
SplunkLive Brisbane Splunk for Operational Security Intelligence

You have spent a ton of money on your security infrastructure. But how do you string all those things together so you can achieve your goals of reducing time to response, detecting, preventing threats. And most importantly, having your security team serve your business and mission. Learn how to organize your security resources to get the best benefit. See a live demonstration of operationalizing those resources so your security teams can do more for your organization.


1. Copyright © 2015 Splunk Inc. Splunk for Operational Security Intelligence – sob@splunk.com
2. Disclaimer: During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
3. Agenda
   • An overview of the Splunk security universe
   • Using lookup files to enhance your security posture, a.k.a. threat intelligence
   • The Common Information Model
   • 6 Windows event IDs to tackle advanced attacks
   • "Best of" security-related Splunkbase apps
4. Advanced Threats Are Hard to Find (cyber criminals, nation states, insider threats). Source: Mandiant M-Trends Report 2012/2013/2014:
   • 100% – valid credentials were used
   • 40 – average number of systems accessed
   • 229 – median number of days before detection
   • 67% – of victims were notified by an external entity
5. New approach to security operations is needed
   • Threat / attack approach: human directed; goal-oriented; dynamic (adjusts to changes); coordinated; multiple tools & activities; new evasion techniques
   • Security approach (technology, people, process): fusion of people, process & technology; contextual and behavioral; rapid learning and response; share info & collaborate; analyze all data for relevance; leverage IOC & threat intel
6. All Data is Security Relevant = Big Data: servers, storage, desktops, email, web, transaction records, network flows, DHCP/DNS, hypervisor, custom apps, physical access badges, threat intelligence, mobile, CMDB, intrusion detection, firewall, data loss prevention, anti-malware, vulnerability scans, traditional authentication
7. The Splunk Platform for Security Intelligence: Splunk Enterprise (core), 200+ apps, Splunk for Security, Splunk-built apps … e.g. Stream data, Cisco Security Suite, Windows/AD/Exchange, Palo Alto Networks, FireEye, Bit9, DShield, DNS, OSSEC
8. Put it All Together – Security Maturity Level
   • Use cases, from proactive down to reactive: APT detection/hunting (kill chain method); counter threat automation; threat intelligence aggregation (internal & external); fraud detection (ATO, account abuse); insider threat detection; replace SIEM at lower TCO, increase maturity; augment SIEM to increase coverage & agility; compliance monitoring, reporting, auditing; log retention, storage, monitoring, auditing; continuous monitoring/evaluation; incident response and forensic investigation; event searching, reporting, monitoring & correlation; rapid learning loop, shorten discover/detect cycle; rapid insight from all data
   • Security operations roles/functions: fraud analyst; threat research/intelligence; malware research; cyber security/threat; security analyst; CSIRT; forensics; engineering; tier 1 analyst; tier 2 analyst; tier 3 analyst; audit/compliance
   • Maturity stages (reactive → proactive): search and investigate; proactive monitoring and alerting; security situational awareness; real-time risk insight
9. Example of Threat Activities – Zeus (attack diagram): the attacker hacks a website and steals .pdf files from the web portal; the attacker creates malware, embeds it in a .pdf and emails it to the target; the user reads the email and opens the attachment; the .pdf executes & unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe); the host opens an HTTP (web) session to the command & control server; the attacker gains access to the system, creates additional environment and conducts business: remote control, steal data, persist in the company, rent as botnet. Diagram lanes: threat intelligence; auth – user roles; host activity/security; network activity/security.
10. Use Splunk to Find Evidence: search historically (back in time); watch for new evidence; related evidence from other security devices
11. Advanced Threat Detection & Response (the same Zeus diagram, annotated with what each lane answers): mail – events that contain the link to the file; web – proxy log, C2 communication to a blacklisted address; host – how was the process started? what created the program/process? which process is making the C2 traffic?
12. Connect the "Data-Dots" to See the Whole Story (kill-chain diagram: Delivery → Exploitation & Installation → Command & Control → Accomplish Mission, entry via phishing mail or download from an infected site, steps 1–8 across the four lanes). Data needed per step: threat intelligence data; email data or web data; host or ETDR data; web or firewall data; threat intelligence data; identity data (identity, roles, privileges, location, behavior, risk, audit scope, classification, etc.)
13. Connect the "Data-Dots" to See the Whole Story – what each lane tells you and where it comes from (kill-chain stages: delivery; exploit/installation; gain trusted access; upgrade (escalate); lateral movement; persist, repeat; data gathering; exfiltration)
   • Threat intelligence: attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution. Sources: third-party threat intel; open source blacklist; internal threat intelligence
   • Network activity/security: where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download. Sources: firewall; IDS/IPS; vulnerability scanners; web proxy; NetFlow; network
   • Host activity/security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility. Sources: endpoint (AV/IPS/FW); malware detection; PCLM; DHCP; OS logs; patching
   • Auth – user roles, corp context: access level, privileged users, likelihood of infection, where they might be in the kill chain. Sources: Active Directory; LDAP; CMDB; operating system; database; VPN, AAA, SSO
14. Security Ecosystem for Coverage and Protection (diagram mapping the four lanes – threat intelligence, auth – user roles/corp context, host activity/security, network activity/security – onto Delivery, Exploitation & Installation, Command & Control, Accomplish Mission)
15. Threat Intelligence
16. The Challenge:
   • Industry says threat intel is key to APT protection
   • Management wants all threat intel checked against every system, constantly
   • Don't forget to keep your 15+ threat feeds updated
   The Solution:
17. Verizon 2015 DBIR: "…the percentage of indicators unique to only one (outbound destination) feed…is north of 97% for the feeds we have sampled…" Threat list aggregation = more complete intelligence
18. More about data models? So… you have a list (or hopefully many)?
19. What can you do with it?
   * | lookup threatlist srcip as clientip OUTPUT srcip as srcip threat_type as threat_type | stats count by clientip srcip threat_type | where clientip=srcip
20. Break it down by time?
21. Send me an alert!
22. Demo
23. Other options?
   • You could use SA-Splice from Splunkbase – deprecated
   • Use correlation searches to populate lookup files (outputlookup)
   • Leverage KV store lookups
   • Enterprise Security
24. Various community threat lists – local ones too – TAXII support
25. The Common Information Model
26. Data comes from…
27. Data Ingest + Common Information Model
   • You've got a bunch of systems…
   • How to bring in: network AV; Windows + OS X AV; PCI-zone Linux AV; network sandboxing; APT protection
   • CIM = data normalization
28. NORMALIZATION?!?
29. NORMALIZATION?!? Relax. CIM gets applied at SEARCH TIME.
30. A base Splunk search, done for you… …which returns a bunch of fields
31. Data Normalization is Mandatory for your SOC. "The organization consuming the data must develop and consistently use a standard format for log normalization." – Jeff Bollinger et al., Cisco CSIRT. Your fields don't match? Good luck creating investigative queries.
32. Free. Supported. Fully documented.
33. Lots of apps support CIM.
34. CIM Compliant!
35. Click "Data models" under Settings
36. Tstats and/or pivot – use them!
   • Pivot is an excellent interface to explore a dataset you don't know yet – or for a business user
   • Tstats can search distributed .tsidx files (accelerated DMs)
   • Use the search term FROM datamodel=<datamodelname>, for example:
     | tstats avg(foo) FROM datamodel=buttercup_games WHERE bar=valuex
   • You should expect dramatically faster search results using this method
37. Demo
38. Windows events
39. Security apps
40. • Easily the most underrated app on Splunkbase
   • Turn every host on your network into a network sniffer!
   • Rapidly respond to security events by capturing data at the source
   • Highly configurable to capture only data of interest
41. Demo
42. • Building block for URL manipulation
   • Correctly parse URLs and complicated TLDs
   • Explore entropy of data
   • Also great for DNS investigation
   • The domain aaaaa.com has a Shannon entropy score of 1.8 (very low)
   • The domain google.com has a Shannon entropy score of 2.6 (rather low)
   • A00wlkj—(-a.aslkn-C.a.2.sk.esasdfasf1111)- 890209uC.4.com has a Shannon entropy score of 3 (rather high)
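The entropy scores on this slide are the Shannon entropy, in bits per character, of the whole domain string. The Python below is an added example, not code from the slides or from the app they describe: it computes that score (truncated to one decimal it gives the slide's 1.8 and 2.6), adds a length-normalised variant because long strings with many distinct characters score high on their own, and flags constructed DNS query names above an assumed threshold.

```python
# Added example: Shannon entropy of domain strings, as quoted on the slide,
# plus a length-normalised score and a simple flagging pass over constructed
# query names. The threshold of 3.0 bits is an assumption; tune per environment.
import math
from collections import Counter

# Constructed DNS query names; the last one is deliberately high-entropy.
SAMPLE_QUERIES = ["google.com", "aaaaa.com", "mail.example", "q7zx-k9wm2b.example"]


def shannon_entropy(s: str) -> float:
    """Bits per character: -sum(p * log2 p) over the character frequencies of s."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def normalized_entropy(s: str) -> float:
    """Entropy divided by its maximum for this length, log2(len(s)), so the score
    lies in [0, 1] and a long string is not flagged merely for being long."""
    if len(s) < 2:
        return 0.0
    return shannon_entropy(s) / math.log2(len(s))


def flag_high_entropy(domains, threshold=3.0):
    """Return the names whose raw Shannon entropy is at or above threshold."""
    return [d for d in domains if shannon_entropy(d) >= threshold]


if __name__ == "__main__":
    for d in SAMPLE_QUERIES:
        print(f"{d:24} H={shannon_entropy(d):.2f} bits  H/Hmax={normalized_entropy(d):.2f}")
    print("flagged:", flag_high_entropy(SAMPLE_QUERIES))
```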
43. • Check your data against a multitude of virus definition DBs
   • Free
   • Subscription
   • 4 checks per hour
44. Please join the Splunk Slack channel!!! splunk-usergroups.slack.com #general #apac – sob@splunk.com
45. Thank you! sob@splunk.com