Splunk for Enterprise Security and User Behavior Analytics

Copyright © 2016 Splunk Inc.
Splunk Security Analytics,
SIEM & UBA Overview
SplunkLive Austin 2016
Muddu Sudhakar
VP & GM Security & IoT Splunk
Twitter: @smuddu
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding future
events or the expected performance of the company. We caution you that such statements reflect our
current expectations and estimates based on factors currently known to us and that actual events or
results could differ materially. For important factors that may cause actual results to differ from those
contained in our forward-looking statements, please review our filings with the SEC. The forward-
looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or
accurate information. We do not assume any obligation to update any forward-looking statements
we may make. In addition, any information about our roadmap outlines our general product direction
and is subject to change at any time without notice. It is for informational purposes only and shall
not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to
develop the features or functionality described or to include any such feature or functionality in a
future release.
Agenda
Splunk Portfolio Update
User Behavior Analytics
Enterprise Security
Machine data contains a definitive record of all interactions, both human-to-machine and machine-to-machine.
Splunk is a very effective platform to collect, store, and analyze all of that data.
Splunk as the Security Nerve Center
Security domains feeding the nerve center: App, Servers, Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Endpoints, Identity
Splunk Solutions > Easy to Adopt
Platform for Machine Data, across data sources, use cases & consumption models
• Splunk Premium Solutions: ITSI, UBA
• Rich ecosystem of apps: VMware, Exchange, PCI, Security, IT Svc Int
• Data sources: Forwarders, Syslog/TCP, Mainframe Data, Relational Databases, Mobile, IoT Devices, Network Wire Data, Hadoop & NoSQL
All Data is Security Relevant
• Traditional SIEM sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
• Beyond the traditional SIEM: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB
Splunk for Security, Compliance & Fraud
Use cases on the Platform for Machine Data:
• Security & Compliance Reporting
• Monitor & Detect Known/Unknown Threats
• Fraud Detection
• Insider Threat
• Incident Investigations & Forensics
• Security Analytics
Rapid Ascent in the Gartner SIEM Magic Quadrant*
• 2011 Niche Player
• 2012 Challenger
• 2013 Leader
• 2014 Leader
• 2015 Leader, and the only vendor to improve its visionary position
*Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Adaptive Response Initiative – RSA 2016
Security domains connected by the initiative: App workflow, Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Identity, Endpoints
Mission: Bring together the best security technologies to help combat advanced attacks
Challenge: Gather, analyze, share, and act based on end-to-end context, across security domains
Approach: Connect intelligence across best-of-breed products to:
• improve security posture
• quickly validate threats
• systematically disrupt the kill chain
Splunk Enterprise Security
• Incident Investigations & Management
• Alerts, Dashboards & Reports
• Statistical Outliers, Risk Scoring & User Activity
• Threat Intel, Asset & Identity Integration
Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds
What’s new in Splunk Enterprise Security?
Behavioral Analytics in SIEM Workflow
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
ES 4.1 and UBA 2.2
Prioritize and Speed Investigations (ES 4.1)
Centralized incident review combining risk scores and quick search:
• Use the new risk scores and quick searches to determine the impact of an incident quickly.
• Use risk scores to generate actionable alerts and respond to matters that require immediate attention.
Expanded Threat Intelligence (ES 4.1)
Supports Facebook ThreatExchange: an additional threat intelligence feed that provides domain name, IP address and file hash indicators. Use it with ad hoc searches and investigations. Extends Splunk's Threat Intelligence Framework.
Replacing a SIEM @ Cisco
Challenges
• SIEM could not meet security needs
• Very difficult to index non-security or custom app log data
• Serious scale and speed issues: 10 GB/day and searches took > 6 minutes
• Difficult to customize; reliance on pre-built rules which generated false positives
Splunk Solution
• Easy to index any type of machine data from any source
• Over 60 simultaneous users, correlations, reporting, advanced threat detection
• Use all data + flexible searches and reporting = empowered team
• 900 GB/day and searches take < 1 minute; 7 global data centers with 350 TB store
• Estimated that Splunk is 25% the cost of a traditional SIEM
"We moved to Splunk from traditional SIEM as Splunk is designed and engineered for 'big data' use cases. Our previous SIEM was not and simply could not scale to the data volumes we have."
- Gavin Reid, Leader, Cisco Computer Security Incident Response Team
Must read for anyone operating a SOC: the Cisco CSIRT playbook
What is Splunk UBA?
Familiar with these breaches?
• January 2015: Morgan Stanley, 730K PII records
• February 2015: Anthem Insurance, 80M patient records
• February 2015: Office of Personnel Management, 22M PII records
• July 2015: Pentagon unclassified email system, 4K PII records
What is the problem?
• Compromised / misused credentials or devices
• Lack of resources (security expertise)
• Lack of alert prioritization & excessive false positives
Splunk User Behavioral Analytics
Automated detection of insider threats and cyber attacks, built on the Platform for Machine Data.
• Cyber Attack Detection
• Insider Threat Detection
• Security Analytics
How it works:
• Behavior baselining & modelling
• Unsupervised machine learning
• Real-time & big data architecture
• Threat & anomaly detection
A Few Customer Findings
Across retail, hi-tech, manufacturing and financial customers:
• Malicious Domain
• Beaconing Activity
• Malware: Asprox
• Webshell Activity
• Pass The Hash Attack
• Suspicious Privileged Account Activity
• Exploit Kit: Fiesta
• Lateral Movement
• Unusual Geo Location
• Privileged Account Abuse
• Access Violations
• IP Theft
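The slides describe UBA's approach as behavior baselining plus anomaly detection and list beaconing activity among the customer findings. The following is an added example, not Splunk UBA code, that shows the shape of such a detection over a handful of constructed web-proxy log lines: a compromised host tends to call its command-and-control server on a near-fixed timer, so the detector groups requests by (client, destination) and flags pairs whose inter-arrival gaps are both frequent and unusually regular. The host names, addresses and thresholds are assumptions chosen for illustration.

```python
"""Beaconing detection over constructed web-proxy log lines.

Added example, not Splunk UBA code. It illustrates the baseline-and-flag
idea behind behavioral analytics: a compromised host usually calls back to
its command-and-control server on a near-fixed timer, while a person
browsing produces irregular gaps. We group proxy requests by
(client, destination), compute the gaps between consecutive requests and
flag pairs whose gaps are both frequent and unusually regular.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample, not real traffic. Fields: timestamp client destination status
PROXY_LOG = """\
2016-03-01T09:00:00 10.1.1.20 update.example-cdn.net 200
2016-03-01T09:00:03 10.1.1.20 news.example.org 200
2016-03-01T09:00:41 10.1.1.20 news.example.org 200
2016-03-01T09:05:00 10.1.1.20 update.example-cdn.net 200
2016-03-01T09:07:12 10.1.1.20 mail.example.com 200
2016-03-01T09:10:00 10.1.1.20 update.example-cdn.net 200
2016-03-01T09:15:01 10.1.1.20 update.example-cdn.net 200
2016-03-01T09:20:00 10.1.1.20 update.example-cdn.net 200
2016-03-01T09:24:55 10.1.1.20 news.example.org 200
2016-03-01T09:25:00 10.1.1.20 update.example-cdn.net 200
2016-03-01T09:30:00 10.1.1.20 update.example-cdn.net 200
2016-03-01T09:01:10 10.1.1.31 news.example.org 200
2016-03-01T09:02:45 10.1.1.31 docs.example.com 200
2016-03-01T09:09:30 10.1.1.31 news.example.org 200
2016-03-01T09:31:02 10.1.1.31 news.example.org 200
2016-03-01T09:58:40 10.1.1.31 docs.example.com 200
"""


def parse_proxy_log(text):
    """Parse 'timestamp client destination status' lines into tuples.

    Malformed lines are skipped rather than crashing the detector, which is
    what you want when the feed is a real proxy rather than a clean sample.
    """
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2]))
    return events


def find_beacons(events, min_requests=5, max_cv=0.1):
    """Return (client, destination) pairs whose request timing looks automated.

    A pair is flagged when it has at least `min_requests` requests and the
    coefficient of variation (stdev / mean) of the inter-arrival gaps is at
    most `max_cv`. Both thresholds are tuning assumptions, not UBA defaults.
    Events are sorted per pair, so out-of-order log lines are handled.
    """
    by_pair = defaultdict(list)
    for ts, client, dest in events:
        by_pair[(client, dest)].append(ts)

    findings = []
    for (client, dest), times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:  # duplicate timestamps only; nothing periodic to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "destination": dest,
                "requests": len(times),
                "period_s": round(avg, 1),
                "cv": round(cv, 4),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_proxy_log(PROXY_LOG)):
        print(f"{f['client']} -> {f['destination']}: {f['requests']} requests, "
              f"~{f['period_s']}s period, cv={f['cv']}")
```

In the sample, only 10.1.1.20 talking to update.example-cdn.net every five minutes is flagged; the same host's irregular visits to news.example.org and the second workstation's browsing fall below the request count or vary too much. A production version would also have to tolerate jitter that malware adds deliberately (loosen `max_cv`, or look at the distribution of gaps rather than one statistic) and whitelist legitimate periodic clients such as update agents.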
What Customers Have to Say About Splunk UBA
"Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that don't scale. We are pleased with the efficacy and efficiency of this solution as it makes the lives of our SOC analysts way better."
- Mark Grimse, VP IT Security, Rambus
"A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it's crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space."
- Randolph Barr, CSO, Saba
What's the Latest?
• UBA results across the SIEM workflow (ES 4.1 + UBA 2.2)
• Rapid investigation of advanced threats (ES 4.1)
• Enhanced insider threat & cyber attack detection (UBA 2.2)
Splunk UBA and Splunk ES Integration
Data sources: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds
• UBA: data-science-driven threat detection, 99.99% event reduction
• ES: machine learning in the SIEM workflow, anomaly-based correlation
What Does Splunk UBA Need? At a minimum:
• Proxy server
• Firewall
• Active Directory / domain controller
• DNS, DHCP
• Splunk Enterprise
What’s New in UBA 2.2
Enhanced Insider Threat and Cyber Attack Detection (UBA 2.2)
Threat Detection Framework
• Custom threat modeling with anomalies
Expanded Attack Coverage
• Data access and physical data loss
New Viewpoint
• Precision, prioritization and correlation of alerts with anomalies
Detection: Custom Threat Modeling Framework (UBA 2.2)
Create custom threats using 60+ anomalies: analysts define custom threat scenarios on top of the anomalies detected by machine learning. Scenarios run in real time and can also be applied to historical data. Analysts can create many combinations and permutations of threat detection scenarios alongside the automated threat detection.
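The custom threat modeling framework described here and the risk-score-driven prioritization in ES 4.1 earlier on the page amount to one mechanism: combine anomalies per entity into a named threat and rank by score. The following added example (not Splunk UBA or ES code) implements that mechanism in Python. The anomaly types, weights, scenario names and window lengths are assumptions, and the sample anomalies are constructed; it also shows the window edge case, where two matching anomalies too far apart do not form a threat.

```python
"""Correlating anomalies into named threats with a roll-up risk score.

Added example, not Splunk UBA or Enterprise Security code. It models the idea
on the slide: a single anomaly is a weak signal, a threat scenario declares
which anomaly types must co-occur for one entity inside a time window, and
the matched anomalies' weights sum into a risk score used to rank and alert.
Anomaly types, weights, scenarios and the sample anomalies are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Anomaly:
    entity: str          # user or device the anomaly is attached to
    kind: str            # anomaly type emitted by the detection layer
    time: datetime
    weight: int          # contribution to the risk score (assumed values)


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    required: frozenset  # anomaly kinds that must all appear...
    window: timedelta    # ...within this span for one entity


@dataclass
class Threat:
    scenario: str
    entity: str
    first_seen: datetime
    last_seen: datetime
    evidence: list = field(default_factory=list)

    @property
    def risk_score(self) -> int:
        return sum(a.weight for a in self.evidence)


SCENARIOS = [
    ThreatScenario("Account takeover with lateral movement",
                   frozenset({"unusual_geo_login", "new_device", "lateral_movement"}),
                   timedelta(hours=24)),
    ThreatScenario("Possible data exfiltration",
                   frozenset({"unusual_data_volume", "rare_destination"}),
                   timedelta(hours=6)),
]

T0 = datetime(2016, 3, 1, 8, 0)
SAMPLE_ANOMALIES = [
    Anomaly("alice", "unusual_geo_login", T0, 30),
    Anomaly("alice", "new_device", T0 + timedelta(minutes=5), 20),
    Anomaly("alice", "lateral_movement", T0 + timedelta(hours=2, minutes=30), 40),
    Anomaly("bob", "lateral_movement", T0 + timedelta(hours=1), 40),      # lone signal
    Anomaly("carol", "unusual_data_volume", T0 + timedelta(hours=1), 35),
    Anomaly("carol", "rare_destination", T0 + timedelta(hours=12), 25),  # 11 h later: outside 6 h window
]


def correlate(anomalies, scenarios=SCENARIOS):
    """Return one Threat per (entity, scenario) whose required kinds all occur
    within the scenario window; the earliest qualifying window is reported."""
    by_entity = defaultdict(list)
    for a in anomalies:
        by_entity[a.entity].append(a)

    threats = []
    for entity, items in by_entity.items():
        items.sort(key=lambda a: a.time)
        for sc in scenarios:
            for i, start in enumerate(items):
                if start.kind not in sc.required:
                    continue
                in_window = [a for a in items[i:]
                             if a.kind in sc.required and a.time - start.time <= sc.window]
                if not sc.required <= {a.kind for a in in_window}:
                    continue
                earliest = {}                      # one piece of evidence per kind
                for a in in_window:
                    earliest.setdefault(a.kind, a)
                ev = sorted(earliest.values(), key=lambda a: a.time)
                threats.append(Threat(sc.name, entity, ev[0].time, ev[-1].time, ev))
                break                              # report this scenario once per entity
    return threats


def prioritize(threats, alert_threshold=50):
    """Highest risk first; only threats at or above the threshold become alerts."""
    ranked = sorted(threats, key=lambda t: t.risk_score, reverse=True)
    return [t for t in ranked if t.risk_score >= alert_threshold]


if __name__ == "__main__":
    for t in prioritize(correlate(SAMPLE_ANOMALIES)):
        print(f"[{t.risk_score}] {t.entity}: {t.scenario} "
              f"({t.first_seen:%H:%M} - {t.last_seen:%H:%M})")
```

Only alice produces a threat (score 90): bob's single lateral-movement anomaly never completes a scenario, and carol's two exfiltration anomalies are eleven hours apart, outside the six-hour window. Widening that window to twelve hours turns carol into a finding, which is exactly the kind of tuning decision the framework leaves to the analyst.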
Detection: Enhanced Security Analytics (UBA 2.2)
Detailed visibility to understand normal behavior: 30+ new metrics give visibility and baseline metrics around user, device, application and protocol, in user-centric, device-centric, application-centric and protocol-centric views.
Improved Precision and Prioritization of Threats (UBA 2.2)
• Risk percentile & dynamic peer groups
• Support for additional 3rd-party devices
Context enrichment from: Citrix NetScaler (AppFlow), FireEye Email (EX), Symantec DLP, Bit9/Carbon Black, Digital Guardian, and many more
ES & UBA Demo
The 7th Annual Splunk Worldwide Users' Conference
Sept 26-29, 2016, Walt Disney World, Orlando, Swan and Dolphin Resorts
• 5000+ IT & business professionals
• 3 days of technical content
• 165+ sessions
• 80+ customer speakers
• 35+ apps in the Splunk Apps Showcase
• 75+ technology partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and more
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk certified for free
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education
Thank You!
Splunk196 visualizações
.conf go 2023 - De NOC a CSIRT (Cellnex) por Splunk
.conf go 2023 - De NOC a CSIRT (Cellnex).conf go 2023 - De NOC a CSIRT (Cellnex)
.conf go 2023 - De NOC a CSIRT (Cellnex)
Splunk196 visualizações
conf go 2023 - El camino hacia la ciberseguridad (ABANCA) por Splunk
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
conf go 2023 - El camino hacia la ciberseguridad (ABANCA)
Splunk195 visualizações
Splunk - BMW connects business and IT with data driven operations SRE and O11y por Splunk
Splunk - BMW connects business and IT with data driven operations SRE and O11ySplunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk - BMW connects business and IT with data driven operations SRE and O11y
Splunk16 visualizações
Splunk x Freenet - .conf Go Köln por Splunk
Splunk x Freenet - .conf Go KölnSplunk x Freenet - .conf Go Köln
Splunk x Freenet - .conf Go Köln
Splunk97 visualizações
Splunk Security Session - .conf Go Köln por Splunk
Splunk Security Session - .conf Go KölnSplunk Security Session - .conf Go Köln
Splunk Security Session - .conf Go Köln
Splunk203 visualizações
Data foundations building success, at city scale – Imperial College London por Splunk
 Data foundations building success, at city scale – Imperial College London Data foundations building success, at city scale – Imperial College London
Data foundations building success, at city scale – Imperial College London
Splunk83 visualizações
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen... por Splunk
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk: How Vodafone established Operational Analytics in a Hybrid Environmen...
Splunk153 visualizações
SOC, Amore Mio! | Security Webinar por Splunk
SOC, Amore Mio! | Security WebinarSOC, Amore Mio! | Security Webinar
SOC, Amore Mio! | Security Webinar
Splunk508 visualizações
.conf Go 2022 - Observability Session por Splunk
.conf Go 2022 - Observability Session.conf Go 2022 - Observability Session
.conf Go 2022 - Observability Session
Splunk301 visualizações
.conf Go Zurich 2022 - Keynote por Splunk
.conf Go Zurich 2022 - Keynote.conf Go Zurich 2022 - Keynote
.conf Go Zurich 2022 - Keynote
Splunk48 visualizações

Último

Top 10 Strategic Technologies in 2024: AI and Automation por
Top 10 Strategic Technologies in 2024: AI and AutomationTop 10 Strategic Technologies in 2024: AI and Automation
Top 10 Strategic Technologies in 2024: AI and AutomationAutomationEdge Technologies
18 visualizações14 slides
HTTP headers that make your website go faster - devs.gent November 2023 por
HTTP headers that make your website go faster - devs.gent November 2023HTTP headers that make your website go faster - devs.gent November 2023
HTTP headers that make your website go faster - devs.gent November 2023Thijs Feryn
21 visualizações151 slides
virtual reality.pptx por
virtual reality.pptxvirtual reality.pptx
virtual reality.pptxG036GaikwadSnehal
11 visualizações15 slides
Roadmap to Become Experts.pptx por
Roadmap to Become Experts.pptxRoadmap to Become Experts.pptx
Roadmap to Become Experts.pptxdscwidyatamanew
14 visualizações45 slides
Data-centric AI and the convergence of data and model engineering: opportunit... por
Data-centric AI and the convergence of data and model engineering:opportunit...Data-centric AI and the convergence of data and model engineering:opportunit...
Data-centric AI and the convergence of data and model engineering: opportunit...Paolo Missier
39 visualizações40 slides
The Research Portal of Catalonia: Growing more (information) & more (services) por
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)CSUC - Consorci de Serveis Universitaris de Catalunya
79 visualizações25 slides

Último(20)

Top 10 Strategic Technologies in 2024: AI and Automation por AutomationEdge Technologies
Top 10 Strategic Technologies in 2024: AI and AutomationTop 10 Strategic Technologies in 2024: AI and Automation
Top 10 Strategic Technologies in 2024: AI and Automation
AutomationEdge Technologies18 visualizações
HTTP headers that make your website go faster - devs.gent November 2023 por Thijs Feryn
HTTP headers that make your website go faster - devs.gent November 2023HTTP headers that make your website go faster - devs.gent November 2023
HTTP headers that make your website go faster - devs.gent November 2023
Thijs Feryn21 visualizações
virtual reality.pptx por G036GaikwadSnehal
virtual reality.pptxvirtual reality.pptx
virtual reality.pptx
G036GaikwadSnehal11 visualizações
Roadmap to Become Experts.pptx por dscwidyatamanew
Roadmap to Become Experts.pptxRoadmap to Become Experts.pptx
Roadmap to Become Experts.pptx
dscwidyatamanew14 visualizações
Data-centric AI and the convergence of data and model engineering: opportunit... por Paolo Missier
Data-centric AI and the convergence of data and model engineering:opportunit...Data-centric AI and the convergence of data and model engineering:opportunit...
Data-centric AI and the convergence of data and model engineering: opportunit...
Paolo Missier39 visualizações
Uni Systems for Power Platform.pptx por Uni Systems S.M.S.A.
Uni Systems for Power Platform.pptxUni Systems for Power Platform.pptx
Uni Systems for Power Platform.pptx
Uni Systems S.M.S.A.55 visualizações
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors por sugiuralab
TouchLog: Finger Micro Gesture Recognition  Using Photo-Reflective SensorsTouchLog: Finger Micro Gesture Recognition  Using Photo-Reflective Sensors
TouchLog: Finger Micro Gesture Recognition Using Photo-Reflective Sensors
sugiuralab19 visualizações
Report 2030 Digital Decade por Massimo Talia
Report 2030 Digital DecadeReport 2030 Digital Decade
Report 2030 Digital Decade
Massimo Talia15 visualizações
Lilypad @ Labweek, Istanbul, 2023.pdf por Ally339821
Lilypad @ Labweek, Istanbul, 2023.pdfLilypad @ Labweek, Istanbul, 2023.pdf
Lilypad @ Labweek, Istanbul, 2023.pdf
Ally3398219 visualizações
Scaling Knowledge Graph Architectures with AI por Enterprise Knowledge
Scaling Knowledge Graph Architectures with AIScaling Knowledge Graph Architectures with AI
Scaling Knowledge Graph Architectures with AI
Enterprise Knowledge28 visualizações
handbook for web 3 adoption.pdf por Liveplex
handbook for web 3 adoption.pdfhandbook for web 3 adoption.pdf
handbook for web 3 adoption.pdf
Liveplex22 visualizações
Spesifikasi Lengkap ASUS Vivobook Go 14 por Dot Semarang
Spesifikasi Lengkap ASUS Vivobook Go 14Spesifikasi Lengkap ASUS Vivobook Go 14
Spesifikasi Lengkap ASUS Vivobook Go 14
Dot Semarang37 visualizações
ChatGPT and AI for Web Developers por Maximiliano Firtman
ChatGPT and AI for Web DevelopersChatGPT and AI for Web Developers
ChatGPT and AI for Web Developers
Maximiliano Firtman187 visualizações
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive por Network Automation Forum
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLiveAutomating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Automating a World-Class Technology Conference; Behind the Scenes of CiscoLive
Network Automation Forum30 visualizações
Igniting Next Level Productivity with AI-Infused Data Integration Workflows por Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software257 visualizações
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 por IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
IttrainingIttraining41 visualizações
AMAZON PRODUCT RESEARCH.pdf por JerikkLaureta
AMAZON PRODUCT RESEARCH.pdfAMAZON PRODUCT RESEARCH.pdf
AMAZON PRODUCT RESEARCH.pdf
JerikkLaureta19 visualizações
Java Platform Approach 1.0 - Picnic Meetup por Rick Ossendrijver
Java Platform Approach 1.0 - Picnic MeetupJava Platform Approach 1.0 - Picnic Meetup
Java Platform Approach 1.0 - Picnic Meetup
Rick Ossendrijver27 visualizações

Splunk for Enterprise Security and User Behavior Analytics

  • 1. Copyright © 2016 Splunk Inc. Splunk Security Analytics, SIEM & UBA Overview SplunkLive Austin 2016 Muddu Sudhakar VP & GM Security & IoT Splunk Twitter: @smuddu
  • 2. 2 Legal Notices During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward- looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
  • 3. 3 Agenda Splunk Portfolio Update User Behavior Analytics Enterprise Security
  • 4. Machine data contains a definitive record of all interactions Splunk is a very effective platform to collect, store, and analyze all of that data Human Machine Machine Machine
  • 5. 5 App Servers Network Threat Intelligence Firewall Web Proxy Internal Network Security Endpoints Splunk as the Security Nerve Center Identity
  • 6. 6 Splunk Solutions > Easy to Adopt. Platform for Machine Data: VMware, Exchange, PCI, Security, IT Svc Int. Across Data Sources, Use Cases & Consumption Models. Splunk Premium Solutions (ITSI, UBA), Rich Ecosystem of Apps. Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
  • 7. Machine data contains a definitive record of all interactions Splunk is a very effective platform to collect, store, and analyze all of that data Human Machine Machine Machine
  • 8. 8 All Data is Security Relevant: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Traditional SIEM, Authentication
  • 9. 9 Splunk Solutions > Easy to Adopt. Platform for Machine Data: VMware, Exchange, PCI, Security, IT Svc Int. Across Data Sources, Use Cases & Consumption Models. Splunk Premium Solutions (ITSI, UBA), Rich Ecosystem of Apps. Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
  • 10. Splunk for Security, Compliance & Fraud Platform for Machine Data Security & Compliance Reporting Monitor & Detect Known/Unknown Threats Fraud Detection Insider Threat Incident Investigations & Forensics Security Analytics
  • 11. Rapid Ascent in the Gartner SIEM Magic Quadrant*: 2011 Niche Player; 2012 Challenger; 2013 Leader; 2014 Leader; 2015 Leader and the only vendor to improve its visionary position. *Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
  • 12. 12 Adaptive Response Initiative – RSA 2016. App workflow, Network, Threat Intelligence, Firewall, Web Proxy, Internal Network Security, Identity, Endpoints. Mission: Bring together the best security technologies to help combat advanced attacks. Challenge: Gather / analyze, share, act based on end-to-end context, across security domains. Approach: Connect intelligence across best-of-breed: • improve security posture • quickly validate threats • systematically disrupt the kill chain
  • 13. Splunk Enterprise Security SplunkLive Austin 2016 Muddu Sudhakar VP & GM Security & IoT Splunk Twitter: @smuddu
  • 14. Splunk Enterprise Security: Incident Investigations & Management; Alerts & Dashboards & Reports; Statistical Outliers & Risk Scoring & User Activity; Threat Intel & Asset & Identity Integration. Pre-built searches, alerts, reports, dashboards, incident workflow, and threat intelligence feeds 14
  • 15. What’s new in Splunk Enterprise Security?
  • 16. 16 Behavioral Analytics in SIEM Workflow • All Splunk UBA results available in Enterprise Security • Workflows for SOC Manager, SOC analyst and Hunter/Investigator • Splunk UBA can be purchased/operated separately from Splunk Enterprise Security 16 ES 4.1 and UBA 2.2
  • 17. 17 Prioritize and Speed Investigations Centralized incident review combining risk and quick search Use the new risk scores and quick searches to determine the impact of an incident quickly Use risk scores to generate actionable alerts to respond on matters that require immediate attention. ES 4.1
  • 18. 18 Expanded Threat Intelligence ES 4.1 Supports Facebook ThreatExchange. An additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes. Use with ad hoc searches and investigations. Extends Splunk’s Threat Intelligence Framework
  • 19. 19 Replacing a SIEM @ Cisco. Challenges • SIEM could not meet security needs • Very difficult to index non-security or custom app log data • Serious scale and speed issues: 10GB/day and searches took > 6 minutes • Difficult to customize, reliance on pre-built rules which generated false positives. Splunk Solution • Easy to index any type of machine data from any source • Over 60 simultaneous users, correlations, reporting, advanced threat detection • Use all data + flexible searches and reporting = empowered team • 900 GB/day and searches take under a minute. 7 global data centers with 350TB store • Estimated that Splunk is 25% the cost of a traditional SIEM. “We moved to Splunk from traditional SIEM as Splunk is designed and engineered for ‘big data’ use cases. Our previous SIEM was not and simply could not scale to the data volumes we have.” - Gavin Reid, Leader, Cisco Computer Security Incident Response Team
  • 20. Must read for anyone operating a SOC Cisco CSIRT playbook
  • 22. 22 FAMILIAR WITH THESE BREACHES? January 2015: Morgan Stanley, 730K PII Records. February 2015: Anthem Insurance, 80M Patient Records. February 2015: Office of Personnel Management, 22M PII Records. July 2015: Pentagon Unclassified Email System, 4K PII Records
  • 23. 23 WHAT IS THE PROBLEM? COMPROMISED / MISUSED CREDENTIALS OR DEVICES; LACK OF RESOURCES (SECURITY EXPERTISE); LACK OF ALERT PRIORITIZATION & EXCESSIVE FALSE POSITIVES
  • 24. Splunk User Behavioral Analytics Automated Detection of INSIDER THREATS AND CYBER ATTACKS Cyber Attack Detection Insider Threat Detection Security Analytics Platform for Machine Data
  • 25. Splunk User Behavioral Analytics Automated Detection of INSIDER THREATS AND CYBER ATTACKS Platform for Machine Data Behavior Baselining & Modelling Unsupervised Machine Learning Real-Time & Big Data Architecture Threat & Anomaly Detection Security Analytics
  • 26. A Few CUSTOMER FINDINGS: Malicious Domain; Beaconing Activity; Malware: Asprox; Webshell Activity; Pass The Hash Attack; Suspicious Privileged Account activity; Exploit Kit: Fiesta; Lateral Movement; Unusual Geo Location; Privileged Account Abuse; Access Violations; IP Theft (verticals: RETAIL, HI-TECH, MANUFACTURING, FINANCIAL)
  • 27. 27 WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA. “Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that don’t scale. We are pleased with the efficacy and efficiency of this solution as it makes the lives of our SOC analysts way better.” Mark Grimse, VP IT Security, Rambus. “A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it’s crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space.” Randolph Barr, CSO, Saba
  • 28. 28 What’s THE LATEST? 28 UBA Results Across SIEM Workflow Rapid Investigation of Advanced Threats Enhanced Insider Threat & Cyber Attack Detection ES 4.1 + UBA 2.2 ES 4.1 UBA 2.2
  • 29. Splunk UBA and Splunk ES Integration. DATA SOURCES: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds. DATA SCIENCE DRIVEN THREAT DETECTION: 99.99% EVENT REDUCTION. UBA MACHINE LEARNING IN SIEM WORKFLOW: ANOMALY-BASED CORRELATION
  • 30. WHAT DOES SPLUNK UBA NEED? AT A MINIMUM: SPLUNK ENTERPRISE, PROXY SERVER, FIREWALL, ACTIVE DIRECTORY / DOMAIN CONTROLLER, DNS, DHCP
  • 31. What’s New in UBA 2.2
  • 32. 32 Enhanced Insider Threat and Cyber Attack Detection. DETECTION: Threat Detection Framework • Custom threat modeling with anomalies. Expanded Attack Coverage • Data access and physical data loss. New Viewpoint • Precision, prioritization and correlation of alerts with anomalies UBA 2.2
  • 33. 33 Detection: Custom Threat Modeling Framework. Create custom threats using 60+ anomalies. Create custom threat scenarios on top of anomalies detected by machine learning. Helps with real-time threat detection and can also be leveraged to detect threats in historical data. Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection. UBA 2.2
  • 34. 34 Detection : Enhanced Security Analytics Visibility and baseline metrics around user, device, application and protocol 30+ new metrics USER CENTRIC DEVICE CENTRIC APPLICATION CENTRIC PROTOCOL CENTRIC Detailed Visibility, Understand Normal Behavior UBA 2.2
  • 35. 35 Improved Precision and Prioritization of Threats: Risk Percentile & Dynamic Peer Groups; Support for Additional 3rd Party Devices. Context Enrichment: Citrix NetScaler (AppFlow), FireEye Email (EX), Symantec DLP, Bit9/Carbon Black, Digital Guardian, and many more…. UBA 2.2
  • 36. ES & UBA Demo
  • 37. 37 SEPT 26-29, 2016 WALT DISNEY WORLD, ORLANDO SWAN AND DOLPHIN RESORTS • 5000+ IT & Business Professionals • 3 days of technical content • 165+ sessions • 80+ Customer Speakers • 35+ Apps in Splunk Apps Showcase • 75+ Technology Partners • 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks • NEW hands-on labs! • Expanded show floor, Dashboards Control Room & Clinic, and MORE! The 7th Annual Splunk Worldwide Users’ Conference PLUS Splunk University • Three days: Sept 24-26, 2016 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP • Save thousands on Splunk education!

Editor's Notes

  1. Splunk excels at creating a data fabric. Machine data: anything with a timestamp, regardless of incoming format. Throw it all in there! Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting. DETECTION NOT PREVENTION! ASSUME BREACH! So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.” So if you had a place to see “everything” that happened… ….what would that mean for your SOC and IR teams?
  2. We see Splunk as your security nerve center. Security organizations are moving towards putting Splunk at the center of everything. There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time. That doesn’t mean that Splunk is always the first place that people go – sometimes Splunk may be feeding another tool, like a traditional SIEM. But Splunk always ends up being the place to see “all of the detail” and the place where customers can mash up the data between many disparate sources.
  3. The Splunk platform consists of multiple products and deployment models to fit your needs. Splunk Enterprise – for on-premise deployment Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud Splunk Light – log search and analytics for small IT environments Hunk – for analytics on data in Hadoop The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
  4. At Splunk our mission is to make machine data accessible, usable and valuable to everyone. Splunk excels at creating a data fabric. Machine data: anything with a timestamp, regardless of incoming format. Throw it all in there! Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting. IN TODAY’S WORLD, WE NEED TO ASSUME BREACH! So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.” So if you had a place to see “everything” that happened… ….what would that mean for your SOC and IR teams?
  5. Big data approach to security; when you have a breach, people will want to know: where did they go, what did they see, what was compromised? Let me speak about an interesting cyber security use case to demonstrate the power of correlating data from multiple non-traditional sources. Verizon 2016 Data Breach Digest Report. They have a security team for hire called RISK. This document presents 18 actual cybercrime cases. Scenario #4, Insider threat: Bob the force multiplier is highly interesting.
  6. The Splunk platform consists of multiple products and deployment models to fit your needs. Splunk Enterprise – for on-premise deployment Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud Splunk Light – log search and analytics for small IT environments Hunk – for analytics on data in Hadoop The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
  7. Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
  8. Adaptive Response was conceived as a result of the successes of existing Splunk customers who compelled Splunk and partners to form the initiative. Core capabilities include elimination of manual data gathering steps, and the ability to apply appropriate actions (or a range of actions), specific to each security domain. One key benefit is improved ability to respond and adapt – actions can be manual, approval-triggered, or analytics-driven. Examples of possible actions: quarantine a session, kill a connection, close a port, block an IP, terminate the process associated with traffic, capture a memory dump or host-specific wire data, isolate a host from the network.
  9. Over 45 pre-built searches; 37 predefined dashboards; 160 reports supporting common security metrics. Manage and investigate incidents by correlating event data and contextual information from any data source. Pre-built statistical capabilities identify unusual activity and reduce false positives. Automated Threat Intel Integration ensures that new information is rapidly integrated into alerts and investigations.
  10. Operational issues and challenges. Use dashboards, alerts (correlation), correlate against observables. Use them for ad hoc searching and swimlanes.
  11. a. Continuation of integration…enables in-depth investigation: bring the UBA anomaly in as a sourcetype. Significant because all fields in ES are available. b. Describe the solution. Value of ES, Notable Events…IR. Add context. c. Increasing Threat Intel... Mention leadership and WP. Coverage.
  12. a. Continuation of integration…enables in-depth investigation: bring the UBA anomaly in as a sourcetype. Significant because all fields in ES are available. b. Describe the solution. Value of ES, Notable Events…IR. Add context. c. Increasing Threat Intel... Mention leadership and WP. Coverage.
  13. Cisco is a great story. Their traditional SIEM had issues getting in any kind of data source. It was hard to customize. It had scale and speed issues, which we will detail on the next slide. They literally looked at 9 other SIEMs/logging tools and Splunk was the clear winner. So they use us now for incident investigations, correlations, reporting. Worldwide, they are indexing over 1 terabyte (TB) a day. They have over 150 TBs stored in Splunk, 25 indexers, in 7 locations across the world. And they estimate it is 25% of the SIEM cost. So great value for Cisco.
  14. It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys that work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the:
  - Date and time in ISO 8601 (clocks synchronized to a central time service, NTP)
  - Type of action performed
  - Subsystem performing the action
  - Identifiers for the object requesting the action
  - Identifiers for the object providing the action
  - Status, outcome, or result of the action
  So CIM helps us get significant regularity out of similar but disparate data types. It also allows cross-domain correlation, like IDS to Vuln.
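As an added worked example (not code from the deck, from Splunk, or from the Cisco CSIRT book), the normalization the note describes: two constructed log formats, an IDS alert line and a vulnerability-scanner record, are mapped onto the six fields listed above with ISO 8601 UTC timestamps and then correlated IDS-to-Vuln on the same host. The field names, sample lines and the VULN-000x weakness identifiers are constructed placeholders, not CIM field names.

```python
"""Normalize two disparate log formats into one schema, then correlate them.

Added example, not code from the deck or the Cisco CSIRT book. The schema
carries the six fields the note lists; field names, sample lines and the
VULN-000x weakness identifiers are constructed placeholders.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Event:
    time: str        # ISO 8601, UTC, so every source sorts and compares alike
    action: str      # type of action performed
    subsystem: str   # subsystem performing the action
    src: str         # identifier of the object requesting the action
    dest: str        # identifier of the object providing the action
    status: str      # status, outcome or result of the action
    weakness: str    # constructed cross-source join key (weakness identifier)


# Constructed IDS format: "<epoch> [<weakness id>] <src>:<port> -> <dst>:<port> <Disposition>"
IDS_RE = re.compile(
    r"^(?P<ts>\d+)\s+\[(?P<wid>[^\]]+)\]\s+(?P<src>[\d.]+):\d+\s*->\s*"
    r"(?P<dst>[\d.]+):\d+\s+(?P<disp>\w+)$"
)


def parse_ids(line: str) -> Optional[Event]:
    """Epoch seconds become ISO 8601 UTC; the IDS disposition becomes the status."""
    m = IDS_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromtimestamp(int(m["ts"]), tz=timezone.utc)
    return Event(ts.isoformat(), "exploit_attempt", "ids",
                 m["src"], m["dst"], m["disp"].lower(), m["wid"])


def parse_vuln(line: str) -> Optional[Event]:
    """Constructed scanner format: 'date=DD/MM/YYYY HH:MM;host=..;finding=..;state=..'."""
    kv: Dict[str, str] = dict(p.split("=", 1) for p in line.strip().split(";") if "=" in p)
    try:
        ts = datetime.strptime(kv["date"], "%d/%m/%Y %H:%M").replace(tzinfo=timezone.utc)
        host, finding, state = kv["host"], kv["finding"], kv["state"]
    except (KeyError, ValueError):
        return None          # malformed record: drop it rather than guess
    return Event(ts.isoformat(), "vuln_scan", "vuln_scanner",
                 "scanner", host, state.lower(), finding)


def normalize(ids_lines: List[str], vuln_lines: List[str]) -> List[Event]:
    """Parse both sources into the shared schema, ordered by ISO 8601 time."""
    events = [e for e in map(parse_ids, ids_lines) if e]
    events += [e for e in map(parse_vuln, vuln_lines) if e]
    return sorted(events, key=lambda e: e.time)


def correlate(events: List[Event]) -> List[Dict[str, str]]:
    """IDS-to-Vuln: an exploit attempt that was allowed, against a host where the
    scanner still reports the same weakness open, is the pairing worth escalating."""
    open_findings = {(e.dest, e.weakness) for e in events
                     if e.subsystem == "vuln_scanner" and e.status == "open"}
    return [{"time": e.time, "host": e.dest, "weakness": e.weakness, "attacker": e.src}
            for e in events
            if e.subsystem == "ids" and e.status == "allowed"
            and (e.dest, e.weakness) in open_findings]


# Constructed sample input (not real traffic or scan data)
IDS_LINES = [
    "1461600000 [VULN-0001] 10.0.0.5:51234 -> 10.0.1.20:443 Allowed",
    "1461600300 [VULN-0002] 10.0.0.5:51240 -> 10.0.1.21:80 Blocked",
    "garbage line the parser must skip",
]
VULN_LINES = [
    "date=25/04/2016 09:00;host=10.0.1.20;finding=VULN-0001;state=open",
    "date=25/04/2016 09:05;host=10.0.1.21;finding=VULN-0002;state=fixed",
]

if __name__ == "__main__":
    for hit in correlate(normalize(IDS_LINES, VULN_LINES)):
        print(hit)
```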
  15. Let’s start by simplifying the problem that Splunk UBA is addressing for our customers. Whether it be a spearphishing campaign, a watering-hole attack, a drive-by download, or social engineering, the goal of the attacks is to gain access to a user’s credentials or a user’s device; in the case of an insider, however, it’s your very own employee misusing his or her credentials or access privileges to gather confidential information. Rules and signatures aren’t designed to solve a complex problem such as this. We label this problem as finding the Unknowns. Second, our customers have people constraints. Customers complain about the lack of availability of security expertise from a budget and skillset availability standpoint. With resources hard to find and budget scarce, they really can’t fill their SOC and incident response teams with more people. Throwing people at the problem isn’t going to solve the issue. Third, there are alert prioritization problems. Just adding more tools that are disparate and continuing to use island-like approaches is not going to help customers’ problems either. The number of signals, alerts, and false positives emanating from all that is huge. That makes it very hard to wade through and apply intelligence.
  To combat or solve this complex space of attacks, the necessary foundation is basically these 5 pillars, which are the secret sauce of our Splunk UBA solution. Customers need: a solution that is real-time and leverages a big data foundation; the ability to model behavior on a multi-entity basis; a set of algorithms which can look at the behavior taking an unsupervised machine learning approach, creating flags for the anomalies that are detected; and, in addition, multi-layered ML models that stitch these anomalies into different threat patterns.
  From a foundation perspective, Splunk UBA is unique, and we actually invested completely in a new thing: leveraging unsupervised machine learning algorithms. The platform has a large set of algorithms to detect cyber-attacks and insider threats; a few things the product can detect would be beaconing, webshell attacks, exploits, suspicious file access, unusual AD sequences, data exfiltration, etc. There are over thirty algorithms that provide customers with broad coverage to detect not only cyber-attacks but also insider threats. And there are close to forty anomaly classifications for a hunter-centric persona to look into. And over 30 aggregates across multiple entities (user, device, application, protocol) help customers gain visibility into an organization’s state.
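An added illustration (not Splunk UBA code) of the idea on slide 33 and in the note above: stitching anomalies that machine learning has already flagged into a named, custom threat scenario per entity. Each scenario lists the anomaly kinds that must all appear for one user or device inside a time window, and the per-anomaly scores are combined so that several moderate anomalies add up; the same function runs over a live batch or over historical anomalies. The anomaly kinds are taken from the deck's customer findings, while the anomaly records, scenario definitions and noisy-OR scoring are constructed assumptions.

```python
"""Stitch machine-learning anomalies into named threat scenarios per entity.

Added example, not Splunk UBA code. Anomaly kinds come from the deck's
customer findings; the records, scenarios and scoring are constructed.
"""
import math
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Anomaly:
    entity: str        # user or device the anomaly was raised on
    kind: str          # anomaly classification produced upstream
    time: datetime
    score: float       # per-anomaly score in [0, 1]


@dataclass(frozen=True)
class Scenario:
    name: str
    required: FrozenSet[str]   # every kind must appear for the same entity...
    window: timedelta          # ...within this time span
    min_score: float = 0.0     # threshold on the combined score


@dataclass
class Threat:
    scenario: str
    entity: str
    start: datetime
    end: datetime
    score: float
    evidence: List[Anomaly] = field(default_factory=list)


def combine_scores(scores: List[float]) -> float:
    """Noisy-OR: 1 - prod(1 - s), so several moderate anomalies outrank one weak one."""
    return 1.0 - math.prod(1.0 - s for s in scores)


def stitch(anomalies: List[Anomaly], scenarios: List[Scenario]) -> List[Threat]:
    """Raise one Threat per (entity, scenario) when every required anomaly kind
    occurs for that entity inside the scenario's window."""
    by_entity: Dict[str, List[Anomaly]] = defaultdict(list)
    for a in anomalies:
        by_entity[a.entity].append(a)
    threats: List[Threat] = []
    for entity, evs in by_entity.items():
        evs.sort(key=lambda a: a.time)
        for sc in scenarios:
            for i, first in enumerate(evs):
                if first.kind not in sc.required:
                    continue
                # anomalies of interest inside the window opened by `first`
                window = [a for a in evs[i:]
                          if a.kind in sc.required and a.time - first.time <= sc.window]
                if {a.kind for a in window} != sc.required:
                    continue   # a required kind is missing; slide the window on
                combined = combine_scores([a.score for a in window])
                if combined >= sc.min_score:
                    threats.append(Threat(sc.name, entity, first.time,
                                          window[-1].time, combined, window))
                    break      # first full match per entity and scenario is enough
    return threats


# Constructed sample data (not real detections)
T0 = datetime(2016, 4, 25, 8, 0, tzinfo=timezone.utc)
H = timedelta(hours=1)
ANOMALIES = [
    Anomaly("alice", "unusual_geo_location", T0, 0.5),
    Anomaly("alice", "suspicious_privileged_account_activity", T0 + 1 * H, 0.6),
    Anomaly("alice", "data_exfiltration", T0 + 3 * H, 0.7),
    Anomaly("bob", "unusual_geo_location", T0, 0.5),
    Anomaly("bob", "data_exfiltration", T0 + 48 * H, 0.9),   # too far apart: no threat
    Anomaly("host-17", "beaconing", T0, 0.4),
    Anomaly("host-17", "webshell_activity", T0 + 2 * H, 0.8),
]
SCENARIOS = [
    Scenario("insider_data_theft",
             frozenset({"unusual_geo_location",
                        "suspicious_privileged_account_activity",
                        "data_exfiltration"}),
             timedelta(hours=24), min_score=0.8),
    Scenario("compromised_web_server",
             frozenset({"beaconing", "webshell_activity"}),
             timedelta(hours=6)),
]

if __name__ == "__main__":
    for t in stitch(ANOMALIES, SCENARIOS):
        print(t.scenario, t.entity, round(t.score, 2), [a.kind for a in t.evidence])
```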
  16. Highlights… custom threat modelling; data access; easier; leadership, innovation.
  17. Remind what UBA is. Highlight the pics on the right…custom threat. Point out the fact that we now have rules with ML. Competitors have rules with stats.
  18. We’re headed to the East Coast! 2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics! 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!