cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
712
Views
5
Helpful
7
Replies
Highlighted
Community Manager

Ask Me Anything- How to optimize your Cisco Security investments with Threat Response

This topic is a chance to clarify your questions about Cisco Threat Response, from its components and new features to the resources to get started. During the session, the Threat Response team will answer questions about how Cisco Threat Response can simplify complex threat investigations in order to improve incident response in these ways:
  • Coordination of activities among Firepower, Umbrella, AMP, Email Security, Threat Grid, and Talos in order to improve threat hunting efficiency
  • Reduced adversary dwell times through rapid responses from AMP and Umbrella from a unified response console, in as little as two clicks
  • Simplified access and module configuration

To participate in this event, please use the Join the Discussion : Cisco Ask the Expertbutton below to ask your questions

Ask questions from Tuesday 18th to Friday 21st of February, 2020

Featured Expert
BenG.pngBen Greenbaum is a Technical Marketing Engineer with over twenty years of experience in the Cyber Threat Intelligence field, primarily in the realm of product design and development. His security software career has included roles that span development, architecture, product design, and management of research and development teams. At Cisco, his role is largely to be a liaison between customers and engineering, and to help users get the most from the Cisco Security architecture.
Ben might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security category.

Do you know you  can get answers before opening a TAC case by visiting the Cisco Community.  
SlidesFAQ Video

**Helpful votes Encourage Participation! **
Please be sure to rate the Answers to Questions

7 REPLIES 7
Highlighted
Community Manager

Re: Ask Me Anything- How to optimize your Cisco Security investments with Threat Response

Hi Ben, Ira and Adi
Thanks for your great session, we learned a lot last Tuesday. Please help to clarify the remaining questions:


  • If you use the automated tools to apply changes is there a change log? Talking about the click/change is here any way to get a change report each day for example?
Highlighted
Cisco Employee

Re: Ask Me Anything- How to optimize your Cisco Security investments with Threat Response

If you use the automated tools to apply changes is there a change log? Talking about the click/change is here any way to get a change report each day for example?

No, this is currently not supported. If detailed journaling is needed, we recommend using the notes features in the casebook tool to track this kind of activity. If you just want to be able to see the list of all things that have been added to a blocklist, the lists themselves are still available in their usual places in each products' own interface. 

Highlighted
Community Manager

Re: Ask Me Anything- How to optimize your Cisco Security investments with Threat Response

  • You can see historic activity, but can you see real time activity for a specific issue? For instance, in one scenario you think you have put the resolution in place but management wants to know it has definitely worked
Highlighted
Cisco Employee

Re: Ask Me Anything- How to optimize your Cisco Security investments with Threat Response

 


@ciscomoderator wrote:
  • You can see historic activity, but can you see real time activity for a specific issue? For instance, in one scenario you think you have put the resolution in place but management wants to know it has definitely worked

Many sightings will report if the attempt was allowed or not. So for example if you are investigating a domain, and Umbrella returns a sighting on that domain, it may say in the "resolution" column that the connection was allowed. Then if you block that domain in Umbrella, you can pivot into Umbrella to see the blocklist and cofirm that the domain was added, and you can also test a conneciton to that domain and see that it was blocked, and in the Threat Response interface if you investigate the domain again, you will see a new sighting on the domain with a resolution of "blocked". see the example image below:

UMB_blocked.png

Highlighted
Community Manager

Re: Ask Me Anything- How to optimize your Cisco Security investments with Threat Response

Another challenge for you guys ‘building a zero downtime network’, I am aware certain devices can but patched/upgraded with zero downtime for example but they are high end devices, others have failover. What are the lower end options or alternatives eg. booting part of a switch stack at a time?

Highlighted
Cisco Employee

Re: Ask Me Anything- How to optimize your Cisco Security investments with Threat Response


@ciscomoderator wrote:

Another challenge for you guys ‘building a zero downtime network’, I am aware certain devices can but patched/upgraded with zero downtime for example but they are high end devices, others have failover. What are the lower end options or alternatives eg. booting part of a switch stack at a time?


Threat Response is a cloud-only service; you do not have to patch it. Problem solved :) 

Highlighted
Community Manager

Re: Ask Me Anything- How to optimize your Cisco Security investments with Threat Response

Thanks for helping to clarify these questions Ben