SplunkLive! Customer Presentation - University of Alabama at Birmingham
    1. Copyright © 2013 Splunk Inc.
       George Starcher, CISSP
       University of Alabama at Birmingham
       Enterprise Information Security Engineer II
    2. About UAB
       Established in 1936
       18,568 students
       Peak 175 GB log data/day
    3. About Me
       George Starcher, Enterprise Information Security Engineer II, CISSP
       Splunk Certified Knowledge Manager and Splunk Certified Administrator
       Splunk IRC Channel; Birmingham, AL - Splunk User Group
       Log all the things! RaspberryPi + Splunk = Optimal Laundry Time
       Yes, there is a Splunk Universal Forwarder now!
       www.georgestarcher.com
    4. One Year Ago
       License Usage was 150GB/day
       Ingesting normal log types
       Base parsing of fields
       We saw a huge increase in speed for investigating issues
       The honeymoon period with our data
    5. Now
       License Usage averaging 175GB/day
       Added a lot of log metadata and simplified searches
       Common Information Model
       Starting to add external Intelligence Sources
       We were already doing geo lookups
       Keeping the magic in the relationship
       Automating Splunk control over other systems
    6. Securing the University
       Before:
       • Lots of “typical” log mining
       • Not as vibrant integration with the ES App as wanted
       • Manual Daily Operations Processes
       After:
       • Searches easier to understand and resilient to new log sources
       • ES App much better populated
       • Alert Script Control of Other Systems
    7. Common Information Model
       http://docs.splunk.com/Documentation/CIM/latest/User/Overview
       index=os_osx sshd invalid
       • This is an abstraction process going from raw machine data to a usable nomenclature
       • Institutionalizes knowledge of log data
       • Puts focus on the questions, not the technical details
       • Canned questions miss things
    8. Data Parsing
       Index Time
       Search Time
    9. Common Information Model
       tag=authentication action=failure | stats values(user) by src_ip
    10. @SplunkDev Team - THANKS!!
        @gblock - Glenn Block
        @damiendallimore - Damien Dallimore
        David Noble - Twitter App
    11. Alert Scripts - IPS Control
        Had a manual process for blocking abusive scanners: SSH, RDP, VNC, etc.
        – Consumed 30-45 minutes per day
        – Permanent blacklist entries
        Moved to an automated process
        – Scheduled Splunk Searches driven by any log source
        – Greatly reduced time and static blacklist maintenance
        – Plugged in Web Services (REST) calls to the IPS
    12. Alert Scripts - How it Works
        Intrusion Prevention Appliance
    13. Alert Scripts - How it Works
    14. Alert Scripts - How it Works
    15. Alert Scripts - In Action
        IPS Quarantine Activity:
    16. Alert Scripts - In Action
        Splunk Quarantine Activity:
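An added example (not the deck's or UAB's script) of the "how it works" step: a Splunk scripted-alert handler that reads the gzipped results of the CIM search from slide 9 and issues one short-lived quarantine call per src_ip. It relies on Splunk's legacy alert-script argument contract (the results file path arrives as the eighth argument); the IPS URL, token and JSON body are placeholders because the deck does not show the appliance's API, and it targets Python 3 rather than the Python 2 that Splunk shipped in 2013.

```python
"""Splunk scripted alert -> IPS quarantine (added example, not UAB's code).
Splunk's legacy alert-script interface passes eight arguments; sys.argv[8]
is the path to a gzipped CSV of the triggering search results.  IPS_URL,
IPS_TOKEN and the JSON body are placeholders: substitute your IPS's API."""
import csv
import gzip
import io
import json
import sys
import urllib.request

IPS_URL = "https://ips.example.invalid/api/quarantine"  # placeholder endpoint
IPS_TOKEN = "REPLACE_ME"                                 # placeholder credential
NEVER_BLOCK = {"127.0.0.1"}                              # addresses always skipped

def parse_results(csv_text):
    """Distinct src_ip values from results of a CIM search such as
    `tag=authentication action=failure | stats values(user) by src_ip`.
    Empty values, repeats and NEVER_BLOCK entries are dropped so a
    malformed result set cannot become a self-inflicted outage."""
    seen, out = set(), []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ip = (row.get("src_ip") or "").strip()
        if ip and ip not in seen and ip not in NEVER_BLOCK:
            seen.add(ip)
            out.append(ip)
    return out

def build_request(src_ip, reason, ttl_minutes=5):
    """One POST per address (body shape is hypothetical).  A short TTL
    lets the quarantine expire instead of becoming a permanent blacklist
    entry, the maintenance burden the deck moved away from."""
    body = json.dumps({"ip": src_ip, "reason": reason,
                       "ttl_minutes": ttl_minutes}).encode()
    return urllib.request.Request(
        IPS_URL, data=body, method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": "Bearer " + IPS_TOKEN})

def quarantine(src_ips, reason, send=urllib.request.urlopen):
    """Submit every address; `send` is injectable for offline testing."""
    for ip in src_ips:
        send(build_request(ip, reason), timeout=10)
    return list(src_ips)

if __name__ == "__main__":
    saved_search, results_gz = sys.argv[4], sys.argv[8]
    with gzip.open(results_gz, "rt") as fh:
        quarantine(parse_results(fh.read()), "splunk:" + saved_search)
```

Placed under $SPLUNK_HOME/bin/scripts and named as the saved search's alert script, it runs once per scheduled search that fires; the search itself decides what is "abusive", the script only carries the verdict to the IPS.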
    17. Phishing
    18. Phishing
    19. Phishing
    20. Phishing
        Initial Activity (Nigeria):
    21. Phishing
        Started Feb 10, 2014
        • Blocked for any access from Nigeria every 5 minutes
        Expanded Multi-Country Feb 15, 2014
        • Blocked for combination from certain countries and a lookup table of hosted providers
        Feb 17, 2014
        • Noticed unexpected Exchange from Nigeria
    22. Phishing
        Single User by src_ip_country:
        Hosted by src_ip:
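An added example (not the deck's search) that spells out the two phishing rules from slide 21, the phase-one "any access from" a country and the phase-two combination of a country watch list with a hosted-provider lookup table, over constructed CIM-style events. The watch list, provider ranges, sample events and the reading that both phase-two conditions must hold on the same event are assumptions; in production this logic sits in a scheduled Splunk search with a lookup, not in Python.

```python
"""Country + hosted-provider phishing rules (added example; the deck's own
logic lives in a scheduled Splunk search with a lookup table).  Watch
list, provider ranges and events below are constructed for illustration."""
import ipaddress
from collections import defaultdict

WATCH_COUNTRIES = {"Nigeria"}                      # constructed watch list
HOSTED_PROVIDERS = [ipaddress.ip_network(n) for n in
                    ("203.0.113.0/24", "198.51.100.0/24")]  # constructed lookup

def parse_ip(text):
    """ip_address(text) or None; a bad geo/IP field must not abort the run."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def is_hosted(src_ip):
    """True when src_ip falls inside any hosted-provider range."""
    addr = parse_ip(src_ip)
    return addr is not None and any(addr in net for net in HOSTED_PROVIDERS)

def any_access_from(events, country):
    """Phase-one rule (Feb 10): every valid src_ip seen from `country`."""
    return sorted({e["src_ip"] for e in events
                   if e.get("src_ip_country") == country
                   and parse_ip(e.get("src_ip", "")) is not None})

def quarantine_candidates(events):
    """Phase-two rule (Feb 15), assumed reading: an event must come from a
    watch-listed country AND a hosted-provider range.  events use CIM names
    (user, src_ip, src_ip_country); returns {src_ip: sorted users}."""
    hits = defaultdict(set)
    for e in events:
        ip = e.get("src_ip", "")
        if e.get("src_ip_country") in WATCH_COUNTRIES and is_hosted(ip):
            hits[ip].add(e.get("user", "unknown"))
    return {ip: sorted(users) for ip, users in hits.items()}

SAMPLE_EVENTS = [  # constructed CIM-style authentication events
    {"user": "alice", "src_ip": "203.0.113.9", "src_ip_country": "Nigeria"},
    {"user": "bob", "src_ip": "203.0.113.9", "src_ip_country": "Nigeria"},
    {"user": "carol", "src_ip": "192.0.2.5", "src_ip_country": "Nigeria"},
    {"user": "dave", "src_ip": "198.51.100.4", "src_ip_country": "United States"},
    {"user": "eve", "src_ip": "not-an-ip", "src_ip_country": "Nigeria"},
]
```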
    23. Splunk from Tool to Team Member
        We recovered an hour of operations labor per day by automating existing processes and some regular intelligence reports. The automation gives our IPS the ability to respond to data it could never handle directly. By combining the automated response with different quarantine policies in the IPS, we change the ground under the attacker’s feet. Simplifying searches based on the Common Information Model helps with cross-training staff and integrating new log sources.
    24. What is Next
        Update to Splunk v6
        Update to Splunk App for Enterprise Security Application v. 3.0
        Add automation to more of our systems
        Add Data exchange from/to Intelligence sharing systems
    25. Thank You!