Splunk .conf2011: Splunk for Fraud and Forensics at Intuit

This session will examine how Intuit is using Splunk to prevent fraud and conduct forensic analysis. We’ll show how Splunk helps Intuit monitor for known fraudsters and fraudulent patterns and then speeds forensic investigations to understand which systems may have been compromised.

Transcript of "Splunk .conf2011: Splunk for Fraud and Forensics at Intuit"

  1. Understanding Security Issues as Patterns in Data. Mark Seward, Director, Security and Compliance Marketing. The 2nd Annual Splunk Worldwide Users Conference, © Copyright Splunk 2011
  2. A Shift in Attack Vectors
     [Chart: timeline from 1998 through 2005 to today. Known, signature-based threats give way to unknown, behavior-based attacks; the increasing number of attack signatures and attacks meets a data explosion in data volume ("Big-data"). Splunk meets the challenge of detecting pattern-based behaviors in a "Big-data" context.]
  3. Beyond Signatures and Rules: People Trump Technology in a Behavioral Approach
     - A move to a behavioral approach demands more emphasis on people and less on pure technology
     - Behavioral approaches to security require a continuous application of human observation and judgment
     - Allows the analyst to take the "actor view" to understanding the goals and methods of persistent adversaries
     - Requires you to baseline patterns of normal or expected behavior, then select thresholds and triggers that will alert administrators to suspicious activities
  4. Implementing a Pattern-based Strategy for Security
  5. Enabling a Pattern-based Strategy for Security
     - Splunk supports pattern modeling and adaptation for security for insider threats, fraud scenarios, and persistent adversaries
     - Patterns enable a risk-based approach to anticipate attack vectors and attack patterns and behaviors
     Seek: activity and access patterns that contain the weak signals of a potential threat. Model: implement analytics and assessment to determine which patterns present greater risk to the organization by qualifying and quantifying the impact. Adapt: action to protect users, accounts, data and infrastructure from the threat that was discovered and assessed in the previous phases. (Gartner Research © 2010)
  6. Security Event Patterns in Context
     [Chart: an augmented view of security events drawing on App Mgmt, IT Ops, Web Analytics and Security data]
     - View the web analytics data patterns as part of the web application attack
     - Monitor changes in server/application performance (CPU) against a baseline as an indicator of an attack
     - Understand authorized patterns of changes/additions to configurations and user accounts as part of fraud surveillance
     Security is a Big Data problem with no boundaries from on-premise to "cloud".
  7. How is this Different from Traditional SIEM?
     - Rules view
       - Breaking the speed limit
       - If one or more of these things happen, let me know
       - Watches for only what is known
       - No concept of what is "normal"
     - Patterns view
       - Watches for rhythms in your data over time against what is "normal" (normal will not be static)
       - Takes advantage of "weak signals" from non-traditional security data
       - Watches for what you don't know
       - Patterns + analytics enables decisions
     Patterns allow for data to be viewed as a reflection of human behavior over time.
  8. Analytics and data patterns in practice
  9. DoS Attacks
     - DoS attacks at the network layer are massive floods of traffic from numerous sources, designed to overwhelm resources
     - DoS attacks at the application layer target layer 7 and the HTTP protocol
     [Image: recent DoS attacks]
  10. Common Anatomy of a Typical DoS
     - Source addresses usually spoofed; this also means no TCP session establishment is possible
     - True identity of source very difficult to obtain
     - Attacks of significance generally come from a botnet
     - TCP and UDP most common; ICMP happens as well
  11. HTTP Slow POST Attack
     - Client issues an HTTP POST to a server
     - Client says "I'm going to post a gig of data."
     - Client sends the host the gig, but only 1 byte per minute
     - Service waits for the data transfer
     - Usually in just a couple of minutes: la morte
  12. Dashboard: HTTP Slow POST
     [Dashboard screenshot: Slow Post Attack]
  13. Connection Exhaustion Based Attacks
     - Host opens a connection to a server but doesn't send a single byte
     - Each connection ties up an Apache process
     - Apache waits for the connection timeout to expire, then closes the connection
     - Connections fill up the queue faster than they time out
     - Default connection queue for Apache is set to 511
  14. Dashboard: Connection Exhaustion
     [Dashboard screenshot: Attacks detected]
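The two dashboards above are screenshots, so the detection logic behind them is not on the slides. The following Python is an added example, not Splunk's or Intuit's code: it classifies connection records of the kind slides 11 and 13 describe (no bytes ever received versus a huge declared body trickling in at a few bytes per minute) and reports which sources hold the most of them, and how much of the 511-entry Apache backlog they occupy at a given moment. The record layout, the sample records, the 60-second server timeout and the minimum body rate are all constructed assumptions.

```python
"""Added example (not from the .conf2011 slides): classify long-lived, low-data
HTTP connections of the kind slides 11 and 13 describe, from constructed
connection records, and report the sources holding the most of them.

Record layout (constructed): (src_ip, opened_s, closed_s, declared_len, bytes_rcvd),
with times in seconds from an arbitrary epoch. All thresholds are assumptions.
"""
from collections import Counter, defaultdict

SERVER_TIMEOUT_S = 60        # assumed Apache read timeout before an idle connection is dropped
LISTEN_BACKLOG = 511         # default Apache connection queue quoted on slide 13
MIN_BODY_RATE_BPS = 100.0    # assumed slowest acceptable POST body rate (bytes/second)

# Constructed sample: 203.0.113.9 holds idle and trickling connections, the rest are healthy.
CONNECTIONS = [
    # src_ip        opened  closed   declared_len  bytes_rcvd
    ("203.0.113.9",   0.0,   60.0,             0,          0),  # never sent a byte, dropped at timeout
    ("203.0.113.9",   1.0,   61.0,             0,          0),
    ("203.0.113.9",   2.0,   62.0,             0,          0),
    ("203.0.113.9",   3.0,  183.0, 1_000_000_000,          3),  # "a gig" declared, 1 byte per minute
    ("203.0.113.9",   4.0,  184.0, 1_000_000_000,          3),
    ("198.51.100.4",  5.0,    5.2,          2048,       2048),  # ordinary POST, body sent at once
    ("198.51.100.7",  6.0,    6.1,             0,        512),  # ordinary request with no declared body
    ("198.51.100.7",  7.0,   20.0,     5_000_000,  5_000_000),  # large but healthy upload
]


def classify(conn):
    """Label one connection: idle (connection exhaustion), slow_post, or normal."""
    _src, opened, closed, declared_len, received = conn
    duration = max(closed - opened, 1e-9)  # guard against zero-length records
    if received == 0 and duration >= SERVER_TIMEOUT_S:
        return "idle"
    if declared_len > 0 and received < declared_len and received / duration < MIN_BODY_RATE_BPS:
        return "slow_post"
    return "normal"


def summarize_by_source(conns):
    """Count labels per source IP, e.g. {'203.0.113.9': {'idle': 3, 'slow_post': 2}}."""
    per_src = defaultdict(Counter)
    for conn in conns:
        per_src[conn[0]][classify(conn)] += 1
    return {src: dict(counts) for src, counts in per_src.items()}


def suspicious_sources(conns, min_bad=3):
    """Sources holding at least min_bad idle or slow connections, worst first."""
    scored = []
    for src, counts in summarize_by_source(conns).items():
        bad = counts.get("idle", 0) + counts.get("slow_post", 0)
        if bad >= min_bad:
            scored.append((src, bad))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def backlog_pressure(conns, at_time):
    """Idle/slow connections open at at_time, and the share of the backlog they occupy."""
    held = sum(
        1 for conn in conns
        if conn[1] <= at_time < conn[2] and classify(conn) != "normal"
    )
    return held, held / LISTEN_BACKLOG


if __name__ == "__main__":
    print(summarize_by_source(CONNECTIONS))
    print(suspicious_sources(CONNECTIONS))
    print(backlog_pressure(CONNECTIONS, 30.0))
```

The per-source count is what makes this usable as a dashboard panel: a single idle connection is normal client behaviour, while many of them from one address, or a climbing share of the backlog, is the pattern worth alerting on. Source addresses in a real flood may be spoofed (slide 10), so the backlog share is the more reliable signal of the two.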
  15. Example: Time-based Pattern-detection for Malware Activity Discovery
     Pattern: request for download immediately followed by more requests
     - Time-based transactions sorted by length
     - Fast requests following the download of a PDF, Java, zip, or exe. If a download is followed by rapid requests for more files, this is a potential indicator of a dropper.
     Splunk pattern search:
       source=proxy [search file=*.pdf OR file=*.exe | dedup clientip | table clientip] | transaction maxspan=60s maxpause=5s clientip | eval Length=len(_raw) | sort - Length
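To make the search on slide 15 concrete, here is the same dropper pattern worked through in Python over constructed proxy log lines. This is an added example, not the slide's own code or a Splunk feature: the subsearch becomes a set of client IPs that fetched a .pdf or .exe, `transaction maxspan=60s maxpause=5s clientip` becomes a grouping loop with the same two cut-offs, and `len(_raw)` becomes the summed raw length of a transaction's events. The log format, the sample lines and the `min_followups` threshold are assumptions.

```python
"""Added example (not from the slides): the dropper pattern of slide 15, computed
in Python over constructed proxy log lines instead of with the Splunk search.

Mirrors the search step by step: the subsearch picks client IPs that fetched a
.pdf or .exe, `transaction maxspan=60s maxpause=5s clientip` groups each such
client's requests, `len(_raw)` scores a transaction by its total raw length, and
the result is sorted longest first. Log format and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO time> <client IP> <method> <URL> <status>" (not a real log format)
PROXY_LOG = """\
2011-08-15T10:00:00 10.1.1.5 GET http://files.example.invalid/invoice.pdf 200
2011-08-15T10:00:01 10.1.1.5 GET http://cdn.example.invalid/a.dll 200
2011-08-15T10:00:02 10.1.1.5 GET http://cdn.example.invalid/b.dll 200
2011-08-15T10:00:03 10.1.1.5 GET http://cdn.example.invalid/c.bin 200
2011-08-15T10:00:04 10.1.1.5 GET http://cdn.example.invalid/d.bin 200
2011-08-15T10:00:30 10.1.1.5 GET http://news.example.invalid/ 200
2011-08-15T10:00:00 10.1.1.8 GET http://files.example.invalid/manual.pdf 200
2011-08-15T10:05:00 10.1.1.8 GET http://intranet.example.invalid/home 200
2011-08-15T10:00:00 10.1.1.9 GET http://news.example.invalid/ 200
2011-08-15T10:00:01 10.1.1.9 GET http://news.example.invalid/style.css 200
"""

DOWNLOAD_SUFFIXES = (".pdf", ".exe")   # the slide's subsearch: file=*.pdf OR file=*.exe


def parse_log(text):
    """Turn the constructed log into event dicts; _raw keeps the original line, as in Splunk."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, clientip, _method, url, _status = line.split()
        events.append({"_time": datetime.fromisoformat(ts).timestamp(),
                       "clientip": clientip, "url": url, "_raw": line})
    return events


def downloaders(events):
    """Subsearch equivalent: distinct client IPs that fetched a download-type file."""
    return {e["clientip"] for e in events if e["url"].lower().endswith(DOWNLOAD_SUFFIXES)}


def build_transactions(events, clientips, maxspan=60.0, maxpause=5.0):
    """Group each client's requests like `transaction maxspan maxpause clientip`.

    A new transaction starts when the pause since the previous event exceeds
    maxpause or the span since the first event exceeds maxspan.
    """
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e["_time"]):
        if e["clientip"] in clientips:
            by_client[e["clientip"]].append(e)
    transactions = []
    for evs in by_client.values():
        current = [evs[0]]
        for e in evs[1:]:
            if (e["_time"] - current[-1]["_time"] > maxpause
                    or e["_time"] - current[0]["_time"] > maxspan):
                transactions.append(current)
                current = [e]
            else:
                current.append(e)
        transactions.append(current)
    return transactions


def dropper_candidates(events, min_followups=3):
    """Transactions that open with a download and continue with rapid further requests.

    Returns (clientip, start_time, request_count, raw_length), longest first,
    the same ordering as `sort - Length` on the slide.
    """
    found = []
    for tx in build_transactions(events, downloaders(events)):
        starts_with_download = tx[0]["url"].lower().endswith(DOWNLOAD_SUFFIXES)
        if starts_with_download and len(tx) - 1 >= min_followups:
            length = sum(len(e["_raw"]) for e in tx)  # summed raw lengths, the transaction's len(_raw)
            found.append((tx[0]["clientip"], tx[0]["_time"], len(tx), length))
    return sorted(found, key=lambda item: -item[3])


if __name__ == "__main__":
    for hit in dropper_candidates(parse_log(PROXY_LOG)):
        print(hit)
```

In the sample, 10.1.1.5 fetches a PDF and then four more files within five seconds and is reported; 10.1.1.8 fetches a PDF and nothing else for five minutes, so its transaction closes with one event and is not. As the slide says, this is a potential indicator, not proof: a web page that embeds a PDF viewer and then loads its assets produces the same rhythm, so the sorted list is a triage queue for an analyst rather than a blocking rule.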
  16. Example: Patterns of Beaconing Hosts to Command and Control
     Pattern: APT malware "beacons" to command and control at specific intervals
     - Watching for hosts that talk to the same URL at the same interval every day
     Splunk pattern search:
       ... | streamstats current=f last(_time) as next_time by site | eval gap = next_time - _time | stats count avg(gap) var(gap) by site
     - What you'd be looking out for are sites that have a low var(gap) value.
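The gap statistics of slide 16, computed in Python over constructed proxy events as an added example (not the slide's code): for each site the gap to the next request to that site is taken, then count, avg(gap) and var(gap) per site, and sites with a low variance are returned. Splunk hands events to streamstats newest-first, which is why `last(_time)` of the previous row with `current=f` is the later event's time on the slide; here the times are simply sorted. Sample variance is used, an assumption about how Splunk's var() is computed; the sample data, the variance threshold and the allowlist of known periodic sites are also constructed.

```python
"""Added example (not from the slides): the beacon-interval statistics of slide 16
computed in Python over constructed proxy events.

Follows the Splunk search: per site, the gap to the next request to that site
(streamstats last(_time) as next_time), then count, avg(gap) and var(gap).
Sites with a low var(gap) are beaconing candidates. Sample variance is an
assumption about Splunk's var(); data, threshold and allowlist are constructed.
"""
from collections import defaultdict
from statistics import mean, variance

# Constructed (_time in seconds, host, site) tuples: one host polls c2.example.invalid
# every 300 s with a second or two of jitter, browsing of news.example.invalid is
# irregular, and a software updater checks update.example.invalid every hour.
EVENTS = [(t, "10.1.1.5", "c2.example.invalid") for t in (0, 300, 601, 900, 1200, 1499, 1800, 2100)]
EVENTS += [(t, "10.1.1.8", "news.example.invalid") for t in (0, 17, 250, 263, 900, 905, 1700)]
EVENTS += [(t, "10.1.1.9", "update.example.invalid") for t in (0, 3600, 7200, 10800, 14400, 18000)]

# Legitimate scheduled traffic also has a low var(gap); keep it out of the candidate list.
KNOWN_PERIODIC_SITES = {"update.example.invalid"}   # constructed allowlist


def gap_stats(events):
    """Per site: (count, avg_gap, var_gap), like `stats count avg(gap) var(gap) by site`.

    The last event of a site has no next_time, so it is counted but contributes
    no gap, matching how a null gap drops out of avg() and var().
    """
    times = defaultdict(list)
    for t, _host, site in events:
        times[site].append(t)
    stats = {}
    for site, ts in times.items():
        ts.sort()
        gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
        avg = mean(gaps) if gaps else None
        var = variance(gaps) if len(gaps) > 1 else None
        stats[site] = (len(ts), avg, var)
    return stats


def beacon_candidates(events, max_var=25.0, min_count=5):
    """Sites with at least min_count requests and var(gap) <= max_var, lowest variance first,
    excluding sites on the allowlist of known periodic services."""
    hits = []
    for site, (count, _avg, var) in gap_stats(events).items():
        if site in KNOWN_PERIODIC_SITES or var is None:
            continue
        if count >= min_count and var <= max_var:
            hits.append((site, var))
    return [site for site, _ in sorted(hits, key=lambda item: item[1])]


if __name__ == "__main__":
    for site, (count, avg, var) in gap_stats(EVENTS).items():
        print(f"{site}: count={count} avg(gap)={avg} var(gap)={var}")
    print(beacon_candidates(EVENTS))
```

The `min_count` floor matters as much as the variance threshold: two requests to any site produce a single gap and a meaningless variance, so a site needs enough history before its rhythm says anything. The allowlist is the other practical caveat the slide leaves implicit: update checkers, monitoring probes and mail clients are perfectly regular too, and without excluding them the low-variance list fills with legitimate traffic.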
  17. Other Pattern Uses: Fraud. Hand off to Intuit...
  18. Intuit, Financial Services Division. Jaime Rodriguez, Senior Fraud Analyst, Intuit
  19. Jaime Rodriguez
     - Securing banks and financial institutions since 1999
     - Presented and keynoted at numerous Information Security conferences all around the US
     - Contributor to a variety of open-source projects related to many of today's most popular security tools
     "Fraud team's goal is to provide fraud analysis on a proactive basis--we're currently reactive."
  20. Intuit, Financial Services Division
     - One of the largest providers of outsourced online financial management solutions
     - Serving 1800+ financial institutions and 4 million+ end customers
     - Applications include:
       - Consumer and business internet banking
       - Electronic bill payment and presentment
       - Personal online financial management
       - Website hosting and development for financial institutions
  21. All of Your Data Is Security Relevant
     - Indexing our infrastructure:
       - Cisco firewalls
       - Snort
       - App logs, WebSense
       - TippingPoint IPS
     - Integrating data from outside partners:
       - Known fraud rings
       - Bad IP addresses
       - Bad actors
  22. Splunk Speeds Remediation
     Previously:
     - Had a customized parser
     - Searches conducted in batch, taking 3+ hours via cron job
     - Reports came in piecemeal across 5000 emails with different syntax
     - Only sophisticated (aka highly paid) users could track patterns
     With Splunk:
     - Splunk provides a single view
     - Role-based access provides secure views into data
     - Customer service and banking customer teams can begin queries on their own: no waiting for access/permission, no highly paid engineer required
     - Results in 5 minutes
  23. From Reactive to Proactive
     - Using Splunk for historical analysis
     - New fraud patterns identified drive reviews of past 30 day / 90 day / all time periods
     - As patterns emerge, we build alerts (SMS, email) when evidence of similar patterns of known fraudsters emerges
     - Showing monthly trending
     - We've modified our logs to better capture and expose the information we need to see
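Slides 21 and 23 describe two steps of one workflow: enrich application events with partner-supplied indicators (bad IP ranges, known fraud-ring accounts), then alert on matches and run the new pattern back over the past 30 days, 90 days and all time. The Python below is an added example of that workflow, not Intuit's code or log format: a key=value application log, an indicator list and the account IDs are all constructed, and the lookup is done with the standard `ipaddress` module rather than a Splunk lookup table.

```python
"""Added example (not from the slides): the partner-list enrichment of slide 21 and
the 30/90-day/all-time historical review of slide 23, over constructed app log
lines. The log format, indicator values and account IDs are all constructed.
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed partner indicators: bad address ranges and accounts tied to a known fraud ring.
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.23/32")]
FRAUD_RING_ACCOUNTS = {"acct-4471"}

# Constructed application log: "<ISO time> key=value ..." (not Intuit's format)
APP_LOG = """\
2011-08-15T09:12:44 user=acct-1001 src=192.0.2.10 action=login
2011-08-15T09:13:02 user=acct-1001 src=192.0.2.10 action=wire amount=250.00
2011-08-15T09:40:10 user=acct-2230 src=203.0.113.77 action=login
2011-08-15T09:41:55 user=acct-2230 src=203.0.113.77 action=wire amount=5000000.00
2011-07-02T14:05:00 user=acct-4471 src=198.51.100.23 action=login
2011-05-20T11:00:00 user=acct-4471 src=192.0.2.99 action=wire amount=7000000.00
"""


def parse_log(text):
    """Split each line into a timestamp plus key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["_time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def enrich(event):
    """Attach indicator tags, the way a lookup against a partner feed would."""
    tags = []
    src = ipaddress.ip_address(event["src"])
    if any(src in net for net in BAD_NETWORKS):
        tags.append("bad_ip")
    if event["user"] in FRAUD_RING_ACCOUNTS:
        tags.append("fraud_ring_account")
    return {**event, "tags": tags}


def alerts(events, min_amount=0.0):
    """Tagged events worth an SMS/email alert; min_amount keeps low-value noise out."""
    out = []
    for ev in map(enrich, events):
        amount = float(ev.get("amount", 0.0))
        if ev["tags"] and amount >= min_amount:
            out.append((ev["_time"].isoformat(), ev["user"], ev["src"], ev["action"], ev["tags"]))
    return out


def review_window(events, now, days=None):
    """Count tagged events in the past `days` (None = all time): the 30/90/all-time review."""
    start = now - timedelta(days=days) if days is not None else None
    return sum(1 for ev in map(enrich, events)
               if ev["tags"] and (start is None or ev["_time"] >= start))


if __name__ == "__main__":
    evs = parse_log(APP_LOG)
    now = datetime(2011, 8, 15, 12, 0)
    for hit in alerts(evs, min_amount=1_000_000):
        print("ALERT", hit)
    for days in (30, 90, None):
        print(f"tagged events, past {days or 'all'} days:", review_window(evs, now, days))
```

Separating `enrich` from `alerts` is deliberate: the same tags feed the real-time alert, the historical review and a monthly trend, so a new indicator added to the partner list (a fresh fraud ring, a newly bad address range) is immediately reflected in all three without touching the search logic. The `min_amount` floor is the kind of threshold slide 3 asks you to choose consciously: a login from a bad range is evidence, but it is a multi-million-dollar wire attempt that should page someone.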
  24. Splunk for the Ops Team
     - Outages unacceptable
     - Often caused by unauthorized change
     - Splunk tracks changes to pinpoint issues for remediation
     - Monitoring throughput and access for each financial institution
       - Usage stats good for re-sell/upsell
     - Dashboards show system health and performance; execs love visibility
  25. Truth From The Trenches: Wire Transfers
     - Watching a fraudster in real time, seeing $5M, $7M, $8M wire attempts
     - Splunk exposed every element of our infrastructure that he touched
     - Next we could correlate activities based on time to understand his pattern of activity
  26. Truth from the Trenches: Geolocation
     - We noticed a similar fraud pattern across 15 banks
     - Then we mapped them to see they were within 15 miles of one another
     - Fraud was coming from one data processing vendor who they all shared
  27. The World of Compliance
     FFIEC
     - Federal Financial Institutions Exam Council
     - Ensures financial organizations follow uniform principles, standards and methods of reporting
     - Splunk empowers auditors to ask, and us to quickly and easily answer, any question
     SAS70
     - Certification of standard controls, communications mechanisms and monitoring procedures
     - Required by many financial services clients
     - Subset of Sarbanes-Oxley compliance
     PCI
     - PCI: Payment Card Industry Data Security Standard
     - Promotes trust with customers
     - Required by various payment card providers
  28. Getting Started
     - Just get started: Splunk is great out of the box for quick and dirty analysis
     - It only gets better when you customize it
     - Demo Splunk to others; people are amazed at how much data and depth we can get based on pivoting
     - Follow the install guide!
     - Consider how you'll expand, and plan in advance for that expansion
     - Move to 4.2: it's fast!
  29. Questions? August 15, 2011. Jaime Rodriguez, Intuit