Copyright © 2016 Splunk Inc.
Improve the Efficiency of Your SOC with the New Features of Splunk Enterprise Security and UBA
Legal Notices
During the course of this presentation, we may make forward-looking statements regarding
future events or the expected performance of the company. We caution you that such
statements reflect our current expectations and estimates based on factors currently known to
us and that actual events or results could differ materially. For important factors that may cause
actual results to differ from those contained in our forward-looking statements, please review
our filings with the SEC. The forward-looking statements made in this presentation are being
made as of the time and date of its live presentation. If reviewed after its live presentation, this
presentation may not contain current or accurate information. We do not assume any
obligation to update any forward-looking statements we may make. In addition, any
information about our roadmap outlines our general product direction and is subject to change
at any time without notice. It is for informational purposes only and shall not be incorporated
into any contract or other commitment. Splunk undertakes no obligation either to develop the
features or functionality described or to include any such feature or functionality in a future
release.
Today's Speakers
• Rene Siekermann, Sales Engineer, Splunk
• Matthias Maier, Product Marketing Manager, Splunk
General Information about Webinars
• After the webinar you will get an e-mail containing a recording of the webinar and a link to this presentation on SlideShare
• Ask your questions during the webinar and we will go through them in a Q&A session at the end
The Ever-Changing Threat Landscape
Three adversaries: cyber criminals, malicious insiders, nation states.
• 53% of victims were notified by an external entity
• Valid credentials were used in 100% of breaches
• 229 days: median number of days before detection
Source: Mandiant M-Trends Report 2012-2016
Splunk – Analytics-Driven Security
Use cases:
• APT detection/hunting (kill chain method)
• Counter threat automation
• Threat intelligence aggregation (internal & external)
• Fraud detection: ATO, account abuse
• Insider threat detection
• Replace SIEM at lower TCO, increase maturity
• Augment SIEM to increase coverage & agility
• Compliance monitoring, reporting, auditing
• Log retention, storage, monitoring, auditing
• Continuous monitoring/evaluation
• Incident response and forensic investigation
• Event searching, reporting, monitoring & correlation
• Rapid learning loop, shorten the discover/detect cycle
• Rapid insight from all data
Security Operations Roles/Functions:
• Fraud analyst
• Threat research/intelligence
• Malware research
• Cyber security/threat
• Security analyst
• CSIRT
• Forensics
• Engineering
• Tier 1 analyst
• Tier 2 analyst
• Tier 3 analyst
• Audit/compliance
Maturity, from reactive to proactive: Search and Investigate → Proactive Monitoring and Alerting → Security Situational Awareness → Real-time Risk Insight
Analytics-Driven Security: risk-based; context and intelligence; connecting data and people
Turning Machine Data Into Business Value
Index untapped data from any source, type and volume: online services, web services, servers, security devices, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping carts, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID; on-premises, private cloud and public cloud.
Ask any question: application delivery; security, compliance and fraud; IT operations; business analytics; industrial data and the Internet of Things.
Security Intelligence Use Cases
• Security & compliance reporting
• Real-time monitoring of known threats
• Detecting unknown threats
• Incident investigations & forensics
• Fraud detection
• Insider threat
Complement, replace and go beyond traditional SIEMs
Splunk Enterprise Security & UBA with Demos
Overview: UBA 2.2 and ES 4.1
What is Splunk UBA?
So, what is the problem?
• Compromised or misused credentials or devices
• Lack of resources (security expertise)
• Lack of alert prioritization and excessive false positives
Splunk User Behavioral Analytics: automated detection of insider threats and cyber attacks
Built on the platform for machine data: behavior baselining and modelling; unsupervised machine learning; real-time and big data architecture; threat and anomaly detection; security analytics.
Multi-entity behavioral model: the activities of each entity (user, host, network, application, data) are modelled over a temporal window and joined into a single cross-entity activity sequence (figure: per-entity activity columns combined into one sequence).
Insider threat scenario (Day 1 ... Day N): user activity and the anomaly UBA raises for it
• John connects via VPN
• Administrator performs ssh (root) to a file share in the finance department → Unusual Machine Access (lateral movement; individual & peer group)
• John executes remote desktop to a system (as administrator) in the PCI zone → Unusual Zone (Corp→PCI) Traversal (lateral movement)
• John elevates his privileges → Unusual Activity Sequence
• root copies the document to another file share in the Corporate zone → Unusual Zone Combination (PCI→Corp)
• root accesses a sensitive document from the file share → Unusual File Access (individual & peer group)
• root uses a set of Twitter handles to chop up and copy the data outside the enterprise → Multiple Outgoing Connections & Unusual SSL Session Duration
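The chain above, together with the baseline-then-outlier approach the speaker notes describe, as an added example that is not Splunk UBA code: it learns per-user and per-peer-group (department) baselines from 14 constructed days of routine activity, then scores a constructed day 15 that replays the insider chain and joins the resulting anomalies into one threat per user. The event schema, the entity names (john, alice, fs-finance, pci-db01), the zone names and the "more than twice the baseline daily maximum" outbound threshold are all assumptions made for this illustration.

```python
"""Behavior baselining and outlier detection over a constructed event log.

Added example, not Splunk UBA code. The event schema (day, user, dept,
action, src_zone, dst_zone, dst_host, optional file/dest) is assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


def ev(day, user, action, src, dst, host, **extra):
    """Build one constructed event; every user here is in the finance department."""
    return dict(day=day, user=user, dept="finance", action=action,
                src_zone=src, dst_zone=dst, dst_host=host, **extra)


def _normal_days(days=14):
    """Constructed baseline: 14 days of routine activity for John and his peer Alice."""
    out = []
    for d in range(1, days + 1):
        out += [ev(d, "john", "vpn_login", "remote", "corp", "vpn-gw"),
                ev(d, "john", "logon", "corp", "corp", "ws-john"),
                ev(d, "john", "file_read", "corp", "corp", "fs-finance", file="budget.xlsx"),
                ev(d, "john", "http_out", "corp", "internet", "proxy", dest="mail.example.com"),
                ev(d, "alice", "file_read", "corp", "corp", "fs-finance", file="forecast.xlsx")]
    return out


# Day 15 replays the insider chain from the slide (constructed, not real data).
INCIDENT = [
    ev(15, "john", "vpn_login", "remote", "corp", "vpn-gw"),
    ev(15, "john", "priv_escalation", "corp", "corp", "ws-john"),
    ev(15, "john", "ssh_root", "corp", "corp", "fs-finance"),
    ev(15, "john", "file_read", "corp", "corp", "fs-finance", file="forecast.xlsx"),  # peer's file
    ev(15, "john", "rdp", "corp", "pci", "pci-db01"),
    ev(15, "john", "file_read", "pci", "pci", "pci-db01", file="cardholder.csv"),
    ev(15, "john", "file_copy", "pci", "corp", "fs-corp"),
] + [ev(15, "john", "http_out", "corp", "internet", "proxy", dest=f"t{i}.example.net")
     for i in range(8)]
EVENTS = _normal_days() + INCIDENT


@dataclass
class Baseline:
    hosts: set = field(default_factory=set)       # machines the entity touches
    zone_pairs: set = field(default_factory=set)  # cross-zone moves as (src, dst)
    bigrams: set = field(default_factory=set)     # consecutive action pairs
    files: set = field(default_factory=set)
    max_daily_dests: int = 0                      # distinct external destinations per day


def build_baselines(events, last_training_day):
    """Learn per-user and per-department (peer group) baselines from the training window."""
    users, depts = defaultdict(Baseline), defaultdict(Baseline)
    daily_dests, prev = defaultdict(set), {}
    for e in sorted(events, key=lambda x: x["day"]):  # stable sort keeps intra-day order
        if e["day"] > last_training_day:
            break
        u = e["user"]
        for b in (users[u], depts[e["dept"]]):
            b.hosts.add(e["dst_host"])
            if e["src_zone"] != e["dst_zone"]:
                b.zone_pairs.add((e["src_zone"], e["dst_zone"]))
            if "file" in e:
                b.files.add(e["file"])
        if u in prev:
            users[u].bigrams.add((prev[u], e["action"]))
        prev[u] = e["action"]
        if "dest" in e:
            daily_dests[(u, e["day"])].add(e["dest"])
    for (u, _), ds in daily_dests.items():
        users[u].max_daily_dests = max(users[u].max_daily_dests, len(ds))
    return users, depts


def detect(events, users, depts, last_training_day):
    """Score events after the training window; anomalies are joined per user into one threat."""
    threats, prev, dests = defaultdict(set), {}, defaultdict(set)
    for e in sorted(events, key=lambda x: x["day"]):
        u, d = e["user"], e["dept"]
        bigram = (prev.get(u), e["action"])
        prev[u] = e["action"]
        if e["day"] <= last_training_day:
            continue  # replaying history only to carry the sequence context forward
        ub, db, host = users[u], depts[d], e["dst_host"]
        if host not in ub.hosts and host not in db.hosts:   # unusual for user AND peers
            threats[u].add(("unusual_machine_access", host))
        zp = (e["src_zone"], e["dst_zone"])
        if zp[0] != zp[1] and zp not in ub.zone_pairs:
            threats[u].add(("unusual_zone_traversal", f"{zp[0]}->{zp[1]}"))
        if bigram not in ub.bigrams:
            threats[u].add(("unusual_activity_sequence", f"{bigram[0]}->{bigram[1]}"))
        if "file" in e and e["file"] not in ub.files and e["file"] not in db.files:
            threats[u].add(("unusual_file_access", e["file"]))
        if "dest" in e:
            dests[(u, e["day"])].add(e["dest"])
    for (u, day), ds in dests.items():  # burst of distinct outbound destinations
        if len(ds) > 2 * users[u].max_daily_dests:
            threats[u].add(("multiple_outgoing_connections", f"day {day}: {len(ds)} destinations"))
    return {u: sorted(a) for u, a in threats.items()}


if __name__ == "__main__":
    users, depts = build_baselines(EVENTS, last_training_day=14)
    for user, anomalies in detect(EVENTS, users, depts, 14).items():
        print(f"threat for {user}: {len(anomalies)} anomalies")
        for kind, detail in anomalies:
            print(f"  {kind}: {detail}")
```

Each anomaly on its own is weak evidence (an unseen action transition fires on any new task), which is why the peer-group check suppresses John's read of a colleague's forecast file while still flagging the cardholder data, and why the output is grouped per entity: the joined set is the single threat the slide says the SOC analyst reviews.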
What does Splunk UBA need?
• At a minimum: Active Directory / domain controller logs and DNS, DHCP logs
• Delivered through Splunk Enterprise or any SIEM
• For outbound visibility: proxy server and firewall logs
What is Splunk ES?
Splunk Enterprise Security, on the platform for machine data, advancing analytics-driven security: security and compliance reporting; monitor and detect; investigate threats and incidents; analyze and optimize response.
What's new in Splunk Enterprise Security 4.1?
Prioritize and Speed Investigations (ES 4.1)
• Centralized incident review combining risk and quick search
• Use the new risk scores and quick searches to determine the impact of an incident quickly
• Use risk scores to generate actionable alerts for matters that require immediate attention
Enhanced Investigation Timeline (ES 4.1)
• Add file attachments to the investigation timeline
• Export the investigation timeline as PDF
Behavioral Analytics in the SIEM Workflow (ES 4.1 and UBA 2.2)
• All Splunk UBA results are available in Enterprise Security
• Workflows for SOC manager, SOC analyst and hunter/investigator
• Splunk UBA can be purchased and operated separately from Splunk Enterprise Security
Expanded Threat Intelligence (ES 4.1)
• Supports Facebook ThreatExchange, an additional threat intelligence feed that provides the following indicator types: domain names, IPs and hashes
• Use with ad hoc searches and investigations
• Extends Splunk's Threat Intelligence Framework
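The risk scoring from "Prioritize and Speed Investigations" and the indicator matching from "Expanded Threat Intelligence", as an added example that is not Splunk ES code: in ES this is done by the threat intelligence framework and correlation searches written in SPL against the risk index; the Python below reproduces the same logic so it runs offline. The feed records, the events, the risk weights, the 24-hour window, the threshold of 100 and the requirement for two distinct sources are all assumptions made for this illustration.

```python
"""Indicator matching plus risk-based alerting over constructed events.

Added example, not Splunk ES code. Assumed schemas: feed records
{type, value, risk, source}; events with ts (ISO 8601), user, host and
optionally dest_domain, dest_ip, file_hash, or a correlation rule name
with its own risk score (a notable event).
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feed covering the three indicator types the slide names.
FEED = [
    {"type": "domain", "value": "Evil[.]Example.NET.", "risk": 40, "source": "feed-a"},
    {"type": "ip", "value": "203.0.113.0/24", "risk": 30, "source": "feed-a"},
    {"type": "hash", "value": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
     "risk": 60, "source": "feed-b"},
]

# Constructed proxy/endpoint events and one correlation-rule notable.
EVENTS = [
    {"ts": "2016-05-10T09:00:00", "user": "john", "host": "ws-john", "dest_domain": "evil.example.net"},
    {"ts": "2016-05-10T09:05:00", "user": "john", "host": "ws-john", "dest_ip": "203.0.113.77"},
    {"ts": "2016-05-10T11:00:00", "user": "john", "host": "ws-john", "rule": "priv_escalation", "risk": 50},
    # Alice: one hit from one source, another two days later; never enough inside one window.
    {"ts": "2016-05-10T10:00:00", "user": "alice", "host": "ws-alice", "dest_ip": "203.0.113.5"},
    {"ts": "2016-05-12T10:00:00", "user": "alice", "host": "ws-alice", "dest_domain": "evil.example.net"},
]


def normalize_domain(d):
    """Refang and canonicalise a domain so feed and event values compare equal."""
    d = d.strip().lower().replace("[.]", ".").replace("(.)", ".")
    for prefix in ("hxxps://", "hxxp://", "https://", "http://"):
        d = d.replace(prefix, "")
    return d.split("/")[0].rstrip(".")


def load_indicators(feed):
    """Index the feed by type, normalising values once at load time."""
    idx = {"domain": {}, "ip": [], "hash": {}}
    for ind in feed:
        if ind["type"] == "domain":
            idx["domain"][normalize_domain(ind["value"])] = ind
        elif ind["type"] == "ip":  # single IPs and CIDR ranges both become networks
            idx["ip"].append((ipaddress.ip_network(ind["value"], strict=False), ind))
        elif ind["type"] == "hash":
            idx["hash"][ind["value"].strip().lower()] = ind
    return idx


def match_event(event, idx):
    """Return the indicators an event matches on domain, IP (exact or CIDR) or hash."""
    hits = []
    if "dest_domain" in event:
        ind = idx["domain"].get(normalize_domain(event["dest_domain"]))
        hits += [ind] if ind else []
    if "dest_ip" in event:
        addr = ipaddress.ip_address(event["dest_ip"])
        hits += [ind for net, ind in idx["ip"] if addr in net]
    if "file_hash" in event:
        ind = idx["hash"].get(event["file_hash"].strip().lower())
        hits += [ind] if ind else []
    return hits


def risk_entries(events, idx):
    """Attribute risk from indicator hits and rule notables to both the user and the host."""
    out = []
    for event in events:
        ts = datetime.fromisoformat(event["ts"])
        contribs = [(ind["risk"], "ti:" + ind["source"]) for ind in match_event(event, idx)]
        if "rule" in event:
            contribs.append((event["risk"], "rule:" + event["rule"]))
        for score, src in contribs:
            for entity in (event["user"], event["host"]):
                out.append((ts, entity, score, src))
    return out


def risk_alerts(entries, threshold=100, window=timedelta(hours=24), min_sources=2):
    """Alert once an entity's risk inside the sliding window reaches the threshold
    and comes from at least min_sources distinct sources (the false-positive guard)."""
    by_entity = defaultdict(list)
    for ts, entity, score, src in sorted(entries):
        by_entity[entity].append((ts, score, src))
    alerts = {}
    for entity, rows in by_entity.items():
        for i, (ts, _, _) in enumerate(rows):
            win = [r for r in rows[: i + 1] if ts - r[0] <= window]
            total, sources = sum(r[1] for r in win), {r[2] for r in win}
            if total >= threshold and len(sources) >= min_sources:
                alerts[entity] = {"risk": total, "sources": sorted(sources), "at": ts.isoformat()}
                break
    return alerts


if __name__ == "__main__":
    for entity, a in risk_alerts(risk_entries(EVENTS, load_indicators(FEED))).items():
        print(f"ALERT {entity}: risk={a['risk']} sources={a['sources']} at {a['at']}")
```

Normalising the indicator at load time (refang, lowercase, strip the trailing dot) and the observed value at match time is what keeps "Evil[.]Example.NET." and "evil.example.net" from silently missing each other, and storing IP indicators as networks handles CIDR feeds without string tricks. Requiring risk from more than one source before alerting is the part that turns noisy single indicator hits into something a Tier 1 analyst can act on.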
Splunk Enterprise Security Customer Use Cases
Thousands of global security customers
Replacing a legacy SIEM with Splunk Enterprise Security at John Lewis
• Replaced the legacy SIEM for PCI compliance and reused the compliance investment for security and IT Ops use cases
• Single pane of glass / centralized security visibility on their operations bridge: DDoS reporting, privileged user monitoring, application-level security monitoring
• Identify incidents more quickly and take appropriate automated action where required
• Empowering users to make operational risk management decisions
"Empower the users – send alerts and reports straight to them. Don't let the security team be a bottleneck."
MBDA Germany Drives Security Intelligence With Splunk Enterprise Security
• Enables the security operations center (SOC) team to work very efficiently
• Since deploying ES, the average time to analyze a CERT message has been reduced from 372 minutes to just 15
• Real-time alerts identify attacks that would previously have gone undetected
• Analysis of historical data informs future security measures, resulting in a more resilient security posture overall
"Splunk dramatically reduces security risks at MBDA Germany. The software helps us to work much more efficiently, gain visibility across our entire network, react more quickly to security breaches and use insights from our data analysis to inform our future security strategy."
— Head of IT and Project Manager Information Technology, MBDA Germany
Thank you!
Q&A
Editor's Notes

• #6: Let's start with today's ever-changing threat landscape. With all the news on cyber attacks and security breaches, you know we are constantly up against three very sophisticated adversaries: cyber criminals, nation states and malicious insiders, all going after the major stakes of our lives, our companies and our nations.
• #7: Three numbers in the cyber security statistics are very telling, and we should pay close attention to them: 100% of breaches were carried out using valid credentials; it still takes a median of 229 days to detect a breach; and with all the security technology deployed in enterprises, 53% of breaches are still first reported to the enterprise by a third party (FBI, SS).
• #9: People are the most important part of your business. Splunk empowers your security teams with data. Your security teams perform a number of tasks (next slide).
• #10: Splunk products are used for data volumes ranging from gigabytes to hundreds of terabytes per day. Splunk software and cloud services reliably collect and index machine data, from a single source to tens of thousands of sources, all in real time. Once data is in Splunk Enterprise, you can search, analyze, report on and share insights from your data. The Splunk Enterprise platform is optimized for real-time, low-latency interactivity, making it easy to explore, analyze and visualize your data. This is described as Operational Intelligence. The insights gained from machine data support a number of use cases and can drive value across your organization. Splunk Cloud is available in North America and offers Splunk Enterprise as a cloud-based service, essentially giving you Operational Intelligence without any operational effort.
• #15: What are the challenges we see and what can we do about them? In most of the attacks we are seeing, compromised or misused credentials are involved. On top of that we have all the security devices (IDS, firewall, endpoint monitoring systems) creating alerts, and prioritizing them is very hard because there is no alert that says "you are breached". It is all about prioritization and removing false positives. You might also not have the people to review the alerts: there are not enough security people in your company, nor in the industry as a whole; by 2019 the industry will be short 1.5 million people. That is good for us, but not for your company. Conclusion: we need to work smarter and we need to automate.
• #16: The foundation is a real-time big data architecture. All the data you send to it is analyzed, and the behavior in that data is modelled using unsupervised machine learning. If you are familiar with ML you know there is supervised and unsupervised learning. With supervised learning the system needs labelled examples: someone has to tell it which events are bad and which are not. With unsupervised learning the system learns on its own. We need about two weeks per user and about 10k-20k data points; from this we automatically learn the behavior and then look for outliers to see if anything is wrong. There are hundreds of anomaly types: somebody signs on at a strange time, somebody signs into a system they usually don't sign into, somebody sends data to a system they don't usually send data to.
• #17: We do behavior modelling on all the data that is sent in. The product is called User Behavior Analytics, but we don't just focus on the user; other products focus only on the user. We could call the product User and Entity Behavior Analytics, because we analyze the behavior of all entities: hosts, the network (segments, IPs, ...), applications and data. All of this is then joined together: one user, on a specific host, within the office network, makes an SSH connection or a Windows file transfer; an application such as SFDC or SNOW accesses specific data on a specific host. For each such entity we build a relationship model, a behavior model.
• #18: If we look at the chain of events for the malicious insider on the previous slide, this is how UBA would help catch it. We see John connect via VPN and elevate his privileges: an unusual sequence of events for that user. We also see him connect to an unusual zone (Corp→PCI). Every one of these anomalies is joined into one threat, which the SOC analyst can review.
• #19: What kind of data do we need? As we are profiling user behavior we need data to do that profiling. The classic and most important sources are your domain controllers: where users are logging in from and when. Second on the list are DNS and DHCP: which hosts are which, which laptops in your organization are connected, and their traffic. We also need network information to know which systems are communicating with which. Particularly for traffic going out to the Internet we want information from your proxy server, to see which sites are being accessed and potentially spot beaconing hosts.
• #23: (a) Continuation of the integration: in-depth investigation is enabled by bringing UBA anomalies in as a sourcetype, significant because every field is then available in ES. (b) Describe the solution: the value of ES, notable events, incident response, added context. (c) Increasing threat intel coverage; mention leadership and the WP.
• #24: Now you can track your investigations into security incidents on an investigation timeline. This tool lets you visualize and document the progression of an incident and the steps you take during your investigation. Add notable events, Splunk events and information from your investigator journal, which logs items in your action history.
• #25: UBA has been integrated into Enterprise Security, and you will see key security indicators, risk scoring and notable events from UBA in Enterprise Security.
• #28: Over 4,000 security/compliance customers worldwide, of all sizes and verticals. While not listed here, hundreds of SMBs and individuals also use Splunk for security/compliance.
• #29: John Lewis. Industry: retail and e-commerce. Splunk use cases: security (phishing, centralized visibility, automated actions). SplunkLive session: http://de.slideshare.net/Splunk/splunklive-london-john-lewis
• #30: MBDA Germany. Industry: manufacturing. Splunk use cases: security incident investigation, threat intelligence, correlation of CERT tickets. Challenges: lack of visibility across the entire infrastructure; undetected security threats in the network. Splunk products: Splunk Enterprise, Splunk Enterprise Security. Data sources: network logs, endpoint logs, server logs, data from switches, data from gateways, authentication logs. Case study: http://www.splunk.com/en_us/customers/success-stories/mbda.html