
Splunk Phantom, the Endpoint Data Model & Splunk Security Essentials App!


We'll be covering the latest and greatest updates to Phantom (SOAR Platform), the ins and outs of the new Endpoint Data Model and what you can use it for, and finally showcasing some of the awesome beta features just released as part of the Splunk Security Essentials App, which include MITRE ATT&CK and Kill Chain Mappings!


  1. © 2019 SPLUNK INC. Security-focused Splunk User Group
  2. Agenda
     • Housekeeping: Event Overview & House Rules
     • Phantom Update (Splunk's SOAR Platform) from Tom Wise
     • Endpoint Data Model Breakdown from Adam Thomson
     • Showcase of Security Essentials Beta Features from Harry McLaren
  3. Hosted by ECS Security
     – Elite Splunk Partner – UK
     – Security / IT Operations / Managed Services (SOC / Splunk)
     – Splunk Revolution Award & Splunk Partner of the Year
  4. Splunk [Official] User Group
     “The overall goal is to create an authentic, ongoing user group experience for our users, where they contribute and get involved”
     ● Technical Discussions
     ● Sharing Environment
     ● Build Trust
     ● No Sales!
  5. Phantom Update (SOAR Platform) – Tom Wise
  6. SOARing with Phantom 4.x: Phantom 4.x Update & Demo
  7. $WHOAMI
     ▶ Tom Wise
       • Senior Security Consultant @ ECS Security – 3 Years
       • Splunk Consultant – 2 ½ Years
       • Phantom Security Solutions Engineer – 6 Months
       • Phantom & Splunk Trainer – ~1 Year
  8. The Why
  9. Why SOAR? The key drivers for a SOAR implementation are:
     • Resource Shortages (#1)
       • ~1 – 1.5 million security professionals are required to reduce the global shortage.
       • Staffing issues such as retention and motivation drive the above concern.
     • Escalating Volume of Alerts / Alert Fatigue
     • Multiple, “Static Consoles” / Vendors Used for Investigation
     • Improvement to Speed of Detection
     • Rising Costs Due to All of the Above
  10. Why We Can SOAR Now
     ▶ Security Products are being designed with extensive API capabilities
       • Beware buggy APIs.
     ▶ More Cloud-Based services providing context to events:
       • Reputation Services, Sandboxes, Threat Intelligence Feeds, etc.
     ▶ Uplift in DevOps capability in the industry driving IT Automation.
       • Not just in Security but all areas of IT.
     ▶ Python and other robust programming languages.
  11. Aren’t We Already Automating?
     ▶ YES!
     ▶ Tools out there have the necessary capability to automate:
       • Blocking on firewalls, proxies, NAC solutions
       • Quarantine endpoints via NAC, EDR
       • Remove messages from mailboxes
       • Remove files from endpoints, file servers, kill processes
     ▶ Not many organisations are automating & orchestrating these processes together, and there is almost always a human involved in every process.
       • No true combined approach
  12. The What
  13. (image-only slide)
  14. Case & Ticket Management
     (SOAR diagram: Case & Ticket Management, Threat Intelligence Management, Orchestration & Automation, Workflow Engine)
     A fully-capable SOAR platform maintains all information and enriched data gathered from automated and orchestrated activities and can provide a detailed audit log of all actions taken during the response.
  15. Automation & Orchestration
     Automation: setting up a single task to run on its own – automating one thing. This single task can be anything from launching a web server to stopping a service, or automating the creation of a workflow.
     Orchestration: automatically executing a larger workflow or process comprising manual and automated steps.
     “You can’t build an Orchestra with a Single Wood Instrument” – Unknown
  16. Threat Intelligence
     Threat Intelligence is organised, analysed and refined information about potential or current attacks that threaten an organisation. A good SOAR platform can access multiple feeds to add enrichment and maintain a view of the threat landscape.
  17. Workflow Engine
     Workflow is a part of SOAR but if it’s the only element required, then a fully-capable SOAR platform is not required.
  18. The How-to
  19. Where to Start?
     ▶ Event Enrichment:
       • Using SOAR to enrich tickets with information from the same integration(s) every time, saving analysts time doing repetitive lookups.
     ▶ Artifact Extraction and Detonation:
       • Take files from EDR systems, Emails, and other methods, then pass them to a sandbox for detonation and subsequent report retrieval.
     ▶ Containment/Eradication:
       • Approval and Initiation can be done by an analyst or left to the automation.
       • Interact with EDR, AD, NAC, and many more to assist in the containment and eradication of Threats/Events.
  20. New to Phantom 4.2
  21. What’s New?
     ▶ Custom Code Blocks… (FINALLY!)
     ▶ Multiple Prompts
     ▶ Playbook Copy and Save As…
     ▶ Playbook Metadata
     ▶ Mission Control / UI Improvements
     ▶ Clustering Improvements
     ▶ Unprivileged Install
  22. DEMO
  23. What’s Coming?
     ▶ Mission Control: Summary View
     ▶ Custom Statuses
     ▶ Custom Severity
     ▶ Custom CEF Fields
     ▶ New HUD
     ▶ Whitelists for Case Access
     ▶ Evidence Marking
     ▶ Automate on Case Data
  24. Questions?
  25. Endpoint Data Model Breakdown – Adam Thomson
  26. What is a Data Model?
     ▶ A Data Model is a hierarchically structured search-time mapping of knowledge about one or more datasets – Splunk docs.
     ▶ In other words:
       • Multiple Data Sources combined together to make a single data set
       • Or a method of making data from different origins appear to have the same meaning
       • For example, taking logs from multiple Firewall vendors, which may ship with different field names, and unifying them so that all log sources can be searched using the same syntax
  27. Current State of Data Models
     ▶ In the context of security, most Data Models which ship with Splunk tend to shy away from endpoint data; we have great coverage of network traffic along with IDS/Malware alerts
     ▶ Historically, the only Data Models which referenced endpoint-like data were Application State and Change Analysis
     ▶ However, these barely scratched the surface of endpoint data
  28. Introducing the Endpoint Data Model
     ▶ The Endpoint Data Model has been built based on the Application State and Change Analysis Data Models, except with the extra information you’d expect to receive from your EDR solution, such as:
       • Parent/Child Process relationships, process hashes, integrity levels, etc.
     ▶ Rather than creating one large model, it has been broken down into five separate datasets for increased performance, covering the following areas:
       • Ports, Processes, Services, Filesystem and Registry
  29. Data Set Breakdown
     ▶ Ports
       • Source and destination ports, state, protocol, creation time, destination
     ▶ Processes
       • Action, process, parent process, process hash, process path, destination
     ▶ Services
       • Service path, hash and executable name, description, service DLL path, hash and signature, destination
     ▶ File System
       • File access, creation and modification times, destination, user
     ▶ Registry
       • Registry Hive, Registry Value Text, status, process ID, destination
  30. What Data?
     ▶ Windows Sysmon: Now fully CIM compliant!
       • Recommended Sysmon Config:
     ▶ EDR Solution Logs: Carbon Black, Tanium, Falcon Endpoint Protection
     ▶ Scripted Inputs: Output from commands such as netstat, ps, etc.
  31. Benefits: What can we achieve with Endpoint Data?
     ▶ Excellent Visibility at the Endpoint
       • High-Fidelity Alerts to assist with hunting and forensics
       • Identify Installation, Persistence and Lateral Movement techniques
       • What tools were being used
       • Searching for Hashes from IOCs or Threat Intel
     ▶ What can we look for?
       • New Services/Daemons starting
       • Abnormal Registry Key modifications
       • Unusual processes or services being launched, along with their connections/hashes
       • New listening ports established
       • New files in places they shouldn’t be (Windows\System32…)
  32. Benefits: Why use the Data Model?
     ▶ Utilize the accelerated Data Model for:
       • Running frequent searches over Endpoint Data with little overhead on performance
       • Carrying out endpoint forensics efficiently
     ▶ The ESCU app now ships with a variety of more advanced use cases based on the endpoint data model, giving you a good insight into endpoint activity with little engineering work required. For example:
       • Credential Dumping
       • Command & Control
       • Lateral Movement
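As an added illustration (not Splunk's CIM code and not from the deck), the Python below shows the field unification the Endpoint Data Model slides describe: two constructed process-creation events, one in Sysmon's own field names and one in an assumed EDR vendor's naming, are mapped onto Endpoint.Processes-style fields (dest, user, process, parent_process, process_hash), after which one IOC hash search and one parent/child check run over both events regardless of origin. The target field names follow the Processes dataset listed above; the hostnames, paths, hashes and IOC list are constructed.

```python
import ntpath
# Constructed Windows Sysmon Event ID 1 (process create), as its fields would be indexed
SYSMON_EVENT = {
    "Computer": "ws01.corp.example",
    "User": "CORP\\alice",
    "Image": "C:\\Windows\\System32\\cmd.exe",
    "ParentImage": "C:\\Program Files\\Microsoft Office\\WINWORD.EXE",
    "Hashes": "MD5=" + "11" * 16 + ",SHA256=" + "cd" * 32,
}
# Constructed EDR record for the same kind of event, using an assumed vendor's own names
EDR_EVENT = {
    "hostname": "ws02.corp.example",
    "username": "CORP\\bob",
    "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\svch0st.exe",
    "parent_path": "C:\\Windows\\explorer.exe",
    "sha256": "AB" * 32,
}
# Constructed threat-intel SHA256 list (lower-case, matching how the unified field is stored)
IOC_HASHES = {"ab" * 32}

def to_processes(dest, user, image, parent, sha256):
    """Build one Endpoint.Processes-style record from the pieces every source must supply."""
    return {"dest": dest, "user": user,
            "process": image, "process_name": ntpath.basename(image),
            "parent_process": parent,
            "parent_process_name": ntpath.basename(parent),
            "process_hash": sha256.lower()}

def normalise_sysmon(ev):
    """Sysmon packs every hash into one 'Hashes' field; pull SHA256 out of it."""
    hashes = dict(part.split("=", 1) for part in ev["Hashes"].split(","))
    return to_processes(ev["Computer"], ev["User"], ev["Image"],
                        ev["ParentImage"], hashes["SHA256"])

def normalise_edr(ev):
    """Same target fields from the differently named EDR record."""
    return to_processes(ev["hostname"], ev["username"], ev["path"],
                        ev["parent_path"], ev["sha256"])

def find_ioc_matches(events):
    """One hash search over the unified fields, whichever vendor produced each event."""
    return [e for e in events if e["process_hash"] in IOC_HASHES]

def find_office_spawned_shells(events):
    """Parent/child relationship check: a command shell started by an Office application."""
    office = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
    shells = {"cmd.exe", "powershell.exe"}
    return [e for e in events if e["parent_process_name"].lower() in office
            and e["process_name"].lower() in shells]
```

Feed both normalised records to either finder and only the matching host comes back: the IOC search hits ws02, the parent/child check hits ws01.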
  33. Before Endpoint Data Model
  34. And Now...
  35. Resources
     ▶ Base64 Command
     ▶ Sysmon TA & Add-on
     ▶ Common Information Model
     ▶ ES Content Update App
  36. Showcase of Security Essentials [Beta] Features – Harry McLaren (Inspired by Johan Bjerke)
  37. Harry McLaren
     ● Managing Consultant at ECS Security
     ● Member of SplunkTrust (MVP)
     ● Leader of the Splunk User Group Edinburgh
     ● @cyberharibu
  38. Splunk Security Essentials App Overview: How Splunk’s analytics-driven security can be used!
     ▶ Initial Version (1.0) Released January 7, 2017
     ▶ Latest Version (2.4.1) Released April 23, 2019
     ▶ 37,692 Downloads
     ▶ 389 Examples
  39. Splunk Security Essentials Provides a Journey Forward and Helps You Show Outcomes
     ▶ ~100 Examples w/ full SPL + Docs
     ▶ Prescriptive Journey
  40. Analytics Advisor for SSE: Key Features
     Analyzes your environment for data availability and displays content you can enable. New rich UI for finding the most valuable content.
     ✓ Find opportunities for data re-use easily
     ✓ Get content selection in just 2-3 clicks
     ✓ Highlight gaps in coverage
     ✓ Maps active and available content against MITRE ATT&CK Framework and Cyber Kill Chain
     ✓ Shows maturity against the Security Journey
  41. Analytics Advisor for SSE: Key Features
     ▶ The app delivers analytics that can be used to gather status, assess gaps and plan next steps in security monitoring maturity.
     (Screenshot labels: MITRE Mapping, Security Journey Maturity, Click through to SSE Content view, MITRE ATT&CK Navigator, Sankey Flow, Cyber Kill Chain Mapping)
  42. Example outcomes: Content “what-if” scenarios
     (Chart labels: + Planned Data sources, Possible today)
  43. Example outcomes: Current MITRE ATT&CK Mapping
  44. Example outcomes: Possible MITRE ATT&CK Mapping
  45. Analytics Advisor on Splunkbase
  46. Demo
  47. Resources
     ▶ Splunk Security Essentials App Download & Instructions
     ▶ How to Install Splunk Security Essentials
     ▶ Introducing Analytics Advisor to Splunk Security Essentials security-essentials.html
     ▶ Using Security Essentials 2.4: Analytics Advisor advisor.html