Threat Hunting With Cortex XDR: Jani Haapio Channel SE


Threat Hunting with Cortex XDR

Jani Haapio
jhaapio@paloaltonetworks.com
Channel SE

1 | © 2019 Palo Alto Networks. All Rights Reserved.


The world’s leading cybersecurity company

• 85 of the Fortune 100 rely on Palo Alto Networks
• #1 in enterprise security
• 60,000+ customers in 150+ countries
• Revenue trend: 40% CAGR, FY14 ‒ FY18
• 63% of the Global 2K are Palo Alto Networks customers
• 28% year over year revenue growth*
• 9.1/10 average CSAT score

*Q4FY2018. Fiscal year ends July 31
Gartner, Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 1Q18, 14 June 2018


Securing Your Transformed Enterprise

SECURE THE ENTERPRISE: Hybrid data center, Internet perimeter, Branch & mobile, 5G & IoT, Endpoint
SECURE THE CLOUD: Secure access, SaaS, Public cloud
SECURE THE FUTURE: Detection & response, Automation & orchestration, Network traffic & behavioral analytics, Threat intelligence
DATA LAKE


Advanced Attacks Require Detection & Response

Known threats, evasive malware, zero-day attacks, fileless attacks: 99%+ of attacks can be prevented with the right tools across layers
• Targeted attacks • Low and slow • Insider threats: <1% require analysis over time & with machine learning
What Is Threat Hunting?

Manually searching for threats rather than waiting for technology to alert you

Hunt for IoCs: Search for known malicious file hashes, IP addresses, other IoCs based on news
Search for Attack Behaviors: Look for attacker tactics, techniques and procedures
Hypothesis Driven: Driven from a basic understanding or lead from new information


As threats escalate, SecOps is more important than ever

[Timeline infographic, from the Morris Worm and a space agency breach to the present: per-incident breach sizes (from 2M to 2B records stolen, 500M guest records, 134M credit cards) and counts of new malicious programs registered (47M, 182M, 600M, 925M+)]

Timeline axis: 1998, 2004, 2007, 2010, 2013, 2016, Present

Threat categories listed beneath the axis (each row reads left to right across the eras):
Malicious code, Identity theft, DNS attacks, Social engineering, Banking malware, Ransomware, Cyberwarfare
Trojans, Phishing, Botnets, DDoS attacks, Keyloggers, Cryptominer, Fileless attacks
Worms, Mobile viruses, Sabotage, Malicious email, Ransomware, Certificate attacks, Automated & AI attacks
Viruses, Anti-spam, Ransomware, Botnets, Bitcoin wallet, Cloud migration
SQL attacks, Botnets, Android hacks, S3 buckets
Insider threats


Why security teams struggle

Gaps in Prevention: Legacy tools generate too many alerts (174k alerts per week)
Lack of Time: Manual tasks across siloed tools take too long (30+ point products)
Limited Context: It takes days to investigate threats (4+ days to complete an investigation)


The reality (and complexity) of security operations

[Figure: NEWS & ALERTS]


How SecOps must transform to reduce risk

(Chart axes: EFFICIENCY; MTTR/MTTD & RISK)

Maturity      Low (Reactive)     Medium                    High (Proactive)
Detection     RULE-BASED         CORRELATED RULE-BASED     ANALYTICS-BASED
Context       LOG AGGREGATION    SILOED DATA COLLECTION    INTEGRATED RICH DATA
Automation    NONE               PARTIAL                   FULL


Use Case: Endpoint Protection


The Problem: Endpoint infections continue despite best efforts

Legacy Endpoint Security Has Failed: Legacy EPPs can’t keep up with advanced threats and burden local systems
Siloed Network & Endpoint Protection: Current approaches do not share protections between different parts of the enterprise
Endpoint Detection & Response is Limited: EDR is locked to the endpoint and lacks a solution for unmanaged devices


Best-in-class prevention with Traps

Prevent all malware: High fidelity local detection trained by WildFire
Block exploits: Block exploits based on techniques
Analyze suspicious patterns: Behavioral Threat Protection analyzes multiple behaviors together to flag complex attacks


Use Case: Threat Detection


The Problem: Too many false positives and missed attacks

You Can’t Prevent All Attacks: Sophisticated attacks & insider abuse can bypass controls
Detection Yields Too Many False Positives: Teams waste time and miss threats chasing low-context false positive alerts
Anomaly Detection is not a “Human” Job: Detecting anomalies requires analyzing a comprehensive data set


Our Approach: Threat detection

Before: Endpoint data, Cloud data and Network data each feed a separate Detection function, with correlation left to humans (Human Correlation).
After: Integrated data from Endpoint, Cloud and Network feeds ML-based Behavior Analytics and Custom Rules, producing High-signal Alerts.


Use Case: Threat Containment


The Problem: Threat containment takes too long

Limited Context Across Multiple Alerts: Analysts have to review each alert individually
Investigations Are Highly Manual: Teams must manually piece together data from siloed tools & data sources
Finding Root Cause Takes Too Long: By the time you find root cause, the attack has progressed


Our Approach: Investigation & response

Before: separate alerts from EPP, NTA, TI, NGFW and UEBA tools.
After: a phishing alert shown with its process chain (Chrome.exe → 7zFM.exe → cmd.exe → powershell.exe → wscript.exe), and related alerts from NTA, EPP, TI, UEBA and NGFW grouped into Incidents.


Stitching of Network (NGFW Logs) and Endpoint Data (Traps Logs)



Investigate in timeline



Determining Root Cause of Security Events

Causality Group: All processes, files, and threads involved as a part of the security event

Causality Group Owner (CGO): The process that initiated the chain of events

Example chain:
1. Clicks on URL in phishing email
2. Default browser is opened
3. Downloads 7zip file
4. 7zip runs *.pdf.bat file in zip
5. *.pdf.bat file creates Visual Basic script for Windows script engine
6. Attempts C2 connection
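The causality group and CGO idea above, together with the stitching of NGFW and Traps data from slide 19, as an added example in Python (not code from the deck or from Cortex XDR): constructed endpoint process and connection events are walked up to the owning process, and the connection is joined to a constructed NGFW log line on the shared 5-tuple and a time window. The shell boundary (explorer.exe), the event fields and the addresses are assumptions.

```python
# Added example, not from the deck: rebuilds a causality group from constructed
# endpoint process events and stitches an NGFW log line to the process that made
# the connection, matching on the 5-tuple and a time window.

SHELL_PARENTS = {"explorer.exe"}  # assumed boundary: user-launched chains start below the shell

# Constructed endpoint (Traps-style) process events: pid -> parent pid, image, start time.
PROCS = {
    100: {"ppid": 1,   "image": "explorer.exe",   "ts": 0},
    200: {"ppid": 100, "image": "chrome.exe",     "ts": 10},
    300: {"ppid": 200, "image": "7zFM.exe",       "ts": 20},
    400: {"ppid": 300, "image": "cmd.exe",        "ts": 25},
    500: {"ppid": 400, "image": "powershell.exe", "ts": 26},
    600: {"ppid": 500, "image": "wscript.exe",    "ts": 27},
    700: {"ppid": 100, "image": "outlook.exe",    "ts": 5},
}
# Constructed endpoint connection events, keyed by the process that opened the socket.
CONNS = [{"pid": 600, "src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "ts": 30}]
# Constructed NGFW traffic log lines (5-tuple, time, verdict); 203.0.113.0/24 is documentation space.
FW_LOGS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "ts": 31, "action": "deny", "rule": "block-c2"},
    {"src": "10.0.0.7", "dst": "203.0.113.9", "dport": 443, "ts": 31, "action": "allow", "rule": "web"},
]

def causality_chain(procs, pid):
    """Walk parent pointers up to the shell boundary; returns images from CGO down to pid."""
    chain = []
    while pid in procs and procs[pid]["image"] not in SHELL_PARENTS:
        chain.append(procs[pid]["image"])
        pid = procs[pid]["ppid"]
    return list(reversed(chain))

def stitch(conn, fw_logs, window=5):
    """Return the firewall log matching the endpoint connection on 5-tuple and time, else None."""
    for log in fw_logs:
        same_flow = (log["src"], log["dst"], log["dport"]) == (conn["src"], conn["dst"], conn["dport"])
        if same_flow and abs(log["ts"] - conn["ts"]) <= window:
            return log
    return None

def root_cause(procs, conns, fw_logs, pid):
    """Causality group for pid: the CGO, the process chain, and the stitched network verdicts."""
    chain = causality_chain(procs, pid)
    net = [stitch(c, fw_logs) for c in conns if c["pid"] == pid]
    return {"cgo": chain[0] if chain else None, "chain": chain,
            "network": [n for n in net if n]}

if __name__ == "__main__":
    print(root_cause(PROCS, CONNS, FW_LOGS, 600))
```

The result names chrome.exe as the CGO for the wscript.exe connection and attaches the firewall's deny verdict to that process, which is the view an analyst needs before deciding whether to contain the host.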
Integrated response via live terminal



Key Differentiators: Find advanced attacks with analytics

Full Visibility To Detect Complex Threats: Eliminate blind spots across network, endpoint, and cloud
Industry-leading Attack Coverage: Detect the most attack techniques according to MITRE ATT&CK evaluations
Patented Behavioral Analytics Technology: Find hidden threats with Machine Learning running across all data


MITRE ATT&CK – ATTACK TECHNIQUES COVERAGE



MITRE ATT&CK – REAL TIME ALERTS



Use Case: Threat Hunting


Create your queries



Create your own Behavioral Indicators Of Compromise



The industry's best security data asset

[Layered diagram, top to bottom: Cortex XDR / Cortex Data Lake / Network, Endpoint, Cloud]


Cortex XDR Capabilities

• Rich data collection
• Behavioral analytics and machine learning
• Custom rules based on behaviors and IOCs
• Root cause analysis
• Threat hunting
• Integrated response


Cortex XDR Makes Detection & Response Accessible to All Analysts

Reduce risk of data breach: Cut detection & response times
Increase security operations efficiency: Reduce alert fatigue & turnover
Maximize detection & response investments: Lower TCO by 44%


Thank You
paloaltonetworks.com
Email: jhaapio@paloaltonetworks.com
Twitter: @PaloAltoNtwks
