SplunkLive Melbourne Splunk for Operational Security Intelligence
•
4 likes•691 views
This document provides an overview and agenda for a Splunk presentation on operational security intelligence. The presentation covers Splunk security capabilities including threat intelligence via lookups, the common information model for normalizing security data from multiple sources, and analyzing advanced Windows attacks via specific event IDs. It also discusses using security-related apps from Splunkbase. The document contains several legal disclaimers about forward-looking statements and roadmap information.
Recommended
Recommended
More Related Content
What's hot
What's hot (13)
Viewers also liked
Viewers also liked (20)
Similar to SplunkLive Melbourne Splunk for Operational Security Intelligence
Similar to SplunkLive Melbourne Splunk for Operational Security Intelligence (14)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
SplunkLive Melbourne Splunk for Operational Security Intelligence
- 2. 2 2 > James Overman joverman@splunk.com • Splunk Sales Engineer • Over 20 years in IT infrastructure & security • CISSP • Worked for leading security integrators and vendors whoami
- 3. 3 LEGAL NOTICE During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward- looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
- 6. New approach to security operation is needed • Human directed • Goal-oriented • Dynamic (adjust to changes) • Coordinated • Multiple tools & activities • New evasion techniques • Fusion of people, process, & technology • Contextual and behavioral • Rapid learning and response • Share info & collaborate • Analyze all data for relevance • Leverage IOC & Threat Intel THREAT Attack Approach Security Approach 6 TECHNOLOGY PEOPLE PROCESS
- 7. New approach to security operation is needed THREAT Attack Approach Analytics-driven Security Security Approach 7 TECHNOLOGY PEOPLE PROCESS • Human directed • Goal-oriented • Dynamic (adjust to changes) • Coordinated • Multiple tools & activities • New evasion techniques
- 9. 9 Splunk Solutions VMware Platform for Machine Data Exchange PCISecurity Across Data Sources, Use Cases and Consumption Models IT Svc Int Splunk Premium Solutions Ecosystem of Apps ITSI UBA UBA Mainframe Data Relational Databases MobileForwarders Syslog/TCP IoT Devices Network Wire Data Hadoop & NoSQL
- 10. 10 Put it All Together – Security Maturity Level q APT detection/hunting (kill chain method) q Counter threat automation q Threat Intelligence aggregation (internal & external) q Fraud detection – ATO, account abuse, q Insider threat detection q Replace SIEM @ lower TCO, increase maturity q Augment SIEM @ increase coverage & agility q Compliance monitoring, reporting, auditing q Log retention, storage, monitoring, auditing q Continuous monitoring/evaluation q Incident response and forensic investigation q Event searching, reporting, monitoring & correlation q Rapid learning loop, shorten discover/detect cycle q Rapid insight from all data q Fraud analyst q Threat research/Intelligence q Malware research q Cyber Security/Threat q Security Analyst q CSIRT q Forensics q Engineering q Tier 1 Analyst q Tier 2 Analyst q Tier 3 Analyst q Audit/Compliance Security Operations Roles/Functions Reactive Proactive Search and Investigate Proactive Monitoring and Alerting Security Situational Awareness Real-time Risk Insight
- 11. Fraud Detection Insider Threat Advanced Threat Detection Security & Compliance Reporting Incident Analysis & Investigations Real-time Monitoring & Alerting Security Intelligence Use Cases Splunk provides solutions that address SIEM use cases and more Security & Compliance Reporting Incident Analysis & Investigations Real-time Monitoring & Alerting
- 12. 12 Example of Advanced Threat Activities HTTP (web) session to command & control server Remote control, Steal data, Persist in company, Rent as botnet WEB Conduct Business Create additional environment Gain Access to system Transaction .pdf .pdf executes & unpacks malware overwriting and running “allowed” programs Svchost.exeCalc.exe Attacker hacks website Steals .pdf files Web Portal.pdf Attacker creates malware, embed in .pdf, Emails to the target MAIL Read email, open attachment Threat intelligence Auth - User Roles Host Activity/Security Network Activity/Security
- 13. Aug 08 06:09:13 acmesep01.acmetech.com Aug 09 06:17:24 SymantecServer acmesep01: Virus found,Computer name: ACME-002,Source: Real Time Scan,Risk name: Hackertool.rootkit,Occurrences: 1,C:/Documents and Settings/smithe/Local Settings/Temp/evil.tmp,"""",Actual action: Quarantined,Requested action: Cleaned, time: 2009-01-23 03:19:12,Inserted: 2009-01-23 03:20:12,End: 2009-01-23 03:19:12,Domain: Default,Group: My CompanyACME Remote,Server: acmesep01,User: smithe,Source computer: ,Source IP: 10.11.36.20 Aug 08 08:26:54 snort.acmetech.com {TCP} 10.11.36.20:5072 -> 10.11.36.26:443 itsec snort[18774]: [1:100000:3] [Classification: Potential Corporate Privacy Violation] Credit Card Number Detected in Clear Text [Priority: 2]: 20130806041221.000000Caption=ACME-2975EBAdministrator Description=Built-in account for administering the computer/domainDomain=ACME-2975EB InstallDate=NULLLocalAccount = IP: 10.11.36.20 TrueName=Administrator SID =S-1-5-21-1715567821-926492609-725345543 500SIDType=1 Status=Degradedwmi_ type=UserAccounts 13 Monitoring & Alerting Sources All three occurring within a 24-hour period Example Correlation – Data Loss Source IP Source IP Source IP Data Loss Default Admin Account Malware Found Time Range Intrusion Detection Endpoint Security Windows Authentication
- 15. 15 Incident Analysis & Investigation • Often initiated by an alert in another product • Investigation requiring rapid ad hoc searching across data over time • Need all the original data in one place and a fast way to search it to answer: – What happened and was it a false positive? – How did the threat get in, where have they gone and did they steal any data? – Has this occurred elsewhere in the past? • Take results and turn them into a real-time search/alert if needed client=unknown[9 9.120.205.249]<1 60>Jan 2616:27 (cJFFNMS DHCPACK =ASCII from host=85.19 6.82.110 truncating integer value > 32 bits <46>Jan ASCII from client=unknown January February March April
- 18. Threat intelligence Auth - User Roles, Corp Context Host Activity/Security Network Activity/Security 18 Advanced Threat Detection & Response WEB Conduct Business Create additional environment Gain Access to system Transaction MAIL .pdf Svchost.exeCalc.exe Events that contain link to file Proxy log C2 communication to blacklist How was process started? What created the program/process? Process making C2 traffic Web Portal.pdf
- 19. 19 Connect the “Data-Dots” to See the Whole Story Persist, Repeat Threat intelligence Auth - User Roles, Corp Context Host Activity/Security Network Activity/Security Attacker, know relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution Where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download What process is running (malicious, abnormal, etc.) Process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility Access level, privileged users, likelihood of infection, where they might be in kill chain Delivery, Exploit Installation Gain Trusted Access ExfiltrationData GatheringUpgrade (escalate) Lateral movement Persist, Repeat • Third-party Threat Intel • Open source blacklist • Internal threat intelligence • Firewall • IDS / IPS • Vulnerability scanners • Web Proxy • NetFlow • Network • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating System • Database • VPN, AAA, SSO
- 20. Threat intelligence Auth - User Roles, Corp Context Host Activity/Security Network Activity/Security Command & ControlExploitation & InstallationDelivery MAIL WEB WEB FW Accomplish Mission Connect the “Data-Dots” to See the Whole Story phishing Download from infected site 1 2 5 6 7 8 3 4 Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc. Threat Intelligence Data Email Data Or Web Data Host or ETDR Data Web or Firewall Data Threat Intelligence Data Identity Data
- 21. Threat intelligence Auth - User Roles, Corp Context Host Activity/Security Network Activity/Security Command & ControlExploitation & InstallationDelivery MAIL WEB WEB FW Accomplish Mission Start Anywhere, Analyze Up-Down-Across-Backwards-Forward phishing Download from infected site 1 2 5 6 7 8 3 4 Identity, Roles, Privileges, Location, Behavior, Risk, Audit scope, Classification, etc. • Third-Party Threat Intel • Open source blacklist • Internal threat intelligence • Firewall • IDS / IPS • Vulnerability scanners • Web Proxy • NetFlow • Network • Endpoint (AV/IPS/FW) • Malware detection • PCLM • DHCP • OS logs • Patching • Active Directory • LDAP • CMDB • Operating System • Database • VPN, AAA, SSO
- 22. Threat intelligence Host Activity/Security Network Activity/Security Command & ControlExploitation & InstallationDelivery Accomplish Mission Security Ecosystem for Coverage and Protection Auth - User Roles, Corp Context
- 24. 24Attack Map The Challenge: • Industry says Threat Intel is key to APT Protection • Management wants all threat intel checked against every system, constantly • Don’t forget to keep your 15+ threat feeds updated The Solution:
- 27. What can you do with it? Souretype=access_combined clientip=* | lookup threatlist srcip as clientip OUTPUT srcip as srcip threat_type as threat_type | stats count by clientip srcip threat_type | where clientip=srcip
- 31. Other options? • You could use SA-Splice from splunkbase • Use correlation searches to populate lookup files - outputlookup • Leverage KV store lookups • Enterprise Security
- 35. Data Ingest + Common Information Model ● You’ve got a bunch of systems… ● How to bring in: ● Network AV ● Windows + OS X AV ● PCI-zone Linux AV ● Network Sandboxing ● APT Protection ● CIM = Data Normalization
- 42. CIM Compliant!
- 44. • Tstats can search distributed .tsidx files • Use the search term – FROM datamodel=<datamodelname> • For example: • | tstatsavg(foo) FROM datamodel=buttercup_games WHERE bar=valuex • You should expect dramatically faster search results using this method Tstats and/or pivot– use them!
- 54. • Easily the most underrated app on Splunkbase • Turn every host on your network into a network sniffer! • Rapidly respond to security events by capturing data at the source • Highly configurable to capture only data of interest
- 57. • Check your data against a multitude of virus definition DB’s. • Free • Subscription • 4 checks per hour
- 60. 60 SEPT 26-29, 2016 WALT DISNEY WORLD, ORLANDO SWAN AND DOLPHIN RESORTS • 5000+ IT & Business Professionals • 3 days of technical content • 165+ sessions • 80+ Customer Speakers • 35+ Apps in Splunk Apps Showcase • 75+ Technology Partners • 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks • NEW hands-on labs! • Expanded show floor, Dashboards Control Room & Clinic, and MORE! The 7th Annual Splunk Worldwide Users’ Conference PLUS Splunk University • Three days: Sept 24-26, 2016 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP • Save thousands on Splunk education!
- 61. Thank You!