Splunk for Security Breakout Session
1 like1,845 views
The document discusses security session presented by Philipp Drieger. It begins with a safe harbor statement noting any forward-looking statements are based on current expectations and could differ from actual results. The agenda includes discussing Splunk for security, enterprise security, and Splunk user behavior analytics. It provides examples of how Splunk can be used to detect threats like fraud and advanced persistent threats by analyzing machine data from various sources. It also discusses how threat intelligence can be incorporated using STIX/TAXII standards and open IOCs. Customer examples show how Nasdaq and Cisco have replaced their SIEMs with Splunk to gain better scalability and flexibility.
Ad
More Related Content
What's hot (20)
Viewers also liked (11)
Ad
Similar to Splunk for Security Breakout Session (20)
Ad
More from Splunk (20)
Recently uploaded (20)
Splunk for Security Breakout Session
- 1. Copyright © 2015 Splunk Inc. Security Session Philipp Drieger Sales Engineer
- 2. 2 Safe Harbor Statement During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described orto includeany suchfeatureor functionalityina futurerelease.
- 3. 3 Agenda Splunk for Security Enterprise Security Splunk User Behavior Analytics
- 6. 6 Advanced Threats Are Hard to Find 6 Cyber Criminals Nation States Insider Threats Source: Mandiant M-Trends Report 2012/2013/2014 100% Valid credentials were used 40 Average # of systems accessed 229 Median # of days before detection 67% Of victims were notified by external entity
- 7. 7 7 Servers Storage DesktopsEmail Web Transaction Records Network Flows DHCP/ DNS Hypervisor Custom Apps Physical Access Badges Threat Intelligence Mobile CMDB Intrusion Detection Firewall Data Loss Prevention Anti- Malware Vulnerability Scans Traditional Authentication All Data is Security Relevant = Big Data
- 8. 8 Solution: Splunk, The Engine For Machine Data 8 Online Services Web Services Servers Security GPS Location Storage Desktops Networks Packaged Applications Custom Applications Messaging Telecoms Online Shopping Cart Web Clickstreams Databases Energy Meters Call Detail Records Smartphones and Devices RFID Developer Platform Report and analyze Custom dashboards Monitor and alert Ad hoc search Real-Time Machine Data References – Coded fields, mappings, aliases Dynamic information – Stored in non-traditional formats Environmental context – Human maintained files, documents System/application – Available only using application request Intelligence/analytics – Indicators, anomaly, research, white/blacklist
- 9. 9 Fraud Detection Insider Threat Advanced Threat Detection Security & Compliance Reporting Incident Analysis & Investigations Real-time Monitoring & Alerting Security Intelligence Use Cases Splunk provides solutions that address SIEM use cases and more Security & Compliance Reporting Incident Analysis & Investigations Real-time Monitoring & Alerting
- 10. 10 1 Example Patterns of Fraud in Machine Data Industry Type of Fraud/Theft/Abuse Pattern Financial Services Account takeover Abnormally high number or dollar amounts of wire transfer withdrawals Healthcare Physician billing Physician billing for drugs outside their expertise area E-Tailing Account takeover Many accounts accessed from one IP Telecoms Calling plan abuse Customer making excessive amount of international calls on an unlimited plan Online Education Student loan fraud Student receiving federal loan has IP in “high-risk” overseas country and is absent from online classrooms and forums
- 11. 11 Insider Threat What To Look For Data Source Abnormally high number of file transfers to USB or CD/DVD OS Abnormally large amount of data going to personal webmail account or uploaded to external file hosting site Email / web server Unusual physical access attempts (after hours, accessing unauthorized area, etc) Physical badge records / AD Above actions + employee is on an internal watchlist as result of transfer / demotion / poor review / impending layoff HR systems / above User name of terminated employee accessing internal system AD / HR systems 11
- 12. 12 Example of Advanced Threat Activities 1 HTTP (web) session to command & control server Remote control, Steal data, Persist in company, Rent as botnet WEB Conduct Business Create additional environment Gain Access to systemTransaction .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, Emails to the target MAIL Read email, open attachment Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security
- 13. 13 Connect the “Data-Dots” to See the Whole Story 1 Persist, Repeat Threat intelligence Auth - User Roles, Corp Context Host Activity/Security Network Activity/Security Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain Delivery, Exploit Installation Gain Trusted Access ExfiltrationData GatheringUpgrade (escalate) Lateral movement Persist, Repeat • Third-party Threat Intel • Open source blacklist • Internal threat intelligence • Firewall • IDS / IPS • Vulnerability scanners • Web Proxy • NetFlow • Network • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating System • Database • VPN, AAA, SSO
- 14. 14 Threat intelligence Host Activity/Security Network Activity/Security Command & ControlExploitation & InstallationDelivery Accomplish Mission Security Ecosystem for Coverage and Protection Auth - User Roles, Corp Context
- 15. 15 STIX/TAXII and Open IOC 101 • Info sharing across companies and industries • Standardized XML • IOCs include IPs, web/email domains, hashes, processes, registry key, certificates
- 16. 16 Threat Intelligence in Splunk
- 17. 17 Sample TAXII Feeds User Community Organisation Cyber Threat XChange Health Information Trust Alliance Defense Security Information Exchange Defense Industrial Base Information and Sharing and Analysis Organization ICS-ISAC Industrial Control System Information Sharing and Analysis Center NH-ISAC National Health Cybersecurity Intelligence Platform National Health Information and Analysis Center FS-ISAC / Soltra Edge Financial Services Information Sharing and Analyses Center (FS-ISAC) Retail Cyber Intelligence Sharing Center, Intelligence Sharing Portal Retail Information Sharing and Analysis Center (Retail-ISAC) More: http://stixproject.github.io/supporters/
- 18. Customer Example
- 19. 19 Sample Nasdaq - Heartbleed
- 20. 20 20 Splunk Enterprise is a well thought-out solution, designed from the outset for development and operation, and it delivers immediate results in a number of areas. “ SIEM General Project Manager, Finanz Informatik GmbH & Co. KG Challenges: Existing SIEM tools did not meet security needs – Different security information and event management (SIEM) solutions for the mainframe, network, Unix and Windows. – Difficult to correlate Security incidents accross variuos plaforms Enter Splunk: One unified solution – A single solution across platforms and functions means faster and more comprehensive investigation and resolution of security incidents – Guarantee Full protection of its customer data and at the same time reduce complexity, error rates and costs. – Alerts that identify security events, authorization violations or unusual patterns of queries. Splunk at Finanz Informatik “ “
- 21. 21 Replacing a SIEM @ Cisco 21 We moved to Splunk from traditional SIEM as Splunk is designed and engineered for “big data” use cases. Our previous SIEM was not and simply could not scale to the data volumes we have. ““ Gavin Reid, Leader, Cisco Computer Security Incident Response Team Challenges: SIEM could not meet security needs – Very difficult to index non-security or custom app log data – Serious scale and speed issues. 10GB/day and searches took > 6 minutes – Difficult to customize with reliance on pre-built rules which generated false positives Enter Splunk: Flexible SIEM and empowered team – Easy to index any type of machine data from any source – Over 60 users doing investigations, RT correlations, reporting, advanced threat detection – All the data + flexible searches and reporting = empowered team – 900 GB/day and searches take < minute. 7 global data centers with 350TB stored data – Estimate Splunk is 25% the cost of a traditional SIEM
- 23. 23
- 24. 24 1Risk-based security Fast Incident Review and Investigation
- 25. 25 1Risk-based security Continuous Monitoring for Security Domains 2
- 28. 28
- 29. 29
- 30. 30
- 31. 31 Spot Suspicious Access • Simultaneous logins for single user occurring at two distant locations • Concurrent application access – password sharing or theft
- 32. 32
- 33. 33
- 34. 34 Outlook: New Features in Enterprise Security 4.0 Optimize multi-step analyses to improve breach detection and response Extensible Analytics & Collaboration INVESTIGATION COLLABORATION • Investigator Journal • Attack & Investigation Timeline • Open Solutions Framework • Framework App : PCI
- 37. ENTERPRISE CHALLENGES THREATS PEOPLE EFFICIENCY Cyber Attacks, Insider Threats, Hidden, Or Unknown Availability of Security Expertise Too Many Alerts And False Positives
- 38. 38 Majority of the Threat Detection Solutions focus on the KNOWNS. UNKNOWNS? What about the
- 40. DATA-SCIENCE DRIVEN BEHAVIORAL ANALYTICS BIG DATA DRIVEN SECURITY ANALYTICS MACHINE LEARNING A NEW PARADIGM
- 42. ADVANCED CYBER ATTACKS SPLUNK UBA detects & INSIDER THREATS with BEHAVIORAL THREAT DETECTION
- 45. 45 SECURITY ANALYTICS KILL-CHAIN HUNTER KEY WORKFLOWS - HUNTER Investigate suspicious users, devices, and applications Dig deeper into identified anomalies and threat indicators Look for policy violations
- 48. 48 THREAT DETECTION KEY WORKFLOWS – SOC ANALYST SOC ANALYST Quickly spot threats within your network Leverage Threat Detection workflow to investigate insider threats and cyber attacks Act on forensic details – deactivate accounts, unplug network devices, etc.
- 52. 52 INSIDER THREAT 5 USER ACTIVITIES RISK/THREAT DETECTION AREAS John logs in via VPN from 1.0.63.14 Unusual Geo (China) Unusual Activity Time3:00 PM Unusual Machine Access (lateral movement; individual + peer group) 3:15 PMJohn (Admin) performs an ssh as root to a new machine from the BizDev department Unusual Zone (CorpPCI) traversal (lateral movement)3:10 PM John performs a remote desktop on a system as Administrator on the PCI network zone 3:05 PM Unusual Activity Sequence (AD/DC Privilege Escalation) John elevates his privileges for the PCI network Excessive Data Transmission (individual + peer group) Unusual Zone combo (PCIcorp) 6:00 PMJohn (Adminroot) copies all the negotiation docs to another share on the corp zone Unusual File Access (individual + peer group)3:40 PM John (Adminroot) accesses all the excel and negotiations documents on the BizDev file shares Multiple Outgoing Connections Unusual VPN session duration (11h)11:35 PMJohn (Adminroot) uses a set of Twitter handles to chop and copy the data outside the enterprise
- 53. 53 EXTERNAL ATTACK 5 USER ACTIVITIES RISK/THREAT DETECTION AREAS Peter and Sam access a malicious website. A backdoor gets installed on their computers Malicious Domain (AGD) Unusual Browser HeaderNov 15 Unusual Machine Access for Peter (lateral movement; individual + peer group)Dec 10The attacker logs on to Domain Controller via VPN with Peter’s stolen credentials from 1.0.63.14 Unusual Browser Header for Peter and SamNov 16 The attacker uses Peter and Sam’s backdoors to download and execute WCE to crack their password Nov 16 Beacons for Peter and Sam to www.byeigs.ddns.com Peter and Sam’s machines are communicating with www.byeigs.ddns.info Unusual Machine Access for Sam Unusual File Access for Sam (individual + peer group)) Dec 10 The attacker logs in as Sam and accesses all excel and negotiations docs on the BizDev shares Unusual Activity Sequence of Admin for Sam (AD/DC Privilege Escalation)Dec 10 The attacker steals the admin Kerberos ticket from admin account and escalates the privileges for Sam. Excessive Data Transmission for Peter Unusual VPN session durationJan 14The attacker VPNs as Peter, copies the docs to an external staging IP and then logs out after 3 hours.
- 54. Copyright © 2015 Splunk Inc. Thank You! – Q&A