Enterprise Security featuring UBA
Transcript of Enterprise Security featuring UBA
Copyright © 2014 Splunk Inc.
Splunk Enterprise Security & UBA: Analytics-Driven Security
Matt Poland, Sr. Sales Engineer
The Ever-Changing Threat Landscape
53%: victims notified by an external entity
100%: valid credentials were used
143: median number of days before detection
Source: Mandiant M-Trends Report 2012-2016
Splunk Positioned as a Leader in Gartner 2016 Magic Quadrant for Security Information and Event Management*
*Gartner, Inc., 2016 Magic Quadrant for Security Information and Event Management, and Critical Capabilities for Security Information and Event Management, Oliver Rochford, Kelly M. Kavanagh, Toby Bussa. 10 August 2016. This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Splunk. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Four Years in a Row as a Leader
Furthest overall in Completeness of Vision
Splunk also scores highest in 2016 Critical Capabilities for SIEM report in all three Use Cases
Splunk – Analytics-Driven Security
• APT detection / hunting (kill chain method)
• Counter threat automation
• Threat Intelligence aggregation (internal & external)
• Fraud detection – ATO, account abuse
• Insider threat detection
• Replace SIEM @ lower TCO, increase maturity
• Augment SIEM @ increase coverage & agility
• Compliance monitoring, reporting, auditing
• Log retention, storage, monitoring, auditing
• Continuous monitoring / evaluation
• Incident response and forensic investigation
• Event searching, reporting, monitoring & correlation
• Rapid learning loop, shorten discover / detect cycle
• Rapid insight from all data
Security Operations Roles / Functions
• Fraud analyst • Threat Research / Intelligence • Malware research • Cyber Security / Threat
• Security Analyst • CSIRT • Forensics • Engineering
• Tier 1 Analyst • Tier 2 Analyst • Tier 3 Analyst • Audit / Compliance
Reactive to Proactive:
Search and Investigate
Proactive Monitoring and Alerting
Security Situational Awareness
Real-time Risk Insight
Connecting the “data-dots” via multiple / dynamic relationships
Threat intelligence: attacker, known relay / C2 sites, infected sites, file hashes, IOC, attack / campaign intent and attribution
Network Activity / Security: where they went, who talked to whom, attack transmitted, abnormal traffic, malware download
Host Activity / Security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack / malware artifacts, patching level, attack susceptibility
Auth - User Roles: access level, privileged users, likelihood of infection, where they might be in the kill chain
Kill chain: Delivery, exploit installation; Gain trusted access; Exfiltration, Data Gathering, Upgrade (escalate), Lateral movement; Persist, Repeat
Splunk Enterprise Security
Risk-Based Analytics; Visualize and Discover Relationships; Enrich Security Analysis with Threat Intelligence
Splunk Enterprise Security is an advanced SIEM and Security Intelligence Platform that empowers SecOps to monitor, detect, investigate and respond to attacks and threats while minimizing risk and safeguarding your business.
Analytics-Driven Security: Risk-Based Analytics to Align Security Operations With the Business
– Risk scoring framework enhances decision making by applying risk scores to any data
– Quickly and easily assign any KSI or KPI to any event to align with your current priorities
– Expose the contributing factors of a risk score for deeper insights
Visualize and Discover Relationships for Faster Detection and Investigation
– Visually fuse data, context and threat intel across the stack and time to discern relationships
– Pre-built correlations, alerts and dashboards for detection, investigation and compliance
– Workflow actions and automated lookups enhance context building
Enrich Security Analysis with Threat Intelligence
– Automatically apply threat intelligence from any number of providers
– Apply threat intelligence to event data as well as wire data
– Conduct historical analysis using new threat intelligence across all data
Demo
Free ES Sandbox
Meeting – Cosmopolitan; Password – SPLUNK2016
https://www.splunk.com/en_us/download-21.html
Common Information Model
Data Models: Malware, Email, Intrusion Detection, Authentication, Network Traffic ... 30 Models ...
• Network Traffic Data Model
Fields: action, bytes_in, bytes_out, channel, dest_ip, dest_mac, duration, src_ip, …
FW Vendor A: • direction • d_ip • …
FW Vendor B: • direction • destin_ip • …
FW Vendor C: • Direction • dest_ip • …
Key Purpose
1. Contextual search / rules / reports across different technologies
2. Dynamic field mapping allows structure on the fly instead of normalization
Managing Correlation Rules: central framework to create / update / delete / import correlation rules for continuous adoption
Enable / Disable rules
ES CORRELATION RULE MANAGEMENT
Comparison – Event Correlation
• Construct as a saved search; simply generates an indication of a match.
• Self-define a placeholder to hold events and link it to process logic.
• Just pass on to the 3rd-party incident management / case management.
• Security incident alerts flow into the ES workflow management process.
• Security-event-focused authoring interface, ready to define new conditions.
• Pre-defined out-of-the-box correlation rules.
Threat Intelligence Framework: Finding hidden IOCs using comprehensive threat intelligence mappings
INTEL SOURCES
• Multiple sources
• Multiple transmission types
• Multiple transports
• Multiple data formats
COLLECT / MANAGE (Data Management)
Manage / Audit threat sources
• List status • List mgmt. • List location
CATEGORIZE
Index, Extract, Categorize
1. IP 2. Emails 3. URLs 4. File names / hashes 5. Process names 6. Services 7. Registry entries 8. X509 Certificates 9. Users
SEARCH (Data Search)
Ad-hoc search, analyze, investigate, prioritize
CORRELATE (Correlation Data / Notable Events)
Match all IOCs in existing log data
Generate alert for any matches
KSI and trends (Security Dashboard)
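As an added illustration (not Splunk code and not part of this deck), the Python below models two slides at once: the Common Information Model idea of a per-vendor field mapping applied at read time, so one search written in CIM terms runs across firewall vendors A, B and C, and the CORRELATE step above, which matches the normalized IOC fields against an intel list and raises one notable per hit. The vendor labels, the field names beyond those shown on the slide, the sample events and the intel addresses are constructed assumptions.

```python
# Added illustration (not Splunk code): CIM-style dynamic field mapping applied at
# read time, followed by IOC matching over the normalized events.
from typing import Dict, List

# Constructed sample events from three hypothetical firewall vendors.
RAW_EVENTS = [
    {"vendor": "A", "direction": "outbound", "d_ip": "203.0.113.5", "s_ip": "10.1.1.7", "act": "allowed"},
    {"vendor": "B", "direction": "outbound", "destin_ip": "198.51.100.9", "source": "10.1.1.8", "action": "permit"},
    {"vendor": "C", "Direction": "inbound", "dest_ip": "10.1.1.9", "src_ip": "192.0.2.44", "Action": "deny"},
]

# Per-vendor mapping from native field names to CIM Network_Traffic field names.
# The stored event is never rewritten; the mapping is applied when the event is read.
CIM_MAP: Dict[str, Dict[str, str]] = {
    "A": {"direction": "direction", "d_ip": "dest_ip", "s_ip": "src_ip", "act": "action"},
    "B": {"direction": "direction", "destin_ip": "dest_ip", "source": "src_ip", "action": "action"},
    "C": {"Direction": "direction", "dest_ip": "dest_ip", "src_ip": "src_ip", "Action": "action"},
}

# Vendors also spell the action value differently; fold them onto allowed / blocked.
ACTION_VALUES = {"allowed": "allowed", "permit": "allowed", "deny": "blocked", "drop": "blocked"}


def to_cim(event: dict) -> dict:
    """Map one raw event onto CIM field names at read time (search-time mapping)."""
    mapping = CIM_MAP[event["vendor"]]
    cim = {cim_name: event[native] for native, cim_name in mapping.items() if native in event}
    cim["action"] = ACTION_VALUES.get(cim.get("action", "").lower(), "unknown")
    cim["vendor"] = event["vendor"]
    return cim


def search(events, **criteria) -> List[dict]:
    """One search expressed in CIM terms works across every vendor's native format."""
    return [e for e in map(to_cim, events) if all(e.get(k) == v for k, v in criteria.items())]


# Constructed threat-intel list keyed by IOC type (documentation-range addresses).
THREAT_INTEL = {"ip": {"203.0.113.5", "192.0.2.44"}}


def correlate_iocs(events) -> List[dict]:
    """Match dest_ip / src_ip of each normalized event against the intel list; one notable per hit."""
    notables = []
    for e in map(to_cim, events):
        for field in ("dest_ip", "src_ip"):
            if e.get(field) in THREAT_INTEL["ip"]:
                notables.append({"vendor": e["vendor"], "field": field, "ioc": e[field], "action": e["action"]})
    return notables
```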
Facebook ThreatExchange
• Provides domain names, IPs, hash threat indicators
• Use with ad hoc searches and investigations
• Need an app ID and secret from Facebook
• Config Splunk add-on for FB ThreatExchange
• Customers already use!
What’s New?
Storage TCO Reduction Options
Reduce TSIDX for historical data: keeps data within existing Splunk storage
Roll historical data into Hadoop: exports data but maintains search capability
Flexible options to reduce storage requirements up to 80%
Enhanced Investigation Timeline
Add file attachments to Investigation Timeline
Export Investigation Timeline as PDF
Extend Analytics-driven Decisions and Automation with Adaptive Response in Splunk ES (AUTOMATION)
Enhance Analytics With Glass Table Views in Splunk ES (VISUALIZATION)
Adaptive Response: Analytics-driven Decisions, Automation
• Centrally automate retrieval, sharing and response action, resulting in improved detection, investigation and remediation times
• Improve operational efficiency using workflow-based context with automated and human-assisted decisions
• Extract new insight by leveraging context, sharing data and taking actions between Enterprise Security and Adaptive Response partners
Adaptive Response Actions (Examples)
AUTOMATION
Category - Information gathering, Information conveyance, Permissions control
Task - Create, Update, Delete, Allow, Block
Subject – what will be acted upon (network, endpoint, etc.)
Vendor – providing the action. Ex: Splunk, Ziften, Palo Alto Networks, etc.
Insight from Across Ecosystem
Effectively leverage security infrastructure to gain a holistic view
Workflow, Identity, Network, Internal Network Security, App, Endpoints, Web Proxy, Threat Intel
1. Palo Alto Networks 2. Anomali 3. Phantom 4. Cisco 5. Fortinet 6. ThreatConnect 7. Ziften 8. Acalvio 9. Proofpoint 10. CrowdStrike
11. Symantec (Blue Coat) 12. Qualys 13. Recorded Future 14. Okta 15. DomainTools 16. CyberArk 17. Tanium 18. Carbon Black 19. ForeScout
Glass Tables to Enhance Visual Analytics
• Simplify analysis by understanding the impact of security metrics within a logical or physical Glass Table view
• Improve response times with nested views to display what’s important or relevant
• Optimize workflow with drill-down to the supporting criteria of the metric
UBA
Detection: Enhanced Security Analytics
Visibility and baseline metrics around user, device, application and protocol
30+ new metrics
USER CENTRIC / DEVICE CENTRIC / APPLICATION CENTRIC / PROTOCOL CENTRIC
Detailed Visibility, Understand Normal Behavior
Detection: Custom Threat Modeling Framework (UBA 2.2)
Create custom threats using 60+ anomalies.
Create custom threat scenarios on top of anomalies detected by machine learning.
Helps with real-time threat detection and can be leveraged to detect threats on historical data.
Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection.
Summary
UBA Results Across SIEM Workflow
Rapid Investigation of Advanced Threats
Enhanced Insider Threat & Cyber Attack Detection
ES 4.1 + UBA 2.2 / ES 4.1 / UBA 2.2
Quick UBA Demo, … then Happy Hour