Executive Summary
The Team
Team Leaders: Christian Clasen, Shaun Coulter
Core Infrastructure and Threat Hunting: Freddy Bello, Luke Hebdich, Justin Murphy, Ryan MacLennan, Adi Sankar, Dinkar Sharma
Threat Hunting: Cam Dunn, Jaki Hasan, Darren Lynn, Ricky Mok, Sandeep Yadav
Build and Operation: Ryan MacLennan, Aditya Sankar, Dinkar Sharma
SOC Architecture
Cisco has a history of providing security services to events such as Black Hat, the RSA Conference, the Super Bowl and the Olympic Games. These services combine products such as Umbrella, XDR and Malware Analytics with skilled SOC analysts who build and operate the infrastructure used to hunt for threats on the event network. This year, a team was assembled to support the Cisco Live Melbourne 2023 conference. This report summarizes the design, deployment and operation of the network, and the notable findings from three days of threat hunting.
Security Operations Centers (SOCs) require multiple products to detect threats efficiently. Integrating products such as Secure Network Analytics, Firepower Threat Defense, Firewall Management Center and others was crucial for data enrichment and accurate detections, and deploying them, both on-premises and as SaaS, was essential to the success of the SOC.
Cisco Secure Access Enables ZTNA for SOC Admins
Security operators need privileged access to specific network resources to carry out their tasks effectively. Traditional remote-access VPN solutions have been used for this purpose, but Zero Trust Access (ZTA) solutions provide a more transparent and efficient way to give SOC analysts the access they need without compromising security. Cisco Secure Access was used at the Cisco Live Melbourne SOC to provide ZTA, enabling analysts to manage infrastructure and hunt threats from anywhere.
ZTA offers several benefits over traditional VPN solutions: per-application authentication and posture checks, granular access control and logging, and secure connectivity from anywhere. Deploying it involved setting up a back-haul connection between the SOC infrastructure and Cisco Secure Access: a virtual router in the SOC terminated IPsec tunnels to Secure Access, so that analysts' per-application sessions could reach the on-prem tools without exposing the SOC network to the Internet.
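As an added illustration, not configuration from the Cisco Live SOC or from Cisco's own documentation, the following is what the back-haul described above looks like on an IOS-XE virtual router such as a Catalyst 8000V: an IKEv2/IPsec virtual tunnel interface pointed at a Secure Access headend. It assumes the Secure Access side terminates an IKEv2 tunnel authenticated by pre-shared key and identifies the tunnel by an e-mail-style ID; the peer address (203.0.113.10), tunnel ID, pre-shared key, interface names, tunnel addressing and the 100.64.0.0/10 range are placeholders to be replaced with values from your own Secure Access dashboard.

```text
! Placeholder values (assumptions): replace the peer address, tunnel ID,
! pre-shared key, interface names and routed ranges with those from your
! own Secure Access deployment.
!
crypto ikev2 proposal SSE-PROPOSAL
 encryption aes-gcm-256
 prf sha256
 group 19
!
crypto ikev2 policy SSE-POLICY
 proposal SSE-PROPOSAL
!
crypto ikev2 keyring SSE-KEYRING
 peer SSE
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-TUNNEL-PSK
!
crypto ikev2 profile SSE-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 identity local email soc-backhaul@example.sse.cisco.com
 authentication remote pre-share
 authentication local pre-share
 keyring local SSE-KEYRING
 dpd 10 3 on-demand
!
crypto ipsec transform-set SSE-TS esp-gcm 256
 mode tunnel
!
crypto ipsec profile SSE-IPSEC
 set transform-set SSE-TS
 set ikev2-profile SSE-PROFILE
!
! Route-based VTI: traffic is selected by routing, not by crypto ACLs.
interface Tunnel100
 description Back-haul to Cisco Secure Access
 ip address 169.254.100.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile SSE-IPSEC
!
! Return route for traffic that Secure Access sources into the SOC on behalf
! of authenticated users (placeholder range; take the real one from the dashboard).
ip route 100.64.0.0 255.192.0.0 Tunnel100
```

Verify the tunnel with `show crypto ikev2 sa` and `show crypto ipsec sa`, then confirm that only Secure Access's source range is routed into Tunnel100 and that the SOC's internal ranges are advertised to Secure Access as the resources behind the tunnel. The tunnel is transport only: the zero-trust decisions (per-application authentication, posture checks, logging) are made in Secure Access, so the SOC side should still treat traffic arriving over the tunnel as coming from an identity-aware proxy, not as a trusted flat network, and keep its own firewall policy in front of the management tools.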
Powering XDR with the Cisco Secure Portfolio
XDR is only as effective as the underlying security controls that feed it. Cisco XDR at Cisco Live Melbourne was powered by integrations with various Cisco and third-party tools. Integrating Nexus Data Broker, Secure Network Analytics and Secure Firewall gave deep visibility into network traffic and extended XDR's detection and investigation capabilities. Security Services Exchange brokered communication between XDR and the Firewall Management Center, so that analysts could query firewall alerts directly from XDR during investigations.