Splunk products provide a flexible and fast security intelligence platform that makes security personnel and processes more efficient by giving them quick and flexible access to all of the data and information needed to detect, investigate and remediate threats. This presentation discusses best practices for building out or enhancing an analytics-based security strategy and how Splunk products can make people, process, and technology work better together.
2. Today's Specials
• Advanced Threats are hard to find
• How to use Splunk for Security?
• Add value to existing data
• Detect new threats
• Splunk Enterprise Security 4.0
• User Behavior Analytics
15 October
3. Advanced Threats Are Hard to Find
Cyber Criminals, Nation States, Insider Threats
Source: Mandiant M-Trends Report
100%: Valid credentials were used
40: Average # of systems accessed
205: Median # of days before detection
67%: Of victims were notified by external entity
4. Traditional approaches are not good enough
• Prevention of breaches will fail!
• Invest more in detection
• Gather all data in one place
• Enrich data with context
• Make it easy to search in the data
• Make it easy to do advanced analytics
5. SPLUNK FOR SECURITY
“Connects People and Data with Context and Extended Intelligence”
6. Security Intelligence Platform
Capabilities: Monitoring, Correlations, Alerts; Ad Hoc Search & Investigate; Custom Dashboards and Reports; Analytics and Visualization; Developer Platform. All SOC needs & personnel.
Real-time machine data: Cloud Apps, Servers, Email, Web, Network Flows, DHCP/DNS, Custom Apps, Badges, Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication, Storage, Industrial Control, Mobile
External lookups / enrichment: Threat Feeds, Asset Info, Employee Info, Data Stores, Applications
7. Enables Many Security Use Cases
Security Intelligence Platform use cases: SECURITY & COMPLIANCE REPORTING; REAL-TIME MONITORING OF KNOWN THREATS; DETECTING UNKNOWN THREATS; INCIDENT INVESTIGATIONS & FORENSICS; FRAUD DETECTION; INSIDER THREAT
8. Is there a real danger?
Adding Value to existing Data
10. Context = Knowledge around the Data
• Is this a bad known ip/domain/e-mail?
• Should user access the SQL server?
• Should server communicate X?
• Importance of assets and identities
• Make data easier to understand
11. Data from Anti-Virus/Anti-Malware
• No need to act if removed
• But what if:
  – The hosts are re-infected?
  – Multiple hosts are infected in a short time
  – The CEO/CFO/CISO computer is infected?
  – Hosts are the web shop/e-bank/important system
  – Other sources alert within a short timeframe
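The "but what if" rules from this slide, combined with the asset-importance context from the previous one, as an added example (not code from the presentation): constructed anti-virus log lines are enriched with a hypothetical asset lookup, and an event is escalated only when a rule fires (high-value host, re-infection inside the window, several hosts in a short time, or malware that was detected but not removed).

```python
from datetime import datetime, timedelta

# Constructed asset lookup (hypothetical hosts): the "importance of assets" context
# that turns a routine AV event into one worth a human's time.
ASSETS = {
    "ws-ceo-01": "high", "web-shop-01": "high",
    "ws-sales-07": "low", "ws-sales-08": "low", "ws-sales-09": "low",
}
# Constructed anti-virus log lines: "<timestamp> <host> <signature> <action>".
AV_LOG = """\
2015-10-15T09:00:01 ws-sales-07 Trojan.Generic quarantined
2015-10-15T09:05:12 ws-sales-07 Trojan.Generic quarantined
2015-10-15T09:45:00 ws-ceo-01 Trojan.Downloader quarantined
2015-10-15T11:00:00 ws-sales-08 Worm.Conficker quarantined
2015-10-15T11:10:00 ws-sales-09 Worm.Conficker quarantined
2015-10-15T11:20:00 web-shop-01 Worm.Conficker quarantined
2015-10-15T15:00:00 ws-sales-08 Adware.Toolbar quarantined
2015-10-15T16:00:00 ws-sales-09 Trojan.Generic detected
"""
REMOVED = {"quarantined", "removed", "deleted"}

def parse(line):
    ts, host, signature, action = line.split()
    return datetime.fromisoformat(ts), host, signature, action

def escalate(log=AV_LOG, assets=ASSETS, window=timedelta(hours=1), burst=3):
    """Apply the slide's 'but what if' rules to AV events in time order.
    Returns [(time, host, reasons)] only for events that still need a human."""
    events = sorted(parse(l) for l in log.splitlines() if l.strip())
    last_seen = {}   # host -> time of its previous infection
    recent = []      # (time, host) of infections still inside the window
    findings = []
    for t, host, _sig, action in events:
        recent = [(rt, rh) for rt, rh in recent if t - rt <= window] + [(t, host)]
        reasons = []
        if assets.get(host) == "high":
            reasons.append("high-value asset")   # CEO/CFO box, web shop, e-bank
        if host in last_seen and t - last_seen[host] <= window:
            reasons.append("re-infection")       # cleaned once, infected again
        if len({rh for _, rh in recent}) >= burst:
            reasons.append("outbreak")           # multiple hosts in a short time
        if action not in REMOVED:
            reasons.append("not remediated")     # "no action" only holds if removed
        last_seen[host] = t
        if reasons:
            findings.append((t, host, reasons))
    return findings
```

Routine events on low-value hosts (the 15:00 line) produce no finding, which is the "no need to act if removed" case; everything else surfaces with the reason the analyst needs.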
16. How to find new Threats?
Data layers (bottom to top): Threat intelligence; Auth - User Roles, Corp Context; Host Activity/Security; Network Activity/Security
Diagram labels, as they appear on the slide: WEB, MAIL, .pdf, Svchost.exe, Calc.exe, C2 communication to blacklist, Web Portal, Transaction, Conduct Business, Create additional environment, Gain Access to system
Questions asked at each step: Events that contain link to file; Proxy log; How was process started? What created the program/process? Process making C2 traffic
17. Start Anywhere, Analyze Up-Down-Across-Backwards-Forward
Kill-chain phases across the top: Delivery, Exploitation & Installation, Command & Control, Accomplish Mission (data source labels on the diagram: MAIL, WEB, WEB, FW; examples: phishing, download from infected site; pivot steps numbered 1 to 8)
Threat intelligence: Third-Party Threat Intel; Open source blacklist; Internal threat intelligence
Network Activity/Security: Firewall; IDS / IPS; Vulnerability scanners; Web Proxy; NetFlow; Network
Host Activity/Security: Endpoint (AV/IPS/FW); Malware detection; PCLM; DHCP; OS logs; Patching
Auth - User Roles, Corp Context: Active Directory; LDAP; CMDB; Operating System; Database; VPN, AAA, SSO
Identity context: Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc.
18. New Features in Enterprise Security 4.0
Optimize multi-step analyses to improve breach detection and response (INVESTIGATION / COLLABORATION):
• Investigator Journal
• Attack & Investigation Timeline
Extensible Analytics & Collaboration:
• Open Solutions Framework
• Framework App: PCI
19. Attack & Investigation Timeline
Same events can have different security meanings, based on sequence:
(diagram: Analyst / Investigator tracks actions 1, 2, 3; Event 1 … 13:01:21; Event 2 … 13:42:17; Action 3; Note "Windows event")
What happened? If event 1, then event 2, then… Ah-ha, that's how they got in. Now what infected the host?
Sequences shown: Brute Force = Exfiltration; Login Failure, Proxy Event, Brute Force = Recon, Lateral Movement; Login Failure, Login Failure, Brute Force = Forgotten Password
20. Attack & Investigation Timeline
Methods to add contents into timeline:
Action History (Actions): Search Run; Dashboard Viewed; Panel Filtered; Notable Status Change; Notable Event Suppressed
Investigator Memo (Notes): Investigator's notes inserted in timeline
Incident Review (Incident): Notable events from Incident Review
(diagram: Analyst / Investigator, Track Actions 1, 2, 3)
21. Attack & Investigation Timeline
Allows collaboration between multiple analysts
(diagram: Tier 1, Tier 2 Analyst, Tier 2 Analyst collaborate on one timeline; entries: UI Action History: Search; UI Action History: Viewed Dashboard; Edit Entry: Analyst's Memo; Collaborator entry)
One Holistic view from Collective Knowledge
24. Extensible Analytics & Collaboration
Open Solutions Framework
• Create, access and extend ES functionality
  – Notable event framework
  – Risk framework
  – Threat intelligence framework
  – Identity & asset framework
• Apps and content can be imported and exported at any time
28. MAPPING RATs TO ACTIONABLE KILL-CHAIN
(diagram: anomalies mapped to threats)
29. CYBER ATTACK
Date | USER ACTIVITIES | RISK/THREAT DETECTION AREAS
Nov 15 | Mark and Fred access a malicious website. A backdoor gets installed on their computers. | Malicious Domain (AGD); Unusual Browser Header
Nov 16 | The attacker uses Mark and Fred's backdoors to download and execute WCE to crack their password. | Unusual Browser Header for Mark and Fred
Nov 16 | Mark and Fred's machines are communicating with www.byeigs.ddns.info | Beacons for Mark and Fred to www.byeigs.ddns.com
Dec 10 | The attacker logs on to Domain Controller via VPN with Mark's stolen credentials from 1.0.63.14 | Unusual Machine Access for Mark (lateral movement; individual + peer group)
Dec 10 | The attacker logs in as Fred and accesses all excel and negotiations docs on the BizDev shares | Unusual Machine Access for Fred; Unusual File Access for Fred (individual + peer group)
Dec 10 | The attacker steals the admin Kerberos ticket from admin account and escalates the privileges for Fred. | Unusual Activity Sequence of Admin for Fred (AD/DC Privilege Escalation)
Jan 14 | The attacker VPNs as Mark, copies the docs to an external staging IP and then logs out after 3 hours. | Excessive Data Transmission for Mark; Unusual VPN session duration
30. Splunk User Behavior Analytics (formerly Caspida)
Advanced Security Analytics: UBA Data Science & Decision Engine, Automated Threat Detection
Inputs: AD, SSO; App, DB logs; Firewall, IPS, DLP; Netflow, PCAP; Threat Feeds
UBA threat results fed into Splunk ES (Security Analytics & Event Repository)
33. UBA vs ES 4.0
Enterprise Security:
• Keep all data
• Will require tuning
• Easy to create new searches, dashboards, correlations etc.
• Will require analytic resources to map events to threats
• Possible to further investigate
UBA:
• Only keep data around anomaly
• Automatically baseline
• Not possible to customize in the same way as Enterprise Security
• Will map anomalies to threats
• Limited possibility to do further investigation
34. Key takeaways
• Prevention of breaches will fail!
• Invest more in detection
• Splunk can help
  – Faster
  – Easier
  – More
  – Less labor