SplunkLive! London 2017 - An End-To-End Approach: Detect via Behavious and Respond vis SIEM

Editor's Notes

• #2: Hello All Welcome, thanks for coming today and choosing to listen in to this session. MY name is Robert Farnod I'm a security Specialist in the for Splunk and tMark is one of our top security SE’s who will be showing you hands on some of our securty products today. So, today we will be speaking to you about how splunk provide -An End-To-End security Approach: Detect via Behavior and Respond via SIEM We have had a slight name change to the session you signed up to but the content is mostly the same!
• #3: So the goals of the session Tody wewill highlight how splunks core SPL language allows you to detect behavior based monitoring and alerting and feed that into a ML solution Detect anomalies and identify data exfiltration using ML, translate those anomalies to real threats and visualize over the kill chain. Showcase how to use security essitials app, UBA product and ES working together, use contextual information and ultimately stop data exfiltration.
• #4: Not only external acttacks you need to be worried about. Insider threat is very real, and you need to be proactive to gain visibility of what’s happening in your organisation. Employees best assets and weakest link.
• #6: The majority of successful compromises need some form of privileged corporate access at some point. This means the keys of the kingdom, Your highly privileged accounts, should be closely monitored.
• #7: Why ? Because its difficult to detect some of these attacks, especially the llong and and slow attacks. How can you do it? Traditional alerting may not have the scope to put an event from 3 months ago with an event that juts happened today. If you try you’ll end up either alertng on far too much and taking too much resource or not alerting on anything at all. By the time it takes to realize a breach, a lot of damaged has likely already been done.
• #8: This slide shows the trend of how the industry is transforming - moving to a deeper more analytical approach. Siem ++, analyzing Packet data then just responding to tradition ids alarms, focusing on automating or preparing to implement fast response procedures.
• #9: WHAT IS AN ENTITY? An entity can be a user, device, application, service account, file and so on. WHAT IS BEHAVIOR CENTRIC DETECTION? Learning from entity’s activity and calling it ‘Normal’. Then observing deviation from this Normal and alerting on it. The deviations can be off an entity’s baseline or its peer group baseline.
• #10: 1)What use cases do you want to address? Do these align to to your business objectives? What uses cases does any product you are looking at deliver? 2) What data sources are needed to solve these use cases? Info must exist! 3) what techniques /methods are being employed, how far to the methods really go?
• #11: High level uses cases we have grouped together here: 5)Provide a platform for incident investigation
• #12: User identity and Device info from CMDB for example Drop Box, Box are examples of Cloud App and so is Office 365. We detect anomalies and threats against those, login failure, email to self, etc. Apllication logs DNS, DNS tunneling link back?? Essentaiil All Dat is sceutitu relevant
• #13: Stats vs ML explanation High level Methods? First is the traditional alerting ,thresholds, custom reporting Next level is starting to look for anomalous behaviour using staticitcs like standard dev. The most advanced method is to start using machine learning to to start finding the unknown threats that deviate from the baseline of normal.
• #14: This is a high level overview of the Splunk security portfolio which we will be discussing today. The realm of known Splunk Enterprise core platform Human driven, you decide what to look for. Rules and statistical analysis. Including Sec essentials which we will discuss in a bit The realm of unknown Splunk UBA which is unsupervised Machine Learning Driven analysis Entity Baselining Anomalous behavior These both feed into Enterprise Sec which is your premium SIEM ++ security platform provides management dashboard to understand your risk, workflow to track your investigations, enrichment data to give further insight adaptive repsonse to automate and integrate with partners.
• #15: So now we move on to talk about that Sec Ess app I mentioned earlier and goal 1!
• #16: Start our first goal! Highlight the ability to write a SPL and feed it to a Machine Learning solution
• #17: So what is it The app provides over 50 working examples of User and entity behavior analysis just using core Splunk SPL, Also included is demo data so you can understand how these work straight away. It does things like First Time analysis. – IS this the first time this user has ever logged on to a specific server? Time series analysis, is one of the bad guys changing many more file names than usual to evade detection? You can use all of these working examples to learn from and writie simialr queries. Another great feature that Mark will show is it will analyze your data which has beeen aligned to a CIM and tell you which ones you can enable straight away! And what is missing if not. What is the public description of the app? Detect insiders and advanced attackers in your environment with the free Splunk Security Essentials app. This app uses only Splunk Enterprise to show 40+ working examples of the most common user and entity behavior analysis (UEBA) based where possible on Splunk's Common Information Model (CIM). Each use case also includes example demo data so you can see results immediately. The use cases leverage analytics to give analysts the ability to detect unusual activities like users who print more pages than usual (spike detection) or logon to new servers (first seen behavior), the ability to see when adversaries change file names to evade detection, and many more. Each use case includes the expected alert volume, an explanation of how the search works, description of the security impact, and you can save searches directly from the app to leverage any alert actions you have installed such as creating a Notable Event or Risk Indicator in Splunk ES, an External Alarm in Splunk UBA, or just sending email for review.   What is the mission of the app? Provide working examples of the most common use cases in the UEBA space, that can be built out on Splunk Enterprise for free. These proof points / examples are akin to much of what other, lesser vendors are claiming as UBA, which are actually just basic analytics that can be done easily with Splunk Enterprise and do not require the advanced machine learning of a full featured User Behavioral Analytics solution like Splunk UBA. The examples in the app can be used as is, and are also fully documented so they can be customized for more specific end-user scenarios.   What use-cases does this app offer? The use-cases are generic search builders for doing time series analysis and first time analysis, which you can apply to any data you have in Splunk, for any use case you might desire. The app includes many pre-built reports based on Common Information Model data, and includes demo data as examples. Each use case includes the expected alert volume -- for "low" you can expect the alert to fire rarely, probably only every few weeks if that, whereas high volume alerts are likely to fire multiple times per day and should be sent into some upstream processing such as the Splunk ES or Splunk UBA. To make the examples easy to follow, they are organized by Security Domain. Select the Security Domain you're interested in (or just select All Examples) below.
• #18: No over to Mark who will give you an overview of the app, buthas probably hidden all his own suspicious activity already.
• #19: Thanks Mark. So lets quickly recap what Sec Essnetialas provides. Its free! IT utiises some of the most common security data tyoes, and provides ove 50 working examples of UEBA like detection using core splunk finding human driven outliers .. But what if you don’t know what your looking for? What about the unknown anmolies? And how do you verify if these anomalies are threats? And how do you visualise these over a kill chain?????
• #20: These questions tie nicely back into our 2nd goal.
• #21: SO this is where our Slunk UBA platform comes to the fore.
• #22: Splunk UBA leverages unsupervised machine learning algorithms to detect anomalous behavior and unknown attack or insider threats
• #23: Lets say it analyses 10 billion raw events It may find 10 million anomalies through its unsupervised machine learning anomalies. UBA then takes those anomalies and determines how those anomalies are related into sequences of patterns to create threats. Thread modeling It uses graph analysis to then map these threat sequences of events onto the kill chain.
• #24: So this slide is similar to security essentials which generates also generates anomaly classifications but you can see these anomalies are less specific, Unusual behavior here is undefined but they are still ver interesting. The Second layer of thread modeling ML then turns these into threats. Lets say mark and filip both start generating some anomalies related to simlar entities,servers or data being touched. UBA will link these together , maybe the account is compromised? But there is no obvious intrusion phase? This is starting to look like an inseider threat.
• #26: To combat or solve this complex space of these sort of attacks there are 5 core pillars, which are the secret sauce to our Splunk UBA solution. It is a A solution that is real-time, and leverages a big data architecture to achieve this, ingetsing data from splunk core platform. multi entitity behavour modelling and baselining. Algorthms using an unsupervised machine learning approach That then creates anomaly detection and the second layer tuns into Threats,, In addition, a multi-layered ML models stitches these anomalies into different threat patterns. -------
• #28: Detects these unknown threats which tradition sec products cant find. - BETTER DETECTION Reduce anayst time but stitiching these anmolies together for you into single threats _SOC PRODUCTIVITY visualize over kill chain – faster insight and interpretation
• #30: We havent spoken much about this yet, but hopefully you were all in the last session….
• #32: It sits on top of Splunk and provides 4 types of functionality Monitor and reports – predefined dashboard views and reports Detect and Alert – out of the box correlation rules and threshold alerts, providing a framework to add more. A platform to analyze and investigate the alerts, adding an abundance of enrichment data and analysis tools. Response platform for you to easily take the right actions quick or even automatically, with Adaptive response letting you integrate with many other security tools you may have.
• #33: Sec essentials – free app using statists to find targeted anomalies. UBA to find unknown anomalies ES where it is all put together. As you’ve seen Sec essential can send alarms into UBA to increase criticality of threats. IT can also send directly to ES if you don’t have UBA yet. UBA also can send its threats into ES, but provide a nice easy mechanism to switch back between the products as part of your investigation. And remember its not just Sec essentials , any other customer alert you write can be fed into UBA and or ES for investigation
• #34: 1 - Heimdal Security – 10 Surprising Cyber Security Facts That May Affect Your Online Safety – Andra Zaharia – 2016
• #36: We can find them and stop them!
• #37: You can detect and respond
• #38: Leader in innovation
• #40: Doesn’t matter if you’re just getting started with Splunk or are a veteran user, everyone learns something and gets reenergized at .conf. 4 inspired Keynotes 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended so many like minded guys will be there. REGISTRATION IS OPEN now , sessions will be posted by end of June
• #42: Don’t forget to complete today’s survey at ponypoll.com/slsf for your chance to win a .conf2017 pass. A winner will be identified tomorrow through a random drawing from completed surveys and will be notified via email.