Presented at SplunkLive! Zurich 2018

1. Intro to Security Analytics Methods
Samuel Vogel | Senior Sales Engineer | CISSP
8. May 2018

2. During the course of this presentation, we may make forward-looking statements regarding future events or
the expected performance of the company. We caution you that such statements reflect our current
expectations and estimates based on factors currently known to us and that actual events or results could
differ materially. For important factors that may cause actual results to differ from those contained in our
forward-looking statements, please review our filings with the SEC.
The forward-looking statements made in this presentation are being made as of the time and date of its live
presentation. If reviewed after its live presentation, this presentation may not contain current or accurate
information. We do not assume any obligation to update any forward looking statements we may make. In
addition, any information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated into any contract
or other commitment. Splunk undertakes no obligation either to develop the features or functionality
described or to include any such feature or functionality in a future release.
Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in
the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. ©2018 Splunk Inc. All rights reserved.
Forward-Looking Statements

3. Personal Introduction
3

4. ▶ A showcase of what’s possible in Splunk
▶ Just uses Splunk Enterprise
Why Are We Talking About an App?
IT’S
QUICK
IT’S
EASY
IT’S
FREE

5. ▶ Maybe a user of Splunk
Security Essentials?
▶ All Levels of Splunk
Experience
▶ Probably like
Security
Who Are You?
Technical Business
New to Splunk
Years of Splunk
YOU

6. ▶ Ability to detect things better
• Not focused on investigation–there’s ransomware nearby!
▶ Learn about free apps with powerful out of the box capabilities
▶ Only one marketing slide!
What Will You Get?

7. © 2018 SPLUNK INC.
1. Splunk Security Essentials Overview
2. SSE Demo
3. End-to-End Scenario
4. Wrap Up
Agenda
7

8. Splunk Security
Essentials Overview

9. The Splunk Portfolio
Rich Ecosystem of
Apps & Add-Ons
Splunk Premium
Solutions
Mainframe
Data
Relational
Databases
MobileForwarders
Syslog/
TCP
IoT
Devices
Network
Wire Data
Hadoop
Platform for Operational Intelligence

10. ▶ Identify bad guys:
• 50+ use cases common in Security Analytics
products, free on Splunk Enterprise
• Target external and insider threats
• Scales from small to massive companies
• Save from app, send hits to ES/UBA
Splunk Security Essentials
https://splunkbase.splunk.com/app/3435/
Solve use cases you can today for free, then
use Splunk UBA for advanced ML detection.

11. What Can I Detect With Splunk Enterprise?
Malicious
Insiders
Advanced
External
Attackers
Commodity
Malware

12. • Access
• Data
• Endpoint
• Network
• Threat
• Any Host Logs
• Electronic Medical
Record System
• Email Logs
• Firewall
• Netflow
• Print Server Logs
• Very Low
• Low
• Medium
• High
• Very High
Splunk Security Essentials App Inventory
“Say, aren’t those all recommended data sources
for Splunk Security in general?”
DOMAINS DATA SOURCES ALERT VOLUME
• Salesforce Event
Log File
• Source Code
Repository Logs
• Splunk Notable
Events

13. First Time Seen
powered by stats
Time Series Analysis
with Standard Deviation
General Security
Analytics Searches
Splunk Security Essentials
Types of Use Cases

14. Where Can I Install Splunk Security Essentials?
Survey Results: Have You Tried to Install the App?
Tried and Failed
Installed in Dev
Installed in Production
Installed in Distributed Environment
Installed in a SHC Environment
Your
Laptop!
Your
Production
Environtment!
All Kinds of
Production
Environtments!
Your Dev
Environment!

15. ▶ Download from apps.splunk.com
▶ Browse use cases that match
your needs
▶ Data Source Check shows other use
cases for your existing data
▶ Evaluate free tools to meet gaps,
such as Microsoft Sysmon
• (links inside the app)
Getting Started with Splunk Security Essentials

16. SSE Demo
(What will be covered live)

17. Open the Splunk Security Essentials App
First Open Splunk
Security Essentials
Then Open
Use Cases

18. ▶ Read through a few of the use cases
▶ Filter for use cases you care about
Take a Minute to Review Use Cases

19. Let’s Start With a Simple Example
Click on
“Concentration
of Hacker Tools
by Filename”

20. ▶ A search you might not think of,
but is easy to use
▶ Input: CSV file with suspicious
filenames
▶ Input: Process launch logs
(Windows, Sysmon, Carbon
Black, etc.)
▶ Looks for those file names
concentrated in a short
period of time
Concentration of Hacker Tools by Filename

21. Applying to Live Data
Click Live Data
See a Live Search

22. ▶ Phishing is a big risk
▶ Many approaches to
mitigating with Splunk
An Advanced Splunk Search
From Use Cases,
Filter to Email Logs
Click on ‘Emails with
Lookalike Domains’

23. ▶ A very long search you don’t
have to run
▶ Detects typos, like
company.com → campany.com
▶ Supports subdomains for typo
detection
▶ Detects suspicious subdomains,
like company.com →
company.yourithelpdesk.com
A Phishing Search Larger Than Your Pond

24. ▶ DNS exfil detection – tricks of the trade
▶ parse URLs & complicated TLDs
(Top Level Domain)
▶ calculate Shannon Entropy
▶ List of provided lookups
• ut_parse_simple(url)
• ut_parse(url, list) or ut_parse_extended(url, list)
• ut_shannon(word)
• ut_countset(word, set)
• ut_suites(word, sets)
• ut_meaning(word)
• ut_bayesian(word)
• ut_levenshtein(word1, word2)
URL Toolbox
https://splunkbase.splunk.com/app/2734/

25. ▶ Splunk can also build
baselines easily
▶ Let’s look at a Time
Series Spike
▶ This detects anomalies via
Standard Deviation
What About Baselines
From Use Cases,
Filter to Print Server Logs
Then, Increase in Pages Printed

26. ▶ A measure of the variance for a series of numbers
What is Standard Deviation?
26
User Day One Day Two Day Three Day Four Avg Stdev
Jane 100 123 79 145 111.75 28.53
Jack 100 342 3 2 111.75 160.23
User Day Five # StDev Away from Average
… aka How Unusual?
Jane 500 12.6
Jack 500 2.42
SUPER Anomalous!

27. ▶ Our search looks for printer logs
▶ Sums per day, per user
▶ Note the tooltips everywhere!
▶ Our search looks for
printer logs
▶ Sums per day,
per user
▶ Note the tooltips
everywhere!
Increase in Pages Printed
Click “Detect Spikes” to find outliers

28. ▶ Just click Show SPL to see how
the search works
▶ Learn this once… it applies to
all time series spikes!
(Or just use the app)
Want to Learn That SPL for Yourself?

29. ▶ Want to use that search?
▶ Just click Schedule Alert
▶ Searches will auto send to ES
Risk or UBA if you have either
▶ Or just email to yourself
Want to Schedule That Search?

30. ▶ We can use baseline to find
new combinations too
▶ This can help with any noisy
search you have today
What Else Do You Have For Me?
From Use Cases, Filter to All Data Sources
Then, Authentication Against a
New Domain Controller

31. ▶ This search uses stats
earliest() and latest()
per User, DC
▶ If the earliest() is recent,
it’s anomalous
This works for any
combinations!
Authentication Against a New DC
Click “Detect New Values” for outliers

32. ▶ For those just starting out, it can be
hard to know what data you need
▶ Every use case comes with pre-req
checks to show if you have the data
▶ If you don’t, follow the links
One Last Thing: Pre-requisite Checks

33. ▶ Data Source Check tells you what’s possible
▶ Runs all pre-req checks
Or Check EVERYTHING

34. Demo Scenario

35. ▶ Actor:
Malicious Insider (because it’s hardest)
▶ Motivation:
Going to work for competitor
▶ Target:
Accounts, Opportunities, Contacts in Salesforce
▶ Additional Target:
Sales Proposals in Box
▶ Exfiltration:
Upload to a remote server
Apply Splunk to Real Life Scenario
Malicious Insider
Chris Geremy
Director of Finance
* Photo of Splunker, I promise she is not a malicious insider

36. ▶ No proxy
▶ No standard file servers
▶ No agents on laptop
▶ Cloud Services with their own APIs
How would you detect that?
Monitoring Challenges

37. ▶ Ingest Salesforce Event Log File
• https://splunkbase.splunk.com/app/1931/
▶ Ingest Box Data
• https://splunkbase.splunk.com/app/2679/
▶ Install Splunk Security Essentials
• https://splunkbase.splunk.com/app/3435/
▶ Schedule Salesforce use cases
▶ Build a custom Box use case
Set Up Monitoring
About 1 Hour of Work

38. Splunk Security Essentials Demo

39. Slow Response
from Basic Alerts
Fast Response from
Advanced Alerts
Managing Alert Volume vs Value
Use Low
Volume
Searches
Splunk ES
Risk
Framework
Splunk UBA
Threat
Models
UBA + ES
Adaptive
Response

40. Use Low
Volume
Searches
Splunk ES
Risk
Framework
Splunk UBA
Threat
Models
UBA + ES
Adaptive
Response
Managing Alert Volume vs Value
Everyone starts here, and spends most of their time here

41. ▶ Enterprise Security has a Risk Framework designed
for aggregating low severity indicators
Aggregate Alerting with ES Risk

42. ▶ Splunk UBA Threat Models leverage
Data Science, Machine Learning
▶ Finds important, inter-related
anomalies that analysts should
actually view
▶ Support more advanced
anomaly detections!
Apply Machine Learning With Splunk UBA

43. ▶ High Confidence alerts from UBA fed into ES
▶ Take actions like
• Box: “Change Permissions”
• AD: “Reset Password” or “Disable Account”
• PAN: Isolate Host
▶ 27 partners!
Respond With ES Adaptive Response

44. ES + UBA + SSE Demo

45. ▶ Do you want to build your own
detections like this?
▶ What if your environment is
totally custom?
▶ No product has ever worked
out of the box, and that’s why
you like Splunk, right?
We’ve got you.
But My Company Is So Custom
Click Assistants, then “Detect Spikes”

46. © 2018 SPLUNK INC.
Use Case
 Our Malicious Insider, Jane Smith, also
downloaded some proposals from Box
 Finding Box downloads spikes is easy,
but we want focus on the Proposal Folder
 We will use the Detect Spikes assistant
to help us
Use Case

47. ▶ | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS”
| bucket _time span=1d | stats count by user _time
▶ Looking for “count” by “user” with “6” standard deviations

48. ▶ | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS”
| bucket _time span=1d | stats count by user _time
▶ Looking for “count” by “user” with “6” standard deviations
Got Her!

49. Wrap Up

50. © 2018 SPLUNK INC.
1. Splunk Security Essentials shows you
new detection use cases
2. Ultimately it just uses Splunk Enterprise –
power of the platform!
3. You can build your own use cases easily!
4. As you advance, look to ES or UBA to
improve threat detection
What Did We
Cover?

51. Technical Components for Successful Security Analytics
Alert Aggregation
AlertCreation
Investigation Investigative
Platform
• Analyst flexibility
• Provide access to data analysis solutions
• Record historical context for everything
Simpler
Detection
• Rules and statistics
• Quick development
• Easy for analysts
ML Based
Detection
• Detect unknown
• New vectors
• Heavy data science
Threat
Detection
• Manage high volume
• Track entity relationships
• Combination ML + Rules

52. Splunk Security Portfolio
Splunk Enterprise
Detection
Human-driven
• Log Aggregation
• Splunk Security Essentials
• Rules, statistics, correlation
Realm of
Known
Enterprise Security
Response
• OOB key security metrics
• Incident response workflow
• Adaptive response
Splunk UBA
Detection
ML-driven
• Risky behavior detection
• Entity profiling, scoring
• Kill chain, graph analysis
Realm of
Unknown

53. ▶ Download from apps.splunk.com
▶ Find use cases that match your needs
▶ Data Source Check shows other use
cases for your existing data
▶ Evaluate free tools to meet gaps,
such as Microsoft Sysmon
• (links inside the app)
Go Get Started With Splunk Security Essentials!

54. © 2018 SPLUNK INC.
1. Watch the earlier Ninjutsus when you get
home: dvsplunk.com or conf.splunk.com
2. Grab the PDF Version of this deck and
dig in deeper
Hey, you’re on the PDF version. Look at
you, ahead of the game! You should go
watch the video though –
conf.splunk.com 5-6 weeks after conf.
3. Grab the app(s) and explore examples
Key
Takeaways

55. © 2018 SPLUNK INC.
Don't forget to rate this session in the
SplunkLive! mobile app
Thank You
I get to come back if
you give me good
ratings. Rate high,
early, and often!