XDR Design Clinic


Things you should know


Aaron Woland
Rob Gresham
Matt Robertson
October 17, 2023
Learning Objectives
‣ Understand the value proposition of Cisco XDR
‣ How to design a Cisco XDR deployment with your customer

‣ What does XDR do?

‣ What does XDR detect?

‣ How does XDR respond?


Changing how we look at detection & response

The XDR Promise


• Collection of telemetry from key D&R tools + high-value sources
• Analytics applied to the collected & homogenized data to arrive at a detection of maliciousness
• Response & remediation of that maliciousness

© 2023 Cisco and/or its affiliates. All rights reserved. Cisco Confidential


Cisco’s XDR

• Only XDR in market that doesn’t require use of our own EDR
• You could start with Crowdstrike’s EDR
• Add NVM
• Add NetFlow / IPFIX
• BAM!


Cisco XDR is a SOC Productivity Tool



SOC / CSIRT Productivity Tool

Sam (Security Analyst): Tier 1 / Tier 2 Analyst (Junior or Jack of all Trades)
“My job is to prioritize risks, remediate vulnerabilities, and proactively avoid attacks. I’m constantly multitasking and reordering my priorities.”
“Did a security event happen, and should I be taking action?”

Remi (Incident Responder): Tier 3 Analyst (Expert)
“When a security incident occurs I focus on finding the proper security data and determining the “why, what, and when” of what happened. Then I come up with recommendations for future prevention.”
“How did the security incident happen, and what more do I need to know?”


XDR is focused on the attacks that got past the protection products

Not a Single Pane of Glass / not a MoM / not a dashboard to see all the things that have already been blocked.

Not a tool for PCI Compliance or Reporting.
Investigation Timeline – what happened & when?

The SOC / Admin Responder typically builds out a timeline when investigating.

Timeline phases: Pre-Exploitation, Exploitation, Post-Exploitation
Stages shown along the timeline: Probing, Failed Exploit Attempts, Initial Compromise, Privilege Escalation, Lateral Movement, Initial Data Exfiltration
Asset attributes tracked for the victim: IP Address, Mac Address, GUID(s), Activity

Starting here (the detected event), look forward & backwards for correlation to build the timeline / attack graph of “what happened”.
So… if you have an EDR, how much of the timeline can you build?

Very sophisticated types of attacks can ONLY be detected & understood by combining data from Network, Endpoint & more.

It takes multiple intelligent tools to put together the entire timeline, especially when not every endpoint has the EDR agent installed.
Aren’t SIEM & SOAR all we need?

• SOCs make big investments in SIEM to store raw logs & allow query
  • Organizations will have extensive custom queries to hunt
  • Invest $$$ into performing asset resolution between disparate systems
  • Data must be in the data-store; how do you determine when enough is enough?
• SOCs make big investments in SOAR for custom playbooks
  • These are per-playbook & per-integration, which makes them very complex
  • If the investment in asset resolution wasn’t made, responses fail
• It’s all custom.
  • Must be tuned & re-tuned & tailored per environment
  • Very few tier-3 investigators are skilled enough to run & keep them up.
  • Requires big investment in training on the custom playbooks
  • Personnel turnover is very costly


“The need for XDR is driven by the
market not meeting the needs of
the SOC”

- Large Financial Customer



Detection and Response and the SOC

XDR: Correlated/Prioritised Events

Pain points with today’s tooling:
• SOC Staff (Sam, Remi): Not enough people; Not enough talent; Not enough time; Not enough creativity; Too much work
• SIEM: Too expensive; Too much data
• SOAR: This never actually worked
• NGFW/IPS/IDS/WSA: Encryption; Too noisy; Not actionable; Too many alerts
• EDR: Limited coverage; Too many alerts; Not actionable
• Email: Phishing; BEC
• NDR / IaaS: Not enough visibility; Remote workers
Timeline from multiple sources

XDR Should Build out the Timeline – XDRs need other high-value sources

EDR EVENT on Vic01: Credential Theft (AD Find, Rubeus activity)
Vic01 attributes: IP Address, Mac Address, GUID(s), Activity; random mac-address, DHCP-assigned IP, EDR installed

1. EDR event detects Kerberos attack to harvest credentials.

Is this enough information to act?
The XDR should be automagically looking for how the event happened, stitching together other key events that on their own might not be critical enough to generate an Alert!


Integration Sources

Integration Sources for Success

XDR integration sources by category:
• EDR (BYO EDR): Secure Endpoint, Crowdstrike, MS Defender, Sentinel1, CyberReason
• NDR (Native to Cisco XDR): { NVM + Netflow }*, SNA, ExtraHop, Darktrace
• ITDR (Included w/ XDR): Devices**, Users, ISE
• CNDR (Native to Cisco XDR): Azure, AWS, GCP

* put NVM everywhere!
** integrate the MDMs

EDR as an XDR Source



Integration Sources

An EDR is key for XDR Success

• EDR is the original detection & response tool for visibility and actions against the attacks that get past our perimeter
• This tool is VERY focused on the Endpoint’s view.
• Some have network telemetry from the endpoint’s perspective
• Only helps with attacks involving the endpoints managed by the EDR

The session activity is visible on the endpoint: who, application, PowerShell commands, what spawned the process, etc.
Timeline from multiple sources

XDR Should Build out the Timeline (EDR sources only)

EDR events on the timeline:
• Vic01: Credential Theft (AD Find, Rubeus activity); random mac-address, DHCP-assigned IP, EDR installed
• Vic01: Executes Bazar
• Vic01: Discovery commands (systeminfo.exe, netstat.exe, net.exe, ipconfig.exe, nltest.exe, whoami.exe)
• AD, AD2, AD3: Impact: Crypto (ryuk.exe starts encrypting)

4. EDR: First System (AD) was Ransomed! How did this happen?
5. EDR: Endpoint Vic01 was sending out discovery commands previously, what else was seen for Vic01?
12. Bazar executable XYZ was downloaded by Kevin Smith
NVM & NetFlow as Sources

Integration Sources

Think of NVM as the “XDR Agent”

• The flows are NOT used like NetFlow
• NVM is a cross between NDR & EDR, and acts as the glue binding detections together
• NVM has its very own detections engine in XDR
• Couple it with NetFlow to get the NDR signatures in XDR Analytics to fire
• NVM is the glue that stitches many telemetry sources together


Integration Sources

Network is key for XDR Success

• XDR provides some NDR capabilities natively
• Not all EDRs include network telemetry
• Not all devices run the EDR agent
• NDR is critical to detect TTPs commonly used by attackers like BlackTech, Volt Typhoon, & Jaguar Tooth.
  • Ex. Lateral movement, Living off the land, etc.

• XDR is not an enterprise-grade NDR
• Most enterprises have more requirements for their NDR than can be met with native XDR network analytics:
  • Ex. policy monitoring, traffic monitoring or more advanced customization
• Position SNA for these scenarios (Breach Advantage!)
• Integrate XDR with (lesser) third-party NDRs (ex. Extrahop, Darktrace)


Timeline from multiple sources

XDR Should Build out the Timeline (EDR + NDR / NVM sources)

Events on the timeline:
• Vic01 (NVM): Opens email, follows link to a-p-p-i-e.com, downloads xyz.exe, opens C2 channel
• Vic01 (EDR): Executes Bazar
• Vic01 (EDR): Credential Theft (AD Find, Rubeus activity); random mac-address, DHCP-assigned IP, EDR installed
• Vic01 (NDR): Roams & gets new IP
• Vic01 (EDR): Discovery commands (systeminfo.exe, netstat.exe, net.exe, ipconfig.exe, nltest.exe, whoami.exe)
• Vic01 (NDR): Network Conn: ldap://ad:389, smb tcp/445, rdp tcp/3389; Lateral Movement to AD
• AD (NDR): Opens C2 channel; ftp of harvested creds to C2
• AD (NDR): Lateral Movement to AD2 and AD3 via smb tcp/445
• AD, AD2, AD3 (EDR): Impact: Crypto (ryuk.exe starts encrypting)

7. NDR / DNS / Proxy: XYZ on Vic01 was communicating encrypted TLS w/ a potentially risky site before the commands
8. NDR: Vic01 does first lateral move to AD via RDP
9. NDR: AD Establishes C2 channel
10. NDR: AD moves laterally to other AD servers via SMB
11. Vic01 had roamed & gotten a new IP Address (so much more important than you know)
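Step 11 is the asset-resolution problem: flow records (NDR, NVM) are keyed by IP address, agent records (EDR) by host or MAC, so a device that roams to a new DHCP address looks like two unrelated assets unless each IP is resolved to the lease that held it at that time. The Python below is an added example, not Cisco’s code; the hosts, MACs, addresses, lease times and events are constructed to mirror the slide’s scenario.

```python
"""Stitch EDR, NVM and NDR events for one device into a single timeline.

Added example (not Cisco XDR code). Flow records carry an IP, agent records
carry a MAC; DHCP lease history maps (ip, time) -> MAC so that events seen
under both of Vic01's addresses land on one device, and an unrelated host
that later reuses the old IP is NOT attributed to Vic01.
All names, addresses and times are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

T0 = datetime(2023, 10, 17, 9, 0)  # constructed base time

@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    start: datetime
    end: datetime

@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str         # EDR / NVM / NDR
    ip: Optional[str]   # present on flow-based records
    mac: Optional[str]  # present on agent-based records
    detail: str

VIC01 = "aa:bb:cc:00:00:01"  # constructed MAC of Vic01

# Constructed DHCP leases: Vic01 roams at T0+30m and receives a new IP;
# another host picks up Vic01's old address ten minutes later.
LEASES = [
    Lease(VIC01, "10.1.1.50", T0, T0 + timedelta(minutes=30)),
    Lease(VIC01, "10.2.2.77", T0 + timedelta(minutes=30), T0 + timedelta(hours=8)),
    Lease("aa:bb:cc:00:00:09", "10.1.1.50", T0 + timedelta(minutes=40), T0 + timedelta(hours=8)),
]

# Constructed events mirroring the slide: download, execution, discovery, RDP to AD.
EVENTS = [
    Event(T0 + timedelta(minutes=5),  "NVM", "10.1.1.50", None, "TLS to a-p-p-i-e.com, downloads xyz.exe"),
    Event(T0 + timedelta(minutes=6),  "EDR", None, VIC01, "Executes Bazar (xyz.exe)"),
    Event(T0 + timedelta(minutes=35), "EDR", None, VIC01, "Discovery: whoami.exe, nltest.exe, net.exe"),
    Event(T0 + timedelta(minutes=45), "NDR", "10.1.1.50", None, "smb tcp/445 to fileserver"),  # other host
    Event(T0 + timedelta(minutes=50), "NDR", "10.2.2.77", None, "rdp tcp/3389 to AD (lateral movement)"),
]

def resolve_mac(ip: str, ts: datetime, leases: List[Lease]) -> Optional[str]:
    """Return the MAC that held `ip` at time `ts`, or None if no lease covers it."""
    for lease in leases:
        if lease.ip == ip and lease.start <= ts < lease.end:
            return lease.mac
    return None

def timeline_for(mac: str, events: List[Event], leases: List[Lease]) -> List[Tuple[datetime, str, str]]:
    """All events attributable to one device, in time order, whichever IP it held."""
    rows = []
    for ev in events:
        owner = ev.mac if ev.mac else resolve_mac(ev.ip, ev.ts, leases)
        if owner == mac:
            rows.append((ev.ts, ev.source, ev.detail))
    return sorted(rows)

def naive_groups_by_ip(events: List[Event]) -> Dict[str, int]:
    """Flow-event counts per IP with no lease resolution: the view a raw SIEM query gives."""
    counts: Dict[str, int] = {}
    for ev in events:
        if ev.ip:
            counts[ev.ip] = counts.get(ev.ip, 0) + 1
    return counts

if __name__ == "__main__":
    for ts, src, detail in timeline_for(VIC01, EVENTS, LEASES):
        print(ts.strftime("%H:%M"), src, detail)
    print("naive by IP:", naive_groups_by_ip(EVENTS))
```

The naive IP grouping splits Vic01’s story across 10.1.1.50 and 10.2.2.77 and mixes in the other host’s SMB flow; the lease-resolved timeline keeps exactly the four Vic01 events in order.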
DNS (Umbrella) as a Source

Integration Sources

Umbrella adds context to EDR & NDR

• Much like NDR, adds a layer of visibility to the timeline that adds great value
  • What other machines have tried to resolve the same domain
  • Verdicts, Judgements from Umbrella
• NVM includes all DNS lookups in the flow data sent to XDR & can be leveraged for correlation


Email as an XDR Source

Integration Sources

Email is also a key telemetry source

• #1 Attack Vector (Still)
• Really important for response actions to remove the email from any mailboxes that contain a copy
• Timeline would be incomplete without the email telemetry
• ETD included in Breach & User Suites
• SMA for the “other email” solution
• If you can’t use ETD (you should) then:
  • MSFT 365 (Q2FY24)
  • Proofpoint (roadmap)


Timeline from multiple sources

XDR Should Build out the Timeline (ETD + EDR + NDR / NVM sources)

Events on the timeline:
• Kevin Smith (ETD): Receives email containing link to appIe.com/xyz.exe, i.e. a-p-p-i-e.com (looks alike); opens email
• Vic01 (NVM): Follows link to a-p-p-i-e.com, downloads xyz.exe, opens C2 channel
• Vic01 (EDR): Executes Bazar
• Vic01 (EDR): Credential Theft (AD Find, Rubeus activity); random mac-address, DHCP-assigned IP, EDR installed
• Vic01 (NDR): Roams & gets new IP
• Vic01 (EDR): Discovery commands (systeminfo.exe, netstat.exe, net.exe, ipconfig.exe, nltest.exe, whoami.exe)
• Vic01 (NDR): Network Conn: ldap://ad:389, smb tcp/445, rdp tcp/3389; Lateral Movement to AD
• AD (NDR): Opens C2 channel; ftp of harvested creds to C2
• AD (NDR): Lateral Movement to AD2 and AD3 via smb tcp/445
• AD, AD2, AD3 (EDR): Impact: Crypto (ryuk.exe starts encrypting)

13. Kevin Smith received an email w/ a look-alike domain in the URL & he clicked it to download that executable


Demo – the Timeline in Cisco XDR



XDR is incomplete without Identity



Integration Sources

Identity is also a key telemetry source

• Can use ISE integration today w/ XDR analytics (NDR capabilities)
  • ONA required for pxGrid to ISE (today)
• User Insights
  • Provides user context
  • That context will be in the incidents & investigations soon
• Coming Soon: Identity Detection & Response with Oort
  • Part of the Breach & User Suites
  • Included with Duo Advantage & XDR Essentials*


Coming Soon**: User context in an Investigation / Incident Management

• Details for User “Assets” becomes the User Object, instead of generic data
• Progressive Disclosure: clicking the user in the graph would display the User Details “drawer” within the window

** this is a wireframe to describe an intended result, not a delivered feature

Coming Soon: Identity Threat Detection & Response


Don’t forget that XDR has built-in Cloud Native Detection & Response

Integration Sources

Cloud Native Detection & Response (CNDR)

• XDR has native integrations with:
  • Azure
  • AWS
  • Google Cloud
• Full set of detections specific to cloud native environments
• Note: CNDR is not the same as CSPM


RX for Success

• Power the native NDR capabilities w/ Flow Logs
• Highly recommend EDR
• Install NVM where possible
• Highly recommend ETD or SMA (email)
• DNS is very good
• Power the native CNDR
• Integrate Device Managers & CMDB where possible
Follow-up

• Rob Gresham’s session on building Workflows
• Watch out for the ATT&CK! with Matt and Mike
• Threat Hunting Workshops
• See session: Enhanced Identity Security Posture Management with Duo


Incident Creation: Data, Analytics and Detection

XDR Outcome: Analytics applied to the collected & homogenized data to arrive at a detection of maliciousness

How do we get incidents?
Methods of Incident Creation: Current Status

• XDR Analytics: Individual and/or correlated alerts
• API: For workflows and custom integrations
• Cisco Secure Endpoint: Critical and High Events automatically promoted (this will evolve in the next quarter)

Once an Incident is created it is enriched with data from supported integrations.

Correlation (Pre-Incident Creation): Data from multiple security tools is analysed to arrive at a detection of maliciousness.
Enrichment (Post-Incident Creation): A detection of maliciousness is further enhanced with data from integrated security tools.


Recall: Data Analytics Pipeline

Data Acquisition: Source → Acquisition and Normalisation → Data Warehouse
Analytics Stack: Observation(s) (“We saw something(s)”) → P(A|B) → Alert(s) (“We believe this is important”) → Attack Chain (“These alerts correlate”) → Incident Created


New Incident Generation

Telemetry is ingested into the data warehouse, analyzed and correlated with other data in the data model, where it serves as an input to net new incident candidates for Cisco XDR.

Current – 6 Sources (Cisco): Identity Service Engine; Network Telemetry; NGFW via SAL Logging; Public Cloud Infrastructure; Secure Client NVM; Secure Endpoint*
Important! At least one of these is required to get an incident today!

Q1 FY24 (3rd Party): CrowdStrike
Q1 FY24 (Cisco): Meraki**; Oort; Secure Access

Q2 FY24 (Cisco): Secure Email; Secure Endpoint*; Secure Network Analytics
Q2 FY24 (3rd Party): Proofpoint

2H FY24 (3rd Party): Checkpoint; Cybereason; Darktrace; ExtraHop; Fortinet; Microsoft Defender; Microsoft O365; Palo Alto Cortex; Palo Alto NGFW; SentinelOne; Trend Micro Vision One

* Cisco Secure Endpoint auto-promotes incidents today. Q2 plan is to move through the new data and logic path for correlation with other data sets.
** Meraki NetFlow today is ingested into Cisco XDR; a significantly enhanced integration between XDR and Meraki is underway.
Observations to Alert

Data Model: Observation(s) (“We saw something(s)”) → P(A|B) → Alert (“We believe this is important”)

A note about data science

There is a complex AI/ML data model behind the alerting engine.
What moves a set of observations to an alert can be situationally dependent for certain alert types.
For some alerts, predicting their future appearance in the UI is not always deterministic.

Practical terms:
• Small labs are not ideal proof of concept scenarios
• Single test scenarios are also not cool
• You might not get alerts (incidents) for some data sources

Alerts Require (Specific) Data – Plan Accordingly

Familiarise yourself with the observations, data and history for specific alerts.
Reconstructing the attack timeline

Alert Correlation (AKA Attack Chains)

Figure: attack chain graph linking Alert0, Alert1, Alert2, Alert3 and Alert4 through the devices they share (Device1, Device2, Device3).

Don’t publish all the alerts and the attack chains. It could be too noisy.


Endpoint Data Analytics Pipeline (ex. Crowdstrike)

Data Acquisition: Source → Acquisition and Normalisation → Data Warehouse
Analytics Stack: Observation(s) (“We saw something(s)”) → P(A|B) → Alert(s) (“We believe this is important”) → Attack Chain (“These alerts correlate”) → Incident Created

Data Acquisition:
• Call API every 1 minute
• Ingest Critical and High detections
• Normalise and store data in Data Warehouse

Analytics Stack:
• Observation created for Endpoint sightings
• Suspicious Endpoint Security Finding
• 12 New Endpoint Alerts
  • Aligned to MITRE ATT&CK Tactics
• Correlated into Attack Chains
• Promoted as Incident into XDR UI
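As an added example (not Cisco XDR’s or CrowdStrike’s code), the following Python models the pipeline on this slide together with the attack-chain graph from the correlation slide: one polled batch of detections is filtered to Critical/High alerts, alerts that touch a common device are linked into chains, and only chains spanning several ATT&CK tactics or containing a Critical alert are promoted, so isolated single alerts are not published as incidents. The detection records and their field names are constructed and are not a real API schema.

```python
"""Observations -> alerts -> attack chains -> incidents for endpoint detections.

Added example, not Cisco XDR or CrowdStrike code. Models the slide's flow:
keep only Critical/High detections as alerts, tag each with an ATT&CK tactic,
link alerts sharing a device into attack chains (connected components), and
promote only chains a SOC should see, so the UI is not flooded with noise.
The records and field names below are constructed, not a vendor schema.
"""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed batch, as if returned by one 1-minute poll of an EDR detections API.
POLL_BATCH = [
    {"id": "d1", "device": "Vic01",  "severity": "High",     "tactic": "Credential Access", "name": "Rubeus kerberoast"},
    {"id": "d2", "device": "Vic01",  "severity": "Medium",   "tactic": "Discovery",         "name": "net.exe enumeration"},
    {"id": "d3", "device": "AD",     "severity": "Critical", "tactic": "Impact",            "name": "ryuk.exe mass encryption"},
    {"id": "d4", "device": "Vic01",  "severity": "High",     "tactic": "Lateral Movement",  "name": "RDP to AD", "related": ["AD"]},
    {"id": "d5", "device": "HR-PC7", "severity": "High",     "tactic": "Execution",         "name": "macro spawned powershell"},
    {"id": "d6", "device": "HR-PC7", "severity": "Low",      "tactic": "Execution",         "name": "unsigned binary"},
]
PROMOTED = {"Critical", "High"}

def to_alerts(batch: List[dict]) -> List[dict]:
    """Ingest step: only Critical and High detections become alerts."""
    return [d for d in batch if d["severity"] in PROMOTED]

def attack_chains(alerts: List[dict]) -> List[Set[str]]:
    """Group alert ids into chains: alerts link when they touch a common device
    (source device or any related device). Union-find over alert and device nodes."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a: str, b: str) -> None:
        parent[find(a)] = find(b)

    for a in alerts:
        for dev in [a["device"], *a.get("related", [])]:
            union(a["id"], "dev:" + dev)
    comps: Dict[str, Set[str]] = defaultdict(set)
    for a in alerts:
        comps[find(a["id"])].add(a["id"])
    return sorted(comps.values(), key=lambda s: sorted(s))

def promote_incidents(alerts: List[dict], min_tactics: int = 2) -> List[dict]:
    """Publish a chain as an incident only if it spans >= min_tactics ATT&CK tactics
    or contains a Critical alert; an isolated High alert stays an alert, not an incident."""
    by_id = {a["id"]: a for a in alerts}
    incidents = []
    for chain in attack_chains(alerts):
        members = [by_id[i] for i in chain]
        tactics = {m["tactic"] for m in members}
        devices = {m["device"] for m in members} | {d for m in members for d in m.get("related", [])}
        critical = any(m["severity"] == "Critical" for m in members)
        if len(tactics) >= min_tactics or critical:
            incidents.append({"alerts": sorted(chain), "devices": sorted(devices), "tactics": sorted(tactics)})
    return incidents

if __name__ == "__main__":
    alerts = to_alerts(POLL_BATCH)
    print("alerts:", [a["id"] for a in alerts])
    print("chains:", attack_chains(alerts))
    print("incidents:", promote_incidents(alerts))
```

Here d2 and d6 never become alerts, d1/d3/d4 chain through Vic01 and AD into one incident covering three tactics, and the lone High alert on HR-PC7 is kept as an alert without being promoted.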


Detection Engine Demo

Detection without response is insufficient!

Automation is essential.
Response is more than isolate, block or quarantine

• Response includes:
  • Triage / Investigation / Identification
  • Containment
  • Eradication
  • Recovery
  • Lessons Learned

Responses must be modular, repeatable and eventually automatable.

Response has its own processes…

Triage:
• Reviews events, initial correlations
• Close / Ignore false-positives
• Gather required data as requested
• Validate enrichment or conduct manual enrichment
• Assess against runbook processes

Investigate + Respond:
• Reviewing triage data for false positives
• Investigate and validate scope of Informational, Functional and Recovery Impact
• Deep knowledge of tools and data
• Understands adversary actions
• Swivel chair correlates

Manage Incidents:
• Manages Major incidents / Breaches
• Ensures proper threat hunting and scoping
• Creates Detections
• Deep forensics, threat intelligence, malware understanding
• Creates Playbooks and Runbooks


Mapping the Process to Legacy Roles

• Tier 1: Triage (scope: Events)
• Tier 2: Investigate + Respond (scope: Incident)
• Tier 3: Manage Incidents (scope: Breach)

Responsibilities per column are as listed under “Response has its own processes…”.


Without XDR…

• Sam: Triage (scope: Events)
• Remi: Investigate + Respond (scope: Incident)
• Talos CTIR: Manage Incidents (scope: Breach)

Responsibilities per column are as listed under “Response has its own processes…”.


…With XDR

• Sam: Triage
• Sam / Remi: Investigate + Respond (scope: Incident)
• Remi / Talos CTIR: Manage Incidents (scope: Breach)

Triage (Sam):
• Reviews events, initial correlations
• Close / Ignore false-positives
• Gather required data as requested
• Assess against runbook processes
• Validate enrichment or conduct manual enrichment

Investigate + Respond (Sam / Remi):
• Reviewing triage data for false positives
• Investigate and validate scope of Informational, Functional and Recovery Impact
• Assess against runbook processes
• Explains adversary actions
• Deep knowledge of tools and data
• Swivel chair correlates.

Manage Incidents (Remi / Talos CTIR):
• Manages Major incidents / Breaches
• Ensures proper threat hunting and scoping
• Creates Detections
• Deep forensics, threat intelligence, malware understanding
• Creates Playbooks and Runbooks
XDR Response Value

• Decreases Time to complete investigation
• Provides contextual breadcrumbs for investigation
• Reduces swivel chair correlation
• Guided Response Actions as a “playbook”
• Standardizes SOC tasks and methods
• Focuses on SOC outcomes not Integrations, but uses integrations

Learn how to take use cases and turn them into playbooks by attending my tech talk: “How to develop playbooks from a use case” this afternoon.


Investigate and Respond Demo

Review: the "should's" of any XDR

• Should work with your existing tools & not require a lift & shift to a single vendor.
• Should be able to extend the detections without having to store all telemetry & events in its own Data store
• Should enable the junior analyst to perform at a much more senior level
• Should be able to respond quickly without additional configuration
• Should be able to create gap integrations with XDR Automate
• Integrate & work with your SIEM investments without having to replace them.
