Understanding Network Insight Integrations to Automate Containment and Kick Start Response, Stephen Newman SVP Products, Core Security & SecureAuth
0 likes115 views
The document discusses the integration of network insight with SIEM (Security Information and Event Management) systems to enhance incident response and automated containment of compromised devices. It outlines best practices for using built-in integrators, such as syslog and APIs, to facilitate real-time threat detection and response actions. Additionally, the document presents various scenarios and examples that demonstrate how network insight can improve the effectiveness of security operations centers (SOCs).
![Scenario
Data
From
NI
To
SIEM
Example
‘Case’
scenarios
in
SIEM
+
laptop01 |
ThreatX |
Suspected
|
Verdict
Score
10 [CONTEXT]
[CORRELATION]
[FS
ASSET]
[FS
THREAT]
Connection
Profiler
|
badguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
+
laptop01 |
ThreatX |
Suspected |
Verdict
Score
20
[CONTEXT]
[CORRELATION]
[FS
ASSET]
[FS
THREAT]
Connection
Profiler |
badguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
terribleguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
+
laptop01 |
ThreatX |
Infected
|
Verdict
Score
80 [CONTEXT]
[CORRELATION]
[FS
ASSET]
[FS
THREAT]
Connection
Profiler |
badguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
terribleguy.com |
Completed
Connection
|
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
badguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
terribleguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
badguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
terribleguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
badguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
terribleguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
badguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
terribleguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
badguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Connection
Profiler |
terribleguy.com |
Completed
Connection
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Automation
Profiler
|
Weakly
Automated
|
Link
NI
|
Data
In
|
Data
Out
|
OS
Type
|
Timestamp
|
Other
NI
Data
Legend:
“+”
means
you
can
expand
the
case
to
get
the
details
of
“Evidence”
below.
[bracket]
means
a
button
that
links
to
either
SIEM
Filtered
Data
or
NI
screens.](https://image.slidesharecdn.com/newman-understandingnetworkinsights-connectatl17-171025150241/85/Understanding-Network-Insight-Integrations-to-Automate-Containment-and-Kick-Start-Response-Stephen-Newman-SVP-Products-Core-Security-SecureAuth-7-320.jpg)
Understanding Network Insight Integrations to Automate Containment and Kick Start Response, Stephen Newman SVP Products, Core Security & SecureAuth
- 1. Understanding Network Insight Integrations to Automate Containment and Kick Start Response Stephen Newman
- 2. L E A R N M O R E Stephen Newman SVP Products Core Security & SecureAuth -‐-‐ ABSTRACT -‐-‐ Whether it’s the revered single plane of glass view in a SIEM or building an auto containment workflow for compromised devices, Network Insight admins can use built-‐in integrators to take action quickly or build their own with the API. With SIEM for instance, what if the view is wrong or incomplete? This can cause the response teams to spend invaluable time looking and or chasing the wrong things. It’s critical to understand how to ingest the NI outputs into your SIEM to keep things flowing smoothly. In this session we will cover how to best integrate Network Insight with your SIEM as well as automate rapid response actions. Also covered will be use cases for Proxies, Next Generation Firewall (NGFW), Endpoint Detection & Response (EDR) solutions.
- 3. AGENDA • Introduction • Communication Types • Definitions • Best Practice Scenarios With SIEM • Response Actions
- 4. Network Insight Interaction Flexibility & Power SYSLOG: Delivers Events In Real-‐time to SIEMs READ Only DB: Alternative mechanism to pull all evidence & context from NI API: REST based API to allow SIEM to both pull deep forensics from NI as well as update ‘State’ on devices within NI from SIEM Network Insight® 6.3 API Guide v.1.00
- 5. Network Insight’s decision if a threat is present on a device or not • Suspected: ‘Evidence’ exists, but not enough to be sure an infection is present • Infected: ‘Evidence’ builds a strong case that an infection is present Ve r d i c t An ability within SIEMs to roll up ‘Evidence’ to a specific ‘Event’. F i l t e r Individual events delivered from Network Insight to a SIEM E v i d e n c e Hi-‐level notifications presented within SIEM C a s e Network Insight Definitions
- 6. SIEM Using a ‘Filter’ > SIEM Creates a ‘Case’ laptop01 laptop01 > ‘Suspected’ of ‘ThreatX’ > Score 10 If SOC clicks on ‘Case’, they see ‘Evidence’ details of the suspicious communication. Evidence 1 laptop01 > badguy.com > ThreatX NI marks laptop01 > Suspected > Verdict 10 Evidence > SIEM > Connection Profiler SIEM Using a ‘Filter’ > SIEM modifies ‘Case’ laptop01 > ‘Suspected’ of ‘ThreatX’ > Score 20 SOC > ‘Case’ > both pieces of ‘Evidence’ in chronological order Evidence 2 laptop01 > terribleguy.com > ThreatX NI marks laptop01 > Suspected > Verdict 20 Evidence > SIEM > Connection Profiler SIEM Using a ‘Filter’ > SIEM modifies ‘Case’ Laptop01 > ‘Infected’ of ‘ThreatX’ > score 80 SOC Notified > Priority > ThreatX on laptop01 SOC > ‘Case’ > all ‘evidence’ in chronologically SOC > hyperlink > NI > forensics. … Evidence 12 Laptop01 > 10 + connections > ThreatX NI > Identities Automation via ML NI marks laptop01 > Infected > Verdict 80 Evidence > SIEM > Connection Profiler Evidence > SIEM > Automation Profiler Scenario Timeline Best Practice: Integrating NI into IR Workflow SOC Not Chasing Until Infection Is Certain
- 7. Scenario Data From NI To SIEM Example ‘Case’ scenarios in SIEM + laptop01 | ThreatX | Suspected | Verdict Score 10 [CONTEXT] [CORRELATION] [FS ASSET] [FS THREAT] Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp + laptop01 | ThreatX | Suspected | Verdict Score 20 [CONTEXT] [CORRELATION] [FS ASSET] [FS THREAT] Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data + laptop01 | ThreatX | Infected | Verdict Score 80 [CONTEXT] [CORRELATION] [FS ASSET] [FS THREAT] Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | terribleguy.com | Completed Connection | | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data Automation Profiler | Weakly Automated | Link NI | Data In | Data Out | OS Type | Timestamp | Other NI Data Legend: “+” means you can expand the case to get the details of “Evidence” below. [bracket] means a button that links to either SIEM Filtered Data or NI screens.
- 8. Incident Validation Best Practice: Maximizing Strengths of NI & SIEMs INCIDENT SOC Notified > Priority > ThreatX on laptop01 Yes Maybe No SOC Agrees Device Infected Proceeds To Response Actions SOC Unsure Device Infected Correlate With Events From Other Solutions SOC Disagrees Device Infected SOC Closes Case NI Updated, But Keeps History
- 9. Incident: Yes Response Action To Identify The Correct Response Action, SOC Member Needs ‘Context’ SIEM Can Be Setup To Automatically Gather & Present Context When “Infected” Status Achieved From NI From Other Solutions Hostname User / Account Details MAC AV Status / DAT Status List of IP Addresses List of Vulnerabilities on Device Geo Location of C&C Traffic User Group Status of Connections to C&C (Completed, Proxy Blocked, Blocked, Dropped, Failed) Device Location Data in from Threat Actor GRC Policies Data out from Threat Actor Device type Threat Actor TTPs Device OS Device OS Proxy Logs Device Category NI Risk Score Rapid Response
- 10. Incident: Maybe Response Action SOC Member Investigates Further > Hyperlink To NI for In-‐depth Forensics including PCAPs SIEM Can Be Setup To Automatically Gather & Present Context When “Infected” Status Achieved From NI From Other Solutions Hostname User / Account Details MAC AV Status / DAT Status List of IP Addresses List of Vulnerabilities on Device Geo Location of C&C Traffic User Group Status of Connections to C&C (Completed, Proxy Blocked, Blocked, Dropped, Failed) Device Location Data in from Threat Actor GRC Policies Data out from Threat Actor Device type Threat Actor TTPs Device OS Device OS Proxy Logs Device Category NI Risk Score Rapid Investigation
- 11. Incident: No Response Action SOC Member Marks Case Closed SIEM > NI API > Marks Case Closed In NI NI Retains History In Event Other Evidence Becomes Available Rapid Dismissal
- 12. Automated Response Best Practice: Rules of Engagement CONFIDENCE IMPACT / “RISK of DAMAGE”LOW LOWHIGH HIGH NO RESPONSE, CONTINUE MONITORING AUTOMATE RESPONSE, CONTINUE MONITORING AUTOMATE RESPONSE, CONTINUE MONITORING SUSPECTED INFECTED OBSERVED SUSPECTED STATE AUTOMATED ACTIONS q ENFORCE ADAPTIVE AUTHENTICATION FOR ACCOUNTS q RESTRICT DEVICE ACCESS TO SENSITIVE DATA q FORCE AV UPDATE AND SCAN q INITIATE LIGHT FORENSIC SCAN OF DEVICE q INCREASE LOGGING q CREATE WORKFLOW TICKET INFECTED STATE AUTOMATED ACTIONS q REMOVE ENTITLEMENTS q QUARANTINE DEVICE TO SECURITY Z0NE q INITIATE DEEP FORENSIC SCAN OF DEVICE q KILL SUSPECTED PROCESSES q LAUNCH INCIDENT INVESTIGATION
- 13. Network Insight Response Integrations Integration Complete Integrations in Consideration
- 14. Blue Coat Integration Internal Network 1. Network Insight > Discovers infected device, suspected device, or active C+C domains 2. Network Insight > Dynamically publishes CPL file via Management Console URL 3. ProxySG > Automatically checks Damballa CPL file for updated infected, suspected, and C+C domains 4. ProxySG > Enforces policies to take action -‐ Example: Block internet access for infected device, block attempted communications with bad C&C domains by infected device, etc. Proxy SG Network Insight Tap or Span Port Network Insight Tap or Span Port Blue Coat Global Intelligence Network
- 15. Palo Alto Networks Integration Internal Network Tap or Span Port 1. Network Insight > discovers infected device, suspected device, and/or active C&C domains 2. Network Insight > notifies Dynamic Block List of device state and identified C&C communication attempts 3. PAN > implements policies based on device state (suspected or infected) information. (IE: Block infected assets from communicating to internet and/or high-‐value assets, enhance logging on suspected assets) 4. PAN > blocks active C&C communication attempts identified by Network Insight Network Insight
- 16. Carbon Black Integration Internet Endpoints NGFW Carbon Black Network Insight 4. CARBON BLACK IDENTIFIES PROCESS AND CORRESPONDING FILE ON INFECTED HOST FOR BREACH RESPONSE TEAM BREACH RESPONSE TEAM VERDICT: INFECTED 3. NETWORK INSIGHT QUESTIONS CARBON BLACK FOR PROCESS OF OBSERVED NETWORK COMMUNICATIONS 1. NETWORK INSIGHT IDENTIFIES MALICIOUS BEHAVIORS IN C&C ACTIVITY AUTOMATION | FLUXING | P2P | HTTP REQUESTS 1 2. NETWORK INSIGHT PASSES VERDICT OF INFECTED 2 3 4
- 17. THANK YOU