Building an Analytics Enabled SOC

  1. Copyright © 2016 Splunk Inc. Building the Analytics Driven SOC. Girish Bhat
  2. Safe Harbor Statement. During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
  3. # whoami > Dave Herrald, dherrald@splunk.com | @daveherrald. Senior Security Architect, Splunk Security Practice. 20+ years in IT and security: information security officer, security architect, pen tester, consultant, SE, system/network engineer. GIAC GSE #79, former SANS Mentor.
  4. Agenda: (1) A look at traditional security operations; (2) Best practices and emerging trends; (3) The security ops technology stack; (4) Splunk and the Analytics Driven SOC.
  5. Splunk – Leader in Security. Company (NASDAQ: SPLK): founded 2004, first software release in 2006; HQ San Francisco, regional HQ London and Hong Kong; over 2,000 employees based in 12 countries. Business model / products: free download to massive scale; Splunk Enterprise, Splunk Cloud, Splunk Light; Splunk Enterprise Security, User Behavior Analytics. 12,000+ customers: customers in 100 countries; 80+ of the Fortune 100; largest license over 1 petabyte per day.
  6. Splunk: The Platform for Machine Data. Developer platform; report and analyze; custom dashboards; monitor and alert; ad hoc search. Data sources: online services, web proxy, data loss prevention, storage, desktops, packaged applications, custom applications, databases, call detail records, smartphones and devices, firewall, authentication, file servers, endpoint, threat intelligence, asset & CMDB, employee / HR info, data stores, applications, external lookups, badging records, email servers, VPN.
  8. Source: EY Global Information Security Survey 2015.
  9. How-to guides…
  10. Traditional Security Operations
  11. Traditional Security Program: The Big Picture
  12. Traditional Security Program: The Big Picture. It’s complicated…
  13. Traditional Security Critical Path: Risk & Compliance, Security Architecture, Security Engineering, Security Operations (includes SOC). Security Operations: part of the bigger picture…
  14. Traditional SOC: “Alert triage”, “Alert pipeline”.
  15. What is a SOC? A place? A person or a team? A set of practices? A set of tools?
  16. Security Operations: the organizational capability to detect and respond to threats.
  17. A SOC by any other name… The organizational capability to detect and respond to threats: VSOC, Cyber Defense Center, Cyber Fusion Center, Cybersecurity Operation Center, Multifunction NOC/SOC, Command SOC, Crew SOC? https://www.gartner.com/doc/3479617
  18. Three Interrelated Components of Security: People, Process, Technology.
  19. Bottom line: technology exists to serve people and processes.
  20. Challenges with the traditional SOC (1): Efficacy
  21. Challenges with the traditional SOC (2): Staffing
  22. Challenges with the traditional SOC (3): Remember this? Risk & Compliance, Security Architecture, Security Engineering, Security Operations (includes SOC)
  23. Challenges with the traditional SOC (3): Silo-ization
  24. Challenges with the traditional SOC (4): Cost …and opportunity cost
  25. Trends in Security Operations
  26. New Capabilities in the SOC (“SOC++”): alert management; incident response (IR / CSIRT); toolchain engineering; threat intelligence (consumption and creation); threat hunting; vulnerability management; red team.
  27. What About Managed Security Services? SOC++: alert management; incident response (IR / CSIRT); toolchain engineering; threat intelligence (consumption and creation); threat hunting; vulnerability management; red team.
  28. Automation in the SOC: Response – maybe. Context gathering – definitely. Automate “Tier 1”. Places a high premium on toolchain integration.
  29. Processes in the SOC: https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
  30. Maturing Use of Threat Intelligence: threat list + raw network data (DNS, web proxy, email, endpoint, …) = the “Threat list wind tunnel”.
  31. Effective Threat Intelligence Consumption: alerts + threat intel = insight; hunting; new detection mechanism.
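The “threat list wind tunnel” of slides 30 and 31, as an added worked example (not from the deck and not Splunk code): raw DNS resolver and web proxy records in two different native formats are pushed through a small indicator list, and only the matches come out the other side, grouped per internal host so the analyst sees one prioritised line per machine rather than one alert per feed hit. Everything below is constructed for the example: the indicators, feed names, confidence scores and log lines are made up, and the matching rules (exact IP, CIDR membership, domain or any subdomain of it) are this example's assumptions about how a list would be applied, not something the slides specify.

```python
"""Threat-list "wind tunnel": run raw network data through an indicator list
and keep what comes out. Added example; every value below is constructed."""
import ipaddress
import re
from collections import defaultdict

# Constructed threat list: indicator -> (indicator type, feed it came from, confidence 0-100)
THREAT_LIST = {
    "bad-updates.example": ("domain", "community-feed", 70),
    "198.51.100.23": ("ip", "isac-feed", 90),
    "203.0.113.0/24": ("cidr", "commercial-feed", 60),
}

# Constructed raw data: a resolver log (key=value) and a proxy log (space separated)
DNS_LOG = """\
2016-10-03T09:14:02Z client=10.1.4.22 query=www.example.org type=A rcode=NOERROR
2016-10-03T09:14:05Z client=10.1.4.22 query=cdn.bad-updates.example type=A rcode=NOERROR
2016-10-03T09:15:11Z client=10.1.7.9 query=mail.example.org type=MX rcode=NOERROR
"""
PROXY_LOG = """\
2016-10-03T09:14:06Z 10.1.4.22 GET http://cdn.bad-updates.example/a.bin 200 203.0.113.17
2016-10-03T09:16:40Z 10.1.7.9 GET http://www.example.org/index.html 200 192.0.2.10
2016-10-03T09:17:02Z 10.1.9.3 POST http://198.51.100.23/upload 403 198.51.100.23
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) client=(?P<src>\S+) query=(?P<q>\S+) type=\S+ rcode=\S+$")


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_dns(text):
    """Each DNS event yields one observable: the queried domain."""
    events = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "source": "dns", "src": m["src"],
                           "observables": {("domain", m["q"].lower())}})
    return events


def parse_proxy(text):
    """Each proxy event yields the destination IP and the URL host (domain or IP literal)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip lines that do not fit the constructed format
        ts, src, _method, url, _status, dest_ip = parts
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()
        observables = {("ip", dest_ip), ("ip", host) if _is_ip(host) else ("domain", host)}
        events.append({"ts": ts, "source": "proxy", "src": src, "observables": observables})
    return events


def _matches(kind, value, ind_type, indicator):
    if ind_type == "domain" and kind == "domain":
        return value == indicator or value.endswith("." + indicator)  # domain or subdomain
    if ind_type == "ip" and kind == "ip":
        return value == indicator
    if ind_type == "cidr" and kind == "ip":
        return ipaddress.ip_address(value) in ipaddress.ip_network(indicator)
    return False


def wind_tunnel(events, threat_list=THREAT_LIST):
    """Return one hit per (event, indicator); an indicator matching two observables
    of the same event (e.g. URL host and destination IP) is reported once."""
    hits = []
    for ev in events:
        seen = set()
        for indicator, (ind_type, feed, confidence) in threat_list.items():
            for kind, value in ev["observables"]:
                if indicator not in seen and _matches(kind, value, ind_type, indicator):
                    seen.add(indicator)
                    hits.append({"ts": ev["ts"], "source": ev["source"], "src": ev["src"],
                                 "observed": value, "indicator": indicator,
                                 "feed": feed, "confidence": confidence})
    return hits


def by_internal_host(hits):
    """Collapse hits to one summary per internal host: which indicators, which data
    sources corroborate, and the highest feed confidence seen."""
    summary = defaultdict(lambda: {"indicators": set(), "sources": set(), "max_confidence": 0})
    for h in hits:
        s = summary[h["src"]]
        s["indicators"].add(h["indicator"])
        s["sources"].add(h["source"])
        s["max_confidence"] = max(s["max_confidence"], h["confidence"])
    return dict(summary)


if __name__ == "__main__":
    hits = wind_tunnel(parse_dns(DNS_LOG) + parse_proxy(PROXY_LOG))
    for h in hits:
        print(f"{h['ts']} {h['source']:5} {h['src']} -> {h['observed']} "
              f"matched {h['indicator']} ({h['feed']}, confidence {h['confidence']})")
    for host, s in by_internal_host(hits).items():
        print(host, sorted(s["indicators"]), sorted(s["sources"]), s["max_confidence"])
```

Run it as a script and the output shows why the per-host summary matters: 10.1.4.22 is corroborated by two independent data sources (DNS and proxy) against two indicators, which is a much stronger signal than any single feed hit. In a SIEM the same matching is expressed as a lookup or join against the indicator table rather than a nested loop, but the logic the analyst has to trust is the one shown here.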
  32. Network (Meta)data
  33. Network (Meta)data. NetFlow (or variant): succinct 5-tuple + traffic size; easy™ to analyze; good context for the buck; no payload. PCAP: voluminous; ground truth; lots of storage / overhead; ultimate context; full payload. Stream / Bro: succinct 5-tuple + traffic size; easily searchable!; tune-able; adaptive fidelity; customizable; payload elements.
  34. Threat Hunting (Active Defense): “…effort by analysts who purposely set out to identify and counteract adversaries that may already be in the environment.” https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
  35. How are SOC Teams Hunting? Start with a hypothesis that considers: assets (often crown jewels), threats, vulnerabilities, countermeasures. Requires lots of data. A flexible platform to ask/answer questions. Data science / ML / analytics. https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
  36. How are SOC Teams Hunting? Most important, hunters are innovative analysts who understand their threat landscape and their organization well enough to ask the right questions and find the answers. https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
  37. Data Science, ML, and Analytics
  38. The Security Operations Toolchain
  39. Log Data Platform: single source of truth; retention and integrity; any data source; easy correlation; automation / integration; performant and scalable; full fidelity; normalized? Hunting; forensic investigation; alerting; dashboards; visualization; analytics (ML?).
  40. Data Normalization is Mandatory for your SOC. “The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et al., Cisco CSIRT. Your fields don’t match? Good luck creating investigative queries.
  41. Asset Inventory and Identity Data. Often multiple sources of record – that’s OK: CMDB, vuln scans, passive detection, DHCP, NAC; Active Directory, LDAP, IAM. Network diagrams. Categorization: PCI, ICS, Administrative, Default. Comprehensive yet lightweight and easy to maintain. Must be easy to correlate to log data.
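Slides 40 and 41 make two claims that are easiest to see in code: without a standard field set you cannot write one investigative query across sources, and an asset inventory is only useful if it joins to log data cheaply. The added example below (mine, not the deck's and not Splunk's) normalizes three constructed log formats (a firewall key=value line, a Windows logon event, a proxy line) into one schema, enriches each event from an inventory merged from two constructed sources of record (CMDB and DHCP, as slide 41 allows), and then answers a single question across all three sources: which hosts have failed actions against PCI-categorised assets? The field names of the normalized schema, the outcome vocabulary (success/failure), the asset categories and every IP, host and user are assumptions made for this example.

```python
"""Log normalization plus asset correlation. Added example; all data is constructed."""
import re
from collections import defaultdict

KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed raw logs, each in its own native format with its own field names
FIREWALL_LOG = """\
2016-10-03T10:02:11Z action=deny srcip=10.1.4.22 dstip=10.9.0.5 dstport=1433 proto=tcp
2016-10-03T10:02:13Z action=allow srcip=10.1.7.9 dstip=10.9.0.7 dstport=443 proto=tcp
"""
WINDOWS_AUTH_LOG = """\
2016-10-03T10:03:40Z EventCode=4625 Account_Name=svc_backup Source_Network_Address=10.1.4.22 Computer=PCI-DB01
2016-10-03T10:03:42Z EventCode=4624 Account_Name=jdoe Source_Network_Address=10.1.7.9 Computer=FS02
"""
PROXY_LOG = """\
2016-10-03T10:04:01Z 10.1.4.22 jdoe GET http://www.example.org/ 200 192.0.2.10
"""

# Constructed asset inventory merged from two sources of record; 'source' records which one
ASSETS = [
    {"ip": "10.9.0.5", "host": "PCI-DB01", "category": "pci", "source": "cmdb"},
    {"ip": "10.9.0.7", "host": "FS02", "category": "default", "source": "cmdb"},
    {"ip": "10.1.4.22", "host": "WS-FINANCE-07", "category": "default", "source": "dhcp"},
    {"ip": "10.1.7.9", "host": "WS-ENG-12", "category": "default", "source": "dhcp"},
]


def lookup_asset(ip=None, host=None):
    """Join key is whatever the log gives us: an IP for network logs, a hostname for Windows."""
    for asset in ASSETS:
        if (ip and asset["ip"] == ip) or (host and asset["host"].lower() == host.lower()):
            return asset
    return None


# Each normalizer maps a native line onto the same schema:
# time, sourcetype, src_ip, dest_ip, dest_host, user, outcome (success|failure)
def normalize_firewall(line):
    ts, rest = line.split(" ", 1)
    kv = dict(KV_RE.findall(rest))
    return {"time": ts, "sourcetype": "firewall", "src_ip": kv.get("srcip"),
            "dest_ip": kv.get("dstip"), "dest_host": None, "user": None,
            "outcome": "failure" if kv.get("action") == "deny" else "success"}


def normalize_windows(line):
    ts, rest = line.split(" ", 1)
    kv = dict(KV_RE.findall(rest))
    return {"time": ts, "sourcetype": "windows_auth", "src_ip": kv.get("Source_Network_Address"),
            "dest_ip": None, "dest_host": kv.get("Computer"), "user": kv.get("Account_Name"),
            "outcome": "failure" if kv.get("EventCode") == "4625" else "success"}


def normalize_proxy(line):
    ts, src, user, _method, url, status, dest_ip = line.split()
    host = url.split("://", 1)[-1].split("/", 1)[0]
    return {"time": ts, "sourcetype": "proxy", "src_ip": src, "dest_ip": dest_ip,
            "dest_host": host, "user": user,
            "outcome": "failure" if int(status) >= 400 else "success"}


def enrich(event):
    """Attach inventory context; unknown destinations are labelled, not dropped."""
    src = lookup_asset(ip=event["src_ip"])
    dest = lookup_asset(ip=event["dest_ip"], host=event["dest_host"])
    event["src_asset"] = src["host"] if src else None
    event["dest_asset"] = dest["host"] if dest else None
    event["dest_category"] = dest["category"] if dest else "unknown"
    return event


def load_all():
    events = [normalize_firewall(ln) for ln in FIREWALL_LOG.splitlines()]
    events += [normalize_windows(ln) for ln in WINDOWS_AUTH_LOG.splitlines()]
    events += [normalize_proxy(ln) for ln in PROXY_LOG.splitlines()]
    return [enrich(e) for e in events]


def failures_against_category(events, category):
    """The one query normalization buys you: failed actions against assets in
    `category`, by source host, regardless of which sourcetype recorded them."""
    out = defaultdict(lambda: {"count": 0, "sourcetypes": set()})
    for e in events:
        if e["outcome"] == "failure" and e["dest_category"] == category:
            out[e["src_ip"]]["count"] += 1
            out[e["src_ip"]]["sourcetypes"].add(e["sourcetype"])
    return dict(out)


if __name__ == "__main__":
    events = load_all()
    for e in events:
        print(e["time"], e["sourcetype"], e["src_ip"], "->", e["dest_asset"] or e["dest_ip"] or e["dest_host"], e["dest_category"], e["outcome"])
    print(failures_against_category(events, "pci"))
```

Note what the query does not have to know: that the firewall calls the source `srcip`, Windows calls it `Source_Network_Address`, and the proxy has it in the second column. That is the point of slide 40, and the inventory join in `enrich` is the point of slide 41: the category on the asset, not on the log, is what lets "failed actions against PCI systems" be asked once.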
  42. Case and Investigation Management: ticketing system; workflow; supports prioritization; supports collaborative investigation; provides metrics; supports automation; auditable.
  43. Common SOC Data Sources: firewall; network metadata; authentication; server (Windows / Linux); endpoint (EDR, AV, HD/RAM images); IDS / IPS; VPN; application; threat intel; vulnerability; assets and identities.
  44. Splunk as the Security Operations Nerve Center
  45. Splunk as the Security Operations Nerve Center
  46. 1. Adopt an Adaptive Security Architecture. To prevent, detect, respond and predict you need: correlation across all security relevant data; insights from existing security architectures; advanced analytics techniques such as machine learning. Platform for Operational Intelligence; 4000+ apps and add-ons; Splunk security solutions.
  47. 2. Threat Intelligence – Splunk Threat Intel Framework. Automatically collect, aggregate and de-duplicate threat feeds from a broad set of sources (law enforcement feeds, ISAC feeds, agency feeds, commercial services, community feeds, open-source feeds, other enrichment services). Support for STIX/TAXII, OpenIOC, Facebook and more. Build your own data to create your own threat intel. Out-of-the-box Activity and Artifact dashboards. Prioritize, contextualize and analyze threats and remediate: monitor and triage alerts; determine impact on network and assets; use for analysis / IR; collect / provide forensics; use to hunt / uncover / link events; share info with partners.
  48. 3. Use Advanced Analytics – Native ML and UBA. Simplify detection and focus on real alerts. Accelerate anomaly and threat detection – minimize attacks and insider threat. Use the Machine Learning Toolkit: solutions to suit your workflow. Premium machine learning solution, User Behavior Analytics: flexible workflows for SOC manager, SOC analyst and hunter/investigator within the SIEM.
  49. 4. Proactively Hunt and Investigate – Considerations: organizational maturity; domain and product experience; tools: network, endpoint, threat intel, access; security relevant data, historical and raw data; flexibility and ad hoc.
  50. 5. Automate whenever feasible (Splunk Adaptive Response). Use rules and machine learning to automate routine aspects of detection and investigation. Extract insights from the existing security stack by use of a common interface. Take actions with confidence for faster decisions and response. Automate any process along the continuous monitoring, response & analytics cycle. Diagram elements: app servers, network, threat intelligence, firewall, internal network security, endpoints.
  51. What is Splunk Enterprise Security? A collection of frameworks: Asset and Identity, Correlation, Notable Event, Threat Intelligence, Risk Analysis, Adaptive Response.
  52. Splunk Security Partners: https://www.splunk.com/partners/
  53. Customer Success
  54. Building an Intelligence Driven SOC. Challenges: existing SIEM not adequate, struggled to bring in appropriate data; unable to perform advanced investigations, severe scale/performance issues; looking to build a new SOC with a modern solution. Customer solution: centralized logging of all required machine data at scale with full visibility; retain all relevant data from 10+ data sources, used by 25+ SOC/CSIRT users; tailored advanced correlation searches & IR workflow; faster and deeper incident investigations; greater SOC efficiencies, with all SOC/CSIRT working off the same UI/data; executive dashboards to measure and manage risk.
  55. Citywide SOC for situational awareness. Challenges: slow responses to security incidents; inadequate situational awareness of security events; limited threat intelligence; disparate logs from over 40 departments were difficult to aggregate. Customer solution, Splunk Cloud with Enterprise Security: real-time, citywide, 24/7 network surveillance; stronger protection of digital assets and infrastructure; shared threat intelligence with federal agencies; reduced headcount and lower operational costs.
  56. Build an insourced SOC in months. Challenges: wide range of security requirements (internal audits: financial, PCI; protect internal info and assets; cloud firewall, DDoS); cultural and organizational (security not a priority, outsourced SecOps; information hoarding and data silos). Customer solution, Splunk Enterprise Security: changed culture to a security-first mindset with controls; detect, prevent and respond to attacks in own environment, with 24/7 security analysis of customers; rapid detection and deep investigation; detect web app attacks, discover compromised cards.
  57. Maturing SOC. Challenges: legacy SIEM: unstable, inflexible, clunky; limited skilled resources; high false negatives and false positives. Customer solution, Splunk Cloud with Enterprise Security: developed processes (rule set, naming); SOC process (playbook, training, automated documentation); enabled the SOC to identify patterns of behavior in a single event rather than be bombarded by thousands of low-value incidents.
  58. Wrapping up
  59. Get started in minutes – splunk.com: (1) Free Cloud Trial; (2) Free Software Download; (3) Free Enterprise Security Sandbox.
  60. The 8th Annual Splunk Worldwide Users’ Conference, Sept 25-28, 2017, Walter E. Washington Convention Center, Washington, D.C. (CONF.SPLUNK.COM): 5,000+ IT and business professionals; 175+ sessions; 80+ customer speakers. PLUS Splunk University: three days, Sept 23-25, 2017; get Splunk Certified for FREE; get CPE credits for CISSP, CAP, SSCP.
  62. Can I play BOTS? Yes! RSA Conference 2017; Splunk .conf 2017; online / continuous? Stay tuned. New scenarios and data sets.
  63. Resources Cited:
      How to Plan, Design, Operate and Evolve a SOC: https://www.gartner.com/doc/3479617
      Crafting the InfoSec Playbook: https://www.amazon.com/Crafting-InfoSec-Playbook-Security-Monitoring/dp/1491949406
      Splunk SOC Advisory Services: https://www.splunk.com/pdfs/professional-services/soc-advisory-services.pdf
      Ten Strategies of a World-Class Cybersecurity Operations Center: https://www.mitre.org/sites/default/files/publications/pr-13-1028-mitre-10-strategies-cyber-ops-center.pdf
      Maturing Workday’s SOC with Splunk: https://conf.splunk.com/files/2016/slides/maturing-workdays-soc-with-splunk.pdf
      The Five Characteristics of an Intelligence Driven Security Operations Center: https://www.gartner.com/doc/3160820/characteristics-intelligencedriven-security-operations-center
      The Who, What, Where, When, Why and How of Effective Threat Hunting: https://www.sans.org/reading-room/whitepapers/analyst/who-what-where-when-effective-threat-hunting-36785
      Exploring the Frameworks of Splunk Enterprise Security: https://conf.splunk.com/files/2016/slides/exploring-the-frameworks-of-splunk-enterprise-security.pdf
  64. Thank you! dherrald@splunk.com | @daveherrald