SplunkSummit 2015 - ES Hands On Workshop
1 like498 views
This document discusses an overview of Splunk's Enterprise Security (ES) product. It begins with a disclaimer about forward-looking statements and outlines the agenda for the presentation. The presentation then discusses what a sandbox is and how the attendee can create their own ES sandbox to experiment with. It provides demonstrations of some basic tasks in the sandbox like configuring time zones and enabling scheduled searches. The document also provides high-level information about what ES is and how it can be used to analyze security-related machine data from different sources. It highlights ES's capabilities for security posture monitoring, data ingestion, and using common data models.
Ad
More Related Content
What's hot (20)
Viewers also liked (20)
Ad
Similar to SplunkSummit 2015 - ES Hands On Workshop (20)
Ad
More from Splunk (20)
Recently uploaded (20)
SplunkSummit 2015 - ES Hands On Workshop
- 1. Your very own ES Sandbox! Simon O’Brien Sales Engineer/Security SME, Splunk [email protected]
- 2. 2 Disclaimer During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-‐looking statements, please review our filings with the SEC. The forward-‐looking statements made in the this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not, be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
- 5. 5 What’s a sandbox?• A 100% free, fully featured 15 day trial of Splunk products: Cloud, Light, or ES • Hosted in AWS • Authenticates off of your Splunk account • Has sample data for you to play with • Supports onboard of your own data Today’s session: A hands-‐on activity with your very own Enterprise Security sandbox!
- 6. 6
- 7. Let’s create a sandbox
- 8. 8
- 9. 9
- 10. 10
- 11. 11
- 12. 12
- 13. 13
- 14. 14
- 15. 15 Let’s fix a few things!
- 16. 16 Let’s fix a few things! • Choose a timezone • Correlation search enablement • Scheduled search enablement
- 17. 17 Click Here
- 18. 18 Pick “Hobart”, and save
- 19. 19
- 20. 20 Click Here
- 21. 21 Click Here
- 22. 22 Click Here
- 23. 23 Type “High” to filter
- 24. 24 Click “Enable” for “High or Critical Priority Host with Malware Detected”
- 25. 25 Click Here
- 26. 26
- 27. 27 Click Here
- 29. 29 Enable the two disabled rules
- 30. 30
- 32. Machine data contains a definitive record of all interactions Splunk is a very effective platform to collect, store, and analyze all of that data Human Machine Machine Machine
- 33. Mainframe Data VMware Platform for Machine Data Splunk Solutions > Easy to Adopt Exchange PCISecurity Relational Databases MobileForwarders Syslog / TCP / Other Sensors & Control Systems Across Data Sources, Use Cases & Consumption Models Wire Data Mobile Intel Splunk Premium Apps Rich Ecosystem of Apps MINT
- 34. Rapid Ascent in the Gartner SIEM Magic Quadrant* *Gartner, Inc., SIEM Magic Quadrant 2011-‐2015. Gartner does not endorse any vendor, product or service depicted in its research publication and not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 2015 Leader and the only vendor to improve its visionary position 2014 Leader 2013 Leader 2012 Challenger 2011 Niche Player 2015
- 35. 35 App Servers Network Threat Intelligence Firewall Web Proxy Internal Network Security Endpoints Splunk as the Security Nerve Center
- 36. ES Fast Facts ● Current version: 3.3, 4.0 just recently announced! ● Two releases per year ● Content comes from industry experts, market analysis, but most importantly YOU ● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable ● ES has its own development team, dedicated support, services practice, and training courses 4.0 not in sandbox…yet
- 37. 37 WARNING: It’s really rich! You can’t eat all of ES in one sitting, so we won’t.
- 38. Security Posture
- 39. 39 Security Posture How do you start and end your day?
- 41. HOW DO WE GET DATA IN?
- 42. Data comes from… You can actually do this in the sandbox, if you want.
- 43. Data Ingest + Common Information Model ● You’ve got a bunch of systems… ● How to bring in: ● Network AV ● Windows + OS X AV ● PCI-‐zone Linux AV ● Network Sandboxing ● APT Protection ● CIM = Data Normalization
- 44. NORMALIZATION?!?
- 45. NORMALIZATION?!? Relax. This is therefore, CIM gets applied at SEARCH TIME.
- 46. Data Normalization is Mandatory for your SOC “The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et. al., Cisco CSIRT Your fields don’t match? Good luck creating investigative queries
- 48. Free. Supported. Fully documented.
- 49. Lots of apps support CIM.
- 50. CIM Compliant!
- 51. Click “Data models” under settings
- 52. Click “>” next to Malware
- 53. Data Models are Accelerated
- 54. Let’s Pivot! Click Malware Pivot allows non-‐ technical interaction with data models.
- 55. Let’s Pivot! Click Malware Attacks Change to “Last 24 hours” Total # attacks 1 2
- 56. Let’s Pivot! Click Area Chart
- 58. Let’s Pivot! SCROLL and find Signature, and click
- 59. Let’s Pivot! You can save as reports and dash panels…
- 60. Let’s Pivot!
- 61. Let’s Pivot! Click “Malware Attacks” and then Edit Object
- 62. Data Models map to CIM-‐compliant tagged data SCROLL to see more Fields relevant to Malware data source Appropriate tags
- 63. So what? Click to return to Enterprise Security
- 64. So what? Security Domains, then Endpoint, then Malware Center
- 65. KSI specific to malware
- 66. Let’s drill into two examples Click “Hacktool.Rootkit” bar
- 67. Normalized fields to CIM from Symantec
- 68. Click browser back button… We know about this.
- 70. Normalized fields to CIM from Sophos
- 71. Where are my gaps in coverage? Click Audit and then “Content Profile” – takes about 30s
- 72. Which models could I be using, but I’m not?
- 73. QUESTIONS ON CIM/DATA MODELS?
- 75. 75Attack Map The Challenge: • Industry says Threat Intel is key to APT Protection • Management wants all threat intel checked against every system, constantly • Don’t forget to keep your 15+ threat feeds updated The Solution:
- 76. Verizon 2015 DBIR “…the percentage of indicators unique to only one (outbound destination) feed…is north of 97% for the feeds we have sampled…” Threat list aggregation = more complete intelligence
- 77. 77 Under Advanced Threat click “Threat Activity”
- 78. 78 SCROLL KSIs specific to threat
- 80. 80 Click Configure, “Data Enrichment” and then “Threat Intelligence Downloads”
- 81. 81 Various community threat lists Local ones too TAXII support
- 83. 83 Various community threat lists Local ones too TAXII support Weight used for risk scoring Interval SCROLL for additional config
- 84. 84 Various community threat lists Local ones too TAXII support Hit “back” button twice
- 85. QUESTIONS ON THREAT INTEL?
- 87. 87 STIX/TAXII feed Browse through the tabs… Investigate on your own time: Advanced Threat capabilities worth your while…and all areas under Security Domains
- 89. 89 Auditors / Management / Compliance Says… ● Can you show me <Typical Report>? ● Reporting is easy in Splunk ● But we have more than 300 standard reports too
- 90. 90 Click “Reports” under Search
- 91. 91 Almost 330 reports to use/customize
- 93. 93 Click “High or Critical Priority Host with Malware Detected”
- 94. 94 Checkbox Select the Critical Event Highly filterable and tag-‐able
- 95. 95 Click “Edit All Selected”
- 96. 96 Fill out Status/Owner/Comment, Click Save Would contain all of your users
- 97. 97 Confirm that event updates Click “>” under Actions to see what you can do with the event
- 98. 98 Click “>” to view more details on the event
- 99. 99 Last comment and link to review all activity Every field “pivot-‐able”
- 100. 100 Automatic attribution for asset data
- 101. 101 Pivot internally within ES, or externally. Customizable. Drill to Asset Investigator
- 102. 102 Asset data Customizable Swimlanes Selectable Time
- 103. 103 Hold down CTRL or CMD and click multiple bars aligned vertically
- 104. 104 Summarized info from “candlesticks” selected Drill to search, make a notable event, share a link
- 105. 105 Select one or two red “Malware Attacks” bars
- 106. 106 Drill to search
- 107. 107 Raw log data in the Search interface is only a click away.
- 108. 108 “Browser Tab” back to Incident Review
- 109. 109 Edit the event again and add some more comments…
- 110. 110 Feel free to add whatever you wish here…click save
- 111. 111 View the review activity for the event
- 112. 112
- 113. 113 Click on “Incident Review Audit” under Audit Many aspects of ES are audited within the product
- 114. 114 More users will make this more interesting…
- 115. 115 Click on Identity Investigator
- 116. 116 Type “htrapper” in search and click search Set to “Last 24 hours” 2 1
- 117. 117 Information about this identity
- 118. QUESTIONS ABOUT INCIDENT RESPONSE?
- 119. LOOKUPS AND CORRELATION SEARCHES
- 120. 120 Select “Data Enrichment”, “Lists and Lookups” under Configure
- 121. 121 Many lookups to provide additional context to your data
- 122. 122 Click on “Demonstration Identities”
- 123. 123 We want to add “naughtyuser” to this list because it is showing up in our data. SCROLL
- 124. 124 Select last row, right click, and choose “Insert row below.” Add whatever you want, but make sure the first column says “naughtyuser” When done click save Extra credit: Check your work in Identity Center 2 1
- 125. 125 Click on “General”, “Custom Searches” under Configure
- 126. 126 Click “New”
- 128. 128 Fill in Search Name, App Context, and Description
- 129. 129 Click “Edit search in guided mode” You could simply type a Splunk search in here if you wanted.
- 130. 130 Click “Next”
- 131. 131 Select “Data Model”, “Authentication”, “Failed_Authentication” and click Next
- 132. 132 Select “Last 60 minutes” and click Next
- 133. 133 Observe search and click Next Optional: You can “Run search” at this point and see the events that will return.
- 134. 134 Click “Add a new aggregate”
- 135. 135 Choose “count” and then alias it as “failedlogincount” and click Next
- 136. 136 Click Next
- 137. 137 SCROLL to select “Authentication.user” and click Next
- 138. 138 Type “user” in the Alias field and click Next
- 139. 139 Lets match on “failedlogincount” being greater than 1000
- 140. 140 Click “run search” to test the search.
- 141. 141 This should create two notable events…so let’s make sure that happens. Make sure this is over 60 minutes, not “all time”.
- 142. 142 Fill in “cron” style schedule – every 5 minutes
- 143. 143 Put “86400” as the window duration. Put “user” as the field to throttle by.
- 144. 144 Check the “notable event” box and fill in the fields as shown. Note the “$” signs around the variables!
- 145. 145 Let’s assign risk to the user. Check the box and fill in the three fields as shown.
- 146. 146 Save the search and go back to Incident Review.
- 147. 147 Put “86400” as the window duration. Put “user” as the field to throttle by. As long as you have waited 5 minutes you should have new notable events!
- 148. 148 Expand your new event Variable substitution working
- 149. 149 Launch Identity Investigator against “naughtyuser”
- 150. 150 Data you added to the lookup Notable Events and Risk Bonus: Go find “naughtyuser” in Risk Analysis dashboard…
- 151. Final Questions?
- 152. 152 Next Steps… • Play in your ES Sandbox for 15 days • Explore some of the areas we didn’t get to cover today • Ask questions of your sales team • Once ES 4.0 releases, help yourself to another sandbox to see the new features • TELL YOUR FRIENDS!