The Ever-Changing Threat Landscape

67%: victims notified by an external entity
100%: valid credentials were used
229: median number of days before detection

Source: Mandiant M-Trends Report 2012/2013/2014
New approach to security operation is needed

THREAT: Attack Approach
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques

Security Approach (People, Process, Technology)
• Fusion of people, process, & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & Threat Intel
New approach to security operation is needed (continued)

The threat's attack approach (human directed, goal-oriented, dynamic, coordinated, multiple tools & activities, new evasion techniques) is answered by an Analytics-driven Security approach built on People, Process, and Technology.
Security & Compliance

Top Goals
• Continuously protect the business against:
  - Data breaches
  - Malware
  - Fraud
  - IP theft
• Comply with audit requirements
• Provide enterprise visibility

Top Splunk Benefits
• 70% to 90% improvement in detection and research of events
• 70% to 95% reduction in security incident investigation time
• 10% to 30% reduction in risks associated with data breaches, fraud and IP theft
• 70% to 90% reduction in compliance labor
All Data is Security Relevant = Big Data

Traditional security sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication

Additional sources that carry security context: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB
Solution: Splunk, The Engine For Machine Data

Machine data sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID

Capabilities on real-time machine data: Developer Platform, Report and analyze, Custom dashboards, Monitor and alert, Ad hoc search
Connecting the “data-dots” via multiple/dynamic relationships

• References: coded fields, mappings, aliases
• Dynamic information: stored in non-traditional formats
• Environmental context: human-maintained files, documents
• System/application: available only via an application request
• Intelligence/analytics: indicators, anomalies, research, whitelists/blacklists
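The five data categories above only pay off once they are joined back onto the raw events. The following is an added example in Python, not code from the slides or from Splunk, of that join: a constructed key=value authentication log is decoded with a reference table (coded action values), enriched from a hand-maintained asset CSV and an identity dictionary, and checked against indicator and allow lists. Every table, field name and address is constructed for illustration; the indicator and allow-list ranges are RFC 5737 documentation addresses, not real C2 infrastructure.

```python
"""Enrich raw auth events by joining reference, context and intel data.

Added example, not Splunk's code and not from the slides.  All lookup tables,
field names and addresses below are constructed for illustration.
"""
import csv
import io
import ipaddress
from datetime import datetime, timezone

# References: coded fields.  A device emits numeric action codes; a reference
# table decodes them (constructed sample).
ACTION_CODES = {"0": "failure", "1": "success"}

# Environmental context: a human-maintained asset list in CSV (constructed).
ASSET_CSV = """ip,hostname,zone,pci,owner
10.1.20.5,pci-db-01,pci,true,payments
10.2.30.7,bizdev-fs-01,corp,false,bizdev
"""

# Dynamic information: identity data kept outside the log pipeline (constructed).
IDENTITIES = {
    "john": {"roles": ["user"], "dept": "bizdev", "privileged": False},
    "admin": {"roles": ["domain-admin"], "dept": "it", "privileged": True},
}

# Intelligence/analytics: blacklist and whitelist (constructed; RFC 5737 ranges).
THREAT_NETS = [ipaddress.ip_network("203.0.113.0/24")]
ALLOWLIST = {"198.51.100.10"}


def load_assets(csv_text):
    """Parse the human-maintained asset file into an IP-keyed dict."""
    return {row["ip"]: row for row in csv.DictReader(io.StringIO(csv_text))}


def intel_verdict(ip):
    """Whitelist wins over blacklist; otherwise match against the threat nets."""
    if ip in ALLOWLIST:
        return "allowlisted"
    addr = ipaddress.ip_address(ip)
    return "threat" if any(addr in net for net in THREAT_NETS) else "unknown"


def parse_event(line):
    """Parse one constructed key=value auth log line and decode coded fields."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["action"] = ACTION_CODES.get(fields["action"], fields["action"])
    fields["_time"] = datetime.fromtimestamp(int(fields["ts"]), tz=timezone.utc)
    return fields


def enrich(event, assets):
    """Connect the data dots: event -> asset -> identity -> threat intel."""
    asset = assets.get(event["dest"], {})
    ident = IDENTITIES.get(event["user"], {})
    out = dict(event)
    out["dest_zone"] = asset.get("zone", "unknown")
    out["dest_pci"] = asset.get("pci") == "true"
    out["user_privileged"] = ident.get("privileged", False)
    out["user_dept"] = ident.get("dept", "unknown")
    out["src_intel"] = intel_verdict(event["src_ip"])
    # A non-privileged user succeeding on a PCI host from a threat-listed source
    # is a combination no single source could have flagged on its own.
    out["notable"] = (
        out["dest_pci"] and not out["user_privileged"]
        and out["action"] == "success" and out["src_intel"] == "threat"
    )
    return out


SAMPLE_LOG = [  # constructed sample lines
    "ts=1441983600 user=john src_ip=203.0.113.14 dest=10.1.20.5 action=1",
    "ts=1441983660 user=admin src_ip=198.51.100.10 dest=10.1.20.5 action=1",
    "ts=1441983720 user=john src_ip=10.2.30.99 dest=10.2.30.7 action=0",
]


def run(lines=SAMPLE_LOG):
    """Enrich every sample line; returns the list of enriched events."""
    assets = load_assets(ASSET_CSV)
    return [enrich(parse_event(line), assets) for line in lines]


if __name__ == "__main__":
    for ev in run():
        print(ev["_time"].isoformat(), ev["user"], ev["dest_zone"],
              ev["src_intel"], "NOTABLE" if ev["notable"] else "")
```

The enrichment happens at search or ingest time rather than by rewriting the sources: the asset CSV and identity data stay where their owners maintain them, and the whitelist is consulted before the blacklist so a known scanner or partner address cannot produce a false notable.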
Kill-chain view of the same data

Kill chain: Delivery, exploit, installation → Gain trusted access → Upgrade (escalate) → Lateral movement → Data gathering → Exfiltration → Persist, repeat

Data source | What it tells you
Threat intelligence | Attacker, known relay/C2 sites, infected sites, file hashes, IOCs, attack/campaign intent and attribution
Auth - User Roles | Access level, privileged users, likelihood of infection, where they might be in the kill chain
Host Activity/Security | What process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
Network Activity/Security | Where they went, who talked to whom, attack transmitted, abnormal traffic, malware download
Security Intelligence Use Cases

• Security & Compliance Reporting
• Real-Time Monitoring of Known Threats
• Detecting Unknown Threats
• Incident Investigations & Forensics
• Fraud Detection
• Insider Threat

Complement, replace and go beyond traditional SIEMs
Splunk Enterprise Security

• Risk-Based Analytics
• Visualize and Discover Relationships
• Enrich Security Analysis with Threat Intelligence
The artist formerly known as the ‘app for’: Splunk Enterprise Security, 5 releases in 21 months

Release timeline (quarter labels on the slide: Q3 2014, Q4 2014, Q2 2015, Q4 2015):
• ES 3.0
• ES 3.1: Risk Framework; Guided Search; Unified Search Editor; Threatlist Scoring; Threatlist Audit
• ES 3.2: Protocol Intelligence (Stream capture); Semantic Search (Dynamic Thresholding)
• ES 3.3: Threat Intel framework; User Activity Monitoring; Content Sharing; Data Ingestion
• ES 4.0: Breach Analysis; Integration with Splunk UBA; Splunk Security Framework
Threat Detection: Key Workflows

SOC Analyst
§ Quickly spot threats within your network
§ Leverage the Threat Detection workflow to investigate insider threats and cyber attacks
§ Act on forensic details: deactivate accounts, unplug network devices, etc.

Kill-Chain Hunter (Security Analytics)
§ Investigate suspicious users, devices, and applications
§ Dig deeper into identified anomalies and threat indicators
§ Look for policy violations
Threat Example

Time | User activity | Risk/threat detection areas
3:00 PM | John logs in via VPN from 1.0.63.14 | Unusual geo for John (China); unusual activity time
3:05 PM | John elevates his privileges for the PCI network | Unusual activity sequence (AD/DC privilege escalation)
3:10 PM | John performs a remote desktop session on a system as Administrator in the PCI network zone | Unusual zone (Corp→PCI) traversal for John (lateral movement)
3:15 PM | John (Admin) performs an ssh as root to a new machine in the BizDev department | Unusual machine access (lateral movement; individual + peer group)
3:40 PM | John (Admin→root) accesses the folder with all the Excel and negotiation documents on the BizDev file shares | Unusual file access (individual + peer group)
6:00 PM | John (Admin→root) copies all the negotiation docs to another share in the corp zone | Excessive data transmission (individual + peer group); unusual zone combo (PCI→corp) for John
11:35 PM | John (Admin→root) uses a set of Twitter handles to chop and copy the data outside the enterprise | Multiple outgoing connections; unusual VPN session duration (11h)
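None of the detection areas in the example above is a signature match; each compares what John did against what John, and his peer group, normally do, and each adds to a risk score that is only raised as a notable once the accumulated score crosses a threshold (the risk-based analytics of Splunk Enterprise Security). The code below is an added example in Python, not Splunk UBA or Enterprise Security code: it replays a constructed event stream for John's day (plus one benign event for a peer, to show the individual-versus-peer-group weighting) through per-user and peer-group baselines, tags each finding with the kill-chain stage from the earlier slide, and rolls the points up into a per-user risk score. Users, hosts, zones, baselines, point values, thresholds and the stage assigned to each detection are all assumptions.

```python
"""Behavioral detection over the slide's 'John' session, added here as an
example; it is not Splunk UBA or Enterprise Security code.  Users, hosts,
zones, baselines, point values, thresholds and the kill-chain stage assigned
to each detection are all constructed assumptions for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

DAY = datetime(2015, 9, 11)  # arbitrary constructed date


def at(hhmm, days=0):
    """'15:05' -> datetime on the constructed day, with an optional day offset."""
    return DAY + timedelta(days=days, hours=int(hhmm[:2]), minutes=int(hhmm[3:]))


# Constructed baselines: what each user, and the user's peer group, normally does.
USER_BASE = {
    "john": dict(dept="bizdev", countries={"US"}, hours=range(8, 19),
                 zones={"corp"}, hosts={"bizdev-ws-07", "corp-mail"}, vpn_hours=4),
    "jane": dict(dept="bizdev", countries={"US"}, hours=range(8, 19),
                 zones={"corp"}, hosts={"bizdev-ws-03"}, vpn_hours=4),
}
PEER_BASE = {
    "bizdev": dict(hosts={"bizdev-ws-07", "bizdev-ws-03", "corp-mail", "bizdev-fs-01"},
                   files_per_day=[20, 35, 50],
                   daily_bytes=[2e7, 5e7, 3e7, 4e7, 6e7]),
}

# Constructed event stream: John's day from the slide plus one benign event for Jane.
EVENTS = [
    dict(t=at("15:00"), user="john", type="vpn_login", country="CN", src="1.0.63.14"),
    dict(t=at("15:05"), user="john", type="priv_escalation", to_zone="pci"),
    dict(t=at("15:10"), user="john", type="remote_session", as_user="Administrator",
         src_zone="corp", dest_zone="pci", dest="pci-app-01"),
    dict(t=at("15:15"), user="john", type="remote_session", as_user="root",
         src_zone="pci", dest_zone="corp", dest="bizdev-fs-09"),
    dict(t=at("15:40"), user="john", type="file_access", dest="bizdev-fs-09", files=850),
    dict(t=at("18:00"), user="john", type="copy", bytes=4e9),
    dict(t=at("23:35"), user="john", type="outbound", connections=60, bytes=3.9e9),
    dict(t=at("02:00", days=1), user="john", type="vpn_logout"),
    dict(t=at("10:00"), user="jane", type="remote_session", as_user="jane",
         src_zone="corp", dest_zone="corp", dest="bizdev-fs-01"),
]


def excessive(value, samples):
    """Peer-group baseline: flag a value beyond mean + 3 standard deviations."""
    return value > mean(samples) + 3 * pstdev(samples)


def detect(events=EVENTS):
    """Replay events in time order; return (time, user, detection, stage, points)."""
    findings, escalated, login = [], {}, {}
    for e in sorted(events, key=lambda x: x["t"]):
        u, t = e["user"], e["t"]
        ub, pb = USER_BASE[u], PEER_BASE[USER_BASE[u]["dept"]]

        def add(name, stage, pts):
            findings.append((t, u, name, stage, pts))

        if e["type"] != "vpn_logout" and t.hour not in ub["hours"]:
            add("Unusual Activity Time", "Gain trusted access", 10)
        if e["type"] == "vpn_login":
            login[u] = t
            if e["country"] not in ub["countries"]:
                add(f"Unusual Geo ({e['country']})", "Gain trusted access", 20)
        elif e["type"] == "priv_escalation":
            escalated[u] = t  # remembered for the sequence check below
        elif e["type"] == "remote_session":
            if not {e["src_zone"], e["dest_zone"]} <= ub["zones"]:
                add(f"Unusual Zone traversal ({e['src_zone']}->{e['dest_zone']})",
                    "Lateral movement", 25)
            if e["dest"] not in ub["hosts"]:
                # Individual + peer group: a host nobody in the department uses weighs more.
                if e["dest"] in pb["hosts"]:
                    add("Unusual Machine Access (individual)", "Lateral movement", 10)
                else:
                    add("Unusual Machine Access (individual + peer group)",
                        "Lateral movement", 30)
            if (u in escalated and t - escalated[u] <= timedelta(minutes=15)
                    and e["as_user"] in {"Administrator", "root"}):
                escalated.pop(u)  # fire once per escalation
                add("Unusual Activity Sequence (AD/DC privilege escalation)",
                    "Upgrade (escalate)", 30)
        elif e["type"] == "file_access" and excessive(e["files"], pb["files_per_day"]):
            add("Unusual File Access (individual + peer group)", "Data Gathering", 25)
        elif e["type"] in {"copy", "outbound"}:
            stage = "Exfiltration" if e["type"] == "outbound" else "Data Gathering"
            if excessive(e["bytes"], pb["daily_bytes"]):
                add("Excessive Data Transmission (individual + peer group)", stage, 30)
            if e.get("connections", 0) > 20:
                add("Multiple Outgoing Connections", "Exfiltration", 25)
        elif e["type"] == "vpn_logout" and u in login:
            hours = (t - login.pop(u)).total_seconds() / 3600
            if hours > ub["vpn_hours"]:
                add(f"Unusual VPN session duration ({hours:.0f}h)", "Persist, Repeat", 15)
    return findings


def risk_scores(findings, notable_at=100):
    """Risk-based analytics: sum points per user; list users over the threshold."""
    score = defaultdict(int)
    for _, user, _, _, pts in findings:
        score[user] += pts
    return dict(score), sorted(u for u, s in score.items() if s >= notable_at)


if __name__ == "__main__":
    found = detect()
    for t, u, name, stage, pts in found:
        print(f"{t:%H:%M} {u:<5} {pts:>3} {stage:<20} {name}")
    print(risk_scores(found))
```

Two design points carry over to a real deployment. Jane's access to a file server she has never used herself but her department uses daily scores 10 points and stays below the notable threshold, while John's hosts that nobody in BizDev touches score 30: the peer-group baseline is what keeps individual novelty from flooding the queue. The sequence check (an escalation followed within minutes by a remote session as Administrator or root) fires once per escalation and is cleared afterwards, so a single escalation does not generate a finding on every later session.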