Cognitive Threat Analytics: Tech update
Mikael Grotrian, CISSP, CISM, CCSK, GISF, ITIL, PRINCE2, TOGAF Certified
Consulting Systems Engineer, Cyber Security, Denmark
Cognitive Threat Analytics for CWS, WSA, and External Telemetry: Breach Detection & Advanced Threat Visibility
[Architecture diagram]
Input telemetry (Web Access Logs) from:
• Cisco WSA (Web Security Appliance): web security gateways at HQ
• External Telemetry (BlueCoat Security Gateway)
• Cisco CWS (Cloud Web Security): cloud web security gateways
Cisco Cognitive Threat Analytics (CTA) output: Confirmed Threats, Detected Threats, Threat Alerts
Consumers: Incident Response (HQ); STIX / TAXII API; SIEMs (Splunk, ArcSight, QRadar, ...)
Packaging: CTA a-la-carte; ATD bundle = CTA & AMP; WSP bundle = CWS & ATD
Breach Detection: Ransomware (example)
[Timeline: Feb 25, Mar 1, Mar 21, Mar 24, Mar 25, Apr 4]
Events on the timeline:
• CTA detection
• AV removing trojan
• AV signatures updated & trojan removed
• Worm removed by daily scan
• AV removing worm & signatures found outdated
• CryptoLocker confirmed & endpoint sent for reimage
Malware operational for more than 20 days. Threat activity continuously detected by CTA throughout!
CTA presents results in two categories: Confirmed Threats
Confirmed Threats - Threat Campaigns
• Threats spanning across multiple users
• 100% confirmed breaches
• For automated processing leading to fast reimage / remediation
• Contextualized with additional Cisco Collective Security Intelligence
AMP Threat Grid augments CTA reporting
AMP Threat Grid aids forensic work on the endpoint by presenting:
• Associated threat artifacts from AMP Threat Grid, exhibiting network behaviors matching the CONFIRMED CTA threat
• Content security signatures for these associated threat samples globally
• Insights into exactly what a threat is doing (end-point behaviors)
CTA presents results in two categories: Detected Threats
Detected Threats – One-off Threats
• Unique threats detected for individuals
• Suspected threat confidence and risk levels provided
• For semi-automated processing
• Very little or no additional security context exists
Demo
[Diagram: How CTA analyzes a threat. Each HTTP(S) request crossing the web perimeter is scored from several signals: web reputation (Webrep) and AV verdicts (neutral "0", positive "+", negative "-"), domain age (examples shown: 2 weeks, 1 day, 3 hours), Domain Generation Algorithm (DGA) detection, and data tunneling via URL (C&C). Attacker techniques shown as active channels: DGA and C&C.]
CTA analyzing Web Access Logs. Here's an example of how it works.
[Diagram: CTA processing pipeline, near real-time. 10B HTTP(S) requests per day enter the pipeline; +/- 1% is anomalous, giving 10M events per day, which are reduced to 1K-50K incidents per day. Requests pass through multiple classifiers (A, H, K, M, X, Z) and are grouped into clusters (1, 2, 3). Stages: Anomaly Detection, Trust Modeling, Classification, Entity Modeling, Relationship Modeling. Output: CONFIRMED threats (spanning multiple users) and DETECTED threats (unique).]
Detection and analytics engines to identify a variety of malicious activity:
• Data exfiltration: identify anomalous web traffic and pinpoint data breaches with statistical modeling
• Domain Generation Algorithm (DGA): recognize malicious attacks by detecting malicious domain names on each HTTP/HTTPS request
• Exploit Kit: uncover infections through analyzing web requests
• Command and Control (C2) Communication: detect a broad range of threats by distinguishing C2 communication from malicious activity
• Tunneling through HTTP/S requests: distinguish malicious tunneling from HTTP/HTTPS requests through multiple IOCs
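The pipeline the deck describes (per-request classifiers, clustering by destination, then the split into confirmed threats seen from several users and detected threats seen from one), as an added example that is not part of the deck and not Cisco's code. It uses toy lexical DGA, URL-tunneling and domain-age classifiers in place of the statistical engines; the log lines, domain names, domain-age table, weights and thresholds are all constructed assumptions for the example.

```python
"""Toy web-access-log threat pipeline (added example, not Cisco CTA code)."""
import math
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed sample access log: timestamp, user, method, URL, status.
SAMPLE_LOG = """\
2016-03-01T08:00:01Z alice GET http://www.example-news.test/index.html 200
2016-03-01T08:00:05Z alice GET http://qx7vk2zp9lw.test/ 200
2016-03-01T08:00:09Z bob   GET http://qx7vk2zp9lw.test/ 200
2016-03-01T08:00:12Z carol GET http://cdn.example-news.test/logo.png 200
2016-03-01T08:00:15Z bob   GET http://updates.example-sw.test/check?id=1 200
2016-03-01T08:00:20Z dave  GET http://relay.example-cloud.test/api?d=aGVsbG8gd29ybGQgdGhpcyBpcyBhIGxvbmcgYmFzZTY0IGJsb2IgZm9yIGV4ZmlsdHJhdGlvbg== 200
2016-03-01T08:00:25Z erin  GET http://m3k9q2x8wz.test/ 200
"""

# Constructed stand-in for a domain-age feed (WHOIS / passive DNS), in days.
DOMAIN_AGE_DAYS = {
    "relay.example-cloud.test": 14.0,  # 2 weeks
    "qx7vk2zp9lw.test": 3.0 / 24,      # 3 hours
    "m3k9q2x8wz.test": 1.0,            # 1 day
}

B64_RUN = re.compile(r"[A-Za-z0-9+/=]{40,}")  # long base64-looking run
RISK_THRESHOLD = 0.6  # per-request risk needed to enter a cluster (assumed)
INDICATOR_MIN = 0.5   # classifier score needed to count as a fired indicator

def parse_log(text):
    """One request per non-empty line: timestamp user method url status."""
    requests = []
    for line in text.splitlines():
        if line.strip():
            ts, user, method, url, status = line.split()
            requests.append({"ts": ts, "user": user, "url": url,
                             "domain": urlsplit(url).hostname})
    return requests

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(domain):
    parts = domain.split(".")  # a real system would consult the public suffix list
    return parts[-2] if len(parts) >= 2 else domain

def dga_score(domain):
    """Lexical DGA hints: few vowels, many digits, high character entropy."""
    label = registrable_label(domain)
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in "aeiou" for c in letters) / max(len(letters), 1)
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    score = 0.0
    if vowel_ratio < 0.2:
        score += 0.5
    if digit_ratio > 0.2:
        score += 0.3
    if shannon_entropy(label) > 3.25:
        score += 0.2
    return score

def tunneling_score(url):
    """A long base64-looking run in path or query suggests data tunneling via URL."""
    parts = urlsplit(url)
    return 1.0 if B64_RUN.search(parts.path + "?" + parts.query) else 0.0

def domain_age_score(domain):
    """A very young domain is a weak signal; a domain missing from the feed scores 0."""
    age = DOMAIN_AGE_DAYS.get(domain)
    return 0.0 if age is None else 0.5 if age < 7 else 0.2 if age < 30 else 0.0

def score_request(req):
    """Run every classifier on one request; return (total risk, fired indicators)."""
    scores = {"dga": dga_score(req["domain"]),
              "tunneling": tunneling_score(req["url"]),
              "young_domain": domain_age_score(req["domain"])}
    fired = sorted(k for k, v in scores.items() if v >= INDICATOR_MIN)
    return sum(scores.values()), fired

def analyze(log_text):
    """Cluster risky requests by destination and split confirmed vs detected."""
    clusters = defaultdict(lambda: {"users": set(), "indicators": set(), "risk": 0.0})
    for req in parse_log(log_text):
        risk, fired = score_request(req)
        if risk < RISK_THRESHOLD:
            continue  # the bulk of traffic never leaves this stage
        c = clusters[req["domain"]]
        c["users"].add(req["user"])
        c["indicators"].update(fired)
        c["risk"] = max(c["risk"], risk)
    result = {"confirmed": {}, "detected": {}}
    for domain, c in clusters.items():
        bucket = "confirmed" if len(c["users"]) > 1 else "detected"
        result[bucket][domain] = {"users": sorted(c["users"]),
                                  "indicators": sorted(c["indicators"]),
                                  "risk": round(c["risk"], 2)}
    return result

if __name__ == "__main__":
    for bucket, hits in analyze(SAMPLE_LOG).items():
        print(bucket.upper(), hits)
```

On the constructed log, the DGA-looking domain contacted by both alice and bob lands in the confirmed bucket, while erin's single DGA-looking domain and dave's base64-laden request land in detected; everything to the long-lived news and update domains is dropped before clustering. The multi-user rule is what turns a per-request score into campaign-level confidence, which is why the deck treats confirmed threats as candidates for automated remediation and detected threats for semi-automated review.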
With CTA you get…
• Increased Visibility: gain line-of-sight into C2 communication for rapid breach identification
• Anomaly Detection: rapidly identify anomalies in web and network traffic using advanced analysis and modeling
• Reduced Time to Remediation (TTR): receive alerts of confirmed threats