SplunkLive! Warsaw 2016 - Splunk for Security

19
Copyright © 2016 Splunk Inc. Security Session Philipp Drieger Sales Engineer

Transcript of SplunkLive! Warsaw 2016 - Splunk for Security

Page 1: SplunkLive! Warsaw 2016 - Splunk for Security

Copyright©2016Splunk Inc.

SecuritySession

PhilippDriegerSalesEngineer

Page 2: SplunkLive! Warsaw 2016 - Splunk for Security

2

SafeHarborStatementDuring the course of this presentation, wemaymake forward looking statements regarding future eventsor the expected performance of the company. We caution you that such statements reflect our currentexpectations and estimates based on factors currently known to us and that actual events or results coulddiffer materially. For important factors that may cause actual results to differ from those contained in ourforward-looking statements, please review our filings with the SEC. The forward-looking statementsmade in this presentation are being made as of the time and date of its live presentation. If reviewedafter its live presentation, this presentation may not contain current or accurate information. We do notassume any obligation to update any forward looking statements we may make. In addition, anyinformation about our roadmap outlines our general product direction and is subject to change at anytime without notice. It is for informational purposes only and shall not be incorporated into any contractor other commitment. Splunk undertakes no obligation either to develop the features or functionalitydescribed or to include any such feature or functionality in a future release.

Page 3: SplunkLive! Warsaw 2016 - Splunk for Security

3

Agenda

Splunk forSecurityZEUSDemo

Page 4: SplunkLive! Warsaw 2016 - Splunk for Security

Splunk forSecurity

Page 5: SplunkLive! Warsaw 2016 - Splunk for Security

5

Page 6: SplunkLive! Warsaw 2016 - Splunk for Security

6

CYBERCRIMINALS

MALICIOUSINSIDERS

NATIONSTATES

6

Page 7: SplunkLive! Warsaw 2016 - Splunk for Security

7

AdvancedThreatsAreHardtoFind

7

CyberCriminals

NationStates

InsiderThreats

Source:MandiantM-TrendsReport2012/2013/2014

100%Validcredentialswereused

40Average#ofsystemsaccessed

229Median#ofdaysbeforedetection

67%Ofvictimswerenotifiedbyexternalentity

Page 8: SplunkLive! Warsaw 2016 - Splunk for Security

8 8

Servers

Storage

DesktopsEmail Web

TransactionRecords

NetworkFlows

DHCP/DNS

HypervisorCustomApps

PhysicalAccess

Badges

ThreatIntelligence

Mobile

CMDB

IntrusionDetection

Firewall

DataLossPrevention

Anti-Malware

VulnerabilityScans

Traditional

Authentication

AllDataisSecurityRelevant=BigData

Page 9: SplunkLive! Warsaw 2016 - Splunk for Security

9

Solution:Splunk,TheEngineForMachineData

9

OnlineServices

WebServices

Servers

SecurityGPS

Location

Storage

Desktops Networks

PackagedApplications

CustomApplications

Messaging

TelecomsOnline

ShoppingCart

WebClickstreams

Databases

EnergyMeters

CallDetailRecords

SmartphonesandDevices

RFID

DeveloperPlatform

Reportand

analyze

Customdashboards

Monitorandalert

Adhocsearch

Real-TimeMachineData

References – Codedfields,mappings,aliasesDynamicinformation– Storedinnon-traditionalformatsEnvironmentalcontext– Humanmaintainedfiles,documentsSystem/application– AvailableonlyusingapplicationrequestIntelligence/analytics– Indicators,anomaly,research,white/blacklist

Page 10: SplunkLive! Warsaw 2016 - Splunk for Security

10

Fraud Detection

Insider Threat

Advanced Threat

Detection

Security & Compliance Reporting

Incident Analysis &

Investigations

Real-time Monitoring & Alerting

Security Intelligence Use Cases

Splunk provides solutions that address SIEM use cases and more

Security & Compliance Reporting

Incident Analysis &

Investigations

Real-time Monitoring & Alerting

Page 11: SplunkLive! Warsaw 2016 - Splunk for Security

11 11

ExamplePatternsofFraudinMachineData

Industry TypeofFraud/Theft/Abuse Pattern

FinancialServices Accounttakeover Abnormallyhighnumberordollaramountsofwiretransferwithdrawals

Healthcare Physicianbilling Physicianbillingfordrugsoutsidetheirexpertisearea

E-Tailing Accounttakeover ManyaccountsaccessedfromoneIP

Telecoms Callingplanabuse Customermakingexcessiveamountofinternationalcallsonanunlimitedplan

Online Education Studentloanfraud StudentreceivingfederalloanhasIPin“high-risk”overseascountryandisabsentfromonlineclassroomsandforums

Page 12: SplunkLive! Warsaw 2016 - Splunk for Security

12

InsiderThreatWhatToLookFor Data Source

Abnormallyhighnumber offiletransferstoUSBorCD/DVD OS

Abnormally largeamountofdatagoingtopersonalwebmailaccountoruploadedtoexternalfilehostingsite Email/ webserver

Unusual physicalaccessattempts (afterhours,accessingunauthorizedarea,etc) Physicalbadgerecords/AD

Aboveactions+ employeeisonaninternalwatchlist asresultoftransfer/demotion/poorreview/impendinglayoff HR systems/above

User nameofterminatedemployeeaccessinginternalsystem AD/HRsystems

12

Page 13: SplunkLive! Warsaw 2016 - Splunk for Security

13

ExampleofAdvancedThreatActivities

13

HTTP(web)sessiontocommand&controlserver

Remotecontrol,Stealdata,Persistincompany,Rentasbotnet

WEB

ConductBusiness

Createadditionalenvironment

GainAccesstosystemTransaction

.pdf

.pdf executes&unpacksmalwareoverwritingandrunning“allowed”programs

Svchost.exeCalc.exe

AttackerhackswebsiteSteals.pdf files

WebPortal.pdf

Attackercreatesmalware,embed in.pdf,

Emailstothetarget MAIL

Reademail,openattachment

Threatintelligence

Auth - UserRoles

HostActivity/Security

NetworkActivity/Security

Page 14: SplunkLive! Warsaw 2016 - Splunk for Security

14

Connectthe“Data-Dots”toSeetheWholeStory

14

Persist,Repeat

Threatintelligence

Auth - UserRoles,CorpContext

HostActivity/Security

NetworkActivity/Security

Attacker,knowrelay/C2sites,infectedsites,IOC, attack/campaignintentandattribution

Wheretheywentto,whotalkedtowhom,attacktransmitted,abnormaltraffic,malwaredownload

Whatprocessisrunning(malicious,abnormal,etc.)Processowner,registrymods,attack/malwareartifacts,patchinglevel,attacksusceptibility

Accesslevel,privilegedusers,likelihoodofinfection,wheretheymightbeinkillchain

Delivery,ExploitInstallation

GainTrustedAccess

ExfiltrationDataGatheringUpgrade(escalate)Lateralmovement

Persist,Repeat

• Third-partyThreatIntel• Opensourceblacklist• Internalthreatintelligence

• Firewall• IDS/IPS• Vulnerabilityscanners

• WebProxy• NetFlow• Network

• Endpoint (AV/IPS/FW)• Malwaredetection• PCLM

• DHCP• OSlogs• Patching

• ActiveDirectory• LDAP• CMDB

• OperatingSystem• Database• VPN,AAA,SSO

Page 15: SplunkLive! Warsaw 2016 - Splunk for Security

15

Threatintelligence

HostActivity/Security

NetworkActivity/Security

Command&ControlExploitation&InstallationDelivery AccomplishMission

SecurityEcosystemforCoverageandProtection

Auth - UserRoles,CorpContext

Page 16: SplunkLive! Warsaw 2016 - Splunk for Security

16

STIX/TAXIIand OpenIOC101• Infosharingacrosscompanies

andindustries• StandardizedXML

• IOCsincludeIPs,web/emaildomains,hashes,processes,registrykey,certificates

Page 17: SplunkLive! Warsaw 2016 - Splunk for Security

17

ThreatIntelligenceinSplunk

Page 18: SplunkLive! Warsaw 2016 - Splunk for Security

18

SampleTAXIIFeedsUser Community Organisation

Cyber Threat XChange Health InformationTrustAlliance

DefenseSecurityInformationExchange DefenseIndustrialBaseInformationand Sharingand AnalysisOrganization

ICS-ISAC IndustrialControlSystemInformationSharingandAnalysisCenter

NH-ISACNationalHealth CybersecurityIntelligence Platform

NationalHealth Informationand AnalysisCenter

FS-ISAC/Soltra Edge FinancialServicesInformation SharingandAnalyses Center(FS-ISAC)

RetailCyber Intelligence SharingCenter,Intelligence SharingPortal

RetailInformationSharingand AnalysisCenter(Retail-ISAC)

More:http://stixproject.github.io/supporters/

Page 19: SplunkLive! Warsaw 2016 - Splunk for Security

ZEUSDemo


SplunkLive 2011 Advanced Session

SplunkLive 2011 Advanced Session

SplunkLive Brisbane Splunk for Developers

SplunkLive Brisbane Splunk for Developers

SplunkLive! Warsaw 2016 - Splunk IT Service Intellience

SplunkLive! Warsaw 2016 - Splunk IT Service Intellience

SplunkLive Sydney Machine Learning & Analytics

SplunkLive Sydney Machine Learning & Analytics

SplunkLive Canberra Machine Learning & Analytics

SplunkLive Canberra Machine Learning & Analytics

Security Hands-On - Splunklive! Houston

Security Hands-On - Splunklive! Houston

SplunkLive Auckland 2015 - Splunk for Security

SplunkLive Auckland 2015 - Splunk for Security

SPLUNK & Dell EMC For Operational Intelligence · 2020-02-01 · SPLUNK & Dell EMC For Operational Intelligence Dell EMC Forum Warsaw PAWEŁ ALBERT ... WARM –Recent data but closed

SPLUNK & Dell EMC For Operational Intelligence · 2020-02-01 · SPLUNK & Dell EMC For Operational Intelligence Dell EMC Forum Warsaw PAWEŁ ALBERT ... WARM –Recent data but closed

SplunkLive! Presentation - Data Onboarding with Splunk

SplunkLive! Presentation - Data Onboarding with Splunk

Splunklive! Universo Online

Splunklive! Universo Online

SplunkLive! London 2016 Splunk Overview

SplunkLive! London 2016 Splunk Overview

SplunkLive! Stockholm 2016 - Mr Green

SplunkLive! Stockholm 2016 - Mr Green

SplunkLive! 2018 · Splunk software and get real-world experience from breakout session tracks. Each SplunkLive! will attract 300 – 1200+ attendees at over 20 cities around the

SplunkLive! 2018 · Splunk software and get real-world experience from breakout session tracks. Each SplunkLive! will attract 300 – 1200+ attendees at over 20 cities around the

SplunkLive! Munich 2015 - Graphmasters

SplunkLive! Munich 2015 - Graphmasters

SplunkLive Brisbane Splunk for Operational Security Intelligence

SplunkLive Brisbane Splunk for Operational Security Intelligence

SplunkLive Brisbane Splunking the Endpoint

SplunkLive Brisbane Splunking the Endpoint

SplunkLive! Seattle - Splunk for Developers

SplunkLive! Seattle - Splunk for Developers

SplunkLive! Stockholm 2016 - iZettle

SplunkLive! Stockholm 2016 - iZettle

SplunkLive London 2014 Developer Presentation

SplunkLive London 2014 Developer Presentation

SplunkLive! London Enterprise Security & UBA

SplunkLive! London Enterprise Security & UBA