Copyright © 2014 Splunk Inc.
Splunk for Security
Continuous Monitoring and Analytics-Driven Security for Modern Threats
Simon O’Brien, Security SME, ANZ
SPLUNK FOR SECURITY: Connecting People and Data, with Context and Extended Intelligence
The Ever-Changing Threat Landscape
• 67%: victims notified by an external entity
• 100%: valid credentials were used
• 229: median number of days before detection
Source: Mandiant M-Trends Report 2012/2013/2014
Threat actors: cybercriminals, malicious insiders, nation states
New approach to security operation is needed

Threat (attack approach):
• Human directed
• Goal-oriented
• Dynamic (adjust to changes)
• Coordinated
• Multiple tools & activities
• New evasion techniques

Analytics-driven security (security approach: technology, people, process):
• Fusion of people, process, & technology
• Contextual and behavioral
• Rapid learning and response
• Share info & collaborate
• Analyze all data for relevance
• Leverage IOC & threat intel

Security & compliance: top goals
• Continuously protect the business against: data breaches, malware, fraud, IP theft
• Comply with audit requirements
• Provide enterprise visibility

Security & compliance: top Splunk benefits
• 70% to 90% improvement with detection and research of events
• 70% to 95% reduction in security incident investigation time
• 10% to 30% reduction in risks associated with data breaches, fraud and IP theft
• 70% to 90% reduction in compliance labor
All Data is Security Relevant = Big Data
Traditional security sources: Intrusion Detection, Firewall, Data Loss Prevention, Anti-Malware, Vulnerability Scans, Authentication
Additional sources: Servers, Storage, Desktops, Email, Web, Transaction Records, Network Flows, DHCP/DNS, Hypervisor, Custom Apps, Physical Access Badges, Threat Intelligence, Mobile, CMDB
Solution: Splunk, The Engine For Machine Data
Machine data sources: Online Services, Web Services, Servers, Security, GPS Location, Storage, Desktops, Networks, Packaged Applications, Custom Applications, Messaging, Telecoms, Online Shopping Cart, Web Clickstreams, Databases, Energy Meters, Call Detail Records, Smartphones and Devices, RFID
Real-Time Machine Data → Report and analyze, Custom dashboards, Monitor and alert, Ad hoc search, Developer Platform
Other data:
• References – coded fields, mappings, aliases
• Dynamic information – stored in non-traditional formats
• Environmental context – human maintained files, documents
• System/application – available only using application request
• Intelligence/analytics – indicators, anomaly, research, white/blacklist
The Splunk Platform for Security Intelligence
• Splunk Enterprise (core)
• 200+ apps; Splunk for Security; Splunk-built apps: Stream data, Cisco Security Suite, Windows/AD/Exchange, Palo Alto Networks, FireEye, Bit9, DShield, DNS, OSSEC, …
Connecting the “data-dots” via multiple/dynamic relationships
• Threat intelligence: attacker, known relay/C2 sites, infected sites, file hashes, IOC, attack/campaign intent and attribution
• Auth – user roles: access level, privileged users, likelihood of infection, where they might be in the kill chain
• Host activity/security: what process is running (malicious, abnormal, etc.), process owner, registry mods, attack/malware artifacts, patching level, attack susceptibility
• Network activity/security: where they went, who talked to whom, attack transmitted, abnormal traffic, malware download
Kill chain: Delivery, exploit installation → Gain trusted access → Upgrade (escalate) → Lateral movement → Data gathering → Exfiltration → Persist, repeat
Security Intelligence Use Cases
• Security & compliance reporting
• Real-time monitoring of known threats
• Detecting unknown threats
• Incident investigations & forensics
• Fraud detection
• Insider threat
Complement, replace and go beyond traditional SIEMs
Splunk Enterprise Security
• Risk-based analytics
• Visualize and discover relationships
• Enrich security analysis with threat intelligence
The artist formerly known as the ‘app for’

Splunk Enterprise Security – 5 Releases in 21 Months
• ES 3.0
• ES 3.1 (Q3 2014): Risk Framework, Guided Search, Unified Search Editor, Threatlist Scoring, Threatlist Audit
• ES 3.2 (Q4 2014): Protocol Intelligence (Stream capture), Semantic Search (Dynamic Thresholding)
• ES 3.3 (Q2 2015): Threat Intel framework, User Activity Monitoring, Content Sharing, Data Ingestion
• ES 4.0 (Q4 2015): Breach Analysis, Integration with Splunk UBA, Splunk Security Framework
DEMO!
Splunk ES sandbox: https://www.splunk.com/getsplunk/es_sandbox
Splunk User Behavior Analytics for threat detection
Big data driven security analytics, machine learning: a new paradigm, data-science driven behavioral analytics
What does Splunk UBA do?
Inputs: SIEM; Firewall, AD, DLP; AWS, VM Cloud, Mobile; End point, Host, App, DB logs; Netflow, PCAP; Threat Feeds
Splunk UBA (security analytics): machine learning, behavior analytics, anomaly detection, threat detection, security analytics; next-gen data science-driven threat detection
Application for SOC analysts: kill chain detection, ranked threat review, actions & resolution; 99.99% event reduction
Key workflows – SOC analyst (threat detection)
• Quickly spot threats within your network
• Leverage the Threat Detection workflow to investigate insider threats and cyber attacks
• Act on forensic details – deactivate accounts, unplug network devices, etc.
Key workflows – hunter (security analytics, kill chain)
• Investigate suspicious users, devices, and applications
• Dig deeper into identified anomalies and threat indicators
• Look for policy violations
Threat Example
User activities (John’s timeline):
• 3:00 PM – John logs in via VPN from 1.0.63.14
• 3:05 PM – John elevates his privileges for the PCI network
• 3:10 PM – John performs a remote desktop on a system as Administrator in the PCI network zone
• 3:15 PM – John (Admin) performs an ssh as root to a new machine in the BizDev department
• 3:40 PM – John (Admin→root) accesses the folder with all the Excel and negotiation documents on the BizDev file shares
• 6 PM – John (Admin→root) copies all the negotiation docs to another share in the corp zone
• 11:35 PM – John (Admin→root) uses a set of Twitter handles to chop and copy the data outside the enterprise
Risk/threat detection areas:
• Unusual geo for John (China)
• Unusual activity time
• Unusual activity sequence (AD/DC privilege escalation)
• Unusual zone (Corp→PCI) traversal for John (lateral movement)
• Unusual machine access (lateral movement; individual + peer group)
• Unusual file access (individual + peer group)
• Excessive data transmission (individual + peer group)
• Unusual zone combo (PCI→corp) for John
• Multiple outgoing connections
• Unusual VPN session duration (11h)
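The detection areas above, as an added example that is not Splunk or Splunk UBA code: a toy detector that tags a constructed copy of John's timeline against a per-user baseline. The baseline values, host names, zone names and thresholds are assumptions made for the example.

```python
# Added example, not Splunk or Splunk UBA code: toy UBA-style anomaly tagging of
# one user's activity timeline against a per-user baseline (all data constructed).
from datetime import datetime

# Constructed baseline for user "john": countries, hours, hosts, paths he normally uses.
BASELINE = {"countries": {"AU"}, "work_hours": (8, 19), "hosts": {"corp-ws-17"},
            "paths": {"/shares/corp/john"}, "max_bytes": 50_000_000, "max_dst": 5,
            "max_vpn_hours": 4}

EVENTS = [  # constructed timeline mirroring the slide (BizDev share sits in the PCI zone)
    ("2014-06-02 15:00", "vpn_login", {"country": "CN"}),
    ("2014-06-02 15:05", "priv_esc", {}),
    ("2014-06-02 15:10", "rdp", {"host": "pci-srv-03", "zone": "pci"}),
    ("2014-06-02 15:15", "ssh", {"host": "bizdev-fs-02", "zone": "pci"}),
    ("2014-06-02 15:40", "file_access", {"path": "/shares/bizdev/negotiations"}),
    ("2014-06-02 18:00", "file_copy", {"zone": "corp", "bytes": 2_000_000_000}),
    ("2014-06-02 23:35", "egress", {"dst_count": 40}),
    ("2014-06-03 02:00", "vpn_logout", {}),
]

def detect(events, base):
    """Return [(time, kind, [labels])]; labels are the slide's detection areas."""
    out, zone, login_at = [], "corp", None  # john starts in the corp zone
    for ts, kind, f in events:
        t, labels = datetime.strptime(ts, "%Y-%m-%d %H:%M"), []
        if not base["work_hours"][0] <= t.hour < base["work_hours"][1]:
            labels.append("Unusual Activity Time")
        if kind == "vpn_login":
            login_at = t
            if f["country"] not in base["countries"]:
                labels.append(f"Unusual Geo ({f['country']})")
        if kind == "priv_esc":
            labels.append("Unusual Activity Sequence (Privilege Escalation)")
        if f.get("zone") and f["zone"] != zone:  # any zone change is new for john
            labels.append(f"Unusual Zone traversal ({zone}->{f['zone']})")
            zone = f["zone"]
        if f.get("host") and f["host"] not in base["hosts"]:
            labels.append("Unusual Machine Access (lateral movement)")
        if f.get("path") and f["path"] not in base["paths"]:
            labels.append("Unusual File Access")
        if f.get("bytes", 0) > base["max_bytes"]:
            labels.append("Excessive Data Transmission")
        if f.get("dst_count", 0) > base["max_dst"]:
            labels.append("Multiple Outgoing Connections")
        if kind == "vpn_logout" and login_at is not None:
            hours = (t - login_at).total_seconds() / 3600
            if hours > base["max_vpn_hours"]:
                labels.append(f"Unusual VPN session duration ({hours:.0f}h)")
        out.append((ts, kind, labels))
    return out
```

Running `detect(EVENTS, BASELINE)` tags every step of the sequence; a real UBA adds the peer-group comparison and the ranking that the slide mentions, which this toy omits.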
DEMO!
Thank you!