Enterprise Sec + User Bahavior Analytics
•Download as PPTX, PDF•
3 likes•1,493 views
The document provides an overview and update on Splunk's Enterprise Security and User Behavior Analytics solutions. It summarizes the key capabilities of each solution, including advanced threat detection, user activity monitoring, and machine learning-based anomaly detection. It also highlights new features recently added to Enterprise Security 4.0 like breach analysis tools and integration with Splunk UBA.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (15)
Similar to Enterprise Sec + User Bahavior Analytics
Similar to Enterprise Sec + User Bahavior Analytics (20)
More from Splunk
More from Splunk (20)
Recently uploaded
Recently uploaded (20)
Enterprise Sec + User Bahavior Analytics
- 1. Copyright © 2015 Splunk Inc. Enterprise Security & UBA Overview splunklive Long Beach 2015 Mark Bonsack, Staff SE James Brodsky, Security SME
- 2. 2 Agenda Splunk Portfolio Update Enterprise Security 4.0 User Behavior Analytics
- 3. VMware Platform for Machine Data Splunk Solutions > Easy to Adopt Exchange PCISecurity Across Data Sources, Use Cases & Consumption Models IT Svc Int Splunk Premium Solutions Rich Ecosystem of Apps ITSI UBA UBA Mainframe Data Relational Databases MobileForwarders Syslog/TCP IoT Devices Network Wire Data Hadoop & NoSQL
- 4. 4 Recent Splunk Releases 4 Splunk Enterprise 6.3 Enterprise Security 4.0 ES User Behavior Analytics 2.0 UBA IT Service Intelligence ITSI
- 5. 5 Enterprise Security Provides support for security operations/command centers Functions: alert management, detects using correlation rules (pre- built), incident response, security monitoring, breach response, threat intelligence automation, statistical analysis, reporting, auditing Persona service: SOC Analyst, security teams, incident responders, hunters, security managers Detections: pre-built advanced threat detection using statistical analysis, user activity tracking, attacks using correlation searches 5
- 6. 6 User Behavior Analytics Provides advanced threat detection using unsupervised machine learning – complements SIEMs (if any) Functions: baselines behavior from log data to detect anomalies and threats Persona service: SOC Analyst, hunters Detections: threat detection (cyber attacker, insider threat) using unsupervised machine learning and data science. 6
- 7. Copyright © 2015 Splunk Inc. Enterprise Security 7
- 8. Machine data contains a definitive record of all interactions Splunk is a very effective platform to collect, store, and analyze all of that data Human Machine Machine Machine
- 9. Rapid Ascent in the Gartner SIEM Magic Quadrant* *Gartner, Inc., SIEM Magic Quadrant 2011-2015. Gartner does not endorse any vendor, product or service depicted in its research publication and not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. 2015 Leader and the only vendor to improve its visionary position 2014 Leader 2013 Leader 2012 Challenger 2011 Niche Player 2015
- 10. 10 10 App Servers Network Threat Intelligence Firewall Web Proxy Internal Network Security Endpoints Splunk as the Security Nerve Center Identity
- 11. 11 ES Fast Facts ● Current version: 4.0 just released a little over a month ago ● Two releases per year ● Content comes from industry experts, market analysis, but most importantly YOU ● The best of Splunk carries through to ES – flexible, scalable, fast, and customizable ● ES has its own development team, dedicated support, services practice, and training courses
- 12. The best part of ES is free! ● You’ve got a bunch of systems… ● How to bring in: ● Network AV ● Windows + OS X AV ● PCI-zone Linux AV ● Network Sandboxing ● APT Protection ● CIM = Data Normalization
- 13. Copyright © 2015 Splunk Inc. NORMALIZATION?!?
- 14. Copyright © 2015 Splunk Inc. NORMALIZATION?!? Relax. This is therefore, CIM gets applied at SEARCH TIME.
- 15. Data Normalization is Mandatory for your SOC “The organization consuming the data must develop and consistently use a standard format for log normalization.” – Jeff Bollinger et. al., Cisco CSIRT Your fields don’t match? Good luck creating investigative queries
- 16. 16 ES Evolution Q3 2014 Q4 2014 Q2 2015 ES 3.1 • Risk Framework • Guided Search • Unified Search Editor • Threatlist Scoring • Threatlist Audit ES 4.0 • Breach Analysis • Integration with Splunk UBA • Splunk Security Framework ES 3.0 ES 3.2 • Protocol Intelligence (Stream capture) • Semantic Search (Dynamic Thresholding) ES 3.3 • Threat Intel framework • User Activity Monitoring • Content Sharing • Data Ingestion Q4 2015
- 17. 17 New Features in Enterprise Security 4.0 Optimize multi-step analyses to improve breach detection and response Extensible Analytics & Collaboration INVESTIGATION COLLABORATION • Investigator Journal • Attack & Investigation Timeline • Open Solutions Framework • Framework App : PCI
- 18. 18 …and, Integration with Splunk UBA SIGNATURES RULES HUMAN ANALYSIS Integrated with Splunk Enterprise Security
- 19. 21 Open Solutions Framework Supports critical security related management framework features 21 Enterprise Security Framework • Notable Events Framework • Thereat Intelligence Framework • Risk Scoring Framework • Identity & Asset Framework Customer Apps APPs / Content Partner Apps APPs / Content Splunk Apps APPs / Content • Export • Import • Share • Summarization Framework • Alerting & Scheduling • Visualization Framework • Application Framework External Instance
- 20. ES Demo
- 21. Copyright © 2015 Splunk Inc. ES Questions? 23
- 23. 25 THREATS CONSTANTLY EVOLVE You never know what’s coming next.
- 24. 26 Traditional SIEM detects 1% of breaches.
- 25. 27 80,000 Information Security Analysts. 0% Unemployment.
- 26. 28 Are they all of the same caliber? Sadly, No.
- 27. 29 Even if you had all the hiring budget in the world – the staff doesn’t exist.
- 28. 30 It’s hard to know what is NORMAL.
- 29. 31 Administering and using complex tech is hard.
- 30. 32 Administering complex tech=hard. INSIDER THREAT is a big problem Outsiders look like insiders!
- 31. 33 Administering complex tech=hard.DATA BREACH COST: $154 on average per record.
- 32. 34 Administering complex tech=hard.DATA BREACH COST: $154 on average per record. We’re gonna need a bigger boat.
- 33. 35 Administering complex tech=hard.DATA BREACH COST: $154 on average per record. UBA Unsupervised Machine Learning + Data Science for User/Entity Behavior Analytics
- 34. 36 Splunk UBA: Main Use Cases Advanced Cyber-Attacks Malicious Insider Threats
- 35. 37 Splunk UBA: Anomaly & Threat ModelsIce cream shops have 31 flavors…
- 36. 38 …Splunk UBA currently has 31 Threat and Anomaly Models ThreatAttackCorrelation Polymorphic Attack Analysis Behavioral Peer Group Analysis User & Entity Behavior Baseline Entropy/Rare Event Detection Cyber Attack / External Threat Detection Reconnaissance, Botnet and C&C Analysis Lateral Movement Analysis Statistical Analysis Data Exfiltration Models IP Reputation Analysis Insider Threat Detection User/Device Dynamic Fingerprinting
- 37. 39 TWO UBA WORKFLOWS Guided SOC Analyst and…
- 38. 40 Hunter.
- 39. 41 OVA provided for on-prem, or bare-metal. AMI available for AWS
- 40. 42 Web Gateway Proxy Server Firewall Box, SF.com, Dropbox, other SaaS apps Mobile Devices Malware Norse, Threat Stream, FS-ISAC or other blacklists for IPs/domains Active Directory/ Domain Controller Single Sign-on HRMS VPN Identity/Auth SaaS/MobileSecurity Products External Threat Feeds Activity (N-S, E-W) OPTIONAL Netflow, PCAP AWS CloudTrail End-point IDS, IPS, AV DNS, DHCP K E YDLP, File Server/Host Logs Data Sources
- 41. 43 Web Gateway Proxy Server Firewall Box, SF.com, Dropbox, other SaaS apps Mobile Devices Malware Norse, Threat Stream, FS-ISAC or other blacklists for IPs/domains Active Directory/ Domain Controller Single Sign-on HRMS VPN Identity/Auth SaaS/MobileSecurity Products External Threat Feeds Activity (N-S, E-W) OPTIONAL Netflow, PCAP AWS CloudTrail End-point IDS, IPS, AV DNS, DHCP K E YDLP, File Server/Host Logs Data Sources Splunk Enterprise & ES preferred, but not required. UBA can be standalone!
- 42. UBA Demo
- 43. UBA Questions?
- 44. Copyright © 2015 Splunk Inc. • September 26-29, 2016 • The Disney Swan and Dolphin, Orlando • 5000+ IT & Business Professionals • 3 days of technical content • 165+ sessions • 3 days of Splunk University • Sept 24-26, 2016 • Get Splunk Certified for FREE! • Get CPE credits for CISSP, CAP, SSCP • Save thousands on Splunk education! • 80+ Customer Speakers • 35+ Apps in Splunk Apps Showcase • 75+ Technology Partners • 1:1 networking: Ask The Experts and • Security Experts, Birds of a Feather and Chalk Talks • NEW hands-on labs! • Expanded show floor, Dashboards Control Room & Clinic, and MORE! .conf2016: The 7th Annual Splunk Worldwide Users’ Conference
- 45. 47 We Want to Hear your Feedback! After the Breakout Sessions conclude Text Splunk to 20691 And be entered for a chance to win a $100 AMEX gift card!
- 46. Thank You!
Editor's Notes
- The Splunk platform consists of multiple products and deployment models to fit your needs. Splunk Enterprise – for on-premise deployment Splunk Cloud – Fully managed service with 100% SLA and all the capabilities of Splunk Enterprise…in the Cloud Splunk Light – log search and analytics for small IT environments Hunk – for analytics on data in Hadoop The products can pull in data from virtually any source to support multiple use cases. Splunk Apps extend and simplify deployments by providing pre-packaged content designed for specific use cases and data types.
- Splunk excels at creating a data fabric Machine data: Anything with a timestamp, regardless of incoming format. Throw it all in there! Collect it. Store it in one place. Make it accessible for search/analytics/reporting/alerting. DETECTION NOT PREVENTION! ASSUME BREACH! So we need a place we can go to DETECT attacks. DETECT breaches. DETECT the “weird.” So if you had a place to see “everything” that happened… ….what would that mean for your SOC and IR teams?
- Our rapid ascent reflects the customer traction we have and value we deliver to customers – with thousands of security customers and 40% year-over-year growth, we are the fastest growing SIEM vendor in the market. 2011 was our first time in the MQ; In 2 short years we raced up to the top quadrant in the MQ.
- We see Splunk as your security nerve center. Security organizations are moving towards putting Splunk at the center of everything. . There’s literally nothing in your environment today when it comes to data that Splunk cannot either ingest or leverage. Just a few of those categories are shown here – some of them are quite typical, like your proxy and firewall data. Others less so – your internal badge readers and cameras, for example. Or the ability to correlate all of your data artifacts with IOCs from your threat intelligence sources. All in one place, all at scale, all in real time. That doesn’t mean that Splunk is always the first place that people go – sometimes Splunk may be feeding another tool, like a traditional SIEM. But Splunk always ends up being the place to see “all of the detail” and the place where customers can mash up the data between many disparate sources.
- 3.3. 3.0 was the first release done against Splunk 6 and that was a huge step forward – mainly because of the use of CIM and accelerated data models. Unlike other competitive solutions ES is constantly evolving – on average twice a year. Upgrades are pretty seamless. Where does content come from? All of the typical places but most importantly it comes from YOU. We take the best ideas that you give us, and we productize them and make them scalable and supportable. Splunk is more than a product – it is a wide open platform that inspires. None of this is lost in ES – splunk with ES is just as flexible and customizable. And it leverages technology in the core product like mapreduce and data models. You need ES to scale to the security intelligence needs of a huge enterprise? No problem. ES has its own dev team and roadmap, dedicated support individuals, a services practice schooled in it and other complementary infosec. Also lots of training is available.
- Underneath ES, there’s this concept called the Common Information Model….This performs normalization on data so that if we have four different AV solutions, for example, in our environment, we can report on them and analyze them and correlate across all of their data regardless of vendor. So normally when we hear normalization…
- …that’s evil. Normalization=bad because it is difficult to customize and maintain, and brittle. But that applies to schema-based normalization, and with splunk…
- …we apply our normalization at search time. Which means that even if you have some old data lying around that was onboarded incorrectly, or if the format of the data changes suddenly, you can tweak the field extractions underneath the CIM and go on with your life.
- It isn’t just us that thinks some form of data normalization is a good idea, especially for security analytics. If you haven’t checked it out, there’s a fantastic book published recently by three guys that work in the Cisco CSIRT, and they detail their extensive use of Splunk for security analysis. They make a strong point early on in the book about the role of data normalization. They mention that each event generated should have the… -Date and Time -Type of action performed -Subsystem performing the action -Identifiers for the object requesting the action -Identifiers for the object providing the action -Status, outcome, or result of the action So CIM helps us get significant regularity out of similar but disparate data types. Also allows cross-domain correlation like IDS to Vuln.
- Let’s talk about “What’s new in Enterprise Security 4.0” First Pillar is investigation : It’s a major release because the design is to Optimized multi-step analyses, specifically for breach analysis. In order for us to accomplish the goal, we are introducing Investigator Journal which is a feature that tracks analyst’s action Attack & Investigation timeline that puts analysis events and notes in timeline to address our plan toward managing kill chain concept. Second pillar is Collaboration : We understand that security is coordination of people and expertise which involves team efforts. So, we believed that it is important to introduce, ES as Open Solutions Framework where analysts and communities can share knowledge objects or ES specific extended features. As an example, PCI app is re written on top of ES open Solutions Framework, PCI conveniently reuses features in ES, like notable events framework, threat intelligence framework, asset and identity framework.. Etc..
- UBA is an entirely new, separate product that applies unsupervised machine learning and data science to the behaviors of users, devices, applications, etc within the environment. It has 31 different models that it applies to incoming event data, within which anomalies are tracked and threats are surfaced. You’ll hear a whole lot more about UBA later, but in ES 4.0 we ship out of the box bidirectional integration. Threats from UBA show up as notable events in ES and can be interacted with. And these threats in turn can be analyzed in UBA to see all of the related anomalies.
- There are still many challenges that the security industry have been dealing with in terms defending / analyzing advanced threats. KEY CHALLENGES : First, Attacks are increasingly dynamic So previous way of detecting these attacks using static correlation, we all know, it is not working, That’s why we see the industry pursuit of detecting these attacks in new ways such as Analytical approach or even Machine Learning approach. Secondly Often times a crucial part of detecting / analyzing these advanced attacks requires : Discovering of the distinct sequence of events by adversaries Basically it means, there is constant need of kill chain analysis Thirdly, As the security organizations analyze these complex attack scenarios, typically it requires multiple analysts and expertise to be involved. Depending on the type of analysis, it involves from Tier 1 analyst, to Tier 4 analyst, requires various skill levels. Lastly, Through it all, due to the nature resource intensiveness, there is always shortage of qualified security analysts. Having all these challenges in mind, we have set the following requirements to address the market : First, is the focus on tracking attack activities by having analyst to provide their knowledge, following attack activities, While the system tracks investigation, actions and notes So we can greatly help the analyst in their thought process of chasing the complex attacks. Second, as the system and analyst tracks the sequence of events using kill chain method, We wanted to allow analysts to quickly determine phases in attack life cycle. Next is to allowing easy collaboration with peers and enhance communication Which allows more dynamically analysis Ultimately we are trying to significantly help analysis, and investigate faster, leveraging expertise across silos more effectively. All of these ES 4.0 innovation efforts goes back to our philosophy which is our constant execution toward empowering people to make more accurate dynamic decisions supported by more meaningful data. We are not trying to just solve typical tracking incident / or workflow of managing a threat, but it’s about tracking the adversary / and providing ability to perform the adhoc analysis to be able to navigate through the story of kill chain.
- Now we understand in order for us to effectively respond to a complex breach incident investigation in a timely manner, There is constant jumping around to find evidence, / dynamic analysis actions which needs to be well organized. Because the investigation analysis and reports are so dynamic… Our goals for delivering “investigator journal and timeline” is to address the very challenges : 1. To be able to track investigator's actions 2. Clearly and accurately communicate the scope of breach / through single aggregated view 3. Leverage collective knowledge of security experienced analysts, / break down the silos, / maximizing capabilities by bringing diverse expertise into one common objective.
- So our vision was to create flexible, yet powerful. Of course open frameworks where we can nurture and embrace our overall eco-system which includes, customer, resellers, technology partners and even students who wants to develop cools features, rules, intelligent feeds etc. on top of ES. the community can easily share the knowledge or provide a mechanism to accelerate the innovation trends. Customers, vendors and third parties can create and extend the functionality of ES, and run the contents within the ES framework. The content can be imported and exported. Developers can share new apps and modules internally, / or distribute them to the Splunk community on splunkbase Content packs have access to ES specific functionality, / including notable events, the risk framework, and the identity framework.
- They have been evolving for years. Go back 15 years and we cared about viruses and worms. Then, phishing and malware and we’re concerned about that too. Malicious insider threats. Now originally we had signature based detection, and the problem there is that things change and morph and come out so quickly that we can’t keep up. There are highly paid groups of people looking to break into our customers organizations and they spend time around the clock every day trying to do that. So we apply a lot of people, process, technology to try and protect ourselves – this is a “defensive” measure.
- ASK: Are you running an existing SIEM? Just about every company invests in a SIEM, sometimes multiple. Do they work? Maybe, if you provide the right care and feeding. SIEM has over promised and under delivered. Why? Basically because SIEMs are programmed by humans to look, mostly, for known events. They use rules, These rules can be complex and quite effective, but they are only as good as the human creating the rules. Think about all of the companies that have been breached in the past few years. Do you think they didn’t have a SIEM? In the 2014 Verizon Data Breach report, it was found that only 1% of successful breaches were spotted by SIEM systems. That figure hasn’t changed much over the past few years. OWNING a SIEM is not the same as RUNNING a SIEM.
- ASK: Are you able to hire good security people? The latest Bureau of Labor Statistics show that there are about 80,000 individuals in the US with this title. Do you know how many are typically unemployed at any given time? 0%
- ASK: Are all of your SOC personnel competent at the same levels? All of those 80,000 employees are not created equal. Some hit a high bar. Others, not so much.
- Even if you have all the money in the world to hire, you often can’t hire the very talented infosec hunters you need to.
- It’s really hard to know what normal is…
- And the last thing these overworked, understaffed groups need is ANOTHER complex security tool where you have to go to training to understand how to run it or how to interpret its results.
- The great majority of successful breaches occur when a users credentials are compromised and then they are used to infiltrate a network, move laterally, and steal stuff. Problem is, how do you know who the “real” users are as opposed to the imposters? 100% of publicized breaches use compromised credentials. So if we can find users or systems USING these credentials…
- Compound all that with the cost of breaches, which on average is $154 in recovery costs per stolen record, and you start to understand the scope of the problem, and realize…
- …we’re gonna need a bigger boat. Because the boat we have today ain’t working all that well for us. We don’t have the time. We don’t have the resources. So let’s take a look at a bigger boat.
- We bought a company called Caspida right before Blackhat this year. They had only been around for about two years, but we were extremely impressed with their technology and vision. This technology has become Splunk UBA. Infosec and threat detection solution. Helps you find hidden threats without using rules, signatures, or human analysis. It uses behavior modeling, peer group analysis, graph models, real time statistical analysis, collaborative filtering, and other machine learning techniques.
- UBA isn’t designed to replace anything in your environment today – it supplements. It focuses on two main uses cases – detecting advanced cyber attacks, and detecting malicious insider threats. And it does this with a very high degree of confidence, automatically. Is it going to find every possible threat in your environment? Nope. But what it does find, you can feel confident in the reported results.
- I’m pretty old – when I went out for ice cream with my family as a kid we always went to Baskin Robbins.
- Now, we do add to these models, but not as quickly as you might think. The reason is – these are all behavior based, and although individual threat patterns and types change frequently, the underlying behavior of the threats does not. So when you have behavior based models you don’t need to constantly update them. We do tweak them and test them though. Modify? Not yet. But if you do have a team of data scientists that can program in Scalar and understand things like Markov probability graphs extensively, then we offer services to allow for your own models. In the future we will provide an SDK.
- When you’re in the product there are two distinct ways to use it, and this is where we have a significant advantage. There’s a wizard-like interface that steps a junior analyst through threats found, and makes recommendations as to what to do. You can click on the findings and see the raw results, too. The interface is beautiful and intuitive. This plays right in line with the need to make life as easy as possible for the tiny number of security analysts that are usually in each account. But for the hardcore geeks that want to pick through the individual anomalies…
- There’s the Hunter workflow. This is more hands on, allowing the seasoned security person to view all anomalous users, or traffic, or devices, or what have you, and use that data to hunt. You can of course drill into this data in Splunk to take things as far as you need to.
- The standard delivery is via an OVA that you install in your current vmware environment. It scales horizontally – about 5,000 EPS per appliance. You can install it on bare metal Linux if you would like. Or, you can install it as an AMI in AWS.
- The data sources that UBA expects to consume are typical, and if you’re an existing Splunk security customer, you are probably putting a lot of this in Splunk today. The more data you feed UBA, the better the analysis will be.
- And…you don’t even need to run traditional Splunk to take advantage of UBA. UBA can consume data directly via a few different methods, and connectors exist for a few of the popular SIEM technologies. Let’s see a quick demo.
- We’re headed to the East Coast! 2 inspired Keynotes – General Session and Security Keynote + Super Sessions with Splunk Leadership in Cloud, IT Ops, Security and Business Analytics! 165+ Breakout sessions addressing all areas and levels of Operational Intelligence – IT, Business Analytics, Mobile, Cloud, IoT, Security…and MORE! 30+ hours of invaluable networking time with industry thought leaders, technologists, and other Splunk Ninjas and Champions waiting to share their business wins with you! Join the 50%+ of Fortune 100 companies who attended .conf2015 to get hands on with Splunk. You’ll be surrounded by thousands of other like-minded individuals who are ready to share exciting and cutting edge use cases and best practices. You can also deep dive on all things Splunk products together with your favorite Splunkers. Head back to your company with both practical and inspired new uses for Splunk, ready to unlock the unimaginable power of your data! Arrive in Orlando a Splunk user, leave Orlando a Splunk Ninja! REGISTRATION OPENS IN MARCH 2016 – STAY TUNED FOR NEWS ON OUR BEST REGISTRATION RATES – COMING SOON!