Brksec 1023
#CiscoLiveAPJC
$ whoami
Cisco role: Distinguished Engineer, Threat Detection & Response
Unofficial title: “Cisco History Professor”
Experience: Old enough to wonder how I have been doing this for ~30 years
Fun fact 1: Father of 5 daughters
Fun fact 2: Oldest works for Cisco now! Youngest is 18 months!
Fun fact 3: Working through his Cyber Security Master’s Degree from SANS Institute (~04/24)
BRKSEC-1023 © 2023 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Sarcasm
Cisco Webex App
Questions? Use Cisco Webex App to chat with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
3 Install the Webex App or go directly to the Webex space
Please fill out the survey
Agenda
• Intro to XDR
• Outcomes
• Features
• Resources
Intro to XDR
Protection isn’t enough
What is XDR?
Collection of telemetry from multiple security tools
We Are Here
Is XDR different from all the other things? (*not to scale)
Without XDR, how can we detect and respond to all of this?
Telemetry data source importance
The top six data sources that customers believe are essential for an XDR are Endpoint, Network, Firewall, Identity, Email, and DNS
The Cisco approach to XDR
Detect more, act faster, elevate productivity, build resilience
Detect the most sophisticated threats
• Multi-vector detection: network, cloud, endpoint, email, and more
• Enriched incidents with asset insights, threat intel
• Optimized for multi-vendor environments
Act on what truly matters, faster
• Prioritize threats by greatest material risk
• Unified context to streamline investigations
• Evidence-backed recommendations
Elevate productivity
• Focus on what matters and filter out the noise
• Boost limited resources for maximum value
• Automate tasks and focus on strategic tasks
Build resilience
• Close security gaps
• Anticipate what’s next through actionable intel
• Get stronger, everyday with continuous, quantifiable improvement
Investigation Timeline – what happened & when?
SOC / Admin Responder typically builds out a timeline when investigating.
Figure: timeline across Pre-Exploitation, Exploitation and Post-Exploitation, with stages Probing, Failed Exploit Attempts, Initial Compromise, Privilege Escalation, Lateral Movement and Data Exfiltration, and a "?" where the picture is still unknown; each host is tracked by IP Address, Mac Address, GUID(s) and Activity.
Outcomes
Detect sooner
A vast ecosystem of integrations
Enhanced detections with diverse intelligence
Prioritize by impact
Reduce investigation time
• Interactive, visual representations of incidents
• Event correlation and attack chaining to group related intelligence
• Automated enrichment for the most critical incidents, ensuring intelligence is gathered immediately
How true simplicity is experienced
Without XDR: 32 minutes. With XDR: five minutes.
Confirm attacks sooner with alert correlation
Correlate alerts through time
Accelerate response
• Ability to respond throughout the interface
• Simplified response workflows available from within incidents
• Broad set of workflows to achieve a variety of outcomes
Powerful, flexible automation
Extend asset context
• Detailed asset information aggregated from multiple sources
• Combines asset inventory with security context
• Allows for more accurate incident prioritization based on asset value
• Distinguish between targets and assets
Features
Timeline from multiple sources
XDR Should Build out the Timeline
Figure: sources AD and EDR. Host Vic01 is tracked by IP Address, Mac Address, GUID(s) and Activity (random mac-address, DHCP assigned IP, EDR installed). EDR event: Credential Theft Activity – AD Find, Rubeus.
Timeline from multiple sources
XDR Should Build out the Timeline
Figure: host Vic01 (random mac-address, DHCP assigned IP, EDR installed) with events in order: (1) EDR – Credential Theft Activity: AD Find, Rubeus; (2) NDR – Network Conn: ldap://ad:389 and smb tcp/445 to AD; (3) NDR – Network Conn: ftp of harvested creds to C2; (4) EDR – Impact: Crypto, ryuk.exe starts encrypting on AD.
2. NDR: Endpoint Vic01 connected via LDAP & SMB to the AD server for the kerberoast to be successful
3. NDR: Endpoint Vic01 sent the harvested creds out to the C2 server
4. EDR: First System (AD) was Ransomed! How did this happen?
Timeline from multiple sources
5. EDR: Endpoint Vic01 was sending out discovery commands previously, what else was seen for Vic01?
6. EDR: Endpoint Vic01 Executed an unknown binary before those commands were run
7. NDR / DNS / Proxy: XYZ on Vic01 was communicating encrypted TLS w/ a potentially risky site before the commands
Timeline from multiple sources
XDR Should Build out the Timeline
Figure: host Vic01 (random mac-address, DHCP assigned IP, EDR installed) with the timeline extended backwards: EDR – Executes Bazar; NDR – Open C2 Channel; EDR – Discovery commands: systeminfo.exe, netstat.exe, net.exe, ipconfig.exe, nltest.exe, whoami.exe; EDR – Credential Theft Activity: AD Find, Rubeus; NDR – Network Conn: ldap://ad:389, smb tcp/445 to AD; NDR – Network Conn: ftp of harvested creds to C2; NDR – Lateral Movement: rdp tcp/3389, smb tcp/445; EDR – Impact: Crypto, ryuk.exe starts encrypting on AD.
Timeline from multiple sources
Figure: sources Email Defense, EDR and NDR. The timeline now starts with Email – Opens email, follows link to a-p-p-i-e.com; then EDR – Executes Bazar; NDR – Open C2 Channel; EDR – Discovery commands; EDR – Credential Theft Activity: AD Find, Rubeus; NDR – Network Conn to AD; NDR – ftp of harvested creds to C2; NDR – Lateral Movement: smb tcp/445; EDR – Impact: Crypto on AD. Host Vic01: random mac-address, DHCP assigned IP, EDR installed.
11. Vic01 had roamed & gotten a new IP Address (so much more important than you know)
12. Bazar executable XYZ was downloaded by Kevin Smith
13. Kevin Smith received an email w/ a look-alike domain in the URL & he clicked it to download that executable
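As an added example (not part of the deck and not Cisco XDR code), the host-centric stitching described in steps 2 through 13 and in "Correlate alerts through time" above: EDR events name the host, NDR events carry only an IP, so DHCP lease history is used to attribute IP-only events to the right host even after Vic01 roams to a new address (step 11) and its old IP is handed to someone else. All telemetry below is constructed sample data; the hostnames, MACs and IPs are assumptions.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample telemetry (illustrative only, not from the deck).
# DHCP lease events: (lease_start, mac, ip). The same MAC takes a second IP when the host roams.
DHCP_LEASES = [
    ("2023-05-01T08:00:00", "aa:bb:cc:00:00:01", "10.1.1.50"),
    ("2023-05-01T08:05:00", "aa:bb:cc:00:00:02", "10.1.1.51"),
    ("2023-05-01T11:30:00", "aa:bb:cc:00:00:01", "10.1.2.77"),  # Vic01 roams to a new IP
    ("2023-05-01T11:45:00", "aa:bb:cc:00:00:03", "10.1.1.50"),  # old IP reassigned to Vic03
]
# EDR inventory: MAC -> hostname (the EDR knows the host, not its current IP).
EDR_INVENTORY = {"aa:bb:cc:00:00:01": "Vic01", "aa:bb:cc:00:00:02": "Vic02",
                 "aa:bb:cc:00:00:03": "Vic03"}
# Raw events: (timestamp, source, entity, summary). NDR sees only IPs; EDR sees hostnames.
EVENTS = [
    ("2023-05-01T09:02:00", "EDR", {"host": "Vic01"}, "unknown binary executed"),
    ("2023-05-01T09:10:00", "EDR", {"host": "Vic01"}, "discovery: whoami.exe, net.exe, nltest.exe"),
    ("2023-05-01T09:40:00", "NDR", {"ip": "10.1.1.50"}, "ldap://ad:389 + smb tcp/445 to AD"),
    ("2023-05-01T12:15:00", "NDR", {"ip": "10.1.2.77"}, "ftp upload of harvested creds to C2"),
    ("2023-05-01T12:30:00", "NDR", {"ip": "10.1.1.50"}, "rdp tcp/3389 to file server"),
]

def lease_history(leases=DHCP_LEASES):
    """Per IP, lease start times and the MAC that took each lease, sorted by start time."""
    hist = defaultdict(lambda: ([], []))
    for start, mac, ip in sorted(leases):
        hist[ip][0].append(start)
        hist[ip][1].append(mac)
    return hist

def resolve_host(ts, ip, leases=DHCP_LEASES, inventory=EDR_INVENTORY):
    """Map an IP seen at time ts to the host holding that lease at ts (None if no lease yet)."""
    starts, macs = lease_history(leases).get(ip, ([], []))
    i = bisect_right(starts, ts) - 1  # latest lease that started at or before ts
    return inventory.get(macs[i]) if i >= 0 else None

def build_timeline(events=EVENTS):
    """Group events per host in time order; IP-only events are attributed via lease history."""
    timeline = defaultdict(list)
    for ts, source, entity, summary in sorted(events):
        host = entity.get("host") or resolve_host(ts, entity["ip"])
        timeline[host or "unresolved:" + entity["ip"]].append((ts, source, summary))
    return dict(timeline)

if __name__ == "__main__":
    for host, rows in build_timeline().items():
        print(host)
        for ts, source, summary in rows:
            print(f"  {ts} {source:<4} {summary}")
```

Keying on IP alone would split Vic01's activity into two unrelated "assets" and pin the 12:30 RDP connection on the wrong host; the lease lookup is what keeps the exfiltration at 12:15 attached to the same timeline as the earlier discovery and credential-theft events.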
Timeline in Cisco XDR
Interactive Graph: displays & groups the entities involved in the incident
Timeline: interactive, drag it, select a portion, zoom in & out
Incident manager
Automated prioritization
Risk- and asset-based prioritization, so you know what to investigate first
Walk through incidents step by step
Progressive disclosure
Identify the most impactful incidents based on risk
Investigate
Automation
Devices
Supported sources
• Duo Access
• Duo Beyond
• Secure Endpoint
• Umbrella (DNS)
• Meraki SM
• Secure Client
• Orbital
• Windows / macOS
• Third Party
One more thing…
XDR has a robust set of APIs!
• We have APIs for:
• Threat intelligence
• Private and public databases of threat intel
• Investigation
• Inspect content for observables
• Enrich data using your integrated products
• Response
• Act on observables you know to be dangerous
• Automation
• Trigger workflows in XDR to do just about anything you want
To summarize
Shift the focus to outcomes
XDR-driven outcomes
Detect sooner
• Where are we most exposed to risk?
• How good are we at detecting attacks early?
Prioritize by impact
• Are we prioritizing the attacks that represent the largest material impacts to our business?
Speed up investigations
• How quickly are we able to understand the full scope and entry vectors of attacks?
Accelerate response
• How fast can we confidently respond?
• How much can SecOps automate?
• Are we quantifiably getting better?
Stop advanced threats like ransomware
Most attacks use a sequence like this…
Figure: attack sequence beginning with Email and DNS.
Quickly position teams to achieve incremental XDR milestones
Integrate: Consolidate solutions and technology with an integrated platform
Unify: Build an ecosystem that aggregates, enriches data and telemetry from all parts of your environment
Orchestrate: Enable prioritized detection and response using AI & ML
Automate: Automate detection and response workflows that require minimal human intervention
Optimize: Evolve, and fine tune security by proactively executing against that baseline
Resources
Other XDR sessions
• Extended Detection with Cisco XDR: Security analytics across the enterprise
• Cisco's Unified Agent: Cisco Secure Client. Bringing AMP, AnyConnect, Orbital & Umbrella together
• Cisco XDR - Making sense of the Solution and how it's a Security Productivity Tool
https://cisco.com/go/xdr
Participating in user research gives you a place to share your thoughts and experiences to influence the future of Cisco Secure products.
• You'll hear from us at most once every 90 days.
• Participation is completely optional, and you can opt out at any time.
Session Surveys
We would love to know your feedback on this session!
• Complete a minimum of four session surveys and the overall event surveys to claim a Cisco Live T-Shirt
Getting started
Where can you learn more about Cisco XDR?
• Cisco XDR At a Glance
• An XDR Primer: The Promise of Simplifying Security Operations Position Paper
• Cisco XDR: Security Operations Simplified eBook
• Five Ways to Experience XDR eBook
• Cisco XDR Overview Video
• XDR Buyer’s Guide
Thank you
#CiscoLiveAPJC