Threat Hunting with Cortex XDR
Jani Haapio
[email protected]
Channel SE
1 | © 2019 Palo Alto Networks. All Rights Reserved.
The world’s leading cybersecurity company
85 of the Fortune 100 rely on Palo Alto Networks
#1 in enterprise security
60,000+ customers in 150+ countries
Revenue trend: 40% CAGR, FY14 ‒ FY18 (chart not reproduced)
63% of the Global 2K are Palo Alto Networks customers
28% year over year revenue growth*
9.1/10 average CSAT score
Q4FY2018. Fiscal year ends July 31
Gartner, Market Share: Enterprise Network Equipment by Market Segment, Worldwide, 1Q18, 14 June 2018
Securing Your Transformed Enterprise
Diagram (not reproduced): three pillars, SECURE THE ENTERPRISE, SECURE THE CLOUD and SECURE THE FUTURE, built around a shared DATA LAKE.
Enterprise and cloud elements shown: Hybrid data center, Internet perimeter, Branch & mobile, 5G & IoT, Endpoint, Secure access, SaaS, Public cloud.
SECURE THE FUTURE: Detection & response, Automation & orchestration, Network traffic & behavioral analytics, Threat intelligence.
Advanced Attacks Require Detection & Response
Known threats | Evasive malware | Zero-day attacks | Fileless attacks
• Targeted attacks
• Low and slow
• Insider threats
99%+ of attacks can be prevented with the right tools across layers
<1% require analysis over time & with machine learning
What Is Threat Hunting?
Manually searching for threats rather than waiting for technology to alert you
Hunt for IoCs: search for known malicious file hashes, IP addresses, other IoCs
Search for Attack Behaviors: look for attacker tactics, techniques and procedures based on news
Hypothesis Driven: driven from a basic understanding or lead from new information
As threats escalate, SecOps is more important than ever
Timeline graphic (not reproduced): breach record counts and annual counts of new malicious programs registered, from the Morris Worm to the present.
1998: Malicious code, Trojans, Worms, Viruses
2004: Identity theft, Phishing, Mobile viruses, Anti-spam
2007: DNS attacks, Botnets, Sabotage, Ransomware
2010: Social engineering, DDoS attacks, Malicious email, Botnets
2013: Banking malware, Keyloggers, Ransomware, Bitcoin wallet
2016: Ransomware, Cryptominer, Certificate attacks, Cloud migration
Present: Cyberwarfare, Fileless attacks, Automated & AI attacks
Also shown on the timeline: SQL attacks, Botnets, Android hacks, S3 buckets, Insider threats
Why security teams struggle
Gaps in Prevention: legacy tools generate too many alerts (174k alerts per week)
Lack of Time: manual tasks across siloed tools take too long (30+ point products)
Limited Context: it takes days to investigate threats (4+ days to complete an investigation)
The reality (and complexity) of security operations
Diagram (not reproduced): NEWS & ALERTS feeding the security operations team.
How SecOps must transform to reduce risk
Axes: EFFICIENCY rises and MTTR/MTTD & RISK fall as maturity moves from Low (Reactive) through Medium to High (Proactive).
Detection: rule-based (Low) / correlated rule-based (Medium) / analytics-based (High)
Context: log aggregation (Low) / siloed data collection (Medium) / integrated rich data (High)
Automation: none (Low) / partial (Medium) / full (High)
Use Case: Endpoint Protection
The Problem: Endpoint infections continue despite best efforts
Legacy Endpoint Security Has Failed: legacy EPPs can’t keep up with advanced threats and burden local systems
Siloed Network & Endpoint Protection: current approaches do not share protections between different parts of the enterprise
Endpoint Detection & Response is Limited: EDR is locked to the endpoint and lacks a solution for unmanaged devices
Best-in-class prevention with Traps
Prevent all malware: high fidelity local detection trained by WildFire
Block exploits: block exploits based on techniques
Analyze suspicious patterns: Behavioral Threat Protection analyzes multiple behaviors together to flag complex attacks
Use Case: Threat Detection
The Problem: Too many false positives and missed attacks
You Can’t Prevent All Attacks: sophisticated attacks & insider abuse can bypass controls
Detection Yields Too Many False Positives: teams waste time and miss threats chasing low-context false positive alerts
Anomaly Detection is not a “Human” Job: detecting anomalies requires analyzing a comprehensive data set
Our Approach: Threat detection
Before (diagram not reproduced): endpoint, cloud and network data each feed their own detection, and a human correlates the results.
After: integrated data from endpoint, cloud and network feeds one detection layer (ML-based behavior analytics plus custom rules) that produces high-signal alerts.
Use Case: Threat Containment
The Problem: Threat containment takes too long
Limited Context Across Multiple Alerts: analysts have to review each alert individually
Investigations Are Highly Manual: teams must manually piece together data from siloed tools & data sources
Finding Root Cause Takes Too Long: by the time you find root cause, the attack has progressed
Our Approach: Investigation & response
Before (diagram not reproduced): separate alerts from EPP, NTA, TI, NGFW and UEBA, starting with a phishing alert.
After: related alerts from NTA, EPP, TI, UEBA and NGFW grouped into Incidents, shown along the process chain Chrome.exe → 7zFM.exe → cmd.exe → powershell.exe → wscript.exe
Stitching of Network (NGFW Logs) and Endpoint Data (Traps Logs)
Investigate in timeline
Determining Root Cause of Security Events
Causality Group: all processes, files, and threads involved as a part of the security event
Chain shown: user clicks on URL in phishing email → default browser is opened → downloads 7zip file → 7zip runs *.pdf.bat file in zip → *.pdf.bat file creates Visual Basic script for Windows script engine → attempts C2 connection
Causality Group Owner (CGO): the process that initiated the chain of events
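As an added example (not code from the deck or from Cortex XDR) of how the two definitions above apply to raw process-start telemetry: walk up from the alerting process until a long-lived system process is reached to find the owner, then collect everything the owner spawned to form the group. The sample events, the BOUNDARY set and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample telemetry, not real Cortex XDR output: one process-start
# event per row, mirroring the phishing chain on the slide.
EVENTS = [
    {"pid": 100, "ppid": 4,   "image": "explorer.exe",   "note": "user shell"},
    {"pid": 210, "ppid": 100, "image": "chrome.exe",     "note": "clicks URL in phishing email"},
    {"pid": 320, "ppid": 210, "image": "7zFM.exe",       "note": "opens downloaded zip"},
    {"pid": 431, "ppid": 320, "image": "cmd.exe",        "note": "runs invoice.pdf.bat"},
    {"pid": 542, "ppid": 431, "image": "powershell.exe", "note": "writes a .vbs file"},
    {"pid": 653, "ppid": 542, "image": "wscript.exe",    "note": "attempts C2 connection"},
    {"pid": 700, "ppid": 100, "image": "notepad.exe",    "note": "unrelated activity"},
]

# Assumption: long-lived system/shell processes are boundaries; the chain
# owner (CGO) is the first process below such a boundary.
BOUNDARY = {"explorer.exe", "services.exe", "svchost.exe", "wininit.exe"}


def index(events):
    """Map pid -> event and ppid -> list of child pids (start order)."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def find_cgo(events, alert_pid):
    """Walk up from the alerting process until the parent is a boundary
    process or unknown; that process is the Causality Group Owner."""
    by_pid, _ = index(events)
    pid = alert_pid
    while True:
        parent = by_pid.get(by_pid[pid]["ppid"])
        if parent is None or parent["image"].lower() in BOUNDARY:
            return pid
        pid = parent["pid"]


def causality_group(events, alert_pid):
    """Return (cgo, pids): the CGO plus every process it transitively spawned."""
    by_pid, children = index(events)
    cgo = find_cgo(events, alert_pid)
    group, stack = [], [cgo]
    while stack:
        pid = stack.pop()
        group.append(pid)
        stack.extend(reversed(children[pid]))  # depth-first, start order
    return cgo, group
```

Run against the wscript.exe alert (pid 653), the group is the five-process chain starting at chrome.exe, and the unrelated notepad.exe is excluded even though it shares the same parent shell.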
Integrated response via live terminal
Key Differentiators: Find advanced attacks with analytics
Full Visibility To Detect Complex Threats: eliminate blind spots across network, endpoint, and cloud
Industry-leading Attack Coverage: detect the most attack techniques according to MITRE ATT&CK evaluations
Patented Behavioral Analytics Technology: find hidden threats with Machine Learning running across all data
MITRE ATT&CK – ATTACK TECHNIQUES COVERAGE
MITRE ATT&CK – REAL TIME ALERTS
Use Case: Threat Hunting
Create your queries
Create your own Behavioral Indicators Of Compromise
The industry's best security data asset
Cortex XDR
Cortex Data Lake
Network Endpoint Cloud
Cortex XDR Capabilities
Rich data collection | Behavioral analytics and machine learning | Custom rules based on behaviors and IOCs
Root cause analysis | Threat hunting | Integrated response
Cortex XDR Makes Detection & Response Accessible to All Analysts
Reduce risk of data breach: cut detection & response times
Increase security operations efficiency: reduce alert fatigue & turnover
Maximize detection & response investments: lower TCO by 44%
Thank You
paloaltonetworks.com
Email: [email protected]
Twitter: @PaloAltoNtwks