Block Proxy and VPN with Cortex XDR and Cortex XSOAR

L1 Bithead

In my new video, which you can watch below, we walk through the challenge of students circumventing content filtering with evasive proxy or VPN apps. Hit that play button to watch the video, or read on for an overview of what it covers.


An Additional Enforcement Layer at Endpoints

While the firewall can detect and block many of these apps, doing so reliably often requires customers to implement SSL decryption and other complex configuration, because evasive apps deliberately disguise their traffic to look like ordinary encrypted web browsing. Cortex XDR gives us an additional layer of enforcement at the endpoint, where the process can be stopped before any traffic leaves the host, and Cortex XSOAR lets us tie in the Next-Generation Firewall (NGFW) to enforce further restrictions at the network level and perform additional automations, such as emailing the offending student, an IT group, or anyone else who needs to know.

 

The workflow goes roughly as follows:

 

  1. Student tries to run an evasive proxy app (Psiphon, in the example in my video)
  2. The application is blocked by Cortex XDR on the endpoint
  3. This raises an incident in Cortex XDR, which in turn creates an incident in Cortex XSOAR
  4. Cortex XSOAR pulls in all of the alert details, adds the offending endpoint's IP address to a Dynamic Address Group on the firewall (the group is populated by tag, so any security policy that references it takes effect without a commit), and emails the user a warning
  5. Both the XSOAR and XDR incidents are then closed automatically, leaving nothing to address manually
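To make step 4 concrete, here is the firewall-tagging piece of the workflow as a stand-alone Python script. This is an added example, not the playbook from the video or any Cortex XSOAR or PAN-OS product code: it takes an alert record (a constructed sample that only loosely mirrors XDR alert fields), checks that the endpoint address is an internal one worth tagging, and builds the PAN-OS User-ID XML message that registers that IP with a tag. A Dynamic Address Group on the NGFW whose match criterion is that tag then picks the host up without a commit. The tag name, the timeout, the firewall hostname and the API key are all assumptions; the XML message format and the `type=user-id` API call are the standard PAN-OS ones.

```python
"""Added example: tag a blocked-proxy endpoint on a PAN-OS firewall.

Not the author's playbook and not Cortex product code. Demonstrates the
User-ID XML API message that feeds a tag-based Dynamic Address Group.
"""
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Hypothetical tag; the DAG on the firewall would match on it.
TAG = "blocked-proxy-vpn"
# Tag registration expires on its own, so a one-off violation does not
# leave the host restricted forever (timeout attribute needs PAN-OS 9.0+).
TIMEOUT_SECONDS = 3600

# Constructed sample alert. Field names are illustrative, not an exact
# copy of the Cortex XDR alert schema.
SAMPLE_ALERT = {
    "alert_id": "12345",
    "category": "Blocked Application",
    "action": "BLOCKED",
    "host_ip": "10.20.30.40",
    "user_name": "student01",
    "process_image_name": "psiphon3.exe",
}


def endpoint_ip(alert):
    """Return the endpoint IP to tag, refusing anything that is not RFC 1918.

    The firewall only ever sees the student's internal address, so a public
    address here means the alert fields are not what we expect; fail closed.
    """
    ip = ipaddress.ip_address(alert["host_ip"])
    if not ip.is_private:
        raise ValueError(f"refusing to tag non-private address {ip}")
    return str(ip)


def _uid_message(action, ip, tag, timeout=None):
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    block = ET.SubElement(payload, action)
    # persistent="0": the registration does not survive a firewall reboot.
    entry = ET.SubElement(block, "entry", ip=ip, persistent="0")
    tags = ET.SubElement(entry, "tag")
    member = ET.SubElement(tags, "member")
    if timeout is not None:
        member.set("timeout", str(timeout))
    member.text = tag
    return ET.tostring(root, encoding="unicode")


def build_register_message(ip, tag=TAG, timeout=TIMEOUT_SECONDS):
    """XML that adds `tag` to `ip`; the DAG matching the tag gains the host."""
    return _uid_message("register", ip, tag, timeout)


def build_unregister_message(ip, tag=TAG):
    """XML that removes the tag early, e.g. after the student acknowledges."""
    return _uid_message("unregister", ip, tag)


def api_request(firewall_host, api_key, cmd_xml):
    """POST a User-ID message to the PAN-OS XML API (not exercised offline).

    firewall_host and api_key are assumptions for the caller's environment.
    Sending the key in the POST body rather than the query string keeps it
    out of proxy and web-server access logs.
    """
    body = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": cmd_xml}
    ).encode()
    with urllib.request.urlopen(f"https://{firewall_host}/api/", body) as resp:
        return resp.read().decode()


def tag_blocked_endpoint(alert, firewall_host, api_key):
    """The step-4 action: validate the alert, then register the tag."""
    return api_request(firewall_host, api_key,
                       build_register_message(endpoint_ip(alert)))


if __name__ == "__main__":
    # Offline demo: show the exact XML the firewall would receive.
    print(build_register_message(endpoint_ip(SAMPLE_ALERT)))
```

The unregister message is the mirror image of the register one; a playbook that wants to lift the restriction after a fixed period or on a second alert only needs to swap `register` for `unregister`. In production the firewall's certificate should be verified (the default `urlopen` does so) and the API key stored in XSOAR's integration credentials rather than in the script.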

 

The Use Case is Simple, But...

While this is a very specific, introductory use case, I've tried to explain throughout the video that it can be altered and extended in many different ways. The same basic framework could apply to other types of applications, or to other sorts of alerts coming from XDR.

 

Another thing I didn't mention in my video is that the playbook I'm using in Cortex XSOAR is just a modified version of an out-of-the-box Cortex XDR playbook, so I didn't have to build it from scratch. I made a few changes to add my specific workflow towards the end of the built-in incident handling playbook.

 

Learn More and Share Your Thoughts

Hopefully this blog helps paint the picture of what this video is, why I created it, and how it could be extended to support other, broader use cases.

 

Make sure you visit the LIVEcommunity technology pages for Cortex XDR and Cortex XSOAR. There you'll find more videos and blogs, as well as articles and discussions all about Cortex.

 

Please let me know in the comments below if there's anything else you’d like to see a video about, or how we can help you in your use case.
