[00:00:06] There are tons of elements and sources of security event information, right? So here I'm actually showing a list of the most common artifact elements found in security events, right.

[00:00:18] Now, source and destination IP addresses are usually shown in network security events, right? So here I'm actually showing the intrusion events panel of the summary dashboard of the Cisco FirePOWER Management Center, or the FMC. And here, you can actually see the top attackers and the top IP targets, or the top target IP addresses.

[00:00:40] Now here, I'm actually showing a more detailed list of events in the Cisco FMC showing the source and destination IP addresses of each system involved in each event, right? So that's one of the beauties of the FMC: you know, of course you can actually drill down through any events that you actually may see and, you know, get more detailed information, you know, about those events, right, so.

[00:01:07] Now here I'm actually showing something different, right? So here I'm showing the Cisco ASA logs in the Cisco Adaptive Security Device Manager, or ASDM, right. So it's one of the legacy tools for the Cisco ASA that, you know, can be used to configure and also to monitor the specific Cisco ASA. Now you can see that all the logs are actually mostly around the five-tuple concept, right? So source and destination IP addresses, source and destination ports, and protocols.

[00:01:38] Now services are also part of many security event logs. Here, I'm actually showing the Cisco ASDM firewall dashboard and you can see statistics about the top services and top destinations under attack, right.

[00:01:54] Now, security threat intelligence is extremely useful when correlating events and also for you to gain an insight of what known threats are in your network. Now here, you can actually see different security threat intelligence events in the Cisco FMC, right? And all this threat intelligence is actually provided by Cisco, and specifically the Cisco Talos research organization.

[00:02:20] Now, DNS intelligence and URL reputation are also used in many security solutions like the FirePOWER appliances, right. It is also actually used in FirePOWER Threat Defense, which is actually that combined image between the ASA and the legacy FirePOWER, and also the Cisco web and email security appliances as well. Right? So then there are several other entities within Cisco that actually, you know, use DNS intelligence and URL reputation as well. Here I'm actually showing many security events in the Cisco FMC that list several communications to known malicious command and control servers, or what we call CNCs, based on DNS intelligence.

[00:03:02] Now file hashes are also part of many security event logs. For example, the Cisco Advanced Malware Protection, or AMP, for Networks and Cisco AMP for Endpoints, they examine, record and track, right? And even send files to the cloud to actually know what is actually the disposition of that file, to see if actually that file is actually malware. So Cisco AMP for Networks actually creates a SHA-256 hash of the file and then it compares it to the local file cache. Now, if the hash is actually not in the local cache, then it queries the Cisco, you know, FMC. And the Cisco FMC actually has its own cache of all these hashes, you know, all the hashes that it actually has seen before. And if it actually hasn't seen that hash or that file, then it queries the cloud, right? So it queries the Cisco cloud.

[00:03:59] Now this is a little bit different than AMP for Endpoints. So, AMP for Endpoints, when a file is actually new, it can be analyzed locally and doesn't have to be actually sent to the cloud for analysis, right? Also, the file is examined and stopped in flight, right? As it actually traverses the appliance. It is very important to note that only the SHA-256 hash is actually sent, unless you actually configure a policy to actually send the file for further analysis, and specifically to be sent to a sandbox. And, you know, this capability for sandboxing is now possible at Cisco because of an acquisition of a company called Threat Grid, right? That's just for your reference.

[00:04:45] Now here I'm actually showing the Cisco AMP for Endpoints console. You can see a file which is actually determined to be malware, right? There you can actually see that SHA-256 hash, or the fingerprint of the actual file itself.

[00:05:03] Now Cisco AMP can also provide retrospective analysis. The Cisco AMP for Networks appliance keeps data from what actually occurred in the past, and when a file's disposition is changed, the, you know, Cisco AMP provides a historical analysis of what actually happened, right? And also traces back the incident and the infection, you know, throughout the network and throughout the systems. Now with the help of Cisco AMP for Endpoints, retrospection can actually reach out to that host and then remediate the bad file, even though the file was actually permitted in the past, right? So that's actually a beauty of the combination of Cisco AMP for Networks and Cisco AMP for Endpoints, to actually be able to do that type of remediation. And this is a lot different and a lot better than traditional antivirus and even network antivirus technologies in the past, right?

[00:06:06] Here I'm actually showing the retrospective analysis capabilities of the Cisco FirePOWER management console. And you can actually see the network file trajectory, as I'm actually showing in here as well. And to view this screen, you can just, you know, navigate to Analysis > Files > Network File Trajectory, right? You can also access a file trajectory from the Context Explorer dashboard or event views, you know, within the file information, right? So now you can also search for a specific SHA-256 hash value. You can also search by host IP addresses or the name of a file that you actually want to track.

[00:06:47] Now on the trajectory map, you can locate the first time a file event occurred involving an IP address, right? This highlights a path to that data point, as well as any intervening, you know, file events and IP addresses related to the first file event. You can also click on any data point to highlight a path that includes all data points related to the selected path, or to the selected data point, tracking the actual file progress through the network, right?

[00:07:21] Now another thing that you may have to become familiar with is to actually parse data and to perform incident analysis with regular expressions.

[00:07:33] So again, for your reference, if you're not familiar with the basic concepts of regular expressions, I definitely, you know, invite you to actually visit, you know, these resources, and I'm including just a few here. There are many, many others, you know, out in, of course, the internet. The first one here is actually MIT's regex cheat sheet, which is actually, you know, fairly useful. There's another, you know, Regexp Security Cheat Sheet available on GitHub, and also, you know, the third link actually includes some other information about regular expressions as well.