Whether it’s the revered single pane of glass view in a SIEM or building an auto-containment workflow for compromised devices, Network Insight admins can use built-in integrators to take action quickly or build their own with the API. With SIEM for instance, what if the view is wrong or incomplete? This can cause the response teams to spend invaluable time looking for and/or chasing the wrong things. It’s critical to understand how to ingest the NI outputs into your SIEM to keep things flowing smoothly. In this session we will cover the two different types of feeds and ideas on how to best incorporate them into your SIEM workflow. This session will help responders understand the Network Insight SIEM output so they can quickly interpret it and build SIEM workflows and dashboards that get optimal results. Also covered will be use cases for Next Generation Firewall (NGFW), Network Access Control (NAC) and Proxy integrations.
2. LEARN MORE

Stephen Newman, SVP Products, Core Security & SecureAuth

-- ABSTRACT --

Whether it’s the revered single pane of glass view in a SIEM or building an auto-containment workflow for compromised devices, Network Insight admins can use built-in integrators to take action quickly or build their own with the API. With SIEM for instance, what if the view is wrong or incomplete? This can cause the response teams to spend invaluable time looking for and/or chasing the wrong things. It’s critical to understand how to ingest the NI outputs into your SIEM to keep things flowing smoothly.

In this session we will cover how to best integrate Network Insight with your SIEM as well as automate rapid response actions. Also covered will be use cases for Proxies, Next Generation Firewall (NGFW) and Endpoint Detection & Response (EDR) solutions.
4. Network Insight Interaction: Flexibility & Power

• SYSLOG: Delivers events in real time to SIEMs.
• READ-only DB: Alternative mechanism to pull all evidence & context from NI.
• API: REST-based API that allows the SIEM both to pull deep forensics from NI and to update ‘State’ on devices within NI from the SIEM.

Reference: Network Insight® 6.3 API Guide v.1.00
5. Network Insight Definitions

• Verdict: Network Insight’s decision whether a threat is present on a device or not.
  – Suspected: ‘Evidence’ exists, but not enough to be sure an infection is present.
  – Infected: ‘Evidence’ builds a strong case that an infection is present.
• Filter: An ability within SIEMs to roll up ‘Evidence’ to a specific ‘Event’.
• Evidence: Individual events delivered from Network Insight to a SIEM.
• Case: Hi-level notifications presented within the SIEM.
6. Scenario Timeline. Best Practice: Integrating NI into the IR Workflow (SOC Not Chasing Until Infection Is Certain)

Evidence 1: laptop01 > badguy.com > ThreatX
• NI marks laptop01 > Suspected > Verdict 10
• Evidence > SIEM > Connection Profiler
• SIEM, using a ‘Filter’ > SIEM creates a ‘Case’: laptop01 > ‘Suspected’ of ‘ThreatX’ > Score 10
• If the SOC clicks on the ‘Case’, they see the ‘Evidence’ details of the suspicious communication.

Evidence 2: laptop01 > terribleguy.com > ThreatX
• NI marks laptop01 > Suspected > Verdict 20
• Evidence > SIEM > Connection Profiler
• SIEM, using a ‘Filter’ > SIEM modifies the ‘Case’: laptop01 > ‘Suspected’ of ‘ThreatX’ > Score 20
• SOC > ‘Case’ > both pieces of ‘Evidence’ in chronological order

…

Evidence 12: laptop01 > 10+ connections > ThreatX; NI > Identifies Automation via ML
• NI marks laptop01 > Infected > Verdict 80
• Evidence > SIEM > Connection Profiler
• Evidence > SIEM > Automation Profiler
• SIEM, using a ‘Filter’ > SIEM modifies the ‘Case’: laptop01 > ‘Infected’ of ‘ThreatX’ > Score 80
• SOC Notified > Priority > ThreatX on laptop01
• SOC > ‘Case’ > all ‘Evidence’ in chronological order
• SOC > hyperlink > NI > forensics
7. Scenario: Data From NI To SIEM

Example ‘Case’ scenarios in SIEM:

+ laptop01 | ThreatX | Suspected | Verdict Score 10   [CONTEXT] [CORRELATION] [FS ASSET] [FS THREAT]
    Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp

+ laptop01 | ThreatX | Suspected | Verdict Score 20   [CONTEXT] [CORRELATION] [FS ASSET] [FS THREAT]
    Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data

+ laptop01 | ThreatX | Infected | Verdict Score 80   [CONTEXT] [CORRELATION] [FS ASSET] [FS THREAT]
    Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | badguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Connection Profiler | terribleguy.com | Completed Connection | Data In | Data Out | OS Type | Timestamp | Other NI Data
    Automation Profiler | Weakly Automated | Link NI | Data In | Data Out | OS Type | Timestamp | Other NI Data

Legend: “+” means you can expand the case to get the details of the “Evidence” below. [bracket] means a button that links to either SIEM Filtered Data or NI screens.
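The SIEM-side ‘Filter’ that slides 6 and 7 describe, as an added example (not code from the deck, Network Insight, or any SIEM): NI ‘Evidence’ events arriving over syslog are rolled up into one ‘Case’ per device and threat, the Case score follows NI’s verdict, and the SOC is notified only on the Suspected-to-Infected transition. The key=value syslog layout and the sample lines are constructed for this example and are not NI’s documented format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Network Insight 'Evidence' events as they might arrive
# over syslog. The key=value layout is an assumption made for this example; NI's
# real syslog format is documented in the API guide, not on this page.
SAMPLE_SYSLOG = """\
2016-05-01T10:00:00Z ni profiler=ConnectionProfiler device=laptop01 dest=badguy.com threat=ThreatX state=Suspected verdict=10 conn=Completed
2016-05-01T10:05:00Z ni profiler=ConnectionProfiler device=laptop01 dest=terribleguy.com threat=ThreatX state=Suspected verdict=20 conn=Completed
2016-05-01T10:40:00Z ni profiler=AutomationProfiler device=laptop01 dest=- threat=ThreatX state=Infected verdict=80 conn=-
2016-05-01T10:41:00Z ni profiler=ConnectionProfiler device=desk07 dest=badguy.com threat=ThreatX state=Suspected verdict=10 conn=ProxyBlocked
"""

FIELD = re.compile(r"(\w+)=(\S+)")

@dataclass
class Case:
    """The SIEM-side 'Case': one roll-up per (device, threat), holding its Evidence."""
    device: str
    threat: str
    state: str = "Suspected"
    score: int = 0
    evidence: list = field(default_factory=list)  # kept in arrival (chronological) order

def parse_evidence(line):
    """Split one syslog line into its timestamp and key=value fields."""
    ts, _host, rest = line.split(" ", 2)
    ev = dict(FIELD.findall(rest))
    ev["ts"] = ts
    ev["verdict"] = int(ev["verdict"])
    return ev

def roll_up(syslog_text):
    """The SIEM 'Filter': fold each Evidence event into its Case. Returns the
    cases plus the SOC notifications, which fire only on the Suspected -> Infected
    transition so the SOC is not chasing a device until NI is certain."""
    cases, notifications = {}, []
    for line in syslog_text.splitlines():
        ev = parse_evidence(line)
        key = (ev["device"], ev["threat"])
        case = cases.setdefault(key, Case(ev["device"], ev["threat"]))
        case.evidence.append(ev)
        case.score = ev["verdict"]  # the Case score is NI's latest verdict, not a SIEM-side sum
        previous, case.state = case.state, ev["state"]
        if previous != "Infected" and case.state == "Infected":
            notifications.append(f"Priority: {case.threat} on {case.device}")
    return cases, notifications
```

Expanding a Case in the SIEM corresponds to reading `case.evidence`, which preserves the order the evidence arrived in.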
8. Incident Validation. Best Practice: Maximizing Strengths of NI & SIEMs

INCIDENT: SOC Notified > Priority > ThreatX on laptop01

• Yes: SOC agrees the device is infected > proceeds to response actions.
• Maybe: SOC unsure the device is infected > correlates with events from other solutions.
• No: SOC disagrees the device is infected > SOC closes the case; NI is updated, but keeps history.
9. Incident: Yes > Response Action

To identify the correct response action, the SOC member needs ‘Context’. The SIEM can be set up to automatically gather & present context when “Infected” status is achieved.

From NI | From Other Solutions
Hostname | User / Account Details
MAC | AV Status / DAT Status
List of IP Addresses | List of Vulnerabilities on Device
Geo Location of C&C Traffic | User Group
Status of Connections to C&C (Completed, Proxy Blocked, Blocked, Dropped, Failed) | Device Location
Data in from Threat Actor | GRC Policies
Data out from Threat Actor | Device Type
Threat Actor TTPs | Device OS
Device OS | Proxy Logs
Device Category |
NI Risk Score |

Rapid Response
10. Incident: Maybe > Response Action

SOC member investigates further > hyperlink to NI for in-depth forensics including PCAPs. The SIEM can be set up to automatically gather & present context when “Infected” status is achieved.

From NI | From Other Solutions
Hostname | User / Account Details
MAC | AV Status / DAT Status
List of IP Addresses | List of Vulnerabilities on Device
Geo Location of C&C Traffic | User Group
Status of Connections to C&C (Completed, Proxy Blocked, Blocked, Dropped, Failed) | Device Location
Data in from Threat Actor | GRC Policies
Data out from Threat Actor | Device Type
Threat Actor TTPs | Device OS
Device OS | Proxy Logs
Device Category |
NI Risk Score |

Rapid Investigation
11. Incident: No > Response Action

• SOC member marks the case closed.
• SIEM > NI API > marks the case closed in NI.
• NI retains history in the event other evidence becomes available.

Rapid Dismissal
12. Automated Response. Best Practice: Rules of Engagement

Matrix axes: CONFIDENCE (Observed / Suspected / Infected) against IMPACT / “RISK of DAMAGE” (LOW / HIGH). Cells recoverable from the slide: NO RESPONSE, CONTINUE MONITORING (one cell); AUTOMATE RESPONSE, CONTINUE MONITORING (two cells).

SUSPECTED STATE AUTOMATED ACTIONS
• ENFORCE ADAPTIVE AUTHENTICATION FOR ACCOUNTS
• RESTRICT DEVICE ACCESS TO SENSITIVE DATA
• FORCE AV UPDATE AND SCAN
• INITIATE LIGHT FORENSIC SCAN OF DEVICE
• INCREASE LOGGING
• CREATE WORKFLOW TICKET

INFECTED STATE AUTOMATED ACTIONS
• REMOVE ENTITLEMENTS
• QUARANTINE DEVICE TO SECURITY ZONE
• INITIATE DEEP FORENSIC SCAN OF DEVICE
• KILL SUSPECTED PROCESSES
• LAUNCH INCIDENT INVESTIGATION
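The rules-of-engagement matrix as a small policy step a SIEM or SOAR playbook could run, added here as an example and not code from the deck or any product. The slide gives the two axes and the two action lists but not which cell is which, so the cell assignment (Infected automates on any asset, Suspected only on HIGH-impact assets, everything else keeps monitoring) and the `ASSET_IMPACT` inventory are assumptions for illustration. The ledger makes a Suspected-to-Infected escalation run only the newly required actions.

```python
# Suspected-state and Infected-state automated actions, as listed on the slide.
SUSPECTED_ACTIONS = [
    "enforce adaptive authentication for accounts",
    "restrict device access to sensitive data",
    "force AV update and scan",
    "initiate light forensic scan of device",
    "increase logging",
    "create workflow ticket",
]
INFECTED_ACTIONS = [
    "remove entitlements",
    "quarantine device to security zone",
    "initiate deep forensic scan of device",
    "kill suspected processes",
    "launch incident investigation",
]

# Assumption: impact tiers come from the SIEM's asset inventory; constructed here.
# Unknown devices default to LOW so a missing inventory entry never triggers
# an automated action on its own.
ASSET_IMPACT = {"laptop01": "HIGH", "kiosk03": "LOW"}

def plan_actions(state, impact):
    """One cell of the confidence x impact matrix. Assumption: Infected automates
    on any tier; Suspected automates only for HIGH impact; otherwise no response,
    continue monitoring."""
    if state == "Infected":
        return SUSPECTED_ACTIONS + INFECTED_ACTIONS
    if state == "Suspected" and impact == "HIGH":
        return SUSPECTED_ACTIONS
    return []

def escalate(device, new_state, ledger):
    """Return the actions to run now for `device`. `ledger` maps device -> set of
    actions already executed, so a Suspected -> Infected transition adds only the
    Infected-state actions and a repeated verdict adds nothing."""
    done = ledger.setdefault(device, set())
    impact = ASSET_IMPACT.get(device, "LOW")
    planned = [a for a in plan_actions(new_state, impact) if a not in done]
    done.update(planned)
    return planned
```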
14. Blue Coat Integration

Diagram components: Internal Network; Network Insight (Tap or SPAN Port); ProxySG; Blue Coat Global Intelligence Network.

1. Network Insight > Discovers infected device, suspected device, or active C&C domains.
2. Network Insight > Dynamically publishes CPL file via Management Console URL.
3. ProxySG > Automatically checks the Damballa CPL file for updated infected, suspected, and C&C domains.
4. ProxySG > Enforces policies to take action. Example: block internet access for infected device, block attempted communications with bad C&C domains by infected device, etc.
15. Palo Alto Networks Integration

Diagram components: Internal Network; Network Insight (Tap or SPAN Port); PAN.

1. Network Insight > discovers infected device, suspected device, and/or active C&C domains.
2. Network Insight > notifies the Dynamic Block List of device state and identified C&C communication attempts.
3. PAN > implements policies based on device state (suspected or infected) information (i.e. block infected assets from communicating to the internet and/or high-value assets, enhance logging on suspected assets).
4. PAN > blocks active C&C communication attempts identified by Network Insight.
16. Carbon Black Integration

Diagram components: Internet; Endpoints; NGFW; Carbon Black; Network Insight; Breach Response Team.

1. NETWORK INSIGHT IDENTIFIES MALICIOUS BEHAVIORS IN C&C ACTIVITY (AUTOMATION | FLUXING | P2P | HTTP REQUESTS)
2. NETWORK INSIGHT PASSES VERDICT OF INFECTED (VERDICT: INFECTED)
3. NETWORK INSIGHT QUESTIONS CARBON BLACK FOR PROCESS OF OBSERVED NETWORK COMMUNICATIONS
4. CARBON BLACK IDENTIFIES PROCESS AND CORRESPONDING FILE ON INFECTED HOST FOR BREACH RESPONSE TEAM