Understanding Security Issues as Patterns in Data

Mark Seward, Director, Security and Compliance Marketing
A Shift in Attack Vectors

[Chart: Data Volume ('Big-data') plotted against Time, from 1998 through 2005 to Today. Labels: "Data Explosion"; "Known signature-based threats"; "Unknown behavior-based attacks"; "The increasing number of attack signatures and attacks"; "Splunk meets the challenge of detecting pattern-based behaviors in a 'Big-data' context".]

              The 2nd Annual Splunk Worldwide Users Conference                    2	
                         © Copyright Splunk 2011
Beyond Signatures and Rules: People Trump Technology in a Behavioral Approach

• A move to a behavioral approach demands more emphasis on people and less on pure technology
• Behavioral approaches to security require a continuous application of human observation and judgment
• Allows the analyst to take the "actor view" to understand the goals and methods of persistent adversaries
• Requires you to baseline patterns of normal or expected behavior; select thresholds and triggers that will alert administrators to suspicious activities

Implementing a Pattern-based Strategy for Security

Enabling a Pattern-based Strategy for Security

• Splunk supports pattern modeling and adaptation for security for insider threats, fraud scenarios, and persistent adversaries
• Patterns enable a risk-based approach to anticipate attack vectors and attack patterns and behaviors

Seek -- activity and access patterns that contain the weak signals of a potential threat
Model -- implement analytics and assessment to determine which patterns present greater risk to the organization by qualifying and quantifying the impact
Adapt -- action to protect users, accounts, data and infrastructure from the threat that was discovered and assessed in the previous phases
(Gartner Research © 2010)



Security Event Patterns in Context

Augmented View Security Events

• View the web analytics data patterns as part of the web application attack
• Monitor changes in server/application performance (CPU) against a baseline as an indicator of an attack
• Understand authorized patterns of changes/additions to configurations and user accounts as part of fraud surveillance

[Diagram: overlapping circles labelled App Mgmt, IT Ops, Web Analytics and Security]

Security is a Big Data Problem with no boundaries from on-premise to 'cloud'


How is this Different from Traditional SIEM?

• Rules View
   – Breaking the speed limit
   – If one or more of these things happen let me know
   – Watches for only what is known
   – No concept of what is 'normal'

• Patterns view
   – Watches for rhythms in your data over time against what is 'normal' (normal will not be static)
   – Takes advantage of 'weak signals' from non-traditional security data
   – Watches for what you don't know
   – Patterns + Analytics enables decisions

Patterns allow for data to be viewed as a reflection of human behavior over time


Analytics and data patterns in practice

DoS Attacks

• DoS attacks at the network layer are massive floods of traffic from numerous sources, designed to overwhelm resources
• DoS attacks at the application layer target layer-7 and the HTTP protocol
  



Common Anatomy of a Typical DoS

• Source addresses usually spoofed – this also means no TCP session establishment possible
• True identity of source very difficult to obtain
• Attacks of significance generally from a botnet
• TCP and UDP most common; ICMP happens as well



HTTP Slow POST Attack

• Client issues an HTTP POST to a server
• Client says "I'm going to post a gig of data."
• Client sends the Host a gig, but only 1 byte a minute
• Service waits for the data transfer
• Usually in just a couple of minutes – La Morte


Dashboard – HTTP Slow POST

[Screenshot: "Slow Post Attack" dashboard]

Connection Exhaustion Based Attacks

• Host opens a connection to a server but doesn't send a single byte
• Each connection ties up an Apache process.
• Apache waits for the connection time out to expire, then closes the connection
• Connections fill up the Queue faster than they time out
• Default connection queue for Apache is set to 511


Dashboard – Connection Exhaustion

[Screenshot: "Attacks detected" dashboard]




Example: Time-based Pattern-detection for Malware Activity Discovery

Pattern: request for download immediately followed by more requests

• Fast requests following the download of a PDF, java, zip, or exe. If a download is followed by rapid requests for more files this is a potential indicator of a dropper.

Splunk pattern search:

• Time based transactions sorted by length
• source=proxy [search file=*.pdf OR file=*.exe | dedup clientip | table clientip] | transaction maxspan=60s maxpause=5s clientip | eval Length=len(_raw) | sort -Length




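The dropper search on this slide, re-implemented in Python as an added example (not code from the deck or from Splunk): the proxy log format, the sample lines, the .jar/.zip extensions standing in for "java" and "zip", and the minimum of two follow-up requests are constructed assumptions. It groups a client's requests into transactions with the slide's maxspan/maxpause limits, keeps those in which a download is followed by further requests, and sorts them by length as the SPL does.

```python
"""Python equivalent of:
source=proxy [search file=*.pdf OR file=*.exe | dedup clientip | table clientip]
  | transaction maxspan=60s maxpause=5s clientip | eval Length=len(_raw) | sort -Length
Added example; log format and sample lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed proxy log: timestamp, client IP, method, URL, status.
PROXY_LOG = """\
2011-08-15T10:00:00 10.1.1.20 GET http://intranet.example.test/index.html 200
2011-08-15T10:00:03 10.1.1.20 GET http://intranet.example.test/style.css 200
2011-08-15T10:01:10 10.1.1.20 GET http://docs.example.test/handbook.pdf 200
2011-08-15T10:12:00 10.1.1.20 GET http://news.example.test/ 200
2011-08-15T10:05:00 10.1.1.77 GET http://cdn.example.test/invoice.pdf 200
2011-08-15T10:05:02 10.1.1.77 GET http://203.0.113.9/stage2.bin 200
2011-08-15T10:05:04 10.1.1.77 GET http://203.0.113.9/stage3.bin 200
2011-08-15T10:05:05 10.1.1.77 GET http://203.0.113.9/cfg.dat 200
2011-08-15T10:05:08 10.1.1.77 POST http://203.0.113.9/report 200
2011-08-15T10:30:00 10.1.1.77 GET http://intranet.example.test/index.html 200
2011-08-15T10:07:00 10.1.1.90 GET http://intranet.example.test/a.html 200
2011-08-15T10:07:01 10.1.1.90 GET http://intranet.example.test/b.html 200
2011-08-15T10:07:02 10.1.1.90 GET http://intranet.example.test/c.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Slide: "PDF, java, zip, or exe"; the extension list is an assumption.
DOWNLOAD_TYPES = (".pdf", ".exe", ".zip", ".jar")


@dataclass
class Event:
    time: datetime
    clientip: str
    method: str
    url: str
    raw: str


@dataclass
class Transaction:
    clientip: str
    events: list[Event] = field(default_factory=list)

    @property
    def length(self) -> int:
        # Equivalent of eval Length=len(_raw) on the merged transaction event.
        return sum(len(e.raw) for e in self.events) + max(len(self.events) - 1, 0)


def parse(log: str) -> list[Event]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that does not fit the constructed format
        ts, ip, method, url, _status = m.groups()
        events.append(Event(datetime.fromisoformat(ts), ip, method, url, line))
    return events


def is_download(url: str) -> bool:
    path = url.split("?", 1)[0].lower()
    return path.endswith(DOWNLOAD_TYPES)


def downloaders(events: list[Event]) -> set[str]:
    # Subsearch: [search file=*.pdf OR file=*.exe | dedup clientip | table clientip]
    return {e.clientip for e in events if is_download(e.url)}


def transactions(events: list[Event], clientip: str,
                 maxspan: timedelta = timedelta(seconds=60),
                 maxpause: timedelta = timedelta(seconds=5)) -> list[Transaction]:
    # transaction maxspan=60s maxpause=5s clientip, for one client:
    # a new transaction starts when the pause since the previous event exceeds
    # maxpause or the total span would exceed maxspan.
    out: list[Transaction] = []
    cur: Transaction | None = None
    for e in sorted((e for e in events if e.clientip == clientip), key=lambda e: e.time):
        if (cur is None or e.time - cur.events[-1].time > maxpause
                or e.time - cur.events[0].time > maxspan):
            cur = Transaction(clientip)
            out.append(cur)
        cur.events.append(e)
    return out


def dropper_candidates(log: str, min_followups: int = 2) -> list[Transaction]:
    """Transactions in which a download is followed, within the pause/span limits,
    by at least min_followups further requests, sorted by Length descending."""
    events = parse(log)
    hits = []
    for ip in sorted(downloaders(events)):
        for txn in transactions(events, ip):
            idx = next((i for i, e in enumerate(txn.events) if is_download(e.url)), None)
            if idx is None:
                continue
            if len(txn.events) - idx - 1 >= min_followups:
                hits.append(txn)
    return sorted(hits, key=lambda t: t.length, reverse=True)
```

Run against the sample, only 10.1.1.77 is returned: its invoice.pdf is followed within seconds by four more requests, while 10.1.1.20's handbook.pdf stands alone in its transaction.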
Example: Patterns of Beaconing Hosts to Command and Control

Pattern:

• APT malware 'beacons' to command and control at specific intervals

Splunk pattern search:

• Watching for hosts that talk to the same URL at the same interval every day
• … | streamstats current=f last(_time) as next_time by site | eval gap = next_time - _time | stats count avg(gap) var(gap) by site
• What you'd be looking out for are sites that have a low var(gap) value.

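The beaconing search on this slide, re-implemented in Python as an added example (not code from the deck or from Splunk): the event format and sample data are constructed, the grouping is by client and site rather than by site alone so that one regular host is not averaged away by other hosts talking to the same site, and the variance and count thresholds are assumptions. var(gap) is the sample variance, as Splunk computes it.

```python
"""Python equivalent of:
... | streamstats current=f last(_time) as next_time by site | eval gap = next_time - _time
    | stats count avg(gap) var(gap) by site
Added example; event format and sample data are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, variance

# Constructed proxy events: timestamp, client IP, destination site.
# 10.1.1.77 reaches 203.0.113.9 every ~300 s; the other two hosts browse irregularly.
PROXY_EVENTS = """\
2011-08-15T09:00:00 10.1.1.77 203.0.113.9
2011-08-15T09:05:01 10.1.1.77 203.0.113.9
2011-08-15T09:10:00 10.1.1.77 203.0.113.9
2011-08-15T09:15:01 10.1.1.77 203.0.113.9
2011-08-15T09:19:59 10.1.1.77 203.0.113.9
2011-08-15T09:25:00 10.1.1.77 203.0.113.9
2011-08-15T09:00:10 10.1.1.20 intranet.example.test
2011-08-15T09:00:52 10.1.1.20 intranet.example.test
2011-08-15T09:07:30 10.1.1.20 intranet.example.test
2011-08-15T09:08:05 10.1.1.20 intranet.example.test
2011-08-15T09:31:40 10.1.1.20 intranet.example.test
2011-08-15T09:33:00 10.1.1.20 intranet.example.test
2011-08-15T09:02:00 10.1.1.90 news.example.test
2011-08-15T09:32:00 10.1.1.90 news.example.test
"""


def parse(text):
    """(time, src, site) tuples from the constructed format."""
    rows = []
    for line in text.splitlines():
        ts, src, site = line.split()
        rows.append((datetime.fromisoformat(ts), src, site))
    return rows


def gaps_by_key(rows):
    """streamstats current=f last(_time) as next_time ... | eval gap = next_time - _time
    Grouped by (src, site), an assumption that tightens the slide's 'by site'."""
    times = defaultdict(list)
    for t, src, site in rows:
        times[(src, site)].append(t)
    gaps = {}
    for key, ts in times.items():
        ts.sort()
        gaps[key] = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return gaps


def beacon_stats(rows):
    """stats count avg(gap) var(gap) by <key>; var is the sample variance."""
    stats = {}
    for key, g in gaps_by_key(rows).items():
        if len(g) < 2:
            continue  # variance is undefined with fewer than two gaps
        stats[key] = {"count": len(g) + 1, "avg_gap": mean(g), "var_gap": variance(g)}
    return stats


def beacon_candidates(rows, max_var=10.0, min_count=5):
    """Keys whose gap variance is low, i.e. connections recur at a near-constant
    interval. min_count keeps a host seen only a few times from looking 'regular'
    by chance; both thresholds are assumptions to tune against your own data."""
    return sorted(k for k, s in beacon_stats(rows).items()
                  if s["var_gap"] <= max_var and s["count"] >= min_count)
```

On the sample, the beaconing pair shows avg(gap) of 300 s with var(gap) of 2.0, the intranet browser has a variance in the hundreds of thousands, and the host seen twice is dropped because one gap has no variance.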
Other Pattern Uses

Fraud

Hand off to Intuit…

Intuit, Financial Services Division

Jaime Rodriguez, Senior Fraud Analyst, Intuit
Jaime Rodriguez

• Securing banks and financial institutions since 1999
• Presented and keynoted at numerous Information Security conferences all around the US.
• Contributor to a variety of open-source projects related to many of today's most popular security tools.

"Fraud team's goal is to provide fraud analysis on a proactive basis--we're currently reactive."
Intuit—Financial Services Division

• One of largest providers of outsourced online financial management solutions
• Serving 1800+ financial institutions and 4 million+ end customers
• Applications include:
  -  Consumer and business internet banking
  -  Electronic bill payment and presentment
  -  Personal online financial management
  -  Website hosting and development for financial institutions
All of Your Data Is Security Relevant

• Indexing our infrastructure:
  -  Cisco Firewalls
  -  Snort
  -  App logs, WebSense
  -  TippingPoint, IPS

• Integrating data from outside partners:
  -  Known fraud rings
  -  Bad IP addresses
  -  Bad actors


Splunk Speeds Remediation

•  Previously had customized parser
•  Searches conducted in batch taking 3+ hours via cron job
•  Reports came in piecemeal across 5000 emails with different syntax
•  Only sophisticated (aka highly-paid) users could track patterns

•  Splunk provides a single view
•  Role-based access provides secure views into data
•  Customer service and banking customer teams can begin queries on their own—no waiting for access/permission—no highly paid engineer required
•  Results in 5 minutes

From Reactive to Proactive

• Using Splunk for historical analysis
• New fraud patterns identified drive reviews of past 30 day / 90 day / all time periods
• As patterns emerge we build alerts when evidence of similar patterns of known fraudsters emerge (SMS, email)
• Showing monthly trending
• We've modified our logs to better capture and expose the information we need to see
Splunk for the Ops Team

• Outages unacceptable
• Often caused by unauthorized change
• Splunk tracks changes to pinpoint issues for remediation
• Monitoring throughput and access for each financial institution
  -  Usage stats good for re-sell/upsell
• Dashboards show system health and performance—execs love visibility
Truth From The Trenches: Wire Transfers

• Watching fraudster in real-time—seeing $5M, $7M, $8M wire attempts
• Splunk exposed every element of our infrastructure that he touched
• Next we could correlate activities based on time to understand his pattern of activity


Truth from the Trenches: Geolocation

• We noticed a similar fraud pattern across 15 banks
• Then we mapped them to see they were within 15 miles of one another
• Fraud was coming from one data processing vendor who they all shared
The World of Compliance

FFIEC
•  Federal Financial Institutions Exam Council
•  Ensures financial organizations follow uniform principles, standards and methods of reporting
•  Splunk empowers auditors to ask—and us to quickly and easily answer—any question

SAS70
•  Certification of standard controls, communications mechanisms and monitoring procedures
•  Required by many financial services clients
•  Subset of Sarbanes Oxley Compliance

PCI
•  PCI: Payment Card Industry Data Security Standard
•  Promotes trust with customers
•  Required by various payment card providers
Getting Started

• Just get started—Splunk is great out of the box for quick and dirty analysis
• It only gets better when you customize it
• Demo Splunk to others—people are amazed at how much data and depth we can get based on pivoting
• Follow the install guide!
• Consider how you'll expand—and plan in advance for that expansion
• Move to 4.2—it's fast!
Questions?

August 15, 2011
Jaime Rodriguez, Intuit

The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018Splunk
 
Big Data Security Intelligence and Analytics for Advanced Threat Protection
Big Data Security Intelligence and Analytics for Advanced Threat ProtectionBig Data Security Intelligence and Analytics for Advanced Threat Protection
Big Data Security Intelligence and Analytics for Advanced Threat ProtectionBlue Coat
 
Josh Diakun - Cust Pres - Splunk Partner Event
Josh Diakun - Cust Pres - Splunk Partner EventJosh Diakun - Cust Pres - Splunk Partner Event
Josh Diakun - Cust Pres - Splunk Partner EventJosh D
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublinDerek King
 
Comm unit 1
Comm unit 1Comm unit 1
Comm unit 1Skript
 
K nearest neighbor classification over semantically secure encrypted relation...
K nearest neighbor classification over semantically secure encrypted relation...K nearest neighbor classification over semantically secure encrypted relation...
K nearest neighbor classification over semantically secure encrypted relation...ieeepondy
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagen|u - The Open Security Community
 
SplunkLive: New Visibility=New Opportunity: How IT Can Drive Business Value
SplunkLive: New Visibility=New Opportunity: How IT Can Drive Business Value SplunkLive: New Visibility=New Opportunity: How IT Can Drive Business Value
SplunkLive: New Visibility=New Opportunity: How IT Can Drive Business Value Splunk
 
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...Splunk
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissanceCloudera, Inc.
 
Virtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteVirtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteSplunk
 
DLP Executive Overview
DLP Executive OverviewDLP Executive Overview
DLP Executive OverviewKim Jensen
 
Optimize IT Infrastructure
Optimize IT InfrastructureOptimize IT Infrastructure
Optimize IT InfrastructureScalar Decisions
 
Information Extraction and Integration of Hard and Soft Information for D2D v...
Information Extraction and Integration of Hard and Soft Information for D2D v...Information Extraction and Integration of Hard and Soft Information for D2D v...
Information Extraction and Integration of Hard and Soft Information for D2D v...DataCards
 

Similar to Splunk .conf2011: Splunk for Fraud and Forensics at Intuit (20)

Splunk for security
Splunk for securitySplunk for security
Splunk for security
 
CONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin NystromCONFidence2015: Real World Threat Hunting - Martin Nystrom
CONFidence2015: Real World Threat Hunting - Martin Nystrom
 
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
Better Threat Analytics: From Getting Started to Cloud Security Analytics and...
 
Splunk for Enterprise Security and User Behavior Analytics
 Splunk for Enterprise Security and User Behavior Analytics Splunk for Enterprise Security and User Behavior Analytics
Splunk for Enterprise Security and User Behavior Analytics
 
Accel Partners New Data Workshop 7-14-10
Accel Partners New Data Workshop 7-14-10Accel Partners New Data Workshop 7-14-10
Accel Partners New Data Workshop 7-14-10
 
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
The Splunk AISecOps Initiative - Splunk Security Roundtable: Zurich 2018
 
Cybersecurity - Jim Butterworth
Cybersecurity - Jim ButterworthCybersecurity - Jim Butterworth
Cybersecurity - Jim Butterworth
 
Big Data Security Intelligence and Analytics for Advanced Threat Protection
Big Data Security Intelligence and Analytics for Advanced Threat ProtectionBig Data Security Intelligence and Analytics for Advanced Threat Protection
Big Data Security Intelligence and Analytics for Advanced Threat Protection
 
Josh Diakun - Cust Pres - Splunk Partner Event
Josh Diakun - Cust Pres - Splunk Partner EventJosh Diakun - Cust Pres - Splunk Partner Event
Josh Diakun - Cust Pres - Splunk Partner Event
 
Needlesand haystacks i360-dublin
Needlesand haystacks i360-dublinNeedlesand haystacks i360-dublin
Needlesand haystacks i360-dublin
 
Comm unit 1
Comm unit 1Comm unit 1
Comm unit 1
 
K nearest neighbor classification over semantically secure encrypted relation...
K nearest neighbor classification over semantically secure encrypted relation...K nearest neighbor classification over semantically secure encrypted relation...
K nearest neighbor classification over semantically secure encrypted relation...
 
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakagenullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
nullcon 2011 - Enterprise Paradigm for Controlling Data Leakage
 
SplunkLive: New Visibility=New Opportunity: How IT Can Drive Business Value
SplunkLive: New Visibility=New Opportunity: How IT Can Drive Business Value SplunkLive: New Visibility=New Opportunity: How IT Can Drive Business Value
SplunkLive: New Visibility=New Opportunity: How IT Can Drive Business Value
 
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
Splunk conf2014 - Getting Deeper Insights into your Virtualization and Storag...
 
Preparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity RenaissancePreparing for the Cybersecurity Renaissance
Preparing for the Cybersecurity Renaissance
 
Virtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - DeloitteVirtual Gov Day - Security Breakout - Deloitte
Virtual Gov Day - Security Breakout - Deloitte
 
DLP Executive Overview
DLP Executive OverviewDLP Executive Overview
DLP Executive Overview
 
Optimize IT Infrastructure
Optimize IT InfrastructureOptimize IT Infrastructure
Optimize IT Infrastructure
 
Information Extraction and Integration of Hard and Soft Information for D2D v...
Information Extraction and Integration of Hard and Soft Information for D2D v...Information Extraction and Integration of Hard and Soft Information for D2D v...
Information Extraction and Integration of Hard and Soft Information for D2D v...
 

Recently uploaded

Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Will Schroeder
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioChristian Posta
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdfPaige Cruz
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfinfogdgmi
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7DianaGray10
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsSafe Software
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding TeamAdam Moalla
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 

Recently uploaded (20)

201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
Apres-Cyber - The Data Dilemma: Bridging Offensive Operations and Machine Lea...
 
Comparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and IstioComparing Sidecar-less Service Mesh from Cilium and Istio
Comparing Sidecar-less Service Mesh from Cilium and Istio
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf99.99% of Your Traces  Are (Probably) Trash (SRECon NA 2024).pdf
99.99% of Your Traces Are (Probably) Trash (SRECon NA 2024).pdf
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Videogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdfVideogame localization & technology_ how to enhance the power of translation.pdf
Videogame localization & technology_ how to enhance the power of translation.pdf
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7UiPath Studio Web workshop series - Day 7
UiPath Studio Web workshop series - Day 7
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration WorkflowsIgniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
 
9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team9 Steps For Building Winning Founding Team
9 Steps For Building Winning Founding Team
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 

Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

  • 1. Understanding Security Issues as Patterns in Data
    Mark Seward, Director, Security and Compliance Marketing
  • 2. A Shift in Attack Vectors
    [Chart: Data Volume (y-axis) against Time (x-axis: 1998, 2005, Today). Known signature-based threats and attacks are joined by unknown behavior-based attacks; the increasing number of attack signatures and the data explosion ('Big-data') rise together. Splunk meets the challenge of detecting pattern-based behaviors in a 'Big-data' context.]
    The 2nd Annual Splunk Worldwide Users Conference 2 © Copyright Splunk 2011
  • 3. Beyond Signatures and Rules: People Trump Technology in a Behavioral Approach
    - A move to a behavioral approach demands more emphasis on people and less on pure technology
    - Behavioral approaches to security require a continuous application of human observation and judgment
    - Allows the analyst to take the "actor view" in understanding the goals and methods of persistent adversaries
    - Requires you to baseline patterns of normal or expected behavior; select thresholds and triggers that will alert administrators to suspicious activities
  • 4. Implementing a Pattern-based Strategy for Security
  • 5. Enabling a Pattern-based Strategy for Security
    - Splunk supports pattern modeling and adaptation for security for insider threats, fraud scenarios, and persistent adversaries
    - Patterns enable a risk-based approach to anticipate attack vectors and attack patterns and behaviors
    Seek -- activity and access patterns that contain the weak signals of a potential threat
    Model -- implement analytics and assessment to determine which patterns present greater risk to the organization by qualifying and quantifying the impact
    Adapt -- action to protect users, accounts, data and infrastructure from the threat that was discovered and assessed in the previous phases
    (Gartner Research © 2010)
  • 6. Security Event Patterns in Context
    Augmented View: Security Events [diagram: App Mgmt, IT Ops, Web Analytics and Security data feeding one view]
    - View the web analytics data patterns as part of the web application attack
    - Monitor changes in server/application performance (CPU) against a baseline as an indicator of an attack
    - Understand authorized patterns of changes/additions to configurations and user accounts as part of fraud surveillance
    Security is a Big Data problem with no boundaries from on-premise to 'cloud'
  • 7. How is this Different from Traditional SIEM?
    - Rules view
      – Breaking the speed limit
      – If one or more of these things happen, let me know
      – Watches for only what is known
      – No concept of what is 'normal'
    - Patterns view
      – Watches for rhythms in your data over time against what is 'normal' (normal will not be static)
      – Takes advantage of 'weak signals' from non-traditional security data
      – Watches for what you don't know
      – Patterns + analytics enables decisions
    Patterns allow for data to be viewed as a reflection of human behavior over time
  • 8. Analytics and Data Patterns in Practice
  • 9. DoS Attacks
    - DoS attacks at the network layer are massive floods of traffic from numerous sources, designed to overwhelm resources
    - DoS attacks at the application layer target layer 7 and the HTTP protocol
  • 10. Common Anatomy of a Typical DoS
    - Source addresses usually spoofed – this also means no TCP session establishment is possible
    - True identity of source very difficult to obtain
    - Attacks of significance generally come from a botnet
    - TCP and UDP most common; ICMP happens as well
  • 11. HTTP Slow POST Attack
    - Client issues an HTTP POST to a server
    - Client says "I'm going to post a gig of data."
    - Client sends the host the gig, but only 1 byte per minute
    - Service waits for the data transfer
    - Usually in just a couple of minutes – La Morte
  • 12. Dashboard – HTTP Slow POST [screenshot: Slow Post Attack dashboard]
  • 13. Connection Exhaustion Based Attacks
    - Host opens a connection to a server but doesn't send a single byte
    - Each connection ties up an Apache process
    - Apache waits for the connection timeout to expire, then closes the connection
    - Connections fill up the queue faster than they time out
    - Default connection queue for Apache is set to 511
  • 14. Dashboard – Connection Exhaustion [screenshot: Attacks detected]
  • 15. Example: Time-based Pattern Detection for Malware Activity Discovery
    Pattern: request for download immediately followed by more requests
    - Fast requests following the download of a PDF, java, zip, or exe. If a download is followed by rapid requests for more files, this is a potential indicator of a dropper.
    Splunk pattern search: time-based transactions sorted by length
    source=proxy [search file=*.pdf OR file=*.exe | dedup clientip | table clientip] | transaction maxspan=60s maxpause=5s clientip | eval Length=len(_raw) | sort - Length
  • 16. Example: Patterns of Beaconing Hosts to Command and Control
    Pattern:
    - APT malware 'beacons' to command and control at specific intervals
    Splunk pattern search:
    - Watching for hosts that talk to the same URL at the same interval every day
    ... | streamstats current=f last(_time) as next_time by site | eval gap = next_time - _time | stats count avg(gap) var(gap) by site
    - What you'd be looking out for are sites that have a low var(gap) value.
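The two searches on slides 15 and 16, re-implemented in plain Python as an added example (this is not code from the deck or from Splunk): proxy log lines are grouped into per-client transactions for clients that fetched a PDF or EXE, and per-site request gaps are summarised so near-constant intervals stand out. The log format, every sample line and the alert thresholds are constructed assumptions.

```python
"""Plain-Python re-implementation of the two proxy-log pattern searches on
slides 15 and 16 (dropper follow-on requests, beaconing interval variance).
Added example, not code from the deck or from Splunk; the log format
"<epoch> <clientip> <site> <path>" and every sample line are constructed."""
import re
from collections import defaultdict
from statistics import mean, variance

# Constructed sample proxy log (no real hosts or traffic); epoch seconds first.
SAMPLE_LOG = """\
1000 10.0.0.5 cdn.example.test /files/invoice.pdf
1002 10.0.0.5 dl1.example.test /a.bin
1003 10.0.0.5 dl2.example.test /b.bin
1004 10.0.0.5 dl3.example.test /c.bin
1100 10.0.0.9 cdn.example.test /docs/manual.pdf
1700 10.0.0.9 news.example.test /index.html
1000 10.0.0.7 beacon.example.test /ping
1600 10.0.0.7 beacon.example.test /ping
2200 10.0.0.7 beacon.example.test /ping
2800 10.0.0.7 beacon.example.test /ping
1000 10.0.0.8 news.example.test /index.html
1010 10.0.0.8 news.example.test /story1.html
1500 10.0.0.8 news.example.test /story2.html
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")
DROPPER_EXTS = (".pdf", ".exe")  # the file=*.pdf OR file=*.exe subsearch


def parse_proxy_log(text):
    """Events with the field names the SPL on the slides uses, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the run
        ts, clientip, site, path = m.groups()
        events.append({"_time": int(ts), "clientip": clientip,
                       "site": site, "path": path, "_raw": line})
    return sorted(events, key=lambda e: e["_time"])


def dropper_transactions(events, maxspan=60, maxpause=5):
    """Slide 15: source=proxy [search file=*.pdf OR file=*.exe | dedup clientip
    | table clientip] | transaction maxspan=60s maxpause=5s clientip
    | eval Length=len(_raw) | sort - Length
    Returns (clientip, event_count, raw_length) rows, longest first."""
    clients = {e["clientip"] for e in events
               if e["path"].lower().endswith(DROPPER_EXTS)}
    per_client = defaultdict(list)
    for e in events:
        if e["clientip"] in clients:
            per_client[e["clientip"]].append(e)
    txns = []
    for evs in per_client.values():
        current = [evs[0]]
        for e in evs[1:]:
            paused = e["_time"] - current[-1]["_time"] > maxpause
            spanned = e["_time"] - current[0]["_time"] > maxspan
            if paused or spanned:  # close the transaction, start a new one
                txns.append(current)
                current = [e]
            else:
                current.append(e)
        txns.append(current)
    # A transaction's _raw is its members' raw text joined by newlines.
    rows = [(t[0]["clientip"], len(t), len("\n".join(e["_raw"] for e in t)))
            for t in txns]
    return sorted(rows, key=lambda r: r[2], reverse=True)


def rapid_download_clients(events, min_requests=3):
    """Clients whose download transaction holds >= min_requests events: the
    'download immediately followed by more requests' dropper pattern. The
    threshold is an assumption; the slide only ranks transactions by length."""
    return sorted({ip for ip, n, _ in dropper_transactions(events)
                   if n >= min_requests})


def beacon_stats(events):
    """Slide 16: ... | streamstats current=f last(_time) as next_time by site
    | eval gap = next_time - _time | stats count avg(gap) var(gap) by site
    Returns {site: (count, avg_gap, sample_var_gap)}; a gap needs two events
    and a variance two gaps, otherwise None (a null field in Splunk terms)."""
    times = defaultdict(list)
    for e in events:
        times[e["site"]].append(e["_time"])
    out = {}
    for site, ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        avg = mean(gaps) if gaps else None
        var = variance(gaps) if len(gaps) >= 2 else None
        out[site] = (len(ts), avg, var)
    return out


def low_variance_sites(events, max_var=1.0, min_count=3):
    """Sites contacted at a near-constant interval, i.e. the low var(gap) the
    slide says to look for. Both thresholds are assumptions."""
    return sorted(site for site, (n, _, var) in beacon_stats(events).items()
                  if n >= min_count and var is not None and var <= max_var)
```

The beaconing check deliberately ignores the client, as the slide's `by site` does; a real deployment would usually key on client and site together and tune `max_var` to the proxy's timestamp resolution.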
  • 17. Other Pattern Uses: Fraud. Hand off to Intuit…
  • 18. Intuit, Financial Services Division
    Jaime Rodriguez, Senior Fraud Analyst, Intuit
  • 19. Jaime Rodriguez
    - Securing banks and financial institutions since 1999
    - Presented and keynoted at numerous Information Security conferences all around the US.
    - Contributor to a variety of open-source projects related to many of today's most popular security tools.
    "Fraud team's goal is to provide fraud analysis on a proactive basis--we're currently reactive."
  • 20. Intuit—Financial Services Division
    - One of the largest providers of outsourced online financial management solutions
    - Serving 1800+ financial institutions and 4 million+ end customers
    - Applications include:
      - Consumer and business internet banking
      - Electronic bill payment and presentment
      - Personal online financial management
      - Website hosting and development for financial institutions
  • 21. All of Your Data Is Security Relevant
    - Indexing our infrastructure:
      - Cisco firewalls
      - Snort
      - App logs, WebSense
      - TippingPoint IPS
    - Integrating data from outside partners:
      - Known fraud rings
      - Bad IP addresses
      - Bad actors
  • 22. Splunk Speeds Remediation
    With Splunk:
    - Splunk provides a single view
    - Role-based access provides secure views into data
    - Customer service and banking customer teams can begin queries on their own—no waiting for access/permission—no highly paid engineer required
    - Results in 5 minutes
    Previously:
    - Had a customized parser
    - Searches conducted in batch, taking 3+ hours via cron job
    - Reports came in piecemeal across 5000 emails with different syntax
    - Only sophisticated (aka highly paid) users could track patterns
  • 23. From Reactive to Proactive
    - Using Splunk for historical analysis
    - New fraud patterns identified drive reviews of past 30 day / 90 day / all time periods
    - As patterns emerge we build alerts when evidence of similar patterns of known fraudsters emerges (SMS, email)
    - Showing monthly trending
    - We've modified our logs to better capture and expose the information we need to see
  • 24. Splunk for the Ops Team
    - Outages unacceptable
    - Often caused by unauthorized change
    - Splunk tracks changes to pinpoint issues for remediation
    - Monitoring throughput and access for each financial institution
      - Usage stats good for re-sell/upsell
    - Dashboards show system health and performance—execs love visibility
  • 25. Truth From The Trenches: Wire Transfers
    - Watching fraudster in real-time—seeing $5M, $7M, $8M wire attempts
    - Splunk exposed every element of our infrastructure that he touched
    - Next we could correlate activities based on time to understand his pattern of activity
  • 26. Truth from the Trenches: Geolocation
    - We noticed a similar fraud pattern across 15 banks
    - Then we mapped them to see they were within 15 miles of one another
    - Fraud was coming from one data processing vendor whom they all shared
  • 27. The World of Compliance
    FFIEC
    - Federal Financial Institutions Exam Council
    - Ensures financial organizations follow uniform principles, standards and methods of reporting
    - Splunk empowers auditors to ask—and us to quickly and easily answer—any question
    SAS70
    - Certification of standard controls, communications mechanisms and monitoring procedures
    - Required by many financial services clients
    - Subset of Sarbanes-Oxley compliance
    PCI
    - PCI: Payment Card Industry Data Security Standard
    - Promotes trust with customers
    - Required by various payment card providers
  • 28. Getting Started
    - Just get started—Splunk is great out of the box for quick and dirty analysis
    - It only gets better when you customize it
    - Demo Splunk to others—people are amazed at how much data and depth we can get based on pivoting
    - Follow the install guide!
    - Consider how you'll expand—and plan in advance for that expansion
    - Move to 4.2---it's fast!
  • 29. Questions?
    August 15, 2011
    Jaime Rodriguez, Intuit