Firepower Management Center Overview

Captions
Thanks everybody for joining us today. Today our presentation and demo is mainly focusing on Firepower Management Center, so we're going to take a deeper dive into the capabilities of Firepower Management Center. My name is 15 Ambani, I'm a Technical Marketing Engineer for next-gen firewall here at Cisco Security, and I'll be walking you through the demo as well.

Before I jump into the demo, and we know we have a wide audience, I just wanted to cover a little bit and give you an overview of why we're going for Firepower Management Center. If you've known Cisco for a while, we have a wide range of platforms, all the way from something that fits in a small SMB environment up to the data center, with a wide range of throughputs that you can pick from. What we recently released are our new Firepower appliances, the 2100 series, which is the latest and greatest, and we have the 4100 and 9300 series. This hardware runs, if you know our software, our ASA as well as what we call our converged software, FTD, or next-gen firewall. From the software perspective, to give you an idea, if you've known Cisco in the past, Cisco had ASA, which was a stateful firewall, and then as we acquired Sourcefire and got the capabilities of next-gen firewall, next-gen IPS and Advanced Malware Protection, all those capabilities were integrated with ASA, and what we have today is what we call our converged software, or the Firepower Threat Defense software. Why I wanted to bring this up before I jump into the Firepower Management Center demo is mainly to answer the question of what Firepower Management Center manages as well.

Before I jump into that, I want to give you a few management options that you have in place for managing the various software that we have running on the hardware I just spoke about. From the perspective of the unified management approach that we're taking to manage next-gen firewall, we've recently launched, in our 6.1 release, Firepower Device Manager. Firepower Device Manager is an on-box management tool; it sits on the device, is especially focused on our low and mid-range ASAs, and is an easy way to get set up. It has some initial workflows in place that guide you through common security settings and policies to help you get set up and running quickly. Then on the right-hand side, what I show here is our Cisco Defense Orchestrator, which is a cloud-based centralized policy management console. It runs in the cloud, there is no on-premise version, and it centrally manages your policy, such as your ASA rule sets, your Firepower policies if you were running ASA with Firepower Services, and even OpenDNS policies. If you wanted consistent policies and objects across your different types of devices, this is a cloud-based management console that you can use.

But our focus today, and what we are going to see in the demo, is Firepower Management Center. Firepower Management Center is a more comprehensive on-premise console, available in a virtual form factor as well, which helps you not only with your configuration management but also entails device management, event and image management, as well as built-in analysis. So it has great power, and it also helps integration with what we call our Cisco infrastructure. We integrate with the Advanced Malware Protection cloud environment as well as on-premise, with our Threat Grid dynamic file sandboxing environment, which again has a cloud and an on-premise version, and with Cisco Identity Services Engine. If you were to use ISE to classify your environment, from the perspective of that classification we can do much more granular control in Firepower Management Center, and we'll see this in the demo as well. In essence, Firepower Management Center is a multi-domain management console with very granular role-based access control that manages your firewall, next-gen
firewall, next-gen IPS, Advanced Malware Protection, all these capabilities in one centralized console. It also comes with APIs for automation and integration with other third-party applications, as well as Cisco integrations like pxGrid. It has Firepower capabilities built in, and if you've heard of our research organization, which is called Talos, it gets all the security intelligence and threat intelligence based on the research done at Talos, which is continuously kept updated in your environment if you subscribe to these services. So it controls access and sets policies, helps with threat response, auto-correlation and impact analysis, as well as helping you investigate incidents, and we'll walk through some of these use cases during the demo as we move forward.

With that, one thing to understand before we get into the demo is what FMC manages. FMC manages anything with Firepower. If you have a Cisco Firepower Threat Defense image running on your latest and greatest Firepower series appliances, it manages the Firepower Threat Defense software; if you had Firepower Threat Defense running on ASA 5500-X appliances, then it manages that as well; and if you had Firepower Services running on any of your ASAs, including the 5585-X series, or any of the legacy Cisco Firepower NGIPS-only appliances, then it manages that as well. Hopefully that's clear on what we're talking about with Firepower Management Center, and with that I will be jumping into the demo.

What you see here is my Firepower Management Center console. It's sort of divided into tabs and drop-downs: on the left, more of the control actions that are firewall in nature, and on the right, more in terms of system configuration and integrations, basic system monitoring and health monitoring of these devices, each with some tools. In the structure you see at the bottom over here, you will notice that I have my devices, which are the firewalls, divided into separate domains. As you can see, I have a top-level domain and then a further hierarchy under that, up to three levels of domain hierarchy within that. From here itself, if you were running your 4100 series or 9300 series in a clustering mode, you can manage your cluster, or if you were running these in a high availability mode, active/standby, you can manage your high availability configuration also from here. Once I have my devices imported into the domain environment, notice that the devices actually live in the leaf domain, and as a global admin I can quickly switch between the domains in which the devices are managed. To create these domains you go to System > Domains and create the configuration, and beyond that, if you want to further establish role-based access control over who can access that domain, or create some local domain users, you can go to Users and create the domain users for that particular domain from the user console.

We're going to talk more in terms of users and user activity, but before I jump on to that, let's take a look at what we can do in terms of device management. Under my devices, notice that if I try to edit one of these devices from here, it's going to take me to the domain in which the device lives, so I have to switch my domain to go into that particular device. From the device perspective, this is where you're going to do any device-specific configuration, so you can see an overview of your device, your licensing, your system-level configuration settings, what health policy is assigned to it, and the management. Similarly, you can go into Interfaces and configure your device's physical interfaces, and notice your device will be running in terms of
either routed or transparent mode, but on your interfaces you also have the option to run in passive mode, if you just wanted to run it off a SPAN port, or you can run it in inline mode with an inline set configuration. If you were to configure any routing for the device, you would come under the Routing tab here and do the configuration, whether you wanted to do static routing or dynamic routing. We support various dynamic routing protocols, as you see here, such as OSPF and BGP; multicast is even supported, etc.

If you're coming from the ASA world and you wanted to do stateful firewall NAT configuration on the device, you will go to our NAT policy and create a new NAT policy, or edit or view this one. I created this NAT policy when I was a global admin, so from my local admin location, if you notice, I can view the NAT policy but not edit it. You can see this is our NAT configuration: you can edit it, you can change it, you can see it. From that perspective we pretty much covered everything that was supported on the ASA side of things on our next-gen firewall, or the Firepower Threat Defense image: you can create your manual or auto NAT from here, you can do dynamic or static NAT configuration, etc. Similarly for VPN, we already support and have added support for site-to-site VPN, and in our latest release, 6.2.1, which was posted just two days ago, we have remote access VPN support for our 2100 platforms out there. From the QoS or rate limiting perspective, you can create your policies, the QoS policy, here. You're able to create your rules for the QoS policy based on different criteria, not only just the five-tuple that we're used to but also based on users and applications. So if you want to limit applications such as multimedia and have a limit on how much your download/upload speed could be, you can configure all that from the QoS policy page and so forth.

After you've done most of the device-level settings, the next obvious step is your access control policies. You can go into Policies > Access Control, and for convenience I have it open already, and we'll walk you through this step by step. In access control, notice the structure that you see here is because we support what we call policy inheritance. With policy inheritance, you'll notice that an admin can have a global access control policy which is common company-wide or organization-wide, but at the same time, for certain devices, you can have your local policy or local rules for that particular local firewall. By the way, this can be leveraged in terms of domains as well, so you can have a global policy at the global domain level and then you can have your local policies at your local domain level as well. You can notice, if I try to edit one of these, that the global policy almost acts as a wrapper around it.

Before I jump into editing one of these policies, another concept that really helps reuse of these policies and rules across your organization is objects, with the capability of doing object overrides. So before I jump into editing this policy, let's walk through what we call object overrides. I'm going to open my object screen in just a minute, and you will see that I have a bunch of objects defined here, for example network objects. One of these over here, you see test2, which is showing that I have an override of one. How an override helps in this case is mainly this: if I try to edit this, you will notice that I can go ahead here and say that test2 is my object that I want to use across most of the devices or firewalls that are deployed organization-wide, but on one particular firewall this same object, which in my case is test2, or you could call it something like the database server,
has a different value. Which means organization-wide the content of that object is, say, a certain IP address A, but on this particular device, which I have somewhere else in my environment, the content of the object differs, and I can define that here. In my rule and policy I simply use this name, test2, and when the policy is pushed to the devices, to firewall A it's going to push this value, and to firewall B a different content. What it enables is really helping you reuse those rules or policies across the various firewalls in your environment without making different policies for them.

Now let's go ahead and edit one of these policies. Notice we can add a rule, and this is a unified access control policy screen; all the other policies that augment this particular unified access control policy can be defined in one of these drop-downs. So for example, we give you some default options for IPS policy, which you can see when you're editing one of these rules or the default action. Here you see we give you these four IPS policy options, but if you wanted to create any user-created IPS policy such as these, you can go ahead through your IPS policy screen and create one. One of the key features that we provide you with IPS policy is Firepower Recommendations. You will notice that when you're editing an IPS policy, you can go into one of these capabilities and say I want to generate Firepower recommendations. What this essentially does is, when your system is running in your environment, we can discover your network topology. If you have network discovery turned on, we will passively discover what the different hosts are that run in your network, what servers they are running, what operating system is running on the box, and based on that we're able to point out what some of the signatures are that we recommend you turn on in your environment. Of course there are a bunch of rules here that you get with every update from Talos, but at the same time you can say, OK, I want to see what out of this is relevant to my environment and use that in my IPS policy. So you can generate Firepower recommendations and use those, and on top of that you can make your own changes as well.

Similarly for malware and file, we expect that you create a rule set in a malware and file policy to either do file type protection, or a cloud lookup, or be able to actually take action on malware that might be coming into your network. DNS policy, or DNS protection, is something we added with 6.0, and this sort of becomes a first line of defense, where you can block based on our DNS protection or security intelligence. The capability we've added for our DNS protection here is something we call sinkholing. In essence you can define a sinkhole object, and the way the DNS protection would work is: if an end host in your organization tries to go to a bad domain and we detect that it's a bad domain, you can define a policy to sinkhole that particular request. The next time that particular host tries to reach the domain, it's going to actually go through the sinkhole, and that's how we can mark it as an indication of compromise on that host, once we've confirmed that it is essentially making a request to a bad domain. Then we also have identity policy, which is mainly your authentication. You can do active or passive authentication using an identity policy, and this is where you define whether you want to authenticate using Cisco Identity Services Engine, or we also have support for the Firepower User Agent that is available with Firepower. Similarly for SSL decryption: if you wanted to do any
decryption of HTTPS traffic, for example, you can define your rules as to which traffic you want to decrypt and which traffic you do not, and if you wanted to exempt things such as financial applications from being decrypted, all that kind of control you can define in your SSL policy.

Prefilter: this is a new capability which was essentially added because, when we brought ASA and Firepower together, calling it the Firepower Threat Defense image, there was an architectural change specifically made for that purpose, and that's where we've introduced our prefilter policies. The key advantage of a prefilter policy is, if you had some high-volume traffic running into your network which you completely, one hundred percent trust, and you don't want to apply any of the advanced inspections that would be applied in our access control or our Snort engine, then you can define that traffic in a prefilter fastpath rule. The other advantage you get with our prefilter policies is tunnel rules. What you can do with tunnel rules is, if you remember from the ASA world, we could look at the outer header of the packet and apply inspection and policy to that, whereas on Firepower we used to look at the inner header of the packet and apply the general policy to the tunnel. But now, with the prefilter, you can do that and apply your outer header control, as well as, in access control, do the inner header control. In essence we brought the best of both worlds together into one management console to be able to apply to this next-gen firewall. You can also use prefilter for applying control on a tunnel protocol.

Once we've defined all of that, we go back to access control as we were looking at before, and this is where you bring all these pieces together. You can see, for traffic heading into this access control policy, notice my prefilter here, my SSL policy, and here is my identity policy. Along with that we have all the security intelligence, which is our first line of defense, coming from Talos, and then our blacklist or whitelist here, and notice this is for network and URL, and when we talk about our DNS protection policy, that gets applied here as well. So this one becomes our first line of defense; this will be hit first. Once you get past that and the traffic traverses your rule set, notice that if I edit one of these rules and show you, you can apply the following constraints on your traffic traversing the rule set. You can do this rule based on everything from layer 2 to layer 7 as well as other attributes. So you have your VLANs, your networks, your zones; as well, if you have Active Directory integrated, you can do it based on users and user groups; and applications, so you have application visibility and control. Notice you can quickly search through here if you want to apply based on applications. You can say I want maybe all these HTTP applications, or be more specific as to which HTTP application, or you can even do something like Facebook. If you wanted to block Facebook, notice we have granular controls on Facebook as a whole versus something like Facebook Chat or Facebook Messenger and other things like that. Of course, if you wanted to be more specific, say you want to be compliant and only allow HTTP on port 80 or HTTPS on port 443, or something like that, you can be more specific and granular in terms of ports. For URLs, you can apply policies based on URL, URL category and reputation. Notice I can search here; if I wanted to apply a policy to block gambling, I would just search here for gambling, and when I select that it gives me an option to pick reputation. Or I can just go here and search for a URL that might be coming in from intelligence, or create my own by entering a URL
at this point, so I could say I want to block a particular site, for instance. Those are the capabilities of that. Now, with the integration with Cisco Identity Services Engine, which is a very key integration for us, you can get a lot more information for traffic classification from ISE. Notice the three key attributes that we get from ISE are: Security Group Tag, so you can see that ISE is able to classify endpoints' traffic with an SGT, and then we can use that over here to apply very granular control; similarly we get device types, so it's able to classify devices and now we can apply policies based on device type; and location IP, which is the switch location, the 802.1X location behind which the traffic is coming from. What you can essentially do with ISE is granularize the control. I can say that if my HR user is logging in from some BYOD device, I block access to certain finance networks, or I can say only if my HR user is logged in from his laptop or his desktop do I want to allow him access to a particular application. So it makes it very granular how I can apply policies by using either security group tags or device types coming in from ISE. That's all the control that you can apply in your environment.

Once you've applied these controls, if there was any permitted traffic, if you were to say the traffic is allowed into your network, then you can say I want to apply the IPS or file policies under Inspection. From Inspection you can pick your IPS policy, and that could be the system-provided IPS policy or the user-created IPS policy that we just talked about, and again for the file policy you could create a file policy and define what files you want to inspect, the file types, whether you want to turn on dynamic file analysis, and we'll look at that analysis in a few minutes, and define that for your traffic. Once you've saved this into your access control rule, that's how it will be applied.

Notice that you do see a wrapper here, and this is because of policy inheritance: if there were any rules in the global policy, or the top level of the policy hierarchy, you would see them in the Mandatory section or the Default section over here. The reason we have by default the Mandatory and the Default sections is to enable the user to do two things. If somebody at the global admin level wanted to definitely enforce certain rules company-wide, he would put the rules in this global policy's Mandatory section; that way, when the traffic is traversing your device, the rules are applied top to bottom, and the rules in this Mandatory section will be enforced. Versus if I, as the global admin, wanted to give the local admin a little bit of flexibility, where the rules still apply but he has the capability to override those rules for a certain period of time or so, I could go ahead and add the rule in the Default section. That way, if say for example ICMP debugging was blocked company-wide, but for some reason he wanted to just turn it on and debug something in that local branch office, he could always add a rule in his own Mandatory or Default section temporarily and be able to override what was written in the global Default section. That's why we have Mandatory and Default. You also have the flexibility to go ahead and create your own categories and customize the categories for your own requirements. As well, we have something called Show Rule Conflicts. When you turn on Show Rule Conflicts, what we show is, if there were any rules that were redundant or shadowed, there will be an exclamation mark next to the rule which will show you if those rules were redundant or shadowed, which means it's never going to be hit, or whether it's
already part of another rule. You can define all those controls from here, and if you turn on logging here, this will log your events into one of these Analysis event tabs, and we'll walk through that in just a minute. Default action: again, if the traffic doesn't hit any of the rules, you pick your default action. For a firewall you're most likely going to do a block, versus if you're running this as an IPS, you're going to pick an IPS policy, or a balanced or a base policy. That's all about how the control side of things comes together.

I know I talked about ISE, and I wanted to talk about one more thing regarding ISE, which is that it's a two-way street. When we integrate with ISE, we get information from ISE, so we get the information that we just saw in our control tiers from ISE, and we also get it when ISE authenticates the user. What you'll see essentially is information on user activity. Let me just go to the user activity screen here; notice under Users > User Activity and Users, you'll see all the information of the users logged in and all the attributes that are gathered. What we can also do from Firepower Management Center is tell ISE to remediate a particular endpoint if we determine that there's some malicious activity going on with that endpoint, and you can do this from our correlation policies and the pxGrid remediation module. If you notice under Actions here, you can see we have the remediation modules, and one of the remediation modules is pxGrid. This is a system-provided remediation module, and it integrates Firepower Management Center with ISE to tell it that we want to either quarantine, un-quarantine, or shut down the port that's connected to the endpoint. The way the correlation policy looks, you'll notice if you go ahead and create the policy and a rule underneath it; for example, see my remediation policy here, and if I try to edit this, you will notice that you can create multiple rules and tie various responses to them. The response could be a quarantine of the source, or the quarantine of the destination, based on what the rule matches. Your rule matching can get really granular, and by the way, the correlation policy does not only mean integration with ISE; you can perform various other alerts and actions also based on the correlation policy. It also helps you reduce false positives in an environment if you were to create more granular rule matching.

So for example I could say I want to create a rule for my correlation policy, and notice that we have various options. We can select the type of event: for example, if an intrusion event occurs and it meets the following conditions, and you can add a condition or add a complex condition. If I'm protecting some critical networks, or I have some impact flags of one, and we'll talk about impact flags in just a minute, or we have a subnet that we want to protect, we can pretty much specify the destination IPs, or a given subnet, and be able to create a much more granular rule which specifies on what qualification you want to generate a correlation event and take an action on that. This is a very key differentiator for Firepower Management Center. The correlation engine helps you with a lot of things: reduce false positives, integrate with ISE and remediate with ISE. There are other remediation modules that the community maintains, and you can use those as well from the correlation policy. So the correlation engine really helps with granular control on what action you want to take with your device, or on your endpoint for that matter. Once an event hits the correlation policy, like any other event you will see a correlation event generated. But notice, if you see any of the other events, for
example a connection event, that's like a dumping ground with all the possible connection events, whereas with correlation events you're making it more specific, to only alert or event on something very specific or critical in your environment. Now that you have this correlation event, you can trigger the responses that we had created under Actions to tell ISE whether you want to quarantine that endpoint or un-quarantine that endpoint. Similarly, you can do it on any other types of events: connection events, IPS events, malware events, any of these. Based on events, you can generate a trigger, or a correlation event, with the different conditions, and traffic profiles as well.

One of the other key things that we want to talk about today is: once you have everything set up, traffic is running into the network, everything is going great, what is the next thing you do when you're monitoring these boxes? It is monitoring and reporting, right? From the monitoring and reporting perspective, we have really two main things that I want to point out. One is our Context Explorer. Context Explorer is a one-stop place, a one-stop shop as we call it, which gives you an overview of what's happening in your network in a defined time period; you define the time period from here, it could be the last one hour, six hours, even a year. What you'll see here is more granular information about what's going on overall in your environment. You see we have traffic and intrusion events over time, and then we also have indications of compromise, so you can notice we have what we call impact 1 intrusion events or impact 2 intrusion events that were detected, file transfers, and you'll also see the hosts. The great point is, from here itself I can simply click on one of these items and do a lot more from here. So if I know that this particular indication of compromise on this host is critical, I can blacklist that particular host from doing anything going forward, I can even whitelist it if I know that I don't need to worry about this host, or I can view the host information. This is what we've collected over the period while the traffic's running passively through your network; we build what we call the host profile.

The host profile gives you very detailed information on the particular host: what device it is, the hold time, when it was last seen, who is the current user, the different indications of compromise, which operating systems it's running, what applications, the user history, the attributes and host criticality, the host protocols, whitelist violations, any other malware detections that happened on this particular host, and because we know all the information, we also know what the vulnerabilities are for that host. So this really helps give you a picture of what your host looks like in your environment and how you want to go ahead and patch it, fix it, and mitigate it. From here itself, if you want to drill more into the details, you can go to connection events, intrusion events, file events, malware events for that particular host. If you want to make some changes, you can take an action from here by editing the operating system if it's not quite right, or something more customized that you want to do, or change the host criticality. A lot of times you want to do this if you want to say this is one of my critical hosts, so next time, in the event of an attack, I can create a correlation rule to trigger on this particular criticality. You can get that kind of control from here.

The next block here you see is network information, and like we mentioned, we've learned all this passively and collected all this information: the operating systems, traffic by source IP,
destination IP by cells by axis control and itself application protocols again you can see most of your traffic by X within applications IPS by the skin applications and all into these charts you can even change the chart to go to client application or web application from there and get more of a different view if you want to do that the other thing you can do is if you can switch between the business element versus risky applications you can switch this graph as well from ship similarly for Security Intelligence you can do by category society or destinations and get more information from there and also intrusion in it now when we say we capitalized intrusion event syndrome fact levels will essentially helping you do other correlation based on what we know from your network and what kind of attack we see and happening for this malicious activity so for example if you were running in Apache web server in your environment and then attack was against in Apache web server we will tag it as an impact one attack or impact one bill in fact one event versus if you were running and a pass you by server and attack was against AI on is web server which you should have the service running but not the exact service we would call it an impact to attack in your control further you know you know how to prioritize the database on what you're looking at in terms of impact levels so we hope you know we have the sauce or enough to basically be able to prioritize the day-to-day activities just like looking into or monitoring from the content exploded as well and then of course you have by priority by target zones etc on event details as well similarly for file if we would monitoring files and tracking files and running is integrated with advanced malware protection cloud or on-premise device which has all the intelligence whether the file is knowing malware or unknown or clean as well as other detection the or running it in our sandbox the environment we would get a disposition from 
our apps well and you can see that from your in terms of the top view chart and the host and the host receiving those files and sending file so quickly at a glance you can see an hour Oliver was detected in choosing that file and how many hosts of see that file from here as well amenities like geolocation we do have geolocation updates that are provided to us by the subscription and URL updates also provided to us by subscription and in track based on geolocation and shut up now this is to give you a you know from the monitoring perspective once users get to this the next step obviously is our dashboard and reporting so we do have a bunch of - both notice the one that I'm showing you here is not all system provided you probably get about nine or ten meters in provided dashboard but you can go ahead and create your own custom dashboard from this management screen so you can click on management here and from the spheres you can either copy in existing dashboard and then edit it or you can simply create your own - hold so it's a very custom environment you can go ahead and turn the create a dashboard and notice you can say on the copy an existing - also if you were to shape copy like somebody dashboard for instance give it the name changes see how many times you can change it and all the information and create a custom dashboard and that gets synced on to the same overview tab super example you create this custom dashboard now once you created the custom dashboard you can go ahead and edit these widgets you can you know if you don't want something you can just delete it and it will edit that which particular - go to custom dashboard or you can even move these widgets around so you can you know move the widgets around into different apps you can close the bridges and things like that the custom widgets that we provide you also are really configurable if you can see from here you can define which options you want the six pick from and also this table that you defined to 
pick your widget or you know how you want to you want to define your widgets based on is customizable so we do have custom book those and custom tables that you can create and then use that as part of your custom dashboards so you can basically customize everything you own the monitors as per what is required in your environment and the cool buttons is once you've done all this one is it easy on this any of this can be converted into a report so just like once you created the dashboards that fits your environment you can simply go to this report designer and when you click on this report designer it's going to take you to a way that you can save this particular template you can save the particular template as a reporting template you can even generate a report directly from it as well so very easy to go from custom dashboard to a custom reporting with especially you know personalized for your environment so if you want to do an executive reporting this is a great tool to go in and create an executive reporting control for your executives now if we stay on reporting for just a minute we also do provide a bunch of templates for reporting so if I just go to reporting in general and not to the custom reporting by the way your custom report what we see is that you can view and uh if you open this you'll see how it looks like in the format setup stages in each Emma now the other thing I wanted to point about is the reporting templates that we were just talking about and I'll show you the report in jessamine along with all the others reporting templates what we have is we also provide it called risk reports so this is something which was integrated recently into the product this is also a very great way to provide executive summary to your to a high level and it's comes in three different formats this is an advanced malware is report based on attacks in within your network or in your environment based on idea as well ask your network risk report so that's based on what 
we've learned from your network what are the vulnerabilities what are the risky the applications on all that information goes in these attacks and so this is another way to do reporting and then along with all the other templates that we've created custom report is what we just talked about creating from a dashboard for instance and the custom report will have everything that we've just saved on from the dashboard so as you can see already good and customized personalized experience for dashboard and reporting now let me take a step further into analytics now if you weren't in the if you were to monitor from RSA one of the dashboard right for instance we were um in the summary dashboard and if you wanted to just know if you were to sell for analysis person monitoring from our somebody Banjos and you see it a new threat activity according into for some reason say let's pick malware but it's been so videos right notice that from here itself I can pretty much say oh I see a new malware coming to an increase in number I can open in context exodor what happens when you open this in context explorers is your entire content Explorer gets freaked out based on that particular threatening or malware spreader we just track and this gives so the cool part is of consequence who has this capability of getting filtered and providing context and information on only what you're looking at at this point so it will give you you know everything that happened in your environment tied to that trick the traffic the the different host that is seen that can affect the destination society of that traffic the application that was used for that particular type of traffic and the final information assume what was the threatening whether it was the malware what are the top file names that are tight shoe that particular threatening because that name is what we're giving you the host sending in the C windows file the different file types and you know the countries that we've seen file ascending 
those files on a hyper event and the URL information so you saw this context sort of automatically gets filtered providing contextual information around what we wanted to drill into analytics now from here onwards I can say okay I want to go further into this particular threat or malware and I can just say click on this and click on this integral into analysis what this essentially was open is one of our eventing tab which is the files malware event tab but filter that again with the search constraint of that particular thread it gives you a list of files of what are tied to that particular malware and the sha-256 of the file which will you basically choose squarely on amp cloud so squaring our our cloud is what gives you the disposition back based on the shaft in 56 the file type the file cam gives you all that information and if you see anything that's like a red circle here means it's a malware and you want to click to view the file selection now if I click this to view the file trajectory what it essentially opens is a network file trajectory for that show now this is another very great integrative tool in our Management Center just by looking at this tool you can trajectory you can see the Dome of the host or you know the patient zero where the hosts are where the file enters the network and how the file has traveled from that host to the other so forth which are the different files of the scene in for that different force that they have seen this file and basically gives you a view of which whole host in your environment could be compromised because of this file the different file types and gives you more further details into events yours now this is demo data so I have known malware in the file transfers I like from one host to the other but if you if this was a reloading malware and just keep an eye on the notations that you see here because that becomes essential if this was say for example zero they unknown malware you would see something like that for 
the host entering the network and the fire traverses you know maybe we don't know on day 1 day 2 that this is malware but because we're query against the amp cloud and we have something called continue spreading and retrospection built into an amp environment what essentially is happening is we keep that file even though it's clean in our query list and if for some reason or some other organization finds out that this particular file is now malicious the App Cloud is updated our Dallas's updated and if you were using that the next time due to your environment tries to query for that file we will get a new distribution from our with a set your special retrospection event saying hey the disposition of this file is now changed to malware and I'm going to fight map this file as a malware and all the hosts that have seen the file you'll see a red a circle there on all those files when you get the retrospection event and all these holes that have seen that file we month as an indication of compromise so right from this view you can get all the information that you need to go and take in corrective action on which folks and how and which ones have seen that malware and the different file size have seen and so forth now if you were to use and for endpoints because we do have answered endpoints that is available for the end point and the end point was also talking to the amp cloud and they realized that the file has changed this position Jammal where we would go and quarantine that particular file on the endpoint and you will see and quarantine event from the perspective of campaign point you know come back into file management center so far the management center also integrates with amp and hound for endpoints to join that that particular file was quarantined on that endpoint and you hate yourself file an FIR endpoint event so you could have created a correlation positive to say hey the malware was detected and it was generated by fire and for endpoint then I want to tell 
is to quarantine that particular endpoint so you can close the loop on how you take an action all the way from detection prevention to detection to closing the loops and in and completely automated fashion now right here on this trajectory if we see we also see something called a thread score now what is this fresco the thread course is something that we define in terms of low medium high very high and it is returned if you run this file through our sandboxing environment so if you have dynamic file analysis checked on your file policy we will submit this file for running in high sandbox environment and we will get a score from them in terms of low medium high very high into fire power management center and notice we by just clicking on these circles here it opens what we call the dynamics file and our somebody reviews you an idea of the very stretch and artifacts that are trying to defile the behavior of the file the process that tree of what how the file is executed in arts and boxing environment and along with all this you can if you are really curious to see what's happening internet grid on the cloud site photo you can do view full report and be able to come this was open basically our sacred portal which is a much more detailed analysis report on that particular file since can you give you your behavioral indicators your you know traffic streams the processes the artifact the registry information is anything with tweet there all this great information that you can learn from you know this is what everyone is called a kind of ransomware attack or a particular known information that you can just short from if you have a threat grid account you can even log in in search based on any of these so categories that you mention over here now talking about it we were talking more in terms of file perspective and how we can do driven intersection for malware and you know with our integration with alpha sacred and I'm for the endpoints but at the same time one of the 
very key features that time with our threat detection or ICS is also because of our snort engine and IPS policy so symphony does how you can get a high-level view as well as drilling to analytics for file you can get a high-level you and live into analytics for idea you could have started from your you know dashboard or context X go to which one whichever one your Union monitoring and driven to analysis which would take you to this IPS events or IPS screen you can further driven to analysis by going from here to data tableview or by just click and here the table view gives you a little more detailed information on what the particular events or the signature match was look like and it will give you information on a lot more information than Jesus on the impact level that is don't student the source and destination the message all the page information about that particular obvious match or signature list you got into your environment and from here if you were more curious and wanted to really see what happened in store or what John what is that was triggered you can click on the download arrow or if you were to track one particular event or you can even go to the packet level from here which will give you the backdoor information for all that all of these immense joy seeing and when she triggers into that you can drill almost at the packet level for that particular event you can even see what was the snort rule that was she goes and generated that given you can see what actions were taking you have links to all the documentation from here you can set certain threshold in options as well as if you wanted to go take people into the package you have that capability so that is what a fire power management center brings in you from a perspective of configuration eventing analytics we have a lot of stuff and tools built in or videos we have some lookup tool for geolocation who else who is an email also added URL to it we have some great to share buildings for your backup 
restore import/export scheduling as well as some debugging tools are building to health monitoring screen you'll see for packet tracer and packet capture you can even run some shoulder with the volume command from within firepower management Center so we have great options for you to go ahead and play around with with our Java management center and hope that destroys devices what you're looking for
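The retrospection flow the presenter describes (a file's SHA-256 stays in the query list, a later cloud verdict re-tags every past transfer, and every host on the trajectory gets an indication of compromise) as an added Python model; this is example code written for this page, not Cisco's FMC or AMP code, and the SHA-256 value, the IP addresses and the cloud answers are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample SHA-256 (not a real file hash).
SAMPLE_SHA = "deadbeef" * 8


@dataclass
class FileEvent:
    ts: datetime
    sender: str
    receiver: str
    sha256: str
    file_name: str
    disposition: str  # "clean", "unknown" or "malware" when the transfer was seen


@dataclass
class RetrospectiveEvent:
    sha256: str
    old: str
    new: str
    hosts: list  # every host that sent or received the file


class FileTracker:
    """Keeps all file events plus the last disposition per SHA-256 (the
    'query list'), so a later cloud verdict can be applied retroactively."""

    def __init__(self):
        self.events = []
        self.dispositions = {}  # sha256 -> last disposition returned
        self.host_iocs = {}     # host -> set of sha256 flagged as IoC

    def record(self, ev):
        self.events.append(ev)
        self.dispositions.setdefault(ev.sha256, ev.disposition)

    def trajectory(self, sha256):
        """Hops of one SHA in time order; the first sender is patient zero."""
        hops = sorted((e for e in self.events if e.sha256 == sha256), key=lambda e: e.ts)
        return [(e.sender, e.receiver) for e in hops]

    def hosts_seen(self, sha256):
        return sorted({h for e in self.events if e.sha256 == sha256 for h in (e.sender, e.receiver)})

    def refresh_from_cloud(self, cloud):
        """Re-query every tracked SHA. A changed verdict re-tags all past events
        and, for malware, marks each host that saw the file with an IoC."""
        retro = []
        for sha, old in list(self.dispositions.items()):
            new = cloud.get(sha, "unknown")
            if new == old:
                continue
            self.dispositions[sha] = new
            for e in self.events:
                if e.sha256 == sha:
                    e.disposition = new
            hosts = self.hosts_seen(sha)
            if new == "malware":
                for h in hosts:
                    self.host_iocs.setdefault(h, set()).add(sha)
            retro.append(RetrospectiveEvent(sha, old, new, hosts))
        return retro


def run_demo():
    """Constructed scenario: clean verdicts on day 1 and 2, malware on day 3."""
    t = FileTracker()
    t.record(FileEvent(datetime(2017, 6, 1), "10.1.1.5", "10.1.1.20", SAMPLE_SHA, "invoice.exe", "clean"))
    t.record(FileEvent(datetime(2017, 6, 2), "10.1.1.20", "10.1.1.30", SAMPLE_SHA, "invoice.exe", "clean"))
    retro = t.refresh_from_cloud({SAMPLE_SHA: "malware"})  # simulated AMP cloud answer
    return t, retro
```

After `run_demo()` all three hosts carry the IoC and both transfers read as malware, which is the state the red circles on the trajectory view represent.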
Info
Channel: Managing Cisco Advanced Security
Views: 31,511
Keywords: firepower management center, fmc, firepower
Id: nFlwYDLMUdE
Length: 61min 1sec (3661 seconds)
Published: Thu Jun 08 2017