How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Just Some Security Guy
• William Young
• Security Solutions Architect, Cisco
• 27 Years in Security
• 14 Years working with “Sourcefire” / “Firepower”
• Focus areas:
• Security Operations
• Policy & Compliance
• Threat Forensics and Investigation
• Hacker: Or just some guy that breaks stuff
BRKSEC-2058 © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 5
Cisco Firepower Sessions
• BRKSEC-2050: Deploying AnyConnect SSL VPN with ASA (and Firepower Threat Defense)
• BRKSEC-2051: Firepower NGFW Internet Edge Deployment Scenarios
• BRKSEC-2058 (Tuesday): A Deep Dive into using the Firepower Manager
Do You Really Know Firepower Manager?
• A policy configuration tool for NGFW / NGIPS
• A quick way to see the context / composition of your network
• A tool to “check on” your threat events
Data Correlation & Organisation is Critical
[Diagram: event sources that must be correlated – All Events, Intrusion Events, IOCs, OS, DNS, Version, Activity, Local Vuln Data]
Data Correlation & Organisation is Critical
WHY?
• Most SOCs fail or keep getting “re-invented”
• Good Security Analysts are hard to find/keep and are expensive
Stages: Analysis, Organisation, Filtration, Correlation, Relatedness, Intelligence, Integration
Firepower Is More Than Just “Threat Protection”
Agenda: Why FMC – Event Context – Security Investigation – Reporting – Integration – Automation – Healthy Deployments – Closing
Event Source Matters
Understanding Data vs. Misunderstood Data
Visual Guide to Firepower Event Sources
[Diagram: Host Profiles, Host Attributes, Servers, Applications, Application Details, File Info, File Trajectory, Indications of Compromise]
Supplemental Data:
• Geo IP Data
• CVE / Vuln Data
• IP Reputation Data
• URL Data
The Host Profile: End Point Context
[Screenshot: host profile, Applications section]
Host Profile: Under the Hood
Host Profile: Network Discovery Placement
Host Profile: Create Your Own Attributes
• Attribute types: Text Label, URL, Integer Range, List of Labels based on current IP
• Update: Manually, via Host Input API, via Remediation API
Host Profile: Tuning IOCs
Host Profile: Vulnerability Mappings
IPS Events (Snort®)
Myth: “Vuln Scans make better Impact Scores”
Host Profiles inform Impact Analysis
IPS (Snort®) Events & Impact Analysis
Understand How Intrusion Events Work
Understanding Detection Conditions is Important
Understanding Snort® Rule Directionality
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC SambaCry ransomware download attempt"; flow:to_server,established; urilen:9; content:"/minerd32"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,www.virustotal.com/en/file/ef7ee620ce09cd8edca81dc7866fbe87405c4a8ac88f985ac350269d8d081073/analysis/; classtype:trojan-activity; sid:45472; rev:1; gid:1; )
Callout on $HOME_NET -> $EXTERNAL_NET: Outbound: Indication of Compromise
NOTE: Make sure your $Variables are appropriate for where your detection is placed.
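What the NOTE above means in practice, as an added example written for this page (not code from the session or from Cisco): the header of the SambaCry rule is evaluated against a few constructed flows under a tuned variable set and under the untouched default, where $HOME_NET is any. Only the rule header is modelled; options such as flow:to_server are ignored. The variable values, the sample flows and the function names are all assumptions.

```python
import ipaddress

# Constructed sample: the header of the SambaCry rule on the slide, and two variable
# sets. VARIABLES_TUNED is what a tuned variable set looks like; VARIABLES_DEFAULT is
# the untouched default, where $HOME_NET (and therefore $EXTERNAL_NET) is "any".
RULE_HEADER = "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS"

VARIABLES_TUNED = {
    "HOME_NET": ["10.0.0.0/8", "192.168.0.0/16"],
    "EXTERNAL_NET": "!$HOME_NET",      # negation of HOME_NET, as in Snort
    "HTTP_PORTS": [80, 8080],
}
VARIABLES_DEFAULT = {"HOME_NET": "any", "EXTERNAL_NET": "any", "HTTP_PORTS": [80, 8080]}

# Constructed flows: (src_ip, src_port, dst_ip, dst_port)
SAMPLE_FLOWS = {
    "outbound": ("10.1.2.3", 51000, "203.0.113.10", 80),   # inside -> internet
    "inbound": ("203.0.113.10", 51000, "10.1.2.3", 80),    # internet -> inside
    "lateral": ("10.1.2.3", 51000, "192.168.5.5", 80),     # inside -> inside
}


def parse_header(header):
    """Split a Snort rule header into its seven positional fields."""
    action, proto, src, sport, direction, dst, dport = header.split()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport}


def ip_in(spec, ip, variables):
    """True if ip is covered by spec: 'any', '$VAR', '!<spec>', a CIDR or a list of CIDRs."""
    if isinstance(spec, str):
        if spec == "any":
            return True
        if spec.startswith("!"):
            return not ip_in(spec[1:], ip, variables)
        if spec.startswith("$"):
            return ip_in(variables[spec[1:]], ip, variables)
        spec = [spec]                      # a single CIDR literal
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in spec)


def port_in(spec, port, variables):
    """True if port is covered by spec: 'any', '$VAR' (a list of ports) or a literal."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        return port in variables[spec[1:]]
    return port == int(spec)


def header_matches(header, flow, variables):
    """Does the header match this flow? '<>' headers are checked in both directions."""
    h = parse_header(header)
    src_ip, src_port, dst_ip, dst_port = flow

    def one_way(a_ip, a_port, b_ip, b_port):
        return (ip_in(h["src"], a_ip, variables) and port_in(h["sport"], a_port, variables)
                and ip_in(h["dst"], b_ip, variables) and port_in(h["dport"], b_port, variables))

    if one_way(src_ip, src_port, dst_ip, dst_port):
        return True
    return h["direction"] == "<>" and one_way(dst_ip, dst_port, src_ip, src_port)


def evaluate(variables):
    """Which of the sample flows the header matches under a given variable set."""
    return {name: header_matches(RULE_HEADER, flow, variables)
            for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, variables in (("tuned", VARIABLES_TUNED), ("default", VARIABLES_DEFAULT)):
        print(label, evaluate(variables))
```

With the tuned variable set only the outbound flow matches, which is what the "Outbound: Indication of Compromise" callout relies on; with the default set all three flows match, so the direction of the header no longer tells the analyst anything about which host initiated the download.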
Understanding Impact Flags
Intrusion Event fields: Source / Destination IP, Protocol (TCP/UDP), Source / Destination Port, Snort ID, IOC: Predefined Impact
Host Profile fields: IP Address, User IDs, Protocols, Client / Server Apps, Operating System, Potential Vulnerabilities
Impact Flag – Host Profile – Action – Why:
• 0 – [Outside Profile Range] / [Host not yet profiled] – General info†† – Event occurred
• 4 – Previously unseen host – Good information – Host is currently not known within the monitored network
• 3 – Server Side Ports – Good information – Relevant port not …
• 2 – Service / Client Side Ports / Services
• 1 – CVE, Operating System – Act immediately. Host vulnerable or compromised. – Host vulnerable to attack or showing an IOC.
†† If you have a fully profiled network this may be a critical event!
Impact Flag Logic + Snort® Config + Your Network = Better Threat Hunting
Callout: Ignore Impact Flag Definitions in the Docs
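The impact flag logic the two slides above lay out (intrusion event fields joined against the host profile), as an added example that is not Cisco's implementation: a constructed host table and a constructed rule-to-CVE map stand in for network discovery and the vulnerability mapping, and metadata:impact_flag red is assumed to take precedence over the profile lookup. The host data, events and function names are assumptions; sids 32265 and 45472 are the rules shown on the slides.

```python
import ipaddress
from collections import Counter

MONITORED = ["10.1.0.0/16"]        # constructed network-discovery range

# Constructed host profiles for hosts FMC has seen inside the monitored range.
HOSTS = {
    "10.1.1.20": {"os": "Windows", "protocols": {"tcp"}, "server_ports": {445, 3389},
                  "client_ports": set(), "vulns": {"CVE-2017-0144"}, "ioc": False},
    "10.1.1.30": {"os": "Linux", "protocols": {"tcp"}, "server_ports": {22},
                  "client_ports": {80, 443}, "vulns": set(), "ioc": False},
    "10.1.1.40": {"os": "Windows", "protocols": {"tcp", "udp"}, "server_ports": {80},
                  "client_ports": set(), "vulns": set(), "ioc": True},
}

# Constructed stand-in for the rule-to-vulnerability mapping FMC derives from
# reference:cve tags. sid 1000001 is a made-up local rule.
RULE_CVES = {32265: {"CVE-2014-4123"}, 45472: set(), 1000001: {"CVE-2017-0144"}}

# Constructed intrusion events. target_ip is the host the rule's direction points at.
EVENTS = [
    {"id": "e1", "sid": 1000001, "target_ip": "10.1.1.20", "proto": "tcp", "port": 445},
    {"id": "e2", "sid": 32265, "target_ip": "10.1.1.30", "proto": "tcp", "port": 25},
    {"id": "e3", "sid": 32265, "target_ip": "10.1.1.30", "proto": "tcp", "port": 443},
    {"id": "e4", "sid": 32265, "target_ip": "10.1.1.99", "proto": "tcp", "port": 25},
    {"id": "e5", "sid": 32265, "target_ip": "203.0.113.5", "proto": "tcp", "port": 25},
    {"id": "e6", "sid": 45472, "target_ip": "10.1.1.40", "proto": "tcp", "port": 80,
     "predefined_red": True},
]


def in_monitored(ip, monitored=MONITORED):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in monitored)


def impact_flag(event, hosts=HOSTS, monitored=MONITORED, rule_cves=RULE_CVES):
    """Impact level 0-4 for one intrusion event, following the slide's rows."""
    # metadata:impact_flag red gives the rule a predefined impact; assumed here to
    # take precedence over the host-profile lookup.
    if event.get("predefined_red"):
        return 1
    ip = event["target_ip"]
    if not in_monitored(ip, monitored):
        return 0                      # outside the profiled range: nothing to correlate
    host = hosts.get(ip)
    if host is None:
        return 4                      # in the monitored range, but never seen before
    if host["ioc"] or (rule_cves.get(event["sid"], set()) & host["vulns"]):
        return 1                      # vulnerable to this rule's CVE, or showing an IOC
    port_relevant = (event["proto"] in host["protocols"]
                     and event["port"] in (host["server_ports"] | host["client_ports"]))
    return 2 if port_relevant else 3  # 2: service present; 3: port not in use on host


def triage(events=EVENTS):
    """Map event id -> impact flag."""
    return {e["id"]: impact_flag(e) for e in events}


def summarise(events=EVENTS):
    """How many events landed in each impact level, sorted by level."""
    return dict(sorted(Counter(triage(events).values()).items()))


if __name__ == "__main__":
    for event_id, flag in triage().items():
        print(event_id, "impact", flag)
    print(summarise())
```

Event e5 shows why the †† note matters: the target is outside the discovery range, so the flag is 0 regardless of what the rule saw, and on a fully profiled network that is itself the anomaly worth looking at.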
Sample Mapping of FMC Events to Kill Chain
Kill chain stages: Recon -> Weaponise -> Deliver -> Exploit -> Install -> Command & Control -> Action
FMC event types placed against them: User Activity, Intrusion Events, Connection Events, Custom Correlation Events, Security Intelligence
Order of Investigation†
Remediation – Incident Response – Data Collection
You’ve been Owned! -> Under Attack -> Research & Tuning
Priority order: Indication of Compromise, Impact 0, Impact 1, Impact 3 (then 2), Impact 4
Further filters shown: “Critical Assets”, Not Blocked, Internal Source, External Source, Correlation, Dropped Rules
This Is What Most Of Our Networks Look Like.
Some ways to choose
• Look for Malware Executed (Endpoint AMP)
• Dropper Infection (Endpoint AMP)
• Threat detected in file transfer
• CNC Connected Events
• Shell Code Executed
• Impact 1 (these were probably blocked)
• Impact 2 (these were probably blocked)
Drilling into the IOC
Digging into the IOC
Looks like Kim Ralls has a lot going on her Windows host.
• .147 tried to send the file 5 times
• .147 was sent the file once
• IPS blocked it! (yeah)
• What does Impact 4 mean?
• Should we investigate more?
Did you forget about these?
Yep. That file is malware. We see it in the malware summary, too.
• A lot more than the 6 file transfers and hosts the IPS engine stopped.
Good SecOps is Thorough
OODA Loop: Capture Events -> … -> Remediate
Looking at an Impact 3 Attempt
Breached? Follow an Order of Operations
• Multiple Event Vectors
• Mission/Op Critical Event
• Check all the related data
• Directionality
• Protocol: TCP / UDP?
Default Reports
• Not just what’s in the templates
• Dashboard widgets are “mini”-reports
• Over 120 preset reports within a widget
• Create custom Widgets for more
• Think of the Dashboard as your unlimited report designer.
• Tools: Searches, Custom Workflows, Custom Tables = Data goldmine
Event Viewing
• Tables: Listing of events with a data set (IPS, Connection, Malware, etc.)
Workflows
A Default Event View
A Default View
Changing The View Helps Focus Analysis
Create a Custom Workflow
How It Turned Out
GEEK Tip: Bookmark these in your browser!
Remember order of investigation
Actionable Data: Hosts .52, .56, and .111 need to be investigated!
Custom Tables
Building Custom Tables: Intrusion Events + Host Data
Custom Table: Intrusion Event with Host Data
Custom tables can even have their own workflows
Custom Table: Includes Custom Filters
Leveraging the Dashboard
Customise The Dashboard
Custom Analysis Widget: This is your most powerful widget
Dashboards That Meet Your Needs: Threat Focused
Dashboards That Meet Your Needs: Network Focused
Build Reports Straight from the Dashboard
Interesting Data for Filtering: Potential “new” Threat
Widgets shown: List Int. Source IP, List Ext. Source IP, List Int. Source IP, List Int. Source IP, List Int. Source IP
APIs Open Firepower to Orchestration
[Diagram: Firepower Management Centre at the centre, connected to NGIPS, NGFW, AMP for Endpoints, AMP Threatgrid, Web Security, Email Security, Umbrella, Investigate, DNS, ISE, Stealthwatch, Tetration, AD, Logging, SEIM, Orchestration, 3rd Party Threat Intelligence and 3rd Party Vuln Data]
Labelled flows: Sending Data to SEIM; API transaction; Identity from ISE
APIs For Firepower
• E-Streamer: Transmission of 100% of the FMC event database to the SEIM. Sensor (generates events) -> FMC -> FMC additional analytics / aggregation / custom correlation events -> all original and additional events to the SEIM. Much richer data than syslog.
• Host Input: Customise Host Profile data, policy-oriented labels, CVE data, etc. Programmatically insert data into FMC for use with Impact Analysis and Firepower Recommendations.
• JDBC: Direct query access to the event database, rule documentation, host profile tables, etc. Allows an external system to supplement the data available in FMC for a common or central dashboard (Splunk).
• Remediation: Programmatic interface for FMC to initiate command instructions to other devices. Threat-Centric NAC (with ISE), Host Profile modification, 3rd party product introduction.
• REST: Programmatic interface for GET, PUT, and PUSH commands with Firepower devices. Command summary on next slide.
Estreamer API
Estreamer: Easy Setup (to SEIM)
Host Input API
Enabling a Host Input
JDBC Connector
• Programmatic integration: Splunk, Huntsman, Phantom Cyber
Remediation API
Automating Response – Remediation API
Inputs: Intrusion Events, Discovery Events, User Activity, Host Inputs, Connection Events, Traffic Profiles, Malware Events, Correlation Rules
Flow: Correlation Rules (Boolean Conditions) -> Correlation Policies -> Correlation Events -> Actions (API, Email, SNMP)
ISE + Firepower = Rapid Threat Containment
[Diagram: i-Net / WWW -> NGFW -> FMC -> ISE (Controller, MnT) -> endpoint]
1. Security Events / IOCs Reported (NGFW -> FMC)
2. Correlation Rules Trigger Remediation Action (FMC)
3. pxGrid EPS: Action: Quarantine + Re-Auth (FMC -> ISE)
4. Endpoint Assigned Quarantine + CoA-Reauth Sent (ISE -> endpoint)
Remediation Modules
Configure Rapid Threat Containment
Open the System:Integration page
Be sure to assign the action to a Correlation Rule within a Correlation Policy
REST API
REST: Turning It On
• Platform Status
Explore REST: https://<FMC_IP>:443/api/api-explorer
Tip: This is a great way to update firewall objects!
Integration Example: Working with Splunk
[Diagram: FP Sensors -> FMC -> Splunk, with these feeds]
• Syslog (FMC -> Splunk): Event messages, System level information, Health Events (FMC & Sensor)
• E-streamer: Contextualised event messages, AMP for Endpoints Events, Host Profile, Misc
• JDBC: Snort Rule Docs, DB Queries
• FMC REST API: get, pull, post, delete instructions
• Sensor-FMC: Event messages, health data
• Syslog (FP Sensors -> Splunk): Event messages **, System level information
Recommended Rules
False Negatives Mean You Are NOT Protected
Too many exploits succeed because:
• Systems aren’t patched
• Detections aren’t enabled
• Attackers succeed with “old” exploits (Verizon Data Breach Report(s), Cisco Annual Security Report(s))
Cause -> Resolution:
• Event Overload! -> Impact Analysis
• Tuning Failures -> Understanding Detection Tools
• Detections Disabled -> Knowing What Needs Protection
Firepower Recommendations Knows What I Do Not
Recommended Rules – How It Works
Snort Rules -> SVID -> Possible Vuln
SID: 33306 – BLACKLIST: Connection to a malware sinkhole.
Recommended Rules – The Details
Callout: Rule that will map to Recommended Rules
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer broker object sandbox escape attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, service smtp; reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/ms14-056; classtype:attempted-user; sid:32265; rev:1; )
Callout: Not all rules have a CVE!
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; classtype:trojan-activity; sid:33306; rev:1; )
Callout: Rules disabling by default
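How a rule gets from Snort rule to host via its reference:cve tags, and why the sinkhole rule cannot be mapped that way, as an added example rather than FMC's own recommendation engine: the two rules from the slide are parsed and their CVE references compared against constructed host vulnerability lists. The host data, the parser and the function names are assumptions; the rule text is as shown on the slide.

```python
# The two rules from the slide, joined onto single lines.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE ActiveX installer '
    'broker object sandbox escape attempt"; flow:to_server,established; '
    'flowbits:isset,file.exe; file_data; content:"|55 8B EC 6A FF 68 A8 31 01 10 64 A1 00 00 '
    '00 00 50 83 EC 0C A1 20 B0 01 10 33 C5 89 45 F0 56 50|"; fast_pattern:only; '
    'metadata:policy balanced-ips drop, policy security-ips drop, service smtp; '
    'reference:cve,2014-4123; reference:url,technet.microsoft.com/en-us/security/bulletin/'
    'ms14-056; classtype:attempted-user; sid:32265; rev:1; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLACKLIST Connection to malware '
    'sinkhole"; flow:to_client,established; dsize:22; content:"Sinkholed by abuse.ch|0A|"; '
    'fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy '
    'security-ips drop, service http; reference:url,en.wikipedia.org/wiki/Sinkhole_Server; '
    'classtype:trojan-activity; sid:33306; rev:1; )',
]

# Constructed host profile vulnerability lists (FMC's Potential Vulnerabilities).
HOST_VULNS = {
    "10.1.1.20": {"CVE-2014-4123", "CVE-2017-0144"},
    "10.1.1.30": {"CVE-2017-0144"},
}


def parse_options(rule):
    """Split the option body into (keyword, value) pairs, honouring quoted strings.
    Escaped quotes inside content strings are not handled (none occur here)."""
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    pieces, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            pieces.append("".join(current))
            current = []
        else:
            current.append(ch)
    if "".join(current).strip():
        pieces.append("".join(current))
    options = []
    for piece in pieces:
        key, _, value = piece.strip().partition(":")
        options.append((key.strip(), value.strip()))
    return options


def rule_sid(rule):
    return int(next(value for key, value in parse_options(rule) if key == "sid"))


def rule_cves(rule):
    """CVE identifiers the rule references, normalised to CVE-YYYY-NNNN."""
    return {"CVE-" + value.split(",", 1)[1].strip()
            for key, value in parse_options(rule)
            if key == "reference" and value.lower().startswith("cve,")}


def has_predefined_impact(rule):
    """True for rules carrying metadata:impact_flag red (the sinkhole rule does)."""
    return any(key == "metadata" and "impact_flag red" in value
               for key, value in parse_options(rule))


def recommend(rules=RULES, host_vulns=HOST_VULNS):
    """Return ({sid: hosts whose profile lists a CVE the rule covers}, [sids with no CVE])."""
    recommended, unmappable = {}, []
    for rule in rules:
        sid, cves = rule_sid(rule), rule_cves(rule)
        if not cves:
            unmappable.append(sid)
            continue
        hits = sorted(ip for ip, vulns in host_vulns.items() if vulns & cves)
        if hits:
            recommended[sid] = hits
    return recommended, unmappable


if __name__ == "__main__":
    print(recommend())
```

The sinkhole rule ends up in the unmappable list: it has no CVE to match against a host profile, so a recommendation pass driven purely by vulnerability mapping says nothing about it, even though its impact_flag red metadata marks it as an indicator worth keeping enabled.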
Recommended Rules
[Diagram: the BROWSER-IE rule above (sid:32265) -> 10 events -> 3 Events -> Email / Syslog / SNMP / Remediation Module]
Correlation Rules Go Into Correlation Policies
Building a Correlation Rule
Sample Correlation Rule
Correlation Rule to:
• Ensure only HTTPS traffic is used on port 443
Correlation Rule Example: Production Network Change
Example: Production Network Change is Exfiltrating Traffic
Some Correlation Rules To Drive Action
Some Correlation Rules To Drive Action
Conditions (combined with OR):
• Sending IP is in 192.168.0.0/16
• Sending IP is in 10.0.0.0/8
• Sending IP is in 172.16.0.0/12
• Receiving IP is in 192.168.0.0/16
• Receiving IP is in 10.0.0.0/8
• Receiving IP is in 172.16.0.0/12
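The two correlation conditions from the slides above (only HTTPS on port 443, and the OR-grouped private-address check on either side of the connection) evaluated over constructed connection events, as an added example and not FMC's own correlation engine. The event records, the condition builders and the rule names are assumptions.

```python
import ipaddress

# RFC 1918 ranges, as listed in the slide's conditions.
PRIVATE = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def ip_in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


# Condition builders: each returns a predicate over one connection event, so rules can
# be composed the way the correlation rule editor groups conditions with AND / OR.
def any_of(*conditions):
    return lambda event: any(c(event) for c in conditions)


def all_of(*conditions):
    return lambda event: all(c(event) for c in conditions)


def sender_in(networks):
    return lambda event: ip_in_any(event["src_ip"], networks)


def receiver_in(networks):
    return lambda event: ip_in_any(event["dst_ip"], networks)


def dst_port_is(port):
    return lambda event: event["dst_port"] == port


def app_is_not(app):
    return lambda event: event["app_protocol"] != app


RULES = {
    # "Ensure only HTTPS traffic is used on port 443"
    "non-https-on-443": all_of(dst_port_is(443), app_is_not("HTTPS")),
    # Sending IP OR receiving IP is in a private range
    "private-address-either-side": any_of(sender_in(PRIVATE), receiver_in(PRIVATE)),
}

# Constructed connection events
EVENTS = [
    {"id": "c1", "src_ip": "192.168.1.10", "dst_ip": "203.0.113.7", "dst_port": 443, "app_protocol": "HTTPS"},
    {"id": "c2", "src_ip": "192.168.1.10", "dst_ip": "198.51.100.9", "dst_port": 443, "app_protocol": "SSH"},
    {"id": "c3", "src_ip": "203.0.113.7", "dst_ip": "198.51.100.9", "dst_port": 80, "app_protocol": "HTTP"},
    {"id": "c4", "src_ip": "203.0.113.7", "dst_ip": "10.5.5.5", "dst_port": 443, "app_protocol": "HTTPS"},
    {"id": "c5", "src_ip": "172.31.0.8", "dst_ip": "203.0.113.7", "dst_port": 443, "app_protocol": "HTTP"},
]


def evaluate(events=EVENTS, rules=RULES):
    """Map rule name -> ids of the events that would raise a correlation event."""
    return {name: [e["id"] for e in events if condition(e)]
            for name, condition in rules.items()}


if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(name, hits)
```

The port-443 rule keys on the application protocol FMC identified, not on the port, which is the whole point: c2 (SSH on 443) and c5 (plain HTTP on 443) are exactly the connections an "allow 443" access rule lets through and that only a correlation rule on top of it will surface.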
White Listing
Whitelisting
• Tool to profile/snapshot a host or network segment to monitor for change.
• Changes generate a correlation event
Traffic Profiling
Traffic Profiles
Traffic Profiles: Automate Alert w/ Correlation
[Diagram: Firepower detection pipeline]
Stages in order: SI (IP) -> SSL -> Pre-proc (NAP) -> DNS (SI: DNS) -> ID (Pasv ID) -> L7 ACL (App, URL) -> File/AMP -> IPS; Discovery (Host) runs alongside
Policies governing each stage: SSL Policy, Network Analysis Policy (NAP), DNS Policy, Identity Policy, Intrusion Policy, Network Discovery Policy, Access Control Policy, Malware & File Policy, Intrusion Policy
$VAR Objects feed the policies; each element is Enabled in the AC Policy
Knowing your detection process impacts:
• How you analyse the data
• How you tune your security appliance
Access Policy Tips
• Rule not turning off? Check your Network Analysis Policy
• Putting a monitor rule at the top of your AC Policy can impact performance.
• Be careful of overly precise rules
• Defining Zone AND Network AND VLAN (or SGT) can potentially lead to event duplication or skipped threat detections
• FMC automatically checks rules for problems; leverage it, but don’t rely on it.
• Nothing beats reviewing connection and intrusion events for duplication
Call to Action
• Firepower Management Centre can be the centre of your security operations.
• Look at FMC as a security automation framework -> Automate Threat Hunting
• Don’t “hunt the same problem twice” – Use Correlation Rules
• Look for cross-product integration to strengthen FMC’s value.
• Be creative in creating solutions. Look beyond “IPS” or “Threat Protection” opportunities.
• FMC’s real value is in how it can merge security operations and business outcomes.
• Look for additional consumers of FMC data.
• Security will have greater value as a business enabler.
• Check out Firepower more at the World of Solutions! What can you make it do?!
Thank you
And remember to fill out your surveys!
Q&A
Complete Your Online Session Evaluation
• Give us your feedback and receive a Cisco Live 2018 Cap by completing the overall event evaluation and 5 session evaluations.
• All evaluations can be completed via the Cisco Live Mobile App.
Don’t forget: Cisco Live sessions will be available for viewing on demand after the event at www.CiscoLive.com/Global.