4. Why Are We Talking About an App?
▶ A showcase of what’s possible in Splunk
▶ Just uses Splunk Enterprise
IT’S QUICK. IT’S EASY. IT’S FREE.
5. Who Are You?
▶ Maybe a user of Splunk Security Essentials?
▶ All Levels of Splunk Experience
▶ Probably like Security
(Diagram: where YOU sit on two axes, Technical vs. Business and New to Splunk vs. Years of Splunk)
6. What Will You Get?
▶ Ability to detect things better
• Not focused on investigation; there’s ransomware nearby!
▶ Learn about free apps with powerful out-of-the-box capabilities
▶ Only one marketing slide!
9. The Splunk Portfolio
(Diagram: data sources feeding the Platform for Operational Intelligence: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop. Layered on top: Splunk Premium Solutions and a Rich Ecosystem of Apps & Add-Ons.)
10. Splunk Security Essentials
https://splunkbase.splunk.com/app/3435/
▶ Identify bad guys:
• 50+ use cases common in Security Analytics products, free on Splunk Enterprise
• Target external and insider threats
• Scales from small to massive companies
• Save from app, send hits to ES/UBA
Solve the use cases you can today for free, then use Splunk UBA for advanced ML detection.
11. What Can I Detect With Splunk Enterprise?
▶ Malicious Insiders
▶ Advanced External Attackers
▶ Commodity Malware
12. Splunk Security Essentials App Inventory
DOMAINS: Access, Data, Endpoint, Network, Threat
DATA SOURCES: Any Host Logs, Electronic Medical Record System, Email Logs, Firewall, Netflow, Print Server Logs, Salesforce Event Log File, Source Code Repository Logs, Splunk Notable Events
ALERT VOLUME: Very Low, Low, Medium, High, Very High
“Say, aren’t those all recommended data sources for Splunk Security in general?”
13. Splunk Security Essentials: Types of Use Cases
▶ First Time Seen (powered by stats)
▶ Time Series Analysis with Standard Deviation
▶ General Security Analytics Searches
14. Where Can I Install Splunk Security Essentials?
Survey Results: Have You Tried to Install the App?
• Tried and Failed
• Installed in Dev
• Installed in Production
• Installed in Distributed Environment
• Installed in a SHC Environment
Your Laptop! Your Dev Environment! Your Production Environment! All Kinds of Production Environments!
15. Getting Started with Splunk Security Essentials
▶ Download from apps.splunk.com
▶ Browse use cases that match your needs
▶ Data Source Check shows other use cases for your existing data
▶ Evaluate free tools to meet gaps, such as Microsoft Sysmon
• (links inside the app)
17. Open the Splunk Security Essentials App
First open Splunk Security Essentials, then open Use Cases.
18. Take a Minute to Review Use Cases
▶ Read through a few of the use cases
▶ Filter for use cases you care about
19. Let’s Start With a Simple Example
Click on “Concentration of Hacker Tools by Filename”
20. Concentration of Hacker Tools by Filename
▶ A search you might not think of, but is easy to use
▶ Input: CSV file with suspicious filenames
▶ Input: Process launch logs (Windows, Sysmon, Carbon Black, etc.)
▶ Looks for those file names concentrated in a short period of time
22. An Advanced Splunk Search
▶ Phishing is a big risk
▶ Many approaches to mitigating it with Splunk
From Use Cases, filter to Email Logs, then click on ‘Emails with Lookalike Domains’
23. A Phishing Search Larger Than Your Pond
▶ A very long search you don’t have to run
▶ Detects typos, like company.com → campany.com
▶ Supports subdomains for typo detection
▶ Detects suspicious subdomains, like company.com → company.yourithelpdesk.com
24. URL Toolbox
https://splunkbase.splunk.com/app/2734/
▶ DNS exfil detection: tricks of the trade
▶ Parse URLs and complicated TLDs (Top Level Domains)
▶ Calculate Shannon entropy
▶ List of provided lookups:
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)
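The two ideas behind the lookalike-domain search and URL Toolbox (edit distance for typos, our name buried in someone else's subdomain, Shannon entropy for random-looking DNS labels) reimplemented in plain Python as an added example; this is not the app's SPL or URL Toolbox code, the sender domains are constructed, and the two-label split of a registered domain is a simplification (the real search leans on ut_parse for multi-part TLDs).

```python
import math
from collections import Counter

# Constructed sample data (not from the deck): our own domain plus sender
# domains as they might appear in email logs.
COMPANY_DOMAIN = "company.com"
SENDER_DOMAINS = ["company.com", "campany.com",
                  "company.yourithelpdesk.com", "partner.org"]

def levenshtein(a, b):
    """Edit distance, the measure behind URL Toolbox's ut_levenshtein."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def shannon_entropy(label):
    """Bits per character, as ut_shannon computes; random-looking DNS labels
    (typical of exfil and DGA names) score far higher than dictionary words."""
    n = len(label)
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def registered_domain(fqdn):
    """Naive split on the last two labels. This is an assumption of the example:
    the real search relies on ut_parse to handle multi-part TLDs such as co.uk."""
    return ".".join(fqdn.lower().split(".")[-2:])

def classify_sender(sender, company=COMPANY_DOMAIN, max_edits=2):
    """Label a sender domain the way the lookalike-domain use case reasons."""
    reg = registered_domain(sender)
    if reg == company:
        return "internal"
    # Typo-squat: registered domain within a couple of edits of our own.
    if levenshtein(reg, company) <= max_edits:
        return "typo-lookalike"
    # Our name used as a subdomain of somebody else's registered domain.
    our_name = company.split(".")[0]
    if our_name in sender.lower().split(".")[:-2]:
        return "subdomain-lookalike"
    return "other"

def scan(senders=SENDER_DOMAINS):
    """Classify every sender domain in the constructed sample."""
    return {s: classify_sender(s) for s in senders}
```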
25. What About Baselines?
▶ Splunk can also build baselines easily
▶ Let’s look at a Time Series Spike
▶ This detects anomalies via Standard Deviation
From Use Cases, filter to Print Server Logs, then Increase in Pages Printed
26. What is Standard Deviation?
▶ A measure of the variance for a series of numbers
User  Day One  Day Two  Day Three  Day Four  Avg     Stdev
Jane  100      123      79         145       111.75  28.53
Jack  100      342      3          2         111.75  160.23

User  Day Five  # StDev Away from Average (aka How Unusual?)
Jane  500       12.6
Jack  500       2.42
SUPER Anomalous!
27. Increase in Pages Printed
▶ Our search looks for printer logs
▶ Sums per day, per user
▶ Note the tooltips everywhere!
Click “Detect Spikes” to find outliers
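The spike logic of slides 26 and 27 (sum per day per user, then score the latest day in standard deviations from the earlier days) carried through in Python as an added example; it is not the app's SPL, the print events are constructed so that the daily totals reproduce the Jane/Jack table, and the same scoring is what the Box proposals search later in the deck applies with a threshold of 6.

```python
import statistics
from collections import defaultdict

# Constructed print-server events (user, day, pages). Daily totals are chosen
# to reproduce the deck's Jane/Jack table; the events themselves are made up.
EVENTS = [
    ("jane", 1, 60), ("jane", 1, 40), ("jane", 2, 123), ("jane", 3, 79),
    ("jane", 4, 145), ("jane", 5, 500),
    ("jack", 1, 100), ("jack", 2, 342), ("jack", 3, 3), ("jack", 4, 2),
    ("jack", 5, 500),
]

def pages_per_day(events):
    """Same shape as '| bucket _time span=1d | stats sum(pages) by user _time'."""
    totals = defaultdict(lambda: defaultdict(int))
    for user, day, pages in events:
        totals[user][day] += pages
    return {user: dict(days) for user, days in totals.items()}

def detect_spikes(events):
    """Score each user's latest day against the mean and stdev of earlier days.
    statistics.stdev is the sample (n-1) form, which is what Splunk's stdev()
    returns. Result: {user: (avg, stdev, latest, num_stdev)}."""
    scores = {}
    for user, per_day in pages_per_day(events).items():
        days = sorted(per_day)
        history = [per_day[d] for d in days[:-1]]
        if len(history) < 2:
            continue                 # a baseline needs at least two points
        avg, sd = statistics.mean(history), statistics.stdev(history)
        if sd == 0:
            continue                 # flat history: avoid dividing by zero
        latest = per_day[days[-1]]
        scores[user] = (avg, sd, latest, (latest - avg) / sd)
    return scores

def outliers(events, threshold=6.0):
    """Users whose latest day sits more than `threshold` stdevs above average."""
    return [u for u, (_, _, _, z) in detect_spikes(events).items() if z > threshold]
```

With the default threshold of 6 only Jane is flagged; lowering it to 2 also catches Jack, which is the noisy end the deck warns about.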
28. Want to Learn That SPL for Yourself?
▶ Just click Show SPL to see how the search works
▶ Learn this once… it applies to all time series spikes! (Or just use the app)
29. Want to Schedule That Search?
▶ Want to use that search?
▶ Just click Schedule Alert
▶ Searches will auto send to ES Risk or UBA if you have either
▶ Or just email to yourself
30. What Else Do You Have For Me?
▶ We can use baselines to find new combinations too
▶ This can help with any noisy search you have today
From Use Cases, filter to All Data Sources, then Authentication Against a New Domain Controller
31. Authentication Against a New DC
▶ This search uses stats earliest() and latest() per User, DC
▶ If the earliest() is recent, it’s anomalous
This works for any combinations!
Click “Detect New Values” for outliers
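The earliest()/latest() per-combination idea as an added Python example (not the app's SPL): the authentication events, host names and "now" are all constructed, and the check also enforces the caveat the slide implies, namely that the search must look back much further than the window it calls "recent", or every pair would look new.

```python
from datetime import datetime, timedelta

# Constructed authentication events (timestamp, user, domain controller) and a
# hypothetical "now"; none of this is data from the deck.
NOW = datetime(2024, 6, 10, 12, 0, 0)
EVENTS = [
    (NOW - timedelta(days=30), "alice", "dc01"),
    (NOW - timedelta(days=2), "alice", "dc01"),
    (NOW - timedelta(hours=3), "alice", "dc01"),
    (NOW - timedelta(days=45), "bob", "dc02"),
    (NOW - timedelta(hours=5), "bob", "dc02"),
    (NOW - timedelta(hours=1), "bob", "dc07"),   # first ever bob -> dc07
]

def earliest_latest(events):
    """Same shape as '| stats earliest(_time) latest(_time) count by user dc'."""
    table = {}
    for ts, user, dc in events:
        first, last, n = table.get((user, dc), (ts, ts, 0))
        table[(user, dc)] = (min(first, ts), max(last, ts), n + 1)
    return table

def detect_new_values(events, now=NOW, recent=timedelta(days=1),
                      lookback=timedelta(days=90)):
    """Flag (user, dc) pairs whose earliest sighting falls inside `recent`.
    The search has to cover a `lookback` far longer than `recent`: if it only
    looked at the last day, every pair would have a recent earliest() and
    everything would be reported as new."""
    if recent >= lookback:
        raise ValueError("recent window must be much shorter than lookback")
    window = [e for e in events if e[0] >= now - lookback]
    return sorted(
        (user, dc, first, n)
        for (user, dc), (first, last, n) in earliest_latest(window).items()
        if first >= now - recent
    )
```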
32. One Last Thing: Pre-requisite Checks
▶ For those just starting out, it can be hard to know what data you need
▶ Every use case comes with pre-req checks to show if you have the data
▶ If you don’t, follow the links
33. Or Check EVERYTHING
▶ Data Source Check tells you what’s possible
▶ Runs all pre-req checks
35. Apply Splunk to a Real Life Scenario: Malicious Insider
▶ Actor: Malicious Insider (because it’s hardest)
▶ Motivation: Going to work for a competitor
▶ Target: Accounts, Opportunities, Contacts in Salesforce
▶ Additional Target: Sales Proposals in Box
▶ Exfiltration: Upload to a remote server
Chris Geremy, Director of Finance
* Photo of a Splunker, I promise she is not a malicious insider
36. Monitoring Challenges
▶ No proxy
▶ No standard file servers
▶ No agents on laptops
▶ Cloud services with their own APIs
How would you detect that?
37. Set Up Monitoring: About 1 Hour of Work
▶ Ingest Salesforce Event Log File
• https://splunkbase.splunk.com/app/1931/
▶ Ingest Box Data
• https://splunkbase.splunk.com/app/2679/
▶ Install Splunk Security Essentials
• https://splunkbase.splunk.com/app/3435/
▶ Schedule Salesforce use cases
▶ Build a custom Box use case
39. Managing Alert Volume vs Value
(Diagram: a spectrum running from Slow Response from Basic Alerts to Fast Response from Advanced Alerts: Use Low Volume Searches → Splunk ES Risk Framework → Splunk UBA Threat Models → UBA + ES Adaptive Response)
41. Aggregate Alerting with ES Risk
▶ Enterprise Security has a Risk Framework designed for aggregating low severity indicators
42. Apply Machine Learning With Splunk UBA
▶ Splunk UBA Threat Models leverage data science and machine learning
▶ Finds important, inter-related anomalies that analysts should actually view
▶ Supports more advanced anomaly detections!
43. Respond With ES Adaptive Response
▶ High confidence alerts from UBA fed into ES
▶ Take actions like
• Box: “Change Permissions”
• AD: “Reset Password” or “Disable Account”
• PAN: Isolate Host
▶ 27 partners!
45. But My Company Is So Custom
▶ Do you want to build your own detections like this?
▶ What if your environment is totally custom?
▶ No product has ever worked out of the box, and that’s why you like Splunk, right?
We’ve got you.
Click Assistants, then “Detect Spikes”
47. ▶ | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS"
| bucket _time span=1d | stats count by user _time
▶ Looking for “count” by “user” with “6” standard deviations
48. Got Her!
51. Technical Components for Successful Security Analytics
▶ Alert Creation
• Simpler Detection: rules and statistics; quick development; easy for analysts
• ML Based Detection: detect unknown; new vectors; heavy data science
▶ Alert Aggregation
• Threat Detection: manage high volume; track entity relationships; combination ML + rules
▶ Investigation
• Investigative Platform: analyst flexibility; provide access to data analysis solutions; record historical context for everything
53. Go Get Started With Splunk Security Essentials!
▶ Download from apps.splunk.com
▶ Find use cases that match your needs
▶ Data Source Check shows other use cases for your existing data
▶ Evaluate free tools to meet gaps, such as Microsoft Sysmon
• (links inside the app)