2. Deloitte at a Large State HHS Agency
Top IT Initiatives
Security Monitoring
– Looking for SIEM replacement
– Technical security
Compliance
– Subject to multiple yearly audits
– CMS, IRS, PCI
Healthcare Program Integrity
– Internal & external monitoring
– Looking for high-risk behaviors and activities – indicators
2
3. IT Challenges
Incident investigation/Incident Response:
– Tough to correlate events across infrastructure
– Time consuming process
– Low visibility into what’s actually going on in environment
Data Correlation:
– Other departments with relevant security data were creating a bottleneck
– Stove piped applications – hard to integrate applications
Program Integrity Issue detection:
– Need to detect high risk behaviors and activities proactively
Remaining compliant:
– Compliance reporting automation
– Splunk & Archer Integration
3
4. Improved Agency Efficiency
With Splunk:
Ingesting security data
– Couple of hours
Reporting & dashboard set-up
– 1-2 days
Incident investigation
– Days
Compliance reports
– Minutes
Program Integrity set-up
– 1-2 months
4
Without Splunk:
Ingesting security data
– 3-5 days
Reporting & dashboard set-up
– 1-2 weeks
Incident investigation
– 2-4 weeks
Compliance reports
– Days
Program Integrity set-up
– 6 months
5. Program Integrity
Agency defined 6 priority use cases to detect program integrity violations
within individuals benefits programs
Ingesting application, endpoint, backend and mainframe data to detect high
risk behaviors and activities
Monitoring external program integrity issues:
Individuals doubling up on monthly benefits
Multiple families receiving benefits under one household
Monitoring internal program integrity issues:
Agency caseworkers approving inappropriate transactions
5
6. Use Case: Program Integrity analysis
6
Insert Screenshot – can be dashboard, report, etc. Can add
as many as needed to explain how you’re using Splunk Dashboard to
identify repeated
issuances of
benefits within a
timeframe
7. Use Case: Database Audit
7
Insert Screenshot – can be dashboard, report, etc. Can add
as many as needed to explain how you’re using Splunk Dashboard to
analyze audit
logs from
multiple Oracle
database servers
8. Use Case: Access Logs
8
Insert Screenshot – can be dashboard, report, etc. Can add
as many as needed to explain how you’re using Splunk
Dashboard
provides
overview of
authentication
and
authorization
actions by
applications
9. Why Splunk?
Cost savings:
– One solution for security investigation, compliance
reporting and program integrity issue detection
Increased visibility
Flexibility:
– Ability to integrate data sources without help of an
application development team
– 450 custom reports
Fast time to value:
– Only took 4-6 months to implement
9
“Our client is very
happy with the results.
It would be hard to
convince them to get
rid of Splunk – they are
very, very impressed. ”
12. Advanced Threats Are Hard to Find
“Another Day, Another Retailer in a Massive
Credit Card Breach”
– Bloomberg Businessweek, March 2014
“Edward Snowden Tells SXSW He'd Leak
Those Secrets Again”
– NPR, March 2014
“Banks Seek U.S. Help on Iran Cyber attacks”
– Wall Street Journal, Jan 2013
Cyber Criminals
Nation States
Insider Threats
12
Source: Mandiant M-Trends Report 2012/2013/2014
100%
Valid credentials were used
40
Average # of systems accessed
229
Median # of days before detection
67%
Of victims were notified by
external entity
13. Attackers & Threats Have Changed & Matured
13
• Goal-oriented
• Human directed
• Multiple tools, steps & activities
• New evasion techniques
• Coordinated
• Dynamic, adjust to changes
People
• Outsider (organized crime, competitor,
nation/state)
• Insiders (contractor, disgruntled employee)
Technology
• Malware, bots, backdoors, rootkits, zero-day
• Exploit kits, password dumper, etc.
Threat
Process
• Attack Lifecycle, multi-stage, remote controlled
• Threat marketplaces – buy and rent
14. Modern Security Program Needs More than Technology
14
People
• Outsider (organized crime, competitor,
nation/state)
• Insiders (contractor, disgruntled employee)
Technology
• Malware, bots, backdoors, rootkits, zero-day
• Exploit kits, password dumper, etc.
Threat
Technology
• Firewall, Anti-malware, AV, IPS, etc.
• Anti-spam, etc.
Solution
Process
• Attack Lifecycle, multi-stage, remote controlled
• Threat marketplaces – buy and rent
Human
Intuition and Observation
Coordination, Collaboration
and Counter Measures
15. New Approach to Security Operations is Needed
15
• Goal-oriented
• Human directed
• Multiple tools & activities
• New evasion techniques
• Coordinated
• Dynamic (adjust to changes)
Threat
• Analyze all data for relevance
• Contextual and behavioral
• Rapid learning and response
• Leverage IOC & Threat Intel
• Share info & collaborate
• Fusion of technology, people
& process
16. From Alert Based to Analytics Driven Security
16
Traditional Alert-based Approach
Time & Event based
Data reduction
Event correlation
Detect attacks
Needle in a haystack
Power Users, Specialist
Additional Analysis Approach
..and phase, location, more…
Data inclusion
Multiple/dynamic relationships
Detect attackers
Hay in a haystack
Everyone - Analytics-enabled Team
17. Splunk software complements, replaces and goes beyond traditional SIEMs.
Moving Past SIEM to Security Intelligence
Small Data. Big Data. Huge Data.
SECURITY &
COMPLIANCE
REPORTING
REAL-TIME
MONITORING OF
KNOWN THREATS
DETECTING
UNKNOWN
THREATS
INCIDENT
INVESTIGATIONS
& FORENSICS
FRAUD
DETECTION
INSIDER
THREAT
18. Machine Data Enables Security and Business Insights
18
Order ID
Customer’s Tweet
Time Waiting On Hold
Product ID
Company’s Twitter ID
Order ID
Customer ID
Twitter ID
Customer ID
Customer ID
Twitter
Care IVR
Middleware
Error
Order Processing
Sources
21. Insider Threat
21
The CERT Top 10 List for Winning the Battle Against Insider Threats
Dawn Cappelli, Software Engineering Institute, Carnegie Mellon University, 2012
Non-tech indicators
HR
HDFS
SAP
Time
Management
Asset DB
Dunn &
Bradstreet
Lexus
Nexus
Traditional Data
Threat
Intelligence
User &
Identity
Network &
malware
Host &
Application
22. Human expertise fused with the power of
correlation and visualization technology are
key to detecting the unknowns
22
23. Visual Investigations for All Users
Visually organize and fuse any
data to discern any context
Giving users the ability to find
relationships visually
23
24. Enhance Security Analysis with Threat Intelligence
Integrate high fidelity and
complex URL’s and domain
names into threat
intelligence
Aggregation, de-duplication
and prioritization of
multiple feeds
Assign weights to the
business value of the feeds
24
29. Leverage a Rich Eco System
29
Security Intelligence platform
200+
SECURITY APPS/ADD-ONS
SPLUNK FOR
ENTERPRISE SECURITY
Cisco
WSA, ESA,
ISE, SF
Palo Alto
Networks
FireEye DShield
DNS
OSSEC
VENDOR COMMUNITY
CUSTOM APPS
Symantec
ADDITIONAL
SPLUNK APPS
…
Threat
Stream
30. Analytics Driven Security –
Empowering People and Data
A security intelligence platform should enable
any Security Program to leverage Technology,
Human Expertise, and Business/IT Processes in
the most effective way to deliver on security
30
31. 31
Why Splunk?
Integrated, Holistic & Open
• Single product & data store
• All original machine data is
indexed and searchable
• Open platform with API, SDKs,
+500 Apps
Flexible & Empowering
• Schema on read
• Search delivers accurate, faster
investigations and detection
• Powerful visualizations and
analytics help identify outliers
Simplicity, Speed and Scale
• Fast deployment + ease-of-
use = rapid time-to-value
• Runs on commodity hardware,
virtualized and/or in the cloud
• Scales as your needs grow
All Your Data in One Place:
Increases Collaboration and Partnership, Eliminates Silos & Delivers Proven ROI
Glenn – can you please update your title and add anyone else presenting with you?
You can add as many screen shots as you like – this is where you’d discuss your specific use case(s)
The number of threats is increasing and also becoming more advanced. Today’s advanced threats are stealthy and sophisticated and evade detection from traditional, point security products that look for specific threat signatures. Above are 3 types of advanced threats. They are good at stealing confidential data, whether it be credit cards or IP, and many of their victims unfortunately end up in the headlines.
Cyber criminals include the credit card theft at Target and Neiman Marcus. Nation state attacks include Iran and China attacking governments and private sector companies to steal intellectual property and/or national secrets.
FYI these advanced threats are also commonly called APTs, or Advanced Persistent Threats.
APT are hard to detect because they are not signature-based and hide behind legitimate credentialed activity to evade detection from traditional, point security products. Every year companies like Mandiant produce reports that describe the trends identified based on the breach investigation work that they do as part of their consulting practices. There are a couple metrics that I found interesting reading their recent reports.
100% is often via stealing password hashes or using keyloggers. Often they steal admin-level credentials so they can access many other systems and not be detected.
The 40 implies that even if you see malware in one place, you need to look much further as there are likely multiple infected machines and backdoors
243 days shows how they can evade detection for months at a time. They move slow and low and do not set off alarms from point, signature-based security products like anti-malware solutions.
63% of victims were notified by an external entity. Notification usually starts with customer complaints like bank account drained or credit card maxed out. Often FBI informs them.
Concept is that NEW analysis is required – beyond simple event correlation – this is why SIEMs are not solving the problem – the requires have changed
Phase, location, etc. – speak to additional attributes are required to both understand and to defend against attacks
Data inclusion – core splunk message – don’t filter/tune out noise/false positive, look at all data, collect so it’s available when needed
Multiple/dynamic relationships – the event chain and bits of any attack are scattered, and cannot be detected using pre-defined correlation rules – example of multiple login failure with success and then access to internal resources – great for gaining an advantage, but then what happens when they download additional malware – how does static correlation rules help find the new malware, or how does it look for potential data that is accessed/stolen.
Detect attackers – main concept is there is an attacker directing the malware (once internal access is established via valid credentials, therefore the attacker must be deduced from activities associated with normal activities from those trusted credentials) - once the malware is delivered, the additional attack tools and activities will not be “attacks” anymore, then are activities of the attacker
Hay in a haystack – needle is a different object from hay – but now, since trusted credential are used, and often in normal, good traffic – the analysis is to look for particular attributes and characteristics of the hay to determine good/bad – this applies to concepts like insider threat is an insider with access (account privileges, etc.), and fraud uses good access (credit card, accounts, etc.) – the identifiable traits are their activities, characteristics, etc.
Make sure to stress we are a Security Intelligence Platform and we can meet their needs these use cases plus more. We are more than a SIEM in that we are much more flexible and also can be used for use cases outside of security. Do not go into detail on the 5 use cases because the next few slides detail each of them. And highlight that many customers already have a SIEM and are generally happy with it. But they do have some pain with current SIEM….maybe it struggles getting in non-security data, maybe it has limited search/reporting capabilities, etc. In these cases, Splunk can happily complement their SIEM. They perhaps use their existing SIEM for alerting, and they then log into Splunk to do the investigation, etc. But key point is that we can easily complement or replace a SIEM.
Key part of IT security is protecting confidential data. Which means detecting advanced threats, like cybercriminals or malicious insiders, before they can steal your data. To detect or investigate them, you need non-security and security data because advanced threats avoid detection from signature-based security products; the fingerprints of an advanced threat often are in the “non-security” data. Most traditional SIEMs just focus on gathering signature-based threats which do *not* have the fingerprints of advanced threats.
Also the above scenario is worse if there is no SIEM. Instead point UIs and grep are used and aggregating data is very manual and time consuming.
Insight for Insider threats comes both traditional data sources used for security AS WELL AS FROM non-traditional, often from HR, personnel and other “people-oriented” data.
1 solution for Splunk for Security, but 3 offerings. At bottom is Splunk Enterprise, our core product. Every Splunk deployment includes this as this is where the core indexing and searching resides. Many customers build their own searches/reports/dashboards on top of it.
On top of it, optional Apps can be installed. Apps are basically a collection of reports, dashboards, and searches purpose-built for a specific use case or product. Can be built by Splunk, customer, partners and all but a few are free on Splunkbase. Apps are great for customers who want out-of-the-box content and do want to have to build it themselves, and want to extend point solutions. One key App is the Splunk-built Enterprise Security app with the arrow pointing at it. It is basically an out-of-the-box SIEM with reports, dashboards, correlation rules, and workflow for security use cases. (It does have a cost though) Besides this app there are over 80 security-centric free Apps on Splunkbase. These are offering 3.
The majority of Splunk security customers do Splunk Enterprise and the free apps. Also customers do leverage the API and SDKs that come with Splunk to further extend the platform.
3:45pm – Bert: Moderate Q&A
REMEMBER: Check the presenter pod to ensure Deloitte has not asked you to skip any questions
NEXT:
3:55pm – Close session:
Thank our presenters
Hand it over to Alicia to close and mention Splunk’s upcoming events
3:55pm – Close session:
Thank our presenters
Hand it over to Alicia to close and mention Splunk’s upcoming events