FireSIGHT Management Center (FMC) slides
5 likes4,447 views
The FireSIGHT Management Center (FMC) provides concise summaries of security events in 3 sentences or less by leveraging extensive network, endpoint, application and threat intelligence data. It improves security operations by reducing the number of tools needed to understand events, shortening the time to scoping and containment. The FMC also automates the correlation of critical events to identify indicators of compromise and focus security teams on remediation.
![Understanding Impact Flags
Intrusion Events
Source / Destination IP
Protocol (TCP/UDP)
Source / Destination Port
Service
Snort ID
IOC: Predefined Impact
Host Profile
[Outside Profile Range]
[Host not yet profiled]
IP Address
Protocols
Server Side Ports
Client Side Ports
User IDs
Potential Vulnerabilities
Services
Client / Server Apps
Operating System
CVE
0
4
2
3
1
Action Why
General info††
Event outside
profiled networks
Event occurred
outside profiled
networks
Good information
host is currently
not known
Previously unseen
host within
monitored
network
Good information
event may not
have connected
Relevant port not
open or protocol
not in use
Worth
investigation. Host
exposed.
Relevant port or
protocol in use but
no vuln mapped
Act immediately.
Host vulnerable
or compromised.
Host vulnerable to
attack or showing
an IOC.
†† If you have a fully profiled network
this may be a critical event!
Impact Flag](https://image.slidesharecdn.com/fmcvalueslides-151022181224-lva1-app6892/85/FireSIGHT-Management-Center-FMC-slides-4-320.jpg)
FireSIGHT Management Center (FMC) slides
- 1. The Value of FireSIGHT Management Center (FMC)
- 2. Value of Event Data Differentiator Technical Outcome Business Outcome Data, Data, Data – Threat, network, application and endpoint intelligence in one console. • More data than any other single product. • FMC has and leverages context for automation. • Integrated and contextual for better forensics. • Data is automatically organized into useful containers. • FMC improves operational engagement by reducing the number of tools required to understand a security event. • Depth of data shortens time to event scoping and containment. Impact Analysis • Automated correlation to drive events requiring investigation / remediation. • Shortens time to discovery. • Focuses security ops on remediation needs. Indicators of Compromise • Automated integration and elevation of critical events. • Expands the scope of threat vectors. • Shortens time to discovery. • Focuses security ops on remediation needs.
- 3. Context comes from knowing the hosts on your network
- 4. Understanding Impact Flags Intrusion Events Source / Destination IP Protocol (TCP/UDP) Source / Destination Port Service Snort ID IOC: Predefined Impact Host Profile [Outside Profile Range] [Host not yet profiled] IP Address Protocols Server Side Ports Client Side Ports User IDs Potential Vulnerabilities Services Client / Server Apps Operating System CVE 0 4 2 3 1 Action Why General info†† Event outside profiled networks Event occurred outside profiled networks Good information host is currently not known Previously unseen host within monitored network Good information event may not have connected Relevant port not open or protocol not in use Worth investigation. Host exposed. Relevant port or protocol in use but no vuln mapped Act immediately. Host vulnerable or compromised. Host vulnerable to attack or showing an IOC. †† If you have a fully profiled network this may be a critical event! Impact Flag
- 5. Indications of Compromise Leverage correlation of multiple event types, such as: • Impact 1 & 2 events • CNC connection events (IPS) • Compromise events (IPS) • Security Intelligence Events • AMP for Endpoint Events • AMP for Network • Includes some file events • Built in Cisco correlation rules Goal: 1. What needs to be fixed now! 2. Have enough data to know what can be prevented in the future.
- 6. Better Breach Investigations Differentiator Technical Outcome Business Outcome Threat Centric Forensics with Context • Breadth of event data (NGIPS, Application data, OS, File, Malware, Security Intelligence, Connection, etc.) provides more forensic data than any other single provider. • Faster investigation and security decision support. • More accurate event scoping; ie. Easily find every outcome from an event. Event details support your Order of Investigations • Event data interconnects to cross reference from one event to corollary incidents. • Allows security teams to focus on and mature best practice models. Host Profiles • Create a single “source of truth” regarding the outcome and current state of devices during a security event. • Quickly focuses analysts on the devices they are tasked to protect. • Accelerates scoping and remediation.
- 7. Stages of Incident Handling Preparation Identification Containment Eradication Recovery Lessons Learned SANS Institute • Decide on which events to focus on first • Drill into a specific event • Validate the breach • Leverage documentation • Leverage additional forensics • Explore your remediation options • Remediate • Automate as many decisions or actions as possible.
- 8. Order of Investigation† Remediation – Incident Response – Data Collection †may vary based on corporate priority Indication of Compromise You’ve been owned. Under Attack Research & Tuning Impact 0 Impact 1 Impact 2 - 3 Impact 4 “Critical Assets” Not Blocked Internal Source External Source Dropped BDA Correlation Rules Goal: Getting to Remediation
- 9. Identify Where to Start If this is all there was then the “Order of Investigation” is easy. From the FMC Dashboard
- 10. Identify Where to Start Indications of Compromise Is often a better place to start. If it was always so easy. From the FMC Context Explorer
- 11. What too many networks look like Some ways to choose • Look for Malware Executed (Endpoint AMP) • Dropper Infection (Endpoint AMP) • Threat detected in file transfer • CnC Connected Events • Shell Code Executed • Impact 1 (these were probably blocked) • Impact 2 (these were probably blocked) From the FMC Context Explorer Let’s see what these 63 events are all about.
- 12. Busy event. Looks like we’re getting more.
- 13. Seems active across 6 hosts. Let’s drill into one.
- 14. ✔ ✔ ✔ ✔ Looks like Kim Ralls has a lot going on her Windows host. Events from multiple sources: • IPS Engine • File Protection • AMP for Networks
- 15. • .147 Tried to send the file 5 times • .147 was sent the file once • IPS blocked it! (yeah!) • What does Impact 4 mean? • Should we investigate more?
- 16. ✔ Did you forget about these? Let’s see if that file moved around without the IPS seeing it. ✔ ✔ ✔
- 17. Yep. That file is malware We see it in the malware summary, too.
- 18. • A lot more than the 6 file transfers and hosts the IPS engine stopped. • Good thing they have AMP for Endpoints, too. • Bet they wished they enabled quarantining. • Problem scoped. Time to remediate. • Maybe a good time to look at file analysis / Threat Grid to learn what other artifacts are left behind. Take Away Be sure to look at every angle around an event. Try to tell the whole story and find every part of the issue.
- 19. The Impact 1s are gone – Let’s look at something else This looks interesting.
- 20. I know I have an Oracle server. Let’s look at the rule docs.
- 21. Assessment • Impact 2 : Destination host not vulnerable (consistent with the rule docs) • Impact 2 means this was a successful tcp connection • IPS Blocked the event • Source IP could well be compromised or it proxied an attack from another host. • Check out Connection Logs and Source IP Host Profile
- 22. Another Assessment from the other Admin priv attempts • Source IP all internal, Destination IP is external • Impact 3 because there are no Host Profiles on external hosts • Intrusion events SOURCED from my network are more important than Impact Scores • TCP detections means there was at least connection established. • These hosts definitely launched an attack. • Should take a closer look at the Source IP Host Profiles for potential compromise.
- 23. Assessment: This has has to be stopped!
- 24. Try to follow an Order of Investigation. (PICERL) Identification of events around an incident usually have multiple markers. IPS? Malware? Connection? File? Trajectory? Check all the related data. Impact and IOCs, are just a starting points. Keep in mind: Directionality of events (ie. Exfiltrating Events are worth looking at with even Impact 2, 3, and 4. Be sure to consider how the protocols work (ie. TCP – there was a connect, UDP connectionless) Take advantage of the documentation! Packet Data is great but not critical. Scoping a Breach
- 25. Security Automation Differentiation Differentiator Technical Outcome Business Outcome Recommended Rules • Ensures threat visibility specific to the network being monitored and protected. • False Negative Reduction • Reduces “Human Error” in ensuring comprehensive protection. • Automates Correlation Rules • Further reduces events from “requiring investigation” to “requires response” • Automation of event investigation practices. • Integrates business outcome with security practice. • Captures and automates security best practice (raises the level of security support staff) Remediation API • Cross Cisco and 3rd party interconnect • Automation of security response • FMC + ISE becomes the center of security infrastructure. • Automating remediation shortens time to a “return to business” state.
- 26. Recommended Rules alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; ) alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted- user; sid:32265; rev:1; ) Rule that will map to Recommended Rules Some rules will ALWAYS be turned off by Recommended Rules
- 27. Building a Correlation Rule Correlation Rule to: • Ensure only HTTPS traffic • Is used on port 443 • Is being initiated by a Host with a defined Location (host Attribute) is POS • And that the HTTPS traffic from the POS host is received on hosts in the PCI network. • Any traffic outside this profile will generate an event.
- 28. Automating Response – Remediation API Use Case 2 Sample Remediation Modules • Cisco ISE – FIRE & ISE • Guidance Encase • Set Host Attributes • Security Intelligence Blacklisting • Nmap Scan • SSH / Expect Scripts • F5 iRules • Solera DeepSee • Netscaler • PacketFence • Bradford Intrusion Events Discovery Events User Activity Host Inputs Connection Events Traffic Profiles MalwareEvent Correlation Rules Boolean Conditios Correlation Policies Correlation Rules Correlation Events Actions (API, Email, SNMP)
- 29. Reporting Differentiators Differentiator Technical Outcome Business Outcome Work Flows • Pivoting data views improves event investigation. • Custom workflows organizes data in ways that are meaning for to the organization. • Allows security investigations to align with business criticality. • Speeds analytics. Custom Tables • Allows for data integration across event types. • Significantly customizes reporting for different business and security requirements. • Allows sec ops to build comprehensive views into individual events. Dashboard focused reporting • Highly customizable dashboard with 100s of reporting options. • Integrates default and custom tables, workflows, and queries. • Organize event data into locally meaningful segments • Quickly build custom report templates. • Highly customizable reporting.
- 30. Create a Custom Workflow
- 31. Custom Table: Intrusion Event with Host Data
- 32. Not just what’s in the templates Dashboard widgets have almost 120 preset reports Customizing Widgets means thousands of reporting options. Think of the Dashboard as your report designer. Tools: Searches Custom Workflows Custom Tables <-- Data goldmine (can be performance impacting) Default Reports
- 33. Build Reports Straight from the Dashboard