2. Fill out the Postcard and win a SONOS Play:1 today
6. FAMILIAR WITH THESE THREATS?
January 2015   Morgan Stanley                    730K PII records
February 2015  Anthem Insurance                  80M patient records
February 2015  Office of Personnel Management    22M PII records
July 2015      Ashley Madison                    37M PII records
7. SO, WHAT IS THE PROBLEM?
- Compromised / misused credentials or devices
- Lack of resources (security expertise)
- Lack of alert prioritization and excessive false positives
8. EXTERNAL ATTACK
USER ACTIVITY (timeline: Day 1 ... Day 2 ... Day N)
1. Peter and Sam access a compromised website; a backdoor gets installed.
2. The attacker uses Peter's stolen credential and VPNs into the Domain Controller.
3. The attacker uses the backdoors to download and execute WCE, a password cracker.
4. Peter's and Sam's devices begin communicating with CnC.
5. The attacker logs in as Sam and accesses sensitive documents from a file share.
6. The attacker steals the admin Kerberos ticket and escalates the privileges for Sam.
7. The attacker uses Peter's VPN credential to connect, copies the docs to an external staging server, and logs out after three hours.
9. INSIDER THREAT
USER ACTIVITY (timeline: Day 1 ... Day 2 ... Day N)
1. John connects via VPN.
2. Administrator performs ssh (root) to a file share in the finance department.
3. John executes remote desktop to a system (administrator) in the PCI zone.
4. John elevates his privileges.
5. root copies the document to another file share in the Corporate zone.
6. root accesses a sensitive document from the file share.
7. root uses a set of Twitter handles to chop and copy the data outside the enterprise.
15. DESIGNED FOR A SOC ANALYST
- Threat detection
- ML-driven automated anomaly correlation
16. INSIDER THREAT
USER ACTIVITY (timeline: Day 1 ... Day 2 ... Day N)
1. John connects via VPN.
2. Administrator performs ssh (root) to a file share in the finance department.
3. John executes remote desktop to a system (administrator) in the PCI zone.
4. John elevates his privileges.
5. root copies the document to another file share in the Corporate zone.
6. root accesses a sensitive document from the file share.
7. root uses a set of Twitter handles to chop and copy the data outside the enterprise.
Anomalies surfaced along this chain (in slide order):
- Unusual machine access (lateral movement; individual and peer group)
- Unusual zone (Corp->PCI) traversal (lateral movement)
- Unusual activity sequence
- Unusual zone combination (PCI->Corp)
- Unusual file access (individual and peer group)
- Multiple outgoing connections and unusual SSL session duration
17. WHAT DOES SPLUNK UBA NEED?
Data sources: proxy server, firewall, Active Directory / Domain Controller, DNS, DHCP.
Fed from Splunk Enterprise or any SIEM at a minimum.
19. WHY SPLUNK UBA?
- The most advanced UEBA technology
- The largest investment in machine learning
- A complete solution from Splunk
- Detect the unknowns
- Improve SOC and hunter efficiency
20. WHAT CUSTOMERS HAVE TO SAY ABOUT SPLUNK UBA
"Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that don't scale. We are pleased with the efficacy and efficiency of this solution as it makes the life of our SOC analysts way better."
Mark Grimse, VP IT Security, Rambus
"A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it's crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space."
Randolph Barr, CSO, Saba
21. Fill out the Postcard and win a SONOS Play:1 today
If you look back at the technology evolution, it all started with antivirus scanners, then network security to segment the networks.
Then we got to early correlation in 2008 with traditional Security Information and Event Management (SIEM): rules such as 10 failed logons followed by a successful logon.
After all of these we saw a big trend in object analysis, the kind you get with Palo Alto Networks WildFire sandboxing technology: analyse a PDF file's behaviour when you open it and see whether it is malicious or not.
Now we are starting a new era with machine learning behaviour analytics from big data.
This is from an IDC report. We see that 10 billion has been spent on firewalls, all sandboxing technologies included. You probably have this today.
The market is about 16 billion dollars, but we still need more tools. Why?
Because we still see breaches happening. If we look back at last year we saw some high-profile breaches.
Attacks are more sophisticated and personalised. 100% of breaches use legitimate accounts and credentials.
The available tools are producing way more alerts than any one person or team can cope with, and many of them are false positives.
To compound that problem there is a lack of available security expertise. There is 100% employment amongst security professionals.
“Do not just rely on perimeter security. Use a threat intelligence platform to be able to recognize potential malware activity from multiple threat intelligence sources and act upon it.”
Let's think about an insider threat.
If somebody is authorized and can access the information, the firewall will not help you, the proxy server will not help you, the IPS will not help you.
You might have a DLP system, but it will probably not be implemented properly; they are very difficult to configure.
Performs ssh: lateral movement.
This can happen in any organisation, and it is difficult to detect these flows as malicious among all the other legitimate flows.
If you define this chain of events as a rule and look for it again, it might detect it. But if any of these steps is changed, it will not be seen again.
What can we find with the UBA product? What is unique is that it is use-case driven. It can detect malicious insider threats, detect advanced cyber attacks, and cover user activity use cases.
The foundation is a real-time big data architecture. All of the data you send to it is analyzed, and the behaviours in that data are analyzed using models.
This is all done with unsupervised machine learning. If you are familiar with ML you know it comes in two flavours: supervised and unsupervised.
With supervised learning the system flags things up and you typically need to say yes or no, whether this is bad or not.
With unsupervised learning the system learns on its own. We need about two weeks for a user and about 10k-20k data points, and from this we automatically learn the behaviour to see if it is wrong or right. Based on this behaviour we find any outlier to see if anything is wrong. There are hundreds of types of anomalies: somebody signs on at a strange time; somebody signs into a system they usually don't sign into; somebody sends data to a system they don't usually send data to.
The system is based on a real-time data architecture.
It scales in a similar way to Splunk Enterprise and uses MapReduce concepts.
It scales to more than half a billion events per day.
We do behaviour modelling on all the data that is sent in.
The product is called User Behaviour Analytics; however, we don't just focus on the user. There are other products that focus only on the user.
We could call the product User and Entity Behaviour Analytics, as we analyze all behaviour from all entities. This means from hosts, from the network (segments, IPs...), applications, and data.
All of this is then joined together: one user, on a specific host, within the office network, is doing an SSH connection or a Windows file transfer; SFDC, SNOW etc. is accessing specific data on a specific host.
For each such entity we create a relationship model, a behaviour model.
We do a User & Entity Behaviour Baseline, which is what I just showed you. Consider that your system may already be compromised when installing UBA: the threat behaviours will then seem normal, and we might miss a threat.
To get around this we also do peer group analysis. Based on this we will see that among users in a specific department in a region, one person may be behaving differently from his peers. We will then surface an already infected account.
There are many other attack defences, as you can see on the slide here.
Built around all of these behaviour models are anomalies. These anomalies are designed to be used by a hunter: somebody who is doing security analysis and research.
This might be hundreds or even thousands of anomalies that this hunter will go through to paint a picture of the current status, or to investigate an incident, a user or an entity.
However, this is not something you want to do every day as part of your standard procedures. UBA also takes these anomalies to the next level by connecting them, through visualizations and graphs, into threats.
How did they get in? How did they step through the network? Which systems did they access? If it is not too late, which data did they exfiltrate?
SOC analysts want the bigger picture, and this is how they will consume the output of UBA.
UBA does both anomaly detection and threat detection out of the box. It speeds up the efficiency of your SOC and security team.
If we look at the previous chain of events for the malicious insider, this is how UBA would aid in preventing that from happening.
We can see that John connected with VPN and elevates his privileges. This means there is an unusual sequence of events for that user.
We also see that he is connecting to an unusual zone (Corp->PCI).
Every one of these anomalies is joined together into one threat, which the SOC analyst can review.
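To make the preceding notes concrete (the two-week baseline and outliers, the peer group analysis, and the joining of one user's anomalies into a single threat for the insider chain above), here is an added example written for this page; it is not Splunk UBA code. The department mapping, the two-week history and the Day N events are constructed, and the anomaly kinds follow the labels on slide 16.

```python
from collections import defaultdict

PEERS = {"john": "finance", "alice": "finance"}  # assumed department mapping

# Constructed two-week baseline, condensed: daily events for john and his peer alice.
# Event tuple: (user, action, src_zone, dst_zone)
HISTORY = [("john", "vpn", "internet", "corp"), ("john", "ssh", "corp", "corp"),
           ("alice", "vpn", "internet", "corp"), ("alice", "ssh", "corp", "corp"),
           ("alice", "rdp", "corp", "corp")] * 14

# Constructed Day N events mirroring the insider chain on the slide.
DAY_N = [("john", "vpn", "internet", "corp"),
         ("john", "ssh", "corp", "corp"),
         ("john", "rdp", "corp", "pci"),      # Corp->PCI traversal
         ("john", "elevate", "pci", "pci"),   # privilege elevation
         ("john", "copy", "pci", "corp")]     # PCI->Corp zone combination

def build_baselines(history):
    """Learn, per user and per peer group, which (action, src, dst) tuples and
    which consecutive action pairs were seen in the baseline window."""
    acts, seqs, grp, last = defaultdict(set), defaultdict(set), defaultdict(set), {}
    for user, action, src, dst in history:
        acts[user].add((action, src, dst))
        grp[PEERS[user]].add((action, src, dst))
        if user in last:
            seqs[user].add((last[user], action))
        last[user] = action
    return acts, seqs, grp

def detect_anomalies(events, acts, seqs, grp):
    """Flag behaviour absent from the user's baseline; note whether peers show it."""
    found, last = [], {}
    for user, action, src, dst in events:
        key = (action, src, dst)
        if key not in acts[user]:
            scope = "individual" if key in grp[PEERS[user]] else "individual+peer"
            kind = "unusual zone traversal" if src != dst else "unusual action"
            found.append((user, f"{kind}: {action} {src}->{dst}", scope))
        if user in last and (last[user], action) not in seqs[user]:
            found.append((user, f"unusual sequence: {last[user]}->{action}", "individual"))
        last[user] = action
    return found

def correlate(anomalies, threshold=3):
    """Join one user's anomalies into a single threat for the SOC analyst once
    enough of them stack up; isolated anomalies stay hunter material."""
    per_user = defaultdict(list)
    for user, desc, scope in anomalies:
        per_user[user].append((desc, scope))
    return {u: a for u, a in per_user.items() if len(a) >= threshold}
```

Running detect_anomalies(DAY_N, *build_baselines(HISTORY)) flags six anomalies for john (the PCI traversal, the elevation, the PCI->Corp copy, and the three never-seen action sequences), and correlate joins them into one threat, while a normal VPN-then-ssh day yields none.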
Here are some real-world examples that our customers are seeing, either in production or in the evaluation process.
A retail customer has detected some lateral movements they did not want.
A high-tech company detected some IP theft.
We have also seen, in a manufacturing company, some pass-the-hash attacks against a Microsoft system. You might be familiar with it.
Multiple occurrences of malware were detected where the endpoint protection did not see it, but it was detected through anomalous behaviour of the hosts and users.
You can feed data from Splunk Enterprise or, for that matter, any other SIEM solution.
At a minimum UBA needs information about users, flows and hosts.
UBA does not retain event data pertaining to threats and anomalies. To complete the solution, UBA can export its detected threats to Splunk Enterprise Security, where they are surfaced as Notable Events.
User details scroll down here
Demo_admin / UBA123
To conclude, and then I will point you to where you can find more resources on Splunk UBA.
It is the biggest investment in machine learning in the industry, and Splunk gives you a complete solution: end-to-end visibility, different use cases, and the full lifecycle of machine data from the collection phase to incident investigation to machine learning and back.
Splunk UBA improves your security operations center and your hunter efficiency.