
Perfect. Okay.

I don't think... test. Oh, it is on. Okay. Thank you, Julian. Okay. Next up, we have Oxana presenting on defensible security architecture. Sorry, secure architecture.

Hi everyone. Thank you very much for having me. This is my first time in Newfoundland, so I'm very excited, and it's my first time presenting at BSides as well, so I'm twice excited. I know we're close to the end of the day, so I appreciate everyone staying here and listening to this session. Essentially, we will be talking today about the different frameworks that are available for you to define your security architecture, some pros and cons of those frameworks, and what is currently becoming a common language that we see across our customers, which we will touch on a little bit more in this presentation.

A few words about me. I work for Cisco. I'm a multi-domain architect at Cisco, and I've been with the company for 15 years in different countries. For the past seven years I'm based in Canada; I got my citizenship last year, so now I'm a true Canadian. I also have my cats in the picture here as well. And I'm an active coder. My role for the past five years is leading the security programmability team. You see a bunch of guys here and me in the middle. What we do is we talk to customers about automation and Cisco APIs. When I started five years ago, we had, I think, three sets of APIs within the Cisco security portfolio. Now we have over 20 sets of APIs, so the job becomes more and more challenging. This is why I need all of those guys that you can see in the picture. Anyway, we build some cool stuff. We build MVPs for customers, we talk to them about their automation use cases, and we make them happen.

So, essentially, what we will talk about today, very quickly: we will talk about different threat hunting frameworks. We will dive deeper into the MITRE ATT&CK framework and how we see customers using this framework, and how we as a vendor use this framework as well. If we have time, we'll dive a little bit into how we use it in our portfolio. If we don't have time, there has been a QR code on the first page and it will be on the last page as well, so you can follow along, download this presentation and check what we as a vendor are doing and how we align to the MITRE framework. In the end we'll come up with some conclusions and some reference material, which is also available in the deck. So let's dive right into it.

First I wanted to touch on some of the common frameworks that we see customers are using or have been using over time. Essentially, where we start when we need to define our security architecture is we need to define our threat model, right? I think it's probably common knowledge for everyone in IT. This threat model helps us to profile potential attackers and hackers and also match them to potential targets and the risks that this all presents to our organization. Essentially, through these five steps that we can see on the slide, it helps us to focus on what data we need to protect and what resources we need to protect, and define the respective measures, detection and protection points, and other things within our architecture. Right?

So, over the years there have been three most commonly used models. The first one is the time-based security model. Did anyone use it at all, or hear about it? Essentially, what this model focuses on is the time component of protection mechanisms, and then detection and reaction. The idea behind it is that if your detection of and reaction to the threat takes longer than the protection time, then this system cannot be effectively secured. Right? So, essentially, what you need to focus on is detecting as fast as possible and reacting as quickly as possible, rather than trying to reach 100% protection efficacy, because we all know that no system is 100% efficient, and it would be a utopian kind of idea to try to follow that. So essentially that was the idea behind it.

The second very common framework that companies like to rely on is the Lockheed Martin Cyber Kill Chain. Well, I think this one is probably known to the majority in this room, I would assume. Yeah, I see people nodding. So essentially it defines seven steps of an attack, right? The kill chain is a military term which defines the structure of an attack on its own. The idea behind this framework is that by disrupting an attacker in one of those steps, breaking one of those links in the chain, you will disrupt the attacker, and the attacker will fail and not achieve their goal, essentially. So all the defensive efforts were focused around trying to disrupt an attacker through this kill chain framework.

And the last one I wanted to mention, that became very popular in recent years, is the zero trust framework. There are multiple different implementations by NIST and CISA, and then every vendor, including Cisco, has its own interpretation, laying it over the portfolio that they're offering from a technology perspective. But there are common things that you can find, such as visibility and analytics, and then automation and orchestration, and governance. They are common across all of them. But essentially the key here is there are four main components, or four main activities: you need to establish trust, you need to enforce trust-based access, and then you need to continuously verify the trust level and respond to any changes in the trust level.

The big problem with all of these frameworks, essentially, is how to assess the efficacy of your architecture according to each of those frameworks, because they don't really provide any guidance on how to effectively do it and how to effectively understand whether the measures you're using are good enough, right, and are protecting you to the right extent. So this is where the ATT&CK framework from MITRE becomes really handy. I would say we see more and more customers using it. Gartner starts using it in evaluating different vendors, right? We see it being more and more incorporated in the tools that we are using; threat intelligence sources are breaking up their threat intel matching the ATT&CK framework. So essentially what it allows us to do is to define how to evaluate our defenses. Is everyone familiar with MITRE? Yeah. Okay. Then I'm not going to
dwell too much on describing what it is and all of that. We'll go straight to how we see customers using it.

So essentially, the idea behind this is, I mean, the key word here would be behavior, right? We are trying to work through this pyramid of pain, which I would assume everyone is also very familiar with, to understand how to detect attackers at the TTP level, right, the tactics, techniques and procedures that they are using, rather than some of the artifacts that are very easy to change and obfuscate. A good example here would be: it would be really easy for them to change any file hashes or addresses they're using. It would probably be harder for them to change the tool set that they're using while conducting attacks. And it will be much harder for them to change their behaviors, because those are more embedded into processes and automated within their organizations. Very similar to our organizations as well, right? It's easier to change certain things, but as we look at processes within our organization, it's much harder to change them. So if we're able to detect those types of behavior, then we are much better equipped to be successful in coming up with an effective secure architecture.

So, what ATT&CK is not. It's very important to understand what it is not. The first thing is, it's not exhaustive. It's built on common public knowledge. It's not a framework and it's not an architecture. Right? So it's not going to provide you prescriptive guidelines on how you need to build things. And it's not a guarantee of efficacy or success either. Even if a vendor claims 98% coverage across the ATT&CK framework for certain APTs, it does not guarantee that that vendor is also as effective in responding to these threats. It also does not guarantee that those detections are actually coming from that vendor's solutions and not fed from the OS logs, for example, that are behind on the endpoint as well. So essentially you have to take that information with a grain of salt as you're evaluating your tools against the ATT&CK framework. That's what I would like to say.

I think I'll skip this analogy, but essentially if you look at the periodic table, right, then you will see a lot of analogies with the ATT&CK framework: tactics and techniques would be groups of elements, and then the adversaries would be molecules that are using those groups of elements in different shapes and forms, with different connections between them. Essentially, what the ATT&CK framework does right now is it takes a lot of open-source as well as R&D information and then breaks it down into 14 tactics currently. But beneath you see there almost 200 different techniques and almost 400 different sub-techniques, right, that are matched to 133 different adversary groups and almost 700 different types of malware and software that are being used by these groups. And what they also share is different ways to mitigate those techniques and sub-techniques.

To give an example, we will look at APT28, which is also known as Fancy Bear. We see that the final goal, which is the tactic, right, is to get credential access. The technique that is being used is credential dumping. The tool that is being used is Mimikatz, which implements credential dumping to accomplish the credential access, essentially. So you see how these things are interconnected and how to read that MITRE ATT&CK chart and framework. What it gives us is a common language when red teams talk to blue teams, when we talk to vendors, when we look at threat intelligence sources. It really gives us that common ground for different teams to come together and speak the same language as we are trying to protect our organization.

So let's look at how we see that being used. First of all, you can leverage ATT&CK as a threat intelligence source, cross-correlated with the threat intel sources within your organization. You can use it to identify, evaluate or acquire new detections. You can use it for analytics. You can use it for adversary emulation, as an assessment for coverage, right, to see how well we are covered against certain APTs, and to prioritize where you have gaps and how you would like to cover those gaps as well.

So, with threat intelligence, I want to share a few free, open-source resources that we see being used quite often within our customers and that are very good information. The first one is DFIR, right here, which breaks down its threat intelligence information. Here on the slide you will see an example for Emotet, which essentially breaks it down by ATT&CK tactics and techniques, and you can leverage that information as an additional enrichment source, right, and improve your detections using that additional threat intelligence source.

The next one is using ATT&CK for detection and analytics. This is another great open-source portal, the Cyber Analytics Repository, which provides a knowledge base of analytics for different tactics and techniques based on the ATT&CK model, with pseudocode and references for how they are implemented in different tools, such as Splunk and osquery and other tools as well. What you can do with that, essentially, is more effectively use the analysis of the logs that you already have, more effectively analyze and process the telemetry that you already see from your organization, and essentially perform a deeper analysis using that information.

The next one we will look at is using ATT&CK for adversary emulation. Essentially, you can take the information regarding certain APTs and try to emulate them within your organization, to either improve the efficacy of your red teams or to do some common exercises with a purple team, right? And then essentially emulate, in-house or leveraging third-party resources, to assess the efficacy of the tools and your architecture through performing these emulation activities. It's much more time consuming. What we are doing right now, we are starting a project internally where we are going to generate certain traffic based on MITRE APTs to do firewall performance testing, to see how well we are detecting certain tactics and techniques using the firewall and how we can tune those firewalls, so that we can then further share that information with our customers.

The next one, probably the most commonly used, is for assessment and engineering, right, and that's possible for all organizations, essentially. You can start by looking at specific APTs, identify where you have gaps, and identify whether you need additional tools or how you would fill those gaps, etc. We will look at certain tools that will aid in this, like the Navigator tool, for example, which is a graphical representation of the MITRE ATT&CK framework. But essentially what it allows you to do is assess your existing infrastructure. And for us as a vendor, it allows us to assess how well our products match the framework and how well we represent the information and detections that we discover, and provide the view of the bigger picture for our customers.

So essentially ATT&CK is becoming a common framework for everyone, and there are certain ways that we can use it. There are other additional ways that you can use it as well. Essentially, what MITRE also provides is vendor evaluations. I think that's probably interesting information here for everyone. But there are a few things to have in mind as well. First of all, I already mentioned that detection coverage from a vendor perspective does not necessarily mean a good response to those detections as well. They are not always available within a single solution, right? Very often you would need to look at a certain detection, right, let's say in an
EDR system, but then the response would be better taken by another solution. So let's look at that with a grain of salt. Again, it's not a competitive analysis. It's not a performance test and comparison. They don't provide any ranking or rating information. But in general, it's a good source of information to understand where a certain vendor stands. So definitely keep asking your vendors for that information and keep looking for that information.

So, I mentioned already the ATT&CK Navigator. I'm not going to read all the information on this slide. Essentially it's a graphical representation of the ATT&CK framework, and I'll just mention a few specific examples of different companies using it for different use cases. The first use case would be identifying vulnerabilities in software. In 2018, the National Security Agency was using the Navigator to come up with a graphical representation to identify vulnerabilities in their software systems, right? By doing that graphical representation, they were able to identify where they need to focus in order to make those systems more secure. Another example would be threat hunting, right, leveraging the ATT&CK framework for threat hunting to analyze the techniques that are used by a given adversary, and then matching them to the detection mechanisms that are available in our organization. Then incident response, obviously, is another one, where we will be able to match certain detections that we see to the full framework to get a larger picture and identify where we are vulnerable. And the final one is security assessments, right, where we can conduct security assessments for different agencies to create a custom view of the framework for different attacks and match it to the detection and protection mechanisms within our organization. So those would be the main key areas of use for the MITRE ATT&CK framework.

Another one I want to mention is DeTT&CT, which is more recent but is becoming more and more popular as well, and which I think provides even more analytical information, right? It allows us to compare visibility, detection coverage and threat actor behaviors, and also provides information about the platforms, how they are covered using different techniques, and the different data sources used within the organization. That's a relatively new tool, but we see it being used more and more by our customers as well.

To sum up this section, I wanted to say that, in summary, when we define an architecture we need to think first about the threat model, of course, the threats that are relevant to our organization and the risks that are relevant to our organization, and then we need to look at the threats out there, right, that match our threat model and that are potentially relevant to our organization. This is where MITRE comes into play, right? Because it allows us to define what we need to detect, define those workflows well, and then, ideally using both reactive and proactive activities, discover those threats within our organization or not.

So essentially there are two key factors as we are defining security architecture, right? We need to get as much visibility as possible, collect as much telemetry as possible, hopefully in one single place, so that we can correlate and match into one single set of events, right, using the MITRE ATT&CK framework: different artifacts, different detections, different events coming from different tools in a multi-vendor environment. Essentially, that will allow us to augment and improve our detection mechanisms and then take the full cycle, right, and use appropriate response actions as well. So that would be the main focus for modern security architectures, versus focusing on the efficacy of protection mechanisms, right? Get as much visibility into what's going on as possible, assume being breached, and work on detection and response actions, and ideally automate all of that.

Reading the SANS threat hunting report from last year and this year as well, there were some statistics that shocked me, honestly: more than 60% of organizations define themselves as immature from a threat hunting perspective, and the three main key areas why they define themselves as immature are lack of training, not utilizing the tools that they have to their full potential, their full capabilities, and the last one is not automating around those capabilities. So I think those three key factors are also very important to define an efficient security architecture, right? These are the new features that are coming more and more into the products, right: how we map the events that we're seeing and the detections that we are seeing to the MITRE ATT&CK framework; if this information is available via the API, can you automate enrichment and correlation of that information in your multi-vendor environment; and how quickly can you respond, ideally in an automated way. So that's what I think are the key factors everyone should be looking at and what we're trying to look at with our customers.

Now, really quickly, I'm just going to glance through how we adopt the ATT&CK framework in Cisco's portfolio. We do have that available in the firewalls, right, where you can define detection rules based on ATT&CK tactics and techniques to detect certain stuff that is relevant to your organization, again according to your threat model. And then in the 7.4 release there is a new column, right, so for each event now there is MITRE information available. And then for Secure Network Analytics, all of the events that are coming from that tool, that are detected by this tool, which is essentially anomaly analysis using primarily NetFlow information, are aligned to the MITRE framework. So if you look at this matrix, I think according to the latest information I received, like 98% of all of the events are matching the ATT&CK framework right now, and the same goes for our Secure Cloud Analytics platform. And for Cisco Secure Workload, again, the same: you can build reports based on alerts using the MITRE ATT&CK framework. The same goes for Panoptica as well, where you can take a look at alerts and vulnerabilities within your environment from an ATT&CK framework perspective.

And last but not least, and the clicker isn't working anymore, of course: Secure Malware Analytics. This is my favorite tool, honestly. It's a sandbox and malware analysis tool and a threat intelligence tool as well, kind of like a Wikipedia of malware, which allows you to have analytical information about all the samples submitted by your organization within the week, within the month, within the day, and see what tactics, from a MITRE ATT&CK perspective, you see within your organization, and then you can correlate it with the global threat intel data and see: am I different from anyone else? Am I being hit by the same APTs, or am I seeing some unusual threats targeted at my organization? And all of that is available via the API. So you can bring that data and make it actionable, automate around it. Unfortunately it would be outside of the scope of this small talk, as I'm also trying to speed up a little bit, but that's essentially my sweet spot, where I like to talk about how you can automate these kinds of things using the APIs.

The last set is Cisco Secure Endpoint. We do provide comprehensive ATT&CK information with every event that we detect, and it's also available via the API. On top of that, we have a built-in osquery implementation which allows you to run different osquery queries if you want to drill down and investigate further and look for specific techniques, right, look for specific behaviors. Then you can do that as well with this catalog of things you can look for, specific things, again going back to the analytics that I mentioned from the MITRE Cyber Analytics Repository, where you can find all of that information. Then you can proactively search for that information using tools like that. And then finally this all comes together in
XDR, right, and of course I'll be showing Cisco XDR, but essentially that's what an XDR should be showing you, right: correlating, from different data sources, all the events and alerts that you see, stitching them together using the ATT&CK framework into a pattern so that you can identify how all of the different little alerts come together and show you malicious behavior, right, that really identifies an attack. Doing that will help to prioritize things that are really not false positives, but actual incidents. And that's what Cisco XDR does. As you can see, it breaks down by all of the tactics and then the specific alerts that match specific techniques, right, the indicators, and, you know, it does all of that pattern chaining for tactics and techniques as well. So you can see, essentially, you can start looking at the pattern of behavior versus a single artifact that may mean nothing to you as you look at it, which means that you will become more efficient in your triage process in general. Right?

On top of that, because MITRE ATT&CK is vendor agnostic, it allows us to stitch together telemetry coming from different vendors, right, because now we will all be able to speak the same language, and it also allows us to identify response actions. So within Cisco XDR we are using the SANS incident response framework, which is matching, as you can see, very closely to the MITRE ATT&CK guidance. On top of that you can also create automated rules where you can set certain tactics and techniques as a parameter to trigger automated actions. For example, if you're seeing any tactics related to APT28, right, in any of the events coming into your environment, then you will automatically perform certain response and remediation actions, right, with approval if necessary or without if not.

So essentially this is, I think, where we see our customers trying to bring their organization. This is kind of like the end of the journey, right? To try to find the common language, try to consolidate all of that multi-vendor environment, make your threat intelligence actionable, because it's very often incomplete or outdated, and then detect and respond to threats faster. And this is where the MITRE ATT&CK framework is the best tool to do so. The call to action is, essentially: if you're not yet, try to leverage that in your organization, right, and then keep challenging your vendors to be more ATT&CK driven, right, and bring you those outcomes. I'll share again the QR code for the presentation. There are a bunch of hidden slides that go deeper into the API capabilities that we didn't touch on, and then some of the reading material, and then references to the tools that I mentioned as well. And with that I would like to close my presentation and open it for questions.
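The automation pattern the talk describes (normalize alerts from several vendors onto ATT&CK tactic and technique IDs, chain them per host so a pattern of behavior stands out over a single artifact, and fire a response rule when a technique attributed to a group such as APT28 shows up, with or without approval) can be sketched as a small Python program. This is an added example written for this page; it is not code from the talk, from Cisco XDR or from any other product. The three vendor alert formats, the hostnames and the alerts are constructed, the technique-to-tactic table is a hand-picked subset of the public ATT&CK knowledge base (a real deployment would load it from the ATT&CK STIX bundle), and the APT28 technique set is reduced to the credential-dumping example the speaker gave.

```python
"""Normalize multi-vendor alerts onto MITRE ATT&CK, chain them per host by tactic,
and apply tactic/technique-driven response rules. Constructed example: every alert,
hostname and vendor field name below is made up for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Enterprise ATT&CK tactic IDs in matrix order; used to sort a host's alerts into a chain.
TACTIC_ORDER = ["TA0043", "TA0042", "TA0001", "TA0002", "TA0003", "TA0004", "TA0005",
                "TA0006", "TA0007", "TA0008", "TA0009", "TA0011", "TA0010", "TA0040"]
# Tactic names some tools emit instead of IDs (subset).
TACTIC_BY_NAME = {"Execution": "TA0002", "Credential Access": "TA0006",
                  "Discovery": "TA0007", "Lateral Movement": "TA0008",
                  "Command and Control": "TA0011"}
# Technique -> tactic, a hand-picked subset; in production load this from the ATT&CK STIX bundle.
TECHNIQUE_TACTIC = {"T1059.001": "TA0002", "T1003.001": "TA0006", "T1046": "TA0007",
                    "T1021.002": "TA0008"}
# Techniques attributed to a group, reduced here to the APT28 credential-dumping example
# from the talk (assumption: the full set would come from the group's ATT&CK entry).
GROUP_TECHNIQUES = {"APT28": {"T1003.001"}}


@dataclass(frozen=True)
class Alert:
    host: str
    ts: int                    # constructed relative timestamp
    tactic: str                # ATT&CK tactic ID
    technique: Optional[str]   # ATT&CK technique ID, None if the source only gave a tactic
    source: str
    summary: str


# Three constructed vendor exports, each with its own field names and level of ATT&CK detail.
EDR_ALERTS = [
    {"host": "ws-17", "ts": 3, "technique": "T1003.001", "name": "LSASS memory read by non-system process"},
    {"host": "ws-17", "ts": 1, "technique": "T1059.001", "name": "encoded PowerShell command line"},
]
FIREWALL_ALERTS = [  # this source carries a tactic name only, no technique ID
    {"src": "ws-17", "ts": 5, "tactic": "Command and Control", "sig": "periodic beacon to rare domain"},
]
NETFLOW_ALERTS = [
    {"endpoint": "ws-17", "ts": 4, "attack_technique": "T1021.002", "detail": "SMB sessions to 12 new hosts"},
    {"endpoint": "db-02", "ts": 2, "attack_technique": "T1046", "detail": "internal port scan"},
]


def normalize(edr, firewall, netflow):
    """Map the three vendor formats onto one ATT&CK-keyed Alert record."""
    alerts = [Alert(a["host"], a["ts"], TECHNIQUE_TACTIC[a["technique"]], a["technique"], "edr", a["name"])
              for a in edr]
    alerts += [Alert(a["src"], a["ts"], TACTIC_BY_NAME[a["tactic"]], None, "firewall", a["sig"])
               for a in firewall]
    alerts += [Alert(a["endpoint"], a["ts"], TECHNIQUE_TACTIC[a["attack_technique"]],
                     a["attack_technique"], "netflow", a["detail"]) for a in netflow]
    return alerts


def chains_by_host(alerts):
    """Group alerts per host and order them by tactic (matrix order), then time."""
    chains = defaultdict(list)
    for a in alerts:
        chains[a.host].append(a)
    for chain in chains.values():
        chain.sort(key=lambda a: (TACTIC_ORDER.index(a.tactic), a.ts))
    return dict(chains)


def evaluate_rules(chains):
    """Return response actions: a group-attributed technique asks for approved isolation,
    a credential-access -> lateral-movement chain isolates automatically, a lone tactic
    only gets triaged."""
    actions = []
    for host, chain in chains.items():
        tactics = {a.tactic for a in chain}
        techniques = {a.technique for a in chain if a.technique}
        for group, attributed in GROUP_TECHNIQUES.items():
            hit = techniques & attributed
            if hit:
                actions.append({"host": host, "action": "isolate", "approval": True,
                                "reason": f"{sorted(hit)} attributed to {group}"})
        if {"TA0006", "TA0008"} <= tactics and len(tactics) >= 3:
            actions.append({"host": host, "action": "isolate", "approval": False,
                            "reason": "credential access chained into lateral movement"})
        elif len(tactics) == 1:
            actions.append({"host": host, "action": "triage", "approval": False,
                            "reason": "single tactic, no chain yet"})
    return actions


def run():
    """Whole pipeline over the constructed alerts."""
    return evaluate_rules(chains_by_host(normalize(EDR_ALERTS, FIREWALL_ALERTS, NETFLOW_ALERTS)))


if __name__ == "__main__":
    for host, chain in chains_by_host(normalize(EDR_ALERTS, FIREWALL_ALERTS, NETFLOW_ALERTS)).items():
        print(host, " -> ".join(f"{a.tactic}/{a.technique or '?'}" for a in chain))
    for action in run():
        print(action)
```

Run as-is, the workstation ws-17 yields an Execution -> Credential Access -> Lateral Movement -> Command and Control chain assembled from three different tools, which both rules act on, while the single Discovery alert on db-02 only gets a triage ticket. The tactic-first sort is what turns an unordered pile of vendor events into something a responder reads as an attack; the approval flag on the attribution rule mirrors the talk's point that group-based triggers are a judgement call while a multi-tactic chain on one host is safe to act on automatically.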