Security crawl walk run presentation mckay v1 2017

How to go from crawl to walk to run with Splunk for Security. By Dimitri McKay, Staff Security Architect, Splunk


  1. © 2017 SPLUNK INC. crawl | walk | run: Splunk for Security. Dimitri McKay | Staff Security Architect | Splunk
  2. Forward-Looking Statements. During the course of this presentation, we may make forward-looking statements regarding future events or the expected performance of the company. We caution you that such statements reflect our current expectations and estimates based on factors currently known to us and that actual events or results could differ materially. For important factors that may cause actual results to differ from those contained in our forward-looking statements, please review our filings with the SEC. The forward-looking statements made in this presentation are being made as of the time and date of its live presentation. If reviewed after its live presentation, this presentation may not contain current or accurate information. We do not assume any obligation to update any forward-looking statements we may make. In addition, any information about our roadmap outlines our general product direction and is subject to change at any time without notice. It is for informational purposes only and shall not be incorporated into any contract or other commitment. Splunk undertakes no obligation either to develop the features or functionality described or to include any such feature or functionality in a future release. Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners. © 2017 Splunk Inc. All rights reserved.
  3. Agenda: Splunk Level Set; Intro / Maturity; Crawl; Walk; Run; Summary
  4. Intro: Maturity
  5. Technology, People, Process: 3 equal parts make a mature security program
  6. Maturity of a Security Program. Stages from reactive to proactive: Search and Investigate; Proactive Monitoring and Alerting; Security Situational Awareness; Real-time Risk Insight. Characteristics along that path: - Reactive security - Limited visibility - Limited data sources - Data spread across multiple silos - Specific data sources captured - Real-time monitoring for specific basic use cases - Simple correlation alerts in use - Monitoring in real time - High-fidelity correlation in use - Basic automation for enrichment - Threat data plays a heavy role in security processes - Risk framework used to prioritize activity - Automation is used to reduce noise and threat - Breaches identified in real time and thwarted before exfil
  7. Image credit: https://github.com/swannman/ircapabilities (CC BY 4.0, https://creativecommons.org/licenses/by/4.0/)
  8. Crawl: How do I get started?
  9. Image credit: https://github.com/swannman/ircapabilities (CC BY 4.0, https://creativecommons.org/licenses/by/4.0/)
  10. The Splunk Platform for Security Intelligence: Splunk Enterprise (core), 200+ apps, Splunk-built apps, Splunk for Security. Example integrations: Stream data; Cisco Security Suite; Windows / AD / Exchange; Palo Alto Networks; FireEye; Bit9; DShield; DNS; OSSEC
  11. Step one? Download Splunk. :)
  12. But, consider starting with these top 5 data sources…
  13. #1 Windows: Splunk Add-on for Microsoft Windows
  14. Windows Use Cases (#1 Windows, Splunk Add-on for Microsoft Windows). ► Authentication: success/failures; new account logons; unused accounts; anomalous logins. ► Endpoint changes: new applications/processes; new ports; new services
  15. #2 Linux: Splunk Add-on for Unix and Linux; Add-on for Auditd
  16. Linux Use Cases (#2 Linux, Splunk Add-on for Unix and Linux, Add-on for Auditd). ► Authentication: success/failures; new account logons; unused accounts; anomalous logins. ► Endpoint changes: new applications/processes; new ports; new services
  17. #3 Firewalls: Splunk Add-on for Juniper, Cisco, Palo Alto, etc.
  18. Firewall Use Cases (#3 Firewalls, Splunk Add-on for Juniper, Cisco, Palo Alto, etc.). ► Top categories ► Top apps consuming bandwidth ► Top protocol use ► Top bandwidth consumers ► Top threats by user/host/src ► Top blocked executables ► Top vulnerabilities / vulnerable machines ► Top targets ► Top actions ► Top malware
  19. #4 AWS + Cloud Services: Adoption of Cloud in the Security space
  20. AWS/Cloud Use Cases (#4 AWS + Cloud Services). ► Network ACLs ► Security groups ► IAM activity ► S3 data events ► VPC activity/traffic/security analysis ► CloudFront/ELB/S3 traffic analysis ► Top user activity ► Top resource activity
  21. #5 Anti-virus: Symantec and McAfee antivirus suites
  22. Anti-virus Use Cases (#5 Anti-virus, Symantec and McAfee antivirus suites). ► Top risks detected ► Top processes blocked ► Top viruses / spyware detected ► Malware client version reports ► Malware virus definitions version reports ► Host changes / modifications
  23. With these top 5 data sources you manage… ► Detection of Possible Brute Force Attacks ► Detection of Insider Threat ► Expected Host/Log Source Not Reporting ► Unusual Login Behavior ► Unexpected Events Per Second (EPS) from Log Sources ► Detection of Anomalous Ports, Services and Unpatched Devices ► More… http://resources.infosecinstitute.com/top-6-seim-use-cases/#gref
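As an added example (not from the slides), the "Detection of Possible Brute Force Attacks" use case above implemented in Python over constructed Windows Security events written in a key=value form; the event format, the thresholds and the source addresses are assumptions, and in a Splunk deployment the same logic would be a scheduled search over the Windows add-on data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security events (EventCode 4625 = failed
# logon, 4624 = successful logon); addresses are documentation ranges.
SAMPLE_EVENTS = """\
2017-09-26T10:00:01 EventCode=4625 Account_Name=jsmith Source_Network_Address=203.0.113.7
2017-09-26T10:00:04 EventCode=4625 Account_Name=jsmith Source_Network_Address=203.0.113.7
2017-09-26T10:00:09 EventCode=4625 Account_Name=admin Source_Network_Address=203.0.113.7
2017-09-26T10:00:15 EventCode=4625 Account_Name=admin Source_Network_Address=203.0.113.7
2017-09-26T10:00:21 EventCode=4625 Account_Name=admin Source_Network_Address=203.0.113.7
2017-09-26T10:00:44 EventCode=4624 Account_Name=admin Source_Network_Address=203.0.113.7
2017-09-26T10:01:00 EventCode=4625 Account_Name=bob Source_Network_Address=198.51.100.4
2017-09-26T10:05:00 EventCode=4625 Account_Name=svc Source_Network_Address=192.0.2.9
2017-09-26T10:20:00 EventCode=4625 Account_Name=svc Source_Network_Address=192.0.2.9
2017-09-26T10:35:00 EventCode=4625 Account_Name=svc Source_Network_Address=192.0.2.9
2017-09-26T10:50:00 EventCode=4625 Account_Name=svc Source_Network_Address=192.0.2.9
2017-09-26T11:05:00 EventCode=4625 Account_Name=svc Source_Network_Address=192.0.2.9
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) EventCode=(?P<code>\d+) Account_Name=(?P<user>\S+) "
                      r"Source_Network_Address=(?P<src>\S+)$")

def parse_events(text):
    """Parse the sample format into dicts, oldest first; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "code": int(m["code"]),
                           "user": m["user"], "src": m["src"]})
    return sorted(events, key=lambda e: e["ts"])

def detect_brute_force(events, threshold=5, window_minutes=10):
    """Flag sources with >= threshold failed logons inside a sliding window.
    'success_after' marks a burst of failures followed by a successful logon
    from the same source within the window: the finding to triage first."""
    window = timedelta(minutes=window_minutes)
    fails, users, hits = defaultdict(list), defaultdict(set), {}
    for e in events:
        src = e["src"]
        if e["code"] == 4625:
            # keep only the failures still inside the window, then add this one
            fails[src] = [t for t in fails[src] if e["ts"] - t <= window] + [e["ts"]]
            users[src].add(e["user"])
            if len(fails[src]) >= threshold:
                rec = hits.setdefault(src, {"success_after": False})
                rec.update(failures=len(fails[src]), users=sorted(users[src]), last_fail=e["ts"])
        elif e["code"] == 4624 and src in hits and e["ts"] - hits[src]["last_fail"] <= window:
            hits[src]["success_after"] = True
    return hits
```

A single failure followed by a success (198.51.100.4) is not reported, and slow failures spread beyond the window (192.0.2.9) only surface when the window is widened, which is the tuning knob a SOC adjusts per environment.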
  24. Use Cases + Apps: Dive into more advanced use cases
  25. Next, Dive Into More Advanced Use Cases. Security Intelligence Use Cases: Security & Compliance Reporting; Real-time Monitoring of Known Threats; Root Cause Analysis; Action Alerting; Incident Investigations & Forensics
  26. Splunk Security Essentials: Access and Network Domain. Access Domain: • Authentication Against a New Domain Controller • First Time Logon to New Server • Significant Increase in Interactively Logged On Users • Geographically Improbable Access (Superman) • Increase in # of Hosts Logged into • New AD Domain Detected • New Interactive Logon from a Service Account • New Local Admin Account • New Logon Type for User • Short Lived Admin Accounts • Significant Increase in Interactive Logons. Network Domain: • Detect Algorithmically Generated Domains • Remote PowerShell Launches • Source IPs Communicating with Far More Hosts Than Normal • Sources Sending Many DNS Requests • Sources Sending a High Volume of DNS Traffic
  27. Splunk Security Essentials for Ransomware. The following are the use cases included in this app: 1. Fake Windows Processes 2. Malicious Command Line Executions 3. Monitor AutoRun Reported Registry Keys 4. Monitoring Successful Backups 5. Monitor Successful Windows Update 6. Monitoring Unsuccessful Backups 7. Monitor Successful Windows Update 8. Ransomware Extensions 9. Ransomware Note Files 10. Ransomware Vulnerabilities 11. SMB Traffic Allowed 12. Spike in SMB Traffic 13. Detect TOR Traffic
  28. CIS Critical Security Controls: Framework for Baseline Security. The CIS Critical Security Controls app for Splunk was designed to provide a consolidated, easily extensible framework for baseline security "best practices" based on the Top 20 Critical Security Controls published by the Center for Internet Security.
  29. Crawl: How do I get started?
  30. Image credit: https://github.com/swannman/ircapabilities (CC BY 4.0, https://creativecommons.org/licenses/by/4.0/)
  31. Image credit: https://github.com/swannman/ircapabilities (CC BY 4.0, https://creativecommons.org/licenses/by/4.0/)
  32. Splunk Enterprise Security: Analytics SIEM. Monitoring | Reporting | Alerting: • 50,000-foot view of the organization's security posture • Out-of-the-box dashboards, reports, correlated alerts, and incident response workflows • Detect unusual activities by leveraging statistical analysis, dynamic thresholds, and anomaly detection • Verify privileged access and detect unusual activity by applying user- and asset-based context to all cloud, on-premises and hybrid machine data to monitor user and asset activities. Threat | Case Management: • Leverage threat feeds from a broad set of sources, including free threat intelligence feeds, third-party subscriptions, law enforcement, FS-ISAC, STIX/TAXII, the Department of Homeland Security's (DHS) Automated Indicator Sharing (AIS), Facebook ThreatExchange, internal and shared data • Manage alerts/cases and investigations in one place, with the ability to pivot between data sources to decrease remediation and investigation time, thereby reducing risk.
  33. Crawl: How do I get started?
  34. Image credit: https://github.com/swannman/ircapabilities (CC BY 4.0, https://creativecommons.org/licenses/by/4.0/)
  35. Image credit: https://github.com/swannman/ircapabilities (CC BY 4.0, https://creativecommons.org/licenses/by/4.0/)
  36. Splunk UBA + Enterprise Security: Unsupervised Machine Learning. Business Risk | Machine Learning: • Detects insider threats using out-of-the-box, purpose-built but extensible unsupervised machine learning (ML) algorithms • Provides context around the threat via ML-driven anomaly correlation and visual mapping of stitched anomalies over the phases of the attack lifecycle (Kill Chain View) • Increases SOC efficiency with rank-ordered threats and supporting evidence • Prioritizes assets and identities based on criticality to the business, which in turn prioritizes alerts and case management as the most important events bubble to the surface. High Fidelity Alerting + Orchestration: • By integrating UBA with Enterprise Security, high-fidelity alerts are fed into a central location for remediation • Alerts are then actionable, allowing Splunk to orchestrate and automate a response via a single common interface for retrieval, sharing, and response in multi-vendor environments. Examples of those responses might be segregating a host off the network, resetting a user's password, pushing out antivirus definitions to machines with out-of-date updates, or blocking IPs and URLs found in threat lists.
  37. Summary: In Conclusion
  38. The Platform: PLATFORM. Analytics, Awareness & Action
  39. The Platform: PLATFORM; SOLUTIONS. Analytics, Awareness & Action. Vendor Apps | Community Apps | Use Case Apps | Showcase Apps
  40. The Platform: PLATFORM; SOLUTIONS; USE CASES. Analytics, Awareness & Action. Vendor Apps | Community Apps | Use Case Apps | Showcase Apps. Use cases: Incident Investigations and Forensics; Security and Compliance; Real-Time Monitoring; Root Cause Analysis; Automation and Orchestration; Reporting and Alerting
  41. End: Thank you!
