Copyright © 2013 Splunk Inc.
Splunk the SIEM
Jeff Bollinger 0x506682C5
Technical Leader and Infosec Investigator:
CSIRT
SplunkLive! Customer Presentation - Cisco Systems, Inc.

Speaker notes
  • What am I trying to protect? Infrastructure, intellectual property, customer and employee data, brand reputation.
    What are the threats? Malware gone wild, targeted attacks, rogue insiders, mismanagement.
    How do I discover them? Security monitoring, logging and event retrieval, operational intelligence.
    How do we respond? IR process: identification, isolation, remediation.
  • Lots of sensors, defense in depth, log collection, log analysis.
  • Old Way (SIEM approach, and our early v1 approach with Splunk): dependent upon vendors to write queries for you, or to have a magic box or algorithm that will find it all. Tuning can be an issue within a SIEM if you can’t do it from the event source itself (i.e. the wheat-from-chaff problem).
    New Way: data-centric playbook approach using log data and Splunk (v2). Flexible and easily adaptable for updates and tactical changes. Totally custom upfront, but work savings after plays are operationalized. Topical, relevant, and current research can be deployed quickly, even as a simple test for a larger operation.
  • In terms of Incident Response a playbook is….
  • Cisco indexes between 150 and 300 Gb of WSA data per day
Transcript of "SplunkLive! Customer Presentation - Cisco Systems, Inc."

1. Splunk the SIEM
   Copyright © 2013 Splunk Inc.
   Jeff Bollinger 0x506682C5
   Technical Leader and Infosec Investigator: CSIRT, Cisco Systems, Inc.
   https://blogs.cisco.com/author/jeffbollinger/
   https://twitter.com/jeffbollinger

2. About Me...
   • Cisco Computer Security Incident Response Team (CSIRT)
   • CSIRT = Security Monitoring and Incident Response
   • Architecture, Engineering, Research, and Investigations
   • Enterprise global threat and 24x7 incident response

3. The Numb3rs
   • Cisco Systems Inc.:
     – 100 countries
     – 130,000 employees (with laptops and phones)
     – 150,000 servers of all types
     – 40,000 routers
     – 1,500 labs
     – 1 CSIRT analyst for every 7,000 employees

4. The Numb3rs
   Cisco indexes almost 1Tb of log data per day

5. Incident Response Basics
   • What am I trying to protect?
   • What are the threats?
   • > How do I detect them?
   • How do we respond?

6. How Do I Detect?

7. Out With The Old
   The Old Way:
   • You don’t know what you don’t know
   • Buy and trust a SIEM to run canned reports
   • Wait for updates from the vendor
   • Try to edit/create custom reports
   The New Way:
   • Build your own collection infrastructure
   • Data-centric approach
   • Build your own reports
   • Research your own intelligence
   • Operationalize and optimize!

8. playbook |ˈplāˈbŏk| (noun)
   A prescriptive collection of repeatable queries (reports) against security event data sources that lead to incident detection and response.
   Analyze: SIEM

9. A Note on Strategy
   Hunting vs. Gathering

10. Hunting: Build a Query – Find Bad Stuff
   • Start with the obvious and simple:
     index=wsa earliest=-24h x_wbrs_score=ns
   English translation: Splunk, look at our web proxy logs over the past 24 hours, and give me all the web sites (objects) that had no known reputation score.

11. Hunting: Build a Query – Find Bad Stuff
   index=wsa earliest=-24h x_wbrs_score=ns
   Let me stop you right there…

12. Hunting: Build a Query – Find Bad Stuff
   • Filter based on unique attributes:
     index=wsa earliest=-24h x_wbrs_score=ns | where isnull(cs_referer)
   English translation: Splunk, look at our web proxy logs over the past 24 hours, and give me all the web sites (objects) that had no known reputation score, and there was no HTTP referrer.

13. Hunting: Build a Query – Find Bad Stuff
   index=wsa earliest=-24h x_wbrs_score=ns | where isnull(cs_referer)
   Ok, getting better, sort of…

14. Hunting: Build a Query – Find Bad Stuff
   • Filter, refine, filter, refine:
     index=wsa earliest=-24h application/x-dosexec ns GET 200 x_wbrs_score=ns cs_method=GET sc_http_status=200 cs_mime_type=application/x-dosexec (java OR MSIE) NOT (mirror OR cdn) | where isnull(cs_referer)
   English translation: Splunk, query our web proxy logs over the past 24 hours, and give me all the web sites (objects) that had no known reputation score, and there was no HTTP referrer, where either Java or Internet Explorer successfully downloaded an executable file from a site that didn’t have ‘mirror’ or ‘CDN’ in the URL.

15. Hunting: Build a Query – Find Bad Stuff
   Here we go!
   index=wsa earliest=-24h application/x-dosexec ns GET 200 x_wbrs_score=ns cs_method=GET sc_http_status=200 cs_mime_type=application/x-dosexec (java OR MSIE) NOT (mirror OR cdn) | where isnull(cs_referer)
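The hunt from slides 10 to 15 replayed in Python over constructed proxy events, as an added example that is not part of the deck: each refinement is applied in the order the slides add it, so you can see the result set shrink. Field names follow the slides; cs_user_agent and cs_url are assumed names for the fields that the bare java/MSIE and mirror/cdn search terms end up matching.

```python
"""Added example (not from the Cisco/Splunk deck): the slides 10-15 hunt
replayed in Python over constructed WSA-style proxy events."""
import re

def ev(score, referer, status, mime, ua, url):
    """One event. Field names follow the slides; cs_user_agent and cs_url are
    assumed names for the fields the bare search terms match against."""
    return {"x_wbrs_score": score, "cs_referer": referer, "cs_method": "GET",
            "sc_http_status": status, "cs_mime_type": mime,
            "cs_user_agent": ua, "cs_url": url}

# Constructed sample events (all values invented for illustration).
SAMPLE = [
    # unknown reputation, no referer, MSIE fetched an EXE: should surface
    ev("ns", None, "200", "application/x-dosexec",
       "Mozilla/4.0 (compatible; MSIE 8.0)", "http://203.0.113.10/update/setup.exe"),
    # same shape from a mirror host: dropped by NOT (mirror OR cdn)
    ev("ns", None, "200", "application/x-dosexec",
       "Java/1.7.0_21", "http://mirror.example.net/pkg/tool.exe"),
    # unknown reputation, but the user followed a link (referer present)
    ev("ns", "http://search.example.com/", "200", "text/html",
       "Mozilla/5.0 Firefox/21.0", "http://blog.example.org/post"),
    # known reputation score: dropped at the first stage
    ev("7.5", None, "200", "text/html",
       "Mozilla/5.0 Firefox/21.0", "http://www.example.com/"),
    # Java fetched an EXE with no referer, but the download failed (404)
    ev("ns", None, "404", "application/x-dosexec",
       "Java/1.7.0_21", "http://198.51.100.7/dl/a.exe"),
]

# One predicate per refinement, in the order the slides add them.
# Splunk's bare search terms are case-insensitive, hence re.I.
STAGES = [
    ("x_wbrs_score=ns", lambda e: e["x_wbrs_score"] == "ns"),
    ("| where isnull(cs_referer)", lambda e: e["cs_referer"] is None),
    ("cs_method=GET sc_http_status=200 cs_mime_type=application/x-dosexec",
     lambda e: (e["cs_method"], e["sc_http_status"], e["cs_mime_type"])
     == ("GET", "200", "application/x-dosexec")),
    ("(java OR MSIE)", lambda e: re.search(r"java|msie", e["cs_user_agent"], re.I)),
    ("NOT (mirror OR cdn)", lambda e: not re.search(r"mirror|cdn", e["cs_url"], re.I)),
]

def hunt(events):
    """Apply each refinement in turn; return ([(stage, survivors)], final hits)."""
    funnel, survivors = [], list(events)
    for label, pred in STAGES:
        survivors = [e for e in survivors if pred(e)]
        funnel.append((label, len(survivors)))
    return funnel, survivors
```

On the five constructed events the funnel runs 4, 3, 2, 2, 1: only the no-referer executable download by Internet Explorer from a bare IP host survives every stage.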
16. Gathering: Build a Query – Find Bad Stuff
   If you can find or create a re-usable pattern, you can save a search, make a report, and automate!

17. Gathering: Build a Query – Find Bad Stuff
   For example: this query will detect the Tracur clickfraud trojan:
   index=wsa earliest=-6h@h m cs_url="*/m/*" MSIE (NOT (cs_referer="*")) | regex cs_url="^http://(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/m/[A-Za-z0-9/+]{50,1000}$"
   http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3aWin32%2fTracur
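The slide 17 saved search replayed in Python over constructed events, as an added example that is not part of the deck. cs_user_agent is an assumed field name for what the bare MSIE term matches, and the octet separators in the regex are written as \. so they match a literal dot; the sample events show which near-misses (hostname instead of IP literal, invalid octet, short payload, referer present) the search leaves out.

```python
"""Added example (not from the Cisco/Splunk deck): the slide 17 Tracur saved
search replayed in Python over constructed WSA-style events."""
import re

# The slide's regex, with the octet separators escaped (\.) so that only a
# dotted-quad host followed by /m/ and a 50-1000 char base64-like blob matches.
OCTET = r"(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
TRACUR_URL = re.compile(
    r"^http://" + OCTET + r"\." + OCTET + r"\." + OCTET + r"\." + OCTET
    + r"/m/[A-Za-z0-9/+]{50,1000}$")

def is_tracur_beacon(event):
    """Mirror the search terms on the slide: cs_url="*/m/*", the bare term
    MSIE (matched here against an assumed cs_user_agent field), no referer
    (NOT (cs_referer="*")), then the regex on cs_url."""
    url = event.get("cs_url") or ""
    return ("/m/" in url
            and "msie" in (event.get("cs_user_agent") or "").lower()
            and not event.get("cs_referer")
            and TRACUR_URL.match(url) is not None)

def find_tracur(events):
    """Return the URLs of events the saved search would report."""
    return [e["cs_url"] for e in events if is_tracur_beacon(e)]

# Constructed sample events; BLOB stands in for the encoded payload segment.
BLOB = "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo" * 2   # 70 base64-ish chars
MSIE = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
SAMPLE = [
    # dotted-quad host, /m/ path, long blob, MSIE, no referer: reported
    {"cs_url": "http://192.0.2.5/m/" + BLOB, "cs_user_agent": MSIE, "cs_referer": None},
    # same request shape, but a hostname instead of an IP literal: not reported
    {"cs_url": "http://www.example.com/m/" + BLOB, "cs_user_agent": MSIE, "cs_referer": None},
    # invalid octet (256): the per-octet alternation rejects it
    {"cs_url": "http://192.0.2.256/m/" + BLOB, "cs_user_agent": MSIE, "cs_referer": None},
    # blob too short for the {50,1000} quantifier
    {"cs_url": "http://192.0.2.5/m/" + BLOB[:20], "cs_user_agent": MSIE, "cs_referer": None},
    # a referer is present, so this looks like navigation rather than a beacon
    {"cs_url": "http://192.0.2.5/m/" + BLOB, "cs_user_agent": MSIE,
     "cs_referer": "http://www.example.com/"},
]
```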
18. Do It Yourself
   • Once you have:
     – Solid, repeatable, saved searches
     – Research and intelligence gathering
     – Consistent handling procedures
     – Documentation and tuning
   • You have your own SIEM, running in Splunk, and completely custom to your organization

19. Thank you
