SplunkLive! Warsaw 2016 - Splunk for Security
Transcript of SplunkLive! Warsaw 2016 - Splunk for Security
Safe Harbor Statement

During the course of this presentation, we may make forward looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release.
Advanced Threats Are Hard to Find

Threat actors: Cyber Criminals, Nation States, Insider Threats

Source: Mandiant M-Trends Report 2012/2013/2014
100% - valid credentials were used
40 - average number of systems accessed
229 - median number of days before detection
67% - of victims were notified by an external entity
All Data is Security Relevant = Big Data

Data sources:
Servers
Storage
Desktops
Email
Web
Transaction Records
Network Flows
DHCP/DNS
Hypervisor
Custom Apps
Physical Access
Badges
Threat Intelligence
Mobile
CMDB

Traditional security sources:
Intrusion Detection
Firewall
Data Loss Prevention
Anti-Malware
Vulnerability Scans
Authentication
Solution: Splunk, The Engine For Machine Data

Real-Time Machine Data sources:
Online Services
Web Services
Servers
Security
GPS Location
Storage
Desktops
Networks
Packaged Applications
Custom Applications
Messaging
Telecoms
Online Shopping Cart
Web Clickstreams
Databases
Energy Meters
Call Detail Records
Smartphones and Devices
RFID

Platform capabilities:
Developer Platform
Report and analyze
Custom dashboards
Monitor and alert
Ad hoc search

Context added to machine data:
References - coded fields, mappings, aliases
Dynamic information - stored in non-traditional formats
Environmental context - human maintained files, documents
System/application - available only using application request
Intelligence/analytics - indicators, anomaly, research, white/blacklist
Security Intelligence Use Cases

Splunk provides solutions that address SIEM use cases and more:
Fraud Detection
Insider Threat
Advanced Threat Detection
Security & Compliance Reporting
Incident Analysis & Investigations
Real-time Monitoring & Alerting
Example Patterns of Fraud in Machine Data

Industry | Type of Fraud/Theft/Abuse | Pattern
Financial Services | Account takeover | Abnormally high number or dollar amounts of wire transfer withdrawals
Healthcare | Physician billing | Physician billing for drugs outside their expertise area
E-Tailing | Account takeover | Many accounts accessed from one IP
Telecoms | Calling plan abuse | Customer making excessive amount of international calls on an unlimited plan
Online Education | Student loan fraud | Student receiving federal loan has IP in "high-risk" overseas country and is absent from online classrooms and forums
Insider Threat

What To Look For | Data Source
Abnormally high number of file transfers to USB or CD/DVD | OS
Abnormally large amount of data going to personal webmail account or uploaded to external file hosting site | Email / web server
Unusual physical access attempts (after hours, accessing unauthorized area, etc.) | Physical badge records / AD
Above actions + employee is on an internal watchlist as result of transfer/demotion/poor review/impending layoff | HR systems / above
User name of terminated employee accessing internal system | AD / HR systems
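Two of the correlations from the fraud table ("many accounts accessed from one IP") and the insider-threat table ("user name of terminated employee accessing internal system"), as an added example run over constructed sample events; this is illustrative Python, not Splunk code or SPL from the deck, and the HR export and authentication log formats are assumptions.

```python
"""Detection logic for two patterns from the slides, over constructed events."""
from collections import defaultdict

# Constructed HR export (assumed format): account -> termination date.
TERMINATED = {"jdoe": "2016-03-01"}

# Constructed authentication events: (timestamp, user, source IP, result).
AUTH_EVENTS = [
    ("2016-03-02T08:01:00", "asmith", "10.1.1.5", "success"),
    ("2016-03-02T08:02:10", "jdoe", "10.1.1.9", "success"),  # terminated account
    ("2016-03-02T08:02:30", "bjones", "203.0.113.7", "success"),
    ("2016-03-02T08:02:45", "cwhite", "203.0.113.7", "success"),
    ("2016-03-02T08:03:00", "dgreen", "203.0.113.7", "success"),
    ("2016-03-02T08:03:20", "efox", "203.0.113.7", "failure"),
    ("2016-03-02T08:04:00", "asmith", "10.1.1.5", "success"),
]


def terminated_user_logins(events, terminated):
    """Insider-threat rule: a terminated employee's account successfully
    accessing an internal system. Only logins dated after the termination
    date count, so an HR export that lags the log does not flag old events."""
    hits = []
    for ts, user, ip, result in events:
        term_date = terminated.get(user)
        # ISO-8601 strings compare chronologically as plain strings.
        if term_date and result == "success" and ts[:10] > term_date:
            hits.append((ts, user, ip))
    return hits


def shared_ip_accounts(events, threshold=3):
    """Account-takeover rule: many distinct accounts successfully accessed
    from one source IP. Failed attempts are ignored so that a password-spray
    that never succeeds does not pollute the count. Returns {ip: accounts}."""
    accounts = defaultdict(set)
    for _, user, ip, result in events:
        if result == "success":
            accounts[ip].add(user)
    return {ip: sorted(users) for ip, users in accounts.items()
            if len(users) >= threshold}


if __name__ == "__main__":
    for hit in terminated_user_logins(AUTH_EVENTS, TERMINATED):
        print("terminated account login:", hit)
    for ip, users in shared_ip_accounts(AUTH_EVENTS).items():
        print("many accounts from one IP:", ip, users)
```

In Splunk the same two rules would be a lookup against the HR export and a `stats dc(user) by src_ip` search; the Python makes the correlation and the threshold choices explicit.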
Example of Advanced Threat Activities

1. Attacker hacks website, steals .pdf files (Web Portal .pdf)
2. Attacker creates malware, embeds it in a .pdf, emails it to the target (MAIL)
3. Target reads email, opens attachment
4. .pdf executes and unpacks malware, overwriting and running "allowed" programs (Svchost.exe, Calc.exe)
5. HTTP (web) session to command & control server (WEB): remote control, steal data, persist in company, rent as botnet
6. Gain access to system, transaction; conduct business; create additional environment

Data layers that observe these steps:
Threat intelligence
Auth - User Roles
Host Activity/Security
Network Activity/Security
Connect the "Data-Dots" to See the Whole Story

Kill chain: Delivery, Exploit, Installation; Gain Trusted Access; Upgrade (escalate), Lateral movement, Data Gathering, Exfiltration; Persist, Repeat

What each data layer tells you:
Threat intelligence - attacker, known relay/C2 sites, infected sites, IOC, attack/campaign intent and attribution
Network Activity/Security - where they went to, who talked to whom, attack transmitted, abnormal traffic, malware download
Host Activity/Security - what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
Auth - User Roles, Corp Context - access level, privileged users, likelihood of infection, where they might be in the kill chain

Data sources:
• Third-party Threat Intel • Open source blacklist • Internal threat intelligence
• Firewall • IDS/IPS • Vulnerability scanners
• Web Proxy • NetFlow • Network
• Endpoint (AV/IPS/FW) • Malware detection • PCLM
• DHCP • OS logs • Patching
• Active Directory • LDAP • CMDB
• Operating System • Database • VPN, AAA, SSO
Security Ecosystem for Coverage and Protection

Kill chain phases: Delivery; Exploitation & Installation; Command & Control; Accomplish Mission

Data layers:
Threat intelligence
Auth - User Roles, Corp Context
Host Activity/Security
Network Activity/Security
STIX/TAXII and OpenIOC 101
• Info sharing across companies and industries
• Standardized XML
• IOCs include IPs, web/email domains, hashes, processes, registry keys, certificates
Sample TAXII Feeds

User Community | Organisation
Cyber Threat XChange | Health Information Trust Alliance
Defense Security Information Exchange | Defense Industrial Base Information Sharing and Analysis Organization
ICS-ISAC | Industrial Control System Information Sharing and Analysis Center
NH-ISAC National Health Cybersecurity Intelligence Platform | National Health Information and Analysis Center
FS-ISAC/Soltra Edge | Financial Services Information Sharing and Analysis Center (FS-ISAC)
Retail Cyber Intelligence Sharing Center, Intelligence Sharing Portal | Retail Information Sharing and Analysis Center (Retail-ISAC)

More: http://stixproject.github.io/supporters/