Splunk for Security: Background & Customer Case Study

Copyright © 2015 Splunk Inc.
Splunk for Security:
Background & Customer Case Study

2
Wipro Technologies
Andrew Gerber

3
Agenda
Background
Why Splunk for Security
Customer Case Study
• Build out and architecture
• Phased approach
• Hybrid Cloud/on-premise solution
Example Security Use Cases
Roadmap & Key Takeaways

4
Wipro Overview
• Wipro Ltd. (NYSE:WIT) is a global information technology, consulting, and outsourcing
company
• 158,000+ employees in 175 cities+ across 6 continents
• Revenues of $7.5 billion for the financial year ended March 31, 2015
• Wipro uses and supports Splunk in many areas for our customers, including:
• transaction analysis
• fraud detection
• business & IT operations monitoring
• process improvement
• information security

5
Speaker Bio
Andrew Gerber: Architect & Consultant, Enterprise Security Solutions, Wipro
– Discovered Splunk about 4 years ago
My mission is to help customers manage their security requirements efficiently and
effectively, and to provide meaningful and measurable benefits while improving their
security posture.

6
Why Splunk for Security
• Slow SIEM platform
• Limited capabilities and limited customization options
• Data source integration and parsing challenges
• Lots of effort to create workarounds instead of creating new capabilities
Customer challenges
• Great user interface and straightforward/flexible SPL
• Fast results
• Ability to scale flexibly and affordably
• Rapid value realization
• Late-binding schema
• API and extensibility
• Higher ROI potential with a competitive TCO
Key reasons we often see Splunk selected for Security use cases over other SIEM tools:

7
Customer Story - Situation
SIEM platform
deployed for
several years
Performance was
limiting (could take
days to search
hours’ worth of
data)
Vendor
announced End of
Life/End of
Support for SIEM
platform
Gap Analysis of
SIEM Platform
Difficulty to gain
insight… limited by
supported functions
(COUNT, AVG, MIN,
MAX, …)
Creation of content
required in-depth
knowledge about
data sources and
vendor parsing
schema
Limited datacenter
capacity to scale the
existing platform

8
Splunk – Phase 1
Hybrid POC/Pilot over
only 12 weeks!
Partnered with Splunk PS
200GB/day On-Premise
Deployment Growing to
400GB/day
Identified key security
data sources to integrate
Initial Content
Development
Dashboards & Demos for
stakeholders at all levels,
including Executives

9
Splunk – Phase 1 Architecture
Handled 200GB/day & 10 users comfortably
Grew to 400GB/day while still providing sufficient performance
>300 Universal Forwarder instances deployed
On-Premise
Cluster
Master
Deployment
Server
300+ Forwarders
Syslog-NG
NAS

10
Splunk – Phase 1 Results
Speed
•Searching performance – went from days to seconds to get results
•Integrating data sources – ingest first, parse later as needed
•Creating searches/dashboards – powerful and straightforward, fast to create
Power
•SPL, stats, subsearches, graphical reporting, mapping, API, Apps
Use cases transformed
•Went from listing top machines by # of malware detection alerts to mapping out trends and identifying
effective points of intervention/remediation
•Went from seeing a list of failed VPN login attempts by user to mapping VPN authentication activity and
identifying anomalous activity for further investigation
Ability to demo dashboards all the way up to executive leadership

11
Scaling successfully: Enter Splunk Cloud
Dynamic
business
context
Rapid pace of acquisitions
Datacenter transformation project underway
Cloud strategy evolving
Flexibility of
Splunk Cloud
was key
Availability, capacity, retention, scalability
Safeguards &
security –
beyond the
basics
Extensive review with Splunk and customer Enterprise Architecture & Security teams
Audited Security: Splunk SOC 2 Type 1 & 2 in addition to AWS controls & attestations
Flexibility to specify geographic restrictions on where data travels/resides
Ability to configure encryption on data at rest
Hybrid search heads – can have indexes reside entirely on-prem as needed, on-prem search heads can search cloud

12
Splunk – Phase 2 (in progress)
Added capacity:
500GB/day Splunk Cloud
+ 200GB/day on-premise
Increasing data
source variety, adding
apps and integrations
(i.e. Remedy for
ticketing)
Accommodate data
center capacity
constraints
(transformation
project underway)
Add and integrate
users across business
units
Create processes
around security
monitoring and SOC
operations
Deploying Splunk App
for Enterprise Security
+

13
Splunk Phase 2 Architecture
On-Premise
AWS
Cluster
Master
Deployment
Server
500+ Forwarders
Syslog-NG
~30%
NAS
S3

14
Example Use Cases
Use Case 1 - VPN Activity Profiling
• Detect inappropriate or malicious remote access
• Profiling of employees, contractors, vendors, and other insiders
Use Case 2 – Malware Analysis
• Detect new signatures & hashes seen
• Enhance information with threat intelligence
• Profile activity by host and user
• Monitor time to resolution
Use Case 3 – Off-Network Jumping
• Detect attempted and actual bypass of network controls
• Detect network jumping and off-network activity

15
Use Case: VPN Activity Profiling
• Find abnormal remote access usage pattern in remote access
– VPN access with valid credentials used in major attacks, including recent healthcare
industry breach
• Profile remote usage by employees, contractors, vendors, and other insiders
• Look for:
– Indicators of Delivery, C2, Exfiltration, as well as employee or insider FTA
– Identify potentially compromised credentials
• Key points to look for:
– Increase in login frequency
– Odd times/locations
– Improbable travel distance between logins or login attempts
(velocity requirements between consecutive geographical login locations too high)

16
User level VPN Trends
• Multiple login failures by count and over time and
successful logins
provide insight into VPN behavior.
• Identify repeat VPN login failure trends by user
Easy to spot outlier and clustered events
Geographic & Network VPN Trends
• At-a-glance profiling of VPN login success and failures
• Geolocation and domain charting identify normal vs.
abnormal access
• Top Level Domains and other domain names to find
anomalies,
i.e. connections from .edu TLD or external VPN services

17
Geographic Analysis with “Traveler” identification
• Per-country trends & users with multiple locations in a
given time period
• Also identify relative distances for users from a relevant
fixed location
“Traveler” mapping & improbable behavior analysis
• Determine unlikely distance/time combinations between
VPN logins
• Identify credential theft and/or sharing

18
Use Case: Malware Analysis
• Understand malware persistence and activity levels
– Identify duration of malware persistence
– Identify malware by activity levels
• Further prioritize remediation
– Identifying hosts of interest
• Review new signatures and hashes
– Understand new threats
– Include data enrichment via threat feeds

19
Max Malware File Duration
• Malware File Duration reflects length of time between first
malware message about a specific file and the last malware
message (a combination of automated and manual
resolution is reflected in this)
Max Malware File Events
• Malware File Events reflects # of events referencing a
specific file (highlights high-activity files)

20
Identifying Outliers
• Mapping # of malware indicators against timeline and
duration of indicator presence allows for easy profiling and
identification of hosts

21
Tracking new signatures & hashes seen
• Understand new threats
• Data enrichment with threat intelligence feeds

22
Use Case: Off-Network Jumping
• Find assets & users jumping from corporate LAN, WLAN to Guest Network
– Detect attempts to bypass security controls
– Detect malware vector of “benign” off-network browsing
1 in 566 websites host malware (Symantec 2014 Internet Security Threat Report)
• Profile jumping behavior to look for patterns and anomalies
– Identify the User, IP address, MAC address
– Identify activity before and after jumping
• Key points to look for include
– Assets and users jumping periodically –
Normal business users should be on corporate network
– Network jumps which don’t appear to be pre-meditated
(i.e. looking for programmatic jumps)
– Volume, periodicity, destination, traffic type can all be
indicators of potential Exfiltration
“40% [of companies] reported
that they had been exposed to a
security threat as a direct
consequence of an off-network
user’s laptop getting compromised
within the last twelve months.”
From Google report, “Off-Network Workers –
The Weakest Link to Corporate Web Security”

23
Key event: Guest network DHCP request
Key search to identify this activity
• Look at guest network firewall logs which logs DHCP requests (IP  MAC  hostname)
• Look at DHCP requests using IP address of one of our corporate networks, and the MAC address.
• Eliminate mobile devices, limit results to our corporate hostname naming convention
• Database of internal IP space, hostnames, and associated MAC addresses is being built to further refine this.

24
Selection to
lookup user
Selection determines drill down
Long/Short Term Off-Net Jumping Trends
• Visual analysis to determine what looks abnormal
• At-a-glance profiling of corporate resources used on guest
network – activity for today, 7-days, etc.
Rapid investigation to identify users of interest
• Selection enables deep investigation via drilldown into user
activity details
• Dynamic drilldown is a key Splunk feature for effective
investigation dashboards

25
Behavior Investigation – Longitudinal Trending
• Patterns identify potential repeat offender, or possible
C2/exfiltration
• Compare to guest network activity trend to identify likely
scenario
Having quickly found a user of interest, we can
now dig into the details of their activity…

26
Overview of behavior before/during/after the jump
• Looking back in time from the jump
• User activity on the corporate network preceding
the jump
• Looking at the jump
• User device mapping to IP address of jumper
• Looking in time after the jump
• User activity on the guest network after the jump
Behavior Investigation – Pre-Jump Activity
• Does the jump make sense? – driven by business logic or
“benign” behavior
• Does the jump look like attacker trying to get out? – more
“random” patterns
• Does the jump look like insider threat? – exfiltration, etc.

27
What’s Next
• SOC Operations with Splunk as core tool
• Splunk Enterprise Security App
• Extreme Search
• D3.js
• Endpoint
• Stream
What excites us about
future projects we are
planning to leverage
our data and Splunk
products?

28
Top Takeaways
You can get
value out of
Splunk
quickly
Splunk Cloud
is a flexible
option for
growth
Basics
matter!
Process,
People,
Technology
in Balance

Splunk for Security: Background & Customer Case Study

Recommended

More Related Content

What's hot (20)

Viewers also liked (20)

Similar to Splunk for Security: Background & Customer Case Study (20)

Recently uploaded (20)

Splunk for Security: Background & Customer Case Study