The Value of FireSIGHT Management Center (FMC)

Upload: amy-gerrie

Post on 26-Jan-2017

796 views

Category:

Technology


1 download

TRANSCRIPT

Page 1: FireSIGHT Management Center (FMC) slides

The Value of FireSIGHT Management Center (FMC)

Page 2: FireSIGHT Management Center (FMC) slides

Value of Event Data

Columns: Differentiator / Technical Outcome / Business Outcome

Differentiator: Data, Data, Data – Threat, network, application and endpoint intelligence in one console.
• More data than any other single product.
• FMC has and leverages context for automation.
• Integrated and contextual for better forensics.
• Data is automatically organized into useful containers.
• FMC improves operational engagement by reducing the number of tools required to understand a security event.
• Depth of data shortens time to event scoping and containment.

Differentiator: Impact Analysis
• Automated correlation to drive events requiring investigation / remediation.
• Shortens time to discovery.
• Focuses security ops on remediation needs.

Differentiator: Indicators of Compromise
• Automated integration and elevation of critical events.
• Expands the scope of threat vectors.
• Shortens time to discovery.
• Focuses security ops on remediation needs.

Page 3: FireSIGHT Management Center (FMC) slides

Context comes from knowing the hosts on your network

Page 4: FireSIGHT Management Center (FMC) slides

Understanding Impact Flags

Intrusion Event fields:
• Source / Destination IP
• Protocol (TCP/UDP)
• Source / Destination Port
• Service
• Snort ID
• IOC: Predefined Impact

Host Profile fields (or [Outside Profile Range] / [Host not yet profiled]):
• IP Address
• Protocols
• Server Side Ports
• Client Side Ports
• User IDs
• Potential Vulnerabilities (CVE)
• Services
• Client / Server Apps
• Operating System

The intrusion event is matched against the target's host profile to produce the Impact Flag:

Impact | Action | Why
0 | General info†† - Event outside profiled networks | Event occurred outside profiled networks
4 | Good information - host is currently not known | Previously unseen host within monitored network
3 | Good information - event may not have connected | Relevant port not open or protocol not in use
2 | Worth investigation. Host exposed. | Relevant port or protocol in use but no vuln mapped
1 | Act immediately. Host vulnerable or compromised. | Host vulnerable to attack or showing an IOC.

†† If you have a fully profiled network this may be a critical event!
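The impact flag table above as a decision procedure, written as an added example (not Cisco FMC code): each intrusion event is checked against a constructed network map of host profiles and assigned the impact level the slide describes, then the events are sorted so "act immediately" items come first. The profiled networks, hosts, open ports and IP addresses are constructed; SID 32265 and CVE-2014-4123 are taken from the rule shown on the "Recommended Rules" slide, the other SIDs are placeholders in the local-rule range.

```python
"""Impact flag assignment, modelled on the "Understanding Impact Flags" slide.

Added example: not Cisco FMC code. It turns the slide's Action/Why table into
a decision procedure over a constructed network map (host profiles). Every
IP address, port and host/vulnerability mapping below is constructed; only
CVE-2014-4123 and SID 32265 come from the deck's "Recommended Rules" slide.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class HostProfile:
    ip: str
    open_ports: frozenset          # (protocol, port) pairs the host listens on
    vulnerabilities: frozenset     # CVE ids mapped to the host's OS and services
    showing_ioc: bool = False      # host currently flagged with an Indication of Compromise


@dataclass(frozen=True)
class IntrusionEvent:
    src_ip: str
    dst_ip: str
    protocol: str                  # "tcp" or "udp"
    dst_port: int
    snort_id: int
    cves: frozenset = frozenset()  # vulnerability references carried by the rule


# Networks FMC has been configured to profile (the "monitored network"); constructed.
PROFILED_NETWORKS = (ip_network("10.0.0.0/8"),)

# Constructed network map: the hosts FireSIGHT has discovered and profiled.
NETWORK_MAP = {
    "10.1.1.20": HostProfile("10.1.1.20", frozenset({("tcp", 1521)}), frozenset()),
    "10.1.1.30": HostProfile("10.1.1.30", frozenset({("tcp", 25)}),
                             frozenset({"CVE-2014-4123"})),
    "10.1.1.40": HostProfile("10.1.1.40", frozenset({("tcp", 80)}), frozenset(),
                             showing_ioc=True),
}

# The slide's Action column, keyed by impact level.
ACTIONS = {
    0: "General info: event outside profiled networks",
    4: "Good information: host is currently not known",
    3: "Good information: event may not have connected",
    2: "Worth investigation: host exposed",
    1: "Act immediately: host vulnerable or compromised",
}


def impact_flag(event, network_map=NETWORK_MAP, profiled=PROFILED_NETWORKS):
    """Return the impact level (0-4) for an event against the target host's profile."""
    target = ip_address(event.dst_ip)
    if not any(target in net for net in profiled):
        return 0                  # Event occurred outside profiled networks
    host = network_map.get(event.dst_ip)
    if host is None:
        return 4                  # Previously unseen host within monitored network
    if (event.protocol, event.dst_port) not in host.open_ports:
        return 3                  # Relevant port not open or protocol not in use
    if host.showing_ioc or event.cves & host.vulnerabilities:
        return 1                  # Host vulnerable to attack or showing an IOC
    return 2                      # Port/protocol in use but no vuln mapped


def triage(events, **kw):
    """Order events so Impact 1 comes first and Impact 0 (unprofiled) comes last."""
    scored = [(impact_flag(e, **kw), e) for e in events]
    return sorted(scored, key=lambda pair: (pair[0] == 0, pair[0]))


# Constructed events. SID 32265 / CVE-2014-4123 is the SMTP-delivered IE exploit
# rule from the "Recommended Rules" slide; the other SIDs are local-rule placeholders.
SAMPLE_EVENTS = [
    IntrusionEvent("203.0.113.9", "10.1.1.30", "tcp", 25, 32265, frozenset({"CVE-2014-4123"})),
    IntrusionEvent("203.0.113.9", "10.1.1.20", "tcp", 1521, 1000001),
    IntrusionEvent("203.0.113.9", "10.1.1.20", "tcp", 445, 1000002),
    IntrusionEvent("203.0.113.9", "10.1.1.40", "tcp", 80, 1000003),
    IntrusionEvent("203.0.113.9", "10.9.9.9", "udp", 53, 1000004),
    IntrusionEvent("10.1.1.20", "198.51.100.7", "tcp", 443, 1000005),
]

if __name__ == "__main__":
    for level, ev in triage(SAMPLE_EVENTS):
        print(f"Impact {level}  sid {ev.snort_id}  {ev.src_ip} -> {ev.dst_ip}:{ev.dst_port}"
              f"  {ACTIONS[level]}")
```

The order of the checks matters: a host that is not even in the network map can never be rated "vulnerable", and a closed port short-circuits before the CVE lookup, which is why the slide's footnote warns that on a fully profiled network an Impact 0 or 4 event may itself be the interesting one.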

Page 5: FireSIGHT Management Center (FMC) slides

Indications of Compromise

Leverage correlation of multiple event types, such as:
• Impact 1 & 2 events
• CNC connection events (IPS)
• Compromise events (IPS)
• Security Intelligence Events
• AMP for Endpoint Events
• AMP for Network
• Includes some file events
• Built in Cisco correlation rules

Goal:
1. What needs to be fixed now!
2. Have enough data to know what can be prevented in the future.

Page 6: FireSIGHT Management Center (FMC) slides

Better Breach Investigations

Columns: Differentiator / Technical Outcome / Business Outcome

Differentiator: Threat Centric Forensics with Context
• Breadth of event data (NGIPS, Application data, OS, File, Malware, Security Intelligence, Connection, etc.) provides more forensic data than any other single provider.
• Faster investigation and security decision support.
• More accurate event scoping; i.e. easily find every outcome from an event.

Differentiator: Event details support your Order of Investigations
• Event data interconnects to cross reference from one event to corollary incidents.
• Allows security teams to focus on and mature best practice models.

Differentiator: Host Profiles
• Create a single “source of truth” regarding the outcome and current state of devices during a security event.
• Quickly focuses analysts on the devices they are tasked to protect.
• Accelerates scoping and remediation.

Page 7: FireSIGHT Management Center (FMC) slides

Stages of Incident Handling

Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned (SANS Institute)

• Decide on which events to focus on first
• Drill into a specific event
• Validate the breach
• Leverage documentation
• Leverage additional forensics
• Explore your remediation options
• Remediate
• Automate as many decisions or actions as possible.

Page 8: FireSIGHT Management Center (FMC) slides

Order of Investigation†

Remediation – Incident Response – Data Collection

†may vary based on corporate priority

[Diagram labels: Indication of Compromise (“You’ve been owned.”); Under Attack; Research & Tuning; Impact 0, Impact 1, Impact 2 - 3, Impact 4; “Critical Assets”; Not Blocked / Dropped; Internal Source / External Source; Correlation Rules]

Goal: Getting to Remediation

Page 9: FireSIGHT Management Center (FMC) slides

Identify Where to Start

If this is all there was then the “Order of Investigation” is easy.

From the FMC Dashboard

Page 10: FireSIGHT Management Center (FMC) slides

Identify Where to Start

Indications of Compromise is often a better place to start. If only it were always so easy.

From the FMC Context Explorer

Page 11: FireSIGHT Management Center (FMC) slides

What too many networks look like

Some ways to choose:
• Look for Malware Executed (Endpoint AMP)
• Dropper Infection (Endpoint AMP)
• Threat detected in file transfer
• CnC Connected Events
• Shell Code Executed
• Impact 1 (these were probably blocked)
• Impact 2 (these were probably blocked)

From the FMC Context Explorer

Let’s see what these 63 events are all about.

Page 12: FireSIGHT Management Center (FMC) slides

Busy event. Looks like we’re getting more.

Page 13: FireSIGHT Management Center (FMC) slides

Seems active across 6 hosts. Let’s drill into one.

Page 14: FireSIGHT Management Center (FMC) slides

Looks like Kim Ralls has a lot going on on her Windows host.

Events from multiple sources:
• IPS Engine
• File Protection
• AMP for Networks

Page 15: FireSIGHT Management Center (FMC) slides

• .147 tried to send the file 5 times
• .147 was sent the file once
• IPS blocked it! (yeah!)
• What does Impact 4 mean?
• Should we investigate more?

Page 16: FireSIGHT Management Center (FMC) slides

Did you forget about these?

Let’s see if that file moved around without the IPS seeing it.

Page 17: FireSIGHT Management Center (FMC) slides

Yep. That file is malware.

We see it in the malware summary, too.

Page 18: FireSIGHT Management Center (FMC) slides

• A lot more than the 6 file transfers and hosts the IPS engine stopped.

• Good thing they have AMP for Endpoints, too.

• Bet they wished they enabled quarantining.

• Problem scoped. Time to remediate.

• Maybe a good time to look at file analysis / Threat Grid to learn what other artifacts are left behind.

Take Away: Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.

Page 19: FireSIGHT Management Center (FMC) slides

The Impact 1s are gone – Let’s look at something else

This looks interesting.

Page 20: FireSIGHT Management Center (FMC) slides

I know I have an Oracle server. Let’s look at the rule docs.

Page 21: FireSIGHT Management Center (FMC) slides

Assessment

• Impact 2: Destination host not vulnerable (consistent with the rule docs)
• Impact 2 means this was a successful TCP connection
• IPS blocked the event
• Source IP could well be compromised, or it proxied an attack from another host.
• Check out Connection Logs and Source IP Host Profile

Page 22: FireSIGHT Management Center (FMC) slides

Another Assessment from the other Admin priv attempts

• Source IP all internal, Destination IP is external
• Impact 3 because there are no Host Profiles on external hosts
• Intrusion events SOURCED from my network are more important than Impact Scores
• TCP detections mean there was at least a connection established.
• These hosts definitely launched an attack.
• Should take a closer look at the Source IP Host Profiles for potential compromise.

Page 23: FireSIGHT Management Center (FMC) slides

Assessment: This has to be stopped!

Page 24: FireSIGHT Management Center (FMC) slides

Try to follow an Order of Investigation (PICERL).

Identification of events around an incident usually involves multiple markers: IPS? Malware? Connection? File? Trajectory? Check all the related data.

Impact and IOCs are just starting points. Keep in mind:
• Directionality of events (i.e. exfiltrating events are worth looking at even with Impact 2, 3, and 4).
• Be sure to consider how the protocols work (i.e. TCP: there was a connect; UDP: connectionless).
• Take advantage of the documentation!
• Packet Data is great but not critical.

Scoping a Breach

Page 25: FireSIGHT Management Center (FMC) slides

Security Automation Differentiation

Columns: Differentiator / Technical Outcome / Business Outcome

Differentiator: Recommended Rules
• Ensures threat visibility specific to the network being monitored and protected.
• False Negative Reduction
• Reduces “Human Error” in ensuring comprehensive protection.
• Automates

Differentiator: Correlation Rules
• Further reduces events from “requiring investigation” to “requires response”
• Automation of event investigation practices.
• Integrates business outcome with security practice.
• Captures and automates security best practice (raises the level of security support staff)

Differentiator: Remediation API
• Cross Cisco and 3rd party interconnect
• Automation of security response
• FMC + ISE becomes the center of security infrastructure.
• Automating remediation shortens time to a “return to business” state.

Page 26: FireSIGHT Management Center (FMC) slides

Recommended Rules

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )

alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )

Rule that will map to Recommended Rules

Some rules will ALWAYS be turned off by Recommended Rules
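To make the mapping concrete, here is an added example (not Cisco's implementation) that parses the option block of the two rules above and decides, under a deliberately simplified model, for which hosts a "Recommended Rules" pass would keep each rule on. The simplification is an assumption: a rule is recommended for a host when its metadata `service` matches a service discovered on the host, or when a `reference:cve` it carries is mapped to that host; a rule that matches no host is turned off. The host profiles and the third rule (sid 1000001, local range) are constructed.

```python
"""Snort rule option parser plus a simplified "Recommended Rules" decision.

Added example, not Cisco's implementation. The two long rules are the ones on
the slide; the third rule (sid 1000001, local range), the host profiles and
the recommendation logic are constructed. Simplified model: a rule is
recommended ON for a host when its metadata `service` matches a service the
host runs or a `reference:cve` it carries is mapped to that host, and OFF
everywhere otherwise.
"""
import re

RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)

# The two rules shown on the slide, verbatim.
SINKHOLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware '
    'sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; '
    'fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy '
    'security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; '
    'classtype:trojan-activity; sid:33306; rev:1; )'
)
IE_SMTP_RULE = (
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker '
    'object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; '
    'file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 '
    'B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, '
    'policy security-ips drop, service smtp; reference:cve,2014-4123; '
    'reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; '
    'classtype:attempted-user; sid:32265; rev:1; )'
)
# Constructed rule with no service metadata and no CVE reference.
TELNET_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"CONSTRUCTED telnet banner"; '
    'flow:to_client,established; content:"login|3A|"; classtype:misc-activity; sid:1000001; rev:1;)'
)
RULES = [SINKHOLE_RULE, IE_SMTP_RULE, TELNET_RULE]

# Constructed host profiles: services discovered on the host and CVEs mapped to them.
HOSTS = {
    "10.1.1.30": {"services": {"smtp"}, "vulnerabilities": {"CVE-2014-4123"}},
    "10.1.1.40": {"services": {"http"}, "vulnerabilities": set()},
}


def split_options(body):
    """Split the option block on ';' while ignoring ';' inside quoted strings."""
    parts, buf, quoted = [], [], False
    for ch in body:
        if ch == '"' and not (buf and buf[-1] == "\\"):
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    return [p for p in parts + [tail] if p]


def parse_rule(text):
    """Return header fields, the option list and the derived sid/msg/metadata/CVEs."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule")
    options = []
    for opt in split_options(m.group("opts")):
        key, _, value = opt.partition(":")          # options without ':' (file_data) get None
        options.append((key.strip(), value.strip() or None))
    meta = []                                       # metadata is "key value, key value, ..."
    for item in next((v for k, v in options if k == "metadata"), "").split(","):
        key, _, value = item.strip().partition(" ")
        if key:
            meta.append((key, value.strip()))
    cves = {"CVE-" + v.split(",", 1)[1].strip()
            for k, v in options if k == "reference" and v.startswith("cve,")}
    return {
        **{k: m.group(k) for k in ("action", "proto", "src", "sport", "dir", "dst", "dport")},
        "options": options,
        "sid": int(next(v for k, v in options if k == "sid")),
        "msg": next(v for k, v in options if k == "msg").strip('"'),
        "metadata": meta,
        "services": {v for k, v in meta if k == "service"},
        "cves": cves,
    }


def recommended_states(rules, hosts):
    """Map sid -> set of host IPs for which the simplified model recommends the rule ON.
    An empty set means the rule is recommended OFF for this network."""
    states = {}
    for text in rules:
        rule = parse_rule(text)
        states[rule["sid"]] = {
            ip for ip, h in hosts.items()
            if rule["services"] & h["services"] or rule["cves"] & h["vulnerabilities"]
        }
    return states


if __name__ == "__main__":
    for sid, on_for in recommended_states(RULES, HOSTS).items():
        print(sid, "ON for" if on_for else "OFF", sorted(on_for))
```

Under this model the sinkhole rule stays on because a host runs HTTP, the IE rule stays on because the mail server both runs SMTP and has the referenced CVE mapped, and the constructed telnet rule is turned off everywhere; that is the "ALWAYS turned off" case the slide refers to, with the caveat that the real FMC mapping uses more host data than this toy does.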

Page 27: FireSIGHT Management Center (FMC) slides

Building a Correlation Rule

Correlation Rule to:
• Ensure only HTTPS traffic is used on port 443
• Ensure it is being initiated by a Host whose defined Location (host Attribute) is POS
• And that the HTTPS traffic from the POS host is received on hosts in the PCI network.
• Any traffic outside this profile will generate an event.

Page 28: FireSIGHT Management Center (FMC) slides

Automating Response – Remediation API

Use Case 2

Sample Remediation Modules:
• Cisco ISE – FIRE & ISE
• Guidance Encase
• Set Host Attributes
• Security Intelligence Blacklisting
• Nmap Scan
• SSH / Expect Scripts
• F5 iRules
• Solera DeepSee
• Netscaler
• PacketFence
• Bradford

Event sources feeding correlation: Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events

Correlation Rules (Boolean Conditions) -> Correlation Policies -> Correlation Events -> Actions (API, Email, SNMP)
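The POS-to-PCI correlation rule from the previous slide, carried through the pipeline on this one (rule, correlation event, actions), as an added example that is not FMC code. The rule is one reading of the slide's profile: hosts whose Location attribute is POS may only initiate HTTPS on port 443 to hosts in the PCI network, and anything else from a POS host raises a correlation event. The PCI network, the host attributes, the connection events and the two actions (set a host attribute, queue an e-mail notification) are constructed.

```python
"""Correlation rule -> correlation event -> action, modelled on the "Building a
Correlation Rule" and "Automating Response - Remediation API" slides.

Added example, not FMC code. The rule is one reading of the slide's profile:
hosts whose Location host attribute is POS may only initiate HTTPS on port 443
to hosts inside the PCI network, and anything else from a POS host raises a
correlation event. The PCI network, host attributes, connection events and
the two actions (set a host attribute, queue an e-mail) are constructed.
"""
from ipaddress import ip_address, ip_network

PCI_NETWORK = ip_network("10.20.0.0/16")          # constructed PCI segment
RULE_NAME = "POS -> PCI HTTPS only"


def pos_https_only(evt, host_attributes):
    """Boolean condition of the correlation rule over one connection event.
    Returns None when the connection fits the profile, else the violation."""
    if host_attributes.get(evt["initiator"], {}).get("Location") != "POS":
        return None                               # rule only constrains POS initiators
    if evt["responder_port"] != 443 or evt["app"] != "HTTPS":
        return (f"POS host sent {evt['app']} to port {evt['responder_port']} "
                "(only HTTPS on 443 is allowed)")
    if ip_address(evt["responder"]) not in PCI_NETWORK:
        return f"POS host sent HTTPS to {evt['responder']}, outside the PCI network"
    return None


def set_host_attribute(cevt, host_attributes, outbox):
    """Action in the style of the 'Set Host Attributes' module: tag the initiator
    so analysts and other rules can see it is under review."""
    host_attributes.setdefault(cevt["initiator"], {})["Review"] = cevt["rule"]


def email_notification(cevt, host_attributes, outbox):
    """Action in the style of the 'Email' response: queue a one-line notice."""
    outbox.append(f"[{cevt['rule']}] {cevt['initiator']} -> "
                  f"{cevt['responder']}:{cevt['responder_port']} {cevt['reason']}")


def run_policy(events, host_attributes, rule=pos_https_only,
               actions=(set_host_attribute, email_notification)):
    """Correlation policy: evaluate the rule over each connection event, emit one
    correlation event per violation and fire every configured action on it."""
    correlation_events, outbox = [], []
    for evt in events:
        reason = rule(evt, host_attributes)
        if reason is None:
            continue
        cevt = {"rule": RULE_NAME, "reason": reason, **evt}
        correlation_events.append(cevt)
        for action in actions:
            action(cevt, host_attributes, outbox)
    return correlation_events, outbox


def demo():
    """Run the policy over constructed events; returns (events, outbox, attributes)."""
    host_attributes = {                            # constructed 'Location' host attribute
        "10.30.0.11": {"Location": "POS"},
        "10.30.0.12": {"Location": "POS"},
        "10.40.0.5": {"Location": "Office"},
    }

    def conn(initiator, responder, port, app):
        return {"initiator": initiator, "responder": responder,
                "responder_port": port, "app": app}

    events = [                                     # constructed connection events
        conn("10.30.0.11", "10.20.1.5", 443, "HTTPS"),      # fits the profile
        conn("10.30.0.11", "10.20.1.5", 443, "SSH"),        # not HTTPS on 443
        conn("10.30.0.12", "198.51.100.7", 443, "HTTPS"),   # responder outside PCI
        conn("10.40.0.5", "198.51.100.7", 443, "HTTPS"),    # not a POS host: ignored
        conn("10.30.0.12", "10.20.1.5", 80, "HTTP"),        # wrong port and app
    ]
    correlation_events, outbox = run_policy(events, host_attributes)
    return correlation_events, outbox, host_attributes


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```

The rule deliberately checks the application protocol FMC identified rather than just the port, so SSH or another protocol tunnelled over 443 from a POS host still raises an event; the "Set Host Attributes" action then feeds back into the host map, which is what lets a later rule or an analyst workflow pick the host up.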

Page 29: FireSIGHT Management Center (FMC) slides

Reporting Differentiators

Columns: Differentiator / Technical Outcome / Business Outcome

Differentiator: Work Flows
• Pivoting data views improves event investigation.
• Custom workflows organize data in ways that are meaningful to the organization.
• Allows security investigations to align with business criticality.
• Speeds analytics.

Differentiator: Custom Tables
• Allows for data integration across event types.
• Significantly customizes reporting for different business and security requirements.
• Allows sec ops to build comprehensive views into individual events.

Differentiator: Dashboard focused reporting
• Highly customizable dashboard with 100s of reporting options.
• Integrates default and custom tables, workflows, and queries.
• Organize event data into locally meaningful segments
• Quickly build custom report templates.
• Highly customizable reporting.

Page 30: FireSIGHT Management Center (FMC) slides

Create a Custom Workflow

Page 31: FireSIGHT Management Center (FMC) slides

Custom Table: Intrusion Event with Host Data

Page 32: FireSIGHT Management Center (FMC) slides

Not just what’s in the templates

Dashboard widgets have almost 120 preset reports

Customizing Widgets means thousands of reporting options.

Think of the Dashboard as your report designer.

Tools:
• Searches
• Custom Workflows
• Custom Tables <-- Data goldmine (can be performance impacting)
• Default Reports

Page 33: FireSIGHT Management Center (FMC) slides

Build Reports Straight from the Dashboard