Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods
Download as PPTX, PDF1 like341 views
The document discusses security analytics methods for detecting threats using Splunk software. It covers common security challenges, types of analytics methods, and applying analytics to stages of an attack. The agenda includes an introduction to analytics methods, an overview of Splunk Security Essentials, a demo scenario of detecting a malicious insider, and next steps involving Enterprise Security and Splunk UBA. The demo scenario shows detecting large file uploads from Box to detect an insider exporting sales proposals. The summary recommends starting with Splunk Security Essentials, then leveraging Enterprise Security and UBA for advanced machine learning detection and automated response.
![© 2017 SPLUNK INC.
▶ Download from apps.splunk.com
▶ Find use cases that match your
needs
▶ Data Source Check shows other
use cases for your existing data
▶ Evaluate free tools to meet gaps,
such as Microsoft Sysmon
• (links inside the app)
Go Get Started With Splunk Security Essentials!
[01] [01]](https://image.slidesharecdn.com/splunkdiscoverymilan18session3security-180524144612/85/Splunk-Discovery-Milan-2018-Intro-to-Security-Analytics-Methods-35-320.jpg)
Ad
More Related Content
What's hot (20)
Similar to Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods (20)
Ad
More from Splunk (20)
Ad
Recently uploaded (20)
Splunk Discovery: Milan 2018 - Intro to Security Analytics Methods
- 1. © 2017 SPLUNK INC. Intro to Security Analytics Methods Lorenzo INVERNIZZI I Sales Engineer SESSIONE 3
- 2. © 2017 SPLUNK INC. 1. Intro to Analytics Methods 2. Splunk Security Essentials Overview 3. Demo Scenario 4. Next step Agenda
- 3. © 2017 SPLUNK INC. Common Security Challenges Malicious Insiders Advanced External Attackers Commodity Malware
- 4. © 2017 SPLUNK INC. First Time Seen powered by stats Time Series Analysis with Standard Deviation General Security Analytics Searches Analytics Methods Types of Use Cases
- 5. © 2017 SPLUNK INC. Applying to Stages of an Attack HTTP (web) session to command & control server Remote control, Steal data, Persist in company, Rent as botnet WEB .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker hacks website Steals .pdf files Web Portal Attacker creates malware, embed in .pdf, Emails to the target MAIL Read email, open attachment Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security
- 6. © 2017 SPLUNK INC. Detection of Suspicious Email Activity
- 7. © 2017 SPLUNK INC. Applying to Stages of an Attack HTTP (web) session to command & control server Remote control, Steal data, Persist in company, Rent as botnet WEB .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker hacks website Steals .pdf files Web Portal Attacker creates malware, embed in .pdf, Emails to the target MAIL Read email, open attachment Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security
- 8. © 2017 SPLUNK INC. Verifying Malware Infection
- 9. © 2017 SPLUNK INC. Applying to Stages of an Attack HTTP (web) session to command & control server Remote control, Steal data, Persist in company, Rent as botnet WEB .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker hacks website Steals .pdf files Web Portal Attacker creates malware, embed in .pdf, Emails to the target MAIL Read email, open attachment Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security
- 10. © 2017 SPLUNK INC. Identifying Exfiltration and/or Command and Control
- 11. © 2017 SPLUNK INC. Implementation Approach for Security Analytics Alert Aggregation AlertCreation Investigation Investigative Platform • Analyst flexibility • Provide access to data analysis solutions • Record historical context for everything Simpler Detection • Rules and statistics • Quick development • Easy for analysts ML Based Detection • Detect unknown • New vectors • Heavy data science Threat Detection • Manage high volume • Track entity relationships • Combination ML + Rules
- 12. © 2017 SPLUNK INC. The Splunk Portfolio Rich Ecosystem of Apps & Add-Ons Splunk Premium Solutions Mainframe Data Relational Databases MobileForwarders Syslog/ TCP IoT Devices Network Wire Data Hadoop Platform for Operational Intelligence
- 13. © 2017 SPLUNK INC. Splunk Security Essentials Overview
- 14. © 2017 SPLUNK INC. Download Splunk Security Essentials
- 15. © 2017 SPLUNK INC. Where Can I Install Splunk Security Essentials? Survey Results: Have You Tried to Install the App? Tried and Failed Installed in Dev Installed in Production Installed in Distributed Environment Installed in a SHC Environment Your Laptop! Your Production Environment! All Kinds of Production Environments! Your Dev Environment!
- 16. © 2017 SPLUNK INC. ▶ You can think about operational maturity in terms of data ▶ Start with the basics – get your data into a single location ▶ Then work your way up the stack ▶ Not sure how to start? Yes, there is an app for that Looking at Security in Terms of Data
- 17. © 2017 SPLUNK INC. ▶ Identify bad guys: • 300+ security analytics methods • Target external and insider threats • Scales from small to massive companies • Save from app, send hits to ES/UBA Splunk Security Essentials https://splunkbase.splunk.com/app/3435/ Solve use cases you can today for free, then use Splunk UBA for advanced ML detection.
- 18. © 2017 SPLUNK INC. ▶ Download from apps.splunk.com ▶ Browse use cases that match your needs ▶ Data Source Check shows other use cases for your existing data ▶ Evaluate free tools to meet gaps, such as Microsoft Sysmon • (links inside the app) Getting Started with Splunk Security Essentials
- 19. © 2017 SPLUNK INC. Demo Scenario
- 20. © 2017 SPLUNK INC. ▶ No proxy ▶ No standard file servers ▶ No agents on laptop ▶ Cloud Services with their own APIs How would you detect that? Monitoring Challenges
- 21. © 2017 SPLUNK INC. ▶ Actor: Malicious Insider (because it’s hardest) ▶ Motivation: Going to work for competitor ▶ Target: Accounts, Opportunities, Contacts in Salesforce ▶ Additional Target: Sales Proposals in Box ▶ Exfiltration: Upload to a remote server Apply Splunk to Real Life Scenario Malicious Insider Chris Geremy Director of Finance * Photo of Splunker, I promise she is not a malicious insider
- 22. © 2017 SPLUNK INC. ▶ Ingest Salesforce Event Log File • https://splunkbase.splunk.com/app/1931/ ▶ Ingest Box Data • https://splunkbase.splunk.com/app/2679/ ▶ Install Splunk Security Essentials • https://splunkbase.splunk.com/app/3435/ ▶ Schedule Salesforce use cases ▶ Build a custom Box use case Set Up Monitoring About 1 Hour of Work
- 23. © 2017 SPLUNK INC. ▶ Do you want to build your own detections like this? ▶ What if your environment is totally custom? ▶ No product has ever worked out of the box, and that’s why you like Splunk, right? We’ve got you. But My Company Is So Custom Click Assistants, then “Detect Spikes”
- 24. © 2017 SPLUNK INC. ▶ | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS” | bucket _time span=1d | stats count by user _time ▶ Looking for “count” by “user” with “6” standard deviations
- 25. © 2017 SPLUNK INC. ▶ | inputlookup anonymized_box_logs.csv | search folder="PROPOSALS” | bucket _time span=1d | stats count by user _time ▶ Looking for “count” by “user” with “6” standard deviations Got Her!
- 26. © 2017 SPLUNK INC. Next Steps
- 27. © 2017 SPLUNK INC. ▶ Enterprise Security has a Risk Framework designed for aggregating low severity indicators Aggregate Alerting with ES Risk
- 28. © 2017 SPLUNK INC. ▶ Splunk UBA Threat Models leverage Data Science, Machine Learning ▶ Finds important, inter-related anomalies that analysts should actually view ▶ Support more advanced anomaly detections! Apply Machine Learning With Splunk UBA
- 29. © 2017 SPLUNK INC. ▶ High Confidence alerts from UBA fed into ES ▶ Take actions like • Box: “Change Permissions” • AD: “Reset Password” or “Disable Account” • PAN: Isolate Host ▶ 40+ partners! Respond With ES Adaptive Response
- 30. © 2017 SPLUNK INC. Wrap Up
- 31. © 2017 SPLUNK INC. ▶ Splunk Security Essentials shows you new detection use cases ▶ Ultimately it just uses Splunk Enterprise – power of the platform! ▶ You can build your own use cases easily! ▶ As you advance, look to ES or UBA to improve threat detection What Did We Cover?
- 32. © 2017 SPLUNK INC. Splunk Security Portfolio Splunk Enterprise Detection Human-driven • Log Aggregation • Splunk Security Essentials • Rules, statistics, correlation Realm of Known Enterprise Security Response • OOB key security metrics • Incident response workflow • Adaptive response Splunk UBA Detection ML-driven • Risky behavior detection • Entity profiling, scoring • Kill chain, graph analysis Realm of Unknown
- 33. © 2017 SPLUNK INC. Slow Response from Basic Alerts Fast Response from Advanced Alerts Managing Alert Volume vs Value Use Low Volume Searches Splunk ES Risk Framework Splunk UBA Threat Models UBA + ES Adaptive Response
- 34. © 2017 SPLUNK INC. Use Low Volume Searches Splunk ES Risk Framework Splunk UBA Threat Models UBA + ES Adaptive Response Managing Alert Volume vs Value Everyone starts here, and spends most of their time here
- 35. © 2017 SPLUNK INC. ▶ Download from apps.splunk.com ▶ Find use cases that match your needs ▶ Data Source Check shows other use cases for your existing data ▶ Evaluate free tools to meet gaps, such as Microsoft Sysmon • (links inside the app) Go Get Started With Splunk Security Essentials! [01] [01]
- 36. © 2017 SPLUNK INC.© 2017 SPLUNK INC. GRAZIE