourself
CyberCrime in the Cloud and How to defend Yourself
 
ISACA -Threat Hunting using Native Windows tools .pdf
ISACA -Threat Hunting using Native Windows tools .pdfISACA -Threat Hunting using Native Windows tools .pdf
ISACA -Threat Hunting using Native Windows tools .pdf
 
Cyber warfare introduction
Cyber warfare introductionCyber warfare introduction
Cyber warfare introduction
 
1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale1. Network Security Monitoring Rationale
1. Network Security Monitoring Rationale
 
Protecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber CrimeProtecting Financial Networks from Cyber Crime
Protecting Financial Networks from Cyber Crime
 
Vapt life cycle
Vapt life cycleVapt life cycle
Vapt life cycle
 
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
Nazar Tymoshyk et al - Night in Defense Workshop: Hunting for a needle in a h...
 

Último

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesManik S Magar
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity PlanDatabarracks
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxfnnc6jmgwh
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 

Último (20)

Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotesMuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
MuleSoft Online Meetup Group - B2B Crash Course: Release SparkNotes
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptxGenerative AI - Gitex v1Generative AI - Gitex v1.pptx
Generative AI - Gitex v1Generative AI - Gitex v1.pptx
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 

FireSIGHT Management Center (FMC) slides

  • 1. The Value of FireSIGHT Management Center (FMC)
  • 2. Value of Event Data Differentiator Technical Outcome Business Outcome Data, Data, Data – Threat, network, application and endpoint intelligence in one console. • More data than any other single product. • FMC has and leverages context for automation. • Integrated and contextual for better forensics. • Data is automatically organized into useful containers. • FMC improves operational engagement by reducing the number of tools required to understand a security event. • Depth of data shortens time to event scoping and containment. Impact Analysis • Automated correlation to drive events requiring investigation / remediation. • Shortens time to discovery. • Focuses security ops on remediation needs. Indicators of Compromise • Automated integration and elevation of critical events. • Expands the scope of threat vectors. • Shortens time to discovery. • Focuses security ops on remediation needs.
  • 3. Context comes from knowing the hosts on your network
  • 4. Understanding Impact Flags
    Intrusion Events: Source / Destination IP; Protocol (TCP/UDP); Source / Destination Port; Service; Snort ID; IOC: Predefined Impact
    Host Profile [Outside Profile Range] [Host not yet profiled]: IP Address; Protocols; Server Side Ports; Client Side Ports; User IDs; Potential Vulnerabilities; Services; Client / Server Apps; Operating System; CVE
    Impact Flag / Action / Why:
    • 0: General info††. Event outside profiled networks. Why: event occurred outside profiled networks.
    • 4: Good information; host is currently not known. Why: previously unseen host within monitored network.
    • 3: Good information; event may not have connected. Why: relevant port not open or protocol not in use.
    • 2: Worth investigation. Host exposed. Why: relevant port or protocol in use but no vuln mapped.
    • 1: Act immediately. Host vulnerable or compromised. Why: host vulnerable to attack or showing an IOC.
    †† If you have a fully profiled network this may be a critical event!
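The impact-flag table on slide 4, written out as a small triage function (an added example, not Cisco code): a constructed host-profile table stands in for FMC's network map, and the flag is evaluated against the event's destination host, which is an assumption here.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed sample data: one profiled network and a few host profiles (not real FMC output).
PROFILED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass
class HostProfile:
    ip: str
    open_ports: set = field(default_factory=set)   # {(protocol, server-side port)} seen in use
    cves: set = field(default_factory=set)         # CVEs mapped from the OS / server apps
    ioc: bool = False                              # host currently shows an indication of compromise

@dataclass
class IntrusionEvent:
    dst_ip: str
    protocol: str
    dst_port: int
    cves: set = field(default_factory=set)         # CVEs referenced by the Snort rule that fired

HOSTS = {
    "10.1.1.5": HostProfile("10.1.1.5", {("tcp", 80), ("tcp", 443)}, {"CVE-2014-4123"}),
    "10.1.1.6": HostProfile("10.1.1.6", {("tcp", 22)}),
    "10.1.1.7": HostProfile("10.1.1.7", {("tcp", 22)}, ioc=True),
}

def impact_flag(event, hosts=HOSTS, profiled=PROFILED_NETWORKS):
    """Return (flag, action) for an intrusion event, following the slide's table:
    0 outside profiled networks, 4 host not yet profiled, 1 vulnerable or showing an IOC,
    3 port/protocol not in use, 2 port in use but no vulnerability mapped."""
    ip = ipaddress.ip_address(event.dst_ip)
    if not any(ip in net for net in profiled):
        return 0, "General info: event occurred outside profiled networks"
    host = hosts.get(event.dst_ip)
    if host is None:
        return 4, "Good information: previously unseen host within monitored network"
    if host.ioc or (event.cves & host.cves):
        return 1, "Act immediately: host vulnerable to attack or showing an IOC"
    if (event.protocol, event.dst_port) not in host.open_ports:
        return 3, "Good information: relevant port not open or protocol not in use"
    return 2, "Worth investigation: port in use but no vulnerability mapped"
```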
  • 5. Indications of Compromise
    Leverage correlation of multiple event types, such as:
    • Impact 1 & 2 events
    • CNC connection events (IPS)
    • Compromise events (IPS)
    • Security Intelligence Events
    • AMP for Endpoint Events
    • AMP for Network
    • Includes some file events
    • Built in Cisco correlation rules
    Goal:
    1. What needs to be fixed now!
    2. Have enough data to know what can be prevented in the future.
  • 6. Better Breach Investigations (Differentiator / Technical Outcome / Business Outcome)
    Threat Centric Forensics with Context
    • Breadth of event data (NGIPS, Application data, OS, File, Malware, Security Intelligence, Connection, etc.) provides more forensic data than any other single provider.
    • Faster investigation and security decision support.
    • More accurate event scoping; i.e. easily find every outcome from an event.
    Event details support your Order of Investigations
    • Event data interconnects to cross reference from one event to corollary incidents.
    • Allows security teams to focus on and mature best practice models.
    Host Profiles
    • Create a single “source of truth” regarding the outcome and current state of devices during a security event.
    • Quickly focuses analysts on the devices they are tasked to protect.
    • Accelerates scoping and remediation.
  • 7. Stages of Incident Handling (SANS Institute): Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned
    • Decide on which events to focus on first
    • Drill into a specific event
    • Validate the breach
    • Leverage documentation
    • Leverage additional forensics
    • Explore your remediation options
    • Remediate
    • Automate as many decisions or actions as possible.
  • 8. Order of Investigation† (†may vary based on corporate priority)
    Axis: Remediation – Incident Response – Data Collection
    Diagram labels: Indication of Compromise (You’ve been owned.), Under Attack, Research & Tuning; Impact 0, Impact 1, Impact 2 - 3, Impact 4; “Critical Assets”, Not Blocked, Internal Source, External Source, Dropped, BDA, Correlation Rules
    Goal: Getting to Remediation
  • 9. Identify Where to Start: If this is all there was, then the “Order of Investigation” is easy. From the FMC Dashboard
  • 10. Identify Where to Start: Indications of Compromise is often a better place to start. If it was always so easy. From the FMC Context Explorer
  • 11. What too many networks look like (From the FMC Context Explorer)
    Some ways to choose:
    • Look for Malware Executed (Endpoint AMP)
    • Dropper Infection (Endpoint AMP)
    • Threat detected in file transfer
    • CnC Connected Events
    • Shell Code Executed
    • Impact 1 (these were probably blocked)
    • Impact 2 (these were probably blocked)
    Let’s see what these 63 events are all about.
  • 12. Busy event. Looks like we’re getting more.
  • 13. Seems active across 6 hosts. Let’s drill into one.
  • 14. Looks like Kim Ralls has a lot going on with her Windows host. Events from multiple sources:
    • IPS Engine
    • File Protection
    • AMP for Networks
  • 15.
    • .147 tried to send the file 5 times
    • .147 was sent the file once
    • IPS blocked it! (yeah!)
    • What does Impact 4 mean?
    • Should we investigate more?
  • 16. Did you forget about these? Let’s see if that file moved around without the IPS seeing it.
  • 17. Yep. That file is malware. We see it in the malware summary, too.
  • 18.
    • A lot more than the 6 file transfers and hosts the IPS engine stopped.
    • Good thing they have AMP for Endpoints, too.
    • Bet they wish they had enabled quarantining.
    • Problem scoped. Time to remediate.
    • Maybe a good time to look at file analysis / Threat Grid to learn what other artifacts are left behind.
    Take Away: Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.
  • 19. The Impact 1s are gone – Let’s look at something else. This looks interesting.
  • 20. I know I have an Oracle server. Let’s look at the rule docs.
  • 21. Assessment
    • Impact 2: Destination host not vulnerable (consistent with the rule docs)
    • Impact 2 means this was a successful TCP connection
    • IPS blocked the event
    • Source IP could well be compromised or it proxied an attack from another host.
    • Check out Connection Logs and Source IP Host Profile
  • 22. Another Assessment from the other Admin priv attempts
    • Source IPs all internal, Destination IP is external
    • Impact 3 because there are no Host Profiles on external hosts
    • Intrusion events SOURCED from my network are more important than Impact Scores
    • TCP detections mean there was at least a connection established.
    • These hosts definitely launched an attack.
    • Should take a closer look at the Source IP Host Profiles for potential compromise.
  • 23. Assessment: This has to be stopped!
  • 24. Scoping a Breach
    • Try to follow an Order of Investigation. (PICERL)
    • Identification of events around an incident usually has multiple markers. IPS? Malware? Connection? File? Trajectory? Check all the related data.
    • Impact and IOCs are just starting points.
    Keep in mind:
    • Directionality of events (i.e. exfiltrating events are worth looking at even with Impact 2, 3, and 4).
    • Be sure to consider how the protocols work (i.e. TCP – there was a connect; UDP is connectionless).
    • Take advantage of the documentation!
    • Packet Data is great but not critical.
  • 25. Security Automation Differentiation (Differentiator / Technical Outcome / Business Outcome)
    Recommended Rules
    • Ensures threat visibility specific to the network being monitored and protected.
    • False Negative Reduction
    • Reduces “Human Error” in ensuring comprehensive protection.
    • Automates Correlation Rules
    • Further reduces events from “requiring investigation” to “requires response”
    • Automation of event investigation practices.
    • Integrates business outcome with security practice.
    • Captures and automates security best practice (raises the level of security support staff)
    Remediation API
    • Cross Cisco and 3rd party interconnect
    • Automation of security response
    • FMC + ISE becomes the center of security infrastructure.
    • Automating remediation shortens time to a “return to business” state.
  • 26. Recommended Rules
    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )
    alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )
    Rule that will map to Recommended Rules. Some rules will ALWAYS be turned off by Recommended Rules.
  • 27. Building a Correlation Rule
    Correlation Rule to:
    • Ensure only HTTPS traffic
    • Is used on port 443
    • Is being initiated by a Host with a defined Location (host Attribute) is POS
    • And that the HTTPS traffic from the POS host is received on hosts in the PCI network.
    • Any traffic outside this profile will generate an event.
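The POS-to-PCI correlation rule from slide 27, evaluated over constructed connection events (an added example, not FMC's own rule engine); the host attribute table, the PCI network range and the connection records are all made up for the demonstration.

```python
import ipaddress

# Constructed sample data: host attributes and the PCI network (not from a real FMC).
HOST_ATTRIBUTES = {
    "10.20.0.11": {"Location": "POS"},
    "10.20.0.12": {"Location": "POS"},
    "10.30.0.7":  {"Location": "Office"},
}
PCI_NETWORK = ipaddress.ip_network("10.40.0.0/16")

def profile_violation(conn, host_attrs=HOST_ATTRIBUTES, pci_net=PCI_NETWORK):
    """Return a reason string when a connection breaks the slide's profile, else None.
    Scope: connections initiated by hosts whose Location attribute is POS. Those must be
    HTTPS, on port 443, and received by a host in the PCI network."""
    initiator = host_attrs.get(conn["src_ip"], {})
    if initiator.get("Location") != "POS":
        return None                      # not a POS initiator: the rule does not apply
    if conn["app"] != "HTTPS":
        return f"{conn['src_ip']} used {conn['app']} instead of HTTPS"
    if conn["dst_port"] != 443:
        return f"{conn['src_ip']} sent HTTPS on port {conn['dst_port']}, not 443"
    if ipaddress.ip_address(conn["dst_ip"]) not in pci_net:
        return f"{conn['src_ip']} reached {conn['dst_ip']} outside the PCI network"
    return None

def correlation_events(connections):
    """One correlation event per connection that falls outside the profile."""
    return [(c, reason) for c in connections if (reason := profile_violation(c))]

# Constructed connection events, carrying the fields the rule needs.
SAMPLE_CONNECTIONS = [
    {"src_ip": "10.20.0.11", "dst_ip": "10.40.1.20",  "dst_port": 443,  "app": "HTTPS"},  # in profile
    {"src_ip": "10.20.0.12", "dst_ip": "10.40.1.20",  "dst_port": 22,   "app": "SSH"},    # wrong app
    {"src_ip": "10.20.0.11", "dst_ip": "203.0.113.8", "dst_port": 443,  "app": "HTTPS"},  # outside PCI
    {"src_ip": "10.20.0.12", "dst_ip": "10.40.1.21",  "dst_port": 8443, "app": "HTTPS"},  # wrong port
    {"src_ip": "10.30.0.7",  "dst_ip": "10.40.1.20",  "dst_port": 22,   "app": "SSH"},    # not POS
]
```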
  • 28. Automating Response – Remediation API Use Case 2
    Sample Remediation Modules:
    • Cisco ISE – FIRE & ISE
    • Guidance Encase
    • Set Host Attributes
    • Security Intelligence Blacklisting
    • Nmap Scan
    • SSH / Expect Scripts
    • F5 iRules
    • Solera DeepSee
    • Netscaler
    • PacketFence
    • Bradford
    Diagram: Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles and Malware Events feed Correlation Rules (Boolean Conditions); Correlation Policies group Correlation Rules and produce Correlation Events, which trigger Actions (API, Email, SNMP).
  • 29. Reporting Differentiators (Differentiator / Technical Outcome / Business Outcome)
    Work Flows
    • Pivoting data views improves event investigation.
    • Custom workflows organize data in ways that are meaningful to the organization.
    • Allows security investigations to align with business criticality.
    • Speeds analytics.
    Custom Tables
    • Allows for data integration across event types.
    • Significantly customizes reporting for different business and security requirements.
    • Allows sec ops to build comprehensive views into individual events.
    Dashboard focused reporting
    • Highly customizable dashboard with 100s of reporting options.
    • Integrates default and custom tables, workflows, and queries.
    • Organize event data into locally meaningful segments
    • Quickly build custom report templates.
    • Highly customizable reporting.
  • 30. Create a Custom Workflow
  • 31. Custom Table: Intrusion Event with Host Data
  • 32. Default Reports
    • Not just what’s in the templates
    • Dashboard widgets have almost 120 preset reports
    • Customizing Widgets means thousands of reporting options.
    • Think of the Dashboard as your report designer.
    • Tools: Searches; Custom Workflows; Custom Tables <-- Data goldmine (can be performance impacting)
  • 33. Build Reports Straight from the Dashboard