This document provides an overview of a presentation on security monitoring and analytics using Splunk. The presentation covers using Splunk Enterprise for security operations like alert management and incident response. It also covers using Splunk User Behavior Analytics to detect anomalies and threats using machine learning. The presentation highlights new features in Splunk Enterprise Security 4.1 like prioritizing investigations and expanded threat intelligence, and new features in Splunk UBA 2.2 like enhanced security analytics and custom threat modeling. It demonstrates integrating UBA results into the Splunk Enterprise Security workflow for faster investigation of advanced threats.

1. Copyright © 2015 Splunk Inc.
Splunk: All Things Security
splunklive San Diego 2016
Mark Bonsack, Staff SE
Matt Poland, Senior SE

2. 2
Agenda
Security: Starts with Splunk Enterprise
Enterprise Security 4.1/UBA 2.2
RSA 2016 Review

3. Security: Starts with Splunk
Enterprise

4. 4
Story 1 - Web
The VP of Pouet Inc calls you to complain about
issues on the website and asks you to
investigate what’s going on.
Data used in examples is actual Defcon data!
4

5. 5
Web vulnerability data has a wealth of clues
index=web_vuln
5

6. 6
Cross Site Scripting (XSS) attacks
Cross Site Scripting (XSS) attacks are a type of injection, in which
malicious scripts are injected into otherwise benign and trusted web
sites.
Example:
http://vulnerable-site.com/non_existing_page => “Not Found: /non_existing_page”
http://vulnerable-site.com/<script>alert(‘Whoops’);</script> => “Not Found: /”
But the pop-up ‘Whoops’ appears on user’s screen, the JavaScript code is not escaped by the
server so the code is executed.
6

7. 7
Find a XSS
index=web_vuln script OR alert OR cookie
7

8. 8
SQL Injection
A SQL injection attack consists of insertion of a SQL query via the input data from the
client to the application. A successful SQL injection exploit can read sensitive data from
the database, modify database data (Insert/Update/Delete), execute administration
operations, etc...
Example:
http://vuln-site.com/login.php?user=admin’ OR 1=1;--&pass=camembert
 SELECT * FROM users WHERE user=‘admin’ OR 1=1;-- AND password=‘camembert’;
 SELECT * FROM users WHERE user=‘admin’ OR 1=1;
 Successful login as ‘admin’ without knowing the password.
 The ‘OR 1=1’ is optional here for the success of the attack.
8

9. 9
Find a successful SQLi
index=web_vuln SELECT AND FROM OR WHERE OR “OR” OR “AND” status < 400
| stats count by clientip status
| sort – count
Tip: To decode URI’s you can use | eval u = urldecode(field)
9

10. 10
Web Shell
Web Shells are installed by the attackers after compromising legitimate Web applications
on a server, using techniques such as SQL injection, Remote File Inclusion, unvalidated file
upload, valid user's stolen credentials, etc.
A Web shell is an executable code running on a server that gives attackers remote access
to a variety of critical functions. It can be seen as a Remote Access Tool (RAT) or a
backdoor. It can be a full featured product with a WebUI or a single script of few lines of
code.
Popular webshells: c99, b374k, c100, r57, 12309, ….
Example of request: POST /c99.php?cmd=uname%20-ra
10

11. 11
Are we hosting a Web Shell?
NO !
(see next slide)
11

12. 12
Are we hosting a Web Shell?
Splunk Search:
index=web_vuln c99 OR b374k OR c100 OR r57 OR 12309
We can see a request for the R57 webshell from
177.105.146.205
R57.txt exactly
Don’t be confused with the “.txt”, it’s a lure this file is a PHP
script.
Nothing to worry much about, status code is 404/Not Found.
12

13. 13
Directory traversal
Directory Traversal is a type of HTTP exploit that is used by attackers to gain
unauthorized access to restricted directories and files. It can be used to un OS level
commands or access sensitive files.
Example (Linux)
GET ../../../../../../../../../etc/passwd HTTP/1.0rn
Example (Windows)
http://server.com/scripts/..%5c../Windows/System32/cmd.exe?/c+dir+c:
%5c =
13

14. 14
How many IPs successfully exploited
a Directory Traversal vulnerability?
8 clientip
(see next slide)
14

15. 15
Directory Traversal
index=web_vuln status<400 uri="*..*"
| stats dc(uri) as n_pages count(_raw) as
n_attempts by clientip
| sort - n_attempts
15

16. 16
Are we the target of Bruteforce? Which page(s)?
YES !
Admin page: /administrator/index.php
(see next slide)
16

17. 17
Bruteforce
Many requests on few pages from the same source = suspicious.
index=web_vuln
| stats dc(uri) as req_pages_per_client count(_raw) as
n_requests by clientip
| sort req_pages_per_client - n_requests
This also identifies recurring requests to access to /logs/access*.log.
TOP Bruteforcers are: 108.171.217.244 & 37.9.53.57
17

18. 18
Story 2 – HTTP/DNS
You are part of the DEFCON organization and
you are monitoring the network with Bro IDS.
Hackers are everywhere…
18

19. 19
Is there any Data Exfiltration? To where?
Yes! Look at Bro IDS data
These were the real culprits:
chickenkiller.com
mooo.com
19

20. 20
index=bro sourcetype=bro_dns
| `ut_parse(query)`
| search ut_domain!="None"
| `ut_shannon(ut_subdomain)`
| eval subdomain_length = length(ut_subdomain)
| stats count(ut_subdomain) as count avg(ut_shannon) as avg_sha stdev(ut_shannon) as stdev_sha
avg(subdomain_length) as avg_sublen stdev(subdomain_length) as stdev_sublen by ut_domain
| eval avg_sha = round(avg_sha, 1)
| eval avg_sublen = round(avg_sublen, 1)
| eval stdev_sha = round(stdev_sha, 2)
| eval stdev_sublen = round(stdev_sublen, 1)
| where avg_sha > 2 AND avg_sublen > 15 | sort - count avg_sha avg_sublen stdev_sha stdev_sublen
20
Count, Subdomain Length, Entropy = Good indicators to start digging

21. 21
Count, Subdomain length, Entropy = Good indicators to start digging
21

22. 22
Could you find any domain that looks like a DGA ?
(Domain Generation Algorithm)
t3l4fw-jjy5gcurq5e.com
(This is not the only one in the dataset)
cloudfront.net hosts are False Positives.
22

23. 23
DGA domains
index=bro sourcetype=bro_dns
| `ut_parse(query)`
| lookup cdn_lookup domain as ut_domain
| where isnull(cdn_provider)
| stats count by ut_domain
| `ut_shannon(ut_domain)`
| eval ut_shannon=round(ut_shannon,1)
| sort - ut_shannon count
23

24. Enterprise Security 4.1/UBA 2.2

25. Analytics-driven Security
Risk-Based Context and Intelligence
Connecting Data
and People
25

26. 26
Enterprise Security
Provides support for security operations/command centers
Functions: alert management, detects using correlation rules
(pre-built), incident response, security monitoring, breach
response, threat intelligence automation, statistical analysis,
reporting, auditing
Persona service: SOC Analyst, security teams, incident
responders, hunters, security managers
Detections: pre-built advanced threat detection using
statistical analysis, user activity tracking, attacks using
correlation searches
26

27. 27
User Behavior Analytics
Provides advanced threat detection using unsupervised machine
learning – complements SIEMs (if any)
Functions: baselines behavior from log data to detect anomalies and
threats
Persona service: SOC Analyst, hunters
Detections: threat detection (cyber attacker, insider threat) using
unsupervised machine learning and data science.
27

28. 28
What’s New ?
28
UBA Results Across
SIEM Workflow
Rapid Investigation of
Advanced Threats
Enhanced
Insider Threat &
Cyber Attack
Detection
ES 4.1 + UBA 2.2 ES 4.1 UBA 2.2

29. Integration of Splunk UBA with
Splunk ES

30. Splunk UBA and Splunk ES Integration
SIEM, Hadoop
Firewall, AD, DLP
AWS, VM,
Cloud, Mobile
End-point,
App, DB logs
Netflow, PCAP
Threat Feeds
DATA SOURCES
DATA SCIENCE DRIVEN
THREAT DETECTION
99.99% EVENT REDUCTION
UBA
MACHINE LEARNING IN
SIEM WORKFLOW
ANOMALY-BASED CORRELATION
101111101010010001000001
111011111011101111101010
010001000001111011111011

31. 31
Behavioral Analytics in SIEM Workflow
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
31
ES 4.1 and UBA 2.2

32. Splunk Enterprise Security 4.1

33. 33
Prioritize and Speed Investigations
Centralized incident review combining risk and
quick search
Use the new risk scores and quick searches to
determine the impact of an incident quickly
Use risk scores to generate actionable alerts to
respond on matters that require immediate
attention.
ES 4.1

34. 34
Expanded Threat Intelligence ES 4.1
Supports Facebook ThreatExchange
An additional threat intelligence
feed that provides following threat
indicators - domain names, IPs and
hashes
Use with ad hoc searches and
investigations
Extends Splunk’s Threat Intelligence Framework

35. Splunk UBA 2.2

36. 36
Detection : Enhanced Security Analytics
Visibility and
baseline metrics
around user,
device, application
and protocol
30+
new metrics
USER CENTRIC DEVICE CENTRIC
APPLICATION CENTRIC PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
UBA 2.2

37. 37
Create custom threats using 60+
anomalies.
Create custom threat scenarios on top of anomalies
detected by machine learning.
Helps with real-time threat detection and leverage to
detect threats on historical data.
Analysts can create many combinations and
permutations of threat detection scenarios along with
automated threat detection.
Detection : Custom Threat Modeling Framework UBA 2.2

38. 38
Summary
38
UBA Results Across
SIEM Workflow
Rapid Investigation of
Advanced Threats
Enhanced
Insider Threat &
Cyber Attack
Detection
ES 4.1 + UBA 2.2 ES 4.1 UBA 2.2

39. UBA and ES Demo

40. Copyright © 2015 Splunk Inc.
• September 26-29, 2016
• The Disney Swan and Dolphin, Orlando
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 3 days of Splunk University
• Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and
• Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room &
Clinic, and MORE!
.conf2016: The 7th Annual
Splunk Worldwide Users’ Conference

41. Thank You!