SplunkLive! London Enterprise Security & UBA
Transcript of SplunkLive! London Enterprise Security & UBA
Copyright © 2016 Splunk Inc.
Enterprise Security & UBA Overview
SplunkLive London 2016. Johan Bjerke, Senior Sales Engineer, Technical Splunk Guy
SplunkLive Security Track Today
13:00-14:00: Operational Security Intelligence
14:00-15:00: Splunk for Enterprise Security featuring User Behavior Analytics
15:00-16:00: Cloud Breach – Detection and Response
16:00-17:00: Happy Hour
17:00-19:30: Splunk London User Group Meeting
Disclaimer
During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make.
In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Agenda
Splunk Portfolio Update
Enterprise Security 4.1
User Behavior Analytics 2.2
Splunk Solutions > Easy to Adopt
Platform for Machine Data: across data sources, use cases & consumption models
Splunk Premium Solutions: ITSI, UBA
Rich Ecosystem of Apps: VMware, Exchange, PCI, Security, IT Svc Int
Data sources: Mainframe Data, Relational Databases, Mobile, Forwarders, Syslog/TCP, IoT Devices, Network Wire Data, Hadoop & NoSQL
What is Splunk ES?
Platform for Machine Data
Splunk Enterprise Security: advancing analytics-driven security
• Security and Compliance Reporting
• Monitor and Detect
• Investigate Threats and Incidents
• Analyze and Optimize Response
Open Solutions Framework: supports critical security-related management framework features
Enterprise Security Framework:
• Notable Events Framework
• Threat Intelligence Framework
• Risk Scoring Framework
• Identity & Asset Framework
Apps / Content: Customer Apps, Partner Apps, Splunk Apps
• Export
• Import
• Share
Platform frameworks:
• Summarization Framework
• Alerting & Scheduling
• Visualization Framework
• Application Framework
External Instance
More Honors – March 2016
● Best SIEM Solution
What's new in Splunk Enterprise Security 4.1?
Prioritize and Speed Investigations (ES 4.1)
Centralized incident review combining risk and quick search
Use the new risk scores and quick searches to determine the impact of an incident quickly
Use risk scores to generate actionable alerts to respond on matters that require immediate attention.
Enhanced Investigation Timeline
Add file attachments to Investigation Timeline
Export Investigation Timeline as PDF
Behavioral Analytics in SIEM Workflow (ES 4.1 and UBA 2.2)
• All Splunk UBA results available in Enterprise Security
• Workflows for SOC Manager, SOC analyst and Hunter/Investigator
• Splunk UBA can be purchased/operated separately from Splunk Enterprise Security
Expanded Threat Intelligence (ES 4.1)
Supports Facebook ThreatExchange
An additional threat intelligence feed that provides the following threat indicators: domain names, IPs and hashes
Use with ad hoc searches and investigations
Extends Splunk's Threat Intelligence Framework
Enterprise Security Demo
What is Splunk UBA?
Technology Evolution
1995: End-point security
2002: Network security
2008: Early correlation
2011: Object analysis
2015: Behavior analysis
In 2014, industry spent:
$1.7 Billion: Secure Email Gateway
$1.3 Billion: Secure Web Gateway
$2.8 Billion: Endpoint Protection
$1.2 Billion: Intrusion Prevention
$9.4 Billion: Firewall
$16+ Billion in total. But we need even more tools.
Familiar with these breaches?
January 2015: Morgan Stanley, 730K PII records
February 2015: Anthem Insurance, 80M patient records
February 2015: Office of Personnel Management, 22M PII records
July 2015: Pentagon unclassified email system, 4K PII records
So, what is the problem?
• Compromised/misused credentials or devices
• Lack of resources (security expertise)
• Lack of alert prioritization & excessive false positives
External Attack: User Activity (Day 1 ... Day 2 ... Day N)
1. Peter and Sam access a compromised website; a backdoor gets installed
2. The attacker uses Peter's stolen credential and VPNs into the Domain Controller
3. The attacker uses the backdoors to download and execute WCE – password cracker
4. Peter's and Sam's devices begin communicating with CnC
5. The attacker logs in as Sam and accesses sensitive documents from a file share
6. The attacker steals the admin Kerberos ticket and escalates the privileges for Sam
7. The attacker uses Peter's VPN credential to connect, copies the docs to an external staging server, and logs out after three hours
Insider Threat: User Activity (Day 1 ... Day 2 ... Day N)
1. John connects via VPN
2. Administrator performs ssh (root) to a file share - finance department
3. John executes remote desktop to a system (administrator) - PCI zone
4. John elevates his privileges
5. root copies the document to another file share - Corporate zone
6. root accesses a sensitive document from the file share
7. root uses a set of Twitter handles to chop and copy the data outside the enterprise
Splunk User Behavioral Analytics: Automated Detection of Insider Threats and Cyber Attacks
Platform for Machine Data
• Behavior Baselining & Modelling
• Unsupervised Machine Learning
• Real-Time & Big Data Architecture
• Threat & Anomaly Detection
• Security Analytics
Multi-Entity Behavioral Model
Temporal window across entities: USER, HOST, NETWORK, APPLICATION, DATA
Each entity contributes its own activities (Activity A ... Activity N)
Observed cross-entity sequence within the window: Activity A, Activity C, Activity F, Activity B, Activity L
Attack Defenses
Insider Threat: User Activity (Day 1 ... Day 2 ... Day N)
1. John connects via VPN
2. Administrator performs ssh (root) to a file share - finance department
3. John executes remote desktop to a system (administrator) - PCI zone
4. John elevates his privileges
5. root copies the document to another file share - Corporate zone
6. root accesses a sensitive document from the file share
7. root uses a set of Twitter handles to chop and copy the data outside the enterprise
Anomalies detected:
• Unusual Machine Access (Lateral Movement; Individual & Peer Group)
• Unusual Zone (Corp → PCI) traversal (Lateral Movement)
• Unusual Activity Sequence
• Unusual Zone Combination (PCI → Corp)
• Unusual File Access (Individual & Peer Group)
• Multiple Outgoing Connections & Unusual SSL session duration
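As an added illustration that is not Splunk UBA's own algorithm (UBA uses unsupervised machine learning), the following Python shows the individual-versus-peer-group baselining behind the "Unusual Zone traversal" and "Unusual Machine Access" anomalies above; the events, peer groups and host names are constructed.

```python
from collections import defaultdict

# Constructed baseline (not from the deck): historical access events observed for
# each user during the learning window, as (user, source_zone, dest_zone, host).
BASELINE_EVENTS = [
    ("john", "corp", "corp", "fs-finance"),
    ("alice", "corp", "corp", "fs-finance"),
    ("bob", "corp", "corp", "fs-finance"),
    ("bob", "corp", "corp", "fs-corp"),
    ("ops1", "corp", "pci", "pci-admin-01"),
    ("ops1", "corp", "corp", "fs-corp"),
]
# Assumed peer groups; in a real deployment these would come from AD/HR attributes.
PEER_GROUPS = {"john": "finance", "alice": "finance", "bob": "finance", "ops1": "itops"}


def build_baseline(events, peer_groups):
    """Learn which zone transitions and hosts each user and each peer group has used."""
    user_zones, user_hosts = defaultdict(set), defaultdict(set)
    group_zones, group_hosts = defaultdict(set), defaultdict(set)
    for user, src, dst, host in events:
        group = peer_groups[user]
        user_zones[user].add((src, dst))
        user_hosts[user].add(host)
        group_zones[group].add((src, dst))
        group_hosts[group].add(host)
    return user_zones, user_hosts, group_zones, group_hosts


def score_event(event, baseline, peer_groups):
    """Return the anomaly labels one new event raises, scoped to the individual or to the peer group too."""
    user, src, dst, host = event
    user_zones, user_hosts, group_zones, group_hosts = baseline
    group = peer_groups[user]
    findings = []
    if (src, dst) not in user_zones[user]:
        scope = "individual" if (src, dst) in group_zones[group] else "individual & peer group"
        findings.append(f"unusual zone traversal {src}->{dst} ({scope})")
    if host not in user_hosts[user]:
        scope = "individual" if host in group_hosts[group] else "individual & peer group"
        findings.append(f"unusual machine access {host} ({scope})")
    return findings


def score_session(events, baseline, peer_groups):
    """Collect anomalies over a session: one anomaly is weak evidence, several together form a threat."""
    return [(e, f) for e in events if (f := score_event(e, baseline, peer_groups))]


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_EVENTS, PEER_GROUPS)
    # John's session from the insider-threat scenario: Corp -> PCI onto a host his peers never use.
    session = [("john", "corp", "corp", "fs-finance"), ("john", "corp", "pci", "pci-admin-01")]
    for event, findings in score_session(session, baseline, PEER_GROUPS):
        print(event, findings)
```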
A Few Customer Findings (Retail, Hi-Tech, Manufacturing, Financial)
• Malicious Domain
• Beaconing Activity
• Malware: Asprox
• Webshell Activity
• Pass The Hash Attack
• Suspicious Privileged Account activity
• Exploit Kit: Fiesta
• Lateral Movement
• Unusual Geo Location
• Privileged Account Abuse
• Access Violations
• IP Theft
What does Splunk UBA need?
Data sources, at a minimum: Proxy Server, Firewall, Active Directory / Domain Controller, DNS, DHCP
Fed from Splunk Enterprise or any SIEM
What Customers Have to Say About Splunk UBA
"Splunk UBA is unique in its data-science driven approach to automatically finding hidden threats rather than the traditional rules-based approaches that don't scale. We are pleased with the efficacy and efficiency of this solution as it makes the lives of our SOC analysts way better."
Mark Grimse, VP IT Security, Rambus
"A layered defense architecture is necessary to combat modern-day threats such as cyberattacks and insider threats, and it's crucial to use a data science driven approach in order to find unknown patterns. I found Splunk UBA to be one of the most advanced technologies within the behavioral analytics space."
Randolph Barr, CSO, Saba
Splunk UBA and Splunk ES Integration
Data sources: SIEM, Hadoop; Firewall, AD, DLP; AWS, VM, Cloud, Mobile; End-point, App, DB logs; Netflow, PCAP; Threat Feeds
UBA: data-science-driven threat detection, 99.99% event reduction
In the SIEM workflow: machine learning in SIEM workflow, anomaly-based correlation
What's New in UBA 2.2
Enhanced Insider Threat and Cyber Attack Detection
Detection:
• Threat Detection Framework: custom threat modeling with anomalies
• Expanded Attack Coverage: data access and physical data loss
• New Viewpoint: precision, prioritization and correlation of alerts with anomalies
Detection: Custom Threat Modeling Framework (UBA 2.2)
Create custom threats using 60+ anomalies.
Create custom threat scenarios on top of anomalies detected by machine learning.
Helps with real-time threat detection, and can be leveraged to detect threats on historical data.
Analysts can create many combinations and permutations of threat detection scenarios alongside automated threat detection.
Detection: Enhanced Security Analytics (UBA 2.2)
Visibility and baseline metrics around user, device, application and protocol
30+ new metrics: user-centric, device-centric, application-centric, protocol-centric
Detailed visibility, understand normal behavior
Context Enrichment (UBA 2.2)
Citrix NetScaler (AppFlow), FireEye Email (EX), Symantec DLP, Bit9/Carbon Black, Digital Guardian, and many more...
Improved Precision and Prioritization of Threats
§ Risk Percentile & Dynamic Peer Groups
§ Support for Additional 3rd Party Devices
UBA Demo
Sept 26-29, 2016, Walt Disney World, Orlando, Swan and Dolphin Resorts
The 7th Annual Splunk Worldwide Users' Conference
• 5000+ IT & Business Professionals
• 3 days of technical content
• 165+ sessions
• 80+ Customer Speakers
• 35+ Apps in Splunk Apps Showcase
• 75+ Technology Partners
• 1:1 networking: Ask The Experts and Security Experts, Birds of a Feather and Chalk Talks
• NEW hands-on labs!
• Expanded show floor, Dashboards Control Room & Clinic, and MORE!
PLUS Splunk University
• Three days: Sept 24-26, 2016
• Get Splunk Certified for FREE!
• Get CPE credits for CISSP, CAP, SSCP
• Save thousands on Splunk education!
ThankYou!